Handbook of Reliability, Availability, Maintainability and Safety in Engineering Design - Part 60 pdf




574 5 Safety and Risk in Engineering Design

The cause-consequence diagram is reduced to a minimal form by, firstly, removing any redundant decision boxes and, secondly, manipulating any common failure events that exist on the same path. The common failure events can be extracted as common sub-modules or individual events. This process is equivalent to constructing the fault tree, converting it to a BDD, and identifying and extracting independent sub-modules. An algorithm has been developed that will produce the correct cause-consequence diagram and calculate the exact system failure probability for static systems with binary success or failure responses to the trigger event. This is achieved without having to construct the fault tree of the system, and retains the documented failure logic of the system (Ridley et al. 1996). The minimised cause-consequence diagram is then analysed using a BDD analysis procedure. Thus, exact, rather than approximate, calculations are performed. The advantages of the cause-consequence diagram are:

• The diagram can be constructed directly from the system description.
• Dependencies in the system can be incorporated in the analysis.
• The system is modularised to increase efficiency.
• Exact calculation procedures are adopted.

Repeated events

The four-stage procedure developed to construct and analyse a cause-consequence diagram is capable of dealing with events that occur in more than one fault-tree structure attached to the decision boxes in any sequence path. The CCD method can deal with repeated events in a more efficient way than that used for FTA (Ridley et al. 1996). Using the CCD method, there is no need to obtain the Boolean expression of the top event and then manipulate it to produce a minimal form prior to analysis. The converse approach of the cause-consequence method deals with sequences of events that either occur (fail) or do not occur (work). The probability of a particular outcome is obtained by summation of the probabilities of all paths that lead to the outcome. Summation of the probabilities of the mutually exclusive paths in the reduced diagram yields a result similar to that obtained from the fault tree following Boolean reduction. An algorithm has been developed that can trace through a cause-consequence diagram, and identify and extract any repeated basic events in more than one fault-tree structure on the same sequence path (Bryant 1986; Ridley et al. 1996). The procedural steps used in the extraction algorithm are the following:

1. Identify the fault-tree structures in the path under inspection.
2. Each fault tree in a path undergoes a modularisation process to identify independence. The identified independent sub-trees are then individually considered for further analysis.
3. The independent sub-trees for each fault-tree diagram are compared with one another and, following the identification of any common sub-trees or individual basic events, the cause-consequence diagram is modified.
4. The cause-consequence diagram is modified by applying the following rules:
   a. Following the identification of a common sub-tree or basic event, the common element is extracted and set as a new decision box at the highest point in the cause-consequence diagram, with all dependencies below it.
   b. The cause-consequence diagram is then duplicated on each branch starting from the new decision box.
   c. Having developed a single decision box for the common sub-tree or basic event, the decision boxes that contained the common event prior to extraction require modification. The common event(s) are set to 1 (TRUE) in the fault trees following the NO outlet branch from the new decision box, as this indicates failure, and to 0 (FALSE) in the fault trees following the YES outlet branch, to signify that the common event(s) are valid.
   d. After extraction of the common sub-tree or basic event, each fault tree that has been modified requires reorganisation. Each fault tree containing the extracted Boolean variable is inspected, and the fault trees are modified by setting the Boolean variable to represent the path taken in the cause-consequence diagram.
   e. The cause-consequence diagram is then reduced to a minimal form by removing any redundant decision boxes identified.

This procedure is repeated until all sequence paths have been inspected and no repeated sub-trees or basic events are discovered. For better clarity on the application of the procedural steps used in this extraction algorithm, an example of the technique is given in Sect. 5.2.4, dealing with safety and risk evaluation. The technique has been applied to a simple high-pressure protection system. The basic functions of the system are to prevent the passage of a high-pressure surge originating from upstream pumping of process material, in order to protect process vessels located downstream of the surge.

5.2.1.5 Hazardous Operability Studies in Engineering Design

Hazardous operability (HAZOP) studies are based on the principle that a team approach to hazards analysis will identify more potential problems in process designs than would the combined results of individual designers of various disciplines and expertise working separately. The expertise is brought together during HAZOP sessions and, through a collaborative brainstorming effort, a thorough review is made of the process design under consideration. The HAZOP study focuses on specific portions of the process called ‘nodes’. Generally, these are identified from the piping and instrumentation diagram (P&ID) of the process before the study begins. A process parameter is identified (for example, flow), and an intention is created for the node under consideration.
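As an added illustration (not from the handbook) of the repeated-event extraction listed in steps 1 to 4 above, the following Python script computes the probability of one cause-consequence path for a constructed two-layer high-pressure protection system in three ways: by full truth-table enumeration (the exact reference), by treating the decision boxes as independent (wrong when a basic event is repeated), and by extracting the repeated event as a new top-level decision box and fixing it to TRUE or FALSE in the fault trees below, as in steps 4a to 4d. The protection layers, basic events and failure probabilities are all assumptions made up for the example.

```python
from collections import Counter
from itertools import product

# Constructed illustration (not from the handbook): a high-pressure surge is the
# trigger event, followed by two protection layers. Each decision box asks whether
# a layer FAILS; the failure is described by a small fault tree over basic events.
# The basic event "psu" (a shared power supply) is read by both fault trees, so it
# is a repeated event on the sequence path. All probabilities are made up.
BASIC_EVENTS = {"psu": 0.05, "valve": 0.10, "sensor": 0.20, "relief": 0.15}

def layer1_fails(s):
    """Layer 1 fails if the shared PSU fails OR its isolation valve fails."""
    return s["psu"] or s["valve"]

def layer2_fails(s):
    """Layer 2 fails if (PSU fails OR sensor fails) AND the relief valve fails."""
    return (s["psu"] or s["sensor"]) and s["relief"]

# A fault tree is (set of basic events it reads, boolean function of a state dict).
PATH = [({"psu", "valve"}, layer1_fails), ({"psu", "sensor", "relief"}, layer2_fails)]

def assignment_probability(events, state):
    """Probability of one joint assignment; basic events are independent."""
    prob = 1.0
    for name, failed in state.items():
        prob *= events[name] if failed else 1.0 - events[name]
    return prob

def marginal(events, tree):
    """P(fault tree TRUE), enumerating only the basic events that tree reads."""
    names, fn = sorted(tree[0]), tree[1]
    return sum(assignment_probability(events, dict(zip(names, bits)))
               for bits in product([False, True], repeat=len(names))
               if fn(dict(zip(names, bits))))

def truth_table_probability(events, path, outcomes):
    """Exact reference: enumerate every joint assignment of all basic events on
    the path and sum those where each decision box takes the wanted branch
    (True = the layer fails, i.e. the NO branch; False = it works)."""
    names = sorted(set().union(*(vars_ for vars_, _ in path)))
    total = 0.0
    for bits in product([False, True], repeat=len(names)):
        state = dict(zip(names, bits))
        if all(fn(state) == want for (_, fn), want in zip(path, outcomes)):
            total += assignment_probability(events, state)
    return total

def naive_product_probability(events, path, outcomes):
    """Treat decision boxes as independent and multiply branch probabilities.
    Wrong whenever a basic event is repeated across fault trees on the path."""
    prob = 1.0
    for tree, want in zip(path, outcomes):
        m = marginal(events, tree)
        prob *= m if want else 1.0 - m
    return prob

def fix_event(path, name, value):
    """Steps 4b-4d: duplicate the path below a new decision box for `name`,
    binding that basic event to True (it occurs) or False (it does not)."""
    return [(vars_ - {name}, lambda s, fn=fn: fn({**s, name: value}))
            for vars_, fn in path]

def extraction_probability(events, path, outcomes):
    """Repeated-event extraction: while some basic event appears in more than one
    fault tree on the path, pull it out as a top-level decision box (step 4a) and
    condition the trees below on it; once no event is shared, the decision boxes
    are independent and the branch probabilities may simply be multiplied."""
    counts = Counter(e for vars_, _ in path for e in vars_)
    shared = sorted(e for e, n in counts.items() if n > 1)
    if not shared:
        return naive_product_probability(events, path, outcomes)
    e, p = shared[0], events[shared[0]]
    return (p * extraction_probability(events, fix_event(path, e, True), outcomes)
            + (1.0 - p) * extraction_probability(events, fix_event(path, e, False), outcomes))

if __name__ == "__main__":
    both_fail = [True, True]  # the NO/NO path: the surge passes both layers
    print("truth table  :", truth_table_probability(BASIC_EVENTS, PATH, both_fail))
    print("extraction   :", extraction_probability(BASIC_EVENTS, PATH, both_fail))
    print("naive product:", naive_product_probability(BASIC_EVENTS, PATH, both_fail))
```

For the NO/NO path the truth table and the extraction both give 0.01035, while the independent-box product gives 0.00522, understating the hazard because the shared PSU is counted twice as if it were two separate events.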
Then, a series of guidewords is combined with the parameter ‘flow’ to create deviations. For example, the guideword ‘no’ is combined with the parameter flow to give the deviation ‘no flow’. The team then focuses on listing all the credible causes of a ‘no flow’ deviation, beginning with the cause that can result in the worst possible consequence the team can think of at the time. Once the causes are recorded, the team lists the consequences, safeguards and any recommendations deemed appropriate. The process is repeated for the next deviation, and so on until completion of the node. The study then focuses on the next node and the process is repeated.

HAZOP studies concentrate on identifying both hazards and operability problems. While the HAZOP study is designed to identify hazards through a systematic approach, more than 80% of the study’s recommendations are operability problems and, per se, not hazards. Although hazard identification is the main focus, operability problems are identified for their potential to lead to process hazards, or for their negative impact on the environment or on the profitability of the engineered installation. The definition of hazard is given as “any operation that could possibly cause a catastrophic release of toxic, flammable or explosive chemicals, or any action that could result in injury to personnel”, whereas the definition of operability is given as “any operation inside the specific design under consideration that would cause a shutdown that could possibly lead to a violation of safety and health or environmental regulations, or negatively impact the profitability of the engineered installation”.

a) Design Representations

A fairly wide range of design representations are in use in process engineering design, and any of these can be the basis of a HAZOP study. The use of mathematically formed representations for safety-related software systems is increasing, and these too can be used for a HAZOP study. Examples of design representations include:

• block diagrams
• flow charts
• data flow diagrams
• object oriented design diagrams
• state transition diagrams
• timing diagrams
• logic diagrams
• electrical circuit diagrams.

The design representations used should cover all aspects of the system that could relate to hazards. If a single design representation does not, or cannot, cover all the relevant attributes or credible failures, then one or more other forms of representation should be used. The following issues are relevant in deciding whether or not a further design representation is necessary (DEF STAN 00-58 2000):

• If dynamic behaviour is critical, such that hazards may result from incorrect sequencing, a representation such as a state transition diagram may be necessary.
• If the system has multiple states (such as start-up, normal operation and shutdown), then representations of all of these should be available. Operating instructions or procedures should be included in the representation to be studied.
• If the timing of events is crucial, such that hazards could arise from timing deviations, a timing diagram is necessary.
• If, during a study, a question arises regarding the possibility of a hazard, and this cannot be answered by considering the attributes available on the design representation being studied, it is likely that a further representation is necessary.

b) Entities and Their Attributes

It is the responsibility of someone familiar with the design, at the planning stage of a HAZOP study, to identify and document, for each component and interconnection on each design representation, the entities and their attributes, and also the attributes of any components to be studied. When the interconnection between two points is being studied, each type of flow should be identified as an entity in its own right, and every attribute relevant to each entity should be listed and studied, as it is common for there to be several types of data flow between two points. For example, there may be both information and control data.

c) Deviations from Design Intent

A HAZOP study may often concentrate on the interactions, and address components in detail only if an understanding of their failure modes is essential to the assessment of deviations from design intent on interconnections. If components are to be studied, then their associated attributes need to be identified. It should be noted that the term ‘components’ is used in the broadest sense and includes hardware, software, mechanical, electrical and electronic elements. The examination of components is not unique to HAZOP studies, but this technique provides a systematic means of reviewing their possible failure causes and consequences. The deviations from design intent on the interactions are, however, the novel feature of HAZOP studies. Considering the interactions between components is useful as a preliminary technique if the failure modes of the components are not known at the early phases of the engineering design process, or if the failure modes are found to be very complex at the later detail design phase.

d) Guidewords and Interpretations

The principle of the use of guidewords is that, once a component or interconnection on the design representation has been selected for study, an entity on it (there may be one or more) and an attribute of the entity are chosen. A guideword is then applied to the attribute. For example, if the guideword ‘more’ is applied to the attribute ‘value’, it may generate the questions ‘what are the possible causes of the value of this entity being greater than the design intent?’ or ‘what are the consequences?’. Inquiries are made into these questions and the results recorded. This process is repeated for each guideword in turn, and the whole process is then carried out for each other attribute of the entity being studied. Typical guidewords used in HAZOP studies are: no, more, less, as well as, reverse, other than. The choice of guidewords should be considered carefully, as a guideword that is too specific may limit ideas and discussion, and one that is too general may not focus the HAZOP study efficiently. Guidewords may be interpreted differently when applied to different design representations for different types of processes, as well as at different stages of a system’s life cycle. When guidewords are chosen for a HAZOP study, their interpretations should be defined, as each guideword may have more than one interpretation in the context of its application to the design representation. The guideword interpretations in Table 5.5 are normally adequate for the process engineering industry (DEF STAN 00-58 2000).

Table 5.5 Standard interpretations for process/chemical industry guidewords

Guideword     Standard interpretation in process/chemical industry
No            No part of the design intention is achieved
More          A quantitative increase
Less          A quantitative decrease
As well as    All design intent achieved but with additional results
Part of       Only some of the intention is achieved
Reverse       Reverse flow in pipes and reverse chemical reactions
Other than    A result other than the original intention is achieved
Interpretations of attribute-guideword combinations

Combinations of specific guidewords and attributes, in the context of the particular design representation, need interpretation according to standard guidelines, as given in Table 5.5. A matrix may be a convenient way of expressing attribute-guideword combinations. The examples in Table 5.6 provide a matrix of interpretations of the guidewords in the context of design representations and attributes appropriate to those representations.

Table 5.6 Matrix of attributes and guideword interpretations for mechanical systems

Attribute        | No                                   | More                  | Less                  | As well as                                | Part of                             | Reverse                               | Other than
Generic meanings | No part of the intention is achieved | Quantitative increase | Quantitative decrease | All design intent with additional results | Only some of the intent is achieved | The logical opposite of the intention | Result other than original intention
Torque           | No torque appears                    | Higher than expected  | Lower than expected   | N/A                                       | N/A                                 | Torque is reversed                    | Torque is cyclic
Load             | No load                              | Higher than expected  | Lower than expected   | N/A                                       | N/A                                 | N/A                                   | Load is in unexpected direction
Speed            | No speed                             | Overspeed             | Underspeed            | N/A                                       | N/A                                 | N/A                                   | Fluctuating
Force            | No force                             | More than expected    | Less than expected    | N/A                                       | N/A                                 | N/A                                   | In wrong direction
Temperature      | No temp.                             | Higher than           | Lower than            | N/A                                       | N/A                                 | N/A                                   | N/A
Containment      | Complete failure of containment      | N/A                   | N/A                   | N/A                                       | Partial loss of containment         | N/A                                   | N/A
Material         | Complete failure                     | N/A                   | Less of material      | Corrosion is persistent                   | Fatigue, failure                    | N/A                                   | Creep

e) Selection of Process Parameters

The selection and application of process parameters in HAZOP studies of process engineering designs will depend on the type of process being considered, the equipment in the process, and the process intent. The most common specific process parameters that should be considered are flow, temperature, pressure and, where appropriate, level. In almost all instances, these parameters should be evaluated for every node. The team’s comments concerning these parameters must be documented without exception. Additionally, the node should be screened for application of the remaining specific parameters, such as those given in the list below. These should be recorded only if there is a hazard or operability problem associated with the parameter. A sample set of specific process parameters includes the following: flow, temperature, pressure, composition, phase, level, relief, instrumentation, sampling, corrosion, erosion, services, utilities, maintenance, addition, safety, reaction, inserting, purging, contamination. Specific process parameters should be considered when evaluating each node. If a particular parameter does not change from one node to the next, then it is not necessary to repeat all of the deviations that were considered in the previous node.

Guideword-parameter combinations—exploring deviations from design intent

The HAZOP study creates deviations from the engineering design intent by combining guidewords (no, more, less, etc.) with process parameters, resulting in a possible deviation from the design intent. For example, when the guideword ‘no’ is combined with the parameter ‘flow’, the deviation ‘no flow’ results. The design team would then list all credible causes that will result in a ‘no flow’ condition for the specific node. Not all guideword-parameter combinations are meaningful, as the following examples indicate:

no flow         no temperature       no pressure       no reaction
more flow       more temperature     more pressure     as well as reaction
less flow       less temperature     less pressure     part of reaction
reverse flow    –                    –                 other than reaction

f) The Concept of Point of Reference

When defining nodes and performing a HAZOP study on a particular node, it is useful to use the concept of point of reference (POR) in the evaluation of deviations. For example, in considering a node consisting of acidified gas piping up to the inlet tank of a reverse jet scrubber vessel, if the deviation ‘no flow’ is applied, then a dilemma results when considering the causes of ‘no flow’ due to pipe rupture of the acid inlet line (with safety and environmental consequences). The term ‘no flow’ is ambiguous, since there is still a flow of gas to the inlet tank but no flow through the acid piping to the inlet tank of the scrubber vessel. A POR should, therefore, be clearly established at the time the node is defined, at the downstream terminus of the node.

g) Screening for Causes of Deviations

It is necessary to be thorough in listing causes of deviations. A deviation is considered realistic if there are sufficient causes to consider that the deviation can occur. However, only credible causes should be listed. Team judgment is used to decide whether to include events with a very low probability of occurrence. Expert judgment is required in determining what events have a low probability of occurring, so that credible causes are not overlooked. There are three basic types of causes:

• Human error, in the form of acts of omission or commission by an operator, designer or constructor, creating a hazard that could possibly result in a release of hazardous or flammable material.
• Equipment failure, in which a mechanical, structural or operating failure results in the release of hazardous or flammable material.
• External events, in which items outside the unit being reviewed affect the operation of the unit to the extent that the release of hazardous or flammable material is possible. External events include upsets on adjacent units affecting the safe operation of the unit (or node) being studied, loss of utilities, and exposure to weather and seismic activity.

The level of detail required in describing causes of a deviation depends on whether the cause occurs inside or outside the node. For example, suppose that the inlet tank of the reverse jet scrubber includes a level controller as part of the node, where the level control valve results in a high-level condition in the closed mode. Since the valve and controller are part of the node, the causes should be stated in more detail, because the valve may fail closed due to mechanical failure of the valve (internal event), or the valve may close due to loss of instrument air to the unit (external event). If the level controller were outside the node being studied, it would be sufficient to merely state ‘level control valve LV-XXXX closes’. When the analysis considers the node in which the level controller is located, then more detail can be listed for the various causes.

h) Consequences and Safeguards

The primary purpose of a HAZOP study is the identification of scenarios that would lead to the release of hazardous or flammable material into the atmosphere, thereby exposing workers to injury. It is thus always necessary to determine, as exactly as possible, all consequences of any credible causes of a hazardous release of toxic material. This serves a twofold purpose, in that it aids in determining a risk ranking of multiple hazards, so that priority can be established in addressing the most severe hazards first; furthermore, it aids in determining whether a particular deviation results in an operability problem or a hazard. If the HAZOP study team concludes from the consequences that a particular cause of a deviation results in an operability problem only, then further investigation should end in this case, and the team should consider the next cause, deviation or node. If the HAZOP study team determines that the cause will result in the release of hazardous or flammable material, then safeguards should be identified. Safeguards should be included whenever a combination of cause and consequence presents a credible process hazard. The basis of what constitutes a safeguard can be summarised in the following criteria:

• Those systems and/or written procedures that are designed to prevent a catastrophic release of hazardous or flammable material.
• Those systems that are designed to detect and give early warning following the initiating cause of a release of hazardous or flammable material.
• Those systems and/or written procedures that mitigate the consequences of a release of hazardous or flammable material.

The HAZOP study team should use care when listing safeguards. Hazards analysis requires an evaluation of the consequences of failure of engineering and administrative controls, so a careful determination must be made of whether or not these items can actually be considered safeguards. In addition, the team should consider realistic multiple failures and simultaneous events when evaluating whether or not any of the above safeguards will actually function as such in the event of an occurrence.
i) Deriving Recommendations

Recommendations are made when the safeguards for a given hazard scenario, as judged by an assessment of the risk of the scenario, are inadequate to protect against the hazard. ‘Action items’ and ‘information needs’ are those recommendations that have been assigned for follow-up by one of the team members. Implementation of hazard analysis recommendations may follow these guidelines:

• High-priority action items should be resolved within 4 months.
• Medium-priority action items should be resolved within 4–6 months.
• Lower-priority action items should be resolved following medium-priority items.

A review of all recommendations made in HAZOP studies must be carried out to determine relative priorities and a schedule of implementation. After each recommendation has been reviewed, all resolutions should be recorded in a tracking document and kept on file. Recommendations include design, operating or maintenance changes that reduce or eliminate deviations, causes and/or consequences. Recommendations identified in a hazard analysis are considered to be preliminary in nature.

5.2.1.6 Risk Analysis in Engineering Design

Risk analysis methodologies used for determining the integrity of engineering design are grouped into two categories: hazards identification and risk estimation. This level of risk analysis is usually for making an assessment of equipment criticality during preliminary design through the use of a risk priority number (RPN) technique (Bowles et al. 1994). Although the technique has been described in Sect. 3.2.2.5, some of the basic features are repeated here in summary. This method prioritises risk by calculating a risk priority number for a component failure mode using three factors:

• Failure mode occurrence probability.
• Failure effect severity.
• Failure detection probability.

The risk priority number is computed by multiplying the rankings, on a scale from 1 to 10, assigned to each of these three factors, and is expressed by the relationship:

RPN = (OR)(SR)(DR)   (5.5)

where:
RPN = the risk priority number
OR = the occurrence ranking
SR = the severity ranking
DR = the detection ranking.

Risk estimation, as adopted by the European Community (EC 1996) for use in risk assessment, is defined in the following format: risk, related to an identified hazard, is a function of the probability of its occurrence with respect to the frequency and duration of exposure to the hazard, and the means of avoiding it, and the severity of the accident or incident that can result from the hazard. Thus, risk can be quantified as the product of the level of severity of the risk (i.e. disaster or loss) with its probability of occurrence (i.e. chance). This can be formulated as the following:

Risk = Severity × Probability   (5.6)

From the definition, severity is the disaster or loss incurred. The measure of severity can be quantified in two events: accidents and incidents. The measure of probability can be quantified in the form of appropriate statistical probability distributions or measures of statistical likelihood. In this regard, an accident is an undesired event that results in disastrous physical harm to a person. An incident is an undesired event that could result in a loss. In the context of safety, this loss is in the form of an asset loss, which implies damage to equipment or property. Risk is thus an indication of the degree of safety, determined on the basis of two considerations, the first according to design criteria, and the second according to operational performance:

• The estimated degree of safety. This is assessed according to the contribution of:
  – the ‘estimated disabling injury frequency’ arising from functional failure of the item,

Posted: 02/07/2014, 10:20
