Trevor Kletz

The Author

Known throughout the process industries as a gifted communicator on safety matters, Trevor Kletz has wide knowledge of both practice and theory. He joined Imperial Chemical Industries on graduating as a chemist and spent eight years in research, sixteen in production management and the last fourteen as safety adviser to the Petrochemicals Division. On retiring from ICI he joined Loughborough University of Technology, at first full-time and then from 1986 as a Visiting Fellow. He has written nine books and more than a hundred papers on loss prevention and process safety and is a Fellow of the Royal Academy of Engineering, the Royal Society of Chemistry and the American Institute of


Hazop and Hazan

Identifying and assessing
process industry hazards

Fourth edition

Trevor Kletz


The information in this book is given in good faith and belief in its accuracy, but does not imply the acceptance of any legal liability or responsibility whatsoever, by the Institution, or by the author, for the consequences of its use or misuse in any particular circumstances.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publisher.

Published by
Institution of Chemical Engineers,
Davis Building,
165–189 Railway Terrace,
Rugby, Warwickshire CV21 3HQ, UK
IChemE is a Registered Charity

© 1999 Trevor Kletz

Printed in the United Kingdom by Galliards, Great Yarmouth


Preface

The Institution of Chemical Engineers' example syllabus for an accredited degree in chemical engineering¹ features 'Systematic identification and quantification of hazards, including hazard and operability studies', and this book is intended to spread knowledge of these subjects.

The first edition was based on lecture notes that I had used for several years for teaching these subjects to undergraduate and graduate students, to mature students attending short courses on loss prevention and to former colleagues attending in-house courses in industry. University departments of chemical engineering may therefore find the book useful. It may also be useful for in-house courses in industry. It is intended as an introduction to the subject rather than a handbook for experts.

A few suggestions on the presentation of the material may be helpful.

Chapter 1 puts the material in context and can form an introduction to the first session of a course.

Chapter 2 deals with identification of hazards by hazard and operability studies (Hazop) and requires at least two hours. It could be presented as a lecture in one hour but it is better if those present can complete the various columns in Table 2.2 (pages 14–15), the lecturer (or discussion leader) writing them down on a board as they do so. The group must, of course, be allowed to come to different conclusions than those in the table if they wish to do so. There is no right answer. The group may consider that those who drew up Table 2.2 went too far or did not go far enough, and the group could be right. If possible the group should not exceed 20 people; the fewer the better, as long as at least five or six are present.

Chapter 3 deals with the quantification of hazards by hazard analysis (Hazan) and requires at least three hours. Mature students seem able to take three hours at a stretch, but not undergraduates!

Chapter 4 describes some of the points to look for when reading hazard analyses carried out by others. It is intended for mature students.

Chapter 5 briefly discusses some of the objections that have been raised to Hazop and Hazan.

Chapter 6 discusses sources of data and confidence limits.

Chapter 7 gives a brief history of Hazop and Hazan.

The subjects discussed in this book and many other aspects of loss prevention are treated more extensively in F.P. Lees' Loss Prevention in the Process Industries (second edition, three volumes, Butterworth-Heinemann, 1996), especially Chapters 7–9 (referred to in later pages as Lees).

Thanks are due to the many colleagues who provided ideas for this book or commented on the draft and to the Science and Engineering Research Council for financial support for the first edition.

For the third edition I corrected a few misprints, added a few words of additional explanation here and there (especially in Sections 3.4 and 5.3 and in Chapters 6 and 7) and included some new references and some examples of accidents that could have been prevented by Hazop. In this fourth edition, about 40% longer than the third, the basic plan is unchanged. I have not added descriptions of more complex methods of calculation which might give a little more accuracy. Instead I have tried to answer more of the questions that I am often asked, tried to increase awareness of the pitfalls which await the unwary and added more examples of the applications of Hazop and Hazan. A training package on the subject of this book is available from the Institution of Chemical Engineers².

I have often been irritated by authors who use phrases such as, 'as discussed in an earlier chapter' without saying which one. I have therefore included cross-references whenever a topic is discussed under more than one heading.

To avoid the clumsy phrases 'he or she' and 'him or her' I have used 'he' and 'him'. Though there has been a welcome increase in the number of women employed in the process industries the manager, designer and accident victim are still usually male.

I would like to thank the many people without whose work and advice I would have been unable to write this book or prepare the successive editions.

Finally, I have tried to follow the advice of Joseph Pulitzer (1847–1911):

'Put it before them briefly so they will read it,
clearly so they will appreciate it,
picturesquely so they will remember it,
and, above all, accurately so they will be guided by its light.'

1. Accreditation of University Chemical Engineering Courses: A Guide for University Departments, November 1996, Appendix 1, paragraph 10.1 (Institution of Chemical Engineers, Rugby, UK).
2. Anon, 1999, Interactive Training Package No. 034, Hazop and Hazan and Multi-stage Hazard Study (Institution of Chemical Engineers, Rugby, UK).





Contents

1 Hazard identification and assessment
1.1 Introduction
1.2 A note on nomenclature
1.3 Legal requirements

2 Hazard and operability studies (Hazop)
2.1 What is a Hazop?
2.2 Who carries out a Hazop, and what should be recorded?
2.3 When is a Hazop carried out and how long does it take?
2.4 Some points to watch during Hazop
2.5 An example of a Hazop
2.6 Could a computer carry out a Hazop?
2.7 The limitations of Hazop
2.8 'Do we need to Hazop this plant?' 'It is only a simple project' or 'It is similar to the last one'
2.9 The use of quantitative methods during Hazop
2.10 The use of Hazop in other industries
2.11 Other methods of identification
2.12 Auditing Hazop
2.13 Conclusion
Appendix to Chapter 2 Some accidents that could have been prevented by Hazops
A2.1 Reverse flow
A2.2 Bhopal
A2.3 A fire in a water sump
A2.4 A protective device that did not work
A2.5 Services and modifications: two neglected areas
A2.6 A computer-controlled batch reaction
A2.7 Abbeystead: an explosion in a water pumping station
A2.8 The Sellafield leak
A2.9 Formation of separate layers
A2.10 The need for different sorts of knowledge
A2.11 An incident from another industry

3 Hazard analysis (Hazan)
Why do we want to apply numerical methods to safety problems?
The stages of Hazan
Choosing targets or criteria
Estimating how often an incident will occur
Pitfalls in Hazan
The man or woman in the middle
Examples of Hazan
A summary of the main sources of error in Hazan
3.10 A final note
Appendix to Chapter 3 Belt and braces

4 A manager's guide to hazard analysis
Arithmetic, algebra and units
The unforeseen hazards
Human reliability
Comparison with experience
4.10 Closed shop or open shop?

5 Objections to Hazop and Hazan
Objections to Hazop
Technical objections to Hazan
Popular objections to Hazan
The regulator's view
Appendix to Chapter 5 Limitations on the application of quantitative methods to railway travel

6 Sources of data and confidence limits
Data banks and data books
If failure has never occurred
Confidence limits
Data on mechanical equipment may be data on people
Pitfalls in extrapolating data

7 The history of Hazop and Hazan

Addendum 1 An atlas of safety thinking
Addendum 2 Myths of Hazop and Hazan



'We Athenians in our persons take our decisions on policy and submit them to proper discussion. The worst thing is to rush into action before the consequences have been properly debated. And this is another point where we differ from other people: we are capable at the same time of taking risks and estimating them beforehand. Others are brave out of ignorance; and when they stop to think they begin to fear. But the man who can most truly be accounted brave is he who best knows the meaning of what is sweet in life, and what is terrible, and then goes out undeterred to meet what is to come.'
From Pericles' funeral oration in Thucydides' History of the Peloponnesian Wars, ca. 430 BC (quoted in Probabilistic Safety Assessment and Management, P.C. Cacciabue and I.A. Papazoglou, Springer, 1996)

'... there's a tremendous gap between what can be done and what is actually done, and a great deal hinges on the quality of the personnel in any given organisation.
'Success depends on an awareness of all possible failure modes, and whenever a designer is either ignorant of or uninterested in, or disinclined to think in terms of failure, he can inadvertently invite it.'
Ivars Peterson, Fatal Defect, Random House, 1996, page 111


1 Hazard identification and assessment

'The great end of life is not knowledge but action.'
T.H. Huxley (1825–1895)

1.1 Introduction

The techniques for identifying hazards (for finding out what hazards are present in a plant or process) and the techniques for assessing those hazards (for deciding how far we ought to go in removing the hazards or protecting people from them) are often confused. Figure 1.1 may help to make the differences clear.

The left-hand side shows some of the methods used for identifying hazards and problems that make operation difficult.

Some hazards and problems are obvious. For example, if we manufacture ethylene oxide by mixing oxygen and ethylene close to the explosive limit we do not need a special technique to tell us that if we get the proportions wrong there may be a big bang.

The traditional method of identifying hazards, in use from the dawn of technology until the present day, was to build the plant and see what happens: 'every dog is allowed one bite'. Until it bites someone, we can say that we did not know it would. This is not a bad method when the size of an incident is limited but is no longer satisfactory now that we keep dogs which may be as big as Bhopal (over 2000 killed in one bite) or even Flixborough (28 killed). We need to identify hazards before the accidents occur.

Figure 1.1 Methods of identifying and assessing hazards (left-hand side: methods of identifying hazards, including 'See what happens'; right-hand side: methods of assessing hazards, including 'Codes of practice' and 'Hazard analysis')
Check-lists are often used to identify hazards but their disadvantage is that items not on the list are not brought forward for consideration and our minds are closed to them. Check-lists may be satisfactory if there is little or no innovation and all the hazards have been met before, but are least satisfactory when the design is new.

For this reason the process industries have come to prefer the more creative or open-ended technique known as a hazard and operability study or Hazop. It is described in Chapter 2. It is now widely used on designs for new plants and plant extensions but, because of the effort involved, has been less widely used on existing plants.

Samuel Coleridge described history as 'a lantern on the stern', illuminating the hazards the ship has passed through rather than those that lie ahead. It is better to illuminate the hazards we have passed through than not illuminate them at all, as we may pass the same way again, but we should try to see them before we meet them. Hazop can be a lantern on the bow.

Unfortunately we do not always learn from the hazards we have passed through, but that is outside the scope of this book¹,².

Other methods of identifying hazards are described in Lees, Chapter 8, and are summarized in Section 2.11, page 54.

After we have identified the hazards we have to decide how far to go in removing them or in protecting people and property. Some of the methods used are listed on the right-hand side of Figure 1.1. Sometimes there is a cheap and obvious way of removing the hazard; sometimes our experience or a code of practice tell us what to do. Sometimes it is less easy to decide. We can then try to work out the probability of an accident and the extent of the consequences and compare them with a target or criterion. This method is called hazard analysis or Hazan in this book. Sometimes a five-minute estimation is sufficient. On other occasions detailed studies can take many weeks.

Hazop can and should be applied to all new designs, unless we are making an exact copy of an existing plant which has been proved satisfactory, as we need to know all the hazards and all the problems that can prevent efficient operation. Hazan on the other hand should be used selectively: there are neither the need, the data nor the resources to attempt to quantify every problem on every plant. Carling³ has described a Hazop which produced 326 recommendations of which only seven justified a detailed hazard analysis.

In the development of a design the Hazop comes first. We identify the hazards and the problems that prevent efficient operation and then decide what to do about them. However, if there is an obvious major hazard we may start on the Hazan before the Hazop is carried out. In a Hazop the operability part is as important as the hazard part. In most studies more operating problems are identified than hazards.

Hazop and Hazan are often confused, and Hazop is sometimes used to describe any technique for identifying hazards. Figure 1.1 and Table 1.1 should make the difference clear. However, if someone asks you to carry out a Hazop or Hazan on a design, first make sure that the questioner is clear on the difference between them and is using the terms correctly.

Table 1.1 The differences between Hazop and Hazan

Hazop                                  Hazan
Identifies hazards                     Assesses hazards
Preferred technique:                   Selective technique:
use on every project                   use when others fail
Done by a team                         Done by one or two people
Other names: 'What if?'                Other names: Risk analysis,
                                       Risk assessment,
                                       Probabilistic risk assessment (PRA),
                                       Quantitative risk assessment (QRA)
The techniques described in later chapters are sophisticated techniques which enable companies to use their resources more effectively. They assume that the general level of management is competent, that the plant will be operated and maintained in the manner assumed by the design team and in accordance with good management and engineering practice. In particular they assume that protective systems will be tested regularly and repaired promptly when necessary.

If these assumptions are not true then Hazop and Hazan are a waste of time. It is no use identifying hazards or estimating their probability if no-one wants to do anything about them; it is no use installing trips and alarms if no-one is going to use or maintain them. The time spent on Hazop and Hazan would be better spent on bringing the safety consciousness of employees and management up to standard. The following is a summary of a paper by Atallah and Guzman on doing this in developing countries⁴ (and perhaps elsewhere):

Be patient when you are waiting for data, prompt when asked for advice.
Include in your team someone who speaks the local language.
Submit your report in draft for comment; justify your criticisms and
Photograph problem areas.
Visit the plant at night.
Wear all the required protective clothing and follow all the safety rules.
Expect to be asked about subjects not covered in the remit.
Provide the client with copies of references, codes, and so on, not just a list.
Involve the client in your audit.
Learn as much as you can beforehand about the customs and culture of the country, expect a cultural shock and do not discuss politics or religion.

If you wish to introduce Hazop and/or Hazan into an organization in which they have not been used before, you should start small. Do not try to set up a large team capable of studying all new and existing designs. Instead apply the methods to one or two problems. If your colleagues find that the methods are useful they will ask for more and the use of the techniques will grow. If, on the other hand, the methods do not suit your organization, little has been lost.

Despite all our efforts we shall fail to foresee every hazard and some will result in accidents. We should learn from these accidents, not only from those that result in serious injury or damage but also from those that do not, for example, leaks that do not ignite. If these 'near-misses' are not investigated and the lessons made known to those concerned, next time injury or damage

In my former company, ICI, Hazop and Hazan form part of a series of six hazard studies carried out on new projects as they progress⁵. They are:
(1) Exploratory phase: identification of basic hazards and assessment of suitability of possible sites.
(2) Flowsheet phase: identification and assessment of significant hazards, using Hazan.
(3) Detailed design: Hazop.
(4) Construction: a check that decisions made in earlier studies have been
(5) Commissioning: final inspection.
(6) Post-commissioning: safety audit and review of modifications.

It seems from this list that the assessment of hazards is carried out in Study 2 before the hazards have been identified by Hazop in Study 3. However, the obvious hazards should be assessed as soon as possible. The Hazop will identify other hazards, most of which will be assessed qualitatively during the Hazop, but some of which will have to be assessed outside the meeting by

Section 2.7 (page 41) discusses the limitations of the six-stage procedure and of Hazop in particular. It also makes it clear that assessing the probability and size of a hazard, though valuable and often necessary, is always a second-best choice. When we can we should avoid the hazard. Before we estimate the probability that a toxic or flammable substance will leak and the injury and damage that will result, we should ask if a non-flammable or non-toxic material could be used instead or if it is possible to use so little of the hazardous material that it would not matter if it all leaked out.

1.2 A note on nomenclature

Hazard analysis has several other names (see Table 1.1 on page 3). When I wrote my first paper on the use of quantitative methods of assessing risks in the chemical industry⁶ I started by using the term 'risk analysis'. Then I realized that ICI had sponsored a book entitled Risk Analysis⁷ which described methods of assessing the commercial risks of a project. I therefore introduced the term 'hazard analysis' instead, but other writers often use 'risk analysis'.

In an attempt to standardize nomenclature the Institution of Chemical Engineers has published a guide⁸. It suggests that 'hazard analysis' is used to describe methods of identifying hazards and estimating the probability and consequences of an incident but that it should exclude the crucial final step of deciding what should be done about them (see Chapter 3). The book suggests that what I call hazard analysis (or Hazan) should be called 'risk assessment'. Many writers, particularly in the US, call it 'quantified (or quantitative) risk assessment' (QRA) or 'probabilistic risk assessment' (PRA) and the former term is now used by the UK Health and Safety Executive⁹.

I have nevertheless continued to use 'hazard analysis' in the same sense as I used it in the first edition of this book because the term is still widely used with this meaning, especially in the chemical industry, and because its contraction, Hazan, contrasts conveniently with Hazop. (Hazop and Risk Assessment would not be a good title for this book.) Figure 1.2 (page 6) summarizes the different ways in which the various terms are used.

The following are some of the other terms used:

A hazard is a substance, object or situation that can give rise to injury or damage.

A risk is the likelihood that an accident or damage of a particular type and severity will occur in a particular period of time or as the result of a particular action or event. It may be expressed as a frequency (the number of occurrences per year or other period of time) or as the probability that it will occur following a particular action or event. For example, if I never carry an umbrella I estimate that I will get wet 20 times/year; if I go out today without an umbrella I estimate that the probability that I will get wet is 0.3 (30%). Risk is thus a measure of the likelihood of specific consequences.

A hazard may be serious but the risk from it may be small. For example, experience over many years shows that in the UK, on average, less than one person per year has been killed by the transport of flammable chemicals. The risk of being killed in this way is therefore small, less than 1 in 60 million per person per year, though the hazard, the potential for damage and injury, is

Figure 1.3 shows the definition of risk adopted by the European Community for use in risk assessment¹⁰.

The consequences of a hazard may be immediate or long-term. Thus fires and explosions and some toxic chemicals such as chlorine produce immediate injuries. Other chemicals such as asbestos produce ill effects only after many years have passed. Ultraviolet radiation produces both immediate effects (sunburn) and long-term effects (skin cancer).

Some consequences are deterministic (that is, they always follow exposure) while others are probabilistic (that is, they may or may not follow). For example, if an object is dropped from the top of a structure it will always fall to the ground (deterministic) but the effects are probabilistic. It may kill someone, may cause serious injury, may cause slight injury or may merely cause damage. In the same way, exposure to high concentrations of certain chemicals will always cause injury (though the precise degree of injury will vary). Exposure to low levels may result in cancer, the extent of the exposure determining the probability of contracting the disease rather than its severity. The aim of this book is to help readers manage probabilistic events.

Figure 1.2 Some definitions compared (the steps 'Identification of …', 'Estimation of how often …', 'Estimation of …' and 'Comparison with a criterion and a …', grouped under the terms 'Hazard analysis' and 'Risk assessment'). Quantified risk assessment (QRA) and probabilistic risk assessment (PRA) are usually synonyms for 'hazard analysis', as used in this book, but the terms may be widened to include the identification of hazards.

Figure 1.3 The European Community's definition of risk: risk related to the considered hazard is a function of the severity of the harm that may result and of the probability of its occurrence, which depends on the frequency and duration of exposure, the probability of occurrence of the hazardous event and the possibility of avoiding or limiting the harm.

1.3 Legal requirements

In the UK the law requires all employers to carry out a five-step risk assessment¹¹,¹²:
(1) Look for the hazards.
(2) Decide who might be harmed and how.
(3) Evaluate the risks.
(4) Record the findings.
(5) Review the assessment from time to time.

In many cases a simple walk round followed by a consideration of the findings may be sufficient for steps (1)–(3) but in other cases a Hazop, perhaps followed by a Hazan, may be necessary. Special regulations apply to major hazards and to offshore installations and a formal hazard identification followed by a quantitative assessment of the risks may be required. Many other countries have similar requirements.

References in Chapter 1

1. Kletz, T.A., 1980, Organisations have no memory, Loss Prevention, 13: 1.
2. Kletz, T.A., 1993, Lessons from Disaster: How Organisations have no Memory and Accidents Recur (Institution of Chemical Engineers, Rugby, UK, and Gulf Publishing Company, Houston, Texas, USA).
3. Carling, N., 1986, Hazop study of BAPCO's FCCU complex, American Petroleum Institute Committee on Safety and Fire Protection Spring Meeting, Denver, Colorado, USA, 8–11 April.
4. Atallah, S. and Guzman, E., 1988, Safety audits in developing countries, Symposium Series No. 110, 35 (Institution of Chemical Engineers, Rugby, UK).
5. Hawksley, J.L., The Safety Practitioner, October 1987, 10.
6. Kletz, T.A., 1971, Hazard analysis: a quantitative approach to safety, Symposium Series, 75 (Institution of Chemical Engineers, Rugby, UK).
7. Imperial Chemical Industries Ltd, 1968, Assessing Projects: Book 5, Risk Analysis (Methuen, London, UK).
8. Jones, D.A. (ed), 1992, Nomenclature for Hazard and Risk Assessment in the Process Industries, 2nd edition (Institution of Chemical Engineers, Rugby, UK).
9. Health and Safety Executive, 1989, Quantified Risk Assessment: Its Input to Decision Making (HMSO, London, UK).
10. European Community, 1996, EN 1050: Safety of Machinery: Principles for Risk Assessment, quoted by Bauer, C-O., 1998, Technology, Law and Insurance, 3 (1).
11. Health and Safety Executive, 1997, 5 Steps to Risk Assessment (HSE Books, Sudbury, UK).
12. Health and Safety Executive, 1998, 5 Steps to Risk Assessment: Case Studies (HSE Books, Sudbury, UK).

2 Hazard and operability studies

'Since the destruction of the Temple, the gift
Rabbi Eudemus of Haifa

'There is a way of going about one's work in chemical engineering more certain and less expensive than the time-honoured process of
George E. Davis³⁴

2.1 What is a Hazop?

As I explained in Chapter 1, a hazard and operability study is the method recommended for identifying hazards and problems which prevent efficient operation. In what follows the technique is described as it would be applied to a continuous plant. Modifications of the technique, so that it can be applied to batch plants, are described only briefly (in Section 2.1.1, page 16). References 1 and 2 give more detail.

Hazop is a technique which provides opportunities for people to let their imaginations go free and think of all possible ways in which hazards or operating problems might arise, but, to reduce the chance that something is missed, it is done in a systematic way, and each pipeline and each sort of hazard is considered in turn. The study is carried out by a team so that the members can stimulate each other and build upon each other's ideas.

A pipeline for this purpose is one joining two main plant items; for example, we might start with the line leading from the feed tank through the feed pump to the first feed heater. A series of guide words are applied to this line in turn. The words are:

NONE, MORE OF, LESS OF, PART OF, MORE THAN, OTHER THAN

NONE, for example, means no forward flow or reverse flow when there should be forward flow. We ask:
Could there be no flow?
If so, how could it arise?
What are the consequences of no flow?
Are the consequences hazardous or do they prevent efficient operation?
If so, can we prevent no flow (or protect against the consequences) by changing the design or method of operation?
If so, does the size of the hazard or problem (that is, the severity of the consequences multiplied by the probability of occurrence) justify the extra expense?

The same questions are then applied to 'reverse flow' and we then move on to the next guide word, MORE OF. Could there be 'more flow' than design? If so, how could it arise? And so on. The same questions are asked about 'more pressure' and 'more temperature' and, if they are important, about other parameters such as 'more radioactivity' or 'more viscosity'. Table 2.1 summarizes the meanings of the guide words while Figure 2.1 summarizes the whole procedure.

Table 2.1 Deviations generated by each guide word

Guide word    Deviations
NONE          No forward flow when there should be, ie, no flow or reverse flow
MORE OF       More of any relevant physical property than there should be, eg, higher flow (rate or total quantity), higher temperature, higher pressure, higher viscosity, etc
LESS OF       Less of any relevant physical property than there should be, eg, lower flow (rate or total quantity), lower temperature, lower pressure, etc
PART OF       Composition of system different from what it should be, eg, change in ratio of components, component missing, etc
MORE THAN     More components present in the system than there should be, eg, extra phase present (vapour, solid), impurities (air, water, acids, corrosion products), etc
OTHER THAN    What else can happen apart from normal operation, eg, start-up, shutdown, uprating, low rate running, alternative operation mode, failure of plant services, maintenance, catalyst change, etc

Figure 2.1 Hazop procedure



When all the lines leading into a vessel have been studied, the guide word OTHER THAN is applied to the vessel. It is not essential to apply the other guide words to this item as any problems should come to light when the inlet and exit lines are studied. However, to reduce the chance that something is missed, the guide words should be applied to any operation carried out in the vessel. For example, if settling takes place we ask if it is possible to have no settling, reverse settling (that is, mixing), more settling or less settling, and similarly for stirring, heating, cooling and any other operations (see Section 2.8.4, page 50).

Some team leaders use 'Relief' as a backup guide word (see Section 2.11, page 54).
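The line-by-line procedure of Section 2.1, the guide words of Table 2.1 and the treatment of vessels and their operations above, as an added Python illustration (not code from the book): it generates the deviations a team has to work through for one line or vessel, records the answers to the chapter's questions against each, and flags anything not yet considered before the team moves on, which is the point of doing the study systematically. The sample line, its parameters and the team's notes are constructed; the 'severity multiplied by probability' measure is the one the chapter gives.

```python
"""Systematic deviation generation for a Hazop, one line or vessel at a time.

Added illustration, not code from the book. Guide words and the deviation each
one generates follow Table 2.1; the sample line and team notes are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The guide words, in the order the chapter applies them (Table 2.1).
GUIDE_WORDS = ("NONE", "MORE OF", "LESS OF", "PART OF", "MORE THAN", "OTHER THAN")


@dataclass
class Deviation:
    guide_word: str
    deviation: str
    causes: List[str] = field(default_factory=list)
    consequences: List[str] = field(default_factory=list)
    action: str = ""

    def considered(self) -> bool:
        # A deviation counts as considered once the team has asked both
        # "how could it arise?" and "what are the consequences?".
        return bool(self.causes) and bool(self.consequences)


def line_deviations(parameters: List[str]) -> List[Deviation]:
    """Deviations for one pipeline joining two main plant items.

    NONE applies to flow (no flow, reverse flow); MORE OF and LESS OF apply to
    every relevant physical property; PART OF, MORE THAN and OTHER THAN concern
    the material carried and the operating mode, so each is asked once per line.
    """
    devs: List[Deviation] = []
    for p in parameters:
        if p == "flow":
            devs.append(Deviation("NONE", "no flow"))
            devs.append(Deviation("NONE", "reverse flow"))
        devs.append(Deviation("MORE OF", f"more {p}"))
        devs.append(Deviation("LESS OF", f"less {p}"))
    devs.append(Deviation("PART OF", "composition different (ratio changed, component missing)"))
    devs.append(Deviation("MORE THAN", "extra phase or impurities present"))
    devs.append(Deviation("OTHER THAN", "abnormal operation (start-up, shutdown, maintenance, services failure)"))
    return devs


def vessel_deviations(operations: List[str]) -> List[Deviation]:
    """Once all lines into a vessel are studied, OTHER THAN is applied to the
    vessel itself and the guide words to each operation carried out in it
    (for settling: no settling, reverse settling, i.e. mixing, more, less)."""
    devs: List[Deviation] = []
    for op in operations:
        devs.append(Deviation("NONE", f"no {op}"))
        devs.append(Deviation("NONE", f"reverse {op}"))
        devs.append(Deviation("MORE OF", f"more {op}"))
        devs.append(Deviation("LESS OF", f"less {op}"))
    devs.append(Deviation("OTHER THAN", "vessel in abnormal mode (start-up, shutdown, maintenance)"))
    return devs


def hazard_size(severity: float, probability: float) -> float:
    """Size of a hazard or problem as the chapter defines it: severity of the
    consequences multiplied by the probability of occurrence. Set against the
    cost of a change, it answers 'does it justify the extra expense?'."""
    return severity * probability


# deviation text -> (possible causes, consequences, action required)
Findings = Dict[str, Tuple[List[str], List[str], str]]


def fill_worksheet(devs: List[Deviation], findings: Findings) -> Tuple[List[Deviation], List[str]]:
    """Attach the team's findings to the generated deviations.

    Returns the worksheet and the deviations still unconsidered, so the team can
    see what has been skipped before it moves on to the next line."""
    for d in devs:
        if d.deviation in findings:
            causes, consequences, action = findings[d.deviation]
            d.causes, d.consequences, d.action = list(causes), list(consequences), action
    missing = [d.deviation for d in devs if not d.considered()]
    return devs, missing


# Constructed example: the line from intermediate storage through the pump to
# the buffer/settling tank, with the team's notes on the first deviation only.
FEED_LINE = line_deviations(["flow", "pressure", "temperature"])
TEAM_NOTES: Findings = {
    "no flow": (["no hydrocarbon available at intermediate storage",
                 "pump fails", "isolation valve closed in error", "line fracture"],
                ["loss of feed to the buffer/settling tank"],
                "consider a low-flow alarm; check the consequences downstream"),
}

if __name__ == "__main__":
    sheet, skipped = fill_worksheet(FEED_LINE, TEAM_NOTES)
    for d in sheet:
        status = "considered" if d.considered() else "NOT YET CONSIDERED"
        print(f"{d.guide_word:<10} {d.deviation:<70} {status}")
    print("still to consider:", skipped)
```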
Pay special attention to intermediate storage vessels. As a rule, no change is supposed to take place there except emptying or filling but changes in temperature or composition may take place, particularly when the contents are allowed to stand for longer than usual³.

Always consider the failure of automatic equipment as a possible cause of the deviations. For example, no flow may be due to a trip or controller failing to open a valve or closing it at the wrong time.

Human error should also always be considered as a possible cause of the deviations. Thus no flow may be due to someone failing to open a valve. This can occur for a number of reasons:

The operator may not have known that the valve should have been opened; the intention was wrong. We may have to improve training and instructions or simplify the job.
The operator may have decided that it was unnecessary to open the valve at that time or that other tasks were more urgent. We may have to explain the reasons for instructions and make sure they are followed.
The valve may have been too stiff or out of reach.
Most likely of all, there may have been a slip or lapse of attention; the intention was correct but was not fulfilled. Everyone has slips and lapses of attention from time to time and they cannot be prevented, though various actions may make them less likely. If the consequences are serious we should remove or reduce the opportunities for error by changing the design or method of working (or protect people from the consequences or make recovery possible). (See Sections 3.7 and 4.7 on pages 130 and 162 and Reference 36.)

The Hazop also provides an opportunity to check that a number of detailed points have been considered during design. The team should ask:
What types of gasket have been used? Should spiral wound ones be used? Has the number of types been kept to a minimum? (The more types we use, the greater the chance that the wrong sort will be used.)
Has the number of types of nuts and bolts been kept to a minimum?
Are the valves used of a type, such as rising spindle valves, whose position can be seen at a glance? If ball valves or cocks are used, can the handles be fitted in the wrong position?
Are spectacle plates installed whenever regular slip-plating (blinding) of a joint (for maintenance or to prevent contamination) is foreseen?
Access is normally considered later in design, when a model of the plant (real or on computer) is available, but the Hazop team should note any points that need special attention, for example, valves that will have to be operated frequently or in an emergency, and should therefore be easy to reach.

Ozog¹⁷ describes a variation of the normal Hazop procedure in which the guide words are applied to equipment (including pumps) instead of lines.

Start-up, shutdown and other abnormal conditions such as catalyst regeneration should be considered during Hazop as well as normal operation.

Table 2.2 (pages 14–15) describes in detail the results of a Hazop on the part of the design shown in Figure 2.2. More details are given in Section 2.5, page 34. The procedure will become clearer as you go through each item in the table in turn. To get the most out of Table 2.2, display Figure 2.2 (pages 16–17) on a screen in front of the team, or give copies to each member, and ask everyone to carry out a Hazop on it, with the discussion leader acting as team leader. The results can then be compared with those in Table 2.2.

However, do not consider Table 2.2 to be the correct answer. Those taking part in the discussion may feel that the authors of Table 2.2 went too far, or did not go far enough, and they could be right.

Table 2.2 was based on a real study of an actual design. It is not a synthetic exercise, but it is written up in more detail than essential in a real life situation.

The use of Hazop is widespread and in the oil and chemical industries most companies now say that all new designs are Hazoped or examined in a similar way. However, because of the work involved many old plants have never been Hazoped. If they have been extensively modified, as most have, then a Hazop is well worth while. On an old refinery 17 Hazops over seven years resulted in over 500 actions³⁷.



Table 2.2 Results of Hazop of proposed olefin dimerization unit: line section from intermediate storage to buffer/settling tank
(From Reference 5. Reproduced with permission of the American Institute of Chemical Engineers and Dr H.G. Lawley. Copyright 1974 AIChE. All rights reserved.)

Columns of the original table: Guide word | Deviation | Possible causes | Consequences | Action required. Each numbered cause is listed below with its consequences and the action agreed.

Guide word: No. Deviation: No flow
(1) No hydrocarbon available at intermediate storage
    Consequences: Loss of feed to reaction section and reduced output. Polymer formed in heat exchanger under no flow.
    Action: (a) Ensure good communications with intermediate storage operator. (b) Install low level alarm on settling tank LIC.
(2) Pump fails (motor fault, loss of drive, impeller corroded)
    Action: Covered by (b).
(3) Line blockage, isolation valve closed in error, or LCV fails shut
    Consequences: J1 pump overheats.
    Action: Covered by (b). (c) Install kickback on pumps. (d) Check design of J1 pump strainers.
(4) Line fracture
    Consequences: Hydrocarbon discharged into area adjacent to public highway.
    Action: Covered by (b). (e) Institute regular patrolling and inspection of transfer line.

Guide word: More. Deviation: More flow
(5) LCV fails open or LCV bypass open in error
    Consequences: Settling tank overfills. Incomplete separation of water phase in tank, leading to problems on reaction section.
    Action: (f) Install high level alarm on LIC and check sizing of relief opposite liquid overfilling. (g) Institute locking off procedure for LCV bypass when not in use. (h) Extend J2 pump suction line to 12" above tank base.

Guide word: More. Deviation: More pressure
(6) Isolation valve closed in error or LCV closes, with J1 pump running
    Consequences: Transfer line subjected to full pump delivery or surge.
    Action: (j) Covered by (c) except when kickback blocked or isolated. Check line, FQ and flange ratings and reduce stroking speed of LCV if necessary. Install a PG upstream of LCV and an independent PG on settling tank.
(7) Thermal expansion in an isolated valved section due to fire or strong sunlight
    Consequences: Line fracture or flange leak.
    Action: (k) Install thermal expansion relief on valved section (relief discharge route to be decided later in study).

Guide word: More. Deviation: More temperature
(8) High intermediate storage temperature
    Consequences: Higher pressure in transfer line and settling tank.
    Action: (l) Check whether there is adequate warning of high temperature at intermediate storage.

Guide word: Less. Deviation: Less flow
(9) Leaking flange or valved stub not blanked and leaking
    Consequences: Material loss adjacent to public highway.
    Action: Covered by (e) and the checks in (j).

Guide word: Less. Deviation: Less temperature
(10) Winter conditions
    Consequences: Water sump and drain line freeze up.
    Action: (m) Lag water sump down to drain valve and steam trace drain valve and drain line downstream.

Guide word: Part of. Deviation: High water concentration in stream
(11) High water level in intermediate storage tank
    Consequences: Water sump fills up more quickly. Increased chance of water phase passing to reaction section.
    Action: (n) Arrange for frequent draining off of water from intermediate storage tank. Install high interface level alarm on sump.

Guide word: As well as. Deviation: Higher concentration of lower alkanes or alkenes in stream
(12) Disturbance on distillation columns upstream of intermediate storage
    Consequences: Higher system pressure.
    Action: (p) Check that design of settling tank and associated pipework, including relief valve sizing, will cope with sudden ingress of more volatile hydrocarbons.

Guide word: As well as. Deviation: Organic acids present
(13) As for (12)
    Consequences: Increased rate of corrosion of tank base, sump and drain line.
    Action: (q) Check suitability of materials.

Guide word: Other than. Deviation: Maintenance
(14) Equipment failure, flange leak, etc.
    Consequences: Line cannot be completely drained or purged.
    Action: (r) Install low-point drain and purge point downstream of LCV. Also N2 vent on settling tank.

Figure 2.2 Feed section of proposed olefin dimerization plant (drawing not reproduced; labels legible on it: ½ mile line section; J1 transfer pumps (one working, one spare); drain and N2 purge; from reactor; 290 psig; to after-cooler)

2.1.1 Batch processes

In studying a batch plant it is necessary to apply the guide words to the instructions as well as to the pipelines. For example, if an instruction states that 1 tonne of A has to be charged to a reactor, the team should consider deviations such as:

CHARGE PART OF A (if A is a mixture)

REVERSE CHARGE A (that is, can flow occur from the reactor to the A container?) This can be the most serious deviation (see Section A2.1, page 61).

The writing of operating instructions is often left until design is complete and construction is well advanced. If the Hazop is left until then any changes to the equipment may be difficult and expensive. The instructions for batch processes should be written early.
Delay in adding reactants or carrying out subsequent operations can have serious results. For example, the explosion at Seveso in 1976 (Reference 18) occurred because a reactor was left to stand for the weekend part way through a batch. Reference 19 describes another example.
As in the Hazop of a continuous plant, we should also ask what will happen if temperature or pressure (or any other parameter of importance) deviates from the design intention.
There are further details in References 1 and 2.
Rushton (Reference 38) has suggested making a cup of tea as an exercise in the Hazop of a batch process. Table 2.3 shows the 'operating instructions' from a packet of 'one-cup' tea bags and a few of the points that might come out of a Hazop. It is easy for a team without practical experience to come to the conclusion that the process is so hazardous and the result so uncertain that the task should not be
The fourth deviation ('Temperature') will be familiar to anyone who has ordered tea in an American hotel. The second deviation ('No understanding') is not fanciful. Immigrant workers do not always understand instructions and misunderstandings have occurred between air traffic controllers and air crew. In one case a controller told a pilot to 'pull up' but he did not know that this meant 'increase altitude'. The result was an accident. In another case departure of an aircraft was held up because a member of the cabin crew reported that the emergency lights were out. They were, in fact, illuminated but the speaker had heard the phrase 'the sun is out' and so reported that the lights were out (Reference 38).

Table 2.3 Some results of a Hazop of a batch process: making a cup of tea
The instructions studied (from a packet of one-cup tea bags) are given below. Note that some instructions are implied, for example, put water in kettle. For more detailed instructions see British Standard 6008 and ISO 3103.

Instructions studied:
1 Use only fresh water (do not reboil water)
2 Use one tea bag per cup
3 Pour water onto tea as soon as it has boiled
4 Stir immediately
5 Leave for 3-5 minutes depending on strength preferred
6 Press the bag against the side of the cup with a spoon and remove

Deviation: No water collected in kettle
    Possible causes: 1 No water supply. 2 Tap fails closed.
    Consequences: No tea.
    Action required: a Keep bottled water for use in emergency.
Deviation: No understanding
    Possible causes: 3 Operator does not understand English.
    Consequences: No tea or poor tea.
    Action required: b Print instructions in other languages.
Deviation: Too much water in kettle
    Possible causes: 4 Tap fails open or is left open for too long.
    Consequences: Spillage while filling. Overflow due to expansion on heating.
    Action required: c Fill over sink. d Use kettle with external level indicator and train operator to check level before heating.
Deviation: Temperature (water below boiling)
    Possible causes: 5 Water is below boiling.
    Consequences: Tea is too weak.
    Action required: e Train operator to check that water is boiling. f Avoid tea in American hotels.
Deviation: Tea bag left in cup for too long
    Possible causes: 6 Distraction.
    Consequences: Tea is too strong.
    Action required: g Use timer.
Deviation: Tea bag pressed too hard
    Possible causes: 7 Tea bag pressed too hard against side of cup.
    Action required: h Train operator to steady cup with other hand.

Batch-type operations that are carried out on a continuous plant, for example, conditioning equipment or catalyst change, can be studied in a similar way by listing the sequence of operations and applying the guide words to each step.

On computer-controlled plants the instructions to the computer (the applications software) should be studied as well as the line diagrams. For example, if the computer is instructed to take a certain action when a temperature rises, the team considers the possible consequences of this action as well as the consequences of the computer failing to take action. On a batch plant the consequences may be different at each stage of the batch. On a continuous plant the consequences may be different during start-up, shutdown, catalyst regeneration, and so on.
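The two pieces of advice above, applying the guide words to each instruction of a batch procedure and reviewing each software action both when it is taken and when it is not taken at every stage of the batch, can be turned into a checklist generator. This is an added illustration, not code from the book: the step names, batch stages and the control rule it uses are constructed examples.

```python
"""Hazop-style deviation checklist for a batch procedure and its control
software. Added illustration, not code from Kletz's book: the steps, batch
stages and control rule below are constructed examples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    """One line of the operating instructions, e.g. 'CHARGE 1 tonne of A'."""
    number: int
    verb: str              # CHARGE, HEAT, STIR, ...
    material: str          # what the verb acts on
    quantity: str = ""     # "1 tonne", "to 80 C"; empty if the step has no amount
    mixture: bool = False  # PART OF is only meaningful for a mixture


@dataclass(frozen=True)
class Rule:
    """An application-software rule: when `trigger` is seen, do `action`.
    `intended_stages` are the batch stages the designer meant it to cover."""
    trigger: str
    action: str
    intended_stages: frozenset


def instruction_deviations(step):
    """Apply the guide words to one instruction, returning a dict that maps
    each deviation (e.g. 'REVERSE CHARGE A') to the question the team should
    ask. Timing deviations cover the 'reactor left to stand' class of event."""
    target = f"{step.verb} {step.material}"
    devs = {
        f"NO {target}": f"step omitted, or {step.material} not available",
        f"REVERSE {target}": ("can the operation run backwards, e.g. flow from "
                              f"the reactor into the {step.material} container?"),
        f"AS WELL AS {target}": "something else added or done at the same time",
        f"OTHER THAN {target}": f"wrong material or action instead of {step.material}",
        f"LATE {target}": "delay before this step; batch left standing part way",
        f"EARLY {target}": "step carried out before the previous one is complete",
    }
    if step.quantity:
        devs[f"MORE {target}"] = f"more than {step.quantity}"
        devs[f"LESS {target}"] = f"less than {step.quantity}"
    if step.mixture:
        devs[f"PART OF {target}"] = f"only some components of {step.material} charged"
    return devs


def software_deviations(rule, stages):
    """For every stage, list both 'computer acts' and 'computer fails to act'.
    A stage the designer did not intend the rule to cover still gets an item,
    because the question is whether the rule is inhibited there at all."""
    items = []
    for stage in stages:
        if stage in rule.intended_stages:
            items.append((stage, "NO ACTION",
                          f"{rule.trigger} but computer does not {rule.action}"))
            items.append((stage, "ACTION",
                          f"computer does {rule.action}, on {rule.trigger} or spuriously"))
        else:
            items.append((stage, "ACTION OUTSIDE INTENT",
                          f"computer does {rule.action} during {stage}: "
                          "is the rule inhibited here, and what if it is not?"))
    return items


def checklist(steps, rules, stages):
    """Flatten both lists into the prompts a team would work through in order."""
    lines = [f"step {s.number}: {dev} - {why}"
             for s in steps for dev, why in instruction_deviations(s).items()]
    lines += [f"stage {stage} [{kind}]: {question}"
              for r in rules for stage, kind, question in software_deviations(r, stages)]
    return lines


# Constructed sample: a two-step charge/heat procedure and one control rule.
SAMPLE_STEPS = (Step(1, "CHARGE", "A", "1 tonne", mixture=True),
                Step(2, "HEAT", "reactor", "to reaction temperature"))
SAMPLE_STAGES = ("charge", "heat", "react", "hold", "discharge")
SAMPLE_RULES = (Rule("reactor temperature high", "open cooling water fully",
                     frozenset({"heat", "react"})),)

if __name__ == "__main__":
    for line in checklist(SAMPLE_STEPS, SAMPLE_RULES, SAMPLE_STAGES):
        print(line)
```

The generated prompts are only the starting point: as with the line-by-line Hazop, the team still has to supply causes, consequences and actions for each one.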
The appendix to this chapter (see Section A2.6, page 65) describes a dangerous incident that occurred because the design and operating teams assumed that the computer would always take care of alarm situations and did not consider in detail the consequences of each action at each stage.

2.2 Who carries out a Hazop, and what should be recorded?

A Hazop is carried out by a team. For a new design the usual team is as follows:
Project or design engineer
Usually a mechanical engineer and, at this stage of the project, the person responsible for keeping the costs within the sum sanctioned. The project engineer wants to minimize changes but at the same time find out now rather than later if there are any unknown hazards or operating problems.
Process engineer
Usually the chemical engineer who drew up the flowsheet.
Commissioning manager
Usually a chemical engineer, the commissioning manager will have to start up and operate the plant and is therefore inclined to press for any changes that will make life easier.
Control system design engineer
Modern plants contain sophisticated control and trip systems and Hazops often result in the addition of yet more instrumentation.
Research chemist
If new chemistry is involved.
Independent team leader
An expert in the Hazop technique, not the plant. The job of the team leader is to ensure that the team follows the procedure. To be a successful team leader you need to be skilled in leading a team of people who are not responsible to you, and be the sort of person who pays meticulous attention to detail. It is easy to underestimate the ability required. It is not a job that anyone can do. The team leader may also supply the safety department's view on the points discussed. If not, a representative from this department should be present.
The team as a whole should have a wide range of knowledge and experience (see Section A2.10, page 72).
If the plant has been designed by a contractor, the Hazop team should contain people from both the contractor and client organizations, and certain functions may have to be duplicated.
On a computer-controlled plant, particularly a computer-controlled batch plant, the software engineer should be a member of the Hazop team, which should include at least one other person who understands the computer logic. If the team does not include such a person, a dialogue is impossible and the team cannot be sure that the software engineer understands the process and has met the design requirements. See Section A2.6, page 65.
While the team members have a common objective, a safe and operable plant, their interests differ: designers, especially the design engineer responsible for costs, want to keep the costs down. The commissioning manager wants an easy start-up. This conflict of interests ensures that the pros and cons of each proposal are thoroughly explored before an agreed decision is reached. However, if the design engineer has a much stronger personality than the other members, the team may stray too far towards economy. Other teams may err the other way. The team leader tries to correct any imbalance. To quote Sir John Harvey-Jones, 'In industry the optimal level of conflict is not zero' (Reference 20).
If the team cannot agree, the team leader should suggest that the point is considered outside the meeting. Sometimes a decision is postponed while expert advice is sought, for example, from a materials expert, or even while research is carried out. Sometimes a decision is postponed so that a quantitative estimate of the hazard can be made, using the methods described in Chapter 3. Sometimes a quick, quantitative estimate can be made during the meeting (see Section 2.9, page 50).


Normally people's views converge towards agreement. If views are getting further apart and members of the team are starting to dig their heels in, the team leader should suggest that the discussion on the point at issue is postponed and that someone prepares a note on the pros and cons of various possible courses of action, which can be circulated to all concerned.
If an existing plant is being studied then the team should include several people with experience of the plant. A typical team is:
Plant manager
Responsible for plant operation. (Note for US readers: in the UK the term 'plant manager' describes someone who would be known as a supervisor or superintendent in most US companies.)
Foreman
The foreman knows what actually happens rather than what is supposed to happen.
Plant engineer
Responsible for mechanical maintenance, the plant engineer knows many of the faults that occur.
Control engineer
Responsible for instrument maintenance (including testing of alarms and trips), as well as the installation of new instruments.
Process investigation manager
Responsible for investigating technical problems and for transferring laboratory results to plant-scale operations.
Independent team leader
If an existing plant is being modified or extended, the team should consist of a combination of those described, but do not let the team get too big as it holds up progress. Six or seven people are usually enough.
Hazop teams, apart from the team leader, do not require much training. They can pick up the techniques as they go along. If anyone is present for the first time, the team leader should start with 10 minutes of explanation. However, if possible, new team members should attend a half-day lecture and discussion based on this chapter. The Institution of Chemical Engineers can supply a training package (Reference 33). The team leader should, however, start the discussion of each line or plant item by explaining, or asking someone to explain, its


It might be thought that membership of a Hazop team is 'the proper toil of artless industry, a task that requires neither the light of learning, nor the activity of genius, but may be successfully performed without any higher quality than that of bearing burthens with dull patience and ... sluggish resolution', to quote Dr Johnson (Reference 21). This is not the case. The best team members are creative and uninhibited people who can think of new and original ways for things to go wrong and are not too shy to suggest them. In a Hazop, do not hesitate to suggest impossibly crazy deviations, causes, consequences or solutions as they may lead other people to think of similar but possible deviations, etc. Zetlin writes, 'I look at everything and try to imagine disaster. I am always scared. Imagination and fear are among the best engineering tools for preventing tragedy'.
Another feature of good team members is a mental ragbag of bits and pieces of knowledge that they have built up over the years. Such people may be able to recall that a situation similar to that under discussion caused an incident elsewhere. They need not remember the details so long as they can alert the team to possibilities that should be considered and perhaps investigated further. For an example, see Section A2.7, page 67.
Note that the team members, except for the team leader, are experts on the process. They will, by this stage, have been immersed in it for between one and two years. Hazop is not a technique for bringing fresh minds to work on a problem. It is a technique for allowing those expert in the process to bring their knowledge and experience to bear systematically, so that problems are less likely to be missed.
The complexity of modern plants makes it difficult or impossible to see what might go wrong unless we go through the design systematically. Few accidents occur because the design team members lack knowledge; most errors in design occur because they fail to apply their knowledge. Hazop gives them an opportunity to go through the design line by line, deviation by deviation, to see what they have missed.
The team should have the authority to agree most changes there and then. Progress is slow if every change has to be referred to someone who is not present. The team members should try to avoid sending deputies. They lack the knowledge of previous meetings and might not have the authority to approve changes: as a result progress is held up. Some people have told me that this is impracticable in their companies as all changes have to be approved at a high level. This does not matter so long as the team members feel confident that most of their recommendations will be accepted without argument. However, if the discussions in the Hazop meetings have to be gone through again, time is wasted. In addition, the team may be tempted to add some fat so that the boss has something to remove. But he may not know the fat from the meat.
I have known some people say that the job of the Hazop team is to identify problems and that finding solutions should be left to the project team. If the Hazop team is made up as I have suggested, experience shows that it can find solutions to most problems, without the need for another meeting with many of the same people present. However, some problems may have to be left until expert advice has been obtained.
The team leader often acts as secretary as well as safety department representative. He writes up his notes after the meeting and circulates them before the next meeting. As already stated, it is not necessary to write them up in the degree of detail shown in Table 2.2 (pages 14-15). Figure 2.3 shows a suggested form for the first few actions agreed in Table 2.2. However, the tendency today is to write up the notes in more detail than in the past, in the style of Table 2.2 rather than that of Figure 2.3, so that the company can demonstrate, if necessary, that it has done everything reasonably possible to identify the hazards.
Some companies consider that all Hazops should be written up in great detail. If the design is queried in the future, the Hazop records can be consulted. There is some force in the argument but the extra work is considerable and, in practice, most Hazop reports are rarely, if ever, consulted once the plant is on line.
A number of computer programs are now available for recording the results of Hazop studies as they arise. Copies of the actions agreed and the reasons for them are available immediately after the meeting, without rewriting or retyping. The display can be projected onto a large screen, so that all the team members can see it and can confirm that they agree with the decisions. The programs also remind the team of the deviations to be considered and their usual causes. A survey in 1995 in the UK showed that about half the companies questioned were using computerized recording and the number is growing. Table 2.4 (page 26) shows some of the factors to be considered when choosing a program. Turney (Reference 32) says that these programs produce more effective meetings, more accurate action lists (and thus quicker action) and fewer misunderstandings (see also Section 2.6, page 37).
A few weeks after the Hazop the team leader should call the team together, check on progress made and recirculate the report form (Figure 2.3) with the 'Follow-up' column completed.
Although Hazop is a valuable technique, no-one jumps out of bed on a Monday morning shouting, 'Hooray! I've got a Hazop today!'. The need to consider every deviation on every line can become tedious. Beware of making it more so by bureaucratic procedures such as insisting on excessive recording or discussing everything twice (or three times) in the Hazop meeting and afterwards with the boss or the project team. There is a net loss if in our eagerness to document everything and explain it to everybody we discover less information worth documenting. If Hazop and similar systems are not acceptable to creative minds, they will never succeed.

Figure 2.3 Hazard and operability study action report

Study title:                                          Project No:
Prepared by: Independent Team Leader (IC)             Sheet 1 of:
Study team: Design Engineer (DE), Commissioning       Line Diagram Nos:
Manager (CM), Instrument Design Engineer (IDE),
Research Chemist (RC), Independent Team Leader (IC)

Study ref. no. | Operating deviation | Action notes and queries                                  | Action | Follow-up
               | No flow             | Ensure good communications with intermediate storage      |        |
               |                     | Install low level alarm on settling tank LIC              |        |
               |                     | Install kick-back on J1 pumps                             |        |
               |                     | Check design of J1 pump strainers                         |        |
               |                     | Institute regular patrolling and inspection of transfer line |     |
               | More flow           | Install high level alarm on LIC                           |        |
               |                     | Check sizing of relief valve opposite liquid overfilling  |        |
               |                     | Institute locking off procedure for LIC bypass when not in use |   |
               |                     | Extend J2 pump suction line to 12" above tank base        |        |

Table 2.4 Some factors to be considered when choosing a program for recording the results of Hazops
(Based in part on a list issued by the Safety and Loss Prevention Subject Group of the Institution of Chemical Engineers, January 1998)

Is it simple to use? How much training is required?
Is it well-proven?
What are the initial and ongoing costs?
What is the availability and quality of support?
Are updates available?
Is it compatible with other programs (including e-mail and internet)?
What other studies are included? (eg, FMEA, see Section 2.12 on page 56)
Can it be customized? (eg, can additional columns be added to indicate items which have to be reported to internal or external authorities?)
Does it include a comprehensive list of prompts?
How does it monitor actions and changes?
How are data on failure rates included? (for use in ranking probabilities)
Can it be linked to accident databases?
Does it have a spell-check facility?
Is it possible to carry out a free text search of reports?

2.3 When is a Hazop carried out and how long does it take?

A Hazop cannot be carried out before the line diagrams, complete with control instrumentation (that is, process and instrumentation diagrams), are complete. It should be carried out as soon as possible thereafter, before detailed design starts. The 'window of opportunity' is thus limited, so plan the meetings well in advance. It is no use waiting until the line diagrams are ready and then expecting the members of the team to be available.
If an existing plant is being studied the first step is to bring the line diagrams up to date or check that they are up to date. Carrying out a Hazop on an incorrect line diagram is the most useless occupation in the world. It is as effective as setting out on a journey with a railway timetable ten years out of date.
A Hazop usually takes 1.5-3 hours per main plant item (still, furnace, reactor, heater, and so on). If the plant is similar to an existing one it will take 1.5 hours per item but if the process is new it may take 3 hours per item. Inexperienced teams, of course, take longer than experienced ones. References 40 and 41 describe more sophisticated methods of estimating the time required.
Meetings are usually restricted to 3 hours, 2 or 3 days per week, to give the team time to attend to their other duties and because the imagination tires after 3 hours at a stretch. If the members of the team have to be gathered from a distance, longer periods of working, perhaps every morning for a week, may have to be accepted. Resist any temptation to work 8 or more hours per day for a week, as attention inevitably flags. It is the results of a Hazop that are important, not the number of hours spent on it.
The Hazop on a large project may take several months, even with two or three teams working in parallel on different sections of the plant. It is thus necessary to either:
(a) Hold up detailed design and construction until the Hazop is complete; or
(b) Allow detailed design and construction to go ahead and risk having to modify the detailed design or even alter the plant when the results of the Hazop are known.
Ideally, the design should be planned to allow time for (a) but if completion is urgent (b) may have to be accepted.
Section 2.7 (page 41) suggests that a preliminary Hazop is carried out on the flowsheet before detailed design starts. This will take much less time than the Hazop of the line diagrams.
Investigations of Hazop by a combined industry/university team showed that time spent on explanation at the start of a Hazop reduced the time spent on the Hazop itself. They also found that interesting or difficult cases can take excessive time and that inexperienced teams tend to be too rigid in their approach and that this causes delay. For example, teams usually discuss the possible causes of a deviation before they discuss the consequences, as if there is no possible cause the consequences do not matter. However, experienced teams are flexible and sometimes find it better to discuss the consequences

2.4 Some points to watch during Hazop

2.4.1 Don't get carried away

It is possible for a team to get carried away by enthusiasm and install expensive equipment to guard against unlikely hazards. The team leader can counter this by asking how often the hazard will occur and how serious the consequences will be. Sometimes the team leader may suggest a full hazard analysis, as described in Chapter 3, but more often a problem can be brought into perspective by just quoting a few figures or asking a team member to do so. How often have similar pumps leaked in the past? How often do flanged joints leak and how far do the leaks spread? How often do operators forget to close a valve when an alarm sounds? Section 2.9 (page 50) describes a five-minute Hazan carried out during a Hazop meeting. The most effective team leaders are trained in Hazan as well as Hazop.

2.4.2 Different sorts of actions

The team consists mainly of engineers. They like hardware solutions, but sometimes a hardware solution is impossible or too expensive and we have to make a change in methods or improve the training of the operators, that is, we change the software. We cannot spend our way out of every problem. Table 2.2 (pages 14-15) gives examples of software solutions as well as hardware ones. (See the notes on human error in Section 2.1 on page 12.)
Contractors, in particular, should choose solutions appropriate to the sophistication and experience of their client. It is no use installing elaborate trips if the client has neither the skill nor the will to use them. Look for less sophisticated solutions.
The actions agreed are normally changes (in equipment or procedures) to prevent deviations occurring (or to give protection against the consequences or to provide opportunities for recovery), not actions to deal with the results of the deviation (such as handling a leak or fighting a fire). I have known Hazop teams merely decide what they would do if a leak occurred, not how they would prevent it. While we should consider how we deal with those leaks that occur despite our efforts, the main emphasis in a Hazop should be on

2.4.3 Modifications

When Hazop team members approve a design they are approving what they see on the drawings in front of them. If the design is changed, either before construction or on the completed plant, then the approval is no longer valid. All modifications should therefore be Hazoped before they take place and then inspected after completion to make sure that they have been carried out correctly and look right. What does not look right is usually not right and should at least be checked.
For example, during a shutdown a heat exchanger was found to be so dirty that it could not be cleaned in the time available. It was therefore decided to bypass it until the next shutdown. Figure 2.4 shows the bypass pipework. The large horizontal pipe bypasses the tubes and the inverted U bypasses the shell. Shortly before start-up the senior engineer on the site had a final look round. Something did not look right. What? The answer is on page 30.
Many people believe that Hazop is unsuitable for small modifications because it is difficult to assemble a team every time we wish to install a new valve or sample point or raise the operating temperature. However, many accidents have occurred because modifications had unforeseen and unpleasant side-effects (References 3, 4 and 43). If proposals are not 'Hazoped', therefore, they should still be thoroughly probed before they are authorized. A guide sheet for helping us to do this is shown in Table 2.5 (pages 31-32).
Do not overlook the following modifications:
temporary modifications as well as permanent ones;
start-up modifications as well as those on established plants;
cheap modifications as well as expensive ones;
modifications to procedures, process materials or operating conditions, as well as modifications to equipment.
Reference 44 includes tables, similar to Table 2.5, for examining changes to process materials and procedures. Reference 45 describes an alternative
Figure 2.4 Does this equipment look right? If not, what is wrong? (drawing not reproduced)

What was wrong with the equipment shown in Figure 2.4
Before the shutdown the heat exchanger sat on the floor and supported the large pipes leading to and from the tubes. Now these pipes have to support the large horizontal pipe which has replaced the tube side of the heat exchanger. This will subject the connecting pipes to a downward thrust that they were not designed to take. There is an isometric drawing in Reference 3.

If the effects of a modification are not realized beforehand, then further modifications may be needed later. A modification that has not been thoroughly thought through can result in a chain of further modifications during the subsequent months, possibly in distant parts of the plant (Reference 46).

2.4.4 'We don't need a Hazop. We employ good people and rely on their knowledge and experience'

A Hazop is no substitute for knowledge and experience. It is not a sausage machine which consumes line diagrams and produces lists of modifications. It merely harnesses the knowledge and experience of the team in a systematic and concerted way. Because designs are so complicated the team members cannot apply their knowledge and experience without this crutch for their thinking. If the team lacks knowledge and experience the Hazop will produce nothing worthwhile.
'Good people' sometimes work in isolation. Pegram writes, 'working independently, the solving of a problem by one discipline can become a problem of another' and 'low cost engineering solutions from one point of view may not necessarily end up as overall low cost' (Reference 22). Hazop ensures that hazards and operating problems are considered systematically by people from different functions working together. Experience shows that start-up, shutdown and other abnormal conditions are often overlooked by functional groups working in isolation. For an example, see Section A2.10.4, page 74.
The opposite of the heading to this section is the belief that good systems can be a substitute for good people. All that systems can do, however, is ensure that people's knowledge and experience are applied systematically and thus reduce the chance that something is missed. If people lack knowledge or experience (or commitment) then systems such as Hazop are empty shells. People will go through the motions but the output will be poor. Good people without a system will achieve less than their full potential, but if people lack knowledge and experience then systems will achieve nothing. This is a particular danger at


Table 2.5 A procedure for safety assessment of modifications (from Reference 3)
A possible extra question is 'What is the worst thing that can go wrong?'

Reg. No.:

Underline those factors that have been changed by the proposal

Process conditions
    flash point
    reaction conditions
Operating methods
    preparation for maintenance
    abnormal operation
    emergency operation
    layout and positioning of controls and instruments
    trip and alarm testing
    maintenance procedures
Safety equipment
    fire-fighting and detection systems
    safety equipment for personnel
Environmental conditions
    liquid effluent
    solid effluent
Engineering hardware and design
    line diagram
    plant layout
    materials of construction
    loads on, or strength of: foundations, structures, vessels
    temporary or permanent: valves, slip-plates, restriction plates, filters
    instrumentation and control systems
    trips and alarms
    lightning protection
    rate of corrosion
    rate of erosion
    isolation for maintenance
    fire protection of cables
    access for: operation, maintenance, vehicles, plant, fire-fighting

(Continued overleaf)

Within the categories listed below, does the proposal:
(Columns: Yes or no | What problems are created affecting plant and/or personnel safety? | Recommended action? | Dated)

Relief and blowdown
(1) Introduce or alter any potential cause of over/underpressuring the system or part of it?
(2) Introduce or alter any potential cause of higher or lower temperature in the system or part of it?
(3) Introduce a risk of creating a vacuum in the system or part of it?
(4) In any way affect equipment already installed for the purpose of preventing or minimizing over or under pressure?

Area classification
(5) Introduce or alter the location of potential leaks of flammable material?
(6) Alter the chemical composition or the physical properties of the process material?
(7) Introduce new or alter existing electrical equipment?

Safety equipment
(8) Require the provision of additional safety equipment?
(9) Affect existing safety equipment?

Operation and design
(10) Introduce new or alter existing hardware?
(11) Require consideration of the relevant Codes of Practice and Specifications?
(12) Affect the process or equipment upstream
or downstreamofthe change?

(13) Affectsafe access for personnel and places of work and safe layout?
(14) Require resision of equipmentinspection

(IS) Affect any existingtripor alarm system or

require additionaltrip oralarm protection?
(16) Aft)ct the reactionstability or
controllabilityof the process?
(17) Affect existing operatingor maintenance
procedures or require ness procedures?
I8) Alter the coniposiIion ol. or means of
disposal of, eflinent?
(19) Alter noise levels?
Safety assessor
Checked by



Plant Manager

Checked by



a time when companies are reducing manning and the over-tfties are looked
upon as expenses to be eliminated rather than assets in which thirty years'
salary has been invested. Seniormanagers should systematically assess, from
time to time, the levels of knowledge and experience needed and ensure that
they are maintained. This is an area where systematic methods have not been
applied as thoroughly as elsewhere. In the UK the Health and Safety Executive
has recently instructed a major company to set up a formal systemfor controlling changesto its organization.
2.4.5 'Do it for us'
Companies have been known to say to a design contractor, 'We are understaffed and you are the experts, so why don't you do the Hazop for us?'23.
The client should be involved as well as the contractor because the client will have to operate the plant. The Hazop gives the client's staff an understanding of the reasons for various design features and helps them write the operating instructions. Even if the client's staff know little to start with about the problems specific to the particular process, they will be able to apply general chemical engineering and scientific knowledge as well as common sense knowledge (see Section 2.6, page 38). Writing in a different context, Pegram says, '... The only effective team is one that owns the problem. The team must therefore comprise the individuals who are responsible for implementing the results of the study, not an external group of experts'22. The actions agreed at a Hazop include changes in procedures as well as changes to equipment (see Section 2.4.2, page 28) and while the contractor is responsible for the latter, the client is responsible for the former. (In addition, Section 2.13 on page 56 contains a note on the less obvious benefits of Hazop.)
2.4.6 Knock-on effects
When a change in design (or operating conditions) is made during a Hazop, it may have effects elsewhere in the plant, including the sections already studied. For example, during a Hazop the team decided to connect an alternative cooling water supply to a heat exchanger. The original water supply was clean but the alternative was contaminated, and so the team had to change the grade of steel used for the heat exchanger and connecting lines. It also had to consider the effects of reverse flow in the original lines24.
2.4.7 'Leave it until the Hazop'
Design engineers have been known to say, when someone suggests a change in design, 'Don't bother me now. We'll be having a Hazop later on. Let's talk about it then'.
This is the wrong approach. A Hazop is a final check on a basically sound design to make sure that no unforeseen effects have been overlooked. It should not replace the normal consultations and discussions that take place while a design is being developed. A Hazop meeting is not the right place for redesigning the plant; there are too many people present and it distracts from the main purpose of the meeting, which is the critical examination of the design on the table9.
2.4.8 Just look at deviations from design standards
One company has tried to simplify Hazop by just looking for deviations from its design codes and standards. This may be OK if there is little or no innovation, but if there is innovation (and there usually is some) the existing codes may not cover the new circumstances. For example, a hydraulic crane tried to lift a load that was too heavy for the fully extended jib and fell onto the plant; no alarm sounded. The crane was fitted with all the alarms required by the current codes and they were all in working order. However, the codes were written for mechanical strut cranes. Hydraulic cranes have an extra degree of freedom (the length of the jib can be changed) and therefore an extra alarm is needed, but no-one had realized this47.

2.4.9 Relevance
Though the members of a Hazop team have the necessary knowledge they may fail to see its relevance. Thus, they may not realize that an open vent on a vessel is, in effect, a relief valve and should be treated with the same respect. Its size should not be altered unless we have gone through the same procedure as we would go through before changing the size of a relief valve, and it should be registered for regular inspection. Another example: chimneys are commonplace and we all know how they work, but we sometimes fail to recognize that an open drain and an open vent on the same unit may produce an upward flow of air, in effect a chimney48.
Leathley and Nicholls suggest that presenting case studies (sometimes from unrelated industries) before a Hazop can widen the team's view of what might happen and encourage wider thinking49.

2.5 An example of a Hazop

Table 2.2 (pages 14-15) gives the results of a Hazop on the plant shown in Figure 2.2 (pages 16-17). It shows the feed section of a proposed olefin dimerization unit and details are as follows.

An alkene/alkane fraction containing small amounts of suspended water is continuously pumped from a bulk intermediate storage tank via a 1 km (half-mile) pipeline into a buffer/settling tank where residual water is settled out. The alkene/alkane mixture then passes via a feed/product heat exchanger and preheater to the reaction section. The water, which has an adverse effect on the dimerization catalyst, is run off manually from the settling tank at intervals. Residence time in the reaction section must be held within closely defined limits to ensure adequate conversion of the alkene but to avoid excessive formation of polymer.

This design has proved valuable as a training exercise as it provides examples of many different aspects of Hazop and may also introduce students to a number of chemical engineering points that they have not previously met, as shown by the following notes. The item numbers refer to the 'Possible causes' column of Table 2.2 and the letters to the 'Action required' column.

(1) Right at the start we see that the first two actions required are a software one and a hardware one, thus emphasizing that Hazop is not just concerned with the hardware. This first item brought the commissioning manager's attention to the fact that his raw material came from a storage area 1 km away controlled by a different manager and operators who did not have to cope with the results of a loss of feed. Whose job was it to monitor the stock and see that it did not run out? Although the storage operator was on the job, the plant operators had more incentive as they had to deal with the consequences if the stock runs out.
Note that a deviation in one line may produce consequences elsewhere in the plant. Thus 'no flow' in the line we are studying in this example may have effects further on in the plant, in the line leading to the reactor, where 'no flow' may result in higher temperatures and the formation of polymer. In a batch process a deviation at one stage may have consequences at a later stage (see Section A2.9, page 71).

(1)(b) A low flow alarm might be installed instead of a low level alarm but it is better to measure directly what we want to know, and the low level alarm is
(3)(c) Note that a kick-back line is shown after pump J2 on the next line to be studied. A kick-back is cheaper than a high-temperature trip and requires less maintenance. Students should be reminded that the lifetime cost of an instrument is about twice the capital cost (after discounting) if testing and maintenance are included. Instruments (and computers) cost twice what you think they will cost. In addition, management effort is needed to make sure that the testing and maintenance are carried out.
(4) Line fracture is unlikely but serious. How far should we go in taking precautions? This item can produce a lively debate between those who wish to ignore the problem and those who want leak detectors, emergency isolation valves, etc. The action agreed is a compromise.
(5)(f) This illustrates the need, in sizing relief valves, to ask whether they have to pass gas or liquid.
(5)(g) Locking-off the bypass makes it harder to open it quickly if the control valve fails shut. Do we need a bypass? How often will the control valve fail
(5)(h) The team members might have decided that they wished to increase the size of the buffer/settling tank, originally sufficient for 20 minutes settling time but reduced by the action proposed. If so, they might have found that it was too late to do so as the vessel was on the critical path and had already been ordered. Section 2.7 (page 41) recommends a preliminary Hazop on the flowsheet at a time when such changes can be made.
(6) This item introduces students to liquid hammer, which they may not have met before.
Note that we often have more than one chance to pick up a hazard. When discussing 'no flow' [item (3)] the team members realized that line blockage would cause a rise in pressure but they decided to leave discussion of the consequences until they came to the deviation 'more pressure'. If they had not realized, when discussing item (3), that line blockage could cause a rise in pressure, then they had another opportunity to do so later. Sections 2.8.4 and A2.8 (pages 50 and 67) describe other examples.

(9) Some drains in Figure 2.2 are shown blanked, others not. All drains should be blanked unless used regularly by the process team.
(11) Regular draining of the intermediate storage tank will prevent gross amounts of water going forward to the settling tank. Can we not rely on the storage operator? Is a high interface alarm necessary? On the other hand, excess water will damage the catalyst. It is unwise to rely for its removal on a man in another plant who may not realize its importance and does not have to handle the consequences if the water goes forward.
An automatic controller to remove water, operated by the interface level indicator, is not recommended as if it fails oil will flow to drain and may not be
(12) Have the distillation columns been designed for a particular concentration of lower alkanes and alkenes (and a particular alkane/alkene ratio) or a range of concentrations? If the former, what will be the effect of changes in concentration and ratio on throughput and performance? This item brings home to students that in designing equipment they should always ask what departure from flowsheet can be expected and estimate the effects on their design.
Reference 5 gives the results of a Hazop of a second line in the dimerization unit. Other examples of Hazops can be found in References 6, 7, 8, 10, 13 and 14. The examples described in References 7 and 8 are rather complex for a first exercise but those described in References 6, 13 and 14 should be suitable. Reference 6 deals with a plant in which a gas stream is heated and then passes to a compressor suction catchpot which is fitted with a high level alarm and a high level trip. Reference 13 studies a system for heating refrigerated propane before pumping it down a long mild steel pipeline to a receiving plant. The reliability of the heating system must be high or the pipeline may get too cold and become brittle. Reference 14 studies a nitric acid plant, and Reference 10 laboratory design.
Reference 7 describes a study on a complex, highly-instrumented system for preventing reverse flow while Reference 8, part of an Institution of Chemical Engineers model design project, describes a system of several reactors fitted with remotely-operated changeover valves.
Roach and Lees9 and Jefferson et al42 have analysed the activities that take place during a Hazop.

2.6 Could a computer carry out a Hazop?

Computers can certainly be used as an aid in Hazop studies. Programs are available for recording the results of studies (see Section 2.2, page 24), and the programs can also remind teams of the possible causes of various deviations and possible remedies so that they are less likely to overlook them. Thus if the team is considering 'no flow' in a pipeline, the computer can remind them that possible causes are an empty suction vessel, a pump failure (which in turn could be due to failure of the power supply, the motor, the coupling or the pump itself), a blockage, a closed valve, a slip-plate, a broken pipe or high pressure in the delivery vessel. Pitt et al50 have devised a procedure for calculating the effects of deviations. However, these programs are not what people mean when they ask the question about computers and a Hazop. They are asking if the computer could examine the line diagram, say what deviations can occur, and why, and suggest changes to the design or method of operation, perhaps using an expert system. Before answering this question, two points should be considered.
The first is that Hazop is a creative exercise and those who are best at it are people who can let their minds go free and think of all the possible ways in which deviations might occur and possible methods of prevention and control (see Section 2.2, page 20). To quote from a book on artificial intelligence25:
'... these sort of techniques ... may eventually produce machines with a capacity for manipulating logical rules that will match, or even exceed, our own. But logic is just one aspect of human intelligence, and one whose importance can easily be overrated. For ... factors such as intuition and flair play a very large part in our thinking, even in areas like science where logic ostensibly reigns supreme. For example, most of the scientists who have recounted how they came to make an important discovery or to achieve a significant breakthrough have stressed that when they found the answer to the crucial problem they intuitively recognised it to be right and only subsequently went back and worked out why it was right.'
The second point is that the knowledge used in a Hazop is 'broad and deep' while expert systems are suitable only for 'narrow and deep' knowledge26.
The knowledge used in a Hazop can be divided into four types26 (see Figure 2.5). The following examples of each type are taken from the Hazop of the dimerization plant described in Section 2.5:
Plant-specific knowledge
For example: the monomer may polymerize if it is kept too long at reaction temperature. It should be possible to put this knowledge into an expert system but the information would be useful for one study only (and perhaps for later studies of plant extensions or modifications).
General process engineering knowledge
For example: a pump pumping against a dead head will overheat and this may lead to gland failure, a leak and a fire; if the residence time in a settler falls, settling may be incomplete. It should be possible in theory to put this knowledge into an expert system but the task would be enormous: a vast amount of knowledge would have to be incorporated, much of it 'good engineering practice' which is not usually written down. Expert systems are most suitable for restricted subject areas (knowledge domains). Furthermore, engineers 'know what they don't know': they know (or should know) the limitations of their knowledge and when they ought to call in an expert. It would be difficult to incorporate this 'negative knowledge' into an expert system. An expert system could be used during Hazop to answer questions on, say, corrosion to avoid calling in a corrosion expert, but only the team members can tell that they are getting out of their depth and that it is time to call in the expert (human or

Figure 2.5 Types of knowledge. Diagram labels: plant specific (the easiest to put into an expert system but not worth the effort as it would be used so little); general process engineering; everyday (common sense); arrow: difficulty of putting into an expert system increases.

General scientific knowledge
For example: water may freeze if the temperature falls below 0°C; if a closed system full of liquid is heated, the pressure will rise. The difficulty of putting the knowledge into an expert system is even greater than for general process engineering knowledge.
Everyday or common sense knowledge
For example: if a line is broken, the contents will leak out; the men who have to cope with the effects of plant upsets are more likely than other men to take action to prevent them; a man cannot hear the telephone if he is out of earshot. The difficulties here are greater still and may be beyond the power of any expert system. To quote from Reference 25 again:
'The knowledge employed by an expert, unlike the commonplace, casually acquired knowledge we rely on in our everyday affairs, is likely to be formalized, codifiable and, above all, already fitted into a deductive framework. The reasoning processes employed by a doctor making a diagnosis, an engineer analysing a design or a lawyer preparing a brief are, in other words, much more nearly analogous to a computer running a program than the vague and ill-defined sort of reasoning we engage in when we think about more mundane
In Hazop we are concerned with mundane matters as well as purely technical ones, as Section 2.5 shows (page 35).
Despite these difficulties, attempts have been made to computerize the identification of deviations, their causes and their consequences and the assessment of the precautions taken. For example, Venkatasubramanian and Vaidhyanathan51 and Wakeman et al52 have described computer Hazops of the dimerization unit described in Sections 2.1 and 2.5. Taking the deviation 'no flow' as an example, the programs found the same causes as in the original study (suction tank empty, pump fails, line blockage and line rupture) and the same consequences (pump overheats and possibly leaks, loss of feed to reaction section with consequent overheating and formation of polymer). In the original study the discussion of the first cause (suction tank empty) drew the plant manager's attention to the fact that the raw material came from a storage area 1 km away controlled by a different manager and by operators who would not have to cope with the results of a loss of supply. He decided that he could not trust them to monitor the stock and would have to make his own team responsible. Someone in the Hazop team pointed out that the solitary storage area operator on duty at any one time was often out of earshot of his telephone and alarms; should the new plant supply him with a radio? The discussion of these facts at the original Hazop is summed up in Table 2.1 by the action, 'Ensure good communication with the intermediate storage operator'. Software has a long way to go before it can uncover the facts that lie behind this statement! (Plant manager is used in the UK sense, equivalent to supervisor in the USA.)
Wakeman et al52 are commendably frank about the limitations and objectives of their program, called Auto-HAZID. Their paper lists problems rather than solutions. Auto-HAZID is not intended to replace the Hazop meeting but to save time by producing a list of problems for consideration at the meeting. The problems identified are those that arise out of the failure of equipment or interactions between items of equipment, not those that arise out of interactions between people. So hazard teams are unlikely to become redundant in the foreseeable future.
So far there has been little industrial experience of these techniques, but industry has been involved in their development.
During a Hazop study, particularly when the technology is new to the team, someone often half-remembers a hazard. It would be useful to be able to call up details of hazards, of accidents which they have caused and of the actions recommended to prevent a recurrence. Although computerized databases are available they suffer from a common weakness: they are either go or no-go, that is, they find a precise match with the chosen keywords or they do not. To overcome this Chung et al are developing a fuzzy search tool which uses case-based reasoning. The key words are arranged in hierarchies resembling family trees. If the program cannot find a precise match it looks for matches with the parents or siblings of the keywords and, if that is unsuccessful, with more distant relatives. For example, suppose we wish to find information on the road transport of sulphuric acid. If no match can be found, the program will look for matches with the rail transport of sulphuric acid, with its transport by any means, or with the road transport (or just transport) of other acids, or for their storage. If these searches fail it might look for the transport of corrosive chemicals or their storage.
The program is not intended merely, or even primarily, for use by Hazop teams. It could be used by designers, by anyone looking for information and, in a somewhat different form, by process operators. In this case information would be displayed automatically when hazardous conditions are
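The widening search described above, shown as an added example (it is not the program of Chung et al, whose code the book does not give). Each keyword is placed in a family tree by naming its parent; the distance between two terms counts the generalisation steps up to their nearest common ancestor, so an exact match scores 0, a parent or child 1, a sibling or grandparent 2, and more distant relatives more. A plain keyword lookup is kept beside it to show the go or no-go behaviour the text complains of. The taxonomy, the record titles and their keywords are all constructed for this illustration, not real incident data.

```python
"""Hierarchical keyword search over a small hazard-record database.

Added example illustrating the widening search strategy described in
Section 2.6; not the program of Chung et al.  The taxonomy, the records
and their keywords are constructed for this illustration.
"""
from dataclasses import dataclass

# Taxonomy: each keyword maps to its parent (a "family tree").  Constructed.
PARENT = {
    "sulphuric acid": "acid",
    "nitric acid": "acid",
    "acid": "corrosive chemical",
    "caustic soda": "corrosive chemical",
    "corrosive chemical": "chemical",
    "road transport": "transport",
    "rail transport": "transport",
    "transport": "handling",
    "storage": "handling",
}


def ancestors(term):
    """[term, parent, grandparent, ...] up to the root of its tree."""
    chain = [term]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def distance(query_term, record_term):
    """Generalisation steps separating two terms: 0 identical, 1 parent or
    child, 2 siblings or grandparent, and so on.  None if the terms share
    no ancestor (they sit in unrelated trees)."""
    query_chain = ancestors(query_term)
    record_chain = ancestors(record_term)
    for up_from_query, node in enumerate(query_chain):
        if node in record_chain:
            return up_from_query + record_chain.index(node)
    return None


@dataclass(frozen=True)
class Record:
    title: str
    keywords: frozenset


# Constructed sample entries, not real incident data.
RECORDS = [
    Record("Rail tanker of sulphuric acid: discharge hose failure",
           frozenset({"rail transport", "sulphuric acid"})),
    Record("Road tanker of nitric acid: overfilling during loading",
           frozenset({"road transport", "nitric acid"})),
    Record("Caustic soda tank: corrosion of carbon steel floor",
           frozenset({"storage", "caustic soda"})),
    Record("Corrosive chemicals in transit: inadequate labelling",
           frozenset({"transport", "corrosive chemical"})),
]


def record_distance(query, record):
    """Sum, over the query terms, of the distance to the nearest record
    keyword; None if some query term has no relative at all in the record."""
    total = 0
    for term in query:
        candidates = [d for d in (distance(term, k) for k in record.keywords)
                      if d is not None]
        if not candidates:
            return None
        total += min(candidates)
    return total


def exact_matches(query, records=RECORDS):
    """The go or no-go behaviour of a plain keyword database: every query
    term must appear verbatim among the record's keywords."""
    return [r.title for r in records if query <= r.keywords]


def search(query, records=RECORDS):
    """Rank records by taxonomy distance, nearest first.  Widening happens
    automatically: exact matches (0) come before parents/children (1),
    then siblings and grandparents (2), then more distant relatives."""
    scored = []
    for r in records:
        d = record_distance(query, r)
        if d is not None:
            scored.append((d, r.title))
    return sorted(scored)


if __name__ == "__main__":
    q = frozenset({"road transport", "sulphuric acid"})
    print("exact:", exact_matches(q))   # nothing: the no-go case
    for d, title in search(q):          # widened results, nearest first
        print(d, title)
```

For the query 'road transport of sulphuric acid' the exact lookup returns nothing, while the ranked search puts the rail transport of sulphuric acid and the road transport of nitric acid first (both two steps away), then corrosive chemicals in transit, and the caustic soda storage record last. Because the distance is a plain path length, a sibling and a grandparent tie; a practitioner would weight the edges or cap the distance so that very remote relatives are not offered at all.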

2.7 The limitations of Hazop (see also Section A2.10, page 72)

Hazop cannot, of course, detect every weakness in design. In particular, it cannot draw attention to weaknesses in layout. It will also miss hazards due to leaks on lines that pass through or close to a unit but carry a material that is not used on that unit. This can be overcome by using an additional guide word
Hazop assumes that the design assumptions are followed during construction and operation. If, say, the wrong material of construction is used or equipment is not tested as assumed, then problems may result. Hazop teams may, of course, draw attention to circumstances where special measures should be taken to ensure that the right materials are used or tests carried out, and may question the wisdom of including equipment such as bypasses around trip valves or isolation valves below relief valves.


Hazop as described above is carried out late in design. It brings hazards and operating problems to light at a time when they can be put right with an india-rubber rather than a welding set, but at a time when it is too late to make fundamental changes in design.
For example, referring to Section 2.5, note (12) (page 37), the Hazop might bring to light the fact that the concentration of light ends might vary markedly from design and that the still should be redesigned to allow for this. It is probably too late to do this; the still may have already been ordered. Section 2.5, note (5)(h) (page 36), contains another example: by the time of the Hazop it may have been too late to increase the size of the settling tank.
Such problems can be picked up earlier if a preliminary or 'coarse-scale' Hazop is carried out on the flowsheet before it is passed to the engineering department for detailed design, a year or more before the line diagrams are available. Like a normal Hazop it can be applied to continuous and batch

The following are some of the points brought out in a preliminary Hazop of the design for a batch reactor, followed by a stripping section in which an excess of one reactant is removed under vacuum.
If the reactor is overfilled it overflows into a pot which is fitted with a high level alarm. Why not fit the high level alarm on the reactor and dispense with the pot?
What would it cost to design the reactor to withstand the vacuum produced by the stripper, thus avoiding the need for a vacuum relief valve which would allow air to be sucked into the reactor, producing a flammable mixture?
Why do we need two filters per reactor? Will a change in type allow us to manage with one?
By suitable choice of bottoms pump, can we reduce the height of the stripper above ground level and thus reduce the cost of the structure?
Can the heat exchangers be designed to withstand the maximum pressures that can be developed under all but fire conditions, thus avoiding the need for
A material proposed for removal of colour may be unsuitable on toxicological grounds.
These are just a few of the 66 points that came up during three three-hour meetings. Many of the points would have come up in any case but without a Hazop many might have been missed or might not have come up until it was too late to change the design.
While the results of several line diagram Hazops have been described in detail (see the list at the end of Section 2.5, page 37), very few flowsheet Hazops have been described in the same way. Table 2.6 (pages 44-45) lists some of the
that came out of a coarse-scale Hazop of the polyethylene plant shown in Figure 2.6. Ethylene at 1500 bar and 175°C is fed, with a reaction initiator, into the reactor where 15-25% of it polymerizes. A cooling jacket removes the heat of reaction. The product is separated from the unconverted gas in two separators and the gas is recycled56. As with the dimerization unit discussed in Section 2.5, you may feel that the recommendations go too far or not far enough. Reference 15 describes many changes that have been made as a result of flowsheet Hazops and References 11 and 12 describe two early studies of flowsheets using critical examination (see Section 7.1, page 203) rather than

Figure 2.6 Simplified diagram of a polyethylene plant
(Reproduced by permission of the National Institute of Occupational Safety and Health)


Table 2.6 Part of a coarse-scale Hazop of a polyethylene plant
(Reproduced by permission of the National Institute of Occupational Safety and Health)

Columns: Guide word | Deviation | Causes | Consequences | Action

Parameter: Reactor temperature
MORE | More temperature | Coolant pump to reactor fails; coolant temperature high | Runaway reaction in reactor | Provide temperature control; provide high temperature sensor/alarm; provide pressure relief valve with automatic feed from temperature control system; provide spare coolant pump; use heat exchanger temperature control to adjust inlet cooler temperature
LESS | Less temperature | Coolant temperature low | Poor or no reaction; poor quality product | Provide temperature monitoring in reactor; use heat exchanger to adjust inlet coolant

Parameter: Flow rate of ethylene, polyethylene and initiator
NO (polyethylene) | No flow | Melt pump 1 fails | Level build-up in reactor | Provide level control in reactor with automatic flow through a spare pump
LESS (ethylene) | Less flow | Make-up and recycle gas compressor failure | System upset; product quality affected; system shutdown | Provide a spare compressor with automatic switch from the failed compressor
MORE (initiator) | More flow | Initiator pump malfunction | More polymerization; possibility of runaway conditions; product quality | Provide adequate flow controls on both initiator and monomer lines to maintain the desired initiator to monomer ratio
LESS | Less flow | | Less polymerization; imbalance affects downstream equipment such as heat exchangers | Provide flow controllers on ethylene and

There is an important difference between an ordinary Hazop and a coarse-scale Hazop of a flowsheet. In an ordinary Hazop deviations from design are considered undesirable. We look for causes of deviations and ways of preventing them. In coarse-scale Hazop, however, we are also trying to generate alternatives. In considering, say, 'more of' temperature, we do not just ask if it can occur and if it would be undesirable but we also ask if it might not be better to operate at higher temperatures. Some Hazop teams always question the adequacy of the design parameters.
designed to generate deviations was developed from a technique, critical examination, which was designed to generate alternatives. To generate alternatives we may therefore need to go back to something akin to the original technique. In particular, we may need an extra guide word, AVOID (the need). Table 2.7 (from Reference 11) is an extract from an early critical examination of a flowsheet.
Even a coarse-scale Hazop is too late for some major changes in plant design. A similar type of study is needed at the conceptual or business analysis stage when we decide which product to make, by what route and where to locate the plant. For example, at Bhopal in 1984 an intermediate, methyl isocyanate (MIC), leaked out of a large continuous plant and killed over 2000 people. If the same raw materials are allowed to react in a different order, no MIC is produced. It is too late to suggest at the flowsheet stage that the order of reaction, on a continuous plant, should be changed. That decision has to be made right at the beginning of the design process (see also Section A2.2, page
Alternatively, if we use the MIC route we can reduce or eliminate the intermediate stock and use the MIC as soon as it is formed. The decision to do so can be made at any time, even when the plant is on line, but money will be saved if the decision is made early in design.

Table 2.7 An extract from the critical examination of a flowsheet showing the generation of alternatives by successive questioning
(From Reference 11)
Statement: Design a distillation column

Columns: Successive questions and answers | Alternative ideas generated
To separate A from B. | (i) Separate them some other way, eg, fractional crystallization; (ii) Don't separate them at all
Because the recycle reactor won't crack A mixed with B. | (i) Find an alternative market which will take A and B; (ii) Change the process so we don't make B
Because the furnace temperature isn't | (i) Change the reactor conditions so that A and B can be cracked
Because tube materials won't stand a | (i) Find another tube material to stand higher temperatures; (ii) Find catalyst to permit cracking at

Could we go further? Would a different insecticide be safer to manufacture
than the one made at Bhopal? Instead of manufacturing an insecticide could we
develop insect-resistant plants or use natural predators? I am not saying we
should; only that such questions might be asked.
A theologian27 once said, '... all great controversies depend on both sides
sharing a false premise'. In controversies about whether or not to spend money
on a particular safety proposal, the design engineer may think he has gone far
enough and the commissioning manager may disagree. The common false
premise is the belief that we have to spend money to increase safety. If safety
studies are made early in design this may not be the case: plants can be both
cheaper and safer15, for two reasons: (1) if we can reduce the amount of
hazardous material in a plant or use a safer material instead we need less
added-on protective equipment; and (2) if we can reduce the amount of
hazardous material the plant will be smaller and therefore cheaper15. Plants in
which hazards have been avoided are inherently safe. Their safety does not
depend on protective equipment which might fail or be neglected. Their safety is
more robust.

A clever man has been described as one who finds ways out of an
unpleasant situation into which a wise man would never have got himself.
Wise men carry out safety studies early in design.
Of course, every company carries out many studies before embarking on a
design. What is lacking in most companies at the conceptual and flowsheet
stages of projects, however, is the systematic, formal, structured examination
which is characteristic of a Hazop. The normal Hazop questions are not
suitable at the conceptual stage but Chapter 10 of Reference 15 suggests some
alternatives. It also gives many examples of hazards that have been or could be
reduced or avoided by Hazop-type studies at the conceptual or flowsheet stages.
A nuisance during a conventional Hazop is the person who asks if the right
product is being made in the right way at the right place. It is by then far too
late to ask such questions. If the person asks them then, perhaps there was no
opportunity to ask them earlier.

2.8 'Do we need to Hazop this plant?' 'It is only a simple
project' or 'It is similar to the last one'

2.8.1 An example
So many of the things that go wrong occur on small, simple or repeat units
where people feel that the full treatment is unnecessary. 'It is only a storage
project and we have done many of these before!' 'It is only a pipeline and a
couple of pumps.' 'It is only a service system.'



Figure 2.7 Twelve points came out of a Hazop in this bit of plant
(line diagram; labels: Feed to distillation column; To later stages of plant; Used for start-up only)

If designers talk like this, suggest they try a Hazop and see what comes out
of it. After the first meeting or two they usually want to continue.
Figure 2.7 shows part of a line diagram on which the design team was
persuaded, somewhat reluctantly, to carry out a Hazop. Twelve points which had
been overlooked came out of the study. Here are four of them:
If the pump stops, reverse flow will occur through the kick-back line. The
non-return valve should be downstream of this line.
If the pump stops, reverse flow may occur through the start-up line. Should
there be a non-return valve in this line?
The restriction plate in the kick-back line might be replaced by a flow
controller to save power.
No provision has been made for slip-rings or spectacle plates so that the
pump can be isolated by slip-plates for maintenance.
The design team readily agreed to study the rest of the plant.
Similar studies have recommended the use of a length of narrow-bore line
instead of a restriction plate, as it is less easy to remove a length of line.

2.8.2 Another example

The tank shown in Figure 2.8 was being filled from another tank some distance
away. The pump used for emptying the tank was not running but its kick-back
line had been left open. When the tank was nearly full the high level trip closed
the valve in the filling line. The gauge pressure in the filling line rose to 20 bar
(300 psi) and burst the pump, which normally operated at a gauge pressure of 3
bar (45 psi).



Figure 2.8 When the automatic valve closed, the pump was overpressured
(line diagram; label: Line used for filling tank)

A Hazop had been carried out on the plant, but this section was not studied
as it was 'only an off-plot', a tank, a pump and a few valves, too simple for
any hazards to pass unnoticed, or so it was thought. Consideration of 'reverse
flow' through the kick-back line (or 'more of pressure' in the filling line)
would have disclosed the hazard.
After the incident the kick-back line was rerouted back to the tank.
2.8.3 Service systems
All service lines (including steam, water, compressed air, nitrogen and drain
lines) should be 'Hazoped' as well as process lines (see Sections A2.3 and A2.5,
pages 63 and 64). Pearson16 lists some of the questions which arise during
Hazops of service systems:

Should power supplies to equipment be duplicated?
Should equipment be duplicated or triplicated?
Should we use steam or electricity or a combination for pumps and
Should we provide automatic start for spare pumps?
Should we provide voltage protection for key equipment which must be
kept on line or restarted quickly?
In which order should equipment be restarted after a power failure?
Do we need emergency power supplies for lighting, communication equipment, and so on?
Should control valves fail open or shut or 'stay put'?
How will emergency equipment such as diesel generators be cooled if plant
cooling water is not available?




2.8.4 Small branches

Do not overlook small branches which may not have been given a line number.
For example, a tank was fitted with a tundish so that it could be dosed with
stabilizing chemicals. The effects of adding too much or too little additive (or
the wrong additive, or adding it at the wrong time) should obviously be considered during Hazop but might be overlooked if the team studied only lines with
line numbers. (On the other hand, they might have picked it up by considering
operations taking place inside a vessel, as suggested in Section 2.1 on page 12;
another example of the way in which Hazop often gives us a second chance24.)

2.9 The use of quantitative methods during Hazop

The following example shows how a quick calculation can resolve a difference
of opinion between the members of a Hazop team. It acts as a link to the next
chapter in which numerical methods are considered in more detail.
On a design a compressor suction catchpot was fitted with a level controller
and a high level trip to shut down the machine (Figure 2.9). The commissioning manager asked for a second independent trip because failure of the trip
could result in damage to the machine which would be expensive to repair. The


Figure 2.9 Do we need a second high level trip?
(line diagram; key: LZ High level trip; LC Level controller)



design engineer, responsible for controlling the cost, was opposed: this, he
said, would be gold-plating. A simple calculation (see Section 3.5 on page 105
for an explanation of the terms used) helped to resolve the conflict.
The trip will have a fail-danger rate of about once in two years. With
monthly testing the fractional dead time will be 0.02.
The demand rate results from the failure of the level controller. Experience
shows that a typical figure is once every two years or 0.5/year. A hazard will
therefore occur (0.5/year x 0.02 = 0.01/year) once in 100 years or, more precisely, there is a 1 in 100 chance
that it will occur in any one year or a 1 in 10 chance that it will occur during the
10-year life of the plant. Everyone agreed that this was too high.
They also saw that there was more than one way of reducing the hazard rate.
They could improve the control system and reduce the demand rate, or they
could improve the trip system and reduce the fractional dead time. It may not
be necessary to duplicate all the trip system; it may be sufficient to duplicate
the trip initiator.
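The catchpot calculation above, worked through in Python as an added example (not the book's own code). It assumes the standard approximations that Chapter 3 uses for a periodically tested trip (fractional dead time = fail-danger rate x test interval / 2, and (rate x interval)^2 / 3 for two initiators, either of which trips the machine); the alternative options are constructed to compare the two routes the team saw.

```python
import math


def fractional_dead_time(fail_danger_rate, test_interval):
    """Fraction of the time a single, periodically tested trip is failed
    without anyone knowing. Standard approximation FDT = lambda*T/2, valid
    while lambda*T is small: a fault arriving at a random point in the test
    interval stays hidden, on average, for half of that interval."""
    return fail_danger_rate * test_interval / 2.0


def fractional_dead_time_1oo2(fail_danger_rate, test_interval):
    """Two independent trip initiators, either of which shuts the machine
    down (1-out-of-2), both tested every T years: FDT = (lambda*T)**2 / 3.
    Common-cause failures are ignored, so the real figure is somewhat worse."""
    return (fail_danger_rate * test_interval) ** 2 / 3.0


def hazard_rate(demand_rate, fdt):
    """Hazards per year = demands per year x fraction of time protection is dead."""
    return demand_rate * fdt


def probability_within(years, rate):
    """Chance of at least one hazard in the given number of years, treating
    hazards as random (Poisson) events: 1 - exp(-rate*years). For small
    rate*years this is close to rate*years, which is the book's 1 in 10."""
    return 1.0 - math.exp(-rate * years)


def catchpot_study(demand_rate=0.5, fail_danger_rate=0.5,
                   test_interval=1 / 12, plant_life=10):
    """Reproduce the book's figures (defaults: demands and fail-danger both
    0.5/year, monthly testing) and compare the options for reducing the
    hazard rate. The option figures are constructed for illustration."""
    base_fdt = fractional_dead_time(fail_danger_rate, test_interval)
    base_rate = hazard_rate(demand_rate, base_fdt)
    options = {
        # Leave the trip alone; halve the demand rate by improving the
        # control loop (a constructed figure, used only to show the effect).
        "better level controller (demand 0.25/yr)":
            hazard_rate(demand_rate / 2, base_fdt),
        # Keep one trip but test it weekly instead of monthly.
        "weekly testing":
            hazard_rate(demand_rate,
                        fractional_dead_time(fail_danger_rate, 1 / 52)),
        # Duplicate only the trip initiator; monthly testing as before.
        "duplicated initiator (1oo2)":
            hazard_rate(demand_rate,
                        fractional_dead_time_1oo2(fail_danger_rate,
                                                  test_interval)),
    }
    return {
        "fdt": base_fdt,
        "hazard_rate_per_year": base_rate,
        "years_between_hazards": 1.0 / base_rate,
        "probability_in_life": probability_within(plant_life, base_rate),
        "options": options,
    }


if __name__ == "__main__":
    result = catchpot_study()
    print(f"fractional dead time   : {result['fdt']:.3f}")
    print(f"hazard rate            : {result['hazard_rate_per_year']:.4f}/year "
          f"(once in {result['years_between_hazards']:.0f} years)")
    print(f"chance in 10-year life : {result['probability_in_life']:.2f}")
    for name, rate in result["options"].items():
        print(f"  {name:42s}: once in {1 / rate:,.0f} years")
```

Duplicating the initiator reduces the hazard rate far more than halving the demand rate, which is why the team could stop short of duplicating the whole trip system.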
If the hazard under discussion is a runaway reaction, then quantification is
more difficult. A key question to ask, according to Stoessel57, is, 'If cooling is
lost, how long do we have before a runaway occurs?' If the time is less than 20
minutes, automatic protection is probably necessary. It may be necessary for a
longer timescale if the operator covers many units. Another key question is, 'If
a reaction mixture is left standing, and the cooling cannot prevent a runaway,
how long do we have before a runaway occurs?' If the time is less than a day an
alarm or automatic protection may be necessary.

2.10 The use of Hazop in other industries

Hazop was pioneered in the chemical industry (see Chapter 7) and soon spread
to the oil and pharmaceutical58 industries and later to food processing35,59, all
basically similar industries. In the food industry the emphasis has been on
identifying ways in which contamination could occur rather than other operating and safety problems. This section discusses some other applications.
In considering whether or not Hazop could be applied in a new context,
remember that Hazop grew out of critical examination (see Sections 2.7 and
7.1, pages 45 and 203) and that the original form of the technique may be more
suitable than the modification (Hazop) developed to meet the process industry's needs.
Hazop has been applied to laboratory design1 and to laboratory operations.
One study of a new operation disclosed the fact that the chemists intended to
convey cylinders of hydrogen cyanide to the top floor in the lift!


Hazop has also been applied to the manufacture of a product using genetically modified organisms (GMOs)28. A modification of Hazop known as
GENHAZ has been proposed for identifying ways in which GMOs might
affect the environment29. Table 2.8 is an extract from a hypothetical GENHAZ
study: the proposed experimental insertion into potatoes of an imaginary gene
(TP) that is toxic to a specific caterpillar. The study raises questions for investigation; they cannot be answered on the spot.

2.10.1 Mechanical hazards
Knowlton2 has described the application of Hazop to some mechanical problems. For example, a sterilization autoclave had to be loaded with a stack of
trays using a fork-lift truck. Application of the deviation 'more of' disclosed
that if the driver moved the load too far forward it could damage the rear wall
of the autoclave. Application of the deviation 'as well as' disclosed that if the
driver raised the load it could damage an instrument that measured the
humidity and perhaps also damage the roof.
Similarly, too rapid operation could cause spillage and led the team to ask
how spillages would be handled.

2.10.2 Nuclear power
The nuclear power industry was slow to adopt Hazop, preferring instead a
technique known as failure mode and effect analysis (FMEA) (see Section
2.11, page 54).
In Hazop we start with a deviation and ask how it might occur. For example,
'more of flow' in a pipeline might be caused by the failure of a flow controller.
There will probably be other possible causes as well (see Table 2.2, pages
14-15). In FMEA we start with a component and work out the consequences of
failure. If we start with the flow controller, one of the consequences of its
failure may be too high a flow in a pipeline. There will probably be other
consequences as well.
In the line diagram sense, the essentials of a nuclear reactor are relatively
simple: a hot core heats water. In this sense it is much simpler than the average
chemical plant. On the other hand, the nuclear reactor contains far more
protective equipment to prevent it getting out of control and to commission
emergency cooling systems, and so on. The obvious first approach of the
nuclear engineers was therefore to ask, 'What will happen if a component of
the protective systems fails?' and then examine each component in turn.
However, the cooling systems (normal and stand-by) and service lines on
nuclear power stations would benefit from Hazop and this is now recognized.


Table 2.8 An extract from a hypothetical GENHAZ study: the experimental
insertion into potatoes of an imaginary gene (TP) which is toxic to a specific caterpillar
(Reproduced by permission of the Royal Commission on Environmental Pollution)

Deviation: The TP gene might be expressed in another part of the plant
besides the leaves.
Consequences: (a) Other regions of the plant, apart from the leaves, might
become toxic to non-target organisms. For example:
  Roots and tubers: toxic to humans, soil organisms?
  Hairs: urticaceous if TP is in the plant hairs? Cultivated potatoes are not
  normally hairy but there is a wild hairy type which is highly pest resistant
  and is used in breeding.
  Pollen: would pollen containing TP be poisonous to bees or induce an
  allergic reaction in humans or other animals?
  Nectar: would nectar containing TP produce toxic honey?
(b) TP might concentrate in a tissue other than the leaves.
Cause: The TP gene and promoter might have mutated to be active in
another region of the plant.
Action: For consequences (a) and (b), consider:
  (i) What might come into contact with, or eat, the different parts of the plant.
  (ii) The mode of action of TP on both the target and non-target organisms,
  including humans.
  (iii) The toxicological information on proteins similar to TP.

Deviation: TP might be present in dead caterpillars.
Consequence: These caterpillars might be toxic to predators or decomposer
Cause: The caterpillars have ingested the leaves containing TP which is
lethally toxic to them.
Action: Consider this possibility and its implications.



2.10.3 Other activities

McElvey et al have applied Hazop to the use of liquid ammonia as a fertilizer
by farmers. Their 95 recommendations were addressed to several different
groups: equipment manufacturers, vendors and distributors as well as
Medical equipment seems an obvious field for the application of Hazop
(and other risk management methods) but little has been published. Some work
has been done on blood transfusion equipment61.
Hazop has been applied to defence systems, including a helicopter fault
warning system. Causes, consequences and recommendations are quoted for
25 deviations to 'data flow'62.
Tweeddale et al63 have applied a technique similar to Hazop to railways.
Government decisions often have unforeseen outcomes, the result of 'narrowness of view, impatience, unreflectiveness and self-delusion', according to
one writer64. Could Hazop help? Perhaps, but only if there is a willingness to
look more deeply at proposals.

2.11 Other methods of identification

This section discusses possible alternatives to Hazop for identifying hazards,
all of which are discussed in Lees. As discussed in Chapter 1, building the
plant and waiting to see what happens is no longer acceptable and check-lists
cannot spot new hazards. Failure mode and effect analysis (FMEA) was
described in Section 2.10.2 (page 52), which explained why Hazop is more
suitable for the process industries. Event tree analysis (ETA) is a variation on
FMEA. A weakness of FMEA and ETA is that they cannot detect those incidents which occur when equipment functions as required, but the requirement
(that is, the specification) is wrong. Safety and reliability are not the same. To
some extent this can also be true of Hazop, as Hazop teams normally assume,
when discussing, say, 'more of pressure', that the design pressure is adequate.
However, in practice, a team that discovers that 'more of pressure' and 'less of
pressure' are both hazardous is bound to ask if the design pressure is adequate.
Some teams always question the design pressure, temperature, and so on. And
some team leaders use 'Relief' as a backup guide word.
In computer-controlled plants specification errors are the major cause of
problems, as shown by the example in Section A2.6, page 65.
A flowsheet Hazop (Section 2.7, page 41) should discuss alternatives as
well as deviations and ask if the design pressure is the optimum one.
'What if' analysis is a sort of simplified FMEA; we ask what would be the
result of a limited number of major upsets such as failure of power, cooling
water, pumps, and so on. Some 'What if' analyses are more detailed. They ask,
for example, for each pipeline, what will be the result of more or less flow,
temperature, pressure, and so on. If we also ask, as we obviously should, if
these deviations are possible, then we have got a Hazop.
Fault trees (Section 3.5.9, page 113), mainly used as a method of estimating
the probability of an event, have sometimes been recommended for identifying
hazards. A fault tree is the reverse of an FMEA. In FMEA we start with a
component failure and deduce possible results. In a fault tree we start with a
'top event' such as a fire or explosion and work back to find the errors and
component failures that could lead to it. Its weakness as a method of identification is that we may not realize that certain top events can occur and therefore
not look for the routes to them. Fault trees tell us how top events occur but not
what top events can occur.
Audits and inspections are a necessary complement to Hazops because they
can tell us whether or not the plant is built, operated and maintained in accordance with the design assumptions. They are particularly necessary during and
after construction as the failure of construction teams to follow the design in
detail or to follow good engineering practice when details are left to them is a
major cause of incidents65. A weakness of many audits is that they check that
methods of working are sound and are followed but do not check that all the
hazards have been identified. Turney and Roff have described a 'process hazards
review' (PHR), a mixture of 'What if' and check-lists, which is designed to
overcome this. Many past incidents were studied to identify possible hazards.
Unlike many of the techniques described in the literature, over a hundred studies
had been carried out by the time their paper was published66.
Auditors are not policemen. Their job is to spot the hazards, physical and
procedural, that the plant staff have missed through lack of specialized knowledge, shortage of time or overfamiliarity.
STOPHAZ is a group of computer programs designed to bring hazards to
the attention of designers at an early stage and thus reduce the number of problems that are not discovered until a Hazop is carried out late in design67. It
includes Auto-HAZID, described in Section 2.6, page 37.
Several attempts have been made to compare the effectiveness of various
identification techniques. According to Turney and Pitblado, a study of past
incidents showed that Hazop could have prevented 29% of the design incidents
and 6% of the operational incidents, a higher proportion than any other technique. Reviews of human factors could have prevented 24% of the operational
incidents. Taylor69 has described an experiment in which two designs, one continuous and one batch, were examined in several
ways. Hazop found 80% of the
faults on the continuous plant but only 22% of those on the batch plant.
However, his batch Hazop did not include consideration of the deviations
listed in Section 2.1.1 (page 16) which were considered under 'action error
analysis' rather than Hazop. Most of the other faults were detected during
commissioning and were not spotted during the Hazop because the team did
not have the necessary knowledge. As stated in Section 2.4.4 (page 30), Hazop
is no substitute for knowledge and experience and its effectiveness depends on
the knowledge and experience of the team. According to Skelton, even inexperienced teams, such as students on a Hazop course, find about 80% of the
hazards and those missed are mainly minor72.

2.12 Auditing Hazop

As the use of any technique becomes more widespread its quality is liable to
decrease. There is therefore a need to be able to audit the quality of a Hazop. At
a workshop on Hazop held in 1995 the auditing of Hazop was selected as the
most pressing current topic70. The best method of auditing is to sit in on a
Hazop. If that is not practicable, for example because the Hazop is complete,
Rushton71 has described an audit scheme. The auditor samples the documentation produced by the Hazop and looks for evidence that various modes of
operation, such as start-up, shutdown and maintenance, have been considered in addition to normal operation, that the knowledge and experience of the
team members were adequate, that the same people attended throughout and
did so regularly, that the recommendations made were carried out, and that any
late changes in design were studied. If the plant has already been commissioned the auditor should examine the problems that have arisen and see if they
could reasonably have been spotted during the Hazop. Altogether there are six
pages of suggested questions. The auditor should talk to the team members to
gain their impressions and assess their knowledge and experience.

2.13 Conclusion
Carling30 has described the effects of using Hazop in his company. The benefits went far beyond a simple list of recommendations for a safer plant. The
interaction between team members brought about a profound change in individual and departmental attitudes. Staff began to seek one another out to
discuss possible consequences of proposed changes, problems were discussed
more openly, departmental rivalries and barriers receded. The dangers of
working in isolation and the consequences of ill-judged and hasty actions
became better appreciated. Knowledge, ideas and experience became shared
more fully to the benefit of the individual and the company.
Carling's company adopted Hazop after experiencing several serious incidents. Buzzelli writes31, 'For an industry so proud of its technical safety
achievement it is humbling to have to admit that most of our significant safety
improvements were developed in response to plant accidents'.
It does not have to be so. Hazop provides us with a lantern on the bow
(Chapter 1), a way of seeing hazards before they wreck our ship.

References in Chapter 2

1. Chemical Industries Association, London, 1977, Hazard and Operability Studies.
2. Knowlton, R.E., 1981, An Introduction to Hazard and Operability Studies (Chemetics International, Vancouver, Canada).
3. Kletz, T.A., 1976, Chemical Engineering Progress, 72 (11): 48.
4. Kletz, T.A., 1988, What Went Wrong? Case Histories of Process Plant Disasters, 2nd edition, Chapter 2 (Gulf Publishing Company, Houston, Texas, USA), and Lees, Chapter 21.
5. Lawley, H.G., 1974, Chemical Engineering Progress, 70 (4): 45.
6. Rushford, R., 1977, North-East Coast Institution of Engineers and Shipbuilders: Transactions, 93: 117.
7. Lawley, H.G., 1976, Hydrocarbon Processing, 55 (4): 247. Reprinted in Vervalin, C.H. (ed), 1981, Fire Protection Manual for Hydrocarbon Processing Plants, Volume 2, 94 (Gulf Publishing Company, Houston, Texas, USA).
8. Austin, D.G. and Jeffreys, G.V., 1979, The Manufacture of Methyl Ethyl Ketone from 2-butanol, Chapter 12 (Institution of Chemical Engineers, Rugby, UK).
9. Roach, J. and Lees, F.P., 1981, The Chemical Engineer, No. 373: 456.
10. Knowlton, R.E., 1976, R & D Management, 7 (1): 1.
11. Elliott, D.M. and Owen, J.M., 1968, The Chemical Engineer, No. 223: CE 377.
12. Binstead, D.S., 16 January 1960, Chemistry and Industry, 59.
13. Kletz, T.A., 1 April 1985, Chemical Engineering, 92 (7): 48.
14. Sinnott, R.K., 1983, in Coulson, J.M. and Richardson, J.F. (eds), Chemical Engineering, Volume 6, Chapter 9.5 (Pergamon Press, Oxford, UK).
15. Kletz, T.A., 1998, Process Plants: A Handbook for Inherently Safer Design, 2nd edition (Taylor & Francis, Philadelphia, Pennsylvania, USA).
16. Pearson, L., 1984, The operation of utility systems, Institution of Chemical Engineers Loss Prevention Subject Group Meeting.
17. Kletz, T.A., 1994, Learning from Accidents, 2nd edition, Chapter 9 (Butterworth-Heinemann, Oxford, UK).
18. Health and Safety Executive, March 1977, The Explosion at the Dow Chemical Factory, King's Lynn, 27 June 1976 (HMSO, London, UK).
19. Harvey-Jones, J.H., 1988, Making it Happen, 28 (Collins, London, UK).
20. Johnson, S., 1755, A Dictionary of the English Language, Introduction.
22. Pegram, N., 1990, The Chemical Engineer, No. 482: 37.
23. McKelvey, T.C. and Zerafa, M.J., 1990, Vital Hazop leadership skills and techniques, American Institute of Chemical Engineers Summer National Meeting, San Diego, California, 19-22 August.
24. Rushton, A.G., 1989, Computer integrated process engineering, Symposium Series No. 114, 27 (Institution of Chemical Engineers, Rugby, UK).
25. Aleksander, I. and Burnett, P., 1987, Thinking Machines, 107, 196 (Knopf, New York, USA).
26. Ferguson, G. and Andow, P.K., 1986, Process plant safety and artificial intelligence, World Congress of Chemical Engineering, Tokyo, Paper 14153, Volume II, 1092.
27. A 4th century theologian quoted by N. MacGregor, 1991, Royal Society of Arts Journal, 139 (5415): 191.
28. Gustafson, R.M., Stahr, J.J. and Burke, D.H., 1987, The use of safety and risk assessment procedures in the analysis of biological process systems: a case study of the Verax System 2000, ASME 105th Winter Annual Meeting, 13/S December.
29. Royal Commission on Environmental Pollution, 1991, Fourteenth Report: GENHAZ. A System for the Critical Appraisal of Proposals to Release Genetically Modified Organisms into the Environment (HMSO, London, UK).
30. Carling, N., 1986, Hazop study of BAPCO's FCCU complex, American Petroleum Institute Committee on Safety and Fire Protection Spring Meeting, Denver, Colorado, 8/ April.
31. Buzzelli, D.T., 1990, Plant/Operations Progress, 9 (3): 145.
32. Turney, R.D., 1991, The application of Total Quality Management to hazard studies and their recording, Symposium Series No. 124, 299 (Institution of Chemical Engineers, Rugby, UK).
33. Anon, 1999, Interactive Training Package No. 034, Hazop and Multi-stage Hazard Study (Institution of Chemical Engineers, Rugby, UK).
34. Davis, G.E., quoted by Hodgson, M., 1982, The Chemical Engineer, No. 380: 163.
35. van Schothorst, M. and Jongeneel, S., 1994, Food Control, 5 (4): 107.
36. Kletz, T.A., 1991, An Engineer's View of Human Error, 2nd edition (Institution of Chemical Engineers, Rugby, UK).
37. Goyal, R.K., 1993, Loss Prevention Bulletin, No. 112: 7.
38. Rushton, A.G., 1997, private communication.
39. Zetlin, L., quoted by Petroski, H., 1994, Design Paradigms, 3 (Cambridge University Press, New York, USA).
40. Freeman, R.A., Lee, R. and McNamara, T.P., 1992, Chemical Engineering Progress, 88 (8): 28.
41. Khan, F.I. and Abbasi, S.A., 1997, Journal of Loss Prevention in the Process Industries, 10 (4): 249.
42. Jefferson, M., Illidge, J.T. and Rushton, A.G., 1995, Activities and time usage in hazard and operability studies, The 1995 IChemE Research Event, 16 (Institution of Chemical Engineers, Rugby, UK).
43. Sanders, R.E., 1999, Chemical Process Safety: Learning from Case Histories (Butterworth-Heinemann, Newton, Massachusetts, USA).
44. Anon, 1994, Loss Prevention Bulletin, No. 120: 13.
45. West, H.H., Mannan, M.S., Danna, R. and Stafford, E.M., 1998, Chemical Engineering Progress, 94 (6): 25.
46. Kletz, T.A., 1986, Plant/Operations Progress, 5 (3): 136.
47. Kletz, T.A., 1991, An Engineer's View of Human Error, 2nd edition, Section 3.3 (Institution of Chemical Engineers, Rugby, UK).
48. Kletz, T.A., 1998, What Went Wrong? Case Histories of Process Plant Disasters, 4th edition, Section 17.13 (Gulf Publishing Company, Houston, Texas, USA).
49. Leathley, B. and Nicholls, D., 1998, Loss Prevention Bulletin, No. 139: 8.
50. Pitt, M.J., Flower, J.R. and Ben-Emhmmed, M.K., 1995, Computer simulation in Hazop studies, Symposium Series No. 139, 499 (Institution of Chemical Engineers, Rugby, UK).
51. Venkatasubramanian, V. and Vaidhyanathan, R., 1994, AIChE Journal, 40 (3):
52. Wakeman, S.J. et al, 1997, Computer aided hazard identification: fault propagation and fault-consequence scenario filtering, and Larkin, F.D. et al, Computer aided hazard identification: methodology and system architecture, Symposium Series No. 141, 305 and 337 (Institution of Chemical Engineers, Rugby, UK).
53. Jefferson, M., Chung, P.W.H. and Kletz, T.A., 1997, Learning the lessons from past accidents, Symposium Series No. 141, 217 (Institution of Chemical Engineers, Rugby, UK).
54. Chung, P.W.H. and Jefferson, M., 1998, Computers and Chemical Engineering, 22 (supplement): s729.
55. Chung, P.W.H. and Jefferson, M., 1998, International Journal of Applied Intelligence, 9: 129.
56. Kavianian, H.R., Rao, J.K. and Brown, G.V., 1992, Application of Hazard Evaluation Techniques to the Design of Potentially Hazardous Industrial Chemical Processes (US Department of Health and Human Resources, Cincinnati, Ohio,
57. Stoessel, F., 1993, Chemical Engineering Progress, 89 (10): 68.
58. Gillett, J.E., 1997, Hazard Study and Risk Assessment in the Pharmaceutical Industry (Interpharm Press, Buffalo Grove, Illinois, USA).
59. Mayes, T. and Kilsby, D.C., 1989, Food Quality Pref., 1: 53.
60. McElvey, T. et al, 1992, Journal of Loss Prevention in the Process Industries, 5 (5): 297.
61. Tweeddale, H.M., 1994, Transfusion Science, 15 (1): 5.
62. A Guideline for Hazop Studies on Systems which include a Programmable Electronic System, 1995 (Ministry of Defence, London, UK).
63. Tweeddale, H.M., Cameron, R.F. and Sylvester, S.S., 1992, Journal of Loss Prevention in the Process Industries, 5 (5): 279.
64. Burgess, T., April 1995 (reviewing Failure of British Government: The Politics of the Poll Tax by D. Butler et al, Oxford University Press, 1994), Royal Society of Arts Journal, 66.
65. Kletz, T.A., 1994, Learning from Accidents, 2nd edition, Chapter 16 (Butterworth-Heinemann, Oxford, UK).
66. Turney, R.D. and Roff, M.F., 1995, in Mewis, J.J. et al, Loss Prevention and Safety Promotion in the Process Industries: Proceedings of the 8th International Symposium, 93 (Elsevier, Amsterdam, The Netherlands).
67. Preston, M.L. and Richards, D.C., 1995, STOPHAZ: A tool supporting safer process design, Symposium Series No. 139, 517 (Institution of Chemical Engineers, Rugby, UK).
68. Turney, R. and Pitblado, R., 1996, Risk Assessment in the Process Industries, 14 (Institution of Chemical Engineers, Rugby, UK).
69. Taylor, J.R., 1982, Evaluation of costs, completeness and benefits for risk analysis procedures, International Symposium on Risk and Safety Analysis, Bonn, Germany, 6-8 July.
70. Turner, S., 1996, The Chemical Engineer, No. 606: 13.
71. Rushton, A.G., 1996, Quality Assurance of Hazop, Report No. OTO 96 002 (Health and Safety Executive, Sheffield, UK).
72. Skelton, R.L., 1998, Loss Prevention Bulletin, No. 142: 12.

Two new reports on Hazop were announced while this book was in production:

The European Process Safety Centre, the Chemical Industries Association and the
Institution of Chemical Engineers are jointly revising Reference 1 above, for publication in late 1999.
The International Electrotechnical Commission has prepared a draft standard (IEC
61882), defining Hazop. It may be issued in final form in 2000 and copied as a British


Appendix to Chapter 2
Some accidents that could have been prevented by Hazops

A2.1 Reverse flow

Many accidents have occurred because process materials flowed in the opposite direction to that expected and the fact that this could occur was not foreseen. For example, ethylene oxide and ammonia were reacted to make
ethanolamine. Some ammonia flowed from the reactor, in the wrong direction,
along the ethylene oxide transfer line into the ethylene oxide tank, past several
non-return valves and a positive pump. It got past the pump through the relief
valve which discharged into the pump suction line. The ammonia reacted with
30 m3 of ethylene oxide in the tank which ruptured violently. The released
ethylene oxide vapour exploded causing damage and destruction over a wide
A hazard and operability study would have disclosed the fact that reverse
flow could occur. Reference 7 of Chapter 2 describes in detail a Hazop of a
On another occasion some paraffin passed from a reactor up a chlorine
transfer line and reacted with liquid chlorine in a catchpot. Bits of the catchpot
were found 30 m away2.
On many occasions process materials have entered service lines, either
because the service pressure was lower than usual or the process pressure was
higher than usual. The contamination has then spread via the service lines
(steam, air, nitrogen, water) to other parts of the plant. On one occasion
ethylene entered a steam main through a leaking heat exchanger. Another
branch of the steam main supplied a space heater in the basement of the control
room and the condensate was discharged to an open drain inside the building.
Ethylene accumulated in the basement, and was ignited (probably by the electric equipment, which was not protected), destroying the building. Again, a
Hazop would have disclosed the route taken by the ethylene.
For other examples of accidents due to reverse flow that could be prevented
by Hazop, see Reference 3.



A2.2 Bhopal

On 3 December 1984 there was a leak of methyl isocyanate from a storage tank
in the Union Carbide plant at Bhopal, India, and the vapour spread beyond the
plant boundary to a shanty town which had grown up around the plant. Over
2000 people were killed. According to the official company report4 the material in the tank had become contaminated with water and chloroform, causing a
runaway reaction. The precise route of the contamination is not known (it
may have been due to sabotage8), but a Hazop might have shown up possible
ways in which contamination could have occurred and would have drawn
attention to the need to keep all supplies of water well away from methyl
isocyanate, with which it reacts violently.
However, there was much more wrong at Bhopal than the lack of a Hazop.
When the relief valve on the storage tank lifted, the scrubbing system which
should have absorbed the vapour, the flare system which should have burned
any vapour which got past the scrubbing system, and the refrigeration system
which should have kept the tank cool were out of commission or not in full
working order. As stated in Chapter 1, Hazop is a waste of time if the assumptions on which it is based, that the plant will be operated in the manner
assumed by the designer and in accordance with good practice, are not true.
Equally important, was it really necessary to store so much hazardous material? Methyl isocyanate was an intermediate, not a product or raw material,
convenient but not essential to store. A Hazop on the flowsheet or a similar
study at the earlier conceptual stage, as suggested in Section 2.7 (page 41),
might have led the decision team to question the need for so much intermediate
'What you don't have, can't leak'5.

A2.3 A fire in a water sump

The sump shown in Figure 2.10 contained water with a layer of light oil on top. Welding had to take place nearby so the sump was emptied completely with an ejector and filled with clean water to the level of the overflow pipe. When a spark fell into the sump, there was an explosion and fire. The U-bend had not been emptied and there was a layer of oil in the bend on top of the water.
A Hazop would have disclosed the hazard if the preparation of the equipment for maintenance had been considered. The equipment got little consideration during design as it was not part of the main plant, only a system for collecting a wastewater stream (see Section 2.8, page 47).



Figure 2.10 The sump was emptied and filled with clean water but oil was left in the U-bend (diagram label: 'Overflow to drain (12 inch diameter)')

Figure 2.11 When a runaway reaction occurred, instead of the water entering the reactor, the increased pressure blew out the water (diagram labels: 'Water (reactor stopper)', 'Remotely operated valve')

A2.4 A protective device that did not work

A reactor was fitted with a head tank containing water (Figure 2.11). If the contents of the reactor got too hot and the reaction started to run away, the operator was supposed to open the remotely operated valve so that the water would flow by gravity into the reactor and cool the contents. Unfortunately the designers overlooked the fact that when the reaction started to run away the pressure in the reactor would rise. When the valve was opened the water was blown out of the vent! The reactor exploded and the subsequent fire destroyed

A2.5 Services and modifications: two neglected areas

A blown fuse de-energized part of an instrument panel and the trip system shut the plant down safely: a turbine and pumps stopped, flows stopped and the furnace tripped. The condensate pumps continued to run, as planned, so that the steam drum which fed the waste heat boilers did not get empty. In fact it filled up completely in two minutes and the condensate overflowed into the steam main (Figure 2.12).
The turbine was driven by hot gases from the furnace but could be started with steam. The operators decided to turn the turbine slowly (to prevent damage to the shaft). As no furnace gas was available they cracked open the steam valve. Condensate came into contact with the hot line from the furnace and the line ruptured. Three men were sprayed with steam and hot condensate and two of them were killed.
Hazops should consider the results of power and other service failures (see Section 2.8, page 47) and the action to be taken should be covered in plant training and instructions.


Figure 2.12 When the steam valve was opened, condensate entered the hot line from the furnace (diagram labels: 'Hot furnace (start-up power supply)', 'To other steam users', 'To waste heat boilers', 'Condensate make-up')


The plant instrumentation had originally been very well organized but, as instruments were removed and others added, it became difficult to tell which instruments were connected to which power supply. All modifications, including modifications to instrument and electrical systems, should be reviewed by Hazop or, if they are minor, by a similar technique (see Section 2.4.3, page 28).
After the incident the steam drum was made larger so that it contained enough condensate to remove residual heat from the process without make-up, an inherently safer design¹⁰.

A2.6 A computer-controlled batch reaction (Figure 2.13)

The computer was programmed so that, if a fault occurred in the plant, all controlled variables would be left as they were and an alarm sounded. The computer received a signal telling it that there was a low oil level in a gearbox. The computer did as it had been told: sounded an alarm and left the controls as they were. By coincidence, a catalyst had just been added to the reactor and the computer had just started to increase the cooling water flow to the reflux condenser. The computer kept the flow at a low value. The reactor overheated, the relief valve lifted, and the contents of the reactor were discharged to

Figure 2.13 Computer-controlled batch reactor

The operators responded to the alarm by looking for the cause of the low oil level. They established that the level was normal and that the low-level signal was false, but by this time the reactor had overheated. A Hazop had been done on the plant but those concerned did not understand what went on inside the computer and treated it as a 'black box': something that will do what we want it to do without the need to understand what goes on inside it. They did not Hazop the instructions to the computer.
What they should have done is:
(1) Ask precisely what action the computer will take for all possible deviations (reverse flow, more flow, loss of power, loss of input or output signal, and so on).
(2) Ask what the consequences will be.
(3) If the consequences are hazardous or prevent efficient operation, consider what alternative instructions might be given to the computer or what independent backup system might be required.
The incident provides a good example of the results of blanket instructions (to computers or people) such as, 'When a fault develops, do this'. All faults should be considered separately during a Hazop, for all operating modes. The action to be taken during start-up may be different from that to be taken during normal running or later in a batch. This is a lot of work, but is unavoidable if accidents are to be prevented.
As technologists we like to know how machines work and like to take them to bits. We should extend this curiosity to computer programs and not treat them as 'black boxes'. It is not necessary to understand all the details of the electronics, but it is necessary to understand the details of the logic, that is, to know precisely what instructions have been given to the computer.
There may have been a misunderstanding between the operating manager and the software engineer. When the manager asked for all controlled variables to be left as they are when an alarm sounds, did he mean that the cooling water flow should remain steady or that the temperature should remain steady? As stated in Section 2.2 (page 21), when a computer-controlled plant is 'Hazoped' the software engineer should be a member of the team.
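The ambiguity in 'leave all controlled variables as they are' can be made concrete with a toy simulation. The Python below is an added illustration, not code or data from the book: its batch reactor model, thermal constants, control gain, reaction heat profile and the timing of the spurious alarm are all assumed values chosen to show the two readings of the instruction side by side.

```python
"""Toy batch reactor with a computer controlling cooling water flow.
Compares two readings of 'leave all controlled variables as they are' when
a spurious alarm arrives just after catalyst addition.
Added illustration; the plant model and every number in it are assumed."""

HEAT_CAPACITY_KJ_PER_C = 2000.0   # thermal mass of the batch (assumed)
COOLING_KW_PER_UNIT_FLOW = 2.0    # heat removed per unit of cooling water flow (assumed)
MAX_FLOW = 100.0                  # cooling water valve fully open
SETPOINT_C = 80.0                 # reaction temperature the computer is meant to hold
RELIEF_C = 120.0                  # temperature at which the relief valve lifts (assumed)
GAIN_FLOW_PER_C = 5.0             # proportional controller gain (assumed)


def exotherm_kw(t_s: float, catalyst_at_s: float) -> float:
    """Heat released by the catalysed reaction: zero before catalyst addition,
    then ramping up to 120 kW over ten minutes (assumed reaction profile)."""
    if t_s < catalyst_at_s:
        return 0.0
    return 120.0 * min(1.0, (t_s - catalyst_at_s) / 600.0)


def cooling_flow_for(temp_c: float) -> float:
    """Proportional control: more cooling water the further above setpoint."""
    return max(0.0, min(MAX_FLOW, GAIN_FLOW_PER_C * (temp_c - SETPOINT_C)))


def simulate(policy: str, fault_at_s: float = 700.0, catalyst_at_s: float = 600.0,
             duration_s: float = 3600.0, dt: float = 1.0) -> dict:
    """policy is 'freeze_outputs' (cooling flow held at its value when the alarm
    came in, as the computer in the incident did) or 'hold_setpoint' (the alarm
    sounds but temperature control keeps running). Returns the peak temperature
    and whether the relief valve lifted, stopping the run at that moment."""
    temp = SETPOINT_C
    flow = 0.0
    frozen_flow = None
    max_temp = temp
    t = 0.0
    while t < duration_s:
        if policy == "freeze_outputs" and t >= fault_at_s and frozen_flow is None:
            frozen_flow = flow        # spurious low-oil-level alarm: outputs left as they were
        flow = frozen_flow if frozen_flow is not None else cooling_flow_for(temp)
        q_in = exotherm_kw(t, catalyst_at_s)
        q_out = COOLING_KW_PER_UNIT_FLOW * flow
        temp += (q_in - q_out) * dt / HEAT_CAPACITY_KJ_PER_C
        max_temp = max(max_temp, temp)
        if temp >= RELIEF_C:
            return {"policy": policy, "max_temp_c": round(max_temp, 1),
                    "relief_lifted": True, "at_s": t}
        t += dt
    return {"policy": policy, "max_temp_c": round(max_temp, 1),
            "relief_lifted": False, "at_s": None}


if __name__ == "__main__":
    for policy in ("hold_setpoint", "freeze_outputs"):
        print(simulate(policy))
```

With outputs frozen at the cooling flow in force when the alarm arrived, the exotherm ramps up against almost no cooling and the modelled relief temperature is reached well within the batch; with the setpoint held, the controller opens the cooling valve and the temperature peaks a few degrees above setpoint. The computer does exactly what it was told in both cases; the difference is which instruction was given, and that is what step (1) above asks the team to pin down for each deviation and each operating mode.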
An amusing example of a failure to consider all eventualities occurred during the night when summer time ended. An operator put the clock on a computer back one hour. The computer then shut the plant down for an hour until the clock caught up with the program¹⁷.


Reference 12 gives other examples of incidents on computer-controlled plants that could have been prevented by Hazops. It also reviews modifications of Hazop, known as Chazop, that are suitable for studying the specifications of computer-controlled systems.

A2.7 Abbeystead: explosion in a water pumping station

At Abbeystead, water was pumped from one river to another through a tunnel. In an incident in May 1984, when pumping stopped some water was allowed to drain out of the tunnel leaving a void. Methane from the rocks below accumulated in the void and, when pumping was restarted, was pushed through vent valves into a pumphouse where it exploded, killing 16 people, most of them local residents who were visiting the plant.
If anyone had realized that methane might be present, the explosion could have been prevented by keeping the tunnel full of water or by discharging the vent valves into the open air. In addition, smoking, the probable cause of ignition, could have been prohibited (though we should not rely on this alone). None of these things were done because no-one realized that methane might be present. Published papers contain references to the presence of dissolved methane in water supplies but these references were not known to the water supply engineers. The knowledge was in the wrong place¹¹.
Could a Hazop have prevented the accident? Only if one of the team knew or suspected that methane might be present. He need not have known the details so long as he could recall the fact from the depths of his memory. As mentioned in Section 2.2 (page 23), good Hazop team members are people who have accumulated, by experience and reading, a mental ragbag of bits and pieces of knowledge that may come in useful one day. A Hazop provides opportunities for the recall of long-forgotten bits of knowledge that might otherwise never pass through the conscious mind again.

A2.8 The Sellafield leak

A cause célèbre in 1983 was a leak of radioactive material into the sea from the British Nuclear Fuels Limited (BNFL) plant at Sellafield, Cumbria. It was the subject of two official reports⁶,⁷ which agreed that the discharge was due to human error, though it is not entirely clear whether the error was due to lack of communication between shifts, poor training or wrong judgement. Both official reports failed to point out that the leak was the result of a simple design error that would have been detected by a Hazop, if one had been carried out.


Figure 2.14 Simplified line diagram of the waste disposal system at Sellafield (diagram labels: '50 mm (2 inch) return line to plant', 'From plant', '250 mm (10 inch) line to sea')

As a result of the human error some material which was not suitable for discharge to sea was moved to the sea tanks (see Figure 2.14). This should not have mattered as BNFL thought it had 'second chance' design: the ability to pump material back from the sea tanks to the plant. Unfortunately the return route used part of the discharge line to sea. The return line was 2 inches diameter, the sea line was 10 inches diameter, so solids settled out in the section of the sea line where the linear flow rate was low and were later washed out to sea. The design looks as if it might have been the result of a modification. Whether it was or not, it is the sort of design error that would be picked up by a
At a meeting where I suggested this someone doubted it, so I asked three experienced Hazop team leaders if they agreed. All three said that a competent team should pick up the design error but they suggested different ways in which this would be done. I describe them here to demonstrate that a point missed while considering one deviation can often be picked up under another. (There is some redundancy in Hazop.)
Team leader 1
'I feel sure that the cause described would have been identified by a Hazop with a competent team.
This is because, when studying the recycle mode of operation for reprocessing of off-spec waste product, the team's attention would be focused on the very important matter of achieving complete transfer of the material, including the contents of the common section of line, back to the plant. If the off-spec waste product happened to be a solution, questions would be asked on, for example, the effectiveness of water displacement by flushing back to the plant. If the off-spec waste product happened to be a solid/liquid mixture (as for the case in point), questions would similarly be asked on the effectiveness of water flushing of the 10 inch line bearing in mind the restriction to flow via the 2 inch downstream system, and also possible changes in elevation. In the latter case, the team would also be particularly concerned with how to wash the off-spec solid out of the sea tank. For such a hazardous system, attention would, in fact, be focused throughout on how best to get all the solid safely back to the plant for reprocessing.
'The final outcome of a Hazop on this system would probably be to opt for an entirely independent return line from the sea tanks to the plant, thereby not only avoiding the common line section, but also reducing the chance of inadvertent discharge of off-spec waste to sea via passing or wrongly opened

Team leader 2
'One can never be absolutely certain that all possible situations are considered during a Hazop, but I feel reasonably certain that this operability problem would have been discussed in some detail (providing the technique was applied by experienced people) under one or more of the following headings:
(a) NO FLOW: One reason for 'No flow' in the 2 inch line could be wrong routing, for example, all the off-spec material entering the sea due to leaking valves, incorrect valve operation, etc. How would we know that we were putting off-spec material into the sea?
(b) LESS FLOW: Again, leaking valves would allow off-spec material into the sea, and a reduced flow to the plant, etc. Also, possible restriction or blockage due to settlement of solids would certainly be discussed.
(c) MORE FLOW: The team would have checked design flow rates and commented on the different velocities in the 10 inch and 2 inch line sections and possible consequences.
questioned methods of analysis, where samples were taken, and how we ensured that the contents of both the sea tank and the 10 inch line section were suitable to dump into the sea. Indeed, when the 10 inch route to the sea was studied the problem of contamination would again be discussed.
(e) SAFETY: Environmental considerations would have again made the team ask how we would know that the material being dumped was safe, and what were the consequences of dumping unsafe material?'

Team leader 3
'I believe that the line of questioning would be as follows:
(a) NO FLOW: Misrouting, opening of the 10 inch sea line in error when material should be returned to the plant for reprocessing; this would raise further points of sampling, valve locations and the need for interlocks.
(b) REVERSE FLOW: Direct connection between plant and sea via the common manifold: what prevents backflow and how reliable is the system?
(c) LESS FLOW: Contamination implications of incomplete purging of the system between batch discharges. How will the operators know that the sea tank and discharge line have been emptied and purged following a discharge? What are the consequences of contamination due to accumulation of material in dead spaces in the common discharge system? A team with knowledge of slurry-handling plants would be aware of the problems of deposition resulting from reduced flow velocities. For example, it is common practice to provide recirculating ring mains on centrifuge feed systems to avoid deposition and
(d) MORE TEMPERATURE: Again, a team with knowledge of slurry handling would raise comments on solubility effects.
(e) PART OF: The team would ask how the operator would know that the end point had been established.'

I raised these questions myself. With an experienced team more points would be raised.
Settling of a solid when the linear flow rate is reduced is a well-known hazard. When the River Irwell was diverted into the Manchester Ship Canal, George E. Davis, one of the founders of chemical engineering, forecast that the canal and the lower reaches of the river would form a large settling tank and organic material would putrefy. In the summer after the canal opened the smell was so bad that passenger boat traffic was abandoned¹³.


Figure 2.15 Water entered the feed vessel through leaking valves (diagram labels: 'From reactor and centrifuge', 'Circulation line', 'Valves closed but', 'To distillation')

A2.9 Formation of separate layers

Reaction product was stored in a feed vessel until it could be batch distilled. Water used for washing out some equipment passed through two closed but leaking valves into the feed vessel. Some water was always present and was removed early in the distillation when the temperature was low. On this occasion, so much water was present that, unknown to the operators, it formed a separate, upper layer in the feed vessel (Figure 2.15). The lower layer was pumped into the distillation column first and the water in it removed. The temperature in the column then rose. When the upper layer was pumped into the column an unexpected (and previously unknown) reaction occurred between water and a solvent. The product of this reaction was recycled to the reactor with the recovered solvent where it caused a runaway reaction and an explosion. The chemistry involved is described in References 14 and 15.
This incident shows that Hazop teams should pay particular attention to the following points:
What will be the consequence of adding water (or adding more water if it is normally present)? This question should always be asked because unwanted water can so easily turn up as the result of corrosion, leaking valves, failure to disconnect a hose or accumulation in a dead-end or because it has been left behind after a wash-out.
Can the presence of water (or anything else) cause formation of a separate layer and, if so, what will be the consequence?
For any deviation, look for consequences in other parts of the plant and at later times, not just for local and immediate ones (see Section 2.5(1), page 35).
Unexpected formation of a separate layer was the cause of one of the few serious criticality incidents that have occurred on nuclear processing plants. In 1958, at Los Alamos, USA, the liquid in four tanks had to be washed with solvent to recover some plutonium. Each tank should have been treated separately but instead their contents were combined in a single tank, together with plutonium residues that had accumulated in the tanks over a period of seven years. The acid present in one of the streams caused an emulsion to break and the plutonium concentrated in the upper layer. This layer was too thin to be critical but when the stirrer was started up the layer became thicker near the axis of the stirrer and criticality occurred. One man was killed. Afterwards unnecessary transfer lines were blocked to reduce opportunities for incorrect movements.
A review of criticality incidents shows that many could have been prevented by Hazop as they were due to reliance on valves which leaked, excessive complication, unforeseen flows through temporary lines, inadvertent siphoning and entrainment.

A2.10 The need for different sorts of knowledge

This section shows how hazards have been or could be missed, because the team did not include people with the right sort of knowledge.
A2.10.1 The need for practical knowledge
Figure 2.16 shows a floating roof tank located in a bund. The tank contains oil. Rainwater can be drained from the roof into the bund and from there into the main drainage system. Suppose a Hazop team is considering whether any substance 'other than' water can get into the main drainage system. For this to occur there would have to be a hole in the hose, and both valves would have to be left open. An inexperienced team might decide that a triple coincidence is so improbable that there is no need to consider it further. However, someone with knowledge of the practicalities of plant operation would realize that during prolonged rain the operators may leave both drain valves open, whatever the instructions say, to avoid frequent visits to the tank. Any hole in the hose will then contaminate the main drainage system with oil¹⁸.



Figure 2.16 Should we assume that the hose might leak and the two valves might be left open all at the same time? (diagram label: 'To waterway')
(Reprinted by permission of Hydrocarbon Processing, April 1992, copyright 1992 by Gulf Publishing Co., all rights reserved)
Accidents are sometimes said to be due to an unlikely coincidence that could not have been foreseen, but they are usually not true coincidences. As in this case, two (or more) failures are latent or ongoing faults that exist for significant periods of time. When a third failure occurs, an incident is
A2.10.2 The need for specialized knowledge
A vessel contained liquid sulphur (melting point 120°C). A Hazop was carried out on the flowsheet; the team considered 'more of pressure' and decided that the precautions taken to prevent choking of the vent, which included a lute, were adequate. At a later Hazop of the line diagram, when considering 'more of temperature', someone pointed out that the viscosity of sulphur rises sharply above about 200°C. This temperature could not be reached in normal operation but could be reached if the vessel was exposed to fire. The sulphur in the lute could then become so viscous that it would prevent relief of the vessel. The relief system had to be redesigned¹⁹.
A solvent tank was vented through a seal pot. An electric heater was added later. The reason is not stated in the report, but was presumably to prevent freezing in cold weather. The modification was Hazoped but all the members of the team were chemical engineers; no electrical engineer or representative of the supplier was present. None of the chemical engineers realized that the temperature of the heater could rise above the auto-ignition temperature of the solvent if the liquid level in the seal pot was lost²⁰.


A2.10.3 The need for local knowledge

During the Hazop of a batch process the team asked what might be added to the reactor 'other than' the materials that should be present. The word they actually used was 'contamination'. Someone pointed out that organic acids could cause a runaway. Further discussion revealed the fact that organic acids were used in another process and were stored in the same warehouse and in the same colour and type of drum as one of the reactants²¹.
A2.10.4 The need for knowledge of other people's activities
A plant was fitted with blowdown valves which were operated by high-pressure gas. On a cold day, a leak on the plant caught fire. The operators isolated the feed and tried to blow off the pressure in the plant. The blowdown valves failed to open as there was some water in the impulse lines and it had frozen. As a result the fire continued for longer and caused more damage than it would otherwise have done.
How the water got into the impulse lines was at first a mystery. At a Hazop two years earlier, when the plant was modified, the team were asked if water could get into the impulse lines and they said 'No'.
Occasionally the valves had to be operated during a shutdown, when no high-pressure gas was available. The maintenance team members were asked to operate the valves but not told how to do so. They used water and a hydraulic pump. None of the Hazop team members, which included the operator shop steward, knew that the valves had been operated in this way.
Hazops are only as good as the knowledge and experience of the people present. If they do not know what goes on, the Hazop cannot bring out the

A2.10.5 The need for knowledge of what happens beyond the edge of the drawing
The output of one plant is often the raw material of another. A change in quality or reliability, of little or no importance to the supplier, may affect the consumer. Here are three examples:
Some users of nitrogen require traces of oxygen. An increase in the purity of the supply can upset their process.
The source of a high pressure drop in a hydrogenation reactor was, after much lost production, traced to a change in the plant that supplied the hydrogen. Charcoal was used to remove traces of oil. A slightly finer grade was supplied and charged. Some of it passed through its support, travelled along the pipe to the hydrogenation reactor and choked the distribution holes in its catalyst retaining plate²².
Designers in many countries take the high reliability of public electricity suppliers for granted. They then do the same when designing a plant for a country where the supply is unreliable.

An incident from another industry

The Therac-25, a development of earlier machines, produces electron beams for irradiating cancer patients. They can be irradiated directly or with X-rays generated by the electron beam hitting a target. Much higher energy beams are used to produce X-rays than for direct irradiation. As the result of a software error a number of patients were directly irradiated with high energy beams. A systematic hazard identification procedure would have shown that absence of the target was potentially dangerous and that it should be physically impossible to operate in high energy mode unless the target was in place. The fatal error was relying on software interlocks²³,²⁴.

Thanks are due to Messrs. H.G. Lawley, F.R. Mitchell and R. Parvin for assistance with Section A2.8. Sections A2.3 to A2.5 are reprinted from Journal of Loss Prevention in the Process Industries, 4, Trevor Kletz, Incidents that could have been prevented by HAZOP, 128-129, Copyright 1991, with permission from Elsevier Science.

References in Appendix to Chapter 2

1. Troyan, J.E. and Le Vine, L.Y., 1968, Loss Prevention, 2: 125.
2. Oliveria, D.B., 1973, Hydrocarbon Processing, 52 (3): 112.
3. Kletz, T.A., 1998, What Went Wrong? Case Histories of Chemical Plant Disasters, 4th edition, Chapter 18 (Gulf Publishing Company, Houston, Texas, USA).
4. Union Carbide Corporation, Danbury, Connecticut, USA, March 1985, Bhopal Methyl Isocyanate Incident Investigation Team Report.
5. Kletz, T.A., 1998, Process Plants: A Handbook for Inherently Safer Design (Taylor & Francis, Philadelphia, Pennsylvania, USA).
6. Health and Safety Executive, 1984, The Contamination of the Beach Incident at BNFL Sellafield (HMSO, London, UK).
7. Radiochemical Inspectorate, 1984, An Incident Leading to Contamination of the Beaches Near to the BNFL Windscale and Calder Works (Department of the Environment, London, UK).
8. Kalelkar, A.S., 1988, Investigations of large magnitude incidents: Bhopal as a case study, Symposium Series No. 110, 553 (Institution of Chemical Engineers, Rugby, UK).
9. Hill, R., 1988, Journal of Loss Prevention in the Process Industries, 1 (1): 25.
10. Gibson, T.O., 1989, Plant/Operations Progress, 8 (4): 209.
11. Health and Safety Executive, 1985, The Abbeystead Explosion (HMSO, London, UK).
12. Kletz, T.A., Chung, P.W.H., Broomfield, E. and Shen-Orr, C., 1995, Computer Control and Human Error (Institution of Chemical Engineers, Rugby, UK).
13. Stainthorp, F., 1990, The Chemical Engineer, No. 480: 16.
14. Mooney, D.G., 1991, An overview of the Shell fluoroaromatics plant explosion, Symposium Series No. 124, 381 (Institution of Chemical Engineers, Rugby, UK).
15. Kletz, T.A., 1991, Loss Prevention Bulletin, No. 100: 21.
16. Stratton, W.R., 1989, A Review of Criticality Accidents, Report No. DOE/NCT-04 (US Dept of Energy).
17. Wray, A.M., 8 September 1988, New Scientist.
18. Jones, D.W., 1992, Hydrocarbon Processing, 71 (4): 77.
19. Kolodji, B.P., 1992, Hazard resolutions in sulfur plants from design through start-up, AIChE Summer National Meeting, Paper 70d.
20. Vaughan, N., 1998, IChemE Safety and Loss Prevention Subject Group Newsletter, No. 9: 3.
21. Collins, R.L., 1995, Chemical Engineering Progress, 91 (4): 48.
22. Kletz, T.A., 1998, What Went Wrong? Case Histories of Process Plant Disasters, 4th edition, Section 2.6(a) (Gulf Publishing Company, Houston, Texas, USA).
23. Leveson, N.G., 1995, Safeware: System Safety and Computers, Appendix A.
24. Peterson, I., Fatal Defect, Chapter 2 (Random House, New York, USA).

Hazard analysis

When you can measure what you are speaking about and express it in numbers, you know something about it.
Lord Kelvin

'The swift do not win the race,
nor the strong the battle;
bread does not belong to the wise,
nor wealth to the shrewd,
nor success to the skilful;
for time and chance govern all.'
Ecclesiastes, 9:11

3.1 Objective

The objective of this chapter is to help readers manage probabilistic events or, more precisely, to apply quantitative methods to safety problems. You cannot, however, expect a brief guide like this to make you fully competent. You should discuss your first attempts with an experienced analyst.
Hazard analysis is not an esoteric technique that can be practised only by those who have served an apprenticeship in the art. It can be practised by any competent technologist provided he discusses his first attempts with someone more experienced (see Section 4.10, page 165).
Assessing a hazard, by Hazan or any other technique, should be our second choice. Whenever we can we should avoid the hazard by changing the design²⁷ (see Section 2.7, page 41). Many books and courses on Hazan fail to make this clear. They seem to assume that the hazard is unavoidable and therefore we should estimate the probability that it will occur and its consequences and make them as low as is required by our criteria (or, to use the legal phrase, as low as reasonably practicable; see Section 3.3, page 81). They rarely point out that it is often possible to avoid a hazard. Of course, we cannot always do so; it is often impossible or too expensive, but we can do so more often than most people believe.



3.2 Why do we want to apply numerical methods to safety problems?

The horizontal axis of Figure 3.1 shows expenditure on safety over and above that necessary for a workable plant, and the vertical axis shows the money we get back in return. In the left-hand area safety is good business: by spending money on safety, apart from preventing injuries, our plants blow up or burn down less often and we make more profit.
In the next area safety is poor business: we get some money back for our safety expenditure but not as much as we would get by investing our money in other ways.
If we go on spending money on safety we move into the third area where safety is bad business but good humanity (money is spent so that people do not get hurt and we do not expect to get any material profit back in return) and finally into the fourth area where we are spending so much on safety that we go out of business. Our products become so expensive that no-one will buy them; our company is bankrupt and we are out of a job. The public are deprived of the benefits they could get from our products. We have to decide where to draw the line between the last two areas. Usually this is a qualitative judgement but it is often possible to make it quantitative. The methods for doing so are called, in this book, hazard analysis or Hazan. Other names are risk analysis, quantitative risk assessment (QRA) and probabilistic risk assessment (PRA) (see Section 1.2, page 5).

Figure 3.1 The effects of increasing expenditure on safety

I use the term hazard analysis rather than risk analysis as risk analysis has been used to describe methods of estimating commercial risks (see References 1 and 2) and hazard analysis because, as we shall see, an essential step is breaking down the events leading to the hazard into their constituent steps.
While Hazop is a technique that can, and I think should, be applied to every new design and major modification, Hazan is, as stated in Section 1.1 (page 1), a selective technique. It is neither necessary nor possible to quantify every hazard on every plant. Unfortunately the apparent precision of Hazan appeals to the legislative mind and in some countries the authorities have suggested that every hazard should be quantified.
Hazan is not, of course, a technique for showing that expenditure on additional safety measures is necessary. Often it shows that the hazard is small and that further expenditure is unnecessary.
Hazan does more than tell us the size of a risk. Especially when fault trees (Section 3.5.9, page 113) are used, it shows how the hazard arises, which contributing factors are the most important and which are the most effective ways of reducing the risk. Most of all, it helps us to allocate our resources in the most effective way. If we deal with each problem as it arises, the end result may be the opposite of that intended. This is common in politics²⁸ and can also occur in engineering. It can result in massive expenditure on preventing a repetition of the last accident while greater risks, which have not so far caused injury, are unrecognized and ignored.
When hazard analysis was first used in the chemical industry, in the late 1960s and early 1970s, it was applied mainly to well-defined (though often complex) problems, such as those involving instrumented protective systems, for which good reliability data were available (for examples see Section 3.8, page 133). ('Good' means that the data did not vary greatly between different plants or industries or conditions of use.) Later, hazard analysis was extended to much more ill-defined problems involving many sequential steps, for example, how often will a piece of equipment leak, how big will the leak be, how far will it spread, how often will it ignite, what overpressure will be developed if it does and what injuries and damage will be caused by the explosion or heat radiation? Confidence in the accuracy was obviously lower but comparative values were better than absolute ones. Most of the controversy that has been attached to hazard analysis (see Section 5.3, page 181) applies to these studies. Those described in Section 3.8 (page 133) are typical of the various types of study carried out today.



3.3 The stages of Hazan

Every Hazan, however simple, consists of three steps:

(i) Estimating how often the incident will occur.
(ii) Estimating the consequences to:
  the public and the environment;
  plant and profits.
In both (i) and (ii), whenever possible, estimates should be based on past experience. However, sometimes there is no past experience, either because the design is new or the incident has never happened, and in these cases we have to use synthetic methods. By combining the probability of an incident and the size of the consequences we are able to compare infrequent but serious incidents with more frequent but less serious incidents (but see Section 3.4.3, page 90).
(iii) Comparing the results of (i) and (ii) with a target or criterion in order to decide whether or not action to reduce the probability of occurrence or minimize the consequences is desirable, or whether the hazard can be ignored, at least for the time being.
The methods used in step (i) are probabilistic. We estimate how often, on average, the incident will occur but not when it will occur.
The methods used in step (ii) are partly probabilistic, partly deterministic. For example, if there is a leak of flammable gas, we can only estimate the probability that it will ignite. If it does we can estimate the heat radiation and the way in which it will attenuate with distance (deterministic). If a person is exposed to the radiation, we can estimate the probability that death or certain degrees of injury will occur. At high levels deaths are certain and the estimate is deterministic. High levels of radioactivity cause burns (deterministic). At low levels the probability of disease, not the seriousness of the disease, increases with the dose.
My elder granddaughter, when not quite three years old, was seen to be picking up crumbs from the floor and eating them. Her parents said, 'Don't do that: it will make you poorly'. With commendable logic, she said, 'I'm not poorly'. Her parents had not explained to her the difference between a probabilistic and a deterministic result or, more simply, the difference between 'sometimes' and 'always'. (They had also not explained that results can be immediate or delayed: see Sections 1.2 and 5.2.6, pages 5 and 176.)
In the following pages we first discuss step (iii), then step (i). Discussion of step (ii) is not attempted. The methods used differ for each type of hazard (fires, explosions and releases of toxic gas) and the number of calculation methods available is enormous; for example, over a hundred methods for calculating gas dispersion have been published (Reference 49). Refer to specialist textbooks or to Lees. Pitblado and Turney have provided a good summary of the methods (Reference 54). Some of the pitfalls in consequence calculations are discussed in Chapters 4 and 5 of this book; they can affect the accuracy of the overall calculation. Computer programs are available for carrying out these consequence analyses and in the more sophisticated programs the results are combined with estimates of probability and risk contours are drawn. For an example, see Reference 25. When using these models it is important to understand the methods they use and their limitations. If this is not done they may be used outside their range of application (see Section 3.5.4, page 108).
The biggest uncertainty in step (ii) is determining the size of the leak. Gas dispersion or explosion overpressure calculations are often carried out with great accuracy although the amount of material leaking out can only be guessed. Withers is one of the few authors who has provided estimates of the probability of leaks of various magnitude (Reference 29).
Many writers are reluctant to discuss step (iii), but it is little use knowing that a plant will blow up once in 1000 years with a 50% chance that someone will be killed, unless we can use this information to help us decide whether we should reduce the probability (or protect people from the consequences) or whether the risk is so small, compared with all the other risks around us, that we should ignore it and devote our attention to bigger risks. For this reason step (iii), setting a target or criterion, is discussed (in Section 3.4, page 90) before step (i), estimating how often an incident will occur (Section 3.5, page 105).
Who should answer the three questions? The first two questions can only be answered by expert knowledge, or by expert judgement if information is lacking. The third question is a matter on which everybody, and especially those exposed to the risk, has a right to comment. The expert has a duty to provide information on comparative risks, in a way that the audience can understand, but has no greater right than anyone else to decide what risks other people should accept. If the public wish to spend money on removing what the expert thinks is a trivial risk, they have a right, in a democracy, to do so. In the end it is the public's money that is spent, not a company's or the government's, as the cost is passed on to them through prices or taxes (see Section 3.4.4, page 93).
In the UK the law has long recognized that we cannot do everything possible to prevent accidents. We are required to do only what is 'reasonably practicable', weighing in the balance the cost of prevention, in money, time and trouble, and comparing it with the size of the risk. If there is a gross disproportion between them, the risk being insignificant in relation to the cost, removal or reduction of the risk is not necessary. To use the legal phrase, it is not as low as reasonably practicable (ALARP) (see Section 3.4, page 86).



Hazan attempts to quantify this phrase and has therefore been accepted fairly readily by the Health and Safety Executive and safety professionals. (ALARP does not mean As Low As Regulations Permit; if it is reasonably practicable to reduce risks further we are expected to do so.)
In contrast, in the United States there has been much more pressure to remove every risk and companies have been reluctant to admit that there is a low level of risk that is tolerable or acceptable. However, there are signs of change in both regulatory and case law. The US Office of Nuclear and Facility Safety, part of the Department of Energy, uses ALARA (As Low As Reasonably Achievable) and a Supreme Court ruling states (Reference 56):

'If ... the odds are one in a billion that a person will die from cancer by taking a drink of chlorinated water, the risk clearly could not be considered significant. On the other hand, if the odds are one in a thousand that regular inhalation of gasoline vapors that are 2% benzene will be fatal, a reasonable person might well consider the risk significant and take appropriate steps to decrease or eliminate it.'

Note that the Supreme Court make the common error of not stating their units. Are they referring to one drink of chlorinated water and to a lifetime's exposure to 2% benzene in gasoline?
Similarly in Germany, according to Brown (Reference 57):

'In German law ... one may not legally pose a risk to the public from one's enterprise. This positively inhibits the development of assessments that recognize risk as an inevitable constituent of life; it makes people tread warily, and

The European Community as a whole has not accepted the use of the phrase 'reasonably practicable' but it has accepted a requirement to carry out risk assessments. This should come to much the same, as there would be no point in assessing risk unless the action required depends on the size of the risk. However, while 'reasonably practicable' is backed by case law, there is so far no case law on risk assessment (Reference 58).
The concept of ALARA goes back a long way. In the 16th century Rabbi Schlomo Cohen of Greece wrote (Reference 59):

'The damage caused to the townspeople by the vats used by the dyeing industry is extremely great and has to be considered as similar to smoke and bad odours. However, since the textile industry is the main basis for the livelihood of the people of this town, it is incumbent upon the neighbours to suffer the damage. This is an enlargement of the principle that where a person is doing work that is essential to his livelihood and which it is not possible to do elsewhere, the neighbours do not have the right to prevent it.'

In practice, of course, the decision whether or not to reduce a particular hazard will usually be made by the responsible manager, taking into account any generally accepted or company criteria, the views of employees and the public and, of course, the views of the Health and Safety Executive (see Section 3.4, page 85) or other regulatory authority. However, the hazard analyst who calculates the probability and consequences of the hazard should not merely display them to the manager, but should say what he thinks should be done. The manager does not have to accept the analyst's views but the analyst, like all experts, should not merely provide information and display alternatives but should make clear recommendations. Only when he does so can he expect a salary comparable with that of the manager he advises.
In brief, the stages in hazard analysis are:
(i) How often?
(ii) How big?
(iii) So what?
If you can remember these six words you will know what to do (though not how to do it) if you are ever asked to carry out a hazard analysis. You will also know what to look for in hazard analyses carried out by others (see Chapter 4).
As mentioned in Section 1.2 (page 5), the Institution of Chemical Engineers defines hazard analysis as 'the identification of undesired events that lead to the materialization of a hazard, the analysis of the mechanisms by which these undesired events could occur and usually the estimation of the extent, magnitude and likelihood of any harmful effects'.
According to this definition hazard analysis includes the identification of hazards (considered in Chapter 2) and stages (i) and (ii) above, but not stage (iii). The report suggests that what I call hazard analysis should be called risk assessment. As already stated, stages (i) and (ii) are pointless unless we also carry out stage (iii).
If you are asked to carry out a hazard analysis or you ask someone else to carry one out, make sure that you both understand what is meant by these words.

3.4 Choosing targets or criteria

When injury is unlikely we can compare the annual cost of preventing an accident with the average annual cost of the accident. Suppose an accident will cause 1M worth of damage and is estimated to occur once in 1000 years, an average cost of 1000/year. Then it is worth spending up to 1000/year to prevent it but not more. Capital costs can be converted to maintenance, depreciation and interest. Future costs should be discounted, although the data are often not accurate enough to make this worthwhile (but see Section 6.1, last paragraph, page 196).
This method could be used for all accidents if we could put a value on injuries and life, but there is no generally agreed figure for them (see Section 3.4.7, page 100). So instead we set a target.
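The comparison above, carried through as an added worked example in Python (this is not code from the book). The expected annual cost of the accident is set against the annual equivalent of a proposed safety measure, with the measure's capital cost converted to depreciation plus interest as the text describes, so that the effect of the interest (discount) rate on the decision is visible. The damage and return period are the text's; the capital cost, life, maintenance and interest rates are assumed illustrative figures.

```python
"""Cost-benefit check for a safety measure against a damage-only accident,
following the comparison made at the start of Section 3.4.
Added example: the figures in the __main__ block are assumed, not the book's."""


def expected_annual_loss(damage, return_period_years):
    """Average cost per year of an accident costing `damage` each time it
    happens and expected once in `return_period_years` years."""
    if return_period_years <= 0:
        raise ValueError("return period must be positive")
    return damage / return_period_years


def capital_recovery_factor(interest_rate, life_years):
    """Fraction of a capital sum that must be set aside each year to repay it,
    with interest, over `life_years` years (depreciation plus interest).
    With zero interest this reduces to straight-line depreciation."""
    if life_years <= 0:
        raise ValueError("life must be positive")
    if interest_rate == 0:
        return 1.0 / life_years
    return interest_rate / (1.0 - (1.0 + interest_rate) ** -life_years)


def annual_equivalent_cost(capital, life_years, interest_rate, annual_maintenance):
    """Annual cost of a capital safety measure: depreciation + interest + maintenance."""
    return capital * capital_recovery_factor(interest_rate, life_years) + annual_maintenance


def worth_spending(damage, return_period_years, capital, life_years,
                   interest_rate, annual_maintenance):
    """Return (justified, expected_loss, annual_cost). The measure pays for
    itself only if the averaged loss it prevents is at least as large as it costs."""
    loss = expected_annual_loss(damage, return_period_years)
    cost = annual_equivalent_cost(capital, life_years, interest_rate, annual_maintenance)
    return cost <= loss, loss, cost


if __name__ == "__main__":
    # Assumed figures: damage of 1,000,000 once in 1000 years (the text's example),
    # a measure costing 5000 to install, lasting 10 years, 200/year to maintain.
    for rate in (0.0, 0.05, 0.10):
        ok, loss, cost = worth_spending(1_000_000, 1000, 5000, 10, rate, 200)
        print(f"interest {rate:.0%}: loss {loss:.0f}/yr, measure {cost:.0f}/yr, "
              f"{'justified' if ok else 'not justified'}")
```

With these assumed figures the decision flips between 5% and 10% interest, which is the point the text makes about discounting: the frequency estimate ("once in 1000 years") is rarely known closely enough for that refinement to matter.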
For example, in fixing the height of handrails round a place of work, the law does not ask us to compare the cost of fitting them with the value of the lives of the people who would otherwise fall off. It fixes a height for the handrails (36 inches to 45 inches). A sort of intuitive Hazan shows that with handrails of this height the chance of falling over them, though not zero, is so small that we are justified in ignoring it. Similarly, we fix a 'height' or level for the risk to life.
In setting this level we should remember that we are all at risk all the time, whatever we do, even staying at home. We accept the risks when we consider that, by doing so, something worthwhile is achieved. We go rock climbing or sailing or we smoke because we consider the pleasure is worth the risk. We take jobs as airline pilots or soldiers or we become missionaries among cannibals because we consider that the pay, or the interest of the job, or the benefit it brings to others, makes the risk worthwhile.
At work there is likely to be a slight risk, whatever we do to remove known risks. By accepting this risk we earn our living and we make goods that enable us and others to lead a fuller life.
A widely-used target for the risk to life of employees, discussed in the next section, is the fatal accident rate (FAR). Risks to the public are discussed in Section 3.4.4, page 93.
But it is not always necessary to estimate the risk to life. When we are making a change it is often sufficient to say that the new design must be as safe as, preferably safer than, that which has been generally accepted without complaint. For example:
If trips are used instead of relief valves they should have a probability of failure 10 times lower (References 3 and 4) (see Section 3.8.5, page 138).
If equipment which might cause ignition is introduced into a Zone 2 area it should be no more likely to spark than the electrical equipment already there.
A new form of transport should be no more hazardous, preferably less hazardous, than the old form.

For other examples, see Section 3.4.8, page 103.



Risks which are within a target or criterion are sometimes called 'acceptable risks', but I do not like this phrase. We have no right to decide what risks are acceptable to other people and we should never knowingly fail to act when other people's lives are at risk; but we cannot do everything at once: we have to set priorities.
More pragmatically, particularly when talking to a wider audience than fellow technologists, the use of the phrase 'acceptable risk' often causes people to take exception. 'What right have you,' they say, 'to decide what risks are acceptable to me?' But everyone has problems with priorities; most people realize that we cannot do everything at once, and they are more likely to listen if we talk about priorities.
The UK Health and Safety Executive proposes (Reference 30) that the phrase 'tolerable risk' should be used instead of 'acceptable risk'. 'Tolerable' has been defined (Reference 31) as 'that which is borne, albeit reluctantly, while "acceptable" denotes some higher degree of approbation'.
The UK Health and Safety Executive also proposes that instead of one level of risk there should be two: an upper level which is never exceeded and a lower level which should be regarded as 'broadly acceptable'. This is defined as a level which does not worry us or cause us to alter our ordinary behaviour in any way; it would not be reasonable to consider further improvements if these involved a cost. In between the upper and lower levels the risk is reduced if it is reasonably practicable to do so. Risks near the upper level are tolerated only when reduction is impracticable or grossly disproportionate to the cost (see Figure 3.2 on page 86). Cost-benefit analysis, comparing the cost of reducing a hazard with the benefits, should be used to determine whether or not an action is reasonably practicable (References 30 and 32).
We do not, of course, remove priority problems by asking for more resources. We merely move the target level to a different point.
Apart from the main use of Hazan in helping us decide whether or not expenditure on particular safety measures is justified, that is, in helping us set priorities, it can also help us to:
resolve design choices, for example, between relief valves and instrumented protective systems (trips) (see Section 3.8.5, page 138);
decide how much redundancy or diversity (see Section 3.6.4, page 123) to build into a protective system;
set testing, inspection and maintenance schedules (see Section 3.5.3, page 107).
The proposals illustrated in Figure 3.2 (page 86) have been widely quoted but their full implications have not yet been realized or acted upon. We still fix absolute standards for measurements such as the concentration of harmful gases and vapours in the workplace atmosphere or the concentration of




Figure 3.2 Levels of risk and ALARP (Table 3.1(b) suggests values for the horizontal lines)
(Reproduced by permission of the Health and Safety Executive)
The figure shows three bands of risk, from highest to lowest, separated by two horizontal lines:
Upper band (unacceptable region): 'Risk cannot be justified except in ...' (label truncated in the page).
Middle band, the 'as low as reasonably practicable' or tolerability region (risk is undertaken only if a benefit is desired): near the top of the band, tolerable only if reduction is not practicable or its cost is disproportionate to the improvement gained; near the bottom, tolerable if the cost of reduction would exceed the improvement gained.
Lower band (broadly acceptable region): no need for detailed working to demonstrate that the risk is as low as reasonably practicable; necessary to maintain assurance that risk stays at this level.



impurities in drinking water or seawater on bathing beaches. There is a large measure of judgement in fixing such limits, and they incorporate generous safety factors, yet we act as if exceeding them is dangerous and spare no expense to get below them. It would be more sensible, and consistent with the tolerable risk policy, to fix an intolerable level, to be exceeded only in the most exceptional circumstances, and a broadly acceptable level, and in between to reduce the concentration in so far as is reasonably practicable.
3.4.1 Risks to employees: the fatal accident rate (FAR)
FAR is defined as the number of fatal accidents in a group of 1000 men in a working lifetime (10^8 hours). Table 3.1(a) (page 88) shows some typical figures.
For weekly-paid employees in the chemical industry the FAR was, at the time the following criterion was drawn up, about 4 (the same as the average for all activities covered by the UK Factories Act).
This was made up of:
ordinary industrial risks (eg, falling downstairs or getting run over): 2;
chemical risks (eg, toxic release or spillage of corrosive chemical): 2.
If you spend your working lifetime in a factory of 1000 men, then during your time there, if the FAR is 4, 4 of your fellow workers will be killed in industrial accidents, but about 20 will be killed in other accidents (mostly on the roads and in the home) and about 370 will die from disease, including about 40 from the effects of smoking, if present rates continue.
If we were sure that we had identified all the chemical risks attached to a particular job, we said that the man doing the job should not be exposed, for these chemical risks, to a FAR greater than 2. We would eliminate or reduce, as a matter of priority, any such risks on new or existing plants.
It would be wrong to spend our resources on reducing the risk to people who are already exposed to below-average risks; instead we should give priority to those risks which are above average.
Often we are not sure that we have identified all the chemical risks and so we say that any single one, considered in isolation, should not expose an employee to a FAR greater than 0.4. We will eliminate or reduce, as a matter of priority, any hazard on a new or existing plant that exceeds this figure. We are thus assuming that there are about five significant chemical risks on a typical plant. There is a case for reducing these figures of 2 and 0.4 now that the average FAR in the chemical industry has come down.
Experience has shown that the costs of achieving the original target, though often substantial, are not unbearable. They may involve the company in an



Table 3.1 Risks to life from employment
(a) UK 1987-1990 (except where stated)
Columns: risk per person per year; FAR (the number of fatalities in 1000 people in a working lifetime, that is, in a group of 10^8 working hours).
Rows: Firemen in London 1940; Policemen in Northern Ireland 1973-1992; Health and Safety Executive tolerable limit (10^-3 per year, FAR 50); Offshore oil and gas; Deep sea fishing; Coal mining; All premises covered by the Factories Act; Chemical and allied industries; All manufacturing industry; Vehicle manufacture; Clothing manufacture; Health and Safety Executive broadly acceptable limit (10^-6 per year). The remaining numerical entries could not be recovered from this copy of the page.
The figure for offshore oil and gas includes the 165 people killed by the fire and explosion on the Piper Alpha oil platform in 1988.
The figures in the first two rows are from Reference 60, the Health and Safety Executive figures from Reference 32 and the remainder from Lees, page 2/9.
expenditure which some of its competitors do not incur. Some of the extra expenditure can be recouped in lower insurance premiums; some can be recouped by the greater plant reliability which safety measures often produce; the rest is a self-imposed 'tax' which has to be balanced by greater efficiency.
Note that when estimating a FAR for comparison with the target we should estimate the FAR for the person or group at highest risk, not the average for all the employees on the plant. It would be no consolation to me, if I complained that I was exposed to a high risk, to be told, 'Don't worry. The average for you


Table 3.1 Risks to life from employment
(b) The Health and Safety Executive's proposals (risk per person per year)
Maximum tolerable risk: employees 10^-3; public 10^-4; public (nuclear): value not recovered from this copy of the page.
Legal limit from ionizing radiation: employees (50 mSv/yr): value not recovered.
Maximum tolerated risk from ionizing radiation: employees (15 mSv/yr): value not recovered.
Broadly acceptable risk: employees and public 10^-6.
Negligible risk: employees and public: value not recovered.
See Section 5.2.6 (page 176) for an explanation of the limits for ionizing radiation.
FARs are not quoted for public risks because the number of hours for which people are exposed is so variable. The risk per year is a better measure.

and your fellow workers is low'. It may be all right for them but it certainly is not for me. Also, if we used the average risk, we could reduce it by employing more people in low risk activities.
As mentioned already, the Health and Safety Executive has proposed an upper limit of risk which should not be exceeded and a lower level below which risks should be regarded as broadly acceptable. For employees, the proposed upper level is 10^-3 per year (FAR 50) which seems rather high but, as the figures in Table 3.1(a) show, some risks of this size are in fact tolerated. For the public the upper level is 10 times lower (10^-4 per year) but 100 times higher than the 10^-6 per year level discussed in Section 3.4.4 (page 93). The proposed 'broadly acceptable' level for employees and the public is 10^-6 per year. For employees this is reached by only relatively safe industries such as clothing manufacture, so most industry is in the ALARP region. The ratio between the unacceptable and the broadly acceptable region is 1000 for employees and 100 for the public (Reference 32) (see Table 3.1(b)).






Since the passage of the Health and Safety at Work, etc Act in 1974 there has been a gradual move away from prescriptive regulations, which tell people exactly what they should do, to goal-setting ones, which set objectives to be achieved. There is advice on how to achieve them, but it does not have to be followed. The requirement to assess risks and the setting of risk targets are part of this new approach.
It is not, of course, necessary or even possible to assess every risk quantitatively. Most risks are minor and can be assessed qualitatively. The Health and Safety Executive usually requires quantitative assessments of nuclear and offshore risks and may ask for them in other cases. Major hazards are more likely to be accepted by them if they are supported by a quantitative

3.4.2 Converting FAR to hazard rate

The hazard (or incident) rate is the rate at which dangerous incidents occur. Suppose the man at greatest risk is killed every time the dangerous incident occurs (this is an example, not a typical situation), then it must not occur more often than:

0.4 incident in 10^8 working hours or

once in 2.5 × 10^8 working hours

= 30,000 years

or 3 × 10^-5 incident/year, that is, the probability of occurrence should not exceed 3 × 10^-5/year (for a shift job).
For a job manned only during day hours the corresponding figures are once in 120,000 years or 8 × 10^-6 incident/year.
If the man at greatest risk is killed every tenth time the incident occurs then the target hazard rate is:

once in 3000 years or

3 × 10^-4 incident/year
and so on.

3.4.3 Multiple casualties

What is the target hazard rate if more than one person is killed?
Consider two cases:
(A) One person is killed every year for 100 years.
(B) 100 people are killed once in 100 years.

Should the prevention of (B) have higher priority than the prevention of (A), or vice versa? The arguments in favour of giving priority to the prevention of (B) are:
The press, public and Parliament make more fuss about (B), whilst they usually ignore (A). The public 'perceive' (B) as worse: as servants of the public we must therefore give priority to the prevention of (B).
(B) disrupts the organization and the local community and the wounds take longer to heal. It may cause production to be halted for a long time, perhaps for ever, and new requirements may be introduced.
Various writers have therefore proposed that the tolerable hazard rate for (B) should be the tolerable hazard rate for (A) divided by log N, or N or N^2, where N is the number of people killed per incident. However, these formulae are quite arbitrary and if we divide the hazard rate by N^2, or even N, we may get such low hazard rates that they are impossible to achieve.
Gibson (Reference 5) has suggested that we can allow for the wider effects by estimating the financial costs of disruption of production, etc, and comparing them with the costs of prevention. This may be a more effective and defensible method than introducing arbitrary factors.
It is true that as servants of the public we should do what they want, but a good servant does not obey unthinkingly; he points out the consequences of his instructions. If we think the public's perception of risks is wrong, we should say so, and say why we think so. Perhaps the public think that preventing events like (B) will reduce the number of people killed accidentally; it would actually have very little effect on the total number killed.
The argument in favour of giving priority to the prevention of (A) is that (B) will probably never happen (if the plant lasts 10 years the odds are 10 to 1 against) but that (A) almost certainly will happen: one person will probably be killed every year. So why not give priority to preventing the deaths of those who will probably be killed, rather than to preventing events which will probably never happen? This argument becomes stronger if we consider case (C):
(C) 1000 people are killed once in 1000 years. In this case it is 100 to 1 that nobody will be killed during the life of the plant.
The simplest and fairest view seems to be to give equal priority to the prevention of (A) and (B): we're just as dead in case (A) as in case (B).
If we give priority to the prevention of (B) we are taking resources away from the prevention of (A) and, in effect, saying to the people who will be killed one at a time that we consider their deaths as less important than others. We should treat all people the same.
There may, however, be an economic argument for preventing (B), as argued by Gibson, even though the risk is so small that we would not normally spend resources on reducing it further.



Consider now two more cases:

(D) A plant blows up once in 1000 years killing the single operator.
(E) A similar plant, less automated, also blows up once in 1000 years but kills all 10 operators. The FAR is the same in both cases, the risk to all 11 operators is the same, but some way of drawing attention to the higher exposure involved in case (E) is desirable. Lees (Reference 6) suggests that the number killed, the accident fatality number, should be quoted as well as the FAR (see Section 3.8.4, page 137).
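The arithmetic of Sections 3.4.1 to 3.4.3 collected into one added Python example (not code from the book): converting between FAR and risk per person per year, placing a risk in the three bands of Figure 3.2, converting a FAR target into a tolerable hazard rate as in Section 3.4.2, and comparing cases (A), (B) and (C) under the equal-priority view and under the arbitrary log N, N and N^2 divisors the text mentions. The upper levels of 10^-3 (employees) and 10^-4 (public) per year and the broadly acceptable level of 10^-6 per year are the Health and Safety Executive figures quoted in this section; the exposure hours (2000 worked hours a year for a day job, 8760 hours a year for a continuously manned plant) are my assumptions, chosen so that the function reproduces the text's "once in 30,000 years" and "once in 120,000 years".

```python
"""FAR, annual individual risk, HSE tolerability bands and target hazard rates.
Added example illustrating Sections 3.4.1 to 3.4.3 of the text."""
import math

FAR_BASE_HOURS = 1e8          # FAR = deaths per 10^8 exposed hours (1000 people x working lifetime)
HOURS_PER_YEAR_WORKED = 2000  # assumption: hours one employee works per year (day-job exposure)
HOURS_PER_YEAR_TOTAL = 8760   # a continuously manned (shift) plant is exposed all year round

# HSE proposals as quoted in the text: upper level never exceeded, lower level broadly acceptable
HSE_UPPER = {"employee": 1e-3, "public": 1e-4}
HSE_BROADLY_ACCEPTABLE = 1e-6


def far_to_annual_risk(far, hours_per_year=HOURS_PER_YEAR_WORKED):
    """Risk of death per person per year for someone exposed hours_per_year at this FAR."""
    return far * hours_per_year / FAR_BASE_HOURS


def annual_risk_to_far(risk_per_year, hours_per_year=HOURS_PER_YEAR_WORKED):
    """Inverse of far_to_annual_risk; 10^-3 per year at 2000 h/yr is FAR 50."""
    return risk_per_year * FAR_BASE_HOURS / hours_per_year


def hse_region(risk_per_year, who="employee"):
    """Place an individual risk in one of the three bands of Figure 3.2."""
    if risk_per_year > HSE_UPPER[who]:
        return "unacceptable"
    if risk_per_year > HSE_BROADLY_ACCEPTABLE:
        return "ALARP"
    return "broadly acceptable"


def target_hazard_rate(far_target, exposure_hours_per_year, p_fatal_per_incident=1.0):
    """Highest tolerable incident rate (incidents/year) for the person at greatest risk,
    given the FAR target for one hazard and the chance that an incident kills him."""
    deaths_per_hour = far_target / FAR_BASE_HOURS
    incidents_per_hour = deaths_per_hour / p_fatal_per_incident
    return incidents_per_hour * exposure_hours_per_year


def return_period_years(rate_per_year):
    """'Once in N years' form of a rate."""
    return 1.0 / rate_per_year


def expected_fatalities_per_year(incident_rate_per_year, n_killed_per_incident):
    """Equal-priority view of Section 3.4.3: deaths per year regardless of grouping."""
    return incident_rate_per_year * n_killed_per_incident


def aversion_scaled_rate(single_death_rate, n_killed, rule="none"):
    """Tolerable rate for an N-fatality incident under the arbitrary divisors the text
    mentions (log N, N, N^2); 'none' is the equal-priority view. The log N divisor is
    floored at 1 so that small N is never treated more leniently than a single death."""
    if n_killed < 1:
        raise ValueError("n_killed must be at least 1")
    divisor = {"none": 1.0,
               "logN": max(1.0, math.log10(n_killed)),
               "N": float(n_killed),
               "N2": float(n_killed) ** 2}[rule]
    return single_death_rate / divisor


if __name__ == "__main__":
    for hours, label in ((HOURS_PER_YEAR_TOTAL, "shift job"), (HOURS_PER_YEAR_WORKED, "day job")):
        r = target_hazard_rate(0.4, hours)
        print(f"FAR 0.4, {label}: {r:.1e}/yr, once in {return_period_years(r):,.0f} years")
    for rate, n, case in ((1 / 1, 1, "A"), (1 / 100, 100, "B"), (1 / 1000, 1000, "C")):
        print(f"case {case}: {expected_fatalities_per_year(rate, n):.1f} deaths/yr on average")
    for rule in ("none", "logN", "N", "N2"):
        print(f"rule {rule}: tolerable rate for a 100-death incident "
              f"{aversion_scaled_rate(1e-2, 100, rule):.1e}/yr")
```

Running the block reproduces the figures in Section 3.4.2 (about 3.5 × 10^-5 per year for a shift job, 8 × 10^-6 for a day job) and shows that cases (A), (B) and (C) all average one death a year, which is the basis of the text's equal-priority view; the N^2 rule, by contrast, pushes the tolerable rate for a 100-death incident down by four orders of magnitude.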

Table 3.2 Some non-occupational risks

Risk of death per person per year (approximate):
Road accidents (UK): 1 in 10,000
Road accidents (US): 1 in 4000
All accidents (UK): 1 in 3300
Murder (UK): 1 in 100,000
Smoking 20 cigarettes/day: 1 in 200
Drinking (1 bottle wine/day): 1 in 1300
Rock climbing (100 h/yr): 1 in 250
All risks, man aged 20: 1 in 1000
All risks, man aged 60: 1 in 100
Lightning (UK): 1 in 10 million
Release from nuclear power station (at 1 km): 1 in 10 million
Flooding of dykes (Holland): 1 in 10 million
Fall of aircraft (UK): 1 in 50 million
Hit by meteorite: 1 in 100 billion

Most figures are taken from References 32, 34 and 35.
Most of the risks are averaged over the whole population but are not always equally distributed; the very old and the very young, for example, are more likely than others to be killed in an accident; smokers are more likely than non-smokers to get cancer.
The figures for smoking, drinking and rock climbing apply only to those who carry out these activities.


3.4.4 Risks to the public

Table 3.2 shows the risk of death, per year, for a number of non-occupational activities, including activities such as driving and smoking that we accept voluntarily and others that are imposed on us without our permission. The figures are approximate and should be used with caution. Nevertheless they show that we accept voluntarily activities that expose us to risks of 10^-5 or more per year, sometimes a lot more, while many of the involuntary risks are much lower. We accept, with little or no complaint, a number of involuntary risks (for example, from lightning or falling aircraft) which expose us to a risk of death of about 10^-7 or less per year.
We thus have a possible basis for considering risks to the public at large from an industrial activity. If the average risk to those exposed is more than 10^-7 per person per year, we will eliminate or reduce the risk as a matter of priority. If it is already less it would not be right to spend scarce resources on reducing the risk further. It would be like spending additional money, above that already spent, on protecting people from lightning. There are more important hazards to be dealt with first.
The last two paragraphs appeared in the earlier editions of this book. Since then the Health and Safety Executive has made the proposals described at the end of Section 3.4.1 and summarized in Figure 3.2 and Table 3.1(b). It suggests that a risk of 10^-6 per year is 'broadly acceptable', though not negligible. It quotes the following example to show how small this risk is compared to the other risks to which we are exposed. Suppose 10,000 people live near a nuclear power station and as a result are exposed to an average risk of death (from cancer) of 10^-6 per year in addition to the normal risk; 10^-6 per year is rather less than 10^-4 per lifetime. Regardless of where they live, about 2500 of the 10,000 people will die from cancer. As a result of the nuclear plant, this number will rise to 2501 (Reference 61). And this estimate is based on the pessimistic assumption that the risk is proportional to the dose.
As well as considering the average risk we should consider the person at greatest risk. A man aged 20 years has a probability of death from all causes of 1 in 1000 per year. (The figure for a younger man is not much less.) An increase of 1% from industrial risks is hardly likely to cause him much concern, and an increase of 0.1% should certainly not do so. This gives a range of 10^-5 to 10^-6 per year. The people at greatest risk are usually those who live nearest to the factory but in the case of nuclear risk may be those whose diet exposes them to more radiation than other people: for example, those who eat a large amount of shellfish.
Why did I suggest a lowerfigure
per year) for the average risk than
to 106 range for the person at greatest risk? Consider a town of








U 106








Figure 3.3

FNcurvefor chlorineinstallation. AB shows

a suggested criterion.

(Crown copyright is reproduced withthe permission ofthe Controller of Her

Majesty'sStationery Office)
500,000 peoplein which a chemical plantimposes somerisk on all the inhabitants, though some of them, of course, are at greater risk than others. If the
average risk is I
per year, on average one person will be killed every 20
death occurs the firstone will probablyhave been
years; by
forgotten. If the average risk is 106, on average someone will be killedevery
two years and the public would considerthis quite intolerable. In a democracy
all criteriafor risk (and everything else that affects them) must be acceptable to
thepublic (seeSection 5.3, page 181).There is adifference, ofcourse, between



deaths that are clearly due to an industry and a theoretical rise (of one in
several thousand) in the number ofpeopledyingfrom disease.
We have considered average risks and the person at greatest risk. Another
way of expressing risk to the public is to draw a graph of the number of people
killed (N) against the cumulative frequency of the event (F). Figure 3.3 (from
Reference 30) shows an FN line for a particular chlorine installation and, for
comparison, a proposed criterion (the line AB). Both lines refer to casualties,
not deaths; Reference 30 suggests that about one third of them will result in
death. Note that the probability that 10 or 100 people will become casualties is
higher than allowed by the criterion, but that there is a limit to the possible
number of casualties. Note also that the frequencies are cumulative; that is,
the point on the graph for N = 10 (say) gives the frequency of events which
cause 10 or more casualties.
The jagged line in Figure 3.3 is a prediction by experts of what will occur (if
the assumptions on which it is based are correct); only experts in the technology are able to derive it. (In other cases the FN line may be based on the
historical record.) In contrast, the line AB is based on judgement; it shows the
level of risk that people will, it is believed, tolerate. Everyone has a right to
comment on its position, especially those exposed to the risk, and the expert
has no greater right to do so than anyone else (see Section 3.3, page 80).







It is difficult to explain FN curves to the public. They pick on the fact that
a large number of casualties or deaths can occur but do not grasp that the probability of this happening is astronomically low. In Figure 3.3, for example, the
frequency of an incident causing 100 casualties is less than 10^-5 per year. If
100,000 people live near the chlorine installation, the chance that a particular
person, picked at random, will become a casualty in such an incident is less
than 10^-8 per year. Imagine this page being so long that it stretches from
London to Newcastle (about 500 km); 10^-8 is the probability that if two
people are asked to choose a line of type at random they will pick the same one.
This probability is nevertheless considered too high and if the risk can be
reduced to the level shown by the target line AB, the page would have to
stretch from London to New York.
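An FN curve is built from the cumulative frequencies described above. As an added example, not from the book, the Python below constructs a curve from a made-up outcome table, tests it against an assumed straight-line criterion standing in for AB (its parameters are assumptions), and repeats the per-person and page-length arithmetic of the paragraph above (lines per page and page length are also assumptions).

```python
# Constructed outcome table for a hypothetical installation (not the data behind
# Figure 3.3): (frequency of the outcome, events per year; number of casualties).
OUTCOMES = [
    (2.0e-3, 1),
    (5.0e-4, 3),
    (1.0e-4, 10),
    (2.0e-5, 30),
    (4.0e-6, 100),
    (5.0e-7, 300),
]


def cumulative_frequency(outcomes, n):
    """F(N): frequency per year of events causing N or more casualties."""
    return sum(freq for freq, casualties in outcomes if casualties >= n)


def fn_curve(outcomes):
    """The FN curve as a list of (N, F) points, one per distinct casualty count.
    Because F is cumulative it can only fall as N rises, and the curve ends at
    the largest possible N: there is a limit to the number of casualties."""
    ns = sorted({casualties for _, casualties in outcomes})
    return [(n, cumulative_frequency(outcomes, n)) for n in ns]


def criterion_line(n, f1=1.0e-2, slope=2.0):
    """Assumed straight-line criterion on log-log axes, standing in for AB:
    F_crit(N) = f1 / N**slope.  Both parameters are assumptions."""
    return f1 / n ** slope


def exceedances(outcomes, f1=1.0e-2, slope=2.0):
    """Casualty counts N at which the curve lies above the criterion line."""
    return [n for n, f in fn_curve(outcomes) if f > criterion_line(n, f1, slope)]


def individual_risk(outcomes, n, population):
    """Annual probability that one person chosen at random from the exposed
    population is a casualty in an event of n or more casualties: each outcome
    contributes frequency x casualties / population."""
    return sum(freq * casualties / population
               for freq, casualties in outcomes if casualties >= n)


def lines_of_type(risk, lines_per_page=50, page_length_m=0.25):
    """The page-length picture used for 10^-8 above: how many pages, and how
    many km of page, make 'two people pick the same line' as unlikely as
    `risk`.  Returns (pages, kilometres); page geometry is assumed."""
    total_lines = 1.0 / risk
    pages = total_lines / lines_per_page
    return pages, pages * page_length_m / 1000.0


if __name__ == "__main__":
    for n, f in fn_curve(OUTCOMES):
        flag = "EXCEEDS" if f > criterion_line(n) else "ok"
        print(f"N >= {n:4d}: F = {f:.3e}/yr  criterion {criterion_line(n):.3e}/yr  {flag}")
    risk = individual_risk(OUTCOMES, 100, population=100_000)
    print(f"individual risk from events of 100+ casualties: {risk:.2e}/yr")
    pages, km = lines_of_type(1.0e-8)
    print(f"10^-8 = one line in {pages:.0f} pages, a page {km:.0f} km long")
```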










Figure 3.4 FN curves for some UK societal risks (see key below)
(Reproduced by permission of the Health and Safety Executive)

Figure 3.4 is an FN curve for a number of societal risks62.
We should never decide that a risk is tolerable on the basis of an FN curve
alone. We should also consider the people at greatest risk.
Other criteria for risks to the public are reviewed in Reference 17. The
criteria vary but it is generally agreed that the public should be exposed to
much lower risks than employees. People choose to work for a particular
company or industry but members of the public have risks imposed on them
against their will. But the public are further away from the source of the hazard
so in practice the risk to employees may be more important. For example, the
pressure developed by an explosion decreases with distance; the risk to the
public is usually so much less than the risk to employees that reducing the
latter is the more important task. However, this may not be the case if houses
have been built close to the factory fence.

Key to Figure 3.4
1: Collapse of a tower block, before the collapse at Ronan Point (a block of flats in
London which collapsed in 1968 as the result of a gas leak and explosion),
assuming there are 300 such blocks in the UK.
2: Collapse of tower block, after changes made following Ronan Point.
3: Canvey Island, an island in the Thames Estuary containing many oil and chemical
plants, before improvements.
4: Ditto, with recommended improvements.
5: Ditto, 2nd report. This was judged to be just about tolerable.
6: A harbour: risk to the population onshore from a spillage of LPG from a ship
before improvements.
7: The harbour, after improvements.
8: Ellesmere Port: proposed retail development near a complex of chemical plants.
9: Level crossings.
10: Recommended by the Advisory Committee on Major Hazards (1st Report, 1976) as
tolerable for a single plant.
11: Sizewell nuclear power station, design requirement (including delayed deaths).
Note that the risk is much lower than the others.
12: Maximum tolerable level to the public from an industrial activity.
For nuclear risks the maximum tolerable level is a tenth of this (see Section 3.4.1
and Reference 32).
13: Suggested maximum tolerable level for a possible programme of pressurized water
reactors (see Reference 32).
14: Goole Hook: housing developments near an ammonium nitrate plant.
15: A harbour handling explosives, near a town, before improvements.
Although the risk was less than at Canvey Island, public concern caused it to be
reduced even further.
16: St Fergus to Moss Morran natural gas liquids pipeline (200 km).
17: Flooding of the River Thames, before construction of the Thames Barrier.
18: Ditto, after construction of the Barrier.



3.4.5 Why consider only fatal accidents?

As pointed out by Heinrich many years ago, there is a relationship between
fatal, lost-time, minor and no-injury accidents (in which only material damage
is caused). If we halve fatal accidents from a particular cause, we halve
lost-time accidents, minor accidents and no-injury accidents from that cause. If
we halve the number of deaths from explosions on a particular plant, for
example, we probably also halve the number of lost-time accidents and minor
accidents caused by explosions and the material damage they cause.
Note that halving the total number of fatal accidents in a factory will not
necessarily halve the total number of lost-time (or minor) accidents, as the
ratio of lost-time to fatal accidents differs for different sorts of accidents. For
example, it is about 250 for transport accidents, but about 20,000 for accidents
involving the use of tools.
Several writers have suggested combining measures of death, injury, illness
and damage into a 'unified index of woe'63. For example, Christen et al.64
suggest the nine measures shown in Table 3.3 with their suggested relative
weightings. However, such figures are quite arbitrary. If such an index is used,
it should be possible to see how it is derived so that the effect of varying the
measures and their weightings can be studied.


Table 3.3 Relative measures for computing a unified index of woe

(From Reference 64. Reproduced with permission of the American Institute of
Chemical Engineers. Copyright 1994 AIChE. All rights reserved.)

Measure                                 Value giving an    Value giving an
                                        impact of 0.2      impact of 0.6
Number of deaths
Number of injured persons
Number of evacuees
Duration of alarm, person-days
Number of dead animals
Area of damaged ecosystem, km2
Area of contaminated soil, km2
Area of polluted groundwater, km2
Discounted expenditure

The numbers in the centre column are considered to produce a similar impact on the
public (to be precise, the same membership of a fuzzy set). Those in the right-hand
column produce a similar but greater impact. The impacts are combined (see
Reference 64 for details) to produce a total impact, called a 'disaster value'.
(Others call it an index of woe.) For Bhopal (over 2000 killed) the index is set at 1.
Flixborough (28 killed) is then 0.50, Seveso (0 killed) is 0.71 and the 1986 pollution
of the Rhine at Basle (0 killed) is 0.51. The authors of Reference 64 admit that the
assignment of relative impacts is very subjective but the method does allow various
factors besides the risk to life to be taken into account.

3.4.6 Remove first the risks that are cheapest to remove

An alternative approach to target setting is to give priority to the expenditure
which saves the most lives per £M spent16. This method would save more lives
for a given expenditure so why do we not use it? There are three reasons:
The first is moral. An employee or a member of the public may accept that a
risk is so small, compared with other risks around us, that it is tolerable, but he
(or she) will hardly accept a risk because it is expensive to remove. It may be
better for society as a whole, but not for him (or her).
Restating the same objection in other words, although we might reduce the
total number of people killed in an organization or society by concentrating the
risks on a few individuals, we are not prepared to do so: we prefer to spread the
risks more or less equally, or at least ensure that no-one is exposed to a level of
risk that would be regarded as intolerable. Note that in industry the lives saved
are notional. If we do spend money on reducing a particular risk, all we are
doing is making the already low risk of an accident even lower. It is unlikely
that anyone's life will actually be saved and this makes it easier to adopt the
moral attitude just described. In road safety, on the other hand, we are dealing
with real lives; more lives will actually be saved if we spend our money in a
more cost-effective way, and in this field of activity attempts are made to
spend money in ways that do save the most lives per £M spent. We do not try
to equalize the risks between different categories of road user, though it could
perhaps be argued that pedestrians who are exposed against their will
should be subjected to a lower risk (see Section 4.3.1, page 157).
The second reason is pragmatic. If we agree to remove risks that are cheap
to remove but to accept those that are expensive to remove, then there is a
temptation for every design engineer and manager to say that the risks on his
plant are expensive to remove. If, however, all risks must be reduced below a
certain level, then experience shows that design engineers and plant managers
do find 'reasonably practicable' ways of reducing them below that level.
A third reason is that the usual procedure in industry has always been to
work to a risk criterion, not a cost one. (See the note on handrails in Section
3.4, page 84.)
Despite these comments, the cost of saving a life is useful in industry as a
secondary criterion. If the notional cost of saving a life is greatly in excess of
the normal for the industry, then we should not exceed the usual risk criterion,
but we should look for a cheaper solution. Experience shows that in practice it
can usually be found. There is usually more than one solution to every
problem. As already discussed (see Section 3.4, page 85), the Health and
Safety Executive has suggested the use of two criteria, an upper one that
should never be exceeded and a lower, broadly acceptable, one which we need
not strive to get below. In between the risk should be reduced if it is reasonably
practicable to do so, and cost-benefit analysis should be used to help us decide
if a particular proposal is reasonably practicable. To carry out such calculations we need to know the value to put on a life.
3.4.7 The cost of saving a life
Various ways have been suggested for estimating the cost of saving a life. One
is the value of a person's future contribution to society; another is the cost of
damages awarded by the Courts. But the value of any article or service is not
what it costs to produce it, or the future benefits it will bring, but what people
are prepared to pay for it, the test of the marketplace. Table 3.4 summarizes
some of the prices that are actually paid to save a life and it will be seen that the
range is enormous. Doctors can save lives for a few thousands or tens of thousands of pounds per life saved and road engineers for a few hundred thousands
per life saved, while industry spends millions and the nuclear industry tens of
millions (even more according to some estimates) per life saved.

Table 3.4 Some estimates of the money (£) spent to save a life

Increasing tax on cigarettes
Anti-smoking propaganda
Cervical cancer screening
Artificial kidneys
Intensive care
Liver transplants
Various schemes implemented
Agriculture (employees)
Rollover protection for tractors
Pharmaceuticals (employees)
Pharmaceuticals (public)
Chemical industry (employees) (typical figure)
Nuclear industry (employees and public)
£1.3M
Smoke alarms
Preventing collapse of high-rise flats
Giving members of social class 5 a social class 2 income (family of 4 young people)
Third World starvation

All figures are taken from Reference 36, are corrected to 1999 prices and refer to
the UK. They are approximate and some may have been outdated by changes in
technology. US figures are often higher.
A 10% increase in the tax on tobacco decreases smoking by about 5% so there is
a net increase in revenue.
If we spend £10M on anti-smoking propaganda and as a result 2000 people (less
than 1 smoker in 10,000) give up smoking, 500 lives would be saved at a cost of
The death rate (for almost all ages and causes) of members of social class 5
(unskilled occupations) is about 1.8 times that of members of social classes 1
(professional occupations) and 2 (managerial occupations). It can be argued that, in
the long run, a rise in income to the social class 2 level will produce a social class 2

Most of the values in Table 3.4 are implicit, that is, unknown to the
people who authorize the expenditure, as they rarely divide the costs of their
proposals by the number of lives that will be saved. No other commodity or
service shows such a variation, a range of 10^6, in the price paid. (Electricity
from watch batteries costs thousands of times more than electricity from the mains but we pay for
the convenience.)
What value then should we use in cost-benefit calculations? I suggest the
typical value for the particular industry or activity (such as the chemical
industry or road safety) in which we are engaged. Society as a whole might
benefit if the chemical or nuclear industries spent less on safety and the money
saved was given to the road engineers or to doctors, but there is no social
mechanism for making the transfer. All we can do, as technologists, is to spend
the resources we control to the best advantage. As citizens, of course, we can
advocate a transfer of resources if we wish to do so.
The figures in Table 3.4 are far from accurate. They are taken from various
estimates published between 1967 and 1985, corrected to 1999 prices (for
details see Reference 36), and some may have been made out of date by
changes in technology. They vary over such a wide range, however, that errors
introduced in this way are probably unimportant (see also Section 3.8.1, page

The Health and Safety Executive has published a review of the extent to
which risk assessment, including cost-benefit analysis, is used within government departments65,66. It shows that these methods are often used to decide
priorities within departments but that they are not used to decide priorities
between departments, as can be seen from the figures in Table 3.4.
This can also be seen by comparing the standard of safety required in the
Channel Tunnel with that required in the ferries which offer an alternative
method of transport from England to the Continent. In the Channel Tunnel the
Health and Safety Executive has insisted on standards higher than those used
on any other tunnel anywhere in the world67. But despite the disaster at
Zeebrugge in 1987 and similar incidents elsewhere in the world68, there has
been little improvement in ferry standards69.
Of course, inconsistency is the price of progress and we cannot expect every
piece of old equipment to meet the highest contemporary standards, but nevertheless would some of the money spent on the Channel Tunnel potentially save
more lives if it had been spent on the ferries?
The US regulatory agencies are required to estimate the cost per life saved
before introducing new regulations. The values obtained by different agencies
vary between one and eight million dollars (at 1991 prices)70.
3.4.8 Comparing old and new
In Section 3.4 I pointed out that instead of comparing a risk with a target or
criterion we can compare alternatives. For example, a chemical intermediate
was carried 200 miles by road from one plant to another for further processing.
The intermediate was in the form of an aqueous solution and so was harmless,
but money was being spent to transport water. It was therefore proposed to
transport an alternative intermediate which was water-free but corrosive. The
quantity of material to be transported would be reduced by over 80%. The
question was whether the risk to the public from the transport of the hazardous
chemical was so low that it should be accepted, bearing in mind that a safer,
though bulkier, material could be transported instead. It was assumed that the
chemical could be carried in high-quality vehicles by well-trained drivers.
Calculations using average figures for the number of people killed in ordinary road accidents and in accidents involving chemicals showed that reducing
the volume of material to be transported by 80% would, on average, save one
life every 12 years, even allowing for the fact that an accident involving a
tanker of corrosive chemicals is very slightly more likely to result in a fatality
than an accident involving a tanker of harmless material.
A detailed quantitative study of the risks of transporting hazardous
substances71 concludes that the risks are tolerable but not negligible and
should therefore be reduced when it is reasonably practicable to do so. The
report is a good example of the use of quantitative risk assessment. It suggests
that £2M (at 1991 values) should be used, in cost-benefit calculations, for the
value of a life. (Compare the figures in Table 3.4.)
The report, however, has a major weakness. Chapter 10 concludes that one
cannot generally say that road is safer than rail or vice versa. However, it does
not take ordinary road accidents into account. If it did so, rail transport would
probably be safer than road. The Health and Safety Executive said that any
consideration of ordinary road accidents was outside their remit but for the
accident victim the result is much the same whether he or she is killed by the
vehicle or by the contents, and the probability of being killed by the vehicle is
much greater.
Another omission in the report is any mention of the claim that vehicles
carrying hazardous loads are involved in fewer accidents than other heavy
vehicles. According to Reference 72, 'the involvement of hazardous materials
in accidents seems to be at least one order of magnitude lower than that of ordinary traffic'. If this is true, chlorine tankers are less hazardous than milk

After Flixborough a BBC reporter, standing in front of the plant, described
the explosion as 'the price of nylon'. Many people must have wondered if it is
worth taking risks with men's lives so that we can have better shirts and underclothes. However, in our climate we have to wear something. How does the
'fatal accident content' of wool or cotton clothes compare with that of clothes
made from synthetic fibres? The former is certainly higher. The price of any
article is the price of the labour used to make it, capital costs being other
people's labour. Agriculture is a high accident industry; so there will be more
fatal accidents in wool or cotton shirts than in nylon shirts.
In general, the newer technologies are safer than the old. Nuclear electricity
claims fewer lives than electricity made from coal; plastic goods 'contain'
fewer accidents than similar articles made from iron or wood.
3.4.9 Risks to the environment
Increasingly, companies are having to consider risks to the environment as
well as risks to people. The principle to be followed is much the same as for
safety. According to a government guide73:
'Where appropriate (for example, where there is uncertainty combined with
the possibility of the irreversible loss of valued resources), actions should be
based on the precautionary principle if the balance of likely costs and benefits
justifies it. Even then, the action taken and the costs incurred should be in
proportion to the risk.'

The term ALARP (As Low As is Reasonably Practical) is not used for environmental risks. The terms used instead are Best Practicable Environmental
Option (BPEO) and Best Available Technology Not Entailing Excessive Cost
(BATNEEC). A BPEO is the option which provides the most benefit or least
harm to the environment as a whole at an acceptable cost. BATNEEC means
that the costs of avoiding damage to the environment should be justified by the
benefits. Old reports use the phrase Best Practicable Means instead. Reference
74 discusses the precise meanings of these terms.
Both BPEO and BATNEEC imply the use of cost-benefit analysis when
possible and References 38 and 53 describe attempts to apply it to environmental risks,
that is, to compare the costs of pollution with the costs of prevention. Some of
the costs of pollution are comparatively easy to estimate; for example, the costs
of cleaning, corrosion and sound insulation. We can also estimate the amount people are willing to
pay in extra travel and housing costs to avoid living in polluted areas. It is
much more difficult to put a price on the intangibles, such as the aesthetic
value of pleasant surroundings or the desire to preserve as much as possible
of the natural world and the evidence of the past. As with the value of a life
(Section 3.4.7, page 100), their value is whatever we are prepared to pay to
preserve them; this can be estimated by subtracting all the tangible benefits
from the cost of prevention we are willing to pay, and seeing what is left. As
with the value of life, the calculation is rarely made. People want the benefits
and would rather not know the price, unaware that they are paying it. In a
world in which many people are still suffering malnutrition and preventable
disease, the value of some expenditure on improving the environment may be
doubted. We should at least know what it is costing and what else could be
done with the money.
It is also difficult to specify types of incident and frequencies that can be
considered intolerable or broadly acceptable. A first attempt in that direction
has been made by the UK Department of the Environment. It has listed 13
events that could constitute major environmental accidents. They include
permanent or long-term damage to defined areas of land and water, damage
(undefined) to an ancient monument, contamination of a water supply, making
it unfit to drink and affecting more than 10,000 people, and death (or inability
to reproduce) of 1% of any species97. If these events are to be considered intolerable, we may well end up paying more to save the life of an animal than of a
person. While loss of 1% of the world's population of, say, chimpanzees, may
well be a major accident, it is difficult to feel the same about 1% of a species of

3.5 Estimating how often an incident will occur

As already mentioned, the methods described in this section are used when we
cannot use past experience.

3.5.1 Some definitions

Hazard (or incident) rate, H
The rate (occasions/year) at which hazards occur; for example, the rate at
which the pressure in a vessel exceeds the design pressure or the rate at which
the level in a tank gets too high and the tank overflows.

Protective system
A device installed to prevent the hazard occurring; for example, a relief valve
or a high level trip.

Test interval, T
Protective systems should be tested at regular intervals to see if they are inactive or 'dead'. The time between successive tests is the test interval.

Demand rate, D
The rate (occasions/year) at which a protective system is called on to act; for
example, the rate at which the pressure rises to the relief valve set pressure or
the rate at which a level rises to the set point of the high level trip. 'Demand' is
used in the French sense (demander = to ask).

Failure rate, f
The rate (occasions/year) at which a protective system develops faults. The
faults of most interest to us are fail-danger faults which prevent the protective
system operating, but fail-safe faults can also occur. These result in the protective system operating when it should not; for example, a relief valve lifts below
its set pressure or a high level trip operates when the level is normal (see
Section 3.5.10, page 118).
Most failures are random and this is assumed in what follows. However,
failures can be high when equipment is new and when it is worn out (that is,
just after birth and during old age).

Fractional dead time, fdt
The fraction of the time that a protective system is inactive. This means that it
is the non-availability or the probability that it will fail to operate when
required (fdt = 1 − availability).
If the protective system never failed to operate when required, then the
hazard rate H would be 0. If there were no protective system then the hazard
rate would be equal to the demand rate D. Usually the protective system is
inoperative or dead for a (small) fraction of the time.
A hazard results when a demand occurs during a dead period, hence:

H = D × fdt (but see Section 3.5.6, page 110).

For other definitions see Reference 33.
Some of the figures used in the following examples are typical while others
are merely examples.




3.5.2 Example 1: relief valves
The failure of some equipment is obvious and is soon noticed by the operators.
Relief valves and trips, however, are normally not operating and their failures
remain latent or unrevealed until a demand occurs. Hence we have to test them
regularly to detect failures.
Tests on relief valves show that fail-danger faults which will prevent them
lifting within 20% of the set pressure occur at a rate of 0.01/year (once in 100
years, a typical figure).
Let test interval T = 1 year (a typical figure).
Failure occurs on average half-way between tests. Therefore the relief valve
is dead for six months (½T) every 100 (1/f) years or for 1/200 or 0.005 of the
time (½fT). This is the fractional dead time. Suppose the demand rate D is
1/year (an example). A hazard results when a demand occurs during the time
that the relief valve is dead. The relief valve is dead for 1/200 of the time, there
is one demand per year, so there is a hazard once in 200 years.

Expressed more precisely:

hazard rate = demand rate × fractional dead time
            = D × ½fT
            = 1 × 0.005
            = 0.005/year

or once in 200 years. (The more accurate formula in Section 3.5.6, page 110,
gives once in 250 years.)
We could not determine this figure by counting the number of occasions on
which vessels have been overpressured because this occurs so rarely, but we
have been able to estimate it from the results of tests on relief valves.
Note that in this example a hazard is defined as taking a vessel more than
20% above its design pressure. Not all these 'hazards' will result in vessel
rupture or even a leak.
Relief valve failures are discussed in detail by Maher et al.
3.5.3 Example 2: simple trips
Assume that:
Fail-danger faults develop at a rate f of once every two years, or 0.5/year (a
typical figure), much more frequently than with relief valves.
The test interval T is 1 week (0.02 year, rather frequent).
The demand rate D is 1/year (an example).

Calculate the fractional dead time and the hazard rate.

Answer: The trip is dead for 3.5 days every two years; therefore

fractional dead time = 3.5/(2 × 365) = 0.005
and hazard rate = 1 × 0.005 = 0.005/year or 1 in 200 years.

With monthly testing, fractional dead time = 0.02
and hazard rate = 1 in 48 years.
With annual testing, fractional dead time = 0.25
and hazard rate = 1 in 4 years.

(The more accurate formula in Section 3.5.6, page 110, gives 1 in 5 years.)

If a trip is never tested, then after a few years the fractional dead time will
probably be 1, that is, the trip will be 'dead', and the hazard rate will be the
same as the demand rate.
Some companies test 'critical' trips and alarms but not 'non-critical' ones.
If a trip or alarm is so unimportant that it does not need to be tested, it is probably not needed. If its failure rate is 0.5/year then after four years the probability that it will be in working order is less than 10%. (However, if an alarm is
fitted to a control or indicating instrument, certain failures such as a failure
of the sensor may be obvious to the operators and it will then be repaired.)
If the trip is tested yearly, then the hazard rate is only reduced from
once/year with no trip to once in five years. If the trip is so unimportant that
annual testing is sufficient, then the trip is probably not necessary.
If we take into account the time the trip is dead while it is being tested, then
weekly testing may not give the lowest hazard rate and monthly testing may be
better. Because trips fail more often than relief valves they have to be tested
more often.
3.5.4 Example 3: frequent demands on a trip
Let failure rate f = 0.5/year (as before)
test interval T = 0.1 year (five weeks, a typical figure)
demand rate D = 100/year (much greater than before).

Calculate the fractional dead time and the hazard rate.

Answer: Using the formula:

hazard rate = D × 0.5fT
            = 100 × 0.5 × 0.5 × 0.1
            = 2.5/year.

In fact, the hazard rate will be almost the same as the failure rate (0.5/year), as
there will almost always be a demand in the dead period;
the fault will then be disclosed and repaired.
2.5/year would be the right answer if, when a hazard occurred, we did not
repair the trip but left it in a failed state until the next test was due.
Testing in this situation is a waste of time as almost all failures are followed
by a demand before the next test is due. If you find this example hard to follow,
consider the brakes on a car.

3.5.5 Brakes on cars: another example of frequent demands on a trip

Let failure rate f = 0.1/year (a typical figure)
test interval T = 1 year (as required by law)
demand rate D = 10^4/year (a guess).

Using the formula:

hazard rate = D × 0.5fT
            = 10^4 × 0.5 × 0.1 × 1
            = 500/year!

Not even the worst drivers have this many accidents. The true answer is
These two examples show how we can get absurd answers if we substitute
figures in a formula (or computer program) without understanding the reality
behind them. For another example see Reference 39. So the simple intuitive
formula derived in Section 3.5.1 (page 105):

hazard rate = demand rate × fractional dead time

must be incorrect.



3.5.6 A more accurate formula

Hazard rate =
failure rate
T = test interval
D = demand rate


IfDT/2 is small, this becomes

Hazard rate

= 0.5fDT

IfDT/2 is large, this becomes

Hazard rate

The exponentialformulaaboveis correctonly whenfTis small and applies

only to a singleprotective system.
Forn identical systems, all testedat the same time,
Hazard rate

f P1


ex[_ ii + I

when fT is small.
The applicability of the two equations can be understood by looking at
Figure 3.5 which shows the relationship between the hazard rate H and
demand rate D.

H =t(1 e J)1L2)


Figure 3.5 The relationship between hazard rate and demand rate


Table 3.5 Dependence of hazard rate on test interval and demand rate
(Columns: H = 0.5 fDT, per year; H = f(1 - exp(-DT/2)), per year. The table body is not reproduced.)

When DT = 1 the difference between the two values of H is only about 25% but for higher values of DT the difference increases very quickly.

Table 3.5 shows how the method used for calculating H becomes increasingly important as DT rises. The figures apply to a relief valve; the failure rate f is assumed to be 0.01/year and the test interval T is assumed to be 2 years.
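The three formulas of Sections 3.5.1 to 3.5.6 (the intuitive 0.5 fDT, the exponential f(1 - exp(-DT/2)) and its n-system extension) applied to the three sets of numbers the book gives: the frequently demanded trip (3.5.4), the car brakes (3.5.5) and the fire-water pressure switch of Section 3.6.4. This is an added Python example, not code from the book; the function names and the sanity check (a trip cannot cause more hazards per year than it suffers failures) are mine.

```python
import math

def fractional_dead_time(f, T):
    """Simple fractional dead time of one protective system (Section 3.5.1):
    on average a fault is present for half a test interval, so fdt = 0.5 fT."""
    return 0.5 * f * T

def hazard_rate_simple(D, f, T):
    """Intuitive formula: hazard rate = demand rate x fractional dead time."""
    return D * fractional_dead_time(f, T)

def hazard_rate_exp(D, f, T):
    """Section 3.5.6: H = f(1 - exp(-DT/2)).  Tends to 0.5 fDT when DT/2 is
    small and to the failure rate f when DT/2 is large.  Valid for fT small."""
    return f * (1.0 - math.exp(-D * T / 2.0))

def hazard_rate_n_identical(D, f, T, n):
    """n identical systems tested at the same time (fT small):
    H = f^n T^(n-1) (1 - exp(-DT/(n+1))).  n = 1 gives hazard_rate_exp."""
    return f**n * T**(n - 1) * (1.0 - math.exp(-D * T / (n + 1)))

def compare(D, f, T):
    """Return (simple H, exponential H, simple formula exceeds f?).
    The third value is the sanity check the text asks for: a trip cannot
    cause more hazards per year than it suffers failures per year, so a
    simple-formula result above f means the formula has been misapplied."""
    simple = hazard_rate_simple(D, f, T)
    exact = hazard_rate_exp(D, f, T)
    return simple, exact, simple > f

def mean_years_between_hazards(H):
    """Convert a hazard rate per year into 'once in N years'."""
    return 1.0 / H

# Constructed calls using the three sets of numbers given on the page.
EXAMPLES = {
    "trip with frequent demands (3.5.4)": dict(D=100.0, f=0.5, T=0.1),
    "brakes on a car (3.5.5)":            dict(D=1e4,   f=0.1, T=1.0),
    "fire-water pressure switch (3.6.4)": dict(D=10.0,  f=0.8, T=0.1),
}

if __name__ == "__main__":
    for name, p in EXAMPLES.items():
        simple, exact, absurd = compare(**p)
        note = "  <- more hazards than failures: formula misapplied" if absurd else ""
        print(f"{name}: DT = {p['D'] * p['T']:g}, simple {simple:.3g}/year, "
              f"exponential {exact:.3g}/year (once in "
              f"{mean_years_between_hazards(exact):.1f} years){note}")
```

For the trip and the brakes the exponential formula returns almost exactly the failure rate (0.5/year and 0.1/year), which is the answer the text argues for; for the fire-water switch (DT = 1) it gives once in 3.2 years against 2.5 years from the simple formula, the "about 25%" difference noted under Table 3.5.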
3.5.7 Two protective systems in parallel

Examples are two 100% relief valves in parallel or two high level trips (see Figure 3.6).
Let FA, FB be the fractional dead times of systems A and B. The set points of the two systems are, by accident or design, never exactly the same. Assume A responds first: that is, if A and B are two relief valves, A is set at a slightly lower pressure; if A and B are two high level trips, A is set at a lower level.

Figure 3.6 Two protective systems in parallel (demand rate = D)

The demand rate on A = D.
The frequency of demands to which A does not respond is FA D.
This is the demand rate on B.
Therefore it seems at first sight that the fractional dead time of the combined system should be FA FB and the hazard rate should be D FA FB.
Actually the fractional dead time is 4/3 FA FB and the hazard rate is 4/3 D FA FB because the demands on B tend to occur towards the end of a proof test interval when there is a more-than-average likelihood that B will have
If A and B are tested at different times the hazard rate can be shown to be 0.83 D FA FB (Reference 40).
Like the example in Section 3.5.4, this shows the perils of intuitive mathematics. For another example of non-random demands, see Section 3.6.7 (page 130).

Systems containing two (or more) identical devices in parallel are called redundant. Systems containing two (or more) different devices in parallel are called diverse.

3.5.8 Two protective systems in series

An example is a relief valve and a bursting disc in series (Figure 3.7). ('Failure' of a bursting disc in this context means failure to burst when the required bursting pressure is reached.)
If A or B fails the system is dead.
The fdt of the whole system = FA + FB - FA FB
or FA + FB (if FA, FB are small).
If we connect in series many items of equipment each of which has a high reliability, that is, a low fractional dead time, the overall system may be very unreliable. For example, if there are 10 items and each has an fdt of 0.05, the overall fdt will be about 0.4. For this reason, in high-risk situations, novel systems take a long time to become established and proven designs of aircraft and nuclear reactors continue to dominate the market (Reference 75).

Figure 3.7 Two protective systems in series (demand rate D)

Figure 3.8 Fault trees with 'AND' gates. Note that a frequency is multiplied by a probability.
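The parallel and series combinations of Sections 3.5.7 and 3.5.8 as an added Python example (not the book's code). It uses the correction factors the text gives (4/3 for two systems tested together, 0.83 for staggered testing) and the exact series formula; the relief-valve figures are those quoted for Table 3.5, while the demand rate D = 0.5/year in `relief_valve_pair` is an assumed value.

```python
def fdt_single(f, T):
    """Fractional dead time of one protective system, 0.5 fT (fT small)."""
    return 0.5 * f * T

def fdt_parallel(FA, FB, staggered=False):
    """Two protective systems in parallel (Section 3.5.7), A responding first.
    FA*FB is the intuitive answer; the text gives 4/3 FA FB when both are
    tested at the same time and 0.83 FA FB when the tests are staggered,
    because the demands that reach B cluster towards the end of B's interval."""
    factor = 0.83 if staggered else 4.0 / 3.0
    return factor * FA * FB

def hazard_rate_parallel(D, FA, FB, staggered=False):
    """Hazard rate of the parallel pair for a demand rate D on A."""
    return D * fdt_parallel(FA, FB, staggered)

def fdt_series(*fdts):
    """Items in series (Section 3.5.8): the system is dead if ANY item is dead,
    so fdt = 1 - prod(1 - F_i), which is FA + FB - FA FB for two items."""
    alive = 1.0
    for F in fdts:
        alive *= 1.0 - F
    return 1.0 - alive

def fdt_series_small(*fdts):
    """The small-fdt approximation sum(F_i); it overstates the dead time once
    the individual values are not small, as the ten-item case shows."""
    return sum(fdts)

def relief_valve_pair(f=0.01, T=2.0, D=0.5):
    """Constructed case: two identical relief valves with the failure rate and
    test interval quoted for Table 3.5; D = 0.5/year is an assumed demand rate.
    Returns (naive fdt, fdt tested together, fdt staggered, hazard rate/year)."""
    F = fdt_single(f, T)
    return (F * F, fdt_parallel(F, F), fdt_parallel(F, F, staggered=True),
            hazard_rate_parallel(D, F, F))

if __name__ == "__main__":
    print("two relief valves (naive, together, staggered, H):", relief_valve_pair())
    print("ten items of fdt 0.05 in series: exact %.3f, approx %.2f"
          % (fdt_series(*[0.05] * 10), fdt_series_small(*[0.05] * 10)))
```

Feeding two identical 0.5 fT values into `fdt_parallel` gives 1/3 f^2 T^2, which is the 1-out-of-2 entry discussed in Section 3.5.10; the series call reproduces the "about 0.4" of the text (0.401) where the simple sum would say 0.5.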


3.5.9 Fault trees

Fault trees are widely used in Hazan to set down in a logical way the events leading to a hazardous occurrence. They allow us to see the various combinations of events that are needed and the various ways in which the chain of events can be broken. They allow us to calculate the probability of the hazardous event from other probabilities that are known. Some examples of fault trees are shown in Figures 3.8 and 3.9 (page 114).
In drawing a fault tree we start on the left with the hazardous event; for example, that common industrial hazard a free meal* (the logic is the same if you regard it as a desirable event) or the overpressuring of a vessel. Some people start at the top instead of the left so the hazardous event is often called the top event. We then work from left to right (or top to bottom) drawing in the various events that lead up to the top event. Then we work back inserting numbers and estimate the frequency of the top event.
The points at which two branches of a tree join are known as gates; they can be 'AND' or 'OR' gates.

* Not a problem in universities.

Figure 3.8 shows two examples of 'AND' gates. Both a meeting with lunch AND an invitation are required for a free meal. Note that a frequency is multiplied by a probability. A common beginner's mistake is to multiply two frequencies. Two or more probabilities can be multiplied together (as in Section 3.5.7, page 111).
In Figure 3.9 the fault trees have been extended and 'OR' gates are shown. We need visitors or a training course but not both to get a free meal. Note that at an OR gate the two rates are added (or two or more probabilities as in Section 3.5.8, page 112).
In practice we stop drawing when we have data for the frequency of the events or the probability of the conditions on the right (or the bottom) of the

Figure 3.9 Fault trees with 'AND' and 'OR' gates. Note that frequencies are added at the 'OR' gates.

Suppose we are asked to revise Figure 3.9(a). We examine records for 10 years, carry out a regression analysis, allow for the effect of the changing economic situation and conclude that the visitor rate is more likely to be 12/year or 20/year instead of 15/year. The effect on the frequency of the top event is negligible. Similarly, detailed study may show that instead of 5 training courses per year we should expect 3, or perhaps 8. Again, the effect on the final answer is small. The number of free meals is between 1.5 and 2.8/year and is unlikely to be near these limits.
A more serious source of error is that we have overlooked the fact that some visitors may stay to dinner. If half of them do and the probability of an invitation is the same, the free meal rate rises to 2.75/year.
More serious still, suppose a new boss decides that all the staff should meet together over a free lunch once per week for an informal discussion. The free meal rate rises to 48/year (assuming 4 weeks holiday) + 2/year from other causes = 50/year. Our original result is out by a factor of 25.
This simple example shows that most errors in Hazan are not due to errors in the data but to errors in drawing the fault tree, to a failure to foresee all the hazards or all the ways in which the hazard could arise. Time is usually better spent looking for all the hazards and all the sources of hazard than in quantifying with ever greater precision those we have already found. There is another example of an unforeseen error in Section 4.4, page 158.
In Figures 3.8 and 3.9 we assume that the probability of being invited to lunch is the same for the two sorts of lunch. This may not be so. In Figure 3.10, Figure 3.9(a) has been redrawn to allow for the fact that the probability of being invited to lunch with visitors may be different to the probability of being invited to lunch with a training course.

Figure 3.10 Figure 3.9(a) redrawn to show different probabilities on different branches

An industrial equivalent might be that the probability that an operator will take the correct action when an alarm sounds is not fixed, but differs for different alarms. Some alarms might be more noticeable or he might be trained to pay more attention to them.
It may be useful to summarize what has been said about 'AND' and 'OR' gates. At school we were taught that AND means add. Remember that in drawing fault trees:

OR means add
AND means multiply (as in probability calculations).

As already stated, estimating hazard rates is not the only use of fault trees. They help us think out all the ways in which the hazard can arise and they show us which branches of the tree contribute the most towards the hazard rate. They show us how we can reduce the hazard rate and which methods will be most effective. For example, in the case of the free meal, we can reduce the hazard rate, the number of free meals per year, by reducing the number of visitors or the number of training courses or by reducing the probability that we shall be invited. We also see that halving the number of visitors will be more effective than halving the number of training courses.
In accountancy the figure produced at the end of a calculation, the bottom line, is the one that counts. Risk assessment is different. The way the final figure, the frequency of the top event, is derived is as important, perhaps more important, than the figure itself (Reference 76).
To prevent confusion between rates and probabilities, always enter the units when drawing fault trees. If we are not clear whether the figure for the top event is a rate or a probability we cannot draw the tree correctly. The first time Figure 3.9(a) was published the editor thought that '/year' had been omitted from the 'invitation' box in error, as it appeared in every other box, so he inserted it! Some authors suggest that we should write '/demand' after fractional dead times, as I have done in Figure 3.10.
Confusion over units is a common mistake in Hazan as a whole, not just in drawing fault trees. I consider this further in Section 4.2, page 153.
Another common error is confusing rates and duration. In one of the Andy Capp cartoons the eponymous hero was asked if it rained during a week he spent in the Lake District. He said it rained twice, 'Once for three days and once for four days'. The rate was low, twice per week, but the fractional dead time for dry weather was almost 100%.
As an exercise draw a fault tree for 'car fails to start'.
Many people produce fault trees like Figure 3.11. A better one is shown in Figure 3.12. The need to take human failures into account as well as equipment failures is discussed further in Section 3.7, page 130.

Figure 3.11 Fault tree for 'car fails to start'

Figure 3.12 Revised fault tree for 'car fails to start' (as Figure 3.11, with operator error added)
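The fault-tree arithmetic of Section 3.5.9, as an added Python example that is not part of the book: gates carry their units, so multiplying two frequencies at an AND gate or adding a rate to a probability at an OR gate is rejected rather than silently computed, which is the unit discipline the text asks for. The free-meal tree reproduces the figures quoted for Figure 3.9(a); the invitation probability of 0.1 is not printed on the page but is the value that turns 15 + 5 events/year into the book's 2 free meals/year. The dinner branch and the compulsory staff lunch are modelled as the text describes them.

```python
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Rate:
    """An event frequency, in events per year."""
    per_year: float

@dataclass(frozen=True)
class Prob:
    """A dimensionless probability (or fractional dead time, '/demand')."""
    value: float

Value = Union[Rate, Prob]

def AND(*inputs: Value) -> Value:
    """AND gate: all inputs are needed.  Probabilities multiply; at most one
    rate may be present and is multiplied by the probabilities.  Two rates
    at an AND gate is the beginner's mistake the text warns about."""
    rates = [x for x in inputs if isinstance(x, Rate)]
    probs = [x for x in inputs if isinstance(x, Prob)]
    if len(rates) > 1:
        raise ValueError("AND gate: cannot multiply two frequencies")
    p = 1.0
    for q in probs:
        p *= q.value
    return Rate(rates[0].per_year * p) if rates else Prob(p)

def OR(*inputs: Value) -> Value:
    """OR gate: any input suffices.  Rates add; probabilities add (the
    small-value approximation used on the page); mixing the two is an error."""
    if all(isinstance(x, Rate) for x in inputs):
        return Rate(sum(x.per_year for x in inputs))
    if all(isinstance(x, Prob) for x in inputs):
        return Prob(sum(x.value for x in inputs))
    raise ValueError("OR gate: cannot add a rate to a probability")

def gate_rejects(gate, *inputs) -> bool:
    """True if the gate refuses the inputs on unit grounds."""
    try:
        gate(*inputs)
    except ValueError:
        return True
    return False

def free_meal_rate(visitors=15.0, courses=5.0, p_invite=0.1,
                   dinner_fraction=0.0, staff_lunches=0.0):
    """Figure 3.9(a)-style tree: (visitors OR courses OR visitors staying to
    dinner) AND an invitation, with any compulsory staff lunches ORed in at
    the top because they need no invitation.  p_invite = 0.1 is inferred
    from the page's 2 free meals/year; the other defaults are the page's."""
    occasions = OR(Rate(visitors), Rate(courses), Rate(visitors * dinner_fraction))
    invited = AND(occasions, Prob(p_invite))
    return OR(invited, Rate(staff_lunches)).per_year

if __name__ == "__main__":
    print("as drawn:            %.2f/year" % free_meal_rate())
    print("12 visitors, 3 courses: %.2f/year" % free_meal_rate(visitors=12, courses=3))
    print("20 visitors, 8 courses: %.2f/year" % free_meal_rate(visitors=20, courses=8))
    print("half stay to dinner: %.2f/year" % free_meal_rate(dinner_fraction=0.5))
    print("weekly staff lunch:  %.2f/year" % free_meal_rate(staff_lunches=48))
```

Varying the data moves the answer between 1.5 and 2.8/year, while the two structural omissions (the dinner branch, the weekly lunch) move it to 2.75 and 50/year, which is the point the section makes about where the real errors in a Hazan lie.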



3.5.10 Redundancy and voting systems

As well as fail-danger faults, there are the so-called fail-safe faults or spurious trips: the protective equipment operates although there is no hazard. For example, a relief valve lifts light or a high level trip operates when the level is normal. I say 'so-called' because they may be unsafe in other ways; they may result in a discharge to atmosphere or an unnecessary sudden shutdown of the plant, which may cause a leak. They give protective systems a bad name and make them unpopular with plant operators who may be tempted to bypass them (see later).
The 1996 Channel Tunnel fire provides a good example of the hazards of some 'fail-safe' designs. Heavy road vehicles are carried through the tunnel on railway wagons. These are fitted with supports (props) which are lowered when vehicles are being loaded and unloaded. If a prop descends at other times, an alarm sounds in the driving cab and the driver is instructed to stop the train. If a fire occurs drivers are instructed not to stop until they are out of the tunnel. Soon after the fire alarm sounded another alarm indicated that a prop had dropped. The driver then had contradictory instructions and decided to stop the train (as a dropped prop might derail it). The prop had not dropped, the alarm was spurious and stopping the train greatly increased the damage to the train and to the tunnel. The official report is not entirely clear but it seems likely that the prop alarm was the result of damage to the alarm system by the fire and that the alarm system had been designed to 'fail safe' if an alarm occurred. It is highly improbable that a random failure occurred by coincidence during the fire (References 77, 78). Fail-safe failures may be safe in one respect but hazardous in another.
Table 3.6 shows how the fractional dead time depends on the fail-danger fault rate f and fail-safe fault rate S when there is some duplication of the protective system. This is called redundancy if the protective systems are the same or diversity if they are different. For example, two level measuring devices on a tank is an example of redundancy while a level measuring device combined with a device for measuring the weight of liquid in the tank is an example of diversity.
Section 3.5.7 (page 111) explains why the fractional dead time of a 1-out-of-2 system is 1/3 f^2 T^2 and not 1/2 fT x 1/2 fT = 1/4 f^2 T^2. Similar arguments apply to the other systems (Reference 40).
In a 1-out-of-2 system the trip operates if either of two devices indicates a hazard, for example, a high level. A 1-out-of-3 system is similar. The whole trip, including the valve, may be duplicated (or triplicated) but often only the measuring instrument is duplicated (or triplicated).
A 2-out-of-3 system (last line) is an example of a voting system. Two out of three measuring instruments have to indicate a hazard before the trip operates.


Table 3.6 Hazard rates for various combinations of protective systems
(Columns include the fractional dead time; the 1-out-of-1 entry is 1/2 fT. The table body is not reproduced.)
Only the measuring instruments are 2-out-of-3, not the valve. The valve may, of course, be duplicated (or even triplicated) if this is necessary to achieve the required reliability.
Voting reduces the fail-safe or spurious trip rate and is used when spurious trips would upset production. It does not give increased safety. A 1-out-of-2 system is three times safer than a 2-out-of-3 system.
It is helpful to remember that fail-safe faults are normally disclosed as soon as they occur. They result in a spurious trip. But fail-danger faults remain hidden (latent, or unrevealed) until there is a test or demand. The formula 3S^2 T for the fail-safe faults/year of a 2-out-of-3 system assumes that the faults are not disclosed. In practice, a single fault signal usually sounds an alarm and the fault is thereby disclosed. If this is the case, then instead of the test interval T the repair time should be used in the formula (or, more precisely, the time from the alarm sounding to the completion of the repair).
On both voting and non-voting systems it is sometimes possible, by a change in design, to turn a hidden fault into a revealed one. For example, the failure of an alarm bell or hooter is hidden. If it fails, it is out of action until it is tested and repaired. We test frequently and accept a small chance that we may not know when an alarm occurs. If we want greater reliability, then instead of a bell that rings when an alarm is signalled we can have a device that sounds continually but becomes louder when there is an alarm. If the sound stops, we know something is wrong. Another example: failure of the front light on a bicycle is noticed at once; failure of the rear light is not. If the two lights are in series, failure of either is noticed (but then we have no lights at all) (Reference 79).
Before installing voting systems to reduce spurious trips we should check that the spurious trips are due to the inherent features of the instrumentation and not to some other factor such as poor testing or maintenance. For example, in 1984 84% of the trips on US nuclear power stations were spurious but half of them occurred on only 10% of the plants; this suggests that standards on these plants were lower than on others. (In the worst incident several people were nearly drowned when water sprays, equivalent to 60 inches of rain per hour, operated inside a containment building (Reference 41).)
Rushton (Reference 50) has devised a systematic procedure for deciding which trip system configuration (1-out-of-1, 1-out-of-2, 2-out-of-3, and so on) is most suitable for a particular application.

3.6 Pitfalls in Hazan

So far the methods of Hazan appear straightforward. But a number of pitfalls await the unwary. Two are discussed in Sections 3.5.4 (frequent demands) and 3.5.9 (fault trees) on pages 108 and 113. Others are discussed below. We start with data. Although errors in data, as shown in Section 3.5.9 on page 113, are not the most important errors, they nevertheless do occur and we should be on the lookout for them. Chapter 6 gives some information on sources of data.

3.6.1 Data may be inapplicable

For example, published data on pumps may apply to different types, liquids, pressures, temperatures, corrosivities, and so on. If we use the data without checking that conditions are similar, we may introduce serious errors. Leakage rates from flanged joints in a factory handling a corrosive chemical were found to be many times higher than in a factory handling clean petroleum liquids. In a study of a cross-country sulphuric acid pipeline, failure rates for other cross-country pipelines were at first used. It was then realized that the failure mechanism was quite different, because a major cause of corrosion in sulphuric acid pipelines is turbulent scouring of the protective sulphate film that forms on the inside of the pipelines (Reference 80).
Instruments are similar wherever they are installed and their failure rates in different industries are unlikely to differ by a factor of more than 3 or 4 (Reference 7). This is not true of mechanical equipment. Sections 4.6 and 6.4 (pages 160 and 197) have more to say on this.
Note that a failure rate that is acceptable for one application may be quite unacceptable for another. A man drove 30,000 miles/year on business. His car broke down 3 times/year, usually far from home, so he discarded it as unreliable, bought another and gave the old one to his wife. She drove 3000 miles/year. The car broke down, near home, once in 3 years. She found it quite

3.6.2 Data apply to the past

Designs change, and not necessarily for the better. For example, a component in an instrument might be made nowadays of aluminium alloy or plastic instead of steel. The manufacturer regards the change as trivial and does not tell his customers. But the new component fails more frequently or sooner than the old one.
A plant contained equipment to restart it automatically if power failed and was restored within 0.1 second. The manufacturer of the equipment, without telling anyone, changed the delay time to 1 second. This led to an explosion.
Data on the frequency of fires on equipment (for example, storage tanks) or plants (for example, ammonia plants) may be no longer valid as people may have learnt the lessons of past fires and changed the designs or methods of operation. I have often complained that organizations soon forget the lessons of the past and allow accidents to recur, but it would be going too far to say that organizations never remember.

3.6.3 Data affected by maintenance or operating policy

On beverage vending machines, for every 100 'demands':
the right drink was obtained 94 times; and
the wrong drink was obtained 6 times.
Therefore the FAILURE RATE = 6%.
Before we assume that better machines are needed, let us see how the failure rate is made up. Wrong drink includes cold drinks, no drinks, short measures, and so on. (We must always define what is meant by a failure.)

(a) Two of the failures in every 100 were due to the operator pressing the wrong button. Therefore:
    operator error = 2%
    machine failure = 4%
Better mechanical reliability will remove, at the most, two thirds of the faults. To remove the others we would have to look at the factors which affect operator error (such as better layout of the panel, locating the machine where distraction is less, and so on).

(b) 98 demands in every 100 were made on machines in the office and there were 2 failures. The remaining 2 demands were made on machines in a local entertainment centre and every demand (2% of the total) resulted in a failure. Therefore:
    office machines: failure rate = 2%
    entertainment centre machines: failure rate = 2% of all demands
                                                = 100% of demands on those machines
This shows that misleading results can be obtained if we group together widely differing data. For example, you can drown in a lake of average depth 6 inches (Figure 3.13).
A similar error was made by a politician who said, '... provisional laboratory identifications of Salmonella infections in humans amounted to 24,000 cases in 1988 ... other figures suggest that half of these were due to a strain associated with poultry and eggs', and went on to imply that action was therefore necessary to counter the infection in eggs (Reference 42). However, many people believed that nearly all the infections were due to poultry. According to one estimate only one egg in 7000 was infected.
Similarly, the former Albanian dictator Enver Hoxha was quoted in the press (Reference 43) as saying, 'Together with the Chinese, the Albanians form one quarter of the world's population.'

(c) One failure was due to a broken cup. Therefore:
    office machines: failure rate = 2%
        of which broken cup = 1%
    entertainment centre machines: failure rate = 100%

Figure 3.13

We now see that a more reliable machine would reduce the failure rate by only 1%. We could do as well by buying better cups or perhaps by redesigning the panel to reduce operator error.
Are the machines at the entertainment centre of a type that are more liable to break down or is the management, the system for reporting and repairing faults, different? Perhaps the users treat the machines differently.
Here is a more technical example of the way in which data can be affected by maintenance policy. Bellows were found to fail at a rate of 1 in 50 per year. Most of the failures did not result in large leaks but they caused shutdowns and loss of production. The failure rate seems high. Do we need a better product?
Analysis of the failures showed that some were due to specifying the wrong material of construction but most were due to poor installation. The failure rate does not give us information about bellows but information about the engineers who specify and install them. Data on the failure rate of mechanical equipment is often really data on the failure rate of people (see Section 6.4, page 197).
If we wish to reduce the failure rate we should:
specify material of construction correctly;
take more care over installation.
The first should not be difficult but the second is difficult. In practice bellows should be avoided when possible (by building expansion bends into the pipework) and more care taken over the installation of those we have.
A man had three Ford cars and crashed each of them, so he decided to try another make. Does this tell us something about Ford cars or about the man?
In the extreme, failure rates may not tell us anything about the equipment but instead may tell us how often the equipment experiences circumstances it cannot survive. A common cause of the failure of cross-country pipelines is damage by excavation machines.

3.6.4 The impossibly low fractional dead time: redundancy and diversity

Consider a 1-out-of-3 trip system.
Assume that the fractional dead time of each system = 10^-2.
Then the fractional dead time of the total system = 2 x (10^-2)^3
                                                   = 2 x 10^-6
(that is, 1 minute per year).
It would be lower still if testing were staggered (see Section 3.5.7, page 111).
Do we really believe that our instrument engineers can provide us with a protective system that is dead for only 1 minute per year? This calculation is wrong as it ignores two factors:
(a) The time the trips are out of action for testing.
(b) Common mode failures. For example, all three instruments are from the same manufacturer's batch and have a common manufacturing fault, all three instruments are affected by contaminants in the instrument air or process stream, all three impulse lines are affected by mechanical damage or flooding of a duct, or all three instruments are maintained by the same man who makes the same error. Two or three protective systems are never completely independent.
Therefore, we assume that the fractional dead time of a redundant system is never less than 10^-4 (that is, 1 hour per year) and is often only 10^-3 (that is, 10 hours per year). As we can get 10^-4 with two trips, a third trip is not worth installing (except as part of a voting system).
For example, wearing a second pair of braces attached to the same buttons may reduce the chance of our trousers falling down. Failure of the buttons (the common mode) is now the biggest cause of failure and adding a third pair of braces, attached to the same buttons, will make no further improvement.
With a diverse system (that is, one in which the approach to a hazardous condition is measured in different ways, say by a change in an analysis, a change in pressure and a change in temperature), 10^-5 (6 minutes per year) may be possible with an extremely complex protective system (Reference 44). For example, belt and braces are better than two pairs of braces. This example illustrates the perils of using thorough mathematics and ignoring practicalities.
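The configurations of Section 3.5.10 together with the common-mode floor of Section 3.6.4, as an added Python example (not the book's code or Table 3.6). The 1-out-of-1, 1-out-of-2 and 1-out-of-3 dead times and the 3S^2 T spurious rate for 2-out-of-3 are the page's; the 2-out-of-3 dead time (fT)^2 follows from the statement that 1-out-of-2 is three times safer; the 1-out-of-2 and 1-out-of-3 spurious rates (2S and 3S, any one device tripping the system) are my own OR-gate derivation, and the 1e-4 / 1e-5 floors are the rule of thumb stated in Section 3.6.4.

```python
HOURS_PER_YEAR = 8760.0
MINUTES_PER_YEAR = 60.0 * HOURS_PER_YEAR

# Fail-danger fractional dead times: f = fail-danger fault rate, T = test
# interval, all devices tested together, fT small.
def fdt_1oo1(f, T): return 0.5 * f * T                 # Table 3.6, first line
def fdt_1oo2(f, T): return (f * T) ** 2 / 3.0          # Section 3.5.7, not 1/4 f^2 T^2
def fdt_1oo3(f, T): return (f * T) ** 3 / 4.0          # = 2 x (0.5 fT)^3, Section 3.6.4
def fdt_2oo3(f, T): return (f * T) ** 2                # three times fdt_1oo2 (page)

# Spurious (fail-safe) trip rates per year, S = fail-safe fault rate.
def spurious_1oo1(S, T): return S
def spurious_1oo2(S, T): return 2.0 * S                # either device trips (assumed OR)
def spurious_1oo3(S, T): return 3.0 * S                # any of three trips (assumed OR)
def spurious_2oo3(S, T): return 3.0 * S ** 2 * T       # page formula, faults undisclosed;
                                                       # pass the repair time as T if a
                                                       # single fault sounds an alarm

CONFIGS = {"1oo1": (fdt_1oo1, spurious_1oo1), "1oo2": (fdt_1oo2, spurious_1oo2),
           "1oo3": (fdt_1oo3, spurious_1oo3), "2oo3": (fdt_2oo3, spurious_2oo3)}

def credited_fdt(raw_fdt, diverse=False):
    """Section 3.6.4 rule of thumb: testing downtime and common mode failures
    mean a redundant system is never credited with less than 1e-4 (about
    1 hour/year); 1e-5 (about 6 minutes/year) only for a diverse system."""
    floor = 1e-5 if diverse else 1e-4
    return max(raw_fdt, floor)

def minutes_dead_per_year(fdt):
    return fdt * MINUTES_PER_YEAR

def evaluate(f, S, T, diverse=False):
    """{config: (calculated fdt, credited fdt, spurious trips per year)}."""
    return {name: (fdt_fn(f, T), credited_fdt(fdt_fn(f, T), diverse), sp_fn(S, T))
            for name, (fdt_fn, sp_fn) in CONFIGS.items()}

if __name__ == "__main__":
    # Constructed case: f = 0.2/year and T = 0.1 year give each device the
    # fdt of 1e-2 used in Section 3.6.4; S = 0.5/year is an assumed value.
    for name, (raw, credited, spurious) in evaluate(0.2, 0.5, 0.1).items():
        print(f"{name}: fdt {raw:.2e} ({minutes_dead_per_year(raw):.1f} min/year), "
              f"credited {credited:.0e}, spurious trips {spurious:.3g}/year")
```

With these numbers the calculated 1-out-of-3 dead time is 2 x 10^-6 (about 1 minute per year) but the credited value is clamped to 10^-4, while the 2-out-of-3 arrangement cuts the spurious trip rate from 1/year (1-out-of-2) to 0.075/year at the cost of three times the dead time.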
Another example of a common mode failure is shown in Figure 3.14(a), (b) and (c). A pressure switch installed on a firewater main switches on a pump when the pressure falls. The failure rate is 0.8/year, the test interval T is 0.1 year and the demand rate D is 10/year. The hazard rate H, the frequency with which the pump fails to start on demand,
= D x 0.5 fT
= 10 x 0.5 x 0.8 x 0.1
= 0.4/year or once in 2.5 years
or once in 3.2 years if we use the more accurate formula in Section 3.5.6 (page 110).

The system shown in (b) was therefore installed. The hazard rate fell to only once in 4 years as the most likely reason for failure of the pressure switch is choking of the impulse line. The system shown in (c) has a hazard rate of once in 77 years.
Watch out for phoney redundancy: parallel or series systems that look as if they are duplicated but the duplication is ineffective. Here are three
Two bursting discs were installed in series so that the failure of one (below the intended failure pressure) would not interrupt production. The upstream one was accidentally installed upside down and it ruptured at a low pressure. The second disc was then ruptured by the shock wave and pieces of the first

Figure 3.14 A common mode failure; (b) is little more reliable than (a); (c) is better

The casing of the Challenger space shuttle was made in two parts, with an O-ring seal between the two parts. Realizing that the O-rings were weak features, the designers decided to duplicate them. However, this was ineffective as one ring in a pair is liable to be gripped more tightly than the other (Reference 83).
If two devices, connected in series or parallel, are tested as a pair then failure is not detected until both have failed. For example, if there are two valves in series and we wish to check that they are isolating, we should check them individually. If we check them as a pair we are not getting the full advantage of redundancy. Two valves in parallel can, of course, be tested as a pair if we wish to check that both are isolating, but not if we wish to check that neither is blocked. Several incidents have occurred on US nuclear power stations because duplicate systems were tested as a unit (Reference 84).
Redundancy and diversity are effective when failures are random. They are less effective when failures are due to wear (see Section 3.6.7, page 130) and least effective when failures are systemic. For example, if failure is due to corrosion two identical systems will corrode at the same rate. Two diverse systems made, say, from different materials of construction, may give extra protection but they may both corrode. The ultimate example of a systemic failure is an error or ambiguity in an instruction (to people or computers). People may (and often do) say, 'This can't be right, whoever wrote it must mean something else'; computers can't.
3.6.5 More about common mode failures

What is wrong with the trip system shown in Figure 3.15?
The pressure in the vessel is measured by the pressure transmitter (PT) and controlled by the pressure indicator controller (PIC) which adjusts the setting on the motor valve. If this control system fails to work and the pressure rises above the set point, then the high pressure switch and trip (PSZ) operate to close the motor valve. At the same time the high pressure alarm (PAH)

Figure 3.15 Original trip system. What is wrong with it?

This trip system is almost useless. The most likely causes of the pressure in the vessel getting too high are:
(1) Failure of the pressure transmitter (PT) or choking of the impulse line. If either occurs the trip will not know there is a high pressure in the vessel.
(2) Motor valve sticks open. In this case the trip will know that there is a high pressure in the vessel and will send a signal to the motor valve, but the motor valve will not respond.
(3) Failure of the pressure indicator controller (PIC). In this case the trip will work.
(3) is less likely than (1) or (2) as the PIC is in the clean atmosphere of the control room while the PT and valve are out on the plant. The trip will therefore operate on less than one third of the occasions when we want it to operate. Such a trip is not worth having. It is neither 'nowt nor summat'. It may do more harm than good, as we may expect it to operate and not watch the pressure so closely.
The system shown in Figure 3.16 has a high reliability. The high pressure trip and alarm (PSZAHI) has an independent connection to the vessel and operates a separate motor valve. There is a cross-connection to the control valve.

Figure 3.16 Modified trip system

A high pressure switch (PS) and pre-alarm (PA) give a warning that the pressure is approaching the trip setting and allow the operator to take action. This pre-alarm will operate if the rise in pressure is due to failure of the pressure indicator controller (PIC) or motor valve but not if it is due to failure of the pressure transmitter (PT). If a high pressure occurs the pre-alarm will operate on about two occasions out of three and the trip on almost all
The system shown in Figure 3.16 is expensive. That shown in Figure 3.15 may have been a compromise between no trip and the design shown in Figure 3.16, but it is a compromise that is worse than either extreme.
Another example of common mode failure: a group of chemical factories believed that power failure was impossible as their supply was duplicated. They did not realize that both supplies came from the same 132 kV overhead power lines. A fire in a warehouse underneath the power lines caused a complete loss of power and several incidents in the chemical factories, including a fire (Reference 51).
3.6.6 Designer's intentions not followed
The tank shown in Figure 3.17 was filled once/day. Originally the operator
switchedoff the pump when the tank was full. After 5 years the inevitable
happened. One day the operator allowed his attention to wander and the tank
was overfilled. A high-level trip was theninstalled. To everyone'ssurprise, the
tank was overfilled again after 1 year.

Figure 3.17 Tank fitted withhighlevel trip



The trip had been used as a process controller to switch off the pumpwhen
thelevel rose to the set point. The operatorno longer watched the level. The
managerknew this and thought that better use was being made of the operator's time. When the trip failed, as it was bound to do after a year or two,
another spillage occurred.
It is almost inevitable that the operator will use the trip in this way. We
should either remove the trip and accept an occasional spillage or install two
trips one to function as a process controller and one to act when the
controller fails. The singletrip increased the probability of a spillage.
In this example and the last one we saw that no trip was a reasonable soluti()n and so was a good trip. The compromise solution was a wasteof money.
On occasions eitherof two extremes makessensebut a compromise does not.
(Because this is true of instrumentation do not assume it is true elsewhere.)
A similar incident occurred on a plant in which a delivery tank was filled
frequently from a suction tank. To reduce effort, the operators switched offthe
pump between transfers but did not close any valves. They relied on a
non-return valve to prevent reverse flow. Inevitably, one day the non-return
valve failed (a piece of wire had become trapped in it). and reverse flow
occurred from the delivery tank, backwards through the pump to the suction
tank,which was overfilled.
If we increase the demand rate on a protective system we increase the
failure rate. When more protective systems are addedto a plantthere maybe a
tendency for operators to increase the demandrate on them and if they do we
may soon be back with the old failure rate. For example, suppose a high
temperature alarm is added to a reactor. The operator may say. 'There is no
need to watch the temperature now. The alarm will do it for me'. The extra
equipmenthas then achieved nothing except more expense and more equipment to maintain. It is a useful exercise to calculate the hazardrates ofour trip
systems, from failure rates, demand rates and test intervals (as described in
Section 3.5.3, page 107). We mayfind that to get an acceptable hazard rate we
haveto assume that nine out often deviations are spotted by operatorsbefore
the trip operates. Do operatorsrealizethis? Do managersrealizethis?
If we comment on a design and the designer says, 'Don't bother me with it now. Bring it up at the Hazop', we are increasing the demand rate on the Hazop. The chance that the meeting will miss something increases. Hazop should be a final check that nothing has been missed, not an occasion to discuss known weaknesses in the design (see Section 2.4.7, page 33).



3.6.7 Non-random failures

A new plant had two 100% compressors (one working, one spare). The failure rate and the time required for repair were known. Calculation showed that if failures are random, the off-line time would be 0.04% (3 hours per year). The actual off-line time was 1.8% (144 hours per year). Why?
The failure rates and repair times were as expected but the failures were not random; most occurred soon after a compressor had been put on line. This may have been due to wrong diagnosis of the fault, installation of wrong parts or incorrect re-assembly.
Mathematical techniques (Weibull analysis) for handling non-random failure are available if the need to use them is recognized⁵.
Most machinery, perhaps all equipment with moving parts, seems to fail in a non-random way. One study showed that valve failure is due to wear⁴⁵. Motor cars provide another example of non-random failure: they are more likely to require attention during the week after servicing than at any other time. If you had two cars (one working, one spare) and one had just been serviced, would you leave it unused until the other broke down or required servicing? Equipment after repair is as bad as new, rather than as good as new.
Non-random incidents can be due to non-random demands as well as non-random failures of equipment. A study showed that bank cash machines failed to operate when required on 17% of the occasions on which they were used. The banks said that the non-availability of the machines was only half this figure. The banks quoted an average availability round the clock but the trials measured the availability at the time of use. Usage is heavy at weekends when there is usually no-one available to repair or refill the machines⁴⁶.
There is another example of non-random demands in Section 3.5.7, page 111.
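The compressor case above, as an added simulation that is not from the book: a cold-standby pair whose times to failure are drawn either from an exponential distribution (random failures) or from a Weibull distribution with shape below 1 and the same mean, so that failures cluster soon after a unit is put on line, as the section describes. The mean time to failure, repair time and Weibull shape are constructed values and the simulation is my own method, not the calculation the plant made.

```python
# Added example, not from the book: why "as bad as new" failures after repair
# make a one-working-one-spare pair go off-line far more often than a random
# failure model predicts. Cold-standby pair, both units repaired in a fixed
# time, the spare assumed not to fail while idle. All numbers are constructed.
import math
import random

MEAN_TTF_HOURS = 1000.0  # constructed mean time to failure of a running unit
REPAIR_HOURS = 24.0      # constructed fixed repair time
SHAPE = 0.5              # Weibull shape < 1: failures cluster just after start-up

# Weibull scale chosen so both models have the same mean time to failure.
WEIBULL_SCALE = MEAN_TTF_HOURS / math.gamma(1.0 + 1.0 / SHAPE)


def exponential_ttf(rng: random.Random) -> float:
    """Random (constant-rate) failures."""
    return rng.expovariate(1.0 / MEAN_TTF_HOURS)


def early_failure_ttf(rng: random.Random) -> float:
    """Non-random failures: most occur soon after the unit is put on line."""
    return rng.weibullvariate(WEIBULL_SCALE, SHAPE)


def simulate_standby_pair(draw_ttf, repair_hours: float,
                          horizon_hours: float, rng: random.Random) -> float:
    """Return the off-line fraction of a cold-standby pair.

    One unit runs, the other is spare. When the running unit fails its repair
    starts at once and the spare is started, provided the spare is back from
    its own repair; otherwise the plant is off-line until it is.
    """
    t = 0.0
    offline = 0.0
    spare_ready_at = 0.0  # both units available at the start
    while t < horizon_hours:
        t += draw_ttf(rng)          # running unit fails now
        failed_at = t
        if spare_ready_at > t:      # spare still under repair: outage
            offline += spare_ready_at - t
            t = spare_ready_at
        spare_ready_at = failed_at + repair_hours  # failed unit becomes the spare
    return offline / t


def offline_fractions(horizon_hours: float = 1e8, seed: int = 1):
    """(random model, early-failure model) off-line fractions, same seed."""
    random_model = simulate_standby_pair(
        exponential_ttf, REPAIR_HOURS, horizon_hours, random.Random(seed))
    early_model = simulate_standby_pair(
        early_failure_ttf, REPAIR_HOURS, horizon_hours, random.Random(seed))
    return random_model, early_model


if __name__ == "__main__":
    rnd, early = offline_fractions()
    print(f"random failures:       {rnd:.4%} off-line")
    print(f"failures after repair: {early:.4%} off-line")
    print(f"ratio: {early / rnd:.1f}x")
```

With these inputs the random model gives roughly 0.03% off-line time and the early-failure model roughly 0.3%, an order of magnitude more from the same mean failure rate and the same repair time.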

3.7 The man or woman in the middle

Figure 3.18 illustrates a common plant situation. When the alarm sounds the operator has to go outside and close a valve within, say, 10 minutes.
The reliability of the alarm is known. If it is too low it is easy to improve it by adding redundancy or diversity, that is, by adding in parallel identical components or different components capable of performing the same function (see Section 3.5.10, page 118). The reliability of the valve is known roughly and if we do not think it is high enough we can use a better quality valve or two valves in series. But what about the reliability of the operator? Will he always close the right valve in the required time?
At one time people assumed he would or should. If he did not he should be told to pay more attention. Other people have gone to the other extreme and said that sooner or later all operators make errors and therefore we need fully automatic equipment.

Figure 3.18 Reliabilities in a man/machine system (figure not reproduced; its labels read 'Easy to improve?', 'Known accurately' and 'Known roughly')

Both these extremes are unscientific. We should not say, 'The operator always should' or 'The operator never will' but ask why he does not always close the right valve in the required time and how often he will do so. The failure to close the valve in the required time may be due to lack of training or instructions (mistakes: he does not know he should do so), to a deliberate decision not to do so (violations), to lack of physical or mental ability or (and this is the most likely reason) to a momentary slip or lapse of attention. It is difficult to estimate the probability of the first three causes (but see later), though we can assume that failures for these reasons will continue in an organization at the same rate as in the past, unless there is evidence of change. Violations would be better called non-compliances as many (and perhaps most) of them are due to a genuine belief that the rules are unnecessary or inappropriate and that there is a better method of doing the job.
The probability of a slip or lapse of attention can be estimated roughly. The answer will depend on the degree of stress and distraction and the suggestions in Table 3.7 (page 132) may help us make a judgement.
In carrying out a familiar routine, such as starting up a batch reactor, a typical failure rate is 1 in 1000 for each operation (for example, close valve). Some of these failures will be immediately apparent but others will not⁹.
Note that the figures in Table 3.7 assume that the operators are well trained, capable and willing. As already stated, it is difficult to give a figure for the probability that this assumption is correct; it can vary from 0 to 1 depending on the policy of the company. We can however make a rough estimate of the probability that a man will have a moment's aberration, as we all do in [...] forget [...] carry [...] (see Section 4.7, page 162).




Table 3.7 Suggested human failure rates

1 in 1      When complex and rapid action is needed to avoid a serious incident. The operator will not really be as unreliable as this but he will be very unreliable and we should assume this figure and install fully automatic [...]
1 in 10     In a busy control room where other alarms are sounding, the telephone is ringing, people are asking for permits-to-work, and so on.
1 in 100    In a quiet control room, for example, a storage area control room, if the man is present.
            (A figure between these last two may be estimated.)
1 in 1000   If the valve to be closed is immediately below the alarm

It must also be remembered that not all tasks can be prescribed. Sometimes the operator has to diagnose the correct action from the alarm and other instrument signals and may not do so correctly, particularly if the instruments are not reading correctly. This happened at Three Mile Island¹⁰.
Poor management may result in neglect and a high rate of equipment failure. A method proposed for allowing for this is to multiply generic hardware failure rates by a factor between 0.1 and 10 which is a measure of the competence of the management. The factor is derived from an audit using a standard set of questions⁸⁵. In a more advanced method developed by Hurst et al⁸⁶ a detailed analysis of the underlying causes of various types of failure is used to weight the audit factor. For example, according to the authors 24% of vessel failures could be prevented by human factor reviews. In deriving the audit factor for vessel failures the audit marks for human factors are weighted [...]
This method does provide a possible way of making some allowance for the fact that employees may be poorly trained, instructed or supervised, lack motivation, or do not have the necessary ability. It is rough justice, however, as managers may not be uniformly weak in all these areas. More importantly, better management will have little effect on slips and lapses of attention, which are due to innate weaknesses in human nature. To prevent them, or make them less likely, we have to remove or reduce opportunities for human error, a task for designers as well as managers. We can estimate the frequency of slips and lapses of attention from data such as those in Table 3.7.
Like all Hazans, data derived from these studies may not be accurate but may pinpoint the areas in which improvement will be most effective.


Finally, remember that installing a fully-automatic system does not remove our dependence on people. Instead of relying on the operator we are now dependent on the people who design, install, test and maintain the fully automatic equipment. They also make errors. They work under conditions of less stress so we may improve the overall reliability by installing fully-automatic systems but we should not kid ourselves that we have removed our dependence on people.
For a fuller discussion of human error, see Reference 9.

3.8 Examples of Hazan

The descriptions which follow are typical of Hazans carried out today. They include well-defined problems using good data, mainly on instruments (for example, Sections 3.8.2 and 3.8.5 and those referenced in 3.8.9), and less well-defined problems where order-of-magnitude accuracy is the best that can be expected (for example, Sections 3.8.4 and 3.8.6), though conclusions should err on the safe side. Sections 3.8.1 and 3.8.3 lie between these two extremes (see also Section 6.3, page 196).

3.8.1 A better protective system or a better material of construction?

A plant⁴⁷ handled ethylene gas at -100°C. After construction was complete, it was realized that instrument failure could result in the cold gas reaching some mild steel pipework. If it did, the pipework might fracture and the gas would then escape and might ignite. Two methods of protection were considered: replacing the mild steel by stainless steel at a considerable cost or improving the trip system at one quarter of the cost.
The improved trip system contained three independent layers of protection (see Figure 3.19 on page 134):
(1) A high level alarm on a catchpot.
(2) A high level trip, set at a higher level, which closed a valve on the inlet line to the catchpot.
(3) A low temperature trip on the gas exit line from the catchpot which closed a valve in the gas line. (The catchpot and overhead line were made from stainless steel but the line led to a mild steel line.)
The fractional dead time of the redesigned trip system was calculated from data on the reliability of the components and the test frequency. It was assumed that the operator would ignore the alarm on one quarter of the occasions on which it operated. The demand rate was estimated from experience on similar plants. The hazard rate, the frequency with which cold gas would contact the mild steel, was found to be once in 10,000 years or once in 2500 years for the whole plant which contained four similar systems.

Figure 3.19 Protective system to prevent overcooling of mild steel pipeline (figure not reproduced; labels: Gas (normal route); Gas (not intended for use when gas is cold); Mild steel; TZLO Low temperature trip; LAH High level alarm; High level trip; Level controller)

It was assumed that on one tenth of the occasions on which the trip system failed there would be a leak and an explosion and the operator would be killed, almost certainly an overestimate. The operator will therefore be killed once in 25,000 years giving a FAR of 0.45 (see Section 3.4.2, page 90), close to the target of 0.4 for a single risk considered in isolation (see Section 3.4.1, page 87). It was therefore agreed that the protective system, as modified, was adequate, and that it was not necessary to replace the mild steel.
If the mild steel had been replaced, the already low risk would have been made even lower and the cost per life saved (see Section 3.4.7, page 100) would have been about 150M at 1970 prices (about 1500M at 1999 prices).
This cost is a notional one, that is, spending the money would make an already low risk even lower but it is very unlikely that anyone will be killed if the money is not spent. In contrast, many of the costs of saving a life listed in Table 3.4 are not notional: real lives will be saved if more money is spent on health or road safety.
Note that the decision might have been different if the hazard had been identified during design. Unfortunately no Hazop was carried out.

3.8.2 Stopping a reaction

A reactor (Figure 3.20) was fitted with a kill system⁴⁸. If measurements showed that the reaction was getting out of control, the kill valves opened and a catalyst poison, stored under nitrogen pressure, was injected. To prevent the poison leaking into the reactor and to reduce the chance of spurious operation, the kill valve was duplicated in series and both kill valves were 'fail closed'. The kill system could also be activated by the operator.
Originally, if the kill system failed to operate, a bursting disc, connected to a catchpot, would burst and prevent damage to the reactor. After a plant expansion the bursting disc was no longer big enough to prevent damage and it became necessary to improve the reliability of the kill system. Table 3.8 shows several cases that were considered. Case 2 was the existing system. It can be seen that the kill system would be over three times more reliable if the two 'fail closed' valves were replaced by a single 'fail open' valve (Case 4). If the site cooling water supply failed, the operator would have to activate the kill system and an allowance was made for the probability that he would fail to do so.
Installing two parallel kill valves (Case 5) makes only a slight improvement in reliability. If a Hazan had not been carried out, this option would probably have been adopted on the philosophy that 'if one is good, two must be better'. The Hazan showed that the least reliable component of the kill system was the solenoid valve that actuated the kill valve. Duplication of the solenoid valve gave almost the same reliability as Case 5.

Figure 3.20 Reactor with kill system (figure not reproduced; label: 'Kill signal to ...')

Table 3.8 Comparison of reliability of kill system configurations

Case  Configuration                                          Probability of failure   Compared to Case 4
1     Single valve (fail closed)                             1.6 × 10^[...]           [...]
2     Two valves in series (fail closed)                     2.6 × 10^[...]           [...]
3     Single valve (fail open)                               1.1 × 10⁻²               [...]
4     Single valve (fail open) (includes operator action)    8.2 × 10^[...]           [...]
5     Parallel valves (fail open) (includes operator action) 6.6 × 10^[...]           [...]

3.8.3 Inset or parallel berths for gas tankers?

A company wanted to construct a berth alongside a river bank for loading liquefied gas. The port authority was concerned that while a ship was at the berth another ship, passing along the river, might go out of control and collide with the gas ship. They suggested that the berth should be located in a specially constructed inlet at right angles to the bank.
Few, if any, liquefied gas ships have been involved in collisions in harbours. The probability of a collision was therefore estimated from the frequency of collisions to other ships serious enough to have ruptured the tanks on a gas ship. This study showed that a collision between a ship and the bank, while it was manoeuvring into a confined space, was several times more likely than a collision between two ships while one was tied up at a berth. Constructing an inlet would have made a collision more, not less, probable. This conclusion was valid for the particular river but may not be true for other rivers.
At first sight constructing an inset berth seemed an obvious way of increasing safety. Numerical treatment of the problem showed that the obvious solution actually increased the risk. The study also showed that the most effective way of reducing the probability of a collision is to prohibit the movement of ships in the opposite direction when a gas ship is moving. Some of the staff of the port authority had not seen a problem dealt with in this way before. Although they accepted the conclusion they felt it was not in accordance with common sense and had an uneasy feeling that they were being blinded by science.
3.8.4 The effects of plants on nearby houses

Tweeddale⁷⁶ has described the studies carried out with a computer model on the risk imposed by a petrochemical site on its neighbourhood. The first study was made when three tenders were received for a new unit. Two of the designs required a buffer zone of 100 m between the unit and the nearest houses while the third design required 300 m. The difference between the estimates was more significant than the actual figures and detailed examination of the calculations drew attention to a feature in the third design which had been [...]
The model was then used to look at the total risk from all the units on the site. It was about three times the target that the company had set itself, though within the margin of error. This confirmed the gut feeling of the staff that the nearest houses were rather closer than they would have liked but not so close as to be demonstrably unsafe. The model was then used to pinpoint the features that contributed most to the risk. When another new unit was planned the model was run once more. Again it showed a risk on the wrong side of borderline and changes were made to the design and layout to reduce the risk. Without the results of these calculations the project team would have found it hard to justify the extra cost.
However, the studies assumed good standards of management and operation. Tweeddale comments that perhaps the studies should have assessed the probability that this would continue to be the case. Management standards, like hardware, can fail.


Ellis⁸⁷ (of the Health and Safety Executive) has described a similar but simpler study of a hypothetical application for planning permission for a 130-bedroom hotel. The proposed site was 500-650 m from a water treatment plant containing two 40 tonne chlorine tanks and a road tanker offloading bay. Calculation showed that the contour representing a risk of 10⁻⁶ per person per year passed through the hotel. This is just on the limit of acceptability (see Section 3.4.1, page 87) but, as a large number of people might be in the hotel at the same time, the Health and Safety Executive would suggest that the hotel be moved further away (see Section 3.4.3, page 90).
3.8.5 Use of slam-shut valves instead of relief valves

In the UK, natural gas is distributed at a gauge pressure of 70 bar and let down to 35 bar and then to 7 bar and 2 bar for customer use. If relief valves were used to protect against failure of the let-down control system there would be noisy discharges of gas in built-up areas and the releases might catch fire or explode. Slam-shut ball valves, powered by high-pressure gas or bottled nitrogen, have therefore been used for over 20 years instead of relief valves. They isolate the high-pressure gas if the pressure downstream of the let-down valves rises above a pre-set value.
The use of instrumented protective systems instead of relief valves has been advocated within ICI since the early 1970s⁴ (for example, in a paper called 'Are safety valves old hat?'⁸⁸), but many engineers were at first reluctant to use them. (They were, however, used to protect against explosions as relief valves could not operate quickly enough.) Starting in 1985, a detailed study was made of the use of slam-shut valves in place of relief valves on an ammonia plant. Nine valves were needed. To achieve the reliability required it was necessary to have two pressure switches, made by different manufacturers, sending electrical signals to a one-out-of-two voting system (that is, either signal trips the valve shut). The output from the voting system triggers three solenoid valves; two of them vent compressed air from the cylinder which is holding the isolation valve open and the third sends air to the other side of the piston. There is a spring on this side of the piston but the air provides diversity (Figure 3.21). The valves are tested every three months and the probability that any one will fail to operate is less than 1 in 1000 per demand or about 1.5 × 10^[...] per year. A single valve failing to operate is [...] equipment. The design was discussed with the Health and Safety Executive which raised no objection.
Anyone considering a similar installation should consult the original paper⁸⁹ which gives details of the design, the testing arrangements, code requirements, and so on. The paper shows Hazan at its best: the problem is clearly defined; good quality data are available; the assumptions, including the testing necessary, are clearly set out; the model of the process is realistic. Whatever one's reservations about the application of Hazan to risks from a site as a whole, there is no reason to doubt the value of studies such as this one (see the last paragraph of Section 3.2, page 79).

Figure 3.21 Arrangement of slam-shut valves on a let-down system (figure not reproduced; label: 'Manual by-pass valve (locked shut except for testing)')
(Reproduced by permission of the American Institute of Chemical Engineers. Copyright 1997 AIChE)

3.8.6 Fermi estimates and electrical area classification

The physicist Enrico Fermi had a reputation for making quick numerical estimates of the answer to a problem or query⁹⁰. For example, how many piano tuners are there in the area covered by my telephone directory? The population is about a million, say 250,000 households. If one in five owns a piano which is tuned every five years there will be about 50,000 tunings per year. If each tuner tunes five pianos per day for 250 days per year, or 1250 per year, there will be about eight tuners. But many piano tuners are part-time: they tune other [...], carry out repairs, sell pianos, so the actual number will be higher, perhaps 12. This estimate is not accurate, the true figure could easily be five or 30, but it gives us a quick, approximate answer. Yellow pages show that the actual figure is 16.
These quick estimates are usually not too far out as we are unlikely to over- (or under-) estimate every figure. They are sometimes adequate for a first look at a problem and may show that the answer is so clear that there is no need for a [...]
For example, consider electrical area classification. Zone 2 areas are those in which a flammable atmosphere is not likely to occur under normal operation and if it does occur will exist for only a short time. Can we be more precise? How long can it exist?
Assume a motor or other item of Zone 2 electric equipment is surrounded by flammable gas or vapour for 10 hours per year.
Experience shows that equipment certified for use in Zone 2 will develop faults which cause sparking or overheating once in 100 years.
There are about 8760 hours per year so a spark will coincide with gas or vapour and there will be a fire or explosion about once in 10⁵ years.
Observation shows that someone is within 3 m of a particular motor for 5% of the time. Assume that anyone within this distance is killed.
A fatality will therefore occur once in 20 × 10⁵ years. If there are 100 items of electric equipment on the plant there will be a fatality once in 20,000 years. If we make the pessimistic assumption that it is always the same four people (on shifts) who come within 3 m, then they are exposed to a risk of death of once in 80,000 years or 1.25 × 10⁻⁵ per year (FAR 0.625), close to our target of 0.4 for any risk considered in isolation (see Section 3.4.1, page 87).
In this case the estimates are almost all biased in one direction. It takes time for gas to diffuse into Zone 2 equipment, it is unlikely that everyone within 3 m would be killed and we have assumed that all the risk is concentrated on one person in each shift. In many parts of a Zone 2 area leaks are very rare, thus reducing the average risk. We can therefore, as a practical 'rule of thumb', define a Zone 2 area as one in which flammable gas is present for up to 10 hours per year⁹¹.
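The two FAR calculations of Sections 3.8.1 and 3.8.6 carried through from their stated inputs, as an added example that is not from the book. FAR is deaths per 10⁸ exposed hours; the exposure figures are my reading, not stated on the page: 8760 hours a year for the continuously manned operator position of 3.8.1 (which gives the book's 0.45) and 2000 working hours a year per person in 3.8.6 (which gives 0.625 from 1.25 × 10⁻⁵ per year). The Zone 2 chain is computed unrounded, so it differs slightly from the book's figures, which round the coincidence to once in 10⁵ years.

```python
# Added example, not from the book: the FAR arithmetic of Sections 3.8.1 and
# 3.8.6 from the inputs given there. FAR = deaths per 10^8 exposed hours.
# Exposure hours per year are my assumption: 8760 for a post that is manned
# round the clock, 2000 for one person's working year.

HOURS_PER_YEAR = 8760.0
WORKING_HOURS_PER_YEAR = 2000.0  # assumption: one person's exposure


def far(deaths_per_year: float, exposed_hours_per_year: float) -> float:
    """Fatal accident rate: deaths per 10^8 hours of exposure."""
    return deaths_per_year * 1e8 / exposed_hours_per_year


def ethylene_pipework(hazard_rate_per_system: float = 1e-4,
                      systems: int = 4, p_fatal: float = 0.1) -> dict:
    """Section 3.8.1: four similar trip systems, hazard once in 10,000 years
    each, one hazard in ten assumed to kill the operator (post manned 8760 h/yr)."""
    plant_hazard_rate = hazard_rate_per_system * systems   # once in 2500 years
    deaths_per_year = plant_hazard_rate * p_fatal          # once in 25,000 years
    return {
        "years_between_hazards": 1.0 / plant_hazard_rate,
        "years_between_deaths": 1.0 / deaths_per_year,
        "far": far(deaths_per_year, HOURS_PER_YEAR),
    }


def zone2_fermi(gas_hours_per_year: float = 10.0, fault_rate_per_year: float = 0.01,
                presence_fraction: float = 0.05, items: int = 100,
                people: int = 4) -> dict:
    """Section 3.8.6: a sparking fault (once in 100 years) coinciding with gas
    present 10 h/yr, someone within 3 m 5% of the time, 100 items on the
    plant, all of the risk borne by the same four people."""
    fire_rate_per_item = fault_rate_per_year * gas_hours_per_year / HOURS_PER_YEAR
    death_rate_per_item = fire_rate_per_item * presence_fraction
    plant_death_rate = death_rate_per_item * items
    per_person = plant_death_rate / people
    return {
        "years_between_fires_per_item": 1.0 / fire_rate_per_item,
        "years_between_deaths_plant": 1.0 / plant_death_rate,
        "years_between_deaths_per_person": 1.0 / per_person,
        "per_person_risk_per_year": per_person,
        "far": far(per_person, WORKING_HOURS_PER_YEAR),
    }


if __name__ == "__main__":
    for name, result in [("3.8.1 ethylene pipework", ethylene_pipework()),
                         ("3.8.6 Zone 2 equipment", zone2_fermi())]:
        print(name)
        for key, value in result.items():
            print(f"  {key:34s} {value:,.6g}")
```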


3.8.7 The result of not quantifying risks

In 1987, 31 people were killed and many injured by a fire in King's Cross Underground railway station in London. The official report⁹² made 157 recommendations. In 1992 the new managing director of London Underground accepted the 'damning criticism of the way we were managing the company'. However, he felt that in some places the report had gone too far as it had failed to use quantitative risk assessment (QRA) or cost-benefit analysis and had made recommendations that would produce little benefit. For example, London Underground faced expenditure of 100M over a year to comply with fire precaution regulations to save about a fifth of a life per year; 'We don't think that's good value for money'. After the fire London Underground had brought London virtually to its knees 'by attacking every escalator and tearing out all the wood'. Intuitively, that had seemed a good idea but calculations showed that this would reduce the probability of a serious escalator fire from once in six years to once in nine, while installation of sophisticated sensors and automatic sprinklers would reduce the probability to once in a thousand years.
The managing director also praised QRA for compelling people to face the setting of safety spending priorities and the valuation of human life and accused media persons, politicians and others of publicly implying infinite value for each life. Yet motoring, flying, and indeed all activity, would cease if we did not accept a trade-off between risk and benefit. Nevertheless, QRA did not supersede judgement but should lie alongside it⁹³.
Similar criticisms were made in a report produced for the Health and Safety Executive following an incident in 1992 when two suspect briefcases were found in a train. Seven trains were stopped in tunnels during a morning rush hour as there were more trains on the line than there were stations to stop them at. It took five hours to evacuate all 6000 passengers, 70 of whom were taken to hospital with heat exhaustion. Smoke from a short circuit on one of the trains added to the confusion and if it had developed into a fire the result might have been disastrous. The briefcases turned out to be harmless pieces of lost luggage.
The report says that closure and evacuation of stations may not always be the right response. It recommends that railway staff are given training, similar to that given to airport staff, to help them assess the seriousness of bomb warnings. On fire prevention the report is more positive. It says that as a result of the action taken since 1987 the situation has been transformed and fire prevention should no longer claim a lion's share of resources. Instead QRA should be used to assess priorities. The existing legislation, based on regulations which must be followed, should be replaced by one based on the quantitative assessment of [...]

3.8.8 Balancing probabilitiesand consequences

The risk of injury or damage depends on the size and probability of a leak. Is it more effective to reduce the size or reduce the probability? Hazan may help us answer this question.
If the inventory in a plant or storage area is reduced, the maximum size of a leak will be less and so the consequences will be less but the probability of a leak will not be changed. Reducing the number of leak points such as valves, drains, pumps, and so on, may be more effective than reducing the inventory in the existing equipment. If it is possible to take a vessel out of service, however, then there will be fewer places from which leaks can occur and both the probability and maximum size of a leak will be lower⁵².
Is it better to enclose equipment that handles chlorine in a building, so that any leaks are confined, or would the money be better spent on reducing the probability and/or the size of leaks? Detailed examination of a particular case showed that containment was very expensive, had disadvantages and did not greatly reduce the risk⁹⁵.
Liquefied petroleum gas (LPG) had to be piped across country for storage in a well. Two options were considered: pumping at high pressure (about 100 bar) so that the LPG could go straight into the well, and pumping at low pressure (35 bar), when another pump would be needed near the well. With the second option there would be more sources of leaks and more leaks, as pumps leak far more often than pipes. However, with the first option, if the pipe did rupture the leak would be larger. As the pipeline followed open country the first option was chosen, as it was cheaper, but the decision would have been different if people had lived near the pipeline⁹⁶.
3.8.9 Other examples

Lawley¹¹,¹²,¹³ has described three hazard analyses in detail, showing fault trees and explaining the derivation of each item of data used. The first¹¹, which is quoted by Lees, Chapter 9, analyses the precautions taken to prevent a series of crystallizers overflowing, the second¹² analyses the precautions taken to prevent a pipeline getting so cold that it becomes brittle and might fail, and the third¹³ analyses the precautions taken to prevent loss of level in the base of a distillation column and discharge of high pressure gas into a low pressure tank. Reference 24 describes how the methods of Hazan have been applied to a number of other high-technology industries.
The subject of this chapter is discussed more fully in References 13-17 and in Lees, Chapter 9. References 16 and 17 deal particularly with risks to the public. Reference 17 reviews the various targets or criteria that have been proposed.
There is an enormous literature on the philosophy of risk acceptability, most of which deals with the more philosophical difficulties, and does not offer much advice to the practitioner. References 18-22 and 26 are typical of these publications while References 23, 98 and 99 are more practical in their [...]

3.9 A summary of the main sources of error in Hazan

(1) Failure to foresee all the hazards or all the ways in which a hazard can arise (see Section 3.5.9, page 113).
(2) Errors in the logic (see Sections 3.5.4 and 3.6.5, pages 108 and 126).
(3) Failure to foresee that protection may not be fully effective because of poor design (see Section 3.6.4, page 123) or because time of action has been [...]
(4) Design assumptions not correct; for example, less testing, more demands, failures not random (see Section 3.6.7, page 130), different mode of operation (see Section 3.6.6, page 128).
(5) Common mode failures (see Sections 3.6.4 and 3.6.5, pages 123 and 126).
(6) Wrong data (see Sections [...], pages 120-121).
Some other errors are discussed in Chapter 4.

3.10 A final note

To many people the calculations of this chapter and others on the subject may seem cold-blooded or even callous. Safety, like everything else, can be bought at a price. The more we spend on safety, the less we have with which to fight poverty and disease or to spend on those goods and services which make life worth living, for ourselves and others. Whatever money we make available for safety we should spend in such a way that it produces the maximum benefit. There is nothing humanitarian in spending lavishly to reduce a particular hazard which has been brought to our attention, and ignoring the others.
Those who make the sort of calculations described in this chapter, far from being cold-blooded or callous, are the most effective humanitarians, as they allocate the resources available in a way which will produce the maximum benefit to their fellow men.

References in Chapter 3

1. ICI, 1968, Assessing Projects: Book 5, Risk Analysis (Methuen, London, UK).
2. Kerridge, A.E., 1982, Hydrocarbon Processing, 61(12): 56.
3. Kletz, T.A., 1996, Dispelling Chemical Engineering Myths, 3rd edition, 5 (Taylor & Francis, Washington, DC, USA).
4. Kletz, T.A. and Lawley, H.G., 12 May 1975, Chemical Engineering, 81.
5. Gibson, S.B., 1976, Chemical Engineering Progress, 72(2): 59.
6. Lees, F.P., 1980, in Proceedings of the Third International Symposium on Loss Prevention and Safety Promotion in the Process Industries, 6/426 (Swiss Society of Chemical Industries).
7. Lees, F.P., 1976, A review of instrument failure data, Symposium Series No. 47, 73 (Institution of Chemical Engineers, Rugby, UK). See also Lees, Section 13.6.
8. Aird, R.J., 1980, Reliability assessment of pumps, Convention on Fluid Machinery Failure, paper C145/80 (Institution of Mechanical Engineers, London, UK). See also Lees, Chapter 7.
9. Kletz, T.A., 1991, An Engineer's View of Human Error, 2nd edition (Institution of Chemical Engineers, Rugby, UK).
10. Kletz, T.A., 1994, Learning from Accidents, 2nd edition, Chapter 11 (Butterworth-Heinemann, Oxford, UK).
11. Lawley, H.G., 1974, Chemical Engineering Progress, 70(4): 45.
12. Lawley, H.G., 1980, Reliability Engineering, (2): 89.
13. Kletz, T.A. and Lawley, H.G., 1982, in High Risk Safety Technology, edited by A.E. Green, Chapter 2.1 (Wiley, London, UK).
14. Kletz, T.A., 1977, Hydrocarbon Processing, 56(5): 297.
15. Kletz, T.A., 1978, Chemical Engineering Progress, 74(10): 47.
16. Kletz, T.A., 1976, in Chemical Engineering in a Changing World, Proceedings of the World Congress of Chemical Engineering, edited by W.T. Koetsier, 397 (Elsevier, Amsterdam, The Netherlands).
17. Kletz, T.A., 1982, Reliability Engineering, 3(4): 325.
18. Lowrance, W.W., 1976, Of Acceptable Risk (Kaufmann, Los Altos, California, USA).
19. Council for Science and Society, 1975, The Acceptability of Risks (Rose, London, UK).
20. The Royal Society, 1992, The Assessment and Perception of Risk (London, UK).
21. Schwing, R.C. and Albers, W.A. (eds), 1980, Societal Risk Assessment (Plenum Press, New York, USA and London, UK).
22. The Royal Society, 1992, Risk: Analysis, Perception and Management. Report of a Study Group (London, UK).
23. Griffiths, R.F. (ed), 1981, Dealing with Risk (Manchester University Press, UK).
24. Green, A.E. (ed), 1982, High Risk Safety Technology (Wiley, London, UK).
25. Pitblado, R.M., Shaw, S.J. and Stevens, G., 1990, The SAFETI risk assessment package and case study applications, Symposium Series No. 120, 51 (Institution of Chemical Engineers, Rugby, UK).
26. Risk Analysis in the Process Industries. Report of the International Study Group on Risk Analysis, 1985 (Institution of Chemical Engineers, Rugby, UK).
27. Kletz, T.A., 1998, Process Plants: A Handbook for Inherently Safer Design (Taylor & Francis, Philadelphia, Pennsylvania, USA).
28. Mann, M., 1986, Journal of the Royal Society of Arts, 134(5358): 396.
29. Withers, J., 1988, Major Industrial Hazards, 85-97 (Gower, Aldershot, UK).
30. Health and Safety Executive, 1989, Risk Criteria for Land-use Planning in the Vicinity of Major Industrial Hazards (HMSO, London, UK).
31. Barnes, M., 1988, The Hinkley Point Public Inquiry: Report, Chapters 34 and 35 (HMSO, London, UK).
32. Health and Safety Executive, 1992, The Tolerability of Risk from Nuclear Power Stations, 2nd edition (HMSO, London, UK).
33. Jones, D.A. (ed), 1992, Nomenclature for Hazard and Risk Assessment in the Process Industries, 2nd edition (Institution of Chemical Engineers, Rugby, UK).
34. British Medical Association, 1987, Living with Risk (Wiley, Chichester, UK).
35. Risk Communication, Risk Statistics and Risk Comparisons, 1988 (Chemical Manufacturers Association, Washington, DC, USA).
36. Kletz, T.A., 1988, in Engineering Risk and Hazard Assessment, edited by A. Kandel and E. Avni, 11 (CRC Press, Boca Raton, Florida, USA).
37. Maher, S.T. et al, 1988, Relief valve testing optimisation programme for the cost-effective control of major hazards, Symposium Series No. 110, 117 (Institution of Chemical Engineers, Rugby, UK).
38. Programmes Analysis Unit, 1972, An Economic and Technical Appraisal of Air
Pollution in the UK (HMSO, London, UK).
39. Kletz. TA., 1996, Dispelling Chemical Engineering Myths, 125 (Taylor &
Francis, Philadelphia. Pennsylvania. USA).
40. Lees',Tables 13.17 and 13.18.
41. O'Mara, R.L. and Bergeron, C.B., 1987. Inherent safety how to keep a new
safety system from causingan accident. American Institute ofChemicalEngineers'
AnnualMeeting,New York, 1520 November.
42. Lloyd, T., 1989, The Chemical Engineer,No 458: 15.
43. NetTer. S., 1 June 1991, The DailyTelegraph, IS.
44. Stewart, R.M., 1971, High integrity protective systems, SymposiumSerie.vNo. 34,
99 (InstitutionofChemical Engineers. Rugby, UK).
45. Process News. July 1989. 8 (Institution of Mechanical Engineers Process Industries Division. London.UK)(summary ofpaperby D.W. Heckle and Dr Young).
46. Which?. February 1991, 71.
47. Kletz, TA.. 1971. Hazard analysis a quantitativeapproachto safety, Sympo,rium Series No.34.75(Institution ofChemical Engineers, Rugby,UK).
48. French. R.W., Olsen, R.E. and Peloquin, G.L.. 1990, Transactions' of the institution ofChemicalEngineers, Part B, Process Safety andEnvironmentalProtection,
68 (BI): 7,
49. Goyal, R.K.and Al-Jurashi, N.M., 1991, .lournalofLoss Prevention in the Process
Industries. 4 (3): 151
50. Rushton, AG., 1991. Transactions' of the institution of ChemicalEngineers, Part
B, Process' Sofety and Environmental Protection.69 (B4): 200.
SI. Ratcliffe, KB., 1991, Los's'PreventionBulletin, No. 098: 21.
52. Schaler, L.C.. 1990. Plant/OperationsProgress, 9 (1)50.
53. Barde. J-P. and Pearce, D.W.. 1991, Valuingthe Environment (Earthscan, London,


54. Pithlado, R. and Turney. R. (eds), 1996, Risk Assessment in the Process'industries',
2nd edition,Chapter3 (Institution ofChemical Engineers, Rugby, UK).
55. US Department of the Environment, 1998. Operating Experience Weekly
Summary, No. 9826, 6 (Washington, DC, USA).
56. DNV, 1998, Techin/. Winter/Spring,3.




ofthe institution ofChemical Engineers, Part B,

ProcessSatetv and Environmental Protection,72 (B I): I

57. Brown. M., 1994, Transactions

58. Everley, M., 1996, Health & Safely at Work, 18 (10): 18.
59. Hoffman, R. and Schmidt. S.L., 1997, old Wine New Flasks, 49(Freeman, New
York, USA).
60. Hambly. E.C.. I May 1992. PreventingDisasters, RoyalinstitutionDiscourse.
61. Health and Safety Executive Nuclear Safety Division, 1995, NuclearSafety Newsletter.7: 3.
62. Health and Safety Executive, 1989, Quantified Rick Assessment: its Inputto Decision Making (HMSO, London, UK).
63. Cohen,A.V. and Pritchard, D.K., 1980, Comparative risk ofelectricity production
systems: a critical survey of the literature. HSE Research Paper
London, UK).
64. Christen, P., Bohnenhlust, H. and Seitz, S., 1994. Proces.s SafrtyProgress, 13 (4):
65. Interdepartmental Liaison Group on Risk Assessment. 1996. Use of Risk Assessnientin Government Departments (Health and Safety Executive, London, UK).
66. McQuaid. J.. 1995, institution of Chemical Engineers, Part B,
ProcessSafi'iv and 1:nvironmenlal Protection,73 (B4): S39.
67. Mortcn, A., 1995, Eliminating Risksfirthe Travelling Public (Royal Academy of
Engineering, London. UK).
68. Kletz. TA.. 1994. Learning from Accidents, 2nd edition, Chapter 20
(Butterworth-Heinemann, Oxford, UK).
69. Ro-Ro Ferries and the Safety of the Travelling Public, 1997 (Royal Academy of
Engineering, London. UK).
70. Philley, JO., 1992, Plant/Operations Progress, 11(4): 218.
71 . Health and Salety Commission, 1991, Major HazardAspects ofthe Transportof
DangerousSub,stance,s (HMSO, London, UK).
72. The Risks of Fuel Transport, 1982, Proceedings of a conference sponsored by
HazardousCargo Bulletin (Oyez. London, UK). Quoted by Clifton,ii., April
1984, The effect of wall thickness on the behaviourof aluminium and steel road
tankers carrying flammable liquidswhen they are engulfedin flames, ReportNo.
SRD R 29/. page6 (UKAEA).
73. Department of the Environment. 1995, A Guide to Risk Assessment and Risk
Management/orEnvironmental Protection(HMSO, l..ondon,UK).
74. Goats, G.C., 1996, The Safrtv & Health Practitioner, 14 (12): 20.
75. Withers, J., 1988. Major Industrial Hazards,208 (Gower. Aldershot, UK).
76. Tweeddale, H.M., 1992. Tran,saction,sof the Institution of Chemical Engineers,
PartB, Process .Sa/etv and Environmental Protection,70 (B2): 70.
77. Lindley, J., 1997, Ls,s Prevention Bulletin, No. 136: 7.
78. Inquiryinto the Fire on Heavy Goocl,s VehicleShuttle 7539 on 18 November /996,
1997 (1-IMSO. London, UK).
79. Rushton. AG.. 1997. private communication.




80. Tweeddale, l-l.M., 1994, Risk assessment models,




National Safety Conference,

Sydney, Australia, May.
Rushton, AG., l995, The allocationof failurerates to containment components,
with particular referenceto hydraulic transients, Symposium Series No. /39, 453
(Institution ofChemical Engineers, Rugby, UK).
Anon, 1996, LossPrevention Bulletin, No. 130: 8.
Bell, T.E. and Esch, E., February 1987, IEEE Spectrum, 136.
Corcoran, W.R., 1993, Risk Management Quarterly(published by US Department
ofEnergy, Washington, DC), 1 (3): 2.
Pitblado, R.M.. Williams.J.C. and Slater, D.H., 1989, Plant/OperationsProgress,

9(3): 169.
86. Hurst, NW.. Bellamy. Li. and Wright, M.S., 1992, Research models of safety
management of onshore majorhazards and their possible application to offshore
safety,SymposiumSeriesNo. J30, 129 (Institution ofChemical Engineers. Rugby,

87. Ellis, A.F. and Pokorny. B., 1992, Continuous and episodic risksThe assessment link, Center/icrChemical Process Scitetyinternational Conforence on Risk
Analysis, Human Factors and Human Reliability in Process Safety.
88. Kletz, T.A.,September 1974, Chemical Processing, 77.
89. McConnell. R.A., 1997. Process Sati'tv Progress, 16 (2): 61.
90. von Bayer, H.C.. 1988, The Sciences, 28 (5): 2.
91. Benjaminsen, J.M. and Wiechen. RH., 1968, HydrocarbonProcessing. 47: 121.
92. Fennell. D., 1988, investigation into the King's CrossUndergroundFire (HMSO,
London, UK).
93. Conway, A., 1992, Atom, No 420:9.
94. Appleton, B., 1992, TheAppleton Report (HMSO, London, UK).
95. Purdy, G. and Wasilewski, 1994,JournalofLo,rsPreventionin the Process indus-

tries,7 (2): 147.

96. Goyal. R.K.. 1993, Transactions of the Institution otChemical Engineers, PartB,
Process Safety and Environmental Protection, 71 (B2): 117.
97. interpretation at Major Accident to the Environment for the Purposes of the
CJMAH Regulations A Guidance Note. 1991 (Department of the Environment,
London, UK). Quotedby Wilday, A.J., Ali, M.W.and Wu,Y., 1998, Index method
br cost-effective assessment of risk to the environment from accidental releases,
Symposium SeriesNo. /44,475 (Institution of Chemical Engineers, Rugby, UK).
98. Cooper. MG., 1985. Risk: Man-mac/cHazardsto Man (Clarendon Press, Oxford.

99. Williams, D.R.. 1998, What isSafo?, The Risks ofLiving in a NuclearAge(Royal
Society of Chemistry, Cambridge, UK).


Appendix to Chapter 3
Belt and braces

This is a simple example of the application of numerical methods to safety problems, showing how a hazard can be reduced to any desired level but not eliminated completely.
The accident we wish to prevent is our trousers falling down and injuring our self-esteem. Braces are liable to break and the protection they give is not considered adequate. Assume that breakage through wear and tear is prevented by regular inspection and replacement and that we are concerned only with failure due to inherent weaknesses or faults in manufacture which cannot be detected beforehand and which are random events.
Experience shows that, on average, each pair of braces breaks after ten years' service. Experience also shows that belts fail in the same way and as frequently as braces. Collapse of our trousers once in ten years is not considered acceptable.
How often will a belt and braces fail together? If one fails then it will not be detected until the item is removed at the end of the day. Assuming it is worn for sixteen hours per day, then, on average, every man is wearing a broken belt for eight hours every ten years and broken braces for eight hours every ten years.
The fractional dead time (fdt) of the braces is

and the fdt of the belt is the same.

The chance of the second protective device failing while the first one is 'dead' is:

hazard rate = demand rate × fdt
            = ... × 0.000137 = 2.74 × 10⁻⁵/year

or once in 36,500 years.



Failure of belt and braces together, therefore, occurs once in 36,500 years.

At the individual level this risk is tolerable. However, there are about 25,000,000 men in Great Britain so that, even if every man wears 'belt and braces', 685 men will lose their trousers every year. At the national level it is considered intolerable that so many men should be embarrassed in this way.
To reduce the risk further, every man could wear a third protective device, a second pair of braces. This would reduce the failure rate for the individual man to once in 133,000,000 years and for the country as a whole to once in five years. A third protective device, however, involves considerable extra capital expenditure and makes the system so complicated that people may fail to use it. An alternative is to get every man to inspect his belt and braces every two hours to see if either has broken. This will reduce the failure rate for the individual to once in 36,500 × 8 = 292,000 years and for the country as a whole to 685/8 = 85 men/year. This may be considered tolerable but is it possible to persuade men to inspect their 'protective systems' with the necessary regularity and what would it cost in education to persuade them to do so?

Coincident failure of belt and braces can occur in three ways:

(a) Belt fails when both pairs of braces have already failed;
(b) Braces 1 fail when belt and braces 2 have already failed;
(c) Braces 2 fail when belt and braces 1 have already failed.

The fdt for a 1-out-of-2 system is ⅓f²T² (see Table 3.5, page 111)

f = failure rate (0.1/year)

T = test interval (1/365 year)

For each failure mode the hazard rate

= demand rate × fdt

= 0.1 × ⅓f²T²

= 2.5 × 10⁻⁹/year

and for the three failure modes together

= 7.5 × 10⁻⁹/year
or once in 133,000,000 years.
The calculations are approximate as they do not make any allowance for common mode failures (see Sections 3.6.4 and 3.6.5, pages 123 and 126).
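The arithmetic of this appendix, worked through in code as an added example (it is not from the book). It reproduces the belt-and-braces figures with the fdt formulae the appendix uses, and it goes one step further than the text: a general 1-out-of-n group of identical, independently failing devices, for which the usual low-rate approximation is fdt = (fT)ⁿ/(n + 1), of which the appendix's ⅓f²T² is the n = 2 case, so the fourth scenario (three devices inspected every two hours) is one the text does not tabulate. Time is measured in years of wear, so the daily inspection interval is 1/365 year and the two-hour interval is 2/16 of that; the function names and the scenario labels are my own, and the only inputs carried over from the text are the 0.1/year failure rate and the 25,000,000 population.

```python
"""Belt-and-braces arithmetic from the appendix, as an added example.

Units: failure rates in 1/year, inspection intervals in years of wear,
fractional dead time (fdt) dimensionless.  Low-rate approximations:
a single device inspected every T years has fdt = fT/2, and a 1-out-of-n
group of identical independent devices has fdt = (fT)**n / (n + 1),
of which the appendix's (1/3) f^2 T^2 is the n = 2 case.
"""

FAILURE_RATE = 0.1                 # each belt or pair of braces: once in ten years
T_DAILY = 1 / 365                  # a failure is noticed when the item is removed each day
T_TWO_HOURLY = T_DAILY * 2 / 16    # inspected every two hours of a sixteen-hour day
POPULATION = 25_000_000            # men in Great Britain, figure used in the text


def fdt_single(f: float, T: float) -> float:
    """Fraction of the time one device is dead: on average it has been
    broken for half an inspection interval before anyone notices."""
    return f * T / 2


def fdt_1_out_of_n(f: float, T: float, n: int) -> float:
    """Fraction of the time all n devices of a 1-out-of-n group are dead.
    Assumes fT << 1; n = 1 reduces to fdt_single."""
    return (f * T) ** n / (n + 1)


def hazard_rate(n_devices: int, f: float, T: float) -> float:
    """Rate per year at which every one of n_devices is failed at once.

    hazard rate = demand rate x fdt: one device fails (rate f, and any of
    the n_devices may be the one) while the other n_devices - 1 are
    already dead.  With two devices this is 2 x 0.1 x fdt; with three it
    sums the failure modes (a), (b) and (c) of the appendix."""
    if n_devices < 1:
        raise ValueError("need at least one protective device")
    if n_devices == 1:
        return f
    return n_devices * f * fdt_1_out_of_n(f, T, n_devices - 1)


def years_between(rate_per_year: float) -> float:
    """Mean interval between events, in years."""
    return 1.0 / rate_per_year


def national_events_per_year(rate_per_year: float, population: int) -> float:
    """Individual rate scaled to the whole population."""
    return rate_per_year * population


def scenarios() -> dict:
    """The cases discussed in the appendix (plus one extra), keyed by description."""
    cases = {
        "belt and braces, checked daily": (2, T_DAILY),
        "belt and two pairs of braces, checked daily": (3, T_DAILY),
        "belt and braces, checked every two hours": (2, T_TWO_HOURLY),
        "belt and two pairs of braces, checked every two hours": (3, T_TWO_HOURLY),
    }
    out = {}
    for name, (n, T) in cases.items():
        r = hazard_rate(n, FAILURE_RATE, T)
        out[name] = {
            "hazard_rate_per_year": r,
            "once_in_years": years_between(r),
            "men_per_year": national_events_per_year(r, POPULATION),
        }
    return out


if __name__ == "__main__":
    for name, res in scenarios().items():
        print(f"{name}: once in {res['once_in_years']:,.0f} years, "
              f"{res['men_per_year']:.2f} men/year nationally")
```

Running it reproduces the text's figures: once in 36,500 years and 685 men/year for belt and braces checked daily, once in about 133,000,000 years for three devices, and once in 292,000 years (about 86 men/year) with two-hourly inspection. The point the code makes explicit is that the result scales with the inspection interval to the power of the number of redundant devices, which is why shortening the test interval helps a two-device system far less than adding a third device.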




This example illustrates the following general points:

(1) The risk can be reduced to any desired level by duplication of protective equipment but it cannot be completely eliminated. Some slight risk always remains. Even with three protective devices it could happen that coincident failure occurs not after 133,000,000 years but next year.
(2) The method used here is sound but the result is only as good as the input data. If the failure rate for belt or braces is not once in ten years but once in five or twenty years, then the conclusion will be in error, not by a factor of two, but by a factor of four for two protective devices and by a factor of eight for three protective devices.
(3) The event which we wish to prevent is not collapse of our trousers but injury to our self-esteem. Half (say) of the collapses will occur when we are alone or at home and will not matter, thus introducing an extra factor of two. (It is not explosions we wish to prevent but the damage and injury they cause; explosions which produce neither may be acceptable.)
(4) A risk which is tolerable to an individual may not be tolerable to the community as a whole.
(5) It is easier to devise protective equipment or systems than to persuade people to use them. More accidents result from a failure to use equipment properly than from faults in the equipment. The large number of unwanted pregnancies, for example, is not due to failure of the 'protective equipment' but to the failure of the 'operators', through ignorance, unpreparedness or deliberate choice, to use the equipment and methods available.
(6) This account is incomplete in one respect. It does not allow for the fact that men may occasionally forget to wear all their protective equipment or may decide not to bother (see Section 3.7, page 130).



Braces have prevented more serious accidents than the loss of one's trousers.

This plaque is displayed at the Clontarf Picnic Grounds, Sydney, Australia.

    Prince Alfred,
    Duke of Edinburgh
    (Son of Queen Victoria)

    At the Clontarf Picnic Grounds on the 12th March, 1868, one O'Farrell attempted to assassinate the then Duke of Edinburgh, Prince Alfred. Prince Alfred miraculously escaped serious injury. The assassin's bullet was impeded by the double thickness of the Duke's trouser braces. The Prince was conveyed to Government House where he was operated on a few days later. The surgeon was assisted in the operation by two nurses trained by Florence Nightingale. The young prince recovered.


A manager's guide to hazard analysis

'Aristotle maintained that women have fewer teeth than men; although he was twice married it never occurred to him to verify this statement by examining his wives' mouths.'

'We have to find a way of making the important measurable, not the measurable important.'
Robert McNamara, former US Secretary of Defense

4.1 Introduction
During the last 100 years managers have become increasingly dependent on the advice of experts of all sorts. The days have long gone when one man, George Stephenson, could survey and construct a railway line, design and construct the engine and drive it on the first journey. Perhaps an unconscious desire to be such an engineer is shown by those who display one of Stephenson's engines on their ties!
It is always tempting for a busy person, whether he is managing a plant, workshop or design team, to simply look at the last page of the expert's report and accept his conclusion. The manager cannot, as a rule, check the whole report and, even given the time, such reports often contain incomprehensible mathematics. This chapter is intended to help managers locate and check a few key points in reports on hazard analysis.

Tweeddale⁶ has described an extreme example of the results of leaving decisions to hired experts: a regulatory authority asked a company to prepare a safety case for a proposed new plant. The company's own staff were busy with the design so the company asked a consultant to prepare the safety case for them. The regulatory authority did not have sufficient staff to review the report so they hired another consultant to do so for them.
Tweeddale comments that this was rather like a student hiring someone to attend a course and sit an examination on his behalf, because he is too busy or incompetent to do so himself while, for the same reason, the examiner hires someone to set and mark the exam papers.
There should, of course, be a continuing dialogue between the experts (hired or in-house) and the clients during the development of a hazard analysis, and in the course of it the manager should ask the questions below. Nevertheless, on some occasions a senior manager may be presented with an analysis as the justification for a proposal to spend (or not spend) some money, and in these cases he will be questioning a finished or draft report. As a rule the first issues of Hazan reports should be drafts.
The following, for ease of style, is addressed to managers. The first point to check is that the three questions in Section 3.3 (page 80) have been answered.

Does the report:

    Say how often the incident will occur?

    Say how big the consequences will be?

    Recommend what we should do?

Blinding decision-makers with incomprehensible calculations is nothing new. The Roman emperor Valentinian III (reigned 425-455 AD) complained that 'those responsible put out a smokescreen of minute calculations involved in impenetrable obscurity'. (He was discussing tax collectors. They continued 'their corrupt bullying with arrogance and impunity scarcely disturbed by the distant sound of unenforceable Imperial threats'.)⁷

4.2 Arithmetic, algebra and units

As a rule there is no need for the manager to check the arithmetic. To do so is very time-consuming, it is unusual to find errors (most that are found do not matter anyway) and the analyst should have had it checked already.
Similarly, there should be no need to check the algebra. If the analyst is experienced he will have combined his rates and probabilities correctly at the 'AND' and 'OR' gates of his fault trees (see Section 3.5.9, page 113). If he is not experienced, he should have had his algebra checked by a more experienced person. If you think that the analyst may be new to the game, ask him who has been over his algebra.
It is, however, useful to look at fault trees or calculations and see that the units are clearly stated at each point, and that rates and probabilities are clearly distinguished. If they are not, they can easily get muddled. Two rates have been multiplied on more than one occasion (see Section 3.5.9, page 113).
Also look out for statements in the text, particularly in the conclusion and summaries, such as 'the probability (or target) is ...'. Probability of what? Of an ... injured (and, if so, any person or a particular person?), per year, per event, per hour or per what? (See the quotation from the US Supreme Court in Section 3.3, page 82.)
These, of course, are elementary mistakes made only by inexperienced or
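One way to make the units check mechanical rather than a matter of vigilance, as an added example that is not from the book: carry the unit with every quantity in a fault-tree calculation, either a rate (per year) or a dimensionless probability, and let the gate functions refuse the combinations that have no meaning. An AND gate may combine a rate with a probability (demand rate × fractional dead time gives a hazard rate) or a probability with a probability, but never two rates; an OR gate combines like with like. The class and function names are my own, the worked figures are constructed, and the gates assume independent inputs.

```python
"""Rate-versus-probability bookkeeping for fault-tree gates (added example).

Each quantity carries its unit.  A demand rate is 'per year'; a fractional
dead time or probability of ignition is dimensionless.  The gate functions
accept only combinations whose units make sense.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rate:
    """How often something happens, per year (a demand rate, a hazard rate)."""
    per_year: float


@dataclass(frozen=True)
class Probability:
    """Dimensionless chance that something is the case on a given occasion,
    e.g. a fractional dead time or a probability of ignition."""
    value: float

    def __post_init__(self):
        if not 0.0 <= self.value <= 1.0:
            raise ValueError(f"probability out of range: {self.value}")


class UnitError(TypeError):
    """Rates and probabilities combined in a way that has no meaning."""


def and_gate(a, b):
    """Both inputs must hold: multiply.

    rate x probability -> rate (e.g. demand rate x fdt = hazard rate)
    probability x probability -> probability
    rate x rate -> no meaning (per year squared), so it is refused.
    Assumes the two inputs are independent."""
    if isinstance(a, Rate) and isinstance(b, Rate):
        raise UnitError("AND gate fed two rates: the product would be per year squared")
    if isinstance(a, Probability) and isinstance(b, Probability):
        return Probability(a.value * b.value)
    rate, prob = (a, b) if isinstance(a, Rate) else (b, a)
    return Rate(rate.per_year * prob.value)


def or_gate(a, b):
    """Either input suffices: combine like with like.

    Two rates add.  Two independent probabilities combine as p + q - pq.
    A rate and a probability cannot be added, so that is refused."""
    if type(a) is not type(b):
        raise UnitError("OR gate fed a rate and a probability")
    if isinstance(a, Rate):
        return Rate(a.per_year + b.per_year)
    return Probability(a.value + b.value - a.value * b.value)


def worked_tree() -> Rate:
    """Constructed figures (not from the book): a vessel is overfilled
    0.5 times/year; the high-level trip is dead 1% of the time; a spill
    ignites with probability 0.1.  Fire rate = 0.5 x 0.01 x 0.1 per year."""
    overfill = Rate(0.5)
    trip_dead = Probability(0.01)
    ignition = Probability(0.1)
    spill = and_gate(overfill, trip_dead)   # a rate: 0.005/year
    return and_gate(spill, ignition)         # a rate: 0.0005/year


def rates_multiplied_is_rejected() -> bool:
    """The mistake the text warns about: two demand rates ANDed together."""
    try:
        and_gate(Rate(0.5), Rate(0.2))
    except UnitError:
        return True
    return False


if __name__ == "__main__":
    print(f"fire rate: {worked_tree().per_year:g} per year")
    print("rate x rate rejected:", rates_multiplied_is_rejected())
```

The same discipline can be applied by hand to a written fault tree: label every node 'per year' or 'dimensionless' and confirm that each AND gate has at most one 'per year' input and each OR gate has inputs of one kind only. The check catches the rate-times-rate error the text describes without reworking any of the arithmetic.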




An amusing example of a failure to quote units is provided by a newspaper article which stated that members of social classes 1 and 2 have a lower probability of dying than the rest of the population. The probability of dying is, of course, 1 for all of us! The writer meant that the probability of dying per year is lower for a member of social classes 1 and 2.
A reader commented that about half the scientists who have ever lived are still alive, so on the basis of historical evidence, for a scientist the probability of dying is nearer 0.5 than 1! This has been true every year since 1650⁸. This shows how wrong conclusions can be drawn if we use data unthinkingly without understanding their limitations (see Section 3.6.3, page 121).
Look out for meaningless units in comparisons and conclusions. For example, if two radioactive hazards are being compared, a comparison based on becquerels (or curies) is meaningless unless the isotope mix is exactly the same. A becquerel (Bq) is defined as one atom undergoing a transition per second but the energy released can vary over a range of ... (A curie, the old unit, is 3.7 × 10¹⁰ Bq.)
Similarly, a comparison of two plants or companies on the basis of the numbers of dangerous occurrences is usually meaningless as standards of reporting are so variable. If a target is set for the number, it is almost always met!
The most widely used measure of safety, the lost-time accident rate, is deeply flawed. All lost-time accidents are not comparable: better that 100 people are absent for a few days with minor bruises than one person is blinded or paralysed. In addition, lost-time accidents are now so few in most companies that their rate measures luck and the willingness of injured people to continue at work. A low lost-time accident rate does not indicate that technical safety problems are under good control.


4.3 The model

Every Hazan is based on a model of the plant and the way hazards arise. As this is frequently expressed as a fault tree the model is often called 'the logic'.
The analyst rarely knows enough about the plant to draw up the model unaided, and discussion with plant staff is necessary. Nevertheless misunderstandings may arise. If the analyst is an engineer he may not fully understand the chemistry; if he is a chemist he may not fully understand the engineering. On a new design the drawings, in theory, contain the necessary information on the hardware but do not show how it will be used.
Often a manager explaining a plant to an expert will fail to mention facts which he has come to take for granted but which are not obvious to outsiders. He may thus fail to tell the analyst that one of the chemicals handled freezes at 5°C. The analyst then fails to include frozen pipelines in the list of initiating events which can cause a pipeline to block. Similarly, an analyst may decide to estimate the leak rate from a circulating gas system in the event of pipe failure. The analyst asks for the flow rate and is told that it is, say, 10,000 m³/h. He does not ask and is not told that the total amount of gas in the system is only 1000 m³. It is, of course, an advantage to employ analysts with experience of design and/or production.
In checking an analysis, the manager should therefore ask:
Have any unusual properties of the process materials been considered?
Have any limitations on flow rates, heat inputs, etc, provided by the inventory or equipment been considered?
Have alternative methods of operation, such as regeneration of catalyst beds, been considered?
Have start-up and shutdown been considered?
Does automatic protection protect against all demands or only some of them?
Has the model been discussed with the maintenance organization (particularly the instrument maintenance organization) as well as the operating team?
If the model is buried in a computer program it will not be transparent and the manager will have to dig deep when he questions the analyst.
An example of a sophisticated error in the model is provided by the anti-growth movement and their calculations of impending doom:

'In effect, what the Club of Rome report did was to assume that all "bads" such as pollution, demand for food and raw materials, and so on, would increase exponentially for ever and ever, and all "goods", such as techniques to reduce pollution per unit of output, or supplies of food and raw materials, could only increase by finite amounts.
'Clearly, however generous are these finite amounts, it does not need a computer to show that, one day, the "bads" must exceed the "goods".'

In the words of Lord Ashby, 'if we feed doom-laden assumptions into computers it is not surprising that they predict doom'.
Thomas Malthus made the same error in 1816 in his book Essay on the Principle of Population. He forecast that the production of food would rise arithmetically while the population would rise geometrically. If he had been correct Europeans would have begun starving to death in a few generations. In fact, agricultural production increased substantially as a result of the discovery by Justus von Liebig that minerals were essential to plant growth²¹.
The manager should look out for features in a model which make the answers inevitable, regardless of the data (see also Section 6.6, page 199).


A classical example of a wrong model is the estimation of the age of the earth by William Thomson (later Lord Kelvin) in 1842. By assuming that the earth was originally as hot as the sun and has been cooling ever since it was formed, he estimated its age as 100 million years (with a possible range of 20-400 million years). This was too short, biologists and geologists said, for the evolution of today's flora and fauna and rocks. Thomson's reputation was immense and his advocacy of his view held up the acceptance of other views on the evolution of both rocks and life. The error in his model was not found until the end of the century when radioactivity was found to be keeping the earth warm⁹.

4.3.1 The parameters
Related to a wrong model is the choice of the wrong parameter for measurement of a target. Here are some examples:
(a) For many years ambulance crews were judged by the speed with which the first casualties from an accident reached hospital. As a result victims were rushed to hospital when it would have been better to treat them on the spot¹⁰.














[Figure 4.1 (image not reproduced): risk of disease plotted against level of exposure, with exposure distributions A and B]

Figure 4.1 Relation between risk of disease and the distribution of different levels of exposure to a causal factor. The broken curve shows the new (lower) distribution of exposure after a population-wide control measure. (Based on Reference 10)


(b) People with high blood pressure are more likely to have a stroke than those with lower blood pressure. Nevertheless most strokes occur to people with blood pressures in the middle range as there are many more people with blood pressure in this range. The most successful way to reduce the number of strokes would be to lower the blood pressure of the population as a whole, to move from curve A to curve B in Figure 4.1. A 5% reduction in blood pressure would prevent 75,000 strokes per year (30% of the total) while targeting the 5% of the population with the highest blood pressure would prevent only half as many¹¹. (This illustrates the dilemma discussed in Section 3.4.6 on page 99: should we try to save the most lives per million pounds spent or should we try to protect the people at greatest risk?)
It is possible that similar arguments might apply to, say, corrosion

(c) Students at the French Grandes Ecoles cost three times as much, per term, as those at French universities. But the Grandes Ecoles have virtually no drop-outs while the universities have a 60% drop-out rate¹².
(d) Railway companies are under pressure to improve timekeeping. As a result connections leave before the connecting train has arrived and passengers reach their destination later than if the connection had waited. The correct parameter is not the lateness of the trains but the lateness of the passengers.

(e) The conclusion of an investigation can be influenced by the choice of criterion. Did UK trains get faster between 1980/1 and 1981/2? The figures in the first line of Table 4.1 were produced to prove that they had. The number of trains travelling at more than 90 mph between stops rose by 26%. Critics used the figures in the next line to show that the number of trains travelling at more than 95 mph had fallen by 20%. However, the (small) number of trains travelling at more than 100 mph rose by 60%. The lower part of Table 4.1 shows that similar variations in the conclusions are reached if we compare the distances covered in excess of the three speeds instead of numbers of trains¹³.

Table 4.1 Did trains get faster between 1980/81 and 1981/82?

                                      % change
Number of trains at >90 mph             +26
Number of trains at >95 mph             -20
Number of trains at >100 mph            +60
Miles at >90 mph                        +17
Miles at >95 mph                        ...
Miles at >100 mph                       ...

4.4 The unforeseen hazards

The biggest errors in Hazan arise not in the analysis itself but in the failure to foresee all the causes of hazards or all the hazards that can arise. For example, a study of various methods of transporting a liquefied flammable gas showed that road transport was safer than a pipeline: fewer people would be killed per million tons transported. A manager presented with this result found it hard to believe. By questioning the analyst he discovered that he had taken into account the probability that the tanker driver and others would be killed by a fire or explosion but had ignored the probability that they would be killed by an ordinary road accident.
As described in Section 3.4.8 on page 103, a detailed quantitative study by the Health and Safety Executive of the risks of transporting dangerous substances is flawed by the same error. It compares the risks of road and rail transport but does not consider ordinary road accidents and thus ignores the largest contribution by far to the road transport risk¹⁴. In the UK about 3500 people per year are killed by road accidents but on average less than one person per year by a road accident in which a dangerous substance is directly
Analysts sometimes concentrate so much on serious but unlikely accidents that they overlook simple ones. For example, a Hazan showed that the probability of a leak of a toxic material was acceptably low. At times small fragile packages containing toxic substances had to be moved but they were conveyed in trolleys and kept in them. However, when the lift was out of order a package was carried downstairs and placed on a table. It slid off and the contents
A light-hearted example of failure to foresee all the causes of a hazard is provided by a study of 'free meals' (see Section 3.5.9, page 113). There can, of course, sometimes be unforeseen benefits. See the Appendix to Chapter 3, page 151.
In general, ask what methods have been used to identify all the hazards. Has a Hazop been carried out? If not, what other methods have been used to identify hazards?


4.5 The assumptions

The analysis should include a list of assumptions on which it is based. The manager should look for it, to see if he agrees with them. For example, how often are trips, relief valves and other protective devices tested? How often is stand-by equipment tried out? Are the figures quoted realistic and likely to be followed? Is there a monitoring system? Will the testing still be carried out when the start-up manager has left and others have taken his place? These questions are particularly important if the plant is to be located overseas and/or operated by another company which may not have the same attitude towards testing and is not under direct control.
In addition to the listed assumptions, every Hazan makes certain assumptions which are usually not written down. The manager should be aware of these and check their applicability to the particular case. The principal unwritten assumptions are listed in Table 4.2.

Table 4.2 Assumptions which may not be true

Assumption                                  Cases in which it may not be true

(a) Failure is random.                      During the birth pangs and old age of equipment,
                                            and following repairs to machinery.
                                            See Section 3.6.7, page 130.

(b) Failure rates and demand rates          When failure rates or demand rates are high.
    are low.                                (Many of the equations used apply only when
                                            failure and demand rates are low.)
                                            See Section 3.5.4, page 108.

(c) Testing is perfect.                     When testing interferes with production.

(d) Repair time is negligible.              When spares are not stocked.

(e) Flows are not limited by                When flows are high but inventories small.
    inventory or equipment.                 See Section 4.3, page 154.

(f) Substances have no unusual              When substances have unusually high (or low)
    properties.                             melting or boiling points, are near their critical
                                            points or have other unusual properties, for
                                            example, the viscosity of sulphur increases as
                                            the temperature rises.

(g) The plant is designed, operated         Overseas, subsidiary or remotely-situated plants
    and maintained according to good        which do not receive as much management
    management and engineering              attention as the main plants ('Rot starts at
    standards.                              the ...').


If these assumptions are not true, then mathematical techniques are available for handling other assumptions, but the need to use them must be recognized (see Lees, Chapter 7). Similarly, if we recognize that assumptions (e) and (f) are not true, we can allow for this. If assumption (g) is not true, Hazan is a waste of time. As I pointed out in Chapter 1, it is no use calculating the probability of unlikely events if serious incidents are likely as the result of a poor permit-to-work system, lack of instructions, 'Heath Robinson' methods of maintenance, and so on. Hazan is a sophisticated technique for good organizations which wish to allocate their resources sensibly and improve their standards. It should not be used until the basic management is


For example, a leak of a toxic chemical produced unpleasant effects in a shopping centre several hundred metres away. A recorder had been showing an abnormal reading for three weeks before the leak occurred but no-one, operator, supervisor or manager, had noticed (or, if they noticed it, they ignored it). The investigators decided that estimating the probability of a recurrence would be a waste of effort; training in the fundamentals of plant operation was more important (Reference 15).
In some cases it may be possible to assess the probability that an assumption will cease to be true. For example, in my first paper on Hazan (Reference 16) I assumed that for 10% of the time the nitrogen blanketing on a storage tank would not be in operation. At the time I had experience of a factory in which moribund nitrogen blanketing equipment had been brought back into operation. The operators (and some more senior people) wondered why this was necessary as there had been no incidents that nitrogen blanketing could have prevented. Standards of compliance were therefore poor. (This changed after an explosion in a storage tank, described elsewhere (Reference 17).) Actions imposed by authority rather than conviction soon cease when the boss moves or loses interest. When a Hazan assumes higher standards of management than have been usual, perhaps it should assess the probability that they will be maintained (see Section 3.8.4, page 137).
Working closely with clients, a hazard analyst may 'go native' and accept uncritically their estimates of the adequacy of existing and proposed procedural safeguards.

4.6 Data
Errors can arise because data are inapplicable or misinterpreted (see the Sections on pages 120–121). The manager should therefore look at the data used to see if they seem about right. For instruments the data are well established and the analyst is unlikely to be far out, but this is not true of mechanical equipment (see Section 6.4, page 197).

Two examples of inapplicable data:
The probability of a leak on a flanged pipe joint in a works handling corrosive chemicals was found to be about 10 times higher than on a works handling
The probability of a leak on a sulphuric acid pipeline was unusually high as erosion removed a protective film of sulphate (see Section 3.6.1, page 120).
An example of misinterpreted data:
A large gearbox required forced lubrication and was provided with two oil pumps, one on-line, one on auto-start. Nevertheless, the calculated rate of failure resulted in the gearbox being starved of oil once in 30 years, a probability that was judged to be too high. Further examination of the data showed that it was based on a published figure for the failure of pumps, but that only 10% of the failures would actually result in immediate loss of oil pressure.
The source of data should be stated even if it is only the 'plant manager's guesstimate'. The example of the Canvey Island Report (Reference 2) could usefully be followed and data classified as follows:
Assessed statistically from historical data: a scientifically-based figure to which a standard deviation could be attached.
Based on statistics as far as possible but with some missing figures supplied
Estimated by comparison with previous cases for which fault tree assessments have been made.
'Dummy' figures: likely to be always uncertain; a subjective judgement must be made.
Fault tree synthesis: an analytically-based figure which can be independently arrived at by others.
Managers can reasonably expect analysts to classify their data in this or a

In many Hazans some data are inaccurate, little better than informed guesses, while others are based on a large number of observations. If the inaccurate data have a large effect on the probability of the top event, trying to estimate the others with great accuracy is a waste of time. Yet it is often done. For example, when estimating the effect of a leak of hazardous material, the size assumed for the leak (called the 'source term') is often little more than a guess. Yet very precise and complex calculations are then carried out to find out how it will disperse and what the effects will be. In estimating the probability that an operator will respond to an alarm in the correct way within the required time, people hesitate between estimates of 1 in 10 and 1 in 100, and then use the chosen figure in calculations made to several significant figures.
F. Hoyle quotes the following figures used for the percentage of solar radiation reflected by various surfaces in estimations of the greenhouse effect:
Dust and ozone 7%
Surface (average) 5% (it can vary from 3% for oceans to 80% for snowfields)
He then continues (Reference 18):
'It really isn't very sensible to make approximations like those and then to perform a highly complicated computer calculation, while claiming the arithmetical accuracy of the computer as the standard for the whole investigation. Once the precise detail of the Earth's reflectivity has been lost, the investigation has been so degraded that merit cannot be recovered by attention to arithmetic.'
The Victorian biologist, Thomas Henry Huxley, said much the same in
'... what you get out depends on what you put in; and as the grandest mill in the world will not extract wheat flour from peascods, so pages of formulae will not get a definite result out of loose data.'

It is important to distinguish between those data that affect the final result significantly and those that do not. Consequence calculations are usually series calculations in which errors in the data are carried through to the final figure. In most probability calculations data from many branches of a fault tree are combined and errors in some data may have little effect (see Section 6.2, page
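The distinction just drawn can be checked mechanically before any effort is spent on refining data. The following script is an added example, not from the book: the failure rates, the consequence factors and the plant they describe are constructed for illustration, and it perturbs each input of a small fault tree and of a series consequence calculation by an order of magnitude to see which inputs actually move the answer.

```python
"""Which data matter?  A sensitivity check for a small Hazan.

Added example, not from the book.  The failure rates and consequence factors
below are constructed to illustrate the point of Section 4.6: in a fault tree
an error in one branch may hardly move the top event, whereas in a series
consequence calculation every error is carried straight through.
"""
from typing import Callable, Dict, List

Model = Callable[[Dict[str, float]], float]

# Constructed fault-tree data (per year or per demand) for a top event of
# 'flammable release from the unit'.  Not taken from any real plant.
FAULT_TREE_DATA: Dict[str, float] = {
    "overpressure_demands_per_year": 0.5,
    "trip_fails_per_demand": 1e-2,          # instrument data: well established
    "relief_valve_fails_per_demand": 1e-2,  # likewise
    "flange_leaks_per_year": 0.1,           # mechanical: in-house data needed
    "ignition_given_leak": 0.1,
    "maintenance_jobs_per_year": 20.0,
    "error_per_job": 1e-3,                  # human error: a judgement, not a measurement
    "error_not_caught": 0.05,
}

# Constructed consequence data for the same release.  The source term (leak
# size) is, as the text says, often little more than a guess.
CONSEQUENCE_DATA: Dict[str, float] = {
    "source_term_kg": 500.0,
    "airborne_fraction": 0.3,
    "persons_exposed_per_kg_airborne": 0.02,
    "fatality_given_exposure": 0.05,
}


def top_event_frequency(d: Dict[str, float]) -> float:
    """OR gate over three independent branches.  Adding the branch frequencies
    is the usual rare-event approximation and is valid only while all of them
    are small (assumption (b) of Table 4.2)."""
    overpressure = (d["overpressure_demands_per_year"]
                    * d["trip_fails_per_demand"]
                    * d["relief_valve_fails_per_demand"])
    flange = d["flange_leaks_per_year"] * d["ignition_given_leak"]
    maintenance = (d["maintenance_jobs_per_year"]
                   * d["error_per_job"]
                   * d["error_not_caught"])
    return overpressure + flange + maintenance


def expected_fatalities(d: Dict[str, float]) -> float:
    """Series consequence calculation: every factor is multiplied in, so there
    is no other branch to dilute an error in any one of them."""
    return (d["source_term_kg"]
            * d["airborne_fraction"]
            * d["persons_exposed_per_kg_airborne"]
            * d["fatality_given_exposure"])


def sensitivity(model: Model, data: Dict[str, float],
                factor: float = 10.0) -> Dict[str, float]:
    """Multiply each input in turn by `factor` (an order of magnitude by
    default) and return, per input, new_result / base_result."""
    base = model(data)
    ratios: Dict[str, float] = {}
    for name in data:
        perturbed = dict(data)
        perturbed[name] *= factor
        ratios[name] = model(perturbed) / base
    return ratios


def dominant_inputs(ratios: Dict[str, float], threshold: float = 2.0) -> List[str]:
    """Inputs whose tenfold error moves the result by at least `threshold`.
    These are the data worth the effort of refining; the rest are not."""
    return sorted(name for name, r in ratios.items() if r >= threshold)


if __name__ == "__main__":
    for label, model, data in (("fault tree", top_event_frequency, FAULT_TREE_DATA),
                               ("consequence", expected_fatalities, CONSEQUENCE_DATA)):
        ratios = sensitivity(model, data)
        print(f"{label}: base result {model(data):.3g}")
        for name, r in ratios.items():
            print(f"  x10 on {name:<34} -> result x{r:.2f}")
        print("  worth refining:", dominant_inputs(ratios))
```

With these constructed figures a tenfold error in the relief valve data changes the top event by about 4%, while a tenfold error in the leak or ignition data changes it about ninefold; in the consequence chain every input carries its full factor of ten through to the result.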

4.7 Human reliability

Some early hazard analyses ignored the operator, assuming he would always do what he was required to do. Other analysts went to the other extreme, assuming the operator would always fail, and recommended fully-automatic

Nowadays, analysts realize that it is necessary to estimate how often an operator will, for example, close the right valve within the required time when an alarm sounds. However, there is a temptation to overestimate human reliability in order to get the result required. Ask what figures have been used. Some suggestions are given in Section 3.7 (page 130) and in Reference 4. If the analyst has made significantly different assumptions, his reasons for doing so should be questioned.
As well as errors by operators, errors by people testing and maintaining equipment have to be considered. Has the analyst done so?
The error rates listed in Section 3.7 are about the minimum that can be expected in a well-run organization due to the inevitable failures of human nature. The remarks made in Section 4.5 (page 159) about the quality of the management apply here as well. If they do not run a 'tight ship', if people are not trained, if there are no instructions, if no-one cares and monitors, then error rates will be much higher and Hazan is a waste of time. First improve the
The following is an example of the errors that can easily arise in assessing human reliability. An analysis included an assessment of the probability that a road tanker would be connected up to the wrong pipe. As the two types of tanker in use were fitted with different size connections corresponding to the two sizes of pipe, the chance of a wrong connection seemed small. This view was later revised when it was realized that the operators had collected a vast array of adaptors which enabled them to connect any tanker to any pipe.

4.8 The recommendations

Suppose the analyst has proved to your satisfaction that a hazard is too high and that a proposed course of action will reduce it to an acceptable level at a reasonable cost. The solution has probably been generated by the plant or design team, rather than by the analyst alone, but you should still ask what other solutions have been considered. In particular, is it possible to provide an inherently safer solution, to avoid the hazard rather than control it? (See Section 2.7, page 41.)
Do not confuse a low probability with zero probability. A young doctor was giving patients with Hodgkin's disease (a form of cancer) a treatment which was known to have a cure rate of 90%. He has described his distress when his sixth patient died. He had translated a 90% cure rate into a 100% cure rate and was mentally unprepared for the inevitable failures (Reference 5).

Figure 4.2

In the process industries we often forecast much lower hazard rates; per year is not uncommon. When a hazard occurs it may be that an unlikely event has occurred by chance (Figure 4.2); it is more likely that one of the assumptions on which the calculation was based is no longer true. For example, testing may have lapsed.

4.9 Comparison with experience

Is the result of the Hazan in accordance with experience and common sense? If not the Hazan must be wrong. This is obvious, of course, and would not be worth saying if analysts had not, on a number of occasions, been so carried away by enthusiasm for their calculations that they forgot (like Aristotle) to compare them with experience. For example, a number of theoretical studies of chlorine and ammonia releases have forecast large numbers of casualties. When releases have actually occurred, the casualties have been few. Yet the studies do not say this. It was always realized that casualties could be high if conditions were exactly right and this has been tragically demonstrated by the events at Bhopal. However, most toxic gas releases produce nothing like the theoretically possible number of casualties and the reports should state this.
One study concluded that the probability of the drain valve on a tank bund being left open after draining was 1 in 10^8 operations as the valve was fitted with a warning light which was illuminated whenever the valve was open and could be seen by the operator on his rounds. This conclusion would be absurd to anyone with experience of plant operations as it apparently made no allowance for failure of the bulb or for the various types of human error that might occur, from ignorance of the purpose of the light to failure to carry out the

4.10 Closed shop or open shop?

Should the managers and the designers call in experts to carry out hazard analyses for them (a closed shop policy) or should managers and designers make their own analyses (an open shop policy)? To quote Kelly et al. (Reference 3):
'As the level of detail required by the reliability analyst increases, so do his demands on the designer's time and experience. At some point it becomes more effective to train the designer in reliability techniques than to train the reliability analyst in design techniques.'
Hazan is not so esoteric that it can be practised only by an elite band of the initiated. Engineers engaged mainly in design or operations can be trained to apply it. It should be our long-term objective for design teams to carry out their own studies. The experts in Hazan should train, check, help and encourage, but not necessarily do all the work. They should be sharers of the tools, not keepers of the tools. At the same time we should remember the words of Thomas
'in Arithmetic, unpractised men must, and Professors themselves may often, erre and end up false'.
Table 4.3 (page 166) compares the ways in which experts in Hazan (and those in other specialized branches of engineering, in-house and contracted) should try to act today and the ways in which they have often acted in the past (Reference 20) (see also Figure 5.1 on page 178).



Table 4.3 Old and new style advisers compared

Old style adviser                        New style adviser

Waits for requests                       Offers his services
Deals with ad hoc problems               Develops long-term relationships
Does all the work                        Trains, checks, helps, encourages
Uses jargon                              Uses the client's vocabulary
Issues a report                          Issues a joint report with the client
Works in his own department              Spends time in the client's department
Concentrates on use of the tools         Concentrates on helping the client
Works for his supervisor                 Works for the client
Keeper of the tools                      Sharer of the tools
Develops the technology                  Gives equal weight to applying the
Works on technically challenging         Works on projects important to the
Is a world class expert                  Belongs to a world class company
Accepts the client's assumptions         Does not get so close to the client that he
                                         'goes native' and accepts the client's
                                         assumptions uncritically

References in Chapter 4

1. Beckerman, W., 23 November 1979, The Times Higher Education Supplement, 14.
2. Canvey: An Investigation of Potential Hazards in the Canvey Island/Thurrock Area, 1978, 48 (HMSO, London, UK).
3. Kelly, A.P., Torn, A. and Emon, D.E., 1979, The role of probability analysis in the GCFR safety programme, NEA/IAEA GCFR Safety Specialist Meeting, Brussels, 13–15 March.
4. Kletz, T.A., 1991, An Engineer's View of Human Error, 2nd edition, especially Chapter 7 (Institution of Chemical Engineers, Rugby, UK).
5. Peschel, R. and E., 28 April 1990, British Medical Journal, 1145.
6. Tweeddale, H.M., 1993, in Health, Safety and Loss Prevention in the Oil, Chemical and Process Industries (proceedings of a conference held in Singapore on 15–19 February), 124 (Butterworth-Heinemann, Oxford, UK).
7. Grant, M., 1990, The Fall of the Roman Empire, 56 (Macmillan, New York, USA and Weidenfeld and Nicolson, London, UK).
8. Price, D., quoted by Kealey, T., 1997, in What Risk? Science, Policy and Public Health, edited by R. Bate, 261 (Butterworth-Heinemann, Oxford, UK).
9. Hellman, H., 1998, Great Feuds in Science, Chapter 6 (Wiley, New York, USA).
10. Hines, K., 1992, Foreword to Neal, W., With Disastrous Consequences ..., xvii (Hisarlik, Welwyn Garden City, UK).
11. Kurtz, Z., March 1993, Journal of the Royal Society of Arts, 244 (reviewing Rose, G., The Strategy of Preventive Medicine (Oxford Medical Publications, UK)).
12. Royal Academy of Engineering Newsletter, Spring 1998, 2.
13. These figures appeared in a railway magazine in late 1982 or early 1983.
14. Advisory Committee on Dangerous Substances, 1991, Major Hazard Aspects of the Transport of Hazardous Substances (HMSO, London, UK).
15. Tweeddale, H.M., 1992, Transactions of the Institution of Chemical Engineers, Part B, Process Safety and Environmental Protection, 70 (B2): 70.
16. Kletz, T.A., 1971, Hazard analysis: a quantitative approach to safety, Symposium Series No. 34, 75 (Institution of Chemical Engineers, Rugby, UK).
17. Kletz, T.A., 1994, Learning from Accidents, 2nd edition, Chapter 6 (Butterworth-Heinemann, Oxford, UK).
18. Hoyle, F., 1996, in The Global Warming Debate, edited by R. Bate, 180 (European Science & Environment Forum, London, UK).
19. Tweeddale, H.M., 1994, Conducting a peer review of a safety study, Chemeca 94 Conference, Perth, Australia, September.
20. Based on White, J., Agreda, C. and Rauch, H., 1993, Old thinking vs. new thinking for statisticians, CACHE Conference on Computer-Aided Process Operations, Crested Butte, Colorado, 18–23 July.
21. Victorin, M. and Warren, N., 1998, Chemistry in Britain, 34(12): 45.

Some of the material in this chapter is reprinted from Reliability Engineering, 1, T.A. Kletz, Hazard analysis: the manager and the expert, 35–43, Copyright 1981, with permission from Elsevier Science.


Objections to Hazop and Hazan

'She had one major failing in that she tended to quantify benefits. Thus areas of endeavour which could not be quantified, such as education, fell into decline.'
Newspaper report on Mrs Thatcher, November 1990

'To capture the public's imagination ... we have to make simplified dramatic statements, and little mention of any doubts one might have. Each of us has to decide the right balance between being effective and being honest.'
S. Schneider (Reference 28)

This chapter discusses some of the objections that have been raised to the methods discussed in Chapters 2 and 3, mainly Chapter 3.

5.1 Objections to Hazop

The main objection to Hazop is that it results in expensive additions to plant cost and results in the project being overspent. The main objection to visiting the doctor is that it may result in expensive bills for treatment.
Hazop is a technique for identifying problems. If the remedy is too expensive (and we cannot find a cheaper one) then we can, if we wish, decide to live with the problem. We can say that the remedy is not 'reasonably practicable'. This is a perfectly justifiable stance, though experience shows that there is always, or nearly always, a reasonably practicable way of meeting the targets described in Chapter 3. If the obvious remedy is too expensive, our ability as engineers enables us to find a cheaper solution. It is not justifiable, however, to fail to look for problems because we may not like what we find.
If you wish to adopt Hazop in your company, do not start by setting up a large team. Start by applying it to one or two designs and see if you find it useful. If so, the demand for it will grow (see Section 2.8, page 47).
Another objection to Hazop is that it takes up the time of the designers and prevents them getting on with the design. Again, this is like not going to see the doctor because we do not have time to do so. If we wait until we become seriously ill we may lose more time in the end. Experience has shown that the time spent in carrying out a Hazop, though it may delay completion of the design, is well repaid in a smoother start-up, earlier achievement of flowsheet output and trouble-free operation. One survey of four Hazop studies showed that apart from an increase in safety the financial savings were between five and 80 times the additional cost (Reference 29).
A third objection, that 'good people' are a substitute for Hazop, is discussed in Section 2.4.4, page 30.
One company has suggested that to save time a Hazop should look only for departures from its design standards (Reference 5). This may be acceptable if the process is a familiar one in which all hazards have been recognized and allowed for but if we are innovating, and there is usually some innovation, new hazards may not be recognized. Also, in most companies, standards lag behind the latest information and ideas.

5.2 Technical objections to Hazan

5.2.1 Insufficient data are available for meaningful calculations
It is true that the application of the technique is often limited by the availability of data. Good data are available on instruments and on standard fittings such as relief valves, and such data from one company or organization can be applied in another with little error. But the same is not true of most mechanical equipment, as discussed in the Sections on pages 120–121 and in Section 6.4 (page 197). Failure rates depend on the environment, on the maintenance policy and on the way the equipment is treated. In-house data usually have to be used.
However, even if little data are available, meaningful calculations may be possible, as illustrated by Section 3.8.6 (page 139) and by the following.
Should a remotely-operated emergency isolation valve be installed in the suction line of a pump to isolate any major leaks that occur? Manual isolation will be impossible as most leaks will catch fire. The fire damage, including loss of production, is estimated at about 100,000 but we do not know how often the pump will leak.
The cost of installing the remotely-operated valve is 10,000 or, say, 3000/year (depreciation, maintenance and return on capital). If the probability of a major leak is greater than once in 33 years the expenditure is justified. We may not need to start looking for failure data on pumps. Our experience may tell us that, particularly on a hot or cold duty, the failure rates of our pumps are well above this figure.
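The argument above can be run for a band of plausible leak frequencies rather than a single estimate, which shows directly whether the decision depends on data we do not have. The script below is an added example, not from the book: the loss of 100,000 per fire, the 10,000 capital cost and the 3000 yearly charge are the text's figures (currency units as on the page); the frequency bands, the 30% annual charge fraction and the 'effectiveness' parameter are assumptions.

```python
"""Screening a protective measure when the event frequency is poorly known.

Added example, not from the book.  It applies the reasoning of Section 5.2.1
(remotely-operated isolation valve on a pump suction) to a band of possible
leak frequencies rather than a single estimate, so that it shows whether the
decision depends on data we do not have.  The figures 100,000 per fire,
10,000 capital and 3000 per year come from the text (currency units as on the
page); the frequency bands and the 'effectiveness' parameter are assumptions.
"""
from dataclasses import dataclass


def annualise(capital_cost: float, annual_charge_fraction: float = 0.3) -> float:
    """Convert a capital cost into a yearly charge for depreciation,
    maintenance and return on capital.  30% per year is the fraction implied
    by the text's '10,000 or, say, 3000/year'; it is an assumption, not a rule."""
    return capital_cost * annual_charge_fraction


@dataclass(frozen=True)
class Measure:
    annual_cost: float          # yearly charge for the measure
    loss_per_event: float       # damage plus lost production per event it prevents
    effectiveness: float = 1.0  # fraction of the loss the measure averts (assumed)

    def break_even_frequency(self) -> float:
        """Events per year above which the measure pays for itself."""
        return self.annual_cost / (self.loss_per_event * self.effectiveness)

    def break_even_interval_years(self) -> float:
        """The same figure expressed as 'once in N years', the form used in the text."""
        return 1.0 / self.break_even_frequency()

    def net_annual_saving(self, events_per_year: float) -> float:
        """Expected loss avoided per year minus the cost of the measure."""
        return (events_per_year * self.loss_per_event * self.effectiveness
                - self.annual_cost)


def screen(measure: Measure, low_freq: float, high_freq: float) -> str:
    """Judge the measure over a band of plausible event frequencies (per year).
    If the sign of the net saving is the same at both ends of the band we can
    decide without better failure data; otherwise the data decide and must be
    looked for."""
    at_low = measure.net_annual_saving(low_freq)
    at_high = measure.net_annual_saving(high_freq)
    if at_low > 0 and at_high > 0:
        return "justified"
    if at_low <= 0 and at_high <= 0:
        return "not justified"
    return "better data needed"


if __name__ == "__main__":
    valve = Measure(annual_cost=annualise(10_000), loss_per_event=100_000)
    print(f"break-even: once in {valve.break_even_interval_years():.0f} years")
    # Experience of pumps on hot or cold duty (constructed band): leaks far
    # more often than once in 33 years, say between once in 10 and once in 2 years.
    print(screen(valve, 1 / 10, 1 / 2))     # justified
    # No experience to call on: a guess spanning two orders of magnitude.
    print(screen(valve, 1 / 1000, 1 / 10))  # better data needed
```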


5.2.2 The models of the accidents are so oversimplified that they bear little relation to reality
Many incident scenarios are simple. For example, suppose the failure of level control and trip systems can result in a vessel overflowing; Hazan can tell us how often the trip should be tested and whether any additional protective equipment is necessary to reduce the overflow to any desired level (see Section 2.9, page 50). Section 3.8 (page 133) describes some more complex but well-defined examples and also some less well-defined situations where nevertheless Hazan was helpful in arriving at a decision. Very complex systems have been analysed on nuclear reactors and on an ethylene oxide
5.2.3 Not all hazards will have been identified so it is pointless quantifying those that have been
This can be a valid objection. Chapters 2 and 3 stress the importance of identifying hazards. It is little use quantifying some hazards if larger ones have been overlooked. Time is usually better spent looking for other hazards, or other ways in which the hazards can occur, than in quantifying with ever greater accuracy the hazards we have already discovered.
5.2.4 Human errors, including management errors, cannot be allowed for
Section 3.7 (page 130) shows that it is possible to take human error into account and the examples discussed in References 11–13 and 25 of Chapter 3 describe in detail how this is done.
Several systems have now been devised for carrying out an audit of the management, awarding marks under various headings and multiplying equipment failure rates, or the overall risk for a site, by factors which may vary over a wide range (References 20–22) (see Section 3.7, page 132).
However, as stated in Chapter 1 and Section 4.5 (page 159), if management is incompetent, it is better to improve the management than introduce sophisticated techniques.
5.2.5 The resources required are excessive
As with Hazop, do not start with a large team. Start by applying Hazan to one or two problems and see if people find it useful. If so, the demand for the technique will grow.
All service functions can grow out-of-hand if they are allowed to tackle every problem that the clients bring forward. As discussed in Chapter 1, Hazan should be applied only to those problems that cannot be answered by reference to experience or generally accepted up-to-date codes of practice.


Table 5.1 Principles of hazard categorization for rapid ranking
(From Reference 6, reproduced by permission of Mr J.E. Gillett and Process Engineering)

[The body of this table did not survive extraction. The headings that can still be read are: Area at risk; category of risk; effect on (people); and a bottom line of guide frequencies. Readable entries include 'Very minor', 'Minor', 'Severe local', 'Total loss of', '1 in 10 chance of a fatality' and '1/10 yrs'.]

NB These typical comparative figures are given for illustration and should not be taken as applicable to all situations nor taken to indicate absolute levels of acceptability. The cash figures have been increased in line with inflation.

If there are more problems to be analysed than can be dealt with in the time available, then a rapid ranking technique can be used to put the problems into a sort of batting order so that the biggest risks, or those about which least is known, can be studied first. For example, the hazards can be assigned to one of the five categories shown in Table 5.1 and the expected frequency of occurrence compared with the bottom line of Table 5.1. Table 5.2 (page 172) is then


Table 5.2 Rapid ranking: final ranking
(From Reference 6, reproduced by permission of Mr J.E. Gillett and Process Engineering)

[The grid of this table did not survive extraction. Its columns compare the expected frequency with the guide frequency of Table 5.1 ('Same (=)', 'Uncertain (U)', and others), its rows are the hazard categories ('4 and 5' being the highest, marked 'Major hazard'), and its cells give priorities A to D, several of them at the team's discretion: 'D/C at team's discretion'; 'Normally C, but if upper end of potential raised to B at team's discretion'; 'B/C at team's discretion'; 'B, but can be raised to A at team's discretion'; 'A/B at team's discretion. Such potential should be better' (defined). Category U is noted as one where there may be a lack of data which requires attention.]
used to derive priorities between A, the highest, and D, the lowest (Reference 6). Note that this is not a technique for rapid Hazan but merely a technique for helping us decide which hazards should be analysed first.
Somewhat similar techniques have been devised for the rapid assessment of less serious hazards when the size of the risk makes a full Hazan unnecessary (or the sparsity of data makes it impossible) (References 7, 32 and 33). Table 5.3, from a draft standard for safety-related systems (Reference 52), is a good example of such systems. The 'risk classes' are the same as those shown in Figure 3.2 (page 86). The numbers in part (c) of the table (page 174) are not part of the standard and are merely suggestions. They may differ for different industries.



Table 5.3(a) A semi-quantitative method for the classification of risks: risk classes
(From Reference 52)

Risk class   Interpretation
Class I      Unacceptable region
Class II     Undesirable, and tolerable only if reduction impracticable or cost grossly disproportionate to benefit (ALARP region)
Class III    Tolerable if cost of reduction greater than benefit (ALARP region)
Class IV     Broadly acceptable (not quite negligible)

Table 5.3(b) A semi-quantitative method for the classification of risks: risk classification from consequence and frequency
(From Reference 52)

[The grid of risk classes against consequence and frequency categories did not survive extraction.]

Extracts from draft IEC 61508-1: 1998 are reproduced with the permission of BSI under licence number PD\ 1999 0567. Complete copies of the standard can be obtained by post from BSI Customer Services, 389 Chiswick High Road, London W4 4AL, UK.

Readers should remember that draft standards are subject to change.



Table 5.3(c) A semi-quantitative method for the classification of risks: possible interpretations of consequence and frequency categories

Consequence categories
  Many people killed
  Several people killed
  Serious injuries to one or more people
  Minor injuries only (broadly acceptable)

Frequency categories
  More than once in 10 years
  Once in 10–100 years
  Once in 100–1000 years
  Once in 1000–10,000 years
  Once in 10,000–100,000 years
  Once in more than 1,000,000 years

Table 5.3(c) is not part of the draft international standard IEC 61508-1 (Reference 52) from which Tables 5.3(a) and (b) have been taken. It is merely a possible interpretation of the consequence and frequency categories shown in (a) and (b). The 'critical' definition is consistent with Figure 3.2 and Table 3.1(b), assuming the people killed are employees and the factory is small. 'Negligible' in the original has been changed to 'broadly acceptable' for consistency with Figure 3.2.

My personal view is that if we are going to give numerical values to terms such as 'probable' and 'improbable' we might just as well use the numbers, forget about the names and use Figure 3.2 (page 86) and Table 3.1(b) (page 89) for deciding what action to take.
Table 5.4 is an example of a rapid ranking method for a particular operation, delivering petrol to a filling station. Possible control measures are listed and there are similar tables for other operations at sites where petrol is stored and dispensed. The scoring system is not 'a precise reflection of the degree of hazard or risk. It may help, however, to establish priorities' (Reference 33).
These quick methods involve a much larger degree of judgement than a full Hazan. It is sometimes suggested that it would be simpler and quicker to use judgement at the outset to decide the action to be taken. However, the process of considering each step (identification, probability, consequence, action) separately results in much better judgements (Reference 30) (see Section 6.2, page 196).


Table 5.4 An example of rapid ranking: delivery of petrol to a filling station
(Reproduced by permission of the Health and Safety Executive)

Delivery (and venting).
From the following table select one descriptor for each aspect which best fits your site.

Location of the fill points (Don't forget to include any off-set fill)
Petrol vapours may accumulate in the area of the fill point during the delivery operation. The likelihood of an incident is increased if ignition sources are not controlled. People near the fill point are at risk if not protected.
  Fill point located within a building
  Fill point located within approximately 4 metres of a public thoroughfare (pavements, short cuts, paths, etc)
  Fill point located within 6 metres of a building (12 metres residential accommodation) which has doors, windows or other openings or is not suitably protected to allow at least half an hour or more for escape
  Fill point located more than 6 metres from a building (12 metres if residential accommodation) or within 6 metres of a building which has no doors, windows or other openings or is suitably protected to allow at least half an hour or more for

Tanker access/exit (including the road tanker standing area)
The likelihood of an incident involving the tanker is increased if there are difficulties manoeuvring it or it off-loads from a position where it could be hit by other vehicles. The tanker may need to exit the site quickly in the event of an emergency.
  Tanker wholly or partly off site when
  Entry and/or exit to the site is difficult for the tanker
  Tanker wholly on site when unloading but has to reverse or manoeuvre within the site
  Tanker wholly on site when unloading and driver able to drive on and off site without reversing

Site features in respect of spillage
The greater the extent to which spilt petrol can escape from the site, the more likely it is to come into contact with a source of ignition or present a risk to
  Spill readily escapes from site to area where it may be a danger to people
  Spill escapes to place where it will not present a danger to people
  Spill retained in drainage system on

[The scores attached to each descriptor did not survive extraction.]

5.2.6 It cannot be applied to industrial disease

Reference 3 describes an attempt to compare hazards which produce immediate effects with those which produce long-term effects. The results indicate that the allocation of resources between the two sorts of hazards is not out by more than an order of magnitude. This may not sound very good but is not bad for problems of resource allocation. As shown in Section 3.4.7 (page 100), the financial resources spent on saving a life can vary over a range of a million to one.
As an example consider ionizing radiation. If we have more resources available for saving life, should we spend them on preventing accidents which kill people quickly, or on reducing exposure to radiation?
The International Committee on Radiological Protection recommend that the maximum dose for an employee should not exceed 50 millisieverts (mSv)/year. For many years it was believed that this would give a risk of death of 5 × 10^-4 per year or a FAR of 25 (see Section 3.4.1, page 87). Very few people are actually exposed to the maximum dose but nevertheless it does seem rather high when we bear in mind that the average FAR for manufacturing industry in the UK is about 1. Much of the UK chemical industry regards 2 as an upper level for all chemical risks (Section 3.4.1, page 89), but workers in the chemical industry are also exposed to health risks. People exposed to ionizing radiation are exposed to other risks as well.
However, the radioactivity dose limits 'are not to be taken as a target, but rather as the lower limit of values that are not acceptable ... a properly managed practice should never expose workers or the public to anywhere near the limit' (Reference 25). The figure of 50 mSv should be compared with the maximum tolerable risk (FAR 50, or the equivalent risk per year) shown in Figure 3.2 (page 86) and Table 3.1 (pages 88–89).
There is now evidence that the risk from radiation may be as much as three times higher than was originally thought, but to compensate for this the nuclear industry in the UK has set 15 mSv/year as the maximum tolerable level. Average doses are now about a tenth of this figure and only a few employees are exposed to 10 mSv.
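The comparison above rests on converting an annual dose into an annual risk of death and then into a FAR. The script below is an added example, not from the book; it assumes the usual FAR basis of deaths per 10^8 exposed hours and a working year of 2000 hours (this pairing reproduces the text's FAR 25 for 5 × 10^-4 per year), takes the risk per mSv as linear in dose as the text's figures imply, and takes the average dose as 1.5 mSv/year (a tenth of 15).

```python
"""Annual risk of death, FAR and radiation dose limits (Section 5.2.6).

Added example, not from the book.  It reproduces the conversions the text
uses so that the old 50 mSv/year limit, the UK nuclear industry's 15 mSv/year
limit and the average doses can be compared on one scale.  Assumptions:
FAR is deaths per 10^8 exposed hours and a working year is 2000 hours (this
pairing reproduces the text's FAR 25 for 5 x 10^-4 per year); the risk per
mSv is taken as linear in dose, as the text's figures imply.
"""
from typing import Dict

HOURS_PER_YEAR = 2000.0      # assumption: exposed hours per working year
FAR_BASIS_HOURS = 1e8        # FAR = deaths per 10^8 exposed hours

# Risk coefficient implied by 'for many years it was believed' that 50 mSv/year
# gives 5 x 10^-4 deaths per year.
OLD_RISK_PER_MSV = 5e-4 / 50.0
# The text: radiation risk may be as much as three times higher than thought.
REVISED_RISK_PER_MSV = 3 * OLD_RISK_PER_MSV


def risk_per_year_to_far(risk_per_year: float) -> float:
    """Annual probability of death of an exposed individual -> FAR."""
    return risk_per_year / HOURS_PER_YEAR * FAR_BASIS_HOURS


def far_to_risk_per_year(far: float) -> float:
    """FAR -> annual probability of death of an exposed individual."""
    return far * HOURS_PER_YEAR / FAR_BASIS_HOURS


def far_from_dose(dose_msv_per_year: float, risk_per_msv: float) -> float:
    """FAR corresponding to a steady annual dose, assuming linear dose-risk."""
    return risk_per_year_to_far(dose_msv_per_year * risk_per_msv)


def compare_with_benchmarks(far: float) -> Dict[str, bool]:
    """Place a FAR against the benchmarks quoted in the text: the UK
    manufacturing average (about 1), the upper level much of the UK chemical
    industry uses for all chemical risks (2) and the maximum tolerable risk
    of Figure 3.2 (FAR 50)."""
    return {
        "above_manufacturing_average": far > 1.0,
        "above_chemical_upper_level": far > 2.0,
        "above_maximum_tolerable": far > 50.0,
    }


def dose_limit_table() -> Dict[str, float]:
    """FAR implied by each dose figure mentioned in the text (the 1.5 mSv
    average is a tenth of the 15 mSv limit, as the text states)."""
    return {
        "ICRP 50 mSv, old coefficient": far_from_dose(50.0, OLD_RISK_PER_MSV),
        "ICRP 50 mSv, revised coefficient": far_from_dose(50.0, REVISED_RISK_PER_MSV),
        "UK nuclear 15 mSv, revised coefficient": far_from_dose(15.0, REVISED_RISK_PER_MSV),
        "average dose 1.5 mSv, revised coefficient": far_from_dose(1.5, REVISED_RISK_PER_MSV),
    }


if __name__ == "__main__":
    print(f"maximum tolerable FAR 50 = {far_to_risk_per_year(50.0):.0e} per year")
    for label, far in dose_limit_table().items():
        flags = compare_with_benchmarks(far)
        print(f"{label:<44} FAR {far:6.2f}  {flags}")
```

On these assumptions the 50 mSv limit with the revised coefficient would be FAR 75, above the maximum tolerable line, whereas the 15 mSv limit gives FAR 22.5, close to the old figure of 25.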
Similar comparisons are made in Reference 3 for coal dust, asbestos, chemicals as a whole and industry as a whole.
In considering these comparisons, remember that acute risks such as fires, explosions, falls and some toxic chemicals kill people immediately while radiation (and many toxic chemicals) kill them 20–40 years later. Many people argue that a higher death rate from these long-term risks is therefore tolerable. On the other hand industrial disease may produce many years of illness and reduced quality of life followed by death at the time of retirement when one is looking forward to well-earned leisure. Perhaps these effects can be offset and all deaths regarded as equally undesirable. Griffiths comes to the same conclusion. He argues that the uncertainties in many hazard analyses are large enough to overshadow the effects of delaying death for up to 20 years (Reference 34). Whatever our views it seems that the risks from acute and long-term risks are within a factor of 10 and that the allocation of resources between them in the past has not been too far out.

It is often done badly

Perhaps, but if so we should learn to do it better. If some people say that 2 + 3 = 6, we do not say that arithmetic is useless and should not be used. Instead we suggest that they learn to do it properly.

Writing in 1980 about the nuclear industry, Joksimovic and Vesely23:

'It's amazing how many risk "experts" instantly surface when agencies and companies are willing to spend money on risk analyses. In every useful PRA (probabilistic risk assessment) to be performed in the near future, we would hazard a guess that there might be at least 10 useless "number crunching" exercises performed. The trick might be to see the rose in the weedpatch.
'In spite of these problems and pitfalls, we continue to be optimistic because of our convictions that PRA provides the only way to address and balance many nuclear safety issues.'

Pitblado argues that to improve the quality of their hazard analyses consultants should expend more effort on the activities that come before and afterwards (Figure 5.1, page 178) rather than on the Hazan itself35.
5.2.8 The results do not agree with those obtained by other methods of calculation

During the Sizewell B public inquiry widely different figures were produced for the failure rates of large pressure vessels. Extrapolations from experience produced higher figures than metallurgical studies. To understand the reasons for the difference consider the probability that the sun will fail to rise tomorrow morning. My experience covers about 28,000 days and during that time the sun has risen every morning. I am therefore 86% confident, on the basis of my experience, that the chance that the sun will not rise tomorrow morning is less than 1 in 14,000. It may be very much less but experience is no guide. However, I have other reasons for believing that the probability is a lot less than the figure quoted. A model has been developed to explain the movements of the heavenly bodies and it fits observations so well that we have a high degree of confidence in its accuracy.




[Figure 5.1: chart comparing the effort allocated to each stage of a hazard study in past QRA studies with a better balanced QRA study. Stages shown: establish client needs; educate client in details of study; collect relevant information; identify what can go wrong; undertake consequence ...; estimate failure ...; calculate risk results; investigate mitigation.]

Figure 5.1 Two ways of allocating effort in a hazard study
(Reprinted from Journal of Loss Prevention in the Process Industries, 7 (4): 360, Pitblado, R., Copyright 1994, with permission from Elsevier Science)
5.2.9 No-one will take any account of the results of the Hazan in making decisions

This may be true if we are considering risks which have become the subject of public debate. Governments, local authorities, the media, pressure groups and the public may continue to press for what they want. However, the vast majority of hazard analyses are concerned with in-plant problems in which emotions are not aroused (for example, those described in Sections 3.8.2 and 3.8.5, pages 135 and 138). Even when emotions are aroused, we should put forward the facts and hope that in time reason will prevail. (However, this alone is not sufficient. See Section 5.3, especially 5.3.15, page 187.)

5.2.10 You cannot decide everything on numbers

Of course you cannot. Hazan is an aid to management judgement, not a machine for making decisions. But managers will make better judgements if they have relevant information, especially numerical information.



If your gut feeling (or experienced judgement, to give it a more high-sounding title) differs from the results of an analysis, try to puzzle out and explain the reasons for the difference. Is it past experience of a similar situation, suspicion of technical arguments you cannot fully understand, distrust of someone's judgement? If you can put your feelings into words you are more likely to convince others.
What are the alternative methods you can use if you decide to ignore a Hazan? The first is to rely entirely on 'gut feeling'. Unfortunately different guts feel differently and a dialogue is difficult. Numerical methods do allow a dialogue to take place. If one person says that risk A is high and another that it is not, a dialogue is difficult. If we have a scale for measuring risks a dialogue becomes possible (see Section 2.9, page 50).
In making a decision in matters that affect the public a manager must take public opinion into account. Ultimately, in a democracy, governments must act in accordance with public opinion. They may have to take action that their own judgement tells them is incorrect. This is part of the democratic process. The advocates of Hazan do not seek an alternative to public opinion; they seek to persuade it. They look for an alternative to a policy of giving the most to those who shout the loudest. Public opinion should not be confused with the opinion of the media or of self-appointed pressure groups.
As an example of the way that governments feel compelled to take other factors into account, consider the introduction of unleaded petrol. According to Everest36, who was in the Department of the Environment (DoE) at the time:

'The introduction of unleaded petrol was supported by the DoE who strongly argued its case in the inter-Department debate that accompanies the development of government policies. However, this support was not based on a careful analysis of the scientific or health considerations linked to the importance of this particular pathway and the role of low levels of lead on children's behaviour and intelligence, indeed there were reservations on both these accounts by scientific and medical professionals in both the DoE and Health Departments. The policy drive was based primarily on the political necessity for the DoE to be seen to take a positive role in promoting environmental protection, both at home and in the European Community. This political necessity
the growing strength of popular environmental sentiment;
the strength of the single issue pressure groups;
the imminent general election of 1983.'



A more philosophical objection to Hazan is that deaths from industrial accidents, smoking, sport and contaminants in food are not the same and therefore cannot be compared. However, comparing different things is what management is about. Resources are not unlimited and we have to decide how to allocate them between safety, protection of the environment, improving working conditions, increasing the wealth of the community, and so on. Information on the relative sizes of various risks and the costs of removing them will help us to make better decisions. Of course, we also have to take into account the public's aversion to different risks, as discussed in Section 5.3. And while deaths from different causes are undoubtedly different, they are probably less different than most of the alternatives we have to choose between, at work and in everyday life. We are just as dead whichever way we die.
Some writers, notably Cotgrove4, have suggested that much of the opposition to Hazan comes from people who have a different paradigm or set of values to those who advocate technological advance. They are more concerned with protection of the environment, for example, than with output or efficiency. They oppose the values of technologists rather than the systematic allocation of resources but the two are linked in their minds. In fact, though it shows that some risks are trivial and hardly worth bothering about, Hazan has probably resulted in a large increase in expenditure on safety.
Accountants try to quantify everything financially and thus, according to Malpas and Watson26, overlook what they call 'Options for the future', that is, expenditure which does not show a good rate of return but nevertheless makes it possible to pursue promising lines of development.
5.2.11 Changes in technical objections to Hazan

In 1985 the International Study Group on Risk Analysis published a short book on risk assessment37 followed, 11 years later, by a second edition38. A comparison of the two versions shows how risk assessment has matured and become accepted in the intervening years, particularly in those countries that once doubted its value. Reviewing the earlier version39, I said that it was like a report on sex by a committee of churchmen: some were in favour, some opposed. The result was a compromise that said it was acceptable, in certain circumstances, after due consideration and preparation, provided you realized that it is not an end in itself but part of a wider approach. This, I suggested, made everyone happy. Those in favour were free to go ahead while those against felt that their stand had been supported and they had put a brake on excess. The only people who were not happy were those who wanted advice on how to do it; but they could look elsewhere.
The Study Group that prepared the first edition was set up at the suggestion of people from Germany and Holland who were opposed to quantitative risk assessment (QRA), or rather to the way it was being misused by the authorities in their countries, and wanted to kill it. They found, to their surprise, that people from UK industry were in favour. The report concluded that QRA could help or hinder, depending on the legislative environment.
The new (1996) edition is very different. Since 1985, churchmen have become more liberal about sex and those engineers who had doubts about QRA have become more willing to accept it. The new edition contains lots of sound advice on how to carry out risk assessment; it is twice as long and has none of the 'be careful, just stick a toe in the water' approach of the old edition. Problems and limitations are described but not carried to excess.

5.3 Popular objections to Hazan

A number of writers have analysed the factors that determine the public's attitude to risks and the following is based on the work of Lee10, Slovic et al.11, Sandman12 and Kauffman18. The probability of an incident is, of course, one of the factors that the public take into account but not the only one, and even here the public's knowledge of the relative size of different probabilities is often far removed from their actual sizes. Their knowledge of the numbers killed by different hazards is not too far out but their knowledge of relative rates bears little relation to reality. For example, the risk from pesticide residues in food, a subject of popular concern, is far less than the risk from natural poisons. Other factors that affect the public's attitude are discussed below.
5.3.1 Voluntary or imposed?
We accept without complaint risks such as smoking or rock-climbing that we choose to follow, but object to risks such as those from industry that are imposed on us without our permission. For this reason many writers believe it may be counterproductive to use cigarettes as a unit of risk (Figure 5.2).

5.3.2 Under our control

We accept more readily risks, such as driving, that we feel are under our
control, than risks such as those from industry, railway accidents or pollution
that are not underour control. We hold the meat closer to the knife if we are
holding the knife.


Figure 5.2

5.3.3 Natural or man-made

We accept more readily natural risks such as those from floods, storms, radon and natural foods and drugs than man-made risks such as those from industry, nuclear power stations, pesticides, food additives and synthetic drugs. This is one of the less defensible of the public's views; in part, it is due to the mistaken belief that little can be done about Acts of God, as they are sometimes called; in fact, floods, droughts and famines are due to mismanagement rather than too much or too little rain while the effects of earthquakes, volcanos and hurricanes are often magnified by mismanagement13. In part, the public's attitude is due to an equally mistaken belief that natural foods and drugs are always good for us. In fact, the average US diet contains about 1.5 g/day of natural pesticides but only about 0.15 mg/day (10,000 times less) of synthetic pesticides. Many of the natural pesticides present in food would never be approved if they were tested in the same way as synthetic pesticides14,15. Similarly, natural drugs can be sold without going through the rigorous testing necessary for new synthetic drugs. Plants contain natural pesticides because they cannot pull up their roots and run away or fight back with tooth and claw; their only defence is to poison (or prick) their enemies.




5.3.4 Familiarity
We readily accept familiar risks such as those of driving, long-established drugs such as aspirin and traditional industries such as farming, but are less ready to accept unfamiliar risks such as those of new drugs and nuclear power. We know the size of familiar hazards (Figure 5.3). Road accidents kill about 5000 people per year in the UK. This is terrible but at least the extent is known; we are confident that the number killed this year will not be 10,000. In contrast, although we may agree that nuclear power and the chemical industry will probably kill no-one this year, we do not feel sure there will not be another Bhopal or another Chernobyl.
5.3.5 Experience
If we have personal experience of a risk, we are wary of it in future. If shellfish, say, have made us ill we may avoid them in the future even though we know that we are unlikely to be offered another contaminated batch. Similarly, if the local factory has caused pollution in the past we tend not to believe assurances that all will be well in the future.


Figure 5.3


5.3.6 Dread
Heart disease kills about twice as many people as cancer but nevertheless many people would support the expenditure of greater sums on cancer prevention as cancer inspires so much more dread. This is not a decision made in ignorance as almost every family has experience of both.
5.3.7 I benefit

We accept the risk of driving because the benefits of the car are clear and obvious. The benefits of the chemical industry are not obvious. All it seems to do is to produce unpleasant chemicals with unpronounceable names in order to increase its sordid profits. At best, it provides employment and exports. Most people do not realize that it provides the essentials for a standard of living that has vastly improved the length and quality of life.
We accept risks from which we earn a living or derive other benefits. When the government was considering whether or not to allow British Nuclear Fuels' new plant for reprocessing spent nuclear fuel (THORP) to start up, the leader of the local Council was reported as saying, 'A delay in the start of THORP will lead to 20% unemployment in this area by next December. That would have a devastating effect. The effects on unemployment, on the health of our people, their morale, the crime rate, dietary habits, infant mortality, and so on, would likewise be devastating'40.
5.3.8 Morality
Far more people are killed by cars than are murdered, but murder is still less acceptable. We would be outraged if the police stopped trying to catch murderers, or child abusers, and looked for dangerous drivers instead, even if more lives would be saved in that way.
5.3.9 Numbers more important than rate
How many people could be killed? To the public the number of people that could be killed is more important than the probability that they will be killed. The airlines realized 20 or more years ago that as the number of flights increased the number of accidents could not be allowed to increase in proportion or there would be a public outcry. They found it possible to decrease the rate so that the number remained roughly constant. We find the death of 10 people at a time less acceptable than the death of one person per year for 10 years (see Section 3.4.3, page 90).
Similarly, the public seem to believe that the consequence of an action measures the degree of negligence. It does not; if a car is parked on a hill without the brakes on, and rolls down, the negligence is the same whatever the result.


5.3.10 Associations

Nuclear power reminds us of atomic bombs; electricity from the sun, wind or water reminds us of pleasant summer days in the fresh air. The reality is rather different; more people have been killed by the collapse of dams than by any other peacetime artefact (see the note on page 189).
5.3.11 Publicity and certainty
The more space the press devote to a hazard, the greater it is perceived to be. Drugs that could relieve the pain and suffering of many are withdrawn when the press highlight adverse effects in a few users. Those who shout the loudest have the most influence. Most people do not know what the air quality was like in the 1950s and think pollution has got worse.
Certainty sells. While many environmentalists have no doubts (at least in public) about the accuracy of their views, those of scientists are, as always, full of qualifications. It is easy to say on the basis of a few observations that something is hazardous, impossible to prove with complete certainty that it is not. Everest writes, 'On the whole, economists seem to be less ready than scientists to qualify their advice, a point which endears them to politicians'36.
Events near to home get more publicity and have more effect than distant ones. During 1984 the states of Alabama, Louisiana, Mississippi and West Virginia had about the same number of oil spills as California, Massachusetts, New York and Texas. The media reported three times as many spill stories from the latter states, where more people and more reporters live41.
5.3.12 The victims are known in advance
There is almost no limit to the resources we will spend to rescue someone trapped in an old mine, for example, but we do little to help those who will be killed on the roads next week as we do not know who they will be.
5.3.13 Conceptual problems
Many people find it difficult to grasp the following concepts. As a result, it is harder for them to understand the nature of risk.
The difference between deterministic and probabilistic causes

We still meet people who say that smoking cannot cause lung cancer because their grandfather smoked heavily and lived to be 90. Perhaps they would understand us better if, instead of using long words, we said that some effects always occur, while others occur sometimes, that some things may happen, but others will happen (see Section 3.3, page 80).



As quoted in Section 4.8 on page 163, a young doctor was treating patients with Hodgkin's disease, a form of cancer, which has a cure rate of 90%. He was very distressed when his sixth patient died. Yet 0.9 x 0.9 x 0.9 x 0.9 x 0.9 x 0.9 = 0.53, so there is about a 50% chance that one patient in six will die. Mentally, he had translated a 90% cure rate into a 100% cure rate42.
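The pressure-vessel argument in Section 5.2.8 (a run of failure-free experience bounds a failure probability only from above) and the Hodgkin's disease example just given rest on the same arithmetic: if each trial independently fails with probability p, the chance of seeing no failure in n trials is (1 - p)^n. The following Python is an added example, not from the book, that works both cases and also inverts the formula to give the largest failure probability consistent with n failure-free trials at a chosen confidence. The function names, the 95% bound and the 'about 3/n' check are my own.

```python
"""Zero-failure experience and the 'nine out of ten' fallacy (added example, not from the book).

If each trial fails independently with probability p, then
    P(no failure in n trials) = (1 - p) ** n.
Observing n failure-free trials lets you say, with confidence 1 - (1 - p) ** n,
that the true failure probability is below p; it says nothing about how much below.
"""
import math


def prob_no_failure(p, n):
    """Probability of no failure in n independent trials, each failing with probability p."""
    return (1.0 - p) ** n


def confidence_p_below(p_claimed, n_failure_free):
    """Confidence, after n failure-free trials, that the true failure probability is below p_claimed."""
    return 1.0 - prob_no_failure(p_claimed, n_failure_free)


def upper_bound_p(n_failure_free, confidence):
    """Largest failure probability consistent with n failure-free trials at the given confidence.

    Solves 1 - (1 - p) ** n = confidence for p.  For 95% confidence this is close to 3 / n,
    which is why failure-free experience alone cannot support a rate much below 1 / n.
    """
    return 1.0 - math.exp(math.log(1.0 - confidence) / n_failure_free)


def prob_at_least_one_death(cure_rate, patients):
    """Chance that at least one of a series of patients dies when each is cured with probability cure_rate."""
    return 1.0 - cure_rate ** patients


def patients_until_death_likely(cure_rate, threshold=0.5):
    """Smallest number of patients for which P(at least one death) reaches the threshold."""
    n = 1
    while prob_at_least_one_death(cure_rate, n) < threshold:
        n += 1
    return n


def sunrise_example(days=28_000, p_claimed=1 / 14_000):
    """The sun-rising argument: 28,000 failure-free days against a claimed 1 in 14,000 chance."""
    return {
        # confidence that the true chance is below 1 in 14,000: about 0.86
        "confidence_below_claimed": confidence_p_below(p_claimed, days),
        # the best that 28,000 failure-free days can support at 95% confidence
        "bound_at_95pct": upper_bound_p(days, 0.95),
        # experience says almost nothing about a far smaller probability
        "confidence_below_1e-9": confidence_p_below(1e-9, days),
    }


if __name__ == "__main__":
    for key, value in sunrise_example().items():
        print(f"{key}: {value:.3g}")
    print("P(no death among 6 patients at 90% cure):", round(prob_no_failure(0.1, 6), 3))
    print("patients before a death is more likely than not:", patients_until_death_likely(0.9))
```

The same calculation explains why the two Sizewell B estimates differed: extrapolation from service experience can only give an upper bound of order 1/n, whereas a physical model, like the astronomical one in the text, can justify a much smaller number.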
The meaning of small concentrations
Some concentrations can now be measured in parts per trillion (10^-12). It is hard for most people to grasp how infinitesimal that is. One part per trillion is the width of a human hair in the distance round the world; it is a single second in 320 centuries; it is a pinch of salt in 10,000 tons of potato crisps43. One part per billion is two or three grains of salt in a swimming pool; the thickness of a credit card compared with 1000 kilometres44.
A small change in a big risk is worse than a big change in a small risk

A 1% increase in fatal heart attacks in the UK would probably produce little comment but would result in 1250 more deaths per year. A 100% increase in a disease which kills 10 people per year would kill an extra 10, but would provoke talk of an epidemic45.
Other concepts
'We like to tell ourselves that we are superior to the people who burned witches centuries ago but we are still prone to the same basic mental errors: seeing patterns where there are none, assuming cause where there is only coincidence, and creating widespread alarm from scanty evidence'46.
As a hypothetical example of seeing cause where there is none, suppose a survey showed that people who eat more than the average amount of chips also suffer more than the average from chilblains and this was unlikely to be due to chance. This would not prove that chips cause chilblains, nor would it prove that chilblains produce a craving for chips. A more likely reason would be that chips (in excess) and chilblains are both found more frequently than average in people who have an unhealthy lifestyle. Another example: smokers are more likely than others to have an unhealthy lifestyle; so will their partners, whether or not they smoke. This may account for much of the ill-health attributed to secondary smoking47.

5.3.14 Judging the messenger

If we can't understand the message, we judge the messenger. The spokesman for industry, a new drug, pesticides or any other hazard, real or perceived, is more likely to be listened to if he comes across as an open, courteous, caring person who admits past mistakes, speaks in language we can understand and is one of us. The last may be the most difficult as the industry or company spokesman is often more educated than his audience, has a different accent and comes from a different part of the country. An anthropologist, describing his attempts to relate to a group of fishermen, wrote16, '... they said that my speech, like my clothes, was too clean ... the Ranger also told me ..., "Your body language just didn't fit in with theirs ... you stood too erect, while they tend to slouch with their thumbs cocked in their pockets. And you made too much eye contact, while they prefer to look away and fidget".'
Two other points to remember, according to Aaron: most people go to public meetings in the hope that someone will listen to their concerns rather than to be spoken to, and public communication, written or spoken, should be set at a level understandable by 12 to 14 year olds48.

5.3.15 Conclusion
Sandman admits that real people die because we are more concerned about the factors discussed here than about the actual probability of being killed. But, he adds, we also value fairness, moral values and individual freedom, sometimes more than life itself.
It is not sufficient therefore to present the facts and hope that in time the public will accept them; the power of a belief does not depend on its truth. We should also try to answer the public's concerns, rational and irrational. Unfortunately most of these concerns tend to make the man in the street oppose the chemical and nuclear industries (the risks are imposed, not under his control, man-made, unfamiliar and dreaded; past experience has been unpleasant; the industries do not obviously benefit him; and the spokesmen for the industries are often outsiders) and this is reinforced by the media's desire for disaster, their daily bread (every reporter has Jeremiah as a middle name). There is no easy solution but the improvement in the image of British Nuclear Fuels during the 1990s shows what can be done, though it still has a long way to go.

5.4 The regulator's view

Rimington, a former Director General of the Health and Safety Executive, has described the factors that compel the regulator to take up a rationalist position, that is, one that is supported, as far as possible, by prediction, number and

'First, because in our political tradition such a position is a traditional way of attacking political problems ... It enables some semblance of structured debate to take place, compels would-be combatants to think, and implicitly sets out the limits of possible action.
'Second, there is an insistent pressure on someone in my position to demonstrate that public money is being spent for some measurable benefit and that goes for private money too.
'Third, there is an equally insistent pressure for safety standards to be set and enforced and for hazardous activity to be sanctioned by someone, and that someone is the regulator.
'I would have hardly felt the need to say this, were it not for the existence of a good deal of literature which discusses risk and decision-making almost entirely in terms of public perception of risks, almost as though that were the only factor. Whatever the state of public debate on this or that risk, the regulator, of all people, cannot duck both having and stating his standards because the business of the world has to go on unless and until the political mechanisms intervene.'

The UK is fortunate to have a regulatory organization that takes such a rational view. In the US the American Institute of Chemical Engineers has stated the case for 'risk-based decision-making'50:
'The public perception that zero risk is the only safe level drives policy-makers to push even greater risk reduction, despite the fact that costs rapidly increase and benefits rapidly decrease as risk-reduction methods achieve levels approaching zero. As a result, the problems that technical experts believe pose the most serious risk are not necessarily the problems that governments target for the most aggressive action.
'To compensate for uncertainties ... EPA [Environmental Protection Agency] relies on worst-case scenarios and adopts conservative default assumptions to ensure protection of the public health. When several conservative estimates and assumptions are multiplied in the process of developing risk assessments, the resulting risk assessment becomes overly conservative and not reflective of the actual risk.'

Rimington's comment on public perception being treated as the only factor to be considered has been expanded by Bruce51:

'Individualism used to mean the right to act as one wished provided it did not harm others and the right to hold views radically at odds with the consensus
It is now asserted as the right to decide what is and is not true ... a steady increase in expenditure on formal education has been accompanied by a decline in faith in the possibility of authoritative knowledge ... The inevitable consequence is relativism, not just in matters of behaviour, we have long passed the point of being able to agree on how we should behave, but now in the realms of knowledge. The judgements of any group of experts can be dismissed with a flippant assertion of partiality, "they would say that, wouldn't they?". Any layman who can read can claim to understand the origins of the world or the causes of depression ... the very idea of authoritative knowledge is under attack in such spheres as science and medicine, where it seems obvious that there is a vast gulf between the expert and the lay

Ultimately, however, if the Health and Safety Executive and other experts cannot convince the public that a risk is negligible, they will have to remove or reduce it. This, after all, is democracy in action. In 1983 Fremlin24 wrote, 'When little children are afraid of the dark, you put a light there, even though you know there is nothing to be afraid of. It would therefore be sensible if the Government insisted now on getting the amounts [of radioactive material] dispersed from Windscale reduced, not because this is faintly necessary to reduce cancer, but in order to show people that they care, and to put their minds at rest'. Since then the Government has done just this.
Finally, let us remember that the experts do not always agree with each other (see Figure 6.2, page 201) and are not always right (see Section 4.3, page 154). They are, however, more likely to be right than those whose knowledge comes only from the newspapers and television.

Further reading

of Chapter 3. Reference 27 is a good introduction to the
energy production.
See Reference 2 and References 18-22.

A note on dams (see Section 5.3.10, page 185)

In August 1979 a dam collapsed in India. I quoted (in Reference 17) a press report which said that 15,000 people had been killed. After someone had cast doubt on this figure a search through back numbers of The Daily Telegraph for August and September 197919 found the following reports on the numbers:

13 August:
14 August:
15 August:
18 August:
23 August:
11 September:

A thousand to several thousand
Up to 3000
Up to 25,000
At least 1405; earlier the Mayor had said at least 25,000
More than 2000

The incident may therefore have killed more people than Bhopal. Whatever the true figure, no-one seems to have cared very much or commented on the discrepancies. Why are people so much more concerned about chemical engineering disasters than civil engineering disasters? Perhaps because dams have pleasant associations, reminding us of summer days in the country, but chemical factories do not.

References in Chapter 5

1. Stewart, R.M., 1971, High integrity protective systems, Symposium Series No. 34, 99 (Institution of Chemical Engineers, Rugby, UK).
2. Joschek, H.I., 1983, Plant/Operations Progress, 2 (1): 1.
3. Kletz, T.A., 1988, in Engineering Risk and Hazard Assessment, edited by A. Kandel and E. Avni, Volume 1, 1 (CRC Press, Boca Raton, Florida, USA).
4. Cotgrove, S., 1981, Risk, value judgement and political legitimacy, in Dealing with Risk, edited by R.F. Griffiths, 122 (Manchester University Press, UK).
5. Solomon, C.H., 1983, Loss Prevention Bulletin, No. 052: 10.
6. Gillett, J., 1985, Process Engineering, 66 (2): 19.
7. Keey, R.B., 1991, Transactions of the Institution of Chemical Engineers, Part B, Process Safety and Environmental Protection, 69 (B2): 85.
8. Sizewell B Public Inquiry: Transcript of Proceedings, 8 June 1984.
9. Kletz, T.A., 1990, Improving Chemical Industry Practices: A New Look at Old Myths of the Chemical Industry, 92 (Hemisphere, New York, USA).
10. Lee, T.R., 1986, The Science of the Total Environment, 51: 125.
11. Slovic, P., Fischhoff, B. and Lichtenstein, S., 1980, Facts and fears: understanding perceived risks, in Societal Risk Assessment, edited by R.C. Schwing and W.A. Albers, 181 (Plenum Press, New York, USA).
12. Sandman, P.M., 1989, Hazard versus outrage: how the public sees environmental risk, American Institute of Chemical Engineers Summer Meeting, Philadelphia, Pennsylvania, 21 August.
13. Wijkman, A. and Timberlake, L., 1986, Natural Disasters: Acts of God or Acts of Man?, 6, 29 and 30 (International Institute for Research and Development, London, UK).
14. Johnson, J., 1991, Chemistry in Britain, 27 (2): 112.
15. Ames, B.N., October 1989, Chemtech, 590.
16. Gmelch, G., September 1990, Natural History, 32.
17. Health and Safety at Work, August 1986, 8: 10.
18. Kauffman, G.B., 1991, Chemistry in Britain, 27 (6): 512.
19. Chaney, M., private communication.
20. Pitblado, R.M., Williams, J.C. and Slater, D.H., 1991, Plant/Operations Progress, 9 (3): 169.
21. Hurst, N.W., Bellamy, L.J., Geyer, T.A.W. and Astley, J.A., 1991, Journal of Hazardous Materials, 26: 159.
22. Hurst, N.W., Bellamy, L.J. and Wright, M.S., 1992, Research models of safety management of onshore major hazards and their possible application to offshore safety, Symposium Series No. 130, 129 (Institution of Chemical Engineers, Rugby, UK).
23. Joksimovic, V. and Vesely, W.E., 1980, Reliability Engineering, 1 (1): 72.
24. Fremlin, J.H., 21 November 1983, quoted in The Daily Telegraph.
25. Kovan, R. and Conway, A., 1991, Atom, No. 416: 20.
26. Malpas, R. and Watson, S.J.J., 1991, Technology and Wealth Creation (Fellowship of Engineering, London, UK).
27. Luton Industrial College, 1991, Energy: A Matter of Life and Death (Merlin Books, Braunton, Devon, UK).
28. Schneider, S., 1996, quoted in The Global Warming Debate, edited by R. Bate, 253 (European Science & Environment Forum, London, UK).
29. Sanders, R., 1998, A view of what we do: Making safety second nature, Mary Kay O'Connor Process Safety Center Symposium: Beyond Regulatory Compliance, Making Safety Second Nature, College Station, TX, USA, 30-31 March.
30. Tweeddale, H.M., Cameron, R.F. and Sylvester, S.S., 1992, Journal of Loss Prevention in the Process Industries, 5 (5): 279.
31. Gillett, J.E., 1996, Hazard Study and Risk Assessment in the Pharmaceutical Industry, Appendix 5 (Interpharm Press, Buffalo Grove, Illinois, USA).
32. Maddison, T.E. et al., 1995, Loss Prevention Bulletin, No. 125: 11.
33. Health and Safety Executive, 1996, Dispensing Petrol (HSE Books, Sudbury, UK).
34. Griffiths, R.F., 1994, Journal of Loss Prevention in the Process Industries, 7 (5):
35. Pitblado, R., 1994, Journal of Loss Prevention in the Process Industries, 7 (4): 360.
36. Everest, D., 1997, in What Risk? Science, Politics and Human Health, edited by R. Bate, 242 and 253 (Butterworth-Heinemann, Oxford, UK).
37. Risk Analysis in the Process Industries: Report of the International Study Group on Risk Analysis, 1985 (Institution of Chemical Engineers, Rugby, UK).
38. Pitblado, R. and Turney, R. (eds), 1996, Risk Assessment in the Process Industries, 2nd edition (Institution of Chemical Engineers, Rugby, UK).
39. Kletz, T.A., 1985, The Chemical Engineer, No. 414: 72.
40. Sellafield Newsletter, 22 December 1992.
41. Sandman, P.M., 1996, in What Risk? Science, Politics and Human Health, edited by R. Bate, 276 (Butterworth-Heinemann, Oxford, UK).
42. Peschel, R. and E., 28 April 1990, British Medical Journal, 1145.
43. Dow Chemical Company, undated, Life in the Balance (Dow Chemical Company, Midland, Michigan, USA).
44. British Medical Association, 1987, Living with Risk, 141 (Wiley, Chichester, UK).
45. Dalrymple, T., 1998, Mass Listeria, 132 (Deutsch, London, UK).
46. Bate, R. (ed), 1996, What Risk? Science, Politics and Human Health, Preface (Butterworth-Heinemann, Oxford, UK).
47. Nilsson, R., 1996, in What Risk? Science, Politics and Human Health, edited by R. Bate (Butterworth-Heinemann, Oxford, UK).
48. Aaron, S., 1998, Industrial Emergency Journal, 3 (2): 24.
49. Rimington, J.D., 1995, Transactions of the Institution of Chemical Engineers, Part B, Process Safety and Environmental Protection, 73 (B3): 173.
50. AIChE Government Relations Committee, 1997, Principles for Risk-based Decision-making in Public Policy (American Institute of Chemical Engineers, New York, USA).
51. Bruce, S., 1995, Religion in Britain, 122 (Oxford University Press, Oxford, UK).
52. International Electrotechnical Commission, 1998, Draft international Standard
IEC 6/508i: Functional Safety of Electrical/Electronic/Programmable
Electronic Safety-related Systems (IEC, Geneva, Switzerland).


Appendix to Chapter 5
Limitations on the application of quantitative methods to railway travel

The following letter appeared in Reliability Engineering, 1981, 2: 77. It shows how arguments with some merit may be used to arrive at the wrong conclusion.

At first sight a railway timetable appears to offer a precise, numerical and generally applicable method for calculating the time required for a railway journey and the probable starting and finishing times. However, experience over a number of years has shown that this optimism is not justified and the limitations of the method are such as to render it unsuitable for widespread application, though it may be useful in a few limited areas.

The serious limitations on the use of railway timetables result from the following well-established facts:

The answers obtained assume that all possible routes between the starting and finishing points are known and have therefore been investigated. In fact, this is often not the case and routes which have not been thought of provide possible pathways, particularly under abnormal operating conditions such as Sundays, Bank Holidays and nights.

The timetable is an expression of intention or, at the best, of past performance, rather than of future performance. It is not unknown for trains to fail to run or to run late.

The railways are subject to human error on the part of the drivers, signalmen and station staff. Numerous detailed reports, over many years, have established this beyond reasonable doubt. There is no satisfactory way of making allowance for these errors in estimating journey times, despite the considerable effort expended in recent years on the study of human reliability.

The complexity of the timetables is such that extensive, detailed and time-consuming studies are necessary to evaluate journey times. The necessary resources of manpower and time are rarely available.

Timetable data are usually shown to a degree of accuracy that is untrue and misleading. Times of arrival and departure are shown to the nearest minute for journeys that may take 10 hours or more. Users are misled into thinking that a degree of accuracy is attainable that is not, in fact, the case.

It is clear that the use of railway timetables for the estimation of journey durations and arrival and departure times cannot be recommended and that they should not be used for this purpose: just turn up at the station and hope there will be a train.


Sources of data and confidence limits

Errors using inadequate data are much less than those using no data at all.
Charles Babbage (1792–1871)

6.1 Data banks and data books

Errors caused by using inapplicable data are discussed in Sections … (pages 120–121) and 4.6 (page 160). This section provides a few notes on sources of data.

The best source of data, especially for instruments and electrical equipment, is the Data Bank operated for the SRD Association by AEA Technology, Warrington, UK. Member organizations pay an annual subscription and are expected to contribute data. In return they have access to the data provided by AEA Technology and by other subscribers. The American Institute of Chemical Engineers (AIChE) has published a book of data⁴ and guidelines on its use¹¹. Dhillon and Viswanath⁵ have listed 367 sources of data.

Data are discussed by Lees, Chapter 7, Section 20, while his Appendix 14 lists much published data and gives references to other sources. References 6 and 7 also provide some data and Reference 6 has a chapter on data banks.

Many large companies have produced their own data books which summarize data obtained from AEA Technology, the literature and internal sources. Unfortunately these are often misused. The intention of the compilers is that a reader will look in the data book to see if there are any data on, say, relief valve failure rates and will then consult the original references for details. Unfortunately many users take a figure from the data book, do not bother to consult the original source and may miss important qualifications.

For example, there is a well-known report on pressure vessel failures¹ which gives a 'catastrophic failure rate' of 4.2 × … per vessel-year. It defines 'catastrophic failure' as 'destruction of the vessel or component, or a failure so severe as to necessitate major repairs or replacement'. The definition thus includes defects which are found during inspection or test and do not result in a leak. The figure is often quoted without the definition. Readers who do not take the trouble to refer to the original paper assume that 'catastrophic' means destruction in service with release of the contents, and are misled.

Companies which collect and publish data may be more responsible and have higher standards than others and their data may therefore not be typical of the industry as a whole¹².

According to Young⁸, Exxon has collected data on the probability of losses of various sizes on various types of refinery and chemical plant equipment. Its graphs of loss against probability are the financial equivalent of the F–N curves described in Section 3.4.4 (page 93). He quotes a few examples. For one type of equipment (he does not say which) the probability of a loss of $10M or greater (1986 prices) is 4 in 10,000 years and the probability of a loss of $1000 is 1 in 100 years. Such data, if they became generally available, could be used to carry out hazard analyses of the type described at the beginning of Section 3.4 (page 83), in which the cost of an incident is compared with the cost of prevention.

6.2 If failure has never occurred

If failure of a component has never occurred in, say, 100 component-years of operation, it is often assumed that a failure will occur in the next year. We can then be 86% confident that the average failure rate is one in 50 component-years or less. It may be very much less (see Section 5.2.8, page 177 and Reference 2). If there are many components in a system and many of them have never failed, it is straining credulity to assume that they will all fail next year.
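The 86% figure comes from treating failures as a Poisson process: if the true rate were one in 50 component-years, the chance of seeing no failure in 100 component-years would be e⁻² ≈ 0.135, so a zero-failure record leaves us 86% sure the rate is no worse than that. The Python below is an added illustration, not part of the book: it turns that reasoning into a general upper confidence bound on a failure rate and, going beyond the text, also handles the case where one or more failures have been observed. The exposure figures and confidence levels in it are constructed.

```python
import math


def poisson_cdf(k, mean):
    """P(X <= k) for a Poisson variable with the given mean."""
    return sum(math.exp(-mean) * mean ** i / math.factorial(i) for i in range(k + 1))


def confidence_rate_at_most(rate_bound, exposure_years, failures=0):
    """Confidence (0..1) that the true failure rate is no higher than
    rate_bound (per component-year), given `failures` failures observed in
    exposure_years component-years of operation.

    If the rate really were rate_bound, the chance of seeing so few
    failures is poisson_cdf(failures, rate_bound * exposure_years); one
    minus that is how sure we are the rate is actually lower.  With zero
    failures this is 1 - exp(-rate_bound * exposure_years): 1 - e**-2 = 0.86
    for a bound of 1 in 50 after 100 failure-free component-years.
    """
    return 1.0 - poisson_cdf(failures, rate_bound * exposure_years)


def upper_rate_bound(exposure_years, confidence, failures=0):
    """Smallest rate we can be at least `confidence` sure is not exceeded.
    Closed form for zero failures; bisection on the Poisson tail otherwise
    (confidence_rate_at_most rises monotonically with the bound)."""
    if failures == 0:
        return -math.log(1.0 - confidence) / exposure_years
    lo, hi = 0.0, 1.0
    while confidence_rate_at_most(hi, exposure_years, failures) < confidence:
        hi *= 2.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if confidence_rate_at_most(mid, exposure_years, failures) < confidence:
            lo = mid
        else:
            hi = mid
    return hi


def bound_table(exposure_years, failures=0, levels=(0.5, 0.86, 0.9, 0.99)):
    """{confidence: N} meaning 'rate is at most one failure in N
    component-years' at that confidence."""
    return {c: 1.0 / upper_rate_bound(exposure_years, c, failures) for c in levels}


if __name__ == "__main__":
    # Constructed exposure: 100 component-years, first with no failure, then with one.
    for failures in (0, 1):
        print(f"{failures} failure(s) in 100 component-years:")
        for conf, years in bound_table(100, failures).items():
            print(f"  {conf:.0%} confident the rate is <= 1 in {years:.0f} component-years")
```

Note that the same record supports "1 in 144 component-years or better" at 50% confidence and only "1 in 43" at 90%: the bound is a statement about our ignorance, not about the component, which is the book's point that the true rate "may be very much less".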
Sometimes no failure data are available and an estimate has to be supplied by an experienced person. Some people may then ask, 'If we have to estimate the failure data, why not estimate the answer to the whole problem?'. If we break problems down into their component parts, answering them with facts when possible and with opinion only when no facts are available, we are more likely to get a correct answer than if we try to guess the answer to the whole problem.

Fault tree calculations are not 'series' calculations in which a 10% error in the input is carried through to the output. They are 'parallel' calculations in which different streams are combined and most errors in the data have little effect on the final answer. If we put 10% impurity in the water entering a long pipeline without branches, there will be 10% impurity in the output. However, if we put 10% impurity in one of the streams feeding a river, there will not be 10% impurity in the water reaching the sea.
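The 'parallel streams' argument can be checked numerically. The Python below is an added example, not from the book: it evaluates a small constructed fault tree (four initiating events, each stopped by one or more safeguards; the names and values are made up for the exercise) and then shows how far the top-event frequency moves when one datum is 10% high, when a datum shared between two branches is 10% high, and, the case the argument does not cover, when every datum is 10% high in the same direction.

```python
from math import prod

# Constructed fault tree (not from the book).  The top event is an OR of four
# branches; each branch is an AND of an initiating-event frequency (per year)
# and the probabilities of failure on demand (pfd) of the safeguards that
# should stop it.  Leaves are names looked up in DATA, so a datum used in two
# branches (pfd_trip) is perturbed consistently.
TREE = ("OR", [
    ("AND", ["f_pump_stops", "pfd_trip"]),
    ("AND", ["f_level_high", "pfd_alarm", "pfd_operator"]),
    ("AND", ["f_control_valve_fails", "pfd_trip"]),
    ("AND", ["f_power_loss", "pfd_emergency_valve"]),
])

DATA = {  # constructed values, chosen only to keep the arithmetic visible
    "f_pump_stops": 0.5, "f_level_high": 0.2,
    "f_control_valve_fails": 0.3, "f_power_loss": 0.1,
    "pfd_trip": 0.01, "pfd_alarm": 0.1,
    "pfd_operator": 0.2, "pfd_emergency_valve": 0.05,
}


def evaluate(node, data):
    """Top-event frequency per year.  AND multiplies; OR adds (the rare-event
    approximation, adequate while every term is small)."""
    if isinstance(node, str):
        return data[node]
    gate, children = node
    values = [evaluate(child, data) for child in children]
    if gate == "AND":
        return prod(values)
    if gate == "OR":
        return sum(values)
    raise ValueError(f"unknown gate {gate!r}")


def sensitivity(tree, data, leaf, factor=1.1):
    """Relative change in the top event when one datum is wrong by `factor`
    (1.1 means 10% too high)."""
    base = evaluate(tree, data)
    perturbed = dict(data, **{leaf: data[leaf] * factor})
    return evaluate(tree, perturbed) / base - 1.0


def systematic_bias(tree, data, factor=1.1):
    """Relative change when *every* datum is wrong by the same factor: the
    'parallel streams' argument dilutes independent errors, not a shared bias."""
    base = evaluate(tree, data)
    biased = {name: value * factor for name, value in data.items()}
    return evaluate(tree, biased) / base - 1.0


if __name__ == "__main__":
    print(f"top event: {evaluate(TREE, DATA):.4f} per year")
    for leaf in DATA:
        print(f"  10% error in {leaf:22s} -> {100 * sensitivity(TREE, DATA, leaf):5.1f}% at the top")
    series = ("AND", ["f_level_high", "pfd_alarm", "pfd_operator"])  # one branch on its own: a 'series' chain
    print(f"series chain, 10% error in pfd_operator -> {100 * sensitivity(series, DATA, 'pfd_operator'):.1f}%")
    print(f"every datum 10% high -> {100 * systematic_bias(TREE, DATA):.1f}%")
```

With these figures a 10% error in the high-level frequency moves the top event by about 2%, a 10% error in the shared trip pfd by about 5%, and a 10% error inside a single AND chain by the full 10%. If every datum is optimistic by 10%, the top event is out by about 24%, because a chain of three factors compounds the bias: confidence limits that assume independent errors say nothing about that case.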

6.3 Confidence limits

Hazan is not an exact science. Many estimates of the probability of an incident can be out by a factor of three or four, and a factor of 10 is by no means uncommon (see Section 3.8, especially 3.8.6 on page 139). Estimates are usually conservative as analysts prefer to err on the safe side. Relatively few estimates have been validated by experience; inevitably so, as most deal with rare events. One study³ looked at the estimated reliabilities of 130 different engineering systems and pieces of equipment and showed that 10% of the observed values were within a factor of two of the estimate, 90% within a factor of four. These were well-defined systems.

Hazard analysts could well place estimates on the accuracy of their data (see Section 4.6, page 160) and the final result. But the meaning of such confidence limits should be made clear. They can allow for uncertainties in the data but not for errors in the logic, for failure to identify all the ways in which hazards can occur or for errors in estimates of human reliability. In practice the first two are usually much more important than errors in the data.

Even the uncertainties in the data allowed for in the confidence limits are not the complete range of uncertainties. The confidence limits allow for uncertainties due to sample size but not, of course, for errors due to changes in design, use of inapplicable data, and so on.

Suppose a Hazan shows that an event will occur on average once in 100 years. If the event occurs next year (or next week) this does not prove that the estimate was wrong (though it may be). If the event occurs randomly, then it is equally likely to occur in any year in the next 100 years. This point is misunderstood by many people.

On the other hand, few accidents occur because the unlikely odds of one in so many thousand years actually come off (see Section 4.8, page 163). More often, after an accident has occurred, it is found that some of the assumptions on which the analysis was based are incorrect. For example, testing of protective equipment has lapsed or is not thorough, or the faults found are not promptly rectified.

Different estimates of consequences may differ greatly, particularly where gas dispersion is involved, but in recent years the estimates have converged (see Section 6.6, page 199).

6.4 Data on mechanical equipment may be data on people

The failure rate of instruments is much the same, within a factor of about four, for all industries and environments (Lees, Section 13.7). We can use someone else's data with confidence. With mechanical equipment the situation is different. As the examples of bellows and vending machines in Section 3.6.3 show (page 121), the failure rate can vary a good deal between one plant and another depending on the conditions of use and the quality of installation, operation and maintenance. Data on pipework failures tell us more about the quality of design, construction and operation than about the inherent properties of the pipe. Machinery sometimes fails because it has not been lubricated correctly; failure data then tell us something about the training and competence of the operating team but little about the inherent properties of the machinery. The data tell us that the machinery will not withstand lack of lubrication but we probably know that already⁹.

Of course, whenever possible we should use user-friendly plants which cannot be assembled incorrectly and which can withstand poor maintenance and operation¹⁰ (see Section 5.2.4, page 170).

If we are looking for data on, say, accidents while filling a road tanker, the probability can vary over a wide range, such as 10:1, depending on the standards of the organization. Anderson and Gould¹³ have examined this operation in detail and listed the factors that have most influence on the probability:

Are there interlocked barriers?
Are pressure drop and leak tests carried out before each transfer?
Is there an emergency shutdown system?
Is there an interlock to the tanker's brakes?
Are hoses examined before each transfer and replaced when necessary?

J.H. Gould¹⁴ has used fault tree analysis to derive a failure rate for chlorine storage vessels of the type used at water treatment works. As the vessels are filled infrequently, overfilling combined with a failure of the relief system contributes little to the top event. The failure rate for vessels filled frequently would be higher: this shows one of the pitfalls of using data on equipment failure without knowing their background and limitations (see Section 3.6.1, page 120).

6.5 Chaos

Data on consequences are usually related to data on inputs in a consistent way. If we increase the heat input to a vessel we expect the contents to get hotter, though the actual rate will depend on many factors and can be very fast if a runaway reaction starts. In chaotic systems the consequences are apparently patternless. In some cases the system is unstable and a small change in the input can produce a big change in the output. In other cases the output is related to the input in a complex way which may be difficult to unravel. The system is deterministic but it is hard to predict the results.

This is illustrated by the following. During a conference on reliability we adjourned to a sandwich bar for lunch. Our requests were written down by the man at the counter and passed to the sandwich maker. The order in which the sandwiches were produced seemed to bear no relation to the order in which we had made our requests and I remarked that the output was stochastic rather than deterministic. Further observation showed that it was in fact deterministic but in a complex way. The man on the counter put the orders on top of each other until he had accumulated six and then passed them to the sandwich maker who worked through them in the reverse order, top one first. (He was clearly a disciple of St Matthew: 'But many that are first shall be last; and the last shall be first'.)

6.6 Pitfalls in extrapolating data

6.6.1 Cut-offs and discontinuities

In Figure 6.1 the horizontal axis is a measure of a dose or action and the vertical axis is a measure of the response or effect.
When the dose is 1, the response is 2.
When the dose is 2, the response is 4.
When the dose is 3, the response is 6.
When the dose is 4, can we say that the response will be 8?

Figure 6.1 Extrapolation looks reasonable ...

Figure 6.2 ... until we know the meaning of the number

Many people would say that we can. To estimate the effects of low concentrations of radiation or toxic chemicals, we measure the effects of high concentrations and then extrapolate to low concentrations.

In Figure 6.2 I have added meanings to the figures. The horizontal axis gives the number of engines that have failed on a four-engine aircraft and the vertical axis gives the delay in arrival at the destination.
If one engine fails the plane will be 2 hours late.
If two engines fail the plane will be 4 hours late.
If three engines fail the plane will be 6 hours late.
But if all four engines fail the plane will not be 8 hours late!

S.J. Gould has shown that over the years Hershey chocolate bars have gradually got smaller. By extrapolating the figures he has calculated the date at which the bars will have zero weight¹⁵.

6.6.2 Which factors affect the data?

Figure 6.3 shows seven different estimates of the amount of dioxin required to increase the risk of contracting cancer by one in a million. The highest estimate is 2000 times the lowest. All the estimates are based on the same data for the effects of large doses on rats but different mathematical models were used to extend the data down to low doses in humans¹⁶.



[Figure 6.3: chart of estimated daily dioxin intake per agency. Legend: Environmental Protection Agency (US); Center for Disease Control (US); Food and Drug Administration (US); New York State; World Health Organization.]

Figure 6.3 Nine different risk estimates for the carcinogenic effects of dioxin are based on the same dose-response data in laboratory rats, and all give the daily intake believed to be associated with one additional case of cancer per million people. Yet the dioxin quantities differ by almost 2000 times between the lowest and highest estimates, because different mathematical models were used to extend the lab data down to low doses. (Reproduced by permission of Scientific American Science and Medicine)
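The spread in Figure 6.3 can be reproduced in miniature. The Python below is an added example, not the book's or Silbergeld's calculation: it fits four textbook low-dose models (linear no-threshold, one-hit, a purely second-order term, and linear with a threshold) to one constructed set of three high-dose bioassay points, then asks each model for the dose that gives an extra risk of one in a million. All four fit the observed points tolerably; the 'virtually safe' doses they return differ by more than four orders of magnitude.

```python
import math

# Constructed high-dose bioassay data (not real dioxin figures): dose in
# arbitrary units, response = fraction of animals with an extra tumour.
DOSES = [1.0, 2.0, 4.0]
RESPONSES = [0.15, 0.40, 0.75]


def _ls_through_origin(xs, ys):
    """Least-squares slope of y = b*x with no intercept."""
    return sum(x * y for x, y in zip(xs, ys)) / sum(x * x for x in xs)


def fit_models(doses, responses):
    """Fit four conventional low-dose extrapolation models to the same data
    and return {name: risk_function(dose)}."""
    # linear no-threshold: risk = a * d
    a = _ls_through_origin(doses, responses)
    # one-hit: risk = 1 - exp(-b d), linear in the cumulative hazard -ln(1 - risk)
    hazard = [-math.log(1.0 - r) for r in responses]
    b = _ls_through_origin(doses, hazard)
    # pure second-order term (a multistage model with no linear term): risk = 1 - exp(-c d^2)
    c = _ls_through_origin([d * d for d in doses], hazard)
    # linear with threshold: risk = max(0, k (d - d0)), ordinary least squares with intercept
    n = len(doses)
    dm, rm = sum(doses) / n, sum(responses) / n
    k = (sum((d - dm) * (r - rm) for d, r in zip(doses, responses))
         / sum((d - dm) ** 2 for d in doses))
    d0 = dm - rm / k  # dose at which the fitted line crosses zero risk
    return {
        "linear": lambda d: a * d,
        "one-hit": lambda d: 1.0 - math.exp(-b * d),
        "quadratic": lambda d: 1.0 - math.exp(-c * d * d),
        "threshold": lambda d: max(0.0, k * (d - d0)),
    }


def dose_for_risk(risk_fn, target, hi=10.0):
    """Dose at which the model predicts `target` extra risk.  Bisection is
    safe because every model above is non-decreasing in dose."""
    lo = 0.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if risk_fn(mid) < target:
            lo = mid
        else:
            hi = mid
    return hi


def max_residual(risk_fn, doses, responses):
    """Worst disagreement between a fitted model and the observed points."""
    return max(abs(risk_fn(d) - r) for d, r in zip(doses, responses))


def virtually_safe_doses(target=1e-6):
    """{model: dose giving `target` extra risk} for the constructed data."""
    models = fit_models(DOSES, RESPONSES)
    return {name: dose_for_risk(fn, target) for name, fn in models.items()}


if __name__ == "__main__":
    models = fit_models(DOSES, RESPONSES)
    vsd = virtually_safe_doses()
    for name, fn in models.items():
        print(f"{name:10s} fit residual {max_residual(fn, DOSES, RESPONSES):.2f}, "
              f"dose for 1e-6 risk = {vsd[name]:.3g}")
    print(f"highest / lowest = {max(vsd.values()) / min(vsd.values()):.0f}")
```

The two models that are linear at low dose (linear and one-hit) agree within a factor of two; the second-order model gives a dose about 600 times higher and the threshold model about 24,000 times higher. Nothing in the high-dose points decides between them: the choice of model, not the data, sets the answer.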

6.6.3 The Texas sharpshooter

The Texas sharpshooter empties his gun at the barn door and then draws a target round the bullet holes. Similarly, some people mark the locations of a disease (or other effect) on a map, draw a circle round the inevitable clusters and say there must be a cause in the area. The tighter the boundaries are drawn, the higher the disease rate will be. Three cases of leukaemia in a small town are not surprising but if the three people went to school together, or live in the same neighbourhood or work for the same company, the three cases are made to look alarming. The probability that they went to school together by chance may be low but the probability that they have a factor of some sort in common is not so low. A more scientific approach is to divide the country into areas (or into population groups, by occupation, social class, dietary habits, and so on) and then compare the incidence of disease in them¹⁷.
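Two numbers make the sharpshooter point concrete: how many chance clusters a random scatter of cases produces, and how likely three people are to share some factor. The Python below is an added example with constructed figures (300 cases spread over 100 equal areas; 50 independent background factors each affecting 20% of the population), not data from the book or from Maheswaran and Staines.

```python
import math
import random


def binom_pmf(k, n, p):
    """P(exactly k successes in n trials of probability p)."""
    return math.comb(n, k) * p ** k * (1.0 - p) ** (n - k)


def prob_area_has_at_least(k, n_cases, n_areas):
    """Chance that one given area (1/n_areas of the population) receives k or
    more of n_cases cases that fall at random, i.e. with no local cause."""
    p = 1.0 / n_areas
    return 1.0 - sum(binom_pmf(i, n_cases, p) for i in range(k))


def expected_chance_clusters(k, n_cases, n_areas):
    """Expected number of areas showing a 'cluster' of k or more by chance alone."""
    return n_areas * prob_area_has_at_least(k, n_cases, n_areas)


def simulate_largest_cluster(n_cases, n_areas, k=3, trials=2000, seed=1):
    """Monte Carlo check: fraction of random maps whose busiest area holds
    at least k cases.  Constructed scenario, fixed seed for repeatability."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        counts = [0] * n_areas
        for _ in range(n_cases):
            counts[rng.randrange(n_areas)] += 1  # each case lands in a random area
        if max(counts) >= k:
            hits += 1
    return hits / trials


def prob_some_shared_factor(prevalences, group_size=3):
    """Probability that group_size people picked at random all share at least
    one of many independent background factors (same school, employer,
    street, ...), each with the given population prevalence.  Any single
    factor is unlikely to be shared; 'some factor or other' is not."""
    p_none = 1.0
    for p in prevalences:
        p_none *= 1.0 - p ** group_size
    return 1.0 - p_none


if __name__ == "__main__":
    print(f"areas with >=3 of 300 random cases (100 areas): "
          f"{expected_chance_clusters(3, 300, 100):.1f} expected by chance")
    print(f"simulated chance that some area has >=3: {simulate_largest_cluster(300, 100):.3f}")
    print(f"P(three people share one named factor of prevalence 0.2): {0.2 ** 3:.3f}")
    print(f"P(they share at least one of 50 such factors): "
          f"{prob_some_shared_factor([0.2] * 50):.3f}")
```

With 300 cases over 100 areas, more than half the areas will hold a 'cluster' of three or more by chance, so drawing a circle round one of them proves nothing. Likewise, the chance that three people share a particular factor (0.2³ = 0.008) is low, but the chance that they share at least one of fifty such factors is about one in three.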

References in Chapter 6

1. Smith, T.A. and Warwick, R.G., 1981, A Survey of Pressure Vessels in the UK for the Period 1962–1978 and its Relevance to Nuclear Primary Circuits, Report No. SRD R203 (UK Atomic Energy Authority, Warrington, UK).
2. Kletz, T.A., 1996, Dispelling Chemical Engineering Myths, 3rd edition, 87 (Taylor & Francis, Philadelphia, Pennsylvania, USA).
3. Smith, E.R., 1981, The Correlation Between the Predicted and the Observed Reliabilities of Components, Equipment and Systems, Report No. NCSR R18 (UK Atomic Energy Authority, Warrington, UK).
4. Center for Chemical Process Safety, 1989, Guidelines for Process Equipment Reliability Data, with Data Tables (American Institute of Chemical Engineers, New York, USA).
5. Dhillon, B.S. and Viswanath, H.C., 1990, Microelectronic Reliability, 30(4): 723.
6. Green, A.E. and Bourne, J.R., 1972, Reliability Technology (Wiley, Chichester, UK).
7. Green, A.E. (ed), 1982, High Risk Safety Technology (Wiley, Chichester, UK).
8. Young, R.S., 1986, Risk analysis applied to refinery safety expenditure, American Petroleum Institute Committee on Safety and Fire Protection Spring Meeting, 8–11 April.
9. Kletz, T.A., 1985, Reliability Engineering, 11(4): 185.
10. Kletz, T.A., 1998, Process Plants: A Handbook of Inherently Safer Design, 2nd edition (Taylor & Francis, Philadelphia, Pennsylvania, USA).
11. Center for Chemical Process Safety, 1998, Guidelines for Improving Plant Reliability through Data Collection and Analysis (American Institute of Chemical Engineers, New York, USA).
12. Tweeddale, H.M., 1994, Conducting a peer review of a safety study, Chemeca 94 Conference, Perth, Australia, September.
13. Anderson, M. and Gould, J.H., 1997, The development of site-specific failure rates for use in risk assessments of major hazard sites, Symposium Series No. 141, 317 (Institution of Chemical Engineers, Rugby, UK).
14. Gould, J.H., 1996, Loss Prevention Bulletin, No. 127: 12.
15. Gould, S.J., 1984, Hen's Teeth and Horse's Toes, 313 (Penguin Books, London, UK).
16. Silbergeld, E.K., Nov/Dec 1995, Scientific American Science and Medicine, 48.
17. Maheswaran, R. and Staines, A., 7 April 1997, Chemistry and Industry, 254.


The history of Hazop and Hazan

No revolutionary idea arises without a …
S.J. Gould⁶

while (Leonardo da Vinci's) mechanics and engineering are, for their breadth and depth of experience, unique and at times ahead of their times, they are not a fruit ripened alone in a desert.
M. Cianchi⁷

7.1 Hazop

In 1963 the Heavy Organic Chemicals (HOC, later Petrochemicals) Division of ICI was designing a plant for the production of phenol and acetone from cumene. It was a time when the cry was for 'minimum capital c
ost' (rather than minimum lifetime cost or maximum profit) and the design had been pruned of all inessential features. Some people felt that it had been pruned too far. It was also a time when method study and, in particular, 'critical examination' were in vogue. Critical examination is a formal technique for examining an activity and generating alternatives by asking, 'What is achieved?', 'What else could be achieved?' and so on, as shown in Table 7.1 (page 204).

The production manager, K.W. Gee, had recently spent a year in ICI's Central Work Study Department. (The status of work study was so high at the time that a high flier could be seconded there for a year.) He decided to see if critical examination could be applied to the design of the phenol plant in order to bring out into the open any deficiencies in design and find the best way of spending any extra money that might be available. A team was set up including the commissioning manager (J.A. Wade), the plant manager (A. Barker) and an expert in method study and critical examination (G.B. Harron). During 1964 they met for three full days per week for four months, examining the phenol plant line diagrams line by line and covering acres of paper with all the questions and answers. They discovered many potential hazards and operating problems that had not been foreseen, modifying the technique as they did so. Harron later wrote, 'We concocted an approach for trial ... and to cut a long story short this approach did not work. Not because it did not do the job but because it was too detailed, penetrated into too many corners, all good stuff but


Table 7.1 Critical examination

Description of element ...                                          Page ...   Date ...

The present facts         |                                    |
WHAT is achieved?         | What ELSE could be achieved?       | What SHOULD be achieved?
HOW is it achieved?       | How ELSE could it be achieved?     | How SHOULD it be achieved?
WHEN is it achieved?      | When ELSE could it be achieved?    | When SHOULD it be achieved?
WHERE is it achieved?     | Where ELSE could it be achieved?   | Where SHOULD it be achieved?
WHO achieves it?          | Who ELSE could achieve it?         | Who SHOULD achieve it?

life was just too short. After a good many tries we came up with an approach which has much of the principle of critical examination but was somewhat bent in style'. The essence of the new approach was that a technique designed to identify alternatives was modified so that it identified deviations⁸. It was recognizably Hazop as we know it today though it was further modified during later studies to the form described in Chapter 2.

The following are a few of the safety points that came out of this early Hazop (though that term was not used then; the exercise was described as a method study or hazard investigation). Some of the points are now included in design specifications but were not included at the time.

Bypasses around control valves which are connected to safety trips should be deleted. Use of a bypass renders the safety trip useless.
Nitrogen should be used for vacuum breaking to prevent the ingress of air into a hot system.
Break tanks should be fitted in the town water supply to prevent contamination by reverse flow.
The relief valve system should be checked for places in which liquid could …
A slip-plate should be fitted in the feed line to [vessel X] to prevent liquid leaking in before conditions are correct.
Vent valves should be fitted to all blowing points so that the pressure can be blown off before hoses are disconnected.
A vent valve should be fitted to a high pressure filter so that the pressure can be blown off before the filter is opened for cleaning.
Extended spindles should be fitted to the valves on acid tanks to reduce the risk that operators may be splashed by leaks.
Special equipment should be designed for charging and discharging catalysts and other auxiliary materials, to remove the dangers that go with improvisation.

Note that all these points are written as recommendations. Today most Hazop teams would not say 'should' but simply 'Delete bypasses ...' etc.

More operating points than safety ones came out of the study. This was expected. The remit of the team was 'To devote themselves full-time to obtaining and studying information from all sources and to take any necessary decisions on broad plant design aimed at ensuring that the phenol plant would start up quickly and satisfactorily; that it will produce its design output and quality of products; that it will operate safely and its effluents will be satisfactorily treated'. Today many, perhaps most, Hazops produce more operating points than safety ones.
A few months before the phenol study was undertaken in ICI HOC Division at Billingham, the Mond Division at Runcorn carried out a similar but very much shorter study (it occupied a team of four for 21 hours, a fortieth of the time taken by the HOC study) on a semi-technical plant. The remit for this study was 'To evaluate the process for hazards which may arise during operation of the semi-technical plant. Particular attention to be paid to the effect of impurities in raw materials, build-up of products in recycle systems, maloperation and equipment failures'.

In 1968 D.M. Elliott and J.M. Owen of Mond Division described the use of critical examination for generating alternatives in the early stages of design, as suggested in Section 2.7 (page …). Even earlier, in 1960, D.S. Binsted described a similar application in ICI Organics Division. However, these applications of critical examination never became as popular as Hazop, perhaps because they were before their time but more probably because, compared with Hazop, they were too cumbersome and time-consuming.

The ICI Central Work Study Department in London played a part in integrating the Mond and HOC forms of the developing Hazop technique and spreading knowledge of it throughout the company. A report by G.K. Cooper dated November 1964 brings out clearly the difference between Hazop and critical examination:


Suppose one significant word in the description of a process is "Stirred", and take the guide-word Eliminate, ie No Stirring. In normal [critical] examination of the process one would be looking at the necessity to stir, and recording possible advantages and disadvantages of not doing so. In Hazard Investigation [that is, what we now call Hazop], on the other hand, one is seeking possible causes of such a situation (eg, motor not switched on; motor burnt out; paddle blades broken; etc), and what hazards to personnel, plant, or product might happen as a result of it (eg, intense local heating with off-spec. product and loss of batch; possible risk of explosion; if product coagulates plant may have to be stripped down, etc).

Later, the report said:

A Hazard Investigation affords a means of producing on paper in a systematic and thorough fashion, and in advance of plant start-up, potential hazards to the plant, process and personnel, and of making recommendations to eliminate the hazards. Where the Company policy demands that plants be built with minimum capital expenditure and with minimum sparage [number of spares], and yet with immediate high outputs on start-up, the need for Hazard Investigation becomes obvious.

Reading this report over 30 years later, the need for a better Company policy seems equally obvious.

ICI Pharmaceuticals Division adopted Hazop enthusiastically and the first use of the technique outside ICI occurred in 1967 when R.E. Knowlton (then in Central Work Study Department) led a study for Ilford Ltd⁸. The first published paper on Hazop was H.G. Lawley's 1974 paper from which the example in Section 2.5 (page 34) has been taken. It was presented at the American Institute of Chemical Engineers Loss Prevention Symposium in Philadelphia the previous year (held, incidentally, in the hotel which later became famous as the site of the first recognized outbreak of Legionnaire's disease) and aroused interest from the outset. Gradually other companies adopted Hazop. The first contractor to do so was probably Chemetics International, then part-owned by ICI.

Mond Division later integrated Hazop into a six-stage hazard study programme extending from the early stages of design through to post-commissioning¹. Hazop is the third stage (see Section 1.1, page 1).

7.2 Hazan

7.2.1 Early history

Who determines our future: the fates, the gods or ourselves? Greeks, early Christians and Muslims believed that everything was in the lap of the gods (or God). Probability theory and risk management did not emerge until people came to believe that they were to some degree free agents. This did not occur until the Renaissance when people developed freedom of thought, a wish to experiment and a desire to control the future¹⁷. Even today, not everyone believes that he or she is a free agent. Cupitt writes, 'In every civilization from the Bronze Age to the present day, the common people have been gamblers, believers in fortune who know that life is a lottery, and we should not be surprised. That, indeed, is how it looks to them'¹⁸.

Tait has reviewed the application of probabilistic methods to engineering¹⁹. In any engineering structure the load L and strength S are not precisely defined but vary about a mean value. Failure may occur if L is a maximum when S is a minimum. However large we make S, complete safety is never achieved but is approached asymptotically (Figure 7.1, page 208). If we know L and the variation in L and S and can define an acceptable failure rate, we can fix a design value for S.
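The load/strength argument can be carried through in code. Assuming that L and S are independent and normally distributed (an assumption made here; the book does not specify a distribution), S − L is itself normal, and the probability of failure is Φ(−β) with β = (μS − μL)/√(σL² + σS²). The Python below is an added example, not from the book: it computes that probability, shows it falling towards but never reaching zero as mean strength rises, and inverts it to find the design value of S for an acceptable failure probability. All numerical values are constructed.

```python
import math


def normal_cdf(x):
    """Standard normal cumulative distribution Phi(x)."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def failure_probability(mean_load, sd_load, mean_strength, sd_strength):
    """P(L > S) for independent normal load L and strength S.

    S - L is normal with mean (mu_S - mu_L) and standard deviation
    sqrt(sd_L^2 + sd_S^2); failure is the event S - L < 0, whose
    probability is Phi(-beta) with beta the 'safety index' below."""
    margin = mean_strength - mean_load
    spread = math.hypot(sd_load, sd_strength)
    beta = margin / spread
    return normal_cdf(-beta)


def design_strength(mean_load, sd_load, sd_strength, acceptable_pf):
    """Mean strength needed so that P(failure) <= acceptable_pf.
    Finds beta by bisection on the normal tail, then scales back."""
    lo, hi = 0.0, 40.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if normal_cdf(-mid) > acceptable_pf:  # not yet safe enough
            lo = mid
        else:
            hi = mid
    return mean_load + hi * math.hypot(sd_load, sd_strength)


def strength_sweep(mean_load, sd_load, sd_strength, strengths):
    """[(mean_strength, P(failure))] to show the asymptotic approach to zero."""
    return [(s, failure_probability(mean_load, sd_load, s, sd_strength)) for s in strengths]


if __name__ == "__main__":
    # Constructed case: load 100 +/- 10, strength scatter 15, all in the same units.
    for s, pf in strength_sweep(100.0, 10.0, 15.0, [120, 150, 200, 250, 300]):
        print(f"mean strength {s:5.0f}: P(failure) = {pf:.3g}")
    target = 1e-4
    s_design = design_strength(100.0, 10.0, 15.0, target)
    print(f"design mean strength for P(failure) = {target:g}: {s_design:.1f}")
```

Doubling the mean strength from 150 to 300 takes the failure probability from about 3 in 1000 to about 1 in 10²⁹, but never to zero; this is the asymptote the text describes. Choosing an acceptable failure probability is therefore what fixes the design value, as the last line shows.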
Figure 7.1 Overlapping distributions of load L and strength S

The first use of statistical techniques in this way was Chaplin's study of iron chains in 1880¹³ but the methods were not widely used until about 60 years later. Why was this? On a visit to Wigan Pier I saw two magnificent preserved 1907 steam engines (Figure 7.2) which once supplied all the power needed for a large cotton mill. With two steam engines, built like battleships, and six boilers the operators never had to worry about the reliability of their power supply. Today we need to consider the reliability of our equipment because it is less reliable than it once was and because we cannot afford massive provision of spares. In addition, of course, we are less tolerant of failures that lead to accidents and pollution.
In 1939 Pugsley and Fairthorne¹⁴ pointed out that it was possible, from historical data, to calculate the probability that the forces acting on an aircraft would exceed the design loading, due to gusts of wind and other causes. They then continued, '... in present-day civil flying the critical accident rate at which the general public passes from acceptance to opposition is of the order of 1 accident per … flying hours ... it is suggested that the critical rate for structural accidents in civil flying may be taken as of the order of 1 accident … flying hours. This is, of course, only a rough estimate for the purpose …'

Hazan is based on similar principles to the technique of operations research developed during the 1939–45 war as 'a scientific method for providing executives with a scientific basis for decisions'¹⁵. Thus operations research showed that aircraft would be more effective when used on anti-submarine duties than on bombing Germany and that larger convoys would result in fewer ship losses. R.V. Jones has described another example. At first sight it seemed that the fitting of de-icing equipment was bound to save aircraft. However, the weight of the de-icing equipment meant that each bomber would carry fewer bombs and more aircraft would be needed to deliver the same bomb load. Knowing the rate of casualties inflicted by the German defence, Temple was able to work out how many more bombers would be shot down. It was substantially greater than the number that would be saved by de-icing equipment²⁰.





Figure 7.2 Trencherfield cotton mill, Wigan Pier. With these two steam engines and six boilers, the reliability of the power supply was not a problem.


In the post-war years numerical methods were adopted in many fields in which they had previously been little used. Thus an obituary of A.V. Hill, the medical statistician who, in 1952, first showed the connection between smoking and lung cancer, said that he 'had a great impact on a profession that had hitherto dismissed quantitative values' [16].
7.2.2 Application to industrial safety

The use of numerical methods for determining standards and priorities in safety was pioneered in the nuclear industry, especially by F.R. Farmer [1,2]. The use of these methods in the chemical industry dates back to the design and construction by ICI HOC Division in the 1960s of two plants in which ethylene was oxidized by oxygen in the vapour phase; one plant was for the manufacture of vinyl acetate and the other for the manufacture of ethylene oxide. Both had to operate close to the flammable limit and it was obvious that, if the concentrations of the reactants departed only slightly from operating conditions, a serious explosion could result. Protection by blast walls was impracticable and the Instrument Design Group were asked if the plant could be made safe by instrumentation. It was at once realized that:

(a) Instrumentation can be designed to reduce the chance of an explosion to any desired level, but zero is approached asymptotically and can never be reached. Therefore:

(b) It is necessary to define the level of safety to be achieved.

The first attempt to define the level of safety stated that working on the oxidation plants should be as safe as travelling by train. Later this was changed to say that working on the oxidation plants should not be significantly more dangerous than working on an average ICI plant. This change meant a slight increase in the standard of safety [3].
To design an instrumented safety system to achieve this standard, the methods described in Chapter 3 had to be used. The design has been described by R.M. Stewart, the engineer responsible for it [4].

At the time Stewart was designing the protective systems for the oxidation plants, I was independently trying to apply numerical methods to a range of other problems and produced standards similar to Stewart's [5].

Also, at about the same time, an electrical engineer in HOC Division, V.F. Lord, was trying to find a rational basis for deciding when Zone 2 (then called Division 2) electrical equipment could be used instead of the more expensive and difficult-to-maintain flameproof Zone 1 equipment. So-called 'non-sparking' Zone 2 equipment does not spark in normal use but can spark if a fault develops, typically once in 100 years. The chance that this will coincide with a leak is small as a Zone 2 is, by definition, one in which a leak of flammable gas or vapour is not likely to occur under normal conditions and, if it does occur, will exist for only a short time. Lord suggested that a Zone 2 area should be one in which flammable gas or vapour is present for less than 10 hours per year and, if so, it can be shown that the FAR for a plant operator from this risk is tolerable (see Section 3.8.6, page 139). Other workers arrived independently at similar conclusions [12].
During the 1970s Hazan was applied to many chemical industry problems by many workers, outstanding among whom were S.B. Gibson and H.G. Lawley. During the 1980s and 1990s growth continued and many computer programs were developed, particularly for the calculation of consequences. Although cost-benefit analysis was mentioned in my first paper [5] and some examples of the cost of saving a life were listed (see Sections 3.4.6–7, pages 99–102), there has been less interest in them than in the calculation of probabilities and consequences.

References in Chapter 7

1. Farmer, F.R., 1967, Atom, No. 128: 152.
2. Farmer, F.R., 1971, Experience in the reduction of risk, Symposium Series No. 34, 82 (Institution of Chemical Engineers, Rugby, UK).
3. Kletz, T.A., 1977, What are the causes of change and innovation in safety?, Proceedings of the Second International Symposium on Loss Prevention and Safety Promotion in the Process Industries, 1 (Dechema, Frankfurt, Germany).
4. Stewart, R.M., 1971, High integrity protective systems, Symposium Series No. 34, 99 (Institution of Chemical Engineers, Rugby, UK).
5. Kletz, T.A., 1971, Hazard analysis: a quantitative approach to safety, Symposium Series No. 34, 75 (Institution of Chemical Engineers, Rugby, UK).
6. Gould, S.J., 1987, An Urchin in the Storm, 52 (Norton, New York, USA).
7. Cianchi, M., 1988, Leonardo's Machines, 12 (Becocci Editore, Florence, Italy).
8. Knowlton, R.E., 1989, The widespread acceptability of hazard and operability studies, 13th International Symposium on the Prevention of Occupational Risks in the Chemical Industry, Budapest, August.
9. Elliott, D.M. and Owen, J.M., 1968, The Chemical Engineer, No. 223: CE377.
10. Binsted, D.S., 16 January 1960, Chemistry and Industry, 59.
11. Turney, R.D., 1990, Transactions of the Institution of Chemical Engineers, Part B, Process Safety and Environmental Protection, 68 (B1): 12.
12. Benjaminsen, J.M. and Wiechen, P.H., 1968, Hydrocarbon Processing, 47 (8):
13. Pugsley, A.G., 1966, The Safety of Structures (Arnold, London, UK) (quoted by Tait, N.R.S., 1987, Endeavour, 11 (4): 192).
14. Pugsley, A.G. and Fairthorne, R.A., May 1939, Note on Airworthiness Statistics (HMSO, London, UK).
15. Blackett, P.M.S., 1962, Studies of War, 169, 173 and 210 (Oliver and Boyd, Edinburgh, UK).
16. The Daily Telegraph, 23 April 1991.
17. Bernstein, P.L., 1996, Against the Gods: The Remarkable Story of Risk, 35, 43–44, 54 (Wiley, New York, USA).
18. Cupitt, D., 1997, After God: The Future of Religion, 30 (Weidenfeld and Nicolson, London, UK).
19. Tait, N.R.S., 1993, Reliability Engineering and System Safety, 40: 119.
20. Jones, R.V., 13 April 1968, Chemistry and Industry, 470.



All human activities involve some risk. It can be reduced but not eliminated.

Hazard and operability study (Hazop) is now a mature technique for identifying hazards without waiting for an accident to occur (Chapter 2).

Hazard analysis (Hazan) is now a mature technique for estimating the probability and consequences of a hazard and comparing them with a target or criterion (Chapters 3–5).

Taken together, the two techniques allow us to allocate our resources so that we deal with the biggest problems first and in the most effective way. Neither technique will be effective, however, unless there is a commitment to safety at all levels (Chapter 1).

Cost-benefit analysis is less well-established so far as safety is concerned, but nevertheless has a part to play (Sections 3.4 and 3.9, pages 83 and 143).

Hazard analysis and cost-benefit analysis are difficult subjects to explain to the public but nevertheless we should try to do so. The hazards of technology should be balanced against the benefits (Sections 3.4 and 5.3, pages 83 and

'The most versatile and ambitious species are those which have evolved mechanisms capable of recognizing and facing threats before they have had a chance to inflict expensive and possibly irreparable damage.'
Jonathan Miller, 1978, The Body in Question, 216 (Cape)


Addendum 1
An atlas of safety thinking

In his Atlas of Management Thinking (Penguin Books, London, 1983) Edward de Bono says that simple pictures can be more powerful than words for conveying ideas. His book is a collection of what he calls 'non-verbal sense images for management situations'. 'The drawings', he says, 'do not have to be accurate and descriptive but they do have to be simple enough to lodge in the memory. They should not be examined in detail in the way a diagram is examined, because they are not diagrams. They are intended to convey the "flavour" of the situation described'.

In the following I have tried to express the ideas of this book in similar, simple drawings in the hope that they may stick in people's memories rather better than they have done when they have been expressed in words. They are not as abstract as de Bono's diagrams but nevertheless may help us to recall the concepts described in this book.

(1) Identify what can go wrong?

[Drawing; label: 'ie, table may not be level']

The first and most important stage in any hazard study is to identify the things that can go wrong and produce accidents or operating problems. It is little use studying small hazards if we have failed to realize that bigger ones are round the corner.

(2) How big will the consequences be?

We need to know the consequences to employees, members of the public, plant and profits, now and in the long term. The best way of finding out is to look at past experience but sometimes there is no experience and we have to use synthetic methods.

(3) How often will it occur?

We need to know how often the hazard will occur. Again, the best way is to look at past experience but sometimes there is no experience and we have to use synthetic methods.

(4) Prevention

How can we prevent the accident occurring, or make it less probable or protect people from the consequences?

(5) What should we do?

We should compare the risk (that is, the probability times the consequences) with generally accepted codes and standards or with the other risks around us.

(6) Is it worth the cost?

We should also compare the cost of prevention with the cost of the accident in order to see if the remedy is 'reasonably practicable' or if we should look for a

(7) Prevention 2

What are the disadvantages of our solution? Gluing the tumbler to the table may be acceptable if it is used to store pencils but not if it is used for drinks. Perhaps we can think of a better method. A plastic tumbler will not break but the contents can still spill. We should answer this question before the table is made or the tumbler ordered.


Addendum 2
Myths of Hazop and Hazan

In my book Dispelling Chemical Engineering Myths [1] I list nearly 100 beliefs about technology, management and the environment which are not wholly true, though there is usually a measure of truth in them. Gujar [2] has published a collection of similar statements on Hazop and Hazan which he has come across during insurance audits. The following is based on his paper, though it does not follow it exactly. Most of the points made have already been discussed in the book but it may be useful to have them collected together.

Hazop and Hazan are the hammers and spanners of the chemical industry.
This makes them sound too easy. They are, in fact, sophisticated tools which require long, detailed application. They are not quick fixes.

If a company uses Hazop and Hazan we don't need to worry about the competence of the management.
All Hazop and Hazan can do is apply people's knowledge and experience in a systematic way so as to make the most of it. If people lack knowledge, experience or commitment, Hazop and Hazan are a waste of time (see Section 2.4.4, page 30).

Top rate people don't need Hazop and Hazan.
This is the opposite of the last myth. Modern plants are so complicated that no one can see all that can go wrong and assess its consequences unless they follow a systematic procedure. Without Hazop and Hazan (or similar techniques), no one will achieve their full potential (see Section 2.4.4, page 30).

It's no use dipping a toe in the water. If we are going to use Hazop and Hazan we have got to apply them to every design, new and old.
On the contrary, we should start small by applying Hazop to one or two projects and see if we find it useful. If we do, we can gradually increase our effort until we are Hazoping all new plants and as many old ones as resources permit. Hazan, however, is a selective technique and there is no need to work out the precise probability and consequences of every hazard identified by Hazop. Only a few problems should need treating in this way (see Section 1.1,


Hazop and Hazan, if applied thoroughly, will (in theory) prevent every [...]
They will not, for at least three reasons: (a) Being human, we will not spot everything that might go wrong; (b) People will not always act in the way we have assumed they will; and (c) Hazop cannot, by its nature, prevent mechanical accidents, such as people bumping into equipment which has been badly

Since Hazop will discover all the hazards, we don't need to learn about past
Techniques discover nothing; only people discover hazards; techniques can help them do so. Hazop helps people apply their knowledge and experience, and much of that comes from learning and remembering the lessons of the past.

Hazop and Hazan can be carried out at any time.
In fact, the window of opportunity for a Hazop of the line diagrams is small. It cannot be carried out until the line diagrams are ready but if it is left too late then detailed design, even construction, will have started and expensive changes will be necessary. Similarly, Hazops of flowsheets must be made at the appropriate time (see Sections 2.3 and 2.7, pages 26 and 41). Hazans cannot be carried out until the hazards are recognized. Some of them may be obvious from the start but others may be brought to light by the Hazop and then the answers will be wanted as soon as possible.

The differences between Hazop and Hazan are well-known.
They are well known to those who use them regularly but many people are not aware of the difference. If someone asks you to carry out a Hazop (or a Hazan), before you do so, make sure that it is really what they want (see cartoon on page 95).

The Hazop guide words (see Section 2.1, page 9) are inviolate, should not be changed and need not be added to.
They are based on long experience but, nevertheless, if you find other words are useful, by all means use them, particularly if you are applying Hazop outside the type of activity for which it was originally designed. For example, GENHAZ (see Section 2.10, page 51) uses the guide words WHEN ELSE and WHERE ELSE as well as the familiar ones MORE, PART OF and OTHER
The composition of the Hazop team (see Section 2.2, page 20) should not be
On the contrary, if a plant has specific problems (for example, if corrosion is serious), an expert in these problems should join the team. But do not have experts sitting in the meeting just in case their advice is needed.

If a plant is computer-controlled, then the control system need not be/cannot be Hazoped.
On the contrary, it is vital to Hazop the instructions given to the computer (the applications software) as, unlike operators, the computer cannot recognize and query instructions that are ambiguous, lack precision or are simply wrong. Also, software engineers are rarely also chemical engineers and can easily misunderstand the chemical engineer's requirements (see Sections 2.6 and A2.6, pages 37 and 65).

With the passage of time Hazops and Hazans are getting better and better.
In some ways this is true; the best are getting better. However, as with any technique, as more and more people start to use it the standard can easily fall and it can become a perfunctory exercise, carried out because the company rules (or the regulators) require it and not because those present really feel it is worthwhile. Some auditing of the quality of Hazops and Hazans is therefore desirable (see Section 2.12, page 56).

The Hazop team leader's job is a simple one.
To many personnel managers, all the team leader seems to do is ask a few simple questions (such as 'Could there be more flow?') in the right order. In fact the team leader has to be skilled in the control of a diverse group of independent-minded people who are not responsible to him and may be more senior. In addition, he has to prevent the team going too far by asking, when necessary, 'How often will this occur?', 'What will the consequences be?', 'What will the modification cost be?' and 'Does the risk justify the cost?'. He should have some knowledge of Hazan and be able to carry out a rough comparison of risks and costs then and there (see Section 2.2, page 21).

Contractors can do a Hazop; the client need not be involved.
Unless the people who are going to operate the plant take part in the Hazop they will not know why the plant was designed the way it is and the designers will not know about problems of concern to the operating staff (see Section 2.4.5, page 33).

Any weaknesses in the design can be left until the Hazop.
Hazop is a check on the design to spot points that have been overlooked. It should not replace the normal consultations and discussions that take place while a design is being developed (see Section 2.4.7, page 33).

Computers can carry out a Hazop.
Computers are now widely used for recording results and reminding teams of the common causes of deviations. Programs have also been developed, but so far little used, for producing a list of technical problems for consideration. A computer is highly unlikely to be able to identify the problems that arise out of interactions, or failures to interact, between people (see Section 2.6, page

Most problems that arise during a Hazop can be solved cheaply by adding on extra trips.
Many are solved that way but not as cheaply as we usually think. Testing and maintaining an extra trip costs about as much as purchase and installation, even after discounting. Trips cost twice what we think. In addition, a considerable management effort is needed to make sure that the testing is carried out. Procedures can corrode faster than steel and vanish without trace once managers lose interest (see Section 2.5(3), page 35). Instead of installing extra trips, it is better to carry out systematic studies earlier in design to find ways of avoiding the hazards (see Section 2.7, page 42).

The use of Hazop is confined to the chemical and allied industries.
In fact, modified in various ways, Hazop has been used in many other industries such as food processing, genetic engineering, laboratory operations, mechanical operations, defence systems and nuclear power (see Section 2.10 and Table 2.8, pages 51 and 53).

Hazop results in expensive additions to plant cost.
Hazop uncovers problems and ways of removing them. If the problems are very expensive to remove and the risks are not intolerable (in the legal phrase, if removing them is not 'reasonably practicable'), we do not have to remove them (see Sections 3.4 and 5.1, pages 83 and 168). But it is wrong to close our eyes in case we do not like what we see.

We should first remove (or reduce) the risks that are cheapest to remove (or reduce).
At first sight this seems reasonable as it will save the most lives for a given expenditure. However, on moral grounds we usually prefer to remove (or reduce) those risks that are considered intolerably high. We can use costs to help us decide between different ways of removing (or reducing) a risk and also to help us decide whether further reduction in a tolerable but still significant risk is justified (see Section 3.4.6, page 99).

Trip systems should always fail safe.
When trips fail safe they operate even though there is nothing wrong with conditions on the plant. Suppose a trip is designed to shut down a plant when the temperature rises above a preset value. If the trip develops a fault the plant is shut down unnecessarily. This may be safer than letting the plant get too hot, but may still be hazardous as the sudden shutdown may cause leaks. The phrase 'fail-safe' misleads people into thinking that the action is not hazardous. In fact, there are cases where the 'fail-safe' action may be less safe than the alternative (see Section 3.5.10, page 118).

If spurious operation is frequent, operators are tempted to bypass the trip.
We can reduce the number of spurious trips by using voting systems. Before doing so we should look for other possible causes of frequent spurious trips, such as poor maintenance (see Section 3.5.10, page 118).
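An added example (not from the book, and not ICI's figures) that makes the two preceding points concrete: for a k-out-of-n voted trip built from independent channels, the probability of failing to act on a genuine demand and the probability of a spurious trip move in opposite directions, except for 2-out-of-3, which improves both. The per-channel figures are constructed, and common-mode failures are deliberately left out of the model.

```python
from math import comb


def at_least(n: int, k: int, p: float) -> float:
    """Probability that at least k of n independent channels are in a state
    that each channel occupies with probability p (binomial upper tail)."""
    return sum(comb(n, j) * p ** j * (1.0 - p) ** (n - j) for j in range(k, n + 1))


def fail_to_danger(n: int, k: int, p_dangerous: float) -> float:
    """A k-out-of-n trip fails to act on a real demand when fewer than k
    channels can still call for a trip, i.e. when at least n-k+1 channels
    are in a failed-dangerous state. p_dangerous is the probability that a
    single channel is failed dangerous at the moment of demand (its
    fractional dead time)."""
    return at_least(n, n - k + 1, p_dangerous)


def spurious_trip(n: int, k: int, p_spurious: float) -> float:
    """A k-out-of-n trip acts when nothing is wrong if at least k channels
    raise a spurious demand. p_spurious is the probability that a single
    channel does so within the period considered. Channels are assumed
    independent; common-mode faults are ignored in this model."""
    return at_least(n, k, p_spurious)


# Common voting arrangements as (n channels, k needed to trip).
ARCHITECTURES = {"1oo1": (1, 1), "1oo2": (2, 1), "2oo2": (2, 2), "2oo3": (3, 2)}


def compare(p_dangerous: float, p_spurious: float) -> dict:
    """Both sides of the trade-off for each arrangement."""
    return {
        name: {
            "fail_to_danger": fail_to_danger(n, k, p_dangerous),
            "spurious_trip": spurious_trip(n, k, p_spurious),
        }
        for name, (n, k) in ARCHITECTURES.items()
    }


def improves_both(p_dangerous: float, p_spurious: float) -> list:
    """Arrangements that beat a single channel on both measures."""
    results = compare(p_dangerous, p_spurious)
    base = results["1oo1"]
    return [
        name
        for name, r in results.items()
        if r["fail_to_danger"] < base["fail_to_danger"]
        and r["spurious_trip"] < base["spurious_trip"]
    ]


if __name__ == "__main__":
    # Constructed figures: each channel dead 1% of the time and raising a
    # spurious demand in 10% of the periods considered (say, per year).
    for name, r in compare(0.01, 0.10).items():
        print(f"{name}: fail-to-danger {r['fail_to_danger']:.2e}, "
              f"spurious {r['spurious_trip']:.3f}")
    print("better than 1oo1 on both counts:", improves_both(0.01, 0.10))
```

Duplicating a fail-safe channel (1oo2) cuts the dead time a hundredfold but nearly doubles the spurious shutdowns the text warns about; 2oo2 does the reverse, and only the voted 2oo3 arrangement lowers both.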
When the Hazop meetings have been held and the Hazan report issued, the job is done.
No, the job is not over until actions have been agreed and carried out. Unless actions are given to a named person nothing will happen. All actions should be tracked until they are complete and have been inspected by the originator to make sure that they have been completed correctly and look right. What does not look right is usually not right and should at least be checked.

More powerful computers can compensate for deficiencies in models or data.
Stated as bluntly as this, the myth is obvious nonsense. Nevertheless, people sometimes act as if it was true. More and more complex models, requiring greater computing power, are devised for estimating the dispersion of gas leaks, for example, and the pressures developed if they ignite. Yet the size of the leak is determined by an arbitrary rule, such as assuming that the largest pipe will break, producing two open ends (see Section 4.6, page 160 and the quotations there from F. Hoyle and T.H. Huxley, page 162).

There are some further myths in Section 5.2, page 169.


References in Addendum 2

1. Kletz, T.A., 1996, Dispelling Chemical Engineering Myths (Taylor & Francis, Philadelphia, Pennsylvania, USA).
2. Gujar, A.M., 1996, Journal of Loss Prevention in the Process Industries, 9 (6):








By the same author

Computer Control and Human Error

* Lessons from Disaster: How Organisations Have No Memory and Accidents Recur
1993, ISBN 0 85295 307 0

* An Engineer's View of Human Error
2nd edn, 1996, ISBN 0 85295 265 1

Process Plants: A Handbook for Inherently Safer Design
Taylor & Francis, 2nd edn, 1998, ISBN 1 56032 619 0

Dispelling Chemical Engineering Myths
Taylor & Francis, 3rd edn, 1996, ISBN 1 56032 438 4

What Went Wrong? Case Histories of Process Plant Disasters
Gulf Publishing, 4th edn, 1998, ISBN 0 88415 920 5

Learning from Accidents
2nd edn, 1994, ISBN 0 7506 1952 X

Critical Aspects of Safety and Loss Prevention
408 04429 2

* Available from IChemE, Rugby, UK.

For more details or to request an IChemE book catalogue, e-mail



Trevor Kletz

The techniques of Hazop and Hazan were developed to identify and assess hazards in the process industries. Their use leads to safer plant, the elimination of many operational problems at the design stage and improvement in reliability. They will only be effective, however, if there is a commitment to safety at all levels in an organization. Understanding the practical issues involved in the correct implementation of these techniques is the theme of this book.

Hazop and Hazan: Identifying and Assessing Process Industry Hazards by Trevor Kletz, now in its fourth edition, provides the basics of applying hazard and operability study (Hazop) and hazard analysis (Hazan). Substantially revised and updated, this classic, easily accessible introduction to the subject provides essential reading for everyone who needs to know [...], from undergraduates through to working process safety engineers, providing plenty of practical advice from the author and more examples of Hazop and Hazan applications.

ISBN 0 85295 421 2

Davis Building
165–189 Railway Terrace
Rugby CV21 3HQ, UK





