Hazard Analysis
What is Hazard Analysis ?
It is a step by step, orderly breakdown of jobs ascertaining the hazard involved, with the objectives of presenting an efficient, safe me method of doing the job and pointing out any inherent hazards which are still present.
Hazard analysis is a critical component of planning for hazardous material releases. It is identification of undesired events that may lead to the realization of the hazard; the analysis of the mechanism by which those undesired events could occur and the estimation of the extent, magnitude & relative likelihood of any harmful effects.
To analyze the safety of a major hazard installation as well as its potential hazards, a hazard analysis should be carried out covering the following areas :
Which toxic, reactive, explosive or flammable substances in the installation constitute a major hazard;
Which failures or errors could cause abnormal conditions leading to a major accident;
The consequences of a major accident for the workers, people living or working outside the installation, or the environment;
Prevention measures for accidents;
Mitigation of the consequences of an accident.
HAZARD MANAGEMENT
Application of safety and health principles is normal in the day to day operation of a plant. However, the potential for major accidents caused by the rapid growth in the production, storage and use of hazardous substances requires a well-defined and systematic approach to prevent and control major hazards. This entails dealing with the safety aspects of siting, planning, design, construction and operation of the plants.
Major Accident: The European Communities in its Directive of 1982 defined the term as an occurrence such as a major emission, fire or explosion resulting from uncontrolled developments in the course of an industrial activity.
A major hazard is generally associated with the potential for fire, explosion or dispersion of toxic chemicals. It usually involves release of material from containment detrimental to people and the environment.
Major hazard facilities have to be operated to a very high safety standard, which requires state of the art techniques and management practices to prevent any major disasters affecting employees, the community and the environment at large.
Major Hazard Facility: A facility that meets the criteria as detailed in the National Code of Practice for the Control of Major Hazard Facilities.
It is the duty of management to organise and implement a major hazard control system and in particular to:
 |
provide the necessary information required to identify major hazards. |
|
conduct the hazard assessment. |
|
report to relevant authorities the results of the assessment. |
|
set up an emergency response plan for any eventuality. |
|
take measures to improve plant safety. |
MAJOR HAZARD IDENTIFICATION
In order to implement a system of controls for major hazards successfully, management must identify the following:
|
what explosive, flammable or toxic substances in the facility constitute a major hazard? |
|
which system failures or operational malfunctions can cause abnormal conditions leading to a major accident? |
|
what can be done to prevent operational malfunctions and system failures? |
|
should a major accident occur, what are the consequences of an explosion, fire or toxic release for the employees, surrounding community, the plant and the environment? |
|
what can be done to mitigate the consequences of an accident? |
An effective way for management to fulfil its responsibility to control major hazards is to conduct an assessment with a view to understanding why accidents occur and how they can be prevented or at least mitigated. When carrying out the assessment, management should:
|
analyse all existing safety concepts and develop new ones. |
|
identify collateral hazards associated with the major hazard. |
|
develop optimum technical and organisational measures for protection against abnormal plant operation. |
When conducting a hazard assessment, it is necessary to follow procedures and techniques that have been modelled to aid the assessment process. Some well-documented techniques to formalise hazard assessment are:
|
Preliminary Hazard Analysis (PHA). |
|
Hazard and Operability study (HAZOP). |
|
Fault Tree Analysis (FTA) |
|
Failure Modes, Effects and Criticality Analysis (FMEA and FMECA). |
A hazard assessment should include a study of the probable consequences of any system or operational malfunction and is referred to as "accident consequence analysis".
The outcome of the assessment exercise would be to develop and implement control measures to ensure that the major hazard facility is operated with "as low as reasonably possible" (ALARP) risk and has an emergency response plan in place.
ALARP: As low as reasonably possible - the principle of reducing risk to ensure hazards which fall between 'intolerable' and 'acceptable' levels are reduced, as far as reasonably practicable, to acceptable levels.
Is plant/installation a major hazard?
Is there any explosive, flammable or toxic substance?
Does quantity exceed threshold levels?
Threshold Levels: The potential for a major hazard accident is a function of both the inherent nature of the substance and the quantity that is present. Threshold levels derived using this empirical function determine whether a major hazard assessment study is required.
If yes to above questions:
|
conduct preliminary hazard analysis to determine if further assessment needed. |
|
conduct hazard and operability study or similar. |
|
perform accident consequence analysis. |
|
identify causes for potential major hazard accidents. |
|
develop controls for operation of major hazard installation. |
|
develop emergency/contingency plan to mitigate consequences of any major hazard accident. |
PRELIMINARY HAZARD ANALYSIS (PHA)
PHA: Preliminary hazard analysis - the process of identifying major hazards to determine the type of accidents involving toxic, flammable or explosive materials that can occur.
The preliminary hazard analysis is the first step in conducting a hazard assessment. A preliminary hazard analysis is fast and cost effective; and since it identifies the key problem areas, evaluation should always begin using this method. The results of a preliminary hazard analysis identifies which systems or processes require further examination and which systems are less significant in the context of major hazard control.
Management must always undertake a Preliminary Hazard Analysis to identify which systems or processes require further investigation.
The breakdown in system elements (plant components, for example, storage tanks, pressure vessels) or the events (overloading of a tank, process overrun) that can lead to hazardous conditions are specified. For example, it is necessary to identify component failures that can result in the release of a toxic gas or to the formation of an explosive atmosphere. The results are recorded or tabulated and based on the findings, the systems for further evaluation are established.
Individual components such as storage tanks, reaction vessels, pipes, pumps, relief valves, sterilisers, and mixers are then examined more closely using other evaluation techniques.
This example preliminary hazard analysis (PHA) is that of a simple chemical process involving the mixture of two substances:
Chemical Explosion. |
Mixing/Storage Vessel. |
Material Y exceeds X due to cessation of flow of material X. |
|
HAZARD AND OPERABILITY STUDY (HAZOP)
HAZOP: Hazard and Operability study - the process of assessing hazards and developing control measures to prevent accidents involving toxic, flammable or explosive materials to facilitate safe operation of major hazard installations. It takes a representation of a system and analyses how its operation may lead to an unsafe deviation from the intent of the system.
The next step of the assessment phase is to consider the deviations from normal operations in systems, or operational malfunctions identified in the preliminary hazard analysis (PHA) that could lead to a hazardous situation. This entails a detailed examination of the system and mode of operation.
The results of the preliminary hazard analysis are fully examined in the Hazard and Operability (HAZOP) study to identify and understand all serious hazards.
The hazard and operability study enables a critical in-depth evaluation of the system and process classified as relevant in the preliminary hazard analysis. The HAZOP technique questions systematically every part of the process in order to establish how deviations from the intended design can occur and determines how these deviations can give rise to hazardous situations.
The examination focuses on every part of the design, in sequence, subjecting each part to a number of specially formulated questions derived from method study techniques. The questions will test the integrity of each part of the design to conceive how the design can deviate from the intended design. A number of theoretical deviations are produced and each will be considered to determine how it can be caused and what are the consequences.
Some of the probable causes may be unrealistic and can be rejected. Some of the consequences may be insignificant and will not be further considered. Deviations conceived as possible with potentially serious consequences are noted for remedial action.
The study is progressed from one part of the design to the next until the whole plant has been examined. Possible deviations and all associated hazards identified during the examination are then addressed if the solutions are obvious and not likely to affect other parts of the design. However, additional information is often required before modifications to designs can be made.
The outcomes from examinations will normally consist of a combination of decisions and additional questions that have to be addressed by re-evaluations. This process will continue until the desired outcome is achieved.
USE PHA RESULTS FOR HAZOP STUDY OF DESIGN
The results of the preliminary hazard analysis are used in the Hazard and Operability study (HAZOP).
Consider a chemical reaction between two substances X and Y to form a product Z, where the concentration of raw material Y must never exceed that of X, otherwise an explosion will occur. The design can either be descriptive or diagrammatic and defines the intended process and the expected mode of operation.
Starting with the pipeline from the inlet of the feed pump that delivers the raw material X to where it enters the reaction vessel, the design is examined and the operation analysed for possible malfunction. Keys or guide words (DOES NOT, MORE ) are used to conduct the examination of the system.
The process control requirement is for raw material X to be transferred at a specified rate into the reaction vessel. The first deviation to consider is interruption to the transfer (transfer DOES NOT occur) caused by:
| supply tank being empty.
pump fails to function due to mechanical failure, electrical failure or operational failure (pump switched off).
pipeline fracture/leakage.
isolation valve is closed. |
Evidently some of the above causes are conceivable and so the deviation is relevant. The consequence of any of the above malfunction is now considered. A cessation of flow of X will result in excess of Y in the reaction vessel increasing the risk of an explosion. A hazard is therefore identified in the design and warrants further consideration.
The next process control requirement is that the transfer rate is exceeded ie. MORE is pumped into the reaction vessel. If the probable cause is accepted as realistic then the consequences are considered which in this case would be that:
| Z is contaminated with excess X which will affect the next stage of the process. |
| the excess flow into the reaction vessel can lead to overflow from the vessel. |
Further information is then obtained to decide the consequential hazard. Similar analysis is carried out for other parts of the process (eg. transfer of material Y) until all the potential major hazards associated with the process are considered.
FAULT TREE ANALYSIS (FTA)/EVENT TREE ANALYSIS (ETA)
ETA & FTA: Event/Fault tree analysis - consists of an analysis of possible causes starting at a system level and working down through the system, sub-system, equipment and component, identifying all possible causes. (What faults might we expect? How may they be arrived at?)
Assessment methods which allow quantifying the probability of an accident and the risk associated with plant operation based on the graphic description of accident sequences employ the fault tree or event tree analysis (FTA or ETA) techniques.
Fault Tree Analysis is a logical method of analysing how and why a disaster could occur. It is a great technique for working out the overall probability of a catastrophic event occurring, such as a melt-down in a nuclear power plant where the substantial cost involved is obviously necessary.
These methods are used to carry out a mathematical analysis of the accident sequences and have been used to determine the reliability of electronic systems. They are also widely used in the nuclear industry but may not be suitable for general assessment of major hazard because it involves substantial effort and cost.
| No water flow occurs if both pumps fail or if the control valve fails.
If the individual initiating event probabilitiesP(A), P(B),andP(C)are known, then the probability ofP(T)the top or end event can be calculated. |
Fault tree analysis is a logical method of analysing how and why a disaster could occur. It is a graphical technique that starts with the end event which is the accident or disaster (eg. nuclear fuel melt-down) and works backward to find the initiating event or combination of events that would lead to the final event. If the probabilities of each potential initiating event are known or can be estimated, the probability of the end or "top" event can be calculated.
The fault-tree is a logic diagram based on the principle of multi-causality that traces all the branches of events that could contribute to an accident or failure.
Data on individual components may be obtained from manufacturers' reliability statistics or quality assurance information. Specific failure rate data for individual items can also be obtained from reliability data banks, such as that operated by the United Kingdom Atomic Energy Authority's (UKAEA) System Reliability Service.
Aspects such as maintenance schedules, condition monitoring, replacement criteria and human reliability/failure should also be taken into account.
It is a good technique for summing individual probabilities to obtain the overall probability of the event occurring.
FAILURE MODE AND EFFECTS ANALYSIS (FMEA)
FMEA & FMECA: Failure modes, effects and criticality analysis - techniques used to determine the likelihood of a safety related system achieving the required safety functions under all the stated conditions within a stated period.(If we start from here, where will this lead us? Where will there be a failure or failures?)
The kinds of failures that could happen are examined, and their effects in terms of maximum potential loss are evaluated.
System |
Component |
Failure Mode |
Failure Effect |
Scrubber |
Water pump |
Inadequate water flow |
Increased environmental pollution |
FMEAs are performed at the component level to determine possible ways that equipment can fail and to determine the effect of such failures on the system. FMEA is used to ensure component failure modes and their effects have been considered and either eliminated or controlled; that information for maintenance and operational manuals has been provided; and that input to other safety analyses has been generated.
An FMEA analysis would form part of an overall HAZOP study.
ACCIDENT CONSEQUENCE ANALYSIS
Accident consequence analysis is used to finalise the risk assessment and help determine the necessary control measures.
Conducting an analysis of the consequences that a potential major accident could have on the plant, employees, neighbourhood and environment completes the hazard assessment. The accident consequence analysis should include:
| description of the accident (pump failure, tank or pipe rupture, valve failure).
quantity of material (toxic, flammable, explosive) likely to be released.
dispersion pattern of the material released (if gas or evaporating liquid) (This involves mathematical modelling).
physical impact/effects (toxic, heat radiation, blast wave, contamination) (This involves using models to determine impacts). |
The results of the accident consequence analysis are used to determine and provide protective measures such as alarm systems, pressure relief systems, fire-fighting systems and formulate emergency response procedures.
SAFE OPERATION OF MAJOR HAZARD INSTALLATIONS
The risk assessment will eventually identify a number of potential failures within the plant. Decisions have to be made and manufacturers consulted to eliminate or reduce the risk of failures. To operate any major hazard facilities safely it is necessary to understand how to control the hazards.
A prerequisite for the safe operation of a plant is that components are designed to withstand the operational parameters and thus confine any hazardous substances within the process. Failures are caused by:
| inappropriate design to withstand internal pressures, external forces, corrosive media and extreme temperatures.
component failures - pumps, blowers, stirrers, compressors.
failure of control systems - pressure and temperature sensors, level controllers, control units, process computers, flow meters.
failure of safety systems - pressure relief, safety valves, flare towers, neutralisation mechanisms.
construction/fabrication failures - welds, flanges, gaskets, electrical wiring. |
Any of the above failures or malfunction may cause a major accident. After the hazard assessment is carried out these are addressed at the planning stage of a plant or modifications are made to existing plant.
Components are designed and selected with the view of possible accidents, taking into consideration, factors such as:
| static and dynamic loads.
internal and external pressures.
corrosion.
extremes in operating temperatures.
natural forces (wind, earthquake). |
Approved design standards set the minimum requirements for major hazard installations. Based on the outcomes of the hazard and operability (HAZOP) study, particular consideration must be given to components of pressurised systems containing explosive, flammable or toxic gases or liquids.
Proper plant design and maintenance can avoid component failures. However, deviations from normal operating conditions require a thorough examination of the operational procedures. Some of the system malfunctions that can contribute to deviations in operating conditions are:
| failures in the start up or shut down procedures that can create an atmosphere that may explode.
breakdown in the monitoring and processing of critical process parameters, such as pressure, temperature, volume, flow-rate.
failure in the manual supply of substances to the process.
formation of secondary products, residues or impurities detrimental to the process.
failure of utilities such as electricity, compressed air, nitrogen, insufficient coolant, insufficient steam or heating. |
An examination of the behaviour of the entire system/plant in the event of any of the above failures is necessary before the consequences are understood. Safety measures can be developed to minimise risks by providing reliable process controls, sound operating procedures and an efficient maintenance regime.
Process controls are incorporated in the design of major hazard installations to achieve safe operation of plant within design limits. These controls comprise various safety systems in the form of automatic controls and shutdowns, safety mechanisms and devices, alarm systems and manual controls.
The control system keeps a process variable within safe limits when it deviates from its normal range. The process variable can be temperature, pressure, flow-rate, mixing ratio, heating or cooling rate and even, rate of liquidation or solidification.
Any control system can have problems in rare operating conditions, for instance, during start-up or shutdown phases and special consideration have to be made for such situations. All major hazard installations will require some form of safety system depending on the hazards present. These can be:
| systems to prevent deviation from permissible operating conditions ie. pressure relief systems, temperature/pressure/flow sensors, overflow prevention mechanisms and safety shut-down/shut-off devices.
systems equipped for additional reliability where safety systems can take over if safety components fail. for example, a second coolant pump may be installed which automatically starts up if the service pump breaks down and the process is not shutdown.
systems which provide back-up utilities such as, batteries, pressure gas cylinders, buffer-storage tanks; to supply electricity, nitrogen, compressed air in case of primary source failure.
alarm systems to monitor process parameters (temperature, pressure, and flow rate), detect safety related component failure, gas leaks, fire or smoke and failure of safety devices.
technical protective measures to limit the consequence of an accident, such as, gas detectors, water sprays, water jets, steam sprays, collecting tanks and bunds. |
The ability to operate a major hazard installation requires a well-trained workforce capable of human intervention in the event of an emergency. Plant can be highly automated with minimal need for manual operation; however, behavioural and organisational errors by operating personnel can lead to hazardous situations. Some of these common errors include:
| operating wrong controls, valves and supply lines.
mix-up of hazardous substances.
safety devices disconnected due to frequent false alarms.
improper maintenance or repair work (unauthorised welding, incorrect gaskets).
wrong communication between personnel. |
The above behavioural errors can occur due to: inadequate task specific training for the operational personnel; operating personnel being unaware of the potential hazard; and too much responsibility (expectations) being placed on operational personnel.
To minimise behavioural and organisational errors, operating personnel must be carefully selected to ensure only reliable and competent persons are employed. The personnel must be trained regularly on the safe operating procedures and performance reviewed. These are crucial for effective management of personnel on major hazard sites.
Systems which prevent behavioural and organisational errors include:
| proper labelling, packaging, receiving inspection and analysis to avoid material mix-ups.
interlocking of safety related valves and switches which may not operate simultaneously.
use of different sized connections at loading stations to prevent mix-up of reactive substances (eg. sulphuric and nitric acids).
clear markings and displays on control panels, knobs and switches.
safeguarding against inadvertent switching actions.
proper communication devices for plant personnel.
appropriate training of personnel. |
A proper preventive maintenance program and selection & training of personnel are critical for safe operation of major hazard facilities.
The safe operation of a plant and the reliability of any safety related systems are only as good as the maintenance and monitoring of the systems. It is imperative, for this reason, that a proper maintenance and monitoring regime be established and strictly adhered to which should include the following tasks:
| checking of safety related operating conditions both at control stations and on site.
physical inspection of safety related components of the plant.
monitoring of safety related utilities, eg. electricity, coolant, compressed air.
documentation of maintenance work specifying maintenance intervals and type of work to be performed and rigid adherence to the program. |
The maintenance and monitoring program must also specify the qualifications and experience required of personnel to perform the tasks.
On site inspections should be planned and a schedule drawn up with operating conditions clearly defined for adherence during inspection work.
Repair work can be a major source of accidents. Strict procedures and conditions are required for carrying out repair work such as welding components containing flammable substances. The procedures should cover:
| nature of the work requiring shut-down of the plant.
qualifications required of personnel to undertake the tasks.
quality requirements of the work to be performed.
level of supervision for the work. |
A plant cannot be designed to operate free of human intervention. Personnel can have positive or negative influence on the safe operation of the plant, irrespective of the technical measures provided to ensure plant safety. To enhance the positive attributes and influence of this intervention, the selection and training of personnel should include relevant information covering:
| hazards of the process/substances used.
operating conditions, including start-up/shut-down procedures.
emergency response in case of malfunctions or accidents.
historical cases of accidents and near misses in similar plant. |
External factors and events can lead to a major hazardous situation, which are beyond the control of the management but must be considered when siting and designing the plant. Some of these factors or events are:
| loading/unloading stations mishaps.
incidents such as a crane dropping a load.
external accidents involving rail, road, shipping, air traffic.
neighbouring plant/installations mishaps.
external impacts caused by natural forces such as earthquakes, inclement weather and subsidence due to mining or construction activities.
sabotage or mischievous acts by personnel or other persons. |
Emergency response plans and procedures must be developed taking into account any such eventuality.
MITIGATION OF CONSEQUENCES
No major hazard installation can ever be absolutely safe, even after a complete hazard assessment has been carried out and all necessary measures taken to prevent possible plant failure. The safety regime formulated to operate the plant safely must therefore address and provide measures that can mitigate the consequences of an accident.
Comprehensive emergency plans are essential because if the worst happens the consequences must be mitigated
Procedures for dealing mainly with the release of hazardous substances should provide counter-measures to contain and localise the impact of the accident. This would require the plant management to:
| provide a trained fire brigade in-house that can immediately respond to emergencies.
provide alarm systems directly alerting the fire brigade and public emergency services.
formulate an emergency plan explaining the organisational procedures, alarm and communication routes, guidelines for fighting the emergency, information about the hazardous substances and describing possible scenarios arising from an accident.
develop with relevant authorities a contingency plan for possible evacuation from the vicinity.
provide antidotes for possible release of toxic substances (normally to be administered by medical or para-medical personnel). |
The above measures must subjugate the hazards identified in the assessment. In order to achieve this appropriate training for plant and emergency response personnel must be provided and regular rehearsals conducted to maintain awareness and preparedness.