Unit 2

The document outlines the principles of Hazard Analysis and Risk Assessment in Process Safety Engineering, focusing on identifying hazards, their effects, and causal factors through systematic examination of systems and subsystems. It discusses various hazard analysis techniques, including qualitative and quantitative methods, and emphasizes the importance of Preliminary Hazard Lists and Fault Tree Analysis in assessing risks and recommending corrective actions. The document serves as a guide for safety engineers to implement effective hazard analysis methodologies in system design and development.

Uploaded by

Abinash Sahoo

Process Safety Engineering

Second unit: Hazard Analysis & Risk Assessment

Instructed by:
Harshad Shrigondekar
Assistant Professor
Centre of Excellence in
Safety Engineering & Analytics (COE-SEA),
IIT Kharagpur
harshad@coesea.iitkgp.ac.in
Let us understand Hazard Analysis
• Why? - to identify hazards, hazard effects, & hazard causal factors
• Ultimate goal?
• Performed to systematically examine the system, subsystem, facility,
components, software, personnel, & their interrelationships
• 2 categories of hazard analyses: types & techniques
• Type defines an analysis category (e.g., detailed design analysis), &
technique defines a unique analysis methodology (e.g., fault tree analysis)

Preferred & referred book for Hazard Analysis: Ericson, C. A. (2015). Hazard analysis techniques for system safety.
John Wiley & Sons
Hazard filters – various HATs

• 1 particular HAT does not necessarily identify all the hazards within a system
• Each HAT acts like a filter that identifies certain types of hazards
System life cycle & various hazard analyses
Major Attributes of Analysis Techniques
✓ Qualitative/quantitative
✓ Level of detail: design detail that can be evaluated by the technique
✓ Data required: type & level of design data required for the technique
✓ Program timing: effective time during system development for the technique
✓ Time required: relative amount of time required for the analysis
✓ Inductive/deductive
✓ Complexity
✓ Difficulty
✓ Technical expertise
✓ Tools required: technique is standalone or additional tools are necessary
✓ Cost
✓ Primary safety tool: a primary or secondary safety tool
Attributes of Analysis Techniques
Inductive Vs Deductive Techniques
Inductive
Methodology
✓ Going from the specific to the general
General characteristics
✓ System is broken down into individual components
✓ Potential failures for each component
✓ Effects of each failure
✓ What-if?
Applicability
✓ Systems with few components
✓ Systems where single-point failures (SPFs) are predominant
✓ Preliminary or overview analysis
Potential pitfalls
✓ Difficult to apply to complex systems
✓ Large number of components to consider
✓ Consideration of failure combinations becomes difficult

Deductive
Methodology
✓ Going from the general to the specific
General characteristics
✓ General nature of the hazard has already been identified
✓ System is reviewed to define the cause of each hazard
✓ How-can?
Applicability
✓ All sizes of systems
✓ Developed for complex systems
✓ Designed to identify hazards caused by multiple failures
Potential pitfalls
✓ Detailed system documentation required
✓ Large amount of data involved
✓ Time consuming

Which is better?
Qualitative Vs Quantitative
Qualitative Quantitative
Numerical results No Yes
Cost Lower Higher
Subjective/objective Subjective Objective
Difficulty Lower Higher
Complexity Lower Higher
Data Less detailed More detailed
Technical expertise Lower Higher
Time required Lower Higher
Tools required Seldom Usually
Accuracy Lower Higher
Which is better?
Preliminary Hazard List
✓ During conceptual or preliminary design - starting point for all subsequent hazard analyses
✓ Every hazard identified on the PHL will be analyzed with more detailed analysis techniques
✓ Primary purpose?
✓ Secondary purpose: to identify safety critical parameters & mishap categories
✓ Intent: to affect the design for safety ASAP in the development program
✓ Can be performed on a subsystem, a single system, or an integrated set of systems

Overview of PHL
Steps of PHL
1. Define system: Define, scope, & bound the system. Define the mission, mission phases, & mission environments.
Understand the system design, operational concepts, & major system components
2. Plan PHL: Establish PHL goals, definitions, worksheets, schedule, & process. Identify system elements & functions to be
analyzed
3. Select team: Select all team members to participate in PHL & establish responsibilities. Utilize team member expertise
from several different disciplines (e.g. design, test, manufacturing, etc.)
4. Acquire data: Acquire all of the necessary design, operational, & process data needed for the analysis (e.g. equipment lists,
functional diagrams, operational concepts, etc.). Acquire hazard checklists, lessons learned, & other hazard data applicable
to the system.
5. Conduct PHL: Construct list of hardware components & system functions. Evaluate conceptual system hardware, system
operational functions, system energy sources, system software functions. Compare with hazard checklists
6. Build hazard list: Develop list of identified & suspected system hazards & potential system mishaps. Identify SCFs & TLMs if
possible from information available
7. Recommend corrective action: Recommend safety guidelines & design safety methods that will eliminate or mitigate
hazards
8. Document PHL: Document the entire PHL process & PHL worksheets in a PHL report. Include conclusions &
recommendations
▪ Typical hazard checklists
✓ Energy sources, Hazardous functions, Hazardous operations, Hazardous components, Hazardous materials, Lessons
learned from similar type systems, Undesired mishaps, Failure mode & failure state considerations

Vincoli, J. W. (2014). Basic guide to system safety. John Wiley & Sons
Ericson, C. A. (2015). Hazard analysis techniques for system safety. John Wiley & Sons
PHL Methodology

Example
PHL worksheet
Hazard checklist for energy sources
1. Fuels
2. Electrical generators
3. Propellants
4. RF energy sources
5. Radioactive energy sources
6. Explosive charges
7. Falling objects
8. Charged electrical capacitors
9. Catapulted objects
10. Storage batteries
11. Heating devices
12. Static electrical charges
13. Pumps, blowers, fans
14. Pressure containers
15. Rotating machinery
16. Spring-loaded devices
17. Actuating devices
18. Suspension systems
19. Nuclear
20. Gas generators
21. Cryogenics
Hazard checklist for general sources
1. Acceleration
2. Contamination
3. Corrosion
4. Chemical dissociation
5. Electrical
6. Thermal shock
7. Inadvertent activation
8. Power source failure
9. Explosion
10. Fire
11. Heat & temperature
✓ High temperature
✓ Low temperature
✓ Temperature variations
12. High humidity
13. Low humidity
14. Oxidation
15. Pressure
✓ High
✓ Low
✓ Rapid change
16. Leakage
17. Moisture
18. Radiation
✓ Thermal
✓ Electromagnetic
✓ Ionizing
✓ Ultraviolet
19. Chemical replacement
20. Shock (mechanical)
21. Stress concentrations
22. Stress reversals
23. Structural damage or failure
24. Toxicity
25. Vibration & noise
26. Weather & environment
27. Gravity
Hazard checklist for general operations
1. Welding
2. Cleaning
3. Extreme temperature operations
4. Extreme weight operations
5. Hoisting, handling, & assembly operations
6. Test chamber operations
7. Proof test of major components/subsystems/systems
8. Propellant loading/transfer/handling
9. High-energy pressurization/hydrostatic-pneumatic testing
10.Nuclear component handling/checkout
11.Ordnance installation/checkout/test
12.Tank entry/confined space entry
13.Transport & handling of end item
14.Manned vehicle tests
15.Static firing
Hazard checklist for failure states
1. Fails to operate
2. Operates incorrectly/erroneously
3. Operates inadvertently
4. Operates at incorrect time (early, late)
5. Unable to stop operation
6. Receives erroneous data
7. Sends erroneous data
Ace missile system – System hardware category
Thermal Power Plant
Preliminary Hazard Analysis
✓ Falls under PD-HAT type
✓ Identifying hazards, their associated causal factors, effects, level of risk, & mitigating design measures
when detailed design information is not available
✓ Every hazard identified on the PHL will be analyzed with more detailed analysis
✓ Gross hazard analysis & potential hazard analysis
✓ Intent: to affect the design for safety ASAP in the development program
✓ Can be performed on a subsystem, a single system, or an integrated set of systems
Steps of PHA
1. Define system: Define, scope, & bound the system. Define the mission, mission phases, & mission environments.
Understand the system design, operational concepts, & major system components
2. Plan PHA: Establish PHA definitions, worksheets, schedule, & process. Identify system elements & functions to be analyzed
3. Establish safety criteria: Identify applicable design safety criteria, safety precepts/principles, safety guidelines, & safety
critical factors
4. Acquire data: Acquire all of the necessary design, operational, & process data needed for the analysis (e.g., functional
diagrams, drawings, operational concepts, etc.). Acquire hazard checklists, lessons learned, & other hazard data applicable
to the system. Acquire all regulatory data & information that are applicable.
5. Conduct PHA: Construct list of equipment, functions, & energy sources. Compare conceptual system hardware, system
operational functions, system energy sources, system software functions with hazard checklists & TLMs. Expand the list of
SCFs & TLMs & utilize in the analysis. Be cognizant of functional relationships, timing, & concurrent functions when
identifying hazards.
6. Evaluate risk: Identify the level of mishap risk presented for each identified hazard, both with & without hazard mitigations
in the system design
7. Recommend corrective action: Recommend safety guidelines & design safety methods that will eliminate or mitigate
hazards. Translate the recommendations into SSRs. Also, identify safety features already in the design or procedures that
are present for hazard mitigation.
8. Monitor corrective action: Review test results to ensure that safety recommendations & SSRs are effective in mitigating
hazards as anticipated
9. Track hazards: Transfer newly identified hazards into the HTS. Update the HTS as hazards, HCFs, & risk are identified in the
PHA
10. Document PHA: Document the entire PHA process & PHA worksheets in a PHA report. Include conclusions &
recommendations
PHA Methodology
PHA worksheet
PHA worksheet
Fault tree analysis
1. Systems analysis technique used to determine the root causes & probability of occurrence
of a specified undesired event
2. An undesired event: event that is identified as objectionable & unwanted
3. Such as a potential accident, hazardous condition, or undesired failure mode
4. I/D?
5. Qualitative/quantitative
6. A model that logically & graphically represents the various combinations of possible events,
both faulty & normal, occurring in a system that lead to an UE
7. AKA logic tree analysis & logic diagram analysis
8. Falls under SD-HAT, can be applied during any lifecycle phase of a system—from concept to
usage – Earlier is better
9. Time- & cost-saving feature: only those system elements that contribute to the occurrence
of the undesired event need to be analyzed
10.Robust, rigorous, & structured methodology - Boolean algebra, logic, & probability theory
11.Although classified as a hazard analysis, it is primarily used as a root cause analysis (RCA)
tool to identify & evaluate HCFs. In addition, it can provide a probability risk assessment
12. It is evaluated to determine the critical cut sets (CSs) & probability of failure
FTA Overview
1. Not suitable when single-point failures predominate
2. The strength: ability to identify combinations of basic equipment & human failures that can lead to an
accident, allowing the analyst to focus preventive measures on significant basic causes.
3. Preferred to analyze highly redundant systems & high-energy systems with high severity
FTA Steps
Building Blocks
1. Categories:
• Basic events
• Gate events
• Conditional events
• Transfer events

FT symbols for basic events, conditions, & transfers
Building Blocks

FT symbols for gate events

AND gate: The output occurs only if all of the inputs occur together
OR gate: The output occurs only if at least one of the inputs occurs.
Priority AND gate: The output occurs only if all of the inputs occur together, & A must occur before B. The
priority statement is contained in the Condition symbol
Exclusive OR gate: The output occurs if either of the inputs occurs, but not both. The exclusivity statement is
contained in the Condition symbol
Inhibit gate: The output occurs only if the input event occurs & the attached condition is satisfied.

FT transfers & MOE/MOB
FTA – Basics of construction
1. After identifying the top UE, sub-undesired events are identified & structured into what is
referred to as the top fault tree layer. The actual deductive analysis begins with the
development of the fault flow or cause-and-effect relationship of fault & normal events
through the system
2. In developing the structure of the FT, certain procedures must consistently be followed in a
repetitive manner
3. Procedure revolves around three principal concepts
• The I–N–S concept
• The SS–SC concept
• The P–S–C concept
4. A command failure is an expected, or intended, event that occurs at an undesired time due
to specific failures, e.g.: Relay coil
5. What downstream event commands the event to occur?
6. At the finish of each FT branch, the command path will terminate in primary &/or
secondary events
FT building steps
FTA – Construction errors
1. Complete basic required data for each FT node (node type, node name, & text)
2. Give every node a unique identifying name
3. No gate-to-gate connections are allowed (always have text box)
4. Always place relevant text in text box; never leave it blank
5. State event fault state exactly & precisely; use state transition wording
6. Complete the definition of all inputs to a gate before proceeding
7. Keep events on their relative level for clarity
8. Use meaningful naming convention
9. Do not draw lines from two gates to a single input (use the MOE methodology)
10. Assume no miracles (i.e., miraculous component failure blocks other failures from causing UE)
11. I–N–S, P–S–C, & SS–SC are analysis concepts; do not use these words in text boxes
FTA – Cut sets
1. One of the key products from FTA
2. Identify the component failures &/or event combinations that can cause the top UE to occur
3. Provide one mechanism for probability calculations
4. A low-order CS indicates high safety vulnerability. A single-order CS (i.e., a single-point
failure) tends to cause the greatest risk
5. A high-order CS indicates low safety vulnerability. A high-order CS (e.g., a five-input AND
gate) tends to have a comparatively small probability & therefore presents less system risk.
6. For a large total number of CSs the analyst needs to evaluate the collective risk on the top
UE. This is because all of the CSs added together might reach an unacceptable value.
MOCUS (method of obtaining cut sets) algorithm

CSs ORed

Observation: AND gates increase the number of elements in a CS & OR gates increase the
number of CSs
MOCUS Vs Bottom-up Algorithm

Henley, E. J., & Kumamoto, H. (1996). Probabilistic risk assessment & management for engineers & scientists. IEEE Press
Gate by gate method

Inclusion–exclusion approximation

Can you derive the expression?
Example: Use any algorithm to arrive at cut sets, draw the equivalent FTA with cut sets & evaluate the
probability of G1
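The MOCUS, gate-by-gate and inclusion–exclusion slides above are figures only, so the following is an added Python example, not code from the slides or from Ericson's or Henley & Kumamoto's books. It runs MOCUS on a small constructed fault tree (gates G1–G4 and basic events A, B, C with made-up probabilities; this is not the G1 tree of the exercise, which is a figure), minimises the cut sets, and then evaluates the top event three ways: gate-by-gate, the first-order (rare-event) inclusion–exclusion approximation, and full inclusion–exclusion.

```python
from itertools import combinations
from math import prod

# Constructed example fault tree (assumption: not the G1 tree on the slide).
# Node names beginning with "G" are gates: name -> (gate type, inputs).
# Everything else is a basic event. A and B feed more than one gate (multiple
# occurring events), which is exactly the case a naive gate-by-gate pass mishandles.
TREE = {
    "G1": ("OR", ["G2", "G3"]),
    "G2": ("AND", ["A", "B"]),
    "G3": ("AND", ["A", "G4"]),
    "G4": ("OR", ["B", "C"]),
}

# Constructed basic-event failure probabilities (unreliabilities, Q).
PROB = {"A": 0.1, "B": 0.05, "C": 0.02}


def mocus(tree, top):
    """MOCUS, top down: begin with one row holding the top gate and keep
    expanding gates. An AND gate appends its inputs to the same row (more
    elements per cut set); an OR gate replaces the row with one row per
    input (more cut sets). Finish by discarding non-minimal rows."""
    rows = [[top]]
    while True:
        # Find a row that still contains an unexpanded gate.
        pending = next(((r, g) for r in rows for g in r if g in tree), None)
        if pending is None:
            break
        row, gate = pending
        kind, inputs = tree[gate]
        rest = [x for x in row if x != gate]
        rows.remove(row)
        if kind == "AND":
            rows.append(rest + inputs)
        elif kind == "OR":
            rows.extend(rest + [i] for i in inputs)
        else:
            raise ValueError(f"unsupported gate type: {kind}")
    candidates = {frozenset(r) for r in rows}
    # A cut set that strictly contains another cut set is not minimal.
    minimal = [cs for cs in candidates if not any(o < cs for o in candidates)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def gate_by_gate(tree, prob, node):
    """Gate-by-gate evaluation: AND = product, OR = 1 - prod(1 - p).
    Only exact when events are independent AND no basic event repeats."""
    if node not in tree:
        return prob[node]
    kind, inputs = tree[node]
    ps = [gate_by_gate(tree, prob, i) for i in inputs]
    return prod(ps) if kind == "AND" else 1 - prod(1 - p for p in ps)


def inclusion_exclusion(cut_sets, prob, terms=None):
    """P(top) = sum P(Ci) - sum P(Ci u Cj) + sum P(Ci u Cj u Ck) - ...
    With terms=1 this is the rare-event (first-order) approximation,
    which always over-estimates; all terms give the exact value."""
    n = len(cut_sets)
    terms = n if terms is None else min(terms, n)
    total = 0.0
    for k in range(1, terms + 1):
        sign = 1 if k % 2 else -1
        for combo in combinations(cut_sets, k):
            union = frozenset().union(*combo)
            total += sign * prod(prob[e] for e in union)
    return total


def summarise(tree, prob, top):
    cut_sets = mocus(tree, top)
    return {
        "cut_sets": cut_sets,
        "gate_by_gate": gate_by_gate(tree, prob, top),
        "rare_event": inclusion_exclusion(cut_sets, prob, terms=1),
        "exact": inclusion_exclusion(cut_sets, prob),
    }


if __name__ == "__main__":
    for key, value in summarise(TREE, PROB, "G1").items():
        print(f"{key:14s} {value}")
```

The two minimal cut sets are {A, B} and {A, C}. Because A appears under both G2 and G3, the gate-by-gate pass treats the two branches as independent and returns about 0.0119, while the cut-set route gives the exact 0.0069 (rare-event approximation 0.0070). That gap is why the construction rules say to handle repeated events with the MOE methodology rather than evaluating the tree gate by gate.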
Reliability
1. Probability of success: Reliability (R) of a component, which is calculated by
2. Probability of failure: Unreliability (Q)

Evaluate the probability of light failure without considering inclusion-exclusion approximation
Importance measures
1. To identify weak links in the system design
2. To identify the components that will provide the most cost-effective mitigation
3. To evaluate the sensitivity of the top event probability to an increase or decrease in the
probability of any event in the fault tree
4. To evaluate disparity in contribution to the top event probability
5. Cut set (CS) importance
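The importance-measure slide lists the goals but not the arithmetic, so here is an added Python example (not from the slides) that computes three common measures from a constructed set of minimal cut sets and basic-event probabilities: cut set importance, Fussell–Vesely importance and Birnbaum importance. The cut sets and probabilities are made up for the illustration; the top-event probability uses the rare-event approximation, stated in the code.

```python
from math import prod

# Constructed minimal cut sets and basic-event probabilities (assumption:
# illustrative numbers, not from the slides). D is a single-point failure;
# A sits in two second-order cut sets.
CUT_SETS = [frozenset({"A", "B"}), frozenset({"A", "C"}), frozenset({"D"})]
PROB = {"A": 0.1, "B": 0.05, "C": 0.02, "D": 0.001}


def cut_set_prob(cs, prob):
    return prod(prob[e] for e in cs)


def top_prob(cut_sets, prob):
    """Rare-event approximation (sum of cut-set probabilities). Adequate
    here because every probability is small; use inclusion-exclusion otherwise."""
    return sum(cut_set_prob(cs, prob) for cs in cut_sets)


def cut_set_importance(cut_sets, prob):
    """Share of the top-event probability carried by each cut set."""
    top = top_prob(cut_sets, prob)
    return {cs: cut_set_prob(cs, prob) / top for cs in cut_sets}


def fussell_vesely(cut_sets, prob):
    """Fussell-Vesely: fraction of the top-event probability coming from cut
    sets that contain the event. Answers: how much of today's risk does this
    component carry?"""
    top = top_prob(cut_sets, prob)
    return {e: sum(cut_set_prob(cs, prob) for cs in cut_sets if e in cs) / top
            for e in prob}


def birnbaum(cut_sets, prob):
    """Birnbaum: sensitivity dP(top)/dp_e, evaluated as
    P(top | e certain) - P(top | e impossible). Answers: how much would the
    top event move if this component got worse?"""
    return {e: top_prob(cut_sets, {**prob, e: 1.0})
               - top_prob(cut_sets, {**prob, e: 0.0})
            for e in prob}


def ranked(importance):
    """Event names from most to least important."""
    return sorted(importance, key=importance.get, reverse=True)


if __name__ == "__main__":
    print("cut sets:", {tuple(sorted(cs)): round(v, 4)
                        for cs, v in cut_set_importance(CUT_SETS, PROB).items()})
    print("Fussell-Vesely:", fussell_vesely(CUT_SETS, PROB))
    print("Birnbaum:      ", birnbaum(CUT_SETS, PROB))
```

The two rankings disagree on purpose: A has the largest Fussell–Vesely value (it is in cut sets carrying 87.5% of the current top-event probability), so improving A buys the most risk reduction today, whereas D has Birnbaum importance 1.0 because any degradation of a single-point failure passes straight through to the top event. Both views are needed to pick the most cost-effective mitigation.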
Event tree analysis (ETA)
1. Alternative to FTA in 1974
2. Identifying & evaluating the sequence of events in a potential accident scenario following the
occurrence of an initiating event
3. Utilizes a visual logic tree structure known as an event tree (ET) or ETD
4. Objective: to determine whether the initiating event will develop into a serious mishap or if the
event is sufficiently controlled by the safety systems & procedures implemented in the system
design
5. Falls under the system design hazard analysis type (SD-HAT)
6. Worksheet: Event tree diagram (ETD), which provides
I. Initiating event
II. System pivotal events
III. Outcomes
IV. Event & outcome probabilities
7. Consequence path: safe operation path, a degraded operation path, & an unsafe operation path
8. Provides a PRA of the risk associated with each potential outcome
9. To model an entire system, with analysis coverage given to subsystems, assemblies, components,
software, procedures, environment, & human error
10. I/D?
ETA (Continued)
1. PRA: Risk is based upon a set of triplets: Accident scenarios—what can go wrong?

Accident scenario concept

Common mistakes

ETA overview
ETA process
ETD development

Binary split – mutually exclusive
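The ETD development slide is a figure, so this is an added Python example (not from the slides) of how an event tree is built and evaluated: each pivotal event is a binary, mutually exclusive split, a pivotal event is only questioned on the branches where it is relevant, and every path ends in a safe, degraded or unsafe outcome whose frequency is the initiating-event frequency times the branch probabilities. The scenario (loss of reactor cooling, alarm, operator action, relief valve) and all numbers are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

State = Dict[str, bool]  # pivotal event name -> True if the safety function succeeded


@dataclass
class Pivotal:
    name: str
    p_fail: float
    # A pivotal event is only questioned on branches where it is relevant;
    # elsewhere the branch passes straight through without a split.
    applies: Callable[[State], bool] = lambda state: True


@dataclass
class Outcome:
    path: State
    frequency: float
    category: str


def evaluate_event_tree(ie_frequency: float, pivotals: List[Pivotal],
                        classify: Callable[[State], str]) -> List[Outcome]:
    """Walk the tree left to right. Every split is binary and mutually
    exclusive (success with 1 - p_fail, failure with p_fail), so the outcome
    frequencies always sum back to the initiating-event frequency."""
    outcomes: List[Outcome] = []

    def walk(idx: int, state: State, freq: float) -> None:
        if idx == len(pivotals):
            outcomes.append(Outcome(dict(state), freq, classify(state)))
            return
        pv = pivotals[idx]
        if not pv.applies(state):
            walk(idx + 1, state, freq)
            return
        walk(idx + 1, {**state, pv.name: True}, freq * (1 - pv.p_fail))   # up branch
        walk(idx + 1, {**state, pv.name: False}, freq * pv.p_fail)        # down branch

    walk(0, {}, ie_frequency)
    return outcomes


def frequency_by_category(outcomes: List[Outcome]) -> Dict[str, float]:
    totals: Dict[str, float] = {}
    for o in outcomes:
        totals[o.category] = totals.get(o.category, 0.0) + o.frequency
    return totals


# Constructed scenario (assumption: illustrative numbers, not from the slides):
# initiating event "loss of reactor cooling" at 0.1 per year.
IE_FREQUENCY = 0.1

PIVOTALS = [
    Pivotal("high-temperature alarm", p_fail=0.01),
    # The operator can only act on an alarm that actually sounded.
    Pivotal("operator trips feed", p_fail=0.1,
            applies=lambda s: s.get("high-temperature alarm") is True),
    # The relief valve is only challenged if the feed was not tripped.
    Pivotal("relief valve opens", p_fail=0.001,
            applies=lambda s: s.get("operator trips feed") is not True),
]


def classify(state: State) -> str:
    """Safe / degraded / unsafe operation paths, as on the ETA slide."""
    if state.get("operator trips feed") is True:
        return "safe"
    if state.get("relief valve opens") is True:
        return "degraded"   # relief to a safe location, but a process upset
    return "unsafe"         # overpressure with no effective barrier left


def run_example():
    outcomes = evaluate_event_tree(IE_FREQUENCY, PIVOTALS, classify)
    return outcomes, frequency_by_category(outcomes)


if __name__ == "__main__":
    outs, totals = run_example()
    for o in outs:
        print(f"{o.frequency:.3e}/yr  {o.category:8s} {o.path}")
    print(totals)
```

The tree has five end states rather than eight because two branches are not developed further (no alarm means no operator action to question; a successful trip means the relief valve is never challenged). Checking that the outcome frequencies add back to 0.1 per year is the quickest way to catch a tree whose splits are not mutually exclusive and exhaustive.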
Event tree examples
Event tree example
(https://www.asems.mod.uk)

Event tree examples
Event tree example

Event tree for a single track railway

Henley, E. J., & Kumamoto, H. (1996). Probabilistic risk assessment & management for engineers & scientists. IEEE Press
Failure Mode & Effects Analysis (FMEA)
1. Process of identifying potential design weaknesses
2. Reliability improvement tool: for analyzing potential failure modes & calculating subsystem, assembly, or
unit failure rates
3. Inductive technique
4. Falls under the DD-HAT type
5. Failure mode: manner by which an item fails; the mode or state the item is in after it fails.
6. A relay may fail by
a) contacts stuck closed
b) contacts slow in opening
c) contacts stuck open
d) contacts slow in closing
e) contact short circuit
I. to ground
II. to supply
III. between contacts
IV. to signal lines
f) Contacts chattering
g) Contacts arcing, generating noise
h) Coil open circuit
i) Coil short circuit: to supply; to contacts to ground; to signal lines
j) Coil resistance: low/high
k) Coil overheating
l) Coil over magnetized or excessive hysteresis (same effect as contacts stuck closed or slow in opening)
7. Considers every mode of failure of every component
8. Quantitative or qualitative
9. RPN
10. Fault: Undesired anomaly in the functional operation of an equipment or system. The occurrence of an
undesired state, which may be the result of a failure
11. FMECA
12. Drawbacks:
I. Considers only single item failures & not combinations of item failures
II. Does not identify hazards arising from events other than failures
FMEA concept
Failure modes
FMEA worksheet - Reliability
FMEA worksheet – Safety/Reliability
FMEA worksheet – Safety/Reliability

Basic failure categories for hardware items include:
1. Complete failure
2. Partial failure
3. Intermittent failure
Example: Missile Battery
Example: FMEA worksheet
Example: FMEA worksheet (Continued)
Example: Landing Gear
Example: FMEA worksheet
Example: FMEA worksheet (Continued)
Process Plants
Hazard & Operability (HAZOP)
1. HAZOP analysis = HAZOP study (HAZOPS)
2. Purpose: identify the potential for system deviations from intended operational intent
3. Potential system deviations then lead to possible system hazards
4. Systematically questioning every part of the process to establish how deviations from the design intent can
arise - whether such deviations & their consequences can have a negative effect upon the safe & efficient
operation of the system
5. Discover credible causes of deviations from design intent – less obvious & not previously observed
6. A team of individuals with expertise in different areas, such as engineering, chemistry, safety, operations, &
maintenance
7. Many commercial software packages are available in the market such as SafetyCulture, ProcessMAP, Phast,
etc.
Process parameters & guide words for the deviation

HAZOPS Vs FMEA
Process parameters & guide words for the deviation
Few more process parameters
Guide words
Guide words
Flow Diagram
Worksheet

HAZOPS Vs PHA
Please refer to Ericson, C. A. (2015). Hazard analysis techniques for system safety. John Wiley & Sons for the example of HAZOPS
Example

Example P&ID of a pH adjustment process (figure not reproduced). Tags shown: TK-100 (pH adjustment tank), TK-101 (acid feed tank), TK-102 (base feed tank), control valves CV-101 & CV-102, pH elements pHE 1 & pHE 2, pH transmitters pHT 1 & pHT 2, pH indicating controllers pHIC 1 & pHIC 2
Example
Example
• A phosphoric acid solution & an ammonia solution are provided through flow control
valves to an agitated reactor.
• The ammonia & phosphoric acid react to form diammonium phosphate (DAP), a
nonhazardous product.
• The DAP flows from the reactor to an open-top storage tank.
• Relief valves are provided on the storage tanks & the reactor with discharges to outside of
the enclosed work area.
• If too much phosphoric acid is fed to the reactor (compared to the ammonia feed rate), an
off-specification product is created, but the reaction is safe.
• If the ammonia & phosphoric acid flow rates both increase, the rate of energy release may
accelerate, & the reactor, as designed, may be unable to handle the resulting increase in
temperature & pressure.
• If too much ammonia is fed to the reactor (as compared to the normal phosphoric acid feed
rate), unreacted ammonia may carry over to the DAP storage tank.
• Any residual ammonia in the DAP tank will be released into the enclosed work area,
causing personnel exposure.
• Ammonia detectors & alarms are provided in the work area.
Accident & Loss Statistics
• Important measures of the effectiveness of safety programs
• Valuable for determining if a process is safe or whether a safety procedure is working effectively
• OSHA incidence rate
• Fatal accident rate (FAR)
• Fatality rate, or deaths per person per year
• Occupational Safety & Health Administration of the United States Government
• The OSHA incidence rate is based on cases per 100 worker years. A worker year is assumed to contain
2000 hours (50 work weeks/year × 40 hours/week)
• Thus, it is based on 200,000 hours of worker exposure to a hazard
• It is calculated from the number of occupational injuries & illnesses & the total number of employee
hours worked during the applicable period
• Based on injuries & illness Vs Based on lost workdays
• FAR reports the number of fatalities based on 1000 employees working their entire lifetime
• The employees are assumed to work a total of 50 years. Thus the FAR is based on 10^8 working hours.
• Fatality rate or deaths per person per year: independent of the number of hours actually worked
• Reports only the number of fatalities expected per person per year.
• Useful for performing calculations on the general population, where the number of exposed hours is
poorly defined
• A process has a reported FAR of 4. If an employee works a standard 8-hr shift 300 days per year, compute
the deaths per person per year.
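The three statistics on this slide differ only in their exposure base, which is easy to get wrong by a factor of a thousand. The following is an added Python example (not from the slides or from Crowl & Louvar) that encodes the bases stated above (2000 h per worker year, 200,000 h for the OSHA incidence rate, 10^8 h for the FAR), converts a FAR into deaths per person per year, and works the slide's exercise. The site figures in the second function are constructed for illustration.

```python
# Exposure bases as stated on the slide.
HOURS_PER_WORKER_YEAR = 50 * 40                       # 2000 h
OSHA_BASE_HOURS = 100 * HOURS_PER_WORKER_YEAR         # 200,000 h (100 worker years)
FAR_BASE_HOURS = 1000 * 50 * HOURS_PER_WORKER_YEAR    # 10^8 h (1000 workers, 50 years)


def osha_incidence_rate(cases: int, hours_worked: float) -> float:
    """Cases (injuries & illnesses, or lost-workday cases) per 200,000 h of
    exposure. 'cases' must be counted over the same period as 'hours_worked'."""
    if hours_worked <= 0:
        raise ValueError("hours_worked must be positive")
    return cases * OSHA_BASE_HOURS / hours_worked


def far(fatalities: int, hours_worked: float) -> float:
    """Fatal accident rate: fatalities per 10^8 exposure hours."""
    if hours_worked <= 0:
        raise ValueError("hours_worked must be positive")
    return fatalities * FAR_BASE_HOURS / hours_worked


def deaths_per_person_year(far_value: float, hours_per_year: float) -> float:
    """Convert a FAR into deaths per person per year for a given annual exposure.
    Unlike the FAR, this figure depends on how many hours the person is exposed."""
    return far_value * hours_per_year / FAR_BASE_HOURS


def slide_exercise() -> float:
    """FAR = 4, standard 8 h shift, 300 days per year."""
    return deaths_per_person_year(4, 8 * 300)


def constructed_site_example() -> dict:
    """Constructed figures (assumption, not from the slides): a site logged
    3 recordable cases and 1 fatality over 2,500,000 exposure hours."""
    hours = 2_500_000
    return {
        "osha_incidence_rate": osha_incidence_rate(3, hours),
        "far": far(1, hours),
    }


if __name__ == "__main__":
    print(f"slide exercise: {slide_exercise():.2e} deaths per person per year")
    print("constructed site:", constructed_site_example())
```

The exercise works out as 4 × 2400 / 10^8 = 9.6 × 10^-5 deaths per person per year. Note how the constructed site's FAR of 40 and its incidence rate of 0.24 describe the same hours of exposure; the numbers are not comparable to each other, only to the same statistic for other industries, which is what the next slide tabulates.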
Accident Statistics for Selected Industries

Crowl, D. A., & Louvar, J. F. (2001). Chemical process safety: fundamentals with applications. Pearson Education
Thank you!! Questions?