Methodology for the generation and evaluation of safety system alternatives based on extended Hazop


Naveed Ramzan, Fred Compart, and Werner Witt
Lehrstuhl Anlagen und Sicherheitstechnik, Brandenburgische Technische Universität, Cottbus 03044, Germany; [email protected] (for correspondence)

Published online 16 October 2006 in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/prs.10161

Process safety is paramount in the secure and viable operation of any chemical process plant. Many techniques and methodologies have been defined over the years to undertake steps that will ensure a safe operating environment at a chemical facility. However, until now, process simulation has found very little or no use in safety-related studies. This article introduces a systematic framework based on Extended Hazop (that is, Hazop supported by disturbance simulation related to process malfunctions). The Extended Hazop differs from standard Hazop in documenting results, classification of frequency and consequences of process deviations, and application of a risk potential matrix (Hazop decision matrix). In this article, the Extended Hazop method is explained. Application of this method will be demonstrated in a separate article. © 2006 American Institute of Chemical Engineers Process Saf Prog 26: 35–42, 2007

Keywords: process safety; disturbance simulation; risk potential matrix

1. INTRODUCTION

The chemical processing industries have a history of major accidents such as Flixborough (UK), Seveso (Italy), Bhopal (India), and Toulouse (France) [1]. As the result of various consequences caused by such accidents, plant safety has particular importance in the chemical processing industries. Recent advances in the field of process safety/risk have replaced the old concept of accident prevention [2]. This includes hazard identification and design of new engineering features to prevent losses. Many techniques have been developed for hazard identification and safety/risk analysis over the years. In the chemical processing industries the most common tools are safety reviews, process hazard checklist, relative ranking (hazard indices), preliminary hazard analysis, What-if analysis, hazard and operability study (HAZOP), failure modes and effect analysis (FMEA), fault tree analysis (FTA), event tree analysis (ETA), layers-of-protection analysis (LOPA), cause consequence analysis, and human reliability analysis. No single technique can support all the aspects of safety/risk [3], so the process of safety/risk assessment is best achieved through a systematic approach using combinations of the above-cited techniques. Therefore, safety/risk analysis methodologies are based on combinations of these techniques.

Several methodologies of risk analysis have been presented so far and are thoroughly described in textbooks and the literature [4–8]. Tixier et al. identified more than 60 methodologies for risk analysis of industrial plants and sorted these methodologies into two principal groups: qualitative and quantitative. Each group is further divided into three categories: only deterministic; only probabilistic; and a combination of deterministic and probabilistic approaches [8].

Of course, it should be noted that currently no universally agreed-upon standard of safety/risk analysis methodology exists [9]. In fact, the actual methodology used in any organization will be a result of the integration of distinct tools and techniques as required by site-specific factors and the decisional and judgmental contribution of the analyst or the plant manager. Effective hazard analysis requires a clear definition of the scope and objectives of the study and current information about the process chemicals and process technology.

© 2006 American Institute of Chemical Engineers

Process Safety Progress (Vol.26, No.1) March 2007 35

In addition to conventional techniques, process disturbance simulation can be powerful for safety examinations. Here, process disturbance simulation means use of dynamic simulation to study the effect of large variations of design/operational parameter disturbances (such as flow with respect to maximum pump capacity) and failure of components (such as loss of reflux pump or loss of cooling water to condenser) on the dynamic behavior of a system rather than a study of small disturbances for control loop tuning or control system design. For each kind of disturbance, the effect of differences between the simulation model and a real plant, such as reverse flow, on the results should be considered. Deerberg et al. [10] and Can et al. [11] describe the use of process disturbance simulation for the study of operational failures of two-phase semibatch processes and a methanol/water distillation column, respectively. Detailed simulation of operational failures provides information about changes of the process parameters. Therefore, in this article a methodology based on a combination of conventional risk analysis techniques and process disturbance simulation is presented for safety/risk analysis and optimization.

2. METHODOLOGY BASED ON EXTENDED HAZOP

The purpose of this methodology is to determine risk from operational disturbances and to develop effective risk reductions. It can be divided into the following steps (see Figure 1):

Step I: Description of System and Objectives of Analysis (before starting safety/risk analysis)

For efficient safety/risk studies, the analyst must have an accurate description of the system to be investigated and a clear objective of the analysis study. Therefore, in this step the purpose, objectives, and scope of the study are clearly defined. A team under a trained and experienced leader with five to seven people including experts of the design and operation of the subject process is formulated [9]. The necessary information required for the study—such as process flow diagrams, piping and instrumentation diagrams, plant layout schematics, material safety data sheets, equipment data sheets, operating instructions, start-up and emergency shutdown procedures, and process limits—is gathered from plant documentation.

Figure 1. Simplified block diagram of methodology based on Extended Hazop.

Step II: Safety/Risk Analysis—Extended Hazop (identification of weak points by extended Hazop and risk potential matrix)

One of the biggest sources of error in hazard analysis is failure to identify the ways in which a hazard can occur. Therefore, hazard identification is an essential feature and first step of any standard safety/risk analysis methodology. The hazard and operability study (Hazop), developed by ICI in 1963, is one of the best techniques for this step and is widely used (such as in the chemical industry). It is a systematic study, conducted by a highly expert team, to identify hazards in the process plants and to identify operability problems that, although not hazards, could compromise a plant's productivity.

This technique uses guidewords to assist the analysis team in considering the causes and consequences of deviations. High levels of mental performance and alertness for a long span of time are needed for its effective and fruitful conduct. Findings of the Hazop discussion meetings are recorded using a Hazop worksheet. The entries generally included in the Hazop worksheets are reference number, guideword, deviation, possible causes, consequences, safeguards, and actions. A typical process Hazop worksheet taken from IEC 61882 is shown in Figure 2 [12].

Completing Hazops requires much time and, in the case of well-known established processes, most of the questions provide no new aspects. To reduce these disadvantages without sacrificing principles of Hazop, modified versions of the Hazop technique have been proposed (such as Mini-HAZOP by the safety department of BASF [13] and OptHazop by Khan and Abbasi [14]).

Our intention is to identify weak points arising from disturbances in operation, which may or may not be hazardous, to improve safety, operability, and/or profit at the same time. Analysis of the influence of disturbances (failures) on the behavior of the process is based on shortcut or simplified hand calculations supported by dynamic simulation. A variety of commercial simulators such as Hysys, Speedup, gPROMS, and Aspen Dynamics are available for dynamic simulation. Among these, Aspen Dynamics is a powerful and easy-to-use tool, which enables users to realize the benefits of dynamic simulation. It is tightly integrated with Aspen Tech's steady-state simulator Aspen Plus™. Within Aspen Plus™, steady-state simulations can be cast into dynamic simulation in Aspen Dynamics by specifying additional detailed engineering parameters, including pressure/flow relationship and equipment dimensions. Normally, the dynamic process model developed in Aspen Dynamics is used to examine process operability and control alternatives and not to troubleshoot operational problems. Because of this, applications of a simulation tool like Aspen Dynamics for analysis of safety-related process malfunctions might not describe reality. The analyst has to consider the simulation basis and constraints before using the results.

Extended Hazop (Hazop supported by dynamic simulation) is performed to generate different safety-related proposals along with identification of hazards, while all the time preserving the essential elements of the original Hazop approaches. Extended Hazop differs from the standard Hazop approach in the following aspects:

Figure 2. Process Hazop worksheet (source IEC 61882).

(1) Use of Dynamic Simulation
In Extended Hazop, the physical consequences of the possible causes of the process parameter deviations are identified using dynamic simulation of the process.

(2) Classification of Risk Consequences
Each established consequence (hazard) is ranked by a consequence class rating called (C) from 0 (lowest) to 8 (highest), giving a scoring chart for the consequences (Table 1).

(3) Classification of Frequency
The frequency of occurrence for each possible consequence (hazard) is established by giving a frequency class, called (F), according to the scoring chart for frequency (Table 2). Definition of frequency class may be supported by event tree and/or fault tree analysis techniques.

(4) Way of Documenting the Hazop Results
The Extended Hazop methodology worksheet for documenting the Hazop team results is shown in Figure 3. Below consequence, the physical scenario has to be documented first and next the risk-related consequences would be documented. For each frequency and consequence, a class has to be established.

(5) Way of Ranking the Hazop Results
In Extended Hazop methodology, a risk potential matrix (Hazop decision matrix) is integrated for ranking Hazop results.

Table 1. Scoring chart for consequence.

Columns: Effect Class | Financial Loss (Euro) | Consequences: Community | Pilot Plant: Production | Pilot Plant: Function Impairment / Safety and Environmental Pollution (examples)

0 | <10 | No effect on people | Product quality lowering (brief) | –
1 | 10^1–10^2 | Nuisance effect | Product quality lowering | –
2 | 10^2–10^3 | Minor irritation effect to people and local news | Product quality lowering (long-term) | Functional loss
3 | 10^3–10^4 | Moderate irritation effects to people and noncompliance to laws, local news | Production disturbance (brief) | Soil contamination; emission by pressure relief into the line
4 | 10^4–10^5 | Moderate irritation effects to people and environment; single injuries and regional news | Production disturbance | Material release from the piping; heating element defective (burn through); pump damage (pressure impacts); soil contamination
5 | 10^5–10^6 | Significant effects to people and environment; >1 injuries and regional news | Production disturbance (long-term) | Emission by pressure relief to atmosphere; fire (pump/heat exchanger/evaporator)
6 | 10^6–10^7 | Major effects to people and environment, multiple injuries, fatality likely; regional news | – | Fire
7 | 10^7–10^8 | Severe effects to people and environment, fatality; regional news | – | Column burst
8 | >10^8 | Multiple fatalities and process shutdown certain; international news | – | Explosion

A sample Extended Hazop worksheet for a distillation column is shown in Figure 4. The detailed application of this methodology is discussed in a separate report [15].

Step III: Safety/Risk Assessment—Risk Potential Matrix (Hazop decision matrix)

The rows of the matrix show the established frequency class of the identified consequences (hazards) caused by process deviations (see Table 2), and the columns show the established consequence class of the hazards identified (see Table 1); each cell in the matrix therefore represents a risk category. The Hazop decision matrix divides the risk category into four levels as described below:

Risk level I (the dark area in the upper right-hand corner): The scenario in this level is intolerable and immediate action is needed to reduce that risk category.

Risk level II (light diagonal area with horizontal lines): The scenario in this level is tolerable but not acceptable for long periods of time, so action at the next scheduled maintenance is needed to reduce that risk category.

Risk level III (diagonal area with grids): The scenario in this level is acceptable and any action to reduce that risk category is optional.

Table 2. Scoring chart for frequency.

Columns: Class | Frequency of Occurring Incident (yr^-1) | Comprehension | Examples from Literature

9 | <10^-8 | Very very small | Catastrophic rupture or leakage of pipe of diameter > 150 mm
8 | 10^-8–10^-7 | Very small | Catastrophic rupture of pipe of diameter ≤ 50 mm
7 | 10^-7–10^-6 | Small | Catastrophic rupture of fractionating system (excluding piping); storage tank rupture
6 | 10^-6–10^-5 | Less small | Pipe residual failure, 100 m full breach; double-wall tank leakage
5 | 10^-5–10^-4 | Moderate | Process vessel leakage of ≤ 1 mm diameter
4 | 10^-4–10^-3 | Less moderate | Pump leakage; heat exchanger leakage
3 | 10^-3–10^-2 | Less high | Safety valve open spuriously; large external fire
2 | 10^-2–10^-1 | High | Cooling water failure; BPCS instrument loop failure
1 | 10^-1–10^0 | Very high | Operator failure; regulator failure; solenoid valve failure
0 | >10^0 | Very very high | Power failure in developing countries; operator failure under high stress

Figure 3. Extended Hazop worksheet.

Risk level IV (the white area in the lower left-hand corner): The scenario in this level needs no action.

Figure 5 shows the risk potential matrix (Hazop decision matrix) and this is used for:

• Documentation of the status of the plant safety
• Order of magnitude ranking of events
• Selection and development of optimization proposals
• Importance of improvement
• Documentation of improved status of the plant safety

The application of the risk potential matrix (Hazop decision matrix) in Extended Hazop is shown in Figure 6. Arrows show the transformation of entries from the Extended Hazop worksheet to the Hazop decision matrix. The identity number (ID) of each possible cause/initiating event from the fourth column of the Extended Hazop worksheet is placed in the cell of the first Hazop decision matrix determined from the rating F (frequency class) and C (consequence class) from the sixth column of the Extended Hazop sheet. The recommended actions for this scenario will be placed from the seventh column of the Extended Hazop sheet to the bottom of the Hazop decision matrix. Similarly, the identity number of each possible cause/initiating event is placed in the cell of the second Hazop decision matrix determined from the ratings F and C from the eighth column of the Extended Hazop worksheet. First, the Hazop decision matrix will show the existing status and, second, the Hazop decision matrix shows the improved plant status after recommended actions. For example, in Figure 6, arrows 1 and 2 show the transfer of ID 1.1 of a possible cause/initiating event from the fourth column of the Extended Hazop worksheet to the cell of the first and second Hazop decision matrices determined by ratings F and C from the sixth and eighth columns of the Extended Hazop worksheet, respectively, as shown by arrows 3 and 4. Arrow 5 shows the transfer of recommended action (A) from the seventh column for ID 1.1 to the bottom of the first Hazop decision matrix.

Figure 4. Extended Hazop worksheet for distillation column unit.

Figure 5. Risk potential matrix (Hazop decision matrix).

Similarly, all results from the Extended Hazop worksheets are transferred to the Hazop decision matrix. After completion of this process, safety-related proposals are generated in the next step by analyzing the decision matrix as shown by arrow 6.
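The scoring charts of Tables 1 and 2 and the worksheet-to-matrix transfer of Step III, as an added Python illustration that is not code from the paper or its authors. The decade-per-class mappings follow the tables; the risk-level partition of the matrix (the paper gives it only graphically in Figure 5) and the sample worksheet rows are assumptions.

```python
"""Extended Hazop scoring (Tables 1 and 2) and worksheet-to-decision-matrix
transfer (Step III). Added illustration, not code from Ramzan et al."""
import math
from collections import defaultdict
from dataclasses import dataclass


def consequence_class(loss_euro: float) -> int:
    """Table 1: C = 0 below 10 EUR, one class per decade, capped at 8 (> 1e8 EUR)."""
    if loss_euro < 10:
        return 0
    return min(8, int(math.floor(math.log10(loss_euro))))


def frequency_class(per_year: float) -> int:
    """Table 2: F = 0 above 1/yr, one class per decade, capped at 9 (< 1e-8/yr)."""
    if per_year <= 0:
        raise ValueError("frequency must be positive")
    if per_year > 1:
        return 0
    return min(9, -int(math.floor(math.log10(per_year))))


def risk_level(f: int, c: int) -> str:
    """Risk level I..IV of one matrix cell. ASSUMED partition: the paper draws
    the regions in Figure 5 but gives no thresholds; here high consequence
    combined with high frequency (a low F number) scores level I."""
    score = c - f
    if score >= 5:
        return "I"
    if score >= 2:
        return "II"
    if score >= -1:
        return "III"
    return "IV"


@dataclass
class HazopRow:
    """One line of the Extended Hazop worksheet (Figure 3): ID of the possible
    cause (column 4), F/C before the action (column 6), recommended action
    (column 7) and F/C after the action (column 8)."""
    cause_id: str
    deviation: str
    f_before: int
    c_before: int
    action: str
    f_after: int
    c_after: int


def build_decision_matrices(rows):
    """Arrows 1-5 of Figure 6: place each ID in the 'existing status' matrix
    (classes from column 6) and the 'improved status' matrix (classes from
    column 8); collect the recommended actions under the first matrix."""
    existing, improved, actions = defaultdict(list), defaultdict(list), []
    for r in rows:
        existing[(r.f_before, r.c_before)].append(r.cause_id)
        improved[(r.f_after, r.c_after)].append(r.cause_id)
        actions.append((r.cause_id, r.action))
    return dict(existing), dict(improved), actions


def level_changes(rows):
    """Arrow 6: risk level of every ID before and after the recommended action."""
    return {r.cause_id: (risk_level(r.f_before, r.c_before),
                         risk_level(r.f_after, r.c_after)) for r in rows}


# Constructed sample rows for a distillation column. Classes reuse example
# entries of Tables 1 and 2 (cooling water failure: F = 2; emission by pressure
# relief to atmosphere: C = 5); the remaining values are assumed.
SAMPLE_ROWS = [
    HazopRow("1.1", "more pressure", 2, 5,
             "add pressure alarm and condenser cooling interlock", 4, 5),
    HazopRow("1.2", "less reflux", 1, 1, "none", 1, 1),
]

if __name__ == "__main__":
    existing, improved, actions = build_decision_matrices(SAMPLE_ROWS)
    print("existing:", existing, "improved:", improved, "actions:", actions)
    print("levels:", level_changes(SAMPLE_ROWS))
```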

Step IV: Safety/Risk System Optimization (development and analysis of optimization proposals)

Keeping in view the risk target and results of the Extended Hazop discussion, safety-related optimization proposals are developed and analyzed in this step. The optimization proposals can be developed at two levels:

1. Simple optimization proposals (such as addition of a pressure alarm or change of location of the sensor within the Extended Hazop discussion)

2. Optimization proposals related to severe scenarios by evaluating the risk potential matrix (Hazop decision matrix)

These optimization proposals are evaluated using dynamic simulation, event tree analysis, and/or fault tree analysis. The optimum safety measure meeting the required risk category reduction is selected. Techniques for setting up event trees and fault trees are discussed in CCPS guidelines [5,6], Wells [7], Schreiber [16], and CONCAWE Report 10/82 [17].

3. CONCLUSIONS

A systematic methodology supported by dynamic simulation and conventional techniques for identification of operational failures and analyzing effects of design improvements in a safety system is discussed. Extended Hazop (Hazop supported by dynamic simulations), used to identify weak points and system optimization, covers both safety and operational failures. The risk potential matrix (Hazop decision matrix) integrated within Extended Hazop guides the generation of system optimization proposals. Success of the methodology depends on the quality (applicability) of the dynamic model, data, and experience of the team members/analyst. Of course, as is the case in all simulation studies, obtaining a good model that is a true representation of the process is the key issue. This is not possible for every process or every variable within a process. However, where dynamic models are used, effort can be made to validate the model in the area of application. Although commercial simulation tools such as Aspen Dynamics are not designed for such studies, dynamic simulation in combination with Hazop and event tree analysis is a powerful tool for safety examinations and system optimization. The methodology identifies the sequence of events that can lead to nonsevere and severe incidents and provides insights into the strengths and weaknesses of the technology and safety systems. This methodology is useful for safety concept definition, safety analysis, and safety system design and optimization. Application of this methodology to a distillation unit will be described in a future article.

Figure 6. Application of risk potential matrix (Hazop decision matrix) in Extended Hazop.

LITERATURE CITED

1. F.I. Khan and S.A. Abbasi, Risk analysis of a petrochemical industry using ORA (Optimal Risk Analysis) procedure, Process Safety Prog 20 (2001), 95–110.

2. D.A. Crowl and J.F. Louvar, Chemical process safety: Fundamentals with applications, Prentice Hall, Upper Saddle River, NJ, 1999, pp. 471–508.

3. A.C. Caputo, M. Palumbo, and R. Tartaglia, Fault tree analysis for risk assessment in the Borexino experiment, Process Safety Prog 23 (2004), 121–131.

4. B. Skeleton, Process safety analysis: An introduction, Institution of Chemical Engineers, Rugby, UK, 1997.

5. Center for Chemical Process Safety (CCPS), Guidelines for hazard evaluation procedures, CCPS, American Institute of Chemical Engineers, New York, 1992, pp. 131–151.

6. Center for Chemical Process Safety (CCPS), Guidelines for chemical process quantitative risk analysis, CCPS, American Institute of Chemical Engineers, New York, 2000, pp. 297–387.

7. G. Wells, Hazard identification and risk assessment, Institution of Chemical Engineers, Rugby, UK, 1996.

8. J. Tixier, G. Dussere, O. Salvi, and D. Gaston, Review of 62 risk analysis methodologies of industrial plants, J Loss Prev Process Ind 15 (2002), 291–303.

9. N.J. Bahr, System safety engineering and risk assessment: A practical approach, Taylor & Francis, New York, 1997.

10. G. Deerberg, S. Schluter, A. Steiff, and W. Witt, Simulation of operational failures in two-phase semi batch processes, Chem Eng Sci 51 (1996), 3113–3118.

11. U. Can, M. Jimoh, J. Steinbach, and G. Wozny, Simulation and experimental analysis of operational failures in a distillation column, Sep Purif Technol 29 (2002), 163–170.

12. International Electrotechnical Commission (IEC), Hazard and operability studies (HAZOP studies)—Application guide (Document IEC 61882), IEC, Geneva, Switzerland, 2001.

13. G. Grossman and D. Fromm, HAZOP-proof ammonia plant: A new way of defining a safe and reliable design, Plant/Oper Prog 10 (1991), 223–227.

14. F.I. Khan and S.A. Abbasi, OptHAZOP: An optimal and effective procedure to conduct HAZOP Study, J Loss Prev Process Ind 10 (1997), 191–201.

15. N. Ramzan, F. Compart, and W. Witt, Application of extended Hazop and event tree analysis for investigating operational failures and safety optimization of distillation column unit, Process Safety Prog 25 (2006), 000–000.

16. A.M. Schreiber, Using event trees and fault trees, Chem Eng 8 (1982), 115–120.

17. Conservation of Clean Air and Water in Europe (CONCAWE), Methodologies for hazard analysis and risk assessment in the petroleum refining and storage industry, Report No. 10/82, CONCAWE, Den Haag, The Netherlands, 1982.

18. T.A. Kletz, Hazop—Past and future, Reliab Eng Syst Safety 55 (1997), 263–266.