
GUIDELINES FOR

Hazard Evaluation Procedures

Second Edition with Worked Examples

CENTER FOR CHEMICAL PROCESS SAFETY of the

American Institute of Chemical Engineers

345 East 47th Street, New York, NY 10017

Copyright © 1992

American Institute of Chemical Engineers

345 East 47th Street, New York, NY 10017

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise without the prior permission of the copyright owner.

Library of Congress Cataloging-in-Publication Data

Guidelines for hazard evaluation procedures : with worked examples. — 2nd ed.

p. cm.

Includes bibliographical references and index.

ISBN 0-8169-0491-X

1. Chemical plants—Safety measures. 2. Petroleum refineries—Safety measures. 3. Hazardous materials—Safety measures. I. American Institute of Chemical Engineers. Center for Chemical Process Safety. II. Title: Hazard evaluation procedures.

TP155.5.G77 1992

660'.2904—dc20 91-41715

CIP

This book is available at a special discount when ordered in bulk quantities. For information, contact the Center for Chemical Process Safety at the address given above.

Third printing April 1995

It is sincerely hoped that the information presented in this document will lead to an even more impressive safety record for the entire chemical industry; however, neither the American Institute of Chemical Engineers, its consultants, CCPS Subcommittee members, their employers, their employers' officers and directors, nor JBF Associates, Inc. warrant or represent, expressly or implied, the correctness or accuracy of the information presented in this document. Furthermore, the chemical process plant described in Part II of this book, as well as the people and companies, is fictitious; any similarity to existing plants or companies or to living people is purely coincidental. Therefore, the users of this document accept any legal liability or responsibility whatsoever for the consequence of its use or misuse.

Abbreviations

ACGIH American Conference of Governmental Industrial Hygienists

AIChE American Institute of Chemical Engineers

AIChE—DIERS American Institute of Chemical Engineers — Design Institute for Emergency Relief Systems

AIChE—DIPPR American Institute of Chemical Engineers — Design Institute for Physical Property Data

AIHA American Industrial Hygiene Association

API American Petroleum Institute

ARC Accelerating Rate Calorimeter

ASSE American Society of Safety Engineers

CCA Cause-Consequence Analysis

CCF Common Cause Failure

CCPS Center for Chemical Process Safety

CEI Chemical Exposure Index

CMA Chemical Manufacturers Association

CPI Chemical Process Industry

CPQRA Chemical Process Quantitative Risk Analysis

EPA Environmental Protection Agency

ERPG Emergency Response Planning Guidelines

ETA Event Tree Analysis

F&EI Fire and Explosion Index

FMEA Failure Modes and Effects Analysis

FMECA Failure Modes, Effects, and Criticality Analysis

FTA Fault Tree Analysis

HAZOP Hazard and Operability Analysis

HI Hazard Identification

HE Hazard Evaluation

HEP Hazard Evaluation Procedures

HRA Human Reliability Analysis

IChemE Institution of Chemical Engineers (United Kingdom)

ICI Imperial Chemical Industries

IDLH Immediately Dangerous to Life and Health

LCLo Lethal Concentration Low

LC50 Lethal Concentration, 50% Mortality

LD50 Lethal Dose, 50% Mortality

LEL Lower Explosive Limit

LFL Lower Flammable Limit

MSDS Material Safety Data Sheet

MORT Management Oversight and Risk Tree

OSHA Occupational Safety and Health Administration

PEL Permissible Exposure Level

PFD Process Flow Diagram

PHA Preliminary Hazard Analysis

Р&ГО Piping and Instrumentation Diagram

PSM Process Safety Management

R&D Research and Development

SCBA Self Contained Breathing Apparatus

SHI Substance Hazard Index

STEL Short Term Exposure Limit

TLV Threshold Limit Value

UEL Upper Explosive Limit

UFL Upper Flammable Limit

VSP Vent Sizing Package

Glossary

Accident, accident scenario, or accident sequence: An unplanned event or sequence of events that results in undesirable consequences. An incident with specific safety consequences or impacts.

Acute hazard: The potential for injury or damage to occur as a result of an instantaneous or short duration exposure to the effects of an accident.

Administrative control: A procedural requirement for directing and/or checking engineered systems or human performance associated with plant operations.

Audit (process safety audit): An inspection of a plant or process unit, drawings, procedures, emergency plans, and/or management systems, etc., usually by an independent, impartial team. (See "Safety Review" for contrast.)

Autoignition temperature: The lowest temperature at which a fuel/oxidant mixture will spontaneously ignite under specified test conditions.

Basic event: An event in a fault tree that represents the lowest level of resolution in the model such that no further development is necessary (e.g., equipment item failure, human failure, or external event).

Branch point: A node with two paths in an event tree or cause-consequence diagram. One path represents success of a safety function and the other path represents failure of the function.

Cause-Consequence Analysis: A method for illustrating the possible outcomes arising from the logical combination of selected input events or states. A combination of Fault Tree and Event Tree models.

Checklist (traditional): A detailed list of desired system attributes or steps for a system or operator to perform. Usually written from experience and used to assess the acceptability or status of the system or operation compared to established norms.

Chronic hazard: The potential for injury or damage to occur as a result of prolonged exposure to an undesirable condition.

Common cause failure: The occurrence of two or more failures that result from a single event or circumstance.

Consequence: The direct, undesirable result of an accident sequence usually involving a fire, explosion, or release of toxic material. Consequence descriptions may be qualitative or quantitative estimates of the effects of an accident in terms of factors such as health impacts, economic loss, and environmental damage.

Consequence analysis: The analysis of the effects of incident outcome cases independent of frequency or probability.

CPQRA: The abbreviation for Chemical Process Quantitative Risk Analysis. The process of hazard identification, followed by numerical evaluation of incident consequences and frequencies, and their combination into an overall measure of risk when applied to the chemical process industry. Ordinarily applied to episodic events. Is related to Probabilistic Risk Assessment (PRA) used in the nuclear industry.

Dow fire and explosion index (F&EI): A method (developed by Dow Chemical Company) for ranking the relative fire and explosion risk associated with a process. Analysts calculate various hazard and exposure indexes using material characteristics and process data.

Emergency response planning guidelines (ERPG): A system of guidelines for airborne concentrations of toxic materials prepared by the AIHA. For example, ERPG-2 is the maximum airborne concentration below which, it is believed, nearly all individuals could be exposed for up to one hour without experiencing or developing serious health effects that could impair an individual's ability to take protective action.

Engineered control: A specific hardware or software system designed to maintain a process within safe operating limits, to safely shut it down in the event of a process upset, or to reduce human exposure to the effects of an upset.

Episodic event: An unplanned event of limited duration, usually associated with an accident.

Episodic release: A release of limited duration, usually associated with an accident.

Error-likely situation: A work situation in which the performance shaping factors are not compatible with the capabilities, limitations, or needs of the worker. In such situations, workers are much more likely to make mistakes, particularly under stressful conditions.

Event: An occurrence related to equipment performance or human action, or an occurrence external to the system that causes system upset. In this document an event is either the cause of or a contributor to an incident or accident, or is a response to an accident's initiating event.

Event sequence: A specific, unplanned series of events composed of an initiating event and intermediate events that may lead to an incident.

Event tree: A logic model that graphically portrays the combinations of events and circumstances in an accident sequence.

External event: Event external to the system/plant caused by (1) a natural hazard — earthquake, flood, tornado, extreme temperature, lightning, etc., or (2) a human-induced event — aircraft crash, missile, nearby industrial activity, fire, sabotage, etc.

Failure mode: A symptom, condition, or fashion in which hardware fails. A failure mode might be identified as loss of function; premature function (function without demand); an out-of-tolerance condition; or a simple physical characteristic such as a leak observed during inspection.

Failure Modes and Effects Analysis (FMEA): A systematic, tabular method for evaluating and documenting the causes and effects of known types of component failures.

Failure Modes, Effects, and Criticality Analysis (FMECA): A variation of FMEA that includes a quantitative estimate of the significance of the consequence of a failure mode.

Fault event: A failure event in a fault tree that requires further development.

Fault tree: A logic model that graphically portrays the combinations of failures that can lead to a specific main failure or accident of interest (Top event).

Frequency: The number of occurrences per unit time at which observed events occur or are predicted to occur.

Hazard: An inherent physical or chemical characteristic that has the potential for causing harm to people, property, or the environment. In this document it is the combination of a hazardous material, an operating environment, and certain unplanned events that could result in an accident.

Hazard analysis: See hazard evaluation.

Hazard and Operability (HAZOP) Analysis: A systematic method in which process hazards and potential operating problems are identified using a series of guide words to investigate process deviations.

Hazard checklist: An experience-based list of hazards, potential accident situations, or other process safety concerns used to stimulate the identification of hazardous situations for a process or operation.

Hazard evaluation (HE): The analysis of the significance of hazardous situations associated with a process or activity. Uses qualitative techniques to pinpoint weaknesses in the design and operation of facilities that could lead to accidents.

Hazard identification: The pinpointing of material, system, process, and plant characteristics that can produce undesirable consequences through the occurrence of an accident.

Hazard review: See hazard evaluation.

Human error: Any human action (or lack thereof) that exceeds some limit of acceptability (i.e., an out-of-tolerance action) where the limits of human performance are defined by the system. Includes actions by designers, operators, or managers that may contribute to or result in accidents.

Human factors: A discipline concerned with designing machines, operations, and work environments to match human capabilities, limitations, and needs. Among human factors specialists, this general term includes any technical work (engineering, procedure writing, worker training, worker selection, etc.) related to the person in operator-machine systems.

Human Reliability Analysis (HRA): A method used to evaluate whether necessary human actions, tasks, or jobs will be completed successfully within a required time period. In the Guidelines, HRA is used strictly in a qualitative context. Also used to determine the probability that no extraneous human actions detrimental to the system will be performed.

HRA event tree: A graphical model of sequential events in which the tree limbs designate human actions and other events as well as different conditions or influences upon these events.

Initiating event: The first event in an event sequence. Can result in an accident unless engineered protection systems or human actions intervene to prevent or mitigate the accident.

Intermediate event: An event that propagates or mitigates the initiating event during an accident sequence.

Likelihood: A measure of the expected probability or frequency of an event's occurrence.

Minimal cut set: A combination of failures necessary and sufficient to cause the occurrence of the Top event in a fault tree.

Mitigation system: Equipment and/or procedures designed to interfere with incident propagation and/or reduce incident consequences.

Mond Index: An extension of the Dow F&EI, developed by ICI, which also addresses chemical toxicity hazards.

Operator: An individual responsible for monitoring, controlling, and performing tasks as necessary to accomplish the productive activities of a system. Often used in a generic sense to include people who perform all kinds of tasks (e.g., reading, calibration, maintenance).

Performance shaping factor (PSF): Any factor that influences human performance. PSFs include factors intrinsic to an individual (personality, skill, etc.) and factors in the work situation (task demands, plant policies, hardware design, training, etc.).

Process safety management: A program or activity involving the application of management principles and analytical techniques to ensure the safety of process facilities. Sometimes called process hazard management.

Protective system: Systems including, for example, pressure relief valves, that prevent the occurrence of or mitigate the effects of an accident.

Quantitative risk analysis: The systematic development of numerical estimates of the expected frequency and/or consequence of potential accidents associated with a facility or operation based on engineering evaluation and mathematical techniques.

Rare event: An event or accident whose expected frequency is very small. The event is not statistically expected to occur during the normal life of a facility or operation.

Recovery factors: Feedback factors that limit or prevent the undesirable consequences of a human error.

Risk: The combination of the expected frequency (events/year) and consequence (effects/event) of a single accident or a group of accidents.

Risk assessment: The process by which the results of a risk analysis (i.e., risk estimates) are used to make decisions, either through relative ranking of risk reduction strategies or through comparison with risk targets.

Risk management: The systematic application of management policies, procedures, and practices to the tasks of analyzing, assessing, and controlling risk in order to protect employees, the general public, the environment, and company assets.

Risk measures: Ways of combining and expressing information on likelihood with the magnitude of loss or injury (e.g., risk indexes, individual risk measures, and societal risk measures).

Safety Review (process safety review): An inspection of a plant or process unit, drawings, procedures, emergency plans, and/or management systems, etc., usually by a team and usually problem-solving in nature. (See "Audit" for contrast.)

Safety system: Equipment and/or procedures designed to limit or terminate an accident sequence, thus mitigating the accident and its consequences.

Scribe/recorder: A hazard evaluation team member who is responsible for capturing the significant results of discussions that occur during an HE team meeting.

Task analysis: A human error analysis method that requires breaking down a procedure or overall task into unit tasks and combining this information in the form of event trees. It involves determining the detailed performance required of people and equipment and determining the effects of environmental conditions, malfunctions, and other unexpected events on both.

Top event: The undesired event or incident at the "top" of a fault tree that is traced downward to more basic failures using Boolean logic gates to determine the event's possible causes.

Undeveloped event: An event in a fault tree that is not developed because it is of no significance or because more detailed information is unavailable.

Worst case: A conservative (high) estimate of the consequences of the most severe accident identified.

Worst credible case: The most severe accident considered plausible or reasonably believable.
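The glossary entries for basic event, fault tree, Top event, minimal cut set, common cause failure, branch point and event tree describe the logic models that the rest of the Guidelines build on. The following added example (not part of the CCPS text and not tied to the fictitious plant in Part II) shows those definitions as working code: a small fault tree is expanded into its minimal cut sets by Boolean expansion with absorption, a common cause failure is modelled as a shared basic event feeding both redundant pumps, the Top event probability is estimated with the rare-event approximation, and an event tree is enumerated through its branch points. The tree shape, the event names and every probability are constructed for illustration and are assumptions, not data from the Guidelines.

```python
"""Worked example: minimal cut sets of a fault tree, the rare-event
approximation for the Top event probability, and branch-point enumeration
of an event tree.  The tree, basic-event probabilities and event-tree
safety functions below are constructed for illustration only."""
from itertools import product

# A fault tree node is either a basic-event name (str) or a gate:
# ('AND', [children]) or ('OR', [children]).
# Constructed Top event "runaway reaction": loss of cooling AND failure of
# protection.  Both cooling pumps share one common cause failure (CCF)
# basic event, so each pump fails through OR(independent failure, CCF).
SAMPLE_TREE = ('AND', [
    ('OR', [                                  # loss of cooling
        ('AND', [('OR', ['pump_A_fails', 'pumps_CCF']),
                 ('OR', ['pump_B_fails', 'pumps_CCF'])]),
        'cooling_water_supply_lost',
    ]),
    ('OR', [                                  # protection fails
        'relief_valve_stuck',
        ('AND', ['high_temp_alarm_fails', 'operator_misses_rise']),
    ]),
])

# Constructed basic-event probabilities (unavailability on demand).
SAMPLE_PROBS = {
    'pump_A_fails': 0.05, 'pump_B_fails': 0.05, 'pumps_CCF': 0.005,
    'cooling_water_supply_lost': 0.01, 'relief_valve_stuck': 0.02,
    'high_temp_alarm_fails': 0.1, 'operator_misses_rise': 0.3,
}


def minimize(cut_sets):
    """Absorption law: a cut set that contains another cut set is not minimal."""
    minimal = []
    for cs in sorted(cut_sets, key=len):
        if not any(m <= cs for m in minimal):
            minimal.append(cs)
    return set(minimal)


def minimal_cut_sets(node):
    """Boolean expansion of the tree: an OR gate unions its children's cut
    sets, an AND gate combines one cut set from every child.  Each cut set
    is a frozenset of basic-event names."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == 'OR':
        result = set().union(*child_sets)
    elif gate == 'AND':
        result = {frozenset()}
        for cs in child_sets:
            result = {a | b for a in result for b in cs}
    else:
        raise ValueError(f'unknown gate {gate!r}')
    return minimize(result)


def top_event_probability(cut_sets, probs):
    """Rare-event approximation: sum over the minimal cut sets of the product
    of their basic-event probabilities.  This is an upper bound on the exact
    inclusion-exclusion value and is adequate only when every product is small."""
    total = 0.0
    for cs in cut_sets:
        p = 1.0
        for event in cs:
            p *= probs[event]
        total += p
    return total


def event_tree_outcomes(initiating_frequency, safety_functions):
    """Enumerate every path through the branch points of an event tree.
    safety_functions is a list of (name, failure probability) in the order
    the functions are demanded; every function is assumed to be demanded on
    every path.  Returns {path: frequency per year}, path being a tuple of
    'S' (success) / 'F' (failure), one entry per safety function."""
    outcomes = {}
    for path in product('SF', repeat=len(safety_functions)):
        freq = initiating_frequency
        for (_, p_fail), branch in zip(safety_functions, path):
            freq *= p_fail if branch == 'F' else 1.0 - p_fail
        outcomes[path] = freq
    return outcomes


if __name__ == '__main__':
    cuts = minimal_cut_sets(SAMPLE_TREE)
    for cs in sorted(cuts, key=lambda s: (len(s), sorted(s))):
        print(sorted(cs))
    print('P(top) ~', top_event_probability(cuts, SAMPLE_PROBS))
    # Constructed event tree: initiating event "loss of cooling" at 0.1/yr.
    tree = event_tree_outcomes(0.1, [('relief valve opens', 0.02),
                                     ('emergency dump', 0.05)])
    for path, f in tree.items():
        print(path, f)
```

Running the block lists six minimal cut sets; the pair {pumps_CCF, relief_valve_stuck} is the one worth noticing, because without the shared CCF basic event the redundant pumps would only ever appear together and the tree would overstate the benefit of redundancy, which is exactly what the glossary's common cause failure entry warns about. The rare-event sum (about 8.75e-4) is a screening figure; the Guidelines treat HRA qualitatively and reserve numerical combination of frequencies and consequences for CPQRA.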

Acknowledgments

The Center for Chemical Process Safety (CCPS) thanks all of the members of the Hazard Evaluation Procedures (HEP) Subcommittee for providing technical guidance in the preparation of this document. CCPS also expresses its appreciation to the members of the Technical Steering Committee for their advice and support.

The chair of the HEP Subcommittee was Dennis C. Hendershot of Rohm and Haas Company and the CCPS staff liaison was Ray Witter. The Subcommittee had the following additional members:

Samuel Y. Bridges, Elf Atochem North America, Inc.

Gus L. Constan, Dow Corning Corporation

William E. Early, Stone & Webster Engineering Corporation

Walter L. Frank, Du Pont

Jay E. Giffin, Union Carbide Chemicals & Plastics Inc.

Robert M. Rosen, BASF Corporation

Charles J. Twardowski, Jr., ICI Americas Inc.

Robert C. Wade, Amoco Oil Company

JBF Associates, Inc. (JBFA) prepared this edition of the Guidelines for Hazard Evaluation Procedures, Second Edition with Worked Examples. These Guidelines are divided into two parts: Part I — Guidelines for Hazard Evaluation Procedures and Part II — Worked Examples for Hazard Evaluation Procedures. J. Steven Arendt was JBFA's Project Manager and lead author of the HEP Guidelines. David F. Montague was lead author of the HEP Worked Examples. The other principal authors on JBFA's team were Myron L. Casada, Donald K. Lorenzo, and David A. Walker. William G. Bridges, David J. Campbell, John Q. Kirkman, and David K. Whittle also contributed to these Guidelines.

Part I — HEP Guidelines contains several new chapters covering topics such as hazard identification methods, preparation for hazard evaluation studies, and follow-up considerations. The remaining chapters of Part I are extensively revised versions of the material from the first edition, developed in 1985 by Battelle Columbus Laboratories and the following members of the original HEP Subcommittee:

Edwin J. Bassler, Stone & Webster Engineering Corporation

Gary A. Page, American Cyanamid Corporation

Harold S. Kemp, AIChE Past President

Walter C. Kohfeldt, Exxon Chemical (now retired)

Stanley J. Schechter, Rohm and Haas Company

Robert A. Smith, Dow Chemical Company

As a companion to the HEP Guidelines, JBF Associates also developed Part II — Worked Examples for Hazard Evaluation Procedures. The HEP Worked Examples contains entirely new material designed to help illustrate the real-life application of hazard evaluation techniques.

The authors of the HEP Guidelines and the HEP Worked Examples are indebted to the technical publications personnel at JBFA. Kelley S. Alters was the editor for this project and Curt A. Rogers, Catherine Y. Carter and Sarah Y. Auklkington were the proofreaders. Cora R. Everett and Nicole Lepoutre-Baldocchi created the graphics. Finally, Angela L. Hardeman prepared the manuscript for publication.

CCPS also gratefully acknowledges the comments submitted by the following peer reviewers:

Stanley E. Anderson, Rohm and Haas Texas, Incorporated

Joseph P. Balkey, Union Carbide Chemicals & Plastics Inc.

Charles Burgdorf, Elf Atochem North America, Inc.

Arthur F. Burk, Du Pont

Donald C. Clagett, Ph.D., GE Plastics

Daniel A. Crowl, Wayne State University

Robert E. DeHart II, Mobil Oil Corporation

A. M. Dowell III, Rohm and Haas Texas, Incorporated

Jay Eberhardt, ICI Americas Inc.

Joseph F. Louvar, BASF Corporation

William K. Lutz, Union Carbide Chemicals & Plastics Inc.

R. Craig Matthiessen, U.S. Environmental Protection Agency

Ray L. Mendelsohn, Du Pont

C. Donald Miller, Union Carbide Chemicals & Plastics Inc.

N. Sankaran, UNOCAL Corporation

Mike Sawyer, Science Applications International Corporation

Mike Sherrod, Stone & Webster Engineering Corporation

Gary R. Van Sciver, Rohm and Haas Company

Mark Eidson, Stone & Webster Engineering Corporation

Barry Gibson, DuPont

Kathleen A. Haines, ICI Americas, Inc.

Steven A. Lapp, Ph.D., Design Sciences, Inc.

Dennis E. Wade, Monsanto (now retired)

Johnny O. Wright, Amoco Corporation

Their insight and suggestions helped ensure a balanced perspective for the Guidelines.