Escolar Documentos
Profissional Documentos
Cultura Documentos
Institutional Repository
Additional Information:
By
December1999
by A Jefferson1999.
In memory of my dad
Dr Alan Jefferson
1945-1999
- ii-
Abstract
One of the most popular techniques for hazard identification is a hazard and
operability study (HAZOP), in which a group of peopleattempt to identify creatively
the possible hazards by applying a methodical process whereby the effect of
deviationsto everyprocessvariableis consideredin everypart of the plant.
- iv-
Acknowledgments
-
Contents
ABSTRACT
-3-" iv
.........................................................................................
ACKNOWLEDGEMENTS v
.................................................................
vi
CONTENTS ..........................................................................................
X
INDEX OF FIGURES ..........................................................................
XII
INDEX OF TABLES .........................................................................
1 1
INTRODUCTION ...........................................................................
1.1 PROJECT OVERVIEW 1
......................................................................................
1.2 CONTMUTIONS 3
............................................................................................
1.3 LAyouT OF THE THiESIS 4
.................................................................................
6
2 CONVENTIONAL HAZOP ............................................................
2.1 ORIGINSOFHAZOP 6
......................................................................................
2.2 HAZOP PROCEDURE 8
.....................................................................................
2.3 HAZOP FAILINGS 11
.......................................................................................
2.4 HAZOP EFFECTIVENESS 13
............................................................ .................
2.5 DEvELoPmENT OF HAZOP PROCEDURE 14
......................................................
2.5.1 General Development of HAZOP Procedure 14
........................................
2.5.2 Development of Guide Words and Checklists 15
........................................
2.6 WORKEDExAmPLEs OF HAZOP APPLICATION 19
............................................
2.7 SummARY 21
............................................................................................ .......
3 IMPROVING CONVENTIONAL HAZOP PERFORMANCE. 23
3.1 EFFECTIVE
HAZOP TEAMS 23
.........................................................................
3.1.1 I-L4ZOP Team Composition 23
..................................................................
3.1.2 lL4ZOP Secretary 24
................................................................................
3.1.3 HAZOP TeamLeader 24
...........................................................................
3.1.4 HAZOP Meetings 25
.................................................................................
-A-
3.2 LESSONSLEARNEDFROMHAZOP IN INDUSTRY 26
..........................................
3.3 COMPUTERAIDS iN CONVENTIONALHAZOP 30
...............................................
3.4 CoNcLusioNs 31
.............................................................................................
4 AUTOMATED HAZOP 33
................................................................
4.1 CAUSAL RELATIONSHIPS
REPRESENTING 33
......................................................
4.2 AumMATED HAZOP SYSTEMOVERVIEW 35
..................................................
4.2.1 UnitModels 36
.........................................................................................
4.2.2 Plant Description 37
.................................................................................
4.2.3 InferenceEngine 38
..................................................................................
4.3 HAZOP EMULATION - PRELINUNARY STEPS 38
.........................................
4.4 HAZOP EMUATION FAULT'SAND CONSEQUENCES 40
-IDENTIFYING ..........
4.4.1 Representing Faults and Consequences 40
................................................
4.4.2 Identifying Process Variable Influences 40
................................................
4.4.3 Search Strategies 41
..................................................................................
4.4.4 Linking Causes and Consequences 43
.......................................................
4.5 RESEARCHAND DEVELOPMENTISSUES 44
........................................................
4.5.1 Configuration Defects 44
..........................................................................
4.5.2 Data Acquisition 45
..................................................................................
4.5.3 Protections 46
...........................................................................................
4.5.4 Search Efficiency 46
.................................................................................
4.5.5 Output Quality 46
.....................................................................................
4.6 CONCLUSIONS 47
.............................................................................................
- vii -
5.4.1 Cause- ConsequenceTypesin Hybrid HAZOP 71
....................................
5.5 SUMMARY 72
...................................................................................................
6 MODULAR HAZOP PROCEDURE 74
............................................
7 CASE STUDY 87
................................................................................
7.1 INTRODUCTION 87
............................................................................................
7.2 PROCEDURE 87
................................................................................................
7.3 REsums 90
.....................................................................................................
8 CONCLUSIONS 109
..........................................................................
8.1 CONTRIBUTIONS 109
........................................................................................
8.2 LIMITATIONS 110
.............................................................................................
8.3 FuRTHERWoRK III
........................................................................................
8.4 IMPLEMENTINGMODULAR HAZOP IN AN INDUSTRIALEN-viRoNmENT 113
.......
8.5 AUTOMATED MODULARILAZOP 114
...............................................................
REFERENCES 116
............................................................................
APPENDIX 1- CASE STUDY PREEL4,ZOPED RESULTS Al
............
APPENDIX 2- BENZENE PLANT MODULAR HAZOP A31
............
APPENDIX 3- MODULAR IIAZOP LIBRARY A41
...........................
A3.1 COOLING
WATERSUPPLY SYSTEM A42
..............................................................
A3.1.2 SpecificSub-ModulesAvailable A42
.........................................................
A3.2 REACTIOR
MODULES A44
...................................................................................
A3.2.1 ExothermicLiquid PhaseReactor A44
......................................................
A3.2.2 Requiredsub-modules A46
........................................................................
A3.2.3 Additional genericsub-modules A46
.........................................................
A3.2.4 ExothermicLiquid PhaseReactorSpecificSub-Modules A46
....................
- viii -
TANK MODULE
A3.3 ATmospnERic STORAGE A53
....................................................
A3.3.1 Requiredsub-modules A53
........................................................................
A3.3.2 Additional sub-modules A53
......................................................................
A3.3.3 Available SpecificSub-Modules......................................................... A53
- ix-
Index of rigures
FIGURE 2.1 - BASIC METHOD FOR CONVENTIONAL HAZARD AND OPERA131LITYSTUDIES
(HAZOP) 10
..........................................................................................................
FIGURE 4.1 - SMALL PLANT FRAGMENT 34
.....................................................................
FIGURE 4.2 - GENERAL ARCHITECTURE FOR AUTOMATED HAZOP SYSTEM 36
..............
FIGURE 4.3 - PARTIAL SIGNED DIRECTED GRAPH FOR A PIPE 37
.......................................
FIGURE 4.4 - BASIC METUOD FOR AUTOMATED HAZOP 39
............................................
FIGURE 4.5 - SIGNED DIRECTED GRAPH 40
....................................................................
FIGURE 4.6 - CONNECT10N BETWEEN FAULTS AND CONSEQUENCES 44
............................
FIGURE 5.1 - FIRST LEVEL OF DECOMPOSITION. COMPONENT LEVEL 51
...........................
FIGURE 5.2 - SECOND LEVEL OF DECOMPOSITION. EQUIPMENT MODULES 52
...................
FIGURE 5.3 - THIRD LEVEL OF DECOMPOSITION. FUNCTIONAL MODULES 53
....................
FIGURE 5.4 FOURTH (IIIGHEST) LEVEL OF DECOMPOSITION. PLANT LEVEL 54
- ..............
FIGURE 5.5 FOUR SETSOF EFFECTSNEED TO BE CONSIDERED FOR EACH MODULE 57
- .....
FIGURE 5.6 EFFECTS NEEDING CONSIDERATION WHEN TWO MODULES ARE
-
CONNECTED 57
.......................................................................................................
FIGURE 5.7 EFFECTS NEEDING CONSIDERATION WHEN TEREE MODULES ARE
-
CONNECTED IN SERIES 58
. .......................................................................................
FIGURE 5.8 POSSIBLE PATHS BETWEEN INITIAL CAUSES, VARIABLE DEVIATIONS AND
END EFFECTS 58
......................................................................................................
FIGURE 5.9 AN EXAMPLE OF AN INITIAL CAUSE-END EFFECT TYPE OF CAUSE-
CONSEQUENCE 65
...................................................................................................
FIGURE 5.10 AN EXAMPLE OF AN R41ML
- CAUSE-DIRECTLY PROPAGATED EFFECT TY PE
OF CAUSE-CONSEQUENCERELATIONSHIP 66
.............................................................
FIGURE 5.11 AN EXAMPLE OF AN INITIAL CAUSE-INDIRECTLY PROPAGATED EFFECT
-
TYPE OF CAUSE-CONSEQUENCERELATIONSHIP 66
....................................................
FIGURE 5.12 - AN EXAMPLE OF A VULNERABILITY-END EFFECT TYPE OF CAUSE
CONSEQUENCERELATIONSHIP 67
.............................................................................
FIGURE 5.13 - AN EXAMPLE OF A VULNERABILITY-DIRECTLY PROPAGATED EFFECT TYPE
OF CAUSE CONSEQUENCERELATIONSHIP 68
. ............................................................
FIGURE 5.14 - AN EXAMPLE OF A VULNERABILITY-END EFFECT TYPE OF CAUSE-
CONSEQUENCE................................................................................................... 69
FIGURE5.15 - AN EXAMPLEOFA VULNERABILITY-INDIRECTLYPROPAGATED
EFFECT
TYPEOF CAUSE-CONSEQUENCE
RELATIONSHIP 70
. ...................................................
FIGURE5.16 - POSSIBLEPATHSBETWEENCAUSEAND CONSEQUENCE
TYPESIN
MODULARHAZOP ............................................................................................. 71
A50
.......................................................................................................................
FIGUREA3.8 - REACTORSUB-MODULE- STIRRER A51
....................................................
FIGUREA3.9 STORAGETANK SUB-MODULE- FEEDWITH LEVEL CONTROL A52
- .............
FIGUREA3.10 STORAGETANK SUB-MODULE- FEEDwrmouT CONTROL A54
- ................
FIGUREA3.11 STORAGETANK SUB-MODULE- OUTLETVIA PARALLELPUMPS A54
- ........
FIGUREA3.12 NITROGENBLANKETINGSYSTEM A56
- ....................................................
- xi-
Index of tables
AND DISTANTCAUSES
ANDCONSEQUENCES 62
..................................................................
TABLE 6.1 - MODULE LIBRARY coNTENis ATmospHERic PRESSURE STORAGE TANK 75
- . ......
TABLE 6.2 - CoNvmnoNAL HAZOP PRoFoRmA 77
. .............................................................
TABLE 7.1 - EXAMPLE OF NMAL CAUSESFILJERED RESULTS 88
. ............................................
TABLE 7.2 - ExAmPLE OF VULNERABILITY FILTEREDREsums 88
. ...........................................
TABLE 7.3 SUE-MODUIESFORWASTEACID STORAGEMODULE 91
- .........................................
TABLE 7.4 SuB-moDuLEs FORNEuTRALisAiioN REACTORMODULE 92
..................................
TABLE 7.5 SuB-moDuLEs FoRTREATED WASTE STORAGEMODULE 93
- ..................................
TABLE 7.6 SuB-mowus FOR COOLING WATER SUPPLY MODULE 93
- .....................................
TABLE 7.7 WASTE ACID TREATMENTPLANT MODULAR HAZOP REsuLTs 95
- .........................
TABLE 8.1 PART OF PREHAZOPED RESULTSFOR STORAGETANK SHOWINGHOW REMARKS
-
COLUMNCANBEUSED 112
................................................................................................
TABLEAU WASTE AciD PLANTPREHAZOPED RESULTS FILTERED A2
- -IC ........................
TABLEA1.2 WASTEAm PLANTPREHAZOPEDRESULTS VUL FILTERED A21
- - ...................
TABLE A2.1 BENzENEPLANTMODULARHAZOP RESULTS A33
- ...........................................
TABLE All COOLINGwATER SYSTEMsm-mowas PREHAZOPED RESULTS A58
- - ..........
TABLE A3.2 ExoTilERMIC REACTOR SUB-MODULES PREHAZOPED (IC
- - RESULTS
FILTERED) A69
.................................................................................................................
TABLE A3.3 ExoTHERmic (VUL
- REAcToRsuB-mODULES- pRFjtAzopED RESULTS
FILTERED) A74
.................................................................................................................
TABLE A3.4 ROADTANKERSUB-MODULES (IC A75
- - PREHAZOPED RESULTS FILTERED) ....
TABLE A3.5 - ROADTANKERsuB-moDULES pRgjAZopED RESULTS (VUL FILTERED) A77
-
TABLE A3.6 - STORAGETANK SUB-MODULES PREHAZOPED (IC
RESULTS FILTERED) A79
- ...
TABLE A3.7 - THERMALox[DisER suB-moDuLES PREHAZOPEDRESULTS A89
- ...................
TABLE A3.8 - STORAGETANK SUB-MODULES PREHAZOPEDRESULTS A95
- ..........................
- xii -
BLANK IN ORIGINAL
1
Introduction
With the increased speed of many other parts of the design process, hazard
identification is becomingthe logjam in attemptsto speedup the designof new plants
still further.The speedingup of hazardidentificationhasbecomean urgentpriority as
the chemical industry seeks to speed up the building of new chemical plants.
However, above all, it is necessarythat
any hazard identification procedure
maximisesthe numberof hazardsidentified and any improvementshould not reduce
the numberof hazardsidentified.In orderto improvehazardidentificationtechniques,
improvementsneedto be madeto the procedures,rules and guidelinesthat make up
thesetechniques.
-I-
Therearethreemaintechniquesfor hazardidentification:
regimes, etc. are comparedwith the plant under considerationto see if similar
circumstances exist which may give rise to hazards.
What If -a group of people attempt to identify creatively the possibility for hazards
by applyingthe question,"What if?", in combinationwith known failure mechanisms
for equipmentandsystems,to all the itemsin the plant.
-2-
PAGE
MISSING
IN
ORIGINAL
analysehow effectiveHAZOP is in practice,andwhethertherewereany lessonsto be
learned.This was done by studying the original HAZOP results for part of a fairly
complexplant and comparingthe problemsidentified thereinwith problemsthat had
subsequentlycome to light on the plant and trying to establishwhether and/or how
improvementscould havebeenmade(detailsconfidential).
-4-
BLANK IN ORIGINAL
2 Conventional HAZOP
upon, amongst other things, physically dividing the plant up so that damagedue to
fire or explosiondoesnot exceeda certain limit, the wearing of safety gogglesand
helmets, training of new plant operators and anonymousreporting of near miss
incidents.
"The traditional methodof identifying hazards- in use from the dawn of technology
to the presentday - was to build the plant and see what happens- 'every dog is
allowed one bite'. Until it bites someonewe can say that we did not know it would.
This is not a bad methodwhen the size of the incident is limited but is no longer
satisfactorynow that we keep dogs,which may be as big as Bhopal (over 2000 killed
in one bite), or evenFlixborough(28 killed). We needto identify hazardsbeforethe
accidentsoccue'.
-6-
HAZOP was first developedand used by ICI in the late 1960s. HAZOP was a
developmentof methodstudiesand the earliestaccountof their use and evidenceof
their origins canbe found in Elliot & Owen (1968).They describea techniquecalled
critical examination and although the majority of their paper is concernedwith
optimising the designprocess,it doesinclude a sectiondiscussinghow the technique
could be usedto carry out gives "hazardsurveys".In particular it describesits use as
follows:
They also identify that the value lies in the way the thinking is done
Lawley (1973) published the first complete paper on the HAZOP technique.
Originally referredto as an "operability study", it was developedon the supposition
that the failure to identify most hazardswas due to the complex natureof the plant,
rather than a lack of knowledge on the part of the designteam. It is summarisedas
follows:
-7-
deviation from what is normally expected.The procedure,therefore,is to searchthe
The referenceto "critical examination7'clearly links this work to that of Elliot &
Owen (1968) describedabove.As well as a thorough descriptionof the "operability
study" procedure, and a detailedset of results for an operability study of part of an
olefm dimerisation plant, the paper also describes a technique called "hazard analysis"
using logic treesto derive a quantitativeassessment of serioushazards following their
identification.This is easilyrecognisableas FTA.
or engineering line diagram (ELD) and the sectionswill correspond to lines on the
MID or ELD. For batch processesthe model of the system may be the batch
operatinginstructions andthe sectionswill correspond to individual operations.
There are numerous texts that give detailed instructions on how to carry out HAZOP
in chemical plants (Chemical Industries Association Ltd, 1977; Kletz, 1992;
Knowlton, 1992; Lees, 1996). The basic principle for a continuous plant is for a group
approach taken is outlined in figure 2.1. This figures is a modified version of that
presented in the above texts. The two steps in the middle of the procedure, "Examine
-8-
applied, particularly by more experiencedHAZOP teams, in either order. This is
-9-
Selecta
line/vessel
I
Explain
intention
I
Apply
guideword
Develop
meaningful deviation
Examine Examine
possible causes consequences
ff Deltermine
hazards
Record discussion]
e
as appropriate
I
Mark line/vessel as
having been exarnined
I
-
10-
2.3 HAZOP Failings
Before looking at how HAZOP has developed and the possible methods for
improvementin the future, it is worth looking at the current failings of HAZOP and
why thesefailing exist. Ironically HAZOP is now suffering from the sameproblem
that chemicalplants were suffering from 20 yearsago. The problem usedto be that
becausea chemicalplant or processhad never beeninvolved in any incidentsthen it
was assumed that there were no hazardsassociatedwith it. One of the reasonsthat
HAZOP was introducedwas to combatthis attitude and provide a tool for deciding
whetherpotential problemsexistedor not. The problem now is that because,on the
whole, potential problemswith the applicationof the HAZOP methodologyhave not
beenassociatedwith any incidents,no one seesany needto changeit. (SeeCrawley
(1995) for an exception).
The problem stemsfrom the perceivedhigh cost of HAZOP due to the lengthof time
it takesto carry out HAZOP and the apparentlack of benefits.In fact, data collected
from 125 HAZOP basedhazard studies shows the cost of a hazard study is only
0.16%of the capital cost of a project (Gillet, 1995).In addition,the tangiblebenefits,
the benefits seen by project managers,the actual addition of safety measuresand
provision of protective equipment which safeguardthe company assets, is only a
small part of the total benefit. There are considerableintangible benefits including
behavioural,quality and corporateimagebenefits(Gillet, 1995).The main intangible
benefitrealisedby HAZOP is the training andknowledgegainedby teamparticipants.
This translates into more efficient commissioning of plant and improved plant
operation.For more intangiblebenefitsseePully (1993).Also, as designers,at leastin
some companies, are becomingmore aware of possiblehazardsand are coming up
with betterdesigns,HAZOP identifiesvery few, if any, real hazards.
could hang their expertise. In effect, each guide word prompted the experts to
-II-
considercertain problemsand HAZOP would have beenjust as effective whatever
words were used. The guide words provided a convenient alternative to long
checklists.In this way the HAZOP methodologyalso overcameone of the main
drawbacksof checklists.It is very easyto prove that checklistsare incomplete.It has
neverbeen possible to prove how complete HAZOP is. HAZOP also enablesa certain
amount of flexibility in its application. One of the advantagesof this being that a
certain amountof redundancy was introduced, if
so a problem was missed first time
round there was still likely to be the opportunity to it
pick up elsewhere.However,
this flexibility also introducespotential problems in the form of ambiguities.For
exampleit is ambiguouswhen studyinghigh flow whetherthat refersto high flow in
to the line being studiedor high flow out of it. Among experiencedHAZOP leaders
theseambiguitiesare realisedand they have developedtheir own rules for dealing
with them. This also relies on the leaderhaving good control over the membersof the
team so that the team acceptsthe interpretationof the guide words suppliedby the
leaderand they do not stray into consideringinterpretationsthat the leaderfeels are
inappropriate.
Less experiencedHAZOP teamsdo not have the expertiseto realise the problems
associatedwith eachof the guidewords andhavenot developedrules for overcoming
the ambiguities.The first of theseproblems meansthat HAZOP results are not as
completeas they could be. The latter problem leadsto HAZOP taking longer than it
should. This only servesto reinforce the perceptionthat HAZOP has a high cost for
little benefit. These problems are exacerbatedby the lack of adequatetraining
availablefor HAZOP team leaders.Although there are plenty of coursesavailableto
teach the basics of leading HAZOP teams, the best training can only be through
experienceof HAZOP meetings.Further, this experienceshould go beyond simply
contributing to HAZOP meetings.The ideal role to gain the necessaryexperience
must be as a HAZOP secretarywith appropriatecoaching from the HAZOP team
leader. However, in order to reduce the perceivedcost of HAZOP meetings,the
number of peopleinvolved in is
eachmeeting being reducedand the first role to go is
that of HAZOP secretary,often to be replacedby a computer.
- 12-
2.4 HAZOP Effectiveness
scenarios.
cause-consequence The WHATIF study is based on askingquestionsabout
What
possiblecauses. is really being askedis 'What are the consequences of..? ' The
- 13-
seemto maximisethe opportunitiesfor creativeinput and reducethe possibilitiesof
oversights.
The basic principles of HAZOP have remained unchanged since its development by
the process industry, and in particular ICI, 25 years ago. However, it is now used by a
wide range of industries extending far beyond the process industry including the
construction, electrical and transportation industries (Eggert, 1995 & Sankaran 1993).
Of course each industry and each individual company has made modifications to the
Along with the developmentof the HAZOP procedure,ICI developeda six stage
proceduredesignedto identify hazardsat different stagesin the life of the plant, from
initial project exploration through to commissioningand normal plant operation
(Gibson, 1976). Duxbury & Tumey (1989) give a more detailed descriptionof this
procedure.Haza d StudyI is intendedto make sure that the hazardsassociatedwith
the materialspresent in the plant are understood.It provides the basis for a safe
design.Hazard Study II is a top down considerationof the major hazads that may
exist within the plant. Potentiallymajor events,suchas fire, explosion,toxic release,
to
etc., are analysed see which represent hazards and suitable designs will be
developed,if necessary,to reducethesehazards.The HAZOP Procedureis part three
(HazardStudy111)of this six stageprocess.However,thereis little time savinggained
by using this six stageapproach.Haza d StudiesI and 11identify possibly problem
areasand address particularly hazardoussituationsbut they do not have the same
rigorous and detailed methodology that lies behind the successof HAZOP in
identifying possiblehazards.HazardStudiesIV, V andVI exist to checkthat the plant
is built as designed,that no new hazardshavebeenintroducedduring commissioning
and that any unforeseenhazards or operabilityproblemsare dealtwith.
-
14-
2.5.2 Developmentof Guide Words and Checklists
AS WELL Qualitative increase All the design and operating intentions are
AS achieved together with some additional
activity.
PART OF Qualitative decrease Only some of the intentions are achieved;
Table 2.1 - Guide words as originally applied in HAZOP. (From CIA 1977).
- 15-
Having been developedlargely in the petrochemicalsdivision of ICI, the original
HAZOP procedure(Lawley, 1973)was biasedheavily towards continuousprocesses.
This is illustratedby the typesof deviationassociatedwith eachof the guidewords:
NONE - No flow.
MORE OF - More of flow, temperature, pressure, viscosity, etc., i. e., higher flow,
higher temperature, or whatever, than there should be.
REVERSE - Reverseflow.
OTHER - What else apart from normal operations can happen, e.g., start-up,
shutdown, maintenance,catalyst change, failure of plant services.
additions.This eliminatesthe to
need combinea guide word with an intention. For
continuousplant the following list of deviationsshouldbe considered:
HIGH FLOW
LOW FLOW
NO FLOW
REVERSEFLOW
- 16-
HIGH/LOWPRESSURE
HIGH/LOWTEMPERATURE
HIGH/LOWLEVEL
HIGH/LOWMIXING
STATIC
HIGH/LOWCONCENTRATION
CONTAMINANTS
TESTING
START-UP
SHUT-DOWN
COMMISSIONING& MAINTENANCE.
VIBRATION
IMPACT
NATURALFREQUENCY
ENTRAINMENT
VORTEX
- 17-
the third with hazardousevents.Thesechecklists are then used at the appropriate
point in the HAZOP procedure.The initiating problems checklist is used to try to
identify causesof processdeviations.The consequences list is usedto try to identify
consequences. Finally the hazardous is
eventschecklist used to try to determinehow
seriousthe final outcomemay be. One problemwith Kelly's approachis that it places
too much emphasissolely on the identification of hazards.HAZOP is important in
that it also identifiesoperabilityproblems.Indeedone of the main benefitsof HAZOP
is the reductionin the numberof start-upmodificationsrequired.
many items of common process plant equipment. The use of computersto assist
HAZOP is discussedlater in Chapters3.3.
- 18-
noticedin
Thesechecklistswere introducedpartly to addressthe lack of completeness
someHAZOP results.However the checklistsare by no meansas rigorousas a proper
checklist and there is still a reliance on the expertiseof the team to fully realise
possible consequences. In fact it is only likely to make things worse. There is the
possibility that the checklistaspectbecomes a crutch for inexperiencedteams to lean
complete. This use of lists is not helped by the computer HAZOP aids available,
which presentlists of relevant parameters,causesand It
consequences. canrestrictthe
studyto the everydayparameterssuchas flow, pressureand temperature, it
when may
be more appropriateto consideralternativeparameterswhich might be suggestedif
the original HAZOP procedurewasapplied.
Lawley (1974) presentsthe results of the application of HAZOP to the feed section of
an olefm dimerisation plant. The part of the process studied is the transfer of olefin
from storage to a buffer and settling tank where the water impurity is settled out.
Although only a limited section of the plant is studied, the results given are thorough
and detailed.
Lawley (1976) gives the results for a study of an ethyleneoxide feed systemto a
group of batch As
reactors. with Lawley's the
other example, scope is limited but the
resultsgiven are detailedandthorough.
and passed through a suction catchpotbefore being fed to a compression train. The
results are detailedand include a wide variety of problems,a significant number of
by
which are generated the considerationof the guide word "other thaif'. Relatively
- 19-
few problemswere identified by the considerationof the guide words "more" and
"less".
Austin & Jeffreys (1979) carry out a HAZOP on the reactor section of the methyl
ethyl ketone plant described in their book. This HAZOP is interesting in that the
reactor section operates in a semi-batch manner, that is the normal operating
conditions of this part of the plant alter with time. There is plenty of background
information included as part of this worked example, including the design intention
and the design conditions for the different operating conditions of the part of the plant
being studied. The results presented are quite extensive and detailed. However, there
is no attempt made to identify any problems that may be due to such things as start-
up, shut-down and, of particular importance, maintenance.Austin & Jeffreys note that
this is a "truncated operability study" as only an isolated part of the plant is being
studied. They recognise that this introduces difficulties becausedeviations originating
upstream of the truncation point can only be specified in general terms. However,
their intention for presenting the study is to illustrate the principle of HAZOP and so
the completenessof the results is not paramount.
Kletz (1985) analyses a lOkm cross-country pipeline which transfers liquid propane
from a storagetank to a consumerplant buffer tank. This study generated39 actions
for just one line, the resultsgeneratedbeingvery clearanddetailed.
-20-
pipework above the top of the tank, then it is quite conceivablethat the tank will
rupture. Secondlythere is a valve V-8 included between the tank and its relief valve.
This leavesthe tank without any overpressureruptureprotectionif V-8 is closed.This
is not noted in the HAZOP resultsgiven, althoughit is presentin the FTA analysis
included in the paper.In addition to theseproblemsthe HAZOP results shown are
lacking in detail.
Although not presentedas a set of HAZOP resultsMcCluer & Whittle (1992) detail
some important safety recommendations generatedby HAZOP of fluid catalytic
cracking units (FCCUs). HAZOP of three FCCUs yielded between 150 and 200
for
recommendations eachunit. From these detailed, specific recommendations, II
were
generalisedrecommendations derived and theseare outlined in the paperalong
with a brief descriptionof the natureof the problemand how hazardsmay be realised.
These generalisedrecommendationslargely relate to hazardsand not operability
problems.Also includedis a detaileddescriptionof the operationof an FCCU and a
descriptionof the structureof the HAZOP.
2.7 Summary
-21-
BLANK IN ORIGINAL
3 Improving Conventional HAZOP Performance
can be maximised. Secondly, lessons from HAZOP experts, people with many years'
experience of carrying out HAZOP in industry are considered. Finally the role of
in
computer aids conventional HAZOP is looked at, and the pros and cons of their use
considered.
The members of the team should be selected to achieve the right balance of
knowledgeandexpertise.For HAZOP of a new chemicalplant design,the most likely
composition of a HAZOP team would be, project engineer, process engineer,
instrumentationdesignengineer,and an independentteam leader.In addition it may
if
include a researchchemist necessary.For HAZOP of an existing plant the team
would normally consistof the following people, plant supervisor,
plant foreman,plant
engineer,instrumentmanager,process investigation managerand independentteam
leader.For HAZOP of a modification or extensionto an existing plant then some
combination of thesetwo groupswould be used,bearingin mind that the total ought
not to exceedsix (Kletz, 1985).
-23-
3.1.2 HAZOP Secretary
The HAZOP secretaryor scribe plays an important part in the team, particularly in
recording, as appropriate,the discussions of the team as a whole. Goyal (1994)
identifies the following requirementsof a good scribe, basic engineering/technical
knowledge,linguistic skills, ability to type reasonablyfast and familiarity with the
recording system. In addition the scribe should have the ability to listen and pay
attentionto detail. However, in order to reducethe numberof participantsin a team,
some companies are combining the roles of the HAZOP leader and the HAZOP
secretary (Kletz, 1985). Apart from the advantage of reducing the personnel
requirement, there is also the advantage that the HAZOP leaderknows what is being
The HAZOP team leader is mainly responsible for making sure that the team follows
the HAZOP procedure. In addition he should make sure that the team works
widely recognised that many HAZOP team leaders adopt different approaches.It has
also been shown (Freeman et al., 1992) that expert HAZOP team leaders will conduct
a hazard study faster than their novice counterparts. Our own study (Jefferson et al,
1995a) confirms the finding of Freeman et al.
-24-
The main question arising from our analysis is, "How can novice HAZOP team
leadersbe trainedmost effectively?" An importantfeatureof HAZOP is that it can be
applied flexibly, either to identify first a consequenceof a certain deviation or to
identify first a cause of a deviation. However, novices do not appreciatethis
flexibility. This doesnot necessarilycompromisethe integrity of the HAZOP but can
lead to inefficient use of time. Proper training of novices is required to reducethis
inefficiency. Expert team leadersare markedout by their ability to choose,by some
mechanism,the most appropriateroute for the team to follow to identify efficiently
the causeconsequencescenariosof interest.Novices shouldbe madeawarethat they
can be flexible when leadingHAZOP meetings.It works most effectively when there
is no prescribed direction to follow from deviation to cause or deviation to
consequence.
One option for improving HAZOP is to make sure that the meetings are set up in such
a way that the HAZOP team members are given the best opportunity to perform at
their most effective. This includes things such as, making sure meetings are not too
long, allowing sufficient breaks during meetings and having a good environment for
the meeting.
compromise between reducing the overall time span required for the HAZOP and
allowing HAZOP participants as much time as possible to carry out their normal
duties. However, there is evidence that no such compromise is necessary.It has been
noted (Pully, 1993) that for a complete HAZOP of similar units, the number of hours
spent on the HAZOP was halved when meetings were held for only four hours per
day rather than 8 hours per day (half day sessionsas opposed to full day sessions).In
other words the overall time span for the complete HAZOP was the same. Dowell
(1994) suggests that meetings are restricted to 3-4 days per week with 6 hours of
meeting sessionseach day. The general consensusis that if any more hours per week
are spent carrying out the meetings, the participants become fatigued and there is
more pressure for them to miss HAZOP meetings in order to continue their normal
-25-
duties.Fatigueresultsin a lack of drive, enthusiasmand creativity, and makesfor less
A number of papersexist, written by people who have carried out HAZOP for a
number of years, detailing additional guide lines that they have developedover the
-26-
selectioncanaffect HAZOP performance.
Lihou (1986) gives somevaluable insights into how team membersshould perform
within a HAZOP team. He identifies the following roles and suggeststeam members
shouldbe ableto move freely betweenroles:
" Expert Informant: The person who can explain how a new processis
intendedto operateor how an existingplant is operated.
" Enthusiastic Pupil: The person who asks from clarification from the
-exper&' and/or the unbelieverthereby helping them to be sure that their
adviceis relevantin the currentsituation.
-27-
PAGE
MISSING
IN
ORIGINAL
PotentialHAZOP pitfalls identified are:
Some of the mistakeshe identifies are those associatedwith the role of the team
leader.They are:
0 wherefollow-up is difficult.
Making recommendations
General mistakes that can occur and which can hamper the progress of HAZOP are:
-29-
Suggestionsfor HAZOP managersand HAZOP team leadersfor settingup HAZOP
meetings
In the past few years, a number of computer programs have been developed to assist
in the carrying out of HAZOP (e.g. PrimaTech, 1994; Sigma-Lambda, 1995). On the
whole these are simple secretarial tools to provide a convenient way of turning the
deliberations of a HAZOP meeting into a formal, structured report. They also provide
a prompt for the team, suggestingthe next guide word and processvariable requiring
consideration. However, these computer tools have also, in general, not reduced the
time taken for hazard identification.
-30-
3.4 Conclusions
In the future there is the possibility that HAZOP will be performed automatically by
effective it will be in identifying all hazards. The next chapter looks at the
possibilities for improvement afforded by automating hazard identification.
-31-
BLANK IN ORIGINAL
4 Automated HAZOP
of
assurance completenessand therefore developed their initial versionof HAZID as,
in effect, a HAZOP emulator. There are now a number of researchprototypes
describedin the literature that adopt the sameapproachdevelopedby Parmer and
Lees (Zerkani and Rushton 1993; Venkatsubramanianand Vaidhyanathan1994;
Jeffersonet al. 1995b;Larkin et al. 1997;Wakemanet al. 1997).
-33-
hason othervariablesin the systern.
in2
-34-
The sign 'V' indicatesa negativeinfluence,i.e. Y will decreaseif X is increasedand
Y will increaseif X is decreased.
e Creationof the plant SDG from the information given in the plant model and
-35-
library.
component
Emulationof the conventionalHAZOP procedure.
Searchof the plant SDG for causesandconsequences
for a given deviation.
Component I
Library
Reiults
-36-
+,
arc([in,pressure], [out,pressure]),
arc([in,composition],+, [out,composition]),
otherarcs]
otherattributesrelatedto a pipe
*11]),
-37-
a CAD systemor constructedusing a text editor. The plant fragmentshown in figure
4.1 is describedas:
The inferenceenginetakesa plant descriptionas input and builds up the plant SDG
from the textual representationsof arcs in the unit library with regard to the unit
models and their connections as specified in the plant description. The inference
Figure 4.4 illustrates stepsin the method used to emulate conventiortal HAZOP.
IRGII/LOWFLOW
NO FLOW
REVERSEFLOW
1-UGII/LOWPRESSURE
I-HGHJLOWTENTERATURE
IUGH/LOW LEVEL
-38-
Theseprocessdeviationsare consideredin turn for every port, althoughthere is an
exception with HIGH and LOW LEVEL which are applied to vesselsonly.
Start
Select a
Dlant unit
Selecta
Select a
vrocess deviation
rFind
all consequencesof
faults and of deviation
I Repeat for I
all faults
Repeat for
all deviations
Repeat for
all ports
Repeat for
all lines/main units
End
-39-
4.4 HAZOP EMULATION - Identifying Faults and Consequences
Figure 4.5 showspart of the SDG of a plant fragmentwith two pipes and a valve.
Pipel is connectedto the inport of valvel and the outport of valvel is connectedto
the inport of pipe 2. Thetop, middle and bottom partsof the figure arethe mini-SDGs
for pipel, valvel and pipe2 respectively. The three parts are joined together by
linking the appropriateinterfacingnodes.
4
[in, flow] [out, flow] Pipel
-+ AL
...........................................................................................................................................
+ [fault, leak]
[consequence, contaminateenvironment]
4+
Valvel
[out, flow] [in, flow]
I**
, T-1-11-1-111-1---
........................................... ....... ..... ....................
................... . ....................
. ...... . ............
. ................
4
[in, flow] [out, flow] Pipe2
In the notation that is used here, each node in the graph that makesreferenceto a
process variable has two parts. The first part specifiesthe port and the secondthe
particular processvariable. When a noderepresentsa fault condition, the first part is
the word 'fault' and the secondpart is the fault description.When a node representsa
consequence, the first part is the word 'consequence' and the is
secondpart the
consequence description. Note that only nodes related to flow, and only one fault
Given the SDG of a plant, the way in which one variable affects another can be
by
established identifying an acyclic pathjoining the two nodesof interest.An acyclic
path has no node repeatedin it. The sign of the influencethat a changein the initial
-40-
node has on the fmal in
node the path is the product of all the signs in the path. For
example,given the SDG in figure 4.5, the in
way which the changein pipel [in, flow]
affectspipe2 [in, flow] is determinedby the following acyclic path:
The product of all the signs in the path is 'Y'. Therefore,an increasein pipel [in,
flow] will give rise to an increasein pipe2 [in, flow]; a decreasein pipel [in, flow]
will give rise to a decreasein pipe2 [in, flow]. If we considerthe effect of a leak in
Valvel then it has a positive influence on the in flow of pipel upstreambut has a
negativeinfluenceon the outflow of pipe2 downstream,i.e. a leak will result in more
flow in pipeI but lessflow in pipe2:
[out,flow]+'-+
[in,flow]*-- -"[out, flowjLo.[in,flow]
[fault,leakT:
If there does not exist a path joining any two nodes then the two nodes are
independent.
-41-
will happenif this pump stopsT
The answersto each type of question are found by using two different search
strategies,known as backwardand forward searchesrespectively.To answerthe first
type of question, we construct a path from the final event by following the arcs
backwardsin orderto determinewhat sequenceof influencescould havecausedit. To
answer the second type of question,we construct a path from the initial causeby
following the arcsforwardto determineany consequences of that event.
In emulatingHAZOP we are interestedin exploring all the faults that will lead to a
particulardeviationand all the consequences
associated
with the deviation. Therefore,
searcheshaveto be doneexhaustively,whethersearching forward or backwardfrom a
given node.The term exhaustivehere refers to the requirement that from somepoint
in the graphwe must ensurethat all possiblepathsthroughthe graphto its boundaries
are developed.Only by doing this can we be surethat all influencesbetweenthe given
nodeandeveryother nodehavebeenconsidered.
step of the searchwill produce N paths of length 1. If eachof those N arcs lead to
nodes which have M arcs leaving, then the next step will produce N*M Pathsof
length2.
singl.e.path as deeply as possible. When that path reachesa terminating node, the
algorithm will backtrackto the last node from which a new sub-pathremains to be
developedand attemptto extendfrom that node.Again this new developmentwill go
as deepaspossiblebeforebacktracking.
-42-
result.
Considering figure 4.6, if the original query was made concerning deviation 3, then
the inference engine traces back and finds two faults: cause I and cause 2. Having
found these faults it looks for consequences.Consequence 5 is directly linked to
deviation3. ConsequencesI and 2 are directly linked to cause 1. Consequence4 is
also identified as it is linked to deviation I which is in the path between the fault and
deviation 3 (the deviation under consideration). Consequence3 is identified as it is
linked to cause 2. The output generatedis shown in table 4.1.
-43-
cause3 7
consequence
deviation5 deviation6----o-
co 4
consequence consequence 5
a'-tion
dcvilonl 0-deviation2--P-d: 3-0- deviation40
cause cause2
consequence6
The preceding sections have given a general overview of the basic features of an
automated HAZOP system. This section highlights the research and development
issuesthat typically arise in developing a tool of this kind.
-44-
4.5.2 Data Acquisition
A common problem in computer aids for process plant design is that of data
The
acquisition. value of the tool is greatly reducedor evennegatedif the data input
are
overheads excessive. It might be expected, since computer aided design (CAD)
systemshave been around for some time, that there should be little problem in
downloadingbasic plant data,but in fact this is not the case.CAD systemsare still
fragmentedandthereis not a universalinterfaceinto which a computeraid of the kind
describedcanbe "plugged". The designerof sucha systemis thereforefacedwith the
to
need provide the interfacesnecessary for the acquisitionof the required data. The
mainpiecesof information requiredto representa chemicalplant are:
-45-
effort. The provisionof a unit model library is a partial solution, but experienceshows
that in most caseswhen constructinga new plant description it is necessaryto
configureone or two new models.It is therefore
necessary to provide some form of
tool to assistthe user in creatingthesemodels.The user can expectto find in the unit
model library the great majority of the modelsrequired. Guidance,however, should
be providedto ensurea correctselection.This points to the needfor a soundstructure
for the library.
4.5.3 Protections
Another issue is search efficiency and program run time. Despite the power of current
PCs,it is still necessaryto try to limit the searchesandto makethem as economicalas
practical. Some work on improving the search algorithm was carried out at
LoughboroughUniversity underthe STOPHAZproject (McCoy, 1999).
With regardto the format of the output record,the intent is that an automatedhazard
identification system should broadly follow that of a conventional HAZOP. It is
-46-
in
output HAZOP emulationsis that it
Another characteristicof computer-generated
tendsto includean excessivenumberof unimportantconsequences. In a conventional
HAZOP theseare "filtered out", often almost unconsciously.Handling of the large
number of "false positivee' is perhaps the single most significant problem in
developingan acceptabletool. It is necessaryto rank the consequences
and to remove
the lesssignificant,thoughthe user can be given somecontrol over the thresholdfor
reporting (McCoy
consequences. et al. 1999)
4.6 Conclusions
-47-
BLANK IN ORIGINAL
5 Modular HAZOP Theory and Principles
The first sectionof this chaptergives a summaryof what has beendone in modular
HAZOP relatedwork to setthe scene.The rest of the chapterdiscussesthe theory and
principles behind the modular HAZOP In
approach. particular it sets out definitions
that areusedin modularHAZOP.
1. Processinput-output structure.
2. Recycle structure.
3. Separationsequence.
4. Energy integration.
-49-
is eithersignificantor is not negatedby additionaltime spenton earlierHAZOP.
order to simplify the study procedure. For example, a pump set is unlikely to be
decomposedinto its componentparts - valves, impeller, motor, etc. - and each
considered separately.Instead,a setof knowledgerelevant to the module will be used.
in the caseof a pump this would include knowledgeof motor failure and impeller
failure.
-50-
5.2.1 Levels of Decomposition
Firstly at the lowest practical level of decomposition (figure 5.1) we can break each
item of a plant up into its basic constituent elements. These component modules are
At the next level of decomposition(figure 5.2) we can considerthe plant being made
of equipment modules. Theseare groups of components which perform functions at a
very simple level. These equipment modules may be pumps, heat exchangers,
pipelines,vessels,etc. Included within thesemodules will be the relevantvalves and
connecting pipes.This is the level at which HAZOP
experienced leaders conducttheir
meetings. They know that they do not needto considereachvalve or pipe and they
havebuilt up a set of knowledge,particularly of faults and consequences
for many of
theseequipmentmodules.
-3rl -
Separadon
Heat Ij Chemical
Pump I Pla6tB
Exchangerl
The next level of decomposition (figure 5.3) is to consider the plant as being made up
taken to perforrn hazard identification the larger the modules are the less time it is
likely to take to carry out modular HAZOP. On the other hand, the larger the modules
are the less likely it is that they will be re-used in future plants.
circumstances.For example, some of the connections to the plant may not be subject
to rigorous HAZOP, only known causes and consequenceswill be considered based
modes could be conceived, based on their previous experience of power supplies, only
complete failure would be considered. No consideration is normally given to the
components making up the power supply, it is treated strictly on a functional basis.
- s*L-
Figure 53 - Third level of decomposition. Functional modules.
-93-
Figure 5.4 - Fourth (highest) level of decomposition. Plant level.
It should be noted that there is some overlap between each of these levels of
decompositionas illustrated above.For example,a valve could be consideredas an
- S-f -
conventional HAZOP of the same plant, even if time is spent generating
preHAZOPed resultsfor moduleswhich may have no or limited possibility of reuse.
5.2.2 Sub-modules
-55-
variation of a sub-module as the effects on the module may be very slight and the
sameresults could be used for a variety of different sub-moduleconfigurations.If we
consideran inert gas venting sub-module for a stock tank module, it is possibleto
envisagea couple of different control strategies.However, in this case, similar
problems are encountered whatever arrangement is used, so it would not seem
necessary to have a different set of sub-module results for each, though some
additionalcommentsmay be appropriate.
The approach taken in modular HAZOP for dealing with the interconnections
betweenmodulesis to considerthe effectsmoduleswill haveon eachother. For each
module there will be four setsof effectsthat will needto be considered.Theseeffects
are illustratedin figure 5.5.
2. A set of module vulnerabilities - effects (from outside the module) that have an
effect on the module.Thesecan either give rise to hazardsinside the module or new
effectson othermodules.
3. A setof internalmoduleproblems.
-56-
Figure5.5 illustratesthesesetsof effectswith respectto a module.
latemal
Effects
Standard EffectsFrom
Module
cq 2!S(Ldffirogh
Figure 5.5 - Four setsof effects need to be considered for each module
I Internal
Internal
Effects Effects
Figure 5.6 - Effects needing consideration when two modules are connected.
- 5.7t -
I Internal I internal
Internal Effects
Effects Effecu
Figure 5.7 - Effects needing consideration when three modules are connected in series.
causes, variable deviations and end effect s. Obviously for hazard identification, the
'
paths of interestare complete pathsthat start at initial causes (causes) and.end at end
effects(consequences). Asterisks indicate incomplete paths.
Initial (a) -*
cause Endeffect(d)
*Initialcause(b) -+ Variabledeviation(g)
deviation(c)
*Variable -> Endeffect(h)
Figure 5.8 Possiblepaths between initial causes,variable deviations and end effects.
-rs -
For the variable deviations,we will use applicableprocess. However, in order to
reduce the number of matches and hence the number of effects that are propagated
betweenmodulesthese may be qualified where appropriateby the addition of the
stateof the material involved, i. e. liquid or vapour. If no qualification is given then
the effect appliesto all materialstates.Possiblehazardsare generatedwhen either an
initial causeis linked to a endeffect within a moduleor an initial causein one module
is linked via matchingvariabledeviationsto a endeffect in anothermodule.
rules so that any problemsthere may be with connectioncan be identified simply and
effectively.
In order to illustrate how a causein one part of a plant can have a consequence in a
different part of a plant, a study was made of conventionalHAZOP results.Causes
and consequences are defmed as either being local or distant. Local causesor
consequences occur somewhere on the line being studied. Distant causes or
occur
consequences on a different line to that being studied. This results in four
scenario
possiblecombinationsof causeconsequence
-59-
the line underconsiderationis dueto a causein anotherline.
-60-
Linefrom intermediatestorageto bufferisettlingtank
Guide Cause Local/dist Consequence Local/dis
vmrd antcause tant
consequ
ence
NoFlow 1 Nohydrocarbon
at Local Lossof feedto reaction Distant
intermediate
storage sectionandreduced
output.Polymerformedin
heatexchanger
underno
flowconditions
2 J1 Pumpfails(motorfault, Local Asfor I Distant
lossof drive,impeller
corrodedawayetc.)
3 Lineblockage,
isolation Local As for 1 Distant
valve
closedin erroror LCVfails Local J1 pumpoverheats. Local
shut
4 Linefracture Local Asfor 1 Distant
Local Hydrocarbon
discharged Local
intoareaadjacentto public
highway.
More 5 LCVfailsopenor LCV Local Settlingtankoverfills Local
Flow bypass
openin error. Local Incomplete
separation
of Distant
waterphasein tank,
leadingto problems
on
reactionsection.
More 6 valveclosedin
Isolation Local Transferlinesubjectedto Local
Pressure erroror LCVcloses,withJI fullpumpdeliveryor surge
pumprunning pressure
-
61 -
7 Thermalexpansion
in an Local Linefractureor flangeleak Local
isolatedvalvedsectiondue
to fireor strongsunlight
More 8 Highintermediate
storage Local Higherpressurein transfer Local
Temperat temperature lineandsettlingtank
ure
Less 9 Leakingflangeor valvestub Local Materiallossadjacentto Local
Flow notblankedandleaking publichighway
Less 10 Winterconditions Local Watersumpanddrainline Local
Temperat freezeup.
ure
High 11 Highwaterlevelin Local Watersumpfillsupmore Distant
water intermediate
storagetank quickly.Increased
chance
conc.in of waterphasepassingto
stream reactionsection.
High 12 Disturbance
ondistillation Distant Highersystempressure Local&
conc.of of
columnsupstream distant
lower intermediate
storage.
alkanes
or
alkenes
organic 13 Asfor 12 Distant rateof corrosion Local
Increased
acids of tankbase,sumpand
present drainline
Maintena 14 failure,flange
Equipment Local Linecannotbecompletely Local
nce leak,etc. drainedor purged.
I I --- I I II
Table 5.1 Example of HAZOP results (from Lawley, 1974), illustrating local and
distant causesand consequences.
-62-
5.4 Causeand ConsequenceTypes in Modular HAZOP
The types of causes defmed for modular HAZOP are initial causes, and
vulnerabilities.
The types of consequences defmed for modular HAZOP are end effects, directly
An initial causeis a fault within a module that gives rise to some effect, either a
propagated effect or an end effect. This terminology is used to explicitly define its
positionas the potentialstartof a fault path.
-63-
adjoining module to that being studied,equivalentto an effect in the other end of a
line in a conventionalHAZOP. It is either a consequenceof a vulnerability or a
of
consequence an initial cause.
-64-
-- -----------
----------
Shellside Shellside Environmental
leak (IC) inlet contamination (Ec)
S-M
EE=E,, J crreat
IC = Initial cause
Heat
exchanger I
module
vulnerability has an end effect associated with it, then a conventional local cause
consequencerelationship is formed. If the vulnerability is associated with a directly
effect
propagated (which will only occur rarely), then this may give rise to additional
local-local cause-consequence scenarios.Finally, if the vulnerability leads to an
indirectly propagatedeffect this may give rise to local-distant cause-consequence
scenarios. Of course if there is no vulnerability to any of the propagatedeffects
involved then there is no end effect linked to the initial cause,there is no complete
fault path andno causeconsequence
relationshipexists.
-65-
r----------------- --------
Heat
exchanger
Shellside module I
inlet
S-M
D Fouling of
HX tubes(IC)
Tubeside HX Tubeside I
Inlet care (outlet I
S-M S-M S-M I
I I
Low
Mflow
(LPE)
-
Shellside I I
outlet I
IC Initial cause
S-M I
I LPE = Local
---------------- --------I propagated effect
r ----------------------
Heat
exchanger
Shellside module
inlet
S-M
Fouling of
HX tubes(IC)
Tubeside HX Tubeside
inlet core outlet
S-M S-M S-M
-66-
Any
High S-M
pre sure I
(P Any
module I
Tubeside HX -Tutes- I
inlet core outlet I
S-M S-M S-M E:E= F-,,JI FFec. L
PE = Propagated
Shellside effect
outlet VUL = Vulnerability
S-M Heat
exchanger I
module
_I
-67-
r ---------- ----- ----------
Heat
exchanger
Shellside module I
inlet
S-M
*
Tubeside HX Tubeside I
inlet core outlet
S-M S-M S-M
L
------ -- --- ---- ------ A-ny---I
PE Propagated
module I
High flow Any effect
(PE) S-M
m
LPE = Local
propagated effect
VUL = Vulnerability
-68-
r---------- ------- --------
Heat
Shellside exchanger I
inlet module I
S-M
Tubeside HX Tubeside I
inlet core outlet i O
S-M S-M S-M
High/low
temperature
[S- hellside (RPE)
OL
outlet
I
High flow S-M
(VUL)
-- -- --- --- --------
Any PE Propagated
High flow module effect
(PE) Any
S-M
S RPE = Remote
-M I propagatedeffect
I VUL = Vulnerability
-69-
r---------- ------- --------Heat
exchanger
Shellside module
inlet
S-M
Tubeside HX
inlet core
S-M S-M
olymer-
isation in
Shellside HX tubes CW I
outlet
Low flow S-M
(VUL)
k----
-- --- --- --------
-70-
Initial cause(a) end effect (b)
considered.
-
71 -
exist where
causesand consequences the cause and consequence
are in different
sections.
5.5 Summary
This chapter has looked at the theory behind modular HAZOP and provides
definitions of terms used in modular HAZOP. This terminology will be used in the
following chaptersin which the modular HAZOP procedureis further explained.In
particular, this chapterprovidesan analysisof the size and form of modulesused in
the modular HAZOP procedureand how thesemodulesare broken down into sub-
It
modules. also shows how fault paths are built up betweeninitial causesand end
effects through propagatedeffects and vulnerabilities. These fault paths enablethe
determinationof effectsdueto the connectionof modulesandthe particularprocedure
-72-
BLANK IN ORIGINAL
6 Modular HAZOP Procedure
This chapter looks at the practicalities of applying modular HAZOP using the
theoreticalideasexploredin the previouschapter.This chapteris divided into three
parts. The first part gives an overview of how the theory from the previouschapter
be
can used as a general method for modular HAZOP. The secondpart details the
specific method developed.
It is anticipatedthat modular HAZOP be
can used a in
in
variety of situations a similar way to conventionalHAZOP. The third part outlines
someof theseapplications.
-74-
that mustbe satisfiedare,that for control valves,the samecontrol variableis being
used, for pumps, the sametype of pump is being used, for single or multiple pumps,
the appropriatesub-moduleis used,andfor any vesselssimilar vent arrangementsare
used. Requirements for matchingsub-modulesshould ideally be included in the
module library.
results.
-75-
The next stepis to usethe preHAZOPedresultsto generatethe HAZOP resultsfor the
plant. The HAZOP results are createdby identifying all possiblecauseconsequence
scenarioswhich exist either within modulesor through the connectionof modules.
Any causeswhich do not leadto consequences or consequences which haveno cause
are generally eliminated. This is done by tracing paths forward from all the initial
At a slightly more complex level are those initial causesand terminal consequences,
which occur, in directly adjacentsub-modules. These are however,relatively easyto
identify. It is only necessaryto matchlocally propagatedeffects due to initial causes
with vulnerabilities, which give rise to terminal in
consequences the directly adjacent
sub-module. These cause consequencescenarios are equivalent to causes and
consequencesat eitherend of a line in HAZOP.
conventional
The suggestionis that any remainingconsequences, which are not linked to causes,
are reviewedto determine if the vulnerability leadingto that consequence could have
-76-
Hazardous
realistic occurrence. scenariossuch as this should be recordedas part of
the modularHAZOP results.
open 1.2.1.2
Overflow
As stated above, the first step in the modular HAZOP procedureis to select the
requiredmodulesand then the appropriatesub-modulesthat makeup the plant under
The
consideration. modules and sub-modules selectedshould be documented and the
between
connections them needto be madeexplicit.
-77-
As part of a modular design procedurethe selectionof modules and sub-modules
would be relatively simple, as the designwould be basedon appropriatemodulesand
Any
sub-modules. descriptionof the plant would referencethe selectedmodulesand
and
sub-modules would include information on the between
connections them.
Given that modulardesignproceduresdo not yet exist for chemicalplant the selection
of modules and sub-modules would have to be made based upon traditionally
available design documents.
For conventionalHAZOP a detailed ELD is required,
however,for modularHAZOP, the samelevel of detail is not required,indeedit may
not be This
desirable. is becausea large amountof detail can be encompassed within
the sub-modules.All that is required is enoughinformation to be able to selectthe
correct sub-modules. A processflow diagrammay be a little short of information for
this selectionof sub-modules.PFDs will generallyonly have enoughinformation to
define the modulesinvolved. This is not to say that a modular HAZOP cannot be
performedwith just a PFD. If information is availableon which sub-modulesshould
be usedin particularsituations,basedon connectingmodulesand chemicalsinvolved,
then it should be possibleto selectthe required sub-modules.This approachwould
only be recommended as part of a unified modular design and modular HAZOP
approach. This thesis is not concerned with modular design though the use of sub-
modulescan be seento be a usefultechniquein a modulardesignprocedure.
-78-
Given that modular HAZOP does not require as much ELD detail as conventional
HAZOP, then it can be applied at an earlier stage of design. This has numerous
benefits. In particular it is easierto include any modifications suggestedand the
overall design time required can be reduced with significant savings. Because
conventional HAZOP can only start once a completeELD has been produced,design
and HAZOP cannot be carried out in parallel, and, in order to have the plant
operationalas soonas possible,ordering and construction often start while HAZOP is
still on-going.
In order to provide some flexibility within the preHAZOPed module results, the
conceptof sub-modules has been introduced. The aim is to optimisethe effectiveness
andefficiency of the moduleswhile minimising the numberrequired.
-79-
In developingpreHAZOPedmoduleresults,work was carried out at two levels. The
level of detail requireddiffers dependingon what is trying to be achieved.At a low
level of detail, generic preHAZOPedmodule results were developedto provide a
general framework on which more detailed modules can be built. However, they are
still useful for the
assessing potential of modular HAZOP, in particular how well the
faults and deviationsare propagatedthrough the plant. At this level of detail, it is
mainly just the susceptibilitiesand propagatedeffectsthat are required,and it is only
necessary to defme the module by its function and its inlets and outlets. At a high
level of detail fully preHAZOPedmoduleresultswere developed.This requiresthat
modulesare fully defmed in order that accurateand complete resultscan be drawn up.
corresponding consequences
causes, and safeguardsshouldbe complete.Obviously in
order to complete the generic preHAZOPed modules and convert them to fully
-80-
6.3 Computer support
HAZOP-PC has been used to store the preHAZOPed module results. The
-
81
-
preHAZOPed resultsare intendedto combine the detail of a checklist for eachmodule
with the interfaceinformation using the standard HAZOP guide words. The checklist
approachenablespast experience and expert knowledgeto be included.This means
that lessexperiencedengineerscanperform competenthazardidentification.
Guideword
Parameter
Deviation
Cause
Causecategory
Consequence
Consequence
category
Safeguards
Safeguardscategory
Recommendations
The guide word column is usedfor the guide words, as in conventionalHAZOP, no,
more, less,reverse,otherthan,etc.
The deviation column is derived by developingthe guide word with the parameter,
in
againas conventional HAZOP.
-82-
occur within the module. Secondly there are vulnerabilities. These are in capital
lettersandrepresentdeviationswhich havesomeeffect on the module.
-83-
of causesthat It
are vulnerabilities. is then necessaryto matchpropagatedeffectsand
vulnerabilitiesto determineif fault pathsexist.
The practical use of HAZOP-PC to carry out the modular HAZOP procedure is
discussedmore in the following chapter.
-84-
determinethe possibleeffectsof the new moduleon the rest of the plant. Finally, if a
module is modified, the existing preHAZOPed results can be modified and the
modularHAZOP procedure applied to the differencesagain.
-85-
BLANK IN ORIGINAL
Case study
7.1 Introduction
This chapter illustrates how the modular HAZOP procedure is used to carry out
hazardidentificationfor chemicalprocessplant.
7.2 Procedure
-87-
Cooling ter top up - single supply, single pump and float valve.
DEVIATI CAUSES CAT 1 CONSEQUENCES CAT SAFEGUARDS
ON
1. No I. I. Wine IC 1.1.1. Level in EE
Flow filter blocked. cold well cannot
Float valve fails be maintained.
shut. Cooling water
Pump failure. supply may be
restricted.
2. More 2.1. Float valve IC 2.1.1. Cold well EE 2.1.1.1. Suitable
Flow fails open. overflows. overflow to drain.
Contamination due
to dosing
chemicals.
2. Lower 2.1. Low ambient IC 2.1.1. Prolonged
Temperatu temperatureleads cold weather may
re to freezing, reduce
particularly as availability of
there may be no cooling water.
flow for long
periods of time.
Cooling ter top up - single supply, single pump and float valve.
DEVIA- CAUSES CAT I CONSEQUENCES CAT I SAFE- RECOMMENDATIONS
TION GUARDS
1. No 1.2.NO VUL 1.2.1.Level in cold well EE 1.2.1.1.If the supplyis
Flow FLOW FROM cannotbe maintained. unreliableconsiderthe
UPSTREAM Cooling watersupply needfor a backupsupply.
SUPPLY maybe r cted. Seeappropriatenode.
_ _
Table 7.2 - Example of vulnerability filtered results.
conventional HAZOP guide words which is not needed with modular HAZOP.
instead,in order to achievean efficient and effective alternative,lessflexibility in the
is
procedure required.
-88-
all the possibleinitial causeto end effect paths in the plant. This is done by finding
causesand end effects, where they exist, are eliminated until the report consists
substantiallyonly of initial causesandendeffect pairs.
The easiestway of achieving this is to edit the initial causesreport using a word
the
processor, HAZOP-PC generated reportshaving been suitablyconverted.
-89-
Suchvulnerabilitiesandeffectsshouldbe highlightedfor future action.
7.3 Results
For the purposeof this exercisea simple plant was devisedon a modularbasisusing
modulesand sub-modules from the module library.
-90-
the developmentof preHAZOPedresults, I had concentratedon developing such
commonmodulesand there was thereforelittle further work required in developing
thesemodulesfor the presentation.Thesecommon modulesare onesthat offer the
greatestpotentialtime savingsasthe preHAZOPedresultscan be frequentlyreused.
-91-
Module Name: Neutralisation reactor
Module Type: Exothermic liquid phasereactor
-92-
Module Name: Treatedwastestorage
Module Type: Atmosphericliquid storagetank
-93-
J
)
.1
3
)
4
Q (D
0=
Q) u
0-
CL ,
11
0
- 94-
Waste Acid Neutralisation Plant
-95-
DEVIA I CAUSES I CONSEQUENCES --TA SAFEGUARD I RECOMMENDATIO
TION S NS
High
temperature
alarm
Possiblerunawayreaction. High
Possibleexplosion temperature
alarm.
Low flow
alarm
Inadequateventingof storage Storagetank
tank. Vesseloverpressure relief valve.
rupture.
Staticbuild up in storagetank. Dip tubesfor Flammablefluids
filling storage only. If filling is not
tank. donevia dip tubes
checkdesign
assumptions.
Reverse Pumpnot running Reverseflow throughpump Separatenon-
Flow backinto cooling waterpond. returnvalves
on all pump
discharges.
Node:4Cooling watersupplymain-2 or morepumps.
Parameter:Maintenance
Intention:
Mainte High cooling water Unableto meetdemanddueto Plannedmaintenance
nance demand e.g. due to pump down for maintenance. shouldbe scheduled
hot weather. Unableto carry out maintenance for
dueto high periodsof low cooling
I cooling waterdemand. water demand.
Node: 5CoolingWaterPurgeto drain - manuallyadjusted.
Parameter:Flow
intention:
More Chemical Wastageof cooling waterand Orifice plate
Flow concentration dosingchemicals. to
monitoring fails minimise
requiringpurge maximum
valve to be opened possibleflow
morethan necessary. rate.
Purgevalve
Inadvertantlyleft
further openthan
Ire uired.
Less Purgevalve Increasedscaling,general
Flow insufficiently solidsdeposition, andfouling
open. problems.
Node: 6CoolingWaterAcid dosing- automaticallycontrolled.
Parameter:Flow
Intention:
Less Automaticdosing pH shouldbe maintained Routineand
Flow control fails, between pH7-8 to maintainnon- regular
deliveringlessacid scaling,non-corrosive testing.
thanrequired. conditionsin the system.
I I
Table 7.7 (cont.) Waste acid treatment Dlant modular HAZO P results.
-96-
I DEVIA I CAUSES I CONSEQUENCES SXFEGUARD RECOMMENDATIO
TION
I-
7
S NS 1
Low level
alarm.
Acid supply
exhausted.
More Automatic dosing pH should be maintained Routine and
Flow control fails, between pH7-8 to maintain non- regular
delivering more acid scaling, non-corrosive testing.
than required. conditions in the system.
Node: 7 Waste acid Storagetank vent to atmosphere
Parameter:Flow
Intention:
No/Les Vent line blocked or Tank overpressurerupture on Relief valve Minimise
s partially blocked filling. opportunities for vent
Flow blockage
Ensure flame arrestor
is maintained
correctly.
Tank vacuum Vacuum Minimise
collapse on relief opportunities for vent
discharge valve. blockage.
Ensure flame arrestor
is maintained correctly
Node: 7Waste acid Storagetank vent to atmosphere
Parameter:Temperature
Intention: Maintain temperature tank
-97-
DEVIA I CAUSES CONSEQUENCES isSAFEGUARD I RECOMMENDATIO
TION NS
-98-
I DEVIA I CAUSES CONSEQUENCES ----rSA-FEGUARD I RECOMMENDATIO
TION S NS
Composition
control
As Contaminationof Unwantedreaction. Considertestingtank
Well tank contents contentson a routine
As basis.
Flow
Node: 9WasteAcid Storagetank outlet
Parameter:Temperature
Intention
:
Node:9WasteAcid Storagetank outlet
Parameter:Pressure
Intention:
Lower Storagetank inlet Low tank level leadingto low Low flow
Pressur line blocked. pressure,low flow andpoor alarm
e Level in
control valve conversion reactor.
fails shut Low level
alarm
Level
indicator
Composition
control
Node: IOWasteAcid Storagetank feed inlet without control valve.
Parameter:Flow
Intention:
No Feedline blocked. Possibleinability to continue
Flow processat normalproduction
rates
Low tank level leadingto Low level
outlet pumpcavitation. alarm
Level
indicator
NO FLOW AT UPSTREAM
UNITS
NO FLOW FROM Possibleinability to continue
UPSTREAMUNIT processat normalproduction
rates.
Low tank level leadingto outlet Low level
pumpcavitation. alarm
Level
indicator
-More HIGH FLOW Inadequateventing.Vessel Relief valve.
Flow FROM UPSTREAM overpressure rupture.
UNIT
Staticbuild up. Dip tubesfor Flammablefluijs-
filling. only. If filling is not
donevia dip tubes
checkdesign
assumptions.
-99-
[D-EVIA I CAUSES -FEQUENCES isSAFEGUARD I RECOMMENDATIO
TION NS
- 100-
I DEVIA IIS
CAUSES CONSEQUENCES !S FEGUARD I RECOMMENDATIO
TION NS
Integralpump
high pressure
relief
valve
Pressure
indicator
Low flow
alarm
More Controlvalve fails Incompleteconversionof
Flow open reactants
- 101-
DEVIA CAUSES I CONSEQUENCES isSAFEGUARD I RECOMMENDATIO
TION NS
Environmental
damage.
Node: 12NeutralisationReactorliquid feedwith flow control
Parameter:Composition
Intention:
As CONTAMINATION Reactionmay not proceedas
Well FROM UPSTREAM required.
As UNITS
Compo
sition I
Node: BNeutralisationReactorliquid outlet with level control
Parameter:Flow
Intention:
No Outlet line blocked.. Reactoroverflows Low flow
Flow Pumpfailure. atram
Level control valve
fails shut.
High level
alarm
Low storagetank level leading Low flow
to outlet pumpcavitation. alarm
More Level control valve Level lost in reactor.
Flow fails open. Possibleoverheating,poor
conversion,sidereactions,etc.
Inadequateventingof storage Storagetank
tank. Vesseloverpressure relief valve.
rupture. I I
- 102-
DEVIA I CAUSES CONSEQUENCES isSAFEGUARD I RECOMMENDATIO
TION NS
- 103-
DEVIA I CAUSES CONSEQUENCES SA-FEGUARD I RECOMMENDATIO
TION S NS
Table 7. (cont.) Waste acid reatment plant modular HAZO results.
-104-
I DEVIA I CAUSES I CONSEQUENCES SAFEGUARD I RECOMMENDATIO
TION S NS
High pressure
alarm.
Rapidevaporationof storage Low flow Only a problemfor
tank contents. alarm tankswith openvent.
Increasedvapourconcentration Considerinstalling
aroundstoragetank, possibly High appropriatedetection
rising to a hazardouslevel. temperature equipmentif
alarm. appropriate.
High pressure
alarm.
More Controlvalve fails Reactiondoesnot proceedas
Flow open required.Poorconversion,side
reactions,etc.
High cooling waterdemand. Cancooling water
systemmaintain
adequatesupplyto
remainingsystems?
Node: 15NeutralisationReactorCoolingstreamin with temperaturecontrol
Parameter:Temperature
intention:
I I I I
Node: 16NeutralisationReactorCoolingstreamout with temperaturecontrol
Parameter:Flow
Intention:
No -
Recycleisolation Reactiontemperaturetoo high. Low flow Checkoperating
Flow valve closedin error. Reactiondoesnot proceedas alarm proc dures.
required.Poorconversion,side High
reactions,etc. temperature
Catalystdestroyed alarm
Possibleexplosionrisk. Relief valve
Low flow
alarm
High
temperature
alarm
Rapidevaporationof storage Low flow Only a problemfor
tank contents. alarm tankswith openvent.
Increasedvapourconcentration Considerinstalling
High
aroundstoragetank, possibly appropriatedetection
to
rising a hazardous level. temperature equipmentif
alarm appropriate.
Node: 17NeutralisationReactorcoolingvia recycle
Parameter:Flow
Intention:
No/Les Pumpfailure or poor Reactorbeginsto overheat. Someform of
s pump performance. Reaction may begin to run emergencycooling
Flow away.Possiblerisk of may be necessaryto
explosion. avoid explosionwhere
I that possibility exists. I
- 105-
DEVIA I CAUSES CONSEQUENCES isSAFEGUARD I RECOMMENDATIO
TION NS
- 106-
DEVIA I CAUSES I CONSEQUENCES --A- SAFEGUARD I RECOMMENDATIO
TION S NS
- 107-
BLANK IN ORIGINAL
8 Conclusions
8.1 Contributions
role of automated HAZOP was discussed and finally a new, modular HAZOP
-109-
importantfor a procedurewhich, as developed,is carricd out manuallyby only one or
two people.This contrastsstarkly with the level of decompositionusedin automated
HAZOP, which requiresthat each pump, valve, etc. be modelled. In particular it
allows for known problems with combinations of equipment to be represented.As
such,it is possibleto include much more expert knowledgein a sub-module than in a
collectionof more detailedmodelsmakingup that sub-module.Secondly,the fact that
the majority of cause-consequence scenariosexist in adjacent modules, and the
categorisationof locally and remotely propagatedeffects, reducesthe complexity of
the procedure.It enablesthe simpler fault paths,which make up most of the cause-
consequence scenarios, to be identified quickly, leaving a much reducednumber of
fault pathswhich require a more thoroughanalysis.Finally, I think the usefulnessof
the categories and a filtering tool, such as that provided by HAZOP-PC, in
simplifying the applicationof the procedureshouldnot be underestimated.
I believe that the modular HAZOP proceduredetailed in this thesis can be used to
provide quick hazard identification of chemical plant. Its application may be limited
to plant that have a large number of fairly standarditems, but in such casesit can
provide a significant improvement in the time takenfor hazad identification.The size
and structure of the models,and in particular the preHAZOPed results,allows a large
8.2 Limitations
- 110-
As identified above,the modular HAZOP procedureis not going to be universally
applicable.For certainplant, particularly where they are new, complex or otherwise
unique, the required preHAZOPed results may not exist it
and may not be worth
compiling them. In such cases, the HAZOP
conventional procedureprovidesthe best
- III-
Deviation Cause Consequence Safeguards Recommendations Remarks
High level Level Tank contents Overflow Overflow to be High level alarm
Table 8.1 - Part of preHAZOPed results for storage tank showing how remarks
column can be used.
-112-
and the effect of following by
one operation another in the same item of equipment
need to be considered. This is also likely to require, as its basis, a more systematic
approach to HAZOP of batch processplants than that originally specified.Work on
developingsuchan approachhasonly recentlybegun(MushtaqandChung,2000).
meeting.
- 113-
8.5 Automated modular HAZOP
-
114-
BLANK IN ORIGINAL
References
Austin, D. G. & Jeffreys,G. V.; "The Manufactureof Methyl Ethyl Ketone from 2-
Butanol." IChemE,London, 1979;Chapter12.
Black, J. M. & Ponton,J. W.; "A HierarchicalMethod for Line-by-Line Haza d and
Operability Studies." Interactions Between Process Design and Process Control,
1993;Chapter32, pp. 227-233.
Butler, P.; "Motivating people is the key to safety on processplant sites." Process
Engineering,August 1973;p. 79.
-116-
Douglas,J. M.; "ConceptualDesignof ChemicalProcesses.
" McGraw-Hill, 1988.
Dowell, III, A. M.; "Managing the PHA Team" Process Safety Progress, Vol. 13, No.
1, January1994;pp. 30-34.
Freeman,P, A., Lee, P, & McNamara,T. P.; "Plan HAZOP Studieswith an Expert
System." ChemicalEngineeringProgress,August 1992;pp. 28-32.
Gibson, S. B.; "WE FIXED THE FLOWSHEET SAFELY. " Process Engineering,
June1976;pp. 119- 120.
Hunt, A.; "Rules for Modelling In Computer Aided Fault Tree Synthesis.
" PhD
Thesis, Department of Chemical Engineering, Loughborough University of
Technology,1992.
- 117-
Hunt, A., Kelly, B. E., Mullhi, J. S., Lees,F. P. & Rushton,A. G.; "The propagation
of faults in processplants: 6, Overview of, and modelling for, fault tree "
synthesis.
Reliability Engineeringand SystemSafety,39,1993; pp. 173-194.
IrL M., Aoki, K, O'Shima,E. & Matsuyama,H.; "An Algorithm for Diagnosisof
" Computersin ChemicalEngineering,Vol
SystemFailuresin the ChemicalProcess.
3,1979; pp. 489-493.
- 118-
Kelly, B. E. & Lees,F. P. "The Propagationof Faults in ProcessPlant, 4, Fault Tree
Synthesisof a Pump ChangeoverSystenf' Reliability Engineering, 16,1986 (d); p.
87.
Lapp, S. A. & Powers,G. J.; IEEE Transon Reliability, R-26, April 1977;pp 2-11.
Larkin, F. D., Rushton, A. G., Chung, P. W. H., Lees, F. P., McCoy, S. A. &
Wakeman S. J.; "Computer-aidedHazard Identification: Methodology and System
Architecture." IChemE SymposiumSeriesNo. 141, HazardsXIII ProcessSafety -
The Future, 1997;pp. 337-348.
- 119-
Lees, F. P.; "Loss Prevention in the Process Industries: Haza d Identification,
Assessmentand Control. Volumes I to 3." Secondedition, Butterworths, Oxford,
1996.
Lees, F. P. & Kelly, B. E.; " The Propagation of Faults in Process Plants." Reliability
Engineering,Vol. 16,1,1986.
" 4th
Lowe, D. R. T. & Solomon, C. H.; "Hazard Identification Procedures.
InternationalSymposiumOn Loss PreventionAnd Safety Promotion In The Process
Industries,Vol. 1,80, pp. 246-282,1983.
McCoy, S. A., Wakeman, S. J., Larkin, F. D., Jefferson, M., Chung, P. W. H.,
Rushton,A. G., Lees,F. P. & Heino, P. M.; "HAZID, A ComputerAid for Haza d
Identification." TransIChemE,Vol. 77, PartB, 1999;pp. 317-327.
Martin-Solis, G., Andow, P. K& Lees,F. P.; "An Approachto Fault Tree Synthesis
for ProcessPlants." Proceedings2nd International Symposiumon Loss Prevention
Martin-Solis, G., Andow, P. K& Lees, F. P.; "Fault Tree Synthesisfor Real-Time
andDesign "
Applications. TransIChemE,Vol. 60,1980; pp. 14-20.
-120-
Mushtaq, F. & Chung, P. W. H.; "A Systematic HAZOP Procedure for Batch
Processes,And Its Application to Pipeless Plants." Journal of Loss Prevention in the
ProcessIndustries, 13,2000; pp. 41-48.
-121-
110.
Roach, J. R. & Lees, F. P.; "Some Features of and Activities in Hazard and
Operability(HAZOP) Studies." The ChemicalEngineer,October 1981;pp. 456-462.
Sigma-LambdaSoftware(Ility Engineering);'6HAZoplus.,,1995.
-122-
Toola, A.; "Plant level safety analysis." Journal of Loss Prevention in the Process
Industries,Vol. 5, No. 2,1992; pp. 119-124.
Wakeman,S. J., Chung, P. W. H., Rushton, A. G., Lees, F. P., Larkin, F. D. &
McCoy, S. A.; "Computer-aidedHaza d Identification: Fault Propagationand Fault-
ConsequenceScenarioFiltering." IChemE SymposiumSeriesNo. 141, Haza ds XIII
ProcessSafety- The Future, 1997;pp. 305-316.
- 123-
Appendix 1- CaseStudy preHAZOPed Results
This appendix contains the full list of preHAZOPed results used to generatethe
resultsof the casestudyof Chapter 7.
Table Al. 2 gives the preftAZOPed results generatedby filtering to include the
remaining cause-consequence scendios, i. e. those having a vulnerability (VUL) type
of cause.
Al -
Waste Acid Neutralisation Plant
Node: I Cooling Water top up - single supply, single pump and float valve.
Parameter: Flow
Intention:
CAUSES CAT CONSEQUENCES CAT SAFEGUARDS
DEVIAT RECOMMEND
ION ATIONS
1. No I. I. Inline IC 1.1.1. Level in EE
Flow filter blocked. cold well cannot
Float valve fails be maintained.
shut. Cooling water
Pump failure. supply may be
restricted.
2. More 2.1. Float valve ic 2.1.1. Cold well EE 2.1.1.1. Suitable
Flow fails open. overflows. overflow to drain.
Contamination due
to dosing
chemicals.
Node: I Cooling Water top up - single supply, single pump and float valve.
Parameter: Temperature
Intention:
2. Lower 2.1. Low ambient ic 2.1.1. Prolonged
Temperat temperature leads cold weather may
ure to freezing, reduce
particularly as availability of
there may be no cooling water.
flow for long
Lperiodsof time.
______
Node: 2Cooling water return to tower.
Fa-r-ameter: Flow
Intention: Maintain circulation of cooling water.
1. Less I. I. Purge to IC I. I. I. Cooling EE I. I. I. I. Regualr
Flow drain valve left water tower inspection.
open or fails performance falls
open. off. Cooling water
supply may be
restricted during
periods of high
deamand.
Node: 3Cooling Water Dosing - Chromate Dosing Outlet. Feed controlled by automatic dosing control.
Parameter:Flow
Intention:
A2
Intention:
1. Less I. I. Pump ic I. I. I. LESSFLOW DPE 1.1.1.1.
Flow failure. TO Appropriate
DOWNSTREAM alarmson pumps.
UNITS. Only likely
to be a problem
during periodsof
high demand.
1.1.1.2.Low flow
alarm
on supplymain.
2. 2.1. Pumpnot Ic 2.1.1.Reverse EE 2.1.1.1.Separate
Reverse running flow throughpump non-
Flow backinto cooling returnvalveson
waterpond. all pump
1discharges.
Node: 4Cooling watersupplymain -2 or morepumps.
Parameter:Maintenance
Intention:
I. partOf I. I. Highcooling ic 1.1.1.Unableto EE I. I. I. I. Planned
Maintena water demande.g. meetdemanddueto maintenance
nce due to hot pump down for shouldbe
weather. maintenance. scheduledfor
Unableto carry periodsof low
out maintenance cooling water
dueto high demand.
cooling water
demand.
f
Vode: 5CoolingWaterPurgeto drain - manually adjusted.
Parameter:Flow
Intention:
1. More 1.1.Chemical ic 1.1.1.Wastageof EE I. I. I. I. Orifice
Flow concentration cooling waterand plateto
monitoringfails dosingchemicals. minimise
requiringpurge maximum
valve to be possible
openedmorethan flow rate.
necessary.
Purgevalve
inadvertantly
left further open
thanrequired.
2. Less 2.1. Purgevalve ic 2.1.1.Increased EE
Flow insufficiently scaling,general
open. solidsdeposition,
andfouling
problems.
Node: Kooling WaterAcid dosing- automaticallycontrolled.
Parameter:Flow
Intention:
A3
1. Less 1.1.Automatic IC 1.1.1.pH should EE I. I. I. I. Routine
Flow dosingcontrol be maintained and
fails, delivering betweenpH7-8 to regulartesting.
lessacid than maintainnon- 1.1.1.2.Low
required. scaling,non- level alarm.
Acid supply corrosive
exhausted. conditionsin the
system.
2. More 2.1. Automatic IC 2.1.1.pH should EE 2.1.1.1.Routine
Flow dosingcontrol be maintained and
fails, delivering betweenpH7-8 to regulartesting.
moreacid than maintainnon-
required. scaling,non-
Acid supply corrosive
exhausted. conditions in the
system.
Node: 7Wasteacid Storagetank vent to atmosphere
Parameter:Flow
Intention:
1. 1.1. Vent line IC 1.1.1.Tank EE I. I. I. I. Minimise
I. I. I. I. Relief
No/Less blockedor overpressure valve opportunitiesfor
Flow partially blocked rupture on Iling vent blockage
1.1.1.2.Ensure
flamearrestoris
maintained
correctly.
1.1.2.Tank vacuum EE 1.1.2.1.Vacuum 1.1.2.1.Minimise
collapseon relief opportunities for
discharge valve. vent blockage.
1.1.2.2.Ensure
flame arrestoris
maintained
correctly
_jode-7Wasteacid Storagetank vent to atmosphere
Parameter:Temperature
Intention: aintaintemperaturetank
1 F _
-
Node. 7Wasteacid Storagetank vent to atmosphere
parameter:Pressure
Intention:Maintain in
atmosphericpressure tank
I I I I- I
ITo-de.8Wasteacid Storagetank overflow
Parameter:Flow
Intention:Allow tank to overflow safey
1. 1.1.Overflow IC I. I. I. No/partial EE 1.1.1.1.Level I. I. I. I. Ensure
No/Less blockedor tank overflow control opportunitiesfor
Flow partially blocked available. overflow
Possibletank 1.1.1.2.Level blocking
ruptureon indicator areminimised.
overfilling
A4
1.1.1.3.High
levelalarm
Node: 8Waste acid Storagetank overflow
Parameter: Temperature
intention:
A5
2.3.1.3.Consider
for
need remote
operationof
isolationvalve.
2.4. Pumpseals ic 2.4.1. EE 2.4.1.1. 2.4.1.1.Use
fail. Environmental Emergency cannedor seal-
contamination isolationvalve. lesspumpif
appropriate.
2.4.1.2.Pumpto
be adequately
bunded.
2.4.1.3.Consider
needfor remote
operationof
isolationvalve.
3. Less 3.1. Outlet line IC 3.1.1.LESSFLOW DPE 3.1.1.1.Flow
Flow partially TO control
blocked.Pumprunning DOWNSTREAM
incorrectly. UNIT
3.1.1.2.Low flow
alarm
3.2. Control IC 3.2.1.LESSFLOW DPE 3.2.1.1.Low flow
valve fails TO alarm.
insufficiently DOWNSTREAM
open. UNIT
4. As 4.1. IC 4.1.1. DPE
Well Contaminationof CONTAMINATION
As Flow tank contents OF
DOWNSTREAM
UNIT
5. 5.2. Outlet line ic 5.2.1.REVERSE DPE
Reverse ruptured. FLO
Flow W FROM
DOWNSTREAM
UNIT
Node 9WasteAcid Storagetank outlet
Ta-rameter.Temperature
intention:
A6
Parameter:Flow
Intention:
1. No I. I. Feedline IC 1.1.1.Possible EE
Flow blocked. inability to
continueprocess
at normal
1productionrates
1.1.2.Low tank EE 1.1.2.1.Low
level leadingto level alarm
outlet pump 1.1.2.2.Level
cavitation. indicato
1.1.3.NO FLOW DPE
AT
UPSTREAM
UNITS
3. Less 3.1. Feedline IC 3.1.1.Vessel EE 3.1.1.1.Level
Flow partially takes longerto indicator.
blocked. fill than normal
3.1.2.LOW FLOW DPE 3.1.2.1.Level
FROM UPSTREAM indicator.
UNIT f
-R-ode.- I OWasteAcid Storage
tank feedinlet without controlvalve.
Intention:
ENoddEljasteid
Storageynk fee inlet without controlvalve.
Parameter:Pressure
Intention:
r lffier 1.2.Feedline IC 1.2.1.Expansion IC 1.2.1.1. 1.2.1.1.Ensure
Pressure
ess isolated. of lockedin fluid Hydraulic operating
causeshydraulic pressurerelief instructions
overpressure preclude
ruptureof line. deliberate
isolationof line
without having
first drained
line.
1.2.1.2.Ensure
designminimises
opportunitesfor
isolationin
error dueto
control valves
failing etc.
A7
1.3.Manualvalve IC 1.3.1.LIQUID 1.3.1.1.Onlya
on storagetank HAMMER. HIGH problemfor long
inlet closes PRESSURETO pipelines.
quickly. UPSTREAM Ensureclosing
UNITS. time on control
valvesand
manual
valvesis long
enoughto avoid
liquid hammer.
Node: I ITreatedwasteInlet to tanker,controlled by batchmeter(tanker loading ope ations)
Parameter:Flow
Intention:
'TableAl. I )
(cont. - Wasteacid plant preHAZOPedresults- IC filtered.
A8
2. More 2.1. Control IC 2.1.1.Incomplete EE
Flow valve fails open conversionof
reactants
2.1.2. HIGH
CONCENTRATION
OF
REACTANT/
CONTAMINATION
TO
DOWNSTREAM
UNITS
2.1.3. HIGH FLOW IPE
TO UNITS
DOWNSTREAM
OF
REACTOR LIQUID
OUTLET
,
2.1.4. HIGH FLOW DPE
FROM UPSTREAM
UNITS
3. Less 3.1. Control IC 3.1.1. Reaction EE 3.1.1.1. Low flow
Flow valve fails does not proceed alarm
insufficiently as required. Poor
open conversion, side
reactions etc.
3.1.2. LESS IPE 3.1.2.1. Low flow
CONCENTRATION alarm
OF 3.1.2.2.
REACTANT/ Concentration
CONTAMINATION alarm
TO
UNITS
DOWSNTREAM
OF REACTOR
OUTLET
,
3.1.3. LESS FLOW DPE 3.1.3.1. Low flow
FROM UPSTREAM alarm
UNIT
Node: 12Neutralisation Reactor liquid feed wi th flow control
parameter: Temperature
Intention:
A9
2.2.2. EE
Environmental
damage.
Node: 12NeutralisationReactorliquid feedwith flow control
Parameter:Composition
Intention:
1. More I. I. HIGH 1.1.1.Reaction
Composit CONCENTRATION doesnot proceed
ion FROM UPSTREAM asrequired.
UNITS
1.1.2.
CONTAMINATION
(BY
REACTANT)TO
UNITS
DOWNSTREAM
OF
REACTOR
OUTLETS.
(Unlesssomeform
of concentration
control is used).
2. Less 2.1. LOW 2.1.1.Reaction
Composit CONCENTRATION doesnot proceed
ion FROM UPSTREAM asrequired
UNITS
2.1.2.
CONTAMINATION
TO
UNITS
DOWNSTREAM
OF REACTOR
OUTLETS.(Unless
someform of
concentration
control is used).
3. As 3.1. 3.1.1.Reaction
Well CONTAMINATION may not proceedas
As FROM UPSTREAM required.
Composit UNITS
ion
3.1.2.
CONTAMINATION
TO
UNITS
DOWNSTREAM
OF REACTOR
OUTLETS.
Node: 13NeutralisationReactorliquid outlet with level control
Parameter:Flow
Intention:
AIO
1. No 1.1.Outlet line IC I. I. I. Reactor EE 1.1.1.1.Low flow
Flow blocked. overflows alram
Pumpfailure. 1.1.1.2.High
level alarm
Level control
valve fails shut. 1.1.2.NO FLOW IPE 1.1.2.1.Low'flow
FROM UNITS alarm
UPSTREAMOF
REACTORFEED
2. More 2.1. Level IC 2.1.1.Level lost
Flow controlvalve in reactor.
fails open. Possible
overheating,poor
conversion,side
reactions,etc.
2.1.2.HIGH FLOW DPE
TO
DOWNSTREAM
UNITS
2.2. HIGH FLOW TO 2.2.1.Level lost
DOWNSTREAMUNITS in reactor.
Possible
overheating,poor
conversion,side
reactions,etc.
2.3. Outlet line IC 2.3.1.Reactor EE 2.3.
ruptured. contentslost to Emergency
environment. isolationmaybe
required.
3. Less 3.1. Level IC 3.1.1.Possible EE 3.1.1.1.High
Flow control fails to reactoroverflow. level alarm
opencontrol 3.1.1.2.Low
valve flowalarm
sufficiently. 3.1.2.LESSFLOW DPE 3.1.2.1.Low flow
TO alarm
DOWNSTREAM
UNITS
4. 4.1. Pumpfailure IC 4.1.1.REVERSE DPE
Reverse FLOW FROM
Flow DOWNSTREAM
UNITS
Node: 14NeutralisationReactorliquid feedwith concentrationcontrol
Parameter:Flow
Intention:
1. No I. I. Feedline IC I. I. I. Reaction EE I. I. I. I. Low flow
Flow blocked. doesnot proceed alarm
Controlvalve asrequired.Poor
fails shut. conversion,side
reactionsetc.
1.1.2.NO FLOW DPE 1.1.2.1.Low flow
FROM UPSTREAM alarm
UNITS
TableAl. I (cont.) - Wasteacid plant preHAZOPedresults- IC filtered.
All
1.1.3.LESSFLOW IPE 1.1.3.1.Low flow
TO UNITS alarm
DOWNSTREAM
OR
REACTORLIQUID
OUTLET
2. More 2.1. Control IC 2.1.1.Incomplete EE
Flow valve fails open conversionof
yreactants
2.1.2.HIGH FLOW IPE
TO UNITS
DOWNSTREAM
OF
REACTORLIQUID
OUTLET
,
2.1.3.HIGH FLOW DPE
FROM UPSTREAM
UNITS
3. Less 3.1. Control IC 3.1.1.Reaction EE 3.1.1.1.Low flow
Flow valve fails doesnot proceed alarm
insufficiently asrequired.Poor
open conversion,side
reactionsetc.
3.1.2.LESSFLOW DPE 3.1.2.1.Low flow
FROM UPSTREAM alarm
f UNIT
Node: 14NeutralisationReactorliquid feedwith concentrationcontrol
Parameter:Temperature
intention:
CONTAMINATION
TO
UNITS
DOWNSTREAM
OF REACTOR
OUTLETS.
Node: 15NeutralisationReactorCoolingstreamin with temperaturecontrol
Parameter:Flow
Intention:
1. No I I. I. Control 1.1.1.Runaway I. I. I. I. Low flow
Flow valve fails shut. reaction. alarm
A12
1.1.1.2.High
temperature
alarm.
1.1.2.Possible 1.1.2.1.Low flow
explosion. I alarm
1.1.2.2.High
temperature
alarm
1.1.2.3.High
pressure
alarm
1.1.2.4.Install
relief
valve
1.1.3.Catalyst 1.1.3.1.As for
destroyed. consequence
A13
2.1.2.MORE FLOW
DOWNSTREAM
OF
COOLING
STREAM OUT
2.1.3.MORE FLOW
FROM UPSTREAM
UNITS
2.1.4.LOW
TEMPERATURE
DOWNSTREAM
OF
REACTORLIQUID
OUTLET
,
2.1.5.LOW
TEMPERATURE
DOWNSTREAM
OF
REATOR VAPOUR
OUTLET
,
2.2. MORE FLOW 2.2.1.As for 2.2.1.1.Flow
FROM UPSTREAM cause1.1except control.
UNIT as for consequence 2.2.1.2.
2.1.3 Temperature
control.
3. Less 3.1. Control 3.1.1.Possible 3.1.1.1.High
Flow valve fails to runawayreaction. temperature
onensufficiently alarm.
3.1.1.2.Low flow
alarm
3.1.2.Possible
explosion
3.1.3.Reaction
doesnot proceed
asrequired.Poor
conversion,side
reactions,etc.
3.1.4.LESSFLOW
DOWNSTREAM
OF
COOLING
STREAM OUT
3.1.5.LESSFLOW
FROM UPSTREAM
UNITS
3.1.6.HIGH
TEMPERATURE
DOWNSTREAM
OF
REACTORLIQUID
OUTLET
J.
A14
3.1.7.HIGH
TEMPERATURE
DOWNSTREAM
OF
COOLING
STREAM OUT
3.2. LESSFLOW 3.2.1.As for 3.2.1.1.Flow
FROM UPSTREAM cause2.1 except control
UNIT as for consequence
3.1.5
Node: 15NeutralisationReactorCoolingstreamin with temperaturecontrol
Parameter:Temperature
Intention:
1. Higher I. I. HIGH I. I. I. Reaction 1.1.1.1.
Temperat TEMPERATUREFROM doesnot proceed Temperature
ure UPSTREAM UNIT as required. Poor control
conversion,side
reactions,etc.
1.1.2.Cooling
capacityreduced.
1.1.3.HIGH 1.1.3.1.
TEMPERATURE Temperature
TO control
UNITS
DOWNSTREAM
OF COOLING
STREAM
OUT
1.1.4.HIGH 1.1.4.1.
TEMPERATURE Temperature
TO control
UNITS
DOWNSTREAM
OF REACTOR
LIQUID
OUTLET
2. Lower 2.1. LOW 2.1.1. Reaction 2.1.1.1.
Temperat TEMPERATURE FROM does not proceed Temperature
UPSTREAM UNIT as required. Poor control.
ure
conversion,side
reactions,etc.
2.I. T Reaction 2.1.2.1.
proceedsslower Temperature
than expected. control.
2.1.3.LOW 2.1.3.1.
TEMPERATURE Temperature
TO control
UNITS
DOWNSTREAM
OF LIQUID
OUTLET
A15
2.1.4.LOW 2.1.4.1.
TEMPERATURE Temperature
DOWNSTREAM control
OF
COOLING
STREAM OUT
Node: 16NeutralisationReactorCoolingstreamout with temperaturecontrol
Parameter:Flow
intention:
1. No I. I. No FLOW TO 1.1.1.Reaction I. I. I. I. Low flow
Flow DOWNSTREAMUNIT temperaturetoo alarm
high. 1.1.1.2.High
temperature
alarm
Explosion.
Catalyst
destroyed.
1.1.2.Reaction 1.1.2.1.As for
doesnot proceed consequence
asrequired.Poor 1.1.1
conversion,side
reactions,etc.
1.1 3. NO FLOW 1.1.3.1.As for
.
FROM UNITS consequence
UPSTREAMOF 1.1.1
COOLING
STREAM IN
1.1.4.HIGH 1.1.4.1.As for
TEMPERATURE consequence
DOWNSTREAM 1.1.1
OF
LIQUID OUTLET
1.1.5.HIGH 1.1.5.1.As for
TEMPERATURE consequence
DOWNSTREAM 1.1.1
OF
VAPOUR OUTLET
2. More 2.1. HIGH FLOW TO 2.1.1.Low 2.1.1.1.
Flow DOWNSTREAM UNIT reaction Temperature
temperature control
2.1.2.Reaction 2.1.2.1.as for
doesnot proceed consequence
asrequired.Poor 1.1.1
conversion,side
reactionsetc.
2.1.3.HIGH FLOW 2.1.3.1.As for
FROM UNITS consequence
UPSTREAMOF 1.1.1
COOLING
STREAM IN
A16
2.1.4.LOW 2.1.4.1.as for
TEMPERATURE consequence
TO
DOWNSTREAM
UNITS
2.1.5. LOW 2.1.5.1. As for
TEMPERATURE consequence
DOWNSTREAM 1.1.1
OF
LIQUID OUTLET
3. Less 3.1. LOW FLOW TO 3.1.1. High
Flow DOWNSTREAM UNITS reaction
temperature.
3.1.2. Possible
1runaway reaction.
3.1.3. Reaction
does not proceed
as required. Poor
conversion, side
reactions, etc.
3.1.4. LOW FLOW
FROM UNITS
UPSTREAM OF
COOLING
STREAM IN
3.1.5. HIGH
TEMPERATURE
TO
DOWNSTREAM
UNITS
3.1.6. HIGH
TEMPERATURE
DOWNSTREAM
OF
LIQUID OUTLET
-To eutralisation Reactor cooling via recycle
Pnrameter: Flow
Intention:
1. 1.1. Pump failure IC I. I. I. Reactor EE I. I. I. I. Some
No/Less or poor pump begins to form of
Flow performance. overheat. Reaction emergency
may begin to run cooling may be
away. Possible necessaryto
risk of explosion. avoid explosion
where that
possibility
exists.
3. AS 3.1. IC 3.1.1. Reaction EE
Well Contamination of does not proceed
As Flow recycle stream by as required. Poor
cooling water due conversion, side
to heat exchanger reactions, etc.
ffiffif, Waste OPed results 1C filtere 1.
Table Al - acid Ph nt pre -
a ure.
A17
3.1.2. IPE
CONTAMINATION
WITH
COOLING WATER
TO
UNITS
DOWNSTREAM
OF REACTOR
OUTLET
Node: 18Treated, WasteStoragetank vent to atmosphere
Parameter:Flow
Intention: Enableflow into or out of tank to maintainatmosphericpr sure
1. 1.1.Vent line IC 1.1.1.Tank EE Relief 1.1.1.1.M inimise
No/Less blockedor overpressure valve opportunitiesfor
Flow partially blocked ruptureon filling vent blockage
1.1.1.2.Ensure
flame arrestoris
maintained
correctly.
1.1-2.Tank vacuum EE 1.1.2.1.Vacuum 1.1.2.1.Minimise
collapseon relief opportunitiesfor
discharge valve. vent blockage.
1.1.2.2.Ensure
flame arrestoris
maintained
correctly
Node: 18TreatedWasteStoragetank vent to atmosphere
Fair-ameter:
Temperature
intention: Maintain temperaturetank
A18
3. Less 3.1. Feedline IC 3.1.1.Vessel EE 3.1.1.1.Level
Flow partially takeslongerto indicator.
blocked. fill than normal
3.1.2.LOW FLOW DPE 3.1.2.1.Level
FROM UPSTREAM indicator.
UNIT I I
Node: 19TreatedWasteStoragetank feed inlet without control valve.
Parameter:Temperature
Intemt-ion:
A19
TableAl. I (cont.) - Wasteacid plant preHAZOPedresults- IC filtered.
A20
Project Name: Waste Acid Neutralisation Plant
Node: I Cooling Water top up - single supply, single pump and float valve.
Parameter:Flow
Intention:
A21
Parameter:T
: Maintain temperature tank
I II
-- T- I I
Node: 7Waste acid Storagetank vent to atmosphere
Parameter: Pressure
Intention: Maintain atmospheric ess e. n tank
1 7 ---T
Node: 8Waste acid Storagetank overflow
11
Parameter: Flow
intention: Allow tank to overflow safely
I I I II -I
Node: 8Wastc acid Storagetank overflow
Parameter: Temperature
Intention:
1.3.1.3. Integral
pump
high pressurerelief
valve
1.3.1.4. Pressure
indicator
1.3.1.5. Low flow
alarm
5. Reverse 5.1. Pumpfailure VUL 5. I. I. Material EE 5.1.1.1. Non-return
Flow and REVERSE incompatability valve.
FLOW
FROM
DOWNSTREAM
UNIT.
F-Node:Waste Acid Storagetank outlet
Parameter:T erature
Intention:
A22
Node: 9WasteAcid Storagetank outlet
parameter: Pressure
Intention:
1. Higher I. I. HIGH VUL I. I. I. LOWFLOWTO DPE I. I. I. I. Flow
Pressure PRESSUREAT DOWNSTREAM control
DOWNSTREAM UNIT
UNIT
e: I Acid
OWaste Storage
tank f eedinlet without controlvalve.
[ IParrai
ameter:Flow
=on:
Interel tion:
, en
niti
N0o,Flow 1.2.NO FLOW VUL 1.2.1.Possibleinability EE
FROM to continueprocess
UPSTREAM at normalproduction
UNIT rates.
1.2.2.Low tank level EE 1.2.2.1.Low level
leadingto outlet pump alarm
cavitation. 1.2.2.2.Level
indicator
2. -M-o-re- 2.1. HIGH FLOW VUL 2.1.1.Inadequate EE 2.1.1.1.Relief
Flow FROM venting.Vessel valve.
UPSTREAM overpressure rupture.
UNIT
-------- 2.1.2.Staticbuild up. EE 2.1.2.1.Dip tubes 2.1.2.1.
for filling. Flammablefluids
only. If filling is
not donevia dip
tubescheck
design
assumptions.
3. Less 3.2. LOWFLOW VUL 3.2.1.Vessel 3.2.1.1.Level
. FROM SOURCE takeslongerto indicator.
Flow
fill than normal.
4. As Well 4.1. WRONG VUL 4.1.1.Material EE 4.1.1.1.Ensure
As ]Flow MATERIAL AT incompatability appropriate
SOURCE measuresexist to
checkincoming
material.
Table Al. 2 )
(cont. - Wasteacid plant - preHAZOPedresultsVUL filter.
A23
4.2. VUL 4.2.1.Material EE
CONTAMINATI incompatibility
ON OF
MATERIAL AT
SOURCE
5. Reverse 5.I. REVERSE VUL 5.1.1.Liquid EE 5.1.1.1.Siphon
Flow FLOW siphonedout of breakon
ATSOURCE tank. dip tubes.
5.1.1.2.Non-rcturn
valve
Node: IOWasteAcid Storagetank f eedinlet without control valve.
Parameter:Temperature
Intention:
1. Higher I. I. HIGH VUL I. I. I. Rapid EE 1.1.1.1. 1.1.1.1.For
Temperature TEMPERATURE evaporationof Temperature systemwith vent
FROM tank contents. indicator headersystem,
UPSTREAM cansystemcope
UNIT with increasein
1.1.1.2.High ventingdueto
temperature hot weather
alarm actingon several
tanks?
1.1.2.Increased EE 1.1.2.1. 1.1.2.1.Only a
vapour Temperature problemfor tanks
concentration indicator. with openvent.
aroundtank, 1.1.2.2.High Consider
possiblyrising to temperature installing
a hazardouslevel. alarm. appropriategas
detection
equipmentif
appropriate.
Node: IOWaste Acid Storage tank feed inlet without control valve.
Parameter:Pressure
Intention:
1. Higher I. I. HIGH VUL I. I. I. Vessel IC I. I. I. I. Relief I. I. I. I. Ensure
Pressure PRESSURE overpressure valve. enting.
FROM rupture 1.1.1.2.Pressure
SOURCE indicator.
Node: I ITreated waste Inlet to tanker,controlled by batchmeter(tankerloadingoperations)
Parameter:Flow
Intention:
1. No Flow L I. NO FLOW VUL I. I. I. Tankernot EE
FROM filled as
UPSTREAM required.
UNIT
2. More 2.1. MORE VUL
Flow FLOW
FROM
UPSTREAM
UNIT
A24
3. Less 3.1. LESSFLOW VUL 3.1.1.Tanker EE 3.1.1.1.Overdue
Flow FROM takeslongerto filling
UPSTREAM fill than normal. alarm.
UNIT
Node: I ITreatedwasteInlet to tanker,controlledby batchmeter(tankerloadingoperations)
Parameter:Pressure
Intention:
1. Higher I. I. HIGH VUL I. I. I. Tanker EE Relief
Pressure PRESSURE overpressure valve
FROM rupture.
UPSTREAM
UNIT
2. Lower 2.1. LOW VUL 2.1.1.Vessel EE
Pressure PRESSURE takeslongerto
FROM fill than normal
UPSTREAM
UNIT
Node: I ITreatedwasteInlet to tanker,controlledby batchmeter(tankerloadingoperations)
Parameter:Composition
Intention:
A25
2.2.3.HIGH FLOW IPE 2.2.3.1.Flow
TO UNITS control
DOWNSTREAM OF
LIQUID REACTOR
I OUTLET 1
3. Less 3.2. LESSFLOW VUL 3.2.1.Reactiondoes EE 3.2.1.1.Low flow
Flow FROM not proceedas alarm
UPSTREAM required.Poor
UNITS conversion,side
reactionsetc.
3.2.2.LOW IPE 3.2.2.1.Low flow
CONCENTRATION alarm
OF REACTANT / 3.2.2.2.
CONTAMINATION Concentration
TO UNITS alarm
DOWNSTREAM OF
R OUTLET_
Node: 12NeutralisationReactorliquid feedwith flow control
Parameter:Temperature
Intention:
1. Higher 1.1.HIGH VUL I. I. I. Reaction EE
Temperature TEMPERATURE beginsto runaway. Temperature
FROM Possible control.
UPSTREAM Explosion.
UNITS
1.1.1.2.Relief
valve
required.
1.1.2.Reactiondoes EE 1.1.2.1.
not proceedas Temperature
required.Poor control
conversion,side
reactionsetc.
2. Lower 2.1. LOW VUL 2.1.1.Reactiondoes EE 2.1.1.1.
Temperature TEMPERATURE not proceedas Temperature
FROM required.Poor control
UPSTREAM conversion,side
UNITS reactionsetc.
2.1.2.Reaction EE 2.1.2.1.
doesnot proceed Temperature
at requiredrate. control
Node: 12NeutralisationReactorliquid feedwith flow control
Parameter:Pressure
Intention:
1. Higher I. I. HIGH VUL I. I. I. Reaction EE I. I. I. I. Pressure
Pressure PRESSURE doesnot proceed control
FROM asrequired.Poor
UPSTREAM conversion,side
UNITS reactions,etc.
A26
2. Lower 2.1. LOW VUL 2.1.1.Reaction EE 2.1.1.1.Pressure
Pressure PRESSURE doesnot proceed control
FROM as required.Poor
UPSTREAM conversion,side
UNITS reactionsetc.
Node: 12NeutralisationReactorliquid feedwith flow control
Parameter:Composition
Intention:
A27
1. Higher I. I. HIGH VUL 1.1.1.Reaction EE 1.1.1.1.
Temperature TEMPERATURE beginsto runaway. Temperature
FROM Possible control.
UPSTREAM explosion.
UNITS
1.1.1.2. Relief
valve
reouired.
1.1.2. Reaction E 1.1.2.1.
does not proceed Temperature
as required. Poor control
conversion, side
reactions etc.
2. Lower 2.1. LOW VUL 2.1.1. Reaction EE 2.1.1.1.
Temperature TEMPERATURE does not proceed Temperature
FROM as required. Poor control
UPSTREAM conversion, side
UNITS reactions etc.
2.1.2. Reaction EE 2.1.2.1.
does not proceed Temperature
at required rate. control
Node: 14Neutralisation Reactor iid feed with concentration control
Parameter: Composition
intcntion:
F-Node:15NeutralisationReactorCoolingstreamin withtemperaturecontrol
Parameter: Flow
intention:
A28
Lower LOW Reaction EE Temperature
Temperature TEMPERATURE VUL doesnot proceed control.
FROM asrequired.Poor
UPSTREAM conversion,side
UNIT reactions,etc.
Reaction EE Temperature
proceedsslower control.
than expected.
Node: 16NeutralisationReactorCooling streamout with temperaturecontrol
Parameter:Flow
Intention:
A29
3. Less 3.2. LOWFLOW VUL 3.2.1.Vesseltakes 3.2.1.1.Level
Flow FROM SOURCE longerto fill than indicator.
normal.
4. As Well 4.1. WRONG VUL 4.1.1.Material EE 4.1.LL Ensure
As Flow MATERIAL AT incompatability appropriate
SOURCE measuresexistto
check incoming
material.
4.2. VUL 4.2.1.Material EE
CONTAMINATI incompatibility
ON OF
MATERIAL AT
SOURCE
5. Re erse 5.I. REVERSE VUL 5.1.1.Liquid siphoned EE 5.1.1.1.Siphon
Flow FLOW AT out of tank. breakon dip tubes.
SOURCE
5.1.1.2.Non-return
valve
Node- 19TreatedWasteStoragetank feedinlet without control valve.
-parameter:Temperature
Tn-tention.
-
1. Higher I. I. HIGH VUL I. I. L Rapid EE 1.1.1.1. 1.1.1.1.For
Temperature TEMPERATURE evaporationof Temperature systemwith vent
FROM tank contents. indicator headersystem,
UPSTREAM cansystemcope
UNIT with increasein
1.1.1.2.High venting dueto
temperature hot weather
alarm actingon several
tanks?
1.1.2.Increased EE 1.1.2.1. 1.1.2.1.Only a
vapour Temperature problemfor tanks
concentration indicator. with openvent.
aroundtank, 1.1.2.2.High Consider
possiblyrising to temperature installing
a hazardouslevel. alarm. appropriategas
detection
equipmentif
L appropriate.
without control valve.
intention:
1. Higher I. I. HIGH VUL I. I. I. Vessel IC I. I. I. I. Relief I. I. I. I. Ensure
Pressure PRESSURE overpressure valve. adequateventing.
FROM rupture 1.1.1.2.Pressure
, SOURCE indicator.
A30
0
Appendix 2- BenzenePlant Modular HAZOP
This appendixhas results for the modular HAZOP of a benzeneplant. The plant is
illustratedin figure A2.1. The resultsarepresentedin tableA2.1.
A31
Figure A2.1 Benzeneplant
A32
Modul Sub- Devia Causes Consequences Safe- Recommend
e module -tion guards -ations
TKIO1 Toluene No Battery limit supply failure Possible inability
feed from flow Feed line blocked. to continue
battery Level control valve fails processat normal
I limit shut production rates
A33
Self High Externalfire Rapid evaporation Ensure
tempe of tank contents. adequatefire
rature Structural relief.
weakeningof
tank.
High ambienttemperature Rapidevaporation Insulatetank.
of tank contents.
A34
Less Overflow partially As for no flow. As for As for no
flow blocked. no flow. flow.
-1
1-0 Fuel gas No Burnercontrol fails shut LESS
in flow TEMPERATURE
HEATED
PRODUCTOUT
A35
Stack No Stackblocked. Flamefails. Burner
flow Damperfails shut. Flammablegas control
releasedto system
atmosphere.
Damperfails open. MORE
TEMPERATURE
HEATED
PRODUCTOUT
A36
MORE FLOW As above.
FROM
UPSTREAM
UNITS
Pumpsealsfail Environmental Usecanned
contamination. pumpsif
necessary.
Consider
requirement
for remote
isolation.
MORE FLOW
FROM
UPSTREAM
UNITS
LESSFLOW TO
DOWNSTREAM
UNITS
LESS FLOW
FROM
UPSTREAM
UNITS
A37
1-1101 Fuel Gas No Burnercontrol fails shut LESS
In flow TEMPERATURE
Flamefails. Flame
Explosive failure
atmosphere alarm.
develops. 0
Burner
control
system.
A38
More Stackdamperfails open MORE
flow TEMPERATURE
HIGH
TEMPERATURE
A39
Less Compressor operating LESS FLOW
flow incorrectly
A40
Appendix 3- Modular HAZOP Library
The following pages provide some examples of components of a module library. These
A41
AM Cooling Water Supply System
A3.1.1 Sub-ModulesRequired
0 Cooling WaterPond.
A42
A3.1.2.4 Cooling Water Supply Main
A43
A3.2 Reactor Modules
used.
A44
------------ Reactor twin feed, one feed
with flow control, one with
concentartion control
Vapour product
outlet with
pressure contro
----------------- --U
--------------
II
F Vapour
Outlet
Cooling
stream out
=-j
A45
A3.2.2 Required sub-modules
Reactor vessel.
Stirrer.
Catalyst.
Feed II Vapour
Outlet
Recycle j Liquid
Outlet
A46
Reactorliquid feedwith concentrationcontrol. (Node 12)
Reactorliquid feedwith level control.
-----------------------------------------------------
.................
......... >
Feed Vapour
Outlet
..................
Recycle Liquid
Outlet
...............
Figure A3.3 - Reactor twin feed with flow and concentration control.
A47
0-1,
........
....... -- --- -----------
X >
..........
Fee d .........
Vapour
Outlet
Reactor liquid
.........
Recycle Liquid tj
product outlet,
Outlet st
standard PL
pump
....... ......... with level control
Reactor cooling
via jacket
.......... >
Recycle Liquid
Outlet
.............
coolig
water out
Cooling
water In
A48
A3.2.4.4 Reactor Cooling System
required to the
represent interface equipment,either a reactorjacket or an external heat
exchanger.
>
.......... ..........
Feed Vapour
Outlet
L-
Recycle Liquid
Outlet
................ Ile
I
Cooling
stream out
III
Coolinq
stream in
nodes:
Nodes
............
.
>:
Feed Vapour
Outlet
A50
A3.2.4.6 Stirrer
>
Feed Vapour
Outlet
Reactor ..........
Liquid
Recycle
stirrer Outlet
A3.2.4.7 Catalyst
A51
Siphon
Break
Feed' Hole
A52
A3.3 Atmospheric Storage Tank Module
Storagetank vessel.
Storagetank feed(s).
Storagetank outlet.
Storagetank vent system.
Storagetank overflow.
None.
reactorfeeds.
A53
StoragE
Withou,
Kickback line
I
LJi
Figure A3.11 - Storage tank sub-module - outlet via parallel pumps.
A54
A3.3.3.6 StorageTank Outlet
For a nitrogen blanketedvent system,such as that illustrated in figure A3.12, use one
blanketsupplynodeandonevent to headernodefrom the following nodes:
A55
Figure A3.12 -Nitrogen blanket system.
A56
TEXT BOUND INTO
THE SPINE
BLANK IN ORIGINAL
m0* "i "0 lu
-3"a (D.M
"a9< <
lu n
0.
02M
m" t. a= I- ib Zm
rr 0 h-
(1 gL 0
(T & I-
m
W10
0.
cr 11 cr (b 0
0 Im Ph rr N n
P"
0
mmM-
(D 5 1.,
cr 4c r, () li
3
F1 1
0 0 80
Z- Nm
V IUn
,.
a0mV 10
(D to cr IE
.C0
0w IV aac
m -< 11) ty,
01 W>
Ea
00
,00
%D
c (D M 10 LA W
to " I" I- M 11X a c
tr CT 00 ta P" 113
rr
"zrw
0-0 0I 1-h
03 (D I rr
M
0 2) I-. 3
0.0
(Q
0-4
,a
0 tj 30 9Cw m IE 9 IE 10
10
0 -4 M 0 lu 0 . (D a000
000H m l< 0w m rr I.- -
H H- rr W. cr o-, 0- cr (I W.
I-. w D, = ju Pl% W
tr I.- cr w pi m cr 1
= lu (D to 9
ol W. a=0n ju 0
0
1E 0m0
cr cv
CA m (D ic a3 a 10 a=a
0m m cr - 0 lu r 0 m0<
rr rr -< P- 0 CD 11 11 rr cr cr a rr 0
0 l< 0 0 co
l IC
o"z9
C III w rr cm Ai 0
Co (I '4 1- 19
0 0 01
0 fT 0-
0
r-
0 trl 0
0 M lu
rr rr
.4
su
x
M
"I rr
0M
I..
(r
lu
w0r. =*
rr Q
"i CD
cr mw
0M0 ol P" 2
0 cr
=1 -I
0
r- Alnm
V*0
P,
80
n 000
; -r -< cm M
M=0
9 0a0"
-, 2
Ma0.14to 0
3 N cr 0
I,
m IU 0M
I
p.'
rr
CLT" ic m 2rr w
00 (D al IV ;
P) "m rr I.-
5 P. cr aw (D -
00m0 -ti
(D .0 P" "W
0
W01.- 10
to z
to"90W
tz rr
9c
-0
a
.
P 0
n
0 "1
rp
14
A59
Pl a "I
ju n
0 a
a
rr & I.
ei
0
cr
"h
cr
0
rr
,a
2z
0 ca
M
41 l
Rp to
2s H
" V6 Itt
JU I. A
1 ;
X
0
ol
rn
r
rr
Cl
W
rr IE
lu
w- rr
(v =M :0
0 rr 11 t1l
(010 :x
cr 30H
>
pi r_ 0
wmw0
-, cr -* =
=
10
li
A60
M IV " le "
Do
04 Q 09
ol (w
a=m
n. 3
M rr & I- rr & 0- W-0
=
ph
cr 0-4
0
M0 0-N
11 M=
0
= ul 0
cr IE w In vi 0
0 su
rr --A 88
=.
0
(D
11
-
-
rr 80
8
I-. ',
w
0-
vN
5;
I.
n cr
w =na
lu > m
cr
Ir 0.0 pf
M0 Ea
a tn cr W
'1
g -Z ?
CL
n
91,
a 8
:r :I tr :1 Aj -
JU cr w
2
(I aa
:IP.
L 119 ; 9L1=1
1=1Il
ta l< .
H- I.
-
fl. =to-
8m0cr11 0, (I M0
0 B
an Pi
r_
(D cr
to)
0ti
wc<
fT 3M
M "1 0
to
III tr X V3 rn
00
to A)s.- rr -
a. 01 =0a
c r- 11 cr z tr M
pi Cl -< =0 10 cr 0
V 0)
rr r_ 0m
M rr 0 Im a ca ,a n P" ,a
"0rza9 otr
cr 0 (D 00
r
rl
>n
>
I lu m Pi w Al "
NJ
C0 O A w ;A
X
ta o ILI
:w
"I
=1 0- t*
ju < t) NO 8
cl I (D PC "F
C:
0 Im
cr
"I
0.1 t2
cr
0
CL 0m3
ju wm
z2P. cr wM
0MW
0Zm
00
0 ol a
>
IV 0M"
a L 0
cr
00
192
Im
C-
I-.
CL * 3C gL 12m.
0CW.
I 0 '"1 6 a 0-1 pr :4 0-
bi -o - JU W. (D Z-
c=w
0Z0
0 0) rr fi KL 2: wV rr m t. z
c Ij 0a0: m tritn
r_ mX En
20n DA tr jo w
cr 5 1-- V' M 00
4 ni ). - CT b- 2 m 10 "0
CL 81
it r. m
Z00
rr :Z
"m&2
tr a" A) -4 9 "1 5 l
10 ju -.3
N0m 00 P" 0 10 En :c
10 10
m0r. Z 10 3 0
rr (D w
0
MV
>
A
A A
z
X
10
0
DW
M
<
M
rr
1
(010
to m0
atv
10 94 -4 a
m 0" wm a0
-<
?0 fu nm 10
cr
052* cr
w0 :1
CL 003 b-
0 Q 2X
00 10 ti
0 13 0
>
Ic 0 (b
ic CL
(b 0
.0
1-4
0 n
0
m r. - rr . M.
Mm
rr -, w ju bi cr w
lu mcr
0
:s0 zm 0 z 9)
00 fu = to En 95 W
rr 0)
rr rr m wm
W, - 0M
ILIr= P., I-
0 111
12.
X* M LO (2 n
0 5 W. 0 0 0
Im
CLcr r a =* t1l Q0 m
0 (v Z (D to
CT 0
z0
m 12,0 0
:3 2
0
M
cr
09cntmW a IE P, ti mN
1.0,W- 1.- 0 :r
---- M (D . Im
-, ; 0 ;
= rr = (D rr 1-- 0 ju b Irn.. X
rr ".
:r Im
rr 0" lu
5: tj- MW
0
0 rr - 0m-
10 M (v w cr r. 0-
I-olo folo sL -
lu 14 Q. W. rr CD
to rr 0 11 0 M lu -0 tr3 C)
a M
i
lz Cr 0 11
M 11 z 0) (D " "m c cr 1- 12.
I-- Il to lu a 0
> I. - rr > Ir
ju (D :3m "
P" rr 0. w ", z a
P" (D (D ju cr a= (a g (13
m i-- Pi n"0 5 fo cr
n b<1su(D a 0- 0 rr
" rr z 91tr :1 :q 3
0 cr (D cr cr of
0 tr 0 cr
CL
0
rr 00"; (D 00 L 01 ,0 'a '0 , m
a :: woa .0 Im I"a0 F W N0 bj
Im o
'r a3a 1- -4 of 'a l< (b i 14 ol ;
M fp . W.
0
trl
0, su 0'. 0 (v rr 11 Ph " P%
. c, 5 :3P,
:r0M
:3 WC 0 cr
A, 0 n
M cr W-
0 IL, ZM
. (D pi
tr
n0
0 'U 0MM`3
- m 0
:3 S2 0
:3
3
0g ty, m0 11 . I-l< 3 cr
ol cr
rr m fD I- ko 0W 0
n0 ju w v0 co)v :s cr 0
CT cr ftl cr 0
>
. W.
cr PC r02
0 0
14
w -- m0
a-, tj 01 < r. W. 0 a
1 V z
rr rr 00
0 tr z r-
rr 0 rr
IV
toAj
0%
A63
= b- ti ,0 6 tj
JU . tri lu Z .4w -n bi 41
t- < ei (b
Nv lu m 00 z
rr > (b Z0
cr 0 wV
b-. lu
rr 3
91 0 :3 XX
, (> Z
n mm
:x 0%0
0 11 CL.m
0 Mn .leN0 nz
00
mm(b 0
mm =*(I 0
%L . gL K- 1.- - rr 0 r.
M 0 3
W.cr
l' Z f. - 01
KM
Z 0 rb ju rr
";
mka mn (v 0
cr (Dwm P-r.
Cmr an 0.1. - rr >
9) ; %0 5
.. %:
cr 0
G) Plo
.m X -= Q ol 8
P"
= fu 9
ei 0am c , UN
W* Ol >
Z- W. lu
fi m >..(Z ti t..
1.. 0) w cr
0n (1 Q m n =
0 -3 N lu M
IT
%a
C, 0 0
C
c V
a. a.
0 ca
0
:i zr
0 c6. 0
2 lu
to b-
Z ti :im Z ti :Z E -
00 ju :i La 0 v3 ID
rr rr m m 2 lu cn
rr < h m
91 " w- W- l< - 10
N tr Z 0m
Z0
0 0
p =, m
0
OJrr * 0 ei
2 0 (D Z b-. 0 u2
ma
rr na
3 (D z0
0
10 m
tr
03 ic 0 :g0 bl 10 X s- Al bi N P.-
0- m- 0 :r b- - @I (D . rr
cr X6
Z rrN0 rT W 0 lu N- 0"
0 k-- zr. rr m r. - rr m 0 0 0
lu (1 lu ei (D 3
IU 1--- rr - 0M
l" 0Z0a h- rr r. k- t*
r
1- 0 ' kl ' p - 1.. e- . >
0
lu m o m. < rr cr tTj M
LG rr 0 b- 1-. lu
(D z- 0 gi k- = tr 0 0 cr
cr
? a.INN r. 0--10 c:
> rr a,
k<
MM0 (b ID rr 10 0
Z
Z
tim
(a 0 ta su
r.
0
cr
0
4) rr 0 rr rr 9
0 ul Ri
cr
n
0 C6
10 10 5> r- 0) W 0
n0 r- qi xZ m
0 rr m (1 - (b 00 IU 0 '
ti m0
rr 05 l lu l
0 m. (b c0 )- - Mt (b N. m
ZZm moi b- 0 th rr M Ph m Ph 0 0 0
n
0
cr 1- -0mn :3 :j=, 0 11 --3 0 JU 0
r. 0 zr -0<, O 0 MM rr 0
0
2 lu3 tr 00m-
12.0 rr M10< 1
>-11<
ib >
3
0=
p
00
rr
cr
(1 0 ju 0m m -m th w 3 rr Z 0
0
0 >- (D Z a
rr Z*0 >
rr 00 (1 - :jZ, oe w
), 0 0 tiv 0
wtlm < 9:
00 k-
ei 0 tr :i P-
rr
ON
A63
:cw t7 le X
1: -0
M SU M lu
1 th H In M1 In
n
<
0
V 0
.0
cr A) ":D, (b =m
-3 M oI
p cr
.4 rr 0 h-.
(b 12.0 m=M
cr
&0
w
9j 0 cr
U Z0 z
a"
2
0 0 01 M I"
M0 ; tr pqn CL"n '0'
P-hw 2Z (vs j X0XM2, 2= 0a
0'. M - W- - rr
:r n cr =-mMWQW > 0%
0 z r
0 0
cr> == mn 00
(v Ju
3 Q0 :r
(b " >
20, 0.
r. m
a
cr
rr M=
I- -
Z0
aa"
11
(Ir M Al 01
(D 0 la, , I< "
a. ---
- (w cr 0ma
to
cf,
1.- :3
1.. 0 >
X
li
cr
I? 0a ILI C A) 00" 3VZ00 0
I. :rM ol I. - to (a I-,' cr > r0 (1 o- W )-- =" I
00 0 (D M C P- -
cr Al 0 [a -I 3mN a
.=
". n
cr n5
Al m W. (D = m
cr n W. (A
P
0m
:r m=z LO
0 to cr
w cr 0 m0 mm0 rr
- 0 to r. U I =1 m c - lu "
I ') c
m 0
==
1.. Ic
a
= rr
W.
a. 0 %D -ta w0
IEnM 1 X 0 0
M P-M
--:r0- 0 a
11 MM- MM-
rr
pi t1i
I- rr 1 CD cr
rr 0M I- M
m 0 mM
pi ju M zU0 zrn 5
to z w lu (A
cr < m M Its "i Iola t1l
5m P" III pl. 1- 1.- K) W. 1- W. P., 00
0 ol n m lu
(D x
SL "i a,
cr 1-. :3 :10 0) Q 0
su 0 0 o ka 0 Q0 0
n cr t1l I
05 to z0 0
=w rr 9 a. m r- m
rr lu
pi
n a, w n
su 0 0
rr a 1
m m tri 0 en 0
> S.
I- M >
09 IE Qm W- 10 c 0 I-.
rr
W.
m W* r cr - w- '3 cr PI . 0 0 0
10 0 9) wz Ij w (D I..- Z pi
I- '- lu I- w.
"m "i 0 Al 1.1 cr
0M-
cr 1: s In 2- At
.
cr tj
0)
11 w
.
En
>r
0
P a lu (D (D pi -0 .,. I.. . >
lu " 0. w0 < cr ftl 0
La cr 0 Al t7l (D lu -0 tri 00
m =1 V 0) () M til (D a 0M
< . A'
m ri
-- rr >
P" rr 0. tr " cr W. z a rr 0
P" (D m0ar It: z (a
0 t* Ea
cr cr 0
0
z
1.- 0 4 lu 0
:I
m cr IL rr cr rr
0 0 pi
0 0
lal
u= a
0 WWPIN (DIU w
Al r_ 10 pq
j 0 ol a01., 5L
1 Pt M 'U L.
; =. 3 50 cr 9 11
w
W. P. - 0
cr W.:: =1
0 PA.0 OW. 1- 9)
0 to
%1 1-10M r tvi
Cr'"I m" 0 ju n-
cr Z. tr -0
:i l< 0"
'0 0 -3
Ln fl cr r
rm" cr C, 0
"* :4
0 9x0
5 tr M0M 0 En 0mW. .- P-hM M
cr 0wM cc> :j cr lExmawm = z
, 0 U, C 0 W. M '0 W IL 0 V
Im rr 0 P- "I rr fo 0t > M to 11 w 10 m0c :01
cr Z DI0, Co
m (DM-Z. m0m"
:r 01 fu cr 12,1- ZCm pq -3
0 Co
cr 0) La a, r0 l<
:r wa00 Z 0 Q0 A tr m-< P" Z 0
rr ol
cr -wU 0 #1 tw P.- 0
10 z 00 . " (D .- m ---LO
lal En
to w. = c to M (D
0 cr 9) tr Z
0 cr (D cr
-0
-j
Table A3.1 (cont.) - Cooling water system sub-modules - preHAZOPed results.
A64
-n %I
10
t2 Aj v
P I- in ol M "I
00 < 2,n
v IC:c )o
0 0
m 0.0
0 "Mz rr n
-n ce0 n :c
nn ti nnP,
00-00
0 :3w0=
C?rr - cr cr
11"" 1110
0000
tr
cr w cr En 13N
w M
n0
Pa. a 0. cr
00m0
m
t)
0
rr
M
0
0
%L
000-08
P 0.W
rX ju (/I cr
m go mm 3
00a5 cr cr 10
wmzMW. a lu
n" La cr
P-W.0 ju
0 cr
1 "a
Im M ju
1-0 a
9
M0w jl. a0
0.
0
M n
0
U cr cr
00. 0
m ol
M x
0
a El ;,
0
cr
>
-1 x0
ImW*0
rr I
110
lu
cr
fb
DO
M
M
z
Ila
w
OD
W. :3 rr "1 9n A
m0
In %a
0 00
=a0a00 00
m
lu m n 1 :10 ;
c cr CLto fo ty. I.-
P" I- :r<Mm (I )d cr M
1... "t "< Im 00n
-" " CT w
0,
n" tIr W"=M
K0
P (Q IV3 n 0
<-Z
(brr 0 () 0w
cr L Al =w tn
rr to t- W
< wo0
rr
cr
"M w CLnw
0n0 0
cr
M
L
1 10 to n m0m m
00M" 9 rr rr 10
mzM M Im
W. (I Aj PI
(v cr 14 m
3 -,- Im M
m0 - IL m :30eh M
W
tTl n
:po
vi 3
cr $.I
10
00
"Cl
03
m
0
W- ;a
lu
14xn
lu 0
tiLa
0-
rr B
0CV
cr
(1
%D
A66
-n
10
0 CT & s-
ti 0
11 iv 1
:x
V; 80
I
go
(T Im
cr n (T %*tr
ju m
W
m
N
; CLno N
00< m X9X
011k) Im (I 10
lu 03 0 (D 0 cr W. "W
a. . W. rr M cr (D :1w
0 tj = D) 14, w .1" rr
m.
QS I- - Vn
W :rnzAl 0
rr cr c 19 w 9
li cr
0 10
(D rr -W iWa 0.0 < tj
9 1.- L - P- crm ;0
1... 0 l< 0)
lu n=c p tr
cr
P., wm
jL
- " 9 8
ImPL0H
0 mZw IU
0 cr Or
mtA "0
3 0 t-i
0 0- <-
M J.A
m
m X
A
> a)
ul In
LT3
1-
0 r. a
'a. cr
1, lu
'I, n li tr ti
cr
fo
010
W
ri
cr
On
'x
0
z
Ell
113
lu
A67
10
P7 "I
Al 0
n
cr 0 M.
m L 0 W.lu
0 "M= rr n
z
> rr 9L aw cr M0 00
n V(D 0 a =' 00 0V
al I., :s I--ImI.- z w
I.- rr - I- rr N
m (0 0 o 0> 0. rb
C"
,u P r r.
.0
1 I-.
P" 8
rr '04
ar . = P9 1 rr
" I. to lu - 0- LQ Al a. rr
l< " ". W KmW. N 9 0
() $ cr to $ cr 11
0.9 1 (D I- M
a !, M1" I
:rm
ti E(I
r0 z lu 0 cr
mm m0m
rr 0 0.. rr W. w
M W. = M iL = cr
8
cr
I-
n
0nm
l< 00=
10 9N
Aj ;
0 (1 mV9 A
l< 00= pi
0=wj0. - m=W -j I. -
cr P- I- I=. cr 13, -- I=.
(D --- I-. co cr I., (v - W. CO Cr "
mg w-Po
P-* 1 rr I. -
a W.
rr =
to lu
rr P. 0
000
-
0.0 Z .0 2 :I
(D = C/I cr
9 Ia. M 11
0 A) 0) 0wm 10
0
I.- Ul =1 W.= I-- IT :r
z (p 0 0m
0rr
rr 0 ILI
rr 0,. A &1
cr 0 rr er
0 tr
1.-0 s.- 0
<
rl
m
N
W
A ;
Q ju to X
0
rr rr :
W, CT P- rr :ro
10
2)
Company:
Facility: Exothermic Reactor Pago
.1
Revision: 0 24 Mar 95
Node: 1 Reactor liquid feed with flow control
Parameter: Flow
3. Less 3.1. Feed line IC 3.1.1. Reaction does ZZ 3.1.1.1. Flow control
Flow partially blocked not proceed as
required. Poor
conversion, side
reactions etc.
3.2. Control valve IC 3.2.1. Reaction does Ev- 3.2.1.1. Flow control
fails insufficiently not proceed as
open required. Poor
conversion, side
reactions etc.
2.2.2. Environmental Ez
II I damage.
-j
Company:
Facility: Exothermic Reactor Page:
Revision: 0 24 Mar 95
Node: 2 Vapour Out
Parameter: Flow
CAUSES I
DEVIATION CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS
1. so Flow 1.1. Vapour out line IC 1.1.1. Reaction does EZ Low flow
blocked. not proceed as alarm
Control valve fails required. Poor
shut. conversion, side
reactions etc.
3. Less 3.1. Vapour outlet IC 3.1.1. Reaction does EE 3.1.1.1. Flow control
Flow line partially blocked not proceed as
required. Poor 3.1.1.2. Low flow
conversion, side alarm
reactions, etc.
A70
Worksheet
company:
Facility: Exothermic Reactor Page :3
Revision: 0 24 Mar 95
Node: 3 Reactor liquid outlet with flow control
Parameter: Flow
A71
Worksheat
Company:
Facility: Exothermic Reactor Page:
Revision: 04 Sep 9S
'; ode: 10 Reactor vessel self
Parameter: Maintenance
A72
worksheet
Company:
Facility: Exothermic Reactor Page t
Revision: 0 24 Mar 95
Node tI Reactor liquid feed with flow control
Parameter: Flow
1. No Flow 1.2. NO FLOW FROM VUL 1.2.1. Reaction does EE 1.2.1.1. Low flow
UPSTREAM UNITS not proceed as alarm
required.
2. More 2.2. HIGH FLOW FROM VUL 2.2.1. Incomplete EE 2.2.1.1. Flow control
Flow UPSTREAM UNITS conversion of
reactants
3. Less 3.3. LESS FLOW FROM VUL 3.3.1. Reaction does ZZ 3.3.1.1. Flow control
Flow UPSTREAM UNITS not proceed as
required. Poor
conversion, side
reactions etc.
Revision: 0 24 Mar 9S
Node: I Reactor liquid feed with flow control
Parameter; Temperature
2. Lower 2.1. LOW TEMPERATURE VUL 2.1.1. Reaction does ZZ 2.1.1.1. Temperature
Temperatur FROM V? STR EAM UNITS not proceed an control
0 required. Poor
conversion, side
reactions etc.
2. Lower 2.1. LOW PRESSURE FROM VUL 2.1.1. Reaction does EZ 2.1.1.1. Pressure
Pressure UPSTREAM UNITS not proceed as control
required. Poor
conversion, side
reactions etc.
A73
Worksheet
Company:
Facility: Exothermic Reactor Page:
Revision: 0 24 Mar 9S
Node: 2 Vapour Out
parameter: Flow
1. No Flow 1.2. NO FLOW TO VUL 1.2.1. Reaction does EE 1.2.1.1. Low flow
DOWNSTREAMUNITS not proceed as alarm
required. Poor T
conversion, side
reactions etc.
1.2.2. NO FLOW AT IPE 1.2.2.1. Low flow
UNITS UPSTREAM OF alarm
REACTOR FEED
2. More 2.2. HIGH FLOW TO VUL 2.2.1. Insufficient EE 2.2.1.1. High flow
Flow DOWNSTREAMUNITS conversion of alarm.
reactants
2.2.1.2. Flow control
3. Less 3.3. LOW FLOW AT VUL 3.3.1. Reaction does EE 3.3.1.1. Low flow
Flow DOWNSTREAMUNITS not proceed as alarm
required. Poor
conversion, side
reactions etc.
Revision: 0 24 Mar 95
Node: 2 Vapour Out
Parameter: Pressure
Company:
Facility: Pagai I
Revision: 02 Jun 9S
Node: I Inlet to tanker, controlled by batch meter (tanker loading operations)
Parameter: Flow
2.4. Tanker moves off IC 2.4.1. Leak to LOC 2.4.1.1. Dry break 2.4.1.1. Loading bay
while loading environment. couplings. to be on level ground.
operation still in Ensure tanker can be
progress. 2.4.1.2. Tanker parked securely in bay
Driver drives off, immobilisation at a reasonable
tanker not parked interlock. distance from other
securely, or tanker in traffic.
conflict with other
traffic.
Revision: 0 12 Jun 95
Node: I Inlet to tanker, controlled by batch meter (tanker loading operations)
Parameter: Composition
1.2. Wrong material ill IC 1.2.1.1.2.1. Material LOC 1.2.1.1. Check tanker
tanker incompatibility. contents before
unloading if material
incompatibility is a
problem.
A75
Worksheet
Company:
Facility: Pagel 2
Revision: 0 12 Jun 95
Node: 2 Pumped outlet from tanker, no control (tanker offloading operations)
Parameter: Flow
1.1.2. NO FLOW TO PE
DOWNSTREAM UNIT
2. More 2.1. Hose ruptured. IC 2.1-1. Leak to LOC 2.1-1.1. Ensure hoe*@
Flow environment. are stored correctly,
inspected frequently
and changed regularly.
2.2. Tanker moves off Ic 2.2.1. Leak to LOC 2.2.1.1. Dry break 2.2-1.1. Loading bay
while offloading environment. coupling*. to be on level ground.
operation still in Ensure tanker can be
progress. 2.2.1.2. Tanker parked securely in bay
Driver drives off, immobilisation at a reasonable
tanker not parked interlock. distance from other
securely, or tanker in traffic.
conflict with other
traffic.
A76
Worksheet
Company:
Facility: Pagel a
Revision: 02 Jun 95
Node: I Inlet to tanker, controlled by batch meter (tanker loading operations)
Parameter: Flow
3. Less 3.1. LESS FLOW FROM VUL 3.1.1. Tanker takes LOC 3.1.1.1. Orverdus
Flow UPSTREAM UNIT longer to fill than filling alarm.
normal.
Revision: 0 12 Jun 95
Node: I Inlet to tanker, controlled by batch meter (tanker loading operations)
Parameter: Pressure
I CONSEQUENCES CAT RECOMMENDATIONS
D-SVIATION CAUSES CAT CAT SAFEGUARDS
2. Lower 2.1. LOW PRESSURE FROM VUL 2.1.1. Vessel takes LOC
Pressure UPSTREAM UNIT longer to fill than
I I normal
Company:
Facility: Page: 2
Revision: 0 12 Jun 95
Node: 2 Pumped outlet from tanker, no control (tanker offloading operations)
Parameter: Flow
A78
Worksheet
Company:
Facility: Page: 1
Revision: 02 Jun 95
Node: I storage tank feed inlet with level control an tank.
Parameter: Flow
2. More 2.1. Control valve IC 2.1.1. Inadequate EZ 2.1.1.1. Relief valve. 2.1.1.1. Size vent
Flow "ails open venting. Vessel adequately
overpressure rupture.
3. Less 3.1. Feed line IC 3.1.1. Vessel takes EZ 3.1.1.1. Level CON
Flow partially blocked. longer to fill than indicator.
Control valve fails normal
insufficiently open.
3.1.2. LOW FLOW AT DPE 3.1.2.1. Level CAU
UPSTREAM UNIT indicator.
Revision: 02 Jun 95
Node: I Storage tank feed inlet with level control on tank.
Parameter: Pressure
1. Higher 1.2. Feed line IC 1.2.1. Expansion of EZ 1.2.1.1. Hydraulic CON 1.2.1.1. Ensure
Pressure isolated. locked in fluid causes pressure relief operating instructions
hydraulic overpressure preclude deliberate
rupture of line. isolation of line
without having first
drained line.
Company:
Facility: Page: 2
Revision: 02 Jun 95
Node: 2 storage tank vent to atmosphere
Parameter: Flow
A80
worksheet
Company:
Facility: Page:
Revision: 02 Jun 95
Node: 3 Storage tank overflow
Parameter: Flow
1. No/Less 1.1. Overflow blocked IC 1.1.1. No/partial tank EE Level control CON Ensure
Flow or partially blocked overflow available. opportunities for
Possible tank rupture 1.1.1.2. Level CON overflow blocking are
on overfilling indicator minimised.
A81
Worksheet
Company:
Facility. P&90:
Revision: 02 Jun 9S
Node: 4 Storage tank outlet
Parameter: Flow
I
DEVIATION CAUSES CAT CONSEQUENCES CAT SAFEGUARDS CAT RECOMMENDATIONS
1.2. Flow control IC 1.2.1. NO FLOW TO DPE 1.2.1.1. Low flow CAU
valve fails shut. DOWNSTREAM UNIT alarm
Outlet line blocked
downstream of pump. 1-2.2. Full head pump EE 1.2.2.1. Kick back 1.2.2.1. Consider
pressure developed. line. designing equipment to
High pressure rupture withstand maximum pump
risk to outlet line. 1.2.2.2. Low flow delivery pressure.
Punp overheats, seals alarm.
damaged, possible
leak.
2.2. Spare pump IC 2.2.1. HIGH FLOW TO DPE 2.2.1.1. Flow control CON 2.2.1.1. Ensure
running in error DOWNSTREAM UNIT operating and
maintenance
instructions preclude
running parallel pumps
incorrectly.
2.3. Outlet line IC 2.3.1. Tank contents EE 2.3.1.1. Emergency CON 2.3.1.1. Ensure tank
ruptured lost to environment isolation valve is adequately bunded.
2.3.1.2. Locate
isolation valve as
near as possible to
tank.
2.4. Pump seals fail. IC 2.4.1. Environmental EE 2.4.1.1. Emergency CON 2.4.1.1. Use canned or
contamination isolation valve. seal-less pump if
appropriate.
2.4.1.2. Pump to be
adequately bunded.
2. Lower 2.1. Storage tank IC 2.1.1. Low tank level DPE 2.1.1.1. Low flow CAU
Pressure inlet line blocked. leading to Low alarm
Level control valve PRESSURE AT DOWNSTREAM
fails shut. UNIT 2.1.1.2. Low level CON
alarm
A82
worksheet
Company:
Facility: Page- 5
Revision: 02 Jun 9S
Node: S Storage tank self
Parameter: Temperature
1.2. High IC 1.2.1. Rapid EZ 1.2.1.1. Temperature CAU 1.2.1.1. Lag tank to
ambient
evaporation of tank indicator protect against high
temperature
contents ambient temperature if
necessary.
2.1. Cold IC 2.1.1. Possible EZ 2.1.1.1. Temperature CAU 2.1.1.1. Lag tank to
2. Lower weather
Temperatur freezing of contents indicator protect against cold
ambient temperature if
a
necessary.
Revision: 02 Jun 9S
Node: 5 Storage tank self
Parameter: Pressure
p.evision: 02 Jun 9S
Node: S Storage tank self
Parameter: Level
A83
. Worksheat
Company:
Facility: Page: 6
Revision: 02 Jun 9S
Node: 6 Storage tank vent in from inert blanket supply.
Parameter: Flow
1. No Flow I. I. Vent in line IC 1.1.1. Tank vacuum EE Vacuum relief CON Minimiso
blocked collapse valve opportunities for line
blockage.
3. Less 3.1. Vent in line IC 3.1.1. Tank vacuum EE 3.1.1.1. Vacuum relief CON Minimise
Flow partially blocked collapse valve opportunities for line
blockage
Revision: 02 Jun 95
Node: 6 Storage tank vent in from inert blanket supply.
Parameter: Pressure
2.1.1.2. Install
vacuum relief
A84
Workshaet
Company:
Facility: Page:
Revision: 02 Jun 95
Node: 7 Storage tank vent out to vent header
Parameter: Flow
1.1.1.2. install
relief valve
3. Less 3.1. Vent out line IC 3.1.1. Tank EE 3.1.1.1. Ensure vent
Flow partially blocked overpressure rupture out line is not prone
to blocking
3.1.1.2. Install
relief valve
Revision: 02 Jun 9S
Node: 7 Storage tank vent out to vent header
Parameter: Pressure
A85
Worksheet
Revision: 0 26 Jun 9S
Node: 3 Storage tank outlet via batch meter to tanker
Parameter: Flow
I
DEVIATION CAUSES CAT CONSEQUENCES CAT SATEGUAIMS C.AT RECOMMENDATIONS
2. More 2.1. Outlet line IC 2.1.1. Tank contents E-:' 2.1.1.1. Emergency 2.1-1-1. Ensure tank
Flow ruptures. lost to environment. isolation valve is adequately bunded.
Tanker filling hose
ruptured. 2.1.1.2. Locate
isolation valve as
near as possible to
tank.
2.3. Tanker moves off IC 2.3.1. Leak to EZ 2.3.1.1. Dry break 2.3.1.1. Loading bay
while loading environment. couplings. to be on level ground.
operation still in Ensure tanker can be
progress. 2.3.1.2. Tanker parked securely in bay
Driver drives off, immobilization at a reasonable
tanker not parked interlock. distance from other
securely, or tanker in traffic.
conflict with other
traffic.
3. Less 3.1. Outlet line IC 3.1.1. Tanker takes EZ 3.1.1.1. overdue 3.1.1.1. Ensure
Flow partially blocked. longer to fill than filling operators do not rely
alarm.
Batch meter control normal. solely on time taken
valve fails to fill tanker as an
insufficiently open. indicator as to when
Pump running to disconnect filling
incorrectly. hose.
Revision: 0 26 Jun 95
Node: 8 Storage tank outlet via batch meter to tanker
Parameter: Composition
1. Other 1.1. Wrong tanker IC 1.1.1. Material Em- 1.1-1.1. Use different
Than connected incompatibility. connectors where
compositio material
n incompat. bilty is a
problem to so wrong
tanker cannot be
connected easily.
1.2. Wrong material in IC 1.2.1. Material TZ 1.2.1.1. Check tanker
tanker incompatibility. contents before
unloading if material
incompatibility in a
problem.
1 f
A86
Worksheet
Company:
Facility: Page:
Revision: 0 26 Jun 9S
Node: 9 Storage tank inlet from tanker
Parameter: Flow
2.2. Tanker moves off IC 2.2.1. Leak to EZ 2.2.1.1. Dry break 2.2-1-1. Loading bay
while offloading environment. couplings. to be an level ground.
operation still .
in Ensure tanker can be
progress. 2.2.1.2. Tanker parked securely in bay
Driver drives off, immabilisation at a reasonable
tanker not parked interlock. distance from other
securely, or tanker in traffic.
conflict with other
traffic.
3 Less 3.1. Tanker outlet IC 3.1.1. Tank takes E-1 3.1.1.1. Ensure
How line longer to fill do not rely
partially than operators
blocked. normal. solely on time taken
to empty tanker as an
indicator as to when
to disconnect hose.
A87
worksheat
Company:
Facility: Paget 10
Revision: 0 21 Jul 9S
Node: 11 Storage tank feed inlet without control valve.
Parameter: Flow
3. Less 3.1. Feed line IC 3.1.1. Vessel takes EE 3.1.1.1. Level CON
Flow partially blocked. longer to fill than indicator.
normal
Revision: 0 21 Jul 9S
Node: 11 Storage tank feed inlet without control valve.
Parameter: Pressure
1. Higher 1.2. Feed line IC 1.2.1. Expansion of IC 1.2.1.1. Hydraulic 1.2.1.1. Ensure
Pressure isolated. locked in fluid causes pressure relief operating instructions
hydraulic overpressure preclude deliberate
rupture of line. isolation of line
without having first
drained line.
A88
N
0
"I n
0 0 rr I.
0-w
;j L 10 4 ow . -0 .
, In I- w to
rr In
to t* a tO m
rr r. m
0 Ir 0
0m 0 rr
x n
a0 0 0
=nz Im
rr 0M In m rr rr R
w=I o pq m
cr 0 2 0 0
w rr
0
0 n
O. MW m -om
0ar
W aotnw N Pw W" nmon-31--l- rr I m-c-te.. ntnt'n-40-W rrr%m-*, iw
x- 0 rr 0a a0 fb , 0 CPr0a 0 r. 00
0m
'a Al
t0"
W. 0
"F-P m
1 m
a lu
W-
0m P.-
o 0. 0 IL11
"'(1
(1 0
rr 0 go
craw0
40IL
.
x.
cr17
wQ ww
0
so m cl to wto
rr cr
m
tn M M m M m m
En M DI m V3 m M m
0, w nw nw 0. nw
0 0
0 SO p x
rr
mw 0 Ir Ir
0T 0 ta
0 t* >
M
x t,
x < ti:
Le <
la C er
0.
cr rrm o
0
m 9011 3mn 0
'
0 0
...........
M
-n tj M CM cr M tr w -n F- low 0 92
M z"lu r- 0 r_
ol -
0 -A
$. :0
R ;.
pq 0
0 j .60
l 2 i
" lu al N
c t 0K0 pi mw C
r-I
,t2 to D ID.r. .0
En m<0-" t/3 0 tr c cl ir 0
= 11 "0 m gi x
rr -, 1:
<m
z5
cr $I m 10
V,
c
w %0
0 - "m ; PO to
tTj
M
W - La w to U)
op
m P"
lu rr
I..
su
q ic 0N Di 0 -1 ic 0N ww 0M r_
rr ::
r
(D 0 A?
X0P. x- , rr =' 0 lu X-"
5Mxm0... I---
= 9
5091.. rr 9L - 0S 1- rr CL I... pr 0 ..
m =
P.0 (Dw
10 0. rr 1.
.- 03n.P.
ll - 00 Al
rr . to . 2
(4
1..
=1 2) 2) :rw pi
- 0 0 (D :10 tr M Z c) rr
m e-
11 ? 11 11 ' l 1
1-1 01 : 11 1., 0: : 01I l 10 X (4 KD
0 1-
KD
ov A) W,10 . m 9
pi " 0) mn
m3 IC rr z 0-. 06
n Aj s"n CL0 0 (r)
m P, 0 1-. (a 2)
r0m 0 p.. 0" m
rA
0 tr
S2,
nm
0= 0
iE l<
m= :; 0Z
0 rr m rr
rr m cr
0 0
cr x
P 0
0
ca m
rr
ci rr
m
t2
I
Z
z
ILI
A90
H ti
(0-3 tri 01 M wo
< ILI
10 = >f
>- > a =a WID
r? I t- I. -
(b Ki. 0 o0 rr up)
rr 00 pi M I< -4
r. m :Z
tlf%rN gL w
10 (A ei m
I- r? gL cr
(D 0w P" 0)
:10
() it n
cr, rr 0 11w
rr
m Di rr 0
0
lu fL -3 nxmw
cr 0., OOSWC - mw
11 0X- m
1.- .0 P-to
0 14 r. 9L
a tn w
Bmxmm ot P. 0 0.0 w 0m
0 (1 0- 11 cr =- aa P , )v In
m-a (D to pi I. - -- 0c I- er a 0- 0
10 ju 00- 0 tr 0 pq 0 tr I.- " 4 a
U0 cr =M lu P.- 0- -, = W= ca -
(D :r 01 0 -1 a 1.- 0 Im to La m< T3 2
m
.a9 W.
- rr
0
m0
Im
0 9
10
1--- (T
= l< a. -X
*to a
. X
to
I
()
IkAI
W m
K)
fr 0x -- M Q0 10 cr I
0 A) m 11 00 10 La " '.. 9
:Z W P% 00 pi 0 P%
(T
1.- 0Q 1.-0 w La
il 0 I'llo 0aaa
00 pt :1M
0 a 0
Mw
0 0
0
1-- 8 x
;j rr 11 0
0 11
0
0w 0w tn
3 til t: m
l< wM cr
0 rr 0C
r, 1
1 m
cr"r. 4 8
rr PV
0
a=
30 (W zw
(D 0 >
pi
cr 0 CTa I.,
rh=*='- 0 :rrr :r-m0.
rr em
0
0 ar a !,
ski m cr lip m cr
<a I-A N <aWI., tri
0wa. cr P"
P.-
n - 0N
W-0 -Z
r- a tr 9L0M Ir -
go "
ti
tr m09 Ir 0a9 >
Q. "a to 0 0 0. to a
0
0 0 l< 0
to 9 cr to 'o cr
a -j .: 0 11 a<0
M0 00
I)
0
r.
i
0 b-
r
aH
0=m
rr 0 1- 0 0 cr &W
< 0..
n C6 0 m0
0 pt M0
w0
z
w0
C: C: C:H W :r0
M tj
. -0
bi
m 04 w
Ul
2 -0w PA
x
ti s
o
m=
-
r_ 0
"n "I
Mw 11
ro
ex C2
m
Ell In %L p
0
tl x ;z
cr
cr M cn
M
vi 0 tr P"
rn (I
PC
M
a.
a 0H ;a0 m M. 'a IE m03w
n
-Ac: -0
M p Cw0 0r in w0ju Im
0 0 0) - "w ; r = * 0".
x
0X
rr
ju
.0mmw00
V pr In 9
Z50X01I. '. A E !,
rr rr 09M. 0-
q 1-4
t-I ol tr " -,- 09 al n lu M o.- nM rr w (a 1
>> t' Z
tl 0 to - w l< :eI:r -0cz-P"c r '5o6na0-
zZ * Do 2A m -%?A q.
> Mm 2 Sa 0
pe v :Z pa
0 cn pl cn :100
wz
A) 0 $1 m P. cxD 0
00am
X >g < m 0m00r. a
w :3aNP.
m4 cr M
mim MM
b.4 10 a. " "x cr - IT to 10
tl 7a 000 wc"- Ph
ca t
M u2 mM Z cr P%Im . cIr a-f, w
0>X mm 0 ;:o
> -3 z
U2 !2- 1110 *
ni m>
mw
ti cl
m
ftl
s
:C
x0 41
L2 s
2
m
r22
om.
ftl
mw . v"
ta W.
Pi08 0
cr
=1 m
1.
0.1 Id
0 tr
ah wW (b
cr 91
0
t-I
(12
:Z 0 0 'a m
!j ww Cr J.A
X
:1 ; ". 'a ; 0
D*
M
0
cr
Q x La a
W ju
0
X
l :C ty, s.
lu
Z to Z X
tz N
pG (9 2 M cl
01u 04. Z
< h- tr ti
w kl rr (D
gi 00
rr 0
>- X
z
(D 0 La
rr k-
(1
JN
A92
ol
n00
1--s
WID
W.ju
rr
D,0
a t:l
11
01
iE6 I
C'n,
"0g
10
Ict
0)
to
(0
A93
le
< lu <n8
2xZ30 (b Z0
1-. b...
>--O
1.. W.
rr
0
bi
tr
, #-m- 5
10 %0
w 0%
Z,
tT1
za
lu
lu
111 cm
Table A3.7 (cont.) - Thermal oxidiser sub-modules - preHAZOPed results.
A94
Worksheet
Company:
Facility: Page:
Revision: 02 Jun 95
Nods: 1 Storage tank feed inlet with level control on tank.
Parameter: Flow
2. More 2.1. Control valve IC 2.1.1. Inadequate EE 2.1.1.1. Relief valve. 2.1.1.1. Size vent
Flow fails open venting. Vessel adequately
overpressure rupture.
2.1-2. Static build EE 2.1.2.1. Dip tubes for 2.1.2.1. Flammable
UP. filling. fluids only.
If filling is not done
via dip tubes check
design assumptions.
3. Less 3.1. Feed line IC 3.1.1. Vessel takes EE 3.1.1.1. Level CON
Flow partially blocked. longer to fill than indicator.
Control valve fails normal
insufficiently open.
3.1.2. LOW FLOW AT DPE 3.1.2.1. Level CAU
UPSTREAM UNIT indicator.
Revision: 02 Jun 9S
Node: I Storage tank feed inlet with level control on tank.
Parameter: Pressure
1. Higher 1.2. Feed line IC 1.2.1. Expansion of EE 1.2.1.1. Hydraulic CON 1.2.1.1. Ensure
Pressure isolated. locked in fluid causes pressure relief operating instructions
hydraulic overpressure preclude deliberate
rupture of line. isolation of line
without having first
drained line.
- A95 -
Worksheet
Company:
Facility: Page:
Revision: 02 Jurx 95
Rode: 2 Storage tank vent to atmosphere
Parameter: Flow
1. No/Less 1.1. Vent line blocked IC 1.1.1. Tank EE Relief valve CON Minimize
Flow or partially blocked overpressure rupture opportunities for vent
on filling blockage
- A96 -
worksheat
Co,,TLpany:
Facility: Page 13
Revision: 02 Jun 95
Node: 3 Storage tank overflow
Parameter: Flow
1. No/Less 1.1. Overflow blocked IC 1.1.1. No/partial tank EE Level control CON Ensure
Flow or partially blocked overflow available. opportunities for
Possible tank rupture 1.1.1.2. Level CON overflow blocking are
on overfilling indicator minimized.
- A97 -
Worksheet
Company:
Facility: Page: 4
Revision% 02 Jun 95
Node: 4 Storage tank outlet
Parameter: Flow
1. No Flow 1.1. Outlet line IC 1.1.1. NO FLOW TO DPE Low flow CAU
blocked between tank DOWNSTREAMUNIT alarm
and pump.
Pump fails.
1.2. Flow control IC 1.2.1. NO FLOW TO DPE 1.2.1.1. Low flow CAU
valve fails shut. DOWNSTREAMUNIT alarm
Outlet line blocked
downstream of pump. 1.2.2. Full head pump EE 1.2.2.1. Kick back 1.2.2.1. Consider
pressure developed. line. designing equipment to
High pressure rupture withstand maximum pump
risk to outlet line. 1.2.2.2. Low flow delivery pressure.
Pump overheats, seals alarm.
damaged, possible
leak.
2.2. Spare pump IC 2.2.1. HIGH FLOW TO DPE 2.2.1.1. Flow control CON 2.2.1.1. Ensure
running in error DOWNSTREAMUNIT operating and
maintenance
instructions preclude
running parallel pumps
incorrectly.
2.3. Outlet line IC 2.3.1. Tank contents EE 2.3.1.1. Emergency CON 2.3.1.1. Ensure tank
ruptured lost to environment isolation valve is adequately bunded.
*
2.3.1.2. Locate
isolation valve as
near an possible to
tank.
2.4. Pump seals fail. IC 2.4.1. Environmental EE 2.4.1.1. Emergency CON 2.4.1.1. Use canned or
contamination isolation valve. seal-less pump if
appropriate.
2.4.1.2. Pump to be
adequately bunded.
3. Less 3.1. Outlet line IC 3.1.1. LESS FLOW To DPE 3.1.1.1. Flow control CON
Flow partially blocked. DOWNSTREAMUNIT
Pump running 3.1.1.2. Low flow CON
incorrectly. alarm
Revision: 02 Jun 95
Node: 4 Storage tank outlet
Parameter: Pressure
2. Lower 2.1. Storage tank IC 2.1.1. Low tank level DPE 2.1.1.1. Low flow CAU
Pressure inlet line blocked. leading to LOW alarm
Level control valve PRESSURE AT DOWNSTREAM
fails shut. UNIT 2.1.1.2. Low level CON
alarm
- A98 -
Worksheet
company:
Facility: Page 13
Revision: 02 Tun 95
Node: 5 Storage tank self
Parameter: Temperature
1.2. High ambient IC 1.2.1. Rapid EE 1.2.1.1. Temperature CAU 1.2.1.1. Lag tank to
temperature evaporation of tank indicator protect against high
contents ambient temperature if
necessary.
1.2.2. Possible pump ES 1.2.2.1. Temperature
cavitation indicator.
2. Lower 2.1. Cold weather IC 2.1.1. Possible EE 2.1.1.1. Temperature CAU 2.1.1.1. Lag tank to
Temperatur freezing of content* indicator protect against cold
e ambient temperature if
necessary.
Revision: 02 Jun 95
Node: 5 Storage tank self
Parameter: Pressure
Revision: 02 Jun 95
Node: 5 Storage tank self
Parameter: Level
1. Higher 1.1. Level control IC 1.1.1. Tank contents EE Overflow CON Overflow to
Level fails lost to environment be below tank roof.
Wrong level sensed due 1.1.1.2. High level CAU
to tank being filled alarm 1.1.1.2. Tank to be
with less dense adequately bunded.
material than 1.1.1.3. Level CAU I
anticipated. indicator
- A99 -
"" Worksheet
Company:
Facility: Page: 9
Revision: 02 Jun 95
Node: 6 Storage tank vent in from inert blanket supply.
Parameter: Flow
1. No Flow 1.1. Vent in line IC 1.1.1. Tank vacuum EE Vacuum relief CON Minimise
blocked collapse valve opportunities for line
blockage.
3. Less 3.1. Vent in line IC 3.1.1. Tank vacuum EE 3.1.1.1. Vacuum relief CON 3.1.1.1. Minimiss
Flow partially blocked collapse valve opportunities for line
blockage
Revision: 02 Jun, 95
Node: 6 Storage tank vent in from inert blanket supply.
Parameter: Pressure
2. Lower 2.1. Vent in line IC 2.1.1. Vacuum collapse EE 2.1.1.1. Ensure vent
Pressure blocked or partially in line is not prone
blocked to blocking
2.1.1.2. Install
vacuum relief
-c
- AIOO -
Worksheat
Company*
Facility: Pages
Revioion: 02 Jun 9S
Node: 7 Storage tank vent out to vent header
Parameter: Flow
1.1.1.2. Install
relief valve
3. Less 3.1. Vent out line IC 3.1.1. Tank EE 3.1.1.1. Ensure vent
Flow partially blocked overpressure rupture out line is not prone
to blocking
3.1.1.2. Install
relief valve
Revision: 02 Jun 95
Node: 7 Storage tank vent out to vent header
Parameter: Pressure
I I RECOMMENDATIONS
DEVIATION CAUSES CATI CONSEQUENCES CATI SAFEGUARDS CATI
I I. I. I. I I I
1. Higher I. I. Vent out line IC erpressure EE Install
Pressure blocked or partially rupture relief valvo
blocked
- AIOI -
Worksheet
Company:
Facility: Page 18
'., 'I Revision- 0 26 Jun 9S
.
Hode: 8 Storage tank outlet via batch meter to tanker
Parameter: Flow
2. More 2.1. Outlet line IC 2.1.1. Tank contents EE 2.1.1.1. Emergency 2.1-1.1. Ensure tank
Flow ruptures. lost to environment. isolation valve is adequately bunded.
Tanker filling hose
ruptured. 2.1.1.2. Locate
isolation valve as
near as possible to
tank.
2.3. Tanker moves off IC 2.3-1. Leak to EE 2.3.1.1. Dry break 2.3.1.1. Loading bay
while loading environment. couplings. to be on level ground.
operation still in Ensure tanker can be
progress. 2.3.1.2. Tanker parked securely in bay
Driver drives off, immobilisation at a reasonable
tanker not parked interlock. distance from other
securely, or tanker in traffic.
conflict with other
traffic.
3. Less 3.1. Outlet line IC 3.1-1. Tanker takes EE 3.1.1.1. Overdue 3.1.1.1. Ensure
Flow partially blocked. longer to-fill than filling do not rely
alarm. operators
Batch meter control normal.
fails solely on time taken
valve to fill tanker as an
insufficiently open. indicator as to when
Pump running to disconnect filling
l incorrectly. ho a a.
ACV. 16.10121. v 16 0w Un v
-
Node: 8 Storage tank outlet via batch meter to tanker
Parameter: Composition
- A102 -
Worksheat
Company:
Facility: Page: 9
Revision: 0 26 Jun 9S
Node: 9 Storage tank inlet from tanker
Parameter: Flow
- A103 -
Worksheet
Company:
Facility: Pag*t 10
Revision: 0 21 Jul 95
Node: 11 Storage tank feed inlet without control valve.
Parameter: Flow
3. Less 3.1. Feed line IC 3.1.1. Vessel takes EE 3.1.1.1. Level CON
Flow partially blocked. longer to fill than indicator.
normal
Revision: 0 21 Jul 9S
Node: 11 Storage tank feed inlet without control valve.
Parameter: Pressure
1. Higher 1.2. Feed line IC 1.2.1. Expansion of IC 1.2.1.1. Hydraulic 1.2.1.1. Ensure
Pressure isolated. locked in fluid causes pressure relief operating instructions
hydraulic overpressure preclude deliberate
rupture of line. isolation of line
without having first
drained line.
- A104 -
Worksheet
Company:
Facility: Paget I
Revision: 02 Jun 95
Node: 1 Storage tank feed inlet with level control on tank.
Parameter: Flow
2. More 2.2. HIGH FLOW FROM VUL 2.2.1. Inadequate 2.2.1.1. Relief valve.
Flow UPSTREAM UNIT venting. Vessel C r.
overpressure rupture.
3. Less 3.2. LOW FLOW FROM VUL 3.2.1. Vessel takes 3.2.1.1. Level
Flow UPSTREAM UNIT longer to fill than sr. indicator.
normal.
S. Reverse 5.1. REVERSE FLOW AT VUL 5.1.1. Liquid siphoned 5.1.1.1. Siphon break CON
Flow UPSTREAM UNIT out of tank. on dip tubes.
Revision: 02 Jun 95
Node: I Storage tank feed inlet with level control on tank.
Parameter: Temperature
1. Higher I. I. HIGH TEMPERATURE VUL 1.1.1. Rapid Temperature CAU For system
Temperatur FROM UPSTREAM UNIT evaporation of tank CE indicator with vent header
e contents. system, can System
1.1.1.2. High CAU cope with increase in
temperature alarm venting due to hot
weather acting on
several tanks?
1.1.2. Increased 1.1.2.1. Temperature 1.1.2.1. Only a
vapour concentration indicator. problem for tanks with
around tank, possibly open vent.
rising to a hazardous 1.1.2.2. High Consider installing
level. temperature alarm. appropriate gas
detection equipment if
appropriate.
Revision: 02 Jurx 95
Node: I Storage tank feed inlet with level control on tank.
Parameter: Pressure
1. Higher 1.1. HIGH PRESSURE AT VUL 1.1.1. Vessel 1.1-1-1. Relief valve. CON Ensure
Pressure UPSTREAM UNIT overpressure rupture 8zF- adequate venting.
1.1.1.2. Pressure CAU
indicator.
- A105 -
Worksheet
Company:
Facility: Page 8
Revision: 02 Jun 9S
Node: 4 Storage tank outlet
Parameter: Flow
1. No Flow 1.3. NO FLOW AT VUL 1.3.1. Full head pump - 1.3.1.1. High CON 1.3.1.1. Design
DOWNSTREAMUNITS pressure developed. pressure/low flow pump equipment to withstand
re
High Pressure rupture cut out switches. maximum pump delivery
risk to downstream pressure.
equipment. 1.3-1.2. Kick back CON
Pump overheats, seals line
damaged, possible
leak. 1.3.1.3. Integral pump CON
high pressure relief
valve
1.4. NO FLOW AT VUL 1.4.1. Full head pump LPE 1.4.1.1. Kick back 1.4.1.1. Consider
DOWNSTREAMUNITS pressure developed. line. designing equipment to
HIGH PRESSURE TO withstand maximum pump
DOWNSTREAMUNITS 1.4.1.2. Low flow delivery pressure.
alarm.
2. More 2. S. LESS PRESSURE AT VUL 2. S. 1. HIGH FLOW To LPE 2. S. 1.1. Flow control CON
Flow DOWNSTREAMUNIT DOWNSTREAMUNIT
3. Less 3.3. HIGH PRESSURE AT VUL 3.3.1. LOW FLOW TO LPE 3.3.1.1. Flow control CON
Flow DOWNSTREAMUNIT DOWNSTREAMUNIT
S. Reverse 5.1. Pump failure and VUL S. I. I. Material S. 1.1.1. Non-return CAU
Flow REVERSE FLOW FROM incompatability valve.
DOWNSTREAMUNIT.
Revision: 02 aun 95
Node: 4 Storage tank outlet
Parameter: Pressure
1. Higher 1.1. NO FLOW AT VUL 1.1.1. Full head pump LPE 1.1 * 1.1. Kick back Consider
Pressure DOWNSTREAMUNIT pressure developed. line designing equipment to
HIGH PRESSURE TO withstand maximum pump
DOWNSTREAMUNIT 1.1.1.2. Low flow delivery pressure.
alarm.
2. Lower 2.2. LESS FLOW AT VUL 2.2.1. HIGH PRESSURE LPE 2.2.1.1. Flow control CAU
Pressure DOWNSTREAMUNIT AT DOWNSTREAMUNIT
2.2.1.2. Low flow CAU
alarm
2.2.1.3. Pressure CON
indicator
2.3. HIGH FLOW AT VUL 2.3.1. LOW PRESSURE AT LPE 2.3.1.1. Flow control CAU
DOWNSTREAMUNITS DOWNSTREAMUNITS
- A106 -
Worksheet
Company:
Facility: Page 13
Revision: 02 Jun 9S
Node: 6 Storage tank vent in from inert blanket supply.
Parameter: Flow
1. No Flow 1.2. NO FLOW FROM VENT VOL 1.2.1. Tank vacuum 1.2.1.1. Vacuum relief CON 1.2.1.1. Ensure source
IN SOURCE collapse is sufficiently
it. r- valve
reliable.
4.1.2. Possible
explosion risk
S. Reverse 5.1. LOW PRESSURE AT VUL 5.1.1. CONTAMINATION LPE Install non-
Flow UPSTREAM UNIT OF VENT IN SOURCE return valve
Revision: 02 Jun 95
Node: 6 Storage tank vent in from inert blanket supply.
Parameter: Pressure
2.2.1.2. Install
vacuum relief
- A107 -
Worksheat
Company,
Facility: Pag* 14
Revision: 02 Jun 95
Node: 7 Storage tank vent out to vent header
Parameter: Flow
Revision: 02 Jun 95
Node: 7 Storage tank vent out to vent header
Parameter: Pressure
- A108 -
Workaheet
Company:
Facility: Page 15
Revision: 0 21 Jul 95
Node: 11 Storage tank feed inlet without control valve.
Parameter: Flow
2. More 2.1. HIGH FLOW FROM VUL 2.1.1. Inadequate 'C-C 2.1.1.1. Relief valve.
Flow UPSTREAM UNIT venting. Vessel
overpressure rupture.
3. Less 3.2. LOW FLOW FROM VUL 3.2.1. Vessel takes 3.2.1.1. Level
Flow SOURCE longer to fill than indicator.
normal.
VUL As above
4.2. CONTAMINATION OF VUL 4.2.1. Material
MATERIAL AT SOURCE incompatibility
5. Reverse 5.1. REVERSE FLOW AT VUL 5.1.1. Liquid siphoned 1EI; Siphon break CON
Flow SOURCE out of tank. on dip tubes.
Revision: 0 21 Jul 9S
Node: 11 Storage tank feed inlet without control valve.
Parameter: Temperature
1. Higher 1.1. HIGH TEMPERATURE VUL 1.1.1. Rapid Temperature For system
Temperatur FROM UPSTREAM UNIT evaporation of tank indicator with vent header
e contents. system, can system
1.1.1.2. High CAU cope with increase in
temperature alarm venting due to hot
weather acting on
several tanks?
Revision: 0 21 Tul 95
Node: 11 Storage tank feed inlet without control valve.
Parameter: Pressure
1. Higher 1.1. HIGH PRESSURE VUL 1.1.1. Vessel Relief valve. CON Ensure
Pressure FROM SOURCE overpressure rupture adequate venting.
1.1.1.2. Pressure CAU
indicator.
- A109 -