Você está na página 1de 248

Loughborough University

Institutional Repository

A modular method for


hazard and operability
studies of process plant
This item was submitted to Loughborough University's Institutional Repository
by the/an author.

Additional Information:

A Doctoral Thesis. Submitted in partial fulllment of the requirements


for the award of Doctor of Philosophy of Loughborough University.

Metadata Record: https://dspace.lboro.ac.uk/2134/7456

Publisher: c Matthew Jeerson


Please cite the published version.


This item is held in Loughborough Universitys Institutional Repository
(https://dspace.lboro.ac.uk/) and was harvested from the British Librarys
EThOS service (http://www.ethos.bl.uk/). It is made available under the
following Creative Commons Licence conditions.

For the full text of this licence, please go to:


http://creativecommons.org/licenses/by-nc-nd/2.5/
A Modular Method for Hazard and Operability Studies of Process
Plant

By

Matthew Jefferson Esq., MA(Cantab), MEng.

A DoctoralThesissubmittedin partial fulfilment of the requirementsfor the awardof


PhD of LoughboroughUniversity

December1999

by A Jefferson1999.
In memory of my dad

Dr Alan Jefferson

1945-1999

- ii-
Abstract

The identification of hazardsin chemicalplants has becomeincreasinglyimportant.


Not only havechemicalplants becomelarger and more complex,but somecountries
now have regulationsrequiring that some form of formal hazard identification be
carried out. With the increasedspeedof many other parts of the design process,
hazardidentification is becomingthe log-jam in attemptsto speedup the designof
new plants still further.

One of the most popular techniques for hazard identification is a hazard and
operability study (HAZOP), in which a group of peopleattempt to identify creatively
the possible hazards by applying a methodical process whereby the effect of
deviationsto everyprocessvariableis consideredin everypart of the plant.

The aim of this thesis is to explore methods of improving hazard identification


through the developmentof the HAZOP technique.This thesis examinespossible
improvementsthat can be madethrough a betterunderstandingof activities and how
they are carried out in HAZOP, discussesthe possibilities of automatedhazard
identification basedon HAZOP, and in particular presentsa novel, modularHAZOP
methodology.

Modular HAZOP is basedaround identifying the modulesthat make up a chemical


plant andthen using previouslygeneratedHAZOP resultsassociatedwith eachof the
modules.The hazardsassociatedwith these moduleswill therefore be known and
rules are requiredto deal with the interconnectionsbetweenmodules.Application of
these rules determines any additional hazards that might arise from the
interconnectionof modules.

A number of important principles have been identified including, the level of


decompositionrequired,the use of interchangeablesub-moduleswithin modules,the
fact that the majority of cause-consequence
scenariosexist in adjacentmodules,and
the categorisationof locally and remotely propagatedeffects. Theseprovide for a
procedurewhich is adaptableto different plant configurations,but canalso be quickly
andeasilyapplied.The latter principlesenablethe simpler fault paths,which makeup
most of the cause-consequencescenarios,to be identified quickly, leaving a much
reducednumberof fault pathswhich requirea morethoroughanalysis.

- iv-
Acknowledgments

The work on which this thesisis basedwas supportedby fmancialassistancefrom the


EPSRC(Projectref: GR/H74629)and by financial and technicalassistancefrom ICI
EngineeringTechnology,Runcorn. In particular, I would like to acknowledgethe
technical input and stimulation provided by Jeremy Illidge, and the project
managementof Malcolm Preston, both of ICI EngineeringTechnology.The access
provided by other ICI to
personnel HAZOP to
meetings, HAZOP resultsand to the
MM8 plant at Billingharn was also much appreciated.ICI also arrangedfor me to
twice attendtheir Haza d StudyLeader'sCourse.

I would like to thank both my supervisorsat LoughboroughUniversity for their


support; Dr Andy Rushton for his technical assistanceand critical analysis, and
ProfessorPaul Chung for his persistentencouragementto completemy thesis. My
thanksalso to all the staff and studentsof the Departmentof ChemicalEngineering
I
and anyone else came into contact with who contributedto making my time at
Loughboroughso worthwhile.

-
Contents

ABSTRACT
-3-" iv
.........................................................................................

ACKNOWLEDGEMENTS v
.................................................................

vi
CONTENTS ..........................................................................................

X
INDEX OF FIGURES ..........................................................................

XII
INDEX OF TABLES .........................................................................

1 1
INTRODUCTION ...........................................................................
1.1 PROJECT OVERVIEW 1
......................................................................................
1.2 CONTMUTIONS 3
............................................................................................
1.3 LAyouT OF THE THiESIS 4
.................................................................................

6
2 CONVENTIONAL HAZOP ............................................................
2.1 ORIGINSOFHAZOP 6
......................................................................................
2.2 HAZOP PROCEDURE 8
.....................................................................................
2.3 HAZOP FAILINGS 11
.......................................................................................
2.4 HAZOP EFFECTIVENESS 13
............................................................ .................
2.5 DEvELoPmENT OF HAZOP PROCEDURE 14
......................................................
2.5.1 General Development of HAZOP Procedure 14
........................................
2.5.2 Development of Guide Words and Checklists 15
........................................
2.6 WORKEDExAmPLEs OF HAZOP APPLICATION 19
............................................
2.7 SummARY 21
............................................................................................ .......
3 IMPROVING CONVENTIONAL HAZOP PERFORMANCE. 23

3.1 EFFECTIVE
HAZOP TEAMS 23
.........................................................................
3.1.1 I-L4ZOP Team Composition 23
..................................................................
3.1.2 lL4ZOP Secretary 24
................................................................................
3.1.3 HAZOP TeamLeader 24
...........................................................................
3.1.4 HAZOP Meetings 25
.................................................................................

-A-
3.2 LESSONSLEARNEDFROMHAZOP IN INDUSTRY 26
..........................................
3.3 COMPUTERAIDS iN CONVENTIONALHAZOP 30
...............................................
3.4 CoNcLusioNs 31
.............................................................................................

4 AUTOMATED HAZOP 33
................................................................
4.1 CAUSAL RELATIONSHIPS
REPRESENTING 33
......................................................
4.2 AumMATED HAZOP SYSTEMOVERVIEW 35
..................................................
4.2.1 UnitModels 36
.........................................................................................
4.2.2 Plant Description 37
.................................................................................
4.2.3 InferenceEngine 38
..................................................................................
4.3 HAZOP EMULATION - PRELINUNARY STEPS 38
.........................................
4.4 HAZOP EMUATION FAULT'SAND CONSEQUENCES 40
-IDENTIFYING ..........
4.4.1 Representing Faults and Consequences 40
................................................
4.4.2 Identifying Process Variable Influences 40
................................................
4.4.3 Search Strategies 41
..................................................................................
4.4.4 Linking Causes and Consequences 43
.......................................................
4.5 RESEARCHAND DEVELOPMENTISSUES 44
........................................................
4.5.1 Configuration Defects 44
..........................................................................
4.5.2 Data Acquisition 45
..................................................................................
4.5.3 Protections 46
...........................................................................................
4.5.4 Search Efficiency 46
.................................................................................
4.5.5 Output Quality 46
.....................................................................................
4.6 CONCLUSIONS 47
.............................................................................................

S MODULAR HAZOP THEORY AND PRINCIPLES ................. 49


5.1 LITERATURERELATING TO MODULAR ILkZOP 49
............................................
5.2 DECOMPOSITION
OFPLANTFORMODULARHAZOP 50
.....................................
5.2.1 Levels ofDecomposition 51
.......................................................................
5.2.2 Sub-modules 55
.........................................................................................
5.3 PRINCIPLESOFHAZARD IDENTIFICATIONUSING MODULAR HAZOP 56
............
5.3.1 Dealing with Interconnections 56
..............................................................
5.3.2 Causeand ConsequenceTypesin Conventional HAZOP 59
......................
5.4 TYPESiN MODULARHAZOP
CAUSEANDCONSEQUENCE 63
.............................

- vii -
5.4.1 Cause- ConsequenceTypesin Hybrid HAZOP 71
....................................
5.5 SUMMARY 72
...................................................................................................
6 MODULAR HAZOP PROCEDURE 74
............................................

6.1 OUTLINE OFMODULAR HAZOP PROCEDURE 74


...............................................
6.2 PREHAZOPED MODULES 79
............................................................................
6.3 COMPUTERSUPPORT 81
....................................................................................
6.4 APPLiCATIONSOF MODULAR HAZOP PROCEDURE 84
......................................

7 CASE STUDY 87
................................................................................

7.1 INTRODUCTION 87
............................................................................................
7.2 PROCEDURE 87
................................................................................................
7.3 REsums 90
.....................................................................................................

8 CONCLUSIONS 109
..........................................................................
8.1 CONTRIBUTIONS 109
........................................................................................
8.2 LIMITATIONS 110
.............................................................................................
8.3 FuRTHERWoRK III
........................................................................................
8.4 IMPLEMENTINGMODULAR HAZOP IN AN INDUSTRIALEN-viRoNmENT 113
.......
8.5 AUTOMATED MODULARILAZOP 114
...............................................................

REFERENCES 116
............................................................................
APPENDIX 1- CASE STUDY PREEL4,ZOPED RESULTS Al
............
APPENDIX 2- BENZENE PLANT MODULAR HAZOP A31
............
APPENDIX 3- MODULAR IIAZOP LIBRARY A41
...........................
A3.1 COOLING
WATERSUPPLY SYSTEM A42
..............................................................
A3.1.2 SpecificSub-ModulesAvailable A42
.........................................................
A3.2 REACTIOR
MODULES A44
...................................................................................
A3.2.1 ExothermicLiquid PhaseReactor A44
......................................................
A3.2.2 Requiredsub-modules A46
........................................................................
A3.2.3 Additional genericsub-modules A46
.........................................................
A3.2.4 ExothermicLiquid PhaseReactorSpecificSub-Modules A46
....................

- viii -
TANK MODULE
A3.3 ATmospnERic STORAGE A53
....................................................
A3.3.1 Requiredsub-modules A53
........................................................................
A3.3.2 Additional sub-modules A53
......................................................................
A3.3.3 Available SpecificSub-Modules......................................................... A53

- ix-
Index of rigures
FIGURE 2.1 - BASIC METHOD FOR CONVENTIONAL HAZARD AND OPERA131LITYSTUDIES

(HAZOP) 10
..........................................................................................................
FIGURE 4.1 - SMALL PLANT FRAGMENT 34
.....................................................................
FIGURE 4.2 - GENERAL ARCHITECTURE FOR AUTOMATED HAZOP SYSTEM 36
..............
FIGURE 4.3 - PARTIAL SIGNED DIRECTED GRAPH FOR A PIPE 37
.......................................
FIGURE 4.4 - BASIC METUOD FOR AUTOMATED HAZOP 39
............................................
FIGURE 4.5 - SIGNED DIRECTED GRAPH 40
....................................................................
FIGURE 4.6 - CONNECT10N BETWEEN FAULTS AND CONSEQUENCES 44
............................
FIGURE 5.1 - FIRST LEVEL OF DECOMPOSITION. COMPONENT LEVEL 51
...........................
FIGURE 5.2 - SECOND LEVEL OF DECOMPOSITION. EQUIPMENT MODULES 52
...................
FIGURE 5.3 - THIRD LEVEL OF DECOMPOSITION. FUNCTIONAL MODULES 53
....................
FIGURE 5.4 FOURTH (IIIGHEST) LEVEL OF DECOMPOSITION. PLANT LEVEL 54
- ..............
FIGURE 5.5 FOUR SETSOF EFFECTSNEED TO BE CONSIDERED FOR EACH MODULE 57
- .....
FIGURE 5.6 EFFECTS NEEDING CONSIDERATION WHEN TWO MODULES ARE
-
CONNECTED 57
.......................................................................................................
FIGURE 5.7 EFFECTS NEEDING CONSIDERATION WHEN TEREE MODULES ARE
-
CONNECTED IN SERIES 58
. .......................................................................................
FIGURE 5.8 POSSIBLE PATHS BETWEEN INITIAL CAUSES, VARIABLE DEVIATIONS AND

END EFFECTS 58
......................................................................................................
FIGURE 5.9 AN EXAMPLE OF AN INITIAL CAUSE-END EFFECT TYPE OF CAUSE-

CONSEQUENCE 65
...................................................................................................
FIGURE 5.10 AN EXAMPLE OF AN R41ML
- CAUSE-DIRECTLY PROPAGATED EFFECT TY PE
OF CAUSE-CONSEQUENCERELATIONSHIP 66
.............................................................
FIGURE 5.11 AN EXAMPLE OF AN INITIAL CAUSE-INDIRECTLY PROPAGATED EFFECT
-
TYPE OF CAUSE-CONSEQUENCERELATIONSHIP 66
....................................................
FIGURE 5.12 - AN EXAMPLE OF A VULNERABILITY-END EFFECT TYPE OF CAUSE

CONSEQUENCERELATIONSHIP 67
.............................................................................
FIGURE 5.13 - AN EXAMPLE OF A VULNERABILITY-DIRECTLY PROPAGATED EFFECT TYPE

OF CAUSE CONSEQUENCERELATIONSHIP 68
. ............................................................
FIGURE 5.14 - AN EXAMPLE OF A VULNERABILITY-END EFFECT TYPE OF CAUSE-

CONSEQUENCE................................................................................................... 69
FIGURE5.15 - AN EXAMPLEOFA VULNERABILITY-INDIRECTLYPROPAGATED
EFFECT

TYPEOF CAUSE-CONSEQUENCE
RELATIONSHIP 70
. ...................................................
FIGURE5.16 - POSSIBLEPATHSBETWEENCAUSEAND CONSEQUENCE
TYPESIN

MODULARHAZOP ............................................................................................. 71

FIGURE7.1 - MODULAR HAZOP EXAMPLE;WASTEACID PLANTCONFIGURATION 94


.....
FIGURE8.2 - BENZENEPLANT A32
.................................................................................
FIGUREA3.1 - EXAMPLE REACTIORMODULEMADE OFVARIETYOF SUB-MODULE..... A45
FIGUREA3.2 - REACTORVESSELSUB-MODULE A46
.......................................................
FIGUREA3.3 - REACTIORTWIN FEEDWITH FLOWAND CONCENTRATION CONTROL.... A47

FIGUREA3.4 - REACTORSUB-MODULE- LIQUID OUTLETWITH LEVELCONTROL A48


.......
FIGUREA3.5 - REACT'ORCOOLINGVIA JACKET A48
.......................................................
FIGUREA3.6 - REACTORCOOLINGVIA EXTERNALRECYCLE A49
....................................
FIGUREA3.7 - REACTORSUB-MODULE- VENT T'OHEADERWITH PRESSURE CONTROL

A50
.......................................................................................................................
FIGUREA3.8 - REACTORSUB-MODULE- STIRRER A51
....................................................
FIGUREA3.9 STORAGETANK SUB-MODULE- FEEDWITH LEVEL CONTROL A52
- .............
FIGUREA3.10 STORAGETANK SUB-MODULE- FEEDwrmouT CONTROL A54
- ................
FIGUREA3.11 STORAGETANK SUB-MODULE- OUTLETVIA PARALLELPUMPS A54
- ........
FIGUREA3.12 NITROGENBLANKETINGSYSTEM A56
- ....................................................

- xi-
Index of tables

TABLE 2.1 - GUIDEWORDSASORIGINALLYAPPLIEDIN HAZOP. (FROMCIA 1977) 15


...........
TABLE 4.1- PARTIALOUTPUrFROMHAZARDIDENTIFICATIONSYSTEM 44
................................
TABLE 5.1 ExAmPLEOFHAZOP RESULTS (FROMLAwLEY, 1974), IlLUSlRAflNG LOCAL

AND DISTANTCAUSES
ANDCONSEQUENCES 62
..................................................................
TABLE 6.1 - MODULE LIBRARY coNTENis ATmospHERic PRESSURE STORAGE TANK 75
- . ......
TABLE 6.2 - CoNvmnoNAL HAZOP PRoFoRmA 77
. .............................................................
TABLE 7.1 - EXAMPLE OF NMAL CAUSESFILJERED RESULTS 88
. ............................................
TABLE 7.2 - ExAmPLE OF VULNERABILITY FILTEREDREsums 88
. ...........................................
TABLE 7.3 SUE-MODUIESFORWASTEACID STORAGEMODULE 91
- .........................................
TABLE 7.4 SuB-moDuLEs FORNEuTRALisAiioN REACTORMODULE 92
..................................
TABLE 7.5 SuB-moDuLEs FoRTREATED WASTE STORAGEMODULE 93
- ..................................
TABLE 7.6 SuB-mowus FOR COOLING WATER SUPPLY MODULE 93
- .....................................
TABLE 7.7 WASTE ACID TREATMENTPLANT MODULAR HAZOP REsuLTs 95
- .........................
TABLE 8.1 PART OF PREHAZOPED RESULTSFOR STORAGETANK SHOWINGHOW REMARKS
-
COLUMNCANBEUSED 112
................................................................................................
TABLEAU WASTE AciD PLANTPREHAZOPED RESULTS FILTERED A2
- -IC ........................
TABLEA1.2 WASTEAm PLANTPREHAZOPEDRESULTS VUL FILTERED A21
- - ...................
TABLE A2.1 BENzENEPLANTMODULARHAZOP RESULTS A33
- ...........................................
TABLE All COOLINGwATER SYSTEMsm-mowas PREHAZOPED RESULTS A58
- - ..........
TABLE A3.2 ExoTilERMIC REACTOR SUB-MODULES PREHAZOPED (IC
- - RESULTS
FILTERED) A69
.................................................................................................................
TABLE A3.3 ExoTHERmic (VUL
- REAcToRsuB-mODULES- pRFjtAzopED RESULTS
FILTERED) A74
.................................................................................................................
TABLE A3.4 ROADTANKERSUB-MODULES (IC A75
- - PREHAZOPED RESULTS FILTERED) ....
TABLE A3.5 - ROADTANKERsuB-moDULES pRgjAZopED RESULTS (VUL FILTERED) A77
-
TABLE A3.6 - STORAGETANK SUB-MODULES PREHAZOPED (IC
RESULTS FILTERED) A79
- ...
TABLE A3.7 - THERMALox[DisER suB-moDuLES PREHAZOPEDRESULTS A89
- ...................
TABLE A3.8 - STORAGETANK SUB-MODULES PREHAZOPEDRESULTS A95
- ..........................

- xii -
BLANK IN ORIGINAL
1
Introduction

1.1 Project Overview

The identification of possible hazardsin chemical plants has become increasingly


important.Not only havechemicalplants becomelarger and more complex,but also
some countries now have regulationsrequiring that some form of formal hazard
identification be carried out. Moreover, environmental regulations have been
tightenedas the public has becomeaware of the dangersposed by large chemical
plants. In the United Statesit is also a legal requirementto carry out someform of
hazardidentificationretrospectivelyfor plants alreadybuilt and operatingbut which
havenot previouslybeensubjectedto any formal hazardidentification(OSHA 1992).

There are a number of hazardidentification techniquesavailable.Thesetechniques


consist of procedures,rules and guidelines to be followed in order to make the
identificationof hazardsas efficient andas effectiveas possible.Over the yearsmany
companieshaverefined particulartechniquesto suit their own particularneedsand to
try to increasetheir effectivenessand efficiency. However, in general,this has not
reducedthe time takento carryout hazardidentification.

With the increased speed of many other parts of the design process, hazard
identification is becomingthe logjam in attemptsto speedup the designof new plants
still further.The speedingup of hazardidentificationhasbecomean urgentpriority as
the chemical industry seeks to speed up the building of new chemical plants.
However, above all, it is necessarythat
any hazard identification procedure
maximisesthe numberof hazardsidentified and any improvementshould not reduce
the numberof hazardsidentified.In orderto improvehazardidentificationtechniques,
improvementsneedto be madeto the procedures,rules and guidelinesthat make up
thesetechniques.

-I-
Therearethreemaintechniquesfor hazardidentification:

Checklists -a list of haza dous plant arrangements, equipment designs, operating

regimes, etc. are comparedwith the plant under considerationto see if similar
circumstances exist which may give rise to hazards.

What If -a group of people attempt to identify creatively the possibility for hazards
by applyingthe question,"What if?", in combinationwith known failure mechanisms
for equipmentandsystems,to all the itemsin the plant.

Haza d and Operability Studies(HAZOP) -a group of people attempt to identify


creativelythe possibility for hazardsby applying a methodicalprocesswherebythe
effect of deviationsto variable
everyprocess is consideredin everypart of the plant.

Following the identificationof hazards,a combinationof stepsmay be takento reduce


the likelihood of the hazardoccurringand to minimise the effect of the hazard.What
by
stepsare requiredto be taken,andthe effectivenessof thesestepsmay be assessed
applying a rigorous, quantitative, analysis of the hazard, this is quantitative risk
assessment(QRA). Typically, hazard identification techniques are essentially
qualitative; a determinationof the likelihood of causesand the effects of hazards
basedon a crudejudgementmadeby the people involved. QRA includestechniques
such as fault tree analysis(FTA) and failure modes,effects and criticality analysis
(FNIECA).

The aim of this thesisis to improve hazardidentificationthrough the development


of
the HAZOP technique.In consideringhow to improve HAZOP there would seemto
be three options. Firstly there is the possibility that the could be
methodology
improvedthrough a betterunderstandingof activities and how they are carriedout in
HAZOP. Secondlythere is the possibility that a methodologycan be developedto
allow HAZOP of chemical plants on a modular basis. Rather than carrying out
HAZOP on a line by line basis,moduleswill exist which havealreadyhad a HAZOP
carriedout on them,and so the hazardsassociatedwith thesemoduleswill alreadybe
known. A few rules can then be applied to determineany additional hazads that

-2-
PAGE

MISSING

IN

ORIGINAL
analysehow effectiveHAZOP is in practice,andwhethertherewereany lessonsto be
learned.This was done by studying the original HAZOP results for part of a fairly
complexplant and comparingthe problemsidentified thereinwith problemsthat had
subsequentlycome to light on the plant and trying to establishwhether and/or how
improvementscould havebeenmade(detailsconfidential).

1.3 Layout of the Thesis

This thesisstartsby detailingthe HAZOP procedureandsomeof the history behind


its development.Havingdealtwith this backgroundinformation,an analysisof the
possibleimprovementsto conventionalHAZOP is provided.In particular,this covers
the compositionandstructureof HAZOP meetingsandthe useof computertools. The
developmentandrole of automatedHAZOP is thenoutlined.

The latter half of this thesisdealswith the theoryandprocedureof modularHAZOP.


As identifiedabove,this techniquefor hazardidentificationbreaksthe plant down
into modulesthat havealreadybeensubjectto someform of hazardidentificationand

areprovidedwith a setof HAZOP style resultsof this hazardidentification.These


latter chaptersof the thesisdealwith how the plant is brokendown into modules,how
the interconnectionbetweenmodulesis dealtwith and givesan exampleof the
applicationof this technique.The appendicesprovidea further exampleof the
applicationof the modularHAZOP procedureandexamplesof HAZOP style results
for somemodules.

-4-
BLANK IN ORIGINAL
2 Conventional HAZOP

2.1 Origins of HAZOP

The 1960ssaw significant developmentsin the processindustries.Throughoutthis


period plants becamemore complex and significantly larger than previous chemical
In
plants. addition processes were developedwhich required higher pressuresand
temperaturesplacing additional demandson materialsof constructionand process
It
control. was during this time that it was recognisedthat the existing approachto
dealing with hazardswas no longer acceptable.With previous smaller plants, no
attempt was made to identify the possibilities for hazards.Instead, hazards were
to
allowed occur, on the understanding that the losses would not be significant, and
that subsequentdevelopmentof the plant andthe drafting of appropriatecodes,meant
it would not happenagain.Processplant safetyconcentratedon minimising the effect
of any hazards. Butler (1973) how
describes Dow Chemical's safety policy is based

upon, amongst other things, physically dividing the plant up so that damagedue to
fire or explosiondoesnot exceeda certain limit, the wearing of safety gogglesand
helmets, training of new plant operators and anonymousreporting of near miss
incidents.

This trial and error approachto hazardidentification was no longerjustifiable given


that lossesresulting from hazardson new processplant could indeedbe significant.
This was brought sharplyinto focus following the Flixboroughdisasterin 1974.Kletz
(1992) sumsup the approachtakenas follows:

"The traditional methodof identifying hazards- in use from the dawn of technology
to the presentday - was to build the plant and see what happens- 'every dog is
allowed one bite'. Until it bites someonewe can say that we did not know it would.
This is not a bad methodwhen the size of the incident is limited but is no longer
satisfactorynow that we keep dogs,which may be as big as Bhopal (over 2000 killed
in one bite), or evenFlixborough(28 killed). We needto identify hazardsbeforethe
accidentsoccue'.

-6-
HAZOP was first developedand used by ICI in the late 1960s. HAZOP was a
developmentof methodstudiesand the earliestaccountof their use and evidenceof
their origins canbe found in Elliot & Owen (1968).They describea techniquecalled
critical examination and although the majority of their paper is concernedwith
optimising the designprocess,it doesinclude a sectiondiscussinghow the technique
could be usedto carry out gives "hazardsurveys".In particular it describesits use as
follows:

"Another useful application of the questioning approach of critical


examination is in the study of operability and hazards.Using the "finished" line
diagramas a basis,the detailedoperationsrequiredto start up, run, and shut down
both normally and in emergencyare examinedfor every item of plant."

They also identify that the value lies in the way the thinking is done

"We re-emphasisethat the techniquesare an aid not a substitutefor thinking.


Their value ahnost always arisesas a result of the mannerin which the thinking is
done - systematically,logically, and in depth, and yet retaining flexibility and
imagination."

I believethat this is an importantpoint, which seemsto havebeenlost asHAZOP has


developed.In many cases,it now seemsthat peopleexpectthat the applicationof the
techniquewill automaticallyproducethe answers.In developingthe proceduresome
of the principleshavebeenlost.

Lawley (1973) published the first complete paper on the HAZOP technique.
Originally referredto as an "operability study", it was developedon the supposition
that the failure to identify most hazardswas due to the complex natureof the plant,
rather than a lack of knowledge on the part of the designteam. It is summarisedas
follows:

"In essence [an operability study] is an abbreviated form of "critical


examinatiorf' basedon the principle that a problem can only arise when there is a

-7-
deviation from what is normally expected.The procedure,therefore,is to searchthe

proposed schemesystematically for every conceivable deviation, and then look


backwardsfor possiblecausesand forwardsfor the possibleconsequences.
"

The referenceto "critical examination7'clearly links this work to that of Elliot &
Owen (1968) describedabove.As well as a thorough descriptionof the "operability
study" procedure, and a detailedset of results for an operability study of part of an
olefm dimerisation plant, the paper also describes a technique called "hazard analysis"
using logic treesto derive a quantitativeassessment of serioushazards following their
identification.This is easilyrecognisableas FTA.

2.2 HAZOP Procedure

The basicprinciple of HAZOP is to apply guide words to a modelof the systembeing


The
analysed. guide words are applied on a section by section basis to appropriate
to
systemvariables generaterelevant deviations.The sizeof sections is determined by
the level of detail required for the study. For continuousprocessplant, the basic
model of the system will be the finished piping and instrumentationdiagram(MID)

or engineering line diagram (ELD) and the sectionswill correspond to lines on the
MID or ELD. For batch processesthe model of the system may be the batch
operatinginstructions andthe sectionswill correspond to individual operations.

There are numerous texts that give detailed instructions on how to carry out HAZOP
in chemical plants (Chemical Industries Association Ltd, 1977; Kletz, 1992;
Knowlton, 1992; Lees, 1996). The basic principle for a continuous plant is for a group

of people to apply certain defined guide words to lines, on a piping and


instrumentation diagram (P&ID) or engineering line diagram (ELD), on a line by line
basis in an effort to identify causes and consequencesof process deviations. The

approach taken is outlined in figure 2.1. This figures is a modified version of that
presented in the above texts. The two steps in the middle of the procedure, "Examine

possible causes" and "Examine consequences" are normally illustrated by showing


the latter following the former, i. e. indicating that the "Examine possible causes" step
is carried out before the "Examine consequences"step. In practice these steps may be

-8-
applied, particularly by more experiencedHAZOP teams, in either order. This is

generally dependenton the likelihood of a particular cause or the severity of a


Where
particular consequence. likely causesare readily identified, time is spent
subsequently on determining possible consequences.Alternatively, the ready
identificationof a moderateor seriousconsequencemay then leadto time being spent
on analysisof possiblecauses.

-9-
Selecta
line/vessel
I

Explain
intention
I

Apply
guideword

Develop
meaningful deviation

Examine Examine
possible causes consequences

ff Deltermine
hazards

Record discussion]
e
as appropriate
I

Repeat for all


meaningful deviation

I Repeat for all I


guide words

Mark line/vessel as
having been exarnined
I

I Repeat for all I


lines/vessels

Figure 2.1- Basicmethodfor conventionalhazardand operability studies(HAZOP)

-
10-
2.3 HAZOP Failings

Before looking at how HAZOP has developed and the possible methods for
improvementin the future, it is worth looking at the current failings of HAZOP and
why thesefailing exist. Ironically HAZOP is now suffering from the sameproblem
that chemicalplants were suffering from 20 yearsago. The problem usedto be that
becausea chemicalplant or processhad never beeninvolved in any incidentsthen it
was assumed that there were no hazardsassociatedwith it. One of the reasonsthat
HAZOP was introducedwas to combatthis attitude and provide a tool for deciding
whetherpotential problemsexistedor not. The problem now is that because,on the
whole, potential problemswith the applicationof the HAZOP methodologyhave not
beenassociatedwith any incidents,no one seesany needto changeit. (SeeCrawley
(1995) for an exception).

The problem stemsfrom the perceivedhigh cost of HAZOP due to the lengthof time
it takesto carry out HAZOP and the apparentlack of benefits.In fact, data collected
from 125 HAZOP basedhazard studies shows the cost of a hazard study is only
0.16%of the capital cost of a project (Gillet, 1995).In addition,the tangiblebenefits,
the benefits seen by project managers,the actual addition of safety measuresand
provision of protective equipment which safeguardthe company assets, is only a
small part of the total benefit. There are considerableintangible benefits including
behavioural,quality and corporateimagebenefits(Gillet, 1995).The main intangible
benefitrealisedby HAZOP is the training andknowledgegainedby teamparticipants.
This translates into more efficient commissioning of plant and improved plant
operation.For more intangiblebenefitsseePully (1993).Also, as designers,at leastin
some companies, are becomingmore aware of possiblehazardsand are coming up
with betterdesigns,HAZOP identifiesvery few, if any, real hazards.

This perceivedhigh cost of HAZOP hasresultedin companiesusing lessexperienced


personnel to carry out HAZOP. In addition as any technique becomes more
widespread the standard of performancefails (Kletz, 1995).HAZOP was developed
by SHE experts and the guide words provided convenienthandleson which they

could hang their expertise. In effect, each guide word prompted the experts to

-II-
considercertain problemsand HAZOP would have beenjust as effective whatever
words were used. The guide words provided a convenient alternative to long
checklists.In this way the HAZOP methodologyalso overcameone of the main
drawbacksof checklists.It is very easyto prove that checklistsare incomplete.It has
neverbeen possible to prove how complete HAZOP is. HAZOP also enablesa certain
amount of flexibility in its application. One of the advantagesof this being that a
certain amountof redundancy was introduced, if
so a problem was missed first time
round there was still likely to be the opportunity to it
pick up elsewhere.However,
this flexibility also introducespotential problems in the form of ambiguities.For
exampleit is ambiguouswhen studyinghigh flow whetherthat refersto high flow in
to the line being studiedor high flow out of it. Among experiencedHAZOP leaders
theseambiguitiesare realisedand they have developedtheir own rules for dealing
with them. This also relies on the leaderhaving good control over the membersof the
team so that the team acceptsthe interpretationof the guide words suppliedby the
leaderand they do not stray into consideringinterpretationsthat the leaderfeels are
inappropriate.

Less experiencedHAZOP teamsdo not have the expertiseto realise the problems
associatedwith eachof the guidewords andhavenot developedrules for overcoming
the ambiguities.The first of theseproblems meansthat HAZOP results are not as
completeas they could be. The latter problem leadsto HAZOP taking longer than it
should. This only servesto reinforce the perceptionthat HAZOP has a high cost for
little benefit. These problems are exacerbatedby the lack of adequatetraining
availablefor HAZOP team leaders.Although there are plenty of coursesavailableto
teach the basics of leading HAZOP teams, the best training can only be through
experienceof HAZOP meetings.Further, this experienceshould go beyond simply
contributing to HAZOP meetings.The ideal role to gain the necessaryexperience
must be as a HAZOP secretarywith appropriatecoaching from the HAZOP team
leader. However, in order to reduce the perceivedcost of HAZOP meetings,the
number of peopleinvolved in is
eachmeeting being reducedand the first role to go is
that of HAZOP secretary,often to be replacedby a computer.

- 12-
2.4 HAZOP Effectiveness

It is also worth trying to understandwhy HAZOP is so effective.Two primary factors


have been identified for effective hazard identification (Lowe & Solomon, 1983).
Theseare,the availability of appropriateinformation and having a systematicmethod
for applyingthe knowledge.They also identify two different procedures,comparative
methods,wherea designis checkedagainstcodes,and fundamentalmethods,suchas
HAZOP. Obviously HAZOP studies satisfy the systematic requirement and, if
conductedproperly, all the appropriate information should be available. There are
other methodsthat satisfy these requirements but the results are apparentlynot as
goodas thoseachievedwith HAZOP. Systematic methodssimilar to HAZOP include
WHATIF andcheckliststudies.Checkliststudiesare a comparativeapproachwhereas
WHATIF studiesareanotherfundamentalapproach.

How areWHATIF, checklistandHAZOP studiessimilar?The HAZOP and WHATIF


techniquesrely on stimulatingthought amongsta team of peopleusing a team leader
to apply the method correctly and to ask questionsas necessary.They can all be
to
applied study a detailed line diagram and their primary objective is to identify

scenarios.
cause-consequence The WHATIF study is based on askingquestionsabout
What
possiblecauses. is really being askedis 'What are the consequences of..? ' The

checklist study involves trying to identify whether or not certaincircumstancesexist


that havebeenfound to createpossiblehazards.Thesecircumstancesare identified on
a list and the study requirescomparisonof the proposedplant with the list. Checklist
studies are systematicbut there are two important deficiencies using checklists.
Firstly, creative input is limited. Secondly they can only be used to identify
arrangements of components that havepreviouslybeenshownto be possiblecausesof
hazards.Checklists, however, provide a quick way of checking designs for basic

errors.It is anticipatedthat computerscould be usedto checkautomaticallyP&IDs or


ELDs generatedusinga computeraideddesign(CAD) system.

The importantpoint aboutHAZOP studiesis that they canbe usedeither to identify a


consequenceof a certaindeviationor to identify a causeof a deviation.The teamcan
move from a deviationforward to a consequence
or backwardto a cause.This would

- 13-
seemto maximisethe opportunitiesfor creativeinput and reducethe possibilitiesof
oversights.

2.5 Development of HAZOP Procedure

2.5.1 General Development of HAZOP Procedure

The basic principles of HAZOP have remained unchanged since its development by
the process industry, and in particular ICI, 25 years ago. However, it is now used by a

wide range of industries extending far beyond the process industry including the
construction, electrical and transportation industries (Eggert, 1995 & Sankaran 1993).
Of course each industry and each individual company has made modifications to the

procedure to maximise the efficiency and effectiveness of HAZOP (Rushton et al.,


1994).

Along with the developmentof the HAZOP procedure,ICI developeda six stage
proceduredesignedto identify hazardsat different stagesin the life of the plant, from
initial project exploration through to commissioningand normal plant operation
(Gibson, 1976). Duxbury & Tumey (1989) give a more detailed descriptionof this
procedure.Haza d StudyI is intendedto make sure that the hazardsassociatedwith
the materialspresent in the plant are understood.It provides the basis for a safe
design.Hazard Study II is a top down considerationof the major hazads that may
exist within the plant. Potentiallymajor events,suchas fire, explosion,toxic release,
to
etc., are analysed see which represent hazards and suitable designs will be
developed,if necessary,to reducethesehazards.The HAZOP Procedureis part three
(HazardStudy111)of this six stageprocess.However,thereis little time savinggained
by using this six stageapproach.Haza d StudiesI and 11identify possibly problem
areasand address particularly hazardoussituationsbut they do not have the same
rigorous and detailed methodology that lies behind the successof HAZOP in
identifying possiblehazards.HazardStudiesIV, V andVI exist to checkthat the plant
is built as designed,that no new hazardshavebeenintroducedduring commissioning
and that any unforeseenhazards or operabilityproblemsare dealtwith.

-
14-
2.5.2 Developmentof Guide Words and Checklists

The list of basic guide words for continuousprocessplant has remainedgenerally


unchangedsince HAZOP originated. Table 2.1 gives a list of the guide words and
their meaningstakenfrom the CIA Guide(CIA, 1977).

GUIDE MEANINGS COMMENTS


WORDS

NO or The complete negation No part of the intentions is achieved but


NOT of these intentions nothing else happens.

MORE Quantitative increase Increase in quantities and properties such

as flow rates and temperature as well as


activities like heat and react.
LESS Quantitative decrease As above but decrease.

AS WELL Qualitative increase All the design and operating intentions are
AS achieved together with some additional
activity.
PART OF Qualitative decrease Only some of the intentions are achieved;

some are not.


REVERSE The logical opposite of Applies to activities such as flow or
the intention reaction. It can also be applied to
substances,e.g. poison instead of antidote
or d instead of I optical isomers.
OTHER Complete substitution No part of the original intention is
THAN achieved. Something quite different
happens.

Table 2.1 - Guide words as originally applied in HAZOP. (From CIA 1977).

- 15-
Having been developedlargely in the petrochemicalsdivision of ICI, the original
HAZOP procedure(Lawley, 1973)was biasedheavily towards continuousprocesses.
This is illustratedby the typesof deviationassociatedwith eachof the guidewords:

NONE - No flow.

MORE OF - More of flow, temperature, pressure, viscosity, etc., i. e., higher flow,
higher temperature, or whatever, than there should be.

LESS OF - Lower flow, temperature,pressure,viscosity,etc.,thanthereshouldbe.


AS WELL AS - Impurities present,e.g., ingressof air, water, acids. Extra phase
present,e.g., vapour,solids.

PART OF - Change in composition of the stream, e.g., ratio of components different


from what it should be.

REVERSE - Reverseflow.

OTHER - What else apart from normal operations can happen, e.g., start-up,
shutdown, maintenance,catalyst change, failure of plant services.

Thesedeviationsare generatedby combining the guide words with relevant process


variables for continuousplant. Clearly however, there are certain combinationsof
guideword and processvariablethat are not valid. Thesewould be things suchas no
temperatureand no viscosity. The relevant deviations for continuousplant can be
defmed explicitly, the above set being used for batch processeswith a couple of

additions.This eliminatesthe to
need combinea guide word with an intention. For
continuousplant the following list of deviationsshouldbe considered:

HIGH FLOW
LOW FLOW
NO FLOW
REVERSEFLOW

- 16-
HIGH/LOWPRESSURE
HIGH/LOWTEMPERATURE
HIGH/LOWLEVEL
HIGH/LOWMIXING
STATIC
HIGH/LOWCONCENTRATION
CONTAMINANTS
TESTING
START-UP
SHUT-DOWN
COMMISSIONING& MAINTENANCE.

Other deviations which have been suggestedfor considerationfollowing hazards


which have occurred and for which the potential was not identified in HAZOP
(Crawley, 1995)are:

VIBRATION
IMPACT
NATURALFREQUENCY
ENTRAINMENT
VORTEX

Rushford (1977) took the developmentof deviations for continuousprocessplant


further. Along with the guide words and the processdeviationsfor continuousplant,
thereis also a list of possiblecausesandconsequences
that may needto be considered
with respectto thesedeviations.This checklist type guide word aid was developed
ftirther by ICI. Lees (1996) presentsan extensivelist, called a guide diagram,of the
processdeviationsfor continuousplant andpossiblecausesof thesedeviations.Other
companieshave similarly developedguideword aids (Sweeney,1993& Kelly, 1991).
Kelly (1991) details some changesthat have been made to the HAZOP procedure
within the company he works for (M. & M. Protection Consultants,Cedar Knolls
N.J.). They have developedthree processhazards checklists to aid the HAZOP
procedure.The first dealswith initiating problems,the secondwith consequences
and

- 17-
the third with hazardousevents.Thesechecklists are then used at the appropriate
point in the HAZOP procedure.The initiating problems checklist is used to try to
identify causesof processdeviations.The consequences list is usedto try to identify
consequences. Finally the hazardous is
eventschecklist used to try to determinehow

seriousthe final outcomemay be. One problemwith Kelly's approachis that it places
too much emphasissolely on the identification of hazards.HAZOP is important in
that it also identifiesoperabilityproblems.Indeedone of the main benefitsof HAZOP
is the reductionin the numberof start-upmodificationsrequired.

In addition to the guide diagram for continuousprocesses,ICI have subsequently


developed guide diagrams for batch processes,mechanical handling equipment,
computer control systemsand building designand operability (ICI, 1993).A similar
type of guide diagram is also available, developed by Unocal Corporation for
electricalsystems 1993).
(Sankaran,

More recentdevelopmentson the useof checkliststo aid HAZOP of continuousplant


have occurredduring the last few years as computingtools have been developedto
assistthe carrying out of HAZOP (PrimaTech, 199?;LamdaDelta, 1995). Many of
thesetools contain databasesof possiblecausesand consequences
of deviationsfor

many items of common process plant equipment. The use of computersto assist
HAZOP is discussedlater in Chapters3.3.

The processdeviation is developed,if necessary,to defineexplicitly the problem in a


meaningfulway. For example if the guide word is high andthe processvariableunder
is the
consideration pressure, process deviation is obviously high pressure.Then, for

a long pipeline, possibledistinct problem areasare, liquid hammer,delivery pump


overpressureand thermal expansion of locked in liquid. Each of these distinct
deviation scenarioswould be addressedin turn by membersof the HAZOP team.
They are askedto try to identify possiblecausesand consequencesof the deviation
scenariounder consideration.An evaluation is then carried out by the group to
for
establish need action.This action could take the form of further analysis,such
the
as fault tree analysisof any hazardsidentified, or suggestionsfor possiblechangesto
the plant, suchasaddition of alarmsor the provision of traceheating.

- 18-
noticedin
Thesechecklistswere introducedpartly to addressthe lack of completeness
someHAZOP results.However the checklistsare by no meansas rigorousas a proper
checklist and there is still a reliance on the expertiseof the team to fully realise
possible consequences. In fact it is only likely to make things worse. There is the
possibility that the checklistaspectbecomes a crutch for inexperiencedteams to lean

on, and, because it is a very meagrechecklist, the results cannot be expected to be

complete. This use of lists is not helped by the computer HAZOP aids available,
which presentlists of relevant parameters,causesand It
consequences. canrestrictthe
studyto the everydayparameterssuchas flow, pressureand temperature, it
when may
be more appropriateto consideralternativeparameterswhich might be suggestedif
the original HAZOP procedurewasapplied.

2.6 Worked Examples of HAZOP Application

The following paperscontain worked examplesof the application of conventional


HAZOP to chemicalplant.

Lawley (1974) presentsthe results of the application of HAZOP to the feed section of

an olefm dimerisation plant. The part of the process studied is the transfer of olefin
from storage to a buffer and settling tank where the water impurity is settled out.
Although only a limited section of the plant is studied, the results given are thorough

and detailed.

Lawley (1976) gives the results for a study of an ethyleneoxide feed systemto a
group of batch As
reactors. with Lawley's the
other example, scope is limited but the
resultsgiven are detailedandthorough.

Rushford(1977) gives the resultsfor a simple sectionof a crackerunit. The section


studiedis the gasdrying sectionwhere the gaseousproduct from the crackeris heated

and passed through a suction catchpotbefore being fed to a compression train. The
results are detailedand include a wide variety of problems,a significant number of
by
which are generated the considerationof the guide word "other thaif'. Relatively

- 19-
few problemswere identified by the considerationof the guide words "more" and
"less".

Austin & Jeffreys (1979) carry out a HAZOP on the reactor section of the methyl

ethyl ketone plant described in their book. This HAZOP is interesting in that the
reactor section operates in a semi-batch manner, that is the normal operating
conditions of this part of the plant alter with time. There is plenty of background
information included as part of this worked example, including the design intention

and the design conditions for the different operating conditions of the part of the plant
being studied. The results presented are quite extensive and detailed. However, there
is no attempt made to identify any problems that may be due to such things as start-

up, shut-down and, of particular importance, maintenance.Austin & Jeffreys note that
this is a "truncated operability study" as only an isolated part of the plant is being
studied. They recognise that this introduces difficulties becausedeviations originating
upstream of the truncation point can only be specified in general terms. However,
their intention for presenting the study is to illustrate the principle of HAZOP and so
the completenessof the results is not paramount.

Kletz (1985) analyses a lOkm cross-country pipeline which transfers liquid propane
from a storagetank to a consumerplant buffer tank. This study generated39 actions
for just one line, the resultsgeneratedbeingvery clearanddetailed.

Ozog (1985) appliesHAZOP to a flammablereagentstoragetank. The tank has a


nitrogen blanket to provide an inert in
atmosphere the tank and a pump to deliver
liquid to the process.However,the tank as drawn would appearto have two major
safety flaws, one of which is not queriedin the HAZOP results. Firstly there is no
tank overflow; insteadit seemsfrom the HAZOP resultsthat they are expectingthe
tank to overflow via the relief valve RV-1. The query (column G) relating to
overfilling of the tank due to "unloadingtoo much reagentfrom tank truck7 (cause6
in columnC) is "Is RV- I designedto relieve liquid at loadingrateT'. This is definitely
not a safeway to design for overfilling. Many tanks are only designedto withstanda
coupleof inchesof water head.If liquid is not allowed to overflow from a properly
designedoverflow below the top of the tank but instead is allowed to fill into

-20-
pipework above the top of the tank, then it is quite conceivablethat the tank will
rupture. Secondlythere is a valve V-8 included between the tank and its relief valve.
This leavesthe tank without any overpressureruptureprotectionif V-8 is closed.This
is not noted in the HAZOP resultsgiven, althoughit is presentin the FTA analysis
included in the paper.In addition to theseproblemsthe HAZOP results shown are
lacking in detail.

Although not presentedas a set of HAZOP resultsMcCluer & Whittle (1992) detail
some important safety recommendations generatedby HAZOP of fluid catalytic
cracking units (FCCUs). HAZOP of three FCCUs yielded between 150 and 200
for
recommendations eachunit. From these detailed, specific recommendations, II

were
generalisedrecommendations derived and theseare outlined in the paperalong
with a brief descriptionof the natureof the problemand how hazardsmay be realised.
These generalisedrecommendationslargely relate to hazardsand not operability
problems.Also includedis a detaileddescriptionof the operationof an FCCU and a
descriptionof the structureof the HAZOP.

Sankaran(1993) showshow HAZOP has been applied to somenon-processrelated


projects. Three different sets of results are illustrated. They are for an electrical
distribution system,a urea storageand shipping operation,and an undergroundtank
removal. Although the results are not completefor any of these projects, they are
detailedand somebackgroundmaterial is includeddiscussingeachof theseprojects
and how the HAZOP meetings were conducted.This paper provides very good
examples,which illustrate how HAZOP could be applied in a wide variety of
industriesandthe benefitsthat are achievable.

2.7 Summary

This chapter provided an extensivereview of the developmentof the conventional


HAZOP procedure.It also highlightedthe failings and effectivenessof HAZOP. The
next chapter will consider the different ways of improving the performanceof
conventionalHAZOP.

-21-
BLANK IN ORIGINAL
3 Improving Conventional HAZOP Performance

This chapter looks at how conventional HAZOP performance can be improved.


Firstly the composition of HAZOP teams is looked at to see how their effectiveness

can be maximised. Secondly, lessons from HAZOP experts, people with many years'
experience of carrying out HAZOP in industry are considered. Finally the role of
in
computer aids conventional HAZOP is looked at, and the pros and cons of their use

considered.

3.1 Effective HAZOP Teams

3.1.1 HAZOP Team Composition

One of the reasonsthat HAZOP is so effective is becauseit stimulatesa group of


peopleof different disciplinesto creativelythink about and discusspossibleproblems.
To maximisethis effectivenessthe teamcompositionis vitally important.Basically it
is necessarythat the team should have amongstthem the appropriateknowledgeand
experiencerequired to identify the problemsthat may exist with the systemunder
consideration.Along with this requirementfor knowledgeand experience,the team
should also include an experiencedHAZOP team leader and a HAZOP secretary.
However in order to remain disciplined and efficient it is necessarythat the team
shouldnot be too large.It would be recommendedthat no morethan six peoplemade
up the team.

The members of the team should be selected to achieve the right balance of
knowledgeandexpertise.For HAZOP of a new chemicalplant design,the most likely
composition of a HAZOP team would be, project engineer, process engineer,
instrumentationdesignengineer,and an independentteam leader.In addition it may
if
include a researchchemist necessary.For HAZOP of an existing plant the team
would normally consistof the following people, plant supervisor,
plant foreman,plant
engineer,instrumentmanager,process investigation managerand independentteam
leader.For HAZOP of a modification or extensionto an existing plant then some
combination of thesetwo groupswould be used,bearingin mind that the total ought
not to exceedsix (Kletz, 1985).

-23-
3.1.2 HAZOP Secretary

The HAZOP secretaryor scribe plays an important part in the team, particularly in
recording, as appropriate,the discussions of the team as a whole. Goyal (1994)
identifies the following requirementsof a good scribe, basic engineering/technical
knowledge,linguistic skills, ability to type reasonablyfast and familiarity with the
recording system. In addition the scribe should have the ability to listen and pay
attentionto detail. However, in order to reducethe numberof participantsin a team,
some companies are combining the roles of the HAZOP leader and the HAZOP

secretary (Kletz, 1985). Apart from the advantage of reducing the personnel
requirement, there is also the advantage that the HAZOP leaderknows what is being

recordedand that nothing importanthasbeenmissed out. There would seemto be one


significant disadvantagewith this method and that is the rest of the HAZOP study
team are often left waiting whilst the HAZOP team leader writes up his notes. In
particular, this may impact on the ability of the HAZOP team leader to effectively
manage the team.With a separatesecretary this is not so muchof a problem. Having a
separate secretaryalso provides a good platform for training novice HAZOP team
leaders.Alternatively the project engineercould also be usedas the secretary.He will
alreadybe familiar with the referencenumbersfor different partsof the plant andwill
havea good incentiveto makesurethat all relevantdiscussionis captured.

3.1.3 HAZOP Team Leader

The HAZOP team leader is mainly responsible for making sure that the team follows
the HAZOP procedure. In addition he should make sure that the team works

efficiently and effectively, primarily by controlling the discussion and stimulating


team thinking. Although HAZOP studies have a definite systematic methodology it is

widely recognised that many HAZOP team leaders adopt different approaches.It has

also been shown (Freeman et al., 1992) that expert HAZOP team leaders will conduct
a hazard study faster than their novice counterparts. Our own study (Jefferson et al,
1995a) confirms the finding of Freeman et al.

-24-
The main question arising from our analysis is, "How can novice HAZOP team
leadersbe trainedmost effectively?" An importantfeatureof HAZOP is that it can be
applied flexibly, either to identify first a consequenceof a certain deviation or to
identify first a cause of a deviation. However, novices do not appreciatethis
flexibility. This doesnot necessarilycompromisethe integrity of the HAZOP but can
lead to inefficient use of time. Proper training of novices is required to reducethis
inefficiency. Expert team leadersare markedout by their ability to choose,by some
mechanism,the most appropriateroute for the team to follow to identify efficiently
the causeconsequencescenariosof interest.Novices shouldbe madeawarethat they
can be flexible when leadingHAZOP meetings.It works most effectively when there
is no prescribed direction to follow from deviation to cause or deviation to
consequence.

3.1.4 HAZOP Meetings

One option for improving HAZOP is to make sure that the meetings are set up in such

a way that the HAZOP team members are given the best opportunity to perform at
their most effective. This includes things such as, making sure meetings are not too
long, allowing sufficient breaks during meetings and having a good environment for
the meeting.

Determining the maximum length of individual HAZOP meetings would seem to be a

compromise between reducing the overall time span required for the HAZOP and
allowing HAZOP participants as much time as possible to carry out their normal
duties. However, there is evidence that no such compromise is necessary.It has been

noted (Pully, 1993) that for a complete HAZOP of similar units, the number of hours
spent on the HAZOP was halved when meetings were held for only four hours per
day rather than 8 hours per day (half day sessionsas opposed to full day sessions).In

other words the overall time span for the complete HAZOP was the same. Dowell
(1994) suggests that meetings are restricted to 3-4 days per week with 6 hours of

meeting sessionseach day. The general consensusis that if any more hours per week
are spent carrying out the meetings, the participants become fatigued and there is
more pressure for them to miss HAZOP meetings in order to continue their normal

-25-
duties.Fatigueresultsin a lack of drive, enthusiasmand creativity, and makesfor less

efficient and effective meetings.The to


pressure miss HAZOP in
meetingsresults at
least late arrivals and early departures,and this disruption further impedes the
progressof the study. On the other hand, if any less time is spent per week, then a
significant proportionof that time is spent getting back to
up speedon the details of
the P&IDs, the processandthe HAZOP procedure.Sweeney(1993) suggeststhat if 8
hours of meetingsper day are required to facilitate an urgent HAZOP, then these
shouldnot extendbeyond two weeks before a substantialbreak is provided.However,
I think it is fairly clear given the observationsabovethat unlessthe entireHAZOP can
be completedwithin those two weeks then it is probably not worthwhile. Indeed,
Jones(1992) reckonsthat in practice,for studieslasting more than about a week, a
five hour per day meeting schedulecan accomplishalmost as much as one lasting
eight hoursper day.

3.2 Lessons Learned from IIAZOP in Industry

A number of papersexist, written by people who have carried out HAZOP for a
number of years, detailing additional guide lines that they have developedover the

yearsin orderto makethe HAZOP asefficient andeffectiveaspossible.

Thesesuggestionscan usefully be differentiatedinto two main groups,thosethat are


applicablein the setting up of the HAZOP meeting, those that are applicablein the
carrying out of the meeting.Establishinga safeenvironment for team is
members an
exampleof a requirement that must be met in the setting up of a HAZOP meeting.
This sort of requirementwould need to be used by both HAZOP team leadersand
in
managers charge of setting up HAZOP meetings. Giving too little credit for
is
safeguards applicableto the carrying out of the meeting.Suggestionsapplicableto
the carrying out of meetingswould need to be recognisedand utilised by HAZOP
teamleaders.

Thereare a large numberof papersavailablediscussingthe selectionof membersof


the HAZOP team. Thesepapers are written by experiencedHAZOP practitioners,
generally HAZOP team leaders, and provide valuable guidelines on how tearn

-26-
selectioncanaffect HAZOP performance.

Lihou (1986) gives somevaluable insights into how team membersshould perform
within a HAZOP team. He identifies the following roles and suggeststeam members
shouldbe ableto move freely betweenroles:

" Expert Informant: The person who can explain how a new processis
intendedto operateor how an existingplant is operated.

" Experienced Unbeliever: The personwho recognisessimilarities between


the item beingexaminedandothersthat havebeenproblematical.

" Enthusiastic Pupil: The person who asks from clarification from the
-exper&' and/or the unbelieverthereby helping them to be sure that their
adviceis relevantin the currentsituation.

" Logical Goalkeeper: The person who prevents fallacious solutions to


possiblehazardsidentified being includedin the lists.
"action7'

Thesecan be groupedtogetherandI will refer to them subsequentlyas HAZOP team


selection.

He also detailsthe responsibilitiesof HAZOP team leadersand gives someguidance


on other aspects
of carrying out effectiveHAZOP.
Jones(1992) has put together a very detailed list of potential pitfalls and common
mistakesmade during HAZOP, as well as detailing somepotential HAZOP benefits.
The possiblebenefitsof HAZOP that he identifiesare:

A systematicandthoroughreview canbe madeof existingplant.

Evaluationof the consequences


of humanerror canbe made.
Subtlesequences
of eventsthat leadto uniqueaccidentsare identified.
Plant efficiency canbe improved.
A better understandingof plant operations is gained by operators and
engineers.

-27-
PAGE

MISSING

IN

ORIGINAL
PotentialHAZOP pitfalls identified are:

Poor understandingby managementof the HAZOP procedureand resources


required.
InexperiencedHAZOP team.
Inadequatelytrainedor inexperiencedHAZOP teamleader.

Some of the mistakeshe identifies are those associatedwith the role of the team
leader.They are:

Failing to establish a "safe" environment (in terms of being free from


for
recriminations) teammembers.
0 Consequences
of eventsnot carriedto conclusion.
Giving unwarrantedcredit to safeguards.
Too little or no credit given for safeguards.

0 wherefollow-up is difficult.
Making recommendations

0 Poor recording of HAZOP.

General mistakes that can occur and which can hamper the progress of HAZOP are:

Failureto HAZOP start-upandshutdownprocedures.


Poorly updatedP&lDs.
Carryingout a HAZOP in placeof properly executeddesignreviews.
Wrong techniquefor the systembeingreviewed.
HAZOP sessionsthat run too long eachday.

Using the recommendationsfrom the abovereferencesand separatingthem into two


groups,I havegeneratedthe following lists of suggestionsfor improving HAZOP.

-29-
Suggestionsfor HAZOP managersand HAZOP team leadersfor settingup HAZOP
meetings

Select the correct HAZOP team.


Establish a 'safe' environment for team members.
ScheduleHAZOP sessionsin a reasonableway.
Make sure proper resourcesare available.
Use properly trained HAZOP team leaders.
Make sure proper design reviews have been carried out.
Use up-to-date P&IDs.

Suggestionsfor HAZOP team leadersfor carrying out HAZOP meetings:

Make sure HAZOP sessionsdo not run on too long.


Allow plenty of breaks at suitable intervals.
Give appropriate credit for safeguards.
Make sure recommendationsare suitable.
Make sure a proper record of the meeting is made.
Make sure start-up and shutdown proceduresare analysed.
Make sure all necessaryinformation is available.

3.3 Computer Aids in Conventional HAZOP

In the past few years, a number of computer programs have been developed to assist
in the carrying out of HAZOP (e.g. PrimaTech, 1994; Sigma-Lambda, 1995). On the

whole these are simple secretarial tools to provide a convenient way of turning the
deliberations of a HAZOP meeting into a formal, structured report. They also provide

a prompt for the team, suggestingthe next guide word and processvariable requiring
consideration. However, these computer tools have also, in general, not reduced the
time taken for hazard identification.

-30-
3.4 Conclusions

The conventionalHAZOP procedurehasbeenestablishedfor a long time. Somework


has been done on improving the HAZOP procedureand on shorteningthe time
requiredfor HAZOP meetingsbasedon experience.However,thereis a limit to what
can be achieveddueto the exhaustivenatureof the approachtakenin HAZOP. More
radical approacheswill need to be consideredin order to bring about drastic
improvements.

In the future there is the possibility that HAZOP will be performed automatically by

computer. Loughborough University is at the forefront of these developments(Chung,


1993 & Jefferson et al., 1995b). Automated HAZOP offers a considerable reduction
in the amount of time required for hazard identification, however it is unclear how

effective it will be in identifying all hazards. The next chapter looks at the
possibilities for improvement afforded by automating hazard identification.

Chapters5 to 7 will deal comprehensively


with the ideaandmethodologyof modular
HAZOP that has beendevelopedthrough this project.

-31-
BLANK IN ORIGINAL
4 Automated HAZOP

Onepossibleroute for speedingup the identificationof hazardsin chemicalplant is to


usecomputersto identify hazardsautomatically. The pioneering work in this areawas
first carriedout by Parmarand Lees (Parmar1987;Parmarand Lees 1987a,1987b).
They set out to developa hazardidentification tool basedearlier work by Lees and
colleagueson fault propagation
and fault tree (Martin-Solis
synthesis et al 1977,1980,
1982;Kelly and Lees 1986a,1986b, 1986c, 1986d).They did not originally assume
that it would necessarilyemulate HAZOP. They consideredvariants more akin to
fault treesand to failure modesand effects analysis,but concludedthat the HAZOP
approachof examining every potential deviation in every line does offer the best

of
assurance completenessand therefore developed their initial versionof HAZID as,
in effect, a HAZOP emulator. There are now a number of researchprototypes
describedin the literature that adopt the sameapproachdevelopedby Parmer and
Lees (Zerkani and Rushton 1993; Venkatsubramanianand Vaidhyanathan1994;
Jeffersonet al. 1995b;Larkin et al. 1997;Wakemanet al. 1997).

The purposeof this chapteris twofold. First, it providesa generaldescriptionof the


commonapproach that is in
used many of the automated HAZOP systems developed
so far. Second, it highlights the researchissuesthat needto be in
addressed order to
build fully functionalsystemsthat will be acceptedby engineers.

4.1 Representing Causal Relationships

To emulateHAZOP, a programneedsto be ableto infer how a processplant behaves


in qualitative terms, i.e. how the increase,or decrease,in one processvariable will

affect other variables in the plant. Given a processplant description,it is possibleto


declarecausalrelationshipsbetweenall of the processvariablesin the plant. Consider
the small plant fragmentshownin figure 4.1. If we only considerthe propertyof flow
in this systemthen we can defineten processvariables,i.e. the flow at eachinlet and

outlet of eachpieceof equipment.Any given variablemay dependon any of the other


nine. There are ninety dependenciesin all. Once these dependencieshave been
declared,then it becomesa simpletask to seethe effect that a changein one variable

-33-
hason othervariablesin the systern.

in2

out m, out inl 11 1


-1 outl in
in
vlol vl 02
plol hIO1 I out2

Figure 4.1 - Small plant fragment

In a large plant it is unrealistic to expect that every causal relationship could be


explicitly declared.A more economic approach, taken here, usesthe assumptionthat
the causalrelationshipswithin an item of equipmentare independentof the contextof
equipment in the plant, together with a method of generatingcausal dependencies
between adjacent equipment. This approach dramatically reduces the number of
dependenciesthat need to be declaredand still allows the dependenciesbetween
remote process variables to be deduced. Because the description of causal
relationshipsis at the equipmentlevel, rather than at the plant level, it is easierto
ensureandto maintaincorrectnessand completeness.

A common representationfor modelling causalrelationshipsis the SignedDirected


Graph(SDG). SDGswere first used for studyingprocessplants by Iri et al. (1979).
hasbeenwidely usedby other researchers.
Sincethen the SDG representation

A directed graph consists of a network of nodes and arcs. A node representsa


variable. An arc from a node, X, to anothernode, Y, indicatesthat in
a change the
variableX will causea change in the variableY. In other words, Y is dependent
on X.
Therefore,a directed graph can also be called an influence diagramor dependence
diagram(MacCallum,1981).An SDG is an extensionof a directedgraph.Eacharc of
the graph is labelled with a sign "-+-"or The sign "+" indicates a positive
influence,i.e. Y will increaseif X is increasedand Y will decreaseif X is decreased.

-34-
The sign 'V' indicatesa negativeinfluence,i.e. Y will decreaseif X is increasedand
Y will increaseif X is decreased.

An SDG can be derived empirically or from conventionaldifferential and algebraic


that
equations modelthe behaviour in
of a particularplant numericalterms.However,
as mentionedearlier, constructinga SDG from for
scratch a completeplant can a be

very time consuming process.Fortunately,


processplants, like other physicalsystems,
are built by connectinga set of smaller equipmentstogetherto perform the required
functions. The behaviourof eachof theseequipmentscan be describedin a system
independentmanner.By combining the equipmentdescriptionsthe behaviour of a
whole plant can then be analysed.This idea of generatinga completeplant model
from equipmentdescriptionsis used by a number of researchers(Lees and Kelly,
1986;Oyeleyeand Kramer, 1989;Catino, et al., 1991).For the SDG representation,
an equipmentdescriptionconsistsof a mini-SDG -a set of propagationarcs - which
shows how a changein one processvariable affects anothervariablewithin the same
equipment. A deviation in one equipment can be propagatedeither upstreamor
downstreamthrough the inport and outport connections.Therefore,the SDG for a
complete plant is generatedby joining the appropriate mini-SDGs together as
appropriatefor the plant topology.

4.2 Automated HAZOP System Overview

A generalarchitecturefor an automatedHAZOP systemis shown in figure 4.2. The


unit library contains unit models, which are mini-SDGs of common items of
equipment found in continuous plants. The unit model of an item of equipment
describesthe behaviour of processvariables, failure modes and the consequences
associatedwith the failure modesand deviations.The plant model is a descriptionof
the plant underanalysisbasedon the equipmentin the plant and how it is connected.
The equipmentin the plant is declaredby referenceto unit modelsin the unit library.
The main elementof the systemis the inferenceengine.It hasthree basic functions,
which are:

e Creationof the plant SDG from the information given in the plant model and

-35-
library.
component
Emulationof the conventionalHAZOP procedure.
Searchof the plant SDG for causesandconsequences
for a given deviation.

Component I
Library

Plant I Inference Plant


Model Engine SDG

Reiults

Figure 4.2 - General Architecture for Automated HAZOP System

4.2.1 Unit Models

Unit modelsin the componentlibrary definethe defaultbehaviourandattributevalues


for different types of equipment.Each unit model is specified as a frame, which is
similar to the idea of an object in object-orientedprogramming(Coad and Yourdon,
1991).For examplethe unit modelfor a pipe is definedas:

frame( pipe isa unit,


[inports is [in],
is
outports [out],
propLinks are [
arc([in, flow], +,[out,flowl),
arc([out,flow], +, [in, flow]),
arc([fauIt,leakj,-,out,flowj),
arc([fault,leak],+, [inflow]),
arcQfault,leak],+,[consequence,
contaminateenvironment]),
arc([in,temp],+,[out,temp]),

-36-
+,
arc([in,pressure], [out,pressure]),
arc([in,composition],+, [out,composition]),

otherarcs]

otherattributesrelatedto a pipe

*11]),

This saysthat a pipe is a sub-classof unit, i.e. it inheritsthe attributesandthe default


values associated with a unit. A pipe has one inport called in and one outport called
out. The attributepropLinks stores a list of arcs that define,
the mini-SDG relatedto a
pipe. The first eight lines the
represent SDG fragmentsshownin figure 4.3.

[consequence, contaminate environment] -d+ [fault, leak]

[out, flow] + [in, flow]

[in, temp] [out, temp]

[in, pressure] -*[out, pressure]

[in, composition] [out, composition]

Figure 43 - Partial signed directed graph for a pipe

4.2.2 Plant Description

The plant model is a descriptionof a plant constructedwith respectto. the way in


which its processequipmentis connected.The equipmentin the plant is declaredby
referencingunit modelsin the unit library. The descriptionfile can be generatedfrom

-37-
a CAD systemor constructedusing a text editor. The plant fragmentshown in figure
4.1 is describedas:

instance(p101 isa pump, outports info [out is [vI 0 ljnfl).


instance(vlOl isa valve, outports info [out is [hl0l, inlfl).
instance(hlOl isa heatExchanger,outports info [outl is [v102, infl).
instance(v102 isa valve).

4.2.3 Inference Engine

The inferenceenginetakesa plant descriptionas input and builds up the plant SDG
from the textual representationsof arcs in the unit library with regard to the unit
models and their connections as specified in the plant description. The inference

engine also has a HAZOP emulation driver. By searchingthe plant SDG in an


appropriate manner it effectively emulates conventional HAZOP. The detail of
HAZOP emulationis describedin the following sections.

4.3 HAZOP Emulation - PRELIMINARY STEPS

Figure 4.4 illustrates stepsin the method used to emulate conventiortal HAZOP.

ConventionalHAZOP is a powerful techniqueand has been developedfor use on


both continuousand batch processes.However, automatedHAZOP systemshave so
far only beendevelopedto handlecontinuousprocesses.This reducesthe numberof
guide words and intentionsthat needto be handled.For continuousplant the main
processdeviationsthat can be generatedfrom the combination of guide word and
intentionare:

IRGII/LOWFLOW
NO FLOW
REVERSEFLOW
1-UGII/LOWPRESSURE
I-HGHJLOWTENTERATURE
IUGH/LOW LEVEL

-38-
Theseprocessdeviationsare consideredin turn for every port, althoughthere is an
exception with HIGH and LOW LEVEL which are applied to vesselsonly.

Start

Select a
Dlant unit

Selecta

Select a
vrocess deviation

Find all faults leadig I


to the process deviation I
I

rFind
all consequencesof
faults and of deviation

I Repeat for I
all faults

Repeat for
all deviations

Repeat for
all ports

Repeat for
all lines/main units

End

Figure 4.4 - Basic method for automated HAZOP

-39-
4.4 HAZOP EMULATION - Identifying Faults and Consequences

4.4.1 RepresentingFaults and Consequences

Figure 4.5 showspart of the SDG of a plant fragmentwith two pipes and a valve.
Pipel is connectedto the inport of valvel and the outport of valvel is connectedto
the inport of pipe 2. Thetop, middle and bottom partsof the figure arethe mini-SDGs
for pipel, valvel and pipe2 respectively. The three parts are joined together by
linking the appropriateinterfacingnodes.

4
[in, flow] [out, flow] Pipel
-+ AL
...........................................................................................................................................
+ [fault, leak]
[consequence, contaminateenvironment]
4+
Valvel
[out, flow] [in, flow]
I**
, T-1-11-1-111-1---
........................................... ....... ..... ....................
................... . ....................
. ...... . ............
. ................
4
[in, flow] [out, flow] Pipe2

Figure 4.5 - Signed Directed Graph

In the notation that is used here, each node in the graph that makesreferenceto a
process variable has two parts. The first part specifiesthe port and the secondthe
particular processvariable. When a noderepresentsa fault condition, the first part is
the word 'fault' and the secondpart is the fault description.When a node representsa
consequence, the first part is the word 'consequence' and the is
secondpart the
consequence description. Note that only nodes related to flow, and only one fault

condition and one consequence are shown in the figure.

4.4.2 Identifying Process Variable Influences

Given the SDG of a plant, the way in which one variable affects another can be
by
established identifying an acyclic pathjoining the two nodesof interest.An acyclic
path has no node repeatedin it. The sign of the influencethat a changein the initial

-40-
node has on the fmal in
node the path is the product of all the signs in the path. For
example,given the SDG in figure 4.5, the in
way which the changein pipel [in, flow]
affectspipe2 [in, flow] is determinedby the following acyclic path:

Pipel 1Valvel I Pipe2


[in, flowl--o. [out, flowl-L[in, flowj-+[out, flowl4 [in, flow]

The product of all the signs in the path is 'Y'. Therefore,an increasein pipel [in,
flow] will give rise to an increasein pipe2 [in, flow]; a decreasein pipel [in, flow]
will give rise to a decreasein pipe2 [in, flow]. If we considerthe effect of a leak in
Valvel then it has a positive influence on the in flow of pipel upstreambut has a
negativeinfluenceon the outflow of pipe2 downstream,i.e. a leak will result in more
flow in pipeI but lessflow in pipe2:

Pipel I Valvel I Pipe2

[out,flow]+'-+
[in,flow]*-- -"[out, flowjLo.[in,flow]
[fault,leakT:

If there does not exist a path joining any two nodes then the two nodes are
independent.

4.4.3 Search Strategies

Giventhe ability to representlocal causalrelationshipsfor a processplant, what will a


in
systemneed order for it to be ableto reasonaboutthosedependencies? At the most
fundamentaland generallevel, two typesof questionsexist in hazardidentification:

e What can causeeventA to happen?Examplequestionsinclude "What could cause


the storagetank to rupturcT and "What could causehigh temperatureat the heat
exchangeroutletT

o What will happenas a result of eventB happening?An examplequestionis "What

-41-
will happenif this pump stopsT

The answersto each type of question are found by using two different search
strategies,known as backwardand forward searchesrespectively.To answerthe first
type of question, we construct a path from the final event by following the arcs
backwardsin orderto determinewhat sequenceof influencescould havecausedit. To
answer the second type of question,we construct a path from the initial causeby
following the arcsforwardto determineany consequences of that event.

In emulatingHAZOP we are interestedin exploring all the faults that will lead to a
particulardeviationand all the consequences
associated
with the deviation. Therefore,
searcheshaveto be doneexhaustively,whethersearching forward or backwardfrom a
given node.The term exhaustivehere refers to the requirement that from somepoint
in the graphwe must ensurethat all possiblepathsthroughthe graphto its boundaries
are developed.Only by doing this can we be surethat all influencesbetweenthe given
nodeandeveryother nodehavebeenconsidered.

Two commonsearchstrategies,which can be usedto traversea graph exhaustively,


are the breadthfirst searchand the depth first search(Winston, 1984). The breadth
first searchmethodproceedsfrom somestart point and developsall paths from that
point in parallel. If the start point hasN arcsconnectingit to other nodesthen the first

step of the searchwill produce N paths of length 1. If eachof those N arcs lead to
nodes which have M arcs leaving, then the next step will produce N*M Pathsof
length2.

The depth first searchmethodproceedsfrom some start point by first developinga

singl.e.path as deeply as possible. When that path reachesa terminating node, the
algorithm will backtrackto the last node from which a new sub-pathremains to be
developedand attemptto extendfrom that node.Again this new developmentwill go
as deepaspossiblebeforebacktracking.

For an exhaustivesearch there is no difference in the efficiency of these two


Both
strategies. will traversethe samenumber of arcs and produce the same end

-42-
result.

4.4.4 Linking Causes and Consequences

In conventionalHAZOP, havingestablisheda possibleprocessdeviationfrom a guide


word and intention, the team will simultaneouslyattempt to identify possible faults
that give rise to this deviationand consequences
of this deviation.The intention is to
come up with a realistic cause-consequencescenario.If no consequencesare found
then causesare not a problemand if no causescan be found the consequences
should
neveroccur.If no realistic cause-consequence
scenariocan be found then the HAZOP
teamwill move on to considerthe next processdeviation.

In the SDG representationconsequencescan be linked to both faults and process


deviations.The inferenceengineis directedto searchbackwardsfirst, from a process
deviationto a cause.Having establisheddifferent faults as causes,then a fairly simple
method is used for identifying consequences.Firstly, consequences are identified if
they are directly linked to the processdeviation,at the item of equipmentand the port
under consideration.Secondly,consequencesare identified if they are directly linked
with any faults leading to the process deviation under consideration. Thirdly,
consequences are identified if they are linked to any of the deviationsbetweenany of
the faults andthe processdeviationunderconsideration.

Considering figure 4.6, if the original query was made concerning deviation 3, then
the inference engine traces back and finds two faults: cause I and cause 2. Having
found these faults it looks for consequences.Consequence 5 is directly linked to
deviation3. ConsequencesI and 2 are directly linked to cause 1. Consequence4 is

also identified as it is linked to deviation I which is in the path between the fault and
deviation 3 (the deviation under consideration). Consequence3 is identified as it is
linked to cause 2. The output generatedis shown in table 4.1.

-43-
cause3 7
consequence

deviation5 deviation6----o-

co 4
consequence consequence 5
a'-tion
dcvilonl 0-deviation2--P-d: 3-0- deviation40

cause cause2
consequence6

consequence consequence2 consequence3

Figure 4.6 - Connection between faults and consequences

Deviation Possible causes Consequences

deviation3 causeI 1,2,4 &5


consequence
cause 3&5
consequence

Table 4.1- Partial output from hazard identification system

4.5 Research and Development Issues

The preceding sections have given a general overview of the basic features of an
automated HAZOP system. This section highlights the research and development
issuesthat typically arise in developing a tool of this kind.

4.5.1 Conflguration Defects

A particularclassof problem in plant designis that associatedwith the configuration


of the units. There are certain configurationswhich may be questioned, based on
experience of problems with similar configurations, without resort to fault
An
propagation. example is the caseof a control valve at the end of a long pipeline
containing liquid. This configuration immediately suggests potential for water
hammer.This type of situationcan thereforebe dealt with by a simple configuration
rule.

-44-
4.5.2 Data Acquisition

A common problem in computer aids for process plant design is that of data
The
acquisition. value of the tool is greatly reducedor evennegatedif the data input
are
overheads excessive. It might be expected, since computer aided design (CAD)
systemshave been around for some time, that there should be little problem in
downloadingbasic plant data,but in fact this is not the case.CAD systemsare still
fragmentedandthereis not a universalinterfaceinto which a computeraid of the kind
describedcanbe "plugged". The designerof sucha systemis thereforefacedwith the
to
need provide the interfacesnecessary for the acquisitionof the required data. The
mainpiecesof information requiredto representa chemicalplant are:

Plant Description: Essentialdata are those given in the EngineeringLine Diagram


(ELD) of the plant, namely the constituentunits, including the controls, and their
Equally
connectivities. essential
are data on the properties,stateand compositionof
the fluids in the plant and the design envelope of the plant defined in terms of
pressure, temperature, etc. It is also necessaryto have what may be termed
"configurational" information.For example,it is necessaryto know whethera set of
two pumpsshownpiped up in parallel is to be run as a set of two pumpsoperatingin
parallelor as a setwith onenormally operatingand one on standby.Likewise, if there
are two pressurerelief valves in parallel it is necessaryto know their duty and
capacity.

Operating Instructions: It is then necessaryto create within the program a plant


which
representation conforms with the methodof analysisto be used.This also is not
a trivial problem.For example,a plant is, or shouldbe, designed to be in
operated a
particular way. The operating procedures therefore constitute a further set of
informationrequiredfor effectivehazardidentification.

Unit Models: In the methodologyused,the individual units are eachrepresentedby a


unit model. Each is
unit model a set of qualitative relations equivalentto a signed
directedgraph.The formulation of high quality modelsrequiressomeexperienceand

-45-
effort. The provisionof a unit model library is a partial solution, but experienceshows
that in most caseswhen constructinga new plant description it is necessaryto
configureone or two new models.It is therefore
necessary to provide some form of
tool to assistthe user in creatingthesemodels.The user can expectto find in the unit
model library the great majority of the modelsrequired. Guidance,however, should
be providedto ensurea correctselection.This points to the needfor a soundstructure
for the library.

4.5.3 Protections

HAZOP record sheetsoften have a column which indicatesthe protectionsavailable


for the deviationsexamined.Theseprotectionsare typically alarms, pressurerelief
devices,controls and trips. A computer aided method is more complete if it can
identify where such protections exist. Early work on dealing with control in the
contextof fault tree synthesiswas carriedout by Shafahiet al. (1984). Chung(1993)
has developedan algorithm for analysingthe propagationof control signals using
signed directed graphs.The algorithm is used in the CHEQUER system(Jeffersonet
al., 1995(b)) for the
generating protection column entriesfor HAZOP.

4.5.4 Search Efficiency

Another issue is search efficiency and program run time. Despite the power of current
PCs,it is still necessaryto try to limit the searchesandto makethem as economicalas
practical. Some work on improving the search algorithm was carried out at
LoughboroughUniversity underthe STOPHAZproject (McCoy, 1999).

4.5.5 Output Quality

With regardto the format of the output record,the intent is that an automatedhazard
identification system should broadly follow that of a conventional HAZOP. It is

characteristicof computergeneratedsearchesthat they tend to produceoutput which


usersdo not find "naturar'. The issue of casting the output in a form acceptableto
be
usersshould specificallyaddressed.

-46-
in
output HAZOP emulationsis that it
Another characteristicof computer-generated
tendsto includean excessivenumberof unimportantconsequences. In a conventional
HAZOP theseare "filtered out", often almost unconsciously.Handling of the large
number of "false positivee' is perhaps the single most significant problem in
developingan acceptabletool. It is necessaryto rank the consequences
and to remove
the lesssignificant,thoughthe user can be given somecontrol over the thresholdfor
reporting (McCoy
consequences. et al. 1999)

is retainedas significant,there can still be a problem with an


Even if a consequence
excessivenumber of causes,most of which arc unimportant. This again requires
specifictreatment.

Another aspect of quality in the output is completenessin identifying important


Such
consequences. completeness is largely a function of the quality of featuressuch
as the unit modelsand fluid model.

Finally, the outputneedsto be as free as possibleof the outright errorsand nonsenses


to which computer-generated output tends to be prone. The only solution to this
problem is high quality work throughoutthe system.

4.6 Conclusions

This chapter describedhow hazard identification can be automatedby emulating


conventionalhazard and operability studies(HAZOP). There are a numberof major
researchprojects that have been carried out in this area. Although the basic fault
propagation methodology is simple, there are major researchand development issues
that needto be addressedbefore sucha tool will reacha level that is acceptableand
by
used engineers.

-47-
BLANK IN ORIGINAL
5 Modular HAZOP Theory and Principles

The first sectionof this chaptergives a summaryof what has beendone in modular
HAZOP relatedwork to setthe scene.The rest of the chapterdiscussesthe theory and
principles behind the modular HAZOP In
approach. particular it sets out definitions
that areusedin modularHAZOP.

5.1 Literature Relating to Modular HAZOP.

Thereis no literaturethat I am awareof that makesreferenceto the form of modular


HAZOP developed in this thesis. The most similar developments of HAZOP appear

to be thosedescribedby Black & Ponton(1993)andToola,(1992).

Black & Pontondescribea methodfor hierarchicalHAZOP which is basedupon the


decompositionof processplant accordingto Douglas(1988). However, the type of
decompositionhe describesis not suitable for the type of modular HAZOP we are
interestedin. The levelsof decompositiondescribedby Douglasare:

1. Processinput-output structure.
2. Recycle structure.
3. Separationsequence.
4. Energy integration.

For hierarchicalHAZOP, Black & Ponton,apply the HAZOP procedureto eachlevel


of the abovedecompositionof the plant as it is designed.
Although, as they identify in
their conclusion, this form of HAZOP enableshazardsto be identified earlier, it
would seem more appropriateto apply a method like the ICI six stagehazardstudy
procedure (Duxbury & Turney, 1989). There are two possible advantagesof the
hierarchicalHAZOP approachover the ICI six stagehazardstudy. Firstly it may be
able to identify hazardsdue to interactionsbetweenequipmentat an earlier stage.
Secondly, it may make the final HAZOP simpler. On the first of these points, I
that
suspect very few interactionhazardsare apparent
until the detail of equipmentis
known and for the otherpoint it is unclearwhetherthe time savedin the final HAZOP

-49-
is eithersignificantor is not negatedby additionaltime spenton earlierHAZOP.

Toola (1992) describesan approachto hazardidentification at the plant level. This


plant level safety analysis includes a HAZOP of the plant using a functional block
diagramas the model of the systemrather than a MID or ELD. This approachwas
compared by Toola with a conventionaldetailed HAZOP of the plant using a P&ID.
The differencesin hazardsidentified reflected the level of detail presentedin each
case.For the plant level hazards
analysis, were moreeasily identified wherethey were
due to the interactionbetweenthe blocks making up the functional block diagram.
Although detailed HAZOP of a plant should identify hazads due to the interaction
betweendistant units, the sheerscaleof the plant and size of the drawings involved
makes this a difficult task. For the detailed analysis the hazardswere more easily
identified at the componentlevel. A modular HAZOP methodologyought to be able
to identify both of thesetypesof hazards.

5.2 Decomposition of Plant for Modular HAZOP

The principal reasonfor developingmodular HAZOP is to reducethe time taken for


effective haza d identificationthroughthe use of setsof previously HAZOP
generated
results. These sets of results will be referred to as preHAZOPed results. These

preHAZOPed results are generated for In


equipmentmodules. order for there to be

any significant time saving, these preHAZOPed results must be of reasonablysized


sectionsof plant. Conversely, they must not be so large as to makethe preHAZOPed
results useless with regardsto applicability to new plant. This section looks at the
problems that need to be in
addressed looking at the level of decomposition required
in creatingequipmentmodulesfor the generationof preHAZOPedresults.To some

extent in existing HAZOP the


meetings, plant may be broken into modularsectionsin

order to simplify the study procedure. For example, a pump set is unlikely to be
decomposedinto its componentparts - valves, impeller, motor, etc. - and each
considered separately.Instead,a setof knowledgerelevant to the module will be used.
in the caseof a pump this would include knowledgeof motor failure and impeller
failure.

-50-
5.2.1 Levels of Decomposition

Firstly at the lowest practical level of decomposition (figure 5.1) we can break each
item of a plant up into its basic constituent elements. These component modules are

connected either by electrical, hydraulic or mechanical links. A pump may be broken


down into a motor, gearbox, impeller, etc. This level of decomposition goes even
further than the line by line decomposition employed, certainly by experienced
HAZOP teams, in conventional HAZOP.

Figure 5.1 - First level of decomposition. Component level.

At the next level of decomposition(figure 5.2) we can considerthe plant being made
of equipment modules. Theseare groups of components which perform functions at a
very simple level. These equipment modules may be pumps, heat exchangers,
pipelines,vessels,etc. Included within thesemodules will be the relevantvalves and
connecting pipes.This is the level at which HAZOP
experienced leaders conducttheir
meetings. They know that they do not needto considereachvalve or pipe and they
havebuilt up a set of knowledge,particularly of faults and consequences
for many of
theseequipmentmodules.

-3rl -
Separadon

Reaction Heat II Storage


Pump Vessel
MnAtIlf. -I -1
-1 -I I M.

Heat Ij Chemical
Pump I Pla6tB
Exchangerl

Figure 5.2 - Secondlevel of decomposition. Equipment modules.

The next level of decomposition (figure 5.3) is to consider the plant as being made up

of a set of functional modules. These might be functions such as reaction, separation,


storage, refrigeration etc. These modules will be interconnected in some way and they
may also have connections to the outside world. The main problem here would seem
to be defining exactly what constitutes a functional module. For example, a separation

module may be defined as being made up of pumping equipment, vessels, and


condensers, or it may be more simply defined as just a separating vessel. From a
hazard identification point of view the main problem is whether or not it is possible to
identify all the hazardswithin these functional modules. In terms of reducing the time

taken to perforrn hazard identification the larger the modules are the less time it is
likely to take to carry out modular HAZOP. On the other hand, the larger the modules

are the less likely it is that they will be re-used in future plants.

This level of decomposition may be used in conventional HAZOP in certain

circumstances.For example, some of the connections to the plant may not be subject
to rigorous HAZOP, only known causes and consequenceswill be considered based

on the functionality of the system connected. Examples might be cooling water


supplies, nitrogen supplies and power supplies. In the case of a power supply the
HAZOP team would probably only consider complete failure. Although other failure

modes could be conceived, based on their previous experience of power supplies, only
complete failure would be considered. No consideration is normally given to the
components making up the power supply, it is treated strictly on a functional basis.

- s*L-
Figure 53 - Third level of decomposition. Functional modules.

At the highestlevel of decomposition(figure 5.4) we can take a plant as a complete


entity with connectionsto the outsideworld. Theseconnectionsto the outsideworld
will include the environmentand operatingpersonnelas well as physical connections
to other plants or tanker loading and unloading facilities. Hazard identification is
applied to try to identify the possible haza dous effects that the plant may have on
people and the environment.However, unless the plant is identical to one for which
all the possiblehazardsare known then there is no way to identify the hazards at this
level of decomposition.Figure 5.4 illustratesthis top level of decomposition.

-93-
Figure 5.4 - Fourth (highest) level of decomposition. Plant level.

It should be noted that there is some overlap between each of these levels of
decompositionas illustrated above.For example,a valve could be consideredas an

equipmentmodule and broken down into its component it be


partsor may considered
as a componentof say a pump module. A condensercould be consideredas either a
functional module or an equipment module. It may be consideredan equipment
module when it forms part of a distillation column, but a functional module if it

occurs in isolation. There are no formal defmitions of where the boundariesbetween


thesedifferent levelsof decompositionlie. Nor is any neededasthe different levelsof
decompositionare intendedas illustration only.

This discussionillustratesseveralthings. Modules must contain sufficient detail that


the resultsgeneratedare accurateand complete.In terms of time saving, ideally we
would like to be able to identify hazardsin modulesat the functional level. The larger
the modulesthat the
we use, more time be
can savedover conventionalHAZOP. This
will reduce considerably the number of items studied at HAZOP while still
identifying (hopefully) all the possiblehazards.However, the larger the module, the
lesslikelihood there is that it can be reusedin future projects.If the modulecannotbe
reusedthen there is potentially no time saving, although the overall time taken for
modular HAZOP of a complete plant may still be less than the time taken for

- S-f -
conventional HAZOP of the same plant, even if time is spent generating
preHAZOPed resultsfor moduleswhich may have no or limited possibility of reuse.

5.2.2 Sub-modules

To solve the conflicting requirementsof making the modulesas large as possibleto


savetime but small enough to be useful in numerousprojectsand to be sufficiently
detailed, the concept of sub-moduleswas introduced.The aim is to optimise the

effectivenessand efficiency of the moduleswhile minimising the number required.


The intention is that rather than having a large number of different preHAZOPed
module results,one for every variation of equipmentand its arrangementthat might
make up a module, it should be possibleto createtheseresults by piecing together
results for sub-modules. The approach taken is that, modules are defMed on a
functional level and are made up of a number of sub-moduleswhich are defmed
substantiallyat an equipmentlevel. The connectionsbetweensub-moduleswithin a
module are defined explicitly so there is no significanttime taken in
up generatingthe
preHAZOPed results for a module from the preHAZOPed results for each sub-
module.

As an example of the use of sub-modulesand particularly how they introduce


flexibility for applyingthe samesub-modulesto analysisof different plants,consider
a stocktank. The basic stocktank moduleconsistsof the following sub-modules,inlet
sub-module, tank itself, outlet sub-moduleand a vent sub-module.The outlet sub-
module could be a singlepump, or two pumpsoperatingcontinuouslyor two pumps,
one running, one spare. The inlet sub-module could be a continuousfeed from another
part of the plant or it may be a batch feed from a tanker. The vent sub-modulecould
either be an open vent to atmosphere or an inert gas blanket. These few simple
examplesprovide 12 different stock tank arrangements.As a further example,the
preHAZOPed results for a stock tank with a heating coil would only require the
addition of the resultsfor a heating coil sub-moduleto be addedto the standardstock
tank results.

In somecasesit may not be necessaryto createnew preHAZOPedresults for each

-55-
variation of a sub-module as the effects on the module may be very slight and the
sameresults could be used for a variety of different sub-moduleconfigurations.If we
consideran inert gas venting sub-module for a stock tank module, it is possibleto
envisagea couple of different control strategies.However, in this case, similar
problems are encountered whatever arrangement is used, so it would not seem
necessary to have a different set of sub-module results for each, though some
additionalcommentsmay be appropriate.

The main problemenvisagedis dealingwith the interactionbetweensub-modules.It


is foreseeablethat there are caseswhere the choice of one sub-moduleaffects the
preHAZOPed results of another sub-module. It is hoped that through appropriate
in
comments the preHAZOPedresults most problems can be overcome.However
there may be caseswhere it is necessaryto selectdifferent sub-moduleresults for a
given sub-moduledependingon the selectionof other sub-modulesthat make up a
particularmodule.

5.3 Principles of Hazard Identification Using Modular HAZOP

5.3.1 Dealing with Interconnections

The approach taken in modular HAZOP for dealing with the interconnections
betweenmodulesis to considerthe effectsmoduleswill haveon eachother. For each
module there will be four setsof effectsthat will needto be considered.Theseeffects
are illustratedin figure 5.5.

1. Effects from the module-a setof possibleeffectson other modules.

2. A set of module vulnerabilities - effects (from outside the module) that have an
effect on the module.Thesecan either give rise to hazardsinside the module or new
effectson othermodules.

3. A setof internalmoduleproblems.

4. Effects(from anothermodule)which will passstraightthroughthe module.

-56-
Figure5.5 illustratesthesesetsof effectswith respectto a module.

latemal
Effects

Standard EffectsFrom
Module
cq 2!S(Ldffirogh

Figure 5.5 - Four setsof effects need to be considered for each module

If modulesare connectedtogether,then to identify hazardsdue to this relationshipwe


need to matchthe possibleeffects from one module with the vulnerabilitiesin another
module. For exampleeffects from one modulemay be less flow and high temperature.
The vulnerabilities of another module may be high flow and high temperature.
Connectingthese two would immediately lead us to the considerationof high
temperatureasbeinga problem.Figures5.6 and 5.7 show what effectswould needto
be consideredif two or threemodulesare connectedin series.

I Internal
Internal
Effects Effects

Effectsftom I Effectson2 Standard


Standard ::
Module I Effectsftom2 Module 2

Figure 5.6 - Effects needing consideration when two modules are connected.

- 5.7t -
I Internal I internal
Internal Effects
Effects Effecu

Effectsfrom Effect'In 2 Standard Effectstrom2 ri Effectson3- Standard


Standard 'I. - j -U
Effectsfrom2, Module 2 Vftcts cil 2 Effectsfrom3 Module 2
Module I ffectson I

Figure 5.7 - Effects needing consideration when three modules are connected in series.

This propagationof faults has beenusedas the basisfor attemptsto automatehazard


identification procedures(Parmar & Lees, 1987), and forms the core of current
attempts to automate HAZOP (Jefferson et al, 1995b). The originating causesare
defined as initial causesand the realisableconsequences are defined as end effects.
The possibleeffects and vulnerabilities are defined as variable deviations.An initial
causemay be connectedeither directly or via any numberof variabledeviationsto an
endeffect. Of course,
many initial causeswill not connectto any end effectsand vice
versa. Figure 5.8 illustrates possible paths that may exist between different initial

causes, variable deviations and end effect s. Obviously for hazard identification, the
'
paths of interestare complete pathsthat start at initial causes (causes) and.end at end
effects(consequences). Asterisks indicate incomplete paths.

Initial (a) -*
cause Endeffect(d)

Initial (a) ->


cause Endeffect(e)

Initial (a) ->


cause Variabledeviation Endeffect6)

*Initialcause(b) -+ Variabledeviation(g)

deviation(c)
*Variable -> Endeffect(h)

Figure 5.8 Possiblepaths between initial causes,variable deviations and end effects.

-rs -
For the variable deviations,we will use applicableprocess. However, in order to
reduce the number of matches and hence the number of effects that are propagated
betweenmodulesthese may be qualified where appropriateby the addition of the
stateof the material involved, i. e. liquid or vapour. If no qualification is given then
the effect appliesto all materialstates.Possiblehazardsare generatedwhen either an
initial causeis linked to a endeffect within a moduleor an initial causein one module
is linked via matchingvariabledeviationsto a endeffect in anothermodule.

5.3.2 Cause and Consequence Types in Conventional HAZOP

it has already been discussedhow simply providing HAZOP results of individual


modules that make up a plant, without dealingwith the connections,would probably
not save much time in identifying the hazards present in the plant. It would be

necessaryto explorethe whole plant againto determineany possibleeffectsthat there


may be due to the There
connectionof modules. is a therefore
requirement to develop

rules so that any problemsthere may be with connectioncan be identified simply and
effectively.

In order to illustrate how a causein one part of a plant can have a consequence in a
different part of a plant, a study was made of conventionalHAZOP results.Causes
and consequences are defmed as either being local or distant. Local causesor
consequences occur somewhere on the line being studied. Distant causes or
occur
consequences on a different line to that being studied. This results in four
scenario
possiblecombinationsof causeconsequence

(local - local). The causeand the consequence


Local cause- local consequence

are in the sameline.

Local cause- distant consequence(local - distant). A causeidentified in the


line underconsiderationgivesrise to a consequencein anotherline.

(distant- local). A consequence


Distant cause- local consequence identified in

-59-
the line underconsiderationis dueto a causein anotherline.

Distant cause- distantconsequence (distant - distant). A deviation in the line

underconsiderationis due to a causein anotherline and gives rise to a consequence


also in a different line.

Thesecan be divided into two categories.Local causeconsequencescenariosand


remotecauseconsequence Local
scenarios. causeconsequencescenariosconsistonly
of local cause - local consequencetype scenarios. Remote cause consequence
scenariosmake up the remainderwhere the causeand consequenceare in different
lines.

for one of the lines in


Table 5.1 illustrateslocal and distant causesand consequences
the HAZOP resultspresentedby Lawley (1974).This set of HAZOP resultsgenerates
8 remote cause consequencescenariosand 9 local cause consequencescenarios.
Investigationof numerousother setsof HAZOP results,from HAZOP studiescarried
out by ICI, revealsthat on averageone third of the causeconsequencescenarios
generatedare remote. However, no attemptwas made in this investigationto try and
establishwhether either of these scenariosgave rise to consequences which were
generallymore severe than consequences of the other scenario.This could form the
basis of future work. If the more severe consequenceswere due to local cause
consequencescenarios then a checklist approach may be acceptablefor hazard
identification. If not then some form of configuration checking is necessaryfor
adequate hazard identification.

-60-
Linefrom intermediatestorageto bufferisettlingtank
Guide Cause Local/dist Consequence Local/dis
vmrd antcause tant
consequ
ence
NoFlow 1 Nohydrocarbon
at Local Lossof feedto reaction Distant
intermediate
storage sectionandreduced
output.Polymerformedin
heatexchanger
underno
flowconditions
2 J1 Pumpfails(motorfault, Local Asfor I Distant
lossof drive,impeller
corrodedawayetc.)
3 Lineblockage,
isolation Local As for 1 Distant
valve
closedin erroror LCVfails Local J1 pumpoverheats. Local
shut
4 Linefracture Local Asfor 1 Distant
Local Hydrocarbon
discharged Local
intoareaadjacentto public
highway.
More 5 LCVfailsopenor LCV Local Settlingtankoverfills Local
Flow bypass
openin error. Local Incomplete
separation
of Distant
waterphasein tank,
leadingto problems
on
reactionsection.
More 6 valveclosedin
Isolation Local Transferlinesubjectedto Local
Pressure erroror LCVcloses,withJI fullpumpdeliveryor surge
pumprunning pressure

-
61 -
7 Thermalexpansion
in an Local Linefractureor flangeleak Local
isolatedvalvedsectiondue
to fireor strongsunlight
More 8 Highintermediate
storage Local Higherpressurein transfer Local
Temperat temperature lineandsettlingtank

ure
Less 9 Leakingflangeor valvestub Local Materiallossadjacentto Local
Flow notblankedandleaking publichighway
Less 10 Winterconditions Local Watersumpanddrainline Local
Temperat freezeup.

ure
High 11 Highwaterlevelin Local Watersumpfillsupmore Distant

water intermediate
storagetank quickly.Increased
chance
conc.in of waterphasepassingto
stream reactionsection.
High 12 Disturbance
ondistillation Distant Highersystempressure Local&

conc.of of
columnsupstream distant
lower intermediate
storage.
alkanes
or
alkenes
organic 13 Asfor 12 Distant rateof corrosion Local
Increased
acids of tankbase,sumpand
present drainline
Maintena 14 failure,flange
Equipment Local Linecannotbecompletely Local
nce leak,etc. drainedor purged.
I I --- I I II

Table 5.1 Example of HAZOP results (from Lawley, 1974), illustrating local and
distant causesand consequences.

-62-
5.4 Causeand ConsequenceTypes in Modular HAZOP

On the face of it the samedefinitions for causeconsequence


scenarioscould be used
for modularHAZOP. However,thereis an importantdifferencein the typesof causes
or consequences that would be considered local or distant for modular HAZOP and
the types of causesor consequences that would be consideredlocal or distant for
conventional HAZOP. This is becausethe conception of locality in relation to
modular HAZOP is at the level of modules and sub-modules in
and conventional
HAZOP it is at the level of lines. A line in a conventionalHAZOP would includethe
itemsof equipmentat eitherendof it. Thereforea fault in an item of equipmentat one
end of the line leading to a consequence in an item of equipmentat the other end of
the line would still be considereda local causeconsequence scenarioin conventional
HAZOP. Modular HAZOP would considerthe itemsof equipmentat either endof the
scenariowould be
line asdistinct modulesandthereforethe abovecause-consequence
either local-distant or distant-localdependingupon the viewpoint. In order to make
this distinction clear, causeconsequence scenariosare defted in a different manner
for modularHAZOP.

The types of causes defmed for modular HAZOP are initial causes, and
vulnerabilities.

The types of consequences defmed for modular HAZOP are end effects, directly

propagatedeffectsand indirectly propagatedeffects.

An initial causeis a fault within a module that gives rise to some effect, either a
propagated effect or an end effect. This terminology is used to explicitly define its
positionas the potentialstartof a fault path.

An end effect is a realisableconsequence.This terminology is used to explicitly


defmeits positionasthe potentialendof a fault path.

A directly propagated effect is a variable deviation, representing a type of

consequence,which will give rise to an effect in an adjoining sub-moduleof an

-63-
adjoining module to that being studied,equivalentto an effect in the other end of a
line in a conventionalHAZOP. It is either a consequenceof a vulnerability or a
of
consequence an initial cause.

An indirectly propagatedeffect is a variable deviation, representinga type of


consequence, which will give rise to an cffect in a non-adjoining This
sub-module.
will lead to an end effect equivalentto a distantconsequence in conventional HAZOP.
It may be a consequence of a vulnerability but in the majority of casesit will be a
of
consequence an initial cause.

A vulnerability is a variabledeviation,representinga type of cause,which has effects


on a sub-module. Le. The sub-module is vulnerable in some way to the variable
deviation specified.This vulnerability gives rise either to an end effect or to some
type of propagatedeffect.

The term propagatedeffect without an initial qualification is usedto indicatethat the


sourceof the is
effect unknown. It could either be local or remote.

The relationshipsgeneratedby combiningthe causeand consequence


types will have
the following representationsin modular HAZOP:

initial cause- end effect. The causeand consequence


lie entirely within one module.
For example, in a heat exchangerthis might be a shell side leak giving rise to
contamination
environmental (figure 5.9). This is a subsetof local-local
conventional
relationships.
cause-consequence

-64-
-- -----------
----------
Shellside Shellside Environmental
leak (IC) inlet contamination (Ec)
S-M

Tubeside FIX Tubeside


inlet c re outlet
S-M S-M S-M

EE=E,, J crreat
IC = Initial cause
Heat
exchanger I
module

Figure 5.9 An example of an initial cause-endeffect type of cause-consequence


relationship.

Initial cause- directly propagatedeffect. A causein one sub-modulegives rise to a


consequence in an adjacent sub-module of an adjoining module. The sub-modulesare
directly connectedand representeither end of a conventionalline. For examplethis
might be fouling of heat tubes
exchanger leadingto low flow out of tube side of heat

exchanger (figure 5.10). Given a vulnerability in the directly adjoining sub-module to


the propagated effect we can develop three different possible scenarios. If the

vulnerability has an end effect associated with it, then a conventional local cause
consequencerelationship is formed. If the vulnerability is associated with a directly
effect
propagated (which will only occur rarely), then this may give rise to additional
local-local cause-consequence scenarios.Finally, if the vulnerability leads to an
indirectly propagatedeffect this may give rise to local-distant cause-consequence
scenarios. Of course if there is no vulnerability to any of the propagatedeffects
involved then there is no end effect linked to the initial cause,there is no complete
fault path andno causeconsequence
relationshipexists.

-65-
r----------------- --------
Heat
exchanger
Shellside module I
inlet
S-M
D Fouling of
HX tubes(IC)
Tubeside HX Tubeside I
Inlet care (outlet I
S-M S-M S-M I
I I
Low
Mflow
(LPE)
-
Shellside I I
outlet I
IC Initial cause
S-M I
I LPE = Local
---------------- --------I propagated effect

Figure 5.10 - An example of an initial cause-directly propagated effect type of cause-


consequencerelationship.

Initial cause- indirectly propagatedeffect. Causein one sub-modulegives rise to


consequence in an unconnected sub-module. For examplefouling of heat exchanger
tubes gives rise to high/low temperature(dependingon heat exchangerduty) out of
shell side of heat exchanger (figure 5.11). This combination of cause and

consequence types will typically give rise to local-distant cause-consequence


if
scenarios a completefault path exists.

r ----------------------
Heat
exchanger
Shellside module
inlet
S-M
Fouling of
HX tubes(IC)
Tubeside HX Tubeside
inlet core outlet
S-M S-M S-M

Shellside Hig /low


outlet temperature IC = Initial cause
S-M (RPE)
RPE = Remote
propagated effect
L----------- --- - ----------

Figure 5.11 - An example of an initial cause-indirectly propagated effect type of cause-


consequencerelationship

-66-
Any
High S-M
pre sure I
(P Any
module I

r---------- --- ----------

High Shellside Shellside I


pressure
ur inlet rup t ure
(IVUL) S-M

Tubeside HX -Tutes- I
inlet core outlet I
S-M S-M S-M E:E= F-,,JI FFec. L
PE = Propagated
Shellside effect
outlet VUL = Vulnerability
S-M Heat
exchanger I
module
_I

Figure 5.12 - An example of a vulnerability-end effect type of causeconsequence


relationship

Vulnerability - end effect. Vulnerability in one sub-module gives rise to a


consequence in that sub-module.For examplehigh pressurein a sub-moduleupstream
of the shellside of a heat leads
exchanger to heat exchangerrupture (figure 5.12). This

combination of cause and consequencetypes may give rise to either local-local or


distant-local cause-consequencescenariosdepending on the type of cause in the
connecting sub-module. For example polymerisation of fluid in tubeside of heat

exchangerdue to low flow of cooling stream at sub-moduledownstream of shellside


of heat exchanger (figure 5.14). This is an example of a distant-local cause-
scenario.
consequence

-67-
r ---------- ----- ----------
Heat
exchanger
Shellside module I
inlet
S-M
*

Tubeside HX Tubeside I
inlet core outlet
S-M S-M S-M

Shellsid High/ owC


outlet temperature
eM el
High flow ( LpE )
LI
(VUL) s M

--------- -- --- - ----------

L
------ -- --- ---- ------ A-ny---I
PE Propagated
module I
High flow Any effect
(PE) S-M
m
LPE = Local
propagated effect
VUL = Vulnerability

Figure 5.13 - An example of a vulnerability-directly propagated effect type of cause


consequencerelationship.

Vulnerability - directly propagatedeffect. Vulnerability in one sub-modulegives rise


to a propagatedeffect which affects a directly adjoining sub-module.For example,
high flow in sub-moduledownstreamof shellsideof heat exchangerleadsto high/low
temperature(dependingon heat exchangerduty) in that downstreamsub-module
(figure 5.13). This combinationof causeand consequence types can give rise to any
type of cause-consequence scenario depending on the type of causeand the type of
in
consequence connectingsub-modules.

-68-
r---------- ------- --------

Heat
Shellside exchanger I
inlet module I
S-M

Tubeside HX Tubeside I
inlet core outlet i O
S-M S-M S-M
High/low
temperature
[S- hellside (RPE)
OL
outlet
I
High flow S-M
(VUL)
-- -- --- --- --------

Any PE Propagated
High flow module effect
(PE) Any
S-M
S RPE = Remote
-M I propagatedeffect
I VUL = Vulnerability

Figure 5.14 - An example of a vulnerability-end effect type of cause-consequence


relationship.

Vulnerability - indirectly propagatedeffect. Vulnerability in one sub-moduleleadsto


consequence in unconnected sub-module. For example, high flow in sub-module
downstreamof shellsideof heat exchangerleadsto high/low temperature(depending
on heat exchanger duty) in sub-modules downstream of tubeside of heat exchanger
(figure 5.15).This will form either local-distantor distant-distantscenarios.

-69-
r---------- ------- --------Heat
exchanger
Shellside module
inlet
S-M

Tubeside HX
inlet core
S-M S-M
olymer-
isation in
Shellside HX tubes CW I
outlet
Low flow S-M
(VUL)
k----
-- --- --- --------

Fc= Enj E FFec-L


----- --- -- -- --- --- ----- ---I
A-ny PE = Propagated
I module I effect
Low flow Any I
(ofcooling S-M VUL = Vulnerability
stream)
(PE)

Figure 5.15 - An example of a vulnerability-indirectly propagated effect type of cause-


consequencerelationship.

Figure 5.16 givesexamplesof possiblefault pathsthat canbe generated.The asterisks


indicate incompletepaths,i.e. where there is no link betweenan initial causeand a
endeffect.

-70-
Initial cause(a) end effect (b)

Initial cause(c) propagated effect (d) vulnerability (d)


end effect (e)

*Initial cause(i) propagated effect (g)

Initial cause(g) -4 propagated effect (h) vulnerability (h)

-> propagated effect (i) vulnerability (i)

-4 end effect (j)

*Vulnerability(k) -> end effect (1)

Figure 5.16 - Possiblepaths between causeand consequencetypes in modular


HAZOP

5.4.1 Cause - Consequence Types in Hybrid HAZOP

Hybrid HAZOP occurswhen a line that is being studiedusing conventionalHAZOP


joins a modulethat hasa setof preHAZOPedresultsassociatedwith it. The line being
studied should be defted so that the appropriatesub-moduleforms one end of the
line. The definitions used for types of causesand consequences in conventionaland

modular HAZOP apply in hybrid HAZOP as The


appropriate. sub-moduleend of the
line hastypesof causesdefmedas initial causesand vulnerabilities.For the other end
of the line two types of causeswill needto be local
considered, causes and distant

causes. Similarly for typesof at


consequences, the sub-moduleend they are defmed as
locally propagatedeffect, remotelypropagatedeffects and end effects. For the other
end of the line local and
consequences distant consequences
will need to be

considered.

that ariseentirely within the


As well as the combinationsof causesand consequences
conventional section or entirely within the module, combinationsexist where the
cause and consequence are in different sections. The following combinations of

-
71 -
exist where
causesand consequences the cause and consequence
are in different

sections.

Cause in conventional section - Consequence in module

Local cause- Locally propagated effect


Local cause- Remotely propagated effect
Local cause- End effect
Distant cause- Locally propagated effect
Distant cause- Remotely propagated effect
Distant cause- End effect

Cause in module - Consequence in conventional section

Initial cause- Local consequence


Initial cause- Distantconsequence
Vulnerability - Local consequence
Vulnerability - Distant consequence

5.5 Summary

This chapter has looked at the theory behind modular HAZOP and provides
definitions of terms used in modular HAZOP. This terminology will be used in the
following chaptersin which the modular HAZOP procedureis further explained.In
particular, this chapterprovidesan analysisof the size and form of modulesused in
the modular HAZOP procedureand how thesemodulesare broken down into sub-
It
modules. also shows how fault paths are built up betweeninitial causesand end
effects through propagatedeffects and vulnerabilities. These fault paths enablethe
determinationof effectsdueto the connectionof modulesandthe particularprocedure

adoptedis explainedin the next chapter.

-72-
BLANK IN ORIGINAL
6 Modular HAZOP Procedure

This chapter looks at the practicalities of applying modular HAZOP using the
theoreticalideasexploredin the previouschapter.This chapteris divided into three
parts. The first part gives an overview of how the theory from the previouschapter
be
can used as a general method for modular HAZOP. The secondpart details the
specific method developed.
It is anticipatedthat modular HAZOP be
can used a in
in
variety of situations a similar way to conventionalHAZOP. The third part outlines
someof theseapplications.

6.1 Outline of Modular HAZOP Procedure

As with all hazardidentificationprocedures,


the first requirementis to haveup-to-
dateinformationon the plant to be studied.

The first stepin the modularHAZOP procedureis to selectthe requiredmodulesand


thenthe appropriatesub-modulesthat makeup the plant underconsideration.The
modules and sub-modules selectedshouldbe documented andthe connections
betweenthemneedto be madeexplicit. Exceptfor the simplestplantsit is quite likely
that preHAZOPedresultswill not exist for somemodulesandparticularly for certain
sub-modules.For thesemodules and sub-modules it is necessaryto draw up the
requiredpreHAZOPed resultsandrecord them for future use.In the mostpreferred
the
cases, plant will havebeendesigned
on a modularbasis,whereindetailedpre-
designedandpreHAZOPedmodulesareput togetherto form the requiredplant, and
the modulesand sub-moduleswill alreadybe known.

In orderto lessenthe time takento performhazardidentification,it is necessarythat


the majority of sub-modulesshouldalreadyhavepreHAZOPedresultspreferably
takenfrom a modulelibrary. Sucha library shouldincludea descriptionof the
module,the sub-modulesmakingup the module,a representationof the sub-modules
and,of the
course, preHAZOPed resultsfor each It
sub-module. is not necessarythat
the plant sub-modulesbe identicalto library sub-modules.Variation in the indication,
alarmand manualvalving is
arrangements generallyacceptable.The main similarities

-74-
that mustbe satisfiedare,that for control valves,the samecontrol variableis being
used, for pumps, the sametype of pump is being used, for single or multiple pumps,
the appropriatesub-moduleis used,andfor any vesselssimilar vent arrangementsare
used. Requirements for matchingsub-modulesshould ideally be included in the
module library.

Required Available Specific Sub- HAZOP- Comments


generic sub- Modules PC Node
modules No.
Storage tank Storagetank vessel 5
vessel
Storage tank Storagetank feed with flow 10 Use as many as are
feed(s) control (No required to represent
Storagetank feed with level 1 different reactor
control feeds.
Storagetank feed without 13
control valve
Storagetank outlet with flow II
Storage tank control
outlet Storagetank outlet without 4
control valve
Storagetank vent to 2 For a simple vent to
Storage tank atmosphere atmosphere
vent system Nitrogen blanket supply, 6 For a nitrogen
continuous feed through RO. blanketed vent
Nitrogen blanket supply with 7 system use one
pressurecontrol blanket supply node
Vent to headerwithout 8 and one vent to
control valve header node from
Vent to headerwith pressure 9 these nodes.
control
Storage tank Storagetank overflow 3
overflow
Additional None.
generic sub-
modules
Table 6.1- Module library contents- atmosphericpressurestoragetank.

Table 6.1 givesan exampleof the sub-modulesavailablefor a storagevesselmodule


in a modulelibrary. For eachsub-modulethereexist line diagramsandpreHAZOPed

results.

-75-
The next stepis to usethe preHAZOPedresultsto generatethe HAZOP resultsfor the
plant. The HAZOP results are createdby identifying all possiblecauseconsequence
scenarioswhich exist either within modulesor through the connectionof modules.
Any causeswhich do not leadto consequences or consequences which haveno cause
are generally eliminated. This is done by tracing paths forward from all the initial

causesto see if they leadto terminalconsequences.

Many of the initial causeswill be linked explicitly to terminal consequences


within
the same module. These are obviously the simplest fault paths as there are no
propagated effects or vulnerabilities between the initial cause and terminal
consequence.

At a slightly more complex level are those initial causesand terminal consequences,
which occur, in directly adjacentsub-modules. These are however,relatively easyto
identify. It is only necessaryto matchlocally propagatedeffects due to initial causes
with vulnerabilities, which give rise to terminal in
consequences the directly adjacent
sub-module. These cause consequencescenarios are equivalent to causes and
consequencesat eitherend of a line in HAZOP.
conventional

The most complexcauseconsequence scenariosto identify are thosewherethe initial


causesand terminal consequences
exist in sub-modules which are not directly
adjacent. In order to identify cause consequencescenarios of this type, it is necessary
to match remotely propagated effects with vulnerabilities.

The suggestionis that any remainingconsequences, which are not linked to causes,
are reviewedto determine if the vulnerability leadingto that consequence could have

some cause. This is particularly appropriatewhere the consequences


could have

severeeffects. As an example consider a pump handling a flammable fluid. One


with
vulnerability associated the pump is that no flow at downstreamunits causesthe
to
pump cavitate, overheatand the pump seals fail leaking flammable fluid. Clearly
this could havedevastatingconsequences
and althoughno particularcauseof noflow
may have been identified in the particular plant being studied, it is neverthelessa

-76-
Hazardous
realistic occurrence. scenariossuch as this should be recordedas part of
the modularHAZOP results.

Any conventionalHAZOP resultsproformacan be usedto record cause-consequence


scenarios from the preHAZOPed results. The guide word, process parameter,
deviation, causeand consequenceare recordedalong with the safeguardsand any
actionsor recommendations. The safeguards
are taken from the preHAZOPedresults.
Theseare consideredin the normal HAZOP mannerto determinewhat action may be
necessary. Recommendations are entered in the appropriate column.
Recommendationsmay either be taken from the preHAZOPedresults or enteredby
the user.Table 6.2 illustratesheadingsthat may be found on a conventionalHAZOP
proforma.

Guide Para- Devia- Causes Consequences Existing Actions and

Word tion Protectionsand Recommend-


meter
Safeguards ations

More Flow I I-Egh I. I 11igh 1.1.1Inadequate 1.1.1.1Relief 1.1.1.1Ensure


flow supply venting.Vessel valve is
vent sized
pressure overpressure
rupture. adequately.
1.1.2Staticbuild up. 1.1.2.1Dip
tubes

1.2 Level 1.2.1 Tank overflows 1.2.1.1 Mgh 1.2.1.1 Tank to

control level alann be bunded, if

valve fitils necessary.

open 1.2.1.2

Overflow

Table 6.2- ConventionalHAZOP profonna.

As stated above, the first step in the modular HAZOP procedureis to select the
requiredmodulesand then the appropriatesub-modulesthat makeup the plant under
The
consideration. modules and sub-modules selectedshould be documented and the
between
connections them needto be madeexplicit.

-77-
As part of a modular design procedurethe selectionof modules and sub-modules
would be relatively simple, as the designwould be basedon appropriatemodulesand
Any
sub-modules. descriptionof the plant would referencethe selectedmodulesand
and
sub-modules would include information on the between
connections them.

Given that modulardesignproceduresdo not yet exist for chemicalplant the selection
of modules and sub-modules would have to be made based upon traditionally
available design documents.
For conventionalHAZOP a detailed ELD is required,
however,for modularHAZOP, the samelevel of detail is not required,indeedit may
not be This
desirable. is becausea large amountof detail can be encompassed within
the sub-modules.All that is required is enoughinformation to be able to selectthe
correct sub-modules. A processflow diagrammay be a little short of information for
this selectionof sub-modules.PFDs will generallyonly have enoughinformation to
define the modulesinvolved. This is not to say that a modular HAZOP cannot be
performedwith just a PFD. If information is availableon which sub-modulesshould
be usedin particularsituations,basedon connectingmodulesand chemicalsinvolved,
then it should be possibleto selectthe required sub-modules.This approachwould
only be recommended as part of a unified modular design and modular HAZOP
approach. This thesis is not concerned with modular design though the use of sub-
modulescan be seento be a usefultechniquein a modulardesignprocedure.

one possibleapproachmay be to adopt a semi-modulardesignphilosophy.Modules


are determinedaccordingto the PFD and sub-modulesare roughly outlined basedon
the processrequirementsand normal companypractice.Details are then filled in by
referenceto the appropriate in
sub-modules the sub-modulelibrary.

The intention is that specificationof sub-moduleseither as part of a modularHAZOP


library of modulesor a modular design library of modules will include a detailed
MID, a checklist of necessarydesign considerationsand the preHAZOPedresults.
The preHAZOPedresults should be a complete and accurateHAZOP of the sub-
module within the context of the relevant module including the vulnerabilities and
propagatedeffectsthat needto be taken into consideration.

-78-
Given that modular HAZOP does not require as much ELD detail as conventional
HAZOP, then it can be applied at an earlier stage of design. This has numerous
benefits. In particular it is easierto include any modifications suggestedand the
overall design time required can be reduced with significant savings. Because
conventional HAZOP can only start once a completeELD has been produced,design

and HAZOP cannot be carried out in parallel, and, in order to have the plant
operationalas soonas possible,ordering and construction often start while HAZOP is

still on-going.

The next stepin the modularHAZOP procedureis the useof preHAZOPedresultsto


generatethe HAZOP results for the plant. In the outline of the modular HAZOP
procedureabove,it is statedthat the identification of cause consequencescenariosis
done by starting with initial causesand following deviations through to terminal
consequences. In fact, the identification of causeconsequence
scenarios
can be done
in two ways, either by startingwith all the initial causesand tracing pathsforward to
see if they lead to terminal consequencesor starting with all the terminal
consequences and tracing backwardsto see if there are any initial However,
causes.
the way that causeandconsequence typeshavebeendefmedandthe effect this hason
the generationof preHAZOPedresults,meansthat it is only sensibleto trace forward
starting from initial causes.To trace backwards would have required direct and
indirect vulnerabilitiesto havebeendefined with just one type of propagatedeffect,
rather than one type of vulnerability and two types of propagatedeffect. This change
of definition would also affect the preHAZOPed results. Providing the correct
definitions are usedthen there are no advantagesor disadvantagesin the amount of
work required whether paths are traced forwards or backwards.However, I would
suggestthat it is more intuitive to trace paths forward from initial causesand this is
the methodthat hasbeenadoptedandexpoundedhere.

6.2 PreHAZOPed Modules

In order to provide some flexibility within the preHAZOPed module results, the
conceptof sub-modules has been introduced. The aim is to optimisethe effectiveness
andefficiency of the moduleswhile minimising the numberrequired.

-79-
In developingpreHAZOPedmoduleresults,work was carried out at two levels. The
level of detail requireddiffers dependingon what is trying to be achieved.At a low
level of detail, generic preHAZOPedmodule results were developedto provide a
general framework on which more detailed modules can be built. However, they are
still useful for the
assessing potential of modular HAZOP, in particular how well the
faults and deviationsare propagatedthrough the plant. At this level of detail, it is
mainly just the susceptibilitiesand propagatedeffectsthat are required,and it is only
necessary to defme the module by its function and its inlets and outlets. At a high
level of detail fully preHAZOPedmoduleresultswere developed.This requiresthat
modulesare fully defmed in order that accurateand complete resultscan be drawn up.

The genericpreHAZOPedmoduleshave beendevelopedwith one primary aim. The


aim is to illustrate how the different module interactionsbehavewhen modulesare
To
connected. this end effort was concentratedon using guide words which are most
likely to give rise to interactions.This has meantconcentratingon the NoALess/More
guide words. However, for those guide words, which have been considered,the

corresponding consequences
causes, and safeguardsshouldbe complete.Obviously in

order to complete the generic preHAZOPed modules and convert them to fully

preHAZOPed modules, other guide words such as start-up, shut-down and


need
maintenance to be considered.

The fully preHAZOPedresultsare intendedto combinethe detail of a checklist for


each module with the interfaceinformation using the standardHAZOP guide words.
The checklist approachenablespast experienceand expertknowledgeto be included.
This means that less experienced engineers can perform competent hazard
identification. In thesecasesit is proposedthat a substantiallycompletemodulesare
developed.Specificationof thesemoduleswill includea detailedMID, a checklistof
design
necessary considerations, a completeand accurateHAZOP of the moduleitself
the
and vulnerabilitiesand effects
propagated that needto be taken into consideration.

-80-
6.3 Computer support

Any modification to the HAZOP procedureshouldbe easyto use. In order to make


the systemas easyto use as possible,HAZOP-PC (PrimaTech,1994) was used for
developmentand recording of the preHAZOPed module results. HAZOP-PC was
chosenprimarily it
because was availablein the Departmentof ChemicalEngineering
at Loughborough University, having been provided at a substantialdiscount by
PrimaTech. In the event, the ability with HAZOP-PC to categorisecausesand
consequences, and to subsequently generate a HAZOP report filtered on these
categories,proved to be of significant value.It would thereforebe recommendedthat
any computerisedHAZOP recording tool used for modular HAZOP should have a
similar functionality.

HAZOP-PC is a computertool for conventionalHAZOP. Essentially it is used to


record the deliberationsof HAZOP teamsin conventionalHAZOP and it providesan
efficient alternative to more conventional documentation means. In particular it
provides for the generationof various formatted reports from the inputted data. In
addition to being a recording tool HAZOP-PC will also provide prompts for guide
words and parameters.It can also provide information on causesand consequences
that shouldbe considered.Thereare a large numberof columnsthat can be usednot
only for recording HAZOP meetings but also for recording the progressof actions
to
subsequent any meeting.HAZOP-PCcanalso generatevarioustypesof report.

Using someof the featuresof HAZOP-PC it has beenpossibleto makethe modular


HAZOP methodfairly user friendly. In particularHAZOP-PCcan be usedto filter the
output of the preHAZOPed modulesin various ways so that only particular sets of
causes and are
consequences generated.This has advantages it
when comes to
matching propagatedeffects with vulnerabilities in order to try to identify links
between initial causes and terminal consequences.Other advantagesare the
availability of extensive areas of help in HAZOP-PC and the ability to generate
reportseasily.

HAZOP-PC has been used to store the preHAZOPed module results. The

-
81
-
preHAZOPed resultsare intendedto combine the detail of a checklist for eachmodule
with the interfaceinformation using the standard HAZOP guide words. The checklist
approachenablespast experience and expert knowledgeto be included.This means
that lessexperiencedengineerscanperform competenthazardidentification.

HAZOP-PC has a large numberof columnsthat can be used for recordingHAZOP


information.For preHAZOPedresultsthe following columnsareused.

Guideword
Parameter
Deviation
Cause
Causecategory
Consequence
Consequence
category
Safeguards
Safeguardscategory
Recommendations

These HAZOP-PC columns are used in the following manner.

The guide word column is usedfor the guide words, as in conventionalHAZOP, no,
more, less,reverse,otherthan,etc.

The parametercolumn is used in the same way as it would be for conventional


HAZOP, for the parameters,flow, pressure,temperature,composition,etc.

The deviation column is derived by developingthe guide word with the parameter,
in
againas conventional HAZOP.

The causescolumn is used in a different way to normal and containstwo types of


informationwhich haveparticular meaningin modular HAZOP. Firstly there are the
initial causes.Theseare in lower caseletters and representpossiblefaults that may

-82-
occur within the module. Secondly there are vulnerabilities. These are in capital
lettersandrepresentdeviationswhich havesomeeffect on the module.

The next column is the causecategorycolumn.This column is importantas it is used


as a basis for filtering the HAZOP-PC output to facilitate the modular HAZOP
procedure. The two categories
are IC and VUL. IC representstypes of causewhich
are initial causesandVUL representstypesof causeswhich are vulnerabilities.

The consequences Firstly there are the


column containsthreetypes of consequences.
terminal consequences.Again these are in lower case letters and represent
consequencesthat manifestthemselveswithin the module. Then there are local and
remotepropagated effects.Theseare in capital lettersand representdeviations,which
are transferredbeyond the moduleboundary.

The consequencecategorycolumn is used in a similar way to the causecategory


column.The categories
are TC, LPE and RPE. Theserepresentterminal consequence,
local propagatedeffect andremotepropagatedeffect typesof consequences.

The safeguardscolumn is intendedto give some idea of possiblesafeguards,which


may alreadyexist, or which mayberequiredeitherto protectagainstthe consequences
or to removea particularcause.

The safeguardscategorycolumn is intendedto show whetherthe safeguardreduces


the likelihood of a particular cause or whether it reduces the severity of a
consequence.

Finally the recommendationscolumn details design and operating procedure


considerationswhich should be taken into account in order to reduce hazardsand
operabilityproblems.

Using HAZOP-PC it is possibleto generatefrom the preHAZOPedresults a sub-set


of these is
results which made up of only those types of causeswhich are initial
causes.The remainingsub-setof the preHAZOPedresults containsonly those types

-83-
of causesthat It
are vulnerabilities. is then necessaryto matchpropagatedeffectsand
vulnerabilitiesto determineif fault pathsexist.

The practical use of HAZOP-PC to carry out the modular HAZOP procedure is
discussedmore in the following chapter.

6.4 Applications of Modular HAZOP Procedure

A procedurehasbeendevelopedfor identifying hazardsin processplant using results


of hazard studies carried out on the modules that make up the plant. These
preHAZOPed results can be developedfrom results for generic modules,modified
from existing specific modulesor existing module results can be reused.Which of
theseis usedmay dependon the situationin which modularHAZOP is being applied.
Four anticipatedapplicationsfor modularHAZOP, which illustrate how the different
developmentsof preHAZOPedmodulesareused,are:

1. Application of existingpreHAZOPedmoduleresultsto new plants.


2. Replacementof one modulewith a different modulein an existingplant.
3. Modification of a modulewithin the contextof an existingplant.
4. Addition of a moduleto an existingplant.

For example a plant may contain a number of similar heat exchangersHX101-


HX106. PreHAZOPedresultswill be similar for eachof theseheat exchangersand
can be developedfrom the master heat exchangerpreHAZOPedresults document.
When preHAZOPedresults have beendevelopedfor all modulesthat make up the
plant, the modular HAZOP procedure will then be applied. This will take in to
account the different surroundingsof eachof the modules.If a new plant is developed
with similar heat exchangers then the preHAZOPed results can be reused.On the
other hand if one of the heat exchangers is to be replaced,say with IM01, then
preHAZOPed resultsfor this modulecan be comparedwith the original preHAZOPed
results. The full modular HAZOP procedure can then be applied to the differences
found betweenthe two setsof preHAZOPedresults.Similarly, if a plant is modified
by the addition of a new module, the modular HAZOP procedurecan be used to

-84-
determinethe possibleeffectsof the new moduleon the rest of the plant. Finally, if a

module is modified, the existing preHAZOPed results can be modified and the
modularHAZOP procedure applied to the differencesagain.

-85-
BLANK IN ORIGINAL
Case study

7.1 Introduction

This chapter illustrates how the modular HAZOP procedure is used to carry out
hazardidentificationfor chemicalprocessplant.

7.2 Procedure

For this exercise,the preHAZOPedresultswere generatedby myself, with someinput


from more experiencedpersonnelat ICI Technologyand LoughboroughUniversity,
using PrimaTech'sHAZOP-PC v3.02.

PrimaTech's HAZOP-PC v3.02 is essentiallya prompting and recording tool for


conventional HAZOP study meetings. However, it is particularly useful in this
application because it is possible,when generatingreports,to use user defined filters.
In particular, it is possibleto categorisecausesand consequences and then generatea
report filtered on these categories.In generatingpreHAZOPed results, the causes
were categorised as either "VUL", for vulnerabilities, or "IC", for initial causes.
Consequences were categorisedas either "EE" for end effects, "DPE" for directly
propagated effects, or "IPE" for indirectly propagated effects. Each of these
categories corresponds to the previouslydefined associations.For
cause-consequence
efficiently carrying out modular HAZOP, two reportswere generatedto makeup the
preHAZOPed results for a The
sub-module. first report, the initial causesreport, was
filtered on "IC" and the second,the vulnerabilities report, on "VUL". The reports
generatedcomprise all the columns associatedwith conventional HAZOP study
meetingswith the addition of the causeand consequencecategorycolumnsso that the
type of cause-consequence association could be easily ascertained. Table 7.1
illustratesa typical initial causesreport, the filtering have beencarried out to include

only those sectionsof the report where a causehaving a causecategorisedas "IC"


exists. The vulnerabilities report has the remaining sections of the preHAZOPed
resultswherea causehaving a causecategorisedas"VUL" exists,seetable 7.2.

-87-
Cooling ter top up - single supply, single pump and float valve.
DEVIATI CAUSES CAT 1 CONSEQUENCES CAT SAFEGUARDS
ON
1. No I. I. Wine IC 1.1.1. Level in EE
Flow filter blocked. cold well cannot
Float valve fails be maintained.
shut. Cooling water
Pump failure. supply may be
restricted.
2. More 2.1. Float valve IC 2.1.1. Cold well EE 2.1.1.1. Suitable
Flow fails open. overflows. overflow to drain.
Contamination due
to dosing
chemicals.
2. Lower 2.1. Low ambient IC 2.1.1. Prolonged
Temperatu temperatureleads cold weather may
re to freezing, reduce
particularly as availability of
there may be no cooling water.
flow for long
periods of time.

Table 7.1 - Example of initial causesfiltered results.

Cooling ter top up - single supply, single pump and float valve.
DEVIA- CAUSES CAT I CONSEQUENCES CAT I SAFE- RECOMMENDATIONS
TION GUARDS
1. No 1.2.NO VUL 1.2.1.Level in cold well EE 1.2.1.1.If the supplyis
Flow FLOW FROM cannotbe maintained. unreliableconsiderthe
UPSTREAM Cooling watersupply needfor a backupsupply.
SUPPLY maybe r cted. Seeappropriatenode.
_ _
Table 7.2 - Example of vulnerability filtered results.

To make the modular HAZOP procedure as easy as possible, all sub-module


vulnerabilities are included in the vulnerabilities report againsttheir corresponding
deviation.For example,a sub-module'svulnerability to low pressurewill be included
in the causes column of the preHAZOPed results alongside the deviation less

pressure,even though it, may have a low flow related Such


consequence. a cause-
consequencerelationship might, in a conventional HAZOP study meeting, be
identified underthe deviationlessflow. This is part of the redundancyassociatedwith

conventional HAZOP guide words which is not needed with modular HAZOP.
instead,in order to achievean efficient and effective alternative,lessflexibility in the
is
procedure required.

To generatethe completedmodularHAZOP report, it is necessaryto find and detail

-88-
all the possibleinitial causeto end effect paths in the plant. This is done by finding

where propagatedeffects in one sub-module have corresponding vulnerabilities in

another sub-module, and replacing the propagated effect by the consequences


with
associated the vulnerability. In this way, the steps in the paths betweeninitial

causesand end effects, where they exist, are eliminated until the report consists
substantiallyonly of initial causesandendeffect pairs.

To this end, it is first necessaryto collate all the preHAZOPedresultsrelating to the


plant being examined basedon the modules and sub-modulesidentified. The above
procedurecan then be carriedout relatively simply by going through the initial causes
report and for each propagated effect, recognisedby either "DPE" or "IPE" in the
consequences category column, determining whether a correspondingvulnerability
exists in the by
appropriatesub-module, referring to the vulnerabilitiesreport of the
preHAZOPed results of that sub-module,
and replacing the propagated effect by all
the consequences
associatedwith the vulnerability, including any propagatedeffects.
When including indirectly propagated effects it will be useful to add a label
specifying which sub-modulethey were originally associated
with. This will help in
identifying the appropriatesub-moduleto refer to when determiningwhether or not
thereis a correspondingvulnerability.

The easiestway of achieving this is to edit the initial causesreport using a word
the
processor, HAZOP-PC generated reportshaving been suitablyconverted.

Any propagatedeffects which do not have a correspondingvulnerability can be


deleted,except for propagatedeffects which have effects beyondthe boundariesof
the plant being These
scrutinised. be
should left in the final report until their effects
can be determined either by conventional HAZOP, by linking up with a modular
HAZOP report for a different plant, or by someother means.

Similarly, vulnerabilitieswhich exist at the plant boundariesshouldbe transferredinto


the final modular HAZOP report so that effects on the plant from causesoriginating
beyondthe plant boundarycan be determined.

-89-
Suchvulnerabilitiesandeffectsshouldbe highlightedfor future action.

Oncethe modularHAZOP report hasbeenreducedto initial cause-endeffect pairs, it


is necessaryto review the report to removeany of thesepairs that are irrelevantto the
plant being studied. This procedure can be aided by incorporating into the
preHAZOPed results appropriateremarks.For example,certain end effects may be

applicableonly if a flammable material is being used. This fact can be included in a


remarkscolumn and the modular HAZOP report can be reviewedon the basisof the
in
comments this column.

The preHAZOPedresultsmay also be providedwith a list of safeguardsthat can be


to
used warn of impendingproblems or mitigate consequences. Thesemay be used in

one of two ways. Either preexistingplant safeguards


only may be left in this column
in which caseoncethe modularHAZOP report is analysedthe efficacy or otherwise
of thesepreexistingmeasurescan be determined,
or all the safeguardmay be included
in the final modular HAZOP report in which case the need or otherwise of the
can
specifiedsafeguards be determinedwhenthe modularHAZOP report is analysed.

7.3 Results

For the purposeof this exercisea simple plant was devisedon a modularbasisusing
modulesand sub-modules from the module library.

The plant is a wasteacid treatmentplant. Wasteacid from the wasteacid storagetank


is reactedwith alkali supplied via a pipeline in a reactor provided with a cooling
recycle arrangement. The neutralisedproduct of this reaction is stored before being

transferred to tankers for disposal.A cooling water system is provided to provide


for
coolant the reactorrecycle.

This is an imaginaryplant and was usedas an exampleas part of a presentationand


workshop that I gave to ICI personnel.The modules that make up the plant are
considered to be relatively commonmodules with a large degreeof similarity and it is
for this reasonthat I put thesemodulestogetherto form the plant. Furthermore,during

-90-
the developmentof preHAZOPedresults, I had concentratedon developing such
commonmodulesand there was thereforelittle further work required in developing
thesemodulesfor the presentation.Thesecommon modulesare onesthat offer the
greatestpotentialtime savingsasthe preHAZOPedresultscan be frequentlyreused.

Figure 7.1 illustratesthe plant configuration.

Tables7.3 to 7.6 give the modulesandsub-moduleschosento representthe plant.

The resultsof the modularHAZOP procedureare given in table 7.7.

Module Name: Waste acid storage


Module Type: Atmospheric liquid storage tank

Generic Sub- Speciflcsub-modulesselected Connectivity


modulesrequired
(Referto module Name Node Module sub-module
library) no.
Storagetank inlet Storagetank inlet w/o control II
valve
Storagetank outlet Storagetank outlet,parallel 4 Neutralisation Reactorfeed
pumpW/o reactor
controlvalve
Storagetank Storagetank vessel 5
vessel
Storagetank vent Storagetank vent to 2
system atmosphere
Storagetank Storagetank overflow to seal 3
overflo pot I
Table 7.3 - Sub-modules for waste acid storage module.

-91-
Module Name: Neutralisation reactor
Module Type: Exothermic liquid phasereactor

Generic Sub- Specificsub-modulesselected Connectivity


modulesrequired
(Referto module Name Node Module sub-module
library) no.
Reactorfeed(1) Reactorfeedwith flow control I Wasteacid Storagetank
storage outlet
Reactorfeed(2) Reactorfeedwith 12
concentrationcontrol
Reactoroutlet Reactorliquid outlet with level II Treatedwaste Storagetank
control storagetank inlet
Reactorvent Reactorvent to atmosphere 14
system

Reactorcooling Reactorcoolingvia recycle 6


system
Cooling streamin Cooling water CWS Main
supply
Cooling streamout Cooling water CWS Return
supply 11
-
Table 7.4 Sub-modules for neutralisation reactor module.

-92-
Module Name: Treatedwastestorage
Module Type: Atmosphericliquid storagetank

Generic Sub- Specific sub-modules Connectivity


modulesrequired
(Referto module Name Node Module sub-module
library) no.
Storagetank inlet Storagetank inlet w/o control II Ncutralisation Reactor
valve I reactor outlet
Storagetank outlet Storagetank outlet,parallel 4 Treatedwaste Tanker
pumpw/o control valve loading
Storagetank Storagetank vessel 5
vessel
Storagetank vent Storagetank vent to 2
system atmosphere I
Storagetank Storagetank overflow to seal 3 I
overflow pot I II
Table 7.5 - Sub-modules for treated waste storage module.

Module Name: Cooling water supply


Module Type: Cooling water system

Generic Sub- Specificsub-modulesselected Connectivity


modulesrequired
(Referto module Name Node Module sub-module
library) no.
Cooling watertop Watertop up from reservoir I
up
Cooling water Coolingwater return 2 Neutralisation Cooling
return reactor streamout
Cooling water Cooling watermain with 5 Neutralisation Cooling
main multiple pumps reactor streamin
Dosing Dosing 4,6
&
Purge 9

Table 7.6- Sub-modulesfor coolingwater supply module.

-93-
J

)
.1

3
)
4

Q (D
0=
Q) u

0-

CL ,
11
0

Figure 7.1 - Modular HAZOP example - U-


t-0

waste acid plant configuration.

- 94-
Waste Acid Neutralisation Plant

Node: lCooling Watertop up - singlesupply,singlepumpandfloat valve.


Parameter:Flow
Intention:
DEVIA CAUSES CONSEQUENCES SAFEGUAR RECONMENDATI
TION DS ONS
No Inline filter blocked. Level in cold well cannotbe
Flow Float valve fails maintained.
shut. Cooling water supply may be
1Pump failure. restricted.
NO FLOW FROM Level in cold well cannotbe If the supplyis
UPSTREAM maintained. unreliableconsiderthe
SUPPLY Coolingwater supplymaybe needfor a backup
restricted. supply.See
appropriatenode.
More Float valve fails Cold well overflows. Suitable
Flow open. Contaminationof environment overflow to
by dosing chemicals. drain.
Node: I Cooling Watertop up - singlesupply,singlepumpand float valve.
Parameter:Temperature
Intention:
Lower Low ambient Prolongedcold weathermay
Temper temperatureleadsto reduceavailability of
ature freezing, particularly coolingwater.
astheremay be no
flow for long periods
of time.
Node: 2Coolingwaterreturnto tower.
Parameter:Flow
intention: Maintain circulationof cooling water.
Less Purgeto drain valve Cooling watertower Regualr
Flow left openor fails performance falls off. Cooling inspection.
open. water supply may be restricted
during periodsof high demand.
Node: 3CoolingWaterDosing- ChromateDosingOutlet. Feedcontrolledby automaticdosingcontrol.
Parameter:Flow
Intention:
1 -7 -
Node: 4Cooling wat r supplymain -2 or morepumps.
Parameter:Flow
Intention:
Less Pumpfailure. Reactionin reactordoesnot Appropriate Only likely to be a
Flow procedasrequired.Poor alarmson problemduring
conversionsidereactions,etc. pumps. periodsof high
demand.
Low flow
alarmon
supplymain.

Table 7. 7 Waste acid treatmeat plant modular HAZOP resuhs.

-95-
DEVIA I CAUSES I CONSEQUENCES --TA SAFEGUARD I RECOMMENDATIO
TION S NS

High
temperature
alarm
Possiblerunawayreaction. High
Possibleexplosion temperature
alarm.
Low flow
alarm
Inadequateventingof storage Storagetank
tank. Vesseloverpressure relief valve.
rupture.
Staticbuild up in storagetank. Dip tubesfor Flammablefluids
filling storage only. If filling is not
tank. donevia dip tubes
checkdesign
assumptions.
Reverse Pumpnot running Reverseflow throughpump Separatenon-
Flow backinto cooling waterpond. returnvalves
on all pump
discharges.
Node:4Cooling watersupplymain-2 or morepumps.
Parameter:Maintenance
Intention:
Mainte High cooling water Unableto meetdemanddueto Plannedmaintenance
nance demand e.g. due to pump down for maintenance. shouldbe scheduled
hot weather. Unableto carry out maintenance for
dueto high periodsof low cooling
I cooling waterdemand. water demand.
Node: 5CoolingWaterPurgeto drain - manuallyadjusted.
Parameter:Flow
intention:
More Chemical Wastageof cooling waterand Orifice plate
Flow concentration dosingchemicals. to
monitoring fails minimise
requiringpurge maximum
valve to be opened possibleflow
morethan necessary. rate.
Purgevalve
Inadvertantlyleft
further openthan
Ire uired.
Less Purgevalve Increasedscaling,general
Flow insufficiently solidsdeposition, andfouling
open. problems.
Node: 6CoolingWaterAcid dosing- automaticallycontrolled.
Parameter:Flow
Intention:
Less Automaticdosing pH shouldbe maintained Routineand
Flow control fails, between pH7-8 to maintainnon- regular
deliveringlessacid scaling,non-corrosive testing.
thanrequired. conditionsin the system.
I I
Table 7.7 (cont.) Waste acid treatment Dlant modular HAZO P results.

-96-
I DEVIA I CAUSES I CONSEQUENCES SXFEGUARD RECOMMENDATIO
TION
I-
7
S NS 1
Low level
alarm.
Acid supply
exhausted.
More Automatic dosing pH should be maintained Routine and
Flow control fails, between pH7-8 to maintain non- regular
delivering more acid scaling, non-corrosive testing.
than required. conditions in the system.
Node: 7 Waste acid Storagetank vent to atmosphere
Parameter:Flow
Intention:
No/Les Vent line blocked or Tank overpressurerupture on Relief valve Minimise
s partially blocked filling. opportunities for vent
Flow blockage
Ensure flame arrestor
is maintained
correctly.
Tank vacuum Vacuum Minimise
collapse on relief opportunities for vent
discharge valve. blockage.
Ensure flame arrestor
is maintained correctly
Node: 7Waste acid Storagetank vent to atmosphere
Parameter:Temperature
Intention: Maintain temperature tank

_Kode: 7Waste acid Storagetank vent to atmosphere


Parameter:Pressure
intention: Maintain atmospheric pressurein tank
II
ITo-de:Waste acid Storagetank overflow
Parameter:Flow
intention: Allow tank to overfl safel
NoALJ Overflow blockedor No/partialtank overflow Level control Ensureopportunities
s partially blocked available. for overflow blocking
Fvlow Possibletank ruptureon are minimised.
overfilling Level
indicator
High level
alarm
Node: Waste acid Storagetank overflow
Parameter:Temperature
Intention:

Node: Waste acid Storagetank overflow


Parameter:Pressure
Intention:

Node: Waste Acid Storagetank outlet


Parameter:Flow

Table 7.7 (cont.) Wasteacid treatmentplant modularHAZOP results.

-97-
DEVIA I CAUSES CONSEQUENCES isSAFEGUARD I RECOMMENDATIO
TION NS

Intention:Allow continuousflow of materialto process


No Outlet line blocked No reaction in reactor. Low flow
Flow between tank and alarm
pump.
Pump fails. Composition
control
Flow control valve No reaction in reactor. Low flow
fails shut. alarm
Outlet line blocked Composition
downstream of control
pump. Full head pump pressure Kick back onsider designing
developed. High pressure line. equipment to
rupture risk to outlet line. Low flow withstand maximum
Pump overheats, seals damaged, alarm. pump delivery
possible leak. pressure.
More Control valve fails Incomplete conversion of Composition
Flow open reactants. control
Spare pump running Incomplete conversion of Flow control. Ensure operating and
in error reactants. Maintenance
Composition instructions preclude
control. running parallel
pumps
Incorrectly.
Outlet line ruptured Tank contents lost to Emergency Ensure tank is
environment isolation valve adequately bunded.
Locate isolation valve
as near as possible to
tank.
Consider need ior
remote operation of
Isolation valve.
Pump seals fail. Environmental contamination Emergency Use canned or seat-
isolation less pump if
valve. appropriate.
Pump to be adequately
bunded.
Consider need for
remote operation of
Isolation valve.
Less Outlet line partially Reaction in reactor does not Flow control
Flow blocked. proceed as required. Poor
Pump running conversion rate.
incorrectly. Low flow
alarm
Composition
I control
Control Reaction in reactor does not Low flow
valve fails proceed as required. Poor alarm.
insufficiently conversion rate.
open.

Table7.7 (cont.) Wasteacid treatmentplant modularHAZOP results.

-98-
I DEVIA I CAUSES CONSEQUENCES ----rSA-FEGUARD I RECOMMENDATIO
TION S NS

Composition
control
As Contaminationof Unwantedreaction. Considertestingtank
Well tank contents contentson a routine
As basis.
Flow
Node: 9WasteAcid Storagetank outlet
Parameter:Temperature
Intention
:
Node:9WasteAcid Storagetank outlet
Parameter:Pressure
Intention:
Lower Storagetank inlet Low tank level leadingto low Low flow
Pressur line blocked. pressure,low flow andpoor alarm
e Level in
control valve conversion reactor.
fails shut Low level
alarm
Level
indicator
Composition
control
Node: IOWasteAcid Storagetank feed inlet without control valve.
Parameter:Flow
Intention:
No Feedline blocked. Possibleinability to continue
Flow processat normalproduction
rates
Low tank level leadingto Low level
outlet pumpcavitation. alarm
Level
indicator
NO FLOW AT UPSTREAM
UNITS
NO FLOW FROM Possibleinability to continue
UPSTREAMUNIT processat normalproduction
rates.
Low tank level leadingto outlet Low level
pumpcavitation. alarm
Level
indicator
-More HIGH FLOW Inadequateventing.Vessel Relief valve.
Flow FROM UPSTREAM overpressure rupture.
UNIT
Staticbuild up. Dip tubesfor Flammablefluijs-
filling. only. If filling is not
donevia dip tubes
checkdesign
assumptions.

Table7.7 (cont.) Wasteacid treatmentplant modularHAZOP results.

-99-
[D-EVIA I CAUSES -FEQUENCES isSAFEGUARD I RECOMMENDATIO
TION NS

Less Feedline partially LOW FLOW FROM Level


Flow blocked. UPSTREAMUNIT indicator.

As WRONG Material incompatability Ensureappropriate


Well MATERIAL AT measuresexistto
As SOURCE checkincoming
Flow material.
CONTAMINATION Material incompatibility
OF MATERIAL AT
SOURCE
Reverse REVERSEFLOW Liquid siphonedout of Siphonbreak
Flow ATSOURCE tank. on dip tubes. I
Non-return
I valve
Node: 1OWasteAcid Storagetank feedinlet without control valve.
Ta-rameter:Temperature
Intention:
Higher HIGH Rapidevaporationof Temperature For systemwith vent
Temper TEMPERATURE tank contents. indicator headersystem,can
ature FROM UPSTREAM systemcopewith
UNIT increasein venting
dueto hot weather
actingon several
tanks?
High
temperature
alarm
Increasedvapour Temperature Only a problemfor
concentration aroundtank, indicator. tankswith openvent.
possiblyrising ato hazardous Consider installing
level. appropriategas
detectionequipmentif
appropriate.
High
temperature
alarm.
Node: IOWasteAcid Storagetank feedinlet without control valve.
Parameter:Pressure
intention:
Higher Feedline isolated. Expansionof lockedin fluid Hydraulic Ensureoperating
Pressur causeshydraulicoverpressure pressurerelief instructionspreclude
rupture of line. deliberate isolationof
e
line without having
first drainedline.
Ensuredesign
minimises
opportunitesfor
isolationin error due
to control valves
failing etc.

Table 7.7 (cont.) Wasteacidtreatmentplant modularHAZOP results.

- 100-
I DEVIA IIS
CAUSES CONSEQUENCES !S FEGUARD I RECOMMENDATIO
TION NS

Manualvalve on Liquid hammer. Only a problemfor


storagetank inlet long
closesquickly. pipelines.Ensure
closingtime on
control
valvesand manual
valves is long enough
to avoid liquid
hammer.
HIGH PRESSURE Vesseloverpressure Relief valve. Ensureadequate
FROM SOURCE rupture venting.
Pressure
indicator.
Node: II TreatedwasteInlet to t anker,controlledby batchmeter(tankerloadingoperations)
Parameter:Flow
Intention
:
Node: I ITreatedwasteInlet to tanker,controlledby batchmeter(tankerloadingoperations)
Parameter:Pressure
Intention:
II I I
Node: I ITreatedwasteInlet to tanker,controlledby batchmeter(tankerloadingoperations)
Parameter:Composition
Intention:
I I I I
Node: 12NeutralisationReactorliquid feedwith flow control
Parameter:Flow
Intention:
No Feedline blocked. Reactiondoesnot proceed Low flow
Flow Controlvalve fails asrequired.Poor conversion, alarm
shut. sidereactionsetc.
Full headpumppressure High Designequipmentto
developedin storagetank outlet pressurellow withstandmaximum
pump.High pressurerupture flow pumpcut pumpdelivery
risk to downstreamequipment. out switches. pressure.
Pumpoverheats,sealsdamaged,
possibleleak.
Kick back line

Integralpump
high pressure
relief
valve

Pressure
indicator
Low flow
alarm
More Controlvalve fails Incompleteconversionof
Flow open reactants

Table 7.7 (cont.) Wasteacid treatmentplant modularHAZOP results.

- 101-
DEVIA CAUSES I CONSEQUENCES isSAFEGUARD I RECOMMENDATIO
TION NS

Inadequatestoragetank venting. Relief valve


Storagetank overpressure
rupture.
Staticbuild up in storagetank. Use dip tubes Flammablefluids
for filling only. If filling is done
storagetank. via dip tubescheck
designassumptions.
Less Controlvalve fails Reactiondoesnot proceed Low flow
Flow insufficiently open asrequired.Poor conversion, alarm
sidereactionsetc.
Node: 12NeutralisationReactorliquid feedwith flow control
Parameter:Temperature
Intention:
II I I
Node: 12NeutralisationReactorliquid feedwith flow control
Parameter:Pressure
Intention:
Lower Feedline leaking. Reactiondoesnot proceedas Pressure
Pressur required.Poorconversion,side control
e reactionsetc.
FLow control

Environmental
damage.
Node: 12NeutralisationReactorliquid feedwith flow control
Parameter:Composition
Intention:
As CONTAMINATION Reactionmay not proceedas
Well FROM UPSTREAM required.
As UNITS
Compo
sition I
Node: BNeutralisationReactorliquid outlet with level control
Parameter:Flow
Intention:
No Outlet line blocked.. Reactoroverflows Low flow
Flow Pumpfailure. atram
Level control valve
fails shut.
High level
alarm
Low storagetank level leading Low flow
to outlet pumpcavitation. alarm
More Level control valve Level lost in reactor.
Flow fails open. Possibleoverheating,poor
conversion,sidereactions,etc.
Inadequateventingof storage Storagetank
tank. Vesseloverpressure relief valve.
rupture. I I

Table7.7 (cont.) Wasteacid treatmentplant modularHAZOP results.

- 102-
DEVIA I CAUSES CONSEQUENCES isSAFEGUARD I RECOMMENDATIO
TION NS

Staticbuild up in storagetank. Dip tubesfor Flammablefluids


filling storage only. If filling is not
tank. donevia dip tubes
checkdesign
assumptions.
Outlet line ruptured. Reactorcontentslost to Emergency
environment. isolationmay
be
required.
Less Level control fails to Possiblereactoroverflow. High level
Flow opencontrolvalve alarm
sufficiently. Low flow
alarm
Reverse Pumpfailure Liquid siphonedout of storage Siphonbreak
Flow tank. on dip tubes.
Non-return
valve
Node: 14NeutralisationReactorliquid feedwith concentrationcontrol
Parameter:Flow
Intention:
No Feedline Reaction Low flow
Flow blocked. doesnot proceed alarm
Controlvalve asrequired.Poor
fails shut. conversion,side
reactionsetc.
NO FLOW FROM
UPSTREAM
UNITS
NO FLOW FROM Reactiondoesnot proceedas 1.2.1.1.Low
UPSTREAM required. flow alarm
UNITS
More Control Incompleteconversionof
Flow valve fails open reactants
Inadequateventingof storage Storagetank
tank. Vesseloverpressure relief valve.
rupture.
Staticbuild up in storagetank. Dip tubesfor Flammablefluids
filling storage only. If filling is not
tank. donevia dip tubes
checkdesign
assumptions.
HIGH FLOW FROM
UPSTREAM
UNITS
HIGH FLOW Incompleteconversionof
FROM UPSTREAM reactants
UNITS
Inadequateventingof storage Storagetank
tank. Vesseloverpressure relief valve.
rupture.

Table7.7 (cont.) Wasteacid treatmentplant modularHAZOP results.

- 103-
DEVIA I CAUSES CONSEQUENCES SA-FEGUARD I RECOMMENDATIO
TION S NS

Staticbuild up in storagetank. Dip tubesfor Flammablefluids


filling storage only. If filling is not
tank. donevia dip tubes
checkdesign
assumptions.
Less Controlvalve fails Reactiondoesnot proceedas Low flow
Flow insufficiently open required.Poorconversion,side alarm
reactionsetc.
LESSFLOW Low flow
FROM UPSTREAMUNIT alarm
LESSFLOW FROM Reactiondoesnot proceedas Low flow
UPSTREAM required.Poorconversion,side alarm
I UNITS I reactionsetc. I
Node: 14NeutralisationReactorliquid feedwith concentrationcontrol
Parameter:Temperature
Intention :

Node: 14NeutralisationReactorliquid feedwith concentrationcontrol


Parameter:Composition
Intention:
As CONTAMINATION Reactionmay not proceedas
Well FROM UPSTREAM required.
As UNITS
Compo,
sition I
Node: 15NeutralisationReactorCoolingstreamin with temperaturecontrol
Parameter:Flow
Intention:
No/Lcs Controlvalve fails Runawayreaction. Low flow
s Flow shut or fails to open Possibleexplosion. alarm
sufficiently. High
temperature
alarm.
High pressure
alarm.
Install relief
valve
Catalystdestroyed. Low flow If present.
alarm
High
temperature
alarm.
High pressure
alarm.
Reactiondoesnot proceed Low flow
As required.Poorconversion, alarm
sidereactions,etc. High
temperature
alarm.


Table 7. (cont.) Waste acid reatment plant modular HAZO results.

-104-
I DEVIA I CAUSES I CONSEQUENCES SAFEGUARD I RECOMMENDATIO
TION S NS

High pressure
alarm.
Rapidevaporationof storage Low flow Only a problemfor
tank contents. alarm tankswith openvent.
Increasedvapourconcentration Considerinstalling
aroundstoragetank, possibly High appropriatedetection
rising to a hazardouslevel. temperature equipmentif
alarm. appropriate.

High pressure
alarm.
More Controlvalve fails Reactiondoesnot proceedas
Flow open required.Poorconversion,side
reactions,etc.
High cooling waterdemand. Cancooling water
systemmaintain
adequatesupplyto
remainingsystems?
Node: 15NeutralisationReactorCoolingstreamin with temperaturecontrol
Parameter:Temperature
intention:
I I I I
Node: 16NeutralisationReactorCoolingstreamout with temperaturecontrol
Parameter:Flow
Intention:
No -
Recycleisolation Reactiontemperaturetoo high. Low flow Checkoperating
Flow valve closedin error. Reactiondoesnot proceedas alarm proc dures.
required.Poorconversion,side High
reactions,etc. temperature
Catalystdestroyed alarm
Possibleexplosionrisk. Relief valve
Low flow
alarm
High
temperature
alarm
Rapidevaporationof storage Low flow Only a problemfor
tank contents. alarm tankswith openvent.
Increasedvapourconcentration Considerinstalling
High
aroundstoragetank, possibly appropriatedetection
to
rising a hazardous level. temperature equipmentif
alarm appropriate.
Node: 17NeutralisationReactorcoolingvia recycle
Parameter:Flow
Intention:
No/Les Pumpfailure or poor Reactorbeginsto overheat. Someform of
s pump performance. Reaction may begin to run emergencycooling
Flow away.Possiblerisk of may be necessaryto
explosion. avoid explosionwhere
I that possibility exists. I

Table7.7 (cont.) Wasteacid treatmentplant modularHAZOP results.

- 105-
DEVIA I CAUSES CONSEQUENCES isSAFEGUARD I RECOMMENDATIO
TION NS

As Contaminationof Reactiondoesnot proceed


Well recyclestreamby asrequired.Poor conversion,
As cooling water dueto sidereactions,etc.
Flow heatexchanger
I interfacefailure. I
Node: 18TreatedWasteStoragetank vent to atmosphere
Parameter:Flow
Intention:Enableflow into or out of tank to maintainatmosphericpressure
No/Les Vent line blockedor Tank overpressure ruptureon Relief valve Minimise
s partially blocked filling opportunitiesfor vent
Flow blockage
Ensureflame arrestor
is maintained
correctly.
Tank vacuum Vacuum Minimise
collapseon relief opportunitiesfor vent
discharge valve. blockage.
Ensureflame arrestor
is maintainedcorrectly
Node: 18TreatedWasteStoragetank ventto atmosphere
Parameter:Temperature
Intention:Maintain temperaturetank

Node: 18TreatedWasteStoragetank vent to atmosphere


Parameter:Pressure
intention:Maintain atmosphericpressurein tank

Node: 19TreatedWasteStoragetank feedinlet without control valve.


Parameter:Flow
Intention:
No Feedline blocked. Possibleinability to continue
Flow processat normalproduction
rates
Low tank Low level
level leadingto alarm
outlet pump Level
cavitation. indicator
Reactoroverflows. Providesuitable
I overflow arrangement.
Node: 19TreatedWaste Storagetank feed inlet --
without control valve.
Parameter:Temperature
Intention:
II I I
Node: 19TreatedWasteStoragetank feed inlet without control valve.
Parameter:Pressure
Intention:

Table7.7 (cont.) Wasteacidtreatmentplant modularHAZOP results.

- 106-
DEVIA I CAUSES I CONSEQUENCES --A- SAFEGUARD I RECOMMENDATIO
TION S NS

Higher Feedline Expansionof lockedin fluid Hydraulic Ensureoperating


Pressur isolated. causeshydraulicoverpressure pressurerelief instructionspreclude
e ruptureof line. deliberateisolationof
line without having
first drainedline.
Ensuredesign
minimises
opportunitesfor
isolationin
error dueto control
valves failing etc.
Manualvalve on Liquid hammer Only a problemfor
storage tank inlet long
closesquickly. pipelines.Ensure
closingtime on
control
valvesand manual
valvesare long
enoughto avoid liquid
hammer.
Node: 20TreatedWasteStoragetank overflow
Parameter:Flow
Intention:Allow tank to overf! safely
No/Les Overflow No/partialtank overflow Level control Ensureopportunities
s blocked or available. Possibletank rupture for overflow blocking
Flow partially blocked on overfilling are minimised.
Level
indicator
High level
alarm
Node:20TreatedWasteStoragetank overflow
Parameter:Temperature
intention:

Node 20TreatedWasteStoragetank overflow


Parameter:Pressure
Intention:

Table 7.7 (cont.) Wasteacid treatmentplant modularHAZOP results.

- 107-
BLANK IN ORIGINAL
8 Conclusions

This chapterprovidessomeconclusionsrelating to the work describedin this thesis


in
and particular the modularHAZOP procedure. The final part of this chapterlooks

at how this work may be taken forward in the future.

8.1 Contributions

In looking at how to improve hazard identification of chemical plant through the


HAZOP procedure,three possible areas for improvementwere identified. Firstly
possible improvements
to the conventional
procedure were reviewed. Secondly,the

role of automated HAZOP was discussed and finally a new, modular HAZOP

procedurewas put forward.

It is fairly clear that minor modificationsto the conventionalHAZOP procedurewill


have only a marginal impact on the overall time taken to complete the hazard
identification of chemicalplant. However,there may be useful lessonswhich should
be borne in mind, particularly by inexperiencedHAZOP teams. There being no
time
substantial gainsforeseen by improving HAZOP in this way, this thesishas been

restrictedlargely to reviewingthe literaturerelating to suchimprovements.

As discussedearlier in the thesis, automatedHAZOP is an area that has attracted


much researcheffort. It offers potentially the timesaving
greatest but a large amount
of further is
work necessary before automated hazard identification of a chemical
plant produces completeand reliable results. Becauseof the large amount of work
being doneby otherpeoplein this field, this thesishasbeenrestrictedto reviewingthe

stateof the art.

The developmentof a modularHAZOP procedurehas formed the major part of this


thesis. In developing this procedure a number of important principles have been
identified. Firstly, the level of decompositionrequired, and in particular the use of
interchangeable for
sub-modules,provides a procedurewhich is adaptableto different
plant configurationsbut can also be quickly and easily applied. This is particularly

-109-
importantfor a procedurewhich, as developed,is carricd out manuallyby only one or
two people.This contrastsstarkly with the level of decompositionusedin automated
HAZOP, which requiresthat each pump, valve, etc. be modelled. In particular it
allows for known problems with combinations of equipment to be represented.As
such,it is possibleto include much more expert knowledgein a sub-module than in a
collectionof more detailedmodelsmakingup that sub-module.Secondly,the fact that
the majority of cause-consequence scenariosexist in adjacent modules, and the
categorisationof locally and remotely propagatedeffects, reducesthe complexity of
the procedure.It enablesthe simpler fault paths,which make up most of the cause-
consequence scenarios, to be identified quickly, leaving a much reducednumber of
fault pathswhich require a more thoroughanalysis.Finally, I think the usefulnessof
the categories and a filtering tool, such as that provided by HAZOP-PC, in
simplifying the applicationof the procedureshouldnot be underestimated.

I believe that the modular HAZOP proceduredetailed in this thesis can be used to
provide quick hazard identification of chemical plant. Its application may be limited
to plant that have a large number of fairly standarditems, but in such casesit can
provide a significant improvement in the time takenfor hazad identification.The size
and structure of the models,and in particular the preHAZOPed results,allows a large

amount of information, and in particular expert knowledgeregardingknown hazard


and operability problems, to be represented,whilst retaining the flexibility that
enablestheir useon a wide variety of chemicalplant.

8.2 Limitations

The main limitation surroundingthis work at present is the lack of a substantial


library of sub-modulesandcorrespondingpreHAZOPedresults.

It should also be noted that the current preHAZOPedresults should be treated as


examples only. They are by no means complete,and a fair amountof technicalexpert
input is required to developthem and bring them to an acceptableand industrially
applicablestandard.

- 110-
As identified above,the modular HAZOP procedureis not going to be universally
applicable.For certainplant, particularly where they are new, complex or otherwise
unique, the required preHAZOPed results may not exist it
and may not be worth
compiling them. In such cases, the HAZOP
conventional procedureprovidesthe best

route for hazardidentification.

It shouldalso be notedthat the proceduredescribedfor modularHAZOP is applicable


only to continuousprocessplant.

8.3 Further Work

One of the mainproblemsto be overcomein modularHAZOP is how to usethe


results. In particular, how to make sure that consideration is given to whetheror not
sufficient protection existsto preventor reduce the effectsof a possiblehazard.

In terms of reducingthe amountof time taken to carry out hazardstudiesit would


seem best to use the results as follows. The preHAZOPed results will contain all
for
protectionsnecessary safe operation of the module when considered in isolation.
No further considerationwill needto be given to the need for additionalprotections
due to hazards arising entirely within the module. For faults that have been
propagatedto find distant consequencesthen considerationwill have to be given to
determinewhetherthe existing protectionsare adequateor not. The main drawback
with this is
approach that modules may contain protective systemsthat are not
actually requiredand the capital and operatingcostsof the modulewill be higher than
necessary.However, it may be possibleto reducethe numberof protectionsnecessary
through referenceto remarksin the preHAZOPedresults.For example,a stock tank
containing a non-flammable non-toxic substancemay not require a high level alarm
and the possibility for this alarm to be omitted will be included in the preHAZOPed
results(table 8.1).

- III-
Deviation Cause Consequence Safeguards Recommendations Remarks

High level Level Tank contents Overflow Overflow to be High level alarm

control lost to below tank roof may not be


fails environment High level alarm required for non-
Tank to be flammable, non-
Level indicator adequately bunded I toxic liquids.

Table 8.1 - Part of preHAZOPed results for storage tank showing how remarks
column can be used.

The alternativeapproachis to make it a requirementthat all the results should be


checkedto ensurethat safeguardsand protectionsare adequateand not excessive.
However this will dramaticallyincreasethe time taken to carry out modularHAZOP
and there will no significant time benefit over conventionalHAZOP. The advantage
with this approach is that the preHAZOPed resultsdo not needto be as detailedas for
the first methodgiven that there is scopefor whoever is checkingthe resultsto add
safeguardsasnecessary.

It may of course be possible to combine the two above approaches.The former


approachcould be usedfor modules that occur commonlyand for which we can draw

up the detailed preHAZOPedresults required. The latter approachcan be used for


modules which do not yet have detailed preHAZOPed results though it is still
that
necessary all vulnerabilitiesand propagatedeffects are included. Detailed results
can be drawn up for modulesduring a HAZOP
conventional. study of the moduleand
these can subsequentlybe used (modified slightly if needed) whenever similar
in
modulesare considered the future.

As identified above,the procedureis currently applicableonly to continuousprocess


plant. In order to be able to be used for batchplant, appropriateterms would have to
be defined to describe the effects transmitted between modules, so that correct
matching acrossmodule boundaries could be caff ied out and fault pathsdeveloped.
It

would probably also be necessaryto have modules, or possibly sub-modules,


connected in time as well as space, i.e. each different operation carried out in a
particular item of equipment would require a different set of preHAZOPedresults,

-112-
and the effect of following by
one operation another in the same item of equipment
need to be considered. This is also likely to require, as its basis, a more systematic
approach to HAZOP of batch processplants than that originally specified.Work on
developingsuchan approachhasonly recentlybegun(MushtaqandChung,2000).

It is not clear how applicablethe modular HAZOP procedure is to other similar


continuous process industries, for example food processing.In fact the modular
HAZOP proceduremay be more applicable to such industries where a modular
approach to design is already taken. The identification of particular industries,

chemical,chemicalrelated and other, wherethe modular HAZOP procedure could be

more easilyandproductivelyappliedcould form the basisof useful investigations.

8.4 Implementing Modular HAZOP in an Industrial Environment

A further problemto be overcomeis the transferof the modularHAZOP procedureto

a real environment.Following the initial development of the HAZOP procedureand


its acceptanceas the standardtechniquefor hazardidentification, changeshave been
adoptedgradually and slowly, mainly as individual hazardstudy leadersappliednew
techniquesthey regardedor found to be improvements over the old techniques.The
modular HAZOP procedure is however more of a fundamental change and its

acceptance will require the supportof senior SHE This


personnel. of courserequires
that the modularHAZOP proceduregives resultsat leastas good as can be expected
from conventionalHAZOP. It will also be necessaryto show a significanttime saving
over conventional HAZOP. One possibility is that modular HAZOP will be used by

an individual prior to a formal HAZOP meeting. It will be usedto develop questions


and possible solutions for problems that will later be identified in the HAZOP

meeting.

Further examples will need to be tested before the completenessand ease of


applicationof modular HAZOP are fully known. In particularthis requiresthe further
developmentof modules.Examplesof modulesthat would be particularly useful are
sought.Furthermore,
as I identified at the start, modular HAZOP will becomemore
effectiveandattractiveas the designprocedurebecomes
more modular in nature.

- 113-
8.5 Automated modular HAZOP

Becauseof the simplicity and methodicalnatureof the modularHAZOP procedure,it


be
should possible to automate it. This would provide anotherrouteto automatingthe
HAZOP procedure.The level of decompositionchosen for modular HAZOP is
consideredto be much more useful for representingexpert knowledge relating to
hazardsin chemical plant, and this route may therefore have advantagesover the
automatedHAZOP routescurrently being investigated.

-
114-
BLANK IN ORIGINAL
References

Andow, P. K., Lees,F. P. & Murphy, C. P.; "THE PROPAGATION OF FAULTS IN


PROCESSPLANTS: A STATE OF THE ART REVIEW'. IChemE Symposium
SeriesNo. 58,1980; pp. 225-243.

Austin, D. G. & Jeffreys,G. V.; "The Manufactureof Methyl Ethyl Ketone from 2-
Butanol." IChemE,London, 1979;Chapter12.

Black, J. M. & Ponton,J. W.; "A HierarchicalMethod for Line-by-Line Haza d and
Operability Studies." Interactions Between Process Design and Process Control,
1993;Chapter32, pp. 227-233.

Butler, P.; "Motivating people is the key to safety on processplant sites." Process
Engineering,August 1973;p. 79.

Catino, C. A., Grantham, S. D. and Ungar L. H.; "Automatic Generation of


Qualitative Models of Chemical Process Units." Computers and Chemical
Engineering,Vol. 15,No 8,1991; pp 583-599.

ChemicalIndustriesAssociationLtd.; "A Guide to Haza d and Operability Studies".


ChemicalIndustry Safetyand Health Council of the ChemicalIndustriesAssociation,
1977.

Chung,P. W. H. " QualitativeAnalysis of ProcessPlant Behaviour." Proceedingsof


6th InternationalConferenceon Industrial and EngineeringApplications of Artificial
Intelligence,GordonandBreachSciencePublishers,1993;pp. 277-283.

Coad,P. & Yourdon,E. "Object-orientedAnalysis." 2nd edition; PrenticeHall, 1991.

Crawley, F. K; "Do hazardand operability studieshave their limitationsT ICheniE


LossPreventionBulletin, Issue121,February1995;pp. 3-5.

-116-
Douglas,J. M.; "ConceptualDesignof ChemicalProcesses.
" McGraw-Hill, 1988.

Dowell, III, A. M.; "Managing the PHA Team" Process Safety Progress, Vol. 13, No.
1, January1994;pp. 30-34.

Duxbury, H. A. & Turney, R. D.; "TECIHNIQUES FOR THE ANALYSIS AND


ASSESSMENTOF HAZARDS IN THE PROCESSINDUSTRIES." Paperpresented
to the New Mexico Technology ResearchCentre for Energetic Materials Open
Seminaron SafetyandHazardsEvaluation,II April 1989.

Eggert, G. IChemE Safety and Loss PreventionSubject Group HAZOP Workshop.


Alderley Edge, 15 September1985.

Elliot, D. M. & Owen,J. M.; "Critical Examinationin ProcessDesign." The Chemical


Engineer,223,1968; pp. CE377

Freeman,P, A., Lee, P, & McNamara,T. P.; "Plan HAZOP Studieswith an Expert
System." ChemicalEngineeringProgress,August 1992;pp. 28-32.

Gibson, S. B.; "WE FIXED THE FLOWSHEET SAFELY. " Process Engineering,
June1976;pp. 119- 120.

Gillet, J. E.; "Hazard study managementin the pharmaceuticalindustry." IChernE


Loss PreventionBulletin, Issue125,October1995;pp. 17-25.

Goyal, K. R.; "PRACTICAL EXAMPLES OF SAFETY RISK ASSESSN11ENT


IN
BAPCO." Loss PreventionBulletin, 112,1994;pp. 7-14.

Hunt, A.; "Rules for Modelling In Computer Aided Fault Tree Synthesis.
" PhD
Thesis, Department of Chemical Engineering, Loughborough University of
Technology,1992.

- 117-
Hunt, A., Kelly, B. E., Mullhi, J. S., Lees,F. P. & Rushton,A. G.; "The propagation
of faults in processplants: 6, Overview of, and modelling for, fault tree "
synthesis.
Reliability Engineeringand SystemSafety,39,1993; pp. 173-194.

Imperial Chemical IndustriesLtd.; "Safety, Health and Environment (SHE) Guide


B. " 1993.

IrL M., Aoki, K, O'Shima,E. & Matsuyama,H.; "An Algorithm for Diagnosisof
" Computersin ChemicalEngineering,Vol
SystemFailuresin the ChemicalProcess.
3,1979; pp. 489-493.

Jefferson,M., Midge, J. T. & Rushton,A. G.; "Activities andtime usagein Hazard


and Operability "
Studies. IChemEResearch
Event, Edinburgh,January1995(a).

Jefferson,M., Chung,P. W. H. & Rushton,A. G.; "Automated Haza d Idetification


by Emulation of Haza d and Operability Studies." 8th International Conferenceon
Industrial andEngineeringApplicationsof Artificial Intelligenceand Expert Systems,
Melboume,Australia,July 1995(b); pp. 765-770.

Jones, D. W.; "Lessons from HAZOP experiences." Hydrocarbon Processing, April


1992.

Kelly, B. E. & Lees,F. P. "The Propagationof Faults in ProcessPlant, 1, Modelling


of Fault "
Propagation. Reliability Engineering,16,1986 (a); p.

Kelly, B. E. & Lees,F. P. "The Propagationof Faults in ProcessPlant, 2, Fault Tree


" Reliability Engineering,16,1986 (b); p. 39.
Synthesis.

Kelly, B. E. & Lees, F. P. "The Propagationof Faults in ProcessPlant, 3, An


facility." Reliability Engineering,16,1986 (c); p. 63.
interactive,computer-based

- 118-
Kelly, B. E. & Lees,F. P. "The Propagationof Faults in ProcessPlant, 4, Fault Tree
Synthesisof a Pump ChangeoverSystenf' Reliability Engineering, 16,1986 (d); p.
87.

Kelly, W. J.; "Oversights and mythology in a HAZOP program." Hydrocarbon


Processing,October1991.

Kletz, T. A.; "Eliminating PotentialProcessHazards." ChemicalEngineering,April 1,


1985;pp. 48-68.

Kletz, T. A.; "HAZOP andHAZAN. " 3rd Edition, Hemisphere,1992.

Kletz, T. A.; "Some thoughtson Frank Crawley'sarticle." IChemE Loss Prevention


Bulletin, Issue121,February1995;p. 5.

Knowlton, R. E.; "A Manual of Hazard and Operability Studies." Chemetics


International,1992.

Lapp, S. A. & Powers,G. J.; IEEE Transon Reliability, R-26, April 1977;pp 2-11.

Larkin, F. D., Rushton, A. G., Chung, P. W. H., Lees, F. P., McCoy, S. A. &
Wakeman S. J.; "Computer-aidedHazard Identification: Methodology and System
Architecture." IChemE SymposiumSeriesNo. 141, HazardsXIII ProcessSafety -
The Future, 1997;pp. 337-348.

Lawley, H. G. "Operability StudiesAnd Hazard Analysis." Eighth Symposiumon


Loss Prevention in the Process Industries, Philadelphia, November 1973; Loss
Preventionvol. 8, pp. 105-116.[Also available in: ChemicalEngineeringProgress,
Vol. 70, No. 4, April 1974;pp. 45-56.]

Lawley, H. G.; "Size Up Plant HazardsThis Way." HydrocarbonProcessing,Volume


55, No. 4, April 1976;pp. 247-258.

- 119-
Lees, F. P.; "Loss Prevention in the Process Industries: Haza d Identification,
Assessmentand Control. Volumes I to 3." Secondedition, Butterworths, Oxford,
1996.

Lees, F. P. & Kelly, B. E.; " The Propagation of Faults in Process Plants." Reliability
Engineering,Vol. 16,1,1986.

Lihou, D.; "Operability studiesfor busypeople." The ChemicalEngineer,May 1986;


pp. 52,53.

" 4th
Lowe, D. R. T. & Solomon, C. H.; "Hazard Identification Procedures.
InternationalSymposiumOn Loss PreventionAnd Safety Promotion In The Process
Industries,Vol. 1,80, pp. 246-282,1983.

MacCallum, K. J.; "Understanding Relationships in Marine Systems Design."


Proceedingsof First InternationalMarine SystemsDesignConference,London, 1981;
pp 1-9.

McCluer, R. E. and Whittle, D. K; "Lessons learned from HAZOP reviews of


FCCUs." HydrocarbonProcessing,August 1992;pp. 140-C-140-L.

McCoy, S. A., Wakeman, S. J., Larkin, F. D., Jefferson, M., Chung, P. W. H.,
Rushton,A. G., Lees,F. P. & Heino, P. M.; "HAZID, A ComputerAid for Haza d
Identification." TransIChemE,Vol. 77, PartB, 1999;pp. 317-327.

Martin-Solis, G., Andow, P. K& Lees,F. P.; "An Approachto Fault Tree Synthesis
for ProcessPlants." Proceedings2nd International Symposiumon Loss Prevention

and SafetyPromotionin the Industries,


Process Heidelberg,1977;p. 367.

Martin-Solis, G., Andow, P. K& Lees, F. P.; "Fault Tree Synthesisfor Real-Time

andDesign "
Applications. TransIChemE,Vol. 60,1980; pp. 14-20.

-120-
Mushtaq, F. & Chung, P. W. H.; "A Systematic HAZOP Procedure for Batch
Processes,And Its Application to Pipeless Plants." Journal of Loss Prevention in the
ProcessIndustries, 13,2000; pp. 41-48.

OSHA; "ProcessSafety Managementof Highly HazardousChemicals,Explosives


and Blasting Agents; Final Rule.
" Departmentof Labour, OccupationalSafety and
Health Administration,FederalRegister,1992;pp. 6356-6417.

Oyeleye, 0.0. & Kramer M. A.; "Qualitative Simulation of Chemical Process


Analysis." AlChE Journal,Vol. 34, no. 9,1988; pp.1441-1454.
Systems:Steady-State

Oyeleye,0.0. & KramerA A.; "Guidelinesfor DevelopingSignedDirected Graph


Models." NUT, Laboratoryfor Intelligent Systemsin ProcessEngineeringReport 90-
069,1989.

Ozog, H.; "Haza d Identification, Analysis and Control." ChemicalEngineering,92,


1985;pp. 161-170.

Parmar, J. C. "A Method of Computer-AidedHaza d Identification In Chemical


ProcessPlant." PhD Thesis, Loughborough University, 1987.

Parmar,J. C. & Lees, F. P.; "The Propagationof Faults in ProcessPlants: Haza d


Identification. " Reliability Engineering, 17,1987(a); pp. 277-302.

Parmar,J. C. & Lees, F. P.; "The Propagationof Faults in ProcessPlants: Hazard


Identification for a Water SeparatorSystem." Reliability Engineering, 17,1987(a);
pp. 303-307.

PrimaTechInc.; "HAZOP-PC.Version3.00." 1994.

Pully, A. S.; "Utilization and Results of Haza d and Operability Studies in a


PetroleumRefmery." ProcessSafetyProgress,Vol. 12, No. 2, April 1993; pp. 106-

-121-
110.

Roach, J. R. & Lees, F. P.; "Some Features of and Activities in Hazard and
Operability(HAZOP) Studies." The ChemicalEngineer,October 1981;pp. 456-462.

Rushford, R.; "Haza d and Operability Studies in the Chemical Industries."


Transactionsof the North East CoastInstitution of Engineersand Shipbuilders,Vol.
93, no. 5,1977; pp. 117-124.

Rushton,A. G., Gowers,R. E., Edmondson,J. N. & Al-Hassan,T.; "HAZARD AND


OPERABILITY STUDY OF OFFSHORE INSTALLATIONS -A SURVEY OF
VARIATIONS IN PRACTICE." HazardsXII EuropeanAdvancesin ProcessSafety,
IChemE,Rugby, 1994;pp. 341-350.

Sankaran,N.; "Managementof Change- The SystematicUse of Hazard Evaluation


Proceduresand Audits." ProcessSafetyProgress,Vol. 12, no. 3, July 1993;pp. 181-
192.

Shafaghi,A., Andow, P. K& Lees, F. P. "Fault Tree SynthesisBasedon Control


Loop Structure." ChemicalEngineeringResearchand Design,Vol. 62,1984; pp. 101-
110.

Sigma-LambdaSoftware(Ility Engineering);'6HAZoplus.,,1995.

Smith, C., Inder, R. & Chung,P. W. H. "Knowledge Acquisition and Representation


for Product Configuration: Charting a Way Through a Company's Information
Jungle." Proceedings of the First International Conference on Industrial &
EngineeringApplications of Artificial Intelligence & Expert Systems,ACM Press,
1988;pp. 805-811.

Sweeney,J. C.; "ARCO ChemicarsHAZOP Experience.


" ProcessSafety Progress,
Vol. 12,No. 2, April 1993;pp. 83-91.

-122-
Toola, A.; "Plant level safety analysis." Journal of Loss Prevention in the Process
Industries,Vol. 5, No. 2,1992; pp. 119-124.

Venkatsubramanian,V. & Vaidyanathan,R. "A Knowledge Based Framework for


AutomatingHAZOP Analysis." AlChE Journal,Vol. 40, No. 3,1994; pp. 496-505.

Wakeman,S. J., Chung, P. W. H., Rushton, A. G., Lees, F. P., Larkin, F. D. &
McCoy, S. A.; "Computer-aidedHaza d Identification: Fault Propagationand Fault-
ConsequenceScenarioFiltering." IChemE SymposiumSeriesNo. 141, Haza ds XIII
ProcessSafety- The Future, 1997;pp. 305-316.

Winston,P.H.; "Artificial Intelligence",Addison Wesley,1984.

ZerkanLH. & Rushton,A. G.; "ComputerAid for Haza d Identification."


Proceedingsof 6th InternationalConferenceon Industrial andEngineering
Applicationsof Artificial Intelligence,GordonandBreachSciencePublishers,1993;
pp. 102-109.

- 123-
Appendix 1- CaseStudy preHAZOPed Results

This appendix contains the full list of preHAZOPed results used to generatethe
resultsof the casestudyof Chapter 7.

TableAl. I givesthe preHAZOPedresultsgeneratedby filtering to includeonly those


cause-consequence having
scenarios an initial cause(IC) type of cause.

Table Al. 2 gives the preftAZOPed results generatedby filtering to include the
remaining cause-consequence scendios, i. e. those having a vulnerability (VUL) type
of cause.

Al -
Waste Acid Neutralisation Plant

Node: I Cooling Water top up - single supply, single pump and float valve.
Parameter: Flow
Intention:
CAUSES CAT CONSEQUENCES CAT SAFEGUARDS
DEVIAT RECOMMEND
ION ATIONS
1. No I. I. Inline IC 1.1.1. Level in EE
Flow filter blocked. cold well cannot
Float valve fails be maintained.
shut. Cooling water
Pump failure. supply may be
restricted.
2. More 2.1. Float valve ic 2.1.1. Cold well EE 2.1.1.1. Suitable
Flow fails open. overflows. overflow to drain.
Contamination due
to dosing
chemicals.
Node: I Cooling Water top up - single supply, single pump and float valve.
Parameter: Temperature
Intention:
2. Lower 2.1. Low ambient ic 2.1.1. Prolonged
Temperat temperature leads cold weather may
ure to freezing, reduce
particularly as availability of
there may be no cooling water.
flow for long
Lperiodsof time.
______
Node: 2Cooling water return to tower.
Fa-r-ameter: Flow
Intention: Maintain circulation of cooling water.
1. Less I. I. Purge to IC I. I. I. Cooling EE I. I. I. I. Regualr
Flow drain valve left water tower inspection.
open or fails performance falls
open. off. Cooling water
supply may be
restricted during
periods of high
deamand.
Node: 3Cooling Water Dosing - Chromate Dosing Outlet. Feed controlled by automatic dosing control.
Parameter:Flow
Intention:

Node: 4Cooling water supply main -2 or more pumps.


Parameter:Flow

TableAl. I- Wasteacid plant preHAZOPedresults- IC filtered.

A2
Intention:
1. Less I. I. Pump ic I. I. I. LESSFLOW DPE 1.1.1.1.
Flow failure. TO Appropriate
DOWNSTREAM alarmson pumps.
UNITS. Only likely
to be a problem
during periodsof
high demand.
1.1.1.2.Low flow
alarm
on supplymain.
2. 2.1. Pumpnot Ic 2.1.1.Reverse EE 2.1.1.1.Separate
Reverse running flow throughpump non-
Flow backinto cooling returnvalveson
waterpond. all pump
1discharges.
Node: 4Cooling watersupplymain -2 or morepumps.
Parameter:Maintenance
Intention:
I. partOf I. I. Highcooling ic 1.1.1.Unableto EE I. I. I. I. Planned
Maintena water demande.g. meetdemanddueto maintenance
nce due to hot pump down for shouldbe
weather. maintenance. scheduledfor
Unableto carry periodsof low
out maintenance cooling water
dueto high demand.
cooling water
demand.
f
Vode: 5CoolingWaterPurgeto drain - manually adjusted.
Parameter:Flow
Intention:
1. More 1.1.Chemical ic 1.1.1.Wastageof EE I. I. I. I. Orifice
Flow concentration cooling waterand plateto
monitoringfails dosingchemicals. minimise
requiringpurge maximum
valve to be possible
openedmorethan flow rate.
necessary.
Purgevalve
inadvertantly
left further open
thanrequired.
2. Less 2.1. Purgevalve ic 2.1.1.Increased EE
Flow insufficiently scaling,general
open. solidsdeposition,
andfouling
problems.
Node: Kooling WaterAcid dosing- automaticallycontrolled.
Parameter:Flow
Intention:

TableAl. I (cont.) - Wasteacid plant preHAZOPedresults- IC filtered.

A3
1. Less 1.1.Automatic IC 1.1.1.pH should EE I. I. I. I. Routine
Flow dosingcontrol be maintained and
fails, delivering betweenpH7-8 to regulartesting.
lessacid than maintainnon- 1.1.1.2.Low
required. scaling,non- level alarm.
Acid supply corrosive
exhausted. conditionsin the
system.
2. More 2.1. Automatic IC 2.1.1.pH should EE 2.1.1.1.Routine
Flow dosingcontrol be maintained and
fails, delivering betweenpH7-8 to regulartesting.
moreacid than maintainnon-
required. scaling,non-
Acid supply corrosive
exhausted. conditions in the
system.
Node: 7Wasteacid Storagetank vent to atmosphere
Parameter:Flow
Intention:
1. 1.1. Vent line IC 1.1.1.Tank EE I. I. I. I. Minimise
I. I. I. I. Relief
No/Less blockedor overpressure valve opportunitiesfor
Flow partially blocked rupture on Iling vent blockage
1.1.1.2.Ensure
flamearrestoris
maintained
correctly.
1.1.2.Tank vacuum EE 1.1.2.1.Vacuum 1.1.2.1.Minimise
collapseon relief opportunities for
discharge valve. vent blockage.
1.1.2.2.Ensure
flame arrestoris
maintained
correctly
_jode-7Wasteacid Storagetank vent to atmosphere
Parameter:Temperature
Intention: aintaintemperaturetank
1 F _
-
Node. 7Wasteacid Storagetank vent to atmosphere
parameter:Pressure
Intention:Maintain in
atmosphericpressure tank
I I I I- I
ITo-de.8Wasteacid Storagetank overflow
Parameter:Flow
Intention:Allow tank to overflow safey
1. 1.1.Overflow IC I. I. I. No/partial EE 1.1.1.1.Level I. I. I. I. Ensure
No/Less blockedor tank overflow control opportunitiesfor
Flow partially blocked available. overflow
Possibletank 1.1.1.2.Level blocking
ruptureon indicator areminimised.
overfilling

Table Al I (cont.) - Waste acid pl I nt prel AZOPed results -I filtere

A4
1.1.1.3.High
levelalarm
Node: 8Waste acid Storagetank overflow
Parameter: Temperature
intention:

Node: 8Waste acid Storagetank overflow


Parameter: Pressure
Intention:

Node: 9Waste Acid Storagetank outlet


Parameter: Flow
Intention: Allow continuous flow of material t process
1. No I. I. Outlet line IC 1.1.1. NO FLOW DPE 1.1.1.1 Low flow
Flow blocked between TO alarm
tank and pump. DOWNSTREAM
Pump fails. UNIT
1.2. Flow control IC 1.2.1. NO FLOW DPE 1.2.1.1. Low flow
valve fails shut. TO alarm
Outlet line DOWNSTREAM
blocked UNIT
downstream of 1.2.2. Full head EE 1.2.2.1. Kick 1.2.2.1. Consider
pump. pump pressure back line. designing
developed. High 1.2.2.2. Low flow equipment to
pressurerupture alarm. withstand
risk to outlet maximum
line.
pump delivery
Pump overheats, pressure.
seals damaged,
possible leak.
2. More 2.1. Control IC 2.1.1. HIGHFLOW DPE
Flow valve fails open TO
DOWNSTREAM
UNIT
2.2. Sparepump IC 2.2.1. HIGHFLOW DPE 2.2.1.1: Flow 2.2.1.1. Ensure
running in error TO control operating and
DOWNSTREAM
maintenance
UNIT instructions
preclude running
parallel pumps
incorrectly.
2.3. Outlet line IC 2.3.1. Tank EE 2.3.1.1. 2.3.1.1. Ensure
ruptured contents lost to Emergency tank is
environment isolation valve adequately
bunded.
2.3.1.2. Locate
isolation valve
as near as
possible to tank.

TableAl. 1 (cont.) - Wasteacid plant preHAZOPedresults- IC filtered.

A5
2.3.1.3.Consider
for
need remote
operationof
isolationvalve.
2.4. Pumpseals ic 2.4.1. EE 2.4.1.1. 2.4.1.1.Use
fail. Environmental Emergency cannedor seal-
contamination isolationvalve. lesspumpif
appropriate.
2.4.1.2.Pumpto
be adequately
bunded.
2.4.1.3.Consider
needfor remote
operationof
isolationvalve.
3. Less 3.1. Outlet line IC 3.1.1.LESSFLOW DPE 3.1.1.1.Flow
Flow partially TO control
blocked.Pumprunning DOWNSTREAM
incorrectly. UNIT
3.1.1.2.Low flow
alarm
3.2. Control IC 3.2.1.LESSFLOW DPE 3.2.1.1.Low flow
valve fails TO alarm.
insufficiently DOWNSTREAM
open. UNIT
4. As 4.1. IC 4.1.1. DPE
Well Contaminationof CONTAMINATION
As Flow tank contents OF
DOWNSTREAM
UNIT
5. 5.2. Outlet line ic 5.2.1.REVERSE DPE
Reverse ruptured. FLO
Flow W FROM
DOWNSTREAM
UNIT
Node 9WasteAcid Storagetank outlet
Ta-rameter.Temperature
intention:

Node: 9WasteAcid Storagetank outlet


Parameter:Pressure
Intention:
2. Lower 2.1. Storagetank Ic 2.1.1.Low tank DPE 2.1.1.1.Low flow
Pressure inlet line level leadingto alarm
blocked. LOW PRESSURE 2.1.1.2.Low
AT level alarm
Level control DOWNSTREAM
valve fails shut. UNIT
12.1.1.3.Level
I I I 1 indicator
I Node: IOWasteAcid Storagetank feedinlet without control valve. .

TableAl. 1 (cont.) - Wasteacid plant preHAZOPedresults- IC filtered.

A6
Parameter:Flow
Intention:
1. No I. I. Feedline IC 1.1.1.Possible EE
Flow blocked. inability to
continueprocess
at normal
1productionrates
1.1.2.Low tank EE 1.1.2.1.Low
level leadingto level alarm
outlet pump 1.1.2.2.Level
cavitation. indicato
1.1.3.NO FLOW DPE
AT
UPSTREAM
UNITS
3. Less 3.1. Feedline IC 3.1.1.Vessel EE 3.1.1.1.Level
Flow partially takes longerto indicator.
blocked. fill than normal
3.1.2.LOW FLOW DPE 3.1.2.1.Level
FROM UPSTREAM indicator.
UNIT f
-R-ode.- I OWasteAcid Storage
tank feedinlet without controlvalve.

Intention:
ENoddEljasteid
Storageynk fee inlet without controlvalve.
Parameter:Pressure
Intention:
r lffier 1.2.Feedline IC 1.2.1.Expansion IC 1.2.1.1. 1.2.1.1.Ensure
Pressure
ess isolated. of lockedin fluid Hydraulic operating
causeshydraulic pressurerelief instructions
overpressure preclude
ruptureof line. deliberate
isolationof line
without having
first drained
line.
1.2.1.2.Ensure
designminimises
opportunitesfor
isolationin
error dueto
control valves
failing etc.

TableAl. I (cont.) - Wasteacid plant preHAZOPedresults- IC filtered.

A7
1.3.Manualvalve IC 1.3.1.LIQUID 1.3.1.1.Onlya
on storagetank HAMMER. HIGH problemfor long
inlet closes PRESSURETO pipelines.
quickly. UPSTREAM Ensureclosing
UNITS. time on control
valvesand
manual
valvesis long
enoughto avoid
liquid hammer.
Node: I ITreatedwasteInlet to tanker,controlled by batchmeter(tanker loading ope ations)
Parameter:Flow
Intention:

Node: I ITreatedwasteInlet to tanker,controlledby batchmeter(tankerloadingoperations)


parameter:Pressure
intention:

Node: I ITreatedwasteInlet to tanker,controlledby batchmeter(tankerloadingoperations)


Parameter:Composition
Intention:

Node: 12NeutralisationReactorliquid feedwith flow control


Parameter:Flow
Intention:
1. No I. I. Feedline IC I. I. I. Reaction EE I. I. I. I. Low flow
Flow blocked. does not proceed alarm
Controlvalve asrequired.Poor
fails shut. conversion,side
reactionsetc.
1.1.2.NO FLOW DPE 1.1.2.1.Low flow
FROM UPSTREAM alarm
UNITS
1.1.3.LOW IPE 1.1.3.1.Low flow
CONCENTRATION alarm
OF 1.1.3.2.
REACTANT/ Concentration
CONTAMINATION alarm
TO
UNITS
DOWNSTREAM
OF REACTOR
, OUTLETS
1.1.4.LESSFLOW IPE 1.1.4.1.Low flow
TO UNITS alarm
DOWNSTREAM
OR
REACTORLIQUID
OUTLET

'TableAl. I )
(cont. - Wasteacid plant preHAZOPedresults- IC filtered.

A8
2. More 2.1. Control IC 2.1.1.Incomplete EE
Flow valve fails open conversionof
reactants
2.1.2. HIGH
CONCENTRATION
OF
REACTANT/
CONTAMINATION
TO
DOWNSTREAM
UNITS
2.1.3. HIGH FLOW IPE
TO UNITS
DOWNSTREAM
OF
REACTOR LIQUID
OUTLET
,
2.1.4. HIGH FLOW DPE
FROM UPSTREAM
UNITS
3. Less 3.1. Control IC 3.1.1. Reaction EE 3.1.1.1. Low flow
Flow valve fails does not proceed alarm
insufficiently as required. Poor
open conversion, side
reactions etc.
3.1.2. LESS IPE 3.1.2.1. Low flow
CONCENTRATION alarm
OF 3.1.2.2.
REACTANT/ Concentration
CONTAMINATION alarm
TO
UNITS
DOWSNTREAM
OF REACTOR
OUTLET
,
3.1.3. LESS FLOW DPE 3.1.3.1. Low flow
FROM UPSTREAM alarm
UNIT
Node: 12Neutralisation Reactor liquid feed wi th flow control
parameter: Temperature
Intention:

Node: 12Neutralisation Reactor liquid feed with flow control


Parameter:Pressure
Intention:
2. Lower 2.2. Feed line IC 2.2.1. Reactionn EE 2.2.1.1. Pressure
Pressure leaking. does not proceed control
as required. Poor 2.2.1.2. FLow
conversion, side control
reactions etc.

TableAl. I (cont.) - Wasteacid PlantPreHAZOPedresults- IC filtered.

A9
2.2.2. EE
Environmental
damage.
Node: 12NeutralisationReactorliquid feedwith flow control
Parameter:Composition
Intention:
1. More I. I. HIGH 1.1.1.Reaction
Composit CONCENTRATION doesnot proceed
ion FROM UPSTREAM asrequired.
UNITS
1.1.2.
CONTAMINATION
(BY
REACTANT)TO
UNITS
DOWNSTREAM
OF
REACTOR
OUTLETS.
(Unlesssomeform
of concentration
control is used).
2. Less 2.1. LOW 2.1.1.Reaction
Composit CONCENTRATION doesnot proceed
ion FROM UPSTREAM asrequired
UNITS
2.1.2.
CONTAMINATION
TO
UNITS
DOWNSTREAM
OF REACTOR
OUTLETS.(Unless
someform of
concentration
control is used).
3. As 3.1. 3.1.1.Reaction
Well CONTAMINATION may not proceedas
As FROM UPSTREAM required.
Composit UNITS
ion
3.1.2.
CONTAMINATION
TO
UNITS
DOWNSTREAM
OF REACTOR
OUTLETS.
Node: 13NeutralisationReactorliquid outlet with level control
Parameter:Flow
Intention:

TableAl. I (cont.) - Wasteacid plant preHAZOPedresults- IC filtered.

AIO
1. No 1.1.Outlet line IC I. I. I. Reactor EE 1.1.1.1.Low flow
Flow blocked. overflows alram
Pumpfailure. 1.1.1.2.High
level alarm
Level control
valve fails shut. 1.1.2.NO FLOW IPE 1.1.2.1.Low'flow
FROM UNITS alarm
UPSTREAMOF
REACTORFEED
2. More 2.1. Level IC 2.1.1.Level lost
Flow controlvalve in reactor.
fails open. Possible
overheating,poor
conversion,side
reactions,etc.
2.1.2.HIGH FLOW DPE
TO
DOWNSTREAM
UNITS
2.2. HIGH FLOW TO 2.2.1.Level lost
DOWNSTREAMUNITS in reactor.
Possible
overheating,poor
conversion,side
reactions,etc.
2.3. Outlet line IC 2.3.1.Reactor EE 2.3.
ruptured. contentslost to Emergency
environment. isolationmaybe
required.
3. Less 3.1. Level IC 3.1.1.Possible EE 3.1.1.1.High
Flow control fails to reactoroverflow. level alarm
opencontrol 3.1.1.2.Low
valve flowalarm
sufficiently. 3.1.2.LESSFLOW DPE 3.1.2.1.Low flow
TO alarm
DOWNSTREAM
UNITS
4. 4.1. Pumpfailure IC 4.1.1.REVERSE DPE
Reverse FLOW FROM
Flow DOWNSTREAM
UNITS
Node: 14NeutralisationReactorliquid feedwith concentrationcontrol
Parameter:Flow
Intention:
1. No I. I. Feedline IC I. I. I. Reaction EE I. I. I. I. Low flow
Flow blocked. doesnot proceed alarm
Controlvalve asrequired.Poor
fails shut. conversion,side
reactionsetc.
1.1.2.NO FLOW DPE 1.1.2.1.Low flow
FROM UPSTREAM alarm
UNITS
TableAl. I (cont.) - Wasteacid plant preHAZOPedresults- IC filtered.

All
1.1.3.LESSFLOW IPE 1.1.3.1.Low flow
TO UNITS alarm
DOWNSTREAM
OR
REACTORLIQUID
OUTLET
2. More 2.1. Control IC 2.1.1.Incomplete EE
Flow valve fails open conversionof
yreactants
2.1.2.HIGH FLOW IPE
TO UNITS
DOWNSTREAM
OF
REACTORLIQUID
OUTLET
,
2.1.3.HIGH FLOW DPE
FROM UPSTREAM
UNITS
3. Less 3.1. Control IC 3.1.1.Reaction EE 3.1.1.1.Low flow
Flow valve fails doesnot proceed alarm
insufficiently asrequired.Poor
open conversion,side
reactionsetc.
3.1.2.LESSFLOW DPE 3.1.2.1.Low flow
FROM UPSTREAM alarm
f UNIT
Node: 14NeutralisationReactorliquid feedwith concentrationcontrol
Parameter:Temperature
intention:

Node: 14NeutralisationReactorliquid feedwith concentrationcontrol


parameter:Composition
intention:
1. As I. I. I. Reaction
Well CONTAMINATION may not proceedas
As FROM UPSTREAM required.
Composit UNITS
ion

CONTAMINATION
TO
UNITS
DOWNSTREAM
OF REACTOR
OUTLETS.
Node: 15NeutralisationReactorCoolingstreamin with temperaturecontrol
Parameter:Flow
Intention:
1. No I I. I. Control 1.1.1.Runaway I. I. I. I. Low flow
Flow valve fails shut. reaction. alarm

TableAl. I (cont.) - Wasteacid plant preHAZOPedresults- IC filtered.

A12
1.1.1.2.High
temperature
alarm.
1.1.2.Possible 1.1.2.1.Low flow
explosion. I alarm
1.1.2.2.High
temperature
alarm
1.1.2.3.High
pressure
alarm
1.1.2.4.Install
relief
valve
1.1.3.Catalyst 1.1.3.1.As for
destroyed. consequence

1.1.4.Reaction 1.1.4.1.As for


doesnot proceed consequence
asrequired.Poor 1.1.1
conversion,side
reactions,etc.
1.1.5.NO FLOW 1.1.5.1.As for
DOWSNTREAM consequence
OF
COOLING
STREAM OUT
1.1.6.NO FLOW 1.1.6.1.As for
FROM UPSTREAM consequence
UNITS
1.1.7.HIGH
TEMPERATURE
DOWNSTREAM
OF
REACTORLIQUID
OUTLET
.
1.1.8.HIGH
TEMPERATURE
DOWNSTREAM
OF
REACTOR
VAPOUR
OUTLET
,
1.2.NO FLOW FROM 1.2.L As for 1.2.1.1.As for
UPSTREAMUNITS cause1.1except cause1.1
as for consequence
1.1.6
2. More 2.1. Control 2.1.1.Reaction
Flow valve fails open doesnot proceed
asrequired.Poor
conversion,side
reactions,etc.
TableAl. I (cont.) - Wasteacid plant preHAZOPedresults- IC filtered.

A13
2.1.2.MORE FLOW
DOWNSTREAM
OF
COOLING
STREAM OUT
2.1.3.MORE FLOW
FROM UPSTREAM
UNITS
2.1.4.LOW
TEMPERATURE
DOWNSTREAM
OF
REACTORLIQUID
OUTLET
,
2.1.5.LOW
TEMPERATURE
DOWNSTREAM
OF
REATOR VAPOUR
OUTLET
,
2.2. MORE FLOW 2.2.1.As for 2.2.1.1.Flow
FROM UPSTREAM cause1.1except control.
UNIT as for consequence 2.2.1.2.
2.1.3 Temperature
control.
3. Less 3.1. Control 3.1.1.Possible 3.1.1.1.High
Flow valve fails to runawayreaction. temperature
onensufficiently alarm.
3.1.1.2.Low flow
alarm
3.1.2.Possible
explosion
3.1.3.Reaction
doesnot proceed
asrequired.Poor
conversion,side
reactions,etc.
3.1.4.LESSFLOW
DOWNSTREAM
OF
COOLING
STREAM OUT
3.1.5.LESSFLOW
FROM UPSTREAM
UNITS
3.1.6.HIGH
TEMPERATURE
DOWNSTREAM
OF
REACTORLIQUID
OUTLET
J.

TableAl. I (cont.) - Wasteacidplant preIIAZOPedresults- IC filtered.

A14
3.1.7.HIGH
TEMPERATURE
DOWNSTREAM
OF
COOLING
STREAM OUT
3.2. LESSFLOW 3.2.1.As for 3.2.1.1.Flow
FROM UPSTREAM cause2.1 except control
UNIT as for consequence
3.1.5
Node: 15NeutralisationReactorCoolingstreamin with temperaturecontrol
Parameter:Temperature
Intention:
1. Higher I. I. HIGH I. I. I. Reaction 1.1.1.1.
Temperat TEMPERATUREFROM doesnot proceed Temperature
ure UPSTREAM UNIT as required. Poor control
conversion,side
reactions,etc.
1.1.2.Cooling
capacityreduced.
1.1.3.HIGH 1.1.3.1.
TEMPERATURE Temperature
TO control
UNITS
DOWNSTREAM
OF COOLING
STREAM
OUT
1.1.4.HIGH 1.1.4.1.
TEMPERATURE Temperature
TO control
UNITS
DOWNSTREAM
OF REACTOR
LIQUID
OUTLET
2. Lower 2.1. LOW 2.1.1. Reaction 2.1.1.1.
Temperat TEMPERATURE FROM does not proceed Temperature
UPSTREAM UNIT as required. Poor control.
ure
conversion,side
reactions,etc.
2.I. T Reaction 2.1.2.1.
proceedsslower Temperature
than expected. control.
2.1.3.LOW 2.1.3.1.
TEMPERATURE Temperature
TO control
UNITS
DOWNSTREAM
OF LIQUID
OUTLET

TableAl. 1 (cont.) - Wasteacid PlantPreHAZOPedresults- IC filtered.

A15
2.1.4.LOW 2.1.4.1.
TEMPERATURE Temperature
DOWNSTREAM control
OF
COOLING
STREAM OUT
Node: 16NeutralisationReactorCoolingstreamout with temperaturecontrol
Parameter:Flow
intention:
1. No I. I. No FLOW TO 1.1.1.Reaction I. I. I. I. Low flow
Flow DOWNSTREAMUNIT temperaturetoo alarm
high. 1.1.1.2.High
temperature
alarm
Explosion.
Catalyst
destroyed.
1.1.2.Reaction 1.1.2.1.As for
doesnot proceed consequence
asrequired.Poor 1.1.1
conversion,side
reactions,etc.
1.1 3. NO FLOW 1.1.3.1.As for
.
FROM UNITS consequence
UPSTREAMOF 1.1.1
COOLING
STREAM IN
1.1.4.HIGH 1.1.4.1.As for
TEMPERATURE consequence
DOWNSTREAM 1.1.1
OF
LIQUID OUTLET
1.1.5.HIGH 1.1.5.1.As for
TEMPERATURE consequence
DOWNSTREAM 1.1.1
OF
VAPOUR OUTLET
2. More 2.1. HIGH FLOW TO 2.1.1.Low 2.1.1.1.
Flow DOWNSTREAM UNIT reaction Temperature
temperature control
2.1.2.Reaction 2.1.2.1.as for
doesnot proceed consequence
asrequired.Poor 1.1.1
conversion,side
reactionsetc.
2.1.3.HIGH FLOW 2.1.3.1.As for
FROM UNITS consequence
UPSTREAMOF 1.1.1
COOLING
STREAM IN

TableAl. 1 (cont.) - Wasteacid plant preHAZOPedresults- IC filtered.

A16
2.1.4.LOW 2.1.4.1.as for
TEMPERATURE consequence
TO
DOWNSTREAM
UNITS
2.1.5. LOW 2.1.5.1. As for
TEMPERATURE consequence
DOWNSTREAM 1.1.1
OF
LIQUID OUTLET
3. Less 3.1. LOW FLOW TO 3.1.1. High
Flow DOWNSTREAM UNITS reaction
temperature.
3.1.2. Possible
1runaway reaction.
3.1.3. Reaction
does not proceed
as required. Poor
conversion, side
reactions, etc.
3.1.4. LOW FLOW
FROM UNITS
UPSTREAM OF
COOLING
STREAM IN
3.1.5. HIGH
TEMPERATURE
TO
DOWNSTREAM
UNITS
3.1.6. HIGH
TEMPERATURE
DOWNSTREAM
OF
LIQUID OUTLET
-To eutralisation Reactor cooling via recycle
Pnrameter: Flow
Intention:
1. 1.1. Pump failure IC I. I. I. Reactor EE I. I. I. I. Some
No/Less or poor pump begins to form of
Flow performance. overheat. Reaction emergency
may begin to run cooling may be
away. Possible necessaryto
risk of explosion. avoid explosion
where that
possibility
exists.
3. AS 3.1. IC 3.1.1. Reaction EE
Well Contamination of does not proceed
As Flow recycle stream by as required. Poor
cooling water due conversion, side
to heat exchanger reactions, etc.
ffiffif, Waste OPed results 1C filtere 1.
Table Al - acid Ph nt pre -
a ure.
A17
3.1.2. IPE
CONTAMINATION
WITH
COOLING WATER
TO
UNITS
DOWNSTREAM
OF REACTOR
OUTLET
Node: 18Treated, WasteStoragetank vent to atmosphere
Parameter:Flow
Intention: Enableflow into or out of tank to maintainatmosphericpr sure
1. 1.1.Vent line IC 1.1.1.Tank EE Relief 1.1.1.1.M inimise
No/Less blockedor overpressure valve opportunitiesfor
Flow partially blocked ruptureon filling vent blockage
1.1.1.2.Ensure
flame arrestoris
maintained
correctly.
1.1-2.Tank vacuum EE 1.1.2.1.Vacuum 1.1.2.1.Minimise
collapseon relief opportunitiesfor
discharge valve. vent blockage.
1.1.2.2.Ensure
flame arrestoris
maintained
correctly
Node: 18TreatedWasteStoragetank vent to atmosphere
Fair-ameter:
Temperature
intention: Maintain temperaturetank

Node: 18TreatedWasteStoragetank vent to atmosphere


Far-ameterPressure
Intention:Maintain atmosphericpressurein tank

]Rode.- 19Treated Waste Storagetank feed inlet without control valve.


Parameter:Flow
Intention.
1. No I. I. Feedline IC I. I. I. Possible EE
Flow blocked. inability to
continueprocess
at normal
I productionrates
1.1.2.Low tank EE 1.1.2.1.Low
level leadingto level alarm
outlet pump 1.1.2.2.Level
cavitation. indicator
1.1.3.NO FLOW DPE
AT
UPSTREAM
UNITS

TableAl. 1 (cont.) - Wasteacid plant preHAZOPedresults- IC filtered.

A18
3. Less 3.1. Feedline IC 3.1.1.Vessel EE 3.1.1.1.Level
Flow partially takeslongerto indicator.
blocked. fill than normal
3.1.2.LOW FLOW DPE 3.1.2.1.Level
FROM UPSTREAM indicator.
UNIT I I
Node: 19TreatedWasteStoragetank feed inlet without control valve.
Parameter:Temperature
Intemt-ion:

Node: 19TreatedWasteStoragetank feedinlet without control valve.


Parameter:Pressure
Intention:
1. Higher 1.2.Feedline IC 1.2.1.Expansion IC 1.2.1.1. 1.2.1.1.Ensure
Pressure isolated. of lockedin fluid Hydraulic operating
causeshydraulic pressurerelief instructions
overpressure preclude
ruptureof line. deliberate
isolationof line
without having
first drained
line.
1.2.1.2.Ensure
designminimises
opportunitesfor
isolationin
error dueto
control valves
failing etc.
1.3.Manualvalve IC 1.3.1.LIQUID 1.3.1.1.Only a
on storagetank HAMMER. HIGH problemfor long
inlet closes PRESSURETO pipelines.
quickly. UPSTREAM Ensureclosing
UNITS. time on control
valvesand
manual
valvesis long
enoughto avoid
liquid hammer.
ode: 20Treated Waste Storagetank overfl=
Parameter:Flow
Intention:Allow tank to overflow sa y
1. 1.1.Overflow IC I-I-I- No/partial EE 1.1.1.1.Level I. I. I. I. Ensure
No/Less blockedor tank overflow control opportunities for
Flow partially blocked available. overflow
Possibletank 1.1.1.2.Level blocking
ruptureon indicator are minimised.
overfilling 1.1.1.3.High
level alarm
Node:20TreatedWasteStoragetank overflow
Parameter:Temperature
Intention:
TableAl. 1 (cont.) - Wasteacid plant preHAZOPedresults- IC filtered.

A19
TableAl. I (cont.) - Wasteacid plant preHAZOPedresults- IC filtered.

A20
Project Name: Waste Acid Neutralisation Plant

Node: I Cooling Water top up - single supply, single pump and float valve.
Parameter:Flow
Intention:

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS


RECOMMENDA
TIONS

1. No Flow 1.2.NO FLOW VUL 1.2.1.Level in cold EE 1.2.1.1.If the


FROM well cannotbe supplyis
UPSTREAM maintained. unreliable
SUPPLY Coolingwater supply considerthe need
may be restricted. for a backup
supply.See
. I appropriatenode.
Node: lCoolin g Watertop up - singlesupply,singlepumpand float valve.
Parameter:Temperature
intention:

Node: 2Coolingwaterreturnto tower.


Parameter:Flow
Intention:Maintain circulationof co ling wat

Node: 3Cooling WaterDosing- ChromateDosingOutlet. Feedcontrolledby automaticdosingcontrol.


Parameter:Flow .
Intention:

Node: 4Coolingwatersupplymain-2 or morepum s.


Parameter:Flow
intention:

Node: 4Coolingwatersupplymain-2 or morepumps.


parameter:Maintenance
intention:

Node: 5CoolingWaterPurgeto drain- manuallyadjusted.


parameter:Flow
intention:
I II I I
Node: 6CoolingWaterAcid dosing- automaticallycontrolled.
Parameter:Flow
intention:

Node:7Wasteacid Storagetank vent to atmosphere


Parameter:Flow
Intention:Enableflow into or out of tank to maintainatmosphericpressure

I Nocle: '/ Wasteacia blorage tanK vent to atmosphere

TableAl. 2 - Wasteacid plant preHAZOPedresults- VUL filtered.

A21
Parameter:T
: Maintain temperature tank
I II
-- T- I I
Node: 7Waste acid Storagetank vent to atmosphere
Parameter: Pressure
Intention: Maintain atmospheric ess e. n tank
1 7 ---T
Node: 8Waste acid Storagetank overflow
11
Parameter: Flow
intention: Allow tank to overflow safely
I I I II -I
Node: 8Wastc acid Storagetank overflow
Parameter: Temperature
Intention:

Node: 8Waste acid Storagetank overflow


Parameter: Pressure
Intention:

Node: 9Waste Acid Storagetank outlet


Parameter: Flow
Intention: Allow continuous flow of material to process
DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS RECOMMENDA
TIONS
1. No Flow 1.3. NO FLOW VUL 1.3.1. Full head pump EE 1.3.1.1. High 1.3.1.1. Design
TO pressuredeveloped. pressure/low flow equipment to
DOWNSTREAM High pressurerupture pump withstand
UNITS risk to downstream cut out switches. maximum
equipment. Pump pump delivery
overheats, seals 1.3.1.2. Kick back pressure.
damaged,possible leak. line

1.3.1.3. Integral
pump
high pressurerelief
valve

1.3.1.4. Pressure
indicator
1.3.1.5. Low flow
alarm
5. Reverse 5.1. Pumpfailure VUL 5. I. I. Material EE 5.1.1.1. Non-return
Flow and REVERSE incompatability valve.
FLOW
FROM
DOWNSTREAM
UNIT.
F-Node:Waste Acid Storagetank outlet
Parameter:T erature
Intention:

TableAl. 2 (cont.) - Wasteacid plant preHAZOPedresults- VUL filtered.

A22
Node: 9WasteAcid Storagetank outlet
parameter: Pressure
Intention:
1. Higher I. I. HIGH VUL I. I. I. LOWFLOWTO DPE I. I. I. I. Flow
Pressure PRESSUREAT DOWNSTREAM control
DOWNSTREAM UNIT
UNIT

2. Lower 2.1. LOW VUL 2.1.1.HIGH FLOW DPE 2.I. I. I. Flow


pressure PRESSUREAT TO DOWNSTREAM control
DOWNSTREAM UNIT
UNIT

e: I Acid
OWaste Storage
tank f eedinlet without controlvalve.
[ IParrai
ameter:Flow
=on:
Interel tion:
, en
niti
N0o,Flow 1.2.NO FLOW VUL 1.2.1.Possibleinability EE
FROM to continueprocess
UPSTREAM at normalproduction
UNIT rates.
1.2.2.Low tank level EE 1.2.2.1.Low level
leadingto outlet pump alarm
cavitation. 1.2.2.2.Level
indicator
2. -M-o-re- 2.1. HIGH FLOW VUL 2.1.1.Inadequate EE 2.1.1.1.Relief
Flow FROM venting.Vessel valve.
UPSTREAM overpressure rupture.
UNIT
-------- 2.1.2.Staticbuild up. EE 2.1.2.1.Dip tubes 2.1.2.1.
for filling. Flammablefluids
only. If filling is
not donevia dip
tubescheck
design
assumptions.
3. Less 3.2. LOWFLOW VUL 3.2.1.Vessel 3.2.1.1.Level
. FROM SOURCE takeslongerto indicator.
Flow
fill than normal.
4. As Well 4.1. WRONG VUL 4.1.1.Material EE 4.1.1.1.Ensure
As ]Flow MATERIAL AT incompatability appropriate
SOURCE measuresexist to
checkincoming
material.

Table Al. 2 )
(cont. - Wasteacid plant - preHAZOPedresultsVUL filter.

A23
4.2. VUL 4.2.1.Material EE
CONTAMINATI incompatibility
ON OF
MATERIAL AT
SOURCE
5. Reverse 5.I. REVERSE VUL 5.1.1.Liquid EE 5.1.1.1.Siphon
Flow FLOW siphonedout of breakon
ATSOURCE tank. dip tubes.
5.1.1.2.Non-rcturn
valve
Node: IOWasteAcid Storagetank f eedinlet without control valve.
Parameter:Temperature
Intention:
1. Higher I. I. HIGH VUL I. I. I. Rapid EE 1.1.1.1. 1.1.1.1.For
Temperature TEMPERATURE evaporationof Temperature systemwith vent
FROM tank contents. indicator headersystem,
UPSTREAM cansystemcope
UNIT with increasein
1.1.1.2.High ventingdueto
temperature hot weather
alarm actingon several
tanks?
1.1.2.Increased EE 1.1.2.1. 1.1.2.1.Only a
vapour Temperature problemfor tanks
concentration indicator. with openvent.
aroundtank, 1.1.2.2.High Consider
possiblyrising to temperature installing
a hazardouslevel. alarm. appropriategas
detection
equipmentif
appropriate.
Node: IOWaste Acid Storage tank feed inlet without control valve.
Parameter:Pressure
Intention:
1. Higher I. I. HIGH VUL I. I. I. Vessel IC I. I. I. I. Relief I. I. I. I. Ensure
Pressure PRESSURE overpressure valve. enting.
FROM rupture 1.1.1.2.Pressure
SOURCE indicator.
Node: I ITreated waste Inlet to tanker,controlled by batchmeter(tankerloadingoperations)
Parameter:Flow
Intention:
1. No Flow L I. NO FLOW VUL I. I. I. Tankernot EE
FROM filled as
UPSTREAM required.
UNIT
2. More 2.1. MORE VUL
Flow FLOW
FROM
UPSTREAM
UNIT

TableAl. 2 (cont.) - Wasteacid plant preHAZOPedresults- VUL filtered.

A24
3. Less 3.1. LESSFLOW VUL 3.1.1.Tanker EE 3.1.1.1.Overdue
Flow FROM takeslongerto filling
UPSTREAM fill than normal. alarm.
UNIT
Node: I ITreatedwasteInlet to tanker,controlledby batchmeter(tankerloadingoperations)
Parameter:Pressure
Intention:
1. Higher I. I. HIGH VUL I. I. I. Tanker EE Relief
Pressure PRESSURE overpressure valve
FROM rupture.
UPSTREAM
UNIT
2. Lower 2.1. LOW VUL 2.1.1.Vessel EE
Pressure PRESSURE takeslongerto
FROM fill than normal
UPSTREAM
UNIT
Node: I ITreatedwasteInlet to tanker,controlledby batchmeter(tankerloadingoperations)
Parameter:Composition
Intention:

Node: 12NeutralisationReactorliquid feedwith flow control


Parameter:Flow
Intention:
1. No Flow 1.2.NO FLOW VUL 1.2.1.Reaction EE 1.2.1.1.Low flow
FROM doesnot proceed alarm
UPSTREAM asrequired.
UNITS
1.2.2.LOW IPE 1.2.2.1.Low flow
CONCENTRATION alarm
OF REACTANT / I
CONTAMINATION 1.2.2.2.
TO UNITS Concentration
DOWNSTREAM OR alarm
REACTOROUTLET
1.2.3.LESSFLOW IPE 1.2.3.1.Low flow
TO UNITS alarm
DOWNSTREAM OF
REACTOROUTLET
2. More 2.2. HIGH FLOW VUL 2.2.1.Incomplete EE 2.2.1.1.Flow
Flow FROM conversionof reactants control
UPSTREAM
UNITS
2.2.2.HIGH IPE
CONCENTRATION
OF REACTANT /
CONTAMINATION
TO UNITS
DOWNSTREAM OF
REACTOROUTLETS

TableAl. 2 (cont.) - Wasteacid plant - preHAZOPedresultsVUL filter.

A25
2.2.3.HIGH FLOW IPE 2.2.3.1.Flow
TO UNITS control
DOWNSTREAM OF
LIQUID REACTOR
I OUTLET 1
3. Less 3.2. LESSFLOW VUL 3.2.1.Reactiondoes EE 3.2.1.1.Low flow
Flow FROM not proceedas alarm
UPSTREAM required.Poor
UNITS conversion,side
reactionsetc.
3.2.2.LOW IPE 3.2.2.1.Low flow
CONCENTRATION alarm
OF REACTANT / 3.2.2.2.
CONTAMINATION Concentration
TO UNITS alarm
DOWNSTREAM OF
R OUTLET_
Node: 12NeutralisationReactorliquid feedwith flow control
Parameter:Temperature
Intention:
1. Higher 1.1.HIGH VUL I. I. I. Reaction EE
Temperature TEMPERATURE beginsto runaway. Temperature
FROM Possible control.
UPSTREAM Explosion.
UNITS
1.1.1.2.Relief
valve
required.
1.1.2.Reactiondoes EE 1.1.2.1.
not proceedas Temperature
required.Poor control
conversion,side
reactionsetc.
2. Lower 2.1. LOW VUL 2.1.1.Reactiondoes EE 2.1.1.1.
Temperature TEMPERATURE not proceedas Temperature
FROM required.Poor control
UPSTREAM conversion,side
UNITS reactionsetc.
2.1.2.Reaction EE 2.1.2.1.
doesnot proceed Temperature
at requiredrate. control
Node: 12NeutralisationReactorliquid feedwith flow control
Parameter:Pressure
Intention:
1. Higher I. I. HIGH VUL I. I. I. Reaction EE I. I. I. I. Pressure
Pressure PRESSURE doesnot proceed control
FROM asrequired.Poor
UPSTREAM conversion,side
UNITS reactions,etc.

TableAl. 2 (cont.) - Wasteacid plant preHAZOPedresults- VUL filtered.

A26
2. Lower 2.1. LOW VUL 2.1.1.Reaction EE 2.1.1.1.Pressure
Pressure PRESSURE doesnot proceed control
FROM as required.Poor
UPSTREAM conversion,side
UNITS reactionsetc.
Node: 12NeutralisationReactorliquid feedwith flow control
Parameter:Composition
Intention:

Node: BNeutralisationReactorliquid outlet with level control


Parameter:Flow
Intention:
1. No Flow 1.2.NO FLOW VUL 1.2.1.Reactor EE 1.2.1.1.Low flow
TO overflows. alarm
DOWNSTREAM
UNITS
1.2.2.NO FLOW IPE 1.2.2.1.Low flow
FROM UNITS alarm
UPSTREAMOF
REACTORFEED.
Node: 14NeutralisationReactorliquid feedwith concentrationcontrol
Parameter:Flow
Intention:
1. No Flow 1.2.NO FLOW VUL 1.2.1.Reactiondoes EE 1.2.1.1.Low flow
FROM not proceedas alarm
UPSTREAM required.
UNITS
1.2.2.LESSFLOW IPE 1.2.2.1.Low flow
TOUNITS alarm
DOWNSTREAM OF
REACTOROUTLET
2. M)re 2.2. HIGH FLOW VUL 2.2.1.Incomplete EE 2.2.1.1.Flow
Flow FROM conversionof reactants control
UPSTREAM
UNITS
2.2.2.HIGH FLOW IPE 2.2.2.1.Flow
TO UNITS control
DOWNSTREAM OF
LIQUID REACTOR
OUTLET
36L ;s 3.2. LESSFLOW VUL 3.2.1.Reaction EE 3.2.1.1.Low flow
Flow FROM doesnot proceed alarm
UPSTREAM asrequired.Poor
UNITS conversion,side
reactionsetc.
Node: 14Neutralisation Reactor liquid feed with concentration control
Para rieter:Temperature
fn-tention:

TableAl. 2 (cont.) - Wasteacid plant - preHAZOPedresultsVUL filter.

A27
1. Higher I. I. HIGH VUL 1.1.1.Reaction EE 1.1.1.1.
Temperature TEMPERATURE beginsto runaway. Temperature
FROM Possible control.
UPSTREAM explosion.
UNITS
1.1.1.2. Relief
valve
reouired.
1.1.2. Reaction E 1.1.2.1.
does not proceed Temperature
as required. Poor control
conversion, side
reactions etc.
2. Lower 2.1. LOW VUL 2.1.1. Reaction EE 2.1.1.1.
Temperature TEMPERATURE does not proceed Temperature
FROM as required. Poor control
UPSTREAM conversion, side
UNITS reactions etc.
2.1.2. Reaction EE 2.1.2.1.
does not proceed Temperature
at required rate. control
Node: 14Neutralisation Reactor iid feed with concentration control
Parameter: Composition
intcntion:

F-Node:15NeutralisationReactorCoolingstreamin withtemperaturecontrol
Parameter: Flow
intention:

Node: 15NeutralisationReactor stream in with temperature control


Parameter: Temperature
intention:
Higher HIGH Reaction EE Temperature
Temperature TEMPERATURE VUL does not proceed control
FROM as required. Poor
UPSTREAM conversion, side
UNIT reactions, etc.
Cooling capacity EE
reduced.
High cooling water
demand.
Rapid evaporation of IPE Temperature Only a problem
storagetank contents. control for tanks with
Increasedvapour open vent.
concentration around Consider
storagetank, possibly installing
rising to a hazardous appropriate
level. detection
equipment if

TableAl. 2 (cont.) - Wasteacid plant preHAZOPedresults- VUL filtered.

A28
Lower LOW Reaction EE Temperature
Temperature TEMPERATURE VUL doesnot proceed control.
FROM asrequired.Poor
UPSTREAM conversion,side
UNIT reactions,etc.
Reaction EE Temperature
proceedsslower control.
than expected.
Node: 16NeutralisationReactorCooling streamout with temperaturecontrol
Parameter:Flow
Intention:

Node: 17NeutralisationReactorcoolingvia recycle


parameter:Flow
Intention:

Node: 18TreatedWasteStoragetank vent to atmosphere


Parameter:Flow
Intention: Enableflow into or out of tank to maintainatmosphericpressure
I I I I I - T-
Node: 18TreatedWasteStoragetank vent to atmosphere -
Parameter:Temperature
Intention: Maintain temperaturetank
T I I I I I
Node: 18Treated - WasteStoragetank vent to atmosphere
Parameter:Pressure
Intention: Maintain atmosphericpressure.n tank

Node: 19TreatedWasteStoragetank feed inlet without control valve.


Parameter:Flow
Intention:
1. No Flow 1.2.NO FLOW VUL 1.2.1.Possible EE
FROM inability to
UPSTREAM continueprocess
UNIT at normal
production ates
1.2.2.Low tank EE 1.2.2.1.Low level
level leadingto alarm
outlet pump 1.2.2.2.Level
cavitation. indicator
2. More 2.1. HIGH FLOW VUL 2.1.1.Inadequate EE 2.1.1.1.Relief
Flow FROM venting.Vessel valve.
UPSTREAM overpressure
UNIT rupture.
2.1.2. Static EE 2.1.2.1.Dip tubes 2.1.2.1.
build up. for filling. Flammablefluids
only. If filling is
not done via dip
tubescheck
design
assumptions.

TableAl. 2 (cont.) - Wasteacid plant - preHAZOPedresultsVUL filter.

A29
3. Less 3.2. LOWFLOW VUL 3.2.1.Vesseltakes 3.2.1.1.Level
Flow FROM SOURCE longerto fill than indicator.
normal.
4. As Well 4.1. WRONG VUL 4.1.1.Material EE 4.1.LL Ensure
As Flow MATERIAL AT incompatability appropriate
SOURCE measuresexistto
check incoming
material.
4.2. VUL 4.2.1.Material EE
CONTAMINATI incompatibility
ON OF
MATERIAL AT
SOURCE
5. Re erse 5.I. REVERSE VUL 5.1.1.Liquid siphoned EE 5.1.1.1.Siphon
Flow FLOW AT out of tank. breakon dip tubes.
SOURCE
5.1.1.2.Non-return
valve
Node- 19TreatedWasteStoragetank feedinlet without control valve.
-parameter:Temperature
Tn-tention.
-
1. Higher I. I. HIGH VUL I. I. L Rapid EE 1.1.1.1. 1.1.1.1.For
Temperature TEMPERATURE evaporationof Temperature systemwith vent
FROM tank contents. indicator headersystem,
UPSTREAM cansystemcope
UNIT with increasein
1.1.1.2.High venting dueto
temperature hot weather
alarm actingon several
tanks?
1.1.2.Increased EE 1.1.2.1. 1.1.2.1.Only a
vapour Temperature problemfor tanks
concentration indicator. with openvent.
aroundtank, 1.1.2.2.High Consider
possiblyrising to temperature installing
a hazardouslevel. alarm. appropriategas
detection
equipmentif
L appropriate.
without control valve.

intention:
1. Higher I. I. HIGH VUL I. I. I. Vessel IC I. I. I. I. Relief I. I. I. I. Ensure
Pressure PRESSURE overpressure valve. adequateventing.
FROM rupture 1.1.1.2.Pressure
, SOURCE indicator.

TableAl. 2 (cont.) - Wasteacid plant preHAZOPedresults- VUL filtered.

A30
0
Appendix 2- BenzenePlant Modular HAZOP
This appendixhas results for the modular HAZOP of a benzeneplant. The plant is
illustratedin figure A2.1. The resultsarepresentedin tableA2.1.

This is a plant describedand illustratedby Douglas(1988). This plant wasused,in


particular for assessing during
performance, the development
of the modularHAZOP
the
methodology, developmentof CHEQUER (Jefferson et al., 1995(b))andfor the
STOPHAZproject (McCoy et al., 1999).This particularfigure wasdrawn-upby S. A.
McCoy.

A31
Figure A2.1 Benzeneplant

A32
Modul Sub- Devia Causes Consequences Safe- Recommend
e module -tion guards -ations
TKIO1 Toluene No Battery limit supply failure Possible inability
feed from flow Feed line blocked. to continue
battery Level control valve fails processat normal
I limit shut production rates

F Low Battery limit supply low Vessel takes


flow pressure longer to fill than
Level control valve fails normal.
part closed
Feed line partially blocked

High Battery limit high supply Inadequate Size vent


flow pressure venting. adequately.
Vessel Install relief
overpressure valve.
rupture.
Static build up Use dip tubes
for filling if
susceptibleto
static.
Level control valve fails As above. As above.
open.
Tank overflows Suitable
overflow
arrangements
Tank to be
bundedif
necessary.

Rever Back siphoning from tank Contamination of Use siphon


se battery limit breaks on dip
flow supply source. tubes.

TKIO1 Toluene No Feed line blocked Possible inability


Recycle flow to continue
Feed process at normal
production rates

Less Feed line partially blocked Vessel takes


flow longer than normal
to fill

Table A2.1 - Benzeneplant modularHAZOP results.

A33
Self High Externalfire Rapid evaporation Ensure
tempe of tank contents. adequatefire
rature Structural relief.
weakeningof
tank.
High ambienttemperature Rapidevaporation Insulatetank.
of tank contents.

Low Low ambienttemperature Vapourcondenses. Insulatetank.


tempe Air drawninto Use inert
rature tank, possible blanketif
flammable necessary.
atmosphere.
Vapourcondenses. Insulatetank.
Vacuumcollapse. Sizevent
adequately.
Install
vacuum
relief.

TKI01 Vent No Vent line blocked Overpressure Maintain


flow rupture flame
arrestor.
Minimise
oppurtunities
for vent
blockage.
Install relief
valve.
Vacuumcollapse Maintain
flame
arrestor.
Minimise
oppurtunities
for vent
blockage.
Install
vacuum
relief.

Less Vent line partially blocked As for no flow. As for no


flow flow.

TKI01 Overflow No Overflow blocked Tank ruptureon Level Ensure


flow overfilling. control opportunities
valve. for overflow
blockingare
minimised.

A34
Less Overflow partially As for no flow. As for As for no
flow blocked. no flow. flow.

TKI01 Outlet No Outlet line blocked. Furnacetubes


flow overheat.
possibletube
failure.

Less Outlet line partially LESSFLOW TO Flow


flow blocked. DOWNSTREAM control
UNIT valve.

More Outlet line ruptured Tank contentslost Bundtank.


flow to environment. Install
emergency
isolation
valve.

-1
1-0 Fuel gas No Burnercontrol fails shut LESS
in flow TEMPERATURE
HEATED
PRODUCTOUT

More Burnercontrol fails open MORE


flow TEMPERATURE
HEATED
PRODUCTOUT
Furnacetubes Burner
overheat. control
Furnacetubesfail. system
Burnersfail to ignite Releaseof Burner Use
flammablegas. control explosion
Explosionrisk. system doors

Less Burnercontrol fails partly Flamefails. Burner


flow open. Explosive control
Burnerspartially blocked. atmosphere system
develops.
LESS
TEMPERATURE
HEATED
PRODUCTOUT

TableA2.1 (cont.) - Benzeneplant modularHAZOP results.

A35
Stack No Stackblocked. Flamefails. Burner
flow Damperfails shut. Flammablegas control
releasedto system
atmosphere.
Damperfails open. MORE
TEMPERATURE
HEATED
PRODUCTOUT

Stackpartially blockedor LESS


damperfails partially TEMPERATURE
open. HEATED
PRODUCTOUT

Hot High Temperaturecontrol fails MORE


product tempe high TEMPERATURE
rature HEATED
PRODUCTOUT

Low Temperaturecontrol fails LESS


tempe low TEMPERATURE
rature HEATED
PRODUCTOUT

P101 Inlet/outl No Pumpfails. NO FLOW


et flow FROM
UPSTREAM
UNITS
Furncaetubes
overheat.Possible
tube failure.
Flow control valve fails Full headpressure Kick
closed. developed. back
Pumpoverheats. line.
Sealsdamaged.

More Sparepumprunningin MORE FLOW TO Ensure


flow error. DOWNSTREAM maintenance
UNIT instructions
preclude
running
parallel
pumps
incorrectly.
Flow
controller.

A36
MORE FLOW As above.
FROM
UPSTREAM
UNITS
Pumpsealsfail Environmental Usecanned
contamination. pumpsif
necessary.
Consider
requirement
for remote
isolation.
MORE FLOW
FROM
UPSTREAM
UNITS

LESSFLOW TO
DOWNSTREAM
UNITS

Flow control valve fails MORE FLOW TO


open. DOWNSTREAM
UNIT
MOREFLOW
FROM
UPSTREAM
UNITS

Less Flow control valve fails LESSFLOW TO


flow part open DOWNSTREAM
UNITS

LESS FLOW
FROM
UPSTREAM
UNITS

E101 Heated As Heatexchangerinterface CONTAMINATI


Stream well failure ON
out as DOWNSTREAM
flow

Cooled As Heatexchnagerinterface CONTAMINATI


Stream well failure ON
Out as DOWNSTREAM
flow

TableA2.1 (cont.) - Benzeneplant modularHAZOP results.

A37
1-1101 Fuel Gas No Burnercontrol fails shut LESS
In flow TEMPERATURE

More Burnercontrol fails open Furnacetubes Temper Is therea


flow overheat.Furnace ature needfor high
tubesfail. Serious indicato temperature
explosionrisk. r. alarm,high
0 temperature
Snuffing trip?
steam.
0
Damper
control.

Burnersfail to ignite Explosionrisk. Flame


failure
alarm.
0
Burner
control
system.

Less Burnercontrol fails to Flamefails. Flame


flow opensufficiently Explosive failure
atmosphere alarm.
develops. Burner
control
system.
LESS Damper
TEMPERATURE control.

Less Burnerspartially blocked. LESS Damper


pressu TEMPERATURE control.
re

Stack No Stackblocked. LESS


flow Damperfails shut. TEMPERATURE

Flamefails. Flame
Explosive failure
atmosphere alarm.
develops. 0
Burner
control
system.

A38
More Stackdamperfails open MORE
flow TEMPERATURE

ess Stackpartially blocked. LESS


flow 0 TEMPERATURE
Stackdamperfails to open
sufficiently.

Feed More Furnacetubesleak. Explosionrisk.


flow

11101 Reactor Low Leak to environment Environmental


feedfrom pressu damage.
HIOI re Fire / explosion
risk.

Recycle No Temperaturecontrol valve High temperature. High


feed flow fails shut. 0 tempcrat
Possiblerunaway ure
reaction. alarm.
0
Temper
ature
indicato
r.

HIGH
TEMPERATURE

High Temperaturecontrol valve Low temperature.


flow fails open Slow conversion.

Outlet Less Outlet line partially LESSFLOW


flow blockedby catalyst

Clol Inlet No Compressorfailure NO FLOW


flow I I I I

Table A2.1 (cont.) - Benzeneplant modularHAZOP results.

A39
Less Compressor operating LESS FLOW
flow incorrectly

Outlet Conta, Compressor oil lube CONTAMINATI


minati contaminatesrecycle ON
on stream

A40
Appendix 3- Modular HAZOP Library
The following pages provide some examples of components of a module library. These

componentscould include descriptions of the modules and sub-modulesincluding their


designandoperationphilosophy,line diagramsand, of course,the preIIAZOPedresults.

The first part of this appendixdescribesthe modelsand the secondpart containsthe


preHAZOPedresults.The nodesreferredto in the descriptionof the modelsub-modules
refer to the preHAZOPedresults.

A41
AM Cooling Water Supply System

A3.1.1 Sub-ModulesRequired

Cooling Water Tower.

Water top up.

Cooling Water Pond.

Cooling Water Supply Main.

Cooling Water Return.

Cooling Water Purge.

Cooling Water Dosing.

A3.1.2 Specific Sub-ModulesAvailable


The following specificsub-moduleshavebeendeveloped.

A3.1.2.1 Cooling Water Tower

Singletower with fan.


Multiple towerswith fans.

A3.1.2.2 Water Top Up

Pumpedwater top-up from reservoir. (Node 1)


Watertop up from headertank. (Node 10)

Watertop up from main.

A3.1.2.3 Cooling Water Pond

0 Cooling WaterPond.

A42
A3.1.2.4 Cooling Water Supply Main

9 Cooling water supplymain with multiple runningpumps. (Node5)

A3.1.2.5 Cooling Water Return

0 Cooling water return. (Nodc 2)

A3.1.2.6 Cooling Water Purge

Cooling water purge,manuallyadjusted. (Node 8)


Cooling water purge,automaticcontrol. (Node 9)

A3.1.2.7 Cooling Water Dosing

Choosesufficient dosingsub-modulesto minimiseproblemsdueto corrosion,scaling,and


micro-biological fouling.

NALCO A.Z. LITE Scaleand corrosion,automaticcontrol. (Node 6)


NALCO A.Z. LITE Scaleand corrosion,manualcontrol. (Node 7)
Acid dosing,automaticcontrol. (Node 11)
Acid dosing,manualcontrol. (Node 12)

A43
A3.2 Reactor Modules

Therearenumberof different typesof reactormodule.Theseexist mainly to differentiate


betweenthe different typesof reactionthat will occur, suchasexothermicor endothermic
and gasphaseor liquid phase.

The sub-modulesrequired will be different dependingon the particular reactor module

used.

A3.2.1 Exothermic Liquid Phase Reactor

Figure AM illustrateshow an exothermicreactor madeup of a variety of different sub-


modulestaken from the modulelibrary for the reactor.This is an exampleto illustrate how
be
the sub-modulescan addedtogetherto producea fairly complexmodule.

A44
------------ Reactor twin feed, one feed
with flow control, one with
concentartion control

Vapour product
outlet with
pressure contro
----------------- --U

--------------
II

F Vapour
Outlet

Reactor cooling via


jacket Reactor liquid
Reactor product outlet,
Recycle JTLIquid
stirrer Outlet standard pump
with level contr
Cooling Cooling
water in water out

Cooling
stream out

=-j

Reactor cooling via


Cooling external recycle
stream in

Figure AM -Example reactormodulemadeup of variety of sub-modules.

A45
A3.2.2 Required sub-modules

Reactor vessel.

Reactor liquid feed(s).

Reactor liquid outlet.

Reactor cooling system.

Reactor vent system.

A3.2.3 Additional generic sub-modules

Stirrer.
Catalyst.

A3.2.4 Exothermic Liquid Phase Reactor Specific Sub-Modules

A3.2.4.1 Reactor Vessel

Reactorvesselsub-moduleis illustratedin figure A3.2.

Feed II Vapour
Outlet

Recycle j Liquid
Outlet

Figure A3.2- Reactorvesselsub-module.

A3.2.4.2 Reactor Liquid Feed

The following sub-modulesare available:

0 Reactorliquid feedwith flow control. (Node 1)

A46
Reactorliquid feedwith concentrationcontrol. (Node 12)
Reactorliquid feedwith level control.

Use as many as are requiredto representdifferent reactorfeeds.Figure AM illustratesan


arrangementof reactor feeds comprising one feed with flow control and one feed with
concentrationcontrol comprisingthe appropriatesub-modules.
-------------
Reactor twin feed, one feed
with flow control, one with
concentartion control

-----------------------------------------------------

.................

......... >
Feed Vapour
Outlet

........ ................ >

..................

Recycle Liquid
Outlet
...............

Figure A3.3 - Reactor twin feed with flow and concentration control.

A3.2.4.3 Reactor Liquid Outlet

Use one of the following nodes:

Reactorliquid outlet with level control. (Figure A3.4) (Node 11)


Reactorliquid outlet with flow control. (Node 3)

A47
0-1,
........
....... -- --- -----------

X >
..........
Fee d .........
Vapour
Outlet

Reactor liquid
.........
Recycle Liquid tj
product outlet,
Outlet st
standard PL
pump
....... ......... with level control

Figure A3.4 - Reactor sub-module - liquid outlet with level control.

.......... > ......... >


Feed Vapour
utlet

Reactor cooling
via jacket
.......... >
Recycle Liquid
Outlet

.............
coolig
water out

Cooling
water In

Figure A3.5 - Reactor cooling via jacket.

A48
A3.2.4.4 Reactor Cooling System

The choiceof nodesdiffers dependingon the cooling systemequipmentused.Onecooling


stream in and one cooling stream out node will both be required. One other node is

required to the
represent interface equipment,either a reactorjacket or an external heat

exchanger.

Cooling streamin with temperaturecontrol. (Node4)


Cooling streamin without control valve. (Node 13)
Cooling streamout. (Node 5)
Reactorcoolingby jacket. (FigureA3.5)
Reactorcoolingvia externalrecycle.(FigureA3.6) (Node 6)
...............

>
.......... ..........
Feed Vapour
Outlet
L-

Recycle Liquid
Outlet

................ Ile
I

Cooling
stream out

III

Coolinq
stream in

Reactor cooling via


external recycle
A3.6- Reactorcoolingvia externalrecycle.
A3.2.4.5 Reactor Vent System

Choiceof nodesdependson the gasoutlet or venting arrangement.

For a simplevent to atmosphereusethe following node:

0 Reactorvent to atmosphere. (Node 14)

For a nitrogen blanketedvent systemuse the appropriatecombination of the following

nodes:

Nitrogen vent supply,continuousfeedthroughRO. (Node 15)


Nitrogen vent supplywith pressurecontrol. (Node 16)
Vent to headerwithout control valve. (Node 17)
Vent to headerwith pressurecontrol. (FigureA3.7) (Node 18)

Nodes

............

.
>:
Feed Vapour
Outlet

'**"*'*** >. : .......... >


Recycle Liquid
Outlet
................

Figure A3.7- Reactorsub-module- Vent to headerwith pressurecontrol.

A50
A3.2.4.6 Stirrer

Use the followmg node:

0 Reactor Stirrer. (Figure A3.8)

>
Feed Vapour
Outlet

Reactor ..........
Liquid
Recycle
stirrer Outlet

Figure A3.8 - Reactor sub-module- stirrer.

A3.2.4.7 Catalyst

Use the following node:

0 Fixed solid catalystbed.

A51
Siphon
Break
Feed' Hole

Storage Tank Feed


With Level Control

Figure A3.9- Storagetank sub-modules- feedwith levelcontrol.

A52
A3.3 Atmospheric Storage Tank Module

A3.3.1 Required sub-modules

Storagetank vessel.
Storagetank feed(s).
Storagetank outlet.
Storagetank vent system.
Storagetank overflow.

A3.3.2 Additional sub-modules

None.

A3.3.3 Available Specific Sub-Modules

A3.3.3.4 Storage Tank Vessel

Use the following node:

0 Storagetank vessel. (Node 5)

A3.3.3.5 StorageTank Feed

The following nodesmay be used.Use as manyas are requiredto representdifferent

reactorfeeds.

Storagetank feedwith flow control.

Storagetank feedwith level control. (FigureA3.9) (Node 1)


Storagetank feedwithout control valve. (FigureA3.10) (Node 13)

A53
StoragE
Withou,

Figure A3.10 - Storage tank sub-module - feed without control.

Kickback line

I
LJi
Figure A3.11 - Storage tank sub-module - outlet via parallel pumps.

A54
A3.3.3.6 StorageTank Outlet

Use one of the following nodes:

Storagetank outlet with flow control.


Storagetank outlet without control valve. (FigureAM 1) (Nodc 4)

A3.3.3.7 StorageTank Vent System

Choiceof nodesdependson the venting arrangement.

For a simplevent to atmosphereusethe following node:

0 Storagetank vent to atmosphere. (Node2)

For a nitrogen blanketedvent system,such as that illustrated in figure A3.12, use one
blanketsupplynodeandonevent to headernodefrom the following nodes:

Nitrogen blanketsupply,continuousfeedthroughRO. (Node 6)


Nitrogen blanketsupplywith pressurecontrol (Node 7)
Vent to headerwithout control valve (Node 8)
Vent to headerwith pressurecontrol (Node 9)

A3.3.3.8 StorageTank Overflow

0 Storagetank overflow (Node 3)

A55
Figure A3.12 -Nitrogen blanket system.

A56
TEXT BOUND INTO

THE SPINE
BLANK IN ORIGINAL
m0* "i "0 lu
-3"a (D.M
"a9< <
lu n
0.
02M
m" t. a= I- ib Zm
rr 0 h-
(1 gL 0
(T & I-
m
W10
0.
cr 11 cr (b 0

0 Im Ph rr N n
P"
0
mmM-
(D 5 1.,
cr 4c r, () li
3
F1 1
0 0 80
Z- Nm
V IUn
,.
a0mV 10
(D to cr IE
.C0

0w IV aac
m -< 11) ty,
01 W>

Ea
00
,00
%D
c (D M 10 LA W
to " I" I- M 11X a c
tr CT 00 ta P" 113
rr
"zrw
0-0 0I 1-h
03 (D I rr
M
0 2) I-. 3
0.0
(Q

0-4

,a
0 tj 30 9Cw m IE 9 IE 10
10
0 -4 M 0 lu 0 . (D a000
000H m l< 0w m rr I.- -
H H- rr W. cr o-, 0- cr (I W.
I-. w D, = ju Pl% W
tr I.- cr w pi m cr 1
= lu (D to 9
ol W. a=0n ju 0
0
1E 0m0
cr cv
CA m (D ic a3 a 10 a=a
0m m cr - 0 lu r 0 m0<
rr rr -< P- 0 CD 11 11 rr cr cr a rr 0
0 l< 0 0 co
l IC
o"z9
C III w rr cm Ai 0
Co (I '4 1- 19
0 0 01
0 fT 0-
0
r-

0 trl 0
0 M lu
rr rr
.4
su
x

M
"I rr
0M
I..
(r
lu

w0r. =*
rr Q
"i CD

cr mw
0M0 ol P" 2
0 cr
=1 -I
0
r- Alnm
V*0

P,

Table AM - Cooling water systemsub-modules- preHAZOPedresults.


A58
po
0m
0
0 ic
-3 MZ a)
rr 0 W.
M 9L 0
1 (v =
0
z . I, eJ

80
n 000
; -r -< cm M
M=0
9 0a0"
-, 2
Ma0.14to 0
3 N cr 0

I,
m IU 0M
I
p.'

rr

CLT" ic m 2rr w
00 (D al IV ;
P) "m rr I.-
5 P. cr aw (D -

00m0 -ti
(D .0 P" "W
0
W01.- 10
to z
to"90W
tz rr

9c
-0
a
.
P 0
n
0 "1
rp

14

Table AM (cont.) - Cooag water system sub-modules - preHAZOPed results.

A59
Pl a "I
ju n
0 a
a
rr & I.

ei
0

cr
"h

cr
0

rr

,a

2z
0 ca
M
41 l

Rp to
2s H
" V6 Itt

JU I. A
1 ;
X
0
ol
rn

r
rr

Cl
W

rr IE
lu
w- rr
(v =M :0
0 rr 11 t1l

(010 :x

cr 30H
>
pi r_ 0
wmw0
-, cr -* =
=

10
li

Table A3.1 (cont.) - Cooling water system sub-modules - preHAZOPed results.

A60
M IV " le "
Do
04 Q 09
ol (w

a=m
n. 3
M rr & I- rr & 0- W-0
=
ph
cr 0-4
0
M0 0-N
11 M=
0
= ul 0
cr IE w In vi 0
0 su
rr --A 88
=.
0
(D
11
-

-
rr 80
8
I-. ',
w
0-
vN
5;

I.
n cr
w =na
lu > m
cr
Ir 0.0 pf
M0 Ea
a tn cr W
'1

g -Z ?
CL

n
91,
a 8
:r :I tr :1 Aj -
JU cr w
2
(I aa
:IP.
L 119 ; 9L1=1
1=1Il
ta l< .
H- I.
-
fl. =to-
8m0cr11 0, (I M0
0 B
an Pi
r_
(D cr
to)
0ti
wc<
fT 3M
M "1 0
to
III tr X V3 rn
00

to A)s.- rr -
a. 01 =0a
c r- 11 cr z tr M
pi Cl -< =0 10 cr 0
V 0)
rr r_ 0m
M rr 0 Im a ca ,a n P" ,a
"0rza9 otr
cr 0 (D 00
r
rl
>n
>
I lu m Pi w Al "
NJ
C0 O A w ;A
X

ta o ILI
:w
"I
=1 0- t*
ju < t) NO 8
cl I (D PC "F
C:
0 Im
cr
"I
0.1 t2
cr
0

CL 0m3

ju wm
z2P. cr wM

0MW
0Zm
00
0 ol a
>
IV 0M"
a L 0

cr
00

192
Im

Table AM (cont.) - Cooling water system sub-modules - preHAZOPed results.


A62
"a
10
3 le b 0
rr 91 > (12 m W10
(D @lq .4 0 rro
Z rr 0 CL.0 m
lu 0 "M0 mm
I
Z0Z
n m%
rr JE " = 'n Ln0
0 9) - P.,
a0
0
0 pl
rr
00 8 cm
ic (b (Z
(b arm ka
lu lu > n ka
Z ti (Z
p 0 La
(1 0m cIr
cr rr P.- tn
er
0
c
0. lij
"i

C-

I-.

CL * 3C gL 12m.
0CW.
I 0 '"1 6 a 0-1 pr :4 0-
bi -o - JU W. (D Z-
c=w
0Z0
0 0) rr fi KL 2: wV rr m t. z
c Ij 0a0: m tritn
r_ mX En
20n DA tr jo w
cr 5 1-- V' M 00
4 ni ). - CT b- 2 m 10 "0
CL 81
it r. m
Z00
rr :Z
"m&2
tr a" A) -4 9 "1 5 l
10 ju -.3
N0m 00 P" 0 10 En :c
10 10
m0r. Z 10 3 0

rr (D w
0
MV
>
A

A A

z
X
10
0

DW
M
<
M
rr

1
(010
to m0
atv
10 94 -4 a
m 0" wm a0
-<
?0 fu nm 10
cr
052* cr
w0 :1

CL 003 b-

0 Q 2X
00 10 ti
0 13 0
>
Ic 0 (b
ic CL

(b 0

.0

Table AM (cont.) - Cooling water system sub-modules - preHAZOPed results.


A62
.1w Pil N w ty 10
0n
< AO
0 <
cr 0) v (D 0zm rr 0 aa I-110
M -1 1.- m cr 0- W. 0)
CL0 M0 rr 0
of 0
=0 :z
a P"
0"m
:c (A 0
(D 0 mnmn 00
"m 0- 0ArQ0
to 1 (0 WZ 00
0'. M - W. - rr )o a%
r? Z W. cr
0 wz 0s 0 C :1p.. w. <"
Pi
In oo rr mko nm0 "I la
lu on :01 cr M Immw
Lo 0 :r - n ), ILI
-Q n> rr 0 re to lu %a cr
0" 03 ju
N ON
M t. M0W.
5 rr n pi La -4 a t-4 ju m-n
W. :r0 -3 i... 1- 0
nm "I ", It, rr
w rr %0 o 0
0 r_ c, Ca
I C a
M
C, 0

1-4
0 n
0
m r. - rr . M.
Mm
rr -, w ju bi cr w
lu mcr
0
:s0 zm 0 z 9)
00 fu = to En 95 W
rr 0)
rr rr m wm
W, - 0M
ILIr= P., I-
0 111
12.
X* M LO (2 n
0 5 W. 0 0 0
Im
CLcr r a =* t1l Q0 m
0 (v Z (D to
CT 0
z0
m 12,0 0
:3 2
0
M
cr
09cntmW a IE P, ti mN
1.0,W- 1.- 0 :r
---- M (D . Im
-, ; 0 ;
= rr = (D rr 1-- 0 ju b Irn.. X
rr ".
:r Im
rr 0" lu
5: tj- MW
0
0 rr - 0m-
10 M (v w cr r. 0-
I-olo folo sL -
lu 14 Q. W. rr CD
to rr 0 11 0 M lu -0 tr3 C)
a M
i
lz Cr 0 11
M 11 z 0) (D " "m c cr 1- 12.
I-- Il to lu a 0
> I. - rr > Ir
ju (D :3m "
P" rr 0. w ", z a
P" (D (D ju cr a= (a g (13
m i-- Pi n"0 5 fo cr
n b<1su(D a 0- 0 rr
" rr z 91tr :1 :q 3
0 cr (D cr cr of
0 tr 0 cr

CL
0
rr 00"; (D 00 L 01 ,0 'a '0 , m
a :: woa .0 Im I"a0 F W N0 bj
Im o
'r a3a 1- -4 of 'a l< (b i 14 ol ;
M fp . W.
0
trl
0, su 0'. 0 (v rr 11 Ph " P%
. c, 5 :3P,
:r0M
:3 WC 0 cr
A, 0 n
M cr W-
0 IL, ZM
. (D pi
tr
n0
0 'U 0MM`3
- m 0
:3 S2 0
:3
3
0g ty, m0 11 . I-l< 3 cr
ol cr
rr m fD I- ko 0W 0
n0 ju w v0 co)v :s cr 0
CT cr ftl cr 0
>
. W.
cr PC r02
0 0
14
w -- m0
a-, tj 01 < r. W. 0 a
1 V z
rr rr 00

0 tr z r-
rr 0 rr

IV
toAj

0%

Table A3.1 (cont.) - Cooling water system sub-modules - preHAZOPed results.

A63
= b- ti ,0 6 tj
JU . tri lu Z .4w -n bi 41
t- < ei (b
Nv lu m 00 z
rr > (b Z0
cr 0 wV
b-. lu
rr 3
91 0 :3 XX
, (> Z
n mm
:x 0%0
0 11 CL.m
0 Mn .leN0 nz
00
mm(b 0
mm =*(I 0
%L . gL K- 1.- - rr 0 r.
M 0 3
W.cr
l' Z f. - 01
KM
Z 0 rb ju rr
";
mka mn (v 0
cr (Dwm P-r.
Cmr an 0.1. - rr >
9) ; %0 5
.. %:
cr 0
G) Plo
.m X -= Q ol 8
P"
= fu 9
ei 0am c , UN
W* Ol >
Z- W. lu
fi m >..(Z ti t..
1.. 0) w cr
0n (1 Q m n =
0 -3 N lu M
IT
%a
C, 0 0
C
c V
a. a.
0 ca

0
:i zr

0 c6. 0
2 lu
to b-
Z ti :im Z ti :Z E -
00 ju :i La 0 v3 ID
rr rr m m 2 lu cn
rr < h m
91 " w- W- l< - 10
N tr Z 0m
Z0
0 0
p =, m
0
OJrr * 0 ei
2 0 (D Z b-. 0 u2
ma
rr na
3 (D z0
0

10 m
tr
03 ic 0 :g0 bl 10 X s- Al bi N P.-
0- m- 0 :r b- - @I (D . rr
cr X6
Z rrN0 rT W 0 lu N- 0"
0 k-- zr. rr m r. - rr m 0 0 0
lu (1 lu ei (D 3
IU 1--- rr - 0M
l" 0Z0a h- rr r. k- t*
r
1- 0 ' kl ' p - 1.. e- . >
0
lu m o m. < rr cr tTj M
LG rr 0 b- 1-. lu
(D z- 0 gi k- = tr 0 0 cr
cr
? a.INN r. 0--10 c:
> rr a,
k<
MM0 (b ID rr 10 0
Z
Z
tim
(a 0 ta su
r.
0
cr
0
4) rr 0 rr rr 9
0 ul Ri
cr

n
0 C6
10 10 5> r- 0) W 0
n0 r- qi xZ m
0 rr m (1 - (b 00 IU 0 '
ti m0
rr 05 l lu l
0 m. (b c0 )- - Mt (b N. m
ZZm moi b- 0 th rr M Ph m Ph 0 0 0
n
0
cr 1- -0mn :3 :j=, 0 11 --3 0 JU 0
r. 0 zr -0<, O 0 MM rr 0
0
2 lu3 tr 00m-
12.0 rr M10< 1
>-11<
ib >
3
0=
p
00
rr
cr
(1 0 ju 0m m -m th w 3 rr Z 0
0
0 >- (D Z a
rr Z*0 >
rr 00 (1 - :jZ, oe w
), 0 0 tiv 0
wtlm < 9:
00 k-

ei 0 tr :i P-
rr

ON

Table AM (cont.) - Cooling water system sub-modules - preHAZOPed results.

A63
:cw t7 le X
1: -0
M SU M lu
1 th H In M1 In
n
<
0
V 0
.0
cr A) ":D, (b =m
-3 M oI
p cr
.4 rr 0 h-.
(b 12.0 m=M
cr
&0
w

9j 0 cr
U Z0 z
a"
2
0 0 01 M I"
M0 ; tr pqn CL"n '0'
P-hw 2Z (vs j X0XM2, 2= 0a
0'. M - W- - rr
:r n cr =-mMWQW > 0%
0 z r
0 0
cr> == mn 00
(v Ju
3 Q0 :r
(b " >
20, 0.
r. m
a
cr

rr M=
I- -
Z0
aa"
11
(Ir M Al 01
(D 0 la, , I< "
a. ---
- (w cr 0ma
to
cf,
1.- :3
1.. 0 >
X
li
cr
I? 0a ILI C A) 00" 3VZ00 0
I. :rM ol I. - to (a I-,' cr > r0 (1 o- W )-- =" I
00 0 (D M C P- -
cr Al 0 [a -I 3mN a
.=
". n
cr n5
Al m W. (D = m
cr n W. (A
P
0m
:r m=z LO
0 to cr
w cr 0 m0 mm0 rr
- 0 to r. U I =1 m c - lu "
I ') c
m 0
==
1.. Ic
a
= rr
W.
a. 0 %D -ta w0

IEnM 1 X 0 0
M P-M
--:r0- 0 a
11 MM- MM-
rr
pi t1i
I- rr 1 CD cr
rr 0M I- M
m 0 mM
pi ju M zU0 zrn 5
to z w lu (A
cr < m M Its "i Iola t1l
5m P" III pl. 1- 1.- K) W. 1- W. P., 00
0 ol n m lu
(D x
SL "i a,
cr 1-. :3 :10 0) Q 0
su 0 0 o ka 0 Q0 0
n cr t1l I
05 to z0 0
=w rr 9 a. m r- m
rr lu
pi
n a, w n
su 0 0
rr a 1

m m tri 0 en 0
> S.
I- M >
09 IE Qm W- 10 c 0 I-.
rr
W.
m W* r cr - w- '3 cr PI . 0 0 0
10 0 9) wz Ij w (D I..- Z pi
I- '- lu I- w.
"m "i 0 Al 1.1 cr
0M-
cr 1: s In 2- At
.
cr tj
0)

11 w
.
En
>r
0
P a lu (D (D pi -0 .,. I.. . >
lu " 0. w0 < cr ftl 0
La cr 0 Al t7l (D lu -0 tri 00
m =1 V 0) () M til (D a 0M
< . A'
m ri
-- rr >
P" rr 0. tr " cr W. z a rr 0
P" (D m0ar It: z (a
0 t* Ea
cr cr 0
0
z
1.- 0 4 lu 0
:I
m cr IL rr cr rr
0 0 pi
0 0

lal

9>Z li , M*P.* cr nmw m


---gonw r- su-- Z
a00"o 10 ju -ma == til r rr - 0
cram0
L 'o0 lu

u= a
0 WWPIN (DIU w
Al r_ 10 pq
j 0 ol a01., 5L
1 Pt M 'U L.
; =. 3 50 cr 9 11
w
W. P. - 0
cr W.:: =1
0 PA.0 OW. 1- 9)
0 to
%1 1-10M r tvi
Cr'"I m" 0 ju n-
cr Z. tr -0
:i l< 0"
'0 0 -3
Ln fl cr r
rm" cr C, 0
"* :4
0 9x0
5 tr M0M 0 En 0mW. .- P-hM M
cr 0wM cc> :j cr lExmawm = z
, 0 U, C 0 W. M '0 W IL 0 V
Im rr 0 P- "I rr fo 0t > M to 11 w 10 m0c :01
cr Z DI0, Co
m (DM-Z. m0m"
:r 01 fu cr 12,1- ZCm pq -3
0 Co
cr 0) La a, r0 l<
:r wa00 Z 0 Q0 A tr m-< P" Z 0
rr ol
cr -wU 0 #1 tw P.- 0
10 z 00 . " (D .- m ---LO
lal En
to w. = c to M (D
0 cr 9) tr Z
0 cr (D cr

-0

-j
Table A3.1 (cont.) - Cooling water system sub-modules - preHAZOPed results.

A64
-n %I
10
t2 Aj v
P I- in ol M "I
00 < 2,n
v IC:c )o
0 0
m 0.0
0 "Mz rr n
-n ce0 n :c
nn ti nnP,
00-00
0 :3w0=
C?rr - cr cr
11"" 1110
0000
tr

cr w cr En 13N
w M

n0
Pa. a 0. cr
00m0
m
t)
0
rr
M
0

0
%L
000-08
P 0.W
rX ju (/I cr
m go mm 3
00a5 cr cr 10
wmzMW. a lu
n" La cr
P-W.0 ju
0 cr
1 "a
Im M ju
1-0 a
9
M0w jl. a0
0.
0

M n
0
U cr cr
00. 0
m ol
M x
0
a El ;,
0
cr

>
-1 x0
ImW*0
rr I
110
lu
cr
fb

DO

M
M
z

Ila
w

OD

TableAM (cont.) - Cooling water systemsub-modules- preHAZOPedresults.


A65
41
0 44 lu n
wlo
cr >-
a
io P.
:1

W. :3 rr "1 9n A
m0
In %a
0 00
=a0a00 00
m
lu m n 1 :10 ;
c cr CLto fo ty. I.-
P" I- :r<Mm (I )d cr M
1... "t "< Im 00n
-" " CT w
0,
n" tIr W"=M
K0
P (Q IV3 n 0
<-Z
(brr 0 () 0w
cr L Al =w tn
rr to t- W
< wo0
rr
cr

"M w CLnw
0n0 0

cr
M
L
1 10 to n m0m m
00M" 9 rr rr 10
mzM M Im
W. (I Aj PI
(v cr 14 m
3 -,- Im M
m0 - IL m :30eh M
W

tTl n
:po
vi 3
cr $.I
10
00
"Cl

03

m
0

W- ;a
lu
14xn
lu 0
tiLa
0-
rr B
0CV

cr

(1

%D

Table AM (cont.) - Cooling water system sub-modules - preHAZOPed results.

A66
-n
10
0 CT & s-
ti 0
11 iv 1

:x
V; 80

I
go
(T Im
cr n (T %*tr
ju m
W

m
N
; CLno N
00< m X9X
011k) Im (I 10
lu 03 0 (D 0 cr W. "W
a. . W. rr M cr (D :1w
0 tj = D) 14, w .1" rr
m.
QS I- - Vn
W :rnzAl 0
rr cr c 19 w 9
li cr
0 10
(D rr -W iWa 0.0 < tj
9 1.- L - P- crm ;0
1... 0 l< 0)
lu n=c p tr
cr
P., wm
jL
- " 9 8
ImPL0H
0 mZw IU

0 cr Or
mtA "0

3 0 t-i
0 0- <-
M J.A
m
m X
A

> a)
ul In
LT3
1-
0 r. a
'a. cr
1, lu
'I, n li tr ti
cr
fo
010
W
ri
cr
On

'x

0
z

Ell

113
lu

Table AM (cont.) - Cooling water system sub-modules - preHAZOPed results.

A67
10
P7 "I
Al 0
n
cr 0 M.
m L 0 W.lu
0 "M= rr n
z

> rr 9L aw cr M0 00
n V(D 0 a =' 00 0V
al I., :s I--ImI.- z w
I.- rr - I- rr N
m (0 0 o 0> 0. rb
C"
,u P r r.
.0
1 I-.
P" 8
rr '04
ar . = P9 1 rr
" I. to lu - 0- LQ Al a. rr
l< " ". W KmW. N 9 0
() $ cr to $ cr 11
0.9 1 (D I- M
a !, M1" I
:rm
ti E(I

r0 z lu 0 cr
mm m0m
rr 0 0.. rr W. w
M W. = M iL = cr
8

cr
I-
n
0nm
l< 00=
10 9N
Aj ;
0 (1 mV9 A
l< 00= pi
0=wj0. - m=W -j I. -
cr P- I- I=. cr 13, -- I=.
(D --- I-. co cr I., (v - W. CO Cr "

mg w-Po
P-* 1 rr I. -
a W.
rr =
to lu
rr P. 0
000
-
0.0 Z .0 2 :I
(D = C/I cr
9 Ia. M 11
0 A) 0) 0wm 10
0
I.- Ul =1 W.= I-- IT :r
z (p 0 0m
0rr
rr 0 ILI
rr 0,. A &1
cr 0 rr er
0 tr
1.-0 s.- 0
<

rl
m

N
W
A ;
Q ju to X

0
rr rr :
W, CT P- rr :ro

10
2)

TableAM (cont.) - Coolingwater systemsub-modules- preHAZOPedresults.


A68
Worksheet

Company:
Facility: Exothermic Reactor Pago
.1
Revision: 0 24 Mar 95
Node: 1 Reactor liquid feed with flow control
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. No Flow i. i. Feed line IC 1.1.1. Reaction does EE Low flow


blocked. not proceed as alarm
Control valve fails required. Poor
shut. conversion, side
reactions etc.

1.1.2. NO FLOW FROM DPE 1.1.2.1. Low flow


UPSTREAM UNITS alarm

2. More 2.1. control valve IC 2.1.1. Incomplete Ez


Flow fails open conversion of
reactants

2.1.2. HIGH FLOW TO IPE


UNIT DOWNSTREAM OF
REACTOR OUTLET

2.1.3. HIGH FLOW FROM DPE


UPSTREAM UNITS

3. Less 3.1. Feed line IC 3.1.1. Reaction does ZZ 3.1.1.1. Flow control
Flow partially blocked not proceed as
required. Poor
conversion, side
reactions etc.

3.1.2. LESS FLOW TO IPE 3.1.2.1. Flow control


UNIT DOWNSTREAM OF
REACTOR OUTLET

3.1.3. LESS FLOW FROM DPE 3.1.3.1. Flow control


UPSTREAM UNITS

3.2. Control valve IC 3.2.1. Reaction does Ev- 3.2.1.1. Flow control
fails insufficiently not proceed as
open required. Poor
conversion, side
reactions etc.

3.2.2. LESS FLOW TO XPE 3.2.2.1. FLow control


UNIT DOWNSTREAM OF
REACTOR OUTLET

3.2.3. LESS FLOW FROM DP-- 3.2.3.1. Flow control


UPSTREAM UNIT
I
Revision: 0 24 Mar 9S
Node: I Reactor liquid feed with flow control
Parameter: Pressure

D--VIATION CAUSES CAT CONSEQUZNCES CAT SA-5-D7JARDS CAT RECOMMMATIONS

2. Lower 2.2. Feed line IC 2.2.1. Reactiona does Ez 2.2.1.1. Pressure


Pressure leaking. not proceed as control
required. Poor
conversion, side 2.2.1.2. FLow control
reactions etc.

2.2.2. Environmental Ez
II I damage.
-j

mAZOP-PC 3.02 by Primatech Inc.

Table A3.2 - Exothermicreactorsub-modules- preHAZOPedresults(IC filtered).


A69
Worksheet

Company:
Facility: Exothermic Reactor Page:

Revision: 0 24 Mar 95
Node: 2 Vapour Out
Parameter: Flow

CAUSES I
DEVIATION CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. so Flow 1.1. Vapour out line IC 1.1.1. Reaction does EZ Low flow
blocked. not proceed as alarm
Control valve fails required. Poor
shut. conversion, side
reactions etc.

1.1.2. NO FLOW AT IPE 1.1.2.1. Low flow


UNITS UPSTREAM OF alram
REACTOR FEED

1.1.3. NO FLOW TO DPE 1.1.3.1. Low flow


DOWNSTREAM UNITS alarm

2. More 2.1. Control valve IC 2.1.1. Insufficient EE 2.1.1.1. High flow


Flow fails open conversion of alarm
reactants.

2.1.2. MORE FLOW FROM IPZ 2.1.2.1. High flow


UNITS UPSTREAM OF alarm
REACTOR FEED

2.1.3. MORE FLOW TO DPE 2.1.3.. 1. High flow


DOWNSTREAM UNITS alarm

3. Less 3.1. Vapour outlet IC 3.1.1. Reaction does EE 3.1.1.1. Flow control
Flow line partially blocked not proceed as
required. Poor 3.1.1.2. Low flow
conversion, side alarm
reactions, etc.

3.1.2. LOW FLOW TO DPE 3.1.2.1. Flow control


DOWNSTREAM UNITS
3.1.2.2. Low flow
alarm
3.1.3. LOW FLOW FROM IPE 3.1.3.1. Flow control
UNITS UPSTREAM OF
REACTOR FEED 3.1.3.2. Low flow
alarm

3.2. Control valve IC 3.2.1. Reaction does Ez 3.2.1.1. Low flow


fails insufficiently not procedd as alarm
open required. Poor
conversion, side
reactions etc.

3.2.2. LOW FLOW TO DPE 3.2.2.1. Low flow


DOWNSTREAM UNITS alarm
3.2 3. LOW FLOW FROM IPE 3.2.3.1. Low flow
UNHS UPSTREAM OF alarm
REACTOR FEED
I I I
Fevision: 0 24 Mar 9S
Node: 2 Vapour Out
Parameter: Pressure

D-TVZATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CATI RECOMMENDATIONS

2. Lower 2.1. Vapour out line IC 2.1-1. Environmental EE


Pressure leaks to atmosphere damage

2.1.2. Reaction does EE


not proceed an
required. Poor
conversion, side
reactions, etc.

FAZOP-PC 3.02 by Primatech Inc.

Table A3.2 (cont.) - Exothermicreactorsub-modules- preHAZOPedresults(IC filtered).

A70
Worksheet

company:
Facility: Exothermic Reactor Page :3

Revision: 0 24 Mar 95
Node: 3 Reactor liquid outlet with flow control
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. No 1.1. Outlet line IC 1.1.1. Reactor EE Low flow


Flow: blocked overflows alram

1.1.1.2. High level


alarm
1.1-2. Reaction does EE 1.1.2.1. Low flow
not proceed an alarm
required. Poor
conversion, side
effects, etc.

1.1.3. NO FLOW FROM XPE 1.1.3.1. Low flow


UNITS UPSTREAM OF alarm
REACTOR FEED

VAZOP-PC 3.02 by Primatech Inc.

Table A3.2 (cont.) - Exothermicreactorsub-modules- preHAZOPedresults(IC filtered).

A71
Worksheat
Company:
Facility: Exothermic Reactor Page:

Revision: 04 Sep 9S
'; ode: 10 Reactor vessel self
Parameter: Maintenance

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. 1.1. Incorrect IC 1.1.1. Toxic dust ZZ permit to Ensure


Catalyst procedures. hazard. work. reaction vessel can be
Removal Reactor improperly isolated and cleaned
MainCenanc isolated. 1.1.1.2. Vessel prior to personnel
e Spent catalyst isolated by slip enetering vessel.
disposed of plates and removable Ensure personnel
incorrectly. spools /elbows. entering vessel have
all necessary
protective equipment
and are trained in its
use.
Ensure correct
equipment is available
for safe removal of
spent catalyst.
Ensure spent catalyst
can be disposed of
safely and in
accordance with
statutory
requirements.

I: AZOP-PC 3.02 by Primatech Inc.

Table A3.2 (cont.) - Exothermicreactorsub-modules- preHAZOPedresults(IC filtered).

A72
worksheet

Company:
Facility: Exothermic Reactor Page t

Revision: 0 24 Mar 95
Node tI Reactor liquid feed with flow control
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. No Flow 1.2. NO FLOW FROM VUL 1.2.1. Reaction does EE 1.2.1.1. Low flow
UPSTREAM UNITS not proceed as alarm
required.

1.2.2. NO FLOW TO IPE 1.2.2.1. Low flow


UNITS DOWNSTREAM OF alarm
REACTOR OUTLET

2. More 2.2. HIGH FLOW FROM VUL 2.2.1. Incomplete EE 2.2.1.1. Flow control
Flow UPSTREAM UNITS conversion of
reactants

2.2.2. HIGH FLOW TO XPE 2.2.2.1. Flow control


UNIT DOWNSTREAM OF
REACTOR OUTLET

3. Less 3.3. LESS FLOW FROM VUL 3.3.1. Reaction does ZZ 3.3.1.1. Flow control
Flow UPSTREAM UNITS not proceed as
required. Poor
conversion, side
reactions etc.

3.3.2. LESS FLOW TO IPE 3. i. 2.1. Flow control


WIT DOWNSTREAM OF
REACTOR OUTLET

Revision: 0 24 Mar 9S
Node: I Reactor liquid feed with flow control
Parameter; Temperature

DEVIATION CALTSES CAT CONSEQUENCES CATI SAFEGUARDS CAT RECOtOZENDATZONS

1. Higher 1.1. HIGH TEMPERATURE VUL 1.1.1. Reaction begins EE Temperature


Temperatur FROM UPSTREAM UNITS to runaway. Possible control.
e explosion.
1.1.1.2. Relief valve
required.

1.1.2. Reaction does ZE 1.1.2.1. Temperature


not proceed as control
required. Poor
conversion, side
reactions etc.

2. Lower 2.1. LOW TEMPERATURE VUL 2.1.1. Reaction does ZZ 2.1.1.1. Temperature
Temperatur FROM V? STR EAM UNITS not proceed an control
0 required. Poor
conversion, side
reactions etc.

2.1.2. Reaction does ZZ 2.1.2.1. Temperature


not proceed at control
required rate.
I I I
Revision: 0 24 Mar 9S
Node: I Reactor liquid feed-with flow control
Parameter: Pressure

DEVIATION CAUSES CAT CONSEQUENCES CAT S; F-tatr-RDS CAT

1. Higher 1.1. HIGH PRESSURE VUL 1.1.1. Reaction does EZ Pressure


pressure FROM UPSTREAM UNITS not proceed as control
required. Poor
conversion, side
reactions, etc.

2. Lower 2.1. LOW PRESSURE FROM VUL 2.1.1. Reaction does EZ 2.1.1.1. Pressure
Pressure UPSTREAM UNITS not proceed as control
required. Poor
conversion, side
reactions etc.

HAZOP-PC 3.02 by Primatech Inc.

Table AM - Exothermic reactor sub-modules - preHAZOPed results (VUL filtered).

A73
Worksheet

Company:
Facility: Exothermic Reactor Page:

Revision: 0 24 Mar 9S
Node: 2 Vapour Out
parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. No Flow 1.2. NO FLOW TO VUL 1.2.1. Reaction does EE 1.2.1.1. Low flow
DOWNSTREAMUNITS not proceed as alarm
required. Poor T
conversion, side
reactions etc.
1.2.2. NO FLOW AT IPE 1.2.2.1. Low flow
UNITS UPSTREAM OF alarm
REACTOR FEED

2. More 2.2. HIGH FLOW TO VUL 2.2.1. Insufficient EE 2.2.1.1. High flow
Flow DOWNSTREAMUNITS conversion of alarm.
reactants
2.2.1.2. Flow control

2.2.2. MORE FLOW FROM IPE 2.2.2.1. High flow


UNITS UPSTREAM OF alarm
REACTOR FEED
2.2.2.2. Flow control

3. Less 3.3. LOW FLOW AT VUL 3.3.1. Reaction does EE 3.3.1.1. Low flow
Flow DOWNSTREAMUNITS not proceed as alarm
required. Poor
conversion, side
reactions etc.

3.3.2. LOW FLOW FROM IPE 3.3.2.1. Low flow


UNITS UPSTREAM OF alarm.
REACTOR FEED

Revision: 0 24 Mar 95
Node: 2 Vapour Out
Parameter: Pressure

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. Higher I. I. HIGH PRESSURE AT VUL 1.1.1. Reaction does EZ


Pressure DOWNSTREAMUNIT not proceed as
required. Poor
conversion, side
reactions, etc.

2. Lower 12.2. LOW PRESSURE AT VUL 2.2.1. Reaction does EE


Pressure I DOWNSTREAMUNIT not proceed as
required
I I I I 1- 1

HAZOP-PC 3.02 by Primatech Inc.

Table A3.3 (cont.) - Exothermicreactorsub-modules- preHAZOPedresults(VUL filtered).


A74
Workshect

Company:
Facility: Pagai I

Revision: 02 Jun 9S
Node: I Inlet to tanker, controlled by batch meter (tanker loading operations)
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

2. More 2.2. Batch meter IC 2.2.1. Tanker LOC 2.2.1.1. overfilling


Flow control valve fails overfilled alarm
open.
operator enters wrong 2.2.1.2. Pressure trip
amount into batch
meter control.

2.3. Hose ruptured. IC 2.3.1. Leak to LOC 2.2.1-1. Ensure hoses


environment. are stored correctly,
inspected frequently
and changed regularly.

2.4. Tanker moves off IC 2.4.1. Leak to LOC 2.4.1.1. Dry break 2.4.1.1. Loading bay
while loading environment. couplings. to be on level ground.
operation still in Ensure tanker can be
progress. 2.4.1.2. Tanker parked securely in bay
Driver drives off, immobilisation at a reasonable
tanker not parked interlock. distance from other
securely, or tanker in traffic.
conflict with other
traffic.

Revision: 0 12 Jun 95
Node: I Inlet to tanker, controlled by batch meter (tanker loading operations)
Parameter: Composition

DEVIATION CAUSES CAT CONSEQUENCES CATI SAE-EGL-ARDS CAT RECOMMENDATIONS

1. Other 1.1. Wrong tanker IC 1.1.1. Material LOC Use different


Than connected incompatibility. connectors where
Compositio material
n incompatibilty is a
problem to so wrong
tanker cannot be
connected easily.

1.2. Wrong material ill IC 1.2.1.1.2.1. Material LOC 1.2.1.1. Check tanker
tanker incompatibility. contents before
unloading if material
incompatibility is a
problem.

HAZOP-PC 3.02 by Primatech Inc.

Table AM - Road tanker sub-modules- preHAZOPed results (IC filtered).

A75
Worksheet

Company:
Facility: Pagel 2

Revision: 0 12 Jun 95
Node: 2 Pumped outlet from tanker, no control (tanker offloading operations)
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFETUARDS CAT RECOMMENDATIONS

1. No Flow 1.1. Tanker outlet IC I. I. I. Tanker not LOC


line blocked. emptied an required.

1.1.2. NO FLOW TO PE
DOWNSTREAM UNIT

2. More 2.1. Hose ruptured. IC 2.1-1. Leak to LOC 2.1-1.1. Ensure hoe*@
Flow environment. are stored correctly,
inspected frequently
and changed regularly.
2.2. Tanker moves off Ic 2.2.1. Leak to LOC 2.2.1.1. Dry break 2.2-1.1. Loading bay
while offloading environment. coupling*. to be on level ground.
operation still in Ensure tanker can be
progress. 2.2.1.2. Tanker parked securely in bay
Driver drives off, immobilisation at a reasonable
tanker not parked interlock. distance from other
securely, or tanker in traffic.
conflict with other
traffic.

3. Less 3.1. Tanker outlet IC 3.1-1. Tanker takes LOC


Flow line partially longer to empty than
blocked. normal

3.1.2. LESS FLOW TO PE


DOWNSTREAM UNIT

4. Reverse 4.1. Discharge pump IC 4.1.1. REVERSE FLOW AT PE 4.1.1.1. Non-return


Flow fails DOWNSTREAM UNIT valve

HAZOP-PC 3.02 by Primatech Inc.

Table A3.4 (cont.) - Roadtankersub-modules- preHAZOPedresults(IC filtered).

A76
Worksheet

Company:
Facility: Pagel a

Revision: 02 Jun 95
Node: I Inlet to tanker, controlled by batch meter (tanker loading operations)
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. No Flow 1.1. NO FLOW FROM VUL 1.1.1. Tanker not LOC


UPSTREAM UNIT filled an required.

2. More 2.1. MORE FLOW FROM VUL


Flow UPSTREAM UNIT

3. Less 3.1. LESS FLOW FROM VUL 3.1.1. Tanker takes LOC 3.1.1.1. Orverdus
Flow UPSTREAM UNIT longer to fill than filling alarm.
normal.

Revision: 0 12 Jun 95
Node: I Inlet to tanker, controlled by batch meter (tanker loading operations)
Parameter: Pressure
I CONSEQUENCES CAT RECOMMENDATIONS
D-SVIATION CAUSES CAT CAT SAFEGUARDS

1. Higher I. I. HIGH PRESSURE VUL 1.1.1. Tanker LOC Relief valve


Pressure FROM UPSTREAM UNIT overpressure rupture.

2. Lower 2.1. LOW PRESSURE FROM VUL 2.1.1. Vessel takes LOC
Pressure UPSTREAM UNIT longer to fill than
I I normal

HAZOP-PC 3.02 by Primatech Inc.

Table A3.5 Roadtankersub-modules- preHAZOPedresults(VUL filtered).


-
A77
Workshe*t

Company:
Facility: Page: 2

Revision: 0 12 Jun 95
Node: 2 Pumped outlet from tanker, no control (tanker offloading operations)
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. No Flow 1.2. NO FLOW AT VUL 1.2.1. Tanker not LOC


DOWNSTREAM UNIT emptied as required

3. Lose 3.2. LESS FLOW TO VUL 3.2.1. Tanker takes LOC


Flow DOWNSTREAM UNIT longer to empty than
normal

4. Reverse 4.2. REVERSE FLOW FROM VUL 4.2.1. Tanker LOC


Flow DOWNSTREAM UNIT overfills.
I II Environmental damage.

HAZOP-PC 3.02 by Primatech Inc.

Table A3.5 (cont.) - Roadtankersub-modules- preHAZOPedresults(VUL filtered).

A78
Worksheet

Company:
Facility: Page: 1

Revision: 02 Jun 95
Node: I storage tank feed inlet with level control an tank.
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CATI RECOMMENDATIONS

1. No Flow 1.1. Feed line IC I. I. I. Possible ZZ


blocked. inability to continue
Level control valve process at normal
fails shut. production rates
1.1.2. Low tank level EE 1.1.2.1. Low level CON
leading to outlet pump alarm
cavitation.
1.1.2.2. Level CON
indicator

1.1.3. NO FLOW AT DPE


UPSTREAM UNITS

2. More 2.1. Control valve IC 2.1.1. Inadequate EZ 2.1.1.1. Relief valve. 2.1.1.1. Size vent
Flow "ails open venting. Vessel adequately
overpressure rupture.

2.1.2. Static build ZZ 2.1.2.1. Dip tubes for 2.1.2.1. Flammable


up. filling. fluids only.
if filling is not done
via dip tubes check
design assumptions.

2.1.3. MORE FLOW AT DPE


UPSTREAM UNITS

3. Less 3.1. Feed line IC 3.1.1. Vessel takes EZ 3.1.1.1. Level CON
Flow partially blocked. longer to fill than indicator.
Control valve fails normal
insufficiently open.
3.1.2. LOW FLOW AT DPE 3.1.2.1. Level CAU
UPSTREAM UNIT indicator.

Revision: 02 Jun 95
Node: I Storage tank feed inlet with level control on tank.
Parameter: Pressure

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFE=RDS CAT RECOZOMMATIONS

1. Higher 1.2. Feed line IC 1.2.1. Expansion of EZ 1.2.1.1. Hydraulic CON 1.2.1.1. Ensure
Pressure isolated. locked in fluid causes pressure relief operating instructions
hydraulic overpressure preclude deliberate
rupture of line. isolation of line
without having first
drained line.

1.2.1.2. Ensure design


minimises opportunit*s
for isolation in error
due to control valves
failing etc.
1.3. Level. control IC 1.3.1. LIQUID HAMMER. DP-T 1.3.1.1. Only a
valve closes quickly. HIGH PRESSURE TO problem for long
Manual valve on UPSTREAM UNITS. pipelines.
storage tank inlet Ensure closing time on
closes quickly. control valves and
Manual valves is long
enough to avoid liquid
hammer.

HAZOP-PC 3.02 by Primatech Inc.

TableA3.6 - Storagetank sub-modules- preHAZOPedresults(IC filtered).


A79
Worksheet

Company:
Facility: Page: 2

Revision: 02 Jun 95
Node: 2 storage tank vent to atmosphere
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CATI RECOMMMATIONS

1. No/Less I. I. Vent line blocked IC I. I. I. Tank EE Relief valve CON Minimise


Flow or partially blocked overpressure rupture opportunities for vent
on filling blockage

1.1.1.2. Ensure flame


arrestor is maintained
correctly.

1.1.2. Tank vacuum EZ 1.1.2.1. Vacuum relief CON 1.1.2.1. Minimise


collapse on discharge valve. opportunities for vent
blockage.

1.1.2.2. Ensure flame


arrestor is maintained
correctly

HAZOP-PC 3.02 by Primatech Inc.

Table A3.6 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

A80
worksheet

Company:
Facility: Page:

Revision: 02 Jun 95
Node: 3 Storage tank overflow
Parameter: Flow

CAUSES CAT CONSEQtMNCES CAT SAFEGUXUS CAT RECOMMENDATIONS


DEVIATION

1. No/Less 1.1. Overflow blocked IC 1.1.1. No/partial tank EE Level control CON Ensure
Flow or partially blocked overflow available. opportunities for
Possible tank rupture 1.1.1.2. Level CON overflow blocking are
on overfilling indicator minimised.

1.1.1.3. High level CON


alarm

HAZOP-PC 3.02 by Primatech Inc.

Table A3.6 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

A81
Worksheet

Company:
Facility. P&90:

Revision: 02 Jun 9S
Node: 4 Storage tank outlet
Parameter: Flow

I
DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. No Flow 1.1. Outlet line IC I. I. I. NO FLOW TO DPE Low flow CAU


blocked between tank DOWNSTREAM UNIT alarm
and Pump.
Pump fails.

1.2. Flow control IC 1.2.1. NO FLOW TO DPE 1.2.1.1. Low flow CAU
valve fails shut. DOWNSTREAM UNIT alarm
Outlet line blocked
downstream of pump. 1-2.2. Full head pump EE 1.2.2.1. Kick back 1.2.2.1. Consider
pressure developed. line. designing equipment to
High pressure rupture withstand maximum pump
risk to outlet line. 1.2.2.2. Low flow delivery pressure.
Punp overheats, seals alarm.
damaged, possible
leak.

2. More 2.1. Control valve IC 2.1.1. HIGH FLOW TO DPE


Flow fails open DOWNSTREAM UNIT

2.2. Spare pump IC 2.2.1. HIGH FLOW TO DPE 2.2.1.1. Flow control CON 2.2.1.1. Ensure
running in error DOWNSTREAM UNIT operating and
maintenance
instructions preclude
running parallel pumps
incorrectly.

2.3. Outlet line IC 2.3.1. Tank contents EE 2.3.1.1. Emergency CON 2.3.1.1. Ensure tank
ruptured lost to environment isolation valve is adequately bunded.

2.3.1.2. Locate
isolation valve as
near as possible to
tank.

2.3.1.3. Consider need


for remote operation
of isolation valve.

2.4. Pump seals fail. IC 2.4.1. Environmental EE 2.4.1.1. Emergency CON 2.4.1.1. Use canned or
contamination isolation valve. seal-less pump if
appropriate.

2.4.1.2. Pump to be
adequately bunded.

2.4.1.3. Consider need


for remote operation
of isolation valve.
3. Less 3.1. Outlet line IC 3.1.1. LESS FLOW TO DPE 3.1.1.1. Flow control CON
Flow partially blocked. DOWNSTREAM UN.IT *
Pump running 3.1.1.2. Low flow CON
incorrectly. alarm
3.2. Control valve IC 3.2.1. LESS FLOW TO DPE 3.2.1.1. Low flow
fails insufficiently DOWNSTREAM UNIT alarm.
open.

4. As Well 4.1. Contamination of IC 4.1.1. CONTAMINATION DPE


As Flow tank contents OF DOWNSTREAM UNIT

S. Reverse 5.2. Outlet line IC 5.2.1. REVERSE FLO W DPE


Flow ruptured. FROM DOWNSTREAM UNIT
1 f I
Revision: 02 Jun 9S
Node: 4 Storage tank outlet
Parameter: Pressure
I
DEVI AT I ON CAUSES CAT CONSEQUENCES CAT SAFIrcu; URDS CAT RZC01'CIMMATIONS

2. Lower 2.1. Storage tank IC 2.1.1. Low tank level DPE 2.1.1.1. Low flow CAU
Pressure inlet line blocked. leading to Low alarm
Level control valve PRESSURE AT DOWNSTREAM
fails shut. UNIT 2.1.1.2. Low level CON
alarm

2.1.1.3. Level CON


indicator
I II

F=OP-PC 3.02 by Primatech Inc.

Table A3.6 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

A82
worksheet

Company:
Facility: Page- 5

Revision: 02 Jun 9S
Node: S Storage tank self
Parameter: Temperature

CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMM-DATIONS


DEVIATION

1. Higher 1.1. Fire IC 1.1.1. Rapid ZE Emergency CON


Temperatur evaporation of tank fire relief valve.
0 contents.

1.1.2. Structural ZE 1.1.2.1. Ensure


weakening of tank. adequate fire relief
equipment exists.

1.2. High IC 1.2.1. Rapid EZ 1.2.1.1. Temperature CAU 1.2.1.1. Lag tank to
ambient
evaporation of tank indicator protect against high
temperature
contents ambient temperature if
necessary.

1,2.2. Possible pump EZ 1.2.2.1. Temperature


cavitation indicator.

2.1. Cold IC 2.1.1. Possible EZ 2.1.1.1. Temperature CAU 2.1.1.1. Lag tank to
2. Lower weather
Temperatur freezing of contents indicator protect against cold
ambient temperature if
a
necessary.

2.1.1.2. Install trace


Z eating if necessary.

2.1.2. Rapid EZ 2.1.2.1. Install CON


condensation of vacuum relief.
vapour. Possible
vacuum collapse. 2.1.2.2. Temperature CAU
indicator
2.1.3. Condensation of EE 2.1.3.1. Temperature CAU 2.1.3.1. Use inert
vapour draw* air into indicator blanket if necessary.
tank. See blanket in and
vent out ncdes.

2.1.4. Pump seals EZ 2.1.4.1. Temperature CA,


damaged indicator

Revision: 02 Jun 9S
Node: 5 Storage tank self
Parameter: Pressure

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECO10=3ATIONS

Fluid for IC 1.1.1. Tank ET Design tank


Pressure hydraulic test is overpressure rupture to contain all
denser than fluid tank appropriate fluids.
designed for

p.evision: 02 Jun 9S
Node: S Storage tank self
Parameter: Level

D--rVIA-4IODT CAUSZ,S CAT CONSZQ7ENCz3 CAT SAF-r.=RDS CATI R-ECOM--%-.


)AT IONS

1.1. Level IC 1.1.1. Tank contents Ez Overflow CON Overflow to


1. Higher control
Levei fails lost to environment be below tank roof.
Wrong level sensed due 1.1.1.2. High level CAU
to tank being filled alarm 1.1.1.2. Tank to be
less dense adecr4ately bunded.
with
material than 1.1.1.3. Level CATJ
anticipated. indicator

F; kZOP-PC 3.0.1 by Primatech Inc.

Table A3.6 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

A83
. Worksheat

Company:
Facility: Page: 6

Revision: 02 Jun 9S
Node: 6 Storage tank vent in from inert blanket supply.
Parameter: Flow

CAUSES CAT CONSEQUENCES I


DEVIATION CAT SAFEGUARDS CAT RECOMMENDXTIONS

1. No Flow I. I. Vent in line IC 1.1.1. Tank vacuum EE Vacuum relief CON Minimiso
blocked collapse valve opportunities for line
blockage.

3. Less 3.1. Vent in line IC 3.1.1. Tank vacuum EE 3.1.1.1. Vacuum relief CON Minimise
Flow partially blocked collapse valve opportunities for line
blockage

Revision: 02 Jun 95
Node: 6 Storage tank vent in from inert blanket supply.
Parameter: Pressure

DEVIATION CAUSES CAT -CONSEatr&NCES CAT SAFEG=DS CAT RECOMMENDATIONS

1. Higher 1.1. Pressure control IC 1.1.1. Tank EE Install


Pressure failure of blanket overpressure rupture relief valve
2. Lower 2.1. Vent in line IC 2.1.1. Vacuum collapse EE 2.1.1.1. Ensure vent
Pressure blocked or partially in line is not prone
blocked to blocking

2.1.1.2. Install
vacuum relief

HAZOP-PC 3.02 by Primatech Inc.

TableA3.6 (cont.) - Storage


tanksub-modules
- preHAZOPed (IC
results filtered).

A84
Workshaet

Company:
Facility: Page:

Revision: 02 Jun 95
Node: 7 Storage tank vent out to vent header
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENI)ATIONS

1. No Flow I. I. Vent out line IC 1.1.1. Tank EE Ensure vent


blocked overpreassure rupture out line is not prone
to blocking

1.1.1.2. install
relief valve

2. More 2.1. Vent out line IC 2.1.1. Rapid EE


Flow open in error evaporation of tank
contents

3. Less 3.1. Vent out line IC 3.1.1. Tank EE 3.1.1.1. Ensure vent
Flow partially blocked overpressure rupture out line is not prone
to blocking

3.1.1.2. Install
relief valve

Revision: 02 Jun 9S
Node: 7 Storage tank vent out to vent header
Parameter: Pressure

DEVIATION CAUSES CAT CONSEQUEENCES CAT SATEGUAMS CAT RECOK'-MNDATIONS

i. Higher I. I. Vent out line IC 1.1.1. Overpressure EE Install


Pressure blocked or partially rupture relief valve
blocked

HAZOP-PC 3.02 by Primatech Inc.

Table A3.6 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

A85
Worksheet

Revision: 0 26 Jun 9S
Node: 3 Storage tank outlet via batch meter to tanker
Parameter: Flow
I
DEVIATION CAUSES CAT CONSEQUENCES CAT SATEGUAIMS C.AT RECOMMENDATIONS

1. No Flow 1.1. Outlet line IC 1.1.1. Tanker not EE


blocked between pump filled as required.
and tanker.
SaEEh meter control 1.1.2. Full head pump EE 1.1.2.1. Kick back
valve fails closed. pressure developed. line
Pump overheats, seals
damaged, possible
leak.

1.2. Pump fails. IC 1.2.1. Tanker not EE


Outlet line blocked filled as required.
between storage tank
and pump.

2. More 2.1. Outlet line IC 2.1.1. Tank contents E-:' 2.1.1.1. Emergency 2.1-1-1. Ensure tank
Flow ruptures. lost to environment. isolation valve is adequately bunded.
Tanker filling hose
ruptured. 2.1.1.2. Locate
isolation valve as
near as possible to
tank.

2.1-1-3. Consider need


! or remote operation
of isolation valve.
2.1.1.4. Ensure tanker
filling hose* are
stored correctly,
inspected frequently
and changed regularly.
2.2. Batch meter IC 2.2-1. Tanker E-- 2.2.1.1. overfilling 2.2-1.1. Consider
control valve fails overfilled alarm effects &. change in
open. six* of standard
Operator enters wrong 2.2.1.2. Pressure trip tanker will have on
amount into batch tanker loading
meter control. operations.
Tanker smaller than
ey.pected.
Tanker already
partially filled.

2.3. Tanker moves off IC 2.3.1. Leak to EZ 2.3.1.1. Dry break 2.3.1.1. Loading bay
while loading environment. couplings. to be on level ground.
operation still in Ensure tanker can be
progress. 2.3.1.2. Tanker parked securely in bay
Driver drives off, immobilization at a reasonable
tanker not parked interlock. distance from other
securely, or tanker in traffic.
conflict with other
traffic.

3. Less 3.1. Outlet line IC 3.1.1. Tanker takes EZ 3.1.1.1. overdue 3.1.1.1. Ensure
Flow partially blocked. longer to fill than filling operators do not rely
alarm.
Batch meter control normal. solely on time taken
valve fails to fill tanker as an
insufficiently open. indicator as to when
Pump running to disconnect filling
incorrectly. hose.

Revision: 0 26 Jun 95
Node: 8 Storage tank outlet via batch meter to tanker
Parameter: Composition

CAUSES CAT CONSEQUENCES I


DEVIATION CAT SAFE(YJA-RDS CAT RECOV.vF-'IDATIONS

1. Other 1.1. Wrong tanker IC 1.1.1. Material Em- 1.1-1.1. Use different
Than connected incompatibility. connectors where
compositio material
n incompat. bilty is a
problem to so wrong
tanker cannot be
connected easily.
1.2. Wrong material in IC 1.2.1. Material TZ 1.2.1.1. Check tanker
tanker incompatibility. contents before
unloading if material
incompatibility in a
problem.
1 f

HAZOP-PC 3.02 by Primatech Inc.

Table A3.6 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

A86
Worksheet

Company:
Facility: Page:
Revision: 0 26 Jun 9S
Node: 9 Storage tank inlet from tanker
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CATI SAFEGUARDS CAT RECOMMMATIONS

1. No Flow I. I. Tanker outlet IC I. I. I. Possible EE


line blocked. inability to continue
process at normal
production rates.

1.1.2. Low tank level EE


leading to outlet pump
cavitation

2. More 2.1. Hose ruptured. IC 2.1.1. Leak to EZ 2.1-1-1. Ensure hoses


Flow environment. are stored correctly,
inspected frequently
and changed regularly.

2.2. Tanker moves off IC 2.2.1. Leak to EZ 2.2.1.1. Dry break 2.2-1-1. Loading bay
while offloading environment. couplings. to be an level ground.
operation still .
in Ensure tanker can be
progress. 2.2.1.2. Tanker parked securely in bay
Driver drives off, immabilisation at a reasonable
tanker not parked interlock. distance from other
securely, or tanker in traffic.
conflict with other
traffic.

2.3. Larger tanker IC 2.3.1. Possible ZZ 2.3.1.1. Consider


than expected. inability to offload effects change in
tanker completely standard size of tank
without overfilling will have on tanker
storage tank. offloading operations.

3 Less 3.1. Tanker outlet IC 3.1.1. Tank takes E-1 3.1.1.1. Ensure
How line longer to fill do not rely
partially than operators
blocked. normal. solely on time taken
to empty tanker as an
indicator as to when
to disconnect hose.

4. Reverse 4.1. Discharge pump IC 4.1.1. Reverse flow EZ 4.1.1.1. I; on-r*turn


Flow fails from storage tank. valve
Tanker overfilling.
4.1.1.2. Siphon break
on dip tubes.

u=OP-PC 3.02 by Primatech Inc.

Table A3.6 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

A87
worksheat

Company:
Facility: Paget 10

Revision: 0 21 Jul 9S
Node: 11 Storage tank feed inlet without control valve.
Parameter: Flow

DEVIATION CATUTSES CAT CONSEQUENCF-S CAT SAFEGUARDS CAT RECOMMENDATIONS

1. No Flow I. I. reed line IC 1.1-1. Possible ZE


blocked. inability to continue
process at normal
production rates

1.1.2. Low tank level EE 1.1.2.1. Low level CON


leading to outlet pump alarm
cavitation.
1.1.2.2. Level CON
indicator

1.1.3. NO FLOW AT DPE


UPSTREAM UNITS

3. Less 3.1. Feed line IC 3.1.1. Vessel takes EE 3.1.1.1. Level CON
Flow partially blocked. longer to fill than indicator.
normal

3.1.2. LOW FLOW FROM DPE 3.1.2.1. Level CAU


UPSTRZX*4 UNIT indicator.
T

Revision: 0 21 Jul 9S
Node: 11 Storage tank feed inlet without control valve.
Parameter: Pressure

DEVIATION CAUSES CAT CONSEQUENCES CATI SAFEGUARDS CAT RECOMMENDATIONS

1. Higher 1.2. Feed line IC 1.2.1. Expansion of IC 1.2.1.1. Hydraulic 1.2.1.1. Ensure
Pressure isolated. locked in fluid causes pressure relief operating instructions
hydraulic overpressure preclude deliberate
rupture of line. isolation of line
without having first
drained line.

1.2.1.2. Ensure design


minimises opportunites
for isolation in error
due to control valves
failing etc.

1.3. Manual valve on IC 1.3.1. LIQUID HAMMZR. 1.3.1.1. Only a


storage tank inlet HIGH PRESSURE TO problem for long
closes quickly. UPSTREAM UNITS. pipelines.
Ensure closing time on
control valves and
manual valves in long
enough to avoid liquid
hammer.

HAZOP-PC 3.02 by Primatech Inc.

Table A3.6 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

A88
N
0
"I n
0 0 rr I.
0-w

;j L 10 4 ow . -0 .
, In I- w to

rr In
to t* a tO m
rr r. m
0 Ir 0
0m 0 rr

x n
a0 0 0
=nz Im
rr 0M In m rr rr R
w=I o pq m
cr 0 2 0 0
w rr
0

0 n
O. MW m -om
0ar
W aotnw N Pw W" nmon-31--l- rr I m-c-te.. ntnt'n-40-W rrr%m-*, iw
x- 0 rr 0a a0 fb , 0 CPr0a 0 r. 00

0 prM to W ; rrl-o 0 r , 'o


w0 0'.Wa wo t- 1-- 21"mn0 tj 0 w w"ano
0m
0
0 "a, Z
= m .000-
W. -1 1- . , 9 0a lun so cr .
- z7 11 0 tr m.
Im 0=0 5 0,0 n
=x lu b (r w0 tr 14-
& 01 th
, 9mz0 .1a0w 3a0,
11cr m< *n
W. x .aw
tn "" "* ,"m Ia. x"
.0
Kp i"r wa"a
N0
Ia. x"
-0 1ma
-4 at 04m c ta
lu ""= 19 a ,a"f, I C, = 4 a it 0m m
Im 9 1x to w ILI 9 F r.? -t " 0. N cr P" 91. x3
0 "a a 0 Im a 0m
1--
0Va

0m
'a Al
t0"

W. 0
"F-P m
1 m
a lu
W-
0m P.-

o 0. 0 IL11
"'(1
(1 0
rr 0 go
craw0
40IL
.
x.
cr17
wQ ww

0
so m cl to wto

rr cr
m

Z,w 000 =. " r. a, 11


w ILI 0-0 -
0
Mw 0 P. I.- W.
a? cr a 0NP.
0

tn M M m M m m
En M DI m V3 m M m
0, w nw nw 0. nw
0 0
0 SO p x
rr
mw 0 Ir Ir
0T 0 ta
0 t* >
M
x t,
x < ti:
Le <
la C er
0.
cr rrm o
0
m 9011 3mn 0
'
0 0

...........
M

TableA3.7 - Thermaloxidiser sub-modules- preHAZOPedresults.


A89
t) t- U 10 (b Ni w ti ?n
-0N PI . 0 m (1 m
a < < < < (1
10 - b w* N.4 h-.8
a ;> (b Z0 IU
0 mM .4 0 m* N- 3lu
Mm0 KL 0
fo 0m 0 11 (D =
" z

-n tj M CM cr M tr w -n F- low 0 92
M z"lu r- 0 r_
ol -
0 -A
$. :0
R ;.
pq 0
0 j .60
l 2 i
" lu al N
c t 0K0 pi mw C
r-I
,t2 to D ID.r. .0
En m<0-" t/3 0 tr c cl ir 0
= 11 "0 m gi x
rr -, 1:
<m
z5
cr $I m 10
V,
c
w %0

0 - "m ; PO to
tTj
M
W - La w to U)
op
m P"
lu rr
I..
su

q ic 0N Di 0 -1 ic 0N ww 0M r_
rr ::
r
(D 0 A?
X0P. x- , rr =' 0 lu X-"
5Mxm0... I---
= 9
5091.. rr 9L - 0S 1- rr CL I... pr 0 ..
m =
P.0 (Dw
10 0. rr 1.
.- 03n.P.
ll - 00 Al
rr . to . 2
(4
1..
=1 2) 2) :rw pi
- 0 0 (D :10 tr M Z c) rr
m e-
11 ? 11 11 ' l 1
1-1 01 : 11 1., 0: : 01I l 10 X (4 KD
0 1-
KD
ov A) W,10 . m 9
pi " 0) mn
m3 IC rr z 0-. 06
n Aj s"n CL0 0 (r)
m P, 0 1-. (a 2)
r0m 0 p.. 0" m
rA
0 tr
S2,
nm
0= 0
iE l<
m= :; 0Z
0 rr m rr
rr m cr
0 0

cr x
P 0
0
ca m

rr
ci rr

m
t2

I
Z
z

ILI

Table A3.7 (cont.) - Thermal oxidiser sub-modules - preHAZOPed results.

A90
H ti
(0-3 tri 01 M wo
< ILI
10 = >f
>- > a =a WID
r? I t- I. -
(b Ki. 0 o0 rr up)
rr 00 pi M I< -4
r. m :Z

tlf%rN gL w

10 (A ei m
I- r? gL cr
(D 0w P" 0)
:10
() it n
cr, rr 0 11w

rr
m Di rr 0
0

lu fL -3 nxmw
cr 0., OOSWC - mw
11 0X- m
1.- .0 P-to
0 14 r. 9L
a tn w
Bmxmm ot P. 0 0.0 w 0m
0 (1 0- 11 cr =- aa P , )v In
m-a (D to pi I. - -- 0c I- er a 0- 0
10 ju 00- 0 tr 0 pq 0 tr I.- " 4 a
U0 cr =M lu P.- 0- -, = W= ca -
(D :r 01 0 -1 a 1.- 0 Im to La m< T3 2
m
.a9 W.
- rr
0
m0
Im
0 9
10
1--- (T
= l< a. -X
*to a
. X
to
I
()
IkAI
W m
K)
fr 0x -- M Q0 10 cr I
0 A) m 11 00 10 La " '.. 9
:Z W P% 00 pi 0 P%
(T

1.- 0Q 1.-0 w La
il 0 I'llo 0aaa
00 pt :1M
0 a 0

Mw
0 0
0

1-- 8 x
;j rr 11 0
0 11
0
0w 0w tn
3 til t: m
l< wM cr
0 rr 0C
r, 1
1 m
cr"r. 4 8
rr PV
0
a=
30 (W zw
(D 0 >
pi

cr 0 CTa I.,
rh=*='- 0 :rrr :r-m0.
rr em
0
0 ar a !,
ski m cr lip m cr
<a I-A N <aWI., tri
0wa. cr P"
P.-
n - 0N
W-0 -Z
r- a tr 9L0M Ir -
go "
ti
tr m09 Ir 0a9 >
Q. "a to 0 0 0. to a
0
0 0 l< 0

to 9 cr to 'o cr
a -j .: 0 11 a<0
M0 00

I)

Table A3.7 (cont.) - Thermaloxidiser sub-modules- preHAZOPedresults.


A91
9 )- ti MV v
'Vw
01 le
11 . pi "I w pi !- a "I
N .
?10
0) < 0
ol 0

0
r.
i
0 b-
r
aH
0=m
rr 0 1- 0 0 cr &W
< 0..

n C6 0 m0

0 pt M0
w0
z
w0
C: C: C:H W :r0
M tj
. -0
bi
m 04 w
Ul
2 -0w PA
x
ti s
o
m=
-
r_ 0
"n "I
Mw 11
ro
ex C2
m
Ell In %L p
0

tl x ;z
cr
cr M cn
M
vi 0 tr P"
rn (I

PC
M
a.
a 0H ;a0 m M. 'a IE m03w
n
-Ac: -0
M p Cw0 0r in w0ju Im
0 0 0) - "w ; r = * 0".
x
0X
rr
ju
.0mmw00
V pr In 9
Z50X01I. '. A E !,
rr rr 09M. 0-
q 1-4
t-I ol tr " -,- 09 al n lu M o.- nM rr w (a 1
>> t' Z
tl 0 to - w l< :eI:r -0cz-P"c r '5o6na0-
zZ * Do 2A m -%?A q.
> Mm 2 Sa 0
pe v :Z pa
0 cn pl cn :100
wz
A) 0 $1 m P. cxD 0
00am
X >g < m 0m00r. a
w :3aNP.
m4 cr M
mim MM
b.4 10 a. " "x cr - IT to 10
tl 7a 000 wc"- Ph
ca t
M u2 mM Z cr P%Im . cIr a-f, w
0>X mm 0 ;:o
> -3 z
U2 !2- 1110 *
ni m>
mw
ti cl
m
ftl
s
:C
x0 41
L2 s

2
m
r22
om.
ftl
mw . v"
ta W.
Pi08 0
cr
=1 m
1.
0.1 Id
0 tr
ah wW (b
cr 91

0
t-I
(12

:Z 0 0 'a m

!j ww Cr J.A

X
:1 ; ". 'a ; 0

D*
M
0
cr
Q x La a

W ju

0
X

l :C ty, s.

lu
Z to Z X
tz N
pG (9 2 M cl
01u 04. Z
< h- tr ti
w kl rr (D
gi 00
rr 0
>- X
z
(D 0 La
rr k-

(1

JN

- ble A3.7 (cont.) - Thermaloxidiser sub-modules- preHAZOPedresults.

A92
ol
n00
1--s
WID
W.ju
rr

D,0
a t:l

11
01

iE6 I
C'n,
"0g

10

Ict
0)
to
(0

TableA3.7 (cont.) - Thermaloxidiser sub-modules- preHAZOPedresults.

A93
le
< lu <n8
2xZ30 (b Z0
1-. b...
>--O
1.. W.
rr
0
bi
tr
, #-m- 5
10 %0
w 0%

Z,

tT1

za

lu
lu

111 cm
Table A3.7 (cont.) - Thermal oxidiser sub-modules - preHAZOPed results.

A94
Worksheet
Company:
Facility: Page:

Revision: 02 Jun 95
Nods: 1 Storage tank feed inlet with level control on tank.
Parameter: Flow

DEVIATION CAUSES CATI CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. No Flow 1.1. Feed line IC 1.1.1. Possible EE


blocked. inability to continue
Level control valve process at normal
fails shut. production rates
1.1.2. Low tank level EE 1.1.2.1. Low level CON
leading to outlet pump alarm
cavitation.
1.1.2.2. Level CON
indicator

1.1.3. NO FLOW AT DPE


UPSTREAM UNITS

2. More 2.1. Control valve IC 2.1.1. Inadequate EE 2.1.1.1. Relief valve. 2.1.1.1. Size vent
Flow fails open venting. Vessel adequately
overpressure rupture.
2.1-2. Static build EE 2.1.2.1. Dip tubes for 2.1.2.1. Flammable
UP. filling. fluids only.
If filling is not done
via dip tubes check
design assumptions.

2.1.3. MORE FLOW AT DPE


UPSTREAM UNITS

3. Less 3.1. Feed line IC 3.1.1. Vessel takes EE 3.1.1.1. Level CON
Flow partially blocked. longer to fill than indicator.
Control valve fails normal
insufficiently open.
3.1.2. LOW FLOW AT DPE 3.1.2.1. Level CAU
UPSTREAM UNIT indicator.

Revision: 02 Jun 9S
Node: I Storage tank feed inlet with level control on tank.
Parameter: Pressure

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. Higher 1.2. Feed line IC 1.2.1. Expansion of EE 1.2.1.1. Hydraulic CON 1.2.1.1. Ensure
Pressure isolated. locked in fluid causes pressure relief operating instructions
hydraulic overpressure preclude deliberate
rupture of line. isolation of line
without having first
drained line.

1.2.1.2. Ensure design


minimizes opportunites
for isolation in error
due to control valves
failing etc.
1.3. Level control IC 1.3.1. LIQUID HAMMER. DPE 1.3.1.1. Only a
valve closes quickly. HIGH PRESSURE TO problem for long
Manual valve on UPSTREAM UNITS. pipelines.
storage tank inlet Ensure closing time on
closes quickly. control valves and
manual valves is long
enough to avoid liquid
hammer.

KAZOP-PC 3.02 by Primatech Inc.

TableA3.8 - Storagetank sub-modules


- preHAZOPed
results(IC filtered).

- A95 -
Worksheet

Company:
Facility: Page:

Revision: 02 Jurx 95
Rode: 2 Storage tank vent to atmosphere
Parameter: Flow

DEVIATION CAUSES CATI CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. No/Less 1.1. Vent line blocked IC 1.1.1. Tank EE Relief valve CON Minimize
Flow or partially blocked overpressure rupture opportunities for vent
on filling blockage

1.1.1.2. Ensure flame


arrestor is maintained
correctly.

1.1.2. Tank vacuum EE 1.1.2.1. Vacuum relief CON 1.1.2.1. Minimize


collapse on discharge valve. opportunities for vent
blockage.

1.1.2.2. Ensure flame


arrestor is maintained
correctly

HAZOP-PC 3.02 by Primatech Inc.

Table A3.8 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

- A96 -
worksheat

Co,,TLpany:
Facility: Page 13

Revision: 02 Jun 95
Node: 3 Storage tank overflow
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CATI RECOMMENDATIONS

1. No/Less 1.1. Overflow blocked IC 1.1.1. No/partial tank EE Level control CON Ensure
Flow or partially blocked overflow available. opportunities for
Possible tank rupture 1.1.1.2. Level CON overflow blocking are
on overfilling indicator minimized.

1.1.1.3. High level CON


alarm

HAZOP-PC 3.02 by Primatech Inc.

Table A3.8 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

- A97 -
Worksheet

Company:
Facility: Page: 4

Revision% 02 Jun 95
Node: 4 Storage tank outlet
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CATI SAFEGUARDS CAT RECOMMENDATIONS

1. No Flow 1.1. Outlet line IC 1.1.1. NO FLOW TO DPE Low flow CAU
blocked between tank DOWNSTREAMUNIT alarm
and pump.
Pump fails.

1.2. Flow control IC 1.2.1. NO FLOW TO DPE 1.2.1.1. Low flow CAU
valve fails shut. DOWNSTREAMUNIT alarm
Outlet line blocked
downstream of pump. 1.2.2. Full head pump EE 1.2.2.1. Kick back 1.2.2.1. Consider
pressure developed. line. designing equipment to
High pressure rupture withstand maximum pump
risk to outlet line. 1.2.2.2. Low flow delivery pressure.
Pump overheats, seals alarm.
damaged, possible
leak.

2. More 2.1. Control valve IC 2.1.1. HIGH FLOW TO DPE


Flow fails open DOWNSTREAMUNIT

2.2. Spare pump IC 2.2.1. HIGH FLOW TO DPE 2.2.1.1. Flow control CON 2.2.1.1. Ensure
running in error DOWNSTREAMUNIT operating and
maintenance
instructions preclude
running parallel pumps
incorrectly.

2.3. Outlet line IC 2.3.1. Tank contents EE 2.3.1.1. Emergency CON 2.3.1.1. Ensure tank
ruptured lost to environment isolation valve is adequately bunded.
*
2.3.1.2. Locate
isolation valve as
near an possible to
tank.

2.3.1.3. Consider need


for remote operation
of isolation valve.

2.4. Pump seals fail. IC 2.4.1. Environmental EE 2.4.1.1. Emergency CON 2.4.1.1. Use canned or
contamination isolation valve. seal-less pump if
appropriate.

2.4.1.2. Pump to be
adequately bunded.

2.4.1.3. Consider need


for remote operation
of isolation valve.

3. Less 3.1. Outlet line IC 3.1.1. LESS FLOW To DPE 3.1.1.1. Flow control CON
Flow partially blocked. DOWNSTREAMUNIT
Pump running 3.1.1.2. Low flow CON
incorrectly. alarm

3.2. Control valve IC 3.2.1. LESS*FLOW To DPE 3.2.1.1. Low flow


fails insufficiently DOWNSTREAMUNIT alarm.
open.

4. As Well 4.1. Contamination of IC 4.1.1. CONTAMINATION DPE


As Flow tank contents OF DOWNSTREAMUNIT

S. Reverse 5.2. Outlet line IC S. 2.1. REVERSE FLO W DPE


Flow ruptured. FROM DOWNSTREAMUNIT

Revision: 02 Jun 95
Node: 4 Storage tank outlet
Parameter: Pressure

DEVIATION CAUSES CATI CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

2. Lower 2.1. Storage tank IC 2.1.1. Low tank level DPE 2.1.1.1. Low flow CAU
Pressure inlet line blocked. leading to LOW alarm
Level control valve PRESSURE AT DOWNSTREAM
fails shut. UNIT 2.1.1.2. Low level CON
alarm

2.1.1.3. Level CON


indicator I II

HAZOP-PC 3.02 by Primatech Inc.

TableA3.8 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

- A98 -
Worksheet

company:
Facility: Page 13

Revision: 02 Tun 95
Node: 5 Storage tank self
Parameter: Temperature

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CATI RECOMMENDATIONS

i. Higher 1.1. Fire IC 1.1.1. Rapid EE Emergency CON


Temperatur evaporation of tank fire relief valve.
a contents.

1.1.2. Structural EE 1.1.2.1. Ensure


weakening of tank. adequate fire relief
equipment exists.

1.2. High ambient IC 1.2.1. Rapid EE 1.2.1.1. Temperature CAU 1.2.1.1. Lag tank to
temperature evaporation of tank indicator protect against high
contents ambient temperature if
necessary.
1.2.2. Possible pump ES 1.2.2.1. Temperature
cavitation indicator.

2. Lower 2.1. Cold weather IC 2.1.1. Possible EE 2.1.1.1. Temperature CAU 2.1.1.1. Lag tank to
Temperatur freezing of content* indicator protect against cold
e ambient temperature if
necessary.

2.1.1.2. Install trace


heating if necessary.

2.1.2. Rapid EE 2.1.2.1. Install CON


condensation of vacuum relief.
vapour. Possible
vacuum collapse. 2.1.2.2. Temperature CAU
indicator

2.1.3. Condensation of EE 2.1.3.1. Temperature CAU 2.1.3.1. Use inert


vapour draws air into indicator blanket if necessary.
tank. See blanket in and
vent out nodes.
2.1.4. Pump seals EE 2.1.4.1. Temperature CAU
damaged indicator

Revision: 02 Jun 95
Node: 5 Storage tank self
Parameter: Pressure

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. Higher 1.1. Fluid for IC 1.1.1. Tank EE Design tank


Pressure hydraulic test is overpressure rupture to contain all
denser than fluid tank appropriate fluids.
designed for

Revision: 02 Jun 95
Node: 5 Storage tank self
Parameter: Level

DEVIATION CAUSES CATI CONSEQUENCES CAT SAFEGUARDS CAT RECOMMMMATIONS

1. Higher 1.1. Level control IC 1.1.1. Tank contents EE Overflow CON Overflow to
Level fails lost to environment be below tank roof.
Wrong level sensed due 1.1.1.2. High level CAU
to tank being filled alarm 1.1.1.2. Tank to be
with less dense adequately bunded.
material than 1.1.1.3. Level CAU I
anticipated. indicator

HAZOP-PC 3.02 by Primatech Inc.

TableA3.8 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

- A99 -
"" Worksheet

Company:
Facility: Page: 9

Revision: 02 Jun 95
Node: 6 Storage tank vent in from inert blanket supply.
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CATI RECOMMENDATIONS

1. No Flow 1.1. Vent in line IC 1.1.1. Tank vacuum EE Vacuum relief CON Minimise
blocked collapse valve opportunities for line
blockage.

3. Less 3.1. Vent in line IC 3.1.1. Tank vacuum EE 3.1.1.1. Vacuum relief CON 3.1.1.1. Minimiss
Flow partially blocked collapse valve opportunities for line
blockage

Revision: 02 Jun, 95
Node: 6 Storage tank vent in from inert blanket supply.
Parameter: Pressure

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. Higher 1.1. Pressure control IC I. I. I. Tank EE Install


Pressure failure of blanket overpressure rupture relief valve

2. Lower 2.1. Vent in line IC 2.1.1. Vacuum collapse EE 2.1.1.1. Ensure vent
Pressure blocked or partially in line is not prone
blocked to blocking

2.1.1.2. Install
vacuum relief

-c

HAZOP-PC 3.02 by Primatech Inc.

TableA3.8 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

- AIOO -
Worksheat

Company*
Facility: Pages

Revioion: 02 Jun 9S
Node: 7 Storage tank vent out to vent header
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. No Flow I. I. Vent out line IC 1.1.1. Tank EE Ensure vent


blocked overpresesure rupture out line in not prone
to blocking

1.1.1.2. Install
relief valve

2. More 2.1. Vent out line IC 2.1.1. Rapid EE


Flow open in error evaporation of tank
contents

3. Less 3.1. Vent out line IC 3.1.1. Tank EE 3.1.1.1. Ensure vent
Flow partially blocked overpressure rupture out line is not prone
to blocking

3.1.1.2. Install
relief valve

Revision: 02 Jun 95
Node: 7 Storage tank vent out to vent header
Parameter: Pressure
I I RECOMMENDATIONS
DEVIATION CAUSES CATI CONSEQUENCES CATI SAFEGUARDS CATI
I I. I. I. I I I
1. Higher I. I. Vent out line IC erpressure EE Install
Pressure blocked or partially rupture relief valvo
blocked

HAZOP-PC 3.02 by Primatech Inc.


-..

TableA3.8 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

- AIOI -
Worksheet

Company:
Facility: Page 18
'., 'I Revision- 0 26 Jun 9S
.
Hode: 8 Storage tank outlet via batch meter to tanker
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES ICAT I ICAT I


SAFEGUARDS RECOMMENDATIONS
1. No Flow I. I. Outlet line IC 1.1.1 Tanker not EE
blocked between pump as required.
and tanker.
BaEEh meter control 1.1-2. Full head pump EE 1.1.2.1. Kick back
valve fails closed. pressure developed. line
Pump overheats, seals
damaged, possible
leak.

1.2. Pump fails. IC 1.2.1. Tanker not EE


Outlet line blocked filled as required.
between storage tank
and pump -

2. More 2.1. Outlet line IC 2.1.1. Tank contents EE 2.1.1.1. Emergency 2.1-1.1. Ensure tank
Flow ruptures. lost to environment. isolation valve is adequately bunded.
Tanker filling hose
ruptured. 2.1.1.2. Locate
isolation valve as
near as possible to
tank.

2.1.1.3. Consider need


for remote operation
of isolation valve.
2.1.1.4. Ensure tanker
filling hoses are
stored correctly,
inspected frequently
and changed regularly.
2.2. Batch meter IC 2.2.1. Tanker EE 2.2.1.1. Overfilling 2.2-1.1. Consider
control valve fails overfilled alarm in
effects a change
open. size of standard
Operator enters wrong 2.2.1.2. Pressure trip tanker will have on
amount into batch tanker loading
meter control. operations.
Tanker smaller than
expected.
Tanker already
partially filled.

2.3. Tanker moves off IC 2.3-1. Leak to EE 2.3.1.1. Dry break 2.3.1.1. Loading bay
while loading environment. couplings. to be on level ground.
operation still in Ensure tanker can be
progress. 2.3.1.2. Tanker parked securely in bay
Driver drives off, immobilisation at a reasonable
tanker not parked interlock. distance from other
securely, or tanker in traffic.
conflict with other
traffic.

3. Less 3.1. Outlet line IC 3.1-1. Tanker takes EE 3.1.1.1. Overdue 3.1.1.1. Ensure
Flow partially blocked. longer to-fill than filling do not rely
alarm. operators
Batch meter control normal.
fails solely on time taken
valve to fill tanker as an
insufficiently open. indicator as to when
Pump running to disconnect filling
l incorrectly. ho a a.
ACV. 16.10121. v 16 0w Un v
-
Node: 8 Storage tank outlet via batch meter to tanker
Parameter: Composition

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS


1. Other 1.1. Wrong tanker IC 1.1.1. Material EE Use different
Than connected incompatibility.
connectors where
compositio
material
n incompatibilty in a
problem to so wrong
tanker cannot be
connected easily.
1.2. Wrong material in IC 1.2.1. Material EE 1.2.1.1. Check tanker
tanker incompatibility. before
contents
unloading if material
incompatibility is a
problem.

HAZOP-PC 3.02 by Primatech Inc.

Table A3.8 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

- A102 -
Worksheat

Company:
Facility: Page: 9

Revision: 0 26 Jun 9S
Node: 9 Storage tank inlet from tanker
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. No Flow 1.1. Tanker outlet IC 1.1.1. Possible EE


line blocked. inability to continue
process at normal
production rates.

1.1-2. Low tank level EE


leading to outlet pump
cavitation

2. More 2.1. Hose ruptured. IC 2.1.1. Leak to EE 2.1.1.1. Ensure hoses


Flow environment. are stored correctly,
inspected frequently
and changed regularly.
2.2. Tanker moves off IC 2.2.1. Leak to EE 2.2.1.1. Dry break 2.2.1.1. Loading bay
while offloading environment. coupling*. to be on level ground.
operation still in Ensure tanker can be
progress. 2.2.1.2. Tanker parked securely in bay
Driver drives off, immobilination at a reasonable
tanker not parked interlock. distance from other
securely, or tanker in traffic.
conflict with other
traffic.

2.3. Larger tanker IC 2.3.1. Possible EE 2.3.1.1. Consider


than expected. inability to offload effect* change in
tanker completely standard size of tank
without overfilling will have on tanker
storage tank. offloading operations.

3. Less 3.1. Tanker outlet IC 3.1.1. Tank takes EE 3.1.1.1. Ensure


Flow line partially longer to fill than operators do not rely
blocked. normal. solely on time taken
to empty tanker as an
indicator as to when
to disconnect hose.

4. Reverse 4.1. Discharge pump IC 4.1.1. Reverse flow EE 4.1.1.1. Non-return


Flow fails from storage tank. valve
Tanker overfilling.
4.1.1.2. Siphon break
on dip tubes.

HAZOP-PC 3.02 by Primatech Inc.

TableA3.8 (cont.) - Storagetank sub-modules- preHAZOPedresults(IC filtered).

- A103 -
Worksheet

Company:
Facility: Pag*t 10

Revision: 0 21 Jul 95
Node: 11 Storage tank feed inlet without control valve.
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. No Flow 1.1. Feed line IC 1.1.1. Possible EE


blocked. inability to continue
Process at normal
production rates
1.1.2. Low tank level EE 1.1.2.1. Low level COX
leading to outlet pump alarm
cavitation.
1.1.2.2. Level CON
indicator

1.1.3. NO FLOW AT DPE


UPSTREAM UNITS

3. Less 3.1. Feed line IC 3.1.1. Vessel takes EE 3.1.1.1. Level CON
Flow partially blocked. longer to fill than indicator.
normal

3.1.2. LOW FLOW FROM DPE 3.1.2.1. Level CXU


UPSTREAM UNIT indicator.

Revision: 0 21 Jul 9S
Node: 11 Storage tank feed inlet without control valve.
Parameter: Pressure

DEVIATION CAUSES CAT CONSEQUENCES CATI SAFEGUARDS CAT RECOMMENDATIONS

1. Higher 1.2. Feed line IC 1.2.1. Expansion of IC 1.2.1.1. Hydraulic 1.2.1.1. Ensure
Pressure isolated. locked in fluid causes pressure relief operating instructions
hydraulic overpressure preclude deliberate
rupture of line. isolation of line
without having first
drained line.

1.2.1.2. Ensure design


minimises opportunites
for isolation in error
due to control valves
failing etc.
1.3. Manual valve on IC 1.3.1. LIQUID HAMMER. 1.3.1.1. Only a
storage tank inlet HIGH PRESSURE TO problem for long
close* quickly. UPSTREAM UNITS. pipelines.
Ensure closing time on
control valves and
manual valves is long
enough to avoid liquid
hammer.

HAZOP-PC 3.02 by Primatech Inc.


--

TableA3.8 (cont.) - Storagetank sub-modules- PreHAZOPedresults(IC filtered).

- A104 -
Worksheet

Company:
Facility: Paget I

Revision: 02 Jun 95
Node: 1 Storage tank feed inlet with level control on tank.
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CATI RECOMMENDATIONS

1. No Flow 1.2. NO FLOW FROM VUL 1.2.1. Possible


SOURCE inability to continue
process at normal
production rates

1.2.2. Low tank level 1.2.2.1. Low level


leading to outlet pump alarm
cavitation.
1.2.2.2. Level
indicator

2. More 2.2. HIGH FLOW FROM VUL 2.2.1. Inadequate 2.2.1.1. Relief valve.
Flow UPSTREAM UNIT venting. Vessel C r.
overpressure rupture.

2.2.2. Static build 2.2.2.1. Dip tubes for 2.2.2.1. Flammable


UP- filling. fluids only.
If filling is not done
via dip tube* chock
design assumptions.

3. Less 3.2. LOW FLOW FROM VUL 3.2.1. Vessel takes 3.2.1.1. Level
Flow UPSTREAM UNIT longer to fill than sr. indicator.
normal.

4. As Well 4.1. WRONGMATERIAL VUL 4.1.1. Material 4.1.1.1. Ensure


As Flow FROM UPSTREAM UNIT incompatability ec appropriate measures
exist to check
incoming material.

4.2. CONTAMINATED VUL 4.2.1. An above


MATERIAL FROM UPSTREAM
UNIT

S. Reverse 5.1. REVERSE FLOW AT VUL 5.1.1. Liquid siphoned 5.1.1.1. Siphon break CON
Flow UPSTREAM UNIT out of tank. on dip tubes.

S. 1.1.2. Non-return CAU


valve

Revision: 02 Jun 95
Node: I Storage tank feed inlet with level control on tank.
Parameter: Temperature

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. Higher I. I. HIGH TEMPERATURE VUL 1.1.1. Rapid Temperature CAU For system
Temperatur FROM UPSTREAM UNIT evaporation of tank CE indicator with vent header
e contents. system, can System
1.1.1.2. High CAU cope with increase in
temperature alarm venting due to hot
weather acting on
several tanks?
1.1.2. Increased 1.1.2.1. Temperature 1.1.2.1. Only a
vapour concentration indicator. problem for tanks with
around tank, possibly open vent.
rising to a hazardous 1.1.2.2. High Consider installing
level. temperature alarm. appropriate gas
detection equipment if
appropriate.
Revision: 02 Jurx 95
Node: I Storage tank feed inlet with level control on tank.
Parameter: Pressure

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. Higher 1.1. HIGH PRESSURE AT VUL 1.1.1. Vessel 1.1-1-1. Relief valve. CON Ensure
Pressure UPSTREAM UNIT overpressure rupture 8zF- adequate venting.
1.1.1.2. Pressure CAU
indicator.

HAZOP-PC 3.02 by Primatech Inc.

Table A3.8 - Storagetank sub-modules- preHAZOPedresults(VUL filtered).

- A105 -
Worksheet

Company:
Facility: Page 8

Revision: 02 Jun 9S
Node: 4 Storage tank outlet
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CATI RECOMMENDATIONS

1. No Flow 1.3. NO FLOW AT VUL 1.3.1. Full head pump - 1.3.1.1. High CON 1.3.1.1. Design
DOWNSTREAMUNITS pressure developed. pressure/low flow pump equipment to withstand
re
High Pressure rupture cut out switches. maximum pump delivery
risk to downstream pressure.
equipment. 1.3-1.2. Kick back CON
Pump overheats, seals line
damaged, possible
leak. 1.3.1.3. Integral pump CON
high pressure relief
valve

1.3-1.4. Pressure CON


indicator

1.3.1. S. Low flow CON


alarm

1.4. NO FLOW AT VUL 1.4.1. Full head pump LPE 1.4.1.1. Kick back 1.4.1.1. Consider
DOWNSTREAMUNITS pressure developed. line. designing equipment to
HIGH PRESSURE TO withstand maximum pump
DOWNSTREAMUNITS 1.4.1.2. Low flow delivery pressure.
alarm.
2. More 2. S. LESS PRESSURE AT VUL 2. S. 1. HIGH FLOW To LPE 2. S. 1.1. Flow control CON
Flow DOWNSTREAMUNIT DOWNSTREAMUNIT

3. Less 3.3. HIGH PRESSURE AT VUL 3.3.1. LOW FLOW TO LPE 3.3.1.1. Flow control CON
Flow DOWNSTREAMUNIT DOWNSTREAMUNIT

S. Reverse 5.1. Pump failure and VUL S. I. I. Material S. 1.1.1. Non-return CAU
Flow REVERSE FLOW FROM incompatability valve.
DOWNSTREAMUNIT.

Revision: 02 aun 95
Node: 4 Storage tank outlet
Parameter: Pressure

DEVIATION CAUSES CAT CONSEQUENCES CATI SAFEGUARDS CAT RECOMMENDATIONS

1. Higher 1.1. NO FLOW AT VUL 1.1.1. Full head pump LPE 1.1 * 1.1. Kick back Consider
Pressure DOWNSTREAMUNIT pressure developed. line designing equipment to
HIGH PRESSURE TO withstand maximum pump
DOWNSTREAMUNIT 1.1.1.2. Low flow delivery pressure.
alarm.

2. Lower 2.2. LESS FLOW AT VUL 2.2.1. HIGH PRESSURE LPE 2.2.1.1. Flow control CAU
Pressure DOWNSTREAMUNIT AT DOWNSTREAMUNIT
2.2.1.2. Low flow CAU
alarm
2.2.1.3. Pressure CON
indicator

2.3. HIGH FLOW AT VUL 2.3.1. LOW PRESSURE AT LPE 2.3.1.1. Flow control CAU
DOWNSTREAMUNITS DOWNSTREAMUNITS

HAZOP-PC 3.02 by Primatech Inc.

TableA3.8 (cont.) - Storagetank sub-modules- preHAZOPedresults(VUL filtered).

- A106 -
Worksheet
Company:
Facility: Page 13

Revision: 02 Jun 9S
Node: 6 Storage tank vent in from inert blanket supply.
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. No Flow 1.2. NO FLOW FROM VENT VOL 1.2.1. Tank vacuum 1.2.1.1. Vacuum relief CON 1.2.1.1. Ensure source
IN SOURCE collapse is sufficiently
it. r- valve
reliable.

2. More 2.1. HIGH FLOW FROM VUL 2.1.1. Rapid


Flow VENT IN SOURCE evaporation of tank
contents ec
3. Less 3.2. LOW FLOW FROM VUL 3.2.1. Tank vacuum 3.2.1.1. Vacuum relief
Flow VENT IN SOURCE collapse F-9 valve

4. As Well 4.1. WRONGMATERIAL VUL 4.1.1. Material 4.1.1.1. Ensure risk


As Flow FROM VENT IN SOURCE incompatability of wrong material in
source in sufficiently
small.

4.1.2. Possible
explosion risk

4.2. CONTAMINATION OF VUL 4.2.1. Material


VENT IN SOURCE incompatability

S. Reverse 5.1. LOW PRESSURE AT VUL 5.1.1. CONTAMINATION LPE Install non-
Flow UPSTREAM UNIT OF VENT IN SOURCE return valve
Revision: 02 Jun 95
Node: 6 Storage tank vent in from inert blanket supply.
Parameter: Pressure

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS


i
2. Lower 2.2. LOW PRESSURE FROM VUL 2.2.1. Vacuum collapse 2.2.1.1. Check
Pressure VENT IN SOURCE Cc reliability of vent in
source

2.2.1.2. Install
vacuum relief

HAZOP-PC 3.02 by Primatech Inc.

TableA3.8 (cont.) - Storagetank sub-modules- preHAZOPedresults(VUL filtered).

- A107 -
Worksheat

Company,
Facility: Pag* 14

Revision: 02 Jun 95
Node: 7 Storage tank vent out to vent header
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

3. Less 3.2. LOW FLOW TO VUL 3.2.1. Tank Cc 3.2.1.1. Install


Flow DOWNSTREAMUNIT overpressure rupture relief valve

4. Reverse 4.1. HIGH PRESSURE AT VUL 4.1.1. Material CE


Flow DOWNSTREAMUNIT incompatability

4.1.2. Explosion risk F-9

Revision: 02 Jun 95
Node: 7 Storage tank vent out to vent header
Parameter: Pressure

DEVIATION. CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. Higher 1.2. NO FLOW AT VUL 1.2.1. Overpressure F-9 1.2.1.1. Install


Pressure DOWNSTREAM UNIT. rupture relief valve
LESS FLOW AT
DOWNSTREAM UNIT.

HAZOP-PC 3.02 by Primatech Inc.

TableA3.8 (cont.) - Storagetank sub-modules- preHAZOPedresults(VUL filtered).

- A108 -
Workaheet

Company:
Facility: Page 15

Revision: 0 21 Jul 95
Node: 11 Storage tank feed inlet without control valve.
Parameter: Flow

DEVIATION CAUSES CAT CONSEQUENCES CATI SAFEGUARDS CAT RECOMMENDATIONS

1. No Flow 1.2. NO FLOW FROM VUL 1.2.1. Possible cc


UPSTREAM UNIT inability to continue
process at normal
production rates

1.2.2. Low tank level SE 1.2.2.1. Low level


leading to outlet pump alarm
cavitation.
1.2.2.2. Level
indicator

2. More 2.1. HIGH FLOW FROM VUL 2.1.1. Inadequate 'C-C 2.1.1.1. Relief valve.
Flow UPSTREAM UNIT venting. Vessel
overpressure rupture.

2.1.2. Static build F_ 2.1.2.1. Dip tubes for 2.1.2.1. Flammable


UP. filling. fluids only.
if filling is not done
via dip tubes check
design assumptions.

3. Less 3.2. LOW FLOW FROM VUL 3.2.1. Vessel takes 3.2.1.1. Level
Flow SOURCE longer to fill than indicator.
normal.

4. As Well 4.1. WRONGMATERIAL AT VUL 4.1.1. Material 4.1.1.1. Ensure


As Flow SOURCE incompatability appropriate measures
exist to check
incoming material.

VUL As above
4.2. CONTAMINATION OF VUL 4.2.1. Material
MATERIAL AT SOURCE incompatibility

5. Reverse 5.1. REVERSE FLOW AT VUL 5.1.1. Liquid siphoned 1EI; Siphon break CON
Flow SOURCE out of tank. on dip tubes.

5.1.1.2. Non-return CAU


valve

Revision: 0 21 Jul 9S
Node: 11 Storage tank feed inlet without control valve.
Parameter: Temperature

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CATI RECOMMENDATIONS

1. Higher 1.1. HIGH TEMPERATURE VUL 1.1.1. Rapid Temperature For system
Temperatur FROM UPSTREAM UNIT evaporation of tank indicator with vent header
e contents. system, can system
1.1.1.2. High CAU cope with increase in
temperature alarm venting due to hot
weather acting on
several tanks?

1.1.2. Increased 1.1.2.1. Temperature 1.1.2.1. Only a


vapour concentration indicator. problem for tanks with
around tank, possibly open vent.
rising to a hazardous 1.1.2.2. High Consider installing
level. temperature alarm. appropriate gas
detection equipment if
I jappropriate.

Revision: 0 21 Tul 95
Node: 11 Storage tank feed inlet without control valve.
Parameter: Pressure

DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS

1. Higher 1.1. HIGH PRESSURE VUL 1.1.1. Vessel Relief valve. CON Ensure
Pressure FROM SOURCE overpressure rupture adequate venting.
1.1.1.2. Pressure CAU
indicator.

HAZOP-PC 3.02 by Primatech Inc.


-

TableA3.8 (cont.) - Storagetank sub-modules- preHAZOPedresults(VUL filtered).

- A109 -

Você também pode gostar