17 Oct 2025

Three Sides to the Truth: The Engineer, The Operator, and The Data Historian


It is a truth, universally acknowledged, that a process plant must be in need of a HAZOP. And in many major companies, the ritual of the HAZOP means that every five years or so, a team sits down, sometimes with the previous assessment, sometimes with a blank database, and goes through the systematic and exciting task of applying guidewords to process flow, and identifying or clarifying what the consequences would be, what the safeguards are, and whether there is opportunity to prevent, control, or mitigate hazards and major operability problems.

Depending on the operation, what happens next can be very different. Sometimes the report becomes a “write-only document”, a box ticked in a procedure and it gathers literal or metaphorical dust on the shelf/file system. Sometimes they are revered texts, providing the definitive and only view on what might happen in the plant if something goes wrong, and anchoring risk assessments for years to come to the same conclusion – the HAZOP said this was the consequence, and the HAZOP is a wise and trusted source. It happens once every five years, is quite expensive, so it must be worth a lot. And it comes as a surprise to many if an incident occurs that they don’t find that exact outcome written in a cause-consequence pair in the HAZOP document.

Don’t get me wrong. A HAZOP is an important way to assess a plant. It provides a simple but powerful accident model: plant is at a steady state, then you deviate along one dimension (pressure, temperature, flow), consider the worst place that might reasonably lead you to, and assess the risk from there. It provides clarity on a number of important hazard types, like HP/LP interfaces, loss of level control, loss of temperature control, etc. When tied in with Layer of Protection Analysis, it provides an ecosystem of hazards and safeguards that can help us demonstrate that we are both in line with good practice and, where this is appropriate, managing risks to as low as reasonably practicable (which at its heart also includes being in line with good practice).

It might be obvious to say, but the key output from the HAZOP is our process-related major hazards. All process safety management systems rely on good identification of hazards, and this output is key to demonstrating that we are managing our risk appropriately. And things change, often slowly, but we need to be able to assess the impact of these changes. And even if a plant hasn’t physically changed any pipework or vessels, changes to feedstock or changes to the wider environment can change how the plant works. So, we need to periodically re-assess whether our process-related major hazards are still valid, and our design still in line with good practice.

There are three important perspectives in play here.

The engineers, trained in understanding systems, thermodynamics, and flows of energy and fluid, can assess the likely impact of known changes on the plant, at various levels of granularity, device, unit operation and overall system. We are mindful of the design intent, and the fundamental limits of the system, and how that should mean the complex machine that is a production plant will perform. We have process models to help us assess the impact of changes, and mental models about how the plant should work.

The operators may not have such a deep knowledge of the thermodynamics and physical principles behind how the plant works, but they generate a deep understanding of how the plant handles. The critical issue might not be how the plant works in a steady operation. It might be more important to consider how it changes from one point to another, as the plant responds to changes, and maybe places unexpected demands on controls or trips.

The third perspective doesn’t have its own voice, but is the plant itself. Within the data captured on pressures, temperatures, flows, valve positions, controller outputs, motor speeds, surge controllers, turbine power, and the many terabytes of associated records, there lies a version of the truth of how the plant really works. It’s not perfect, and things like instrument calibration, malfunctions, and other ways that data gets corrupted get in the way. Sometimes it is just the sheer volume of data that makes it hard to spot issues.

Figure 1. You need multiple perspectives to see the whole picture.

A HAZOP brings together the engineer and the operator, and often the most interesting discussions are where there is a difference of opinion about how a system really works in practice. Those moments are like Leonard Cohen’s cracks that let the light get in. As a facilitator, I am mindful that these are often the most valuable part of the HAZOP, and exploring the truth in the light of those cracks can be the thing that most improves the current understanding of the risk. But in a conventional HAZOP, the voice of the plant itself isn’t heard much.

We’ve tried to do things differently in a recent study for an offshore facility. Mindful of the value of the HAZOP, we wanted to be sure that the current list of major process hazards was tested and refreshed. We wanted to make sure that the engineers and operators would have the opportunity to explore those cracks in understanding and operation. But we also wanted to let the plant speak. So the study included workshops for discussion on hazards. But also a deeper dive into how the controllers were working. On whether the valves were responding the way they should be. On whether the safety systems were achieving what we expected. We needed to end up with something that also supported the other assessments, like LOPA for key safety instrumented functions.

And how did it go? Well, for one, rather than spending a lot of time in the HAZOP re-identifying causes that didn’t end up being a significant concern, we had our engineer look at trends in data that didn’t end up being a significant concern. We had less face-to-face time with the operator and engineer, but used it to talk about the major hazards, rather than losing momentum and focus on the things that aren’t a problem. We found a few items that hadn’t been captured in the definitive HAZOP that we think are of concern. We found that there was a range of not-quite-so-serious consequences of loss of liquid level that had risked being overlooked by focusing on a textbook major interface that no longer was of concern due to changes in arrival pressure. We asked a range of different questions that a HAZOP might never have formally considered. And we brought another diverse perspective on system performance that would not have been easy to inject into the normal HAZOP format. We’re now more confident that our key outputs are understood, and will test those subsequent to the study in a more traditional LOPA to ensure we are happy that the design is in line with good practice and ALARP.

I’d been facilitating a traditional HAZOP in parallel with this study, and that will also flow to a LOPA in due course. But we didn’t have the ability to bring the plant perspective in a meaningful way into the study. That may well be covered in the other operator’s case by other work they are doing with their data. At the end of my studies, I generally try to think about what we might have missed, or what assessments we have made that give an incorrect view on risk. For the traditional HAZOP, I think we’ve missed the chance to inject real data and generate more understanding. For our revised approach, there is the niggling suspicion that we missed something important in the data.

Both studies were for similar sized facilities, and actually, both studies involved similar engineering hours. But I know which one I think added more understanding of risk, and as a result, more value. My other client is constrained by corporate standards to continue to use the HAZOP as its five-yearly review of the process safety risks. And I will continue to have the conversation with them about how to get understanding from the plant data into this assessment.
