HAZOPs: a how-to guide

A HAZOP is used to identify major hazards or operability issues related to the design, installation and operation. Major hazards include the release of hazardous materials or energy. The focus of the study is to address incidents, which may impact on public health and safety, worker safety economic loss, the environment, and the oil field or upstream unit’s reputation.

In a HAZOP (Hazard and Operability) study, a package (or a facility) is broken down into ‘nodes’ on a ‘P&ID’. Each node will be examined under the direction of a number of guidewords such as high pressure, low pressure, low flow, high flow, no flow, reverse flow, etc. Some guidewords will become specific to each system or team. For example, operation team, commissioning team, etc, each have its own guidewords. The two major inputs to the HAZOP are the (P&IDs) and Cause and Effect charts.

One of primary purposes of the HAZOP is the identification of scenarios that would lead to the release of hazardous or flammable material into the atmosphere, thus exposing workers and people living surrounding the oil field or upstream facilities to danger. In order to make this determination it is always necessary to identify, as exactly as possible, all consequences of any credible causes of a hazard.

HAZOP study

Ensuring that the HAZOP meeting covers the required scope of the HAZOP study is important task. Too often, HAZOP studies failed to cover whole the intended scope or sometimes they exceeded the defined battery limits. A clear scope definition is the key for a HAZOP.

Another important element that is essential for a successful machinery or package HAZOP study whether in an oil filed or upstream unit is that “all possible modes” of operation, start-up and shutdown should be considered. A machinery package has different modes of operation; all modes should be considered, and proper guidewords should be applied for each mode of operation. Care should be taken to identify less obvious modes, particularly those associated with different shut-down situations (such as normal shutdown cases and different emergency shutdown situations in various circumstances), and the subsequent start-up and their combinations.

The scope of a HAZOP study should ensure that all the possible deviations from design intent (and normal operation) are not only identified within the immediate scope of the machinery or package under the HAZOP study, but they are also identified with respect to surrounding facilities of the machinery or package. Four cases that require particular attention are:

  1. The upstream of a machinery package (often known as the suction) which could be affected by alternative operation cases and possible malfunctions. For example, in many pumps and compressors, in many cases, the suction system should be rated for a higher than normal pressure or even it should be rated for the discharge pressure because of some of these cases.
  2. The downstream of a machinery [or package] (often known as the discharge) which could be seriously affected by different modes of normal and abnormal machinery operation.
  3. Large and high power machineries or packages.
  4. Modifications to existing machineries or packages. Changes to the operating conditions and procedures for any existing components, systems or equipment, arising as a result of modifications should be included in the HAZOP study. Particular attention should be paid to package piping specifications.

Past experiences have shown that some post start-up problems have not been identified at the HAZOP stage for machineries and packages, because the HAZOP study did not look far enough at the upstream or downstream consequences of the modifications. In large packages, the HAZOP study is usually conducted in stages. An example could be a large gas turbine driven compressors where the HAZOP can be planned in different stages for the gas turbine (and its accessories such as hear recovery), the compressor casings, axillaries, etc. Under these circumstances, there is the potential for incomplete follow through of problems, issues and consequences and for “things” to slip between the individual boundaries.

Regarding modifications on machineries and packages, in particular, relief and blow-down systems, emergency shutdown systems, alarms, interlocks, and hazardous area classifications should be reviewed to ensure that they are adequate after the modifications have been implemented.

Safety versus operability

The “Hazard” is any item or operation that could possibly cause a catastrophic release of toxic, flammable or explosive chemicals or any action that could result in injury to personnel. The identification of hazards is the main focus of a HAZOP. However, a HAZOP is expected to identify “operability problems” which are any operation inside HAZOP scope that would cause a shutdown, particularly those that could possibly lead to a violation of environmental, health or safety regulations or negatively impact profitability. A HAZOP concentrates on identifying both hazards as well as operability problems. Although the hazard identification is the main focus of HAZOP, operability problems should be identified. Particularly, it is expected that all operability problems that potentially can lead to process hazards, result in an environmental violation or have a negative impact on profitability, should be identified in a HAZOP. While the HAZOP study is designed to identify hazards through a systematic approach, more than 55% of all HAZOP study recommendations for oil fields and upstream units are operability problems and are not actual hazards.

HAZOP considerations

Operation and maintenance are important parts of a HAZOP study. It should be verified that a machinery or a package can be adequately vented or drained. For example, the venting is important for the start-up and shutdowns, and the draining is critical for the maintenance. A machinery or package should properly be isolated.

A short perspective review of each system at the start of a HAZOP meeting of each system is recommended by an expert. This should be a brief review and the study should be transferred to a line-by-line basis. It is always best to follow each line through the P&ID; a general overview is usually much less affective in a HAZOP. One of the reason is in a line-by-line review the team focus on each item at the same time. Poorly placed valves, inadequate access and potential for non-draining low points can be problematic.

Recommendations should be made when the safeguards for a given hazard scenario, as judged by an assessment of the risk of the scenario, are inadequate to protect against the hazard. Action items are those recommendations for whom an individual or department has been assigned. For some cases, “Information Required” might be identified as recommendations for follow-up by one of the team members. The following guidelines are suggested for the implementation of hazard analysis recommendations:

  • High priority action items should be resolved within 1 - 2 months.
  • Medium priority action items should be resolved within 2 - 4 months.
  • Lower priority action items should be resolved following medium priority items.

Relative priorities of all actions should be determined. After each recommendation has been reviewed, the resolution of each recommendation should be recorded in a tracking document such as a spreadsheet, and kept on file. Recommendations can include design, operating, or maintenance changes that reduce or eliminate deviations. Recommendations identified in a hazard analysis are considered to be preliminary in nature; additional information or study might be needed or a comprehensive analysis may be required.

CHAZOP for oilfields and upstream facilities

CHAZOP is a HAZOP for “Control” system. In other words, a CHAZOP study is conducted with focus on the control system. This is primarily concerned with the control systems and not the underlying process. The underlying process has been reviewed using a conventional HAZOP. Two of the important questions in a CHAZOP is that

  1. Are the control loops are adequate for the intended operation?
  2. Can the control loops create any potential problems?

There are dedicated keywords of machinery [or package] CHAZOP. For instance, three most important keywords of CHAZOP are:

  • Integration.
  • Possible interaction.
  • Control system at the start-up.

A critical consideration is proper integration of the machinery or package control system with the overall control system. Possible interactions such the interaction between the package control system and another independent control loop, such as a facility (or unit) control loop which can affected the package or an anti-surge loop, can cause an interaction and trouble.

A package control system can receive its most important test at the start-up of the machinery or package; proper evaluation, precaution and provisions should be respected in the CHAZOP for the startup and initial operation. It should be verified that the control loops are adequate and they cannot create any potential problems operating the machinery or package in different modes under various situations. Electrical and control systems are typically identified by highlighting single-line diagrams and control system architecture drawings.

Controls under normal operation cases, turndown situations, alternative operating cases and emergency situations should be studied. Instrument and actuator locations are important. An emergency shut-down loop deserves special attention. After all, this is the control loop that should bring the machinery or package to a safe shutdown in a case of emergency. Sometimes, in a CHAZOP, it might be required to develop initial concepts of a control item or identify a specific input to a project team. Some developments in areas such as graphic page design (for example, for machine-operator interface), formation of layout, etc, might be needed.

An alarm review might be required in a CHAZOP. In this way, it is required to re-evaluate justifications for each alarm, their activation points and action required of an operator in the event of an alarm. Some experts believe that this alarm review can take place post start-up when initial operational experience has been gained to better evaluate the situation. However, in author’s view, the best recommendation is to plan for three alarm reviews, one before the commissioning, another after a few weeks of the start-up and third review a few month after the second one. Some adjustments might be required a short time after the start-up and another one a longer period (say 2-4 months) after the start-up. In each meeting or exercise, based on operational experiences, some adjustments will be done on alarms and set-points. Too often, operation personnel need help to manage machinery, package and surrounding facilities in the event of infrequent alarms. The alarm review should identify and eliminate nuisance alarms. Sometimes alarms with a low priority can repeatedly alarm in control room which can distract the operator attention; this could result in confusion and operational problems. Control system testing procedures and steps are important. Control sequence testing procedures, interlock test procedures and emergency shutdown testing procedures should be carefully reviewed.

SIL/LOPA assessment

A SIL/LOPA study is to assess the adequacy of the “Safety Protection Layers” (SPLs) or safeguards that are in place to mitigate against hazardous events relating to major process hazards, identify those SPLs or safeguards that do not meet the required risk reduction for a particular hazard, and make reasonable recommendations where a hazard generates a residual risk that needs further risk reduction. This is done by defining the tolerable frequency (TF). The TF of the process deviation is a number which is derived from the level of the risk identified from the HAZOP. This indicates the period of occurrence, in terms of years, of the process deviation which the operating company can tolerate. For example a TF of 10-4 indicates that the company can tolerate the occurrence of the process deviation once in 10,000 years. The mitigation frequency (MF) is derived as a calculation from the likelihood of each cause.

The inputs to the SIL/LOPA assessment are the process deviations, causes, risk levels and safeguards identified during the HAZOP. The SIL/LOPA assessment recommend the “Safety Protection Layers” (SPL) to be designed to meet the process hazard. It is usually possible to integrate SIL/LOPA studies with the CHAZOP or even the HAZOP. By integrating SIL/LOPA studies and the CHAZOP (or HAZOP) into one session, the time and cost to conduct these sessions are reduced, there is more data integrity as the same team conducts both the studies and it removes the subjectivity which comes out of a pure CHAZOP session. An integrated study is usually a semi-quantitative technique and applies much more rigor than a CHAZOP or HZOP alone. This determines if the existing safeguards are enough and if proposed safeguards are warranted; It tightly couples the risk tools (matrices, risk graphs, etc).

HAZCON

The risk assessment and hazard identification during the construction is known as “HAZCON”. While a HAZCON for a specific machinery or package might not be common, however, commissioning team and machinery engineers should attend the HAZCON and discuss machinery issues related to each oil field or upstream facility under the HAZCON. Particularly hazards, problems and issues related to machinery completion activities and machinery pre-commissioning need attention.

Notation

HAZOP: Hazard and Operability study

SIL: Safety Integrity Level

LOPA: Layers of Protection Analysis


Adapted by David Bizley

Published on 15/05/2015


Get your FREE Oilfield Technology magazine »

Get your FREE trial of Hydrocarbon Engineering magazine »

Get your FREE trial of World Pipelines magazine »


 
 

Recommend magazines

  Oilfield Technology