How To Assess Hazards

Article by Gary Pilkington

Re-introducing the background and full range of techniques available for hazard assessment

“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult one.” Donald Rumsfeld.

Former US congressman Donald Rumsfeld gave this answer to a question relating to evidence linking the government of Iraq with the supply of weapons of mass destruction to terrorist groups.

However, it is equally apt when talking about the knowledge needed to understand and prevent the causes of major accidents on process plant. Drawing a parallel it could be said that the purpose of hazard assessment is to ensure that we do not have any unknown unknowns in our facilities. It is a cornerstone of effective process safety management. It is a key element in the Energy Institute Process Safety Framework and in the CCPS Risk Based Process Safety Management guidance.

The concept of hazard assessment is not new, but in my experience I have noticed changes in its application in practice over the past decades. And there is a new generation (or two) of engineers who perhaps are not fully aware of the background or the full range of techniques available. This article takes a step back to re-introduce hazard assessment in its wider sense.

Hazards & Hazard Assessment

Let’s start by defining hazards. There are many complicated and technical descriptions used when discussing hazards in the workplace, but a simple definition is that a hazard is something with the potential to cause harm – to people, to the environment, or to business.

Of course, many things have the potential to cause harm. Electricity can potentially electrocute someone; flammable gas could potentially explode; and someone at height could potentially fall. Hazards are often divided into two categories:

  • those associated with stored physical energy – potential energy, kinetic energy, heat, pressure, electrical energy and so on; and
  • those associated with material properties – explosivity, chemical reactivity, toxicity, and corrosivity.

A comprehensive list of likely hazards is given in ISO 17776. Knowing that we have these inherent hazards on our facilities is of limited use to us. They are all around us both in the workplace and at home.

What we really need to know is how the hazard can result in harm occurring, and what the extent of the harm is. We could refer to these as the cause and the consequence, respectively. Once we understand how the harm could be realised we can specify the controls needed to prevent the harm from occurring. These controls are often referred to as safeguards, or barriers.

It is the progression along the pathway from cause to consequence, and the identification of safeguards needed to prevent this progression, that we are trying to understand when undertaking a hazard assessment.

Historical Perspective

Much has been written elsewhere about the history of hazard assessment, mostly in terms of the development of HAZOP. Probably the best summary of this is in the IChemE book HAZOP and HAZAN by Trevor Kletz. I will just give a brief synopsis here – more detail can be found in the book if required.

The methodology evolved through the 1960s within ICI in response to a need to better avoid failures and incidents in new technology manufacturing plants of ever increasing complexity. Its evolution appeared to be occurring in several divisions of the company, almost in parallel, based on a concept known at the time as ‘critical examination’ – a structured and analytical approach that applies creative thinking techniques to any given problem.

Through trial and error, that technique was modified, and morphed into the HAZOP methodology familiar to us today.

It became clear to ICI during the development and subsequent use of HAZOP that problems can arise when applying the technique at the wrong stage of a project. If it is applied too early in a project then the design may not have had sufficient thought, leading to the HAZOP becoming a design review, resulting in many changes and perhaps a need to re-HAZOP the process. Too late, and the design may be already frozen with little opportunity to redesign if opportunities for inherent safety are identified.

To overcome this, ICI developed a six-stage hazard study procedure:

  • HS1 – Concept
  • HS2 – Project development
  • HS3 – Detailed design
  • HS4 – Construction
  • HS5 – Commissioning
  • HS6 – Post startup

As you can imagine, at HS1 there is much less information and detail available than at HS3; therefore, what can be achieved in the early stages is limited. Nevertheless, this procedure allows for a series of hazard identification studies to be carried out over the project lifecycle. The benefit of this is two-fold:

  • the earlier you identify possible hazardous conditions or events, the easier it is to modify the process and eliminate them; and
  • if you look at something at several opportunities, in different ways, you are likely to find more hazardous conditions or events.

Taking the last point, we know that no hazard identification is perfect, so for the sake of argument let’s assume that the efficiency is 95% – that is 95% of hazardous events are identified each time we conduct a hazard identification study. This leaves 5% that are not identified – so conducting a single analysis will leave us with 5% of the hazardous events as unknown unknowns.

Now let’s say we look at the process several times in different ways. What is likely to happen is that some of the hazardous events missed the first time will be found on the second or third pass – leaving fewer unknown unknowns in the plant.

In practice, the first assessment would identify the easy-to-find hazardous events. The last 5% are more difficult to find, so the ICI six-stage procedure dealt with this by using techniques of increasing rigour as the procedure advanced through the stages.

It is worth noting that since this procedure was developed, it is commonplace to see two additional stages – HS0 and HS7. HS0 is an inherent safety-focussed review aimed at eliminating hazards and hazardous events early on. HS7 is at the end of the project lifecycle and looks at hazards due to the decommissioning and demolition of the plant.

A Lifecycle Approach to Hazard Assessment

As can be seen from the above, hazard assessment could be considered a lifecycle approach, at least for projects. Figure 1 shows a typical alignment with the key hazard identification steps and a typical project schedule.

In practice, most of the hazard assessment work is carried out in the early stages from HS0 to HS3, so here I’ll consider the intent and some techniques used in each of these steps only. In the latter stages most of the effort is focussed on verifying that recommended controls have been implemented.

HS0/HS1 – Concept

An inherent safety review should be carried out as early as possible in the project. An inherently safer design is one that avoids hazards instead of controlling them, particularly by reducing the amount of hazardous material and the number of hazardous operations in the plant.

The concepts for an inherently safer approach were originally published in a 1978 article by Trevor Kletz entitled “What you Don’t Have, Can’t Leak”. This contained four principles that are still relevant today, albeit worded slightly differently:

Substitute/eliminate

Replace a substance with a less hazardous material or processing route. Replace a hazardous procedure with one that is less hazardous. Of course, it is preferable to eliminate the hazards completely, but in practice it is not always possible.

Minimise

Use smaller quantities of hazardous materials when the use of such materials cannot be avoided. Perform a hazardous procedure as few times as possible when the procedure is unavoidable.

Moderate

Use hazardous materials in their least hazardous forms or identify processing options that involve less severe processing conditions, eg lower operating pressures or lower reaction temperatures.

Simplify

Design processes, processing equipment and procedures which are less complex, to eliminate opportunities for errors.

This forms a hierarchy of sorts and leads naturally to a set of questions that structure the inherent safety review.

Very early on in designing a process, perhaps at HS0, the focus would be on the first two principles. For example, in my experience in the pharmaceutical industry, the initial process chemistry was compared against a list of hazardous chemicals and reaction groups, and if one was identified the chemists would be tasked with finding a different manufacturing path that eliminated the hazardous part of the reaction.

Of course it was not always possible to eliminate the hazard. It was sometimes the case that the safer route did not have as good a yield, or was more expensive to manufacture, so maybe a trade-off was needed. It is likely that several manufacturing options are available, and part of the assessment will be to decide which of these options are viable. There are now further opportunities to continue down the inherent safety hierarchy and minimise the inherent hazards present on the plant.

A preliminary project assessment is needed to identify any residual inherent hazards of process chemicals, site suitability and probable environmental impact. Often, this assessment is carried out using checklists such as facility siting checklists. These help the engineer ask questions regarding the location of the facility, and the suitability of the existing infrastructure to handle the new process and the process hazards.

Indices can also be used to quantify the inherent hazards of the process. For example, ICI Mond Division developed a fire and explosion index to help make comparative assessments. Dow Chemical developed a similar index (still available for purchase) and also a chemical exposure index to take toxic chemicals into account.

The basic procedure divides the process into a number of unit areas, and then selects the dominant material in the area. A material factor is determined for the material based on its physical properties, and this is modified for process parameters, quantities and location.

The individual indexes from each unit can be combined to give an overall potential hazard index for the plant. Using this technique we can quantify the effects of moving down the inherent safety hierarchy – for example, reducing inventories, changing process conditions and using less hazardous forms of the materials. This all helps to identify the best – least hazardous – process solution.

At this point a number of feasibility studies may be carried out and basic process safety information gathered. For example, understanding the exothermic properties of reactants and reactions, dust explosion properties, effluent handling capability, availability of feedstock, transportation risks in getting hazardous chemicals to the site, environmental impact studies, and so on.

At the end of the concept phase, we ask whether there are any ‘showstoppers’, which are issues so insurmountable that it is not worth carrying on with the project.

HS2 – Project development

Now that a viable process has been chosen, the design will progress. There will be a rough idea as to the main items of equipment needed, the operating conditions, and the materials inside the process. The key manufacturing steps will be available. This in turn is sufficient information to produce a process flowsheet.

From a hazard assessment perspective, what we need to do now is identify the major hazards and the safety features that are needed to ensure risks are “as low as reasonably practicable”.

In the ICI six-stage procedure, this is perhaps the most critical step. This is where creative thinking is needed to evaluate the process. Any hazard assessment at this stage is likely to be mentally tiring, as it requires a huge amount of creative thinking and ‘mind experiments’ to identify the potential hazardous events. It is also important that the right experience and expertise are in the room.

This means that a great deal of time is needed on large projects to fully identify all of the hazardous events that could occur. Key personnel will need to be present for this time, and remain focussed, so they may not be available for other project activities.

Because this is a critical point in the project development, both time and resource may be at a premium. This is particularly the case in today’s fast-track project environment where everyone seems to want everything yesterday and where there is a need to identify and order time-critical equipment early on. Unfortunately, as a consequence, often insufficient time and resource is applied to HS2.

Insufficient time on considering the process now means that further opportunities to build inherent safety into the project are missed. It is the last chance to significantly influence the detailed design before the design is fixed and apply the inherent safety hierarchy.

The methodology often used at HS2 is most commonly known as a HAZID (hazard identification).

There is no one methodology for HAZID and several variations exist. In general the plant is broken down into small parts or by main items of equipment to focus the study on specific areas. Then, the inherent hazards due to the materials and the process conditions are identified, along with the worst-case consequences that could occur should the control of these hazards be lost. ISO 17776 can help with the identification of the inherent hazards, and this is often done by a checklist approach.

Next, for each undesirable consequence, the scenarios that could cause them are fully developed. It is this scenario development that requires lateral thinking, as the scenario should lead from the initiating event, such as an equipment failure or a human error, through to the harm realised, such as fatalities or environmental damage. Finally, the measures needed to prevent or mitigate the scenario are identified.

In order to facilitate this process, a template containing guidewords is often used. The guidewords in the template are business specific – for example, for an offshore facility there would be guidewords concerning shipping and transportation not relevant for an onshore facility. A batch chemical plant might have guidewords on typical reaction hazards. Figure 2 shows a fictional example of a HAZID worksheet.

This sequence is repeated for all parts of the facility until all possible hazardous events have been identified and analysed. The resulting scenarios and control/mitigation measures are then typically collated for reference by the project in a document often referred to as a hazard register.

The hazard register contains the safety measures for the facility – it defines the basis of safety – and is used by the project team to guide them on the design. It is one reference used to develop a detailed design ready for construction. There is an ongoing debate about what should be included in the detailed design as the project manages the overall costs.

HS3 – Detailed design

Now we are at the point where we want to ensure that the detailed design is correct, and that the plant will operate, start up and shut down safely and efficiently. All of the hazardous events raised in the earlier studies should have been addressed, and the necessary controls included.

Several studies will be done to verify the effectiveness of some of the controls. Examples include pressure relief and emergency blowdown studies, hazardous area classifications, facility siting studies, and detailed consequence assessments. Fire and gas detection and emergency response strategies will be developed. Procedures will be drafted. The output from all of these activities will feed into the original hazard assessment, and the controls may change as a result.

We need to do a sense check now, to make sure we haven’t missed anything, and that we are confident of the design so that it can be handed over for construction to start. Since we now have more detail available, we can apply a more rigorous method of hazard assessment – this is where we do a HAZOP (hazard and operability study). The HAZOP is a structured and systematic methodology for hazard assessment. It reviews the design to find design and engineering issues that may have been missed, either due to the complexity of the process, or perhaps they were simply overlooked.

The HAZOP methodology is well documented and a good resource is the IChemE book HAZOP – Guide to Best Practice. The basic methodology challenges the ‘design intent’ by systematically looking at possible deviations from this intent. The plant is broken down into manageable sections, or ‘nodes’, and for each node in turn the HAZOP team uses a list of guidewords and process parameters to identify the deviations to be studied.

For each deviation, the team identifies possible causes and consequences of the deviation, whether the existing safeguards are sufficient, and if not makes a recommendation to include additional controls in the design.

It is worth mentioning again that the HAZOP is a check step and is not meant to be a design tool. This is why I suggested earlier that the most important part of the hazard assessment process is the HAZID at HS2.

In theory, if a good enough job is done at HS2, the HAZOP will only confirm what we have already thought about, and there will be no new findings. In practice, there will be fewer recommendations made.

Unfortunately, it is my observation that the time given to designing a plant has been squeezed and fast tracked to a point that engineers have less and less time. It is a common occurrence that the HAZOP is done before the design is sufficiently mature, and a consequence of this is that the study inevitably reverts to a design review. If engineers are given enough time to properly analyse and think through the problems, they will do a good job and create a good design, but excessive time pressure will invariably lead to errors, oversights and shortcuts.

I recall that on one project I was involved in, the engineers were having difficulty with a particular issue, and the conclusion of the team was “leave it until the HAZOP and let them sort it out” – sorry, but the HAZOP is not a design tool and it will only come back as a recommendation, after a lot of wasted time in the HAZOP!

Another time pressure occurs because the HAZOP is one of the last activities in FEED. Often there is a fixed deadline for delivering FEED, and exceeding this may incur penalties for the contract engineering company. This means that if the project is behind schedule, the time allocated for the HAZOP is squeezed, resulting in overly-long sessions and days. Human factors then come into play, affecting the ability for critical thinking and decision-making.

It is probably worth mentioning at this point that we don’t only need to rely on the HAZOP methodology and that there are other tools that can be used. HAZOP was originally developed for complex, continuous processes, with a structure put in place to ensure that things are not overlooked because of the complexity. Sometimes it seems that the HAZOP methodology is forced into use for everything, but in some cases it is cumbersome, not intuitive, and a simpler tool might be more effective.

An example of this is a batch process such as a chemical reaction or a powder handling process. There are many such processes in the pharmaceutical and food industries for example. In these types of processes, which are often accompanied by step-by-step procedures, I have found a ‘what-if’ type approach can work well.

The what-if methodology develops a series of questions. What if the pump power fails? What if the temperature exceeds the setpoint? What if the wrong material is charged? The scenario is then assessed and the consequences and controls are developed as in previous studies.

Often there is some structure applied to aid the study, and what-if/checklist approaches, or structured what-if (SWIFT) techniques are available. These both use guidewords to support the team. Perhaps because I am used to HAZOP, I use the HAZOP guidewords to help identify the what-if questions. For example, assume the following is a step in a process:

Charge 100 kg of powder X into reactor A containing 500 L of liquid M.

You can easily generate a series of what-if questions.

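One way to seed those what-if questions from HAZOP guidewords, applied to the charging step above. This is an added example, not code from the original article or from any standard: the guideword/parameter pairings, the question wording and the hazard-register fields are this example's own assumptions, and a study team would prune and extend them.

```python
"""Seed what-if questions for a batch step from HAZOP guidewords.

Added example, not from the original article or any standard: the
guideword/parameter pairings and question wording are this example's own
assumptions, written to illustrate the step quoted in the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChargeStep:
    """A step of the form 'Charge <quantity> of <material> into <vessel> containing <contents>'."""
    quantity: str   # e.g. "100 kg"
    material: str   # e.g. "powder X"
    vessel: str     # e.g. "reactor A"
    contents: str   # e.g. "500 L of liquid M"


# (guideword, parameter, question template). Only pairings that make physical
# sense for a charging step are listed; the rest are deliberately skipped.
TEMPLATES = (
    ("NO", "charge", "What if no {material} is charged to {vessel}?"),
    ("MORE", "quantity", "What if more than {quantity} of {material} is charged?"),
    ("LESS", "quantity", "What if less than {quantity} of {material} is charged?"),
    ("MORE", "rate", "What if {material} is charged faster than intended?"),
    ("MORE", "temperature", "What if the temperature in {vessel} exceeds the setpoint during the charge?"),
    ("AS WELL AS", "material", "What if another material is charged together with {material}?"),
    ("PART OF", "material", "What if {material} is supplied with only part of its intended composition?"),
    ("REVERSE", "flow", "What if {contents} flows back out through the charge point of {vessel}?"),
    ("OTHER THAN", "material", "What if the wrong material is charged instead of {material}?"),
    ("OTHER THAN", "vessel", "What if {material} is charged to a vessel other than {vessel}?"),
    ("OTHER THAN", "contents", "What if {vessel} contains something other than {contents}?"),
    ("EARLY", "sequence", "What if {material} is charged before {vessel} contains {contents}?"),
    ("LATE", "sequence", "What if the charge of {material} is delayed or interrupted part way?"),
)


def what_if_questions(step: ChargeStep) -> list[str]:
    """Return the what-if questions for one step, in guideword order."""
    return [tmpl.format(**vars(step)) for _, _, tmpl in TEMPLATES]


def hazard_register_rows(step: ChargeStep) -> list[dict]:
    """Return one hazard-register row per question. Causes, consequences and
    safeguards are left empty: they are developed by the team in the study."""
    return [
        {"guideword": gw, "parameter": param, "what_if": tmpl.format(**vars(step)),
         "causes": [], "consequences": [], "safeguards": []}
        for gw, param, tmpl in TEMPLATES
    ]


# Constructed input: the step quoted in the article.
STEP = ChargeStep(quantity="100 kg", material="powder X",
                  vessel="reactor A", contents="500 L of liquid M")

if __name__ == "__main__":
    for row in hazard_register_rows(STEP):
        print(f"[{row['guideword']:<10} / {row['parameter']:<11}] {row['what_if']}")
```

The same template table can be reused for every charging step in the procedure, so each step gets the same systematic set of prompts before the team's own lateral thinking takes over.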
It can be quite a powerful technique and what’s more, it tends to engage the team more than HAZOP because it is intuitive and easy to follow. Sometimes less is more, and even on plants where a HAZOP is used as the primary tool, there may be areas that would benefit from an alternate tool such as what-if.

Risk Assessment

So far, I have not mentioned risk. This is deliberate. The main purpose of hazard assessment is to understand the cause-consequence pathways and, for major accidents, how bad the consequences can be.

Often I see a ‘risk ranking’ section built into hazard assessment templates. This is normally a function of severity (a numerical value assigned to the consequences) multiplied by likelihood (a numerical value assigned to the frequency of the event). In my experience, teams have no trouble assigning the severity value but struggle to assign likelihood values. This can lead to protracted debate and, frankly, distract the team from the key objective.

If you have read Richard Gowland’s article How to LOPA (issue 899, May 2016) you will know that LOPA is a technique for determining risk. There is not much value, therefore, in doing a risk assessment at the hazard assessment stage since, for major/serious events at least, it should be done at LOPA. Hazard identification, and the hazard register, does provide the scenarios to input into the LOPA.

Management of Change

When a change is made to the facility, it is possible that the change could compromise the existing basis of safety. It may also inadvertently introduce new hazardous events, even if the intent of the change is to remove known hazards. Once the design is complete (usually at the end of FEED, when the design is frozen), all changes to the design need to be controlled. Once the plant is constructed and commissioned, control of change needs to be rigorously applied for the life of the facility.

There needs to be, therefore, an element of hazard assessment whenever a change is proposed. The hazard assessment methodology should also match the complexity of the change or the plant to be changed. Perhaps the best guide is to look at the original hazard assessment, and redo that assessment to create a new version using the same methodology. Most hazard assessments are now electronic, so creating a new revision from the old is relatively straightforward. Ultimately, the hazard register will be updated to include any new hazards, or to remove hazards no longer relevant.

Revalidation

Most major accident hazard legislation has a requirement to revalidate or review hazard assessments on a periodic – usually 5-yearly – basis. Historically, a typical revalidation requires a review of changes and incidents that have occurred over the period since the last review. If a large number of changes have occurred, there is a concern regarding the possible interactions between all of the changes combined, and it is not unusual to see companies redo all of the hazard assessment – a long and costly exercise.

If changes are managed as suggested above, the hazard assessment will always incorporate the changes as you go, and will always be the latest version. Interaction between various changes would be caught by each revision. The effort required for revalidation would be significantly reduced.

And Finally

This How-to article has provided an overview on hazard assessment for major accident hazards. As is the nature of this type of article, it only provides an overview of the key aspects, and it is recommended that the resources mentioned are considered for further information.

Hazard assessment is an important tool in our fight against major accidents. It tells us what can go wrong, how it can go wrong, and how bad it will be. We cannot control what we don’t know. The biggest enemy to a rigorous hazard assessment is time. Let’s take the time to identify as many of the unknown unknowns as we can!


Disclaimer: This article is provided for guidance alone. Expert engineering advice should be sought before application.

Article by Gary Pilkington

Process Safety Specialist, APEX Process Safety
