An important part of ensuring the success of a HAZOP study is to understand the errors that can cause the team to lose focus
Since its inception in the 1960s and its first official publication in 1977, the Hazard and Operability Study (HAZOP) has become one of the most powerful tools for identifying process hazards in the chemical process industries (CPI). Utilizing systems that are qualitative or even simplified semi-quantitative, the HAZOP method has been increasingly used, not only as a tool for identifying process hazards, equipment deficiencies or failures and operability problems and assessing their risks, but also as a tool for prioritizing actions and recommendations for process-risk reduction. Reducing risk is especially important in ensuring the safety of the personnel who must work in the plant environment each day (Figure 1).
The HAZOP methodology is a systematic team-based technique that can be used to effectively identify and analyze the risks of potentially hazardous process operations. It is the most widely used process hazard analysis (PHA) technique in numerous industries worldwide, including petrochemicals, pharmaceuticals, oil-and-gas and nuclear, and is used during the design stages of new processes or projects, for major process modifications and for periodic review of existing operations.
A HAZOP is a time-consuming exercise and should be conducted in such a way to ensure that the results justify the effort. This article presents some common mistakes that can jeopardize a HAZOP team’s task. Frequent or chronic occurrence of these mistakes indicates potential gaps in the site’s process-management system. However, it is ultimately the responsibility of the HAZOP facilitator to correct these mistakes if or when they occur during the course of the HAZOP study. Therefore, the selection of an experienced facilitator is an essential element for assuring the success of the HAZOP. Without an adequate depth of knowledge and experience, the HAZOP can become a “check the box” exercise.
Benefits of a HAZOP
The advantages offered by HAZOP over other process-risk analysis tools are numerous, and include the following:
- It is a rigorous process; it is structured, systematic and comprehensive
- It is adaptable to the majority of CPI and manufacturing operations, including those in petroleum refineries (Figure 2) and other oil-and-gas processing plants, nuclear facilities, and specialty chemical, pharmaceutical and even high-speed manufacturing plants
- It is team-based and allows the interchange of knowledge and experience between the participants
- It helps to anticipate potential accidents or harm to employees, the facility, the environment and the surrounding community
- It functions as a type of training for the team’s participants and leader, who are required by the nature of the method to look at the process from a new perspective — not just from the perspective of “how should it run?,” but also “how can it fail to run correctly?”
A HAZOP is time-consuming because it requires the participation of a multi-disciplinary team over extended timeframes. This investment of time and personnel, often involving third parties, means that the performance of the HAZOP needs to be optimized to maximize its value. The following sections detail some commonly found mistakes that occur during the planning, execution and followup stages of a HAZOP.
Mistake 1: Mismanagement of time-allotment issues. One of the most frequent mistakes of a HAZOP is failure to manage the time allotted for the study. A HAZOP is often scheduled for a set amount of time, neither by the HAZOP facilitator nor the team, and sufficient time may not have been allocated. Furthermore, there may be little or no flexibility in the schedule. An insufficient amount of time for the HAZOP limits discussion and brainstorming and reduces the quality of the analysis, in turn leading to some of the mistakes discussed in more detail below.
Estimating the duration of a HAZOP is not an exact science, and it requires a good knowledge of the methodology, the complexity of the process, the nature of the risks that can be identified up front and the idiosyncrasies of the group. Although a HAZOP should not be open-ended in time allotment, the ideal HAZOP has some flexibility built into the schedule. The team leader should make an estimate of the time required for the team based on the process description and preliminary count of HAZOP nodes (specific portions or topics of the study process) so that managers are aware of the degree of personnel commitment that will be required.
Mistake 2: Incomplete, inaccurate or unavailable process safety information. Another common mistake during a HAZOP is not having all the prerequisite process safety information (PSI) and other valuable information available, including out-of-date or incomplete information. This is especially critical regarding piping and instrumentation diagrams (P&IDs), current standard operating procedures (SOPs) and appropriate data on flammability, combustibility, reactivity, toxicity and electrostatic properties of materials in all forms and phases, as well as compatibility of chemicals with each other and with the processing equipment. If the HAZOP is conducted by an external facilitator, it is the responsibility of the owner of the process to verify the integrity of the PSI.
Related to this, it is not acceptable that participants attend the HAZOP for the purpose of obtaining information on a process or project. HAZOP participants should be well prepared to contribute to the discussion and have all requisite background information with them. It is the responsibility of the facilitator to instruct all participants that they must come to the HAZOP prepared.
Mistake 3: Incorrect size of HAZOP team. The HAZOP team should be limited in size, ideally five to seven people, excluding the HAZOP facilitator and the HAZOP scribe or secretary. A team that is too large can easily lose focus, dwell on a subject or issue too long, or be disruptive. It is human nature that all participants seek to present their perspectives, but this can lead to excessive discussion. A group that is too small will not likely include the right expertise or provide enough different perspectives to evaluate the process hazards and controls adequately or in the right detail.
Mistake 4: Lack of focus during the meeting. A HAZOP is a complex exercise that requires the concentrated and coordinated contribution of all the members of the team. Distractions should be minimized in order to ensure and maintain the team’s focus. Therefore, team members should not be allowed to come and go into and out of the meeting, take phone calls, answer emails, or discuss issues not related to the HAZOP during the sessions. Use of an offsite venue may be helpful to prevent plant operations from becoming a distraction.
It is the responsibility of the HAZOP facilitator to maintain the focus of the group and keep the HAZOP process moving by allowing some open discussion on the issue, node and consequence at hand, but not letting it get out of control. Sufficient (but not excessive) breaks for participants to eat and drink and conduct activities not related to the HAZOP, such as checking their emails and voicemails, should be planned and coordinated. The HAZOP room should be free from cellphones, and distractions like texting during the HAZOP exercise should be forbidden.
Mistake 5: Preventing the team from brainstorming. Another frequent mistake in HAZOPs is to restrict the brainstorming exercise, which is, after all, the basis (and the power) of the method. The most common issues in this area include the following:
- Omitting key words, parameters or even nodes, with the argument that an upper bound for the consequences in this node can be easily identified, and these maximum consequences are protected by safeguards. This clearly means that steps or phases of the HAZOP procedure will be skipped, and some process hazards may not be identified. This violates the HAZOP methodology and overall purpose of conducting the HAZOP in the first place. Although on many occasions, strict application of the methodology will not identify any hazardous scenarios other than the obvious ones, which have already been listed up front and used as an argument for omitting any further analysis. Nevertheless, sometimes a non-obvious scenario will be identified that constitutes the purpose of the HAZOP, and this is where it demonstrates its power
- Carrying out a superficial review of the combinations of key words and parameters, listing the most obvious, and often repetitive, causes of deviation without going into detail. In other words, repeating the same causes, parameter after parameter and node after node, instead of conducting a more in-depth analysis and discussion
- Carrying out HAZOPs using some form of prior information — pre-built templates or the HAZOP from a similar project, for example. Again, what the HAZOP is meant to do is analyze the possible specific risk scenarios (especially the non-obvious ones) of the process or project being studied at the time of the HAZOP (Figure 3). While one can refer to, or reference previous material, the HAZOP is to be conducted based upon the current facility or process, and the equipment, process or controls may have changed since the last HAZOP
In practice, the quality of a HAZOP is influenced by the ability of the HAZOP leader to ask the appropriate questions to ensure that the team identifies all the hazards of the process being studied, not only the most obvious hazards. This ability is based on the leader’s experience with the HAZOP technique and his or her technical skills in process-hazard identification, as well as human error and equipment failure potential. It is the responsibility of the HAZOP facilitator to manage the team and the HAZOP study process to ensure that the team stays focused and that no nodes or hazards are missed by the team.
Mistake 6: Mistaking the tools for the process.The HAZOP spreadsheet should not be viewed as a questionnaire whose boxes all have to be filled in, even with numerous repetitions of scenarios. The combination of pairs of key words and parameters is not intended to be an end in itself, but to encourage discussion and identify deviations from the desired state. As would be expected, the same deviation generally causes the alteration of more than one process parameter, and therefore could be entered in more than one place in the spreadsheet. An obvious example is a distillation column, in which pressure, temperature, composition and flowrate (of reflux, for example) are clearly interrelated. Hence, any change in one of the parameters automatically causes responses and changes in the others.
It is not as important for all the spreadsheet “boxes” to be filled in as it is for the HAZOP group to work effectively in identifying all the possible deviations. A HAZOP table is not and should not be a form-filling exercise. Rather, it should guide and structure strategic brainstorming discussion with the intent of identifying all hazards and operability problems that may injure employees (Figure 4), cause damage to property and assets, impact the community or cause environmental damage.
Mistake 7: Misrepresenting or misunderstanding safeguards. Documentation of effective and appropriate safeguards is a key step in the PHA team’s decision whether additional process-risk reduction is required for a specific scenario. Examples of safeguards that are neither effective nor appropriate are given below:
- Local instruments that are never checked by field operators
- Alarms that fail to give the operator sufficient time to effectively halt the consequences of the deviation. Examples include the following:
- Alarms that fail
- Very generic alarms that are activated in numerous different situations. In this case, the operator has to diagnose which of the multiple options he or she is faced with, thereby losing valuable time for action
- Alarms that are activated frequently, often for trivial reasons, and that therefore tend to be ignored by the operators
- Alarms where no specific operator response has been given in procedures and training
- Cascades of alarms, where “first-in” is not obvious or indicated
- Pressure-relief systems (such as safety valves and rupture discs) that were not designed for the case and process conditions being studied. Obviously, the purpose of a HAZOP is not to verify the correct design of pressure-relief systems. Nevertheless, if there is reasonable doubt, a recommendation should be issued to check that the scenario for which it was listed as a safeguard was one of the cases of design for the relief device or system
Operating procedures cannot be considered safeguards when the cause giving rise to the scenario is human error, which presupposes that the procedure has not been followed properly
Mistake 8: Excessive recommendations. Some HAZOP groups believe that they should issue a recommendation for any scenario that has negative consequences, whether a hazard scenario, equipment failure or operability problem. This is not in the spirit of the HAZOP method. What a HAZOP aims to do is identify all of the hazardous scenarios, determine the associated risk for each particular scenario and check whether the process has been duly protected by the safeguards, and only if there is not adequate protection, propose recommendations for doing so.
Mistake 9: Irrelevant recommendations. Sometimes, people will suggest and utilize HAZOP recommendations as a way to obtain approval for an operational or plant design improvement that is not necessarily directly related to the safety of personnel or the release of a hazardous chemical. In many cases, these changes have already been evaluated and ruled out for various reasons. While a HAZOP can and should include recommendations related to operational and maintenance issues, the HAZOP’s sole intent is for the identification of issues, not to find a solution to the problems or redesign the facility. All recommendations are made for further investigation and design considerations. Therefore, the actual HAZOP is not the best time or place to deal with these types of issues. They should be further investigated offline in the correct setting, and should include the appropriate personnel in the discussions.
Mistake 10: Excessively lax recommendations.When making recommendations in a HAZOP, it is very important to utilize the proper wording. Since the HAZOP team is composed of knowledgeable people, recommendations should be made that involve action. Two words that are highly over-utilized are “recommend” and “consider.” “Recommend” is already used in the title for the column and most of the time, the team’s brainstorming makes up the “consideration” aspect of the recommendation being proposed. If additional risk analysis is required, “consider” is an appropriate phrase.
There are often multiple ways to reduce risk and the team’s time should not be spent analyzing alternatives. Another common phrase seen in many HAZOP recommendations is “Further study on what needs to be done in order to…” — which in reality is not specific and can be left open for interpretation. Most of the time, recommendations that involve an action and have a specific purpose should be made. Start recommendations with strong action words, such as “install,” “investigate,” “graph,” or “add.” Additionally, when wording recommendations, if a recommendation is being made for a specific reason, include that reason in the recommendation so it is not forgotten when the HAZOP report is written or is being reviewed. The following are good examples of well-worded recommendations:
- Install a pressure gage and transmitter on the overhead line “L12” of the distillation column to increase the SIL level from 1 to 2
- Graph the P/T curve for the reaction process and add the acceptable operating range. Utilize this chart to set appropriate process alarm and shutdown points
It should be noted how these two recommendations are very specific action items and also include the reason for the action.
On some occasions, there may be two or more divergent opinions, and a consensus cannot be reached during the HAZOP itself. In this case, both recommendations should be included in the HAZOP and left for further investigation or evaluation by the company, based upon the information from the HAZOP. For scenarios such as these, the best solution — after further investigation and research is completed — may be something not even mentioned or thought about in the HAZOP itself.
Again, it should be reiterated that except for a few unique situations, such as the divergent opinion case, recommendations should be clear, specific, not open to interpretations and include the reasoning at the time that the HAZOP was conducted.
Mistake 11: Trying to solve the recommendation or design the solution during the HAZOP. Another common mistake that can delay the HAZOP and cause the group to lose its focus is trying to solve the problem or redesign the process listed in the recommendation during the HAZOP study itself. This is most common when process-design engineers are team members and they desire to make the process perfect. Unless it is a clear and easy solution, many recommendations require further investigation or other actions to complete the task, alleviate or minimize the hazard, and close out the action item based upon the recommendation. It must be remembered that a HAZOP is a brainstorming exercise with knowledgeable process personnel from different areas of the plant, whose task is to identify hazards or hazardous scenarios and make practical recommendations to alleviate or minimize the hazardous scenarios or consequences. As previously stated, not all recommendations have clear-cut solutions, and the HAZOP time should not be wasted with actions that may require research and further investigation that only one of the participants, or a qualified expert, can resolve in the quiet of his or her own office. Even HAZOP-recommended changes to a process should be subjected to the site’s management-of-change (MOC) process to prevent the introduction of new hazards. It is not uncommon for an incident to be triggered by a change made for safety reasons. The HAZOP can and should result in a list of actions or recommendations, with the designation of someone responsible for carrying them out, but not necessarily the final solution or re-engineering of the plant.
The output of the HAZOP study is the set of recommendations that are usually presented to management in a standardized report format. At this stage, site management is responsible for responding to each recommendation according to local or site requirements and the requirements of applicable standards, such as the U.S. Occupational Safety and Health Administration (OSHA) Process Safety Management (PSM) standard Title 29, CFR Part 1910.119. Site procedures should include regular followup reports to track recommendations to their resolution.
Mistake 12: Failure of management to act promptly on each recommendation. Site management must evaluate each recommendation according to its technical feasibility, the risk-reduction benefit versus total cost of implementation, availability of alternative solutions and other factors. The PSM standard allows rejection of a PHA recommendation only for specific causes. Good industry practices dictate that management takes prompt action on each recommendation and ensures that all recommendations are tracked to final resolution and closure.
Mistake 13: Failure to update HAZOPs when process knowledge changes. A HAZOP worksheet is a living document. Ideally, it reflects management’s current knowledge of the process hazards, the consequences of those hazards and the controls necessary to reduce the process risk to a tolerable level. HAZOPs lose their effectiveness over time when they are not updated promptly.
Changes in process safety information should result in a PHA review through the site MOC procedure. The review will identify any new causes of a process deviation or operability issues, changes in safeguards for previously documented hazard scenarios, and possibly new or revised recommendations to address the hazards.
Recent accidents or near misses on a site process, or a similar process elsewhere, should trigger a HAZOP review to ensure that the same or similar scenario has already been considered and documented during the most recent HAZOP and that effective controls are in place to prevent a similar incident from occurring in the future.
For the sake of simplicity, this article has focused on common mistakes observed during the use of the HAZOP methodology. The discussion in this article can be equally applied to other scenario-based methodologies, such as “what-if” analyses, which can be carried out at very early stages of the process lifecycle — HAZOP is typically reserved for late-design stage or later-lifecycle stages when more detailed PSI is available. The specific PSI that is available and the expertise needed for other hazard evaluation methodologies may be different, but the types of mistakes discussed here, and their prevention, are very similar.
OSHA recognizes the HAZOP technique as an acceptable methodology for conducting PHAs of processes covered by the PSM standard. Other regulators around the world also accept the HAZOP methodology as appropriate for analyzing the existing and potential hazards of a complex process that involves a highly hazardous substance.
The HAZOP methodology represents an extremely powerful tool for the identification, semi-quantification and mitigation of risks in CPI production facilities with continuous, batch or semi-batch processes.
The biggest inconvenience of this technique is its relatively high cost, in terms of time and people who need to be involved and participate in the brainstorming sessions. This high cost means that the HAZOP needs to be carried out to optimum effect, avoiding the sorts of mistakes that have been discussed in this article. It is the responsibility of the HAZOP facilitator to make sure the group stays focused and does not commit any of these mistakes. Finally, the selection of a knowledgeable and experienced PHA facilitator is a crucial element for assuring the success of the HAZOP process.
Edited by Mary Page Bailey
Arturo Trujillo is managing director of Chilworth Amalthea, the Spanish subsidiary of the process safety division of DEKRA (Nàpols 249, 4ª planta 08013 Barcelona, Spain; Phone: +34-931-426-029; Email: [email protected]). He has facilitated more than 200 HAZOPs, and his specialities include SIL and LOPA. Prior to working at Chilworth, he served as a division manager at Technip Iberia and as engineering director at Asesoría Energética. He attended Universitat Politècnica de Catalunya and received a Ph.D. from Johns Hopkins University.
Walter S. Kessler is a senior process safety consultant at Chilworth Technology Inc. (113 Campus Drive, Princeton, NJ 08540; Phone: 832-492-4358; Email: [email protected]). Kessler has 20 years of experience in the petroleum refinery, gas-processing, specialty-chemical, pharmaceutical, manufacturing and HVACR (heating, venting, air conditioning and refrigeration) industries, including five years performing process-safety engineering functions. He was instrumental in the design and construction of several refinery, gas and chemical processing facilities, designing a pharmaceutical filling process and also has experience in Six Sigma and lean manufacturing.
Robert L. Gaither is a senior process safety specialist at Chilworth Technology Inc. (113 Campus Drive, Princeton, NJ 08540; Phone: 732-589-6940; Email: [email protected]). Gaither has more than 28 years of experience in company operations, regulatory compliance, management consulting and process safety and risk management. He has led organizations at site, division and corporate levels to achieve record safety performance and significant cost savings. Gaither is trained in HAZOP and SIL/LOPA facilitation. He holds a Ph.D. and is a certified safety professional (CSP).