
5 Hazard Analysis

5.6 OPERATIONS AND SUPPORT HAZARD ANALYSIS

One last transformation of the hazard analysis technique that is worth investigating is the operations and support hazard analysis (O&SHA). Most hazard analyses (and safety analyses, in general) are directed toward uncovering hardware design problems; however, this is not the intent of an O&SHA. Simply put, an O&SHA identifies and evaluates the hazards associated with the operations of a system. As with all hazard analyses, it looks at hardware systems, software, facilities, support equipment, procedures, personnel, operating environment, natural environment, human–machine interfaces, and other interfaces, but with the telling difference of how all of these factors relate to the operation of the system by people. The O&SHA is a very useful technique to understand how operations-focused hazards impact the system. It is not a human factors analysis. See Chapter 8 for more on human factors analysis.

Many engineers perform an O&SHA instead of a hardware hazard analysis. This is not a particularly good idea since the operations of a system or plant are intrinsically related to the hardware design. You may wish to use the O&SHA as a separate, more in-depth look at operational aspects of the system, but not in lieu of other analyses. Actually, the best idea is to combine the O&SHA with the hardware hazard analyses. Many times the human–machine interface is a very ambiguous area, and it is unclear which affects which.

Remember that the hazard reduction precedence indicates that using training or procedures to control hazards is the least effective method of hazard control.

Unfortunately, this method may be the only viable option, due to the high cost of redesign. The O&SHA is used many times during the modification or upgrade of a plant or process. But the best time to conduct an O&SHA is during the original design.

FIGURE 5.5 Sample facility functional tree.

TABLE 5.8 Sample Facility Hazard Analysis
Element: Chemical Facility                        Date: 05/05/2014
System: Processing Lab                            Analyst: John Doe
Subsystem: Exposure Control—Hazardous Materials   Page: 45

Control Number 2.4.01
  Hazard Description: … or personnel asphyxiation
  Potential Causal Factors: High hydrogen concentration leads to a fire. Lack of hydrogen gas detection devices in facility.
  Potential Effects: Personnel death, fire, or explosion
  HRI: ID    Facility Risk Index: 2
  Hazard Control Recommendation: Provide hydrogen gas detectors in lab areas that store and use hydrogen gas. Provide emergency power to the gas detection system. The alarm should sound both locally and on the emergency console in the process control center.
  Effect of Recommendation on HRI: IE    Effect of Recommendation on Facility Risk Index: 3
  Hazard Control References: UFC 80.303 (a)(9); UFC 80.303 (a)(7)
  Verification of Control: (1) Review of Drwg. E607 and Design Spec. Section 16723. (2) Verify as-built drawings to actual hardware with facility walkdown. Conduct operational tests.
  Status of Control: (1) OPEN. Currently in design phase. Review scheduled for 5/14. (2) OPEN. Inspection to be completed during acceptance inspection; TBD date.

Control Number 2.4.02
  Hazard Description: Release of toxic or highly toxic gases.
  Potential Causal Factors: Lack of means to detect toxic and highly toxic gases
  Potential Effects: Personnel death or illness
  HRI: IIA    Facility Risk Index: 1
  Hazard Control Recommendation: Provide a continuous gas detection system to detect the presence of gas at or below the permissible exposure limit or ceiling limit in lab areas that store and use toxic and highly toxic gases. The detection system shall initiate a local alarm and an alarm in the emergency console in the process control center. The alarm shall be both visible and audible. The system shall be provided with emergency power.
  Effect of Recommendation on HRI: IIE    Effect of Recommendation on Facility Risk Index: 3
  Hazard Control References: UFC 80.303 (a)(9); UFC 80.303 (a)(7)
  Verification of Control: (1) Review of Drwg. E607 and Design Spec. Section 16723. (2) Verify as-built drawings to actual hardware with facility walkdown. Conduct operational tests.
  Status of Control: (1) OPEN. Currently in design phase. Review scheduled for 5/14. (2) OPEN. Inspection to be completed during acceptance inspection; TBD date.

Control Number 2.4.03
  Hazard Description: … toxic gases
  Potential Causal Factors: Undetected buildup of hydrogen gas due to failure to accurately calibrate and maintain gas detection system. Gas detection system …
  Potential Effects: Fire/explosion, personnel death, illness
  HRI: IB    Facility Risk Index: I
  Hazard Control Recommendation: Provide accurate calibration and follow written maintenance plan.
  Effect of Recommendation on HRI: IE    Effect of Recommendation on Facility Risk Index: 3
  Verification of Control: Plant quality assurance office to verify calibration and maintenance procedures are followed.
  Status of Control: OPEN. Completion date TBD

Perform the O&SHA as you would conduct any other hazard analysis. Follow the same procedure as outlined earlier in this chapter. However, this time, concentrate more on

• Operation or task sequence

• Concurrent task effects and limitations

• Planned system configuration at each phase of activity

• Human–machine–environment interfaces

• Planned and unplanned operations in the system (and its subsystems)

• Hazardous operations

The typical operational sequences you should assess are

• Normal operations

• Testing

• Installation

• Modification

• Support operations

• Maintenance

• Transportation

• Storage operations

• Servicing operations

• Contingency operations

• Emergency operations

• Activation and decommissioning

• Postaccident operations

• Training

The O&SHA should review a host of plant activities and documentation. Review the various operational and maintenance procedures; look at the mental and physical demands placed on the operators. Verify that the timing of procedures and operations is realistic. Section 8.2 goes into more detail about how to model human–machine interactions.

PRACTICAL TIPS AND BEST PRACTICE

When engineers conduct an O&SHA or some other analysis of operations, they many times assume that operators follow the written procedures precisely. Reality is vastly different. In fact, more times than not, operators take shortcuts and do not do exactly what the procedure states. Be sure to observe how the operators actually do their work. You will find a lot of surprises.

Review the written procedures. Verify the actual work performed (on all work shifts). Make sure that the various tasks do not lead to an accident. Some items to focus on include the following:

• Study each step of the operation and make sure that each individual step in the procedure is necessary, clearly understood, and conducted in a safe manner.

• Examine how human error (operator, maintenance, etc.) can alter the desired effects of the operation.

• If human error can affect a significant hazard, look for ways to control the hazard using the hazard reduction precedence.

• Any safety-critical operations must be clearly identified and assured of operation.

Table 5.9 shows a typical O&SHA worksheet. Of course, the worksheet can be in a tabular form as with the first two types of hazard analysis, but many engineers like to put each operational hazard on one worksheet. The figure shows such a format.

The only difference (besides visual) between the O&SHA and the other hazard analyses is that the O&SHA includes task descriptions and the events leading up to the hazard state.

Task descriptions describe the purpose of tasks or activities. It is important to remember to write the task or activity intended. The actual analysis of the task will verify if the operation really accomplishes what is intended.

Events leading up to the hazard state are an addition to the hazard analysis format.

The events can occur either sequentially or in parallel or both. In developing controls to prevent the development of the hazard state, remember that you have the opportunity to interrupt the hazard event sequence at various points. It is critical that you spend some time in deciding where you wish to intervene. A poor decision can be very expensive.
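As an added illustration (not from the book) of interrupting the event sequence at different points, the following Python models a constructed hazard event tree loosely based on control 2.4.01 of Table 5.8 and ranks candidate controls by the hazard reduction precedence. The event names, the candidate controls, and the full precedence order beyond "procedures and training rank last" are assumptions made for the example.

```python
from dataclasses import dataclass

# Hazard reduction precedence, most to least effective. The book states only
# that procedures/training rank last; the rest of the order is assumed here.
PRECEDENCE = ["design change", "safety device", "warning device", "procedure/training"]

# Constructed event tree for the hazard state of control 2.4.01 (hydrogen fire).
# A string is a basic event; ("AND", [...]) means all children must occur
# (parallel preconditions), ("OR", [...]) means any one suffices.
HAZARD_STATE = ("AND", [
    ("OR", ["hydrogen leak", "vent line failure"]),  # some release occurs
    "buildup goes undetected",                       # release persists unnoticed
    "ignition source present",
])

@dataclass(frozen=True)
class Control:
    name: str
    kind: str              # one of PRECEDENCE
    blocks: frozenset      # basic events this control is credited with preventing

def hazard_reachable(node, blocked: frozenset) -> bool:
    """True if the hazard state can still develop when `blocked` events are prevented."""
    if isinstance(node, str):
        return node not in blocked
    op, children = node
    outcomes = [hazard_reachable(child, blocked) for child in children]
    return all(outcomes) if op == "AND" else any(outcomes)

def interrupting_controls(tree, controls):
    """Controls that on their own interrupt the event sequence, best precedence first."""
    effective = [c for c in controls if not hazard_reachable(tree, c.blocks)]
    return sorted(effective, key=lambda c: PRECEDENCE.index(c.kind))

# Constructed candidate controls for the same hazard.
CONTROLS = [
    Control("operator checks portable H2 meter hourly", "procedure/training",
            frozenset({"buildup goes undetected"})),
    Control("fixed H2 detectors alarming locally and at the console", "warning device",
            frozenset({"buildup goes undetected"})),
    Control("classified (non-sparking) electrical equipment in lab", "design change",
            frozenset({"ignition source present"})),
    Control("leak detector on the supply valve only", "warning device",
            frozenset({"hydrogen leak"})),  # vent line failure path stays open
]

if __name__ == "__main__":
    for c in interrupting_controls(HAZARD_STATE, CONTROLS):
        print(f"{c.kind:<20} {c.name}")
```

The valve-only detector drops out because a parallel release path remains open, while the two controls that act on the same event are separated only by their place in the precedence.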

Note that the O&SHA addresses only human errors or operator errors—not hardware failures. This is its strength and its weakness. Because this hazard analysis technique focuses on the operations of a system, it is very good at identifying the kinds of operational hazards that are often obscure to the engineer. However, as the aforementioned example shows, this worksheet does not identify any structural or design inadequacies of the crane or other lifting hardware. It is precisely for this reason that the O&SHA should never be used alone, but only in tandem with a hardware hazard analysis or a subset of the overall SHA.