Hazid, A Computer Aid for Hazard Identification


0957–5820/00/$10.00+0.00 © Institution of Chemical Engineers Trans IChemE, Vol 78, Part B, March 2000

HAZID, A COMPUTER AID FOR HAZARD IDENTIFICATION: 4. Learning Set, Main Study System, Output Quality and Validation Trials

S. A. McCOY (ASSOCIATE MEMBER), S. J. WAKEMAN, F. D. LARKIN (ASSOCIATE MEMBER), P. W. H. CHUNG, A. G. RUSHTON (MEMBER) and F. P. LEES (FELLOW)†

Department of Chemical Engineering, Loughborough University, Loughborough, UK

The hazard and operability, or HAZOP, study is a prime method for the identification of hazards on process plants. This is the fourth in a series of papers which describe progress in the emulation of hazard identification in the style of HAZOP. The work reported is embodied in a computer aid for hazard identification, or HAZOP emulator, HAZID. The HAZID code is one of a suite of codes developed as part of the STOPHAZ project. The present paper describes the learning set of case study plants and the main case study system, used to improve the HAZID models by providing feedback on weak areas of the unit and fluid models. It also discusses the issues of correctness, completeness and conciseness in connection with output quality from HAZOP emulation. A test set of case studies was used to validate performance; the results of the evaluation of HAZID using these case studies are also discussed. Companion papers describe: an overview of HAZID, with an account of HAZOP and HAZOP emulation, and of the issues underlying it, the structure of HAZID and the associated tools in the STOPHAZ package; the unit model system; the fluid model system and the evaluation of consequences; some development topics. Conclusions from the work are given at the close of the final paper.

Keywords: hazard identification; HAZOP; computer-assisted hazard identification.

INTRODUCTION

This paper is the fourth in a series on computer aiding of hazard identification and describes the use of case study plant systems to evaluate, improve and quantitatively measure the quality of the output produced by the HAZOP emulation tool, HAZID. The content of the other papers is outlined in Part 1¹.

During the development of the HAZID program, and during the development of the unit and fluid models used in conjunction with HAZID, it was often necessary to evaluate the quality of output produced by the system. A number of case study plants were used, not only to check the functionality of the HAZID system, but also to identify areas of weakness in the output produced. By addressing the weaknesses identified, the unit and fluid models in the system were improved. The set of case study plant models used for this purpose was therefore dubbed the 'learning set'.

Whilst the performance of HAZID on the learning set plants may indicate progress, it is also important to know how HAZID will perform on a plant system never seen before. Towards the end of the STOPHAZ project, the output quality of the HAZID system was evaluated using a number of other plant systems which had not been used during the model development stage. A test protocol was developed to measure the value of the results produced by HAZID, in comparison to the results of a conventional HAZOP study, and this method was used to evaluate the performance of HAZID on five 'test set' plants.

This paper first of all gives a description of the learning set used during model and program development, including the comparatively large benzene plant section used as a main study system. The issues of output quality are then analysed in terms of correctness, completeness and conciseness. A description of the test protocol, used to evaluate HAZID output for the test set plants, is then given. After a brief description of the test set plants used, the results of applying this protocol to the test set plants are discussed.

† Frank Lees (1931–1999), Professor of Plant Engineering, Loughborough University.

LEARNING SET

In order to test HAZID, information on a number of plant systems was collated to serve as a learning set. Many of these are systems which have been described in the literature, in relation to HAZOP studies. This learning set has been used to guide the development of HAZID, and in particular of the unit model library. The systems are as follows:

· Water separator system (Lawley²);
· Extended water separator system (Lawley²);
· Methanator (Wells and Phang³);
· Flammable reagent storage tank (Ozog⁴);
· Gas preheating section (Rushford⁵);
· Ammonia oxidation reactor (Sinnott⁶);
· Polyethylene reactor (Kavianian et al.⁷).

Water Separator System

The water separator system shown in Figure 1 is a section of a larger plant system described by Lawley² in his classic exposition of the HAZOP study. The items of equipment include a liquid-liquid separator, a heat exchanger, a pipeline, a pump and several valves. The fluids are an olefins mixture, water, nitrogen, pump lubricant and olefin dimer. Features of interest include:

· The olefins mixture is flammable;
· There is a possibility of water breakthrough at the separator;
· A possibility of the pump lubricant being an emulsifier;
· Olefin may polymerize and cause a blockage.

Figure 1. Learning set: water separator system (after Lawley²).

Extended Water Separator System

The extended water separator system shown in Figure 2 is the full plant system described by Lawley². Items of equipment additional to those mentioned above are a storage tank and a reactor, and one additional fluid (steam) is present. The extra features of interest are:

· There is a heat recycle;
· The reaction is exothermic and may be subject to runaway;
· The reactor is catalytic and catalyst poisoning may therefore be a consideration.

Figure 2. Learning set: extended water separator system (after Lawley²).

Methanator

Figure 3 shows a methanator plant system described by Wells and Phang³. The items of equipment are a reactor, a gas-liquid separator, two heat exchangers and a centrifugal compressor. The fluids present are hydrogen and water. Features of interest are:

· Flammable gases are present;
· There is heat recycle;
· A possibility of gas breakthrough at the separator;
· The reaction is exothermic (runaway reaction);
· The reactor is catalytic (catalyst poisoning);
· A possibility of liquid droplets entering the compressor and causing damage.

Figure 3. Learning set: methanator (after Wells and Phang³).

Flammable Reagent Storage Tank

The flammable reagent storage tank shown in Figure 4 is described by Ozog⁴. The items of equipment are a blanketed storage tank, a pump and several valves and the fluids are the flammable reagent and nitrogen. The main feature of interest is that the liquid reagent is flammable.

Figure 4. Learning set: flammable reagent storage tank (after Ozog⁴).

Gas Preheating Section

The gas preheating section shown in Figure 5 is part of a larger plant system described by Rushford⁵ in relation to a HAZOP study. The items of equipment are a centrifugal compressor, a gas-liquid separator, a heat exchanger and a valve and the fluids are gas, steam and oil. Features of interest are that there is a flammable gas and the possibility of liquid droplets entering the compressor.

Figure 5. Learning set: gas preheating section (after Rushford⁵).

Ammonia Oxidation Reactor

The ammonia oxidation reactor shown in Figure 6 is described by Sinnott⁶, in relation to a HAZOP study. The items of equipment are a filter, a centrifugal compressor, an evaporator, a reactor and a pump. The fluids are ammonia, air, nitrous gas and steam. Features of interest are that:

· There is a cryogenic liquid;
· There is a toxic/flammable gas;
· There is ratio control of the reactants;
· The reaction is exothermic (runaway reaction);
· The reactor is catalytic (catalyst poisoning).

Figure 6. Learning set: ammonia oxidation reactor (after Sinnott⁶).

Polyethylene Reactor System

The polyethylene reactor system shown in Figure 7 is described by Kavianian et al.³ The items of equipment are two centrifugal compressors, a reciprocating compressor, a jacketed reactor, a separator, a heat exchanger and five pumps. The fluids present are ethylene, polyethylene, initiator and water. The features of interest are:

· The presence of flammable gases;
· Recycle of unused reactant;
· The reaction is exothermic (runaway reaction);
· A reaction initiator is present;
· There is polymer transportation.

Figure 7. Learning set: polyethylene reactor (after Kavianian et al.⁷).

Units and Fluids Covered

Table 1 summarizes the principal units in the learning set plants, suggesting that there is a core group of commonly occurring unit types and also that most systems contain one or two less common units. It should be borne in mind that the description of a unit as a 'reactor' or a 'pump' can obscure differences of detail which can be significant for the HAZOP. The principal fluids in the systems are shown in Table 2. This suggests that there is a core group of commonly used fluids which are the utility fluids and that the process fluids are more likely to be specific to the particular process.

Table 1. Learning set: principal units. [Table: plant models in columns (Lawley; Lawley (extended); Wells and Phang; Ozog; Rushford; Sinnott; Kavianian et al.), process units in rows (Pump; Valve; Pipeline; Liquid-liquid separator; Gas-liquid separator; Heat exchanger; Storage tank (inserted); Reactor; Reactor (jacketed); Compressor; Compressor (reciprocating); Filter; Evaporator); a Y marks each unit present in a plant.]

Table 2. Learning set: principal fluids. [Table: plant models in columns (Lawley; Lawley (extended); Wells and Phang; Ozog; Rushford; Sinnott; Kavianian et al.), fluids in rows (Nitrogen; Water; Steam; Air; Olefin; Olefin dimer; Lubricant; Hydrogen; Flammable reagent; Oil; Ammonia; Nitrous gas; Ethylene; Polyethylene; Reaction initiator); a Y marks each fluid present in a plant.]

MAIN STUDY SYSTEM: BENZENE PLANT

The plant system principally used in this work, for developing and improving the unit models and fluid model systems, is a design for a benzene plant described originally by Wells, Seagrave and Whiteway⁸.

Process Description

Benzene is produced by reacting toluene with hydrogen in the presence of a catalyst, methane being a by-product. The catalyst used in the process was not specified in the original reference⁸, but chromium oxide catalysts have been used for such processes. The major steps involved in the process are:

· Fresh toluene is mixed with recycled toluene liquid, from the distillation column (T-101). The resulting mixture is fed to the storage tank (TK-101).
· The toluene is pumped from the storage tank and mixed with a mixture of fresh and recycled unreacted hydrogen.
· The hydrogen/toluene mixture is vaporized in the heat exchangers (E-101A and B) and then superheated in the furnace (H-101), before being fed to the fixed bed catalytic reactor (R-101).
· The reactor product is cooled in a series of heat exchangers to condense the benzene and the unreacted toluene, leaving mainly hydrogen and methane. This gas is separated from the condensate and recycled.
· The benzene/toluene mixture condensed from the reactor product stream is fed to the distillation column (T-101), where the benzene and toluene are separated from each other. The benzene (top product) is fed to storage and the toluene (bottom product) is recycled.

Conventional Hazard Studies

In order to provide a standard of comparison for HAZID, hazard studies were conducted on the benzene plant. A well established system is that operated by ICI, in which HAZOP is carried out as hazard study 3. Rather than launch directly into a HAZOP study, the normal procedure was followed of conducting hazard studies 1 and 2 first.

Hazard study 1 examines the properties of the substances handled in the plant. For the benzene plant the principal substances are: benzene, toluene, oxygen, hydrogen, methane, nitrogen and catalyst. For each of these chemicals a sheet was prepared giving property data and information on chemical hazards and means of handling.

The second hazard study utilizes a set of guide words prompting for hazards such as Fire, Explosion, Noxious exposure, etc., which are applied to broad sections of the plant, such as Feed system, Reaction, Separation, etc.

The third hazard study, which is the HAZOP proper, was conducted in the normal way by a team from the project, which included experienced industrial personnel. Besides the ELD, the study team generally requires additional background information on the plant, including operating procedures. Table 3 shows part of the output record of this HAZOP study.

Table 3. Benzene plant Hazard Study 3 (HAZOP): section of output record.

Column headings: Item/Line/Stage; Deviation; Causes; Consequences; Preventive or corrective action (safeguards); Action required; Action by; Action Ref. No.

Toluene from BL to junction with recycle line
High pressure source
Locked-in Liquid hammer
High pressure
Already considered – "" –
Benzene-contaminated toluene flow back to toluene source
Valve closed suddenly
Toluene BL low pressure
Potential liquid hammer
Isolated
No flow
Reverse flow
Potential lock-in and overpressure of feed line with hydraulic expansion
Supply pressure low Valve closed
Low tank level, potential problems on pump - to be considered later
– "" –
Control valve passes when low or no demand
Instrument air failure opens valve?
– "" –
– "" –
Potential tank overflow
Bypass left open or opened in error
High pressure supply Control valve fails open
Low flow
High flow
LIAL + LAL if LT has not failed high
LIAH LAH will work unless LT has failed to a low reading, hence need for the independent LIAH
Assumed maximum pressure is less than line and in-line equipment pressure ratings
Decide if there is a problem with reverse flow to toluene source
Ensure closing time on LCV and manual isolation is sufficiently long to prevent liquid hammer pressure rise
Check if line can be isolated at source, e.g. by valve or NRV, and, if so, hydraulic pressure relief is required
Make control valve air fail close
1/12
1/11
1/10
1/6
1/5
Include in operating instructions the requirement to isolate the feed to the tank manually when there is an extended plant shutdown
1/3
1/2
1/1
1/4
Confirm overflow protection is as specified following the Hazard Study 2 action
Remove LCV bypass to reduce risks of wrong operation or failures
Check maximum line pressure is within control valve actuation design limits Design LCV with inlet pressure on top of plug
Note that LIC control action needs correct specification to avoid integral saturation, e.g. by proportional action only
General
1/14c
Vent gas from blowing through needs to be vented safely, e.g. to vent header
1/16
1/15
1/14b
What facilities are required at benzene and source plant?
1/13b
1/13a
1/14a
Consider means of isolating and blowing out transfer line: potential hazard of very high nitrogen/liquid flow to tank, potential relief
Ensure all valves specified as fire-safe
Check possible scenarios for toluene to be supplied at high temperature
Who owns/inspects the inter-plant pipeline?
Testing
TI on tank
Equipment registration
Water from pressure testing or contaminated feed
Contaminants
No problem: freezing point is -95°C
No known effect on process apart from loss of production
Fire
Cold ambient
Failure of equipment or isolation
Source toluene at higher temperature
Low temperature
Increases vapour from tank venting, toxic possibility
As Reverse flow
High temperature
Low pressure

Notes: BL, battery limits; EIV, emergency isolation valve; FA, flame arrestor; FCV, flow control valve; H, high; L, low; LA, level alarm; LCV, level control valve; LIA, level indicator alarm; LIC, level indicator controller; LO, lock open; LOC, loss of containment; LT, level transmitter; NRV, non-return valve; PC, pressure control; PCV, pressure control valve; PI, pressure indicator; PIA, pressure indicator alarm; RO, restriction orifice; SHE, safety, health and environment; TI, temperature indicator.

HAZID Emulation of HAZOP

HAZOP emulation using HAZID involves the user in the following activities:

1. Identification of plant items which require unit models not already in the unit model library.
2. Creation of these unit models using the template library and Model Generation Tool, and their entry into the unit model library. Creation of an API database model for the unit using the Unit Model Application Tool. Creation of a corresponding icon, using the Graphical Configuration Tool, and its entry into icon library.
3. Entry of the plant line diagram using the Graphical Tool and assignment of unit models to plant items.
4. Entry of the list of fluids in plant, of the unit attributes and of the stream attributes.
5. Selection of run options.
6. Selection of output options.
7. Run program.

The unit models required for the benzene plant are: atmospheric storage tank, pump, emergency isolation valve, non-return valve, heat exchanger, furnace, reactor, knockout pot, distillation column and compressor. A section of the output report for the benzene plant is shown in Table 4. Earlier versions of AutoHAZID generated reports which contained a number of defects which have been remedied in later work. The improvements effected are discussed in the following sections.

OUTPUT QUALITY

The acceptability of a tool such as AutoHAZID depends on a number of factors, of which the two most significant are the ease of data input and the quality of the output report. It is the latter which is considered here. A distinction may be made between the quality of the output produced by the inference process and the quality of the reporting of that output itself. Both are important. The output report gives information on scenarios and on protections against these. The requirements are therefore to:

1. Report valid and interesting scenarios;
2. Report these scenarios in a concise but natural way;
3. Avoid reporting incorrect scenarios;
4. Avoid reporting valid but uninteresting scenarios;
5. Report valid protections against the scenarios identified;
6. Avoid reporting incorrect protections.

Three key measures of quality in hazard identification can thus be identified: correctness, completeness and conciseness. While these are also important in conventional hazard identification, their importance for HAZOP emulation is much more acute, because computer programs lack much of the 'common sense' world knowledge which humans take for granted. The issues of correctness, completeness and conciseness will be further discussed in the following sections.

CORRECTNESS

Errors in HAZOP emulation tend to be associated with the following features:

1. Plant description;
2. Unit models;
3. Data entry;
4. Ambiguity of influences;
5. Fluid and phase effects.

Correctness of Plant Description

Incomplete information on the configuration and states of equipment within a plant context is one potential source of error. It is necessary to ensure that the plant description gives a full definition of these aspects. Configurational features include series, parallel or standby operation, staggered operation, etc. The example was given in the first paper of two pumps on the ELD piped up in parallel. It is necessary to define whether these are two 50% pumps operating in parallel, two 100% pumps operating in parallel, or one working pump and one standby. The state of an equipment is equally important. From the point of view of modelling, a normally closed valve is different from a normally open one, and different models are used.

Correctness of Unit Models

Deficiencies in the unit models are a potential source of error. Models which are used frequently are likely to have the bugs ironed out, but those which are used only infrequently or which have just been created by the user for the case in hand are more likely to contain defects. Some steps which can be taken to improve the correctness of a unit model, and its correct deployment in a plant description, include:

· Documentation of model status;
· Model selection aids;
· Model generation aids.

A unit model in the unit model library can be provided with information on the creator; the date created; whether or not it is the product of a full equipment HAZOP, as described below; the version number of the model, which is an indication of the extent to which it has been modified; and the plant systems on which it has been used. This provides the user with some indication of the probable quality of the unit model.

Most of the unit models required for a given plant system are likely to exist already in the unit model library. The user needs guidance, however, on selecting the right model. This problem will necessarily grow as more models, with finer differentiations, are added to the library. In the project this is addressed by the use of a hierarchical structure of parent and child models.

There will generally be a small proportion of the unit models which are not found in the unit model library and which the user will therefore need to create and to enter into the library. Two model generation aids are provided: the Model Generation Tool and the template library. These have been described in Part 2⁹.

Errors in Data Entry

Another potential source of error is simple mistakes made in entering data. AutoHAZID contains, at a number of points, checks on the input data. All model data are read through a parser, which finds any syntax errors and checks that no model or instance of a model has a name identical to another model or instance in the system. More rigorous tests are made on the consistency of the plant model information once it has been loaded. These tests check that all connections between ports are strictly 'one-to-one', that all connections required in unit models have been made in the plant description and that there are no non-zero flow rates for fluids in dead-ends. A check is also made to see that all the named fluid components in the plant are known to the physical properties system, if that system is loaded.

Ambiguity of Qualitative Influences

The inference process used in HAZOP emulation is generally based on qualitative modelling. Such modelling has the defect that there is sometimes an ambiguity as to the dominant influence on a variable, so that it is unresolved whether the net effect of the influences is to cause a positive or a negative deviation in that variable. Ambiguity of influences arises particularly in relation to the following configurations:

· Headers and dividers - Process plants are replete with dividers, headers and divider-header combinations.
· Feedback loops - Another common feature in process plants is various forms of feedback loop. These include feedback control loops, material and heat recycle loops, kickback lines, etc.

Fluid and Phase Effects

Another potential source of error is fluid and phase effects. It is possible for the inference engine to develop fault paths which in reality are infeasible because they imply fluid states or phases which are incompatible with the path. An example is propagation of a low temperature by a fluid which would in fact freeze. One solution to this problem, discussed in Part 3¹⁰, is to make use of the fluid model system to make a quantitative check, but this presupposes that the fluid data needed are available and have been correctly entered into the plant description.
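The input consistency tests listed under Errors in Data Entry can be sketched as follows. This is an added example, not AutoHAZID code: the model library, port names, dead-end flag and both sample plants are constructed for illustration.

```python
from collections import Counter

# Hypothetical unit model library: model name -> (required ports, is_dead_end).
# None of these definitions come from the HAZID unit model library.
MODELS = {
    "source": ({"out"}, False),
    "tank": ({"in", "out"}, False),
    "pump": ({"in", "out"}, False),
    "tee": ({"in", "out1", "out2"}, False),
    "sink": ({"in"}, False),
    "cap": ({"in"}, True),  # capped branch, i.e. a dead-end
}
_NO_MODEL = (set(), False)


def check_plant(instances, connections, fluids, known_fluids=None, models=MODELS):
    """Return the list of consistency errors found in a plant description.

    instances    list of (instance_name, model_name)
    connections  list of ((unit, port), (unit, port), flow_rate)
    fluids       fluid component names used in the plant
    known_fluids names known to the physical properties system, or None
                 when that system is not loaded (the check is then skipped)
    """
    errors = []

    # No model or instance may share its name with another model or instance.
    names = Counter([name for name, _ in instances] + list(models))
    errors += [f"duplicate name: {n}" for n, c in sorted(names.items()) if c > 1]

    model_of = dict(instances)
    for name, model in instances:
        if model not in models:
            errors.append(f"unknown model: {name} uses {model}")

    # Connections between ports must be strictly one-to-one.
    used = Counter()
    for a, b, _flow in connections:
        for unit, port in (a, b):
            if port not in models.get(model_of.get(unit), _NO_MODEL)[0]:
                errors.append(f"no such port: {unit}.{port}")
            used[(unit, port)] += 1
    for (unit, port), count in sorted(used.items()):
        if count > 1:
            errors.append(f"port not one-to-one: {unit}.{port} has {count} connections")

    # Every port a unit model requires must be connected in the plant.
    for name, model in instances:
        for port in sorted(models.get(model, _NO_MODEL)[0]):
            if used[(name, port)] == 0:
                errors.append(f"unconnected port: {name}.{port}")

    # A stream ending in a dead-end cannot carry a non-zero flow.
    for a, b, flow in connections:
        for unit, _port in (a, b):
            if models.get(model_of.get(unit), _NO_MODEL)[1] and flow != 0:
                errors.append(f"non-zero flow into dead-end: {unit} ({flow})")

    # Fluids are checked only if the physical properties system is loaded.
    if known_fluids is not None:
        for fluid in sorted(set(fluids) - set(known_fluids)):
            errors.append(f"fluid unknown to physical properties system: {fluid}")
    return errors


# Constructed sample plants; tag names echo the benzene plant feed section.
GOOD = dict(
    instances=[("feed", "source"), ("tk101", "tank"), ("p101a", "pump"),
               ("tee1", "tee"), ("drain", "cap"), ("process", "sink")],
    connections=[(("feed", "out"), ("tk101", "in"), 10.0),
                 (("tk101", "out"), ("p101a", "in"), 10.0),
                 (("p101a", "out"), ("tee1", "in"), 10.0),
                 (("tee1", "out1"), ("process", "in"), 10.0),
                 (("tee1", "out2"), ("drain", "in"), 0.0)],
    fluids=["toluene", "nitrogen"],
    known_fluids={"toluene", "nitrogen", "benzene"},
)
BAD = dict(
    # Instance "pump" clashes with the model name "pump".
    instances=[("feed", "source"), ("tk101", "tank"), ("pump", "pump"),
               ("tee1", "tee"), ("drain", "cap"), ("process", "sink")],
    connections=[(("feed", "out"), ("tk101", "in"), 10.0),
                 (("tk101", "out"), ("pump", "in"), 10.0),
                 (("tk101", "out"), ("tee1", "in"), 10.0),   # tk101.out used twice
                 (("tee1", "out1"), ("process", "in"), 8.0),
                 (("tee1", "out2"), ("drain", "in"), 2.0)],  # flow into a dead-end
    fluids=["toluene", "foamex"],  # "foamex" is a made-up component name
    known_fluids={"toluene"},
)

if __name__ == "__main__":
    for label, plant in (("good", GOOD), ("bad", BAD)):
        print(label, check_plant(**plant))
```

Running every check and returning the full error list, instead of stopping at the first failure, lets a data-entry mistake be corrected in one pass.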

COMPLETENESS

The question of completeness in hazard identification has been addressed particularly by Taylor¹¹,¹². A brief account of this work is given by Lees¹³. Further work on completeness, as an aspect of quality assurance, has been described by Rushton¹⁴. In the present work, the problem of completeness has been approached at two levels, in terms of alternatives to HAZOP and quality of HAZOP.

Alternatives to HAZOP

If one considers the way in which hazard identification techniques have developed in the process industries, it is clear that a variety of methods are needed. Among the most widely used are HAZOP, failure modes and effects analysis, and fault tree analysis. The hazard study system used, for example, in ICI, involves some six levels of hazard study, each of which is different. Within this project the HAZOP emulator proper has been complemented by a configuration checker which detects a small number of gross errors in the plant design. Another complementary tool is fault tree analysis. A method for the computer-aided synthesis of fault trees has been described by Kelly and Lees¹⁵⁻¹⁸. This methodology is similar to HAZID, particularly in respect of the plant description and input data and of the unit models.

Quality of HAZOP

Turning to HAZOP emulation itself, it is probably fair to say that a balanced view of what needs to be done to ensure a high level of completeness must await further experience in the practical use of HAZID. But certain aspects are clear enough. In large part completeness depends on the HAZOP structure and the diversity of supporting techniques, and on the quality of the systems dealing with unit and fluid models. Suggestions made above, in connection with the correctness of unit models, are equally helpful for considering how to develop models which can be considered 'complete' in some respects.

HAZOP Structure

As already described, in the original work by Parmar and Lees¹⁹,²⁰ no assumption was made initially as to the form the hazard identification process should take. Candidate methods included, as well as HAZOP, top-down methods such as fault tree analysis and bottom-up methods such as failure modes and effects analysis. However, fault tree analysis requires for completeness that the user identify at the start all the top events. Likewise, failure modes and effects analysis requires identification of all the failure modes. The problem appears open-ended. HAZOP, by contrast, has the unique feature that the systematic examination of each line using each guide word ensures at least that every deviation is considered, even if it does not guarantee any more than the other methods that every cause and every consequence is identified. No doubt with perfect unit model and fluid model systems the various methods are equivalent, but given imperfection the HAZOP method appears more robust.

Diversity of Supporting Techniques

The point has already been made that in hazard identification generally, industry has found it useful to utilize a variety of techniques, and that no one technique has supplanted the others. Likewise, it is expected that a high quality HAZOP emulator will use a diversity of reasoning techniques and rule sets to achieve an optimum result.

Unit Models

The inference engine is able to generate fault paths and scenarios only if the corresponding faults are already there in the unit models. As an example, consider the consequence 'high water content' in the outlet flow from a water separator. A first model of this might have as a cause 'high water content' in the inlet flow to the separator. A second version might add as a cause 'high flow' into the separator. A third, and more sophisticated, version might include as a cause a contaminant which is a foaming agent in the inlet flow. However, this enhancement of the water separator model does not alone suffice. For this last scenario to be realized, it is necessary for there to be a source of such a contaminant. This source might be a lubricant which leaks into the stream from a pump. Whether a fault path can be generated for such a scenario depends on the pump model.
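The dependence described above, where the foaming-agent scenario appears only when both the separator model and the pump model contain the relevant entries, is shown in this added example. It is not HAZID code: the model representation, the deviation names and the 'wet feed upstream' and 'pump overspeed' faults are constructed for illustration.

```python
# A unit model maps an effect (port, deviation) to its possible causes.
# A cause is ("fault", description) or ("dev", port, deviation) on the same unit.
# All models below are constructed for illustration.
FEED = {("out", "highWaterContent"): [("fault", "wet feed upstream")]}

PUMP_BASIC = {
    ("out", "highWaterContent"): [("dev", "in", "highWaterContent")],
    ("out", "highFlow"): [("fault", "pump overspeed")],
}
# Enhanced pump model: adds a source for the foaming-agent contaminant.
PUMP_WITH_LEAK = dict(PUMP_BASIC)
PUMP_WITH_LEAK[("out", "foamingAgent")] = [("fault", "lubricant leaks into stream")]

_WET = ("out", "highWaterContent")
SEPARATOR_V1 = {_WET: [("dev", "in", "highWaterContent")]}
SEPARATOR_V2 = {_WET: SEPARATOR_V1[_WET] + [("dev", "in", "highFlow")]}
SEPARATOR_V3 = {_WET: SEPARATOR_V2[_WET] + [("dev", "in", "foamingAgent")]}

# Constructed plant: feed -> p1 (pump) -> sep (water separator).
UPSTREAM = {("p1", "in"): ("feed", "out"), ("sep", "in"): ("p1", "out")}


def initiating_faults(library, unit, port, deviation, seen=None):
    """Backward-chain from a deviation at a port to the faults that can cause it."""
    seen = set() if seen is None else seen
    key = (unit, port, deviation)
    if key in seen:          # guard against recycle loops in the plant
        return set()
    seen.add(key)

    # At an inlet, the deviation must arrive from the connected upstream outlet.
    if (unit, port) in UPSTREAM:
        up_unit, up_port = UPSTREAM[(unit, port)]
        return initiating_faults(library, up_unit, up_port, deviation, seen)

    found = set()
    # Only causes present in the unit model can ever be reported.
    for cause in library[unit].get((port, deviation), []):
        if cause[0] == "fault":
            found.add((unit, cause[1]))
        else:
            found |= initiating_faults(library, unit, cause[1], cause[2], seen)
    return found


def causes_of_wet_outlet(separator_model, pump_model):
    """Faults that lead to 'high water content' at the separator outlet."""
    library = {"feed": FEED, "p1": pump_model, "sep": separator_model}
    return sorted(initiating_faults(library, "sep", "out", "highWaterContent"))


if __name__ == "__main__":
    for sep_name, sep in (("v1", SEPARATOR_V1), ("v2", SEPARATOR_V2), ("v3", SEPARATOR_V3)):
        for pump_name, pump in (("basic", PUMP_BASIC), ("with leak", PUMP_WITH_LEAK)):
            print(sep_name, pump_name, causes_of_wet_outlet(sep, pump))
```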

McCOY et al.

100

Table 4. Benzene plant HAZOP emulation: section of output report. Deviation

Causes

Consequences

blPipe moreFlow in

blPipe leak to environment

toxic release 2, ®re/explosion risk 2

blPipe lessPressure in

lcv1 leak to environment, valve23 (etc) leak to environment, valve22 leak to environment, e107 leak to environment

toxic release 2, ®re/explosion risk 2

b1Pipe morePressure in

b1Pipe unit can be locked in

potential for liquid lock in and damage to unit by thermal expansion 3

blPipe moreTemp out

tolueneInlet high temp upstream, blPipe external ®re, blPipe hot weather

design temp exceeded

blPipe maintenance

blPipe no vents available

inadequate isolation and drainage 2

tk101 lessFlow in1

lcv1 control failureÐclosed, valve23 (etc) partly closed, e107 (etc) leak to environment, valve2 (etc) leak to environment, tolueneRecycle low pressure upstream, valve22 partly closed, valve1 (etc) leak to environment, tolueneInlet low pressure upstream, lcv1 (etc) leak to environment, blPipe (etc) leak to environment, valve22 (etc) leak to environment, dv1 opened or passing

potential layering and rollover 2

tk101 moreFlow out8

dv2 leak to environment

toxic release 2, ®re/explosion risk 2

tk101 moreFlow out2

eiv1 (etc) leak to environment, p101 a leak to environment, dv3 leak to environment, eiv2 (etc) leak to environment

toxic release 2, ®re/explosion risk 2

tk101 moreFlow out3

valve5 leak to environment

®re/explosion risk 2, toxic release 2

tk101 moreTemp liquid

blPipe external ®re, tk101 external ®re, tolueneInlet high temp upstream e107 moreTemp shell side out

design temp exceededÐstructural weakening 2

tk101 contamination liquid

tolueneInlet upstream contamination, e107 tube rupture, tolueneRecycle upstream contamination

liquid contents contaminated 3

tk101 lessLevel liquid

tk101 liquid leak to environment

gas breakthrough 3, flammable liquid release 2, toxic liquid release 2

lcv1 control failure - closed, dv4 (etc) opened or passing, valve5 (etc) leak to environment, eiv2 opened or passing, dv2 leak to environment, valve22 (etc) leak to environment, dv2 opened or passing, dv1 (etc) leak to environment, valve4 (etc) leak to environment, valve23 (etc) partly closed, e107 (etc) leak to environment, tolueneRecycle low pressure upstream, valve1 (etc) leak to environment, blPipe (etc) leak to environment, valve3 (etc) leak to environment, lcv1 (etc) leak to environment, dv1 opened or passing, dv3 opened or passing, p101a leak to environment, valve22 partly closed, tolueneInlet low pressure upstream

gas breakthrough 3

lcv1 control failure - open, valve4 (etc) closed, tolueneInlet high pressure upstream, valve4 (etc) partly closed

vessel overfilling 2

tk101 moreLevel liquid

valve8 blockage - frozen fluid, e107 (etc) tube rupture, tolueneRecycle high pressure upstream, p101a noFlow in, valve1 opened or passing, p101a revFlow out, lcv1 passes when no flow is desired

tk101 lessPressure vapour

tk101 vapour leak to environment

air ingress - explosion risk 4, toxic vapour release 2, flammable vapour release 2, vessel depressurisation 2

valve11 leak to environment, tk101 lessTemp liquid, valve10 leak to environment

air ingress - explosion risk 4, vessel depressurisation 2

tk101 morePressure vapour

valve10 opened or passing, tk101 moreTemp liquid, valve11 opened or passing, vent1 incorrect sizing

possible overpressure rupture 2

tk101 moreTemp vapour

tk101 moreTemp liquid, tk101 external fire

design temp exceeded - structural weakening 2

tk101 notes

lt1 shared sensor

possible loss of control and alarm system due to sensor failure 3

tk101 maintenance

tk101 cannot isolate necessary lines

inadequate isolation and drainage 2

p101a noFlow in

valve4 (etc) closed

dry running - possible pump rupture 2

p101a revFlow in

fcv1 control failure - open, e101a interface failure, p101a incorrect pump setup/installation, fcv1 passes when no flow is desired, eiv1 (etc) leak to environment, e101b (etc) tube rupture, p101a morePressure out, toE103 low pressure downstream, e101a (etc) tube blockage, fromE106 high pressure upstream, hydrogenIn high pressure upstream, r101 outlet completely blocked, tk101 lessTemp liquid, r101 outlet blocked by frozen fluid, e101b moreTemp shell side out, reactorEffluent blockage - frozen fluid, reactorEffluent complete blockage downstream, valve16 opened or passing, reactorEffluent high pressure downstream, recycleGas high pressure upstream, r101 reactor coking, p101a loss of drive, recycleGas low temp upstream, r101 outlet partly blocked, hydrogenIn low temp upstream, r101 poor flow distribution, p101b spare unit turned on, coolingGas high pressure upstream, e101a pressure surge

possible suction piping overpressure 2, seal failure due to reverse impeller rotation 2


Table 4. continued.

Deviation

Causes

Consequences

r101 catalyst bed channelling

poor flow distribution 3, blockages and carbon buildup 3, hot and cold spots 3, seal failure due to reverse impeller rotation 2, possible suction piping overpressure 2

toE103 leak to environment

toxic release 2, seal failure due to reverse impeller rotation 2, fire/explosion risk 2, possible suction piping overpressure 2

p101a lessPressure in

dv3 (etc) leak to environment, p101a leak to environment, eiv2 opened or passing, eiv1 (etc) leak to environment, valve8 (etc) leak to environment, dv4 opened or passing, valve4 (etc) partly closed, dv3 opened or passing

cavitation - possible mechanical damage 3

p101a morePressure in

p101a unit can be locked in

potential for liquid lock in and damage to unit by thermal expansion 3

p101a lessTemp in

tk101 lessTemp liquid

seal failure - freezing of seal fluids 2

p101a moreGas in

tk101 lessLevel liquid

vapour lock 3, bearing overheat - loss of lubrication 3, pump damage - increased vibration 3

p101a moreVapour in

tk101 moreTemp liquid, p101a external fire, tk101 lessLevel liquid

cavitation - possible mechanical damage 3

p101a moreFlow out

valve8 partly closed, p101a lessPressure out, valve5 opened or passing, valve8 blockage - frozen fluid

possible motor overload or trip 3

p101a noFlow out

fcv1 fails closed, nrv1 completely blocked or closed, valve15 (etc) closed

possible pump casing overtemperature 2

p101a lessPressure out

dv8 (etc) leak to environment, nrv1 leak to environment, e101b (etc) leak to environment, valve11 leak to environment, reactorEffluent leak to environment, valve7 (etc) leak to environment, valve18 leak to environment, valve9 leak to environment, r101 leak to environment, nrv2 leak to environment, nrv3 leak to environment, valve10 leak to environment, fcv1 leak to environment

toxic release 2, fire/explosion risk 2

h101 tube rupture

air into process - possible explosion 4, loss of flame - possible explosion 4, major fire or explosion 4

p101a morePressure out

fcv1 control failure - closed, toE103 low pressure downstream, p101a noFlow out, reactorEffluent high pressure downstream, nrv1 partly blocked or closed, r101 reactor coking, valve7 (etc) partly closed, hydrogenIn low temp upstream, valve8 blockage - frozen fluid, p101a pressure surge at startup or shutdown, valve8 partly closed, r101 outlet partly blocked, reactorEffluent blockage - frozen fluid, valve5 opened or passing, toE103 leak to environment, p101b spare unit turned on, e101a (etc) tube rupture, r101 poor flow distribution, r101 main inlet partly blocked, hydrogenIn high pressure upstream, e101a pressure surge, fromE106 high pressure upstream, e101a interface failure, coolingGas high pressure upstream, recycleGas high pressure upstream, recycleGas low temp upstream, e101b moreTemp shell side out, tk101 lessTemp liquid, e101a leak to environment

possible seal overpressure 2, possible pump casing or delivery pipework overpressure 2

p101a moreTemp out

tk101 moreTemp liquid, p101a external fire

possible pump casing overtemperature 2, possible seal overtemperature 2

p101a maintenance

p101a no vents available

inadequate isolation and drainage 2

e101a moreTemp tubeIn

p101a external fire, recycleGas high temp upstream, tk101 moreTemp liquid, hydrogenIn high temp upstream

tube overtemperature rupture 3

e101a moreTemp shellIn

e101b moreTemp shell side out

shell overtemperature rupture 2

e101a morePressure tube

fcv1 control failure - open, fcv1 passes when no flow is desired, e101a interface failure, fromE106 high pressure upstream, e101b moreTemp shell side out, hydrogenIn low temp upstream, e101a leak to environment, reactorEffluent high pressure downstream, toE103 leak to environment, recycleGas low temp upstream, toE103 low pressure downstream, p101b spare unit turned on, e101a (etc) tube rupture, recycleGas high pressure upstream, coolingGas high pressure upstream, valve16 opened or passing, e101a pressure surge, reactorEffluent blockage - frozen fluid, r101 poor flow distribution, hydrogenIn high pressure upstream, r101 main inlet partly blocked, p101a morePressure out, r101 reactor coking, tk101 lessTemp liquid, r101 outlet partly blocked

tube overpressure rupture 3


Table 4. continued.

Deviation

Causes

Consequences

e101a morePressure shell

e101b (etc) tube rupture, fromE106 high pressure upstream, toE103 blockage - frozen fluid, toE103 high pressure downstream

shell overpressure rupture 2

e101a lessTemp shell

fcv1 control failure - open, p101a morePressure out, e101a (etc) shell blockage, recycleGas high pressure upstream, e101b lessTemp shell side out, r101 leak to environment, e101a (etc) leak to environment, fcv1 passes when no flow is desired, e101a interface failure, h101 tube rupture, toE103 high pressure downstream, recycleGas low temp upstream, e101a (etc) tube rupture, reactorEffluent low pressure downstream, hydrogenIn low temp upstream, toE103 blockage - frozen fluid, tk101 lessTemp liquid, toE103 complete blockage downstream, valve16 opened or passing, r101 catalyst bed channelling, r101 cold gas inlet partly blocked, reactorEffluent leak to environment, coolingGas low pressure upstream, fromE106 low pressure upstream, coolingGas blockage - frozen fluid, fromE106 blockage - frozen fluid, hydrogenIn high pressure upstream, fromE106 no flow upstream, p101b spare unit turned on

shell freezing 3

Some ways in which enhancement of the unit models can occur include:

· Trial and error;
· Unit HAZOPs;
· Check-lists, guide words and inheritance.

The most obvious and common process of enhancement is by running HAZID on different problems, identifying deficiencies and rectifying these on an ad hoc basis, in other words by trial and error. A more structured technique, developed within the project, is to conduct a HAZOP of a single unit in order to capture expert knowledge and so produce an enhanced model. Since there is a core of commonly used equipments which occur with high frequency in HAZOP studies, it is well worth the effort to enhance the models of these units in this way. Equipments which were the subject of such single unit HAZOPs during the STOPHAZ project were:

· Atmospheric storage tank;
· Centrifugal pump;
· Furnace;
· Heat exchanger;
· Reciprocating pump.

A third approach to enriching and developing the capabilities of unit models is the use of check-lists, quasi-check-lists and guide words. A simple check-list, or set of guide words, which can be applied to an equipment has been given by Parmar and Lees [19, 20]:

1. Function;
2. Hydraulics;
3. Containment;
4. Impurities;
5. Environment.

A unit can be said to have a fault if it fails to perform satisfactorily in respect of any of these aspects. Failure of function depends on what the basic function of the equipment is: in a pump, failure might be a low delivery pressure, whilst in a water separator, it might be a high water content in the outlet flow. Failure by hydraulics depends on the hydraulic system in the equipment: in a gas absorption column it might be flooding or it might be loss of liquid level or gas breakthrough at the bottom of the column.

Failure of containment is essentially a leak or rupture, and includes fugitive emissions. Failure by impurities means introducing, into the fluid in the body of and/or leaving the equipment, anything which might be classed as an impurity: in a reflux column this might be broken packing accompanying the liquid leaving the packed section, whilst in a scrubber it might be liquid spray in the outlet gas. Failure by environmental problem includes any undesirable interaction between the equipment and its environment: one example is a hot surface which might cause injury, another the setting up of vibration which is transmitted to the rest of the plant.

Fluid Model

As described in Part 3 [10], the fluid model is used to resolve queries as to whether or not identified consequences are feasible, and to detect potential incompatibilities between process fluids which may come into contact with one another within the plant. With respect to fluid compatibility, in the current version the treatment is confined to binary compatibilities between fluids. In effect, whenever a fluid contacts another fluid, a check is made on compatibility and any incompatibility is flagged. Completeness here is essentially a matter of the quality of the compatibility tables. No particular method has been developed within the project for ensuring this, although some work has been done on sources of compatibility data and on the formats in which these are typically presented. With respect to the other fluid queries, the issues relate mainly to the numerical limits at which the fluid properties are to be evaluated. Completeness here is largely a matter of ensuring the quality of rules for setting these limits and making sure that wherever a rule is appropriate to verify a condition, it is applied in such a way that errs towards safety by allowing a fault path to succeed unless there is absolutely no way the rule can be satisfied.
CONCISENESS

The crude output from the early versions of the HAZID program had defects which have also been reported by other workers and which can be regarded as characteristic.

Table 5. Water separator system HAZOP emulation: report fragment with no filters applied.

Deviation: BufferTank noFlow in
  Causes: levelControlValve1 closed, valve8 closed, valve8 blocked, valve7 closed, valve7 blocked, valve4 closed, valve4 blocked, halfMileLine blocked, pumpJ1a no flow out
  Consequences: bufferTank loss of level, gas breakthrough to downstream units

  Causes: valve2 closed, valve2 blocked, valve3 closed, valve3 blocked, feedInlet no flow upstream
  Consequences: bufferTank loss of level, gas breakthrough to downstream units, pumpJ1a cavitation

Deviation: BufferTank lessLevel liquid
  Causes: levelControlValve1 closed, levelControlValve1 part closed, valve8 closed, valve8 part closed, valve8 blocked, valve7 closed, valve7 part closed, valve7 blocked, valve4 closed, valve4 part closed, valve4 blocked, halfMileLine blocked, pumpJ2a overspeed
  Consequences: bufferTank loss of level, gas breakthrough to downstream units

  Causes: valve2 closed, valve2 blocked, valve3 closed, valve3 blocked, feedInlet no flow upstream
  Consequences: bufferTank loss of level, gas breakthrough to downstream units, pumpJ1a cavitation

  Causes: valve8 leak, valve7 leak, valve4 leak, valve17 leak, halfMileLine leak, pumpJ1a leak, valve3 leak, valve2 leak, valve6 leak, valve5 leak
  Consequences: bufferTank loss of level, gas breakthrough to downstream units, toxic release, flammable release

Above all, the sheer exhaustiveness of the computer search made the volume of output unacceptable. A HAZOP emulator is intended to be an aid to the user, and its value is negated if examination of the output to identify scenarios which are correct and interesting requires more effort than to conduct a conventional HAZOP study. Review of the output produced by HAZID indicates that the major part of the unnecessary and undesirable output is accounted for by four main defects:

1. Invalid scenarios;
2. Similar faults;
3. Repeat scenarios;
4. Fault clusters.

In HAZID, the first of these defects is tackled by fluid model checks and by ensuring the correctness of unit models. The remaining three defects are tackled by using filters which significantly reduce the volume of output produced by the program, without discarding any of the valuable results of HAZOP emulation. The impact of these methods is illustrated below by reference to an example of HAZID output. Table 5 gives a section of an output report from AutoHAZID for the water separator system of Lawley given above as the first item in the learning set.

Invalid Scenarios

The inference engine first generates fault paths from the plant SDG model alone. It then uses the fluid model system to check whether these paths are feasible. If the fluid model is rudimentary, a large number of scenarios will be reported which are in fact invalid, but which have not been eliminated by the fluid model system. This is basically a matter of correctness rather than conciseness, but it is mentioned here, because it is also a prime cause of excessive output. Since this procedure is a check on the feasibility of the fault paths for the particular process concerned, it is referred to as a 'process dependency' filter. Table 6 gives the output report from the previous table modified by application of an improved fluid model.

Combination of Similar Faults

A deviation frequently has a number of very similar causes. A common case is where 'Low flow' or 'No flow' can be caused by any one of many valves in a single line.

Table 6. Water separator system HAZOP emulation: report fragment with only process dependency filter applied.

Deviation: BufferTank noFlow in
  Causes: levelControlValve1 closed, valve8 closed, valve7 closed, valve4 closed
  Consequences: bufferTank loss of level, gas breakthrough to downstream units

  Causes: valve2 closed, valve3 closed, feedInlet no flow upstream
  Consequences: bufferTank loss of level, gas breakthrough to downstream units, pumpJ1a cavitation

Deviation: BufferTank lessLevel liquid
  Causes: levelControlValve1 closed, levelControlValve1 part closed, valve8 closed, valve8 part closed, valve7 closed, valve7 part closed, valve4 closed, valve4 part closed, pumpJ2a overspeed
  Consequences: bufferTank loss of level, gas breakthrough to downstream units

  Causes: valve2 closed, valve3 closed, feedInlet no flow upstream
  Consequences: bufferTank loss of level, gas breakthrough to downstream units, pumpJ1a cavitation

  Causes: valve8 leak, valve7 leak, valve4 leak, valve17 leak, halfMileLine leak, pumpJ1a leak, valve3 leak, valve2 leak, valve6 leak, valve5 leak
  Consequences: bufferTank loss of level, gas breakthrough to downstream units, toxic release, flammable


Table 7. Water separator system HAZOP emulation: report fragment with process dependency and similar fault filters applied.

Deviation: BufferTank noFlow in
  Causes: levelControlValve1 closed, valve8 etc. closed
  Consequences: bufferTank loss of level, gas breakthrough to downstream units

  Causes: valve2 etc. closed, feedInlet no flow upstream
  Consequences: bufferTank loss of level, gas breakthrough to downstream units, pumpJ1a cavitation

Deviation: BufferTank lessLevel liquid
  Causes: levelControlValve1 closed, levelControlValve1 part closed, valve8 etc. closed, valve8 etc. part closed, pumpJ2a overspeed
  Consequences: bufferTank loss of level, gas breakthrough to downstream units

  Causes: valve2 etc. closed, feedInlet no flow upstream
  Consequences: bufferTank loss of level, gas breakthrough to downstream units, pumpJ1a cavitation

  Causes: valve8 etc. leak, valve17 leak, halfMileLine leak, pumpJ1a leak, valve3 etc. leak, valve6 etc. leak
  Consequences: bufferTank loss of level, gas breakthrough to downstream units, toxic release, flammable release

This case can be dealt with by using a filter which allows reporting of the first fault in full but suppresses the other similar faults and adds simply 'etc.'. Table 7 gives the output report from the previous table modified by application of this filter.

Discarding of Repeat Scenarios

The search procedure in AutoHAZID frequently generates the same scenario more than once, albeit from a different deviation. In a conventional HAZOP, the team generally applies its own mental filter to such repeat scenarios. A filter is used in AutoHAZID to suppress repeat scenarios. Table 8 gives the output report from the previous table modified by application of this filter.

Fault Clusters

Distinct from similar faults are fault clusters, in which the faults are various but tend to recur in association with each other as clusters. In this case a filter is applied which determines whether the deviation being considered is caused by some cluster of faults which were reported in relation to a deviation already considered. If so, a reference is given to the earlier deviation, instead of listing all the faults. Table 9 gives the output report from the previous table modified by application of this filter. The report shown in this table is therefore that obtained after application of the validity check and the three filters. The overall effect is to transform the output report of AutoHAZID to something much more akin to that obtained by a conventional HAZOP.

USER TRIALS AND TEST PROTOCOL

In order to evaluate the quality of hazard identification offered by HAZID, a number of 'user trials' were carried out towards the end of the STOPHAZ project. A number of plant systems (which had not previously been

Table 8. Water separator system HAZOP emulation: report fragment with process dependency, similar fault and repeat scenario filters applied.

Deviation: BufferTank noFlow in
  Causes: levelControlValve1 closed, valve8 etc. closed
  Consequences: bufferTank loss of level, gas breakthrough to downstream units

  Causes: valve2 etc. closed, feedInlet no flow upstream
  Consequences: bufferTank loss of level, gas breakthrough to downstream units, pumpJ1a cavitation

Deviation: BufferTank lessLevel liquid
  Causes: levelControlValve1 part closed, valve8 etc. part closed, pumpJ2a overspeed
  Consequences: bufferTank loss of level, gas breakthrough to downstream units

  Causes: valve8 etc. leak, valve17 leak, halfMileLine leak, pumpJ1a leak, valve3 etc. leak, valve6 etc. leak
  Consequences: bufferTank loss of level, gas breakthrough to downstream units, toxic release, flammable release
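The similar-fault and repeat-scenario filters described above, as an added Python example that is not AutoHAZID's own code: it takes the rows of Table 6 (input constructed from that table) and yields the cause lists of Tables 7 and 8. The valve-to-line groups in LINE_OF are an assumption inferred from which faults Table 7 merges under 'etc.', since the page gives no plant topology; the fault-cluster filter is not covered.

```python
"""Similar-fault and repeat-scenario filters run on the rows of Table 6."""

LOSS = "bufferTank loss of level"
GAS = "gas breakthrough to downstream units"

# Constructed input: Table 6 as (deviation, [(causes, consequences), ...]).
# Each cause is "<unit> <fault>"; the last consequence is spelled out as
# "flammable release", as it appears in Tables 5 and 7.
TABLE6 = [
    ("BufferTank noFlow in", [
        (["levelControlValve1 closed", "valve8 closed", "valve7 closed",
          "valve4 closed"], (LOSS, GAS)),
        (["valve2 closed", "valve3 closed", "feedInlet no flow upstream"],
         (LOSS, GAS, "pumpJ1a cavitation")),
    ]),
    ("BufferTank lessLevel liquid", [
        (["levelControlValve1 closed", "levelControlValve1 part closed",
          "valve8 closed", "valve8 part closed", "valve7 closed",
          "valve7 part closed", "valve4 closed", "valve4 part closed",
          "pumpJ2a overspeed"], (LOSS, GAS)),
        (["valve2 closed", "valve3 closed", "feedInlet no flow upstream"],
         (LOSS, GAS, "pumpJ1a cavitation")),
        (["valve8 leak", "valve7 leak", "valve4 leak", "valve17 leak",
          "halfMileLine leak", "pumpJ1a leak", "valve3 leak", "valve2 leak",
          "valve6 leak", "valve5 leak"],
         (LOSS, GAS, "toxic release", "flammable release")),
    ]),
]

# ASSUMPTION: which valves sit in the same line. Not stated on the page;
# inferred from the groups that Table 7 collapses.
LINE_OF = {"valve8": "A", "valve7": "A", "valve4": "A",
           "valve2": "B", "valve3": "B",
           "valve6": "C", "valve5": "C"}


def similar_fault_filter(causes):
    """Report the first fault on a line in full, fold the rest into 'etc.'."""
    kept = []    # [unit, fault, folded] in first-seen order
    first = {}   # (line, fault) -> index of the first such fault in kept
    for cause in causes:
        unit, fault = cause.split(" ", 1)
        line = LINE_OF.get(unit)
        if line is not None and (line, fault) in first:
            kept[first[(line, fault)]][2] = True   # suppress the similar fault
            continue
        if line is not None:
            first[(line, fault)] = len(kept)
        kept.append([unit, fault, False])
    return [f"{u} etc. {f}" if folded else f"{u} {f}" for u, f, folded in kept]


def apply_similar(report):
    """Run the similar-fault filter over every row of a report."""
    return [(dev, [(similar_fault_filter(causes), cons) for causes, cons in rows])
            for dev, rows in report]


def repeat_scenario_filter(report):
    """Suppress cause/consequence scenarios that were already reported."""
    seen = set()
    out = []
    for deviation, rows in report:
        new_rows = []
        for causes, cons in rows:
            fresh = [c for c in causes if (c, cons) not in seen]
            seen.update((c, cons) for c in causes)
            if fresh:                      # drop rows with nothing new
                new_rows.append((fresh, cons))
        out.append((deviation, new_rows))
    return out


def count_causes(report):
    """Number of cause entries a reader has to scan in the report."""
    return sum(len(causes) for _, rows in report for causes, _ in rows)


TABLE7 = apply_similar(TABLE6)
TABLE8 = repeat_scenario_filter(TABLE7)

if __name__ == "__main__":
    for name, rep in (("Table 6", TABLE6), ("Table 7", TABLE7), ("Table 8", TABLE8)):
        print(f"{name}: {count_causes(rep)} cause entries")
        for deviation, rows in rep:
            print(" ", deviation)
            for causes, cons in rows:
                print("    causes:", ", ".join(causes))
                print("    consequences:", ", ".join(cons))
```

The order of the two filters matters here: the repeat-scenario filter compares the already collapsed 'etc.' entries, which is why a single lookup removes `valve8 etc. closed` from the second deviation.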

Table 9. Water separator system HAZOP emulation: report fragment with all four filters applied.

Deviation: BufferTank noFlow in
  Causes: levelControlValve1 closed, valve8 etc. closed, pumpJ1a no flow out
  Consequences: bufferTank loss of level, gas breakthrough to downstream units

Deviation: BufferTank lessLevel liquid
  Causes: levelControlValve1 part closed, valve8 part closed, pumpJ2a overspeed, pumpJ1a less pressure out
  Consequences: bufferTank loss of level, gas breakthrough to downstream units

  Causes: valve8 etc. leak, halfMileLine leak, valve17 leak
  Consequences: bufferTank loss of level, gas breakthrough to downstream units, toxic release, flammable release


Table 10. Classification codes for analysis of HAZID output.

Code  Interpretation
1     Incorrect scenario identified in HAZOP team's report.
2     Valid scenario identified by the HAZOP team but not by HAZID.
3     Valid scenario identified by both the HAZOP team and HAZID but under unacceptable guideword in HAZID output.
4     Valid scenario identified by both the HAZOP team and HAZID under acceptable guideword in HAZID output.
5     Protection incorrectly identified by the HAZOP team.
6     Protection identified by the HAZOP team but not by HAZID.
7     Protection identified by both the HAZOP team and HAZID results.
8     Incorrect scenario identified by HAZID.
9a    Feasible and interesting scenario identified by HAZID but not by the HAZOP team.
9b    Feasible but uninteresting scenario identified by HAZID but not by the HAZOP team.
10    Valid protection identified by HAZID.
11    Incorrect protection identified by HAZID.

used to inform the development of HAZID models) were chosen to form a 'test set'. The test set plants are described in the next section. At a specially convened workshop, each of the test set plants was subjected to a conventional HAZOP study, with the participation of industrial partners in the project consortium. The results of each HAZOP study were then compared to the corresponding HAZOP emulation report produced by HAZID.

For use in these final user trials, a formal protocol was developed which was intentionally structured to allow easy and precise statistical analysis of the trials, and comparison of the results obtained in conventional HAZOP studies with those produced by HAZID. By assigning classifications to the distinct scenarios identified in the conventional HAZOP report and in the HAZID output report, it was possible to calculate the proportions of correct or relevant results in the reports. The classification codes used for this protocol are shown in Table 10.

The procedure adopted was to consider first each scenario (cause-consequence pair) in the output report of the conventional HAZOP and to determine whether it was a valid scenario. For each of the distinct valid scenarios, the next question was whether the HAZID report identified it and if so, whether it was associated in the HAZID report with an appropriate deviation. Any valid scenarios found in the HAZID report were 'ticked off' as having been considered. This decision procedure gave rise to a classification of 1, 2, 3 or 4, for each of the scenarios in the HAZOP report. A similar procedure was followed for the protections reported in association with each of these scenarios, giving each a class of 5, 6 or 7. This procedure of classification then continued, processing those scenarios and protections identified in the HAZID output report which had not already been seen (i.e. 'ticked off') in the HAZOP report. The classes given to HAZID scenarios in this exercise were 8, 9a and 9b and those given to HAZID protections were 10 and 11.

TEST SET PLANTS

The following were the systems selected by industrial partners within the STOPHAZ project, to form the 'test set' of plants for evaluation of HAZID:

1. An ammonia absorber section;
2. A β-trichloroethane storage section;
3. A propane rectification system;
4. A benzene storage section;
5. A separation system.

Ammonia Absorber Section

The ammonia absorber section takes as feed an ammonia-laden nitrogen stream and removes most of the

Figure 8. Test set: ammonia absorber.

Figure 9. Test set: β-trichloroethane storage section.

Figure 10. Test set: propane rectification section.

Figure 11. Test set: benzene storage section.

Figure 12. Test set: separation system.

gas breakthrough 3

prv142 (etc) leak to environment, val131 leak to environment, val132 leak to environment, cep64 leak to environment, chv134 leak to environment

inl141 high temp upstream, no1_ref_tank hot weather, no1_ref_tank external fire

inl141 upstream contamination

no1_ref_tank liquid leak to environment

chv134 leak to environment, no1_ref_tank morePressure vapour, prv145 (etc) leak to environment, inl141 no flow upstream, prv142 partly closed, inl141 low pressure upstream, val132 partly closed, inl141 leak to environment, val66 leak to environment, cep64 leak to environment

no1_ref_tank moreFlow out8

no1_ref_tank moreTemp liquid

no1_ref_tank contamination liquid

no1_ref_tank lessLevel liquid

no1_ref_tank moreTemp vapour

no1_ref_tank moreTemp liquid, no1_ref_tank external fire

no1_ref_tank moreTemp liquid

no1_ref_tank no drains available

cep64 air ingress into pump

val66 closed

val66 leak to environment, cep64 incorrect pump setup/installation, cep64 loss of drive

val133 (etc) leak to environment, cep64 leak to environment, val132 (etc) partly closed, chv134 partly blocked or closed, prv142 leak to environment, chv134 leak to environment, val131 partly closed, prv142 partly closed

cep64 unit can be locked in

no1_ref_tank moreTemp vapour

no1_ref_tank moreVapour vapour

no1_ref_tank maintenance

cep64 lessFlow in

cep64 noFlow in

cep64 revFlow in

cep64 lessPressure in

cep64 morePressure in

potential for liquid lock in and damage to unit by thermal expansion 3

cavitation - possible mechanical damage 3

possible suction piping overpressure 2, seal failure due to reverse impeller rotation 2

dry running - possible pump rupture 2

possible internal explosive atmosphere 4

inadequate isolation and drainage 2

vacuum collapse - increased condensibles 2

design temp exceeded - structural weakening 2

possible overpressure rupture 2

air ingress - explosion risk 4, possible vacuum collapse 2

no1_ref_tank lessTemp vapour

vessel overfilling 2

cep64 revFlow out

air ingress - explosion risk 4, flammable vapour release 2, possible vacuum collapse 2, toxic vapour release 2

vessel overfilling 2

chv134 partly blocked or closed, val131 (etc) partly closed

no1_ref_tank vapour leak to environment

vessel overfilling 2

liquid contents contaminated 3

structural weakening 2

fire/explosion risk 2, toxic release 2

potential static, fire/explosion hazard 3

chv134 completely blocked or closed, no1_ref_tank lessPressure vapour, cep64 noFlow in, inl141 high pressure upstream, val66 (etc) closed

no1_ref_tank morePressure vapour

no1_ref_tank lessPressure vapour

no1_ref_tank moreLevel liquid

gas breakthrough 3, flammable liquid release 2, toxic liquid release 2

inl141 high pressure upstream, no1_ref_tank lessPressure vapour

no1_ref_tank moreFlow in6

fire/explosion risk 2, toxic release 2

inl141 leak to environment

inadequate pressure relief on vessel 5

no1_ref_tank no vent available

Consequence

no1_ref_tank lessFlow in6

Cause

no1_ref_tank morePressure in1

Deviation

Table 11. HAZID output report for benzene storage (extract).

ind148

ind148, chv65

ind148, prv60

ind148

ind148

ind148

chv65

ind148

ind148

ind148

ind148

ind148

Alarms and indicators


cep64 no drains available

cep64 maintenance

possible seal overpressure 2, possible pump casing or delivery pipework overpressure 2

out75 high pressure downstream, out124 high pressure downstream

inadequate isolation and drainage 2

possible pump casing overtemperature 2, possible seal overtemperature 2

large scale release of process material 2, possible pump casing or delivery pipework overpressure 2, possible seal overpressure 2

rev59 failure to reseat after opening, rev77 failure to reseat after opening

no1_ref_tank moreTemp liquid, cep64 lessFlow out, no2_ref_Tank moreTemp liquid, cep64 external fire, no3_ref_tank moreTemp liquid

possible seal overpressure 2, possible pump casing or delivery pipework overpressure 2

rev59 opened or passing, rev77 opened or passing

cep64 moreTemp out

possible seal pressure 2, possible pump casing or delivery pipework overpressure 2

prv119 loss of control, prv60 loss of control, prv90 loss of control, prv118 loss of control, val84 (etc) partly closed, val82 partly closed, val88 partly closed, val86 (etc) partly closed, chv65 partly blocked or closed, val87 partly closed

toxic release 2, fire/explosion risk 2

rev59 leak to environment, rev77 leak to environment

possible seal overpressure 2, possible pump casing or delivery pipework overpressure 2

fire/explosion risk 2, toxic release 2

prv60 leak to environment

cep64 pressure surge at startup or shut-down

fire/explosion risk 2, toxic release 2

val181 (etc) leak to environment, prv90 leak to environment, prv118 leak to environment, val85 leak to environment, val80 leak to environment, out75 leak to environment, val79 leak to environment, val87 leak to environment, prv119 leak to environment, pip101 leak to environment, out124 leak to environment, val88 leak to environment

cep64 morePressure out

toxic release 2, fire/explosion risk 2

val84 (etc) leak to environment, chv65 leak to environment, val82 leak to environment, prv146 leak to environment

cep64 lessPressure out

possible seal overtemperature 2, possible pump casing overtemperature 2

possible motor overload or trip 3

cep64 lessPressure out

val68 closed, chv65 completely blocked or closed

possible motor overload or trip 3

cavitation - possible mechanical damage 3

cep64 pressure surge at startup or shut-down

no3_ref_tank lessLevel liquid

cep64 noFlow out

cep64 moreFlow out

cavitation - possible mechanical damage 3

no2_ref_Tank moreTemp liquid, cep64 external fire, no1_ref_tank lessLevel liquid, no3_ref_tank moreTemp liquid, no1_ref_tank moreTemp liquid, no2_ref_Tank lessLevel liquid

pump damage - increased vibration 3, vapour lock 3, bearing overheat - loss of lubrication 3

no1_ref_tank lessLevel liquid, no2_ref_Tank lessLevel liquid

cep64 moreVapour in

pump damage - increased vibration 3, vapour lock 3, bearing overheat - loss of lubrication 3

no3_ref_tank lessLevel liquid, cep64 air ingress into pump

cep64 moreGas in

seal failure - freezing of seal fluids 2

Consequence

no1_ref_tank lessTemp liquid, no3_ref_tank lessTemp liquid, no2_ref_Tank lessTemp liquid

Cause

cep64 lessTemp in

Deviation

Table 11. continued.

ind148

ind148, rev77, rev59,

ind148, prv60

ind148, prv60

ind148

ind148, rev77, rev59, prv60, prv90

ind148, prv90

ind148

ind148, prv60

ind148, prv60, prv90

ind148, prv60, prv90

ind148, prv60

ind148

ind148

ind148

ind148, prv60

Alarms and indicators


design temp exceeded 2 design temp exceeded 2

pip101 external fire, pip101 hot weather

no1_ref_tank moreTemp liquid, cep64 lessFlow out, no2_ref_Tank moreTemp liquid, cep64 external fire, no3_ref_tank moreTemp liquid

pip101 moreTemp out

gas breakthrough 3

inl140 leak to environment

inl140 high pressure upstream, no2_ref_Tank lessPressure vapour

inl140 high temp upstream, no2_ref_Tank hot weather, no2_ref_Tank external fire

inl140 upstream contamination

no2_ref_Tank liquid leak to environment

chv134 leak to environment, no2_ref_Tank morePressure vapour, prv145 (etc) leak to environment, inl140 no flow upstream, prv142 partly closed, inl140 low pressure upstream, val131 partly closed, inl140 leak to environment, val66 leak to environment, cep64 leak to environment

no2_ref_Tank lessFlow in6

no2_ref_Tank moreFlow in6

no2_ref_Tank moreTemp liquid

no2_ref_Tank contamination liquid

no2_ref_Tank lessLevel liquid

no2_ref_Tank moreTemp vapour

no2_ref_Tank moreTemp liquid, no2_ref_Tank external fire

no2_ref_Tank moreTemp liquid

no2_ref_Tank no drains available

no2_ref_Tank moreTemp vapour

no2_ref_Tank moreVapour vapour

no2_ref_Tank maintenance

inadequate isolation and drainage 2

vacuum collapse - increased condensibles 2

design temp exceeded - structural weakening 2

possible overpressure rupture 2

air ingress - explosion risk 4, possible vacuum collapse 2, flammable vapour release 2, toxic vapour release 2

no2_ref_Tank lessTemp vapour

vessel overfilling 2

cep64 loss of drive, cep64 incorrect pump setup/installation

air ingress - explosion risk 4, possible vacuum collapse 2, flammable vapour release 2, toxic vapour release 2

vessel overfilling 2

chv134 partly blocked or closed, val132 (etc) partly closed

no2_ref_Tank vapour leak to environment

vessel overfilling 2

liquid contents contaminated 3

design temp exceeded - structural weakening 2

potential static fire/explosion hazard 3

fire/explosion risk 2, toxic release 2

inadequate pressure on vessel 5

chv134 completely blocked or closed, no2_ref_Tank lessPressure vapour, cep64 noFlow in, inl140 high pressure upstream, val66 (etc) closed

no2_ref_Tank morePressure vapour

no2_ref_Tank lessPressure vapour

no2_ref_Tank moreLevel liquid

gas breakthrough 3, flammable liquid release 2, toxic liquid release 2

no2_ref_Tank no vent available

no2_ref_Tank morePressure in1

possible upstream contamination 3

inl141 low pressure upstream

inl141 revFlow out

inadequate isolation and drainage 2

pip101 no drains available

pip101 maintenance

potential for liquid lock in and damage to unit by thermal expansion 3

pip101 unit can be locked in

pip101 morePressure in

cannot monitor pressure development at startup 4

Consequence

cep64 no pressure sensor on pump delivery

Cause

cep64 startup

Deviation

Table 11. continued.

ind148

ind148

ind148

ind148, chv65

ind148

ind148

ind148

ind148

ind148

ind148

ind148

Alarms and indicators


mC-401-1ST air ingress into compressor–at startup, mC-401-2ST air ingress into compressor–at startup, p-402A air ingress into pump, p-401B air ingress into pump, p-401A air ingress into pump

inl43 leak to environment, val45 leak to environment

out44 leak to environment, e-401 leak to environment, val46 leak to environment

out44 high pressure downstream, val46 partly closed, inl43 high pressure upstream

inl43 high temp upstream

pV-4007 loss of control, lV-4015 control failure, pV-4006 fails open, lV-4015 fails open, fV-4001 fails open, pV-4006 control failure, lV-4008 control failure, lV-4008 fails open, fV-4001 control failure, pV-4007 blockage–frozen fluid, mC-401-2ST morePressure out, lV-4008 passes when no flow is desired, p-402A morePressure out, 1st-sb-to high pressure downstream, water-LPvap high pressure upstream, toHX high pressure downstream, toHX blockage–frozen fluid, fV-4001 passes when no flow is desired, p-401B morePressure out, p-401A morePressure out, pV-4006 passes when no flow is desired, lV-4015 passes when no flow is desired, v-402 morePressure vapour, e-401 tube rupture, fromC401 high pressure upstream, 1st-sb-to blockage–frozen fluid, p-402B spare unit turned on, mC-401-1ST morePressure out

mC-401 spill-back occurring, water-LPvap high temp upstream, v-402 moreTemp vapour, mC-401-1T external fire, v-401 moreTemp vapour, mC-401-1ST spill-back occurring, mC-401-2ST external fire

e-401 no drains available

pV-4007 loss of control, lV-4015 control failure, pV-4006 fails open, lV-4015 fails open, fV-4001 fails open, pV-4006 control failure, lV-4008 control failure, lV-4008 fails open, fV-4001 control failure, pV-4007 blockage–frozen fluid, mC-401-2ST morePressure out, lV-4008 passes when no flow is desired, p-402A morePressure out, 1st-sb-to high pressure downstream, water-LPvap high pressure upstream, toHX high pressure downstream, toHX blockage–frozen fluid, fV-4001 passes when no flow is desired, p-401A morePressure out, p-401B morePressure out, pV-4006 passes when no flow is desired, lV-4015 passes when no flow is desired, e-401 tube rupture, v-402 lessPressure vapour, fromC401 high pressure upstream, 1st-sb-to blockage–frozen fluid, p-402B spare unit turned on, mC-401-1ST morePressure out

v-402 no vent available

toHX contamination in

e-401 lessFlow tubeIn


e-401 moreFlow tubeIn

e-401 morePressure tube

e-401 moreTemp tube

e-401 morePressure shell

e-401 moreTemp shell

e-401 maintenance

v-402 moreFlow in1

v-402 morePressure in1

inadequate pressure relief on vessel 5

liquid droplet entrainment 3

inadequate isolation and drainage 2

shell overtemperature rupture 2

shell overpressure rupture 2

tube overtemperature rupture 3

tube overpressure rupture 3

non-hazardous release 1

non-hazardous release 1

possible internal explosive atmosphere 4

possible upstream contamination 3

large scale release of process material 2

toHX complete blockage downstream, fromC401 low pressure upstream, toHX high pressure downstream, toHX blockage–frozen fluid

pSV-4001 failure to reseat after opening, pSV-4002 failure to reseat after opening

fromC401 revFlow out

toxic release 2, fire/explosion risk 2

chv29 (etc) leak to environment, fV-4001 leak to environment, lV-4015 leak to environment, pSV-4002 leak to environment, 1st-sb-to leak to environment, toHX leak to environment, chv63 leak to environment, val83 (etc) leak to environment, e-401 leak to environment, lV-4008 leak to environment, val33 leak to environment, chv28 leak to environment, val77 leak to environment, val78 leak to environment, chv64 leak to environment, val54 leak to environment, p-402B leak to environment, val26 leak to environment, chv48 leak to environment, val27 leak to environment, pV-4007 leak to environment, pV-4006 leak to environment, water-LPvap leak to environment, pSV-4001 leak to environment

toxic release 2, fire/explosion risk 2

fromC401 leak to environment

Consequence

fromC401 moreFlow out

Cause

fromC401 lessFlow out

Deviation

Table 12. HAZID output report for separation system (extract).


pV-4007 loss of control, lV-4015 fails open, fV-4001 control failure, lV-4008 control failure, lV-4008 fails open, pV-4006 fails open, lV-4015 control failure, pV-4006 control failure, fV-4001 fails open, pV-4006 passes when no flow is desired, mC-401-2ST morePressure out, lV-4008 passes when no flow is desired, e-401 tube rupture, v-402 moreTemp vapour, fV-4001 passes when no flow is desired, mC-401-1ST morePressure out, water-LPvap high pressure upstream, val53 partly closed, toHX high pressure, pV-4007 blockage–frozen fluid, val53 blockage–frozen fluid, toHX blockage–frozen fluid, p401B morePressure out, p-401A morePressure out, v-402 moreTemp liquid, lV-4015 passes when no flow is desired, 1st-sb-to high pressure downstream, fromC401 high pressure upstream, p-402A morePressure out, -402B spare unit turned on, 1st-sb-to blockage–frozen liquid

e-401 moreTemp shell side out, v-402 external fire, v-402 moreTemp liquid

v-402 moreLevel liquid

v-402 moreTemp liquid

e-401 lessTemp shell side out, v-402 cold weather, v-402 increased concentration of volatiles

e-401 moreTemp shell side out, v-402 external fire, v-402 hot weather

v-402 moreTemp vapour

v-402 moreLiquid vapour

v-402 moreVapour vapour

v-402 lessTemp liquid

v-402 moreTemp liquid

design temp exceeded–structural weakening 2

freezing 3

vacuum collapse–increased condensibles 2

liquid droplet entrainment 3

design temp exceeded–structural weakening 2

possible overpressure rupture 2

possible vacuum collapse 2

pV-4007 control failure, lV-4008 loss of control, fV-4001 loss of control, pV-4007 fails open, pV-4006 loss of control, lV-4015 loss of control, pSV-4008 failure to reseat after opening, pSV-4008 leak to environment, mC-401-2ST leak to environment, p-402A lessPressure out, mC-401-2ST inlet check valve damaged or worn, v-402 lessTemp vapour, val77 leak to environment, val61 (etc) partly closed, val77 partly closed, val26 leak to environment, val77 blockage–frozen fluid, val85 (etc) partly closed, pV-4006 leak to environment, p-401B lessPressure out, chv48 leak to environment, fromC401 leak to environment, pV-4006 blockage–frozen fluid, chv63 leak to environment, chv48 partly blocked or closed, pSV-4008 opened or passing, val78 leak to environment, toHX low pressure downstream, lV-4008 blockage–frozen fluid, val53 leak to environment, val27 blockage–frozen fluid, fV-4001 leak to environment, chv28 (etc) leak to environment, val78 partly closed, chv28 (etc) partly blocked or closed, val78 blockage–frozen fluid, lV-4015 blockage–frozen fluid, pV-4007 leak to environment, val33 leak to environment, val62 (etc) leak to environment, fV-4001 blockage–frozen fluid, val62 (etc) blockage–frozen fluid, water-LPvap low pressure upstream, chv63 partly blocked or closed, water-LPvap leak to environment, lV-4008 leak to environment, pV-4007 passes when no flow is desired, val27 leak to environment, val33 blockage–frozen fluid, toHX leak to environment, val33 partly closed, val85 (etc) leak to environment, val26 partly closed, val26 blockage–frozen fluid, val27 partly closed, water-LPvap blockage–frozen fluid, e-401 leak to environment, 1st-sb-to leak to environment, val85 (etc) blockage–frozen fluid, 1st-sb-to low pressure downstream, chv29 leak to environment, lV-4015 leak to environment, val54 leak to environment, chv29 partly blocked or closed, val54 blockage–frozen fluid, p-401A lessPressure out, val54 partly closed, mC-401-1ST lessPressure out, pSV-4001 leak to environment, fromC401 low pressure upstream, pSV-4001 failure to reseat after opening, val61 leak to environment, pSV-4001 opened or passing, fromC401 blockage–frozen fluid, val61 blockage–frozen fluid, val62 partly closed, mC-401-ST lessPressure out, chv64 leak to environment, pSV-4002 opened or passing, chv64 partly blocked or closed, pSV-4002 failure to reseat after opening, p-402B leak to environment, pSV-4002 leak to environment

v-402 morePressure vapour

flammable vapour release 2, possible vacuum collapse 2, toxic vapour release 2

v-402 vapour leak to environment

v-402 lessPressure vapour

fire/explosion risk 2, toxic release 2

large scale release of process material 2

p-402A leak to environment, val59 leak to environment, val60 leak to environment

fire/explosion risk 2, toxic release 2

pSV-4008 failure to reseat after opening

Consequence

mC-401-2ST leak to environment, val53 leak to environment, pSV-4008 leak to environment

Cause

v-402 moreFlow out2

v-402 moreFlow out1

Deviation

Table 12. continued.


v-402 no drain available

e-401 tube rupture, water-LPvap low pressure upstream

out123 leak to environment

mC-401-2ST internals damaged

out123 moreFlow in

mC-401-2ST lessFlow in

particulates to downstream units 3

toxic release 2, fire/explosion risk 2

possible upstream contamination 3

inadequate isolation and drainage 2

liquid droplet entrainment 3, vessel overfilling 2

water-LPvap high composition upstream, val59 blockage–frozen fluid, val60 blockage–frozen fluid, val59 partly closed, inl18 high composition upstream, val60 partly closed

water-LPvap revFlow out

vessel overfilling 2

pV-4007 loss of control, lV-4015 control failure, pV-4006 fails open, lV-4015 fails open, fV-4001 fails open, pV-4006 control failure, lV-4008 control failure, lV-4008 fails open, fV-4001 control failure, pV-4007 blockage–frozen fluid, mC-401-2ST morePressure out, lV-4008 passes when no flow is desired, p-402A morePressure out, 1st-sb-to high pressure downstream, water-LPvap high pressure upstream, toHX high pressure downstream, toHX blockage–frozen fluid, fV-4001 passes when no flow is desired, p401A morePressure out, p-401B morePressure out, pV-4006 passes when no flow is desired, lV-4015 passes when no flow is desired, e-401 tube rupture, v-402 lessPressure vapour, fromC401 high pressure upstream, 1st-sb-to blockage–frozen fluid, mC-401-1ST morePressure out

v-402 maintenance

v-402 moreLevel liquid

gas breakthrough 3

pV-4007 control failure, lV-4008 loss of control, fV-4001 loss of control, pV-4007 fails open, pV-4006 loss of control, lV-4015 loss of control, p402B leak to environment, val26 blockage–frozen fluid, val77 leak to environment, p-402B spare unit turned on, val77 partly closed, val82 (etc) partly closed, val77 blockage–frozen fluid, pV-4006 leak to environment, toHX low pressure downstream, chv48 leak to environment, val85 (etc) partly closed, pV-4006 blockage–frozen fluid, p401A lessPressure out, chv48 partly blocked or closed, fromC401 leak to environment, val78 leak to environment, chv63 leak to environment, p-402A leak to environment, inl18 low composition upstream, val26 leak to environment, fV-4001 leak to environment, val60 (etc) leak to environment, val78 partly closed, val27 blockage–frozen fluid, val78 blockage–frozen fluid, e-401 leak to environment, pV-4007 leak to environment, chv28 (etc) partly blocked or closed, val33 leak to environment, lV-4015 blockage–frozen fluid, fV-4001 blockage–frozen fluid, water-LPvap low composition upstream, water-LPvap low pressure upstream, val62 (etc) blockage–frozen liquid, water-LPvap leak to environment, chv63 partly blocked or closed, p-402A lessPressure out, pV-4007 passes when no flow is desired, lV-4008 leak to environment, val33 blockage–frozen fluid, val27 leak to environment, val33 partly closed, toHX leak to environment, lV-4008 blockage–frozen fluid, val85 (etc) leak to environment, val26 partly closed, water-LPvap blockage–frozen fluid, val27 partly closed, 1st-sb-to leak to environment, val59 leak to environment, 1st-sb-to low pressure downstream, val85 (etc) blockage–frozen fluid, chv28 (etc) leak to environment, chv29 leak to environment, val54 leak to environment, lV-4015 leak to environment, val54 blockage–frozen fluid, chv29 partly blocked or closed, val54 partly closed, p-401B lessPressure out, mC-401-1ST lessPressure out, pSV-4001 leak to environment, pSV-4001 failure to reseat after opening, fromC401 low pressure upstream, pSV-4001 opened or passing, val61 leak to environment, fromC401 blockage–frozen fluid, val61 blockage–frozen fluid, C-401-2ST lessPressure out, pSV-4002 opened or passing, chv64 leak to environment, pSV-4002 failure to reseat after opening, chv64 partly blocked or closed, pSV-4002 leak to environment.

gas breakthrough 3, toxic liquid release 2, flammable liquid release 2

v-402 liquid leak to environment

v-402 lessLevel liquid

liquid contents contaminated 3

Consequence

inl18 upstream contamination, e-401 tube rupture, mC-401-2ST air ingress into computer–at startup, water-LPvap LPvap upstream contamination, mC-401-1ST air ingress into compressor–at startup

Cause

v-402 contamination liquid

Deviation

Table 12. continued.


val53 closed, mC-401-2ST check valve fails shut, val53 blockage–frozen fluid, mC-401-2ST loss of drive

lV-4008 control failure, pV-4007 loss of control, lV-4008 fails open, fV-4001 fails open, fV-4001 control failure, pV-4006 loss of control, lV-4015 control failure, lV-4015 fails open, pV-4006 blockage–frozen fluid, 1st-sb-to blockage–frozen fluid, p-401B morePressure out, val78 blockage–frozen fluid, val78 partly closed, val54 partly closed, water-LPvap high pressure upstream, val77 partly closed, mC-401-2ST external fire, val77 blockage–frozen fluid, lV-4015 passes when no flow is desired, toHX high pressure downstream, v-402 morePressure vapour, fromC401 high pressure upstream, val54 blockage–frozen fluid, mC-401-2ST outlet check valve fitted in wrong direction, fV-4001 passes when no flow is desired, lV-4008 passes when no flow is desired, pV-4007 blockage–frozen fluid, toHX blockage–frozen fluid, mC-401-2ST pressure surge, 1st-sb-to high pressure downstream, e-401 tube rupture, p-402A morePressure out, p-402B spare unit turned on, mC-401-1ST morePressure out, p-401A morePressure out

v-402 moreTemp vapour, mC-401-2ST external fire, mC-401-2ST spill-back occurring

mC-401-2ST no drains available

out50 leak to environment

val59 closed, val59 blockage–frozen fluid

lV-4008 fails closed, toHX blockage–frozen fluid, p-402A loss of drive, val83 (etc) closed, val59 leak to environment, p-402A incorrect pump setup/installation, val83 (etc) blockage–frozen fluid, toHX complete blockage downstream, toHX high pressure downstream, lV-4008 blockage–frozen fluid val60 leak to environment, p-402A leak to environment, p-402B spare unit turned on, val59 leak to environment, v-402 lessPressure vapour, val59 blockage–frozen fluid, p-402B leak to environment, val59 partly closed

mC-401-2ST noFlow out

mC-401-2ST morePressure out

mC-401-2ST moreTemp out

mC-401-2ST maintenance

out50 moreFlow in

p-402A noFlow in

p-402A revFlow in

v-402 lessTemp liquid

v-402 lessLevel liquid, p-402A air ingress into pump

v-402 moreTemp liquid, p-402A external fire, v-402 lessLevel liquid

v-402 morePressure vapour, p-402A pressure surge at startup or shut-down, val60 blockage–frozen fluid, p0402A lessPressure out, val60 partly closed

val61 closed, chv63 blocked by frozen fluid, val61 blockage–frozen fluid, chv63 completely blocked or closed

p402A lessTemp in

p-402A moreGas in

p-402A moreVapour in

p-402A moreFlow out

p-402A noFlow out

possible seal overtemperature 2, possible pump casing overtemperature 2

possible motor overload or trip 3

cavitation–possible mechanical damage 3

pump damage–increased vibration 3, bearing overheat–loss of lubrication 3, vapour lock 3

seal failure–freezing of seal fluids 2

potential for liquid lock in and damage to unit by thermal expansion 3

cavitation–possible mechanical damage 3

possible suction piping overpressure 2, seal failure due to reverse impeller rotation 2

dry running–possible pump rupture 2

fire/explosion risk 2, toxic release 2

inadequate isolation and drainage 2

possible casing overtemperature 2

possible casing or delivery pipework overpressure 3, casing or pipework overpressure if relief system fails 2

casting or pipework overpressure if relief system fails 2

compressor damage 3

Consequence

Note: The flag settings used for this table and the previous one are: Display faults with no consequences, no; Filter out repeat fault-consequence pairs, yes; Display only faults with no protections, no; Display consequences with no causes, no; Display protections present, yes; Consequence rank threshold set at, 1; Filter out repeat faults, yes.

p-402A unit can be locked in

p402A morePressure in

p-402A lessPressure in

pV-4007 loss of control, lV-4015 control failure, lV-4015 fails open, pV-4006 fails open, lV-4008 control failure, fV-4001 fails open, pV-4006 control failure, fV-4001 control failure, lV-4008 fails open, e-401 tube rupture, pV-4007 blockage–frozen fluid, water-LPvap high pressure upstream, toHX high pressure downstream, p-402B spare unit turned on, mC-401-2ST morePressure out, fV-4001 passes when no flow is desired, pV-4006 passes when no flow is desired, lV-4008 passes when no flow is desired, toHX blockage–frozen fluid, p-401B morePressure out, 1st-sb-to high pressure downstream, p-401A morePressure out, lV-4015 passes when no flow is desired, v-402 lessPressure vapour, v-402 moreLevel liquid, fromC401 high pressure upstream, p-402A morePressure out, 1st-sb-to blockage–frozen fluid, mC-401-1ST morePressure out

Cause

mC-401-2ST moreLiquid in

Deviation

Table 12. continued.


Table 13. Summary analysis of trial results.

| Plant system | Absorber system | β-Trichloroethane storage | Propane rectification system | Benzene storage | Separation system |
|---|---|---|---|---|---|
| Scenarios identified by conventional HAZOP also identified by HAZID (%) | 36 | 33 | 60 | 50 | 53 |
| Scenarios identified by HAZID which were judged to be correct (%) | 49 | 33 | 69 | 83 | 53 |
| Scenarios identified by HAZID which were judged to be correct and of interest (%) | 9.5 | 29 | 24 | 27 | N/A |
| Protections identified by HAZID which were judged to be correct (%) | 9.5 | 29 | N/A | 77 | N/A |

ammonia by absorption into water. The feed gas stream is cooled before entering the absorber, which results in some condensation of water and ammonia. The water fed to the top of the absorber is chilled. A very small amount of sulphuric acid is added to the base of the absorber as stabilizer. The solution of ammonia in water is pumped forward for further treatment and the lean gas from the top of the absorber is fed forward for destruction. The plant diagram entered using the Graphical Tool is shown in Figure 8.

Absorber feed cooler/condenser

The gas feed contains mainly nitrogen but also some ammonia and water. The feed is at 2 bara and 70°C. It is cooled to 40°C with an uncontrolled flow of cooling water. A two-phase mixture of gas and condensate flows into the base of the absorber.

Absorber

The cooled/condensed gas stream enters the bottom of the absorber and chilled water at 5°C enters the top. A small flow of sulphuric acid is fed to the bottom of the absorber and the pH of the stream leaving the absorber is controlled by manipulating this acid flow. The pressure in the system is controlled by manipulating a control valve on the flow in the gas line leaving the absorber. There is a relief valve on the bypass of this control valve.

Feed forward

The solution of ammonia in water is pumped from the absorber to a unit outside the plant section boundary. The flow is controlled from the level in the base of the absorber. A small portion of the flow is recycled to the absorber base through a restriction orifice.

β-Trichloroethane Storage Section

Crude β-trichloroethane is pumped at 4 bara and 20 to 50°C through a long line into a bunded stock tank. The level in the stock tank is not controlled, but a high level will cause an actuated valve in the inlet line to close. In order to guard against liquid hammer, this valve closes slowly. If an extra high level were to occur, the contents would overflow into the bund through a line which is sealed with a bursting disc; a head of liquid in the line will burst the disc.

A small flow of nitrogen flows into the tank through a bubbler. If the pressure in the tank falls, a pressure controller opens a control valve in a separate supply of nitrogen. The tank vents through a scrubber to atmosphere. The tank is fitted with a pressure/vacuum relief valve and a fire relief hatch. The plant diagram entered using the Graphical Tool is shown in Figure 9.

Scrubber

The scrubber removes vapours from the stock tank vent before release to atmosphere. Water flows through it at a constant rate and out to an effluent pit. The level at the base of the scrubber is maintained by a lute.

Feed forward

Material is pumped out of the stock tank by a set of two parallel pumps, one working and one spare. There is a spill-back line from the pump delivery to the tank through a restriction orifice. The feed from the pumps is mixed with another stream and is fed forward to another unit. The flow of the other stream is measured and the flow of β-trichloroethane is controlled in a fixed ratio to the flow of this other stream.

Propane Rectification Section

The propane rectification section consists of a distillation column and associated heat exchangers, pumps and separators, producing high quality propane for refrigeration. The column overhead vapour is condensed, using cooling water, and fed to a holding tank. Some liquid is pumped back to the column as reflux. The rest goes to a pipeline which leaves the plant section. The column reboiler is heated by a hot oil stream. The bottom product is cooled and fed to a pipeline which leaves the plant section. The propane product is removed from a tray near the top of the column and sent for storage outside the plant section. The plant diagram entered using the Graphical Tool is shown in Figure 10.

Benzene Storage Section

The supply section of this plant has three storage tanks, one of which is used at a given time to supply benzene. The benzene is pumped from the operating tanks by a set of two parallel pumps, one working and one spare, which deliver a pressure of 20 bar. There are two parallel thermal relief valves close to the pumps. The flow from the pumps is controlled by manipulating a control valve in the recycle line to one of the tanks. At the far end of a long line system the benzene is supplied to one of two alternative tank systems. The system used depends on the grade of the material. Flow is measured at both ends of the line and any significant difference between the two flows results in an alarm. The plant diagram entered using the Graphical Tool is shown in Figure 11. This benzene storage system is akin to but distinct from the storage section of the main study system, the benzene plant, described previously in this paper.

Separation System

The separation system is part of a light ends recovery plant. Only some of the units in the system have been considered: separators, heat exchangers, pumps and compressors. The main feed streams are (1) fractionator overhead vapours, (2) unstabilized naphtha and (3) cold LP vapour. The main products are (1) a sponge gas stream (mainly H2S, C2 and lighter hydrocarbons), which is sent to treatment, (2) LPG which is further treated for removal of H2S and then of mercaptans and (3) a stabilized naphtha which is sent to storage. The process may be summarized as follows:

1. Overhead vapours from the fractionator flow to the compressor first stage suction drum to remove any entrained liquid present in the stream.
2. The vapour stream is compressed, in the first stage of a two-stage reciprocating compressor, and then mixed with cold LP vapour and wash water.
3. The vapour stream is cooled and fed to the compressor second stage suction drum to remove any liquid present.
4. The vapour stream is compressed, in the second stage of the reciprocating compressor, and then contacted with hydrocarbon liquid and water from the second stage suction drum, hydrocarbon liquid from the first stage suction drum and rich oil.
5. The mixture then flows through a condenser to the HP receiver where it is separated into three phases: hydrocarbon liquid, vapour and sour water.

The plant diagram entered using the Graphical Tool is shown in Figure 12.

RESULTS OF THE HAZID VALIDATION TRIALS

As mentioned above, during the HAZID validation workshop, held towards the end of the project, each test set plant was assigned to a different user and for each a conventional HAZOP and a HAZOP emulation using HAZID were performed. The analysis of the first three systems was straightforward. In the case of the benzene storage there were differences between the plant descriptions considered by the HAZOP team and by HAZID such that comparison of the two was considered unreliable as a measure of the effectiveness of HAZID. In the case of the separation system the workshop team did not have time to complete their analysis. The output reports from AutoHAZID for the five cases ran to 5, 6, 9, 6 and 14 pages. As illustrations, an extract from the output report for the benzene storage is given in Table 11 and an extract from the report for the separation system is given as Table 12. A summary of the analysis of the trial results is shown in Table 13.

Measurement of HAZID Performance

The main informal measure of the effectiveness of HAZID which has been used throughout the project has been the ratio of the scenarios found by HAZID and also by the HAZOP team to those found by the HAZOP team alone. This is also the prime criterion in the user trials. As Table 13 shows, the current version of HAZID, when applied by users other than the developers, finds some 33–60% of these scenarios.

Factors Affecting Performance

The performance is variable and this is attributed in part to the following factors:

• The quality of the unit models used varied between the five plant systems, some models having been tested more extensively than others;
• Some of the plant systems used fluids about which HAZID had little or no property data;
• Some of the plant systems were more complex than others, e.g. with or without recycles;
• Team results could reflect different views among the teams about what is correct and interesting.

Although HAZID currently finds a reasonable proportion of scenarios, this is masked by a large amount of information which is either correct but uninteresting, incompletely resolved or in some cases simply incorrect.

Uninteresting Scenarios

There are a number of ways in which the uninteresting scenarios could be culled. For example, one particularly common type of scenario is that associated with leaks, but the user may well find these of little interest and wish to have them eliminated.
Alternatively, consequence evaluation may be used to assign importance ranks to scenarios so that those of lower ranks may be suppressed from appearing in the output report. However, for the user to have confidence in this, the rules for the evaluation of consequences need to be of good quality and the scenarios need to be available for the user to review on demand.

Incomplete Resolution

Incomplete resolution occurs because HAZID currently lacks a full ability to resolve whether a deviation will result in a significant consequence. Whilst considerable progress has been made on this, there is work still to be done. A significant cause of incomplete resolution, and in effect incorrect output, is the case where the magnitudes of deviations in the cause-consequence relationship are in reality not sufficient to generate a consequence of interest. Thus it may be true that some cause gives rise to a specific deviation, and it may also be true that a specified deviation (of sufficient magnitude) will lead to a consequence of interest. At present if AutoHAZID identifies such a case, but is unable to establish the sufficiency/insufficiency of the magnitude of the deviation, then it will infer that the cause is capable of producing the consequence.

Another aspect of this is that the plant is designed to withstand deviations up to a certain magnitude. Thus the loss of cooling water to a heat exchanger will result in the deviation 'Overtemperature of the outlet process fluid'. Normally this will not be significant, because the exchanger will have been designed to withstand the normal temperature of the inlet process fluid and the maximum temperature reached is the inlet process temperature. Solving these types of problems requires further work to enrich the fluid model system rules dealing with the magnitudes of propagated deviations.

Operation using Minimal Information

Whilst lack of information impairs HAZID's performance, there is another way of looking at the matter. This is that HAZID is able to offer an analysis of the plant given no more than a minimal description. This is a deliberate and valuable design feature, since it is envisaged that one use of HAZID is upstream of conventional HAZOP, when not all the detailed information is available. In the user trials, those responsible for preparing the plant descriptions had specifically been asked not to complete all of the detail which can be entered. The information set which was defined by the users was that judged as the best compromise between input effort and output quality. In a system in which equipment and process data can be transferred automatically to HAZID, which is that envisaged for future exploitation, the need for such a compromise would be very much less.

Protections

HAZID did not perform very well in finding protections. This was expected, as the facility had only just been added and was largely untested.
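The culling described under "Uninteresting Scenarios" and the ratio defined under "Measurement of HAZID Performance" can be sketched as follows. This is an added Python example, not HAZID code: the names are hypothetical, the sample rows reuse strings from the Table 12 extract but their groupings and the HAZOP list are constructed, and it assumes that a higher rank means a more important consequence and that scenarios are matched on their fault-consequence pair.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    deviation: str    # e.g. "v-402 moreLevel liquid"
    cause: str        # the fault, e.g. "lV-4008 fails closed"
    consequence: str  # e.g. "vessel overfilling"
    rank: int         # number printed after each consequence in Tables 11 and 12

    @property
    def pair(self):
        """Fault-consequence pair, the unit the repeat filter works on."""
        return (self.cause, self.consequence)


def filter_report(scenarios, rank_threshold=1, drop_repeat_pairs=True,
                  drop_leaks=False):
    """Split scenarios into (shown, suppressed).

    Suppressed scenarios are kept together with the reason, not discarded,
    so that they stay available for the user to review on demand.
    Assumption: a higher rank means a more important consequence.
    """
    shown, suppressed, seen = [], [], set()
    for s in scenarios:
        if s.rank < rank_threshold:
            suppressed.append((s, "rank below threshold"))
        elif drop_leaks and "leak to environment" in s.cause:
            suppressed.append((s, "leak cause culled"))
        elif drop_repeat_pairs and s.pair in seen:
            suppressed.append((s, "repeat fault-consequence pair"))
        else:
            seen.add(s.pair)
            shown.append(s)
    return shown, suppressed


def hazop_coverage(hazop_pairs, hazid_scenarios):
    """Percentage of the HAZOP team's scenarios that HAZID also found."""
    hazop = set(hazop_pairs)
    if not hazop:
        raise ValueError("HAZOP team list is empty; the ratio is undefined")
    found = hazop & {s.pair for s in hazid_scenarios}
    return 100.0 * len(found) / len(hazop)


def correct_percentage(hazid_scenarios, judged_correct_pairs):
    """Percentage of distinct HAZID scenarios that reviewers judged correct."""
    pairs = {s.pair for s in hazid_scenarios}
    if not pairs:
        raise ValueError("no HAZID scenarios to judge")
    return 100.0 * len(pairs & set(judged_correct_pairs)) / len(pairs)


# Constructed sample: the strings come from the Table 12 extract, but the
# deviation/cause/consequence groupings and the HAZOP list are illustrative.
HAZID_OUTPUT = [
    Scenario("v-402 moreLevel liquid", "lV-4008 fails closed", "vessel overfilling", 2),
    Scenario("v-402 moreLevel liquid", "lV-4008 fails closed", "liquid droplet entrainment", 3),
    Scenario("mC-401-2ST moreLiquid in", "lV-4008 fails closed", "vessel overfilling", 2),
    Scenario("v-402 lessLevel liquid", "lV-4008 fails open", "gas breakthrough", 3),
    Scenario("fromC401 lessFlow out", "val26 leak to environment", "toxic release", 2),
    Scenario("e-401 lessFlow tubeIn", "val45 leak to environment", "non-hazardous release", 1),
]

HAZOP_TEAM = [
    ("lV-4008 fails closed", "vessel overfilling"),
    ("lV-4008 fails open", "gas breakthrough"),
    ("p-402A loss of drive", "vessel overfilling"),           # missed by HAZID here
    ("e-401 tube rupture", "liquid contents contaminated"),   # missed by HAZID here
]

if __name__ == "__main__":
    shown, suppressed = filter_report(HAZID_OUTPUT, rank_threshold=2, drop_leaks=True)
    for s in shown:
        print(f"SHOW  {s.deviation} | {s.cause} | {s.consequence} {s.rank}")
    for s, why in suppressed:
        print(f"HIDE  {s.cause} | {s.consequence} {s.rank}  ({why})")
    print(f"HAZOP scenarios also found by HAZID: "
          f"{hazop_coverage(HAZOP_TEAM, HAZID_OUTPUT):.0f}%")
```

Coverage is computed on the unfiltered output; computing it on the filtered list would let the display flags change the measured performance.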


SUMMARY

This paper has discussed two of the methods used in the STOPHAZ project for testing the performance of HAZID: the learning set and the test set case study plants. Firstly, the learning set and the main study system (the benzene plant) were introduced as a means of getting pointers to improvements needed in the unit and fluid model systems. Then, after discussing the issues of correctness, completeness and conciseness in connection with HAZID results, the test set plant systems were introduced. Finally, some results of the test set evaluations carried out at the end of the project were discussed. The next paper will discuss some ideas for possible future developments of the HAZID system and will offer some concluding comments on the work presented in this series of papers.


ACKNOWLEDGEMENTS

The authors would like to acknowledge the support of the Commission of the European Community (Esprit Project 8228: STOPHAZ), their colleagues at Loughborough, and the contributions of many personnel from their partners in this project: ICI, Snamprogetti, SFK, Intrasoft, TXT, Aspentech, Bureau Veritas, Hyprotech and VTT. Paul Chung acknowledges the support of BG and the Royal Academy of Engineering through a Senior Research Fellowship.

ADDRESS

Correspondence concerning this paper should be addressed to Professor P. W. H. Chung, Department of Computer Science, Loughborough University, Loughborough LE11 3TU, UK. The manuscript was received 22 April 1998 and accepted for publication after revision 17 January 2000.