HAZOP Challenges

From my experience as a HAZOP leader, I have encountered several challenges that could compromise the integrity of the recorded minutes. Below I discuss some of these challenges and include approaches to ensure a high-quality HAZOP. Some of these are quite common, others not so much.

Double Jeopardy

One of the most common misconceptions concerns double jeopardy. First, what is it? Second, what is it not? Third, when should it, and when should it not, be considered?

Double jeopardy is defined as the simultaneous occurrence of two unrelated initiating events.

Some examples of double jeopardy are as follows:

  • Heat exchanger tube rupture coincident with instrument air failure.
  • Spurious failure of a pressure control loop coincident with human error on an unrelated system.
  • Power failure coincident with an unrelated physical impact (e.g., a vehicle).

Double jeopardy is not the simultaneous occurrence of one initiating event and the failure of a safeguard intended to protect against the consequences of that event. This is probably the most common misconception regarding double jeopardy.

Some examples of scenarios that are not double jeopardy but are commonly mistaken for it are as follows:

  • Spurious failure of a pressure control loop and the failure of a high-pressure trip and/or pressure relief valve to activate to prevent overpressure of process equipment.
  • High vibration of a compressor or turbine and the failure of vibration monitoring/trips to activate/trip the machine.
  • Spurious failure of level monitoring in a gasoline storage tank and the failure of overfill protection system to activate.


True double jeopardy scenarios are not normally considered in a HAZOP; however, this is not always the case. Some double jeopardy scenarios could realistically occur (such as during an emergency), and it is up to the HAZOP team and Facilitator to decide whether to include them. It is always better to be conservative: include the cause, and consider it later in the risk assessment phase.

Fail Safe Equipment

Another common misconception concerns fail-safe equipment. Equipment such as valves is often designed to fail "safe" on loss of instrument air or power. However, this does not mean that a valve can never fail dangerous. A valve's fail-safe position only defines how the valve will fail on loss of motive power/air; there are many other ways in which a valve could fail dangerous. For example, it could become stuck in a dangerous position if not well maintained. In the case of a control valve, it could also fail dangerous due to an error in the logic solver or sensing element (transmitter) commanding the valve to a dangerous position. A HAZOP should normally consider that a valve could fail in any position (safe or dangerous).

It Has Not Happened Here Before!

Statements such as "We've been operating for 40 years and that has never happened on our plant" are occasionally made in workshops. The main purpose of a HAZOP is to identify hazards, and just because an incident has not happened before does not mean that the hazard does not exist. It is also important to be aware that most process safety incidents are low-probability, high-consequence scenarios: a plant may operate for decades without any serious incident even though many hazards are present. This could be because there were sufficient safeguards in place to prevent the final consequence, or it could be down to having been lucky so far, but that good fortune is not guaranteed in the future.


Not Escalating a Scenario to the Final Consequence

I have come across some HAZOPs where the final consequences have not been documented well. An example might be "spurious failure of a pressure control loop leading to high pressure in the downstream process". In this scenario, the team must consider whether the failure (without any mitigation or intervention) could exceed the design conditions of downstream equipment and lead to a loss of containment of a hazardous (flammable, toxic, etc.) substance.

For example, the consequences of spurious failure of a pressure control loop might be overpressure of process equipment leading to rupture, loss of containment of flammable gas, fire/explosion, and fatalities. Once the unmitigated consequence is assessed, we would then list what safeguards we have in place, e.g., high pressure alarm, operator response, high pressure trip, mechanical overpressure protection, fire and gas detection/protection, emergency response etc.

The final consequence is also not the activation of a control measure. In the above example, the consequences of spurious failure of a pressure control loop are not that the high-pressure trip will trip the plant and save us from disaster.


HAZOP Minutes Not Detailed Enough

Another common HAZOP pitfall is not being specific enough in the minutes. A poorly defined cause could appear as: "level control failure leading to low level and pump damage and seal failure". The problem with this cause definition is that it is not specific about which equipment it refers to. This is a real problem in a complex process with multiple vessels, pumps, and control loops, sometimes all on one drawing. It might have been obvious to the HAZOP team at the time what was being referred to, but unless it is recorded specifically and accurately, the context is likely to be lost in the future. All equipment and locations in a HAZOP should be tagged where possible.
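As an added illustration (not part of the original article), the three recording rules above can be turned into a lightweight review check over structured HAZOP records: a scenario is double jeopardy only when it combines two unrelated initiating events (assumed safeguard failures never count), every cause should name tagged equipment, and the consequence must be escalated past the safeguard action to the unmitigated outcome. The tag pattern, record fields, keyword lists and sample records are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field

# Equipment tag convention assumed for this example (e.g. PCV-101, LT-2001A).
TAG_RE = re.compile(r"\b[A-Z]{1,4}-\d{3,5}[A-Z]?\b")
# Phrases showing the recorded consequence stops at a safeguard acting.
SAFEGUARD_ACTIONS = ("trip", "alarm", "relief valve lifts", "shuts down")
# Phrases showing the consequence was escalated to the unmitigated outcome.
FINAL_OUTCOMES = ("loss of containment", "rupture", "fire", "explosion",
                  "toxic release", "fatalit")

@dataclass
class Scenario:
    node: str
    initiating_events: list  # independent initiating events (normally just one)
    safeguard_failures: list = field(default_factory=list)  # safeguards assumed to fail
    consequence: str = ""

def is_double_jeopardy(s):
    """True only when two or more unrelated initiating events are combined;
    assumed safeguard failures never make a scenario double jeopardy."""
    return len(s.initiating_events) >= 2

def review(s):
    """Return review findings for one recorded HAZOP scenario (empty if clean)."""
    findings = []
    if is_double_jeopardy(s):
        findings.append("double jeopardy: %d unrelated initiating events; team to decide "
                        "whether the combination is credible" % len(s.initiating_events))
    # Every cause and assumed safeguard failure should name tagged equipment.
    for text in s.initiating_events + s.safeguard_failures:
        if not TAG_RE.search(text):
            findings.append("untagged cause text: %r" % text)
    c = s.consequence.lower()
    if not any(w in c for w in FINAL_OUTCOMES):
        if any(w in c for w in SAFEGUARD_ACTIONS):
            findings.append("consequence stops at a safeguard action, not the unmitigated final outcome")
        else:
            findings.append("consequence not escalated to the final outcome")
    return findings

# Constructed sample records modelled on the article's examples.
GOOD = Scenario("V-101 inlet", ["spurious failure of pressure control loop PIC-101"],
                ["high pressure trip PSHH-102 fails to act", "PSV-103 fails to lift"],
                "overpressure of V-101 leading to rupture, loss of containment of flammable gas, fire/explosion and fatalities")
STOPS_AT_TRIP = Scenario("V-101 inlet", ["spurious failure of PIC-101"], [], "high pressure trip PSHH-102 trips the plant")
DOUBLE = Scenario("E-201", ["tube rupture in exchanger E-201", "loss of instrument air header IA-001"], [], "loss of containment of flammable gas from E-201")
VAGUE = Scenario("pumps", ["level control failure leading to low level"], [], "pump damage, seal failure and loss of containment")
```

Running `review()` over the four constructed records returns no findings for GOOD and exactly one finding each for the other three, matching the pitfalls the article describes.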


If you have any other thoughts regarding other types of failures, drop us a message.