SHARINGKNOWLEDGE MK32015

RISKANALYSIS
(FROMHAZOPWITHBOWTIE)
ROSLINORMANSYAH 1506785526
HAZOPModel
 HAZARD STUDY

HAZAN HAZOP
HAZARD & OPERABILITY
SAFETY AUDIT
DOW INDICES (HAZARD RANKING)
ACCIDENT ANALYSIS
SCENARIO DEVELOPMENT

EIA QUANTITATIVE RISK ASSESSMENT (QRA)

EMERGENCY MANAGEMENT PLAN (EMP)

The above diagram of inter-relationships shows that there are there are four main areas of hazard study namely :
Hazard analysis (HAZAN), Hazard and Operability study (HAZOP), Scenario development, Quantitative Risk
Assessment (QRA) and finally Emergency Management Plan (EMP). These inter-relationships are more
elaborated in the following diagram :
HAZARD CHECK LIST SYSTEM DESCRIPTION
HAZAN
SAFETY AUDIT
HAZARD IDENTIFICATION
DOW INDICES
SCENARIO DEVELOPMENT HAZOP
ACCIDENT ANALYSIS

ACCIDENT PROBABILITY ACCIDENT CONSEQUENCE

QRA
RISK DETERMINATION

RISK AND/OR HAZARD ACCEPTABILITY NO

YES
EIA BUILD AND/OR OPERATE EMP

ADAPTED FROM GUIDELINES FOR HAZARDS EVALUATION PROCEDURES,

AMERICAN INSTITUTE OF CHEMICAL ENGINEERS, NEW YORK, 1985, P 1-9
 HAZOP history

The basis for HAZOP was laid by ICI in 1963 and was based on
so-called critical examination techniques
First guide: A Guide to Hazard and Operability Studies, ICI and
Chemical Industries Associations Ltd. 1977.
First main textbook: Kletz, T. A.: Hazop and Hazan Identifying
and Assessing Process Industry Hazards, Institution of Chemical
Engineers.
See also: Kletz, T. A.: Hazop past and future. Reliability
Engineering and System Safety, 55:263-266, 1997.
Types of HAZOP
Process HAZOP
The HAZOP technique was originally developed to assess plants and process systems
Human HAZOP
A family of specialized HAZOPs. More focused on human errors than technical failures
Procedure HAZOP
Reviewof procedures or operational sequences Sometimes denoted SAFOP SAFe
Operation Study
Software HAZOP
Identification of possible errors in the development of software

Only Process HAZOP and Procedure HAZOP are covered in this presentation.
What is HAZOP?
A Hazard and Operability (HAZOP) study is a structured and systematic
examination of a planned or existing process or operation in order to identify
and evaluate problems that may represent risks to personnel or equipment, or
prevent efficient operation.

The HAZOP technique was initially developed to analyze chemical process

systems, but has later been extended to other types of systems and also to
complex operations and to software systems.

A HAZOP is a qualitative technique based on guide-words and is carried out by

a multi-disciplinary team (HAZOP team) during a set of meetings.
HAZOP objectives
Identify all deviations from the way a system is intended to function:
their causes, and all the hazards and operability problems associated
with these deviations.
Decide whether actions are required to control the hazards and/or the
operability problems, and if so, identify the ways in which the problems
can be solved.
Identify cases where a decision cannot be made immediately, and decide
on what information or actions are required.
Ensure that actions decided are followed up.
Make operator aware of hazards and operability problems.
 When to perform a HAZOP?
HAZOPstudiesmayalsobeusedmoreextensively,including:
Attheinitialconceptstagewhendesigndrawingsareavailable
Whenthefinalpipingandinstrumentationdiagrams(P&ID)are
available
Duringconstructionandinstallationtoensurethat
recommendationsareimplemented
Duringcommissioning
Duringoperationtoensurethatplantemergencyandoperating
proceduresareregularlyreviewedandupdatedasrequired
 Reporting and review Conclusions

Team members
HAZOP team members
The basic team for a process plant may be:
Project engineer
Commissioning manager
Process engineer
Instrument/electrical engineer
Safety engineer

Depending on the actual process the team may be enhanced by:

Operating team leader
Maintenance engineer
Suppliers representative
Other specialists as appropriate
HAZOP meeting
Proposed agenda:
1. Introduction and presentation of participants
2. Overall presentation of the system/operation to be
analyzed
3. Description of the HAZOP approach
4. Presentation of the first node or logical part of the
operation
5. Analyze the first node/part using the guide-words and
parameters
6. Continue presentation and analysis (steps 4 and 5)
7. Coarse summary of findings
HAZOP worksheet
The HAZOP work-sheets may be different depending on the scope of
the study generally the following entries (columns) are included:
1.Ref. no.
2.Guide-word
3.Deviation
4.Possible causes
5.Consequences
6.Safeguards
7.Actions required (or, recommendations)
8.Actions allocated to (follow-up responsibility)

(Version 0.1)
Prerequisites
As a basis for the HAZOP study the following information should be
available:
Process flow diagrams
Piping and instrumentation diagrams (P&IDs)
Layout diagrams
Material safety data sheets
Provisional operating instructions
Heat and material balances
Equipment data sheets Start-up and emergency shut-down
procedures

(Version 0.1)
HAZOP procedure
1. Divide the system into sections (i.e., reactor, storage)
2. Choose a study node (i.e., line, vessel, pump, operating instruction)
3. Describe the design intent
4. Select a process parameter
5. Apply a guide-word
6. Determine cause(s)
7. Evaluate consequences/problems
8. Recommend action: What? When? Who?
9. Record information
10. Repeat procedure (from step 2)

(Version 0.1)
HAZOP procedure
The HAZOP procedure may be illustrated as follows:
Divide section into study nodes

Select a study node

Apply all relevant

Record consequences combinations of guide-
and causes and suggest words and parameters.
remedies YES Any hazards or NO
operating problems?

NOT SURE

Need more information

HAZOP report
Modes of operation
Thefollowingmodesofplantoperationshouldbeconsideredforeach
node:
Normaloperation
Reducedthroughputoperation
Routinestartup
Routineshutdown
Emergencyshutdown
Commissioning
Specialoperatingmodes
 Process HAZOP work-sheet
Study title: Page: of

Drawing no.: Rev no.: Date:

HAZOP team: Meeting date:

Part considered:

Design intent: Material: Activity:

Source: Destination:
No. Guide- word Element Deviation Possible Conse- Safeguards Comments Actions Action
causes quences required allocated to

Source: IEC 61882

Worksheet entries 1
Node
A node is a specific location in the process in which (the
deviations of) the design/process intent are evaluated. Examples
might be: separators, heat exchangers, scrubbers, pumps,
compressors, and interconnecting pipes with equipment.
Design intent
The design intent is a description of how the process is
expected to behave at the node; this is qualitatively described as
an activity (e.g., feed, reaction, sedimentation) and/or
quantitatively in the process parameters, like temperature, flow
rate, pressure, composition, etc.
Worksheet entries 2
Deviation
Adeviationisawayinwhichtheprocessconditionsmaydepartfrom
theirdesign/processintent.
Parameter
Therelevantparameterforthecondition(s)oftheprocess(e.g.
pressure,temperature,composition).

(Version 0.1)
Work-sheet entries - 3
Guideword
A short word to create the imagination of a deviation of the
design/process intent. The most commonly used guide-words are: no,
more, less, as well as, part of, other than, and reverse.
In addition, guidewords such as too early, too late, instead of, are used;
the latter mainly for batch-like processes. The guidewords are applied, in
turn, to all the parameters, in order to identify unexpected and yet
credible deviations from the design/process intent.

Guide-word + Parameter Deviation

Worksheet entries 4
Cause
The reason(s) why the deviation could occur. Several causes may be identified for
one deviation. It is often recommended to start with the causes that may result in
the worst possible consequence.
Consequence
The results of the deviation, in case it occurs. Consequences may both comprise
process hazards and operability problems, like plant
shut-down or reduced quality of the product. Several consequences may follow
from one cause and, in turn, one consequence can have several causes
Worksheet entries 5
Safeguard
Facilities that help to reduce the occurrence frequency of the deviation
or to mitigate its consequences.

(Version 0.1)
 Safeguard types
1. Identify the deviation (e.g., detectors and alarms, and human operator
detection)
2. Compensate for the deviation (e.g., an automatic control system that
reduces the feed to a vessel in case of overfilling it. These are usually an
integrated part of the process control)
3. Prevent the deviation from occurring (e.g., an inert gas blanket in
storages of flammable substances)
4. Prevent further escalation of the deviation (e.g., by (total) trip of the
activity. These facilities are often interlocked with several units in the
process, often controlled by computers)
5. Relieve the process from the hazardous deviation (e.g., pressure safety
valves (PSV) and vent systems)
 Process parameters 1
Processparametersmaygenerallybeclassifiedintothefollowing
groups:
Physicalparametersrelatedtoinputmediumproperties
Physicalparametersrelatedtoinputmediumconditions
Physicalparametersrelatedtosystemdynamics
Nonphysicaltangibleparametersrelatedtobatchtypeprocesses
Parametersrelatedtosystemoperations
FromStatoilGuidelineHMST/99142
Process parameters 2
Theparametersrelatedtosystemoperationsarenotnecessarily
usedinconjunctionwithguidewords:
Instrumentation
Relief
Startup/shutdown
Maintenance
Safety/contingency
Sampling
Examples of process parameters
Flow Composition pH
Pressure Addition Sequence
Temperature Separation Signal
Mixing Time Start/stop
Stirring Phase Operate
Transfer Speed Maintain
Level Particle size Services
Viscosity Measure Communication
Reaction Control
Guidewords
The basic HAZOP guide-words are:
Guide-word Meaning Example

No (not, none) None of the design intent is achieved No flow when production is expected

More Quantitative increase in a parameter Higher temperature than designed

(more of, higher)
Less Quantitative decrease in a parameter Lower pressure than normal
(lessof, lower)
None of the design intent is achieved
As well as (more An additional activity occurs Other valves closed at the same time (logic fault or
than) human error)
Part of Only some of the design intention is achieved Only part of the system is shut down

Reverse Logical opposite of the design intention Back-flow when the system shuts down
occurs
Other than (other) Complete substitution - another activity takes Liquids in the gas piping
place

(Version 0.1)
 Conclusions

Guideword & parameter - 1

Some examples of combinations of guide-words and parameters:

NO FLOW
Wrong flow path blockage incorrect slip plate incorrectly fitted
return valve burst pipe large leak equipment failure incorrect
pressure differential isolation in error
MORE FLOW
Increase pumping capacity increased suction pressure reduced
delivery head greater fluid density - exchanger tube leaks cross
connection of systems control faults

(Version 0.1)
Guideword & parameter 2
MORE TEMPERATURE
Ambient conditions failed exchanger tubes fire situation
cooling water failure defective control internal fires
Resultsofhazardandoperabilitystudyofproposedolefine
dimerizationunit:resultsforlinesectionfromintermediatestoragetobuffer/settlingtank
Guide word Deviation Possible causes Consequences Action required
NONE No flow (1)No hydrocarbon available Loss of feed to reaction section (a)Ensure good
at intermediate storage. and reduced output. communications with
Polymer formed in heat exchanger intermediate storage
under no flow conditions. operator
(b)Install low level alarm
on settling tank LIC.
(2)J1 pump fails (motor As for (1) Covered by (b)
fault, loss of drive,
impeller corroded away
etc.)
(3)Line blockage, isolation As for (1) Covered by (b)
valve closed in error, or J1 pump overheats. (c)Install kickback on J1
LCV fails shut. pump.
(d)Check design of J1
pump strainers.
(4)Line fracture As for (1) Covered by (b)
Hydrocarbon discharged into (e)Institute regular
area adjacent to public highway. patrolling & inspection
of transfer line.

(1)
 Results of hazard and operability study of proposed olefine
dimerization unit: results for line section from intermediate storage to buffer/settling tank
Guide word Deviation Possible causes Consequences Action required
MORE OF More flow (5)LCV fails open or LCV Settling tank overfills. (f)Install high level alarm
bypass open in error. on LIC and check
sizing of relief opposite
liquid overfilling.
(g)Institute locking off
procedure for LCV
bypass when not in use.
Incomplete separation of water (h)Extend J2 pump suction
phase in tank, leading to line to 12 above tank
problems on reaction section. base.
More pressure (6)Isolation valve closed in Transfer line subjected to full (j)Covered by (c) except
error or LCV closes, with pump delivery or surge pressure. when kickback blocked
J1 pump running. or isolated. Check line.
FQ and flange ratings
and reduce stroking
speed of LCV if
necessary. Install a PG
upstream of LCV and
an independent PG on
settling tank.
(7)Thermal expansion in an Line fracture or flange leak. (k)Install thermal expansion
isolated valved section due relief on valved section
to fire or strong sunlight. (relief discharge route to
be decided later in study).
More (8)High intermediate storage Higher pressure in transfer line (l)Check whether there is
temperature temperature. and settling tank. adequate warning of
high temperature at
intermediate storage. If
not, install.

(2)
 Results of hazard and operability atudy of proposed olefine
dimerization unit: results for line section from intermediate storage to buffer/settling tank
Guide word Deviation Possible causes Consequences Action required
LESS OF Less flow (9)Leaking flange of valved Material loss adjacent to public Covered by (e) and the
stub not blanked and highway. checks in (j).
leaking.
Less (10)Winter conditions. Water sump and drain line (m)Lag water sump down
temperature freeze up. to drain valve and steam
trace drain valve and
drain line downstream.
PART OF High water (11)High water level in Water sump fills up more quickly. (n)Arrange for more frequent
concentration intermediate storage Increased chance of water phase draining off of water from
in stream. tank. passing to reaction section. intermediate storage tank.
Install high interface level
alarm on sump.
High concen- (12)Disturbance on distillation Higher system pressure. (p)Check that design of
tration of lower columns upstream of settling tank and associated
alkanes or intermediate storage. pipework, including relief
alkenes in stream. valve sizing, will cope with
sudden ingress of more
volatile hydrocarbons.
MORE Organic acids (13)As for (12) Increased rate of corrosion of (q)Check suitability of
THAN present tank base, sump and drain line. materials of construction.
OTHER Maintenance (14)Equipment failure, flange Line cannot be completely (r)Install low-point drain and
leak, etc. drained or purged. N2 purge point down-
Stream of LCV. Also
N2 vent on settling tank.

(3)
NODESELECTION
Resultsofhazardandoperabilitystudyofproposedolefine
dimerizationunit:resultsforlinesectionfromintermediatestoragetobuffer/settlingtank(NodeMerah)
Guide word Deviation Possible causes Consequences Action required
NONE No flow (1)No hydrocarbon available Loss of feed to reaction section (a)Ensure good
at intermediate storage. and reduced output. communications with
Polymer formed in heat exchanger intermediate storage
under no flow conditions. operator
(b)Install low level alarm
on settling tank LIC.
(2)J1 pump fails (motor As for (1) Covered by (b)
fault, loss of drive,
impeller corroded away
etc.)
(3)Line blockage, isolation As for (1) Covered by (b)
valve closed in error, or J1 pump overheats. (c)Install kickback on J1
LCV fails shut. pump.
(d)Check design of J1
pump strainers.
(4)Line fracture As for (1) Covered by (b)
Hydrocarbon discharged into (e)Institute regular
area adjacent to public highway. patrolling & inspection
of transfer line.

(1)
BowTieModel
 Bow-Tie Diagram

Maps the evolution of causes into a loss event, and how it progress further
into consequences
Fault Tree shows how individual causes contribute towards a loss event
Event Tree shows how mitigating measures reduce the impact of the loss
event.
A loss Event: Ignition of Material
Hazard
Scenario
1

Hazard
Ignition of
Scenario materials
2 (Fire-1)

Hazard
Scenario
3, etc
Hazard Scenario
Barriers
Barrier to detect, diagnose, activate actions to prevent or
mitigate impact of accidents
Types of Barrier
Behavioral: e.g., double check, defensive driving
Socio-Technical: e.g., calling fire brigade on alarm, activation of fire
fighting systems
Active Hardware: e.g., sprinkler system, pressure relief valves,
ventilation system
Passive Hardware: blast wall, dike, anti corrosion paint
Examples of Control Barriers (Offshore Platform)
 Preventive Measures
Hazard
Scenario
Prevention
H1 P1-1 Prevention
1-2
Ignition of
Hazard materials
Prevention
Scenario
P2-1 (Loss
H2
Event)
Prevention
3-2
Hazard Prevention
Scenario P3-1 The chance of
H3 occurrence of the loss
event is expected to be
lower
Recovery
Conseque
nce C1
Mitigation
M1-2

Ignition of Mitigation Mitigation Conseque

Materials M1-2 M2-2
nce C2
(Fire-1)

Mitigation
M1-3

Conseque
Mitigation to reduce the nce C3
impact of the loss event
Putting it together - Bow Tie Diagram
H1 C1-1
C1
C1-2 M1-2
Loss
H2 C2-1 Event M1-2 M2-2 C2

C2-3
M1-3
C3-1
H2 Mitigative C3
Preventive
Measures
Measures
Event that
trigger the Consequences
incident
Bow-Tie (Accident with Domino Effect)
Class Example: Loss of Control while Driving

Causes Prevention

Poor Visibility (Haze) Behavioral

Car Lost of
Slippery Road (Rain) Control
Tire Punctured Active
Driver asleep
Passive
Class Example: Loss of Control while Driving

C1

Mitigation

Loss of C2
Control of
a Car

Mitigation

C3
Any Question