Originally issued: April 13, 2021
Carsten Acker, P.L.(Eng.), FS Eng (TÜV Rheinland)
Director of Operations
Watchmen Instrumented Safety Experts Ltd.
Process Hazard Assessments, A Cost Savings Measure
Process Hazard Assessments (PHAs) are often performed for reasons such as standards compliance or due diligence. These are all good reasons to perform a hazard assessment; however, not all companies fully buy into the need for them, and many try to minimize the time spent on the effort or avoid it altogether when possible. Have you ever considered that a well-run PHA may actually save the company money in the long run? In addition to improved safety and environmental protection, that should be the goal. But first some context on why they are necessary. As we consider the standard requirements and potential benefits of a PHA, let us use an example application: a pressure reduction of a flammable gas in an area that is normally unmanned and not located in an environmentally sensitive area.
What are the requirements? Is my project exempt? Why should I bother?
The requirements vary by jurisdiction, but the core principles tend to be the same. Occupational health and safety legislation requires a company to protect the public and workers from hazards posed by its operations. The National Standard of Canada CAN/CSA Z767-17, published in 2017, lays out a very broad definition of where the standard applies in industry. It states that the standard “identifies the requirements for a Process Safety Management system for facilities and worksites handling or storing materials that are potentially hazardous, either due to an inherent chemical, biological, toxicological, or physical property of those materials, or due to the material’s potential or kinetic energy.” As you can see, there is virtually no industrial facility small enough to fall outside the scope of that definition, and our pressure reduction example is no exception.
CAN/CSA Z767-17 and other national standards may be used to assess the minimum threshold of process safety management due diligence in court proceedings following an industrial accident. In 2004, Bill C-45 established a legal duty of care, with serious penalties for violations, for organizations including corporations, their representatives and those who direct the work of others. Section 217.1 of the Criminal Code, added by Bill C-45, reads: “Everyone who undertakes, or has the authority, to direct how another person does work or performs a task is under a legal duty to take reasonable steps to prevent bodily harm to that person, or any other person, arising from that work or task.” Since Bill C-45, the risk of not performing due diligence to protect workers or the public is high. This risk applies not only to the corporation but also to anyone with a duty of care, including project engineers assigned responsibility for the PHA. The standards are intentionally not prescriptive in their hazard assessment requirements, so that a user can apply different hazard assessment techniques to a variety of unique applications. There are a variety of hazard assessment methodologies to choose from to meet your technical and financial needs, under the guidance of a competent risk management professional.
Getting the most from your Risk Assessments is about technique
Hazard assessments can be performed multiple times during a project, and the technique may vary depending on the scope. At a minimum, a hazard assessment should be performed on the fully formed design. The advantage of performing additional hazard assessments early in design is that the opportunity for improvement (i.e., hazard elimination or substitution) is greater because changes are cheap at that stage. When a hazard is identified late in design, the potential to make changes is lower and the cost impact is much higher.
The What-If analysis technique is pretty much how it sounds. The engineered drawings are broken into smaller systems and the facilitator asks questions framed as “What if ...?” about various components and processes to identify and analyze hazards. This and the other hazard assessment techniques compare the scenario risk against the owner’s risk criteria, typically documented in a risk matrix, to determine whether existing safeguards are sufficient and, where needed, to identify opportunities for improvement. This format is less structured and less intensive, and therefore has lower up-front cost, than the more common HAZOP technique described below. It has similar inputs and outputs to the other techniques and is appropriate for projects in the feasibility phase or for low-complexity systems. When used on a large project in the early stages of design involving hazardous processes, it should be followed by a more stringent hazard assessment technique closer to design completion.
A HAZard and OPerability (HAZOP) review is the most common process hazard assessment technique. It functions much like a What-If, but with more structure. The process under scrutiny is broken into manageable nodes and pre-defined guidewords (no, more, less, reverse, and so on, applied to parameters such as flow and pressure) are used to identify and analyze hazards. This assessment will answer the question, “What consequence can be expected if our proposed pressure reduction control fails, and what safeguards are in place to protect the downstream equipment?” This example is referred to as single jeopardy, since only one failure needs to occur for the hazard to be realized (excluding safeguards). Using a qualitative approach for this example, it is likely that multiple safeguards would be required to drive the risk down to an acceptable level because of the overpressure potential of this combustible product. In some cases these additional protection layers may not have been considered in the original design and therefore may not have been budgeted for. Before making costly design changes, further analysis helps remove conservatism and better quantify the level of risk reduction actually needed. This is where LOPA comes in.
The techniques described so far are qualitative and therefore, in most instances, should not be used for hazardous processes without a quantitative approach such as Layer of Protection Analysis (LOPA) to complement them. CAN/CSA Z767-17 states that “The hazard assessment should be quantitative in nature for scenarios that can result in large scale health, safety, or environmental consequences.” The most efficient way to conduct a hazard assessment with a LOPA is to use the qualitative processes described above as a sorting mechanism to identify the high-risk scenarios. The low-risk scenarios are closed out in the HAZOP or What-If. The high-risk scenarios are sent to LOPA, where they are analyzed with no further review needed in the HAZOP setting.
LOPA is a semi-quantitative hazard assessment technique with many of the same inputs and outputs as the techniques listed above. Being more quantitative, LOPA is more rigorous than a HAZOP or What-If and requires more effort from stakeholders, but it allows removal of some of the conservatism built into qualitative techniques. The team can take partial credit for conditional factors (such as probability of occupancy, probability of ignition or time at risk) that would not be appropriate in a qualitative assessment. In our example, credit for the low occupancy of the area would certainly be factored into the health and safety consequence discussion and may reduce the risk reduction required of the proposed safeguard(s). Reducing the assessment effort on low-risk scenarios and redistributing it to high-risk scenarios removes conservatism and often results in fewer recommendations for costly changes, saving the project money.
LOPA also provides the ability to specify a high integrity function to provide multiple orders of magnitude of risk reduction in the form of a Safety Instrumented Function (SIF), rather than needing to design multiple protection layers to close risk gaps. In our example, the design team may exercise the option to consolidate multiple low-integrity safeguards into a single high-integrity safeguard, which could result in a cost savings.
Properly documented scenarios
Whichever hazard assessment technique is used, it is important that it be documented appropriately so the powerful information it contains can be put to good use. Avoid getting caught in the weeds: documenting incomplete thoughts, missing important scenarios, or spending exorbitant time on low-risk scenarios. Document the root concern, taking into consideration the most severe credible outcome. Assess the risk without the planned safeguards, so that the team understands how many safeguards are necessary given that safeguards can fail. Consider “knock-on” consequences that occur when a safeguarding strategy transfers risk elsewhere (e.g., a pressure relief device discharging toxic material to atmosphere). Use the PHA to identify safety critical elements, then make sure these safeguards are properly deployed. Be specific when documenting safeguard tags, equipment tags and drawing references so they can be searched and kept up to date. Organize the report so that users can easily find important information and clearly understand the hazards in the process.
Safeguard identification is one of the most common improperly documented components in a hazard assessment. For a safeguard to be effective it must be “Specific”, “Auditable”, “Independent”, and “Dependable”.
The safeguard must be “Specific” to the hazard and not rely upon an indirect measurement.
If a safeguard is not properly documented and “Auditable”, it is likely that it will not be properly designed, installed, and maintained to perform the intended function. A poor audit trail also makes due diligence harder to demonstrate should an accident occur.
Safeguards that are not “Independent” cannot be relied upon to act appropriately when common elements have failed causing the initial hazard. Logic solver independence requirements can be complicated and at times contentious. BPCS and SIS independence requirements are defined in detail in IEC 61511. Specific attention should be paid to BPCS independence with a corporate policy defined prior to performing a hazard assessment.
Credited safeguards must be “Dependable” in preventing the hazard under consideration. If the safeguard will only work sometimes, then risk should be assessed assuming the safeguard may not be reliable and a better safeguard should be considered.
Can a risk assessment pay for itself, or even save money?
Hazard assessments are almost always viewed through the lens of extra cost, when they can certainly be viewed in a more nuanced way. There are some obvious costs associated with performing a hazard assessment: the cost of the assessment proceedings itself and the cost of implementing the recommendations for improvement that arise. These costs can be controlled by the team with guidance from a facilitator experienced in multiple hazard assessment techniques and in safeguarding design strategies. Competency in multiple assessment techniques breeds agility and efficiency. Safeguarding design competency also helps in applying the right solution to the application. The facilitator should have proven practical experience in complex safeguard design such as Safety Instrumented Systems (SIL-rated instrumented safeguards), particularly for the high-risk scenarios that will be evaluated in a LOPA.
The potential cost savings associated with a hazard assessment can be substantial and deserves consideration. Hazards are inherent to industrial processes and cannot be eliminated entirely, but they can be managed. We cannot manage what we do not measure, and hazard assessments are required to measure risk.
Using the ALARP principle (As Low As Reasonably Practicable), the decision on whether to invest in additional safeguards can be evaluated with a cost-benefit calculation. ALARP is a frequently used term that is often misunderstood and/or misapplied. Your hazard assessment should attempt to identify ways to reduce the risk further whenever the residual risk is above the broadly acceptable (low) threshold. From a strictly fiscal perspective, one can annualize the cost of a fatality and then quantify the year-over-year benefit of reducing the frequency of a fatality. Using simplified calculations, consider our example where a fatality could cost the corporation $2,000,000, and the corporation has the opportunity to reduce the likelihood of a fatality from 1 in 100 years to 1 in 10,000 years with an additional safeguard. Without the additional safeguard, the annualized cost of a fatality is $20,000 ($2,000,000 / 100). With the additional safeguard, the annualized cost is $200 ($2,000,000 / 10,000), an annual benefit of $19,800. In our pressure reduction design example, if the annualized cost of the additional mitigation (including lifecycle maintenance costs) is less than $19,800 per year, the company sees a financial benefit from implementing the risk mitigation, in addition to the obvious moral reasons for doing so. Performing this calculation gives the owner a reasonable basis for these decisions and demonstrates due diligence when deciding to refrain from adding safeguarding equipment. Conversely, choosing not to install a device with an annualized cost of $15,000 would not meet the ALARP principle, and the design may be found not to be reasonably adequate upon investigation.
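The arithmetic above, together with the LOPA conditional modifiers and the SIF credit discussed earlier, carried through as an added example (this is not the article's own code). A small scenario model derives the 1-in-100 and 1-in-10,000 frequencies from an initiating event, an occupancy modifier and an added safety instrumented function, then applies the ALARP cost-benefit comparison. The $2,000,000 cost of a fatality and the two frequencies are the article's figures; the 0.1/yr initiating event frequency, the 0.1 occupancy modifier, the SIF-101 tag and its 0.01 PFD are assumptions chosen so that the scenario reproduces those figures.

```python
"""LOPA scenario frequency and ALARP cost-benefit screening.

Added example, not code from the original article. Article figures:
cost of a fatality $2,000,000, unmitigated fatality frequency 1 in 100
years, mitigated frequency 1 in 10,000 years. Assumed: initiating event
frequency 0.1/yr, occupancy modifier 0.1, SIF-101 with PFD 0.01.
"""
from dataclasses import dataclass, field
from math import prod


@dataclass
class Scenario:
    """One LOPA scenario: an initiating event, independent protection layers
    (IPLs) expressed as probability of failure on demand (PFD), and
    conditional modifiers such as probability of occupancy or ignition."""
    name: str
    initiating_event_freq: float                  # events per year
    ipl_pfds: dict = field(default_factory=dict)  # IPL tag -> PFD
    modifiers: dict = field(default_factory=dict)  # modifier name -> probability

    def frequency(self) -> float:
        """Consequence frequency per year: IEF x product(PFDs) x product(modifiers).
        With no IPLs and no modifiers this is the unmitigated frequency."""
        return (self.initiating_event_freq
                * prod(self.ipl_pfds.values())
                * prod(self.modifiers.values()))


def required_pfd(unmitigated_freq: float, tolerable_freq: float) -> float:
    """PFD an additional IPL must achieve to close the risk gap.
    Returns 1.0 when the scenario already meets the tolerable frequency."""
    return min(1.0, tolerable_freq / unmitigated_freq)


def alarp_cost_benefit(unmitigated_freq: float, mitigated_freq: float,
                       consequence_cost: float, annual_safeguard_cost: float) -> dict:
    """Annualized loss avoided by a safeguard compared with its annualized
    cost (capital spread over life plus maintenance). 'justified' is True
    when the safeguard costs no more than the loss it avoids each year."""
    annual_benefit = (unmitigated_freq - mitigated_freq) * consequence_cost
    return {
        "annual_benefit": annual_benefit,
        "annual_cost": annual_safeguard_cost,
        "justified": annual_safeguard_cost <= annual_benefit,
    }


# Assumed scenario: the BPCS pressure control loop fails (0.1/yr assumed);
# the area is normally unmanned (occupancy 0.1 assumed); no existing IPL.
baseline = Scenario("pressure reduction, loss of control", 0.1,
                    ipl_pfds={}, modifiers={"occupancy": 0.1})

# The same scenario with an added SIF credited at PFD 0.01 (assumed tag and value).
with_sif = Scenario("pressure reduction, loss of control", 0.1,
                    ipl_pfds={"SIF-101": 0.01}, modifiers={"occupancy": 0.1})


if __name__ == "__main__":
    print(f"unmitigated: 1 in {1 / baseline.frequency():,.0f} years")
    print(f"with SIF:    1 in {1 / with_sif.frequency():,.0f} years")
    print(f"PFD needed to reach 1e-4/yr: {required_pfd(baseline.frequency(), 1e-4):.3g}")
    for cost in (15_000, 25_000):
        print(cost, alarp_cost_benefit(baseline.frequency(), with_sif.frequency(),
                                       2_000_000, cost))
```

Running the block prints the 1-in-100 and 1-in-10,000 frequencies, the PFD of 0.01 (two orders of magnitude) that a single added layer would need, and shows a $15,000/yr safeguard justified while a $25,000/yr one is not on fiscal grounds alone. Keep the modifiers separate from the IPLs in the record: occupancy and ignition are credits that a qualitative HAZOP would not take, and they need the same audit trail as a safeguard.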
While process risk assessments may seem as though they are expensive and time-consuming, recognize that they are required and when they are conducted under the leadership of an experienced professional, the benefits should not be underestimated.
Originally issued: October 25, 2021
Carsten Acker, P.L.(Eng.), FS Eng (TÜV Rheinland), CSP
Director of Operations
Watchmen Instrumented Safety Experts Ltd.
Overpressure scenarios are usually among the higher-risk scenarios considered in a process risk assessment such as a HAZOP. In the absence of protection measures, overpressure events can be very violent, and it is quite easy to conceive that a fatality would result. It is a relief to know that a reliable protection device exists and that, in some circumstances, you can take multiple HAZOP credits for it. Pressure relief valves (labelled many ways, such as PSV or PRV) are highly reliable mechanical overpressure protection devices that automatically divert process material to a safe location during a dangerous high-pressure event. The simple nature of the device and the increased rigor with which they are operated and maintained make them an excellent choice for reducing the risk of overpressure. The tendency is to label these relief valves as greater than 99% reliable in hazard assessments without diving too deep into the details. There are some considerations that should be accounted for before overestimating the reliability of these safeguards.
Quite simply put, relief valves have ratings by which they are certified to operate. Among other parameters, a relief valve is rated to relieve a certain flow of material when the inlet pressure rises above a threshold. Setting the pressure threshold (set pressure) is the simple part of the equation: the equipment you are protecting also has a pressure rating, and the relief valve set pressure is chosen accordingly. The more complex part of the equation is determining the appropriate relieving capacity. If the relief valve is too large, the result is “chattering”, in which the relief valve slams open and closed rapidly, causing material damage. If the relief valve is too small, it cannot keep up with the inlet flow, the pressure continues to rise above the setpoint, and an overpressure event can materialize.
Reliance Upon Other Elements
The stated sizing case for these relief valves is often defined by external equipment, such as blocked outlet, upstream valve failure, or reverse flow across multiple check valves. When the protection offered by a relief valve depends on a less reliable piece of infrastructure, the overall reliability of the relief device is degraded. For instance, a relief valve sized for flow across a restriction orifice would be considered highly reliable in most circumstances. The restriction orifice is an even simpler device which sits in the process piping and is not easily circumvented. When properly deployed, this would meet the criteria for being labelled greater than 99% reliable. If the same relief valve is instead sized for flow across a 50% open control valve with a fail-open actuator in severe service, prevented from opening 100% only by software logic, the PSV reliability would be greatly reduced. The unavailability of the protection layer combines the unavailabilities of every element it relies upon (to a first approximation the failure probabilities add; exactly, the availabilities multiply). In this example, the protection provided by the PSV depends on successful operation of the loop controlling the control valve and therefore would be LESS reliable than the control valve itself. A control valve is typically considered no higher than 90% reliable. Simply put, the overall protection provided by this relief valve could be considered 89.1% reliable (99% of 90%).
Before considering your relief valve to be greater than 99% reliable, your designers should assess the information that went into the sizing case. When the sizing case involves a control valve, designers should be aware that mechanical valve stem travel stops tend to be more reliable than programming and that valve orifice sizes (including bypass valves) should be considered safety critical elements and treated with the same maintenance rigor as the relief valve itself.
Considerations for Redundancy
Multiple relief valves are commonly implemented for a variety of reasons, such as limiting flare header sizing or covering different sizing scenarios. When multiple relief valves must all act to provide protection against a single hazard, it should be understood that this can be less reliable than a single appropriately sized relief valve, since a failure of either valve may result in an overpressure event. Crediting a 2 x 50% arrangement as greater than 99% reliable should be avoided, even in the conservative setting of a HAZOP. A 98% reliability (0.99 x 0.99, rounded) could be considered if common cause failures have been properly assessed.
Multiple relief valves, each with full capacity, are sometimes the best choice for overpressure protection. Naturally, when designers consider the effectiveness of 2 x 100% capacity arrangements, they know that this is more reliable than a single appropriately sized relief valve. Due to common cause failures, however, this redundant arrangement should be considered only one order of magnitude more reliable than the non-redundant design: the redundant (second) relief valve is credited at only 90% reliable. A pair of 2 x 100% clean service relief valves can therefore be considered 99.9% reliable (1 - 0.01 x 0.1), not 99.99%, when discussed in a HAZOP or LOPA.
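The three reliability combinations above (a PSV whose sizing case runs through a control valve, a 2 x 50% pair where both valves must open, and a 2 x 100% pair with common cause applied), plus the dirty-service derating discussed later, as an added example rather than code from the article. The 0.99 and 0.90 figures are the article's; the tag names, the treatment of the common-cause effect as a fixed 90% credit on the second valve, and the rounding tolerance in the credit count are assumptions.

```python
"""Combining reliability credits for relief valves in a HAZOP or LOPA.

Added example, not code from the original article. Reproduces the
article's cases: PSV dependent on a control valve (99% of 90% = 89.1%),
a 2 x 50% pair where both must open (0.99 x 0.99 = 98%), and a 2 x 100%
pair whose redundant valve is credited at only 90% for common cause
(99.9%, not 99.99%). Tag names and the fixed 90% credit are assumptions.
"""
from math import floor, log10


def series(*reliabilities: float) -> float:
    """Every element must work for the layer to work: availabilities multiply.
    Use for a PSV that relies on another element (sizing case through a
    control valve) and for a 2 x 50% pair where both valves must open."""
    r = 1.0
    for x in reliabilities:
        r *= x
    return r


def parallel_independent(*reliabilities: float) -> float:
    """Any one element suffices and failures are independent: the
    probabilities of failure on demand (PFD = 1 - reliability) multiply."""
    pfd = 1.0
    for x in reliabilities:
        pfd *= 1.0 - x
    return 1.0 - pfd


def parallel_with_common_cause(primary: float, redundant_credit: float = 0.90) -> float:
    """2 x 100% arrangement: the second valve earns only the credit that
    survives common-cause review (assumed 90%, one extra order of magnitude,
    as the article does) rather than its own nominal 99%."""
    return parallel_independent(primary, redundant_credit)


def relief_valve_credit(nominal: float, clean_service: bool,
                        depends_on: tuple = ()) -> float:
    """Credit for one PSV: derate dirty service to at most 90% (the article's
    common practice) and multiply in every element the sizing case relies on."""
    r = nominal if clean_service else min(nominal, 0.90)
    return series(r, *depends_on)


def hazop_credits(reliability: float) -> int:
    """Whole orders of magnitude of risk reduction a safeguard earns:
    0.99 -> 2, 0.999 -> 3, 0.891 -> 0. The 1e-9 absorbs float rounding
    so that 0.99 is not reported as 1 credit (assumed tolerance)."""
    return floor(log10(1.0 / (1.0 - reliability)) + 1e-9)


if __name__ == "__main__":
    cases = {
        "PSV-101 sized through restriction orifice, clean": relief_valve_credit(0.99, True),
        "PSV-101 sized through control valve PCV-100": relief_valve_credit(0.99, True, (0.90,)),
        "PSV-101 in dirty (H2S) service": relief_valve_credit(0.99, False),
        "2 x 50% pair, both must open": series(0.99, 0.99),
        "2 x 100% pair, independent (optimistic)": parallel_independent(0.99, 0.99),
        "2 x 100% pair, common cause applied": parallel_with_common_cause(0.99),
    }
    for name, r in cases.items():
        print(f"{name}: {r:.4%} reliable, {hazop_credits(r)} HAZOP credit(s)")
```

The credit count is the number a team would carry into a HAZOP: the control-valve-dependent PSV and the 2 x 50% pair fall below two credits, and the 2 x 100% pair earns three rather than four once common cause is applied. Anything the sizing case relies on (a control valve, its travel stop, a bypass orifice) belongs in `depends_on` and in the safety critical element list, so that the credit taken is auditable.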
When a relief valve is undersized for an upstream valve failure, it is common practice to reduce the size of the upstream source valve and add redundancy to the upstream valving configuration. When assessed as a single jeopardy failure, the relief valve can then be considered >99% reliable against the upstream source failure. When designing an overpressure strategy using redundant upstream supplies, be mindful of common cause and common mode failures for those supplies. They should have independent pressure controllers, each with its own tie-in to the process, located where the potential for plugging is minimized.
The CCPS Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis do state that the assumption of a 99% reliable relief valve is based on the service being clean and the valve being inspected and tested periodically. Designers should take note of whether their service is actually clean. H2S, vibration, and entrained solids are examples of service conditions that may not fall into the clean service category. Keep in mind that these mechanical valves are normally in the closed position. The only way to know whether a valve is operational and not seized is through periodic testing or when the valve is called upon to provide protection against overpressure. If the process is severe service or subject to scale build-up, plugging or freezing, these valves may not work when called to act. In these cases it would not be appropriate to consider the valve 99% reliable.
A common practice is to apply a lower reliability credit for dirty service, such as 90%. In addition, it may be necessary to define a shorter test interval for severe service relief valves. This should be defined in a corporate standard to support safe, effective, and repeatable risk analysis by different teams on different projects.
Note that a rupture disk may be installed upstream of the relief valve to keep the valve in clean service. The rupture disk should be inspected and cleaned periodically as well. Pressure monitoring of the space between the rupture disk and the relief valve is needed to detect a pinhole leak in the disk: a leak pressurizes that space, reduces the differential pressure across the disk, and prevents it from bursting at its rated pressure, which effectively disables the rupture disk.
While it is convenient to assume multiple credits would apply to all relief valves in hazard assessments, the associated underestimation in risk can be a costly and, in some cases, fatal mistake. When in doubt, use a conservative approach to risk estimation and assign actions for further follow-up when necessary.
Reference: CCPS, Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis, 2015.