The cause-consequence diagram is reduced to a minimal form by, firstly, removing any redundant decision boxes and, secondly, manipulating any common failure events that exist on the same path. The common failure events can be extracted as common sub-modules or individual events. This process is equivalent to constructing the fault tree, converting it to a BDD, and identifying and extracting independent sub-modules. An algorithm has been developed that will produce the correct cause-consequence diagram and calculate the exact system failure probability for static systems with binary success or failure responses to the trigger event. This is achieved without having to construct the fault tree of the system, and retains the documented failure logic of the system (Ridley et al. 1996).
The minimised cause-consequence diagram is then analysed using a BDD analysis procedure; thus, exact rather than approximate calculations are performed. The advantages of the cause-consequence diagram are:
• The diagram can be constructed directly from system description.
• Dependencies in the system can be incorporated in the analysis.
• The system is modularised to increase efficiency.
• Exact calculation procedures are adopted.
Repeated events. The four-stage procedure developed to construct and analyse a cause-consequence diagram is capable of dealing with events that occur in more than one fault-tree structure attached to the decision boxes in any sequence path. The CCD method can deal with repeated events more efficiently than FTA does (Ridley et al. 1996).
Using the CCD method, there is no need to obtain the Boolean expression of the top event and then manipulate it into a minimal form prior to analysis. The converse approach of the cause-consequence method deals with sequences of events that either occur (fail) or do not occur (work). The probability of a particular outcome is obtained by summing the probabilities of all paths that lead to the outcome. Because the paths in the reduced diagram are mutually exclusive, summing their probabilities yields a result similar to that obtained from the fault tree following Boolean reduction. An algorithm has been developed that can trace through a cause-consequence diagram, and identify and extract any repeated basic events occurring in more than one fault-tree structure on the same sequence path (Bryant 1986; Ridley et al. 1996).
The procedural steps used in the extraction algorithm are the following:
1 Identify the fault-tree structures in the path under inspection.
2 Each fault tree in a path undergoes a modularisation process to identify independence. The identified independent sub-trees are then individually considered for further analysis.
3 The independent sub-trees for each fault-tree diagram are compared with one another and, following the identification of any common sub-trees or individual basic events, the cause-consequence diagram is modified.
4 The cause-consequence diagram is modified by applying the following rules:
a Following the identification of a common sub-tree or basic event, the common element is extracted and set as a new decision box at the highest point in the cause-consequence diagram, with all dependencies below it.
b The cause-consequence diagram is then duplicated on each branch starting from the new decision box.
c Having developed a single decision box for the common sub-tree or basic event, the decision boxes that contained the common event prior to extraction require modification. The common event(s) are set to 1 (TRUE) in the fault trees following the NO outlet branch from the new decision box, as this branch indicates that the common event has occurred (failure), and to 0 (FALSE) in the fault trees following the YES outlet branch, signifying that the common event(s) have not occurred (the component works).
d After extraction of the common sub-tree or basic event, each fault tree that has been modified requires reorganisation. Each fault tree containing the extracted Boolean variable is inspected and simplified by setting the Boolean variable to the value that represents the path taken in the cause-consequence diagram.
e The cause-consequence diagram is then reduced to a minimal form by removing any redundant decision boxes identified, i.e. those whose outcome has become fixed by the values set in step c.
This procedure is repeated until all sequence paths have been inspected and no repeated sub-trees or basic events are discovered.
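The extraction procedure above, worked as an added example in Python (this is illustrative code written for this page, not the algorithm of Ridley et al. 1996 or any published tool). It models a sequence path with two decision boxes whose fault trees share a basic event A, extracts A by conditioning exactly as steps 4a to 4c describe (A set to 1 on the NO branch, 0 on the YES branch), and compares the exact path probability with the figure obtained by wrongly treating the two decision boxes as independent. Fault trees are represented as predicates over basic events; the event probabilities and tree structures are constructed for the example. A decision box whose fault tree becomes constant after conditioning contributes a factor of 1 or 0, which is what removing the redundant box in step 4e amounts to numerically.

```python
from itertools import product

# Constructed example data (not from the text): failure probabilities of the basic
# events, and two fault trees T1 and T2 attached to two decision boxes on one
# sequence path.  Basic event A appears in both trees, so it is a repeated event.
BASIC = {"A": 0.05, "B": 0.10, "C": 0.20, "D": 0.15}

# A fault tree is (set of basic events, top-event predicate).  The predicate returns
# True when the top event, i.e. failure of the decision-box function, occurs.
T1 = (frozenset("ABC"), lambda e: e["A"] or (e["B"] and e["C"]))
T2 = (frozenset("AD"), lambda e: e["A"] or e["D"])


def tree_prob(tree, fixed, probs):
    """Exact P(top event) by enumerating the tree's free basic events, with the
    events in `fixed` held at their conditioned value (True = occurred)."""
    events, top = tree
    free = sorted(events - fixed.keys())
    total = 0.0
    for bits in product((False, True), repeat=len(free)):
        assign = {**fixed, **dict(zip(free, bits))}
        if top(assign):
            p = 1.0
            for v, b in zip(free, bits):
                p *= probs[v] if b else 1.0 - probs[v]
            total += p
    return total


def shared_event(path, fixed):
    """A basic event that is still free in more than one fault tree on the path."""
    seen = set()
    for (events, _), _ in path:
        free = events - fixed.keys()
        hit = seen & free
        if hit:
            return min(hit)  # deterministic choice when several are shared
        seen |= free
    return None


def path_prob(path, probs, fixed=None):
    """Probability of one sequence path through the cause-consequence diagram.

    `path` is a list of (fault_tree, fails): fails=True means the path leaves that
    decision box through the NO outlet (function fails), False through YES (works).
    A repeated event is extracted as in steps 4a-4e: it becomes a new decision box
    at the top, the diagram below it is duplicated on each branch, and the event is
    set to 1 (TRUE) on the NO branch and 0 (FALSE) on the YES branch.  This is the
    Shannon decomposition a BDD performs on the same variable.
    """
    fixed = dict(fixed or {})
    v = shared_event(path, fixed)
    if v is None:
        # No dependency left between the decision boxes: they are independent, so
        # the path probability is the product of the required outcome probabilities.
        p = 1.0
        for tree, fails in path:
            pf = tree_prob(tree, fixed, probs)
            p *= pf if fails else 1.0 - pf
        return p
    p_no = path_prob(path, probs, {**fixed, v: True})    # v has occurred (failure)
    p_yes = path_prob(path, probs, {**fixed, v: False})  # v has not occurred (works)
    return probs[v] * p_no + (1.0 - probs[v]) * p_yes


def outcome_prob(paths, probs):
    """Outcome probability: sum over the mutually exclusive paths leading to it."""
    return sum(path_prob(p, probs) for p in paths)


def naive_product(path, probs):
    """Result when the repeated event is ignored and the decision boxes are
    multiplied as if independent: the error the extraction step avoids."""
    p = 1.0
    for tree, fails in path:
        pf = tree_prob(tree, {}, probs)
        p *= pf if fails else 1.0 - pf
    return p


if __name__ == "__main__":
    both_fail = [(T1, True), (T2, True)]
    print("exact P(both fail):", path_prob(both_fail, BASIC))      # 0.05285
    print("naive P(both fail):", naive_product(both_fail, BASIC))  # 0.0132825
```

For the constructed data the exact probability of the path on which both functions fail is 0.05285, whereas multiplying the two decision boxes as if independent gives 0.0132825, a four-fold underestimate caused entirely by the repeated event A. Summing path_prob over all four sequence paths gives 1, which is the check that the reduced diagram's paths are mutually exclusive and exhaustive.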
For better clarity on the application of the procedural steps used in this extraction algorithm, an example of the technique is given in Sect 5.2.4 dealing with safety and risk evaluation The technique has been applied to a simple high-pressure protection system The basic functions of the system are to prevent the passage of a high-pressure surge originating from upstream pumping of process material in order to protect process vessels located downstream of the surge
5.2.1.5 Hazardous Operability Studies in Engineering Design
Hazardous operability (HAZOP) studies are based on the principle that a team approach to hazards analysis will identify more potential problems in process designs than would the combined results of individual designers of various disciplines and expertise working separately. The expertise is brought together during HAZOP sessions and, through a collaborative brainstorming effort, a thorough review is made of the process design under consideration.
The HAZOP study focuses on specific portions of the process called 'nodes'. Generally, these are identified from the piping and instrumentation diagram (P&ID) of the process before the study begins. A process parameter is identified (for example, flow), and an intention is defined for the node under consideration. Then, a series of guidewords is combined with the parameter 'flow' to create deviations. For example, the guideword 'no' is combined with the parameter 'flow' to give the deviation 'no flow'. The team then focuses on listing all the credible causes of a 'no flow' deviation, beginning with the cause that can result in the worst possible consequence the team can think of at the time. Once the causes are recorded, the team lists the consequences, safeguards and any recommendations deemed appropriate. The process is repeated for the next deviation, and so on until completion of the node. The study then focuses on the next node and the process is repeated. HAZOP studies concentrate on identifying both hazards and operability problems. While the HAZOP study is designed to identify hazards through a systematic approach, more than 80% of a study's recommendations typically concern operability problems, which are not per se hazards. Although hazard identification is the main focus, operability problems are identified for their potential to lead to process hazards, or for their negative impact on the environment or on the profitability of the engineered installation.
The definition of hazard is given as "any operation that could possibly cause a catastrophic release of toxic, flammable or explosive chemicals, or any action that could result in injury to personnel", whereas the definition of operability is given as "any operation inside the specific design under consideration that would cause a shutdown that could possibly lead to a violation of safety and health or environmental regulations, or negatively impact the profitability of the engineered installation".
a) Design Representations
A fairly wide range of design representations is in use in process engineering design, and it is possible for any of these to be the basis of a HAZOP study. The use of mathematically formed representations for safety-related software systems is increasing, and these can also be used for a HAZOP study. Examples of design representations include:
• block diagrams
• flow charts
• data flow diagrams
• object oriented design diagrams
• state transition diagrams
• timing diagrams
• logic diagrams
• electrical circuit diagrams.
The design representations used should cover all aspects of the system that could relate to hazards. If a single design representation does not, or cannot, cover all the relevant attributes or credible failures, then one or more other forms of representation should be used. The following issues are relevant in deciding whether or not a further design representation is necessary (DEF STAN 00-58 2000):
• If dynamic behaviour is critical, such that hazards may result from incorrect sequencing, a representation such as a state transition diagram may be necessary.
• If the system has multiple states (such as start-up, normal operation and shut-down), then representations of all of these should be available. Operating instructions or procedures should be included in the representation to be studied.
• If the timing of events is crucial, such that hazards could arise from timing deviations, a timing diagram is necessary.
• If, during a study, a question arises regarding the possibility of a hazard, and this cannot be answered by considering the attributes available on the design representation being studied, it is likely that a further representation is necessary.
b) Entities and Their Attributes
It is the responsibility of someone familiar with the design, at the planning stage of a HAZOP study, to identify and document, for each component and interconnection on each design representation, the entities and their attributes, and also the attributes of any components to be studied. When the interconnection between two points is being studied, each type of flow should be identified as an entity in its own right, and every attribute relevant to each entity should be listed and studied, as it is common for there to be several types of data flow between two points; for example, there may be both information and control data.
c) Deviations from Design Intent
A HAZOP study may often concentrate on the interactions, and address components in detail only if an understanding of their failure modes is essential to the assessment of deviations from design intent on interconnections. If components are to be studied, then their associated attributes need to be identified. It should be noted that the term 'components' is used in the broadest sense and includes hardware, software, mechanical, electrical and electronic elements. The examination of components is not unique to HAZOP studies, but this technique provides a systematic means of reviewing their possible failure causes and consequences. The deviations from design intent on the interactions are, however, the novel feature of HAZOP studies. Considering the interactions between components is useful as a preliminary technique if the failure modes of the components are not known at the early phases of the engineering design process, or if the failure modes are found to be very complex at the later detail design phase.
d) Guidewords and Interpretations
The principle of the use of guidewords is that, once a component or interconnection on the design representation has been selected for study, an entity on it (there may be one or more) and an attribute of the entity are chosen. A guideword is then applied to the attribute. For example, if the guideword 'more' is applied to the attribute 'value', it may generate the questions 'what are the possible causes of the value of this entity being greater than the design intent?' or 'what are the consequences?'
Table 5.5 Standard interpretations for process/chemical industry guidewords
Guideword   | Standard interpretation in process/chemical industry
No          | No part of the design intention is achieved
More        | A quantitative increase
Less        | A quantitative decrease
As well as  | All design intent achieved, but with additional results
Part of     | Only some of the intention is achieved
Reverse     | Reverse flow in pipes and reverse chemical reactions
Other than  | A result other than the original intention is achieved
Inquiries are made into these questions and the results recorded. This process is repeated for each guideword in turn, and the whole process is then carried out for each other attribute of the entity being studied. Typical guidewords used in HAZOP studies are:
no, more, less, as well as, part of, reverse, other than.
The choice of guidewords should be considered carefully, as a guideword that is too specific may limit ideas and discussion, and one that is too general may not focus the HAZOP study efficiently. Guidewords may be interpreted differently when applied to different design representations for different types of processes, as well as at different stages of a system's life cycle. When guidewords are chosen for a HAZOP study, their interpretations should be defined, as each guideword may have more than one interpretation in the context of its application to the design representation. The guideword interpretations in Table 5.5 are normally adequate for the process engineering industry (DEF STAN 00-58 2000).
Interpretations of attribute-guideword combinations. Combinations of specific guidewords and attributes, in the context of the particular design representation, need interpretation according to standard guidelines such as those given in Table 5.5. A matrix may be a convenient way of expressing attribute-guideword combinations. Table 5.6 provides an example matrix of interpretations of the guidewords in the context of design representations and the attributes appropriate to those representations.
e) Selection of Process Parameters
The selection and application of process parameters in HAZOP studies of process engineering designs will depend on the type of process being considered, the equipment in the process, and the process intent. The most common specific process parameters that should be considered are flow, temperature, pressure and, where appropriate, level. In almost all instances, these parameters should be evaluated for every node. The team's comments concerning these parameters must be documented without exception. Additionally, the node should be screened for application of the remaining specific parameters, such as those given in the list below. These should be recorded only if there is a hazard or operability problem associated with the parameter. A sample set of specific process parameters includes the following:
flow, temperature, pressure, composition, phase, level, relief, instrumentation, sampling, corrosion, erosion, services, utilities, maintenance, addition, safety, reaction, inerting, purging, contamination.
Specific process parameters should be considered when evaluating each node. If a particular parameter does not change from one node to the next, then it is not necessary to repeat all of the deviations that were considered in the previous node.
Table 5.6 Matrix of attributes and guideword interpretations for mechanical systems
Attribute       | No                                   | More                  | Less                  | As well as                                | Part of                             | Reverse                               | Other than
Generic meaning | No part of the intention is achieved | Quantitative increase | Quantitative decrease | All design intent with additional results | Only some of the intent is achieved | The logical opposite of the intention | Result other than original intention
Torque          | No torque appears                    | Higher than expected  | Lower than expected   |                                           |                                     | Reversed                              | Torque is cyclic
The remaining rows of Table 5.6 are not recoverable from this copy of the page. The surviving fragments are: two further attribute rows reading '... expected', 'Lower than expected', 'unexpected direction' and '... expected', 'Less than expected', '... direction'; a Containment row reading 'Complete failure of containment', '... containment'; and a Material row reading 'Complete failure', '... material', 'Corrosion is persistent', 'Fatigue, failure', 'N/A', 'Creep'.
Guideword-parameter combinations: exploring deviations from design intent. The HAZOP study creates deviations from the engineering design intent by combining guidewords (no, more, less, etc.) with process parameters, resulting in a possible deviation from the design intent. For example, when the guideword 'no' is combined with the parameter 'flow', the deviation 'no flow' results. The design team would then list all credible causes that will result in a 'no flow' condition for the specific node. Not all guideword-parameter combinations are meaningful, as the following examples indicate:
no flow      no temperature      no pressure      no reaction
more flow    more temperature    more pressure    as well as reaction
less flow    less temperature    less pressure    part of reaction
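As an added example (not from the text), the guideword-parameter enumeration described here and the attribute-guideword matrix of the previous subsection can be turned into a small Python planner. It keeps a per-parameter set of meaningful guidewords in the spirit of Table 5.6, generates the deviations to examine at each node, skips parameters whose intent is unchanged from the previous node, and refuses a node definition that omits one of the parameters the text requires at every node (flow, temperature, pressure). The node names, the choice of which combinations are meaningful, and the unchanged-parameter flag are constructed for the example; in a real study they are team judgements recorded at the planning stage.

```python
from dataclasses import dataclass
from itertools import product

GUIDEWORDS = ("no", "more", "less", "as well as", "part of", "reverse", "other than")

# Parameters that must be evaluated and documented at every node.  Level is
# required only "where appropriate", so it is not made mandatory here.
MANDATORY = ("flow", "temperature", "pressure")

# Which guidewords carry meaning for which parameter.  This is a team judgement
# and the sets below are illustrative (constructed for this example): temperature
# has no direction, so 'reverse temperature' is never generated, while every
# guideword applies to a reaction.
MEANINGFUL = {
    "flow": set(GUIDEWORDS),
    "temperature": {"more", "less"},
    "pressure": {"no", "more", "less"},
    "level": {"no", "more", "less"},
    "reaction": set(GUIDEWORDS),
}


@dataclass(frozen=True)
class Node:
    name: str
    parameters: tuple                   # process parameters relevant to this node
    unchanged: frozenset = frozenset()  # parameters whose intent is identical to the
                                        # previous node's (already examined there)


def missing_mandatory(node):
    """Mandatory parameters the node definition forgot to include."""
    return tuple(p for p in MANDATORY if p not in node.parameters)


def node_deviations(node, meaningful=MEANINGFUL, guidewords=GUIDEWORDS):
    """Deviations to examine at one node: every guideword x parameter combination
    that is meaningful, skipping parameters unchanged since the previous node."""
    rows = []
    for p, g in product(node.parameters, guidewords):
        if p in node.unchanged:
            continue  # do not repeat the previous node's deviations
        if g not in meaningful.get(p, ()):
            continue  # combination carries no meaning for this parameter
        rows.append(f"{g} {p}")
    return rows


def study_plan(nodes, meaningful=MEANINGFUL):
    """Per-node deviation lists for the whole study.  Refuses nodes that omit a
    mandatory parameter, since those must be documented without exception."""
    plan = {}
    for node in nodes:
        missing = missing_mandatory(node)
        if missing:
            raise ValueError(f"node {node.name!r} omits mandatory parameters {missing}")
        plan[node.name] = node_deviations(node, meaningful)
    return plan


if __name__ == "__main__":
    nodes = [
        Node("feed line", ("flow", "temperature", "pressure")),
        Node("reactor", ("flow", "temperature", "pressure", "reaction"),
             unchanged=frozenset({"flow"})),
    ]
    for name, devs in study_plan(nodes).items():
        print(name, "->", ", ".join(devs))
```

With the constructed nodes, the feed line yields 12 deviations (seven for flow, two for temperature, three for pressure) and the reactor also 12, because its unchanged flow parameter is skipped and the seven reaction deviations take its place; 'reverse temperature' never appears, and a node declared without, say, temperature is rejected before any deviations are generated.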
f) The Concept of Point of Reference
When defining nodes and performing a HAZOP study on a particular node, it is useful to use the concept of point of reference (POR) in the evaluation of deviations. For example, consider a node consisting of acidified gas piping up to the inlet tank of a reverse jet scrubber vessel. If the deviation 'no flow' is applied, a dilemma results when considering the causes of 'no flow' due to pipe rupture of the acid inlet line (with safety and environmental consequences). The term 'no flow' is ambiguous, since there is still a flow of gas to the inlet tank but no flow through the acid piping to the inlet tank of the scrubber vessel. A POR should, therefore, be clearly established at the time the node is defined, at the downstream terminus of the node, so that each deviation is evaluated at that point.
g) Screening for Causes of Deviations
It is necessary to be thorough in listing causes of deviations. A deviation is considered realistic if there are sufficient causes to consider that the deviation can occur. However, only credible causes should be listed. Team judgment is used to decide whether to include events with a very low probability of occurrence. Expert judgment is required in determining which events have a low probability of occurring, so that credible causes are not overlooked. There are three basic types of causes:
• Human error, in the form of acts of omission or commission by an operator, designer or constructor, creating a hazard that could possibly result in a release of hazardous or flammable material.
• Equipment failure, in which a mechanical, structural or operating failure results in the release of hazardous or flammable material.
• External events, in which items outside the unit being reviewed affect the operation of the unit to the extent that the release of hazardous or flammable material is possible. External events include upsets on adjacent units affecting the safe operation of the unit (or node) being studied, loss of utilities, and exposure to weather and seismic activity.
The level of detail required in describing causes of a deviation depends on whether the cause occurs inside or outside the node.
For example, suppose that the inlet tank of the reverse jet scrubber includes a level controller as part of the node, and that the level control valve failing in the closed position results in a high-level condition. Since the valve and controller are part of the node, the causes should be stated in more detail, because the valve may fail closed due to mechanical failure of the valve (internal event), or may close due to loss of instrument air to the unit (external event). If the level controller were outside the node being studied, it would be sufficient merely to state 'level control valve LV-XXXX closes'. When the analysis reaches the node in which the level controller is located, the various causes can then be listed in more detail.
h) Consequences and Safeguards
The primary purpose of a HAZOP study is the identification of scenarios that would lead to the release of hazardous or flammable material into the atmosphere, thereby exposing workers to injury. It is thus always necessary to determine, as exactly as possible, all consequences of any credible causes of a hazardous release of toxic material. This serves a twofold purpose: it aids in determining a risk ranking of multiple hazards, so that priority can be established in addressing the most severe hazards first; and it aids in determining whether a particular deviation results in an operability problem or a hazard. If the HAZOP study team concludes from the consequences that a particular cause of a deviation results in an operability problem only, then further investigation of that cause should end, and the team should consider the next cause, deviation or node.
If the HAZOP study team determines that the cause will result in the release of hazardous or flammable material, then safeguards should be identified. Safeguards should be included whenever a combination of cause and consequence presents a credible process hazard. The basis of what constitutes a safeguard can be summarised in the following criteria:
• Those systems and/or written procedures that are designed to prevent a catastrophic release of hazardous or flammable material.
• Those systems that are designed to detect and give early warning following the initiating cause of a release of hazardous or flammable material.
• Those systems and/or written procedures that mitigate the consequences of a release of hazardous or flammable material.
The HAZOP study team should use care when listing safeguards. Hazards analysis requires an evaluation of the consequences of failure of engineering and administrative controls, so a careful determination must be made of whether or not these items can actually be considered safeguards. In addition, the team should consider realistic multiple failures and simultaneous events when evaluating whether or not any of the above safeguards will actually function as such in the event of an occurrence.
i) Deriving Recommendations
Recommendations are made when the safeguards for a given hazard scenario, as judged by an assessment of the risk of the scenario, are inadequate to protect against the hazard. 'Action items' and 'information needs' are those recommendations that have been assigned for follow-up by one of the team members. Implementation of hazard analysis recommendations may follow these guidelines:
• High-priority action items should be resolved within 4 months.
• Medium-priority action items should be resolved within 4–6 months.
• Lower-priority action items should be resolved following medium-priority items.
All recommendations made in HAZOP studies must be reviewed to determine their relative priorities and a schedule of implementation. After each recommendation has been reviewed, all resolutions should be recorded in a tracking document and kept on file. Recommendations include design, operating or maintenance changes that reduce or eliminate deviations, causes and/or consequences. Recommendations identified in a hazard analysis are considered to be preliminary in nature.
5.2.1.6 Risk Analysis in Engineering Design
Risk analysis methodologies used for determining the integrity of engineering design are grouped into two categories: hazards identification and risk estimation. This level of risk analysis is usually for making an assessment of equipment criticality during preliminary design, through the use of a risk priority number (RPN) technique (Bowles et al. 1994). Although the technique has been described in Sect 3.2.2.5, some of its basic features are repeated here in summary.
This method prioritises risk by calculating a risk priority number for a component failure mode using three factors:
• Failure mode occurrence probability.
• Failure effect severity.
• Failure detection probability.
The risk priority number is computed by multiplying the rankings, on a scale from 1 to 10, assigned to each of these three factors, and is expressed by the relationship:
RPN = OR × SR × DR
where:
RPN = the risk priority number
OR = the occurrence ranking
SR = the severity ranking
DR = the detection ranking
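As an added example (not from the text or from Bowles et al. 1994), the following Python computes the RPN for a list of failure modes, validates that each ranking lies on the 1 to 10 scale, and orders the modes for attention. The sample failure modes and their rankings are constructed; the convention that a higher detection ranking means the failure is less likely to be detected is the usual FMECA one and is an assumption here. The ordering deliberately breaks RPN ties by severity: because RPN multiplies three ordinal ranks, a mode with occurrence 3, severity 8, detection 4 and a mode with occurrence 4, severity 4, detection 6 both score 96, and a practitioner should not treat them as carrying equal risk.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    """One component failure mode with its three rankings on the 1..10 scales."""
    item: str
    mode: str
    occurrence: int  # OR: likelihood that the failure mode occurs
    severity: int    # SR: severity of the failure effect
    detection: int   # DR: assumed FMECA convention, 10 = failure very unlikely
                     #     to be detected before it takes effect


def rpn(fm):
    """RPN = OR x SR x DR.  Each ranking must be an integer from 1 to 10; any
    other value is a data-entry error and is rejected rather than multiplied."""
    for name, r in (("occurrence", fm.occurrence),
                    ("severity", fm.severity),
                    ("detection", fm.detection)):
        if not isinstance(r, int) or not 1 <= r <= 10:
            raise ValueError(f"{fm.item}/{fm.mode}: {name} ranking {r!r} not in 1..10")
    return fm.occurrence * fm.severity * fm.detection


def prioritise(modes):
    """Order failure modes for attention: highest RPN first.  RPN is a product of
    ordinal ranks, so different (OR, SR, DR) triples can give the same number;
    ties are broken by severity, then occurrence, instead of being left to chance."""
    return sorted(modes,
                  key=lambda fm: (rpn(fm), fm.severity, fm.occurrence),
                  reverse=True)


# Constructed sample data for the example (not from the text).
SAMPLE = [
    FailureMode("level control valve", "fails closed", occurrence=3, severity=8, detection=4),
    FailureMode("pressure transmitter", "drifts high", occurrence=4, severity=4, detection=6),
    FailureMode("relief valve", "fails to open on demand", occurrence=2, severity=10, detection=9),
    FailureMode("pump seal", "minor leak", occurrence=6, severity=2, detection=2),
]


if __name__ == "__main__":
    for fm in prioritise(SAMPLE):
        print(f"{rpn(fm):4d}  {fm.item}: {fm.mode}")
```

On the sample data the relief valve mode leads with RPN 180; the two modes scoring 96 are then ordered by severity, so the valve failing closed (severity 8) is listed before the drifting transmitter (severity 4), and the pump seal leak (24) comes last.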
Risk estimation, as adopted by the European Community (EC 1996) for use in risk assessment, is defined in the following format:
Risk, related to an identified hazard, is a function of the probability of its occurrence with respect to the frequency and duration of exposure to the hazard, and the means of avoiding it, and the severity of the accident or incident that can result from the hazard.
Thus, risk can be quantified as the product of the level of severity of the risk (i.e. disaster or loss) with its probability of occurrence (i.e. chance). This can be formulated as the following:
Risk = Severity × Probability
From the definition, severity is the disaster or loss incurred. The measure of severity can be quantified in two events: accidents and incidents. The measure of probability can be quantified in the form of appropriate statistical probability distributions or measures of statistical likelihood. In this regard, an accident is an undesired event that results in disastrous physical harm to a person. An incident is an undesired event that could result in a loss. In the context of safety, this loss is in the form of an asset loss, which implies damage to equipment or property. Risk is thus an indication of the degree of safety, determined on the basis of two considerations, the first according to design criteria, and the second according to operational performance:
• The estimated degree of safety. This is assessed according to the contribution of:
– the ‘estimated disabling injury frequency’ arising from functional failure of the item,