Hazard Evaluation Procedures


15 Detailed Engineering Phase

An Illustration of the Fault Tree and Event Tree Analysis Methods

15.1 Problem Definition

Background

The pilot plant test runs have been completed, and ABC is now ready to build their first world-scale VCM plant. ABC's design engineering company has completed the first drawings (Revision 0) of the plant. Before making further drawing changes, ABC performed a HAZOP Analysis on the plant design to help identify safety and operability concerns that could be remedied during this phase of the project.

One concern that repeatedly arose in the HAZOP Analysis was the potential for incinerator explosions; several parts of the plant were targeted as having the potential for creating upsets that could lead to an incinerator explosion. While the HAZOP team noted that the incinerator had several hardwired interlocks to safeguard against such an event, they were not sure that the interlocks would provide an adequate level of protection. Therefore, they recommended that Fault Tree and Event Tree Analyses be performed to investigate potential incinerator accidents.

The business team accepted the HAZOP team's recommendation. But the business team worried about making changes so late in the design process; the incinerator is a packaged system, and ABC must place their order for such a system about two years before they need it. The business team asked that ABC's process hazards analysis group complete the analysis quickly in order to avoid project delays, but (1) the process hazards analysis group does not have personnel available to perform this "rush" job and (2) their analysts have limited experience in performing Fault Tree and Event Tree Analyses. The group recommended hiring a contractor that has hazard evaluation and incinerator experience to perform the analysis.

Available Resources

The volume of information on the VCM plant is now quite extensive. However, the consultant has indicated that only certain information will be needed for the analysis. In particular, the following available information will be used:

Piping and instrumentation diagram of the incinerator (Figure 15.1)

[Figure 15.1 residue: P&ID showing incinerator F-1 (design 300 x 10^6 BTU/hr; acid service refractory/carbon steel), quench tank T-1, scrubber C-1 (packed column, glass-lined carbon steel), pump J-1, air fan with mechanical stop for minimum flow, fuel gas and vent gas lines with ratio controller, pilot, caustic supply and plant water; incinerator/scrubber drawing no. G-157, scale: none; see appendix for definitions of symbols and nomenclature.]

Figure 15.1 VCM plant incinerator P&ID.

Documentation from previous HE studies (including the most recent HAZOP Analysis)

A description of the incinerator and its operating procedures (provided by the vendor)

A description of the incinerator interlocks (provided by the vendor, Table 15.1)

Design specifications of the incinerator, quench tank, and scrubber

Selection of Hazard Evaluation Technique

For this particular phase of the VCM project, two HE studies were to be performed: one on the Revision 0 plant design and another on the potential incinerator explosions. The HAZOP Analysis technique was selected for the first study because a HAZOP Analysis can accurately identify potentially significant safety and operability issues. The technique is also broad in scope and is applicable to a large number of processes. ABC personnel performed the HAZOP Analysis on the Revision 0 design of the plant; an engineer from the design engineering firm participated in this review.

The HAZOP team suggested that the Fault Tree Analysis technique be used for evaluating potential incinerator explosions. While ABC's process hazards analysis group thought that other HE methods might be just as effective, they concurred that a Fault Tree Analysis would best suit their needs. Specifically, the hazards analysis group stated that they would consider only HE methods designed to analyze a particular problem in a highly complex and redundant system (the Fault Tree Analysis approach is the most commonly selected method in this case). However, the process hazards analysis group also noted that they had not performed many Fault Tree Analyses and suggested a consultant be used for this particular effort. ABC hired Mr. Joe Consultant of Fault Tree, Inc. to perform a Fault Tree Analysis of potential incinerator explosions.

Table 15.1 VCM Plant Incinerator Shutdown Interlocks

Interlock                                                  Number
Low-Low Air Fan Discharge Pressure                         PSLL-1
No Flame Detected                                          UVL-1
Low-Low Fuel Gas Pressure                                  PSLL-2
High Incinerator Temperature (3-out-of-4 sensors high)     TAH-2A/B/C/D
Low Incinerator Temperature (3-out-of-4 sensors low)       TAL-2A/B/C/D
Low Quench Tank Level                                      LAL-3
Low Scrubber pH                                            XA-2
High Scrubber Stack Temperature                            TAH-3

Study Preparation

Mr. Consultant has performed numerous Fault Tree Analyses. Preparation for each analysis involves the following steps: (1) understanding the system design and operation, (2) defining the problem to be analyzed, and (3) defining the scope of the analysis. To prepare for the analysis, Mr. Consultant reviews both the available documentation on the incinerator system (P&IDs, system description, shutdown interlock list, vendor-supplied operating manual, etc.) and the previous HE studies completed on the VCM plant. Since the plant is still being designed, Mr. Consultant reviews only the design model and drawings to understand the VCM unit layout. He also visits the plant site for a day to review the plant layout and to discuss with operators how they would operate the incinerator under both normal and emergency conditions. The information gathered during this visit helps Mr. Consultant understand how operating actions (or lack thereof) may prevent or contribute to potential incinerator accidents. Mr. Consultant also interviews some ABC operators who are likely to transfer to the new plant. Finally, he contacts the design engineering firm to discuss the design bases for the incinerator package.

At the end of the site visit Mr. Consultant meets with ABC's process hazard analyst, who is serving as ABC's main technical contact, to further define the problem and its scope. Initially, ABC requested that the team model only incinerator explosions caused by plant upsets. However, Mr. Consultant points out that incinerator fires, toxic releases, and inadvertent shutdowns may also be of concern. He also notes that the actions taken by protective interlocks that help prevent an explosion (or other incident) depend on the cause of the incinerator upset. In similar studies, Mr. Consultant found the Event Tree Analysis method to be an efficient way to identify the combination of protection system failures that can lead to adverse consequences.

After further discussion, Mr. Consultant and the process hazards analysis group agree that fault tree and event tree models should be developed for all major safety incidents involving the incinerator system. However, operational problems (e.g., an inadvertent shutdown) and external events (e.g., floods, aircraft crashes, earthquakes) will not be considered, and utility system failures will not be modeled in detail. Also, the analysis will assume the plant and incinerator are initially operating normally. Mr. Consultant and ABC's process hazard analyst agree that start-up and shutdown operations are also very important; however, too little information exists to analyze these operations at this time.

15.2 Analysis Description

The analysis procedure Mr. Consultant uses for this study involves the steps listed in Table 15.2. The first step, defining the problem, is completed during the preparation phase. But before Mr. Consultant develops the preliminary event trees (step two), he reviews the design and operation of the incinerator system. He finds that the incinerator consists of three distinct components: the incinerator firebox, the quench tank, and the scrubber. The firebox is designed to burn all the flammable materials released into the vent header from the VCM plant. After combustion, the hot gases are cooled by a water spray in the quench tank and then scrubbed to remove toxic materials.

Table 15.2 Steps in a Combined Fault Tree and Event Tree Analysis

1. Define the problem(s) of concern
2. Develop event tree model(s)
3. Review and revise event tree model(s)
4. Develop fault tree model(s)
5. Review and revise fault tree model(s)
6. Identify accident scenarios leading to consequences of concern
7. Determine minimal cut sets for accident sequences
8. Evaluate results and make recommendations

The HAZOP Analysis of the VCM plant design identified some VCM unit process upsets that would lead to large material releases to the incinerator. The team hypothesized that some of these releases might overwhelm the incinerator, extinguishing the flame and possibly causing an explosion. This factor must also be incorporated into the event trees.

To develop the event trees, Mr. Consultant first composes a list of initiating events that would challenge the incinerator safety system; he composes this list by reviewing the HAZOP Analysis results and by using his own experience. For each of these initiating events, he then identifies the incinerator system functions that would safely mitigate the upset. With this information, he draws event trees that portray the conditions, system successes, and system failures that lead to significant safety consequences. Note that if only one consequence is of concern, and all accident initiating events challenge the same safeguards, then Fault Tree Analysis alone may be sufficient to model the incinerator's risk.

Figure 15.2 is one of the event trees Mr. Consultant developed. This event tree for an undefined process upset initiating event includes the following safety system functions and process circumstances:

1. A significant unit upset occurs.

2. The upset does (or does not) extinguish the firebox flame.

3. The incinerator shutdown interlocks trip and shut down the incinerator. (Note: The HAZOP team did not identify any process upsets that would overheat the incinerator.)

4. The quench system cools the hot gases from the incinerator.

5. The scrubber effectively removes the toxic materials from the waste gas.

[Figure 15.2 residue: event tree headings are Significant Unit Upset; Firebox Flame Not Extinguished (F); Incinerator Shutdown (I); Quench System Works (Q); Scrubber Works (S); Sequence Identifier; Consequence. Consequences listed: safe release; moderate toxic release; large toxic release, scrubber damage; moderate flammable release; moderate flammable and toxic release; moderate flammable and large toxic release, minor scrubber damage; explosion, toxic release. Legend: F = failure of event F; F-bar = success of event F.]

Figure 15.2 Example event tree for the VCM plant, generic process upset initiating event.

Not all of these actions/conditions apply to every accident scenario. For example, accident scenario 1-3 (i.e., an upset occurs that does not extinguish the firebox flame) shows that if the quench system fails, then the scrubber cannot effectively remove toxic materials from the waste gas. This same scenario shows that if the firebox flame is not extinguished, then the incinerator shutdown system is not challenged (but the quench system is).

Figure 15.3 shows another event tree for the system; this time, the initiating event is low fuel gas pressure. Initially, Mr. Consultant thought this event tree would be identical to Figure 15.2, with the exception of the initiating event. However, during consultation with ABC design engineers and the incinerator vendor, he learned that low fuel gas pressure would probably force the flame in the firebox to go out. Thus, he deletes the "flame not extinguished" branch from event trees for all initiating events that challenge the incinerator safety system.

After developing event trees, Mr. Consultant reviews and revises these event trees with the ABC process hazard analyst and process design team before developing the fault trees. During this review Mr. Consultant and ABC's engineers discuss the basis for the event tree logic. In particular, he traces through each accident sequence depicted on each event tree, defining which upset initiated the problem, which safety functions are working or have failed, and which incinerator flame conditions exist. With this information, the review team determines a qualitative description of the consequences of each accident scenario depicted in the event trees.

Next, Mr. Consultant develops fault trees for each of the system failures represented by branch points in the event trees. The initiating events and their causes are well understood; thus, fault tree models are not developed for these events. However, the following system failures are modeled:

The incinerator shutdown system fails to trip the incinerator (given a flameout condition exists).

The quench system fails to adequately cool the waste gas.

The scrubber system fails to adequately remove toxic materials from the waste gas.

In developing the fault trees, Mr. Consultant assumes each system is capable of performing its design intention if it operates reliably. Thus, the fault trees graphically illustrate combinations of equipment failures and human errors that incapacitate the systems. Figure 15.4 is the preliminary fault tree Mr. Consultant developed for the incinerator shutdown system. The fault tree logic proceeds from the top down, expanding fault events into the logical combinations of component failures, human errors, and subsystem failures that will not be developed further because they contain adequate detail for identifying system weaknesses or because they are outside the boundary conditions of the study. Table 15.3 lists the procedure he followed in developing this fault tree.

Mr. Consultant has already defined the top events based on his Event Tree Analysis. To develop the tree top structure for the incinerator shutdown system, he first follows the flow of shutdown signals through this system. For the shutdown system to work, it must (1) sense the upset condition, (2) process the trip signal(s) properly, and (3) close the fuel gas and vent gas shutoff valves. Failure to perform

[Figure 15.3 residue: event tree headings are Low Fuel Gas Pressure; Incinerator Shutdown (I); Quench System Works (Q); Scrubber Works (S); Sequence Identifier; Consequence. Consequences listed: moderate flammable release; moderate flammable and toxic release; moderate flammable and large toxic release, minor scrubber damage; explosion, toxic release. Legend: I = failure of event I; I-bar = success of event I.]

Figure 15.3 Example event tree for the VCM plant, low fuel gas pressure initiating event.

Figure 15.4 Preliminary fault tree developed for the incinerator shutdown system.

[Figures 15.4 and 15.6 residue: top event "Incinerator shutdown system fails to trip incinerator, given a flameout condition exists" (event I in Figure 15.2), developed through "Fuel shutoff valves fail to close on command" (RCV-2A and RCV-2C stick open; RCV-3A and RCV-3C stick open), "No shutdown signal to incinerator S/D controller" (no shutdown signal from incinerator UVL-1, false flame sensed; no shutdown signal from incinerator TAL-2A/D, 2-out-of-4 failures needed, TAL-2A, TAL-2B, TAL-2C, TAL-2D fail false high; signals from fuel gas PSLL-2, quench tank LAL-3, scrubber XAL-2 and TAH-2A/D marked not applicable), RCV-4 sticks open, and the PLC. Figure 15.6 places this tree under the top event "Explosion (scenario 1-7 in Figure 15.2)" together with "Significant unit upset" (see HAZOP for causes) and "Firebox flame extinguished" (FFE).]

Figure 15.6 Fault tree for accident scenario 1-7explosion.


While not shown here, Mr. Consultant also used the event trees and fault trees to find accident sequence cut sets that lead to other significant safety impacts (e.g., flammable releases, toxic releases). Again, this information provides insight into system weaknesses and places where improvements might be most effective.

15.3 Results

The Fault Tree and Event Tree Analyses resulted in a set of failure logic models, lists of accident sequence cut sets for each significant safety impact of concern, and recommendations for improving the system. Example fault tree and event tree models are shown in the previous section. Table 15.4 lists some of the accident sequence cut sets (using the basic event names listed on the fault trees) identified for explosions. This list shows that three or more failures are needed to create an incinerator explosion. However, closer examination of this list reveals two things: (1) if the PLC or vent isolation valve (RCV-4) alone is faulty, and a unit upset (IE-1) is severe enough to extinguish the flame (FFE), this may lead to an explosion, and (2) if the thermocouples (TAH/L-2A/B/C/D) cannot quickly detect a flameout (via low temperature), then the flame scanner (UVL-1) is the only effective sensor for protecting the incinerator.

Table 15.4 Sample Accident Sequence Minimal Cut Sets, Incinerator Explosion

Minimal Cut Set No. 1: Significant unit upset; Firebox flame extinguished; Incinerator shutdown controller fails - no trip output

Minimal Cut Set No. 2: Significant unit upset; Firebox flame extinguished; RCV-2A sticks open; RCV-2C sticks open

Minimal Cut Set No. 3: Significant unit upset; Firebox flame extinguished; RCV-3A sticks open; RCV-3C sticks open

Minimal Cut Set No. 4: Significant unit upset; Firebox flame extinguished; UVL-1 fails - false high; TAH/L-2A fails - false high; TAH/L-2B fails - false high

Minimal Cut Set No. 5: Significant unit upset; Firebox flame extinguished; UVL-1 fails - false high; TAH/L-2A fails - false high; TAH/L-2C fails - false high

Minimal Cut Set No. 6: Significant unit upset; Firebox flame extinguished; UVL-1 fails - false high; TAH/L-2A fails - false high; TAH/L-2D fails - false high

Minimal Cut Set No. 7: Significant unit upset; Firebox flame extinguished; UVL-1 fails - false high; TAH/L-2B fails - false high; TAH/L-2C fails - false high

Minimal Cut Set No. 8: Significant unit upset; Firebox flame extinguished; UVL-1 fails - false high; TAH/L-2B fails - false high; TAH/L-2D fails - false high

Minimal Cut Set No. 9: Significant unit upset; Firebox flame extinguished; UVL-1 fails - false high; TAH/L-2C fails - false high; TAH/L-2D fails - false high

Minimal Cut Set No. 10: Significant unit upset; Firebox flame extinguished; RCV-4 sticks open to incinerator
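The following Python is an added example, not part of the Guidelines: it encodes the shutdown-system fault tree of Section 15.2 with the basic event names of Table 15.4, enumerates the accident sequence minimal cut sets for explosion scenario 1-7, and reproduces the two findings above (the single-point failures, and what remains once the thermocouples are assumed unable to detect a flameout). The gate structure is my reconstruction of Figures 15.4 and 15.6 and is an assumption.

```python
"""Minimal cut sets for the incinerator shutdown-system fault tree (added example).

The gate structure below is an assumption: a reconstruction of Figures 15.4 and
15.6 using the basic event names of Table 15.4. Gates are AND, OR and k-of-n
(the thermocouple vote); basic events are plain strings.
"""
from itertools import combinations

THERMOCOUPLES = [f"TAH/L-2{x} fails - false high" for x in "ABCD"]

# Top event of Figure 15.4: the incinerator shutdown system fails to trip the
# incinerator, given that a flameout condition exists.
SHUTDOWN_FAILS = ("OR", [
    # Fuel shutoff valves fail to close on command: both valves of a redundant
    # pair must stick open before fuel keeps flowing.
    ("AND", ["RCV-2A sticks open", "RCV-2C sticks open"]),
    ("AND", ["RCV-3A sticks open", "RCV-3C sticks open"]),
    # Single components between the trip logic and the process.
    "RCV-4 sticks open to incinerator",
    "Incinerator shutdown controller fails - no trip output",
    # No shutdown signal reaches the controller: the flame scanner misses the
    # flameout AND the 3-out-of-4 low-temperature vote is defeated, which takes
    # two thermocouples reading false high (2-out-of-4 failures needed).
    ("AND", ["UVL-1 fails - false high", ("KOFN", 2, THERMOCOUPLES)]),
])


def minimize(sets):
    """Drop every cut set that contains another cut set (Boolean absorption)."""
    return {s for s in sets if not any(o < s for o in sets)}


def cut_sets(node):
    """Minimal cut sets of a gate or basic event, as a set of frozensets."""
    if isinstance(node, str):
        return {frozenset([node])}
    kind = node[0]
    if kind == "OR":
        result = set()
        for child in node[1]:
            result |= cut_sets(child)
        return minimize(result)
    if kind == "AND":
        result = {frozenset()}
        for child in node[1]:
            child_sets = cut_sets(child)
            result = {a | b for a in result for b in child_sets}
        return minimize(result)
    if kind == "KOFN":
        k, children = node[1], node[2]
        result = set()
        for combo in combinations(children, k):
            result |= cut_sets(("AND", list(combo)))
        return minimize(result)
    raise ValueError(f"unknown gate type {kind!r}")


def accident_sequence_cut_sets(tree, initiating_event, conditions):
    """Event-tree sequence cut sets: the initiating event and the enabling
    conditions of the sequence, combined with each cut set of the failed system."""
    prefix = frozenset([initiating_event, *conditions])
    return {prefix | cs for cs in cut_sets(tree)}


def single_failures(tree):
    """Basic events that defeat the system on their own (one-element cut sets)."""
    return sorted(next(iter(cs)) for cs in cut_sets(tree) if len(cs) == 1)


def assume_failed(node, failed):
    """Copy of the tree in which the given basic events are taken as already
    failed (an empty AND gate is always true), e.g. thermocouples too slow to
    see a flameout before the incinerator fills with gas."""
    if isinstance(node, str):
        return ("AND", []) if node in failed else node
    if node[0] == "KOFN":
        return ("KOFN", node[1], [assume_failed(c, failed) for c in node[2]])
    return (node[0], [assume_failed(c, failed) for c in node[1]])


# Scenario 1-7 of Figure 15.2: significant unit upset, flame extinguished,
# shutdown system fails to trip -> explosion.
SCENARIO_1_7 = accident_sequence_cut_sets(
    SHUTDOWN_FAILS, "Significant unit upset (IE-1)", ["Firebox flame extinguished (FFE)"])

if __name__ == "__main__":
    for i, cs in enumerate(sorted(SCENARIO_1_7, key=sorted), 1):
        print(f"Minimal Cut Set No. {i}: " + "; ".join(sorted(cs)))
    print("single failures:", single_failures(SHUTDOWN_FAILS))
    print("with thermocouples unable to detect flameout:",
          single_failures(assume_failed(SHUTDOWN_FAILS, set(THERMOCOUPLES))))
```

The ten sequence cut sets match Table 15.4, and removing the thermocouple vote leaves UVL-1 as a third single point of failure beside the controller and RCV-4.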

Table 15.5 lists some of the recommendations Mr. Consultant made. Most of these recommendations are based on evaluation of the accident sequence cut sets.

Mr. Consultant documents the results of the Fault Tree and Event Tree Analyses and sends them to ABC's process hazard analyst. The report that includes the results describes the scope of the problem analyzed, the analysis methods used, and Mr. Consultant's results and recommendations. It also includes the fault tree and event tree models. ABC's analyst (Ms. Deal) prepares an executive summary of this report for the VCM business team.

15.4 Follow-Up

The VCM business team reviewed Mr. Consultant's recommendations and acted on them. In particular, they asked the design engineering firm to incorporate all the suggested design changes, with the exception of the double block and bleed valve on the vent gas line. The team decided to delay any action on this recommendation, pending input from ABC's environmental group, who must decide whether they will allow vent gases to be released directly to the atmosphere in the event of an emergency.

15.5 Conclusions and Observations

The combined Fault Tree and Event Tree Analysis was very useful in helping ABC understand some of the weaknesses of the incinerator design. However, Fault Tree Analysis and Event Tree Analysis methods are narrowly focused and require skilled personnel to apply them; therefore, ABC does not use these methods often, and prefers to use consultants when one of these methods is chosen. There is another reason ABC doesn't often use these methods: the more broad-brush methods, such as HAZOP Analysis, FMEA, Checklist Analysis, etc., have been effective HE methods for evaluating most of ABC's systems.

Table 15.5 Incinerator Safety Improvement Alternatives

Consider using a PLC that has self-checking capability in the shutdown system

Consider installing a redundant flame scanner

Perform a common cause failure analysis (CCFA) of the redundant valves and redundant instrumentation (see the Guidelines for Chemical Process Quantitative Risk Assessment for CCFA details)

Determine if the incinerator thermocouples can detect a flameout (due to low temperature) quickly enough to initiate a shutdown before explosive volumes of gas collect in the incinerator

Consider tripping the fuel gas flow control valve closed when a shutdown signal occurs

Consider installing double block and bleed valves on the vent gas line

Table 15.6 Combined Fault Tree and Event Tree Analysis Staff Requirements for the Detailed Engineering Phase

Personnel            Preparation (hr)   Evaluation (hr)   Documentation (hr)
Consultant           24                 150               100
ABC Reviewers (a)    8                  40                16

(a) Average per ABC reviewer.

The time required to perform the combined Fault Tree and Event Tree Analysis is summarized in Table 15.6. Note that many fault trees and event trees were developed in this analysis, only a few of which are shown in this chapter. The staff requirements shown in Table 15.6 reflect the time it took to develop, analyze, and document all of these models.

It is worth noting that, in this example, the use of one HE study resulted in a recommendation to use another HE method. The HAZOP team who reviewed the detailed design of the VCM plant recognized that the incinerator system was a complex, highly redundant design. While the HAZOP Analysis method can identify single failures with potentially significant consequences, it is not an efficient method for finding multiple failures that lead to serious accidents. The HAZOP team quickly recognized that the incinerator could fail in ways that had very serious consequences. However, because of the high level of redundancy in the incinerator's safeguards, the team recommended that this system be examined in detail with another, more appropriate HE tool: Fault Tree Analysis.

Finally, the incinerator system was evaluated in a detailed manner, in part because it was not designed by ABC. It is commendable that ABC wants to thoroughly understand the vendor's incinerator package and ensure the highest level of safety. However, ABC should also be sure to apply the same rigorous reviews to their own work.


4 Overview of Hazard Evaluation Techniques

The purpose of this chapter is to summarize important aspects of each of the hazard evaluation (HE) techniques covered in the Guidelines. Readers who want a quick overview of a particular technique can read the appropriate section in this chapter. Although all 12 techniques covered in the Guidelines are given equal treatment, not all of the methods are appropriate for every set of hazard evaluation circumstances. Several of the techniques discussed in this chapter are more appropriately used for performing general process hazard studies, usually early during the life of a process. These techniques (i.e., Safety Review, Checklist Analysis, Relative Ranking, PHA, and What-If Analysis) are efficient at taking a "broad-brush" look at the inherent hazards of a large plant or complex process. Using these techniques before a process is commissioned can significantly improve the cost-effectiveness of subsequent safety improvement efforts.

Other HE techniques covered in the Guidelines (i.e., What-If/Checklist Analysis, HAZOP Analysis, and FMEA) are excellent choices for performing detailed analyses of a wide range of hazards during the design phase of the process and during routine operation. These approaches are also used to identify hazardous situations, which can then be studied with even more sophisticated analysis techniques.

Some of the HE techniques covered in the Guidelines should be reserved for use in special situations requiring detailed analysis of one or a few specific hazardous situations of concern. These techniques (i.e., Fault Tree Analysis, Event Tree Analysis, Cause-Consequence Analysis, and Human Reliability Analysis) require specially trained and skilled practitioners. Analysts are cautioned to use these methods on tightly focused problems since they require significantly more time and effort to perform than do the more broad-brush approaches.

For each HE technique, the following areas are covered: description, purpose, types of results, and resource requirements. The "Description," "Purpose," and "Types of Results" sections of this chapter outline what organizations can expect to achieve with particular HE methods. This information is essential to understanding the significance of factors that can influence the selection of an appropriate HE technique (Chapter 5). Those who need more information on using a specific HE technique should refer to Chapter 6.

The "Resource Requirements" sections provide some basic information on the skills, materials, and effort required to perform HE studies. To help users understand the magnitude of the task they are accepting when they choose a particular HE technique, some rough estimates of the amount of effort generally required to perform a study are provided. However, estimating the time and effort needed to apply a particular HE technique is more art than science, because the actual time to perform a study is influenced by many factors, some of which are not quantifiable.

One important factor is the complexity and size of the problem. To account for this influence and give analysts some idea of the effort that will be needed to perform HE studies, estimates are based on two typical types of analysis problems: a simple/small system and a complex/large process.

Simple/Small System: For example, a chemical unloading and storage system consisting of a rail car unloading station, transfer lines, pumps, storage tank, and pressure control/vapor return lines.

Complex/Large Process: For example, a chemical reaction process consisting of a feed system, reaction section, product separation and recovery, emergency relief system, and associated connecting piping and control systems. This process may contain from 10-20 major vessels, including reactors, columns, and accumulators.

These two examples are used to base rough estimates of the amount of time spent by each participant in an HE study. For each technique, the performance of an HE study is divided into three basic phases: preparation, evaluation, and documentation. Preparation involves all the activities discussed in Chapter 2 (e.g., collecting information, defining the analysis scope, and organizing meetings). Evaluation includes the actual analysis activity that is associated with the chosen HE technique (e.g., for a What-If analysis, holding the team meetings). For certain techniques that involve construction of a complex failure logic model, a model development phase is also included. The documentation phase includes not only recording significant results in HE team meetings, but also developing, reviewing, and completing a formal HE report containing a brief process description, discussion of important results, tables or logic models (if any), and a brief explanation of the significance of action items.

The technical labor estimates are given in hours, days, and weeks. For techniques involving a team, certain individuals may participate in only one or two phases, such as a HAZOP meeting (evaluation phase). Others, notably the HE team leader, will work during all phases. Ranges are given to provide some idea of the influence that other factors can have on the time required to do the job (e.g., experience of team).

These estimates are provided only to give analysts a rough idea of the effort they should allocate for performing an HE study. However, because there are so many other factors that influence time and effort, analysts should use these estimates with caution. The actual time required for a study may be much greater (or somewhat less) than these estimates indicate. As analysts and organizations gain experience with each HE technique, they should become better equipped to accurately estimate the size of HE studies for their facilities and become more efficient in the performance of HE studies.

4.1 Safety Review

Description

Undoubtedly, the Safety Review technique was the first HE method ever used. This technique, which may also be referred to as a Process Safety Review, a Design Review, or a Loss Prevention Review, can be used at any stage of the life of a process. When performed on existing facilities, the Safety Review typically involves a walk-through inspection that can vary from an informal, routine visual examination, to a formal examination, performed by a team, that takes several weeks. For processes that are still being designed, a design project team might, for example, review a set of drawings during a meeting.

Safety Reviews are intended to identify plant conditions or operating procedures that could lead to an accident and result in injuries, significant property damage, or environmental impacts. A typical Safety Review includes interviews with many people in the plant: operators, maintenance staff, engineers, management, safety staff, and others, depending upon the plant organization. Safety Reviews should be viewed as cooperative efforts to improve the overall safety and performance of the plant, rather than as an interference to normal operations or as a punitive reaction to a perceived problem. Cooperation is essential; people are likely to become defensive unless considerable effort is made to present the review as a benefit to affected plant personnel and designers. Having the support and involvement of all these groups results in a thorough examination.

The Safety Review usually focuses on major risk situations. Judging general housekeeping and morale are not the normal objectives of a Safety Review, although they can be significant indicators of places where improvements are needed. The Safety Review should complement other process safety activities, such as routine visual inspections, and other HE techniques such as Checklist Analysis and What-If Analysis.

At the end of the Safety Review, the analyst makes recommendations for specific actions that are needed, justifies the recommendations, recommends responsibilities, and lists completion dates. A follow-up evaluation or reinspection may be planned to verify that corrective actions have been completed correctly.

Purpose

Safety Reviews can be used to ensure that the plant and its operating and maintenance practices match the design intent and construction standards. The Safety Review procedure (1) keeps operating personnel alert to the process hazards, (2) reviews operating procedures for necessary revisions, (3) seeks to identify equipment or process changes that could have introduced new hazards, (4) evaluates the design basis of control and safety systems, (5) reviews the application of new technology to existing hazards, and (6) reviews the adequacy of maintenance and safety inspections. The Safety Review technique is often used to perform a pre-startup safety review of a process.

Types of Results

Safety Review results are qualitative descriptions of potential safety problems and suggested corrective actions. The inspection team's report includes deviations from the design intentions as well as authorized procedures and lists of newly discovered safety issues. Responsibility for implementing the corrective action remains with the plant management.

Resource Requirements

For a comprehensive review, the team members will need access to applicable codes and standards; previous safety studies; detailed plant descriptions, such as P&IDs and flowcharts; plant procedures for start-up, shutdown, normal operation, maintenance, and emergencies; personnel injury reports; hazardous incident reports; maintenance records, such as critical instrument checks, pressure relief valve tests, and pressure vessel inspections; and process material characteristics (i.e., toxicity and reactivity information).

The personnel assigned to Safety Review inspections must be very familiar with safety standards and procedures. Special technical skills and experience are helpful for evaluating instrumentation, electrical systems, pressure vessels, process materials and chemistry, and other special-emphasis topics. Table 4.1 lists estimates of the time needed from each team member to perform a Safety Review.

4.2 Checklist Analysis

Description

A Checklist Analysis uses a written list of items or procedural steps to verify the status of a system. Traditional checklists vary widely in level of detail and are frequently used to indicate compliance with standards and practices. The Checklist Analysis approach is easy to use and can be applied at any stage of the process's lifetime. Checklists can be used to familiarize inexperienced personnel with a process by having them compare a process's attributes to various checklist requirements. Checklists also provide a common basis for management review of the analyst's assessments of a process or operation.

A detailed checklist provides the basis for a standard evaluation of process hazards. It can be as extensive as necessary to satisfy the specific situation, but it should be applied conscientiously in order to identify problems that require further attention. Generic hazard checklists are often combined with other HE techniques to evaluate hazardous situations. Checklists are limited by their authors' experience; therefore, they should be developed by authors with varied backgrounds who have extensive experience with the systems they are analyzing. Frequently, checklists are created by simply organizing information from current relevant codes, standards, and regulations. Checklists should be viewed as living documents and should be audited and updated regularly.

Table 4.1 Time Estimates for Using the Safety Review Technique

Scope                    Preparation*    Evaluation     Documentation**
Simple/Small System      2 to 4 hr       6 to 12 hr     4 to 8 hr
Complex/Large Process    1 to 3 days     3 to 5 days    3 to 6 days

*Primarily the team leader.

Many organizations use standard checklists to control the development of a project from initial design through plant decommissioning. The completed checklist must frequently be approved by various staff members and managers before a project can move from one stage to the next. In this way, it serves as both a means of communication and as a form of control. Checklists are normally used in hard copy form, although in some cases computer-based versions can be used.

Purpose

Traditional checklists are used primarily to ensure that organizations are complying with standard practices. In some cases, analysts use a more general checklist in combination with another HE method to discover common hazards that the checklist alone might miss (see Section 4.6, What-If/Checklist Analysis).

Types of Results

To create a traditional checklist, the analyst defines standard design or operating practices, then uses them to generate a list of questions based on deficiencies or differences. A completed checklist contains "yes," "no," "not applicable," or "needs more information" answers to the questions. Qualitative results vary with the specific situation, but generally they lead to a "yes" or "no" decision about compliance with standard procedures. In addition, knowledge of these deficiencies usually leads to an easily developed list of possible safety improvement alternatives for managers to consider.

Resource Requirements

To properly perform this technique, you need an appropriate checklist, an engineering design procedures and operating practices manual, and someone to complete the checklist who has basic knowledge of the process being reviewed. If a relevant checklist is available from previous work, analysts should be able to use it as long as they have the necessary guidance. If no relevant checklist exists, one person (sometimes several people) must prepare a checklist and perform the evaluation. An experienced manager or staff engineer should then review the Checklist Analysis results and direct the next action.

Table 4.2 Time Estimates for Using the Checklist Analysis Technique

Scope                    Preparation     Evaluation     Documentation
Simple/Small System      2 to 4 hr       4 to 8 hr      4 to 8 hr
Complex/Large Process    1 to 3 days     3 to 5 days    2 to 4 days

The Checklist Analysis method is versatile. The type of evaluation performed with a checklist can vary: it can be used quickly for simple evaluations or for more expensive in-depth evaluations. It is a highly cost-effective way to identify customarily recognized hazards. Table 4.2 is an estimate of the time it takes to perform an HE study using the Checklist Analysis technique.

4.3 Relative Ranking

Description

Relative Ranking is actually an analysis strategy rather than a single, well-defined analysis method. This strategy allows hazard analysts to compare the attributes of several processes or activities to determine whether they possess hazardous characteristics that are significant enough to warrant further study. Relative Ranking can also be used to compare several process siting, generic design, or equipment layout options, and provide information concerning which alternative appears to be the "best," or least hazardous, option. These comparisons are based on numerical values that represent the relative level of significance that the analyst gives to each hazard. Relative Ranking studies should normally be performed early in the life of a process, before the detailed design is completed, or early in the development of an existing facility's hazard analysis program. However, the Relative Ranking method can also be applied to an existing process to pinpoint the hazards of various aspects of process operation.

Several formal Relative Ranking methods are widely used. For example, the Dow Fire and Explosion Index (F&EI) has been in existence for many years, and a booklet describing this method, published by the AIChE, is in its seventh printing.

The Dow F&EI evaluates the existence and significance of fire and explosion hazards in many large areas of a process facility. The analyst divides a process or activity into separate process units and assigns indexes based on material, physical, and chemical characteristics; process conditions; plant arrangement and equipment layout considerations; and other factors. The various factors are combined into an F&EI score that can be ranked against the scores of other process units that are evaluated. The Dow F&EI can also be used by experienced analysts to gain insights on when general safety system improvements (e.g., fire protection) may be needed. Another method that is less well known and documented in the U.S.A. is the ICI Mond Index. This index is used to evaluate the chemical and toxicity hazards, as well as fire and explosion hazards, associated with a process area or operation.

Many organizations have created their own specialized indexes to rank the hazards associated with facilities, processes, and operations. For example, the Dow Chemical Company has several indexes that it uses to evaluate and manage the risk of its processes and activities. One of them is called the Chemical Exposure Index (CEI). The CEI is used to rank the relative acute health hazards associated with potential chemical releases. The CEI uses a simple formula to rank the use of any toxic chemical, based on five factors: (1) a measure of toxicity, (2) quantity of volatile material available for release, (3) distance to each area of concern, (4) molecular weight of the chemical being evaluated, and (5) process variables that can affect the conditions of a release, such as temperature, pressure, reactivity, and so forth.

Some specialized indexes have been developed and used by organizations to determine the application of certain recommended industry practices or regulatory requirements. For example, the U.S. Environmental Protection Agency developed a ranking method (the Threshold Planning Quantity [TPQ] Index) to help determine which materials should be considered extremely hazardous when used in emergency response planning activities associated with SARA Title III. Recently, the Occupational Safety and Health Administration and the American Petroleum Institute have suggested using a Substance Hazard Index (SHI) to help determine whether special process safety management efforts should be directed at particular processes or industrial activities.

Purpose

The main purpose of using Relative Ranking methods is to determine the process areas or operations that are the most significant with respect to the hazard of concern in a given study. The theory behind Relative Ranking methods has its roots in the three basic questions used in risk analysis: (1) What can go wrong? (2) How likely is it? and (3) What would the effects be? The philosophy behind Relative Ranking approaches is to address these risk analysis questions to determine the relative importance of processes and activities from a safety standpoint before performing additional and more costly hazard evaluation or risk analysis studies. Thus, approximate relationships of process attributes are compared to determine which areas present the greater relative hazard or risk. Subsequently, additional HE studies may first be performed on the more significant areas of concern.

Types of Results

All Relative Ranking methods should result in an ordered list of processes, equipment, operations, or activities. This list may have several stratified layers representing levels of significance. Other results such as indexes, scores, factor scales, graphs, etc., depend upon the particular technique used to perform the ranking. It is important to note that while these techniques all try to answer the three questions of risk analysis in some way, analysts should not consider the results of such studies as robust estimates of the risk associated with a process or activity. The Relative Ranking technique is usually not based on specific accident sequences; thus, it does not normally lend itself to developing specific safety improvement recommendations.

Resource Requirements

The information requirements of a Relative Ranking study depend upon each ranking method's unique needs. Generally, a Relative Ranking study will require basic physical and chemical data on the substances used in the process or activity. These studies do not normally require detailed process drawings; however, information on the maximum inventories of materials, the plant's process conditions, and geographic layout of material storage areas is usually needed.

A Relative Ranking study can be carried out by a single analyst. Several analysts can work together on a large, complex process when they are experienced with the Relative Ranking technique and have access to all of the input data needed for the study. It is often better to have a trained analyst working with someone who can quickly locate and interpret the necessary material and process data needed for the analysis. Although more than one analyst may be needed, depending upon the complexity and size of the process or activity and the number and type of hazards, it is crucial that all of the analysts are "calibrated" in the same way so their judgments are consistent.

The time and cost of performing an HE study using the Relative Ranking approach will depend upon the technique chosen, the input data requirements, and the number of process areas and hazards evaluated. Table 4.3 lists estimates of the time it would take to perform an HE study using a Relative Ranking technique.

Table 4.3 Time Estimates for Using the Relative Ranking Technique

Scope                    Preparation     Evaluation     Documentation
Simple/Small System      2 to 4 hr       4 to 8 hr      4 to 8 hr
Complex/Large Process    1 to 3 days     3 to 5 days    3 to 5 days

4.4 Preliminary Hazard Analysis

Description

A Preliminary Hazard Analysis (PHA) is a technique that is derived from the U.S. Military Standard System Safety Program Requirements. A PHA focuses in a general way on the hazardous materials and major process areas of a plant. It is most often conducted early in the development of a process when there is little information on design details or operating procedures, and is often a precursor to further hazard analyses. It is included in these Guidelines to illustrate a cost-effective way to identify hazards early in a plant's life. Because of its military heritage, the PHA technique is sometimes used to review process areas where energy can be released in an uncontrolled manner.

A PHA formulates a list of hazards and generic hazardous situations by considering the following process characteristics:

Raw materials, intermediate and final products, and their reactivity

Plant equipment

Interfaces among system components

Operating environment

Operational activities (testing, maintenance, etc.)

Facility layout

One or more hazard analysts assess the significance of process hazards and assign a criticality ranking to each particular situation. This criticality ranking is used to prioritize any recommendations for improving safety that emerge from the team's analysis.

Purpose

The PHA is often used to evaluate hazards early in the life of a process. A PHA is generally applied during the conceptual design or R&D phase of a process plant and can be very useful when making site selection decisions. It is also commonly used as a design review tool before a process P&ID is developed.

While the PHA technique is normally used in the preliminary phase of plant development for cases where experience provides little or no insight into potential safety problems, it may also be helpful when analyzing large existing facilities or when prioritizing hazards when circumstances prevent a more extensive technique from being used.

Types of Results

A PHA yields a qualitative description of the hazards related to a process design. A PHA also provides a qualitative ranking of hazardous situations that can be used to prioritize recommendations for reducing or eliminating hazards in subsequent phases of the life cycle of the process.

Resource Requirements

Using the PHA technique requires that analysts have access to available plant design criteria, equipment specifications, material specifications, and other sources of information. A PHA can be performed by one or two people who have a process safety background. Less-experienced staff can perform a PHA, but the study may not be as exhaustive or as detailed, since this approach requires the analysts to use a significant amount of judgment. Table 4.4 lists estimates of the time needed to perform an HE study using the PHA technique.

Table 4.4 Time Estimates for Using the PHA Technique

Scope                    Preparation*    Evaluation     Documentation**
Simple/Small System      4 to 8 hr       1 to 3 days    1 to 2 days
Complex/Large Process    1 to 3 days     4 to 7 days    4 to 7 days

*Team leader only.

4.5 What-If Analysis

Description

The What-If Analysis technique is a brainstorming approach in which a group of experienced people familiar with the subject process ask questions or voice concerns about possible undesired events. It is not as inherently structured as some other techniques (e.g., HAZOP Analysis and FMEA). Instead, it requires the analyst to adapt the basic concept to the specific application. Very little information has been published on the What-If Analysis method or its application. However, it is frequently used by industry at nearly every stage of the life of a process and has a good reputation among those skilled in its use.

The What-If Analysis concept encourages the HE team to think of questions that begin with "What-If." However, any process safety concern can be voiced, even if it is not phrased as a question. For example:

I'm concerned about having the wrong material delivered.

What if Pump A stops running during start-up?

What if the operator opens valve B instead of A?

Usually, the scribe records all of the questions on a chart pad, marking board, or word processor. Then the questions are divided into specific areas of investigation (usually related to consequences of interest), such as electrical safety, fire protection, or personnel safety. Each area is subsequently addressed by a team of one or more knowledgeable people. The questions are formulated based on experience and applied to existing drawings and process descriptions; for an operating plant, the investigation may include interviews with plant staff not represented on the HE team. (There may be no specific pattern or order to these questions, unless the leader provides a logical pattern such as dividing the process into functional systems.) And the questions can address any off-normal condition related to the plant, not just component failures or process variations.

Purpose

The purpose of a What-If Analysis is to identify hazards, hazardous situations, or specific accident events that could produce an undesirable consequence. An experienced group of people identifies possible accident situations, their consequences, and existing safeguards, then suggests alternatives for risk reduction. The method can involve examination of possible deviations from the design, construction, modification, or operating intent. It requires a basic understanding of the process intention, along with the ability to mentally combine possible deviations from the design intent that could result in an accident. This is a powerful procedure if the staff is experienced; otherwise, the results are likely to be incomplete.

Types of Results

In its simplest form, the What-If Analysis technique generates a list of questions and answers about the process. It may also result in a tabular listing of hazardous situations (with no ranking of or quantitative implication for the identified potential accident scenarios), their consequences, safeguards, and possible options for risk reduction.

Resource Requirements

Since What-If Analysis is so flexible, it can be performed at any stage of the process's life, using whatever process information and knowledge is available. For each area of the process, two or three people should be assigned to perform the analysis; however, a larger team may be preferred. It is better to use a larger group for a complex process, dividing the process into smaller pieces, than to use a small group for a long time on the whole process.

The time and cost of a What-If Analysis are proportional to the plant complexity and number of areas to be analyzed. Once an organization has gained experience with it, the What-If Analysis method can become a cost-efficient means for evaluating hazards during any project phase. Table 4.5 lists estimates of the time needed to perform an HE study using the What-If Analysis technique.

Table 4.5 Time Estimates for Using the What-If Analysis Technique

Scope                    Preparation*    Evaluation     Documentation*
Simple/Small System      4 to 8 hr       4 to 8 hr      1 to 2 days
Complex/Large Process    1 to 3 days     3 to 5 days    1 to 3 weeks

*Primarily, team leader and scribe.

4.6 What-If/Checklist Analysis

Description

The What-If/Checklist Analysis technique combines the creative, brainstorming features of the What-If Analysis method (Section 4.5) with the systematic features of the Checklist Analysis method (Section 4.2). This hybrid method capitalizes on the strengths and compensates for the individual shortcomings of the separate approaches. For example, the Checklist Analysis method is an experience-based technique, and the quality of an HE study performed using this approach is highly dependent on the experience of the checklist's authors. If the checklist is not complete, then the analysis may not effectively address a hazardous situation. The What-If Analysis portion of the technique encourages the HE team to consider potential accident events and consequences that are beyond the experience of the authors of a good checklist, and thus are not covered on the checklist. Conversely, the checklist portion of this technique lends a more systematic nature to the What-If Analysis. The What-If/Checklist Analysis technique may be used at any stage of a process's life.

Like most other HE methods, the method works best when performed by a team experienced in the subject process. This technique is generally used to analyze the most common hazards that exist in a process. Although it is able to evaluate the significance of accidents at almost any level of detail, the What-If/Checklist Analysis method usually focuses on a less detailed level of resolution than, for example, the FMEA technique. Often, a What-If/Checklist Analysis is the first hazard evaluation performed on a process, and as such, it is a precursor for subsequent, more detailed studies.

Purpose

The purpose of a What-If/Checklist Analysis is to identify hazards, consider the general types of accidents that can occur in a process or activity, evaluate in a qualitative fashion the effects of these accidents, and determine whether the safeguards against these potential accident situations appear adequate. Frequently, the HE team members will suggest ways for reducing the risk of operating the process.

Types of Results

An HE team using the What-If/Checklist Analysis technique usually generates a table of potential accident situations, effects, safeguards, and action items. The results from such a study may also include a completed checklist. However, some organizations use a narrative style to document the results of such studies.

Resource Requirements

Most What-If/Checklist Analyses are performed by a team of personnel experienced in the design, operation, and maintenance of the subject process. The number of people needed for such a study depends upon the complexity of the process, and to some extent, the stage of life at which the process is being evaluated. Normally, an HE study using this technique requires fewer people and shorter meetings than does a more structured technique such as HAZOP Analysis. Table 4.6 lists estimates of the time needed to perform an HE study using the What-If/Checklist Analysis technique.

Table 4.6 Time Estimates for Using the What-If/Checklist Analysis Technique

Scope                    Preparation*    Evaluation     Documentation*
Simple/Small System      6 to 12 hr      6 to 12 hr     4 to 8 hr
Complex/Large Process    1 to 3 days     4 to 7 days    1 to 3 weeks

*Primarily, team leader and scribe.

4.7 Hazard and Operability Analysis

Description

The Hazard and Operability Analysis (HAZOP) technique was developed to identify and evaluate safety hazards in a process plant, and to identify operability problems which, although not hazardous, could compromise the plant's ability to achieve design productivity. Although originally developed to anticipate hazards and operability problems for technology with which organizations have little experience, it has been found to be very effective for use with existing operations. Use of the HAZOP Analysis technique requires a detailed source of information concerning the design and operation of a process. Thus, it is most often used to analyze processes during or after the detailed design stage. Several variations of the HAZOP Analysis technique are in practice in the chemical industry.

In HAZOP Analysis, an interdisciplinary team uses a creative, systematic approach to identify hazard and operability problems resulting from deviations from the process's design intent that could lead to undesirable consequences. An experienced team leader systematically guides the team through the plant design using a fixed set of words (called "guide words"). These guide words are applied at specific points or "study nodes" in the plant design and are combined with specific process parameters to identify potential deviations from the plant's intended operation.

For example, the guide word "No" combined with the process parameter "Flow" results in the deviation "No Flow." Sometimes, a leader will use checklists or process experience to help the team develop the necessary list of deviations that the team will consider in the HAZOP meetings. The team then agrees on possible causes of the deviations (e.g., operator error blocks in pump), the consequences of deviations (e.g., pump overheats), and the safeguards applicable to the deviations (e.g., pressure relief valve on the pump discharge line). If the causes and consequences are significant and the safeguards are inadequate, the team may recommend a follow-up action for management consideration. In some cases, the team may identify a deviation with a realistic cause but unknown consequences (e.g., an unknown reaction product) and recommend follow-up studies to determine the possible consequences.
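The guide-word procedure just described, worked through as an added example (not code from the Guidelines or from any HAZOP software): a fixed guide-word list is crossed with the process parameters of one study node to enumerate deviations, and each deviation the team discusses is recorded as a row of the column-format worksheet together with the follow-up the text prescribes (a recommendation when safeguards are judged inadequate, a follow-up study when consequences are unknown). The applicability matrix, the node name and all worksheet rows other than the "No Flow" example from the text are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Fixed guide-word list for the study; a fixed order keeps worksheets repeatable.
GUIDE_WORDS = ["No", "More", "Less", "Reverse", "Part of", "As well as", "Other than"]

# Which guide words yield a meaningful deviation for each process parameter
# at this node. Constructed for the example; the team leader tailors it per
# node ("Reverse Flow" is meaningful, "Reverse Temperature" is not).
APPLICABLE = {
    "Flow":        set(GUIDE_WORDS),
    "Pressure":    {"More", "Less"},
    "Temperature": {"More", "Less"},
    "Level":       {"No", "More", "Less"},
}


def deviations(applicable=APPLICABLE):
    """Enumerate (parameter, guide word, deviation) triples for one study node."""
    return [(param, gw, f"{gw} {param}")
            for param in applicable
            for gw in GUIDE_WORDS if gw in applicable[param]]


@dataclass
class WorksheetRow:
    node: str
    deviation: str
    causes: list
    consequences: Optional[list]               # None: consequences unknown to the team
    safeguards: list
    safeguards_adequate: Optional[bool] = None  # team judgment; None if not assessed

    def action(self) -> str:
        """Follow-up the team records, following the decision rule in the text."""
        if not self.causes:
            return "No credible cause identified; no action"
        if self.consequences is None:
            return "Recommend follow-up study to determine consequences"
        if self.safeguards_adequate is False:
            return "Recommend action for management consideration"
        return "Existing safeguards judged adequate"


def render(rows):
    """Column-format worksheet as plain text, one line per deviation."""
    fmt = "{:<14} {:<30} {:<22} {:<34} {}"
    lines = [fmt.format("Deviation", "Causes", "Consequences", "Safeguards", "Action")]
    for r in rows:
        lines.append(fmt.format(
            r.deviation,
            "; ".join(r.causes) or "-",
            "unknown" if r.consequences is None else "; ".join(r.consequences),
            "; ".join(r.safeguards) or "none",
            r.action()))
    return "\n".join(lines)


# Constructed worksheet entries for a hypothetical node. The first row is the
# text's own "No Flow" example; the other two are made up for illustration.
NODE = "Pump discharge line (hypothetical)"
SAMPLE_ROWS = [
    WorksheetRow(NODE, "No Flow",
                 ["operator error blocks in pump"], ["pump overheats"],
                 ["pressure relief valve on pump discharge line"], True),
    WorksheetRow(NODE, "As well as Flow",
                 ["wrong material delivered"], None, []),
    WorksheetRow(NODE, "Reverse Flow",
                 ["pump trips with higher downstream pressure"],
                 ["backflow into the supply tank"], [], False),
]

if __name__ == "__main__":
    for param, gw, dev in deviations():
        print(f"{param:<12} {gw:<11} -> {dev}")
    print()
    print(render(SAMPLE_ROWS))
```

The enumeration is what makes the method systematic: every applicable guide-word/parameter pair at the node gets a row, so a deviation the team never discussed is visible as a missing row rather than silently absent.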

Purpose

The purpose of a HAZOP Analysis is to carefully review a process or operation in a systematic fashion to determine whether process deviations can lead to undesirable consequences. This technique can be used for continuous or batch processes and can be adapted to evaluate written procedures. The HAZOP team lists potential causes and consequences of the deviation as well as existing safeguards protecting against the deviation. When the team determines that inadequate protection exists for a credible deviation, it usually recommends that action be taken to reduce the risk.

Types of Results

The results of a HAZOP Analysis are the team's findings, which include identification of hazards and operating problems; recommendations for changes in design, procedures, etc., to improve the system; and recommendations to conduct studies of areas where no conclusion was possible due to a lack of information. The results of team discussions concerning the causes, effects, and safeguards for deviations for each node or section of the process are recorded in a column-format table.

Resource Requirements

The HAZOP Analysis requires accurate, up-to-date P&IDs or equivalent drawings, and other detailed process information, such as operating procedures. A HAZOP Analysis also requires considerable knowledge of the process, instrumentation, and operation; this information is usually provided by team members who are experts in these areas. Trained and experienced leaders are an essential part of an efficient, high quality HAZOP Analysis.

The HAZOP team for a large, complex process may consist of five to seven people with a variety of experience: design, engineering, operations, maintenance, and so forth. One team member leads the analysis and another (the scribe) typically records the results of the team's deliberations. For a simple process or in a limited scope review, a team can have as few as three or four people as long as the people have the necessary technical skills and experience. Table 4.7 lists estimates of the time needed to perform an HE study using the HAZOP Analysis technique.

Table 4.7 Time Estimates for Using the HAZOP Analysis Technique

Scope                    Preparation*    Evaluation     Documentation**
Simple/Small System      8 to 12 hr      1 to 3 days    2 to 6 days
Complex/Large Process    2 to 4 days     1 to 3 weeks   2 to 6 weeks

*Primarily, team leader and scribe, although others may work some during this phase.

**Team leader and scribe only. May be lower for experienced scribes using computer software in the HAZOP Analysis meeting(s).

4.8 Failure Modes and Effects Analysis

Description

A Failure Modes and Effects Analysis (FMEA) tabulates failure modes of equipment and their effects on a system or plant. The failure mode describes how equipment fails (open, closed, on, off, leaks, etc.). The effect of the failure mode is determined by the system's response to the equipment failure. An FMEA identifies single failure modes that either directly result in or contribute significantly to an accident. Human operator errors are usually not examined directly in an FMEA; however, the effects of a misoperation as a result of human error are usually indicated by an equipment failure mode. An FMEA is not efficient for identifying an exhaustive list of combinations of equipment failures that lead to accidents.

Purpose

The purpose of an FMEA is to identify single equipment and system failure modes and each failure mode's potential effect(s) on the system or plant. This analysis typically generates recommendations for increasing equipment reliability, thus improving process safety.

Types of Results

An FMEA generates a qualitative, systematic reference list of equipment, failure modes, and effects. A worst-case estimate of consequences resulting from single failures is included. The FMEA may be easily updated for design changes or system/plant modifications. FMEA results are usually documented in a column-format table. Hazard analysts usually include suggestions for improving safety in appropriate items in the table.

Resource Requirements

Using the FMEA approach requires the following data and information sources: a system or plant equipment list or P&ID, knowledge of equipment function and failure modes, and knowledge of system or plant function and responses to equipment failures.

FMEAs can be performed by single analysts, but these analyses should be reviewed by others to help ensure completeness. Staff requirements will vary with the size and complexity of equipment items being analyzed. All analysts involved in the FMEA should be familiar with the equipment functions and failure modes and how the failures might affect other portions of the system or plant.

The time and cost of an FMEA is proportional to the size of the process and number of components analyzed. On the average, an hour is sufficient for analyzing two to four equipment items. As with any HE study of systems with similar equipment performing similar functions, the time requirements are reduced significantly due to the repetitive nature of the evaluations. Table 4.8 lists estimates of the time needed to perform an HE study using the FMEA technique.

Table 4.8 Time Estimates for Using the FMEA Technique

Scope                    Preparation     Evaluation     Documentation
Simple/Small System      2 to 6 hr       1 to 3 days    1 to 3 days
Complex/Large Process    1 to 3 days     1 to 3 weeks   2 to 4 weeks

4.9 Fault Tree Analysis

Description

Fault Tree Analysis (FTA) is a deductive technique that focuses on one particular accident or main system failure, and provides a method for determining causes of that event. The fault tree is a graphical model that displays the various combinations of equipment failures and human errors that can result in the main system failure of interest (called the Top event). The strength of FTA as a qualitative tool is its ability to identify the combinations of basic equipment failures and human errors that can lead to an accident. This allows the hazard analyst to focus preventive or mitigative measures on significant basic causes to reduce the likelihood of an accident.

Purpose

The purpose of an FTA is to identify combinations of equipment failures and human errors that can result in an accident. FTA is well suited for analyses of highly redundant systems. For systems particularly vulnerable to single failures that can lead to accidents, it is better to use a single-failure-oriented technique such as FMEA or HAZOP Analysis. FTA is often employed in situations where another HE technique (e.g., HAZOP Analysis) has pinpointed an important accident of interest that requires more detailed analysis.

Types of Results

An FTA produces system failure logic models that use Boolean logic gates (i.e., AND, OR) to describe how equipment failures and human errors can combine to cause a main system failure. Many fault tree models may result from the analysis of a large process; the actual number of models depends on how selective the hazard analyst was in choosing the Top event(s) of concern. The fault tree analyst usually solves each logic model to generate a list of failures, called minimal cut sets, that can result in the Top event. These lists of minimal cut sets can be qualitatively ranked by the number and type (e.g., hardware, procedural) of failures in each cut set. Cut sets containing more failures are generally less likely than those containing fewer failures. Inspection of these lists of minimal cut sets reveals system design/operation weaknesses for which the analysts may suggest possible safety improvement alternatives.
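As an added illustration (not from the Guidelines), the following Python solves a small constructed fault tree for its minimal cut sets and ranks them by number and type of failure as described above; the gate structure, the basic-event names and the tie-break rule within a size class are assumptions.

```python
"""Minimal cut sets of a small fault tree (added illustration).

Constructed example, not from the Guidelines: a Top event built from
AND/OR gates over basic events. Each basic event is tagged hardware (H)
or procedural (P) so the cut sets can be ranked by number and type.
"""
from itertools import product

# Gate definitions: name -> (gate type, inputs). An input is either another
# gate name or a basic-event name. Note pump_fails feeds both sides of TOP.
GATES = {
    "TOP": ("AND", ["G1", "G2"]),
    "G1": ("OR", ["pump_fails", "G3"]),
    "G3": ("AND", ["valve_stuck", "op_misses_alarm"]),
    "G2": ("OR", ["interlock_fails", "op_bypasses_interlock", "pump_fails"]),
}
# Basic-event types: H = hardware failure, P = procedural (human) error.
BASIC = {
    "pump_fails": "H",
    "valve_stuck": "H",
    "interlock_fails": "H",
    "op_misses_alarm": "P",
    "op_bypasses_interlock": "P",
}


def cut_sets(node):
    """Return the cut sets of `node` as a list of frozensets (not yet minimal)."""
    if node in BASIC:
        return [frozenset([node])]
    gate, inputs = GATES[node]
    child_sets = [cut_sets(i) for i in inputs]
    if gate == "OR":
        # Any one input failing is enough: union of the children's cut sets.
        return [cs for sets in child_sets for cs in sets]
    # AND: every input must fail, so combine one cut set from each input.
    return [frozenset().union(*combo) for combo in product(*child_sets)]


def minimal_cut_sets(node="TOP"):
    """Drop any cut set that is a superset of another (Boolean absorption)."""
    sets = set(cut_sets(node))
    return {cs for cs in sets if not any(other < cs for other in sets)}


def rank(mcs):
    """Fewer failures first; within a size, more procedural errors first
    (constructed tie-break; the Guidelines only say to rank by number and type)."""
    def key(cs):
        n_proc = sum(1 for e in cs if BASIC[e] == "P")
        return (len(cs), -n_proc, sorted(cs))
    return sorted(mcs, key=key)


if __name__ == "__main__":
    for cs in rank(minimal_cut_sets()):
        kinds = "".join(sorted(BASIC[e] for e in cs))
        print(f"{len(cs)} failure(s) [{kinds}]: {', '.join(sorted(cs))}")
```

The single-event cut set {pump_fails} survives absorption even though the pump appears under both AND inputs, which is exactly the kind of single-point weakness the text says inspection of the list reveals.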

Resource Requirements

Using FTA requires a detailed understanding of how the plant or system functions, detailed process drawings and procedures, and knowledge of component failure modes and their effects. Organizations wanting to perform an FTA should use well-trained and experienced analysts to ensure an efficient and high quality analysis.

Qualified analysts can develop fault trees by themselves, but they must have a detailed understanding of the process and, even then, the models should be reviewed with the engineers, operators, and other personnel who have operating experience with the systems and equipment that are included in the analysis. A single analyst/single fault tree approach promotes continuity within the fault tree, but the analyst must have access to all of the information needed to define the failures that contribute to the Top event. A team approach may be used if the subject process is extremely complex or more than one fault tree is needed, with each qualified team member concentrating on one individual fault tree. Interaction among team members and other experienced personnel is necessary to ensure consistency in the development of related or linked models.

Time and cost requirements for an FTA depend on the complexity of the systems involved in the analysis and the level of resolution of the analysis. Modeling a single Top event involving a simple process with an experienced team could require a day or less. Complex systems and large problems with many potential accident events could require many weeks or months, even with an experienced analysis team. Table 4.9 lists estimates for the time needed to perform an HE study using the FTA technique.

Table 4.9 Time Estimates for Using the Fault Tree Analysis Technique

Scope                   Simple/Small System    Complex/Large Process
Preparation             1 to 3 days            4 to 6 days
Model Construction      3 to 6 days            2 to 3 weeks
Qualitative Evaluation  2 to 4 days            1 to 4 weeks
Documentation           3 to 5 days            3 to 5 weeks

4.10 Event Tree Analysis

Description

An event tree graphically shows the possible outcomes of an accident that results from an initiating event (a specific equipment failure or human error). An Event Tree Analysis (ETA) considers the responses of safety systems and operators to the initiating event when determining the accident's potential outcomes. The results of the Event Tree Analysis are accident sequences; that is, sets of failures or errors that lead to an accident. These results describe the possible accident outcomes in terms of the sequence of events (successes or failures of safety functions) that follow an initiating event. An Event Tree Analysis is well suited for analyzing complex processes that have several layers of safety systems or emergency procedures in place to respond to specific initiating events.

Purpose

Event trees are used to identify the various accidents that can occur in a complex process. After these individual accident sequences are identified, the specific combinations of failures that can lead to the accidents can then be determined using Fault Tree Analysis.

Types of Results

The results of an Event Tree Analysis are the event tree models and the safety system successes or failures that lead to each defined outcome. Accident sequences depicted in an event tree represent logical AND combinations of events; thus, these sequences can be put into the form of a fault tree model for further qualitative analysis. Analysts use these results to identify design and procedural weaknesses, and normally provide recommendations for reducing the likelihood and/or consequences of the analyzed potential accidents.
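An added example, not part of the Guidelines: enumerating the accident sequences of a constructed event tree (one initiating event and an ordered set of safety functions, with branches pruned where a function is not relevant) and expressing each accident sequence as the AND combination of the initiating event and the safety-function failures along its path, the fault-tree-ready form described above. All event names, the pruning conditions and the outcome rule are assumptions.

```python
"""Accident sequences of a small event tree (added illustration).

Constructed example, not from the Guidelines: an initiating event and the
safety functions that respond to it, in order. A sequence is an AND of the
initiating event and the safety-function failures along its path.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SafetyFunction:
    name: str
    # Skip this function if any of these earlier functions already succeeded.
    unless_succeeded: frozenset = frozenset()
    # Skip this function unless all of these earlier functions succeeded.
    requires_succeeded: frozenset = frozenset()


# Constructed event tree (all names are assumptions).
INITIATING_EVENT = "loss_of_cooling"
SAFETY_FUNCTIONS = [
    SafetyFunction("high_temp_alarm"),
    # The operator can only respond if the alarm worked.
    SafetyFunction("operator_restores_cooling",
                   requires_succeeded=frozenset({"high_temp_alarm"})),
    SafetyFunction("auto_shutdown",
                   unless_succeeded=frozenset({"operator_restores_cooling"})),
    SafetyFunction("relief_valve_opens",
                   unless_succeeded=frozenset({"operator_restores_cooling",
                                               "auto_shutdown"})),
]


def _is_queried(sf, outcomes):
    """Decide whether a branch point is drawn, given earlier (name, ok) outcomes."""
    succeeded = {name for name, ok in outcomes if ok}
    if sf.unless_succeeded & succeeded:
        return False
    # A required function that was never queried counts as not succeeded.
    return sf.requires_succeeded <= succeeded


def enumerate_sequences(functions=SAFETY_FUNCTIONS):
    """Walk the tree left to right; each sequence is a tuple of (name, succeeded)."""
    sequences = []

    def walk(i, outcomes):
        if i == len(functions):
            sequences.append(tuple(outcomes))
            return
        sf = functions[i]
        if not _is_queried(sf, outcomes):
            walk(i + 1, outcomes)          # branch pruned: no node drawn
            return
        for ok in (True, False):           # upper branch success, lower failure
            walk(i + 1, outcomes + [(sf.name, ok)])

    walk(0, [])
    return sequences


def outcome(sequence):
    """Constructed rule: safe if the last queried safety function succeeded."""
    return "safe" if sequence[-1][1] else "accident"


def accident_sequences():
    """Accident sequences as AND combinations of the initiating event and the
    safety-function failures on the path (the fault-tree-ready form)."""
    result = []
    for seq in enumerate_sequences():
        if outcome(seq) == "accident":
            failures = {INITIATING_EVENT} | {f"{n}_fails" for n, ok in seq if not ok}
            result.append(frozenset(failures))
    return result
```

The two accident sequences returned are the inputs one would place under an OR gate, each as an AND gate of its listed failures, to continue with Fault Tree Analysis.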

Resource Requirements

Using ETA requires knowledge of potential initiating events (that is, equipment failures or system upsets that can potentially cause an accident), and knowledge of safety system functions or emergency procedures that potentially mitigate the effects of each initiating event.

An Event Tree Analysis can be performed by a single analyst as long as the analyst has a detailed knowledge of the system, but a team of two to four people is often preferred. The team approach promotes brainstorming, which results in a more complete event tree. The team should include at least one member with knowledge of Event Tree Analysis, and the remaining members should have knowledge of the processes and experience working with the systems included in the analysis.

Time and cost requirements for an Event Tree Analysis depend on the number and complexity of initiating events and safety functions included in the analysis. Several days should be sufficient for the team to evaluate several initiating events for a simple process; complex processes could require many weeks. Table 4.10 lists estimates of the time needed to perform an HE study using the ETA technique.

Table 4.10 Time Estimates for Using the Event Tree Analysis Technique

Scope                   Simple/Small System    Complex/Large Process
Preparation             1 to 2 days            4 to 6 days
Model Construction      1 to 3 days            1 to 2 weeks
Qualitative Evaluation  1 to 2 days            1 to 2 weeks
Documentation           3 to 5 days            3 to 5 weeks

4.11 Cause-Consequence Analysis

Description

A Cause-Consequence Analysis (CCA) is a blend of Fault Tree and Event Tree Analyses (discussed in the preceding sections). A major strength of a Cause-Consequence Analysis is its use as a communication tool: the cause-consequence diagram displays the relationships between the accident outcomes (consequences) and their basic causes. This technique is most commonly used when the failure logic of the analyzed accidents is rather simple, since the graphical form, which combines both fault trees and event trees on the same diagram, can become quite detailed.

Purpose

As the name suggests, the purpose of a Cause-Consequence Analysis is to identify the basic causes and consequences of potential accidents.

Types of Results

A Cause-Consequence Analysis generates diagrams portraying accident sequences and qualitative descriptions of potential accident outcomes.

Resource Requirements

Using CCA requires the following data and information sources: knowledge of component failures or process upsets that could cause accidents, knowledge of safety systems or emergency procedures that can influence the outcome of an accident, and knowledge of the potential impacts of all of these failures.

A Cause-Consequence Analysis is best performed by a small team (two to four people) with a variety of experience. One team member should be experienced in CCA (or Fault Tree and Event Tree Analysis), while the remaining members should have experience with the design and operation of the systems included in the analysis.

Time and cost requirements for a CCA are highly dependent on the number, complexity, and level of resolution of the events included in the analysis. Scoping-type analyses for several initiating events can usually be accomplished in a week or less. Detailed CCA studies may require many weeks, depending on the complexity of any supporting fault trees. Table 4.11 lists estimates of the time needed to perform an HE study using the CCA technique.

Table 4.11 Time Estimates for Using the Cause-Consequence Analysis Technique

Scope                   Simple/Small System    Complex/Large Process
Preparation             1 to 2 days            4 to 6 days
Model Construction      1 to 3 days            1 to 2 weeks
Qualitative Evaluation  1 to 3 days            1 to 2 weeks
Documentation           3 to 5 days            3 to 5 weeks

4.12 Human Reliability Analysis

Description

A Human Reliability Analysis (HRA) is a systematic evaluation of the factors that influence the performance of operators, maintenance staff, technicians, and other plant personnel. It involves one of several types of task analyses; these types of analyses describe a task's physical and environmental characteristics, along with the skills, knowledge, and capabilities required of those who perform the tasks. A Human Reliability Analysis will identify error-likely situations that can cause or lead to accidents. A Human Reliability Analysis can also be used to trace the causes of human errors. Human Reliability Analysis is usually performed in conjunction with other hazard evaluation techniques.

Purpose

The purpose of Human Reliability Analysis is to identify potential human errors and their effects, or to identify the underlying causes of human errors.

Types of Results

A Human Reliability Analysis systematically lists the errors likely to be encountered during normal or emergency operation, factors contributing to such errors, and proposed system modifications to reduce the likelihood of such errors. The results are qualitative, but may be quantified. The analysis includes identifying system interfaces affected by particular errors, and ranking these errors in relation to the others, based on probability of occurrence or severity of consequences. The results are easily updated for design changes or system, plant, or training modifications.

Resource Requirements

Using Human Reliability Analysis requires the following data and information sources: plant procedures; information from interviews of plant personnel; knowledge of plant layout, function, or task allocation; control panel layout; and alarm system layout.

Staffing requirements vary based on the scope of the analysis. Generally, one or two analysts with human factors training should be able to perform an HRA for a facility. The analyst(s) should be familiar with interviewing techniques and should have access to plant personnel; to pertinent information, such as procedures and schematic drawings; and to the facility. The analyst should be familiar with (or know someone who is familiar with) the plant response or consequences caused by various human errors.

The time and cost for this type of analysis are proportional to the size and number of tasks, systems, or errors being analyzed. As little as an hour should be sufficient to conduct a rough HRA of the tasks associated with a simple plant procedure. The time required to identify likely sources of a given type of error will vary with the complexity of the tasks involved, but this analysis could also be completed in as little as an hour. If the results of a single task analysis were used to investigate several sources of potential human error, the time requirement per source of error would be significantly decreased. Identifying potential modifications to reduce the incidence of human errors would not add materially to the time required for a Human Reliability Analysis. Table 4.12 lists estimates of the time needed to perform an HE study using the HRA technique.

Table 4.12 Time Estimates for Using the Human Reliability Analysis Technique

Scope                   Simple/Small System    Complex/Large Process
Preparation             4 to 8 hours           1 to 3 days
Model Construction      1 to 3 days            1 to 2 weeks
Qualitative Evaluation  1 to 2 days            1 to 2 weeks
Documentation           3 to 5 days            1 to 3 weeks


References

1. F. P. Lees, Loss Prevention in the Process Industries, Vols. 1 and 2, Butterworths, London, 1980.

2. H. R. Greenberg and J. J. Cramer, eds., Risk Assessment and Risk Management for the Chemical Process Industry (ISBN 0-442-23438-4), Van Nostrand Reinhold, New York, 1991.

3. Chemical Process Hazard Review, ACS Symposium Series 274, American Chemical Society, Washington, DC, 1985.

6.6 What-If/Checklist Analysis

Technical Approach

The What-If/Checklist Analysis technique is a combination of two previously discussed HE methods: What-If Analysis (Section 6.5) and Checklist Analysis (Section 6.2). The method is usually performed by a team of personnel experienced with the subject process. The team uses the What-If Analysis technique to brainstorm the various types of accidents that can occur within the process. Then the team uses one or more checklists to help fill in any gaps they may have missed. The checklists used in this portion of the analysis differ somewhat from traditional checklists of desired design, procedural, and operating attributes (see Section 6.2). Rather than focusing on a specific list of design or operating features, checklists used in a What-If/Checklist Analysis are more general and focus on sources of hazards and accidents. These checklists are intended to inspire creative thought about the types and sources of hazards associated with the process.

The combined use of these two methods emphasizes their main positive features (i.e., the creativity of What-If Analysis and the experience-based thoroughness of a checklist) while at the same time compensating for their shortcomings when used separately. For example, a traditional checklist of a subject process, by definition, is based on the relevant project experience the author is able to accumulate from various sources. Sometimes, particularly if there is little relevant industry or company experience available on the subject process, the checklist is likely to provide incomplete insights into the design, procedural, and operating features necessary for a safe process, and a more general checklist is required. The What-If part of the analysis uses a team's creativity and experience to brainstorm potential accident situations. Since the What-If Analysis method is usually not as detailed, systematic, or thorough as some of the more regimented approaches (e.g., HAZOP Analysis, FMEA), use of a checklist permits the HE team to fill in any gaps in their thought process.

The What-If/Checklist Analysis technique can be used for any type of process or activity at virtually any stage in the life of the process. Normally, the method is used to examine the potential effects and significance of accident situations at a more general level than some of the more detailed approaches. For example, a What-If/Checklist Analysis might consider the issue "What happens if the reactor feed stream is contaminated?" Ultimately, the level of resolution of a What-If/Checklist Analysis can be as detailed as the HE team chooses.

Analysis Procedure

A What-If/Checklist Analysis consists of the following steps: (1) preparing for the review, (2) developing a list of What-If questions and issues, (3) using a checklist to cover any gaps, (4) evaluating each of the questions and issues, and (5) documenting the results.1-4 A variation of this procedure is for the team to reverse the order of steps 2 and 3 or to develop What-If questions concurrently as they progress through a detailed checklist.

Preparing for the Review. Chapter 2 of these Guidelines provides general guidance for preparing for team-based HE studies. For a What-If/Checklist Analysis, the HE team leader assembles a qualified team, determines the physical and analytical scope for the proposed study, and, if the process/activity is rather large, divides it into functions, physical areas, or tasks to provide some order to the review of the process. (Section 6.5 discusses the important aspects of preparing for a What-If Analysis; these will not be repeated here.) For the checklist portion of this analysis, the HE team leader should obtain or develop an appropriate checklist for the team to use in conjunction with the What-If Analysis. The checklist should focus on general hazardous characteristics of the process or operation. Appendix contains an example of a detailed checklist that an HE team leader could use as the basis for constructing checklists appropriate for almost any analysis.

Developing a List of What-If Questions and Issues. Section 6.5 describes the approach an HE team uses when meeting to develop questions and issues involving potential accident situations.

Using a Checklist to Cover Any Gaps. Once the team has identified all of the questions and issues it can in a particular area or step of the process or activity, the HE team leader will use the checklist he or she previously obtained (or prepared). The team considers each checklist item to see whether any other potential accident situations or concerns arise. If so, these are evaluated in the same way as the original What-If questions (the checklist is reviewed for each area or step in the process or activity). In some cases it may be more desirable to have the HE team brainstorm the hazards and potential accident situations of a process before using the checklist.1 In other situations, effective results can be obtained by beginning with a checklist and using items in it to create What-If questions and issues that might not otherwise have been considered. However, if the checklist is used first, leaders should take precautions to avoid letting the checklist restrict the creativity and imagination of the team.

Evaluating Each of the Questions and Issues. After developing questions and issues involving potential accident situations, the team considers each accident situation or safety concern; qualitatively determines the potential effects of the accident implied by the situation or concern; and lists existing safeguards to prevent, mitigate, or contain the effects of the potential accident. The team then evaluates the significance of each situation and determines whether a particular safety improvement option should be recommended. This process is repeated for each area or step of the process or activity. Sometimes this evaluation is performed by specific team members outside the team meeting and is subsequently reviewed by the team.

Documenting the Results. The results of a What-If/Checklist Analysis are documented in the same way as the results for a What-If Analysis (see Section 6.5). Usually the scribe will use a marking board, chart pad, or word processor linked to an overhead projector to record questions, issues, effects, safeguards, action items, etc., during the meeting. Following the meeting the HE team leader and scribe usually summarize these results in a tabular form similar to that shown in 6.7. For a What-If/Checklist Analysis, the HE team may also document the completion of the checklist to help illustrate the completeness of the study.

Anticipated Work Product

A typical report contains a listing of potential accident situations, effects, safeguards, and action items generated in the meetings, often in tabular form. However, some analysts document the results in a narrative text format. Sometimes the HE team will provide management with more detailed explanations of the analysis recommendations. Chapter 7 provides additional information concerning analysis follow-up considerations.

Computer Software Aids

SAFEPLAN (DuPont, Westlake Village, California) is the only software program specifically designed to perform What-If/Checklist Analysis that was found to be commercially available. Hazard analysts should also be able to use the software listed in the What-If Analysis, Checklist Analysis, and HAZOP Analysis sections. In addition, standard word processing and spreadsheet programs can help analysts document the results of What-If/Checklist Analysis studies.

Example

To increase production, the K. R. Mody Chemical Company has installed a new transfer line between its existing 90-ton chlorine storage tank and its reactor feed tank. Before each batch, the operator must transfer one ton of chlorine into the feed tank; the new line will allow this to be done in about one hour (with the old line it took about three hours). Nitrogen pressure will be used to force the liquid chlorine through the mile-long, uninsulated, welded pipeline in the elevated rack be

Recommended