important; an expert who changes his (or her) mind frequently
might cause difficulties dealing with HAZOP issues.
What is the main criterion for the team selection? The
selection of technical members should ensure that the
majority of questions likely to be raised during the study can
be answered at the meeting.
HAZOP meeting
The HAZOP study of each section of a machinery package
usually follows a defined procedure. Some examples are
given below:
First, an engineer should outline the broad purpose of
the section of the machinery package under study, as displayed
on the relevant P&IDs. The machinery engineer/vendor
representative then gives an outline including design features,
operating conditions, descriptions of items and details of
equipment. The vendor representative should then answer
any general questions about the scope and intent of the
machinery package design. The first section or area of the
design is highlighted for study, typically an area where gas
flows into the compressor package(s), often known as the suction
system. The detailed line-by-line study should commence at
this point. The HAZOP leader then leads the group through
the HAZOP guide words. Each guide word is a prompt, such as
“more of or high pressure”, which identifies a deviation from
normal operating conditions that may lead to a hazardous
event or significant operability problem. This is used to
prompt discussion of the possible causes and effects of high
pressure. If, in the opinion of the team, the safeguards for the
combination of consequences and likelihood of a credible
event are inadequate, then an action is recorded in the minutes.
For major risk areas the need for action is assessed
quantitatively (by a hazard analysis or a reliability analysis).
For less significant risks, the need for action can be based
on experience and judgment. For machinery packages,
the nominated HAZOP team members and an authorised
machinery vendor representative can usually address all
actions.
The main aim of a HAZOP meeting is to find problems
needing solution, rather than the actual solution. If the group
becomes tied down by trying to resolve a problem, the issue
should be recorded as requiring further review outside the
meeting so the study can proceed. All changes agreed at
the meeting also need to be noted, with some being marked
on the HAZOP master P&IDs. All actions should be recorded in
the minutes, as well as significant discussion points which do
not result in any actions. The latter should be recorded as a
means to record the basis of safety for a potentially hazardous
event or operability problem.
Causes of a hazard or a problem
It is necessary to be thorough in listing causes of deviations. A
deviation is considered realistic if there are sufficient causes
to believe the deviation can occur. However, only credible
causes should be listed. The HAZOP team judgment is used to
decide whether to include events with a very low probability
of occurring. However, determining which events have a low
probability of occurring means that credible causes are not
overlooked. There are three basic types of causes:
- Human error: acts of omission or commission by an
  operator, designer, constructor or other person creating a
  hazard that could possibly result in a release of hazardous
  or flammable material, such as natural gas.
- Equipment failure: a mechanical, structural or operating
  failure results in the release of hazardous or flammable
  material.
- External events: items outside the machinery package
  being reviewed affect the operation of the package (facility)
  to the extent that the release of hazardous or flammable
  material is possible (or other emergency situations).
  External events include upsets on adjacent facilities
  affecting the safe operation of the station (or node) being
  studied, loss of utilities, and exposure from weather and
  seismic activity.
The level of detail required in describing causes of a
deviation depends on whether the cause of the upset
occurs inside or outside the node. For example, suppose that
a compressor suction drum includes a level controller as part
of a node. Suppose the level control valve closes, resulting
in a high liquid level condition (which can result in alarm and
compressor shutdown). Since the valve and controller are part
of the node, the causes should be stated in more detail. The
valve may close because the wrong set point was input by
an operator (human error); the valve may fail closed due to
mechanical failure of the valve; or the valve may close due to
loss of instrument air to the compressor station (it might be
an external event).
Consequences and safeguards
If the HAZOP team determines that a cause can result in
a hazardous situation, then safeguards should
be identified. In other words, safeguards should be included
whenever the team determines that a combination of cause
and consequence presents a credible process hazard. The
additional systems, engineered designs and written procedures
that are designed to prevent a hazardous situation, particularly
a catastrophic release of hazardous or flammable material,
are examples of safeguards. Other examples are systems
that are designed to detect and give early warning following
an initiating cause of a release of hazardous or flammable
material.
The team should take care when listing safeguards.
Hazards analysis requires an evaluation of the consequences
of failure of engineering and administrative controls; therefore,
a careful determination of whether or not these items can
actually be considered safeguards should be made.
88 World Pipelines / SEPTEMBER 2014