Chapter II
Evaluation of Hazard and Risk Analysis
Abstract
Hazards and risks are very plant specific. So, to address the many varieties of risk there are a number of ways to address them. Detailed selection processes are discussed to select the best one suitable for the plant. Hazard analysis is the primary step toward plant hazard analysis (PHA). A rigorous treatment is presented to focus on various factors with special reference to major incidents and for major hazard facilities (MHFs) and HAZID. In addition to outline discussions on various PHA methods, detailed discussions are presented on task analysis to take into account human action errors. Starting from qualitative risk analysis, various independent protection layers are chosen to arrive at semiquantitative risk analysis. Control measures play a very big role in risk analysis. Detailed discussions are presented to address these control measures so that safety of the facilities can be ensured. For complex systems, quantitative risk analysis (QRA) is quite common, so QRA with statistical approaches is covered. Safety management systems are covered to ensure total safety for MHFs. Detailed dialog on risk analysis and management is also a part of the discussions so that the reader can develop one for any specific plant based on the outline discussions covered.
Keywords
Control measure; Fire and explosion index; Hazard identification; Hierarchical task analysis; Independent protection layer; Major accident event (MEA); Major hazard facility; Plant hazard analysis (PHA); Quantitative risk analysis; Safety management system (SMS); Substance hazard index; Task analysis
In the previous chapter, it was established that in industry, plant hazards can cause harm to property (plant–machinery, asset), people, or the environment. So, it is important to develop some means of analyzing these and come up with a solution. Unfortunately, it is not as straightforward as it sounds. There are plenty of plant hazard analysis (PHA) techniques and each of them has certain strengths and weaknesses. Also each specific plant and associated hazard has specific requirements to be matched so that hazard analysis will be effective. In this chapter, various hazards (in generic terms) will be examined to judge their importance, conditions, quality, etc. so that out of so many techniques available for PHA it is possible to select which one is better (not the best because that needs to be done by experts specifically for the concerned plant) suited for the type of plant. So, discussion will be more toward evaluation of PHA techniques. Some PHA is more suited for process safety management (PSM) and is sometimes more applicable for internal fault effects [e.g., hazard and operability study (HAZOP)]. In contrast, hazard identification (HAZID) is applicable for other plants, especially for the identification of external effects and major incidents. HAZID is also covered in this chapter. As a continuation of the same discussion, it will be better to look at various aspects of risk analysis with preliminary ideas already developed in the previous chapter. In risk analysis risk assessment, control measures for safety management systems (SMSs) will be discussed to complete the topic.
1.0. Plant Hazard Analysis Preliminaries
It is better to start the discussions with the preliminaries of PHA.
1.1. Fundamentals of Plant Hazard Analysis
1.1.1. What is Hazard Analysis
Hazard analysis can be conceived as a preventive approach to identify any potential hazards, which should be realistic and relevant to the facility. Also hazards must be prevented, eliminated, or reduced. This means that in a modern plant it is necessary to detect the hazard early and there should be suitable safety measures to mitigate/control it. Now let us see how various institutions look at PHA.
• As per the Environmental Protection Agency: PHA is a thorough orderly and systematic approach for identifying, evaluating, and controlling the hazard of the process (involving highly hazardous chemicals). The part in parentheses signifies that such a definition is generally applicable to other plants as well.
• According to the Center for Chemical Process Safety (CCPS): PHA is an organized effort to identify and evaluate hazards associated with chemical process and operation to enable their control. This review normally involves the use of qualitative techniques to identify and assess the significance of hazards. Conclusions and recommendations are also developed. Occasionally quantitative methods are used to help prioritize risk reduction.
• From the foregoing two definitions one can conclude that PHA is a set of well-organized and systematic (meaning following a certain rule) rules to identify and characterize each of the possible hazards in the process, then to assess them and prioritize them. These must be communicated suitably with basic recommendations for mitigation and control. This means that in PHA, corrective measures are also identified to improve safety and this is communicated as recommendations. So, PHA is the foundation for process safety studies, and a risk management program to save the assets and control adverse effects to people and the environment.
1.1.2. Aim of PHA
In the world, there is no place or system that is totally free from hazard. As long as there are hazards there will be a risk of damage. People will always try to eliminate risk as best as possible. Unless one is aware of various hazards and hazardous situations, how is it possible to get rid of the same. So the basic aims of PHA are:
• Identify the potential hazard as one of the activities
• Identify equipment, instrument failure, process upset, and human error, which could manifest the potential hazard and have a detrimental effect such as loss of asset and/or negative environmental impact
• Analyze the magnitude and likelihood of hazards
• Identify and evaluate existing protection systems against risk consequences
• Document all potential hazards with recommended mitigation strategies, which when compared with the existing protection, may require additional protection
• Statutory requirements, for example, Clause 4.2 of NFPA 654 (2013) is a classic example:
• “… Design of fire and explosion safety provision shall be based on process analysis of the facility, the process and associated fire and explosion hazards.” It also says “PHA shall be documented and to be used for life of the process…”
1.1.3. Basic Scope of PHA
Normally, the scope of PHA shall include but not be limited to the following:
• Equipment in the process and their failure including electrical, control and instrumentation (EC&I) system [hardware (HW) and software (SW)]
• Identification of previous incidents that had likely potential catastrophic incidents
• Engineering and administrative controls pertinent to hazards and their interrelationship
• Consequences of failure of engineering and administrative controls, etc.
• Qualitative evaluation of failure of safety controls on assets, humans, and the environment
• Facility sitting (assessing explosion toxicity)
• Human failure factors
• Environmental impact on the process and hazard caused by the same
• Steps required to correct or avoid deviation
1.1.4. Major PHA Steps
The following are the major PHA steps normally followed. In this connection Fig. II/1.1.4-1 may be referred to:
• Study and preparation of PHA (some cases preceded by preliminary hazard analysis)
• Formation of team with team leader (experienced in PHA and one plant expert)
• Scope and boundary definition in accordance with system demand description. This is very important in the sense that without this the entire hazard analysis process could be a huge one and effective control will be a serious problem. Description shall include but not be limited to:
• Specifications/detailed design requirements
• Operational details
• General compliance to standards and other statutory requirements
• Applicable standard human convention factors (e.g., lamp color, etc.)
• Accident experience and failure reports and similar plant data
• Hazard identification: Irrespective of the process chosen, this is necessary because by itemizing the hazards, analysts can imagine and develop a picture of the complexity of the plant and breadth of safety analysis required. Hazard identification gathers information about:
• Characteristics of the hazard including inherent nature, multiplicity, etc.
• Form and some quantification of hazard
• Where and when in the project/facility it is present
• How this hazard could result in an undesirable event or a chain reaction
• Collect and collate up to date all relevant information to support PHA
• Selection of appropriate PHA techniques out of those shown in Fig. II/1.2-1 (refer to Clause 2.0 of this chapter) is well understood
• Agreement for schedule of work also in terms of time
• Conduct regular meeting and documentation
• Depending on applicability, conduct functional analysis
• Develop preliminary hazard list, identify contributory hazard, initiator, etc.
• Detailed documents of PHA result (risk assessment has been set aside as this will be treated separately in this chapter)
• Implementation [including management of change (MOC)—if called for] and follow-up
1.1.5. Management of Change (MOC)
This is another issue quite relevant to PHA especially for process plants. PHA is normally done periodically to validate that the actions suggested are still valid. In some cases periodic PHA is a statutory (e.g., Clause 4.2.3 of NFPA 654[2013]) requirement. Nevertheless, if after PHA it is revealed that some systems need to be changed to mitigate a potential hazard, as the name suggests, one needs to implement the MOC. When changes occur in any operation of a system (especially handling hazardous materials), it is essential that changes to the process must be well managed to understand and meet the challenges of these hazards and to mitigate them. This is extremely important from a safety point of view. Previously, many accidents took place on account of the nonfunctioning of the MOC. Usually, major chemical process companies have their own set procedure toward this. MOC may call for replacement in kind or change in process technology itself. Also MOC is applicable to and dependent on all PHAs.
1.1.6. Typical Output Expected of PHA
• Identification of hazards that can result in adverse consequences, improper usage, leading to accidents and even shutdown
• A quantitative assessment of likelihood and consequences discussed
• Risk ranking for major risks involved
• Development of suitable applicable criteria and specifications
• An evaluation of design hazards and the suggested corrective actions and safeguards including those in subsystems and subgroups
• A basis for program -oriented precautions, personnel protection, safety devices, emergency equipment, procedures, training, and safety requirements for facilities, equipment, and the environment
• Safety factors for tradeoff considerations
• Evidence of compliance with program safety regulations
• Develop future plans, for example, additional analyses, tests, and training
However, such results may be possible if all required information is made available at the time of PHA and there is a good team with suitable leadership to produce a result that is very lucid and easily implementable. In such cases, resource mobilization is effective and should be minimal.
1.2. Various Plant Hazard Analysis Methods
To select a PHA technique best suited for one plant it is necessary to evaluate various PHA techniques. To do this it is essential to gather basic knowledge about each of these PHA techniques. A number of such PHA techniques fall under three basic categories, as shown in Fig. II/1.2-1. Also Table II/2.1.2, where a few quick PHA techniques and important terms associated with chemical process plants [e.g., Dow Fire and Explosion Index (FEI), etc.] have been highlighted shall be referred to.
As shown in the diagram there are three classes into which PHA techniques could be classified, namely, (1) qualitative, (2) guided words, and (3) quantitative.
1.2.1. Qualitative
Hazards may be identified through a qualitative process, either formal (part of safety assessment) or based on discussions, interviews, and brainstorming. This is normally done after formation of a multidisciplinary team. As a part of safety assessment, the main aims are: (1) to identify a potential incident/accident scenario, and (2) evaluate the scenario through detailed discussions and brainstorming to arrive at risk assessment and recommend risk mitigating procedures. In some cases when conclusive judgment cannot be made, then the system may be repeated for the final result. Some of the various methods under this category are:
• Preliminary hazard analysis: As already discussed in Chapter I (also Chapter III), this can be utilized during conceptual design, front end engineering design (FEED), or R&D stage. As stated earlier, one of the major purposes of preliminary hazard analysis is to identify the extent or boundary limits of complex hazards and analyze the risks and hazards associated with all the processes involved (see Clause 4.0 of Chapter I).
• Checklist: This is a list of attributes or check points for hazards. This list is generally prepared from risk assessments pertinent to similar projects done in the past. However, it is to be validated for applicability before it is used. Naturally, such lists need to be prepared prior to the take-up of PHA. This list is used for acceptability by comparing the system with established norms and previous systems—hence it is a tool for assessment of hazard. Since this is a comparison, it could be used by nonexperts. Also the list may offer a wider exposure of hazards encountered in previous cases so that obvious things are not missed. However, it does not allow much imagination and as a consequence hazards that in the past were not considered or did not happen would be missed. For new projects with new technologies the checklist may not be helpful.
• “What if” (including structured “what if”): This is a brainstorming method in which a group of experienced people belonging to different disciplines participate to ask questions and/or raise concerns against possible undesired events. There is another category, which is sometimes referred to as the “what if checklist” because it is similar to “what if” but is a defined structured list prepared by the team leader. In fact it is in some respects similar to HAZOP. Here the team leader puts forward a suitable list of prompts such as “What if…” or “If some ever…,” etc. It is a good alternative to HAZOP because it takes less time but can result in a good record of hazard identification. However, it is totally dependent on the experience of the team members, especially the team leader. List adaptability in any project needs to be thoroughly checked if applicable.
1.2.2. Guided Word
The principles of a guided word PHA are explained in Fig. II/1.2.2-1. This is a systematic method where deviation causes are initiated by guided words.
There are intended activities in a process or plant, and a list of deviations can be started immediately after the intended activity listing is complete, with the help of guided words. Next, causes and consequences are listed. Then, for each set of causes and consequences specific safety interventions are inserted and listed. Such initiating guided words could look for an event or an incorrect performance of an event that has been skipped; “none,” “loss of,” etc. could be the guided words. These are carried out by the team and team leader who have experience in the study as well as experts from the operational group. HAZOP and FMEA (failure mode and effect analysis) are examples of PHA in this class. These are performed for startup, shutdown, and batch processes, as well as continuous processes (e.g., HAZOP in a power plant).
• HAZOP: This is a systematic guided word PHA. This is applicable to all modes of operation, process flow diagram, piping (process) and instrumentation diagram (P&ID), etc. This is quite a detailed and rigorous technique, to be developed in a step-by-step fashion. “More/less, reverse flow, or too little/too high/more/less” pressure, and other parameters are generally the guided words. As stated earlier, deviation from the intended activity is assessed for suggesting safety actions. These are well recorded during the process in established recording formats. In this method the entire system is broken down into various subsystems and units. So, the success of the study is very much dependent on the amount of information available and the skill of the team, especially the team leader. Also a good amount of preparation and time is needed for the study.
• FMEA: This is mainly used for a set of equipment or for study at a functional level to assess failure at the component level and the performance of the desired function, that is, assessment of consequences for major component failure. Since it starts from the bottom, it is often referred to as a bottom-up technique. Here also detailed system description, specifications, etc. are necessary to carry out the study. Like HAZOP this is also systematic, rigorous, and has a wide range of applications. In addition, there are established formats for record keeping. This is mainly applicable to electrical, mechanical, electronic, or computer systems (manufacturing). This is an inductive method and can handle with singlepoint failure. It is also time-consuming and expensive and depends a lot on the skill of the team leader.
1.2.3. Quantitative
This class is one step ahead of the other approaches discussed. Here the probability of an incident occurring is well calculated in a probabilistic manner. This is done to eliminate and/or reduce the risk to the greatest extent possible. For this, experience and a record of previous data (for similar plants) are used and hazards are calculated in terms of number or rate utilizing engineering estimates. Good use of reliability engineering is common. Since here the failure number or rates are calculated statistically it would be agreeable to have a basic knowledge of statistics and probability, as discussed in Chapter I.
• Event tree analysis (ETA): An event tree is based on the binary logic of the happening or nonhappening of an event or failure or no failure of a component. It starts with an initiating event (e.g., failure of a component or release of gas, etc.) and generates multiple scenarios. In the event tree, from each branching point, there will be only two paths (basically Y/N). Thus it starts from a single event and then consequences follow a series of possible paths, each of which is assigned a probability, and various outcome probabilities can be calculated to arrive at the final consequence probability caused by the event. A good knowledge of the system is expected of the person carrying out the analysis. There can be extensive documentation for the process. This inductive method of PHA generates specific output.
• Fault tree analysis (FTA): While the event tree is divergent in nature, the fault tree is convergent in nature, that is, it is deductive. When complementary ETA and FTA are used they are referred to as “bow and tie.” So, here the combination of failures can lead to a specific event of interest. Here also the probability of happening will be assigned to each branch. Then, based on their combination in union/intersection (OR/AND), final event probability will be calculated. The binary decision diagram, discussed in Chapter I, could be a helpful tool in probability calculation. It is possible to address multiple failure issues in FTA. FTA is drawn from top to bottom, and the starting point is the undesired event at the top, which then goes down to have a logical tree for an immediate contributory fault, which may be caused by another fault, then another one, and so on. Theoretically, the tree could be endless but in reality it stops after a certain point. It is possible to have an extensive report of the FTA. The study can continue by having extensive training. It is moderately time-consuming.
• Layer of protection analysis (LOPA): LOPA is a systematic and structured way of quantification of risk reduction and safety integrity level (SIL) determination. Usually, it starts its work on the data developed in HAZOP analysis. For each documented undesired event with an initiating cause, it provides an independent protection layer (IPL), which will mitigate or prevent the hazard. Then, the total amount of risk can be determined. If safety instrumented function is necessary, LOPA methodology can be used to determine SIL also. From ISA 84 transaction it is found that LOPA is a simplified risk assignment tool used to evaluate the effectiveness of IPLs that are designed to reduce the likelihood or severity of an undesirable event. Quantitative PHA LOPA deals with single cause consequence pairs. Detailed documentation is possible and can be applied for continuous process.
• Human reliability analysis (HRA): With technological development and incorporation of redundancy it is possible to reduce equipment failure to a great extent. However, human behavior is not that predictable. So, there are chances that failure could occur because of human factors. This is a method by which probability is measured. It is also used in PHA. This could be quantitative as well as qualitative. Although the exact value is not certain it is estimated that error committed by a human could be as high as 60–80% (even 90%). Human performance is affected by several factors, referred to as the performance shaping factor (PSF). By this method, PSF is identified and tries to improve it. In addition to PSF, normal human error probability (HEP) is also calculated on the basis of human activity. There are so many factors that affect this analysis: accuracy, reproducibility, bias, etc. There have been several methods and each needs to be understood before application. An HRA event tree is often used. It may be informative to refer to Table V/1.0-1 (Chapter V).
2.0. Evaluation of Plant Hazard Selection Techniques
According to (US) Occupational Safety and Safety Administration (OSHA): “The process hazard analysis is a thorough, orderly, systematic approach for identifying, evaluating, and controlling the hazards of processes involving highly hazardous chemicals. The employer must perform an initial process hazard analysis (hazard evaluation) on all processes covered by this standard. The process hazard analysis methodology selected must be appropriate to the complexity of the process and must identify, evaluate, and control the hazards involved in the process.” There are more or less 12 types of PHA methods. Apparently, almost all of them can serve the purpose of PHA for a particular plant. Now, the question is whether there is a better method than what has been selected for the plant. If so, will it not be a waste of money if a non-appropriate one is chosen? The answer to this question is yes! If a company is thinking of setting up a semiconductor manufacturing unit with new technology and at an early design stage it opts for the HAZOP technique, then it may not be appropriate because for semiconductor manufacturing systems FMEA, “what if,” etc. may suit it better. In addition, on account of new technology at an early design stage there may not be sufficient data to carry out HAZOP. Therefore neither result will be satisfactory and it will be a waste of time and money. As a result, it is needless to argue the importance and effectiveness of the selection of an appropriate PHA for a specific application. However, the selection of an appropriate PHA method is not an easy job. There are many influencing factors that play a role in decision making. Also the experience, expertise, and leadership qualities of the person leading the PHA activity are also crucial in the selection process. There are different plant types, there are different goals for PHA, and there will be different hazard types and different levels of severity, etc. Similarly, the action called for will differ with different plant requirements. Air pollution from a thermal power plant will have a long-term effect on the environment and action to counter this should be planned for the long term, for example, installation of flue gas desulfurization, etc. On the other hand, containment failure from a chemical factory could cause havoc, for example, the gas disaster in Bhopal, India. Similarly, some systems definitely need immediate alternative action to ensure safe operation to avoid a large-scale accident, for example, aircraft control. Now, in this clause attention will be centered on discussions of selection of the PHA method and application guidelines. Here, it must be noted that in this book an endeavor has been made to cover the overall PHA for chemical process (ref 1910.119 Process Safety Management of Highly Hazardous Chemicals). Guidance on this is available in international standard ISO 31010:2009. A brief discussion on this is presented in Clause 1.1 of Chapter VI.
2.1. Preselection Consideration
A few points discussed below will be helpful in the selection procedure.
2.1.1. Basic Plant Facility and Hazard Considerations
• Plant facilities (in connection with process safety according to OSHA, facility means the buildings, containers, or equipment that contain a process):
• Site facilities, such as, number and type of units, associated hazards, for example, for an integrated steel plant there could be a number of units such as material preparation, sinter plant, rolling mill, captive generation units, or several units of a power plant. Note that in all cases hazard scenarios are different. In the latter case (a plant with several units of power plants), generally similar hazards are expected, whereas in the former case, different plants have different characteristics. It is worth noting that we have tried to cover plant hazards in place of process hazard alone.
• Building or structure, types of systems and system design, etc. Here also hazards vary with the size of the building or structure, etc., for example, nature of hazard for a tall structure (say Chimney) is different from that of, say, a turbine building.
• Process design: Chemical plants have inherent additional problems caused by reaction, etc.
• Requirements of local or international standards, laws, etc.
• Miscellaneous other issues
• Hazards: The following headings are generally concerned with hazards for PHA:
• Material (OSHA guidelines given later may be referred to especially for chemical plants where 1910.119 is applicable)∗
• Energy (many plant applications with possibilities of explosion and for several manufacturing units, e.g., semiconductor manufacturing unit, say silicon gas)
• Process
• Synthetic external hazard (accident caused by vehicle movement)
• Natural hazards (e.g., earthquake, tsunami, or climatic disaster)
• ∗According to OSHA: “Information on the hazards of the highly hazardous chemicals in the process shall consist of at least the following:
• Toxicity,
• Permissible exposure limits,
• Physical data,
• Reactivity data,
• Corrosivity data, and
• Thermal and chemical stability data, and hazardous effects of inadvertent mixing of different materials.”
• Checklist of general hazard components: In hazard analysis all types normally have the following checklist, given here to obtain a clearer vision of hazard. These can be classified and put against one of the categories mentioned earlier, for example, equipment failure can be classified under process, or electrical may be classified under energy.
• Toxic chemicals
• Exothermic/endothermic chemical reaction
• Chemical reaction runaway
• Very high temperature
• Fire/explosion
• Very high pressure (overpressure)
• Mechanical (machine structural stability)
• Material handling transfer
• Drainage/spillover
• Leakage
• Machine moving parts
• Vehicular movement
• Quantity of flammable materials (special hazard)
• Corrosive and erosive material handling (special hazard)
• Failure of equipment
• Failure of EC&I
• Electrical system (e.g., high-voltage isolation)
• Radiation
• Hazard caused by noise/vibration
• Environmental pollution
• Biological
• Suggestive control actions: Although this is not directly concerned with hazard analysis process selection, it may be helpful for the selection process because it is concerned with the outcome of PHA. These actions are necessary for selection of control measures to be discussed in connection with risk analysis.
• Preventive action vis-à-vis mitigation/control action
• Engineering prevailing over administrative action
• Engineering design
• Controlling at source including barrier, etc.
• Implementable and practical control
• Phases of project/plant: With the phases of the project/plant the hazards and/or accidents also change. During construction there could be an accident, for example, the falling of a generator during the installation stage in a thermal power plant, which resulted in a few casualties as well as a long delay in job completion. On the other hand, hazards and accidents during plant operation can be different. Therefore for the PHA selection process it is necessary to consider various phases, for example:
• New plant with new technology
• Planning/design stage
• Construction/installation phase
• System qualification
• Production/operation
• Standby
• Shutdown: planned or emergency
• Maintenance
• Decommissioning
2.1.2. Some Important Terms and Quick Methods
It is prudent that a few terms associated with PHA, mainly for PSM systems, are discussed. In Table II/2.1.2-1, a few hazard analysis methods have been highlighted such as the Dow FEI and the Mond Index, etc. for quick risk assessment in process plants.
Table II/2.1.2-1
Technical Terms Used in PHA (Especially for Chemical Process Plants)
| Terms | Elaboration |
| Mond Index | The Mond Index was developed by ICI's Mond Division as an extension of the Dow F&EI to address the toxicity hazards associated with materials in process units. This is to be used in conjunction with FEI. It is seen that when toxicity is 0–6, it is light with FEI 0–60. Toxicity >10 could be intermediate or heavy depending on associated FEI in the range of 127–158. For FEI >159 and toxicity index >10 it is severe. It relates both FEI and the toxicity Index [2]. Mond indices are classified as “Mild,” “Light,” “Moderate,” “Moderately Heavy,” “Heavy,” and “Extreme” for the ranges 0–20, 20–40, 40–60, 60–75, 75–90, and >90, respectively [4]. |
| Chemical exposure index (CEI) | The CEI is again an index used by Dow Chemical to assess products of various factors (acute toxicity, volatile portion of the material that could be released, molecular weight, distance coverage, and operating parameters like temperature, etc.) using a numeral scale. |
| Substance hazard index (SHI) | The SHI is an index to identify the toxic chemical substances that could be involved in a catastrophic release. The index is a simple function of vapor pressure and toxicity: The higher the vapor pressure, the more rapid will be the entrance in the atmosphere in the event of a release. The greater the toxicity, the lower the concentration required to present a hazard—so, SHI will be higher. |
| Hazardous material and material hazard index (MHI) | Any chemical substance that when released or misused will cause harm to the environment and/or public health. These are used in various industries. Hazardous materials may be in the form of explosives, flammable and combustible substances, poisons, and radioactive materials [5]. MHI is an index used by the State of California. It is the material vapor pressure at 25°C divided by the level of concern, which can be defined on the basis of toxicity, fire explosion, etc. [3,6]. |
| Hazard factor (HF) | There are two kinds of hazard caused by the toxicity, fire, or explosion effect on materials, (1) General purpose, where the intensity of an accident increases on account of its presence. (2) Special purpose, where the probability of an accident increases (Clause 2.1.1). |
2.2. Plant Hazard Analysis Methods Selection Criteria
In the previous Clause 2.1, some of the important issues influencing methods have been discussed. Now, we shall try to find the means by which PHA methods are normally selected taking into consideration various factors. It is advisable to refer to Fig. II/2.2-1 for an idea.
From Fig. II/2.2-1 it is seen that a team with a team leader is necessary to select the process. However, in certain cases team formation may not be mandatory. Also it is necessary that the team leader or who is leading from the front must have expertise (may be acquired through experience). There are a number of influencing factors that are responsible in the selection process. In addition, stage of the project, available resources, and management aims influence the selection process. For detailed guidelines ISO 31010:2009 may also be referred to.
2.2.1. Aim of PHA Selection
At the time of the PHA selection process, it is expected that the corporate management must decide in advance and frame a general guideline for:
• Aim or purpose of PHA
• Kind of result/type of detailing to be expected from the result
• Resources available (not only funds but also information and human resources)
• Deadline of completion
• Stage of the project
• Selection of team leader/expert
2.2.2. Team Formation and Team Leader
After a team leader or expert is selected, it is the duty of the expert (may be outside agency) to form a team and proceed in close coordination with the management. The team leader must understand the purpose of the job very carefully and not try to fit one of the typical PHA selection frames into the system. This is important because each plant/process or company may have unique demands. Immediately, a group of people need to be selected as a team when called for (always formation of team may not be necessary). Normally in the team, experts from process/operation and instrumentation and electrical mechanical engineering disciplines are included. At the preliminary stage the team leader with the team will go through the guidelines set forth by management. It is necessary that such guidelines are modified continuously. This is ideal as long as any alternatives can meet the target in a better way. It is not uncommon that, considering the amount of information available, or based on purpose, the team leader finds that instead of process A, it is better to go for process B. It is the duty of the team leader through his experience and logic to convince management to do so. However, while doing so the team leader needs to take into consideration: (1) influencing factors, (2) stage of the project, (3) plant-specific problems, and (4) timeframe, etc. Also it is better for management to listen to the team leader as long as his/her suggestions are logical and are backed up with experience and expertise.
2.2.3. Factors Influencing PHA Method Selections [1]
There are a few influencing factors that directly affect the PHA selection process, as shown in Fig. II/2.2.3-1.
Major influencing factors are:
• Aim of the study
• Type of result
• Available information database
• Characteristic-matching issues
• Plant-specific problem
• Resource and management issues
Now each of these issues will be discussed at length sequentially.
• Aim of the study: As discussed earlier, it is most important that the aim of the study be well understood by the team leader otherwise it may be a complete waste of resources. There are several issues to discuss, such as the list of hazards, to meet the statute, overall risk analysis, and risk mitigation including detailed quantitative risk analysis (QRA), etc. There may be other interrelated factors such as a new plant with new technology or quantum of available information, etc. These will be discussed separately but are mentioned here because while fixing the charter they need to be considered also, for example, if for a new plant with new technology detailed quantitative risk assignment is desired, then at the initial stage this may not be possible because of lack of sufficient information. This can be done at a later stage. Therefore it is the responsibility of the team leader to select the most appropriate factor taking into account available resources.
• Type and kind of result: The type of result expected from PHA has been elaborated in Clause 1.1.6. All these results are not always available from all PHA methods. Even from each of the PHA types there could be variety of results that is dependent on the outcome. These results could be just a list of hazards or accidents; they could be a detailed list with priority of action or input for a further study of safety instrumentation systems with alternatives or input for a QRA. As all methods are not capable of providing all kinds of results it will be the responsibility of team leader and the team to decide on the issue. From the discussions in Clause 1.2 almost all PHA is capable of giving a list of hazards and recommendations for mitigation. If, however, further detailing such as prioritization of risk or quantitative analysis is necessary then the team needs to opt for ETA, FTA, etc.
• Available information database: Available information plays a great role in PHA study. For example, in a process flow diagram (PFD) we have process flow and basic equipment, whereas in a P&ID we have not only process flow with equipment but also instrumentation and piping details. Again the scope of availability of information is dependent on the stage of the project. While the PFD is available at a much earlier stage, the P&ID may be available at a later stage. The following list shows the type of information and available stages. It is worth noting that as we go down the line, details of the information and stage of the project increase (i.e., time from inception increases):
• Basic materials involved, physical/chemical property
• Basic process or material flow
• Experience with similar project
• PFD
• Equipment data
• Plant layout
• P&ID (this is mentioned after layout because in many cases the P&ID is slightly dependent on layout, e.g., a mud system in offshore engineering)
• Existing details
• Operating details/procedure/production process
• Plant operating experience
Therefore it is clear that the quality of information and the stage when it is available also influence PHA method selection. For the same reason it is not possible to carry out HAZOP for a plant at the conceptual stage. So, if quality data are not made available, then the team and the team leader have probably only two options: they can either recommend to the authority to change the detailing desired from PHA or delay the selection and inform management. In the last example we discussed the lack of information. Similar things happen if the available data are not up to date. It is wrong to work with old data because such an exercise is futile. Therefore it is essential that the team leader is aware of this so that hazard evaluation performance is improved and not delayed.
• Characteristic-matching issues: Each type of plant has certain inherent characteristic issues such as continuous plant, process plant or manufacturing unit, batch processing, etc. Similarly, each of the PHA methods has some inherent characteristics for which the particular PHA method has been developed. It is not that a particular method cannot be applied to the other plant but it may not be best suited. This will be clear with some examples. Power plants and mud plants in offshore applications are all basically continuous operating process plants and HAZOP is better suited for such situation. On the other hand, FMEA is better suited for computer or electronic device production lines. Similarly, when there are questions of multiple failure, FTA could be a better choice. So, the team leader needs to see that the chosen characteristics are matched with the characteristics of the plant in question. This is somewhat like protocol matching in computer communications, where even electrical connections are made correctly; however, without proper protocol matching communications for data transfer cannot be made. For example, someone speaking in Bengali may not be understood by someone who speaks Spanish. Therefore the purpose is not met. When one speaks of the inherent characteristics of a plant this refers to:
• Type of process
• Operation style and type
• Size and complexity of the plant
• Inherent hazards, etc.
• Type of failure
• Type of process: Generally, an initial screening is possible from the type of process involved. As stated earlier, FMEA is more suitable for computer systems and HAZOP is more suitable for process systems. Naturally based on the same PHA method, selection may be possible and needs to be judged with respect to other characteristics, for example, size and complexity.
• Operational style and type: The type and style of operation also affects the characteristics of the plant and involves the team leader to check whether the PHA method is suitable. The plant may be a static or transportation type, for example, a manufacturing unit and vehicle movement in a mining operation. The involved process may be a batch process, for example, a pharmaceutical unit or a continuous process such as a power plant. In the vehicle movement case, simple systems such as “what if” would be adequate but the same is not true for a power plant—a continuous system.
• Size and complexity of the plant: Plant size and complexity play a significant role in selecting the PHA method. Naturally, it will not be a prudent decision to apply a simple PHA method, say preliminary hazard analysis, for analysis of hazards in a nuclear installation. Plant size mainly depends on numbers of subplants/subsystems involved, amount of equipment in each of the subsystems and/or number of steps involved. One demineralized plant involving five or six chains will be larger in size than a plant with two or three chains. Similarly, a 650-MW plant involving many auxiliaries will be larger in size than a 60-MW plant with fewer auxiliaries. With an increase in the number of auxiliaries, both complexity and chances of failure in logic also increase. Plant complexity again depends on many factors, such as: operation type and condition, chemical process and/or chemistry, as well as chemical reaction and reaction rate. Complexity also depends on human interaction with the system as well as associated hazard types such as toxicity, flammability, fire, etc. Choke and kill blowout preventer (BOP) in the offshore industry are classical examples, where high-pressure flammability is involved. Similarly, complexity can be seen in ultrasupercritical boilers involving very high-pressure and high-temperature operation. Chemical process plants pose such problems because of chemical reactions.
• Inherent hazards: In process industries, various hazards such as toxicity, flammability, fire, explosion, etc. can be analyzed by any of the analysis processes, but if a hazard involves failure of equipment, or more than one failure, then a more detailed study may be involved and a simple system may not be suitable. In batch or manufacturing plants a similar logic applies. So, the team leader needs to adopt a different approach to address inherent hazards.
• Type of failure: There are several situations concerning single failure, multiple failures, etc. There may be process upset, operational fault, or hardware/software/human failure, etc. It is therefore pointless to attach importance to the fact that PHA method selections have a direct impact on these failures, for example, to handle a multiple failure situation or probability-based quantitative analysis one may have to apply FTA and/or ETA, etc. instead of FMEA and/or HAZOP.
• Plant-specific problem: The PHA method selection process depends on the team and team leader. So, accuracy of the study depends on the experience and skill of the team leader as well as that of the entire team. Naturally, any omission will contribute to the inaccuracy of the study and may contribute to inherent problems at the plant. So, when management decides to adopt a detailed study, they should go for a more systematic type of study suitable for their needs, for example, a utility company building a nuclear installation will invite a more detailed study than that for a thermal power plant. Some of the plant inherent problems come from operating experience, for example, when a plant is operating over a long period, then the majority of the inherent problems are well known, or could be understood from operating data. However, when a new plant comes into operation involving new technology, inherent problems may not be apparent. So, these problems will be increased and a detailed PHA method may be better. MOC is another important issue in contributing to inherent problems, for example, where a plant has been operating over a long period with few potential hazards and a number of changes have been incorporated. In this case, the chances of hazards may not be an issue and management may decline a detailed study. The author had similar experience in a cement plant. The kiln feed measurement system was old and was posing a problem but there had not been evidence of any potential hazard, just poor quality output. When the kiln feed system was later changed with an impact scale, bypassing the original one, there were not many studies because the existing kiln feed was kept in parallel so that production was not hampered. On the contrary, for a comparatively newer plant, where there was problem of non-formation solid clinker, operational changes were incorporated after a number of studies. In summary, when there are major changes, management will adopt a systematic study for MOC (say a checklist).
• Resource and management issues: These are more or less financial and management issues involving:
• Number of skilled and knowledgeable persons available
• Financial resource of the company
• Company culture
• Management preference
• Time schedule
Quality of PHA is extremely dependent of the quality of effort of the team [1].
2.2.4. PHA at Various Stages of the Project
As discussed in Clause 2.1.1 there are several stages of the project. Naturally, at each of these stages several types of PHA may be applicable. Also from the beginning, PHA needs to be developed at various stages. In fact, the PHA is revalidated at various stages. Also at various stages there would be different appropriate PHA methods. This is because at various stages the information available varies.
• FEED stage: At the initial FEED stage, PFDs, certain equipment, etc. are fixed and it is in the process of development of a P&ID. At this stage, preliminary hazard analysis, checklists, etc. are utilized for PHA. Then, slowly instrumentation is developed based on layers of protections desired as a safeguard and interlock.
• Detail engineering: During the detailed engineering stage when plant data are more finalized, P&IDs, layout, and equipment/instrument lists are available along with respective data sheets, depending on the type of plant. HAZOP/FMEA/“what if”/structured check lists, etc. may be applied to identify the hazard or accident. If necessary, LOPA is applied to ensure safety. These are basically revalidation of PHA with more information and different PHA method. Since it is desired that most of the hazards are identified, depending on type of plant other methods may also be applied when multiple failure is taken into consideration.
• Construction stage: Normally at this stage it is not desirable to change the design; however, in reality there will be some site modification, which calls for revalidation of PHA with the changes incorporated. HAZOP could be a better solution for process industries.
• Operational life: Startup from a normal or controlled shutdown is part of the safety procedure. There may be three types of shutdown: planned, emergency, and shutdown for maintenance, as indicated in Clause 2.1.1. Each of these has certain safety issues associated with it, so, these types of plant shutdown along with startup from emergency shutdown should be checked.
• Revalidation: The PHA needs to be periodically revalidated to incorporate changes necessary for plant safety. As the plants operate there will be modifications needed. It is almost inevitable for all plants. There should be some corporate policy for MOC. MOC risk reviews are carried out as part of company policy and/or any of the PHA methods. However, this depends again on to what extent the MOC hazard study will be carried out (an example with a cement plant has already been discussed). However, normally the PHA method that was implemented earlier is also followed for MOC.
• Extended shutdown—decommissioning: Mothballing (restoration) of a plant is a step undertaken for a safety shutdown system. Not only all reactants have to be drained and neutralized but a safe state must be restored, especially for restart from an extended shutdown. Before starting, the condition of all equipment and instruments, especially those meant for safety, must be thoroughly checked, revalidated for operation, and calibrated. At this stage, a PHA review is done. Also during decommissioning when equipment is dismantled, a thorough safety check is essential to avoid any accidents. A PHA review is done prior to the decommissioning activity.
2.2.5. Decision for PHA Method Selection
As discussed, every PHA method has certain strengths and weaknesses (Fig. II/2.2.5-1) (inspired by Ref. [1]).
As shown in the figure there are a few issues regarding resources, such as number of knowledgeable persons available in the organization (if an external agency this may be less important as long as the knowledgeable staff is available within the agency; however, staff training is important). Financial support available from management is very important. In some cases, expenditure could be high, especially when an agency is deployed. Timeframe or time schedule is no way less important because if the time schedule is not met, the basic purpose may be defeated. Naturally, this may call for alternatives if possible. The management decision for selection is also critical. Here, the team leader has a key role to play. If the team leader feels that a particular method is best for the project, then the team leader needs to take the lead role in convincing management. In the end there are a few other options pertinent to PHA methods (Step 7 in the figure), which have been shown to reflect the requirements of the proposed PHA method. If there is a chance to opt for alternatives, then such selections will be helpful (e.g., some PHA methods do not need a team, for example, ETA, FTA, or a checklist that involves fewer staff, etc.—if there are alternatives then those could be selected; these are in addition to the main steps as helpful tips).
2.3. Comparison of Various PHA Methods
Having discussed various features of miscellaneous PHA methods, it is better to compare their characteristics with respect to the various criteria in Table II/2.3-2 (inspired by the Process Improvement Institute Inc. Ref. [1]). This table may be referred to for various codes. In this connection it is worth noting that each of these systems has its strengths and weaknesses and is best suited for a particular type of industry or industries. The comparative studies given in the table provide ideas about their characteristics. In this connection, another important point to be noted is that it is possible to divide all plants into three categories: continuous operation, discrete operation, and batch process operation. In continuous production, materials flow continuously without interruption. Power plant operation is an example of the continuous process. There are a number of distinctive differences between this and batch process operation, for example, tank volume and time required in the batch process (refer to Chapter VI) will be greater than in the continuous process. A cement plant is an example of a discrete plant. Here, in between the raw mill section and the kiln section there is raw materials storage silo, so, when the kiln runs it may not be necessary for the raw mill to run. Similarly, because of the clinker silo, when the kiln runs, the cement mill may be idle. On the contrary, pharmaceutical production, soft drinks production, etc. are batch processes, and on the medicine label, for example, one can see the batch number. In the batch system, any mix of whatever produced in the intermediate stage must be consumed in total in batch production. Exactly for this reason, if something untoward happens in batch production, the entire batch is rejected. Based on the foregoing distinctions, PHA methods also change.
Table II/2.3-2 should be read in conjunction with the following notes:
1) HAZOP is not suitable for electronic computer/mechanical production plants
2) FMEA is not suitable for process plants with process flow
3) Simple and small plant jobs can be undertaken by PHA, FMEA, HAZOP, ETA, FTA and HRA, but this is not economical and hence is not shown
4) Normal staffing shall be two to three in a team for most cases, except HAZOP where staffing may be five to seven or more [7]
Table II/2.3-1
Codes for Various PHA Methods (Refer Table II/2.3-2 for Uses of These Codes)
| Code Name Used | PHA Method |
| CL | Checklist (qualitative) |
| WI | “What if” (qualitative) |
| SWI | Structured “what if” (what checklist) (qualitative) |
| PHA | Preliminary hazard analysis (qualitative) |
| FMEA | Failure mode and effect analysis (guided word) |
| HAZOP | Hazard operability (guided word) |
| ETA | Event tree analysis (quantitative) |
| FTA | Fault tree analysis (quantitative) |
| HRA | Human reliability analysis (quantitative) |
| LOPA | Layer of protection (semiquantitative/quantitative) |
| QRA | Quantitative risk analysis (quantitative—different approach) |
Table II/2.3-2
Comparison of Various PHA Methods: To Be Read in Conjunction With Details in Table II/2.3-1. In This Connection Annexure of ISO 31010:2009 May Be Referred to Also
| Main Criteria | Subcriteria | CL | WI | SWI | PHA | FMEA | HAZOP | ETA | FTA | HRA | LOPA | |
| Type (FTA is deductive) | Qualitative | X | X | X | X | |||||||
| Guided word | X | X | ||||||||||
| Quantitative | X | X | X | X | ||||||||
| Team for all | But individual possible∗ | ∗X | ∗X | |||||||||
| Operational mode | Continuous | X | X | X | X | X | X | X | X | X | ||
| Batch/startup/ shutdown | X | X | X | X | X | X | X | X | X | |||
| Hazard level | High | X | X | X | X | X | X | X | ||||
| Low | X | X | X | |||||||||
| Simple/small plant (time in hours/days) | X | X | X | X | ||||||||
| Complex/large plant (days/weeks) | X | X | X | X | X | X | X | |||||
| Experience with system (H for high; L for low) | H/L | H/L | H/L | L | H/L | H/L | H | H | H/L | H | ||
| Information database | F: FEED, D: Detail design | F | F/D/O | F/D/O | F | D/O | D/O | D/O | D/O | D/O | D/O | |
| O: Op unit/startup | ||||||||||||
| Project stages: A: All; F: FEED; E: Detail Engineering.; C: Construction/startup; O: Operation; M: Modification; D: Decommissioning | A | A | A | E/C/M | E/C/M | D/O/M | ||||||
| Team leader expertise M: Minimum; MO: Moderate; E: Extensive | M | M | M | MO | MO | E | E | |||||
| Analysis quality G: Gross; S: Specific; V: Very specific | G | G | G | G | S | S | V | V | ||||
| Failure | S: Single; M: Multiple | S | S | S | S | S | S | M | M | M | ||
| Coverage width | W: Wide coverage; P: Physiochemical | W | W | W | S | S | W | W | ||||
3.0. Hazard Identification (HAZID) and Risk Estimate
The question may arise: because there are so many PHAs, why is there a need for HAZID? Before answering, one thing should be kept in mind: there is no conflict between PHA and HAZID. In fact many PHA may be utilized in HAZID for identification hazards. This question is best answered with the help of an example. Suppose there is a manually operated valve (maybe locked open) in a pipe line handling corrosive material, situated at a height. The valve is never/hardly operated and kept open all the time. To access the valve, there is a cat ladder. If there is a seat leakage or the valve is closed, any hazard may be analyzed using the PHAs discussed. On seeing a leakage a mechanic attends to it by climbing on a ladder but unfortunately something heavy falls on his head and he is injured (even with precautions like a helmet, etc.—such incidents are covered by human factor engineering, which deals with the application of information on physical and psychological characteristics to the design of devices and systems for human use). This accident is an external issue and not at all related to the process, and may be missed in PHA. While carrying out HAZID, the same situation may be identified and a canopy may be recommended over the area. This situation also addresses another misconception, that HAZID is used for new projects! In this case the plant was running or operating while the incident happened.
The basic concept of HAZID has been depicted in Fig. II/3.0-1.
HAZID is extensively used to address major accident issues, usually at a major hazard facility (MHF). In HAZID, incidents with a very low likelihood but with very high severity are also addressed so as to avoid any catastrophe at any time.
As shown in the HAZID process, hazards in process or nonprocess plants are identified usually by a group of people including workforce participation (in some cases this may be by an individual but workforce participation is also necessary), with the help of hazard identification techniques. When hazards are identified the risk associated is assessed and safety control systems are applied. In this clause, discussions will be restricted to HAZID, risk estimations, and task analysis methods. Further details on the HAZID concept are depicted in Fig. II/3.0-2. All PHAs are related to risk analysis but HAZID is strongly linked to risk analysis. According to CCPS [12] HAZID and risk analysis is basically pivoted around three questions: Hazard: What can go wrong?, Consequence: How bad could it be? and Likelihood: How often might it happen?
3.1. Basics of HAZID
Fundamental and relevant details regarding HAZID will now be discussed. The first point that comes in mind is: what is HAZID? HAZID basically is a study tool usually deployed at the early stage of a project. However, it can be used at other stages in the life cycle of plants also, from early project life to decommissioning. With the help of this tool it is possible to organize health and safety engineering (HSE) deliverables in the project. It identifies all hazards with a potential to cause a major accident to a facility, or to people at or near a facility and the environment. HAZID is applicable to both process- and nonprocess-based plants. It addresses not only the process hazards but also the hazards from external sources (e.g., hazard caused by the environment). Another important feature of HAZID is the involvement (direct or indirect) of workforces through proper understanding of the systems. Often people confuse HAZID with HAZOP. It is to be noted that HAZOP is mainly guided by IEC 61882 and HAZID mainly falls in the purview of the Seveso II Directive (after June 2015, Seveso II will be repealed and Seveso III will be effective) (Fig. II/2.3-1). HAZID is also a part of HSE and the Offshore Petroleum and Greenhouse Gas Storage (Safety) Regulation (Commonwealth) (OPGGS). However, HAZID is less costly, detailed, and assured when compared with detailed PHAs [12]. Some key features of HAZID are detailed in Fig. II/3.1-1.
3.1.1. HAZID Concepts and Features
• To identify all hazards, especially those that lead to a major accidental event (MEA), and to ensure that operator and workforce are well aware of the hazards at the existing facility and that new hazards are recognized before they could happen. This is to ensure workforce safety and the active participation of the workforce directly or indirectly through feedback.
• The hazard identification process should be workable and applicable for the facility concerned.
• Once the hazard is identified, the operator should ensure that proper action is taken to manage (reduce/mitigate) the issue.
• Hazard identification is necessary to instill sufficient knowledge, understanding, and awareness among all concerned, especially for those who lead an MEA, so that unwarranted situations are mitigated or prevented.
• The most suited hazard identification techniques are applied so that in-depth analysis is possible.
• A full range of hazards, modifications including health and safety-related hazards, and events are considered and output of the HAZID process is documented. Documentation should be maintained in a logical and systematic manner.
• An SMS must be employed for all hazards including health and safety hazards, not just for MEA.
• HAZID must be able to identify, select/reject, evaluate, and justify the control systems for hazard prevention/mitigation, especially for MOC.
• Identified hazards should not be ignored automatically just because a control system is in place. Also for existing systems, fresh look and inspection shall be initiated and provided. One should not ignore the existing plant as there is knowledge about it and no further knowledge is required.
• HAZID must take into account all expected modes of operation, activities, human factor, human–machine interface, system, and engineering issues.
• Many hazards occur because of a combination of failures, and so should not be ignored.
• All methods, results, assumptions, and any uncertainties must be documented in a systematic manner. Also all control systems proposed must be documented in such a way that they are clear to any third party; documentation should also demonstrate how hazards are reduced.
• HAZID is an ongoing dynamic process and applicable at all stages of the project, especially when there is any modifications and preventive control actions.
3.1.2. Some Important Definitions and Discussions
• Control measure: Control measures include actions that can be taken to reduce the potential of exposure to a hazard, or the control measures could remove the hazard or reduce the likelihood of the risk of exposure to that hazard being realized [8]. The National Offshore Petroleum Safety and Environmental Management Authority (NOPSEMA) defines control measures as “A control is any system procedure, process, device or other means of eliminating, preventing, reducing or mitigating the risk of any major accident events arising at or near the facility. These control measures could be process control, management decision/process, maintenance procedure, and emergency plan.”
• Formal safety assessment (FSA): This is the Offshore Petroleum and Greenhouse Gas Storage (and Safety) [OPGGS(S)] regulation. It “is an assessment or series of assessments that identifies all hazards having the potential to cause a major accident event, is a detailed and systematic assessment of the risk associated with each of those hazards, including the likelihood and consequences of each potential major accident event; and identifies the technical and other control measures that are necessary to reduce that risk to a level that is as low as reasonably practicable” [9]. According to the International Maritime Organization: “FSA is a structured and systematic methodology, aimed at enhancing maritime safety, including protection of life, health, the marine environment and property, by using risk analysis and cost benefit assessment” [11]. There is another term FSA (functional safety assessment) in connection with IEC 61508 & 61511, and should not be confused with this. Functional safety assessments have been discussed in later chapters. Basically, FSA is the debating, analyzing, sharing of views, and development of consensus among the participants to develop a system. In its simplest form FSA can be divided into:
• Identification of hazards
• Assessment of risk
• Risk control options
• Cost–benefit analysis
• Recommendations for decision making
• Major accident event (this should be read in conjunction with Fig. II/3.2.5-2): A major accident event is connected to the facility including external and natural events, which have the potential to cause fatality to persons at or near the facility including offsite (offsite is included here in light of the vastness of the major accident at Bhopal, India).
• Major incident (this is to be read in conjunction with Fig. II/3.2.5-2): A major incident is an uncontrolled incident including emission, loss of containment, fire, explosion, or high-energy release related to schedule 9/15 materials (materials are dangerous goods stored in a facility below a threshold value on account of the risk involved; for further details see Occupational Health and Safety Regulations (2007)) and which can cause a serious/immediate health and safety hazard.
• Major hazard facility: Major hazard facilities are locations where large quantities of hazardous materials are stored, handled, or processed, for example, an oil refinery, large chemical plant, etc.
• Safety assessment: Safety assessment process is consistent with international risk assessment standards such as ISO 31000. Safety assessment involves investigation and analysis of a major incident/accident and gives the operator a detailed understanding of all aspects of risk related to health and safety.
• Workforce: As per OPGGS(S)—an Australian legislation/standard, members of a workforce include those who are identifiable before the safety case is developed and working, or are likely to be working on the relevant facility [refer to OPGGS(S) standard]. For the development of the safety case for the facility, it is necessary that there is consultation with and participation of members of the workforce. It may not be possible to involve all concerned but effective circulation of FSA details and feedback from the members of workforce are of utmost importance. Naturally, suitable documentation plays a major role. Sufficient knowledge, awareness, and understanding of hazard scenarios by the members of workforce cannot be overestimated. Therefore regular reviews and feedback comments are very important.
3.1.3. Aim of HAZID
The basic objective of HAZID is to identify hazards (all types including possible escalations) to review the effectiveness of the selected safety and control measures for achieving an as low as reasonably practicable (ALARP) risk level. This also serves as proof that the facility (process/nonprocess) is operated with all major hazards to the workforce and third parties within a tolerable risk range. HAZID involves a critical sequence of information gathering and the application of a decision-making process. These assist in discovering major hazards, which can lead to a major accident (hazard identification). It also indicates how likely it is that a major accident would occur with potential consequences. It also indicates the control measures to reduce/mitigate the hazards. So, broadly, this can be:
• Identification of hazards that can lead to a major accident event.
• To provide the operator and the workforce with awareness and a clear understanding and sufficient knowledge of all hazards including design problems. These will provide them with a means to prevent the occurrence of and/or manage a hazardous situation.
• Identify the outcomes of events and perform a risk ranking.
• Establish the clear linkage among hazards, causes, and potential events.
• Enable the identification of all hazards related to health and safety of people at or near a facility.
• Provide a means to identify, evaluate, and justify the suggested/selected control measures to mitigate or reduce the hazards based on risk ranking and acceptance criteria.
• Systematic record keeping of all hazards and their impact including those related to health and safety hazards. This systematic record must also include all uncertainty, assumptions, and hazard screening if any. These are necessary for further reviews.
• Recording of all assumptions and uncertainties for further studies.
3.2. Planning and Preparatory Stage
3.2.1. General Considerations
Usually, qualitative brainstorming methods are undertaken by a team with in-depth knowledge of the facility and expertise in HAZID analysis. It is quite uncommon but not impossible that an individual is doing HAZID (may be possible for ETA/FTA). As stated earlier (Clause 3.1.3) the main philosophy behind HAZID is to develop a safety assessment of the system, and safety assessment is best developed through debating, analyzing, creating, and sharing views for the development of an integrated system where involvement of the workforce is very important. Keeping parity with the diverse nature of hazards, there is diversity in HAZID analysis and in HAZID analysis techniques, so suitable system selection is valuable. Several major steps involved in HAZID have been shown in Fig. II/3.2.1-1.
In many applications it is necessary to produce a safety case outline by the operator prior to developing a safety case. (Ref MHF regulation). MHF stands for major hazard facilities (such as oil refinery, chemical plants). MHF regulation is applicable for working in these facilities in Australia, and for working safe in these areas there are some obligations to be met with. In UK similar regulation is in place in the name of control of major accident hazards (COMAH).
3.2.2. Scope
It is necessary to identify all hazards that could lead to a major incident/accident. However, this is an endless task, so the operator (who is conducting the study) is required to set the boundary for each study. If there are no possibilities, because of any activity/procedure at the facility being escalated to a major incident/accident, then these can be excluded from the study. However, this is not arbitrary! Anything that is kept outside the boundary must be properly recorded with suitable reasons for demonstrating the safety case.
3.2.3. HAZID Team Formation
Because HAZID is related to the safety case and safety assessment, team formation and number of persons in the team are very much relevant. Safety cases are the responsibility of the entire organization, so it is necessary that there is a proper mix of experts and workforce. Usually, the team consists of three to five people, one team leader, and one secretary. While forming the team the following points may be taken into account:
• The team shall be the right mix of experts and the relevant work group. For selecting people from work group it is better to have prior discussions with various work groups to choose the proper representative.
• Because HAZID takes into account external hazards, it is better to involve people from manufacturing and contractors also.
• Operating personnel with high-quality knowledge about the facility may be taken into the team.
• People experienced and knowledgeable in plant technology, control systems, maintenance, and design engineering may be taken into the team.
• As a rule of thumb, a project manager for the facility (particular section), an expert team leader, one each from design and O&M, and a mechanic/technician may be included and if necessary the team may be augmented with views from manufacturers/contractors.
• HAZID calls for good participation from workforces but it is not possible to involve all, therefore discussion points may be circulated and feedback can be obtained. This feedback could be in the form of training and control of the hazards present. In this way, the workforce can be involved. The workforce may be involved in the following cases by sharing data and receiving feedback from them:
• Developing HAZID through interaction with workforce
• Forming team and workshop scheduling
• Participation in workshop
• Review comments on the result of the workshop
• Implementing modification and receiving feedback from shop floor workshop after analysis (involving them also)
It is desired that there is more and more workforce involvement for the awareness, knowledge, and understanding of hazards.
3.2.4. Hazard Identification Technique Selection
HAZID may not be as detailed as PHAs (detailed elsewhere) but there are a few influencing factors similar to those discussed in Clause 2.0. These are:
• Size and complexity of the facility
• Type of process and activity, for example, engineering procedure, process flow, mechanical type, electrical type, etc.
• Stages of the project in the plant life cycle
• Pilot study or safety case from a similar facility
Since hazard identification is the foundation of future courses of action, the selection of a proper identification technique is essential. The following are the features expected of hazard identification techniques:
• Systematic and structured
• Appropriate for the facility and stage of the job
• Possible to get maximum information
• Appropriate for people involved
The selection techniques with increasing effort level are:
• Checklist
• “What if”
• Guided word
• HAZOP
• FMEA
• Task analysis
• ETA
• FTA
Table II/3.2.4-1
Discussions on Selection Techniques
| Criteria | Discussions | Remarks |
Project stages in plant life cycle: Concept stage Detailed design stage Construction/startup Normal operation Decommissioning | At concept stage insufficient information so detailed systems HAZOP/FMEA are not suitable During detailed design detailed techniques will be a better choice At construction/startup and decommissioning phase better to go for task analysis Whereas in normal operation stage many are suitablea (see Remarks) | aAt normal operation it will be influenced by hazard knowledge history, etc. |
| Complexity and size | Large system means number of operations, multitude of equipment, etc. Very simple technique may not do but complex techniquesb may be bogged down (see Remarks) | bETA/FTA |
| Process type | FMEA is suitable for the case to detect failure mode (say electronics/control equipment manufacturing). HAZOP is better for process systems ETA and FTA is better for multiple failure detection | All these discussed at length in Clause 2.0 |
| For large, complex systems it is better to break down into small sections and apply suitable technique(s). Again a new system where the operator does not have any experience, or where similar plant data may be missing, then it is better to go for a detailed technique. | ||
3.2.5. Documentation
Fig. II/3.2.5-1 is an important record-keeping document for HAZID analysis. This hazard register is same as the risk register discussed in Clause 3.2 of Chapter I, and details of the risk register are shown in Fig. I/3.2.1-1. Since details of the risk register are already available, it will not be repeated here. Fig. II/3.2.5-1 shows the basic structure. In the case of HAZID, hazard register is the popular term, hence it is used here. These hazard registers are available for each section of the facility. For each section, all hazards and major incidents/accidents are listed along with the probable cause. The register also contains the control measure, assumptions, etc. This will become the main document for subsequent use.
Basic requirements of the hazard register are as follows:
• All hazardous events with controls shall be numbered suitably, as shown in the hazard worksheet discussed later.
Table II/3.2.5-1
| Area No. | Area Details | Detailed Description | Toxic Inventory | Corrosive Inventory | P&ID Reference | Remarks |
| 1 | ||||||
| 2 | ||||||
| n |
• All documentation of the HAZID shall be maintained under the control of documentation either manually or in large cases through computer software (e.g., ProArc).
• The hazard register must contain sufficient information to support later stage use, and later time decisions can be taken on this basis.
• The document is maintainable in the sense that it is possible to revisit the document and update knowledge. So, it should accommodate any knowledge gap, assumption, uncertainty, debated issue (if any), learnings from hazards, etc.
To develop a hazard register there are hazard worksheets, which are illustrated in Table II/3.2.5-2. It is better to divide large cases into several sections; such a section division sheet may be as shown in Table II/3.2.5-1. Here the number of columns and rows are arbitrary and in reality will depend on the actual situation.
Two typical sets of HAZID worksheet are presented in Table II/3.2.5-2 Typical hazard worksheet1, in one style where the severity index and frequency index have been shown along with regulation details. In Table II/3.2.5-3 the HAZID worksheet cause and consequence details along with safeguards are shown. These are all typical examples and are presented only for understanding the typical data requirements and presentations. In the earlier discussions, major incidents and accidents were used together, but in HAZID these are normally used slightly in different contexts, which are explained in Fig. II/3.2.5-2.
3.2.6. Scheduling
As the name suggests this means fixing up a HAZID study program. Since this involves the workforce as well as an expert, proper planning and scheduling are vital. Another important issue is to allow sufficient time to complete the HAZID study with a fully defined scope in depth as required by the chosen HAZID technique. A few important guideline points are:
• Availability of expert person and workforce involved
• Need to maintain production and other activities
• Cross-shift involvement so as to adjust manning and keep activity unimpaired
• Proper mental alertness with required breaks so that fatigue does not set in
• Maintenance of continuity and consistency
• Interaction with workforce to get real feedback
Table II/3.2.5-2
| Hazard Worksheet | Accident Category: Category I Description XXXXXXXXXXXX | |||||||||
| ID | Hazard Description | Phase | Cause | Effect | Detection | Subcategory | Regulation | SI | FI | Comments |
| 1.2 | Main ID may be actual/escalation issue under main ID | |||||||||
| 1.2.1 | ||||||||||
| 1.2.3 | ||||||||||
| a.b.c | ||||||||||
Table II/3.2.5-3
| ID | Hazard/Major Incidenta | Cause | Possible Consequence | Existing Safeguard | Risk Reduction Procedure | Remarks |
| Main Section | ||||||
| Subsection | ||||||
| 1.2 | ||||||
| a.b.c | ||||||
3.3. HAZID Process Description
So far the discussions have been on planning. Process description starts with collection and discussions on collected data. The basic process is depicted in Fig. II/3.3-1.
The HAZID study basically consists of the stages shown in Fig. II/3.3-1. All data and information are collected and duly reviewed by the team. They debate and analyze the data to develop an output for the hazard register discussed previously.
3.3.1. Information Collection and Handling
There are a few sources from where the data and information can be collected. The basis of HAZID is the comprehensive and accurate description of the facility by the operator. This includes but is not limited to the following:
• Complete process description in the form of PFD/P&ID, material safety data sheet, existing condition including any modifications carried out, etc., even before starting HAZID study.
• For an existing facility it is necessary to review all corrosion, explosion, fire incident, breakdown, equipment/control failure, and maintenance issues.
• Plant event history and/or similar plant event, major accident/incident event information or near miss issues should be reviewed. Here one point must be remembered: it should never be taken for granted that any incident not appearing in the history or similar plant data event cannot happen. So, anything that is omitted must be recorded for further review.
• Collection and compilation of all information.
Other important qualitative issues relating to the HAZID study should be properly addressed to obtain a better result. These are:
• All participants and the operator should understand the HAZID study and its purpose.
• The study being undertaken is applicable and relevant to the existing facilities.
• The study follows acceptable standard and norms.
• All knowledge gaps are identified and duly addressed.
3.3.2. General Considerations and Major Accidents/Incidents
Comprehensiveness and accuracy of HAZID is extremely important for subsequent actions such as safety assessment.
Initially, it is necessary that the facility is divided into several sections, which are manageable and logical. As shown in Fig. II/3.3.2-1, the division could be based on divisions in similar facilities. Geographical and in the case of a large complex facility logical sections may be based on similar process handling/chemicals or it could be based on similar operations and/or a combination of both, for example, in the case of an offshore mud storage facility it could be oil-based mud or water-based mud, etc. After this is done logically and in full agreement with the team and team leader, a question and answer session can be implemented. Some of these questions for each section may be as follows:
• Is there any deviation in process/activity or procedure from a design basis?
• What are the activities conducted and how could they go wrong?
• Is the presence of a hazard continuous or occasional?
• What equipment is there and how can it fail? Is there a possibility of failure because of external factors?
• What are the infrequent but abnormal activities that could be performed and how can they go wrong?
• Could there be additional hazards?
• What are the worst case events? It should be noted that not only is the design basis responsible for worst case events but also the presence of materials, extreme process conditions, failure to isolate the system, proximity, installation and commissioning issues, layout, proximity of other section/equipment, etc. could result worst case events.
• What are the major accident/incident events and how are they influenced (refer to Fig. II/3.2.5-2). A major accident/incident can be influenced by: (1) people (work culture, inadequate training, knowledge, understanding, attitude, mind condition); (2) the system (management philosophy, organizational chart, inspection, administration, communication and interaction); (3) the task (operation, construction startup); (4) the operating mode (normal operation, startup—when many interlocks may be bypassed—shutdown); (5) technology (equipment, controls); and (6) external/environmental conditions (suppliers, quality, political, earthquake, lightning).
• What are the possible events and their impact?
• What are the interactions with other sections and the possibility of a hazard causing aninteraction?
• How can existing controls and their impact be identified? It is helpful for a third party to understand that all identified hazards have controls and adequacy of control must be demonstrated.
• Already from Clause 3.2.5 it is known how major accidents/incidents are defined. It is now wise to consider some commonly used guided words in HAZID:
• Unignited hydrocarbon (HC) released
• Hydrocarbon (HC) released—fire
• HC released—explosion
• Toxic exposure
• High pressure
• High/low temperature
• Corrosion
• Object dropping
• Improper access/escape
• Radiation
• Maintenance
• Construction/startup
• Explosives
• Electrical
• Mechanical
• Structural
• Effluent disposal
• Biological and others
3.3.3. In-depth Analysis
The main motto of the study is that it is possible for the operator and others concerned to understand the nature of each hazard. The analysis shall be done in depth so that root cause is well identified, and appropriate remedial or control measures could be prescribed. The success of the study will not be achievable if only hazard is identified. The study shall be deep enough to indicate “When,” “Where,” and “Why” a hazard is present.
3.3.4. Creative and Lateral Thinking
In any plant there are certain obvious hazards, for example, fire hazard in shale shaker area of offshore facility or generator are hydrogen cooled generators in power plants. HAZID is not meant to identify such kinds of hazards only. There needs to be some realty and lateral thinking power while carrying out the study. Also there always exist certain chances of a hazard in a complex event, on account of a series of activities. In the study this can be revealed. These characteristics shall include but are not limited to the following:
• Challenge the existing system, such as any assumption, norm, and action, to discover any glaring weaknesses
• Thinking creatively beyond immediate experience
• Look in depth for the effect of failure of systems, controls, etc.
• The combinational effect of various factors can lead to a catastrophe, for example, a normally running safety device is always in service but on account of a specific issue one criterion might have been bypassed during startup. Because of human error this is not reversed and because of a combination of two human errors it can lead to a dangerous situation because protective devices are bypassed. For a better understanding of combination effect hazards see Fig. II/3.3.4-1 (inspired from Guidance Note WorkSafe [10])
• Other important considerations: It is often observed that there is a general tendency to ignore certain accidental events on account of low probability of occurrence. It may be thought by some that sufficient control measures have been considered with redundancy and the likelihood of occurrence is almost impossible. In any case, when any major accident issue is rejected on account of these considerations, in all probability such safety assignment will also be rejected by the authorities. In certain applications such as offshore, this tendency is rarely considered to reduce space and weight requirements. However, although there may be excellent control systems and protections , can anyone say for sure that it will not happen? Major contributing factors toward this logic are:
• Over time the effectiveness of controls will deteriorate.
• New control technology and action when needed may not be time tested.
• After the initial investigation, if anything is left out, and in a subsequent case it is recognized, there may be a possibility that the control system might not be adequate. Also the control system may not be properly managed on account of the absence of importance attached to it and control system requirements are properly followed.
• Potential dangers are extremely important for emergency planning.
However, initially, preliminary hazard analysis is often done for hazard screening processes to assess a major event. This will help in developing an SMS and FSA. Therefore the discussion may be concluded by saying that no potential danger situation is liable for rejection however low the likelihood of its occurrence is. Also if any assumption is considered it must be recorded for further review.
3.4. HAZID Output
The main output of HAZID is the documentation in the form of the hazard register where all hazards are listed with identification for each section, and cause and consequence and suitable linking with control measures are recorded. This is done in a logical structure and detailed in Clause 3.2.5 of this chapter, and hence is not repeated. Here, one very important point is that all assumptions, debated issues, and uncertainties must be logically recorded for further review. Another issue connected with HAZID study output is its application. The major application area of HAZID by the operator shall include but not be limited to the following:
1. An input document for safety assessment
2. Imparting knowledge with the workforce, so that hazard awareness is developed. This can be done through workshops and training. It very much depends on the operator's outlook.
3. The hazard register helps in the revising and rethinking processes, and general awareness about hazard is greatly improved.
4. Identified control measures are taken in safety assessment and assist in looking at the control system from different angles to improve its effectiveness.
3.5. Review
The operator is responsible for identification all hazards before they turn into a major event. Therefore HAZID is an ongoing and dynamic process. Whenever any new system or device is introduced and/or changed, HAZID shall be carried out to ensure that the assessed safety is not jeopardized. MOC is always an integral part of HAZID, so a facility modification or change in control needs to be carried out. If there is deficiency in control measures, HAZID needs to be augmented.
3.6. Quality Check
As in any other system, a quality check for the study is important so that it is effective and safety assessment is appropriate. The quality of HAZID may be based on input/process/output or a combination of these. The pillars on which the quality of HAZID depends are as follows:
1. Team: Qualification and knowledge, experience, training, and facility knowledge of the team carrying out the study
2. Involvement of the workforce and health and safety engineering representative, and their understanding and awareness
3. Selection of method most appropriate for the facility
4. Proper documentation and periodic review
5. Sufficient time allowed for completing the study
3.7. Task Analysis
The task analysis technique has been developed mainly to handle human factors (in HAZID and other methods). In HAZID this is helpful in addressing human factors such as human error, man–machine interface, and procedural error. Of the various hazard identification techniques, task analysis is one of the most important. The other techniques are discussed in subsequent chapters, but here discussions will be on task analysis. Task analysis is the study of what users need to do, in terms of actions and/or cognitive processes, to achieve a task objective. There are several factors, such as task duration, repetitive frequency, task allocation, complexity, equipment, ambience, and environmental conditions, which are required for the task and they very much influence the performance. At times, tasks are often used interchangeably with process.
• The basic purpose of task analysis is to systematically describe and analyze activities and document the procedures, processes, and resources that are used by individuals or groups to achieve the target/goal. Task analysis deals with a variety of human factors, so for HAZID and PHA the aim is to assess the human error or chances of human error and try to reduce that effect.
• Often task analysis and performance analysis are confused. They are parallel but are two different things. Performance analysis deals with future achievement while task analysis deals with the results currently being achieved.
Here concentration will be on task analysis. There are clear advantages of task analysis, but at a cost.
The advantages are:
• It gives a clear idea about the relationship between resources, process, and input with an accomplished result.
• It allows identification of what is good and bad about the current process and identifies the areas where there is scope for improvement.
• It allows a systematic review of the current task, and it will be possible to put forward recommendations for changes needed for the current task for its improvements and hazard-free operation.
The disadvantages are:
• It requires a fair amount of time and resources, which might not have been planned for.
• It is difficult and challenging to determine how the task will change because of recommendations, and what will be their impact on other parts of the system.
Broadly there are two kinds of task analysis:
• Action oriented: In this method, the observable behavior of humans along with task structure is described.
• Cognitive type: This contemporary technique is used for supervisory control and decision making. Here, the focus is on the mental process behind human observable behavior in decision making or problem solving. This also forms part of HRA.
The following important terms are defined first, for better understanding of subsequent discussions:
• Duty: The first level of breakdown of a job is the identification of duties, which are the areas of responsibilities of a person. From duty one can get an overview of the job. Normally, a job consists of five to six duties on average.
• Task: This is the first breakdown of duty, and can be further broken down into elements.
• Elements: This is the final breakdown component of a task. It gives the finer details of the task. (It is like an atom of an element.) When priorities are assigned to a duty, it permeates to applicable elements too.
• Performance influencing factor (PIF): There are a few factors, such as work environment, procedure definition, time stress, effective training, noise, long duty hours, etc., that influence the likelihood of error and human performance. It should be noted that PIFs are not automatically associated with but can influence human error. PIFs are plant specific. In applications like HRA, PIFs are rated numerically (e.g., worst 1, average 5, and best 9) to check the ratings for a procedure (written procedure, training) or working environment (such as noise, lighting, etc.). Also factors like fatigue (caused by prolonged duty hours, shift rotation, lack of rest, etc.) influence PIF, and may result in errors. The PIF scale varies from a well-defined procedural system to worst possible system without training or defined procedure, and is plant specific.
There may be certain preconditions for a task, and by task analysis these preconditions may be eliminated to make the system error free. Task analysis is quite often used for a new system or for modification work in a HAZID application. It can be used during detailed investigation. We will now concentrate on various systems of task analysis, as shown in Fig. II/3.7-1.
3.7.1. Hierarchical (Action-Oriented) Task Analysis
This is a top-down system. Here, there are two important terms that need to be understood:
• Operation: This refers to the action by the operator while interfacing the system or the action by the system itself.
• Plan: The condition necessary to take the action referred to as to Plan.
• Hierarchical task analysis description: Hierarchical task analysis starts its journey from the overall objective needed to be achieved. This objective is divided into a series of suboperations. The plan specifies the information source and when it is to be carried out. The question is do these suboperations need to be subdivided into finer elements? This is totally dependent on the analyst, in case the analyst feels that there is scope for error. The analyst can then further divide the suboperations into the lowest level or elements to improve the quality of task analysis. This will be clear from the example of CCPS of isolating a one-level transmitter [13], as shown in Fig. II/3.7.1-1. It should be noted that in this example, one task has been further subdivided, so that the possibility of obtaining one side of a differential pressure transmitter is avoided, following instrumentation working convention.
As shown in the figure the process starts with the main objective of isolation of a transmitter by Plan 0, which says to perform operations 1 to 4. At operation 1 it has precondition Plan 1 where it needs to do suboperations 1 to 4 (1.1–1.4) to complete operation 1. Then it goes to operation 2 and faces Plan 2, which again asks to complete suboperations 2.1 to 2.4. Note here that operation 2.2 is necessary to ensure that at no limb of the differential pressure transmitter is there a chance of much higher pressure than when carrying out suboperation 2.3 and 2.4. Also this ensures two options for transmitter drain so that the transmitter is depressurized, which is a requirement in operation 3. Finally, at operation 4 the main objective is achieved and verified. The following are the major advantages:
• It is economical in the sense that knowledge gathering and organizing can be carried out up to the point of desire.
• Hierarchical task analysis can be the starting point for further error analysis methods.
• When used as input to design functional safety, hierarchical task analysis can be placed at a higher level, which helps in allocating functions to the system and people concerned.
• Since hierarchical task analysis is developed in collaboration, the analyst is well aware of the perception of people and allocated tasks and plans.
There are a few negative points also. These are:
• As hierarchical task analysis is developed with various levels of people a good amount of time is essential.
• The analyst needs a fair amount of skills training and technical knowledge about the system so that the breaking down of the tasks can be done effectively.
3.7.2. Operator Action Event Tree
As the name suggests Fig. II/3.7.2-1 is like an event tree diagram, which shows various decisions and actions concerned people are expected to do. This operator action tree is mainly used for post accident cases to pinpoint an operator's failure. This is very much used in accident analysis in air crashes. The level of breakdown of the main task is crucial. Too many breakdowns may pose a problem in handling. From visual inspection it is possible to identify the crucial operation that can initiate the event. The figure will give a clearer idea.
In this example, in its simplified form the actions of the operator when the drum level is high initiates the pretrip alarm. Also in this example, one set of boiler feed pumps (BFPs) and one set of feed control valves (FCVs) have been considered to simplify the diagram. By manual control in first action stands for master control in manual mode, whereas individual controls for BFP speed and FCVs are shown separately. This is structured information on operator actions after the event occurred and is able to identify critical action in response to an initiating event. Here it is possible to detect the error of omission but it does not throw any light on alternative actions, if any. Also if the system is complex then the event tree will be much larger and sometimes may be difficult to handle. In this example, if 3 × 50% BFPs and FCVs are considered then the event tree size will be quite large and somewhat complex because of logical selections.
3.7.3. Flow Diagram
This type of task analysis is applied when there are issues related to decision making, complex situation handling, time-based system interlock checking, etc. This is somewhat like a program flow chart in which action sequences are described. The system is described with the help of very short burner management logic, as shown in Fig. II/3.7.3-1.
This is user friendly to the workers because it describes all the critical steps the operator needs to take care of to complete the process. This also helps the analyst to check whether all check points have been fully satisfied by the worker. However, if the task is too complex, unless they are broken down into smaller tasks, it is very difficult to handle.
3.7.4. Critical Action and Decision Evaluation Technique
The Rasmussen ladder diagram is the basis for this technique. As the name suggests it deals with critical actions and decision making. It senses the consequences. In case of failure of critical action and decision, then there may be serious consequences for safety, production, etc. Initial alertness, observation, interpretation, execution, feedback, etc. are some of the decisions and actions. For example, a pretrip alarm indicates the first stage of a problem. This is when the operator needs to take action (as shown in Fig. II/3.7.2-1). However, “absent mindedness,” “distraction by any other issue,” or “low alertness” are a few errors that may prevent the operator from taking necessary action in time, which may result in a boiler trip (as shown in Fig. II/3.7.2-1). Similarly, observation and interpretation of data from, say, an instrument reading are vital. During observation the operator may make assumptions (e.g., in the example of the drum level, if the assumption was that the high level was caused by swelling, which occurs at times of high demand, and actually the level rises during low demand, and the action is ignored, then the consequences may be detrimental). Also by the time operator realizes that the initial assumption was incorrect the operator needs to take alternative actions.
3.7.5. The Influence Modeling and Assessment System [14]
This is another kind of cognitive task analysis, and is used to elicit a subjective cause sequence model, which is a graphical representation of the operating team regarding:
• Alternative causes for a disturbance
• Various consequences as a result
• Various displays in the control room
These are used in training to acquire diagnostic solutions to problems.
3.8. HAZID Discussions
In the following subclauses, human factors and pitfalls in HAZID are covered.
3.8.1. Human Factor
HAZID discussions are incomplete unless human factor is addressed. Actually, human factors can be seen as interactions among people, organizations, systems, and equipment including control systems (HW&SW). Human intelligence is unquestionable, but there are also limitations in understanding, interpretation, and capacity. This varies from person to person, as well as with training and a person’s particular trade, for example, when a designer is assigned a technical marketing task his performance rating may fall as that person may not be trained in technical details and coinages needed for marketing. So, from a major hazard perspective, the human role is critical and must be addressed in safety documentation. The operator should always examine foreseeable major accidents and consider the human factors involved. For example, human factors can save a plant from catastrophe through intuition and intelligence; similarly human factors can contribute to hazards at all levels. Therefore, task analysis has an essential role to play.
3.8.2. Worst Case Scenario
The operator needs to examine case by case the entire documentation, assumptions, etc., and the risk estimate (risk analysis) discussed later, to arrive at a worst case scenario for a facility.
3.8.3. Common Mistakes, Pitfalls, and Suggestions
• There is always a tendency to screen a few hazards because either their occurrence is rare or their consequence is low because of the control system. Again, the key purpose of risk assignment is to find the control measure and improve its efficiency and effectiveness. So, with such assumptions, it becomes self-defeating.
• Hazard identification should not be too generic.
• All root causes, initiating event(s), must be identified.
• It is better to conduct risk assignment/analysis, which should not be linked with HAZID.
• Large systems should be broken –down into smaller systems because the broad scope of HAZID is difficult to handle.
• Preparation, record-keeping mode, etc. must be decided beforehand to obtain the desired result. A pilot study may be helpful.
• It is better to include experts from outside along with workforce participation.
3.9. Risk Estimate (Brief)
After the hazards have been identified, it is necessary to find out the initiating event(s). Initiating events are those events that unleash the potential inherent cause of the hazard and, either directly or indirectly, cause consequential damage to the property, people, and environment. Therefore there will be a list of initiating event(s). Risk associated with these events will be estimated so that control measures can be assigned as part of risk assessment discussed later. As a preliminary step, qualitative risk estimation is a good choice. Here it is to be noted that the hazard register and HAZID worksheets discussed in Clause 3.2.5 will be helpful. From Fig. II/3.9-1, one can find the acceptable and ALARP (refer to Chapter I) events. Risk analysis is not only associated with HAZID, therefore risk analysis, assessment, and management will be discussed in Clause 4.0 in this chapter.
The risk matrix method can provide a quick understanding of the risk profile of the facility and can be based on judgment or be further investigated using more detailed information. This method has limitations also. It is not easy to incorporate the effects of risk reduction measures within the risk matrix, and it cannot be used for cumulative risks.
4.0. Risk Assessment and Management
With the basic definition and knowledge on hazard and risk, risk matrix, risk ranking, etc., it is now possible to proceed with discussions on risk assessment and management. The first step toward risk assessment is hazard identification. This is done through knowledge of various PHA and HAZID discussed in the preceding two clauses of this chapter. Now the reader is in a position to follow discussions on risk assessment and management. In risk assessment, one part is control measures, which will also be covered in this clause. Here it is worth noting that the control measures referred to earlier do not mean process control alone but cover all physical controls for prevention and mitigation of risk (including process control). Risk analysis and management enable analysis and management of risks associated with a facility or project. No two projects or facilities will have identical risks, hence a specific task is necessary for each case to reduce/eliminate/mitigate risks. The international standard for this is ISO 31000, which is discussed in Clause 1.1 of Chapter VI.
4.1. Risk Analysis Basics
In this subclause, short discussions are presented on various definitions, meanings, etc. so that these can be used in subsequent clauses.
4.1.1. Various Terms and Definitions
It is better to refer to various standards so that the reader can get the feel of the entire scenario. For convenience, various terms are linked with the figures in the book for a better understanding.
• What is risk assessment?
• From the Canadian Center for Occupational Health and Safety, risk assessment is a process to identify hazards, analyze or evaluate the risk associate with those hazards, and determine appropriate ways to eliminate or control hazards.
• According to ISO 27001:2005, risk assessment combines two techniques: risk analysis and risk evaluation (defined later).
• At HSE.gov.uk, risk assessment work has been described as identifying the harm to people in the workplace, who might be harmed and how. This is achieved by evaluation of risks and deciding on appropriate control, taking into account controls already in place, recording risk assessment, reviewing, and updates (Fig. II/4.1.1-1).
• ISO 31000:2009 (preface) says that risk assessment attempts to answer the fundamental questions:
What can happen and why?
What are the consequences?
What is the probability of their occurrence?
Is there any factor(s) that mitigates the consequence of risk or that reduces the probability of risk?
As per ISO Guide 73:2009—Risk Management—Vocabulary, it is the overall process of risk identification, risk analysis, and risk evaluation.
• As per NORSOK Z013: “Overall process of performing a risk assessment including: establishment of the context, performance of the risk analysis, risk evaluation, and to assure that the communication and consultations, monitoring and review activities, performed prior to, during and after the analysis has been executed, are suitable and appropriate with respect to achieving the goals for the assessment”
• What is risk analysis?
• According to ISO 27001; 2005: Risk analysis uses information to identify the possible sources of risks. It uses the information to identify the threats or events that could have harmful impacts. It then estimates the risk by asking: what is the probability that this risk will actually occur in future? And what impact would it have if it actually occurred?
• What is risk evaluation?
• According to ISO 27001:2005: A risk evaluation compares the estimated risks with risk criteria (Fig. II/4.1-1). This is done to determine how significant the risk really is. The estimated risk is established by risk analysis.
• As per NORSOK Z013: Judgment, on the basis of risk analysis and risk acceptance criteria (Fig. II/4.1-1), of whether a risk is tolerable or not.
• As per ISO 31000 one needs to consider project objective, whether some activity needs to be undertaken, need for risk treatment (if any), priorities of treatment, tolerability of risk to others, and decide if it is acceptable.
• What is control measure?
• According to ISO 31000:2009 it is basically modifying the risk. (However, note that controls may be any process, policy, device, practice or other action which modify risk, and that controls may not always exert the intended or assumed modifying effect.)
• From ISO 2700:2005 definition: Control measures are the ways to control each specific hazard. Hazard control methods are often grouped into the following categories:
• Elimination (including substitution)
• Engineering controls
• Administrative controls
• Personal protective equipment
• Control measures in a facility may be any system, procedure, process device that will be used eliminate hazards, or prevent hazardous incidents from happening, or reduce the severity of the consequence of hazardous incidents when they occur. Control measures act like a wall between the hazard and the facility (similar to a firewall in a computer system).
4.1.2. Definitions of a Few Related Terms
• Risk assessment and safety audit: A risk assessment result can be used to predict whether the facility is safe or not. If it is not acceptable then additional control measures must be used to keep the facility safe. A safety audit is a process by which such safety claim is verified for consistency in results. Each case-by-case validation is done.
• Risk assessment and SMS: As stated earlier, with the help of risk assessment and (if necessary) with additional control, a facility will be made SFARP (so far as is reasonably practicable), that is, as far as practicable. SMS is the system to ensure that the risk levels achieved during risk assessment will be well maintained.
4.1.3. SFARP/SFAIRP
Both these abbreviations are in use. In HSE.gov.uk it is used as SFAIRP. In Clause 4.3 of Chapter I ALARP has been discussed. As per HSE.gov.uk they essentially mean the same thing, the core concept being “reasonably practicable.” The term balances risk with time trouble, difficulty, and cost (together termed as sacrifice). Similar to ALARP, if sacrifice is disproportionate in relation to risk, it may be accepted but needs to be demonstrated. The major influencing factors that need to be considered are:
• Likelihood of the risk
• Severity of the consequence (harm degree)
• Availability/suitability of the ways to eliminate or reduce
• Cost for reduction/elimination
• Concerned person knowledge about the hazard and its reduction
4.1.4. Objective and Philosophy of Risk Assignment
The objectives of risk analysis and assessment are as follows:
• Develop a basis for identifying, evaluating, and ranking various risks with risk contributors.
• Define and justify control measures for the facility.
• Establish a link between the control measure and potential major incidents. This is necessary for formal safety assessment where applicable.
• Another purpose of risk assessment is to choose the appropriate tool for risk analysis and selection of control measures. For this, a preliminary study may be helpful.
• Capture knowledge about the major hazards and associated risks that can lead to a major incident. This knowledge will help in combating the challenges posed by the risks.
• Identify the concern for community, safety management issue, and emergency plan.
• Demonstrate the adequacy of control measure as well as reduce risk to ALARP.
• The result of risk assessment/analysis is used for decision making regarding additional control measures and may be required to provide specific information demanded by regulation.
The main philosophy behind risk analysis is to ensure that the entire workforce has sufficient knowledge, awareness, and understanding of the risks from major incidents. Understanding the risk may be accompanied by uncertainty, and by effective risk analysis, this is removed through debate, active participation, and sharing knowledge about risks and control measures. In this connection NORSOK Standard Z-013 Clause 5.2.2.3 may also be referred to. The standard also includes operation constraints and limitations, defined situations and accidents, area system and equipment classification, etc.
4.1.5. Features and Framework of Risk Analysis: The Basic Features of Risk Analysis Shall Cover
• All hazards and contributors for major incidents
• All consequences and frequency with which they happen
• All stages of the facility
In its general form, the basic framework accordingly shall include analysis of cause frequency and consequence, justification of control measure, and final evaluation, as shown in Fig. II/4.1.5-1. The entire procedure is greatly influenced by a number of factors such as people, viewing the system, appropriate selection of analysis process control measure, updating, and maintenance as shown. The operator's safety philosophy plays vital role in modifying the structure of risk analysis. If the intent is to seek clearance from an authority or to meet the requirement of a standard, then it will be guided by the basis of the standard. However, it is the duty of the operator to ensure that all aspects have been covered, even if they are not covered in the standard. If the risk analysis is done for an engineering or management system, then the framework may vary.
4.1.6. Standards
Standards associated with risk analysis shall include but are not limited to:
• ISO/IEC 31000
• IEC 60300-3
• EN 1050
• NORSOK Z-013
• ISO 17776
The references of a few are given so that, according to need, the reader can refer to the relevant standard.
4.2. Risk Analysis Prestart Issues
For an effective risk analysis it is recommended that there shall be some planning and preparation before the actual procedure is taken up. The following basic steps may be considered.
4.2.1. Scope and Approach
It is very important to define the scope of the job (NORSOK Z-013 may be referred to). If this activity is undertaken for a routine/nonroutine activity of the company project, the approach will be different if it is taken as FSA. Within this limited discussion we shall take a generalized approach. However, a more rigorous approach is recommended so that operator can understand the preventive and mitigating actions, and can take well-informed decisions. Also it should help in developing SMS.
4.2.2. Technique(s) Selection
It is of the utmost importance that the operator selects the most appropriate technique for the facility. Various techniques are discussed in subsequent chapters (see also IEC 31010) and hence are not discussed here. For compatibility and suitability of the techniques for the facility, the following points should be under consideration:
• Type and complexity of the facility
• Type of likely hazards
• Selection of control measure
• Ability to rank the risks (likelihood and consequence)
• Level of details desired
• Available resources
• Technique complexity as per requirement
• Consistency with the facility's general approach
Depending on the requirements these could be qualitative, semiquantitative, or quantitative. As discussed next.
4.2.3. Risk Analysis Types
There are basically three types of risk analyses: qualitative, semiquantitative, and quantitative. The type suitable for a facility mainly depends on selection of the risk assessment process discussed, details desired in the assessment result, and predictive risk level.
• Qualitative: With the help of the risk matrix discussed in Clause 3.0 of Chapter I, it is possible to carry out rapid risk assessment. However, this is very project specific. Also here the numerical scale is not used. In this approach, cumulative risk assessment is very difficult. These are subjective approaches.
• Semiquantitative: Risk matrix (Clause 3.0 of Chapter I), risk nomogram, and risk graph (Fig. I/3.4.1-1): In these approaches it is possible to generate the numerical value of risks (but not absolute), to differentiate risks, and to conduct rough cumulative risk assessment. Also control measure assessment is possible.
• Quantitative: Based on calculated estimate risk value, calculation is possible. This is suitable for large complex facilities, where detailed study is required. However, it is time-consuming and expensive.
• In most cases a three tier approach is adopted, as shown in Fig. II/4.2.3-1. Initially, a qualitative or semiquantitative approach is taken to assess the risk and screen it. When risks are in a high risk zone or there is the possibility of a major accident event, then quantitative risk assessments are carried out to prescribe necessary control measures. It is quite common that in many cases a combined approach is necessary to justify consequence analysis. Mostly, when a quantitative approach is undertaken, prior preliminary analysis is done. From the diagram it is seen that whenever all replies to the queries shown in the diagram after qualitative analysis are “NO,” then the action stops. If any reply is “YES,” then the next level of analysis is carried out. A similar approach is applicable for semiquantitative and quantitative analyses (Fig. II/4.2.3-1).
In some cases detailed studies are necessary to pinpoint major incidental events, for example, aging (Chapter I). For such cases several quantitative studies will be undertaken. Some detailed study lists are presented in Table II/4.2.3-1.
4.2.4. Staffing and Workforce Involvement
In line with the requirements stated in Clause 3.2.3, there shall be total involvement of the entire workforce in the system. Only a few numbers will be directly involved in the process while others’ views shall be counted through their interview feedback report. Information sharing is very important. The team will comprise management, supervisors, operations, maintenance groups, etc., and, wherever necessary, specialized groups. It is quite natural that each of these groups looks at things from different angles and shares different experiences. Also data is better retrieved from interviews and information from those who are not directly involved in the team but connected with the working of the facility is also helpful. It will also be better to involve contractors and suppliers because they can provide valuable information. It will be the responsibility of team members to carry out cause, likelihood, and consequence analysis. Therefore team members should possess good knowledge of the risk analysis process and be in a position to suggest control measures. So, experienced personnel should be a part of the team along with someone from the health and safety department to better organize the system.
Table II/4.2.3-1
List of Probable Investigation Studies (Inspired by Ref. [16])
| Risk Driver | Investigation | Risk Driver | Investigation |
| Aging and integrity | Mechanical integrity, corrosion rate, breakdown data, reliability, inspection and maintenance issue | Hazardous gas | Ventilation/layout, gas/smoke ingress, wind tunnel, overpressure, gas dispersion |
| Process condition changes | Various HAZOP/mechanical integrity | Dropped/load impact | Dropped object/layout study/material handling |
| Human error | Task/HRA or procedural study | Fire/explosion | Electrical zone classification/hazardous study/equipment compliance |
| Control system reliability | Power supply, common mode failure |
4.2.5. Information Flow
After the hazards have been identified, a series of information becomes available. This information along with other relevant data gathering is very important for risk assessment. Fig. II/4.2.5-1 depicts a few sources of such information.
The collection of information will help to develop an understanding about the data within the participants so that:
• Suitable link between the control measures and the hazard causes could be developed. A part of the control measures that was not done during the hazard identification stage will be completed now.
• Available information on control measures is well understood and additional information could be developed at this stage.
• Classification of hazards can be performed so that they can be addressed in a group if possible.
4.2.6. Combinational, Cumulative, and Individual Hazards
Always there is no need for hazards to appear individually. In fact, an individual effect may be negligible but in combination these may cause havoc. In this connection, Fig. II/3.3.4-1 may be referred to. Another aspect on which emphasis must be placed is cumulative risk. Unless cumulative risk is assessed, the overall risk profile for the facility cannot be drawn up. This also makes it possible to evaluate key causes and control measures in the perspective of cumulative hazards. It is recommended that before starting the risk analysis process these aspects are well understood.
4.3. Outline of Risk Analysis Procedure
Basically, risk analysis means analysis of consequences, likelihood, and human factors. Control measure is also a part of risk analysis, but will be dealt separately in Clause 4.4. Also in this clause three different kinds of risk analyses shown in Fig. II/4.2.3-1 will be covered.
4.3.1. Consequence Analysis
As the name suggests, this judges the magnitude that deals with the scale of damage (the area/number of people affected) and the severity that deals with actual level of damage (depth of damage). Another important factor is the escalation zone, which means intensifying the event and/or triggering another event(s). These are important areas in which to establish control measure adequacy and emergency planning.
As is seen from Fig. II/4.3.1-1, near the vicinity of the incident the severity will be more intense than further away. Also it gives an idea of the magnitude of the consequence of an event. To assure adequacy of the control measure it is necessary to realize the worst case scenario, which could be a cumulative or combination effect. Most likely the incident issue is important, hence the total range of hazards is important. Also the potential escalation zone at the interface area of the fatality zone and equipment zone is vital because severity in this zone may be wider. Qualitative estimation of consequences is done on the basis of previous experiences. In some cases, such as jet/flash fire gas dispersions, etc., detailed quantitative analysis based on computerized modeling may be called for. Various analysis types are discussed separately.
4.3.2. Likelihood Analysis
As already discussed in Chapter I in connection with risk matrix, in qualitative analysis, likelihood is estimated and categorized based on experience and judgment applicable for the project. Also these risk categorizations may be done on a quantitative basis as already discussed (say once in a year, etc.). In quantitative analysis the same is done based on previous records or a failure database for which quantitative PHA may be helpful. Failure occurrence data from other plants within or outside the company could be a good source of data.
4.3.3. Nature of Injury
While carrying out the risk analysis it is important to have data regarding the nature of injury caused by a major incident event. For this it is necessary to know what may go wrong and why (is it because of the wrong implementation of control measures or did control measures fail to act). Also it requires a whole range of outcomes, etc.
4.3.4. Human Factor
This is another important factor that may cause a major incident event. Unfortunately, it is rather difficult to have a quantified estimate of the likelihood of such occurrences. A rough estimate may be available from previous incidents.
4.3.5. Screening of Hazards
During hazard identification, screening of hazards is not recommended but based on consequences this may be done. It is important that all hazards need analysis but not at the same level. Screening will help in this regard. All screening shall be done on a real consequence basis on the assumption of effectiveness of control measures or because of likelihood of occurrence.
4.3.6. Qualitative Risk Analysis
From Clause 4.3.3 it is clear that the most common form of qualitative risk analysis is the risk matrix and risk ranking (Chapter I). Generally, preliminary hazard analysis (Clause 4.0 of Chapter I) is done to obtain rough knowledge about the risk profile for the facility.
4.3.7. Semiquantitative Risk Analysis
Semiquantitative methods are used to describe the relative risk scale. For example, risk can be classified into categories such as “low,” “medium,” “high,” or “very high.” The number of levels of risk can vary from (say) a to b. In a semiquantitative approach, different scales are used to characterize the likelihood of adverse events and their consequences. Analyzed probabilities and their consequences do not require accurate mathematical data. Semiquantitative assessment is useful especially if quantification of risk is difficult. At the same time, qualitative interpretation is too subjective. As already discussed, the risk graph (highly project dependent) discussed in Chapter I in conjunction with available guided risk nomogram or LOPA approach, is commonly used for this purpose. Here discussions will be mainly on the LOPA approach (LOPA will be dealt with separately later).
LOPA basically assesses single event–consequence scenarios, as shown in Fig. II/4.3.7-1. As is seen, there will be initiating events or issues that are the cause of an event, for example, electrical spark may be the initiating event, cause may be the fire, and the event may be the explosion, which may have far-reaching consequences (Fig. II/4.3.7-1).
In the figure, IPL 1–4 are independent protection layers, which are devices, systems, or actions that can prevent a scenario from spreading to an undesired consequence. All these layers are independent so that any one failure will not affect the functioning of the other layers.
As is clear from Fig. II/4.3.7-2, after the consequences are screened, consequences leading to accidents are considered. For each case, initiating event IPLs are considered. Risk estimate and risk evaluations are now done using the risk matrix, which may have quantitative scales. In the next step, associated risks are checked for acceptability. If accepted, then the next initiating event is considered. If not acceptable, then various options are considered for a new IPL, either preventing or mitigating to reduce the risk. After this exercise is over, again likelihood and consequence may be reassessed. The critical elements are: estimation of likelihood, consequence class (mainly dealing with consequence size—area or spread, fatality and cost, etc.), and tolerance limit. Total risk level can be estimated in terms of severity and probability rather in a quantitative way.
4.3.8. Quantitative Risk Analysis (QRA)
QRA is contemplated when further accurate studies are necessary (Fig. II/4.2.3-1). As per DNV (Clause 8.4.2 of Ref. [18]) process definition “quantitative analysis is the process for numerically analyzing the effect on overall project objectives of identified risks.” Generally, QRA is performed on the basis of results obtained from qualitative analysis.
• Generally speaking, QRA is recommended in the following cases:
• Effectiveness of various IPLs opted out, could not be established
• Relative risk demonstration/improvement of consciousness of workforce
• Layout issue related to escalation of hazard
• New technology with perceived risk but lack of historical data
• Very costly equipment/plant and probability of high risk for workforce/surrounding people because of accident
• QRA analyses numerically the effect of project risks on project objectives. A decision tree or Monte Carlo simulation is used with basic objectives:
• Calculating probability of achieving project objective
• Quantification of risk and then ranking for attention
• Quantitative project outcomes with associated probability
• This system generates quantified risk for the entire facility by cumulating from individual hazards.
• Guidance for project management decision making, developing emergency plan because of uncertainty
• Getting realistic cost, timeframe, and scope boundary
• Major tools and techniques are:
• Interviewing techniques are used to quantify the probability of and impact of risks. There are normally two techniques used: one is triangular distribution where optimistic, pessimistic, and most likely cases are considered. Other is normal distribution, for normal distribution, mean and standard deviation need to be developed from collected data and placed in a normal distribution graph. All these are done on expert judgment.
• Quantitative risk analysis and modeling techniques: One is sensitivity analysis and is used to determine which risk has the most potential impact. A project or facility may consist of several elements. In sensitivity analysis, effects of project objective are tested because of variation of an element when others are in baseline values. It can highlight how a single change in one of the risk variables can make a marked difference on overall project objective. The other is expected monetary value analysis where each possible outcome is computed, and wherefrom the average of outcomes is determined.
• Probabilistic and simulation: Probabilistic analysis specifies probability distribution of a single risk and then combinational distribution is considered. Generally, a Monte Carlo simulation model is used. Here a project simulation uses a model that translates uncertainty specified at a detailed level with its potential impact on the objective at the level of the total project.
• Decision tree technique: A typical decision tree is shown in Fig. II/4.3.8-1. Here there are two major nodes: one is the decision node and the other is the probabilistic or chance node. The figure shows the decision regarding cost versus risk.
• Major utilization of QRA output: Major application areas are:
• Probability of achieving project cost and schedule
• Prioritizing risk according to quantified values
• Risk trending very helpful in decision making
4.3.9. Uncertainty Factors for Risk Analysis
From the discussions so far it is very clear that when there is uncertainty, effectiveness of risk analysis, even the probabilistic approach, may suffer from inaccuracy. There are two kinds of uncertainties:
• Aleatory uncertainty refers to uncertainty caused by probabilistic variations in a random event.
• Epistemic uncertainty is uncertainty that comes from lack of knowledge. This lack of knowledge comes from many sources, for example, inadequate understanding of the processes, incomplete knowledge of the phenomena, imprecise evaluation of the related characteristics, etc. Epistemic uncertainties affect the values of the probabilities and frequencies of the events included in the accident scenarios, such as mechanical failure and repair rate, probability of failure on demand for a control system, or human error. There are three different cases in this regard:
• Hardware failure: Insufficient data for quantitative analysis with expert judgment, as discussed earlier.
• Human error: An analyst may not have sufficient refined data and characteristics.
• Phenomenal failure or an environmental event such as gas release, earthquake etc.: Here also there may be insufficient available data regarding all processes and geographical data/experience.
4.4. Risk Assessment and Output
This is a part of risk analysis that should be done after control measures (Clause 4.5) have been taken into account.
4.4.1. Risk Assessment Issues
After risks have been identified based on consequences, they are screened and those need special attention are separated and QRA, etc. are performed on them. In risk assessment, the total likelihood of each incident with control measures shall be assessed. In risk assignment, the complete risk profile, highest risk incident, and the individual as well as cumulative hazards must be analyzed and evaluated. Individual hazards may be insignificant but cumulatively they may be a big issue! Therefore cumulative and combinational effects need to be considered. In the previous clause, a number of outcomes of uncertainty were discussed. There are other uncertainties caused by:
• Invalid assumption
• Incomplete hazard/consequence identification
• Improper modeling
• Lack of process or operational knowledge or information
• Misunderstanding of the link between hazard and control measure
4.4.2. Brief Risk Assessment Goal
One of the main goals of risk assessment is to ensure that safety is brought to the system. Now it is the job of the operator to demonstrate that the risks are in SFARP.
• Risk criteria give the basis for judging tolerability for overall risk. It is better to divide overall risk criteria into three parts, as shown in Fig. II/4.4.2-1.
The top part in the figure is the unacceptable region and detailed QRA, and suitable additional control measures are necessary to reduce risk. The mid portion is the tolerable region and suitable control measures are necessary after semiquantified analysis to bring them to SFARP. Even for the acceptable zone risk analysis is necessary but qualitative will do. Adapted control measures must be shown to collectively eliminate or reduce to ALARP, with details in the safety document. Additional control measures (Clause 4.5) may be adapted for:
• Unacceptable risks
• Demonstration of risk is in ALARP
• Deficiency of existing control measure
• New technology
• Change in control measures
However, there is no prescribed methodology for such demonstration. The documents shall be detailed so that after evaluating control measures it should be possible to see that ALARP has been attained. Risk reductions can be achieved by elimination, reduction of likelihood of occurrence, or reduction in consequences.
4.4.3. Outputs and Their Uses
Various outputs and their use from risk analysis shall be as follows:
• Identification of factors influencing hazards and control of these factors
• Establishment of defined link among hazards, major incidental events, and control measures to regulate them
• Prioritization of action to avoid major incident event
• Identification of the likelihood of major incident events
• Understanding how risk analysis can help the entire workforce to identify all the hazards and major incident events associated with the facility and how these can be combated with use of control measures
• Result of risk analysis is necessary to demonstrate that risks have been reduced to ALARP/SFARP.
• Contingency planning from risk analysis results
• Risk analysis results help in planning improvement of operating procedure/process and management. It is also helpful to tackle MOC.
4.4.4. Risk Assessment Discussions
Risk analysis is a live document and it should be thoroughly reviewed by the operator whenever there is any change in the system because it is the responsibility of the operator to understand all risks and control measures all the time. Also to improve the quality of risk analysis it is important to validate all hazards/major incident events, likelihood, control measures, and consequence, very rigorously. Proper communication, updating, and education/training are parts of risk management, which is an extension of risk analysis. So far helpful discussions have taken place regarding control measure, but what is control measure? The next clause provides the answer.
4.5. Control Measure
Risk assessment without control measure is like cooking without salt. Similar to reviewing risk analysis after each change, here also the reader is advised to read risk analysis after going through control measure to get a better understanding! What is control measure? First, control measure is an integral part of the facility in question. Control system may be physical equipment or device, or it could be a system, process or procedure meant to eliminate/prevent/reduce/mitigate hazards and/or their consequences, if they occur. It is the main tool of the risk management system or SMS. Some often refer to this as physical device! Not necessarily, it could be a procedure, for example, regular inspection to prevent corrosion is a preventive control measure. Purging a boiler is an operating procedure to avoid a hazard caused by explosion. The proper operational procedure of a kiln can help to solidify the clinker. Again an intrinsic safety barrier is a device used to prevent energy release.
4.5.1. Control Measure Characteristic Features and Associated Details
As stated previously the main function of control measure is to eliminate, prevent, reduce, and mitigate risks.
• Major characteristic features shall include but are not limited to the following:
• Clear understanding of control measure allows the operator to gain knowledge and a better understanding of major incidents in the facility and its relationship with the control measure.
• Identification of existing control measure and requirement for additional ones.
• It is the basis for selection or rejection of existing controls and prescribing additional ones.
• It is the basis for demonstrating adequacy of control measures required during demonstration of risk assessment.
• It forms the basis for establishing a link between hazard, major incident, and control measures so that effectiveness of control measures and their impact on risk assessment/analysis can be well understood.
• In control measures there are several categories and they are placed in a hierarchical manner according to priority such as: (1) elimination, (2) prevention, (3) (risk) reduction, and (4) (risk) mitigation. Of these, the first two appear on the left-hand side of a major/top event in a bow and tie diagram (Fig. II/4.5.1-1). The first two are categorized as proactive while last two are categorized as reactive, because they work after the incident to reduce impact, hence they are shown on the right-hand side of the bow and tie diagram (Fig. II/4.5.1-1).
• Eliminate: This enjoys the highest priority for the simple reason that it eliminates the hazard and hence there is no requirement for a control
Table II/4.5.1-1
| Type | Engineering Control | Other Control |
| Elimination | Substitution with noncorrosive or nonflammable materials, safe layout to prevent escalation | Inherently safe design |
| Plant design/operating procedure | ||
| Prevention | Barrier for dropping object, ventilation, process control, use of barriers [e.g., intrinsic safety (IS)] | Quick isolation, maintenance/operating procedure |
| Reduction | Process control, emergency plan, physical barriers, safety relief valves | Use of ignition suppression, procedural system |
| Mitigation | Firefighting, detection of fire or gas leakage | Contingency plan, emergency plan |
• Prevention: This is the means used to prevent or remove the intended cause, or reduce the likelihood of occurrence, for example, interlocks in process control systems, use of a canopy to prevent injury caused by a dropping object.
• Risk reduction: This is used after the incident has happened to reduce the impact or severity, for example, process emergency controls and alarms.
• Mitigations are those control measures that are meant to limit the consequence after major incidents have happened, for example, passive fire protection system.
4.5.2. Various Control Measures
Generally, a single control measure is not enough so in reality layers of protection are employed through IPLs, as discussed earlier and in Chapter V. Understanding the relationship between hazard, major incident, and control measure cannot be overestimated. The following is important:
• The operator needs to understand the mechanism with which control measures act upon various hazards and manage the major incidents at various stages of the facility, be it normal operation or an emergency situation.
Also it is necessary to ensure that sufficient control measures are in place and that they are robust enough to face all the challenges. To understand the system it is better to rely on a bow and tie diagram; Fig. II/4.5.1-1. The hazard register and control have the same function. In this diagram there are a number of hazards that individually or in combination can cause a major or top event. Some of these causes can be eliminated and prevented. After the incident has happened, there could be some reactive control measure that will reduce the impact. Both proactive and reactive control measures can be from various activities such as engineering and operation and maintenance. From the figure a few points are worth noting: proactive control measures are applied before the top event and reactive barriers are applied after the top event. Also all these are applied at different stages of the project through devices, services, or procedures. Some examples are presented in the figure.
4.5.3. Influencing Factors Related to Selections and Effectiveness of Control Measure
There are a number of factors that influence the selection of control systems. Some them shall include but are not limited to the following:
• A simple system will obviously require a simple control measure, but if the system is complex or new, naturally a rigorous control measure assessment will be the call of the day. In any case the chosen control measure should be workable and should be best fitted for the system, and safety philosophy is well reflected.
• Existing knowledge should be properly reviewed while selecting the control measure. Even if there is previous experience, this knowledge must be reviewed because each project may have separate requirements.
• When there are too many choices, it is often not very easy to select the right one. Here it is a must to differentiate the chosen one from others to see how it best fits the project or facility. Another important factor needs consideration is that uncertainties have been reduced to acceptable limits before going for such selection. Again too many uncertainties will require further effort, otherwise the possibilities of wrong selection will be great.
• A suitable group of people through proper consultation is providing the solution, and selection team is receiving correct feedback of information from others so that proper selection is made.
• Proper documentation of all data and periodic reviews will make control measure assessment better and more effective. This is a live document, hence without periodic checks it may not be useful for future use.
4.5.4. Selection, Rejection, and Adequacy of Control Measure With Addition Controls
In this part the primary aim is to see that the control measures chosen are appropriate and adequate. If not, nonappropriate ones will be rejected and additional control measures will be incorporated. Several factors related to this are:
• To justify the adequacy (adequate to eliminate, prevent, or reduce risk to SFARP) of the control measure. These control measures shall be effective and viable. For these, associated influencing factors may be:
• Good experience and thorough knowledge of the usage of control measures as well as knowledge about various failure modes pertinent to the facility.
• Sound knowledge and experience of the complexity, scale, and risk profile of the facility and ability to keep pace with changes in technology over time.
• Available time and resources.
• Adherence to control hierarchy discussed, and suitable uniform distributions of control types such as engineering as well as administrative controls.
• Application of independent layers of protection matching the requirements.
• Identification of common mode failure.
• Definition of performance indicator and standards.
• Definition of critical controls.
• Layers of protection: There are many independent layers of protection provided in the control measure in addition to the basic process control system. These layers of protection make the control measures more robust. Fig. II/4.5.4-1 may be referred to for more detail. Detailed discussions are available in Chapter V.
• Common mode failure: Common mode failure refers to the failure of more than one control system on account of a common cause, which underlines the importance of independent layers of protection. However, common cause can affect both engineering and administrative controls. So, while considering the adequacy of control measures used for risk prevention/reduction/mitigation, etc. it is necessary and important to see that all such control measures are not only independent but also do not suffer from common mode failure—discussed in later part of the book.
• Control measure and life cycle: Control measures also have a life cycle. It is therefore necessary to consider that the control measure suggested is appropriate for the stage of the facility in its life cycle. In addition, various other factors such as environmental factors need to be considered.
• Critical operating parameter (COP): Many facilities try to put special focus on COP and scrutinize control measures for these. What is COP? Each piece of equipment, process, and procedure has lower and upper performance limits and the operation shall be limited within this boundary to avoid accidents. Whenever a control is designed, for example, it should meet the performance requirement (say 50–100%). Operation range below 50% and above 100% performance is not guaranteed. So, it is necessary see that these limits corresponding to each COP are not exceeded. The role of control measure in relation to COP is clear from Fig. II/4.5.4-2. The critical control parameter needs to be monitored and managed continuously for the process where immediate and continuous response from the operator is necessary.
• Critical control: All control measures have the same priority. A few are sometimes segregated as critical control measures because:
• Control measure is relied upon for prevention/reduction/mitigation of risk with very severe consequence, or used to combat most likelihood risk.
• A single measure to combat a major accident or a control measure to combat a number of risks.
• Control measures with weak backup.
• Control effectiveness and viability: While selecting a control measure the following criteria are important for how well the control measure is going to perform:
• The associated factors related to this are functionality and reliability. While functionality is associated with fitness/appropriateness of the control measure for the intended application, reliability stands for how reliable the application will be. Reliability is measured in terms of the dependence of the control measure on others, like human or other control measures. Reliability is also measured in terms of whether it is going to fail or be affected by the failure of a single component, etc.; whenever diverse control measures are adapted then better safety is expected in one failure and may not affect the other.
Figure II/4.5.4-2 Critical operating parameter. Based on Hazard Identification, Risk Assignment and Control Measures for Major Hazard Facilities; Booklet 4, Internet Document; https://www.comcare.gov.au/.
• Viability assesses the practicability of the control measure. It depends on compatibility, survivability, and availability. Compatibility takes into account how the control measure is going to interact with alternative control. Survivability is the ability of the control measure to function as intended even during an accident for which the control measure is used for reduction or mitigation. Availability stands for how available it is and is also related to cost. For an easy understanding, Fig. II/4.5.4-3 may be referred to.
4.5.5. Performance Indicator and Standard
The performance of any system has a target to achieve. Here are two important things:
• Performance indicator: This is information that is used to measure the effectiveness of a control measure. This can be used to compare current with past performance. While the performance indicator is selected it should be specific, measurable, appropriate, realistic, and timely [17]. The performance indicator is defined by the operator to:
• Measure, monitor, or test the effectiveness of a control measure.
• Report and suggest corrective action in case of failure.
• Performance standard: This is a target set for the performance indicator.
4.5.6. Additional Control Measure
As a part of control measure assessment it is necessary to demonstrate all control measures such as physical control (say barrier), engineering control (say process control, relief valve), and administrative control such as defined procedure, etc. During demonstration the operator needs to challenge the control measure to improvise the process. In this way, alternative controls could be taken into account, especially in those cases where all risks are not in SFARP. Helpful guidance toward both additional control measures and past disaster issues are highlighted in the following:
• Existing control measure is it fully functional
• Discarded control are really not applicable and why
• Any improvement for existing control
• Control measure's obsolescence
• Augmentation and addition of new control measure
• New control measure to modify facility
All these exercises are carried out to understand the system very closely; they could improve the suggested system and additional control measures may be included. Such reviews are important especially in cases of:
• New facility or new technology
• Loss of knowledge base for safe operation
• Obsolete system exists in control measure
• Degradation in effectiveness of control measure
• Occurrence of an incident
4.5.7. Control Measure Output
Basically control measure output consists of:
• A list of existing and additional controls with established relations among hazard, incident, and control measure
• Adequacy assessment of existing control with additional control measure list and relation
• A list of performance indicators, COP, and critical controls
• Improvement actions recommended
• A list of hazard and additional controls
These outputs can be used for:
• Risk assessment discussed earlier
• Monitoring of effectiveness of control measure
• Identification of additional control measures and their implementations
4.5.8. Discussions
Like risk assessment the control measure document is also a live document and should be subject to review and revision periodically or when there may be any change. Workforce involvement will be a similar involvement pattern, as discussed in Clauses 3.2.3 and 4.2.4.
4.6. Safety Management System
Discussions on risk assessment are not complete without some focus on SMS. SMS is a comprehensive and integrated system to address all aspects related to health and safety. It is to be properly documented so that this comprehensive document is accessible to all concerned. It must be compatible with the safety management objective and philosophy of the facility in question. It is mainly concerned with the control measure. It tracks errors, deviations, etc. in the control measures. It also keeps track of performance standards of the equipment and system. Therefore it is a live document and needs periodic reviews and updates.
4.6.1. Features
SMS manages and supports specific aspects of the facility, mainly operational aspects. It is concerned with control measures adopted for the facility to prevent, reduce, and mitigate risks. In a nutshell, it is an integral part of the risk management system to ensure safe operation of the facility by regulating various control measures for the facility. A major purview of SMS shall include but is not limited to the following:
• Implementation of standards and procedures at various stages (e.g., design, construction, and operation) of the facility including imparting knowledge among the workforce, supervision of tasks and procedures, resource management, and procedures to manage third parties.
• Work permit and equipment isolation procedure
• Risk assessment and MOC procedure
• O&M procedure, quality assurance (QA) of device and maintenance of critical asset
• Emergency plan and procedure
• Monitoring audit and review of SMS
4.6.2. SMS and Control Measures
One of the main properties in SMS is that it shall be comprehensive, so, related to control measure, SMS needs to address the following issues:
• Identification of control measures and definition of the performance standard
• Implementation of control measures. Layers of protection in control measures are checked; if one layer does not function well then another is to be brought to implement and enhance the control measure.
• SMS should be in a position to identify anomalies, then report them and rectify the shortcomings. So, SMS audits the system as well as compliance against documented SMS.
• All concerned shall have easy access to and cooperation in the decision-making process.
4.6.3. Operational Aspects in SMS
It is a part of SMS to look into the operational aspects in the facility. A major controlling area in this part shall include but is not limited to the following:
• Hot work such as welding
• Electrical work such as high-voltage isolation, grounding
• Physical isolation
• Working in a confined place
• Issuance of permit to work
• Authorization to work or supervise
4.6.4. MOC
This is an important element in SMS. Whenever a change in the system is incorporated, then there will be possibilities that there will be changes in hazard situations as well as major incidents. Apart from these discrete changes to any system operating over time, there could be changes in the risk profile of the facility as it is a dynamic process. MOC needs to track those changes. Naturally, there will be a necessity to maintain safety and SMS. MOC may initiate a review of SMS. SMS and MOC are directly related.
4.6.5. SMS Performance Standard
The operator needs to develop a performance standard for SMS. This performance must be transparent, workable, and appropriate to ensure safety to people concerned and property. This performance standards needs to address a few things:
• Coverage of all aspects of SMS
• Ability to measure the effectiveness of SMS
• Suitable performance standard for critical procedure, control, and equipment
• The performance should show sufficient details.
4.7. Conclusion
The overall picture of risk analysis vis-à-vis control measure and SMS can be conceived from Fig. II/4.7-1.
Risk assessment/analysis is a vast subject and very much plant specific. It depends highly on stages in the plant life cycle, available information, and resources. Therefore it is very difficult to cover all the processes and highlight each of them. In fact, there could be as many as 62 different kinds of PHA and risk assessment methodologies available. The most popular ones, which are mainly used in industry, have been covered here. Depending on specific requirements, one may have to choose the best one at that time for the facility. Now it is time to analyze each PHA in some detail.
List of Abbreviations
| ALARP | As low as reasonably practicable |
| BFP | Boiler feed pump |
| CCPS | Center for chemical process safety |
| CEI | Chemical exposure index |
| COP | Critical operating parameter |
| DOW FEI | Dow Fire and Explosion Index |
| EC&I | Electrical, control, and instrumentation |
| ETA | Event tree analysis |
| FCV | Feed control valve |
| FEED | Front end engineering design |
| FMEA | Failure mode and effect analysis |
| FSA | Formal safety assessment |
| FTA | Fault tree analysis |
| HAZID | Hazard identification |
| HAZOP | Hazard and operability study |
| HC | Hydrocarbon |
| HRA | Human reliability analysis |
| HW | Hardware |
| IPLs | Independent protection layers |
| LOPA | Layer of protection analysis |
| MEA | Major accidental event |
| MF | Material factor |
| MHF | Major hazard facility |
| MHI | Material hazard index |
| MOC | Management of change |
| NOPSEMA | National Offshore Petroleum Safety and Environmental Management Authority |
| O&M | Operation and maintenance |
| OPGGS | Offshore Petroleum and Greenhouse Gas Storage (Safety) Regulation (Commonwealth) |
| OSHA | Occupational Safety and Safety Administration (USA) |
| P&ID | Piping (process) and instrumentation diagram |
| PFD | Process flow diagram |
| PHA | Plant hazard analysis/preliminary hazard analysis |
| PSF | Performance shaping factor |
| PSM | Process safety management |
| QRA | Quantitative risk analysis |
| SFARP/SFAIRP | So far as is reasonably practicable |
| SHI | Substance hazard index |
| SMS | Safety management system |
| SW | Software |
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.