
Process SHE Guide 13

HAZARD STUDY METHODOLOGY

PART 3 - HAZARD STUDY 3

This Guide is issued by ICI Technology on behalf of the Process Safety, Health and Environment Interest Group for internal circulation within ICI only.

This document will only be kept up to date when issued to the holder of a registered binder.

S&TIS/11602
Process SHE Guide No. 13
Hazard Study Methodology
(August 1997 Edition)
CONTENTS (page)

3.0 INTRODUCTION ... 3
    3.0.1 Purpose ... 3
    3.0.2 Team ... 3
    3.0.3 Timing ... 4
    3.0.4 Requirements ... 4
    3.0.5 Preparation ... 5
    3.0.6 Documentation ... 5
    3.0.7 Method ... 6
3.1 CONTINUOUS PROCESSES ... 7
3.2 BATCH PROCESSES ... 8
3.3 BATCH PROCESS REACTION HAZARDS ... 12
3.4 USE OF HAZARD STUDY TECHNIQUES IN INITIAL STUDIES ... 13
3.5 MAINTENANCE AND OPERATING PROCEDURES ... 13
3.6 PROGRAMMABLE ELECTRONIC SYSTEMS ... 14
3.7 MECHANICAL HANDLING OPERATIONS ... 15
3.8 ELECTRICAL SYSTEMS ... 15
3.9 CHANGES TO EXISTING PROCESSES ... 22
3.10 BUILDINGS ... 23
3.11 DESIGN CHANGES ... 23
3.12 OTHER STUDIES ... 23
3.13 HAZARD STUDY 3 ACTION REVIEWS ... 25

FIGURES (page)

3.1 HAZARD STUDY 3 - CONTINUOUS PROCESS GUIDE DIAGRAM ... 9
3.2 HAZARD STUDY 3 - BATCH PROCESS GUIDE DIAGRAM ... 10
3.3 HAZARD STUDY 3 - METHOD FOR BATCH PROCESSES ... 11
3.4 HAZARD STUDY 3 - OPERATING/MAINTENANCE PROCEDURES GUIDE DIAGRAM ... 13
3.5 HAZARD STUDY 3 - PES BLOCK DIAGRAM (TYPICAL) ... 16
3.6 DCS FMEA METHOD ... 17
3.7 PROCESS CONTROL SYSTEM I/O FEATURES ... 18
3.8 PES SYSTEM FEATURES ... 19
3.9 HAZARD STUDY 3 - MECHANICAL HANDLING OPERATIONS GUIDE DIAGRAM ... 20
3.10 HAZARD STUDY 3 - ELECTRICAL SYSTEMS GUIDE DIAGRAM ... 21
3.11 HAZARD STUDY 3 OF BUILDING DESIGN AND OPERABILITY ... 24

Copyright Imperial Chemicals Industries PLC 1997

3.0 INTRODUCTION

3.0.1 Purpose
The purpose of Hazard Study 3 is to review the design and/or procedures to identify any hazards or
obstacles to operability which could arise, particularly through deviations from the design intent. In the
case of process plant, this will be based on the study of firm Engineering Line Diagrams and outline
operating procedures and outline commissioning procedures. The consequences of deviations are
identified and, where necessary, appropriate corrective actions initiated.
The study also provides an opportunity to review potential maintenance and quality problems.
Key aspects include:
(a) A detailed, systematic study of the design and outline operating and maintenance procedures to identify the consequences of deviation from design intent.
(b) Consideration of transient operating conditions during start-up, shutdown, plant upsets and emergencies.
(c) Consideration of potential exposure of employees to harmful effects during routine operations including maintenance, decontamination etc.

The main justification for the detailed and time-consuming studies is the elimination of potential
hazards. This approach should ensure that projects are commissioned promptly and safely and that
the need for late changes is minimised. However, very important and valuable spin-offs can result
from questioning operational and maintenance considerations such as routine testing and maintenance
of equipment. The Hazard Study team should record any decisions taken on the depth of study (i.e.,
the statement 'no hazard' does not mean 'no problem').
The techniques described in this part of the Guide are searching and exhaustive. Where there are
significant hazards, e.g., on new designs and on those handling hazardous materials, the techniques
need to be applied rigorously and thoroughly. It should also be recognised that the repetitive
application of the techniques in places where there are no hazards can lead to much wasted effort and
divert scarce resources away from real problems. It is therefore necessary to apply care both in cases
where there are no significant hazards and also in cases where the design has already been subjected
to a detailed, well recorded series of hazard studies. In the latter case, a thorough consideration of the
implications of all changes, making reference to the records of the earlier studies may provide the
necessary assurance of safety. It is important in these cases that the records are updated to provide
full hazard documentation for the system being studied.
The ICI Hazard Study 3 is the "HAZOP" technique as referred to in US Federal Legislation on Major
Hazard Plants, OSHA 29CFR Part 1910 and specified in the AIChE, Centre for Chemical Process
Safety "Guidelines for Hazard Evaluation Procedures".
3.0.2 Team
The team composition should be agreed by the Hazard Study Leader and the Project Manager. The
normal composition of the team is:
(a) Hazard Study Leader.
(b) Project Manager (or nominee).
(c) Appropriate Functional Engineer(s) (e.g. Process Engineer).
(d) Operations or Site Representative.
(e) Control/Electrical Engineer (where appropriate).

For studies on existing plants, the study team should include operators or maintainers where
appropriate.
In addition an Occupational Hygienist and/or an Environmental Specialist may join the team where
agreed at Hazard Study 1.
3.0.3 Timing
Process Hazard Study 3 is best carried out when firm Engineering Line Diagrams with outline
operating, commissioning, maintenance and test procedures are available. Hazard Study 2 for the
relevant section with its actions/recommendations should be complete as far as is practicable.
PES Hazard Study 3 is best carried out when the PES system design is at an advanced stage but not
necessarily complete. Most major design decisions should have been taken. The status of the process
Hazard Study 3 is not significant.

3.0.4 Requirements
For the Hazard Study 3 of Batch and Continuous processes the following should be available if
applicable:
(a) A firm Engineering Line Diagram or Process and Instrument Diagram.
(b) Outline operating, commissioning, maintenance and test procedures in so far as these are not obvious from the design.
(c) Actions/recommendations from Hazard Study 2 should be completed as far as is practicable.
(d) Classification of the 'type' and 'grading' of alarm and trip systems; for a suitable standard see EDG.CEE.02.75.
(e) Area electrical classification drawings where zoned areas have been identified.
(f) Relief systems philosophy; for a suitable standard see EDP.WOR.05.11.
(g) List of vessels and pipework to be registered as requiring periodic inspection; for a suitable standard see EDP.WOR.05.14.
(h) List of Critical Machine Systems; for a suitable standard see GEP 5, EDP.MAC.66.02 and EDG.MAC.24.01.
(j) DCS input/output allocation philosophy.

In addition, for Batch processes a full sequence description is required.


It is important to check that the documentation, e.g. line diagrams, to be studied is acceptable to the
Site. Too often project drawings have to be redrawn or modified at a later stage to make them
compatible with existing site drawings and standards. This basic check can avoid an
abortive/ineffective study. The drawings should be registered in the Site system subsequent to the
studies.
For Construction Activities identified in Hazard Study 2 or HAZCON as worthy of detailed
consideration, method statements should be available for study at phased stages in the construction
programme.
For Hazard Study 3 of Programmable Electronic Systems the following should be available:
(1) Specifications.
(2) Configuration diagrams.
(3) Block diagram representation.
(4) Input/output card signal allocation.

System manuals will be useful. The responsibility for input/output card allocation checks and line for
line software (sequence) checks lies with the respective designing engineer and not with the Hazard
Study 3. The Hazard Study 3 should verify that these responsibilities have been accepted and
performed.
There needs to be adequate availability of team members, recognising practical limitations (e.g.
meetings should be less than 3 hours duration/day and there should be less than 3/week on a regular
basis).
There needs to be a plan for review meetings (for actions and recommendations raised).
3.0.5 Preparation
For maximum effectiveness and efficiency, meetings should take place in a comfortable room with
adequate light, ventilation and quietness, etc.
Where team members are new to Hazard Studies, the attitude of team members to questioning of their
design by an 'outsider' may be very negative. The need for some training before the first meeting, or
at the beginning of the first meeting, needs to be considered. A video is available from ICI Engineering
Technology Process Safety Section.
Prior to the meeting, the Hazard Study Leader should verify with the Project Manager that the
documentation is available and at a suitable stage of development. Ideally, the information will be
circulated to the Hazard Study Team at least a week in advance.

3.0.6 Documentation
Documentation, in the form of the record of the Hazard Study meetings, and supporting documents
together with evidence of the completion of all actions should be filed in the Project Safety, Health and
Environment Dossier (SHED - STD/F/01022). It is important that the marked up Engineering Line
Diagrams, or a good copy, micro-fiche or 35 mm photographic slides of the material, are also retained
in the SHE Dossier (SHED) together with the Hazard Study records.
It may be necessary for hazard assessments to be carried out as actions from Hazard Study 2 or 3.
Such assessments should be issued as separate documents and included in the Safety, Health &
Environment Dossier.
Documentation should include records of the equipment studied, the causes of deviations from design
intent considered, and the effects of potential hazards identified. These should be recorded on
standard forms (see STD/F/01015 and STD/F/01017).
In most cases, where hazards or operability problems are exposed in the detailed systematic
examination, measures will have been taken in the design to prevent or correct unwanted events.
These will include such things as conformance with Codes of Practice, selection of appropriate
equipment, alarms/trips, procedures, etc. These should be acknowledged on the relevant forms.
However, the Hazard Study 3 is likely to raise detailed questions which typically may address the
feasibility of routine proof testing, the problems of maintaining specific items of equipment, the role
and responsibilities of people, etc. Such questions in many cases cannot be resolved in the Hazard
Study Meetings and actions/recommendations will need to be recorded and allocated to nominated
persons - not necessarily members of the Hazard Study Team. Such actions/recommendations will
need to be reviewed as part of the hazard study process.
Common to each record form are definitions of Project No., Drawing No. (and Revision No.), team
members, date and meeting No.s. This key information is important for future information retrieval.
Often overlooked is the need to retain a copy of the Engineering Line Diagram which was studied.
Such an oversight can lead to confusion in future years when attempts are made to correlate the
Hazard Study notes to current drawings which, through subsequent revisions, no longer accurately
match the original design.

Meeting records for circulation should consider including copies, e.g. reduced in size, of the ELD.
Project Management should ensure that project documentation (area classification, relief philosophy,
vessel and piping registration, critical machines) is updated for use at a hazard study.
Following the completion of Hazard Study 3, any modifications made to the design, including those
made during the commissioning stage, will need to be controlled. A procedure for controlling design
changes should be agreed. See PP 25 for an example.
Important requirements for the study are outline operating and maintenance procedures/instructions
which may be refined during the study. The retrieval of hazard study notes and drawings, relevant at
the time of study, should be facilitated by appropriate referencing and filing because future
modifications may well necessitate recovery of the original detailed design philosophy.
On some projects, where construction/demolition work is necessary on existing operations, working
plant or in close proximity to hazardous pipe-routes or processes, it may be necessary to examine
systematically selective activities at appropriate stages in the construction/demolition program. This
involves examination of the 'method' statement. Construction and demolition activities are addressed
by the procedures outlined in EDG.CON.50.01 (HAZCON).
3.0.7 Method
It is important that the whole team understands the process being studied if each member is to make
an effective contribution to the meeting. A few minutes needs to be allowed for this activity at the start
of the meeting.
Then the Hazard Study Leader will use his experience to guide the team to select the best starting
point for each study. The normal systematic approach on chemical plants is to examine firstly the
process lines into a vessel, then the process lines out of a vessel and finally the vessel.
Ensure everyone understands what is being discussed. Much fruitless work can be avoided if each
team member is kept aware of the exact item being discussed. This can require special attention
during a long series of concentrated Hazard Studies.
Ascertain the design basis. The Process Design Engineer will normally know the basis for the design
being studied, although there may be areas where experts in Control Engineering, etc., may be more
appropriate to provide this information to the team. Earlier Hazard Study work may also be referred to
as part of this design basis. A written summary should be available for reference and for inclusion in
the Hazard Study report/notes.
Explore the possibilities and capture ideas. The Hazard Study Leader needs to encourage the team in
thinking about the possible ways that deviations can occur and the possible outcomes. Sometimes an
idea will be brought out which would be more appropriate at a later stage of the study. This idea
should be noted for use later. However, it is important to filter out real concerns from trivia. The
Hazard Study Leader needs to draw the discussion together to decide whether or not problems need
further action or whether the discussion needs to be recorded. This should be done with the
involvement of the whole team.
It is important that ideas are not ignored or rejected without due consideration, since the contributor
may lose interest and take a less active role in the meeting.
Regulate the progress and control the width of thinking. The Hazard Study Leader needs to exercise
some control over the speed of progress of the team. There are times when progress needs to be
speeded up because over-detailed thinking, or consideration of design changes is taking too much of
the time. There are also times when the team is keen to move along quickly and the Hazard Study
Leader needs to restrain progress if significant items could be missed.
It is important to encourage the team, and a little light-heartedness and a break for refreshment can
help to maintain concentration. The original hazard study procedure, developed in the early 1970s for
examining Engineering Line Diagrams with the aid of a guide diagram, has now been developed and
extended from continuous chemical processes to batch processes, selected operating and
maintenance procedures, computer or PLC systems, selected construction activities and mechanical
handling operations. Increasing use is being made of the technique in the study of modifications to
existing processes, which, although they involve relatively minor costs, could have the potential for
significant hazards and/or financial loss.
The recording of the study on the standard form should be a true record of the decisions reached by
the study team. Some record of reasons including rejected scenarios may be of use to those using the
record in the future. Some of the deviation guidewords may not have any causes or consequences
and the reasons for this may be obvious, in this case there is no need to make any record. It may be
appropriate to make a single record where perhaps a piping system has been designed for all
attainable temperatures and pressures.
In some countries, a full record is required by the national authorities "to prove that all deviations have
been considered". Local requirements should be known and followed.
The recording in the meeting may be done by the leader or by another member of the team at the
discretion of the Hazard Study Leader. There are a number of computer based systems to assist in the
recording of hazard study records.
The standard record sheet, standard form STD/F/01015, has an entry for the person to progress the
actions to be named and a date for the action review by which action should be complete.

3.1 CONTINUOUS PROCESSES
Studies of continuous chemical processes are carried out in a series of meetings where Engineering
Line Diagrams are examined, line by line, vessel by vessel, using a list of guidewords to stimulate the
Hazard Study team's consideration of all conceivable deviations from design intent.
The detailed examination of cause and effect of deviations in both normal and abnormal plant
operation is designed to minimise problems at commissioning and start-up, and to ensure continued
safe and reliable operation of the plant. This systematic study of design detail should identify areas of
concern which can, if necessary, be resolved outside the hazard study meeting.
The list of guidewords in Figure 3.1 is worked through systematically by the team of mixed disciplines,
led by the trained Hazard Study Leader. The process lines and vessels examined are marked on the
Engineering Line Diagram and listed on the record form, (see STD/F/01015). The Hazard Study Leader
is responsible for ensuring the Hazard Study records are of a satisfactory quality. Should the cause
and effect of a deviation (e.g., low flow) cause no hazard, environmental, health, operability or quality
problems then no comment may be needed in the summary on the standard form. It will be assumed
that 'deviations' excluded from the standard list of guidewords have been considered but dismissed
and their exclusion from the form summary is not an oversight, but in the interest of brevity and team
efficiency.
Continuous processes also entail discontinuous operations (e.g., start up, controlled shutdown,
emergency shutdown). These should be treated in a similar fashion as batch processes.
Should potential problems be identified, then a record of the preventative or corrective measures
designed to minimise the likelihood and consequences should be specified. Any further action should
be noted and progressed outside the meeting. Where extensive discussions are held, these should
also be recorded even if they have not led to identification of a hazard.
Should the Hazard Study 3 call into question the fundamental rationale of the hazard control measures
agreed at Hazard Study 2, then it is the responsibility of the Project Manager (or nominee) to ensure
that the Hazard Study 2 report is updated. In some countries this may be a legal requirement (e.g.
OSHA, SEVESO directive).

3.2 BATCH PROCESSES
The general characteristics of batch plants as compared with continuous plants are as follows:
(a) The status of the various parts of the plant changes cyclically with respect to time, and therefore a line diagram alone gives a very incomplete picture.
(b) The processes are usually multistage and the individual units multipurpose. For example, in a chemical reactor the process steps could involve:
    (i) charge solvent;
    (ii) charge reactants;
    (iii) heat to reaction temperature;
    (iv) add final components at controlled rate;
    (v) cool down products to discharge temperature;
    (vi) discharge.
(c) Batch plants are often multiproduct and reaction units usually have to be cleaned out and modified when changing from one product to another.
(d) From the comments above it will be clear that there can be several 'norms' for batch plants. At the very least there will be two:
    (1) an "active" state when the item is in use; and
    (2) an "inactive" state when the item is not in use.
    This is in contrast to a continuous plant where, when in steady state operation, a fixed 'norm' in terms of flow, pressure, temperature etc. can be defined for each and every part of the plant.
(e) Operators may take part in some of the process activities such as charging material from drums or removing product from filters. Even well trained and well-motivated operators will make occasional mistakes.

During the study the question should be asked "How often will an operator make a mistake?" and not
"If an operator makes a mistake ...". If the consequences are serious the possibility of error should be
designed out.
For the purpose of the hazard study, in addition to the Engineering Line Diagram, which describes the
plant, it will be necessary to know the sequence of process operations. This can be in a variety of
forms, usually a process summary (such as a batch master print-out), but could be a logic diagram, dot
chart or sequence flow chart. With complicated or proprietary items of equipment a considerable
amount of preparatory work may be necessary before the study.
The approach usually adopted in a hazard and operability study of a batch process is to apply the guide
words initially (see Figure 3.2) to each step of the process. Applied to a vessel such as a reactor this
would lead to the examination of various lines which could then be marked off on the line diagram as
having been examined.
Other lines not identified with a normal process step (e.g., relief lines, vents, etc.), would then be
examined before moving on to the next major item of equipment.
The detailed sequence of the examination is shown in Figure 3.3.

FIGURE 3.1

HAZARD STUDY 3 - CONTINUOUS PROCESS GUIDE DIAGRAM
(guide diagram; the drawing itself is not reproduced in this text version)

FIGURE 3.2

HAZARD STUDY 3 - BATCH PROCESS GUIDE DIAGRAM

Guide Word | Meaning | Example of Deviation
NO (NOT OR NONE) | The activity is not carried out or ceases | No flow in pipe; no reactant charged to process; batch not cooled; check omitted; no catalyst, etc.
MORE OF | A quantitative increase in an activity | More (higher, longer) quantity, flow, temperature, pressure, batch, concentration, time
LESS OF | A quantitative decrease in an activity | Less (lower, shorter) of above
MORE THAN OR AS WELL AS | A further activity occurs in addition to the original activity | Impurities present; extra phase (solid or gas in liquid phase); extra (unplanned) process operation
PART OF | The incomplete performance of an activity | Reduced strength; missing component; operation only part completed
REVERSE | Inversion of the activity | Back-flow or back-pressure; heat rather than cool
SOONER/LATER THAN | An activity occurring at the wrong time relative to other activities | The activity occurs at the wrong time
OTHER (THAN) | | Wrong material charged; non-routine conditions, start-up, shut-down, maintenance, cleaning, etc.; failure of services

FIGURE 3.3

HAZARD STUDY 3 - METHOD FOR BATCH PROCESSES

BEGINNING
1. Select first step/operation of process.
2. Relate to appropriate line on line diagram.
3. Explain intention (when line active).
4. Apply first Guide Word.
5. Develop meaningful deviation.
6. Examine possible causes.
7. Examine consequences.
8. Identify hazards.
9. Make suitable record for action.
10. Repeat 5 to 9 for all meaningful deviations from first Guide Word.
11. Repeat for all the Guide Words.
12. Apply the Guide Words to the alternative "inactive" state.
13. Mark line as having been examined.
14. Repeat 2 to 13 for each step/operation of the process (associated with the one vessel).
15. Select auxiliary line (e.g. relief valve, vent, heating system).
16. Explain intention of auxiliary line.
17. Repeat 4 to 12 for the auxiliary line.
18. Mark auxiliary line as having been examined.
19. Repeat 15 to 18 for all auxiliary lines.
20. Mark vessel as having been examined.
21. Consider if any equipment is critical and needs to be registered, e.g. critical machines, pipework, vessels, lifting gear, etc.
22. Select next step in the process and continue until the line diagram has been fully examined.

When all the lines have been examined, consider whether there are additional factors, e.g., computer failure or services failure, which could affect the whole plant.
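As an added illustration (not part of the ICI Guide), the following Python walks the Figure 3.3 sequence for one vessel, applying every Figure 3.2 guide word in both the active and inactive state, and then audits the line diagram for any line that was never marked as examined. The reactor, line tags and steps are constructed for the example; the double-charge prompt implements the point made in section 3.2 about MORE OF on charging steps.

```python
"""Added example: enumerate the Figure 3.3 examination sequence for one vessel
and audit that every line on the line diagram was marked as examined."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Guide words of the batch process guide diagram (Figure 3.2).
GUIDE_WORDS = (
    "NO (NOT OR NONE)", "MORE OF", "LESS OF", "MORE THAN / AS WELL AS",
    "PART OF", "REVERSE", "SOONER / LATER THAN", "OTHER (THAN)",
)
# The two 'norms' of a batch plant item (section 3.2(d)); Figure 3.3 step 12
# applies the guide words to the "inactive" state as well as the active one.
STATES = ("active", "inactive")


@dataclass(frozen=True)
class Line:
    tag: str
    intention: str
    auxiliary: bool = False  # relief valve, vent, heating system (step 15)


@dataclass(frozen=True)
class Step:
    number: int
    description: str
    line_tag: str  # line that is active during this step (step 2)


@dataclass(frozen=True)
class Record:
    """One prompt for the team to develop into a deviation (steps 5 to 9)."""
    vessel: str
    step: Optional[int]  # None when an auxiliary line is examined on its own
    line_tag: str
    state: str
    guide_word: str
    prompt: str


def deviation_prompt(activity: str, guide_word: str) -> str:
    """Seed text for step 5. Section 3.2(iv): MORE OF applied to a charging
    step must explicitly address a double charge, a common error. A word
    boundary is used so that 'discharge' is not mistaken for a charge."""
    if guide_word == "MORE OF" and re.search(r"\bcharg(e|es|ed|ing)\b",
                                             activity, re.IGNORECASE):
        return f"MORE OF {activity}: consider a double charge"
    return f"{guide_word}: {activity}"


def plan_examination(vessel: str, lines: List[Line], steps: List[Step]
                     ) -> Tuple[List[Record], List[str], List[str]]:
    """Return (records, lines marked examined in order, lines never examined).

    A line reached through a process step is examined once per step, since a
    multipurpose line has more than one 'normal' state (section 3.2(i));
    auxiliary lines are mopped up afterwards (steps 15 to 19)."""
    by_tag = {ln.tag: ln for ln in lines}
    records: List[Record] = []
    examined: List[str] = []

    def examine(line: Line, step: Optional[Step]) -> None:
        activity = step.description if step else line.intention
        for state in STATES:          # step 12
            for gw in GUIDE_WORDS:    # steps 4 and 11
                records.append(Record(vessel, step.number if step else None,
                                      line.tag, state, gw,
                                      deviation_prompt(activity, gw)))
        examined.append(line.tag)     # steps 13 and 18

    for step in steps:                # steps 1 and 14
        if step.line_tag not in by_tag:
            raise KeyError(f"step {step.number}: unknown line {step.line_tag}")
        examine(by_tag[step.line_tag], step)
    for line in lines:                # steps 15 to 19
        if line.auxiliary and line.tag not in examined:
            examine(line, None)
    # Steps 20 and 22: the vessel is only complete once every line on the
    # diagram is marked; anything left here was neither tied to a step nor
    # flagged as auxiliary, so it would otherwise be skipped silently.
    unexamined = sorted(t for t in by_tag if t not in examined)
    return records, examined, unexamined


# Constructed sample: a reactor following the six steps of section 3.2(b).
SAMPLE_LINES = [
    Line("L101", "solvent charge to R1"),
    Line("L102", "reactant charge to R1"),
    Line("L103", "controlled-rate addition of final component"),
    Line("L104", "product discharge from R1"),
    Line("L201", "jacket heating/cooling"),
    Line("L301", "relief line", auxiliary=True),
    Line("L302", "vent line"),  # tied to no step and not flagged auxiliary
]
SAMPLE_STEPS = [
    Step(1, "charge solvent", "L101"),
    Step(2, "charge reactants", "L102"),
    Step(3, "heat to reaction temperature", "L201"),
    Step(4, "add final components at controlled rate", "L103"),
    Step(5, "cool down products to discharge temperature", "L201"),
    Step(6, "discharge", "L104"),
]

if __name__ == "__main__":
    recs, done, missing = plan_examination("R1", SAMPLE_LINES, SAMPLE_STEPS)
    print(f"{len(recs)} prompts; lines examined in order: {done}")
    print("lines never examined (coverage gap):", missing)
```

Run as a script it reports 112 prompts for the sample reactor and flags the vent line L302 as the one line the sequence never reached.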

Significant points to bear in mind in the study of a batch process are:
(i) Multipurpose lines will have more than one 'normal' state and each should be examined.
(ii) Services, e.g. heating/cooling systems, can be examined in detail at the heating/cooling step or can be 'mopped up' before the process sequence moves on to another vessel.
(iii) The omission of one or more steps in the process is not uncommon and the consequences of such possible maloperations need to be examined.
(iv) In batch processes Quantity is a critical parameter. More of quantity should always address the possibility of a double charge, which is a common error.
(v) For many process steps only the first Guide Word (NO/NOT) will be relevant. If the operation is to "check vessel empty", then it either is or isn't (though various causes may be identified for the not-empty condition).
(vi) In multiproduct plants, the first and last batches of a campaign are different and need to be treated as such. Problems can include:
    (a) The need to check that vessels are empty.
    (b) Water contamination of the first batch of a campaign.
    (c) The handling of recycled materials and heels.
    (d) The defeat of instrumented trips to start the first batch of a campaign.

The effect of agitation failure and temperature deviation needs to be considered at each step in the
process.
Lastly, it is worth stressing that a deviation in one part of a batch process sequence, or at a particular
time, may not necessarily result in a hazard at that time or place, but may manifest itself elsewhere or
later.
On batch processes it may be more appropriate to examine the various stages in the process, from
approval of the recipe through the batch cycle to discharge and decontamination.

3.3 BATCH PROCESS REACTION HAZARDS


Batch reactions are prone to special problems if the process is exothermic or can produce gas.
Excessive temperature and/or pressure may be developed without careful control of the progress of
reaction.
Two methods of control are commonly used:
(a) In "all-in" reactions, all reactants are charged and reaction is completed by subjecting the mixture to an appropriate temperature/pressure programme. Control may be lost if cooling fails during an exothermic phase or if the effects of scale-up are not taken into account.
(b) In "progressive addition" reactions, a key reactant is charged under conditions which will ensure rapid consumption. Accumulation due to inappropriate temperature, poor mixing or other reasons is a common cause of hazard.

The latter technique is preferred, where practicable, for potentially hazardous batch reactions.

Part 3 - Hazard Study 3


Page 12
S&TIS/11602

Process SHE Guide No. 13


Hazard Study Methodology
(August 1997 Edition)

3.4

USE OF HAZARD STUDY TECHNIQUES IN INITIAL STUDIES


The guideword approach may be used to identify potential major hazards arising from process
deviations prior to the flow sheeting stage of a project. In this case, a process summary (based on
laboratory work) is examined without reference to plant hardware.
This approach (which is an extension of material compatibility studies) is particularly useful for
complex reactions. It can reveal the need for further process development before progressing to a flow
sheet, or pinpoint critical control features which need to be incorporated in the flowsheet and line
diagram.

3.5

MAINTENANCE AND OPERATING PROCEDURES


Where human error has been identified, for example in Hazard Study 2, as a significant contributor to
the risk of hazards, then selective detailed examination of operating, maintenance, start-up and
shutdown procedures may be justified.

In selected cases, the hazard study team may consider it prudent to examine detailed
operating/maintenance procedures (e.g. reactor start-up). The guide diagram in Figure 3.4 has been
used quite effectively for this purpose. In recommending its use, consideration should be given to the
initial state of the plant. Should the state be different from that expected, the action required and/or
consequences expected should be considered and recorded. Where potential events are caused by
operator error, then the cause should be stated as operator error.

The decision to extend the Hazard Studies into a detailed study of 'procedures' will be influenced by
whether human error has been identified at the Hazard Study 2 stage as a significant contributor to the
risk of hazards or environmental problems.

FIGURE 3.4

HAZARD STUDY 3 - OPERATING/MAINTENANCE PROCEDURES GUIDE DIAGRAM

For application to the overall task and/or each unit activity

Parameter               Purpose                  Deviation
----------------------  -----------------------  -----------------------------
WHAT has to be done?    WHY; for what purpose?   What if omitted? What else?
                                                 As well/instead?
When?                   Why then?                Earlier/later?
Where?                  Why there?                Elsewhere?
How?                    Why that way?            Some other way?
How much?               Why that much?           More/less?
How fast?               Why that fast?           Faster/slower?
How often?              Why that often?          More/less often?
Who?                    Why them?                Someone else?

What else can go wrong?


The statement on the initial state of the plant implies an inspection - against a check list - by the
operator. It seems prudent to enquire what may happen if the operator finds any part of the plant in
other than the required state and takes steps to correct the state, for example, he opens a closed valve
which should have been open before starting the procedure detailed.


3.6

PROGRAMMABLE ELECTRONIC SYSTEMS


A PES differs from the process units or other activities in that the PES itself has only limited
ability to be a direct hazard (e.g. damage to an operator's health due to poor ergonomics, electrocution,
etc.). The main concern is its ability to initiate hazards in the plant, or its inability to correct and avert
dangerous process events. The effect of partial or complete PES failure should be considered when
studying the process (i.e. the ELDs). The PES hazard study is thus directed to understanding, reducing or
eliminating PES failures.

There are some basic problems in applying a conventional Hazard Study 3 line-by-line deviation
analysis to a PES. The complexity of systems involving software means that rigorous studies are not
possible; a complete analytical study of a system involving software would take an impossibly long time.
It may nevertheless be practical and important to study some of the critical logic flows using the
deviation guideword system; the need for this should be identified in this procedure.

Studies of Programmable Electronic Systems are best approached with block diagram representations
(see Figure 3.5) of the equipment within defined cut points. The interfaces between each item of
equipment can then be systematically examined. Identify the hardware and software features of the
system and conduct a Failure Modes and Effects Analysis (FMEA). This type of analysis is better suited
to the nature of a PES and to the knowledge that the design team will have of the PES. An FMEA
considers each part of the PES and asks how it can fail (the mode) and what the effect will be (the
effect). It then goes on to ask "How is the operator made aware?" and "What diagnostic or corrective
measures are present?".

The best approach is to start by looking at each type of input signal, starting with the measuring device.
In addition to outright failures, intermittent failures, partial failures and recovery from failure should be
considered. Then consider each type of output signal, and then the identifiable functions of the PES.
Some advice:

(a) Duplicated hardware is a common approach by suppliers to a requirement for increased
reliability. Their calculations of reliability rates for duplicate systems are of little value, as they
usually ignore dependency (i.e. common cause and common mode errors). The operation
and resetting of duplicate systems should be studied.

(b) Multi-channel cards have a number of different failure modes, which should all be identified.
The allocation of signals to cards should be a joint Control/Electrical and Process activity.

(c) The DCS system software is beyond the scope of this study. It is recommended that a
statement about the supplier's quality design system and their internal or external auditing is
obtained.

(d) The features of one supplier's DCS or PLC may be similar across systems, so information should
be sought from previous studies. This can mean that there is no need to invite a representative
from the manufacturer to the study.

(e) There will be many power supplies, most of which will be duplicated for reliability. All failures
should be alarmed in a way that ensures the operator is aware of them.

(f) All identified system failures will probably be alarmed to the operator by a message. These
messages are likely to be infrequent and not immediately understandable. How will the
operator respond to these error messages, who will they contact, and what level of training will
they have been given?

(g) Connection to a network or any form of remote communications introduces security problems
due to inadvertent or deliberate contact. The protection against unwanted access will
probably be software based; the means of protection needs to be identified, and a periodic test
needs to be defined to demonstrate that the protection is still effective.

(h) PES systems can easily produce an overload of alarms. In the event of a plant upset, the
operator may be faced with hundreds of alarms and miss a critical alarm in a sea of trivia.
Alarms should be prioritised.

Recording may be on a conventional Hazard Study 3 record form (STD/F/01015), or on the specific
FMEA form (STD/F/01017).
Advanced Control Systems can be studied using these techniques but such a study will not address the
control actions that an ACS is capable of taking.
The guidewords in Figure 3.7 have been used on some projects to prompt detailed consideration of the
failure modes of modern PLC type control systems and, whilst capable of further refinement, the
approach does encourage a structured examination of each key unit in the control loop (e.g. DP cell,
P/I, controller/computer, I/P, control valve). Many new instruments contain PLCs (DP cells, density
meters, controllers etc.) and their failure modes can be very different from conventional instruments
(e.g., loss of input can default, such that automatic control reverts to manual without any audible
alarm). Such novel failure mechanisms can only be revealed by lateral consideration of cause/effect
deviations in input/output circuitry and software programs. In particular, the wider implications of
dependency or common mode failure should be addressed.

3.7

MECHANICAL HANDLING OPERATIONS


In Hazard Study 2, significant hazards of Mechanical Handling relate to moving objects/equipment,
where inadequate control can lead to serious injury by virtue of stored potential or kinetic energy
(e.g. mixing equipment, palletisers, conveyors, rail shunting, etc.).
For the more detailed Hazard Study 3, the guide diagram for chemical hazards is inappropriate for
detailed study of such activities and the guidance suggested in Figure 3.9 has been used to greater
benefit when addressing the potential for e.g., 'blockages' and 'loss of control'.
Packaged units are a common feature in mechanical handling equipment and 'loss of control' is a
foreseeable failure mechanism. The majority of packaged units are delivered with control units fitted
as standard off-the-shelf items - not always compatible with ICI E/I purchasing standards and
increasingly involving programmable micro-processors.
In most cases, it is advantageous to study the interface between such units and the chemical plant
because of the hostile environment, site specific service constraints and significance of unit failure for
the chemical process (e.g., chemical may solidify if the unit stops). In particular, hazards can arise
when electrical isolation of drives is not independent from associated control/interlock circuits.
One of the main problems in using packaged units is the lack of readily available information on control
circuits and operating function. However, it is suggested that Figure 3.9 will promote useful dialogue
with the supplier before the units arrive on site unsuitable for demanding duties in often novel chemical
processes where routine maintenance and testing have not been addressed.

3.8

ELECTRICAL SYSTEMS
On electrical systems, a one line diagram or a block diagram representation should be examined
systematically to identify novel failure mechanisms only revealed by creative thinking about
cause/effect deviations in input/output circuitry and software programming.

FIGURE 3.5

HAZARD STUDY 3 - PES BLOCK DIAGRAM (TYPICAL)

(Block diagram not reproduced in this text.)


FIGURE 3.6

DCS FMEA METHOD

(1) Identify system to be analysed.

(2) Divide system into features and functions. (The tables may be used as check lists.)

(3) Select a feature or function to be studied.

(4) Identify a failure mode of that feature or function.

(5) Determine the effect of the failure.

(6) Determine how the operator is made aware of the failure.

(7) Identify any preventative or corrective measures.

(8) If any actions are needed, specify them.

(9) Are there any other failure modes which have different effects? For each one:
    (i) Determine the effect of the failure.
    (ii) Determine how the operator is made aware of the failure.
    (iii) Identify any preventative or corrective measures.
    (iv) If any actions are needed, specify them.

(10) Repeat for all features and functions.


FIGURE 3.7

PROCESS CONTROL SYSTEM I/O FEATURES

Feature or Function     Failure mode        Notes
----------------------  ------------------  ----------------------
Transmitters            open circuit        F, P, T, L, Q, W
                        short circuit       and converters
                        frozen signal
                        drifting signal
                        noise
Smart transmitters      open circuit
                        short circuit
                        frozen signal
                        drifting signal
                        diagnostics
                        reconfiguration
Analogue input cards    single loop
                        multi loop
Digital input cards     single loop
                        multi loop
Analogue output cards   single loop
                        multi loop
                        open circuit
                        short circuit
Digital output cards    single loop
                        multi loop
                        open circuit
                        short circuit
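To show how the Figure 3.6 loop and the Figure 3.7 check list fit together on a worksheet, here is an added example in Python; it is not part of the ICI guide. The feature names and failure modes are taken from Figure 3.7; the worksheet rows, effects and alarm texts are constructed sample data, and the three finding categories (unexamined, silent, unprotected) are labels assumed for this example rather than the guide's own terms.

```python
from dataclasses import dataclass, field

# Check list taken from Figure 3.7 (feature -> failure modes). Every listed
# mode must have a worksheet entry before the feature counts as examined.
CHECKLIST = {
    "Transmitters": ["open circuit", "short circuit", "frozen signal",
                     "drifting signal", "noise"],
    "Analogue output cards": ["single loop", "multi loop",
                              "open circuit", "short circuit"],
}


@dataclass
class FmeaEntry:
    """One worksheet row: the questions asked in the Figure 3.6 loop."""
    feature: str
    mode: str                    # how can it fail?
    effect: str                  # what will the effect be?
    awareness: str = ""          # how is the operator made aware?
    measures: str = ""           # preventative or corrective measures present
    actions: list = field(default_factory=list)   # actions specified by the study


# Constructed sample worksheet for one flow loop (not a real study record).
WORKSHEET = [
    FmeaEntry("Transmitters", "open circuit",
              "signal falls to zero; controller drives valve fully open",
              awareness="bad-PV alarm on DCS",
              measures="low-flow trip independent of the DCS"),
    FmeaEntry("Transmitters", "frozen signal",
              "controller holds last output; no response to the process",
              actions=["add a stuck-PV check to the flow loop"]),
    FmeaEntry("Transmitters", "drifting signal",
              "flow slowly mis-controlled with no indication"),
    FmeaEntry("Analogue output cards", "short circuit",
              "all loops on the card lose their output",
              awareness="card fault message",
              measures="valves fail to their safe position"),
]


def audit(worksheet, checklist=CHECKLIST):
    """Return the findings a Hazard Study Leader would raise on the worksheet.

    unexamined:  check-list failure modes with no worksheet entry at all
    silent:      failures the operator would not be made aware of, with no action
    unprotected: failures with no preventative/corrective measure and no action
    Each list holds (feature, mode) pairs.
    """
    seen = {(e.feature, e.mode) for e in worksheet}
    unexamined = [(f, m) for f, modes in checklist.items() for m in modes
                  if (f, m) not in seen]
    silent = [(e.feature, e.mode) for e in worksheet
              if not e.awareness and not e.actions]
    unprotected = [(e.feature, e.mode) for e in worksheet
                   if not e.measures and not e.actions]
    return {"unexamined": unexamined, "silent": silent, "unprotected": unprotected}


if __name__ == "__main__":
    for kind, items in audit(WORKSHEET).items():
        print(f"{kind}: {items}")
```

A row with an action raised is not reported as silent or unprotected, since the action is the study's answer to that gap; the row stays on the list until the action review confirms it closed.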


FIGURE 3.8

PES SYSTEM FEATURES

Feature or Function     Guideword                Notes
----------------------  -----------------------  ----------------------
Power supply            main supply              consider loss and
                        individual PSUs          resumption
                        voltage dips
System highways         failure
                        external links
                        time delays
Standby system          configuration
                        failure
Links between PESs      low speed
                        loss of data
                        timing
Operator displays       no update
                        system diagnostics
Engineering displays
Ergonomics
Security                passwords
                        access
Fire                    protection
                        detection
                        alarms
                        extinguishing
Environment             dust
                        chemicals
                        stability
PES Security            position
                        water ingress
                        physical damage
                        RFI/ESD
Training                operators
                        maintainers
                        system keeper
Commissioning           commissioning
                        testing
Operation               maintenance
                        modification
                        back up                  of information
                        operating instructions

FIGURE 3.9

HAZARD STUDY 3 - MECHANICAL HANDLING OPERATIONS GUIDE DIAGRAM

(Guide diagram not reproduced in this text.)

FIGURE 3.10

HAZARD STUDY 3 - ELECTRICAL SYSTEMS GUIDE DIAGRAM

(Guide diagram not reproduced in this text.)


3.9

CHANGES TO EXISTING PROCESSES


On occasions it may be appropriate to examine existing plants to identify all conceivable differences
between a plant prior to modification and after modification. Generally, such hazard studies would
supplement Site Modification procedures.
Examples of modifications which fall into this category are:

(a) Replacing old instrumentation with modern versions (often with inbuilt PLCs).

(b) Re-configuring an instrument panel in the control room.

(c) Replacing switchgear or power supplies.

(d) Re-routing pipework, cables etc.

(e) Recipe/process changes outside the defined range of composition/quantities, pressure,
temperature, time, etc.

(f) A new source of feedstock which may contain trace constituents new to the process.

It is often instructive to make a comprehensive list of every conceivable factor that may change and
then to consider systematically the possible implications. The hazard study team should be
encouraged to consider, within clearly defined boundaries, changes to:
(1) HARDWARE
    (i) Equipment.

(2) SOFTWARE
    (i) Operating Procedure
    (ii) Maintenance Procedure
    (iii) Routine Proof Testing

Such an approach is likely to identify, for example, the need for:

(i) Corrections to E/I proof testing schedules.

(ii) Drawing updates.

(iii) Requirement for retraining.

(iv) Careful consideration of new modes of instrument failure.

(v) Consideration of new and novel human error event scenarios not previously foreseen with the
old system.

(vi) Consideration of the display of panel, VDU, alarm information.

Such an approach will focus the hazard study team's attention on the significance of key differences
between the before and after situation - although the basic process/function remains unchanged.
It is also important in these situations to consider the hazards that could arise during the transition, and
to examine the adequacy of emergency procedures/systems. It may be that certain differences are
more significant at different stages of the transition and therefore a systematic examination of key
steps in a phased completion may be necessary.
The hazard study team should decide whether a formal Hazard Study 1 & 2 and/or line-by-line ELD
study could be an added benefit. They should record their reasoning on the Site Modification
Procedure documentation.


3.10

BUILDINGS
In Hazard Study 2, consideration will have been given to the physical layout of buildings and to the
containment of noxious and harmful substances and the 'top events' such as fire, explosion, pollution,
etc., will have been considered. At this later stage in the project it is often useful to use the Hazard
Study 3 techniques (see Figure 3.11) to ensure that there is also a clear understanding of non-SHE
items (e.g. the detailed operating and maintenance aspects) which will be fundamental to the
satisfactory performance of the building. This is of particular importance when considering novel
techniques and/or systems to be incorporated in the project.
Factors worthy of further consideration should be highlighted, judged on the degree of novelty or
uncertainty attached to them, and/or on the impact their non-conformance will have on the final
operation of the project.
These factors should be listed, and the Hazard Study Leader should then select the most appropriate
form of study, normally one of the methods described above, to examine, for example, drains,
ventilation systems, etc.
A separate study, Hazcon, has been developed for construction and demolition activities; for more
details see EDG.CON.50.01.

3.11

DESIGN CHANGES
Following the completion of Hazard Study 3 any modification made to the design, including those
made during the commissioning stage, will need to be controlled. For a suitable procedure see PP.25.
Established change control procedures should be used, the changes being approved by the Project
Manager and Commissioning Manager and referenced in the Project Safety, Health and Environment
Dossier.

3.12

OTHER STUDIES
The engineering function should produce or update area electrical classification drawings where zoned
areas have been identified during the Hazard Study 2 and 3 stages of a project.
The Project Manager should ensure that appropriate links are maintained with the 'Fire Process
Review' panel and arrange for key correspondence to be included in the SHE Dossier.

FIGURE 3.11

HAZARD STUDY 3 OF BUILDING DESIGN AND OPERABILITY

(Figure not reproduced in this text.)


3.13

HAZARD STUDY 3 ACTION REVIEWS


Review meetings are the responsibility of, and will very often be led by, the Project Engineer. Design
changes and the action trail need to be auditable; it is recommended that a complete list of actions is
created showing that the actions have been closed, (see STD/F/01011). The Hazard Study Leader
does, however, have an important function at this stage in checking that the concerns of the Hazard
Study Team have been properly satisfied:
(a) Check actions have been implemented.

(b) There is a need to check that the actions/recommendations from the Hazard Study have been
implemented in the way expected and that this has not introduced new hazards.

(c) Problems of insufficiently thought out solutions.

(d) The Hazard Study Leader needs to consider:
    (1) Does the solution deal with the concern?
    (2) Does the solution introduce new concerns?

(e) Some new Hazard Study work is often necessary if significant changes to the design or
operation are involved in the proposed solutions.

(f) It is usual for the Project Manager to notify the Hazard Study Leader of any significant
changes in the design or operation which have been made subsequent to the Hazard Study 3.
They can then decide whether it is necessary to hold a further Hazard Study meeting to
consider the changes.

(g) All modifications made to Engineering Line Diagrams after Hazard Study 3 should be formally
recorded and reviewed at the Hazard Study 4 stage. For a suitable procedure see PP.25 'Change Control'.
