Element IA4: Identifying Hazards, Assessing and E
Contents
Introduction
Sources of Information to Support Hazard Identification and Risk Assessment
  Internal Sources
  External Sources
Hazard Identification Techniques
  Observation
  Task / Job Safety Analysis
  Consultation
  Document Review
  Injury and Ill-health Reports
  Failure Tracing Methods
Assessment and Evaluation of Risk
  Definitions
  Risk Assessment Involves Five Steps
  Summary
  Organisational Arrangements
Failure Tracing Methodologies
  Hazard and Operability Studies (HAZOP)
  Fault Tree Analysis (FTA)
  Event Tree Analysis (ETA)
References
Introduction
Identifying hazards, assessing and evaluating risk is an important and integral part of a much wider process known as Risk Management. This process not only incorporates the above activities but also includes the areas of risk control, monitor and review.
Risk Management can be defined as “….the eradication or minimisation of the adverse effects of…risks to which an organisation is exposed” (Ridley and Channing, 1999).
The following diagram demonstrates risk management as a flow diagram. See later for further explanation of the terms used.
Figure 1: Flow Diagram Representing Risk Management
[Figure: flow diagram with boxes labelled Risk Identification, Risk Analysis, Risk Control, Risk Financing, Loss Control, Risk Avoidance, Risk Reduction, Risk Retention, Risk Transfer, Monitor, Review]
The process of risk management is complex and contains a range of practices leading to the control of all elements of risk in the workplace. It is important to appreciate that this process is not solely a health and safety model but can be applied to all business risks e.g. security, product liability, product quality etc.
Sources of Information to Support Hazard Identification and Risk Assessment
When identifying hazards for the purpose of conducting risk assessments and subsequent evaluation of the risks, the employer must consider the source of data for the evaluation which can be either internal to an organisation or external.
Internal Sources
▪ Health and safety practitioner (Adviser / Officer, etc.);
  ▪ interpretation of legislation, advice on company procedures and systems.
▪ Health and safety representative;
  ▪ concerns and suggestions from the workforce, understanding of current work methods.
▪ Inspection reports;
  ▪ identification of problem areas and frequently occurring uncontrolled hazards.
▪ Accident and incident records, data and rates (incidence, frequency, severity etc);
  ▪ highlighting commonly occurring events together with their frequencies and / or trends.
▪ Ill health reports and their prevalence;
  ▪ highlighting potential health and welfare hazards together with trends of occurrence.
▪ Existing risk assessments;
  ▪ information on currently identified hazards, their level of risk and the controls which should be in place
▪ Plant registers;
  ▪ helping to identify the breadth of workplace hazards by examining the plant equipment and machinery used for the processes / tasks
▪ Safety committee minutes;
  ▪ records of discussions and agreed action associated with past events, reported hazards, near misses or safety concerns.
▪ Policies;
  ▪ information on how the organisation is proposing to manage the hazards and risk facing its operation
▪ Medical records;
  ▪ information of health surveillance results which could indicate new or uncontrolled hazards, and
External Sources
National Safety Organisations / Professional Institutions
▪ Institution of Occupational Safety and Health (IOSH), etc.:
  ▪ Journals, posters, booklets, videos, books.
Suppliers / Manufacturers
▪ Suppliers of substances, plant, equipment, etc.; and
▪ Data sheets, manuals.
The Internet
A number of sites exist relating to health and safety including: www.santia-training.co.uk (Santia Training Services website).
Care must be taken when relying on data sourced from the internet since its use is unregulated. This makes for a vast data source but untrustworthy sites may exist.
Libraries
International, European and British Standards.
Consultants and Specialists
Santia Training Services.
The Occupational Health and Safety Consultants Register offers a searchable database for suitably qualified consultants operating in the field of health and safety.
www.ohscr.org
Trade Unions
For many years trade associations and trade unions have provided a very useful source of information about occupational hazards and particularly about best practice in the control of risks. The Engineering Employers Federation, for example, publishes a range of risk assessment documents. Both trade unions and trade associations also frequently provide a telephone help-line service to their members on health and safety matters.
International Information Sources
The International Labour Organisation (ILO)
The International Labour Organisation is the United Nations (UN) specialised agency which seeks the promotion of social justice and internationally recognised human and labour rights. It was founded in 1919 and is the only surviving major creation of the Treaty of Versailles which brought the League of Nations into being and it became the first specialised agency of the UN in 1946.
The ILO formulates international labour standards in the form of Conventions (mandatory) and Recommendations (non-mandatory) setting minimum standards of basic labour rights: Freedom of association, the right to organise, collective bargaining, abolition of forced labour, equality of opportunity and treatment, and other standards regulating conditions across the entire spectrum of work related issues. It provides technical assistance primarily in the fields of:
▪ Vocational training and vocational rehabilitation;
▪ Employment policy;
▪ Labour administration;
▪ Labour law and industrial relations;
▪ Working conditions;
▪ Management development;
▪ Co-operatives;
▪ Social security; and
▪ Labour statistics and occupational safety and health.
It promotes the development of independent employers’ and workers’ organisations and provides training and advisory services to those organisations. Within the UN system, the ILO has a unique tripartite structure with workers and employers participating as equal partners with governments.
In order to attain these objectives, the ILO assists member States as well as employers’ and workers’ organisations in ratifying ILO Conventions and implementing international labour standards. Since 1994 the ILO has been engaged in a process of modernising and strengthening its labour standards system.
European Agency for Safety at Work
The European Agency for Safety and Health at Work aims to make Europe’s workplaces safer, healthier and more productive. The European Agency acts as a catalyst for developing, collecting, analysing and disseminating information that improves the state of occupational safety and health in Europe.
The Agency is also a tripartite European Union organisation and brings together representatives from three key decision-making groups in each of the EU Member States - government, employer and worker organisations.
Located in Bilbao (Spain) the Agency has co-ordinated a network since 1997 with Focal Points in each Member State of the Union.
The World Health Organisation (WHO)
The World Health Organisation, the United Nations specialised agency for health, was established on 7 April 1948. WHO’s objective, as set out in its Constitution, is the attainment by all peoples of the highest possible level of health. Health is defined in WHO’s Constitution as a state of complete physical, mental and social well-being and not merely the absence of disease or infirmity.
Hazard Identification Techniques
Observation
Strictly, safety observations should be considered to be a monitoring tool or technique rather than a hazard identification exercise. The reasons for avoiding an over reliance on workplace observations as a means of identifying hazards are:
▪ If for example, an inspection failed to identify any unsafe electrical equipment / wiring it would not be listed as a hazard and might not be assessed. The use of electrical equipment clearly needs to be assessed very thoroughly;
▪ Psychological, biological and ergonomic hazards are not easy to identify by visual inspection; and
▪ Visual inspections are poor at detecting unsafe acts, lack of training and inadequate operating procedures, all of which are key issues in risk assessment.
Task / Job Safety Analysis
Job Safety Analysis is a work study technique in which a task is carefully observed and every detail recorded. The process is often used in conjunction with the development of safe systems of work, work instructions, safety training, etc. The method of working is then evaluated so as to identify hazards. An ‘ideal’ safe method is then developed and implemented.
The process is as follows:
▪ Select the process to be studied. Priorities are often based on previous accidents, etc.;
▪ Record in detail how the job is done, the equipment and materials used and any hazards involved. This is best done by observation and discussion with those ‘job holders’ actually doing the job under review;
▪ Evaluate the risks involved in the activity (refer to accident records, etc.);
▪ Develop a written safe system for carrying out the work, accounting for control of the hazards and risks identified. Using the MEEP approach (discussed later) can be very useful. At this stage reference is made to legislation, codes of practice, etc.;
▪ Implement the safe system providing relevant instruction, information and training and, where necessary, emergency procedures and equipment; and
▪ Maintain the system (by supervision, etc.) and monitor those who carry out the work to ensure that the system does not deteriorate.
The information can be recorded on a chart or JSA worksheet. There is no predefined format for recording JSA work; the format will be determined by the organisation’s systems and the needs of the employer.
MEEP Approach
All risks arising from the work activity must be assessed.
The activity can be broken down into individual elements so that hazards - conditions or actions, at each stage can be analysed.
The degree of detail of analysis should depend on the level of risk involved, but in any case all components of the work should be included in the analysis.
A useful approach to ensuring the key areas are considered for analysis is to consider the four main elements of the activity.
Materials
What materials does the activity have the potential to expose employees to and how are they handled, mechanically or manually?
Equipment and Plant
What is used? Is it suitable? Consider the design and ergonomic factors, maintenance routines and statutory inspections where applicable, guarding arrangements, isolation from energy sources and other hazards which the equipment may produce such as noise and vibration.
Environment
Take into account the levels of lighting, heating, environmental noise, ventilation, welfare facilities, etc. Does the condition of floors, seating, access to, egress from, means of escape, layout, and working space have an adverse effect on exposure to risks? Remember that for outdoor activities the weather can change very quickly and the hazards on a bright July morning are very different to a dark November afternoon.
People
Consider who is involved and their levels of competence. Is there specific information, training, instruction that is required and what level of supervision is adequate for the task being analysed? Do particular disabilities, the presence of the public or other persons have an effect on the activity and the level of risk involved?
Task analysis should then consider these points in adequate depth to ensure the development of a safe system of work.
Consultation
It is good practice to use the knowledge and experience of managers and operators when identifying hazards in the workplace. Consultation with a competent person who has specialist training and experience, or membership of a professional body, can assist in the identification of hazards.
The combined knowledge and experiences of the workforce should not be underestimated. Not only can it be a source of a wealth of information, but also involvement of the workforce will enhance their perception of risk and their compliance with resulting control measures.
Document Review
Information relevant to the risk assessment process may be obtained from a review of internal documentation, e.g. existing risk assessment records, safety committee minutes, training and maintenance records, etc. Hazard information can also be obtained from external sources, e.g. legislation, codes of practice, guidance, manufacturers and suppliers, etc.
Injury and Ill-health Reports
Accident statistics can be a useful tool when identifying risks which are not well controlled. When analysed, the statistical information can be manipulated to provide important causal leads on risk areas where action should have been taken or indeed where the action taken is not appropriate to minimise the risks. The organisation should have specific event recording systems in place to ensure that all relevant data is gathered in sufficient detail to facilitate proper analysis.
Failure Tracing Methods
Other methods that can be used to identify hazards are techniques known as “Failure Tracing Methods” and include:
▪ Hazard and Operability Studies (HAZOP);
▪ Fault Tree Analysis; and
▪ Event Tree Analysis.
Assessment and Evaluation of Risk
The primary purpose of risk assessment is to enable decisions to be made on the need for action and on the priority of action, for example a hazard assessed as high risk will require immediate action and perhaps considerable expenditure whereas a low or negligible risk can be given a less pressing timescale for action and costs expended may be limited. This is based on the ‘reasonably practicable’ principle. A different approach will be necessary in the case of absolute legal requirements or those qualified only by the word ‘practicable’.
Before discussing the process of assessing and evaluating risk there must first be clarification on the key terminologies.
Definitions
Hazard
One definition of hazard is anything with ‘the potential to cause harm’ (MHSWR, 1999)
This is a very broad definition and in many ways can be interpreted to mean anything. It would be helpful therefore to categorise hazards to make identification easier. Hazards may be either:
▪ Physical, e.g. machinery, electricity, heat, noise, gravity;
▪ Chemical, e.g. water, acid, alkali, oils;
▪ Biological, e.g. HIV virus, legionella, hepatitis virus (usually a disease causing agent);
▪ Ergonomic, e.g. physical stress, wrongly sited controls and indications; and
▪ Psychological, e.g. workload / pressure / hours of work, trauma.
Risk
Again from the normal use of the word, i.e. the dictionary definition is ‘chance of disaster or loss’. Clearly this implies a certain probability of occurrence or likelihood. Again for the purpose of assessing and evaluating risk this must be clear and is defined as ‘the probability of harm from a particular hazard being realised’.
For example, noise is a hazard, i.e. has the potential to cause harm. The risk is the likelihood that it actually will cause harm. Clearly this is dependent on a number of different factors (risk factors) such as how loud the noise is, how long an individual is exposed to the noise, the frequency of the noise, the individuals’ personal characteristics / predisposition to suffering with noise related effects, previous exposure and so on.
Most people undertake risk assessment as a normal part of their every day lives. Activities, such as crossing the road and driving to work, routinely call for a complex and ongoing analysis of the hazards and risks involved in order to avoid damage and injury. Therefore most people are able to recognise hazards as they develop and take corrective action. People do, for a variety of reasons, have widely different perceptions regarding risk and would find it difficult to apply their experience to formal workplace risk assessments.
Suitable and Sufficient
There is not an internationally recognised definition of the term “suitable and sufficient”. However, in the UK, the Approved Code of Practice to The Management of Health and Safety at Work Regulations 1999 (HSC 2000, L21) highlights that the following should be considered with regards to risk assessment:
▪ It should identify all foreseeable risks arising from or in connection with work;
▪ The level of detail should be proportionate to the risk;
▪ Insignificant risks can usually be ignored as can risks arising from routine activities associated with life in general, unless the work activity compounds or significantly alters the risks;
▪ The level of risk arising from the work activity should determine the degree of sophistication of the risk assessment;
▪ It should be appropriate to the nature of the work; and
▪ It should identify the period of time for which it is likely to remain valid.
Risk Assessment Involves Five Steps
There are many variations on the risk assessment process. The following system is based on the UK ‘5 Steps to Risk Assessment’ IND (G) 163L published by HSE (HSE 1998):
1. Look for and identify the hazards;
2. Decide who might be harmed and in what circumstances;
3. Evaluate the risks arising from the hazards and decide whether the existing precautions are adequate or more should be done;
4. Record the significant findings; and
5. Review the assessment if there is a significant change or evidence that the original assessment was inadequate.
Identifying the Hazards
Hazard identification can be completed in a number of different ways using different techniques as discussed earlier in this element. Methods include proactive workplace observations, job safety (task) analysis, consultation and document review and reactive examination of accident and ill-health reports.
Who May be Harmed and in What Circumstances
It is important to ensure that all groups of employees and others who might be affected are considered. Do not forget office staff, night cleaners, maintenance staff, security guards, visitors, the general public and those who might be especially at risk, e.g. young persons, new or inexperienced workers, those who work alone, any disabled staff or pregnant workers.
Evaluating the Risks
Risk assessment requires an evaluation of two principal factors:
▪ Likelihood - a subjective or objective evaluation of the probability of occurrence; and
▪ Severity - the scale of the consequences of the occurrence.
Likelihood
This requires an assessment or evaluation of the likelihood (probability) of the hazard resulting in a loss. Consideration will need to be given to the following:
▪ Where is the hazard?
▪ How many people are affected?
▪ How knowledgeable are they?
▪ How many times does the hazard occur (frequency)?
▪ What is the extent of possible exposure (duration, time, concentrations etc.)?
Severity
This requires an assessment or evaluation of the possible outcome(s) if the hazard was not sufficiently controlled and things went wrong.
This can be assessed by relating to accident statistics or experience. In some cases the information can be obtained from manufacturers’ data, national or regulatory guidance or other published information.
In selecting the appropriate category it is important to be realistic. For example, it is remotely possible that someone tripping over a cable in an office may be killed, but the most probable result is bruising or at worst a fractured bone. If however the cable is trailing across the top of a very busy stairs then a single death or even multiple deaths could be a more appropriate assessment.
Factors that may influence the severity outcome of the hazard being realised include issues such as: speed of movement of machinery parts, voltage and current in relation to electrical work, weight and shape of objects to be lifted in relation to manual handling, etc.
Qualitative and Quantitative Risk Assessment
The risk rating may be judged by qualitative means, based on the experience and expertise of the assessor, or semi-quantitative techniques may be used, which provide a simple scoring mechanism and allow the risks to be rated and prioritised. Semi-quantitative techniques are particularly useful for justifying expenditure on risk control relative to other risks. Quantitative assessments from probability data may also be used where the data is available. Risk rating using qualitative or semi-quantitative means is often referred to as ‘relativistic’ assessment since it is scored relative to other risks, whereas quantitative assessments are often described as ‘probabilistic’ assessments.
Specific techniques such as Hazard and Operability Studies (HAZOP), Fault Tree Analysis (FTA), and Event Tree Analysis (ETA) can be used to determine the frequency of events occurring or the probability that a particular event will occur. Probability theory is based on the scale that extends from 0 – 1, where zero represents no occurrence and 1 represents a certainty. Where the data is available for a series of linked events, e.g. a flammable gas release followed by an ignition source, then the final probability of the last event can be calculated. In order to carry out advanced risk assessment techniques, the numerical data must be supplied. Truly quantitative assessments based on the probabilities of events (such as the failure of safety critical components, etc.) are difficult to apply in most situations. This is because the data needed to calculate probabilities is simply not available. Such techniques are applied in high risk processes and industries such as nuclear installations and in aviation for example.
Risk Rating
Estimating likelihood and severity can be useful when determining priority as regards the effort required to deal with the risk. This semi-quantitative approach is not absolutely essential and, even when it is used, it should not mask the main purposes of the assessment as discussed earlier. There are many versions of the technique. The following system is taken from the HSE document ‘Successful Health and Safety Management’, HSG 65 (HSE 2003).
The Likelihood of harm:
1 Low (where harm will seldom occur).
2 Medium (where harm will occur frequently).
3 High (where it is certain or near certain that harm will occur).
The Severity of harm:
1 Minor (for example, all other injuries including those where people are off for periods of up to seven days).
2 Medium (for example, injuries where people may be off work for more than seven days)
Table 1: Risk Ranking Matrix
                      Severity of Harm
Likelihood of Harm    Minor (1)    Medium (2)    Major (3)
Low (1)               1            2             3
Medium (2)            2            4             6
High (3)              3            6             9
Multiply the Severity number by the Likelihood number to arrive at the risk factor for each hazard. This produces a number on a scale of 1 to 9. These numbers provide an indication of priority and the extent of the risk, the higher the number the greater the priority and risk and therefore the more resources which may be needed to control the risk.
Table 2: Action Required
6 or 9: High risk and may require considerable resources, e.g. special equipment training, high levels of supervision, and consideration of the most effective methods of eliminating or controlling hazards
2, 3 or 4: Significant risk and will require an appropriate level of resources to control the risk
1: Low risk but reasonable actions should still be taken to try to further reduce these risks, if possible
Note that this system provides an indication of risk only and is based on subjective judgement therefore employers must satisfy themselves that the risk assessment and the actions taken to deal with the hazards they have identified are adequate.
A more complicated technique will involve giving numerical ratings to a number of factors such as the numbers of people exposed to hazards, and the number of times a hazard has occurred. The number of times an accident has resulted from this type of hazard in the past can also form part of the assessment.
Some organisations use a matrix similar to the one above but with four, or more usually five, rows and columns for likelihood and severity.
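As an added illustration (not part of the original course text), the sketch below applies the 3 x 3 scheme of Table 1 and the action bands of Table 2 to a small hazard register and ranks the entries by risk factor. The register entries, their ratings and the tie-break on severity are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Rating scales from the scheme quoted above (1 to 3 on each axis).
LIKELIHOOD = {1: "Low", 2: "Medium", 3: "High"}
SEVERITY = {1: "Minor", 2: "Medium", 3: "Major"}


def risk_factor(likelihood: int, severity: int) -> int:
    """Severity multiplied by Likelihood; ratings outside 1-3 are rejected."""
    if likelihood not in LIKELIHOOD or severity not in SEVERITY:
        raise ValueError(f"ratings must be 1-3, got L={likelihood}, S={severity}")
    return likelihood * severity


def action_band(factor: int) -> str:
    """Map a risk factor to its Table 2 action band."""
    if factor in (6, 9):
        return "High"
    if factor in (2, 3, 4):
        return "Significant"
    if factor == 1:
        return "Low"
    # 5, 7 and 8 cannot come out of a 3 x 3 matrix, so treat them as input errors.
    raise ValueError(f"{factor} is not a valid 3 x 3 risk factor")


def ranking_matrix() -> list:
    """Rebuild Table 1: rows are likelihood 1-3, columns are severity 1-3."""
    return [[risk_factor(l, s) for s in sorted(SEVERITY)] for l in sorted(LIKELIHOOD)]


@dataclass(frozen=True)
class Hazard:
    activity: str
    hazard: str
    likelihood: int
    severity: int

    @property
    def factor(self) -> int:
        return risk_factor(self.likelihood, self.severity)

    @property
    def band(self) -> str:
        return action_band(self.factor)


def prioritise(register: list) -> list:
    """Highest risk factor first. Ties are broken by severity, then by name;
    the tie-break is an assumption of this example, not part of the scheme."""
    return sorted(register, key=lambda h: (-h.factor, -h.severity, h.hazard))


def band_summary(register: list) -> dict:
    """Count register entries in each action band."""
    return dict(Counter(h.band for h in register))


# Constructed register. The two cable entries follow the text's point that the
# same hazard can warrant a different severity rating depending on location.
REGISTER = [
    Hazard("Office work", "Cable trailing across office floor", 2, 1),
    Hazard("Office work", "Cable trailing across top of busy stairs", 2, 3),
    Hazard("Machine shop", "Noise exposure at press", 3, 2),
    Hazard("Stationery store", "Minor cut from packaging", 1, 1),
]

if __name__ == "__main__":
    for row in ranking_matrix():
        print(row)
    for h in prioritise(REGISTER):
        print(f"{h.factor}  {h.band:<11}  {h.activity}: {h.hazard}")
    print(band_summary(REGISTER))
```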
Temporary Situations
The assessment should not only take account of risks arising from routine operations, but also from temporary situations such as:
▪ Maintenance operations;
▪ Cleaning;
▪ Shutdown activities;
▪ Breakdown situations; and
▪ Increased activity levels
Record the Significant Findings
The record should lead management to take the relevant actions to protect health and safety. It should therefore be linked to other documents such as the health and safety policy and may refer to procedures and health and safety arrangements. It also forms the basis for the organisation’s action plan.
The records should therefore cover the following key points:
▪ Identification of significant findings such as the hazards and the risks they present;
▪ Identification of existing controls and the need for further controls as necessary;
▪ Identification of the individuals affected which could include persons not directly under the control of the employer, e.g. members of the public; and
▪ Reference to other documents where appropriate, e.g. national guidance, etc.
The format of the record is not laid down in law but it should not over complicate the assessment nor trivialise the risks. National guidance and standard recording templates may be available such as from the HSE in the UK on their website http://www.hse.gov.uk/risk/casestudies/index.htm
Review
Assessments should be reviewed if:
▪ There is reason to suspect that it is no longer valid; and
▪ There has been a significant change in the matters to which it relates.
Evidence of injuries, ill-health or near misses would be among the reasons for suspecting that an assessment may no longer be valid. Accident / incident investigations should routinely consider whether or not the risk assessment needs to be reviewed.
Some of the ‘significant changes’ that might require a review of the risk assessment are:
▪ The workplace layout;
▪ Increased work throughput / rate;
▪ New process or plant which is not covered in the original assessment or introduces a significant change to the working environment;
▪ The competence of the people carrying out the work;
▪ New legal requirements;
▪ New information about the hazards; and
▪ Evidence that the original assessment is inadequate.
Summary
The risk assessment should:
▪ Ensure the significant risks and hazards are addressed;
▪ Ensure all aspects of the work activity are reviewed, including routine and non-routine activities such as maintenance, cleaning operations, loading and unloading vehicles, changes to production cycles etc.
▪ Cover all parts of the work activity, including those that are not under the immediate supervision of the employer, such as employees working off site as contractors, workers from one organisation temporarily working for another organisation, self employed people, home workers and mobile employees;
▪ Consider situations where workers visit members of the public in the home, e.g. nurses, and address any risks arising from potential dangers.
A structured approach to risk assessment should ensure all significant hazards are addressed. Whichever method is chosen it should reflect the skills and abilities of the individuals carrying out the assessment.
Organisational Arrangements
Organisational arrangements for implementing the risk assessment programme should involve employees and their representatives deciding on preventive and protective measures and implementing those requirements in the workplace. This may be achieved by the use of formal health and safety committees where they exist, and by the use of team-working, where employees are involved in deciding on the appropriate preventive and protective measures and written procedures etc;
Establishing effective means of communication and consultation in which a positive approach to health and safety is visible and clear. Adequate health and safety information should be provided and communicated to employees and their representatives, so informed decisions can be made about the choice of preventive and protective measures. Effective communication will ensure that employees are provided with sufficient information so that control measures can be implemented effectively.
There needs to be in place suitable and sufficient organisational arrangements for implementing and maintaining an effective risk assessment programme, including:
▪ Procedures for risk assessment;
▪ Recording protocols;
▪ Training of risk assessors;
▪ Competence standards required;
▪ Responsibilities to ensure completion;
▪ Authorisation and follow-up of actions; and
▪ Monitoring and review.
Failure Tracing Methodologies
Several formal methods of assessing risk and minimising the consequences have developed such as:
▪ Hazard and Operability Studies; (HAZOP); ▪ Fault Tree Analysis (FTA); and
▪ Event Tree Analysis (ETA).
Hazard and Operability Studies
(HAZOP)
HAZOP studies are procedural tools designed to highlight the deciency and shortcomings in the design and operation of industrial plants. HAZOP studies aim to identify hazards and operability problems in plants, which if they were to occur, could reduce the plant’s ability to achieve target productivity in a safe manner. It was initially developed by Imperial Chemical Industries (ICI) Ltd for improving the safety of their chemical plants. The procedure proved to be so successful that it gained acceptance within industry as a useful tool for qualitative hazard analysis. The technique is now widely used as a standard procedure for safety assessment in the process, chemical, petroleum industries and many others.
There are four primary reasons for carrying out a HAZOP on high risk plants: ▪ To protect workers / society;
▪ To reduce taxes;
▪ To comply with legal requirements for suitable and sufcient risk assessment; and ▪ To provide detailed knowledge of plant.
The principle of reasonable practicability means to assess risk, and proportion new measures of control to such assessments. This has led to a methodology of quantied risk assessment which is an important element in producing a balanced decision on the precautions to be applied to reduce the components of the overall risk, particularly where major hazards are concerned, and for prioritising or targeting control measures.
At the design stage, HAZOP will cost about 1.5 to 2% of the total project cost; for existing plant the cost may be as high as 5% of the original cost. It is an expensive process and it is important to consider whether the expense is necessary to complete a ‘suitable and sufficient risk assessment’.
Key Definitions
Intention: How the plant is expected to perform.
Guidewords: Used to qualify or quantify intention in order to discover deviations. (No, less, more, part of, as well as, reverse and other than). See Table 3.
Study nodes: Locations on plant and instrumentation (P&I) drawings setting scope of studies.
Deviations: Departures from design intent such as changes in quantity; changes in physical condition; changes in chemical condition; start up / shutdown conditions; changes inside the vessel; and emergency situations. Once a deviation has been shown to have a conceivable or realistic cause, it can be treated as meaningful.
Causes: Reasons deviations might occur.
Consequences: Results of deviations from design intent.
The questioning is focused in turn on every part of the design. Each part is subjected to a number of questions formulated around a number of guidewords, which are derived from method study techniques. In effect, the guidewords are used to ensure that the questions, which are posed to test the integrity of each part of the design, will explore every conceivable way in which that design could deviate from the design intention.
Table 3: List of Guidewords

| Guidewords | Meanings | Comments |
|---|---|---|
| No or Not | The complete negation of the intentions | No part of the intentions is achieved but nothing else happens |
| More or Less | Quantitative increases or decreases | These refer to quantities and properties such as low flow rates and temperature as well as activities like HEAT and REACT |
| As Well As | A qualitative increase | All the design and operating intentions are achieved together with some additional activity |
| Part Of | A qualitative decrease | Only some of the intentions are achieved; some are not |
| Reverse | The logical opposite of the intention | This is most applicable to activities, for example reverse flow or chemical reaction. It can also be applied to substances, e.g. ‘POISON’ instead of |
Existing Control
Like all base line risk assessments, existing controls should be documented in detail or referred to e.g. standard operating conditions, when considering future upgrades, changes etc.
Further Action
This should be detailed and numbered for easy reference. Once ‘checking’ items have been eliminated the final document can be produced.
Application of HAZOP Studies
The HAZOP technique can be applied to new plants as well as existing plants, whole plants or parts of the facilities, as required. HAZOP can also be applied at every phase of project development: conceptual design and planning, detailed design, construction, commissioning, and operation. Ideally, HAZOP should be conducted at the design stage, as this allows design alterations with minimum additional costs. However, it is also useful when upgrading plants. Particular features of the HAZOP technique are the team approach and the key definitions employed in the studies.
Team Approach
HAZOP utilises the collective effort of a multidisciplinary team to investigate possible variations and deviations from the design intent. The team will be chaired by an experienced facilitator who will guide and supervise the team throughout the study.
The team will possess a blend of expertise and skills reflecting the operational requirements of the plant under investigation. A typical team will consist of a safety engineer, process engineer, instrumentation engineer, electrical engineer, operation engineer, and mechanical engineer. Other science and engineering disciplines may be added to the team to suit the particular requirements of a specific plant.
There are ten stages in implementing a HAZOP study. These are described below.
1. Define the Objectives and Scope of the Study
The objectives and scope of the study should be defined by management. These will differ depending on the stage of a project / plant.
For new plant (conceptual stage) the study scope may focus on a check of the safety of the proposed plant design or verification of the effectiveness of safety systems.
For existing plant the scope may include improvement in the safety of the existing plant or upgrade, or examining the impact of proposed modifications. Additionally the HAZOP scope may be focussed into a particular area such as power or the interaction with operators.
2. Select the Team Leader (Chairman and Secretary)
The team leader plays a vital role in the success of the HAZOP study. The team leader should be an independent and experienced HAZOP facilitator with knowledge of chemical engineering, e.g. valve actuation, etc. and process design principles. The main task of the team leader is to identify problems, define study nodes, guide the team members and maintain their concentration on the tasks assigned to them. Prior to arranging meetings, the team leader estimates the team-hours needed for the study, the schedules, durations and frequencies of the sessions. The team leader prepares a plan for the sequence of the study based on how the plant is operated, to ensure that the study is implemented methodically.
3. Select the Team
The rest of the team should be skilled engineers in the disciplines relevant to the plant operation, and an experienced plant operator with detailed knowledge of the process. The selection of the size and composition of the team should ensure that the group approach is maintained and that the team possesses the levels of knowledge necessary to ensure a complete study.
4. Define Physical Boundaries
In their investigation, the team defines the physical boundaries of the systems and equipment on which the HAZOP is carried out. The boundaries are usually marked on P&I actuation drawings (plant and instrumentation) that describe the overall layout of the plant, equipment, vessels, piping instruments, valve types, and process parameters such as flow, temperature, pressure, volume, etc.
5. Collect the Data
Typically, the data consists of line diagrams, P&I diagrams, flowsheets, plant layouts, isometrics and fabrication drawings, plant operations instructions, instrument sequence control charts, logic diagrams, and equipment manufacturers’ manuals.
6. Process the Data
This can vary from plant to plant. In continuous process plants the processing of data is minimal as the existing up-to-date flowsheets and Plant & Instrumentation (P&I) diagrams usually contain enough information for the study. With batch process plants, processing of the data is more extensive, mainly because of the amount of manual operations involved.
7. Design Review
The team is assisted by a set of checklists and the P&I diagrams. The checklists are applied at specific areas in the plant known as study nodes. These nodes are points where the process parameters (pressure, temperatures, flow, etc.) have a defined design intent. Between these nodes are the plant components (pumps, vessels, heat exchangers, etc.) which can cause changes in the parameters.
8. Record the Results
The recording process is a crucial part of the HAZOP study and it is important that all ideas are recorded using the HAZOP form. This form is best filled in by an experienced engineer who understands the discussions and records the findings accurately.
9. Implement Design Modifications
The team detects possible causes of the deviations and recommends corrective actions. Corrective action may include design modifications, or the implementation of additional safety features, for example re-sizing of equipment, piping lines, installation of relief valves, new written procedures, provision of PPE, information to contractors, and may also include many checking actions to confirm the design intention or flow parameter, etc. The team leader assigns the implementation of each corrective action to the relevant discipline specialist. Progress is monitored at the next meeting of the team.
10. Reporting
The final report is compiled by the team leader for submission to management. The report should be concise and accurate in detail. The report contains information about major deviations from design intent, details of recommended design modifications, and capital
A Simple Example for a Continuous Plant
To illustrate the principles of the examination procedure, consider a plant in which chemicals A and B react together to form a product C.
Figure 2: Example of a Simple Process Plant (diagram labels: Chemical A, Chemical B, Product C, Pump 1, Pump 2, Valves 1 to 4, To Process)
Suppose that the chemistry of the process is such that the concentration of raw material B must never exceed that of A otherwise an explosion may occur.
Referring to Figure 2 start with the pipeline extending from the suction side of the pump which delivers raw material A to where it enters the reaction vessel.
The intention is partly described by the flowsheet and partly by the process control requirements to transfer A at some specified rate. The first deviation is that obtained by applying the guideword NO or NOT to the intention. This is combined with the intention to give:
No Transfer of A
The flowsheet is then examined to establish the causes which might produce a complete cessation of the flow of ‘A’. These causes could be:
▪ Supply tank is empty; or
▪ Pump fails to turn due to:
  ▪ mechanical failure;
  ▪ electrical failure;
  ▪ pump being switched off; or
▪ Pipeline is fractured; or
▪ Isolation valve is closed.
Clearly at least some of these are conceivable causes and so this is a meaningful deviation. Next the consequences are considered. Complete cessation of flow of ‘A’ would very soon lead to an excess of ‘B’ over ‘A’ in the reaction vessel and consequently to a risk of explosion. Therefore a hazard in the design is discovered and this is noted for further consideration. The next guideword, which is MORE, is now applied. The deviation is:
More ‘A’ is passed into the Reaction Vessel
The cause would be that the characteristics of the pump might, under some circumstances, produce excessive flow rate. If this cause is accepted as realistic, the consequences should be considered:
▪ The reaction produces ‘C’ contaminated with an excess of ‘A’ which goes on into the next stage of the process; and
▪ The excess flow into the reaction vessel means that some will leave the vessel by the overflow.
The next guideword, which is LESS, is now applied. The deviation is:
Less ‘A’ is passed into the Reaction Vessel
The causes are a little different from those when the deviation was the complete cessation of flow of ‘A’:
▪ Low level in the supply tank;
▪ The isolation valve is slightly closed;
▪ The pipeline is partly blocked; or
▪ The pump fails to produce full flow because:
  ▪ the impellers are eroded; or
  ▪ the valves are worn, etc.
Clearly these are conceivable causes and so this is a meaningful deviation.
The consequence is similar to no flow and so the potential hazard is of a possible explosion. The other guidewords are applied in a similar way.
As well as:
▪ The transfer of some component in addition to ‘A’, e.g. the supply tank is contaminated. This may cause a chemical reaction or dilute ‘A’.
Part of:
The other related deviation is that which occurs when the design intention is incompletely achieved. The guidewords are PART OF and the deviation PART OF TRANSFER ‘A’. This could mean:
▪ A component of ‘A’ is missing. Here a knowledge of the composition of ‘A’ is required so the effects of the missing component can be assessed, e.g. ‘A’ decomposes in the process or incorrect quality of supply.
Reverse:
The guideword is REVERSE and the deviation REVERSE TRANSFER OF ‘A’. This means flow from the reactor back through the pump. The flowsheet is examined to see if this is possible and the consequences are assessed.
Other than:
Lastly, there is the complete substitution of the design intention by something else. The guidewords are OTHER THAN and the deviation is OTHER THAN TRANSFER.
This could mean the transfer of a different material. The flowsheet is examined to see if this is possible. Substitution could arise in a number of ways. For example, the wrong material could be delivered, or the nature of the activity could change: can ‘A’ solidify instead of being transferred?
Table 4: Completed HAZOP Study Results
…position: BN/SL
…nt: 1: Transfer line from Supply Tank A to Reactor
…tention: ‘X’
Material: A; Activity: Transfer Continuously; Source: Tank for A; Destination: Reactor

| Deviation | Cause | Consequence | Existing Precautions | Action Required |
|---|---|---|---|---|
| …terial ‘A’ | Supply tank ‘A’ is empty | No flow of ‘A’ into reactor; Explosion | None shown | Consider installation on tank ‘A’ of a low level alarm plus a low level trip to stop pump ‘B’ |
| …ansfer of ‘A’ takes | Pump ‘A’ stopped, line blocked | Explosion | None shown | Measurement of flow rate for material ‘A’ plus a low flow alarm and a low level trip which trips pump ‘B’ |
| …ansfer of ‘A’ | Wrong size impeller; Wrong pump fitted | Possible reduction in yield; Reaction vessel overflow | None | Check pump flows and characteristics during commissioning |
| …’ | Low level in tank; Inadequate net positive suction head | Possible vortexing and leading to an explosion; Inadequate flow | None | Low level alarm in tank – same as 1 |
| …w rate of ‘A’ | Line partially blocked, leakage, pump under-performing, etc. | Explosion | None shown | Same as 2 |
| …as ‘A’. There is other …rial also present in …y tank | Contaminated supply to tank | Not known | Contents of all tankers checked and analysed prior to discharge into tank | Check operating procedure |
| 7. As well as transferring A, something else happens such as corrosion, erosion, crystallisation or decomposition | The potential for each would need to be considered in the light of more specific details | | | |
| 8. As well as transfer to the reactor there are external leaks | Line, valve or gland leaks | Environmental contamination; Possible explosion | Piping code | Locate flow sensor for trip as close as possible to the reactor |
| 9. Part of ‘A’. A qualitative decrease in ‘A’ | Decomposes; Quality of supply | Less ‘A’ delivered to process | Tanker contents identity checked and analysed prior to discharge | Check material chemical properties |
| 10. Reverse direction of flow. Material flows from reactor to supply tank. | Pressure in reactor higher than pump discharge pressure | Back contamination of supply tank with reaction material | None shown | Consider installing a non-return valve in the line |
| 11. Material other than ‘A’ in supply tank | Would depend on material | | | |
| 12. Other than transfer | Completely different activity, e.g. freeze, crystallise | Explode | Unknown | Investigate possibilities and report |
When the pipeline which introduces raw material ‘A’ has been examined, it is marked on the flowsheet as having been checked. The next part of the design is then chosen for study and this could be the pipeline which introduces raw material ‘B’ into the reaction vessel. This sequence is repeated for every part of the design, each line, the vessel auxiliaries such as stirrers, any services to the vessel such as the provision of heating and cooling and the vessel itself. This particular approach is sometimes called the ‘line by line’ method.
Only under exceptional circumstances is a written record made of every step of the examination. It is more usual to carry out the steps mentally and verbally in discussion and to write down only the potential hazards and their causes.
The proposed action is also noted if it can be agreed straight away. If there is some doubt about the action or if further information is required, the matter must be brought forward to a subsequent meeting.
Relation to Other Analysis Tools
HAZOP may be used in conjunction with other dependability analysis methods such as Fault Tree Analysis (FTA). The combinations may be utilised in situations when:
▪ The HAZOP analysis clearly indicates that the performance of a particular item of equipment is critical and needs to be examined in considerable depth; or
▪ Having examined single element/single characteristic deviations by HAZOP it is decided to assess the effect of multiple deviations using FTA, or to quantify the likelihood of the failures, again using FTA.
To model the possibility of system failures two types of model are commonly used. These are tree-like diagrams which set out to show firstly the different outcomes of a specific event and secondly the combination of events that can lead to a specific event. They are called fault trees and event trees.
Fault Tree Analysis (FTA)
FTA provides a systematic approach to the identification of the combinations of possible occurrences in a system that could combine to result in an undesirable outcome. FTA can combine hardware failures and human failures. The analysis is a ‘reverse thinking’ process, whereby the immediate causes of an undesired top event are identified. Each of the immediate causes is then analysed to identify basic causes.
The possible combinations of occurrences, once identified, are displayed graphically in a fault tree.
FTA can be useful in identifying a list of potential failures.
Limitations in the use and application of FTA include a lack of data, since it is notoriously difficult to establish reliable probability data for events and event combinations. FTA also considers multiple underlying causes of events and can therefore become extremely complex in its application.
How to Carry Out a FTA
It is essential to define the boundaries of the study to limit it to a manageable size. It is important to select and define the ‘top event’. This could typically be:
▪ Machine or process failure;
▪ Component failure;
▪ An accident;
▪ An explosion; or
▪ A system failure.
The fault tree is then constructed downward from the top event. It will look like an inverted tree, branching downwards rather than upwards.
The tree is constructed by identifying and correctly relating all events and combinations and / or sequences of events that could result in the top event. These are related through AND / OR gates.
AND / OR Gates
If a top event could only occur if both sub-event A and sub-event B occurred, this would be represented using an AND gate as illustrated in Figure 3.
For example the top event could represent a person falling from a ladder, which could be caused both by the person overreaching (sub-event A) and the ladder slipping laterally (sub-event B).
Figure 3: AND Gate (diagram: Sub-Event A and Sub-Event B feed an AND gate below the Top Event)
If a top event could only occur if either sub-event A or sub-event B occurred, this would be represented using an OR gate as illustrated in Figure 4.
For example the top event could represent a fork-lift truck overturning, which could be caused by either lateral (sub-event A) or longitudinal instability (sub-event B).
Figure 4: OR Gate (diagram: Sub-Event A and Sub-Event B feed an OR gate below the Top Event)
Figure 5 demonstrates the construction of a fault tree for the top (undesired) event of a fire in a multi-storey car park. Note that when a sub-event is not developed any further the convention is to place it in a diamond shape rather than a rectangle, and final or basic events are placed in a circle.
Figure 5: Example Fault Tree – Fire in a Multi-Storey Car Park (top event: Fire in a Multi-Storey Car Park; 1st level events: Fuel, Oxygen, Ignition Source; 2nd level events: Surface Coating, Rubbish, Petrol, Electrical Fault, Arson, Smoking)
If the failure rate or probability of basic causes can be determined, often from statistical analysis, then the following can be determined:
▪ How likely the top event occurs, i.e. the probability; and
Probability and Frequency
The probability and frequency of the top event occurring can now be calculated.
Probability: is a measure of the chance of occurrence expressed as a number between 0 and 1.
Frequency: is the number of occurrences within a given time period.
The main distinction is that frequency has units with the most common being number of events per year whilst probability is unitless and expressed as a fraction from 0 to 1.
As an example of the use of both probability and frequency, the probability of being knocked over by a car every time someone crosses the road might be 1 in a million (expressed numerically as 1 x 10^-6 or 0.000001).
Suppose that person crosses the road 1,000 times per year. Then each of those 1,000 times they cross they have a probability of being knocked over of 1 in a million (0.000001).
Therefore the frequency per year of being knocked over by a car would be:
The number of times they cross the road per year x the probability of being knocked over each time they cross.
1,000 x 0.000001 = 0.001 per year or 1 event every 1,000 years (expressed numerically as 1 x 10^-3 or 0.001).
In a work context, another example might be that the probability that a particular button fails when demanded is 1 in 100 (expressed numerically as 1 x 10^-2 or 0.01). If the button is only demanded once every 10 years (0.1 per year) then the frequency of the button failing would be 1 in 1000 (0.1 x 0.01), i.e. once every 1000 years (expressed numerically as 1 x 10^-3 or 0.001).
It should be noted that there is no direct conversion from probability to frequency and from a mathematical point of view this would not be possible because one measure is dimensionless (no units) and one has units.
Numerical Evaluation of Fault Tree
1. FOR AN ‘AND’ GATE
For an AND gate the probability of the top event occurring is calculated by multiplying the probabilities of the causes, beginning at the lower level basic causes working up to the top event.
If P1 = Probability of Basic Cause 1
and P2 = Probability of Basic Cause 2
and P = Probability of Top Event
Then P = P1 x P2
Figure 6: Numerical Evaluation of Fault Tree (AND Gate) (diagram: Basic Cause 1 (P1) and Basic Cause 2 (P2) feed an AND gate; Top Event P = P1 x P2)
NOTE: For AND Gates multiply probabilities.
2. FOR AN ‘OR’ GATE
For an OR gate the probability of the top event occurring is calculated by adding the probabilities of the causes, beginning at the lower level basic causes working up to the top event.
If P1 = Probability of Basic Cause 1
and P2 = Probability of Basic Cause 2
and P = Probability of Top Event
Then P = P1 + P2
Figure 7: Numerical Evaluation of Fault Tree (OR Gate) (diagram: Basic Cause 1 (P1) and Basic Cause 2 (P2) feed an OR gate; Top Event P = P1 + P2)
AND / OR Gate Rules
As stated previously, frequencies have units and probabilities are unitless, so care must be taken when drawing the fault tree to ensure that it is mathematically correct.
In practice this means that a frequency and a probability cannot be added together in the form of an OR gate. However, they can be multiplied together in an AND gate. AND or OR gates made up of all probabilities or all frequencies can be multiplied or added respectively.
OR Gates – Sub events must be all probabilities or all frequencies, not a mixture of both.
AND Gates – Sub events of probabilities and frequencies can be multiplied together but the resultant calculation will be a frequency.
Frequency of Top Event
Most fault trees will consist of a combination of OR and AND gates, which can be analysed by starting at the lowest level and working up to the top event.
By using these multiplication and addition rules, the frequency of the top event occurring can be calculated.
If the frequency of the top event is calculated as the number of occurrences per year (e.g. 0.1 per year), then the number of years before the event will occur can also be calculated as the reciprocal of the occurrences per year (e.g. 1 / 0.1 = 1 every 10 years).
1 in x years = 1 / (frequency per year)
Once the frequency of the top event is known then it can be compared with tolerability of risk figures when deciding if the risk is ALARP. In order to reduce the frequency of the top event, risk reduction measures should be applied to the basic causes. By reducing the probability of basic causes the frequency of the top event is reduced.
Example
Construct a Fault Tree for an accident in which a vehicle on the roundabout collides with a vehicle entering the roundabout.
Figure 8: Accident on a Roundabout
Table 5: Roundabout Frequency Data

| Sub Event | Frequency (per year) |
|---|---|
| Brake failure | 0.01 |
| Driving too fast | 0.05 |
| Poor tyres | 0.001 |
| Poor visibility | 0.05 |
| Suicide | 0.001 |
| Driver fainted | 0.01 |

Probability P of Vehicle ‘on roundabout’ is 0.2
Using the data in Table 5 and the above probability, determine the Frequency of an Accident on the roundabout.
Figure 9: Example of a Fault Tree Numerical Analysis - Accident on a Roundabout (top event: Crash on roundabout; events shown at the 1st and 2nd levels: Vehicle on roundabout (0.2), Vehicle approaching roundabout does not stop, Vehicle could not stop, Driver did not stop vehicle; 3rd level basic events: Brake failure, Too fast, Poor tyres, Poor visibility, Suicide, Driver fainted; gates: three OR, one AND)
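The AND / OR gate rules above applied to the Table 5 data, as an added example that is not part of the original text: a small fault tree evaluator that tracks whether each value is a probability or a frequency and rejects an OR gate that mixes them. The class and function names are illustrative, and the grouping of the six basic events under the two intermediate OR gates is assumed from the figure labels; the top-event result does not depend on that grouping.

```python
from dataclasses import dataclass

PROB = "probability"  # dimensionless, between 0 and 1
FREQ = "frequency"    # occurrences per year


@dataclass(frozen=True)
class Quantity:
    value: float
    kind: str

    def __post_init__(self):
        if self.kind not in (PROB, FREQ):
            raise ValueError(f"unknown kind: {self.kind!r}")
        if self.value < 0 or (self.kind == PROB and self.value > 1):
            raise ValueError(f"{self.kind} out of range: {self.value}")


@dataclass(frozen=True)
class Basic:
    name: str
    quantity: Quantity


@dataclass(frozen=True)
class Gate:
    name: str
    op: str        # "AND" or "OR"
    inputs: tuple  # child Basic / Gate nodes


def evaluate(node):
    """Work up from the basic causes to this node and return a Quantity."""
    if isinstance(node, Basic):
        return node.quantity
    if not node.inputs:
        raise ValueError(f"gate {node.name!r} has no inputs")
    values = [evaluate(child) for child in node.inputs]
    kinds = {v.kind for v in values}
    if node.op == "OR":
        # OR rule: sub events must be all probabilities or all frequencies.
        if len(kinds) != 1:
            raise ValueError(f"OR gate {node.name!r} mixes probabilities and frequencies")
        # Plain addition is only a good approximation for small probabilities;
        # a probability sum above 1 is rejected by Quantity.
        return Quantity(sum(v.value for v in values), kinds.pop())
    if node.op == "AND":
        # AND rule: multiply; any frequency input makes the result a frequency.
        product = 1.0
        for v in values:
            product *= v.value
        return Quantity(product, FREQ if FREQ in kinds else PROB)
    raise ValueError(f"unknown gate type: {node.op!r}")


def return_period_years(q):
    """'1 in x years' is the reciprocal of the frequency per year."""
    if q.kind != FREQ or q.value <= 0:
        raise ValueError("return period needs a non-zero frequency")
    return 1.0 / q.value


def per_year(name, value):
    return Basic(name, Quantity(value, FREQ))


def roundabout_tree():
    # Frequencies from Table 5; grouping under the two OR gates is assumed.
    could_not_stop = Gate("Vehicle could not stop", "OR", (
        per_year("Brake failure", 0.01),
        per_year("Too fast", 0.05),
        per_year("Poor tyres", 0.001)))
    did_not_stop = Gate("Driver did not stop vehicle", "OR", (
        per_year("Poor visibility", 0.05),
        per_year("Suicide", 0.001),
        per_year("Driver fainted", 0.01)))
    does_not_stop = Gate("Vehicle approaching roundabout does not stop", "OR",
                         (could_not_stop, did_not_stop))
    on_roundabout = Basic("Vehicle on roundabout", Quantity(0.2, PROB))
    return Gate("Crash on roundabout", "AND", (on_roundabout, does_not_stop))


if __name__ == "__main__":
    top = evaluate(roundabout_tree())
    print(f"{top.kind}: {top.value:.4f} per year, "
          f"1 in {return_period_years(top):.0f} years")
```
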