You are on page 1of 12


Hazard Evaluation
Second Edition with Worked Examples
of the
American Institute of Chemical Engineers
345 East 47th Street, New York, NY 10017
Copyright 1992
American Institute of Chemical Engineers
345 East 47th Street, New York, NY 10017
All rights reserved. No part of this publication may be reproduced, stored
in a retrieval system, or transmitted in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise without the prior permission
of the copyright owner.
Library of Congress Cataloging-in-Publication Data
Guidelines for hazard evaluation procedures : with worked examples-2nd ed.
p. cm.
Includes bibliographical references and index.
ISBN 0-^8169-0491-X
1. Chemical plants Safety measures. 2. Petroleum refineries
Safety measures. 3. Hazardous materialsSafety Measures
I. American Institute of Chemical Engineers. Center for Chemical
Process Safety. II. Title: Hazard evaluation procedures.
TP155.5.G77 1992
660'.2904-<lc20 91-41715
This book is available at a special discount when ordered in bulk quantities.
For information, contact the Center for Chemical Process Safety at the
address given above.
Third printing April 1995
It is sincerely hoped that the information presented in this document will lead to an even more impressive
safety record for the entire chemical industry; however, neither the American Institute of Chemical
Engineers, its consultants, CCPS Subcommittee members, their employers, their employers' officers and
directors, nor JBF Associates, Inc. warrant or represent, expressly or implied, the correctness or accuracy
of the information presented in this document. Furthermore, the chemical process plant described in Part
II of this book, as well as the people and companies, is fictitious; any similarity to existing plants or
companies or to living people is purely coincidental. Therefore, the users of this document accept any legal
liability or responsibility whatsoever for the consequence of its use or misuse.
ACGffl American Conference of Government and Industrial Hygienists
AIChE American Institute of Chemical Engineers
AIChE^4)ffiRS American Institute of Chemical Engineers Design Institute
for Emergency Relief Systems
AIChEDEPPR American Institute of Chemical Engineers Design Institute
for Physical Property Data
American Industrial Hygiene Association
API American Petroleum Institute
ARC Accelerating Rate Calorimeter
ASSE American Society of Safety Engineers
CCA Cause-Consequence Analysis
CCF Common Cause Failure
CCPS Center for Chemical Process Safety
CEI Chemical Exposure Index
CMA Chemical Manufacturers Association
CPI Chemical Process Industry
CPQRA Chemical Process Quantitative Risk Analysis
EPA Environmental Protection Agency
ERPG Emergency Response Planning Guidelines
ETA. Event Ttee Analysis
F&EI Fire and Explosion Index
FMEA Failure Modes and Effects Analysis
FMECA Failure Modes, Effects, and Criticality Analysis
FTA Fault Ttee Analysis
HAZOP Hazard and Operability Analysis
Hazard Identification
HE Hazard Evaluation
HEP Hazard Evaluation Procedures
HRA Human Reliability Analysis
IChemE Institution of Chemical Engineers (United Kingdom)
ICI Imperial Chemical Industries
Immediately Dangerous to Life and Health
L-CLQ Lethal Concentration Low
Lethal Concentration, 50% Mortality
LD^ Lethal Dose, 50% Mortality
LEL Lower Explosive Limit
LFL Lower Flammable Limit
MSDS Material Safety Data Sheet
MORT Management Oversight and Risk Tfree
OSHA Occupational Safety and Health Administration
PEL Permissible Exposure Level
PFD Process Flow Diagram
PHA Preliminary Hazard Analysis
& Piping and Instrumentation Diagram
PSM Process Safety Management
R&D Research and Development
SCBA Self Contained Breathing Apparatus
SHI Substance Hazard Index
STEL Short Term Exposure Limit
TLV Threshold Limit Value
UEL Upper Explosive Limit
UFL Upper Flammable Limit
VSP Vent Sizing Package
Accident, accident scenario, or accident sequence: An unplanned event or sequence of
events that results in undesirable consequences. An incident with specific safety
consequences or impacts.
Acute hazard: The potential for injury or damage to occur as a result of an
instantaneous or short duration exposure to the effects of an accident.
Administrative control: A procedural requirement for directing and/or checking
engineered systems or human performance associated with plant operations.
Audit (process safety audit): An inspection of a plant or process unit, drawings,
procedures, emergency plans, and/or management systems, etc., usually by an
independent, impartial team. (See 'Safety Review" for contrast.)
Autoignition temperature: The lowest temperature at which a fuel/oxidant mixture will
spontaneously ignite under specified test conditions.
Basic event: An event in a fault tree that represents the lowest level of resolution in the
model such that no further development is necessary (e.g., equipment item failure,
human failure, or external event).
Branch point: A node with two paths in an event tree or cause-consequence diagram.
One path represents success of a safety function and the other path represents failure
of the function.
Cause-Consequence Analysis: A method for illustrating the possible outcomes arising
from the logical combination of selected input events or states. A combination of
Fault Ttee and Event Ttee models.
Checklist (traditional): A detailed list of desired system attributes or steps for a system
or operator to perform. Usually written from experience and used to assess the
acceptability or status of the system or operation compared to established norms.
Chronic hazard: The potential for injury or damage to occur as a result of prolonged
exposure to an undesirable condition.
Common cause failure: The occurrence of two or more failures that result from a single
event or circumstance.
Consequence: The direct, undesirable result of an accident sequence usually involving
a fire, explosion, or release of toxic material. Consequence descriptions may be
qualitative or quantitative estimates of the effects of an accident in terms of factors
such as health impacts, economic loss, and environmental damage.
Consequence analysis: The analysis of the effects of incident outcome cases independent
of frequency or probability.
CPQRA: The abbreviation for Chemical Process Quantitative Risk Analysis. The
process of hazard identification, followed by numerical evaluation of incident
consequences and frequencies, and their combination into an overall measure of risk
when applied to the chemical process industry. Ordinarily applied to episodic events.
Is related to Probabilistic Risk Assessment (PRA) used in the nuclear industry.
Daw fire and explosion index (F&EI): A method (developed by Dow Chemical
Company) for ranking the relative fire and explosion risk associated with a process.
Analysts calculate various hazard and exposure indexes using material characteristics
and process data.
Emergency response planning guidelines (ERPG): A system of guidelines for airborne
concentrations of toxic materials prepared by the AIHA. For example, ERPG-2 is
the maximum airborne concentration below which, it is believed, nearly all
individuals could be exposed for up to one hour without experiencing or developing
serious health effects that could impair an individual's ability to take protective
Engineered control: A specific hardware or software system designed to maintain a
process within safe operating limits, to safely shut it down in the event of a process
upset, or to reduce human exposure to the effects of an upset.
Episodic event: An unplanned event of limited duration, usually associated with an
Episodic release: A release of limited duration, usually associated with an accident.
Error-Ukefy situation: A work situation in which the performance shaping factors are
not compatible with the capabilities, limitations, or needs of the worker. In such
situations, workers are much more likely to make mistakes, particularly under
stressful conditions.
Event: An occurrence related to equipment performance or human action, or an
occurrence external to the system that causes system upset. In this document an
event is either the cause of or a contributor to an incident or accident, or is a
response to an accident's initiating event.
Event sequence: A specific, unplanned series of events composed of an initiating event
and intermediate events that may lead to an incident.
Event tree: A logic model that graphically portrays the combinations of events and
circumstances in an accident sequence.
External event: Event external to the system/plant caused by (1) a natural hazard
earthquake, flood, tornado, extreme temperature, lightning, etc., or (2) a human-
induced event aircraft crash, missile, nearby industrial activity, fire, sabotage, etc.
Failure mode: A symptom, condition, or fashion in which hardware fails. A failure
mode might be identified as loss of function; premature function (function without
demand); an out-of-tolerance condition; or a simple physical characteristic such as
a leak observed during inspection.
Failure Modes and Effects Analysis (FMEA): A systematic, tabular method for
evaluating and documenting the causes and effects of known types of component
Failure Modes, E ffects, and Criticality Analysis (FME CA): A variation of FMEA that
includes a quantitative estimate of the significance of the consequence of a failure
Fault event: A failure event in a fault tree that requires further development.
Fault tree: A logic model that graphically portrays the combinations of failures that can
lead to a specific main failure or accident of interest (Tbp event).
frequency. The number of occurrences per unit time at which observed events occur
or are predicted to occur.
Hazard: An inherent physical or chemical characteristic that has the potential for
causing harm to people, property, or the environment. In this document it is the
combination of a hazardous material, an operating environment, and certain
unplanned events that could result in an accident.
Hazard analysis: See hazard evaluation.
Hazard and Operabitity (HAZOP) Analysis: A systematic method in which process
hazards and potential operating problems are identified using a series of guide words
to investigate process deviations.
Hazard checklist: An experience-based list of hazards, potential accident situations, or
other process safety concerns used to stimulate the identification of hazardous
situations for a process or operation.
Hazard evaluation (HE ): The analysis of the significance of hazardous situations
associated with a process or activity. Uses qualitative techniques to pinpoint
weaknesses in the design and operation of facilities that could lead to accidents.
Hazard identification: The pinpointing of material, system, process, and plant
characteristics that can produce undesirable consequences through the occurrence of
an accident.
Hazard review: See hazard evaluation.
Human error. Any human action (or lack thereof) that exceeds some limit of
acceptability (i.e., an out-of-tolerance action) where the limits of human performance
are defined by the system. Includes actions by designers, operators, or managers that
may contribute to or result in accidents.
Human factors: A discipline concerned with designing machines, operations, and work
environments to match human capabilities, limitations, and needs. Among human
factors specialists, this general term includes any technical work (engineering,
procedure writing, worker training, worker selection, etc.) related to the person in
operator-machine systems.
Human Reliability Analysis (HRA): A method used to evaluate whether necessary
human actions, tasks, or jobs will be completed successfully within a required time
period. In the Guidelines, HRA is used strictly in a qualitative context. Also used
to determine the probability that no extraneous human actions detrimental to the
system will be performed.
HRA event tree: A graphical model of sequential events in which the tree limbs
designate human actions and other events as well as different conditions or
influences upon these events.
Initiating event: The first event in an event sequence. Can result in an accident unless
engineered protection systems or human actions intervene to prevent or mitigate the
Intermediate event: An event that propagates or mitigates the initiating event during an
accident sequence.
Likelihood: A measure of the expected probability or frequency of an event's
Minimal cut set: A combination of failures necessary and sufficient to cause the
occurrence of the Tbp event in a fault tree.
Mitigation system: Equipment and/or procedures designed to interfere with incident
propagation and/or reduce incident consequences.
Mond Index: An extension of the Dow F&EI, developed by ICI, which also addresses
chemical toxicity hazards.
Operator. An individual responsible for monitoring, controlling, and performing tasks
as necessary to accomplish the productive activities of a system. Often used in a
generic sense to include people who perform all kinds of tasks (e.g., reading,
calibration, maintenance).
Performance shaping factor (PSF): Any factor that influences human performance.
PSFs include factors intrinsic to an individual (personality, skill, etc.) and factors in
the work situation (task demands, plant policies, hardware design, training, etc.).
Process safety management:. A program or activity involving the application of
management principles and analytical techniques to ensure the safety of process
facilities. Sometimes called process hazard management.
Protective system: Systems including, for example, pressure relief valves, that prevent the
occurrence of or mitigate the effects of an accident.
Quantitative risk analysis: The systematic development of numerical estimates of the
expected frequency and/or consequence of potential accidents associated with a
facility or operation based on engineering evaluation and mathematical techniques.
Rare event: An event or accident whose expected frequency is very small. The event
is not statistically expected to occur during the normal life of a facility or operation.
Recovery factors: Feedback factors that limit or prevent the undesirable consequences
of a human error.
Risk: The combination of the expected frequency (eventstyear) and consequence
(effects/event) of a single accident or a group of accidents.
Risk assessment: The process by which the results of a risk analysis (i.e., risk estimates)
are used to make decisions, either through relative ranking of risk reduction
strategies or through comparison with risk targets.
Risk management: The systematic application of management policies, procedures, and
practices to the tasks of analyzing, assessing, and controlling risk in order to protect
employees, the general public, the environment, and company assets.
Risk measures: Ways of combining and expressing information on likelihood with the
magnitude of loss or injury (e.g., risk indexes, individual risk measures, and societal
risk measures).
Safety Review (process safety review): An inspection of a plant or process unit, drawings,
procedures, emergency plans, and/or management systems, etc., usually by a team and
usually problem-solving in nature. (See 'Audit" for contrast.)
Safety system: Equipment and/or procedures designed to limit or terminate an accident
sequence, thus mitigating the accident and its consequences.
Scribe/recorder A hazard evaluation team member who is responsible for capturing the
significant results of discussions that occur during an HE team meeting.
Task analysis: A human error analysis method that requires breaking down a procedure
or overall task into unit tasks and combining this information in the form of event
trees. It involves determining the detailed performance required of people and
equipment and determining the effects of environmental conditions, malfunctions,
and other unexpected events on both.
Top event: The undesired event or incident at the 'top* of a fault tree that is traced
downward to more basic failures using Boolean logic gates to determine the event's
possible causes.
Undeveloped event. An event in a fault tree that is not developed because it is of no
significance or because more detailed information is unavailable.
Worst case: A conservative (high) estimate of the consequences of the most severe
accident identified.
Worst credible case: The most severe accident considered plausible or reasonably
The Center for Chemical Process Safety (CCPS) thanks all of the members of the
Hazard Evaluation Procedures (HEP) Subcommittee for providing technical guidance
in the preparation of this document. CCPS also expresses its appreciation to the
members of the Tfechnical Steering Committee for their advice and support.
The chair of the HEP Subcommittee was Dennis C. Hendershot of Rohm and
Haas Company and the CCPS staff liaison was Ray Witter. The Subcommittee had
the following additional members:
Samuel Y. Bridges Jay E. Giffin
Elf Atochem North America, Inc. Union Carbide Chemicals &
Plastics Inc.
Gus L. Constan
Dow Corning Corporation Robert M. Rosen
BASF Corporation
William E Early
Stone & Webster Charles J. TWardowski, Jr.
Engineering Corporation ICI Americas Inc.
Walter L. Frank Robert C. Wade
Du Pont Amoco Oil Company
JBF Associates, Inc. (JBFA) prepared this edition of the Guidelines for Hazard
E valuation Procedures, Second E dition with Worked E xamples. These Guidelines are
divided into two parts: Part IGuidelines for Hazard E valuation Procedures and Part
II Worked E xamples for Hazard E valuation Procedures. J. Steven Arendt was
JBFAs Project Manager and lead author of the HEP Guidelines. David F. Montague
was lead author of the HEP Worked E xamples. The other principal authors on
JBFAs team were Myron L. Casada, Donald K. Lorenzo, and David A. Walker.
William G. Bridges, David J. Campbell, John Q. Kirkman, and David 1C Whittle also
contributed to these Guidelines.
Pan I HE P Guidelines contains several new chapters covering topics such as
hazard identification methods, preparation for hazard evaluation studies, and follow-
up considerations. The remaining chapters of Pan I are extensively revised versions
of the material from the first edition, developed in 1985 by Battelle Columbus
Laboratories and the following members of the original HEP Subcommittee:
Edwin J. Bassler Gary A Page
Stone & Webster American Cyanamid
Engineering Corporation Corporation
Harold S. Kemp
AIChE Past President
Walter Kohfeldt
Exxon Chemical (now retired)
Stanley J. Schechter
Rohm and Haas Company
Robert A. Smith
Dow Chemical Company
As a companion to the HEP Guidelines, JBF Associates also developed Part II
Worked Examples for Hazard Evaluation Procedures. The HEP Worked Examples
contains entirely new material designed to help illustrate the real-life application of
hazard evaluation techniques.
The authors of the HEP Guidelines and the HEP Worked Examples are indebted
to the technical publications personnel at JBFA. Kelley S. Alters was the editor
for this project and Curt A. Rogers, Catherine Y. Carter and Sarah Y. Auklkington
were the proofreaders. Cora R. Everett and Nicole Lepoutre-Baldocchi created the
graphics. Finally, Angela L. Hardeman prepared the manuscript for publication.
CCPS also gratefully acknowledges the comments submitted by the following
peer reviewers:
Stanley E. Anderson
Rohm and Haas Tfexas,
Joseph P. Balkey
Union Carbide Chemicals &
Plastics Inc.
Charles Burgdorf
Elf Atochem North
America, Inc.
Arthur F. Burk
Du Pont
Donald C. Clagett, Ph.D
GE Plastics
Daniel A. Crowl
Wayne State University
Robert E. DeHart II
Mobil Oil Corporation
A. M. Dowell III
Rohm and Haas Tfexas,
Jay Eberhardt
ICI Americas Inc.
Joseph F. Louvar
BASF Corporation
William K. Lutz
Union Carbide Chemicals &
Plastics Inc.
R. Craig Matthiessen
U.S. Environmental
Protection Agency
Ray L. Mendelsohn
Du Pont
C. Donald Miller
Union Carbide Chemicals &
Plastics Inc.
N. Sankaran
UNOCAL Corporation
Mike Sawyer
Science Applications
International Corporation
Mike Sherrod
Stone & Webster Engineering
Gary R. Van Sciver
Rohm and Haas Company
Mark Eidson
Stone & Webster
Engineering Corporation
Barry Gibson
Kathleen A. Haines
ICI Americas, Inc.
Steven A. Lapp, Ph.D.
Design Sciences, Inc.
Dennis E. Wade
Monsanto (now retired)
Johnny O. Wright
Amoco Corporation
Their insight and suggestions helped ensure a balanced perspective for the Guidelines.