Hazop, risk assessment and troubleshooting

Risk assessments and “Hazard and Operability Analysis” (Hazop) have been used as systematic studies and tools for risk management. Complex, large packages may require several Hazop reviews and risk assessments. These may be performed at different stages.

For very large and complicated machinery packages, sometimes two or three Hazop reviews are needed. The first Hazop is planned during an initial development stage, sometimes before the machinery package is ordered. This is a good recommendation because any change in the scope will be included in the bidding stage and consequently in the order.

This first Hazop might be done a little later, for instance, at the preliminary design after the package order. For example, it might be planned after the kick-off meeting of the package. In most cases, just one Hazop is needed, and this Hazop is planned at the detailed design when the design of the machinery package is at an advanced stage -- 85%-95% completion of design -- or at the final design stage. For very critical, difficult packages where two or three Hazop reviews might be needed, the second or third Hazop might be done at this final design stage.

Risk assessment

The design rating versus operating conditions for each piece of equipment should be carefully checked and verified. Deviations may cause specified design ratings to be exceeded.

Means of pressure relief for each piece of equipment should be carefully checked. It should be verified that PZVs cannot be isolated from the equipment they are intended to protect.

Eyewash or safety shower stations should be located at proper locations. Heaters have caused many problems. They should be properly sized. Heaters should be checked for adequate alarms in the event of loss of flow, such as tube skin temperature alarms.

Cooling water exchangers are employed in lubrication oil systems, cooling systems, VSD packages and so on. A PSV on the cooling water side should be provided for thermal relief. A closed block valve on the cooling water inlet/outlet of an exchanger can result in serious malfunctions such as high cooling water pressure. The consequences of control valve failure scenarios (open or closed) should be evaluated for each and every control valve.

A common mistake is using an indicator or an alarm that derives its signal from a control loop as a safeguard if that control loop is the cause of the problem under study.
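The independence check described above, as an added example that is not part of the original article: it flags any safeguard whose signal comes from an instrument belonging to the control loop listed as the cause. The tags, the loop membership table and the worksheet rows are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample data: which instruments belong to which control loop.
LOOP_MEMBERS = {
    "LIC-101": {"LT-101", "LIC-101", "LV-101"},  # knock-out drum level control
    "TIC-205": {"TT-205", "TIC-205", "TV-205"},  # lube oil cooler temperature control
}

@dataclass
class Safeguard:
    tag: str
    signal_source: str  # instrument the indicator, alarm or trip reads from

@dataclass
class Row:
    node: str
    deviation: str
    cause_loop: Optional[str]  # control loop whose failure is the cause, if any
    safeguards: List[Safeguard] = field(default_factory=list)

def review_row(row, loop_members=LOOP_MEMBERS):
    """Split safeguards into independent ones and ones fed by the causing loop."""
    # An unknown loop tag raises KeyError rather than silently passing the row.
    shared = loop_members[row.cause_loop] if row.cause_loop else set()
    dependent = [s.tag for s in row.safeguards if s.signal_source in shared]
    independent = [s.tag for s in row.safeguards if s.signal_source not in shared]
    return {"node": row.node, "dependent": dependent,
            "independent": independent, "no_valid_safeguard": not independent}

# Constructed worksheet rows for illustration.
WORKSHEET = [
    Row("KO drum V-101", "High level", "LIC-101",
        [Safeguard("LAH-101", "LT-101"), Safeguard("LSHH-102", "LT-102")]),
    Row("Lube oil cooler E-205", "High temperature", "TIC-205",
        [Safeguard("TAH-205", "TT-205")]),
    Row("Cooling water side E-205", "High pressure", None,
        [Safeguard("PSV-206", "PSV-206")]),
]

def review(worksheet=WORKSHEET):
    return [review_row(r) for r in worksheet]

if __name__ == "__main__":
    for result in review():
        print(result)
```

The second row is the case the paragraph warns about: its only listed safeguard reads from the transmitter of the loop that failed, so the row is left with no valid safeguard.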

Typically, a fire protection system (or response) is a safeguard. Generally, no credit for safeguards is taken when developing consequences. For instance, even though a high-level alarm/trip of a knock-out drum would activate a downstream equipment shutdown (for example, a turbocompressor trip), the consequences should be stated as liquid carryover and damage to downstream equipment, which could be a sensitive compressor. The high-level alarm/trip should then be listed as a safeguard.


Hazop recommendations

Hazop recommendations can take the following forms:

  • Add an indicator, alarm, trip or interlock
  • Develop or change a procedure such as an operating procedure or a preventive maintenance procedure
  • Modify the system
  • Conduct a more detailed safety review or a design review on a specific topic
  • Develop a protection or an emergency solution. For instance, provide a means to isolate, improve explosion (or fire) protection, or improve an emergency response.

Too many alarms can be as bad as too few. Unfortunately, many Hazop cases have resulted in new alarms which were often not fully thought through and were sometimes not appropriate. This is a major reason for having many alarms for packages and floods of alarms during operation. Floods of alarms and messages from automatic systems distract the human operator from dealing with the actual problem, increase the stress on the operation team, and conceal important new information among a deluge of low-value, repeat or consequential warnings. Optimum numbers of alarms should always be considered for any machinery package.

Hazop vs. troubleshooting

The Hazop meeting and associated procedures should be followed for any machinery Hazop. Based on experience, the systematic Hazop method, followed in a Hazop meeting with a team of experts and using its standard format with special guidewords, deviations, and so on, is the best available way to conduct a Hazop of machinery packages. This is a structured and systematic technique for examination and risk management, and it is best for identifying and managing potential hazards. However, this format and technique are not appropriate for some studies and analyses.

While the Hazop meeting and its procedure are very effective in their designated job, the same method is not necessarily effective in troubleshooting. For example, the troubleshooting of turbomachines should involve a wide range of operation and maintenance personnel, technicians, field persons, and even labourers working on machines. This is a completely different group from the Hazop experts.

In a Hazop-type meeting environment, some of these individuals may hesitate to express all their ideas that might actually provide vital cues for troubleshooting. Usually, information could be lost or masked if someone tries to perform a troubleshooting task in a Hazop format.

The author of this article has been invited to some of these troubleshooting meetings which were done in the format of Hazop. The results were not satisfactory; hours of discussions happened without any useful result. The frank and systematic discussions in a Hazop meeting with 7-9 experts cannot be implemented during a machinery troubleshooting exercise that involves many different personnel from groups such as maintenance technicians, junior operators, field technicians, site personnel, and so on.

In a troubleshooting task, all involved personnel should be interviewed, often two or three times. The group includes many different people such as principal engineers, reliability engineers, shift operation engineers, maintenance technicians and field machinery labourers. The number of personnel involved could be more than 15, sometimes more than 20 or 25. A troubleshooting exercise would be more successful if the machinery engineer takes the lead and discusses the matter with each involved person in a one-on-one meeting.

Case study: next flange rating

For turbomachinery packages, if the pressure and temperature conditions are more than 90% of the maximum conditions allowed by the flange codes, the flanges may be required to move to the next rating class, since the flange codes (such as ASME-B16.5) were mainly provided for static equipment and piping and not for rotating machinery. Marginal pressure-temperature ratings might result in leakages under severe dynamic loadings on rotating equipment or turbomachinery packages. In Hazop terms, it is a deviation which could cause the specified ratings to be exceeded.

For example, the ASME-B16.5 standard covers pressure-temperature ratings, materials, and dimensions of flanges. For a turbocompressor skid for a high-pressure hydrogen service, the operating pressure with respect to the operating temperature resulted in around 92% of the class 600# allowable conditions. However, in practice, such a flange rating has leaked in similar turbocompressor packages due to large dynamic and vibration loads in the compressor package. In other words, for piping and static equipment with those conditions (92% of the class 600# allowable conditions), the selected flange rating (600#) could be sufficient and suitable. However, this was not the case for the flanges inside a turbocompressor package. Based on experience and scientific reasons, it was decided to improve all piping and flange ratings inside the turbocompressor package (including the battery limits of the package) to class 900#. The piping outside the package remained at 600# rating.