Fine Print
Educational/ Training Material
Issued as a service to the industry
for Free Distribution
Hazard & Identification
Safety Studies
Based on industry practices
Introduction
Chemical Process Industries (CPI) are top Safest Performers
Fatal Accident Frequency Rate (FAFR) – No. of fatalities in a group of
1,000 people per 100 million hours over their working lifetimes for a
variety of occupations:
Construction: 67; Road travel: 57; CPI: 4; Stay at home: 3
(Bureau of Labor Statistics 2006, US Department of Labor)
Still, spectacular accidents happen, blowing up the image. We
need to identify the hazards that are present:
H2S: Toxic. H2/ LPG: Flammable/ Explosion. Machinery: Can injure.
Hazard:
An inherent physical or chemical characteristic with a potential to
cause harm to people, the environment, or property (AIChE Center for
Chemical Process Safety)
Any activity, procedure, process, substance, situation or other
circumstance that has the potential to cause injury or illness
Still accidents happen
Time to take stock; Reflect
WHAT WENT WRONG (incident photographs, not reproduced): Bhopal: 20,000++ Dead;
Boat hit; Hurricane hit; Hydrocarbon into Boiler Air; Erosion; Corrosion; Column overflow
Safety Studies
Companies that regularly perform Safety Studies usher in a
Safety culture and reduce frequency and severity of accidents
Historically
Safety Reviews (1960s)
Check Lists (1960s) - Experience + Lessons learnt
PHA: Preliminary Hazard Analysis (1970s) - Haz materials & Operation
What-if Analysis (1970s) - Brainstorming techniques
HAZID (1970-80s) - Hazard Identification - Hazards in Operations
HAZOP (1970-80s) - Hazard & Operability Analysis
FMEA – Failure Modes, Effects Analysis
FTA - Fault Tree Analysis
SIL - Safety Integrity Level
In addition there are sub-contracted studies
Most of these studies - routine in North Sea and Australia
Only selected studies for projects in rest of the world/ onshore plants
Safety Studies
Safety studies – proactively search for hazards,
assess them and provide mitigation measures
The earlier the studies are done, the easier it is to implement
recommendations or change designs
Project phases: Conceptual Design → FEED → Detailed Engg → Fabrication →
Construction & Erection → Commissioning & Start-up → Production
Check Lists
Standard check list on Design & Operation issues
Most common. Simple & easy to use. Built over time and many
projects – “lessons learnt”
Based on industry standards/ codes/ practices
Discipline-wise checklists
Separator - controls & protection; Pump - controls & protection
Piping practices – location of valves
Instrt & Control practices; Civil/ Structural design issues
Commissioning steps/ Start-up procedures
Flush the lines first; Remove control valves before flushing
Good for permit to work, job safety analysis – where type of
hazards are fairly known or understood
Caution: Practices based on corporate/ industry/ statutory codes are not
adequate to cover changes in new plant/ operation/ design
Check Lists
Typical list on Design & Operation issues
Event: 1) High Flow
  Causes: 1) Low differential head across pump - high suction and low discharge press
          2) Pump FCV fails open  3) Pump min flow FCV fails open  4) Pump racing
          5) Discharge line rupture  6) Discharge drain or vent left open
  Initiating causes: 1) Loss of pump control
Event: 2) Low Flow
  Causes: 1) Blocked or plugged outlet – solids build up
          2) High differential head across pump - low suction and high discharge press
          3) Pump FCV malfunction  4) Pump min flow FCV malfunction  5) Pump backs up on curve
          6) Suction line rupture  7) Suction drain or vent left open
  Initiating causes: 1) Loss of pump control and operational issues
Event: 3) No Flow
  Causes: 1) Blocked  2) Pump failure  3) Pump FCV fails closed  4) Pump min flow FCV fails closed
          5) Discharge head high  6) No inflow - pump under min flow  7) Suction line rupture
  Initiating causes: 1) Loss of pump and operational issues
Event: 4) Reverse Flow
  Causes: 1) Pump failure and free wheeling
          2) Pump min flow FCV fails open, routing high press discharge side liquids to suction
  Initiating causes: 1) Loss of pump and operational issues
Event: Pressure
  Causes: 1) Pump NPSH not met – suction cavitation  2) Blocked inlet  3) Suction strainer fouled
          4) Blocked outlet  5) Pumped fluid density different  6) Water hammer
  Initiating causes: 1) Loss of pump and operational issues
Event: Others
  Causes: 1) Changes in feed composition or flows  2) Ingress of air, water, steam, corrosion products
Event: Start-up
  Causes: 1) Purging, flushing, steaming, removing mill scales  2) Pressure testing
Event: Opn: Tank overflow
  Causes: 1) Improper operation
  Initiating causes: Op error; failure to follow instructions; poor training
Good on shop floors. Not good for identifying new hazards
What-if Analysis
Brainstorming sessions with a series of "What if…?”
questions on potential upsets that may result in an
incident or poor system performance
Each addressing a potential failure or mis-operation
Responses determine potential hazards
Existing safeguards evaluated; Additional safeguards or
mitigation measures recommended
Plant or system is subdivided into several nodes, to
stay focused
What if the Feed Pump fails to start?
What if the tail pipe freezes over?
What if the reactor temperature shoots up?
What if the operator adds the chemicals in the wrong sequence?
What-if Analysis
Example
Hazard: Pool fire
Causes: Vessel overpressure and leak; Flange leak; Spill; Local draining
Consequence: 1) Pool fire of oil/ condensate 2) Potential vapor cloud explosion (VCE)
3) Toxic exposure (CO2, H2S, Mercury) 4) Equipment/ Structural damage 5) Personnel injury
6) Escalation to adjacent risers and other equipment on board
Safeguards: 1) F & G detection/ ESD/ Blowdown 2) PPE to prevent skin exposure to mercury
3) Hazardous area classification and selection of electrical equipment conforming to classified zone
4) Automatic isolation of power to non-essential electrical equipment on confirmed fire detection
5) Decks are naturally ventilated
Action or Recommendation: -
On: -
What-if Analysis
Simple and effective in the hands of experienced
team members
Good for early hazard identification with PFDs only
Better than HAZOPs for batch operation like pigging
or depressurizing a pipeline
Common and least structured methods
Good & flexible tool in a wide range of circumstances
Good at any stage and for change review
Team members should not get into a tunnel vision,
limiting themselves to the check list
HAZID
What?
Identify hazards or risks in a plant, its design and operation
When?
As early as possible, FEED stage, based on min info - layout and flow
diagrams
How?
Team selects areas to study; Plot or deck wise or system wise
Each system or area reviewed against a pre-agreed checklist.
When a hazard or risk is identified, the following are evaluated:
All potential causes or scenarios that could trigger the hazard;
Their potential consequences - direct as well as escalated;
Impact on personnel, assets and environment;
Effectiveness of safeguards/ risk reduction/ or operating procedures
present;
Recommendation, if any, to add to existing measures
HAZID
Discussions are recorded in a transparent way
Hazard: Hydrocarbons release - with or without ignition due to: Dropped object, Swinging load,
Fitting Failure or Leak, or Operator Error
Cause: Rupture of risers and/ or on-deck piping
Consequence: 1) Pipeline/ riser/ piping leak/ rupture leading to gas cloud. Potential vapor cloud
explosion (VCE) 2) Riser fire (jet fire for a long duration) 3) Toxic exposure (CO2, H2S, Mercury)
4) Pool fire of oil/ condensate on deck and sea surface 5) Equipment/ Structural damage
6) Personnel injury 7) Missile generation, equipment/ structural damage 8) Escalation to adjacent
risers and other equipment on board
Safeguards: 1) F & G detection/ ESD/ Blowdown 2) Lifting procedures/ look out man on the topsides
3) Crane operating radius away from pipeline corridor 4) Certified crane operators. Dead man’s
handle to operate crane 5) Regular crane maintenance 6) Dropped Object/ crane location/ laydown
area study to ensure that crane resting position is not above equipment or escape routes
7) Fusible plugs near riser ESDV to shutdown SDVs upon confirmed fire detection 8) PPE to prevent
skin exposure to mercury 9) Hazardous area classification and selection of electrical equipment
conforming to classified zone 10) Automatic isolation of power to non-essential electrical
equipment on confirmed fire detection 11) Decks are naturally ventilated
Action or Recommendation: 3) Provide suitable type of crane and a combination of cranes, forklifts,
hydraulic manipulators, lifting beams and appliances 4) Check operational requirements for
laydown areas, bumper bars and mechanical handling capabilities 5) Ensure that wellheads are
automatically shutdown upon confirmed fire detection on topsides
On: -
Recorded without ambiguity to avoid any misunderstanding.
Must be clear even after 10 years
Only items with potential hazards are recorded
HAZOP
Unlike Hazid, Hazop requires P&IDs, Cause & Effect Matrix. More rigorous and detailed.
Hazid – ½ day; Hazop – 1 to 8 weeks
What?
Structured and systematic examination of a planned or existing
operation to identify issues in design and operation. Widely used
One section of a plant or system or operation (node) is examined by a
multi-disciplinary team
Why?
Identify and evaluate hazards; operability and maintenance issues
How?
Operating parameter + Guide word to find possible deviation from
design/ operational intent, its feasible causes and their potential
unwanted consequences
Node by node (line by line or equipment by equipment)
Then?
Available safeguards evaluated; additional safeguards/ studies
/solutions recommended
HAZOP - Steps
Select a system. Explain its general intent
Select a node (area of focus, small bite) vessel or line. Explain general
intent
Apply:
1. an operating parameter <Flow> and a guide word <No>
2. to develop a meaningful deviation <No Flow>
3. possible causes <Outlet blocked> and consequences <pressure builds up>
4. potential hazards <flange leak, vessel burst, fire, explosion>
5. safeguards <PCV/ PAHH/ PSV> and
6. recommendation/ action. Repeat for all guide words for the parameter
Repeat for all parameters, flow, pressure, temp
Node complete. Repeat for all nodes
Examine auxiliary units - heating, cooling, utility
Parameters: Flow, Press, Temp, Level, Time etc
Guide Words: No, Less, More, As Well As, Part of, Reverse
HAZOP - Test
Can you spot improvements?
Figure (sketch, not reproduced): J1 Pump - Feed to Distillation Column; RO; 150#/ 300#;
Start-up Bypass
Pump failure will lead to reverse flow from column and bypass
Improvements shown on the revised sketch: RO; Min Flow FCV with larger pumps; Power Supply –
alternative sources; Spare Pump; Auto start of Spare Pump; Suction PSLL; PG
HAZOP
Discussions are recorded/ tabulated as below
Guide word & Deviation: High Level in V3010
Cause: 1) LCV failure 2) LIC sensor failure 3) Outlet SDV or block valve closed
4) More inflow 5) Sandjet valve open
Consequence: 1) Tank overflow 2) Environ Impact 3) Pool fire
Risk Ranking: -
Safeguards: 1) 2 separate LAHH 2) 1 hour storage above LAHH
Action: -
On: -
Creative & open-ended. Good participation from different
discipline team members bring out the best
Systematic, structured, comprehensive and flexible
Identifies all potential hazards and operability issues
Caution:
1. No credit for controls as they might be on manual mode
2. Alarms get bypassed and “nuisance” ones ignored
Alarm fatigue in an emergency situation
3. Trips might have latently failed. Car brake failure gets noticed; not headlight failure,
unless you regularly drive at night
HAZOP
Time-consuming, repetitive that hinders “full” participation.
Monotonous and maintaining interest is a challenge. Team
members may “switch-off” - no contribution!
Success limited by team composition and time given. Team
may miss out scenarios they are not familiar with
Domination by a single person
Ignoring start-up/ shutdown issues. Poor participation from
operations in new projects
Expecting Hazop to be a catch all “Design Review”
Ethylene Plant: 100 P&IDs; Av 5-6 items/ nodes per P&ID (about 550 nodes)
4 parameters * 5 guide words + 5 start-up issues = 25 queries/ node; 3-5 minutes/ query
8 hour/ day sessions. 5 day/ week
Hazop Duration = 550 nodes * 25 queries * 4 min / 60 / 8 / 5 = 22-25 weeks
FMEA – Failure Modes, Effects
Analysis
Finds all possible failure modes of a component, module or subsystem
and their consequences, usually in equipment. Key issue: Reliability & availability
Hazid provides helicopter view; Hazop ground view; FMEA
micro view of individual system
Good for analyzing mechanical and electrical hardware
systems eg. wellhead panels, PLCs etc
Failure modes of each component, their possible causes,
probability of occurrence, potential consequences, and
proposed safeguards are noted
FMEA key words:
• Rupture, Crack, Leak, Plugged, Stop, Start, Bypass
• Failure to open/ close/ stop/ start/ continue
• High /low pressure; High /low temperature
FMEA
Compressor PLC
Failure Mode: SDV open position indicator switch fail
Effect: Wrong indication of valve position to control system. Incorrect controller
sequence initiated
Causes: Wear and tear
Safeguards: Commissioning and test procedures to ensure that all compressor SDV
indicators are wired correctly to PLC
Action: Correct position indication is required in compressor start-up logic. All
position indicators should be function tested in vendor shop
On: -
Very structured and reliable method for hardware and
automatic control systems. Improves reliability
Easy to learn and apply. Easy to evaluate even complex
systems. Gives an insight into failure modes
Takes lot of time and may miss areas of multiple faults.
May not identify areas of human error in operations
FTA - Fault Tree Analysis
Graphical method: Combinations of possible events
that result in an undesirable outcome (top event)
Intermediate events are combined using AND and
OR logical operators
Considers both hardware and human failures
Figure (fault tree, not reproduced): top event "Kaboom" fed by an AND gate over
"Press Rise", "PSV1 Fails to relieve" and "PSV2 Fails to relieve". Other events on
the tree, combined through AND/ OR gates: PCV Fails; SIS Fails; PAHH Fails;
SIS Output Fails; PIC Fails; PIC Input Fails; DCS Fails; DCS Output Fails;
PSV Fails to open; PSV set high; PSV undersized
FTA - Fault Tree Analysis
Good for analyzing multiple (combination of) failures
that result in an accident or when multiple outcomes
are possible
Traceable, logical, quantitative + visual
representation of causes, consequences and event
combinations
With probabilities of individual events known, it is easy to
calculate the probability of the top event (QRA)
Not intuitive. Training required. Difficult to
document. Can get complex. Time taking
Fault Tree Analysis
Figure out the ways in which hazards can occur
Then apply frequency and probability to find likely events
Mistakes are made not in f and p, but in figuring out hazards
Figure (two fault trees, not reproduced; values as labelled on the slide):
Press Rise Hi Hi: Press Rise 1 /year AND RV Dead 0.005 (HOD = 1) → 0.005 /year
Free Meal = OR of: Meetings with Lunch (Meetings 20 /year AND Invitation 0.1 → 2 /year);
Lunch with visitors (Visitors 15 /year AND Invitation 0.1 → 1.5 /year);
Training Lunch (Training 5 /year AND Invitation 0.2 → 1.0 /year)
Common Mistake: Not counting all hazards (known/ unknown). Suppose, a clever
manager figures out that it is cheaper to buy lunch and herd all for monthly
Tool Box/ Brown Bag/ Safety meetings, 12 /year at 1; additional (unwanted)
lunches = 12
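To make the AND/ OR arithmetic of the two trees above concrete, here is a small fault-tree evaluator. It is an added example, not code from the original slides. The gate convention it assumes (AND multiplies a demand frequency by the probabilities that the protection layers are dead; OR adds frequencies, or combines probabilities as 1 - product of (1 - p)) is the usual one in QRA texts but is not stated on the slide. The event values are my reading of the slide's labels; the optional "monthly safety meeting" branch is the slide's "clever manager" case.

```python
# Added example (not from the original slides): a small fault-tree evaluator
# that propagates frequencies (/year) and probabilities through AND/OR gates.
#
# Convention assumed here (common in QRA texts, not stated on the slide):
#   AND gate : multiply; at most one input may be a frequency (a demand rate
#              times the probabilities that the protection layers are dead)
#   OR gate  : frequencies add; probabilities combine as 1 - prod(1 - p)
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class Event:
    name: str
    value: float   # /year if kind == "freq", dimensionless if kind == "prob"
    kind: str      # "freq" or "prob"


@dataclass
class Gate:
    name: str
    op: str        # "AND" or "OR"
    inputs: List[Union[Event, "Gate"]]


Node = Union[Event, Gate]


def evaluate(node: Node) -> Tuple[float, str]:
    """Return (value, kind) for a node; kind is 'freq' or 'prob'."""
    if isinstance(node, Event):
        return node.value, node.kind
    results = [evaluate(child) for child in node.inputs]
    kinds = {k for _, k in results}
    if node.op == "OR":
        if kinds == {"freq"}:
            return sum(v for v, _ in results), "freq"
        if kinds == {"prob"}:
            survive = 1.0           # probability that none of the inputs occurs
            for v, _ in results:
                survive *= 1.0 - v
            return 1.0 - survive, "prob"
        raise ValueError(f"{node.name}: OR gate mixes frequencies and probabilities")
    if node.op == "AND":
        n_freq = sum(1 for _, k in results if k == "freq")
        if n_freq > 1:
            raise ValueError(f"{node.name}: AND of two frequencies needs a duration")
        product = 1.0
        for v, _ in results:
            product *= v
        return product, ("freq" if n_freq else "prob")
    raise ValueError(f"{node.name}: unknown gate {node.op}")


def overpressure_tree() -> Gate:
    """Slide's first tree: pressure rise (1 /year) AND relief valve dead (0.005)."""
    return Gate("Press Rise Hi Hi", "AND", [
        Event("Press Rise", 1.0, "freq"),
        Event("RV Dead (HOD = 1)", 0.005, "prob"),
    ])


def free_meal_tree(monthly_safety_lunches: bool = False) -> Gate:
    """Slide's second tree. Values are the slide's labels; the optional branch
    is the 'clever manager' case: 12 meetings/year, invitation probability 1."""
    branches = [
        Gate("Meetings with Lunch", "AND", [Event("Meetings", 20.0, "freq"),
                                            Event("Invitation", 0.1, "prob")]),
        Gate("Lunch with visitors", "AND", [Event("Visitors", 15.0, "freq"),
                                            Event("Invitation", 0.1, "prob")]),
        Gate("Training Lunch", "AND", [Event("Training", 5.0, "freq"),
                                       Event("Invitation", 0.2, "prob")]),
    ]
    if monthly_safety_lunches:   # the branch a first pass would have missed
        branches.append(Gate("Safety meeting lunch", "AND",
                             [Event("Toolbox meetings", 12.0, "freq"),
                              Event("Invitation", 1.0, "prob")]))
    return Gate("Free Meal", "OR", branches)


def top_event_frequency(tree: Gate) -> float:
    """Evaluate a tree whose top event is a frequency (/year)."""
    value, kind = evaluate(tree)
    if kind != "freq":
        raise ValueError("top event of this tree is not a frequency")
    return value


if __name__ == "__main__":
    print("Press Rise Hi Hi:", top_event_frequency(overpressure_tree()), "/year")
    print("Free meals      :", top_event_frequency(free_meal_tree()), "/year")
    print("with missed branch:", top_event_frequency(free_meal_tree(True)), "/year")
```

The mixed-kind checks are the point of the exercise: multiplying two frequencies or adding a frequency to a probability is meaningless, and a tree built by hand often hides exactly that mistake. Note how the result jumps once the forgotten branch is added; the slide's "common mistake" is a modelling gap, not an arithmetic one.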
SIL - Safety Integrity Level
Determines effectiveness of safety systems
Considering probability of failure to respond on demand
Establishes availability of Safety Instrumented System (SIS)
when things go wrong, looking at Layers of Protection (LOPA)
Data
HAZOPs, QRAs etc studies; P&IDs; Cause and effect charts;
Maintenance and shutdown details; Relevant operational
information
List of Safety Instrumented Functions (SIFs) based on above
SIL Classification or target values
SIL 1 - between 10^-1 and 10^-2 (0.1 to 0.01). Once in 10–100 years
SIL 2 - between 10^-2 and 10^-3 (0.01 to 0.001)
SIL 3 - between 10^-3 and 10^-4 (0.001 to 0.0001). That is once
in 1,000 or 10,000 years. Maxm. This is as good as a PSV
SIL 4 - between 10^-4 and 10^-5. Not practical
Figure (fault tree, not reproduced): Failure of LAHH SIF = Logic Solver Fails
OR (LAHH ‘A’ Fails AND LAHH ‘B’ Fails)
SIL Achieved
Fault Tree Analysis based on sensors, final elements, logic
solvers; redundancy; their reliability and testing intervals
Proof test interval is key to get high SIL
SIL – Layers of Protection
Control system maintains stable operation – 1st layer
Trip & shutdown system provides primary protection, when
control system fails – 2nd layer
Relief system provides secondary protection, when control &
trip systems fail – ultimate protection or last line of defense –
3rd layer
Figure (P&ID sketch of a Production Separator, not reproduced): Well Fluids inlet
with SDV; PIC (control); PAHH and PALL (trips); relief To Flare; gas To Compressor;
Oil/ Condensate and Produced Water outlets, each with an SDV
SIL – Layers of Protection
Credit given for Layers of Protection (LOPA)
Basic Design; Process Control System; Alarms, Trips, Operator
Response; Pressure Relief Devices. LOPA and owner’s risk matrix are
used
SIL studies can help delete redundant SIF / instrumentation
SIL is an excellent mathematical tool
Economic or Asset protection alone will demand hi SIL
Operating and Engg companies yet to go full hog
SIL Terms:
TF = Tolerable frequency. TF of 10^-4 means, company can tolerate
an incident once in 10,000 years. Company’s risk appetite!
PFD = probability of failure on demand (PFD), that is when SIS
fails to protect; user or manufacturer data!
MF = Mitigated frequency. Should be less than reqd TF/ SIL
Figure (layers of protection, innermost to outermost, not reproduced):
Process; Controls & Monitoring (Controls, Alarms, Operator Supervision);
Prevention (SIS Trips, Operator Response); Mitigation (Mechanical mitigation,
Relief System, Operator Action); Containment/ Evacuation Procedure (Emergency,
Evacuation); Plant Emergency Response; Community Emergency Response
Risk Matrix - Typical UKOOA simple 3 x 3 Matrix
Risk of a hazard:
its probability x severity of its consequence.
How likely and how bad it would be if it happened

Consequence \ Probability   Low      Medium   High
High                        Medium   High     High
Medium                      Low      Medium   High
Low                         Low      Low      Medium

UKOOA 5 x 5 Matrix

Consequence \ Frequency   1 Rare   2 Unlikely   4 Infrequent   5 Occasional   6 Frequent
Severe 6                  Medium   Medium       High           High           High
Critical 5                Low      Medium       Medium         High           High
Substantial 4             Low      Low          Medium         Medium         High
Marginal 2                Low      Low          Low            Medium         Medium
Negligible 1              Low      Low          Low            Low            Medium

Consequence: Severe - Many lives; Critical - Several lives; Substantial - Single life/
serious injury; Marginal - Single serious injury or many minor injuries; Negligible -
Single minor injury
Frequency: Rare - < 1 in 10,000 years; Unlikely - 1 in 1,000-10,000 years; Infrequent -
1 in 100-1,000 years; Occasional - 1 in 10-100 years; Frequent - 1 in 10 years
High: Risk - Not tolerable – additional protection/ design changes required
Medium: Risk – Tolerable with controls – evaluate additional control/ design changes
Low: Risk – Tolerable. Do nothing!
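The SIL terms (TF, PFD, MF), the SIL bands, the LAHH ‘A’/ ‘B’ fault tree and the UKOOA 5 x 5 matrix above all fit together in one calculation, worked here as an added example that is not code from the original slides. The scenario numbers (initiating frequency, operator PFD, dangerous undetected failure rate) are constructed for illustration; the SIL bands and the matrix are transcribed from the slides; the 1oo1 and 1oo2 PFD formulas are the simplified IEC 61508 expressions (common-cause failure ignored), which the slides do not give; the band edges for the frequency classes are assumed lower-inclusive.

```python
# Added example (not from the original slides): LOPA-style arithmetic with the
# slide's terms (TF, PFD, MF), the slide's SIL bands, a simplified
# PFD-versus-proof-test-interval relation, and a ranking against the slide's
# UKOOA 5 x 5 matrix. Scenario numbers are constructed, not from the slides.

# SIL bands as listed on the slide (lower bound inclusive, upper exclusive).
SIL_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]


def sil_for_pfd(pfd: float) -> int:
    """Map a PFD to the SIL band on the slide; 0 means no SIL credit (PFD >= 0.1)."""
    if pfd < 1e-5:
        raise ValueError("PFD below the SIL 4 band: 'not practical' per the slide")
    for sil, lo, hi in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0


def mitigated_frequency(initiating_freq: float, ipl_pfds) -> float:
    """MF = initiating event frequency x PFD of each independent protection layer."""
    mf = initiating_freq
    for pfd in ipl_pfds:
        mf *= pfd
    return mf


def required_sif_pfd(initiating_freq: float, other_ipl_pfds, tolerable_freq: float) -> float:
    """PFD the SIF must reach so that MF <= TF: TF divided by the frequency without the SIF."""
    return tolerable_freq / mitigated_frequency(initiating_freq, other_ipl_pfds)


def pfd_avg_1oo1(lambda_du: float, ti_years: float) -> float:
    """Simplified IEC 61508 formula: one sensor, proof tested every TI years."""
    return lambda_du * ti_years / 2


def pfd_avg_1oo2(lambda_du: float, ti_years: float) -> float:
    """Simplified formula for two sensors voted 1oo2 (common cause ignored):
    the slide's case of LAHH 'A' AND LAHH 'B' both failed."""
    return (lambda_du * ti_years) ** 2 / 3


# UKOOA 5 x 5 matrix transcribed from the slide: rows = consequence,
# columns = frequency class Rare, Unlikely, Infrequent, Occasional, Frequent.
FREQ_CLASSES = ["Rare", "Unlikely", "Infrequent", "Occasional", "Frequent"]
RISK_MATRIX = {
    "Severe":      ["Medium", "Medium", "High",   "High",   "High"],
    "Critical":    ["Low",    "Medium", "Medium", "High",   "High"],
    "Substantial": ["Low",    "Low",    "Medium", "Medium", "High"],
    "Marginal":    ["Low",    "Low",    "Low",    "Medium", "Medium"],
    "Negligible":  ["Low",    "Low",    "Low",    "Low",    "Medium"],
}


def frequency_class(freq_per_year: float) -> str:
    """Slide's bands (1 in 10,000 y = 1e-4 /y, ...); edges assumed lower-inclusive."""
    edges = [(1e-4, "Rare"), (1e-3, "Unlikely"), (1e-2, "Infrequent"), (1e-1, "Occasional")]
    for upper, label in edges:
        if freq_per_year < upper:
            return label
    return "Frequent"


def risk_rank(consequence: str, freq_per_year: float) -> str:
    """Look the scenario up on the 5 x 5 matrix."""
    return RISK_MATRIX[consequence][FREQ_CLASSES.index(frequency_class(freq_per_year))]


def tank_overflow_case() -> dict:
    """Constructed scenario: high level in a tank (cf. the HAZOP table), LCV
    failure as initiating event, operator response to the alarm as the only
    non-SIS layer, and a Substantial consequence (pool fire, single life)."""
    ief, operator_pfd, tf = 0.5, 0.1, 1e-4      # constructed values
    need = required_sif_pfd(ief, [operator_pfd], tf)
    lam = 0.002                                  # constructed lambda_DU, per year
    options = {
        "1oo1 LAHH, tested yearly":   pfd_avg_1oo1(lam, 1),
        "1oo1 LAHH, tested 3-yearly": pfd_avg_1oo1(lam, 3),
        "1oo2 LAHH, tested 3-yearly": pfd_avg_1oo2(lam, 3),
    }
    return {
        "required_pfd": need,
        "required_sil": sil_for_pfd(need),
        "unmitigated_rank": risk_rank("Substantial", ief),
        # per option: achieved PFD, whether it meets TF, matrix rank of the MF
        "options": {k: (v, v <= need,
                        risk_rank("Substantial", mitigated_frequency(ief, [operator_pfd, v])))
                    for k, v in options.items()},
    }


if __name__ == "__main__":
    for key, val in tank_overflow_case().items():
        print(key, val)
```

Two things the numbers show: stretching the proof test interval of a single sensor from one to three years triples its PFD and pushes it past the target, while a second sensor voted 1oo2 brings the PFD down by orders of magnitude, which is why the slide says the proof test interval is key. Also, the three-yearly 1oo1 option still lands "Low" on the matrix although it misses the company's TF, a reminder that the owner's risk matrix and the tolerable-frequency criterion are two different tests and a SIL study applies the stricter one.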
How do we mitigate risks
Risk = Probability x Severity
Reduce probability, severity, or both
Hazard: LPG tank farm. LPG leakage
Risk: Vapor cloud Explosion
Mitigate probability: Proper isolation before swinging blind
Mitigate severity: (1) Install remote operable valves (ROV)
to isolate spill or transfer contents to another tank and (2)
install F& G detectors to close ROV
Usher in a safety culture. Empower operators to
believe that they can detect a hazard and act on it
Safety Management System (SMS) Building Blocks (figure, not reproduced):
Safety Policy: Identify Responsibilities & Objectives
Safety Risk Management: Identify hazards; Analyze Risks; Prioritize Risks; Treat Risks
Safety Assurance: Internal Auditing; External Auditing; Good testing & maintenance;
Report all incidents (non-punitive); Document & Record
Safety Promotion: Training & Education; Toolbox Meeting; Communicate Safety Alerts
Safety Culture
Empowered employees make a difference!
BEFORE: Safety is a priority for me but I can’t translate that to my plant
AFTER: I can ensure safety is a priority at my plant
BEFORE: Accidents may happen once in a while in my plant
AFTER: I take care of hazards before they turn into accidents
BEFORE: I don’t know what is the greatest risk in my plant
AFTER: I can classify every risk in my plant and know how to mitigate it
BEFORE: What should I do to improve safety?
AFTER: I have a risk-based prioritized list of things that I should do to improve safety
BEFORE: I don’t know how safely my workers are doing their job
AFTER: My workers are trained and they help keep the plant a safe place
BEFORE: How safe is my plant? How will I know?
AFTER: I measure safety performance and know the trends
BEFORE: My managers keep my plant safe
AFTER: Every worker helps to maintain and improve safety
Based on a presentation on airport safety
Safety Studies
Qualitative vs Quantitative
Knowledge, Experience and Judgment vs Numerical Analysis
Qualitative/ Quantitative Risk Analysis (QRA)
Quantifies risk levels to personnel and public
Demonstrates risk levels meet the specified criteria
Provides design options
Ship Collision Risk Analysis
Reviews risks posed by passing vessels, supply boats etc
Suggests remedial measures, protection
Dropped Object Risk Analysis
Reviews risks posed by dropped objects on equipment
Suggests remedial measures, protection
Equipment Location
Consequence modeling for identified hazards
Checks out location of buildings. Provide fire / blast protection
Safety Studies
Smoke & Gas Ingress, Toxic Gas Risk Analysis
Vapor cloud / toxic gas dispersion. Flammable mass for explosion
Blast analysis; Fire consequence analysis
Distance reqd for LFL flash fire; Location of buildings and facilities
Fire & Explosion / Blast Risk Analysis
Pool fire/ Jet fire/ Flash fire/ BLEVE
Thermal radiation. Impact on personnel and facilities
Isolation of inventory and depressurization; Passive fire proofing to
prevent escalation
Control of fire through Firewater spray systems
Blast overpressure based on fluid composition, mass, reactivity and
confinement
Checks out location of buildings. Provide fire / blast protection
Safety Studies
EERA- Escape, Evacuation and Rescue Analysis
Reviews egress, escape, evacuation & rescue of personnel
Temporary Refuge Integrity Analysis
ESSA - Emergency Systems Survivability Analysis
Reviews Essential Systems survive a major event
Emergency Systems Reliability / Availability Analysis
Reviews availability of Emergency Systems
EIA - Environmental Impact Assessment
Reviews impact of emissions and discharges to atmosphere,
soil and sea
Safety in Design
Inherent Safety
Eliminate hazard by non-hazardous materials and process
conditions/ technology
Reduce inventory in process and storage
Relocate or rearrange equipment locations
Hazard Prevention
Overpressure protection by Pressure Relief and De-
pressuring
Hazardous Area Classification to control electrical sources
of ignition
SIL verification based on historical failure data
Safety in Design
Hazard Detection
Flammable / Toxic Gas / Flame Detection
Building smoke and fire detection
Manual alarms and Emergency Shutdown Stations
Hazard Control
Process isolation and depressurization
Flare and vent tip location to protect personnel from thermal radiation
and toxic gas
High risk areas downwind of low risk areas
Drainage and spill control; Ventilation and pressurization
Hazard Mitigation
Active fire protection
Firewater / foam systems / fixed and portable extinguishers
Passive fire protection for structural steel, enclosures, equipment
supports, electrical and instrumented systems
Accidents Still happen
No method can identify all accidents that could occur
Team may be unaware of a scenario, may overlook it or
decide it as not credible or significant
You can add redundancy in alarms and shut down valves
(parallel trips, valves in series)
How about the man – to take the right action, in the right
time and right sequence
Failure rates (chance that the operator does not take the right action):
100% in an emergency, when the response is needed to avoid a serious accident, with so
many alarms and phones ringing
10% in a busy control room with phones ringing
1% in a quiet control room, as in a pumping station
0.1% if the button to press is right below the alarm
Human Element
Before we blame operational errors, consider
Equipment can be off-line or under maintenance
Safety devices may fail to respond or take time to cut in
Hazardous consequences may propagate in several ways/
thru multiple systems requiring concurrent multiple tasks
Limited manpower in modern control rooms
Procedures may not have covered all situations, or may not have
been followed, or may have been ignored
Operator may respond based on instinct rather than plan
Hazop worksheets with well documented scenarios are never looked at after the safety studies are over. A tabulation of
equipment based deviations and causes given to plant operators may help them in real situations – to identify less apparent
contributory causes that may cut across plant boundaries and develop operators’ analytical skills
Accidents
Do they happen or do we let them happen
Your every action in a day, considering its impact on you, your family,
your colleagues and friends, will make it a way of life!
THANK YOU - BE SAFE