Safety

Assess Hazards
with Process Flow
Failure Modes Analysis
Rosalynn J. MacGregor, P.Eng. Process flow failure modes (PFFM) analysis is
Sapphire Engineering Services, Ltd.
an intuitive, process-flow-directed way
to identify potentially hazardous scenarios.
Learn how to apply this technique
to your process hazard reviews.

I
nadequate process hazard analysis (PHA) has played a
role in serious process safety incidents. A U.S. Chemi-
cal Safety and Hazard Investigation Board (CSB) study
of 15 major events that occurred during 19982008 found
that 12 involved credible failure scenarios that should have
been identified by PHA reviews for those facilities (1).
Such a finding indicates that there may be deficiencies in
the PHA methods currently used.
The standard tool for process hazard analysis, the
hazard and operability (HAZOP) study (2), has several
drawbacks. It is counterintuitive, time consuming, and
theoretically rigorous to a fault; in addition, it requires a
skilled facilitator in order to produce good results.
An alternative approach, the process flow failure
modes (PFFM) method, is a more intuitive and less time-
consuming means to identify and address potential process
hazards. PFFM review has been accepted as a valid way
for facilities that handle hazardous chemicals to conduct
the PHAs required under the U.S. Occupational Safety and
Health Administrations (OSHA) process safety manage-
ment (PSM) standard.
This article introduces the PFFM technique, explains
how it differs from HAZOP, and provides an example that
applies PFFM to an oil production facility. It also describes
how PFFM can be incorporated into a more traditional
HAZOP PHA review structure.

PFFM basics
PFFM vs. HAZOP Developed in Canada in the 1980s, PFFM is a struc-

P FFM differs from HAZOP in several ways. Here are

some of the unique characteristics of PFFM.
The PFFM method uses a field-checked safeguard-
ing flow diagram (SFD) instead of piping and instrumen-
tation diagrams (P&IDs), although P&IDs can be used if
time and resources prevent the development of SFDs.
The reference drawings (SFDs or P&IDs) are divided
into smaller sections (similar to HAZOP nodes, but frequently
smaller). PFFM defines the size of a node based on the time
it takes to review a cause; each node should represent about
an hour of work by the team. This makes it easy to predict
how long the review will take, and to plan the effort.
A reference list of process failures (the LIST) is used
as the basis for the review.
Worksheets are pre-populated with causes in a
systematic way, following the process flow.
tured, systematic what-if technique that follows the process
flow, i.e., the flow of materials from the inlet feed line to
a process unit, through all of the process vessels in order,
to the finished product outlet lines. It has not been widely
used, but it is gradually gaining acceptance. This concept
(although not called PFFM) is described in Ref. 3.
Like other PHA methods (including HAZOP) PFFM
is structured around a process diagram that is divided into
sections (or nodes), although the type of process dia-
gram used in the analysis and the way nodes are defined
(discussed later) differ. At the heart of PFFM is a list of
possible failures (referred to as the LIST), which is used to
pre-populate the analysis worksheets.
The scope of the review is broken into nodes, and the
nodes are numbered sequentially. Common practice is to

48 www.aiche.org/cep March 2013 CEP Copyright 2013 American Institute of Chemical Engineers (AIChE)
highlight each node in a different color for ease of refer- For the barn example, the PFFM process starts by ask-
ence, as shown in Figure 1 (p. 50). The team uses the refer- ing: What could possibly go wrong? For example, what
ence drawing(s) to study the process in detail to identify could happen if the barn door is left open? The team then
process hazard causes, one node at a time. identifies the potential consequences of such a failure: The
horses would escape from the barn.
Backward vs. forward thinking This is a subtle but very important difference, especially
A major drawback of the HAZOP method is that it relies when dealing with complex processes. It is much easier
on a backward way of thinking to identify potential hazards. to think of a consequence by first thinking of a simple,
Backward thinking. The HAZOP method is based on the straightforward cause. This simple, logical, straightforward
concept that hazardous events are preceded by deviations manner of thinking is much less tiring.
from design and standard operating conditions, so potential
hazards are identified by considering process deviations. The safeguarding flow diagram
Common deviations evaluated during a HAZOP study PFFM is based on a safeguarding flow diagram (SFD),
include high flow, low flow, reverse flow, high temperature, which is tailored to PHAs and focuses on the process equip-
and low temperature. Such a procedure, whereby PHA team ment and the safety-critical devices protecting that equip-
members identify possible deviations and then seek to iden- ment (4). Although HAZOP reviews employ P&IDs, SFDs
tify the failures that could cause each deviation, requires are recommended (but not required) for PFFM reviews.
backward thinking. Worse, it presumes Article continues on next page
that the team is actually aware of all of the
Table 1. The HAZOP method evaluates hazards using a backward way of
relevant causes of a given deviation (or is thinking that first looks at deviations and then identifies their causes.
able to think of them during the meeting),
HAZOP HAZOP
and this may not be the case for a compli- Node Deviation HAZOP Cause HAZOP Consequence
cated process or piping network.
Barn High Flow Barn door is left partially Horses escape from barn;
Table 1 illustrates the challenges associ-
or wide open loss of containment of
ated with backward thinking. The columns horses
are shown in this order because this is the
Reverse Flow Backflow of deer into Deer eat grain; financial loss
order in which team members must think barn to farmer
when using the HAZOP method: first iden-
Garage and Low/No Flow Car is out of gas Car fails to start; driver is
tify a deviation, and then list its cause(s). Driveway late for work
For example, suppose the node of inter-
Car battery is dead Car fails to start; driver is
est is a barn. In the HAZOP process, the late for work
team starts with a deviation such as high
Car starter/alternator Car fails to start; driver is
flow and asks the question: How could has failed late for work
high flow occur in the barn? One way high
Driver of car cannot find Car fails to start; driver is
flow could occur is if the barn door is left keys late for work
open. The team then identifies the potential
Table 2. The PFFM method follows the flow of the process and
consequence of leaving the barn door open.
is a more intuitive way of identifying hazards.
As shown in Table 1, this could result in
horses escaping from the barn. The process PFFM Node
(Section) PFFM Cause (Failure) PFFM Consequence
moves on to consider another deviation,
such as reverse flow, and asks how such a Barn Barn door is left partially or Horses escape from barn; loss of
wide open containment of horses
deviation could occur in the barn.
This counterintuitive way of think- Backflow of deer into barn Deer eat grain; financial loss to
farmer
ing is exhausting, cumbersome, and time
consuming often tempting HAZOP Garage and Car is out of gas Car fails to start; driver is late for
Driveway work
teams with limited time and/or resources
to postpone the HAZOP review, rush the Car battery is dead Car fails to start; driver is late for
work
review, or take shortcuts.
Forward thinking. As its name sug- Car starter/alternator has failed Car fails to start; driver is late for
work
gests, the PFFM technique looks for
hazards by following the process flow. Driver of car cannot find keys Car fails to start; driver is late for
work
Table 2 shows the PFFM thought process.

Copyright 2013 American Institute of Chemical Engineers (AIChE) CEP March 2013 www.aiche.org/cep 49
Safety

Of the various types of engineering drawings (5), the be included in a PHA review to follow process lines across
P&ID provides the most detail. While necessary for docu- multiple drawings and identify consequences on possibly
mentation and other purposes, the level of detail of P&IDs several drawings is time consuming and complicated, and
is unnecessary for PHAs and can distract team members, can result in the team missing some hazards.
making it difficult to focus on the process concern being At the other end of the spectrum is the process flow dia-
discussed. Flipping through the dozens of P&IDs that may gram (PFD), which contains much less detail than a P&ID.
HT-2.18 PV-2.26 HT-2.19 PV-2.27
Force Circulation Heat Exchanger Slop O/H Condenser Slop O/H
Shell Tube Separator Shell Tube Separator
Des. Temp. 177C 177C Des. Temp. 177C Des. Temp. 149C 149C Des. Temp. 177C
Des. Press. 689 kPa (g) 1,103 kPa(g) Des. Press. 689 kPa (g) Des. Press. 1,172 kPa (g) 345 kPa(g) Des. Press. 828 kPa (g)

To Flare
CSO
177

TV
123
Set Pressure Deaerated
689 kPa(g) To Atm. Water Return
PSV KV PSV FO
132 106 134

PV
PV PAH PV Set Pressure 142
141 141 124
345 kPa(g)
520 kPa(g)
Set Pressure FO
Steam Supply FC FC 1,172 kPa(g) PSV PSV
135 136

CHD
To PV-2.26
Level Bridle PV
Set Pressure To 143
1,103 kPa(g) Atm.
PSV RO Fuel Gas
133 HT-2.19
104
Set Pressure
To PV-2.27 PSV
1,034 kPa(g)
Deaerated TAHL
Level Bridle PV-2.26 123 137
CHD Water Supply
LAH
HT-2.18 Deluent 117
1,100 kPa(g)
LAHH LAHL
128 126
SP
Condensate T
LAL TAL
125 124 RO
101 PV-2.27
RO
103

From Slop Pump

PM-2.33
PM-18.50

Slop O/H
SP CHD To Sales
RO
102

To Production
FV TAL Separators
140 125
Slop from
Header
FC

LV
118
Slop O/H Water
To Water
FO Treating
SP
PM-2.36R1

Slop Bottoms
To HT-209A/B

LV
117
Slop Oil
To Closed To Storage
FO
Hydrocarbon Drain
PM-2.34
PM-2.34 PM-2.33 SP PM-2.36R1
Bottoms Product Pump Slop Oil Recirculation Pump Produced Water Pump
2.2 L/s 754 kPa(g) 18.9 L/s 141 kPa(g) 3.7 L/s 1,235 kPa(g)
Max shutoff pressure 1,143 kPa(g) Max shutoff pressure 548 kPa(g) Max shutoff pressure 1,490 kPa(g)

PFFM Nodes Symbol Legend Nomenclature

Node 1 Normally Open Gate Valve CSC: Car Sealed Closed L/U: Lock-Up
Node 2 Pressure Safety Valve
Normally Closed Gate Valve CSO: Car Sealed Open NNF: Normally No Flow
Node 3 Globe Valve Vacuum Relief Valve ESD: Emergency Shutdown S/D: Shutdown
Node 4 Check Valve Blind in Open Position FC: Fail Closed SO: Steam Out
Node 5
Control Valve Blind in Closed Position FO: Fail Open SP: Sample Point
Node 6
Solenoid Valve FV: Full Vacuum TSO: Tight Shut-off
Node 7 Steam Trap
LC: Locked Closed
T

Node 8
Pressure Regulator LO: Locked Open
Node 9

p Figure 1. A safeguarding flow diagram displays the relevant equipment, piping, and safety devices necessary for a PFFM review. Each color identifies a
different node, which is defined such that each node consumes about one hour of review time.

50 www.aiche.org/cep March 2013 CEP Copyright 2013 American Institute of Chemical Engineers (AIChE)
PFDs cannot be used for PHA reviews because they lack
sufficient detail for identifying all potential process hazards.
SFDs bridge the level-of-detail gap between P&IDs and
PFDs. They show all of the equipment and safety devices
that are relevant to the PHA scope, without unnecessary
clutter, such as the material and energy balance information
found on PFDs, flow, temperature, or pressure indicators
(which are shown only when used as safeguarding devices),
instrumentation and control signals, instrument air or other
sensing lines, utility services (unless these are the subject
of the review), sample point details, construction details
and notes, and so on. These diagrams are displayed on the
least number of pages with the least number of interfaces
between drawings. Details that are unique to SFDs are the
maximum shutoff pressures of rotating equipment (e.g.,
centrifugal pumps, compressors, and blowers), high/low
pressure interfaces, a bold font for any safeguarding instru-
ments and pressure or vacuum relief devices, and only those
drawing notes that relate to process safety concerns.
While use of the SFD is not mandatory for successful
application of the PFFM technique, it is recommended,
particularly in situations where the P&IDs are out of date,
jam-packed, or difficult to read. In addition, if more than
10 P&IDs are required, or if individual nodes cover more
than three P&IDs, an SFD should be used.
A sample SFD is presented in Figure 1. The P&ID it
was taken from is relatively small and self-contained, and
of reasonably good quality. However, PHA reviews can
involve many different P&IDs for a single node, which can
become unmanageable for reviews with a lot of nodes. In
To Atmosphere
Set Pressure PSV
689 kPa(g) 132
PV
141 PAH
PV
124
520 kPa(g) 124
Steam
Supply FC FC
Set Pressure PSV
1,103 kPa(g) 133
RO
104
CHD
HT-2.18
Condensate T
PM-2.33 Node 2 Analysis
Starts Here
p Figure 2. The example applies the PFFM technique to Node 2.
Copyright 2013 American Institute of Chemical Engineers (AIChE)
such reviews, participants spend a significant amount of
time flipping through pages of drawings while each mem-
ber of the team tries to grasp the contents of that particular
node. This is not only a waste of time, but also presents
almost unavoidable opportunities for missing process
hazards. A typical process unit can be presented on a single
accordion-style SFD drawing with about 1235 folds.
Putting PFFM to work
To illustrate the application of PFFM and how it
compares to HAZOP, consider the following hypothetical
analysis of Node 2 in Figure 2 (which is an enlargement of
the blue section of Figure 1). Node 2 includes the slop oil
recirculation pump (PM-2.33), the forced-circulation heat
exchanger (HT-2.18), and the piping and devices associated
with this equipment. Table 3 provides the HAZOP analysis
results for Node 2, and Table 4 shows the PFFM results for
the same node. Notice that the PFFM review provides all
of the same information as HAZOP, but it is in one table
and follows the process flow. The possible failure causes
associated with various process elements are provided
in the LIST. For convenience, the LIST has been broken
down into Tables 514.
The PFFM review of Node 2 begins at the liquid outlet
nozzle from the slop treater vessel (PV-2.26), since this is
where the flow begins. The first question the team asks is:
If something goes wrong here, will the outlet line from the
vessel become plugged (Table 5)?
The analysis then follows the piping to the next process
element, in this case a spectacle blind. The normal position
of the blind is open, so the question is: What if the
blind is left in the closed position (for instance, after
maintenance work)?
Continuing forward through the piping, the
next element encountered is a check valve (Table 6).
Check valves exist to prevent backflow, so the failure
mode is that the check valve fails to prevent backflow,
i.e., it sticks open.
The next element of Node 2 is pump PM-2.33.
Several failure causes are typically associated with
pumps (Table 7); the ones that apply to this centrifu-
gal pump are:
pump stops pumping due to mechanical or
PV-2.26 electrical failure
pump seal failure occurs.
The analysis continues in this way. In reviewing
heat exchanger HT-2.18, the tubeside is considered
first and then the shellside (Table 8). The shellside
includes a steam supply. Because the steam enters
the node at this point, the six causes in the top por-
tion of Table 5 are considered for this steam supply
stream (as they are for every stream that enters any
CEP March 2013 www.aiche.org/cep 51
Safety

node). The steam condensate leaves the node after exit-
ing the heat exchanger, so the two causes in the bottom
section of Table 5 are considered: the stream is blocked
downstream (after it has left the node), and backflow
occurs into the node from the downstream processes. In
total, 15 causes are applied to the heat exchanger and its
associated piping within Node 2.
The last element encountered along the piping back
to the slop treater vessel is a restriction orifice (RO-104).
Failure modes for this type of device (Table 6) include: it
becomes plugged; flow through it stops; or it is eroded or
corroded, allowing excessive flow.
Once all of the individual failure causes have been listed,
the external fire and system failure causes are evaluated (Table
10). For this facility, five system failure causes fire, power
failure, instrument air failure, steam failure, and heat tracing
failure must be considered.
All of these failure modes must be considered for every

Table 3. In a HAZOP review, a separate table of possible causes is generated for each deviation.
Node 2 of the process shown in Figure 1, which includes a slop oil recirculation pump (PM-2.33), a forced-circulation
heat exchanger (HT-2.18), and associated equipment, required 11 tables.*
Table 3a. Deviation 1: Higher Flow
1. Steam trap on upstream side of PV-141 in steam line to HT-2.18 fails open
2. PV-141 in steam supply to HT-2.18 fails open
3. PV-124 in steam supply to HT-2.18 fails open
4. Steam trap on shellside outlet of HT-2.18 fails open
5. RO-104 in feed line to PV-2.26 from HT-2.18 becomes eroded or is corroded away

Table 3b. Deviation 2: Lower Flow/No Flow

1. Outlet from PV-2.26 (slop separator) to PM-2.33 becomes plugged with damaged internals or solids build-up
2. PM-2.33 stops due to mechanical or electrical failure
3. Steam trap on upstream side of PV-141 in steam line to HT-2.18 becomes plugged or is blocked in, or trap fails closed
4. PV-141 or PV-124 in steam supply to HT-2.18 fails closed, or block valve in line is closed
5. Discharge line to atmosphere from PSV-132 on steam supply line to HT-2.18 becomes blocked by ice or debris
6. Discharge line to grade from PSV-132 on steam supply line to HT-2.18 becomes blocked by ice or debris
7. Line to atmosphere from shellside of HT-2.18 becomes blocked by ice or debris, or block valve is closed when required to be open
8. Steam trap on shellside outlet of HT-2.18 becomes plugged, block valve is closed, or steam trap fails closed
9. 70-kPa condensate return line from shellside of HT-2.18 is blocked downstream
10. Discharge line from PSV-133 to closed hydrocarbon drain (CHD) becomes plugged on tubeside of HT-2.18
Table 3c. Deviation 3: Reverse Flow; Misdirected Flow Table 3g. Deviation 7: Lower Temperature
1. Check valve in line from PV-2.26 to PM-2.33 sticks open 1. Temperature decreases in steam supply to HT-2.18 and PV-2.26
2. Block valve from shellside of HT-2.18 is left open Table 3h. Deviation 8: Other Than Phase
3. Bypass around steam trap on shellside outlet of HT-2.18 is left 1. Steam supply to HT-2.18 and PV-2.26 contains liquid
open
Table 3i. Deviation 9: Other Than Composition
4. Block valve to hose connection on bypass around HT-2.18
shellside outlet steam trap is left open 1. Steam supply to HT-2.18 and PV-2.26 is contaminated
5. Backflow from 70-kPa condensate system to HT-2.18 occurs Table 3j. Deviation 10: Maintenance Hazards
Table 3d. Deviation 4: Higher Pressure 1. Seal failure occurs on PM-2.33
1. Pressure increases in 520-kPa steam supply to shellside of 2. Tube rupture occurs in HT-2.18
HT-2.18 and PV-2.26 (on slop separator)
Table 3k. Deviation 11: System Failure
Table 3e. Deviation 5: Lower Pressure (utilities power, instrument air, steam, cooling,
1. Pressure is lost in 520-kPa steam supply to shellside of HT-2.18 heat tracing, process control systems)
and PV-2.26 1. Power failure occurs in vicinity of PM-2.33 and HT-2.18
Table 3f. Deviation 6: Higher Temperature 2. Instrument air failure occurs in vicinity of PM-2.33 and HT-2.18
1. Temperature increases in steam supply to HT-2.18 and PV-2.26 3. Steam failure occurs in vicinity of PM-2.33 and HT-2.18
2. Fire occurs in vicinity of PM-2.33 and HT-2.18 4. Heat tracing failure occurs in vicinity of PM-2.33 and HT-2.18

*The 11 tables are combined here for convenience.

52 www.aiche.org/cep March 2013 CEP Copyright 2013 American Institute of Chemical Engineers (AIChE)
 Table 4. PFFM analysis generates one table listing all possible
causes of failure in a node.
Causes
1. Outlet from PV-2.26 (slop separator) to PM-2.33 (slop oil recirculation
pump) becomes plugged with damaged internals or solids build-up
2. Check valve in line from PV-2.26 to PM-2.33 sticks open
3. PM-2.33 stops due to mechanical or electrical failure
4. Seal failure occurs on PM-2.33
5. Pressure is lost in 520-kPa steam supply to shellside of HT-2.18 and
PV-2.26
6. Pressure increases in 520-kPa steam supply to shellside of HT-2.18
and PV-2.26
7. Temperature decreases in steam supply to HT-2.18 and PV-2.26
8. Temperature increases in steam supply to HT-2.18 and PV-2.26
9. Steam supply to HT-2.18 and PV-2.26 is contaminated
10. Steam supply to HT-2.18 and PV-2.26 contains liquid
11. Steam trap on upstream side of PV-141 in steam line to HT-2.18
becomes plugged or is blocked in, or steam trap fails closed
12. Steam trap on upstream side of PV-141 in steam line to HT-2.18 fails
open
13. PV-141 in steam supply to HT-2.18 fails open
14. PV-124 in steam supply to HT-2.18 fails open
15. PV-141 or PV-124 in steam supply to HT-2.18 fails closed, or block
valve in line is closed
16. Discharge line to atmosphere from PSV-132 on steam supply line to
HT-2.18 becomes blocked by ice or debris
17. Discharge line to grade from PSV-132 on steam supply line to
HT-2.18 becomes blocked by ice or debris
18. Tube rupture occurs in HT-2.18
19. Block valve from shellside of HT-2.18 is left open to atmospheric vent
20. Line to atmosphere from shellside of HT-2.18 becomes blocked by
ice or debris, or block valve is closed when required to be open
21. Steam trap on shellside outlet of HT-2.18 becomes plugged, block
valve is closed, or steam trap fails closed
22. Steam trap on shellside outlet of HT-2.18 fails open
23. Bypass around steam trap on shellside outlet of HT-2.18 is left open
24. Block valve to hose connection on bypass around HT-2.18 shellside
outlet steam trap is left open
25. 70-kPa condensate return line from HT-2.18 shellside is blocked
downstream
26. Backflow from 70-kPa condensate system to HT-2.18 occurs
27. Discharge line from PSV-133 to CHD becomes plugged on
tubeside of HT-2.18
28. RO-104 in feed line to PV-2.26 from HT-2.18 becomes plugged off
29. RO-104 in feed line to PV-2.26 from HT-2.18 becomes eroded or is
corroded away
30. Fire occurs in vicinity of PM-2.33 and HT-2.18
31. Power failure occurs in vicinity of PM-2.33 and HT-2.18
32. Instrument air failure occurs in vicinity of PM-2.33 and HT-2.18
33. Steam failure occurs in vicinity of PM-2.33 and HT-2.18
34. Heat tracing failure occurs in vicinity of PM-2.33 and HT-2.18
Copyright 2013 American Institute of Chemical Engineers (AIChE)
operating scenario, including normal operation, start-up,
planned shutdown, emergency shutdown, and unusual
operating modes (e.g., vessels bypassed, equipment out
for maintenance, etc.). Other operational considerations
include: equipment spacing, sampling, and ease of
accomplishing required tasks.
To identify causes using the HAZOP deviation
approach, the team chooses one deviation (e.g., low
flow), and considers what could cause low flow at each
piece of equipment in the node. While doing this, the
leader typically highlights (or colors) the piping that is
examined as the team works its way through the node.
The problem with this approach is that as the team
reviews additional deviations, it is difficult to remember
which parts of the node have already been analyzed with
regard to which deviations. This is a problem for facilita-
tors who pre-populate worksheets before a review as well
as review teams that are using the blank-page approach.
Table 5. The portion of the LIST that pertains to
streams entering and exiting the node of interest is
shown here.
Streams Entering the Node
Pressure increases in incoming stream
Pressure decreases in incoming stream
Temperature increases in incoming stream
Temperature decreases in incoming stream
Incoming stream is contaminated (e.g., light ends, heavy
ends, salts, chemical additives, pH, etc.)
Incoming stream contains unexpected phases (e.g., solids,
liquid hydrocarbons or water, vapor)
Streams Exiting the Node
Flow is blocked downstream
Backflow into exiting stream occurs from downstream
equipment
Table 6. The LIST for piping.
Piping Segments
Piping segment is blocked in with heat tracing on (or off)
Piping segment is blocked in and ambient temperature
changes
Any dead legs in this section/node?
Check valve sticks open and forward flow stops
Atmospheric vent line from atmospheric sump, vessel,
drum, etc. becomes plugged
Hose rupture occurs
Expansion joint failure occurs
Restriction orifice becomes plugged
Restriction orifice erodes or corrodes away
Pipelines
Pipeline leak or rupture occurs
Article continues on next page
CEP March 2013 www.aiche.org/cep 53
Safety
In contrast, with PFFM, each piece of piping and equip-
ment is covered once. After it has been colored as part of
the node, it does not need to be revisited. In this way, it is
clear which parts of the process have been considered so
far: If it is colored, it is done, and it does not need to be
reviewed again. The review team only goes back to a node
that has been reviewed to evaluate system failure causes
(e.g., fire, power outage, etc.). This differs from HAZOP,
in which each node is evaluated for each of the applicable
deviations (e.g., low flow, high flow, blocked flow, etc.).
This speeds up reviews by approximately 25% compared
with the HAZOP deviation approach.
The LIST
Tables 514 comprise the LIST of possible process
failures for the most common types of equipment, piping,
and operational scenarios. The LIST has evolved during
more than 15 years of using it for process hazards analysis in
operating facilities and in facilities at the design stage. Every
attempt has been made to make the LIST comprehensive and
Table 7. The LIST for pumps and compressors.
Pumps
Online pump stops due to mechanical or electrical failure
Check valve sticks open on pump discharge and pump stops
Pump started with suction block valve closed
Pump started with discharge block valve closed
Check valve sticks open on discharge of standby pump with
suction and discharge block valves both left open
Check valve sticks open on discharge of standby pump with
suction block valve closed and discharge block valve left open
Variable-frequency drive (VFD) fails and speeds up (or slows
down) the pump
More pumps in parallel service are operating than required
Pump seal (packing, etc.) failure occurs
Suction (or discharge) vibration dampener fails on positive-
displacement (PD) pump
Compressors
Online compressor stops due to mechanical or electrical failure
Check valve sticks open on compressor discharge and
compressor stops
Compressor started with suction block valve closed
Compressor started with discharge block valve closed
Check valve sticks open on discharge of standby compressor
with suction and discharge block valves both left open
Check valve sticks open on discharge of standby compressor
with suction block valve closed and discharge block valve open
VFD fails and speeds up (or slows down) the compressor
More compressors in parallel service are operating than required
Compressor seal (packing, etc.) failure occurs
Suction (or discharge) vibration dampener fails on PD compressor
54 www.aiche.org/cep March 2013 CEP
complete. However, users should aim to improve and add to
the LIST as new failure modes are identified (for instance, as
new technologies are developed and situations change).
These tables can be used to fill in the cause section of
the PFFM worksheets. In preparing for the review, a facili-
tator or other team member (even junior personnel, as long
as they can read a P&ID or SFD) can list virtually every
individual process failure cause that could occur in a facil-
ity. Then during the PHA meeting, the team simply needs
to confirm the causes that apply to the node being studied.
Since many companies are familiar only with the
HAZOP technique and are leery of other methods, PHA
facilitators may need to conform with their organizations
HAZOP structures and hierarchies. However, this does
not preclude the use of PFFM. A very effective way of
pre-populating the causes for a HAZOP review is to start
with a list of causes generated by PFFM. Once the list is
completed for a node, each cause can be copied and pasted
into the most appropriate deviation worksheet within
that node. This takes very little time, and the results are
indistinguishable from HAZOP worksheets that have been
pre-populated using the standard, more time-consuming
and omission-prone deviation approach.
Reference 6 provides case studies that compare the
outcomes of the HAZOP and PFFM techniques.
Identifying all causes is not the whole job
The data from the CSB study (1) suggest that the fail-
ure to identify credible failure scenarios can result in very
serious consequences, and that credible failure scenarios
are sometimes missed during PHA reviews. To identify
all potential failure scenarios and their consequences, all
potential causes must also be identified.
However, identification of causes will not necessar-
ily lead to identification of every process hazard. For
example, the team might pose the cause Pump discharge
block valve closed and determine that the consequence is
Flow stops, no hazard, when the consequence is actually
discharge-piping overpressure.
Other common mistakes include: not accurately identi-
fying the backflow consequences for check valves that are
stuck in the open position; failure to consider the effects of
lighter hydrocarbon contamination of feed streams (e.g.,
flashing); and failure to consider every impact of heat trac-
ing failures (e.g., pressure safety valve inlet and/or outlet
piping may freeze and become blocked completely, etc.).
The first step in applying the PFFM technique is to iden-
tify all of the potential causes of process hazards that may
arise from failures within the process. Next, use engineer-
ing knowledge and some imagination when considering the
consequences of those causes. This challenge of using your
imagination applies equally to HAZOP and PFFM.
Copyright 2013 American Institute of Chemical Engineers (AIChE)
 Table 8. The LIST for heat exchangers. Table 10. The LIST for systemic failures.
Shell-and-Tube Heat Exchangers Systemic Failures
Shellside is blocked in while tubeside fluid is flowing High/low ambient temperature
Tubeside is blocked in while shellside fluid is flowing Fire (consider equipment spacing as well as overpressure, etc.
Tube rupture occurs concerns)
Tube leak occurs Power failure
Shellside is blocked in while exchanger is shut down Instrument air failure
Tubeside is blocked in while exchanger is shut down Steam failure
Inadequate heat exchange Cooling medium failure
Excessive heat exchange Heating medium failure
Heat tracing failure
Air-Cooled Heat Exchangers
Other utility failure, as applicable (e.g., nitrogen, refrigeration)
Excessive cooling occurs in exchanger
Failure of control signal from remote controller or remote control
Tube rupture occurs
system
Tube leak occurs
Emergency isolation capabilities
Fan stops due to mechanical or electrical failure
Commissioning issues (new equipment)
Inadequate cooling due to fouling
Startup/shutdown issues, such as:
Exchanger is blocked in during shutdown
Do safeguarding instruments need to be bypassed to start
Other Heat Exchangers (Plate-and-Frame, Spiral, etc.) up the unit?
Hot side is blocked in while cold-side fluid is flowing Can a fired heater burner be lit safely by the operator?
Cold side is blocked in while hot-side fluid is flowing Are the operators having to open or close very large
manual valves to start up or shut down equipment?
Rupture occurs between hot and cold sides
When starting up (or shutting down) equipment, does it
Leak occurs between hot and cold sides
pass through temperatures, pressures, or flow conditions
Hot side is blocked in while exchanger is shut down that have not yet been considered?
Cold side is blocked in while exchanger is shut down
Inadequate heat exchange Table 11. The LIST that pertains to equipment maintenance.
Excessive heat exchange Maintenance
Access Issues, such as
Table 9. The LIST for valves.
If a heat exchanger tube bundle needs to be removed, will
Control Valves
there be enough room for the equipment and pulled bundle?
Fail open If a chemical storage tank must be refilled from a tanker
Fail open with bypass open truck, is there space available for the truck during offloading?
Fail closed with bypass closed In a purchased equipment skid, is the piping so tightly laid
out that personnel cannot access control valves or other
Manual Block Valves
instrumentation safely?
Normally closed block valve is left open, or opened during
Are manual block valves that are frequently operated
normal operation
located at the correct height (should be between shoulder
Normally open block valve is left closed, or closed during and knee height)?
normal operation
Equipment Spacing or Location Issues, such as
Vent, Drain, and Bleed Valves Is any equipment located within the sterile radius (which is
Vent, drain, or bleed valve is opened during normal operation set by the allowable radiation limit) around the flare stack?
Vent, drain, or bleed valve is left open at startup Is the flame in a fired heater at an appropriate distance
from atmospheric vents that could contain hydrocarbon
Emergency or Remotely Operated Valves (e.g., Isolation,
vapor during an upset condition?
Depressuring, Venting, Purging)
Equipment Maintenance Isolation Issues, such as
Emergency isolation valve fails to close when required
For parallel pumps or filters, can one pump or filter be
Emergency isolation valve fails closed during normal operation safely isolated for maintenance according to regulatory
Emergency depressuring, venting, or purge valve fails to open requirements and/or company policy? Are more isolation
when required valves needed?
Emergency depressuring, venting, or purge valve fails open Equipment Reliability Issues (especially for any equipment
during normal operation identified as safeguarding devices)

Article continues on next page

Copyright 2013 American Institute of Chemical Engineers (AIChE) CEP March 2013 www.aiche.org/cep 55
Safety
Table 12. The LIST for miscellaneous equipment and devices.
Dryers, Molecular Sieve Units, etc.
Media becomes plugged or deactivated
Switching valve failure occurs (consider all modes of operation, each liquid phase)
and individual valve failures)
Media is too active (i.e., absorbs/adsorbs unwanted components)
Media must be changed or partially removed (bed exposed to Failure of individual internals (depends on nature of internals
atmosphere, or vessel entry concerns)
Fired Heaters
Tube leak or tube rupture occurs
Combustion air supply filter becomes plugged
Induced-draft (ID) or forced-draft (FD) fan stops
Natural-draft (ND), ID, or FD damper is wide open
ND, ID, or FD damper is closed
Flame arrester is plugged or otherwise damaged
Tubes (or other heat-transfer surface) are fouled
Excessive heat is transferred
Insufficient heat is transferred
If a bath is used, bath leaks and liquid level is lost
If a heating bath is used, medium degrades or is contaminated
For fuel supply issues, see valve failure modes
Filters and Strainers
Filter/strainer becomes plugged
Media is not replaced in filter/strainer after maintenance
Backflow into filter/strainer occurs during cleaning/change-out
Pressure-Relief Devices
Pressure-relief device sticks closed in dirty/sticky service
Pressure-relief device freezes closed (if credible)
Pressure-relief device opens and fails to reseat (when discharge Methodology, Hydrocarbon Processing, 83 (4), pp. 8186
is to another part of the process, i.e., pump suction, process (Apr. 2004).
vessel, etc., and not easily detected)
Pressure/vacuum device fails to close after operation is restored ing Devices: The Safeguarding Drawing, presented at the
to normal pressure
Rupture disc fails to rupture when required
Rupture disc ruptures during normal operation (or during upset)
Table 13. The LIST for truck loading and offloading.
Trucks at Loading/Offloading Stations
Hose rupture occurs or coupling becomes disconnected during Houston, TX (Apr. 15, 2012).
loading/offloading
Truck moves during loading/offloading
Static charge accumulates during loading/offloading
Vehicle collides with truck during loading/offloading
Loading is not stopped when truck is full (or vessel is empty)
Offloading is not stopped when truck is empty (or vessel is full)
Incorrect or contaminated material offloaded
Material loaded to contaminated or wrong truck
Loading/offloading rate too high
Loading/offloading rate too low
56 www.aiche.org/cep March 2013 CEP
Table 14. The LIST for vessels.
Vessels and Tanks
Rate of inflow to vessel exceeds rate of outflow (consider for
Rate of outflow from vessel exceeds rate of inflow (consider for
each liquid phase)
i.e., internals collapse and block outlet nozzle, weirs collapse)
Heating coils or cooling coil failure occurs
Mixer/agitator failure ocurs
Packing in mixers/agitators fails
Distillation Columns
Tray collapse occurs
Trays become fouled
Reactors
Catalyst is deactivated or fouled, or reaction stops
Catalyst bed is plugged
Excessive reaction rate, or runaway reaction
Internals fail
Literature Cited
1. Kaszniak, M., Oversights and Omissions in Process Hazard
Analyses: Lessons Learned from CSB Investigations, pre-
sented at the 2009 AIChE Spring Meeting, 5th Global Congress
on Process Safety, 43rd Annual Loss Prevention Symposium,
Tampa, FL (Apr. 2630, 2009).
2. Center for Chemical Process Safety, Guidelines for Hazard
Evaluation Procedures, 2nd ed., American Institute of Chemical
Engineers, New York, NY, and John Wiley and Sons, Hoboken,
NJ, p. 133 (1992).
3. Ego, D., and R. MacGregor, Improve Your Facilitys PHA
4. Wong, D., and R. MacGregor, Harmonization of Safeguard-
2008 Canadian Society for Chemical Engineering Conference,
Ottawa, ON (Oct. 1922, 2008).
5. Nasby, G., Using Process Flowsheets as Communication
Tools, Chem. Eng. Progress, 108 (10), pp. 3644 (Oct. 2012).
6. MacGregor, R., Comparing PHA Review Techniques A
Case History on Review Meeting Dynamics and Missed Haz-
ards, presented at the 8th Global Congress on Process Safety,
RoSaLynn J. MacGReGoR, P.enG., has worked as a self-employed process
safety professional at Sapphire Engineering Services, Ltd. since 2001.
When she wrote this article, she served as a senior health, safety, and
environmental specialist on contract to PMO Global Services in Calgary,
Alberta; she is currently on contract to ACM Automation, Inc. (940 6th
Ave., #700, Calgary, AB, T2P 3T1; Phone: (250) 804-4748; Email: sesco@
xplornet.com). She has over 25 years of experience in the oil and gas
and petrochemicals industries, and held positions in process, environ-
mental, and operations engineering, as well as technical department
management, prior to specializing in process safety. She holds a BASc
from the Univ. of British Columbia and an MSc from the Univ. of Alberta,
both in chemical engineering, and is a registered professional engineer
in Alberta and British Columbia. CEP
Copyright 2013 American Institute of Chemical Engineers (AIChE)