SPE SPE-146192

"Learning the lessons - retrospective HAZOPs" Mr Ian L Herbert, ABB Consulting

Copyright 2011, Society of Petroleum Engineers This paper was prepared for presentation at the SPE Offshore Europe Oil and Gas Conference and Exhibition held in Aberdeen, UK, 6–8 September 2011. This paper was selected for presentation by an SPE program committee following review of information contained in an abstract submitted by the author(s). Contents of the paper have not been reviewed by the Society of Petroleum Engineers and are subject to correction by the author(s). The material does not necessarily reflect any position of the Society of Petroleum Engineers, its officers, or members. Electronic reproduction, distribution, or storage of any part of this paper without the written consent of the Society of Petroleum Engineers is prohibited. Permission to reproduce in print is restricted to an abstract of not more than 300 words; illustrations may not be copied. The abstract must contain conspicuous acknowledgment of SPE copyright.

Abstract

This paper provides operators of up-stream oil and gas assets an over view of some of the lessons leant from a range of retrospective full Hazard and operability studies (HAZOPs).

The Baker report into the Texas City incident highlighted the need for robust Process Hazard Analysis. This strengthened an already growing understanding for the need to re-validate the hazard identification for existing assets. HAZOP is recognized as a systematic methodology for the identification and initial assessment of process hazards. As a result full retrospective HAZOPs have now been undertaken for a number of upstream oil and gas facilities over the past few years. This paper aims to share the learning from these retrospective HAZOPs of existing installations. Key areas are a) How to do it better: taking into consideration that HAZOP fits into a wider Process Safety Structure, need for plant /process experience, preparation and the raising of recommendations/actions, close out of recommendations/actions, etc and b) Some common themes identified from the HAZOP exercise: such as with, losses in knowledge, flare systems, Level instrumentation, Drainage/effluent systems, utility systems, methanol systems, redundant equipment, MOC failures, reliance on operators and procedure failures, aging equipment (isolation).

This paper also details potential ‘what next’ for PHA Hazard identification, as the effort and commitment to periodic full retrospective HAZOPs is considerable. However, the consequences for organizations in not remaining vigilant on changes to their asset Hazards can be significant.

Introduction

Full retrospective HAZOPs have been undertaken for a number of up (and down) stream oil and gas assets in order to re-validate the safe operation of an asset. The importance of adequate Process Hazard analysis has been indicated in the Baker1 report following the Texas City incident. The need to revalidate process hazard analyses has also been identified and is detailed in the CCPS book on revalidating Process Hazard Analysis2, which includes HAZOP as a suitable methodology. HAZOP provides a structured approach to process hazard analysis, as indicated in the Mogford report3, which if carried out correctly should ensure that hazard scenarios and their associated safeguarding measures are identified.

The main reason for revalidation is that Hazards change and in general the understanding of Hazards also increases. The

acceptability of the associated hazard risks also decrease over time. The following factors can all lead to a requirement to revisit the Process hazard analysis of an asset:

Operational learning – the original design and/or operational basis is shown, in practice, to be incorrect. Incidents – both directly on the installation, but also in similar/ third party operations Process changes – changes in composition/ concentration, Pressure/ temperature/ flow, new equipment (new

modules / tie-backs, etc, start up / shut down rates, etc Management changes – Reduced manning, move to automatic operation, move to man-u-matic (as a result of

instrument failures for example), Increased maintenance requirements, Change in ownership, etc New Knowledge – New corrosion knowledge, new environmental knowledge, revised fire/explosion knowledge,

Hydrate modelling. MOC/ previous PHA failures – too specific without reviewing wider implications, incomplete coverage, etc Regulatory changes – the need for through reviews, new regulations (risk based), changes in public perception.

2 SPE SPE-146192

The interaction of Revalidation HAZOPs is showing in Figure 1. The rest of this paper looks at areas in which revalidation HAZOP exercises can be improved, to ensure that the best can be obtained from the considerable revalidation HAZOP effort.

The bigger picture – HAZOP is no longer a standalone exercise

It used to be the case that HAZOPs used to be standalone exercises, comprised of knowledgeable teams reviewing the design and operation of proposed process operations. These used to throw out a massive list of ‘HAZOP actions’ ranging from minor uncertainties and design queries through to significant design concerns and the identification of previously unaware Hazards or operational issues. No structured prioritization was given to these actions. Details of the Hazardous situation and the various safeguards was usually at a high level, with little attempt at any quantification of the risk associated with the identified scenarios (risk ranking). Acceptability of the safeguarding measures was qualitative based on the judgment of the HAZOP team. In addition there was little linkage between the HAZOP and follow up activities. As a result large numbers of HAZOP actions were quickly closed out or even forgotten. The linkage between safety cases and quantified risk assessments to HAZOP studies was also very general. The fact that the HAZOP studies had not disproved the safety case scenarios was in part used to validate the safety case.

Use of risk matrices, should be made in all HAZOPs now undertaken. This provides a good semi-quantified assessment of

the identified Hazard scenarios, which in turn provides an initial and more quantified assessment of the suitability of the safeguards. In addition it provides a basis for prioritisation of recommendations. Ideally the risk matrix should be of the order of 5 consequence categories by 6 or 7 likelihood categories. Matrices with fewer categories have been applied, but the coarseness of these tables and the pessimism in the HAZOP meetings, results in significantly high numbers of high risk scenarios. Preparation of these risk matrices and their use is required and is covered in the following section.

Links to Safety Instrument System (SIL) assessments, safety case updates, and other post HAZOP exercises also need to be

taken into consideration when undertaking and recording revalidation HAZOPs. As such fuller details of the discussions and plant items/processes need to be included in the HAZOP records. This should include full tag numbers for safeguard measures (instrument trips/alarms, PSVs, Etc), SOP numbers and revisions (where standards/ procedures are referenced a check of these documents to ensure that they do cover the areas detailed by the HAZOP), full details of the consequences, etc. The most significant linkage from revalidation HAZOPs has been into the determination of integrity levels for safety instrument systems (SISs). Where both the safety instrument function (SIF) and other protective systems should be reviewed and detailed. Revalidation HAZOPs should review the function of SISs to ensure that they cover the identified scenario in which they are highlighted as providing protection. This should look at trip set points and speed and types of response. The revalidation HAZOP should also, as far as possible, provide details on other (independent) layers of protection and should record these in the HAZOP minutes. Details on the HAZOP team determination on the scale of potential consequences for each scenario should also be recorded. This additional information is invaluable to later Integrity Level (SIL / LOPA) studies.

Preparation, team composition, experience and running

The fundamental difference between project HAZOPs and operational revalidation HAZOPs is that the revalidation

HAZOPs are based on actual operating experience. The initial project HAZOPs will have focused on trying to get the design and initial operation right. The revalidation HAZOP looks at where this initial design and operation has been shown to be incorrect or no longer suitable for the current operation. As such the revalidation HAZOP relies much more on the operating knowledge of the team and the supporting records from the asset. This means that team composition, competency and supporting records are of greater importance. A list of documentation used to support revalidation HAZOPs is listed in Table 1. Because of the scale of such information commonly referenced material should be available are hard copies, where as minor referenced documentation should be available as electronic versions.

To ensure that there is knowledge of the actual operation of the asset the revalidation HAZOP team must include direct

operational experience of the area under consideration, and process knowledge of the reasons behind any design and operational changes. The operational knowledge should be fulfilled by having an experienced operator (or supervisor) with direct experience of operating, or having recently operated, the area under consideration. The process knowledge should be provided by a member from the asset projects or engineering support team. This should be someone who is again familiar with the area under review and is knowledgeable of any previous projects, past and current design/operational issues, and any improvement/ previous action plans that are still outstanding (asset integrity, production limits, etc). Other key revalidation team members include specialist area knowledge when required. Examples such as E/I engineers on systems where there are complex trip systems, mechanical/rotating machines engineer on turbines and compressors, third party engineers, etc. These do not need to be permanent team members, but are required to ensure that there is a high level of knowledge in the team when reviewing these specialist areas. An independent process engineer should also be present in revalidation HAZOPs. This should be someone who can play the process ‘devils advocate’ and should have a good degree of personnel operational and design experience.

SPE SPE-146192 3

The revalidation HAZOP chairman needs to have, in addition to knowledge and experience in running HAZOPs, a wider understanding of Process safety and Process risk assessment. The Chair is now critical in ensuring that the findings from the revalidation HAZOP link in with other process safety assessments. For example they should have knowledge of SIS assessment methods (LOPA), general risk assessment (particularly as they will be required to lead the team through the consequence and likelihood rankings for the risk matrix determination), Safety Case requirements, Human factors, etc.

As detailed in the previous section, semi-quantified risk assessment through the use of the risk matrices should be part of

revalidation HAZOPs (and also project HAZOPs). In order to aid this use of risk matrices it has been found that an initial high level HAZID exercise is a useful starting point for the core team members (Chair, operator(s), asset process engineer(s), independent process engineer, E/I engineer). In particular this helps to define the Consequence determinations and can be seen as a means for calibrating the risk matrix. The asset is broken down into a number of operational sections and a set of high level HAZID guidewords applied to these areas. This is then used to define and understand the potential scale of consequences, e.g. size of fires/ explosions, financial losses (asset damage and business interruption), and environmental consequences. Reference to safety case (QRA) and other process safety assessments at this stage also helps to ensure that the consequences detailed in the HAZOP are in line with these assessments and more importantly where scenarios may differ for example where a new scenario is identified. In addition to this initial HAZID calibration exercise a table of resultant consequence categories should also be developed to aid the revalidation HAZOP team in defining the appropriate category level in the main HAZOP.

Due to the requirement to record greater amounts of information in the HAZOP minutes, it has been found that running the

revalidation HAZOPs with a scribe (needs good technical understanding and good typing skills, a good HAZOP scribe is one that records the main issues being discussed and does not require the team to dictate the discussion) is best. The HAZOP minutes have also been recorded as the meetings progress, with the minutes being shown via a projector or on a large screen.

Recommendations (Actions) arising from HAZOP

Improved control over the raising and handling of HAZOP recommendations has also been included in revalidation HAZOPs. This is because increased focus has been placed on the findings from the revalidation HAZOP exercise. In some cases the numbers of outstanding HAZOP recommendations/action has been included in management KPIs. This has lead to the following changes in the rising and handling of HAZOP recommendations / actions. The first is that in order to control the number of overall HAZOP recommendations raised minor areas of concern have been recorded as HAZOP ‘Observations’ rather than formal HAZOP recommendations. Leaving formal HAZOP recommendations as those that the team has identified as of justifiable concern and which could affect the risk profile of the scenario (a basic ALARP argument). The ‘observations’ have been recorded in a separate spreadsheet and for example have covered the following areas:

Minor drawing check/ changes Minor design check/change Minor procedure update Locked valve register (inclusion/ exclusion/ upgrade) SRD check / change Dead leg register (usually inclusion of potential new deadlegs) HP/LP interface register (inclusion/ exclusion) C&E issues / checks Alarm rationalization (issues/ potential areas for improvement) PSV list (confirmation of suitability)

Single re-validation HAZOP recommendation actions have then been raised to ensure that the ‘observations’ identified for

particular areas are reviewed and actioned. It has also been possible to classify the main HAZOP recommendations. An example of the categories used is given in table 2. This is helpful as it can provide some linking of multiple recommendations into a single HAZOP action. It is also useful in determining the areas in which the asset has the most issues and can be used to identify overall weaknesses in the asset operation.

Using the risk matrix also allows for prioritisation to be given to the HAZOP recommendations. High risk

recommendations can be feed back to the asset management for immediate action (should be referred back within one week of the recommendation being identified). Lower risk level recommendations should have a longer time scale for feeding back and for closure. For example medium level risk recommendations are usually reported after the completion of the section/unit in which they are identified and low level risk recommendations are held until the completion of the full HAZOP. Some organisations are also combining the risk ranking with additional recommendation prioritisations. Such that newly identified hazards even at medium risk levels are given a high priority. The revalidation HAZOP should establish with the asset management the means for prioritising revalidation HAZOP recommendations. This should ensure that these

4 SPE SPE-146192

recommendations are correctly fed into the Process safety management system and are actioned within the appropriate time scales.

The revalidation HAZOP recommendation wording has also been the subject of review. The recommendations, a far as

possible, need to apply SMART principals (Specific, Measurable, Achievable, Realistic and Timely) when wording. In particular avoid use of ‘consider’ in the recommendation wording. The number of recommendations raised and the effort required closing out recommendations, particularly for low risk recommendations, means that consideration may be limited and insufficient. It has also been found that individual recommendation sheets should be generated. These sheets should containing not only the recommendation wording, but also details of the causes, consequences, section in which it was identified and even the identifying guide words in order to retain the context of the recommendation and assist those that may be called upon to close the recommendation. Care should be taken with some HAZOP recording software that extracts the recommendations only, as this loses the context in which the recommendation was raised and makes later response to the recommendation more difficult. Asset management should also ensure that they know how they will handle the recommendations arising from the HAZOP. For large revalidation HAZOP exercises, given the number of recommendations that can be generated, a separate HAZOP recommendation close out project has proved to be the most successful means for ensuring timely close out of HAZOP recommendations.

Areas that have generated common findings

The previous sections have covered general areas where revalidation HAZOPs have improved the way in which the HAZOPs have been undertaken and carried out. This section highlights some areas where common (cross asset) issues have been identified during revalidation HAZOPs.

Loss of knowledge. In particular of the original basis of design/ basis of safety. A number of operations have been

reviewed where the current operation differs considerably from the original design intent. This has been the result of creeping changes, process condition changes, original design failures and equipment failures. In some cases a commissioning operation has been then adopted as the current mode of operation. Without the original basis of design (BOD) it has been difficult to a) determine where changes in operation have occurred, as the current operation is accepted as the original design basis, and b) where changes have occurred (and these are known) it is difficult to sometimes understand the reason for the change and/or any original operating concerns. Asset management (particularly where ownership changes) should ensure that they maintain a history of changes in the basis of design, with details on the reason for changes and some linkage to show where these changes were reviewed.

Flare systems. Design, HP-LP interfaces and temperature concerns. Many issues have been identified with flare systems.

These have resulted from additional units being added to existing systems with failures to monitor HP/LP interfaces (introduction of isolation valves, etc), two phase flow issues and high liquid levels in KO drums, mixing of wet and dry flare systems with potential cold gas mixing and ice potential formation, high pressure let down with cold JT effects potentially below design conditions of the flare materials, and alternative discharge routes due to back pressures particularly on LP flare systems.

Level instrumentation and control. Level instrumentation on vessels (separators, KO vessels, suction scrubbers, etc) has

been found to be unreliable and subject to failures. These have included blockages of instrument bridles, interface monitoring difficulties, effects of foaming, effects of containments, reliance on single type of level detection and control means and unreliability due to process (material concentration/composition) changes. This has increased the potential for loss of level control on vessels.

Drainage systems and effluent systems. Increased loading on systems due to increased produced water. Additional drainage

points from additional equipment and failure to ensure that drainage routes do not introduce new HP/LP interface points or possible release points in the event of gas break through to the drains systems. Failures in the capacity and effectiveness of effluent disposal systems have also been found, with failures of caisson pump out systems and oil water separation systems.

Utility systems. Failure with Pneumatic air and power supplies have been found. Main failure is insufficient capacity and

unreliably of the systems. Additional equipment has been added to processes without an increase to the capacity of supporting utility systems. Stand-by compressors and generators are commonly now required for routine operations e.g. start-up. In addition the reliability of these systems has been decreasing. The effects of utility system failures although not resulting in significant life safety hazards has been identified as a significant business hazard.

Methanol systems. Additions of sub-sea tie backs and increased water content has increased hydrate potentials. This has

increased the extent and reliance on methanol systems. Hazards identified have been increased methanol inventories (not considered in safety cases), increased pressure ratings on existing systems and introduction of new HP/LP interface points

SPE SPE-146192 5

including pressurisation of process system from methanol systems, and unsafe disposal routes from methanol PSV discharges (open lines to hazardous drains).

Redundant equipment. With changes to operation a number of units are no longer operational, particularly where they are

associated with redundant production. This has resulted in a number of potential deadlegs which may be suffering increased / unmonitored corrosion and potential failures. Isolation of redundant equipment has also been identified as a concern, particularly where a temporary isolation of equipment then turns into long term isolation. The potential for the ‘redundant’ equipment to still contain a hazardous inventory and failure to maintain inspection and maintenance increases loss of containment risks on these items.

MOCs. Many MOCs have been found to have been incompletely closed out. Many failures to update Process Safety

Information (PSI), including up-dating of P&IDs have been found. In addition a number of MOCs, when fully reviewed, have been found to have introduced potentially new concerns up/down stream of the area of the MOC. This has been as a result of the reviews in MOCs focusing on the direct MOC area. The potential for knock on issues further afield is sometimes incompletely assessed. This is also true where there have been a number of minor MOCs and other small creeping changes, where the overall effect is greater than the sum of the parts.

Large reliance on procedures and operator competency. Failures to ensure that procedures are kept up to date / reflect

changes etc have been found. In addition increased reliance on operators has been found to cope with equipment failures ‘workarounds’ e.g. level control on vessels as detailed above, and additional workloads from changed production, e.g. changes from original basis of design. Some operating shift teams have made minor changes to operating procedures, keeping their own notes on some operations. These have not been reviewed or incorporated into up-dated procedures. In addition in some operations the operating HAZOP team members have reported on the need for increased vigilance to avoid potential issues. However, these operational ‘human factor’ concerns have not been picked up in management reviews. For example the question ‘which operations give you the greatest concern and required the greatest concentration and workload’ may not have been asked of the various shift teams. This should be part of the Human factors consideration when undertaking the revalidation HAZOPs.

Aging equipment and equipment failures. In additional to increased equipment failures resulting in increased numbers of

operator controlled workarounds (see reliance on operators above), the main concern identified with aging equipment has been operation of valves. In particular it has been the operation of isolation valves and the ability to ensure positive isolation. Performance standards on safety critical isolation valves (ESD and EBD valves) have been able to maintain the required level of integrity for these valves. However, poor isolation of maintenance valves has been found to result in requirements to isolate larger sections of plant in order to undertaken maintenance and testing, including that required to test safety critical isolation valves. Larger section isolation leads to greater business losses and increased human error in incorrect isolation, particularly where the isolation may be some distance from the item requiring isolation.

What next – should full HAZOP be repeated?

But why carry out full HAZOPs for revalidation? Is it needed in all cases of PHA revalidation? The need for full revalidation HAZOP should be based on some form of assessment of the nature of hazards and associated risks presented by an operation. Although a number of operators have adopted full HAZOPs as the main revalidation exercise, as the methodology providing the greatest structure and depth.

Full HAZOPs of a platform can take of the order of 100 to 120 meeting days and can generate 100s to 1000’s of

recommendations depending on the age of the asset, the nature of the Hazards and the complexity of the processes. This is both an expensive exercise, but more importantly takes a considerable amount of critical (operational) manpower commitment. As such full Retrospective HAZOPS cannot be run at high frequencies. Frequencies of the order of once every 5 to 10 years have been put forward. Another problem in repeating full revalidation HAZOPs at regular frequencies is where there are only minor changes between the revalidation exercises. When undertaking the repeat HAZOP a significant amount is unchanged from the previous review. As such the HAZOP team gets buried by the lack of any new issues that it can lose focus on any minor or creeping changes. If a full HAZOP is to be undertaken it should not be done by comparison to avoid getting caught in the ‘no significant change’ circle.

However, full revalidation HAZOPs should be undertaken on systems where there are a significant number of changes,

including where there have been MOCs. This should extend to systems slightly up and down stream of the location of the changes. This is to ensure that the effects of the changes, in total, have been considered. This can be a good verification of the MOC process, which could be the sole means for reviewing and assessing changes between the periodic PHA revalidations. The means to identify where full revalidation HAZOPs are required should be determined via a top level HAZID type exercise. Similar to the Risk matrix calibration, this review exercise breaks the asset into a number of operation units/systems. It then applies a set of guidewords to identify change issues and any other Hazard concerns. These guidewords can include

6 SPE SPE-146192

process condition changes (Temperature/Pressure/Flow), Human factors as well as asset integrity issues (long term weakening, fatigue failures, etc). Reference to the inputs to a validation HAZOP – see left hand side of Figure 1 and in the initial section, can also be undertaken. The conclusions from this HAZID review can then be used to determine the number and scale of the sections requiring full revalidation HAZOP.

This HAZID (operational / process hazard review) review, does not require a significant amount of time and manpower,

and can be undertaken for offshore assets in a period of a few weeks. As such this HAZID review can be undertaken on a higher frequency basis. A 5 year period between major PHA revalidations is in the life and rate of change to up-stream oil and gas assets a significant duration. Many changes and significant learning can, and have, occurred within a 5 year period. Undertaking a more regular (yearly or bi-annual) operational hazard review is a means for reviewing the changes and other potential risk acceptance factors on the process safety of an operating asset. Regular Hazard reviews should be considered by operating companies to ensure that any changes to operating hazards, not picked up by or outwith the MOC are suitably managed.

Reference List

1. Baker, et al, “The Report Of The BP U.S. Refineries Independent Safety Review Panel”, USA (January 2007). 2. CCPS, “Revalidating Process Hazard Analysis”, Centre for Chemical Process Safety, USA (2001). 3. BP p.l.c., John Mogford, “Fatal Accident Investigation Report, Isomerization Unit Explosion Final Report”, (December 2005), P

64.

SPE SPE-146192 7

Figures

Figure 1: Table 1: Revalidation HAZOP supporting documentation

Information Required Format

Process P&IDs, inc P&ID legend sheet (including instrumentation legend and SPE details) HARD COPY

Vendor P&IDs HARD COPY

Piping class specifications, and Materials of construction, inc vessel design details EITHER

PFDs - Heat and Material Balances, Inventory Safe upper and lower operating limits, operating envelopes

HARD COPY

Previous PHAs. HAZID, what if, HAZOP or LOPA reports E-COPY

Alarm and trip settings (including Interlock/trip activation and response descriptions), Plus ESD /EBD philosophy.

E-COPY

Control system philosophy and description HARD COPY

Shutdown matrices (cause and effect diagrams) HARD COPY

Pressure relief, flare, vent and depressurising information a) Relief valve data sheets b) Scenarios considered for sizing of devices c) Flare/disposal systems design and sizing information, including comprehensive list of common failure scenarios (i.e. power failure) and effects on flare loadings and flare system backpressure. Also valve capacities where gas breakthrough can occur.

EITHER

Changes to design since the last HAZOP or PHA E-COPY

Operating procedures (start-up, operating, shutdown, emergency) (required for a procedural HAZOP).

HARD COPY

Previous process safety accident/incident/near miss reports EITHER

Process description (BOD) and process chemistry EITHER

Facility plot plan/unit layout drawings. General arrangement and elevation drawings, including electrical area classification and drainage

HARD COPY

Pump and compressor operating curves and dead head pressures E-COPY

Fire protection design philosophy and basis E-COPY

Inspection and testing results, maintenance records, operational history and current condition of process equipment

E-COPY

MSDSs (material safety datasheets) HARD COPY

Design codes and standards employed E-COPY

Locked Valve Registers E-COPY

SRD Registers E-COPY

Deadleg Register E-COPY

HP/LP Interface E-COPY

Hose Register E-COPY

  Operational learning   

Incidents   

Process/ 

management Change 

Risk acceptance 

change   

New  knowledge   

Previous PHA/ 

MOC failure   

Regulatory 

change  

Re‐validation 

HAZOP 

Risk Matrix  

Team 

competency 

Data 

preparation

Team 

composition

MOC process   

SIS Assessment 

(LOPA/SIL)   

Safety Case 

revision    

Asset 

management   

Procedure 

review/ update   

KPIs – review / 

update/ new 

PSI  update

8 SPE SPE-146192

Table 2: ABB HAZOP recommendation classification

1. Information need (further information required to full assess) 2. Procedure review/update 3. Design/operation check 4. Hardware changes including instrumentation 5. SIS - IL determination 6. Maintenance procedures, inspection & testing 7. Risk assessment or specialist review 8. P&ID check/update 9. Training