Abstract
A detailed description of all the stages of a HAZOP study of a batch operation, illustrated for a reaction stage of a multistep process. The company, site, and process are described, and general process data provided including the appropriate P&ID. A full description and design intention is given for the selected node. A detailed report from the HAZOP study is provided.
Keywords
Batch HAZOP; sequential HAZOP; reaction step; process description; P&ID, HAZOP report.
This example illustrates the following aspects of a HAZOP study:
• an overall description of the plant and process;
• the selection of the stages of the process for study;
– the detailed description and the design intention;
– a list of the parameters and guidewords used;
– a part of the HAZOP study report, illustrating some of the deviations with consequences, safeguards, and actions.
The example has been fabricated, although it is intended to resemble a real operation. For simplicity, the main reactants are simply labeled A and B.
The company is a long-established general chemical manufacturing company, employing over 2000 people at several sites in the UK. It has a good safety record and routinely uses HAZOP study for new plant, new processes, and major modifications. A central safety group oversees this activity and provides trained leaders for all process hazard studies on new plant or processes. The six-stage process hazard study system is used, with HAZOP study as the usual method used at stage three.
The site concerned with this process is on the outskirts of an industrial city and employs 350 people. It lies between a river and a major road and, on one side, is close to an old housing estate. There are a number of continuous processes and several general-purpose batch units on-site. The operation to be examined is for a new process in one of the batch units which will be adapted to the needs of this process. Laboratory work has been done to determine the batch size and conditions. Reaction hazard investigations have been carried out to identify the reaction hazards and to define a basis for safety.
The essential elements of the process are as follows. The sodium salt of an organic reactant, A, is formed by adding caustic soda solution to A in a large reaction vessel. The process is mildly exothermic; a slight excess of caustic is used to maintain the pH around 11. The salt is then reacted with a second organic material, B, added at a controlled rate from a measure vessel. This reaction is very exothermic, and cooling is required. To obtain a high-quality product, the reaction needs to be carried out at between 55–60°C.
The section of the batch plant to be used for the reaction stage consists of two measure vessels at level two that will be used for the caustic soda solution and for reactant B. The required amounts are taken from drums on weigh scales, using vacuum. The feed to the reactor at level one is by gravity. Component A is pumped from drums directly into the reactor followed by a line flush with water. After the reaction is complete, as confirmed by analysis of a sample, the products are pumped to another vessel for further processing.
Component A is a solid, mp 30°C, flash point 45°C, with a long-term exposure limit (LTEL) of 10 ppm. Component B is a liquid, mp 5°C, bp 122°C, flash point 10°C, with a LTEL of 2 ppm and it causes chemical burns on skin contact. The solution of A in caustic soda and the product solution after reaction of B are all single-phase systems.
From consideration of the draft operating procedure, based on the laboratory investigations, the stages marked ✓ were selected for HAZOP study:
1 | Check plant set-up | |
✓ | 2 | Measure 250 kg of 30% caustic solution to vessel F1 |
3 | Melt two drums of A in a drum heater | |
✓ | 4 | Pump 425 kg of A to reaction vessel F3 |
5 | Flush line with 100 L of water | |
6 | Heat F3 and contents to 55°C | |
✓ | 7 | Run caustic from F1 to F3 |
✓ | 8 | Measure 375 kg of component B to vessel F2 |
✓ | 9 | Reaction stage: controlled feed of B from F2 to F3 |
✓ | 10 | Workout for 20 min (combined with step 9 for HAZOP study) (see Table A4.1, pages 132–137) |
11 | Sample and check product | |
✓ | 12 | Pump contents of F3 to F4 |
13 | Wash F3 with 200 L of water | |
14 | Pump wash water to F4 |
The basis for not selecting some stages is that they are simple, familiar steps of low hazard potential, with little chance of incorrect execution or omission by the operators.
Table A4.1
HAZOP study on steps 9 and 10 (reaction and workout) (to be used in conjunction with figure A4.1, pages 126–127)
Ref. | Parameter | Deviation | Possible Cause | Consequence | Safeguard/Protection | No | Action | On |
1 | Quantity/step | No B is added—step omitted | Operator error, for example, at shift handover. MV307 closed after maintenance | Spoilt batch | Detected at sampling and can easily be corrected. Batch sheet requires analysis to be signed off by supervisor | 1.1 | Start-up check to confirm that MV307 is open | TB |
1.2 | Operating procedure to include a sight glass check that flow is established | TB | ||||||
2 | Quantity | Excess of B is added | F2 not fully emptied from last batch | Excess of B in product: batch will be out of specification | Detected at sampling but a special procedure will then be required | 2.1 | Operating procedure to include a check on vessel F2 before B is measured out | TB |
3 | Quantity | Too little of B is added | Blockage in line or at OP1 | Batch out of specification and process delay | Detected at sampling | 3.1 | Check procedure for clearing line and OP1 when transfer line holds component B | FL |
3.2 | Batch sheet to require a check that F2 is empty at end of the addition stage | TB | ||||||
4 | Quantity | Too much of A is present | Error at earlier stage resulting in small excess (double charging covered in HAZOP of addition step) | Batch out of specification and process delay | Detected at sampling | 4.1 | Check that procedure will be written to cover this case and include in training program | JH |
5 | Quantity | Too little A is present | Error at earlier stage resulting in small deficiency | Batch out of specification and process delay. Not easily corrected | Detected at sampling | 5.1 | Evaluate likelihood of this deviation and, if necessary, draw up procedure | MS |
6 | Flow (rate) | Too fast | Corrosion/erosion of OP1 | Reaction rate and heat release increased. May eventually exceed vessel cooling capacity leading to over-temperature | Independent alarms TICA 32/33 located in a manned control room | 6.1 | Check that OP1 material is compatible with component B | BT |
7 | Flow (rate) | Too fast | Wrong OP fitted at OP1 after maintenance | Could quickly exceed the vessel cooling capacity, causing a reaction runaway and demand on BD2 | TICA32/33 located in a manned control and BD2 relieving to dump tank. Good control of maintenance | 7.1 | Specify OP1 size in operating procedure and ensure problem is covered in operator training | TB |
7.2 | Confirm flowrate at OP1 at the water trials stage | FL | ||||||
7.3 | Control sequence to include trip closure of AV203 and fully open CV303 in the event of over-temperature | AW | ||||||
8 | Flow (rate) | Too fast | MV306 is open and so orifice plate OP1 is bypassed | Will very quickly exceed the vessel cooling capacity and lead to a reaction runaway and demand on BD2 | TICA32/33 to manned control room and BD2 relief to dump tank. BD2 is sized for addition at maximum possible flow rate in a 25 mm line | 8.1 | MV306 to be locked closed as it is not used in this process | FL |
8.2 | Include sensing of BD action to give alarm and to close AV203 | AW | ||||||
8.3 | Consider removal of OP2 from the cooling water inlet line so full cooling capacity will be available. Take into account the original purpose of OP2 in controlling heating rates/cooling profiles/blowdown of condensate | FL | ||||||
9 | Flow (rate) | Too slow | Partial blockage in line or at orifice plate OP1 | Batch time extended | Operator will note problem when seeking to move to next stage | 9.1 | Covered by actions 3.1 and 3.2 | FL |
TB | ||||||||
10 | Flow | Elsewhere | Crack or leak at BD2 (action 8.2 only detects full burst) | Loss of contaminated nitrogen to dump tank and eventually to atmosphere | None | 10.1 | Put BD2 on a regular checking schedule | FL |
11 | Temperature | High | Control problem or faulty temperature signal (reads low) | Overheating will occur, with contributions from the heating system. Most serious condition would be common effect since both temperature probes are in the same pocket in F2 | None unless the fault also leads to a low temperature alarm when operator intervention could be expected | 11.1 | Check whether it is possible to physically separate the two temperature probes (control and protection) to reduce common cause effects | FL |
12 | Temperature | High | Loss of cooling water (a low probability event) | Overheating. Runaway if cooling water is not restored or the addition halted | TICA32/33 are located in the manned control room and BD2 relieves to dump tank | 12.1 | Covered by action 7.3 | AW |
13 | Temperature | High | Jacket not switched from steam to cooling water after earlier step | Overheating with possible reaction runaway | TICA32/33 to manned control room and BD2 relieves to dump tank | 13.1 | Control program to include checks that valve CV301 on the steam line is closed | AW |
14 | Temperature | Low | Control problem or faulty temperature signal (reads high) | Poor quality batch. Extreme outcome is cessation of reaction and accumulation of unreacted B | TAL from TICA 32 | 14.1 | Take TAL from both the control and the protection temperature sensors | AW |
14.2 | Determine suitable interval for calibration checks on TICs | FL | ||||||
15 | Pressure | High/low | No causes identified in addition to the runaway situations discussed above | |||||
16 | Reaction rate | High/low | No additional causes found | |||||
17 | Mix | No mixing | Mechanical coupling fails or agitator blade becomes detached | Risk of accumulation of unmixed B leading to uncontrolled reaction | Possibly detected by low motor current alarm | 17.1 | Add a rotation sensor to the shaft of the stirrer; interlock to reactant feed valve AV203 | AW |
18 | Mix | No mixing | Motor failure | Risk of accumulation of unmixed B leading to uncontrolled reaction | Alarm on motor current (low) | 18.1 | Existing safeguard adequate provided action 17.1 is implemented | AW |
18.2 | Develop a safe operating procedure for restarting a batch after accumulation has occurred | BT | ||||||
19 | Mix | Less mixing | Viscous mixture formed | Stirring becomes inefficient and unmixed B may accumulate | May be alarmed by sensor added in action 17.1 | 19.1 | Check viscosity under extreme conditions to decide if action is needed. If so, include an alarm on high motor current | BT |
20 | Mix | Reverse | Incorrect connection after maintenance | Stirring becomes inefficient and unmixed B may accumulate | None | 20.1 | Include a check on stirrer operation in the commissioning trials and in the maintenance procedures | TB |
21 | Composition | Part of | Wrong ratio of reactants covered under high/low quantity | |||||
22 | Composition | As well as | Wrong drum used when charging component B | Unpredictable but minimum will be a spoilt batch | Covered in HAZOP of the charging step | 22.1 | Review actions from earlier HAZOP and ensure that the purchasing department specifies a distinct drum color | MS |
23 | Control | None | Complete loss of control computer | System moves to fail safe condition | Design assumes a period of operation of the computer on its UPS. Ultimate protection is provided by BD2 | 23.1 | Check that fail safe settings include isolation of feed of B, continued stirring and full cooling to vessel jacket | AW |
24 | Control | Part of | Selective failure. Most serious would be loss of temperature sensors/control | Possible undetected overheating | Ultimate protection is provided by BD2 | 24.1 | Check that the temperature sensors connect to different input boards | AW |
24.2 | Include temperature comparison (TICA32/22) in the checks and add a difference alarm | AW | ||||||
25 | Operator action | Sooner | Step started early | Starting temperature is low. Reactant may accumulate and then cause runaway reaction once mixing starts | Ultimate protection is provided by BD2 | 25.1 | Specify the lowest safe starting temperature | BT |
25.2 | Provide software interlock to prevent low temperature start | AW | ||||||
26 | Operator action | Part of | Workout period is shortened if the addition is slow (for any reason) | Uncertain—basis for inclusion of the workout period is not clear | 26.1 | Carry out further laboratory work to determine the importance of the workout and to define the minimum allowable time | BT | |
27 | Services | Loss of instrument air | All valves move to assigned failure positions | 27.1 | Review the failure modes of all valves to ensure specification is correct | JH | ||
28 | Services | Power loss | Unpredicted failure, cut cable, and so on | Stirrer stops. Computer moves plant to a safe hold position | Computer has its own UPS | 28.1 | Include this condition in the check under 27.1 | AW |
28.2 | Consider need for planned restart procedure after such an interruption | JH | ||||||
29 | Maintenance | Work on AV203 | Valve problem on AV203 during the transfer | AV203 cannot be isolated from F2 for safe maintenance | None | 29.1 | Put additional manual valves in the F2/F3 line | FL |
29.2 | As a general action, review the P&ID to ensure all key items can be isolated | FL | ||||||
30 | Vessel entry (F3) | Other activity | Inspection or other requirement for entry to vessel | Risk to operator from inert atmosphere, especially nitrogen | Spades installed on all lines | 30.1 | Review the isolation of F3, including possible insertion of flexible section into the nitrogen line so that it can be disconnected and blanked off. Need to cover F2 as well since it has its own nitrogen supply and is linked to F3 | MS |
31 | Drainage | Leak of B | Leaking flange on transfer line from F2 to F3 | Some loss of component B into process area | All spillages in this area run to a common sump | 31.1 | Check the materials in use on adjacent units for potential incompatibility | FL |
31.2 | Operating procedure to include a routine inspection of the transfer line at the stage of the process | TB | ||||||
32 | pH | High/low | Imbalance in quantities of A or caustic added previously | Batch quality affected unless initial pH is range 10–11.5 | None | 32.1 | Operating procedure to include a check on pH before this step is initiated | TB |
32.2 | Consider need for a procedure for correction of pH | BT | ||||||
33 | Trip action | Out of range condition | Any | Control system moves the plant to a predetermined state based on the trip signals | 33.1 | Prepare matrix to show which valves act in each trip scenario. Review the matrix at next HAZOP meeting | JH | |
34 | Operator PPE | Exposure | Leakage or spillage | Contamination | Standard procedures | 34.1 | Confirm that procedures exist for all materials handled in the process | TB |
During the HAZOP study, the team is expected to consider all potential SHE hazards as well as operability problems.
The HAZOP study team
Name | Discipline | Job Title | Role/Represents | Years |
Mike Stopner | Chemist | Safety Advisor | Leader | 25 |
Jennie Howard | Chem Eng | Project Engineer | Design team | 7 |
Tom Bailey | Shift supervisor | Operations | 17 | |
Bob Teryl | Chemist | R&D Chemist | Process development | 12 |
Andy Wires | Electrical Eng | Control Engineer | Control/instruments | 3 |
Frank Laycrew | Mech Eng | Site Engineer | Services/maintenance | 14 |
Karl Jones | Chem Eng | Trainee Project Engineer | Scribe | 1 |
All are full-time employees of the company and, apart from KJ, have previous experience of HAZOP study, including training on a 2-day in-house course. MS has also attended an external 4-day training course on HAZOP study leadership and has been leading studies throughout his time in the central safety department (5 years).
Documents include a set of P&IDs showing the plant as it will be set up for the operation including spaded lines and any new connections. A separate P&ID is used for each stage of the HAZOP, marked up showing the actual items of the plant involved in that stage and showing which valves are open (Figure A4.1 for steps 9 and 10). Full details of plant and equipment specifications are available if required. The other items made available to the team are:
• process description and outline operating procedure;
• reaction hazard review covering laboratory studies of the chemistry, reaction kinetics and thermodynamics. Results from differential scanning calorimetry analysis of components A, B, and the reaction product; adiabatic calorimetry data, including reaction simulation. The basis of safety was derived from this work;
• material safety data sheets for all reactants; the available hazard data for the product;
As a consequence of the previous steps, the state of the plant at the start of this step is that the reaction vessel, F3, contains 425 kg of component A, 100 L of water, and 250 kg of 30% caustic. Component A has been converted to the sodium salt and sufficient excess caustic is present to raise the pH to 11. The stirrer is running and the mixture is controlled at 55–60°C, using hot water to the vessel jacket. The vessel is open to the scrubber through a condenser, set to return any condensed liquids to F3. Measure vessel F2 contains 375 kg of component B that is to be run down to F3 over a period of about 3 hour at 2 kg min−1. The flow rate is controlled by the orifice plate, OP1. Both F2 and F3 are operated at atmospheric pressure under nitrogen to prevent the formation of a flammable atmosphere. The continuous feed of nitrogen into each vessel is vented through the scrubber. The scrubber is operated to reduce the levels of vapor A and B to below their LTEL values to permit safe discharge at a high level.
The basis for safety was developed from work initiated in HS 2. It requires:
• The rate of heat evolution from the amount of B present in the reactor does not exceed the cooling capacity of the reactor. For this to be achieved, all the following conditions must be maintained:
– the rate of addition of B is controlled at 2 kg min−1;
– there is continuous stirring to avoid accumulation of B;
– the temperature is kept above 40°C to minimize accumulation of B;
• If runaway reaction does occur, the reaction vessel is protected by the rupture of the bursting disc which relieves to a dump tank from which the resulting vent is acceptable at the expected frequency.
From the earlier hazard reviews, the worst case event is identified as a runaway reaction which is not fully relieved by the bursting disc. In this circumstance, it is estimated that the reactor design pressure could be exceeded by a factor of 1.5. Reactor rupture is possible but is of low probability. The consequences of vessel rupture would be the possibility of operator fatality and severe local contamination which, if an aerosol cloud forms, could be blown off-site. The worst effect of this is if the wind direction was toward the local housing estate. The operation of the bursting disc is crucial to avoidance of this event, and it has been sized on the basis of small-scale experiments providing data for use with the DIERS design rules.
As the previous steps have been subjected to HAZOP study, it is assumed that there is negligible chance that they are not as described unless new causes are found.
Step nine is started by opening valve AV203, all other conditions having been set previously. The operator initiates the step from a control panel through the computer control system. Apart from occasional checks during the 3 hour addition, the operator relies on the alarms to indicate any deviation from the set conditions. Alarms are set to indicate stirrer motor failure, and low and high temperatures of 50°C and 65°C, respectively. If the temperature reaches 70°C, the valve AV203 is automatically tripped to close. Step 10 (working out for 20 min) follows on directly from step nine with no change in the system or the settings. At 3½ hour from the start of the reaction stage the computer closes AV203, puts the system to hold and awaits an operator input.
The following guidewords (and abbreviations) are used.
The team leader has prepared preselected combinations of parameters and guidewords that give meaningful deviations, as shown in Table A4.2 (page 138). Team members are given opportunities to extend this list. Only those combinations generating a significant discussion are recorded in the HAZOP tables as no realistic meanings or likely causes were found for some. It was found that some of the later combinations had been adequately examined under earlier pairings—for example, “part of composition” was mostly dealt with by “more/less quantity.” Some additional deviations came up during the analysis.
Table A4.2
Preliminary list of applicable combinations of parameters and guidewords
Guidewords | |||||||||
Parameter | N | M | L | R | PO | AWA | WE | EL | O |
Quantity | ✓ | ✓ | ✓ | ✓ | |||||
Flow | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
Temperature | ✓ | ✓ | |||||||
Pressure | ✓ | ✓ | |||||||
Reaction | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
Mix | ✓ | ✓ | ✓ | ||||||
Step | ✓ | ✓ | |||||||
Control | ✓ | ✓ | ✓ | ||||||
Composition | ✓ | ✓ | |||||||
Operator action | ✓ | ✓ | ✓ | ✓ |
The following “parameters” are also considered under the guideword “other (other than)”:
Action in emergencies—for example, fire, explosion, and toxic leak—is considered for the whole process at the completion of the HAZOP study of all the individual stages.
Step—reaction and workout, steps 9 and 10 (see Table A4.1, pages 132–137);
Team—MS (leader), JH, TB, BT, AW, FL, KJ (scribe);
Drawing—P&ID (see Figure A4.1, pages 126–127);
A measured quantity of component B is added by gravity feed from F2 to the prepared mixture in F3 at 55–60°C. The step is initiated by the operator using the computer control system and the addition is started by opening valve AV203, all other valves being preset. The addition takes about 3 hours followed by a short workout period. The total time for these steps is 3½ hour after which AV203 is closed and the system held awaiting an operator command.
To transfer by gravity from the measure vessel F2, and to completely react, 375 kg of component B with the stirred aqueous solution of the sodium salt of 425 kg of component A in F3. The transfer rate is to be controlled at 2 kg min−1 by orifice plate OP1. The reaction temperature in F3 is to be controlled in the range 55–60°C. On completion of the addition, the reaction mixture is stirred for 20–30 min before sampling. A nitrogen atmosphere is maintained in F2 and F3 at the flow rates established in previous steps.
This report is from the first analysis by the team. Since the earlier steps in the process have already been studied, some deviations—for example, wrong amount of A is present—have already been considered. Entries will only occur for these deviations for new causes or new consequences suggested by the team. The team took one session developing this report.
The numbering system adopted is to have an item number for every row of the analysis and to relate the actions to that number. Where two or more actions result they are numbered as, for example, 14.1 and 14.2. Some action numbers are not used such as 15 and 16.
A response/comment column is available but not shown. It is used to enter the responses to the actions and to record any further comments by the HAZOP study team.