GCPS 2013 __________________________________________________________________________

Performing a HAZOP on Start-up/Shutdown Procedures

Fareed Ebrahim
ACM Automation Inc.
#700, 940 6th Avenue SW
Calgary, Alberta
febrahim@acm.ca
German Luna-Mejias, P. Eng
ACM Automation Inc.
gluna@acm.ca

Prepared for Presentation at

American Institute of Chemical Engineers
2013 Spring Meeting
9th Global Congress on Process Safety
San Antonio, Texas
April 28 May 1, 2013
UNPUBLISHED

GCPS 2013 __________________________________________________________________________

AIChE shall not be responsible for statements or opinions contained

in papers or printed in its publications

GCPS 2013 __________________________________________________________________________

Performing a HAZOP on Start-up/Shutdown Procedures

Fareed Ebrahim
ACM Automation Inc.
#700, 940 6th Avenue SW
Calgary, Alberta
febrahim@acm.ca
German Luna-Mejias, P. Eng
ACM Automation Inc.
Keywords: Procedure HAZOP, Start-up/Shutdown

Abstract
Statistics show that approximately 65% of process safety related incidents occur during the startup/shutdown operations of the plant. Yet, the bulk of the risk assessments performed today focus
on the normal operation of the plant. A major contributor to the lack of start-up/shutdown risk
assessments is the lack of a strongly documented methodology. One method of performing this
assessment is through the HAZOP of start-up/shutdown procedures. This HAZOP involves a
step by step review of the procedure with consideration given to the sequencing, delay, or
missing of steps involved in the procedure. By performing this review, required permissives are
identified, contingencies are developed and essential safeguards are identified. This will help
ensure the operations team is confident that they are performing the start-up/shutdown in a safe
manner. This paper focuses on the framework for guidelines, procedures and templates that are
necessary to perform this HAZOP. A practical approach with examples is presented.

1. Introduction
Currently, it is common practice to reserve a deviation in a continuous process HAZOP for startup and shutdown issues. Unfortunately, during analysis, this deviation if often not explored to its
full potential. This abrupt analysis is often due to the lack of available information and expertise,
lack specificity within the deviation, and time constraints. Yet, statistics provide a compelling
argument to improve the rigour associated with start-up/shutdown analysis. Approximately 65%
of process safety related incidents occur during these modes of operations1. To improve the
rigour associated with the assessment of start-up/shutdown, the HAZOP technique must be
further extended to the procedures for these modes of operation. Many sources are available
which explore the fundamentals of performing such a HAZOP1,2, and therefore, this paper will
focus on developing a methodology by expanding upon the commonly used HAZOP technique
for normal operating modes.

GCPS 2013 __________________________________________________________________________

2. Preparing for the HAZOP

In order to ensure that a complete and accurate assessment is performed, compiling the correct
documents and team members for the HAZOP is of paramount importance. Just as there are key
documents required for a process HAZOP, specific documents are also required for the startup/shutdown procedure HAZOP.
2.1 Required Documentation
Firstly, the procedure for start-up/shutdown must be available. Just as the P&IDs are the central
document during a process HAZOP, the procedure will be the main focus in the startup/shutdown analysis and therefore, should be the most up-to-date revisions available. This
procedure can then be split into nodes or subsystems for analysis. Nodes or subsystems may be
defined as each individual step in the procedure.
Depending on the complexity of each step, it may be required to split the step into simplified
actions, which in turn become the node for analysis. Conversely, procedure steps may be
combined to develop a node based on timing requirements and the requirement for actions
needing to be performed simultaneously. Timing concerns associated with procedures will be
further discussed with the HAZOP deviations. As the implications of each procedure step may
not be immediately clear to the HAZOP facilitator, it is of utmost importance that nodes are
developed in conjunction with the operations personnel.
Once the nodes have been identified, and the complexity of the procedure understood, a decision
must be made on the degree of analysis for the HAZOP to be performed. Two methods of
analysis can be employed for the HAZOP a What-If? approach, or a guideword method. The
What-If? approach follows the same method as that used for a continuous process. If only an
extremely high level analysis is required, the What-If? methodology may be applied to the
entire procedure instead of applying it to nodes. Conversely, the application of the guideword
method provides a more structured approach. Generally, as the complexity of the procedure
increases, more guidewords should be employed in order to ensure a thorough analysis is
completed. PHA software3 contains pre-packaged guidewords to be used for analysis.
Explanation and application of the guidewords will be explored in Section 3.
Supporting documents for the procedure HAZOP include the following:
As-Built P&IDs
Isolation markup drawings - showing spec blind placement and position as per startup/shutdown modes
Shutdown keys - including permissives
Alarm lists
Alarm/Trip bypass procedures - including contingency plans
It is important to note that the shutdown keys and alarm lists may not outline which systems may
be bypassed during a start-up and shutdown. Therefore, it is critical to obtain the bypass

GCPS 2013 __________________________________________________________________________

information, as well as the operating window for all instrumentation that will be referenced
during the start-up/shutdown operation.
2.2 Required Personnel
In addition to compiling the correct documents for the session, it is of equal importance to ensure
the correct personnel are in the room during the HAZOP. Similar to a process HAZOP,
representation from the process team, instrumentation, and operation is required. It is suggested
to have extra representation from the operations group to provide a more diverse perspective for
the brainstorming process. Furthermore, if the HAZOP is being performed at the commissioning
phase, it is recommended for the construction manager or equivalent representative to be present.

3. Performing the HAZOP

3.1 Introducing Guidewords
Risk assessment software3 often includes preloaded libraries of guidewords for the HAZOP of
procedures. Table 1 below lists seven guidewords that can be used for the HAZOP. These
guidewords are listed in a suggested order for use in the HAZOP. Guidewords may be changed,
added or deleted based on the HAZOP team experience, process being analyzed, and corporate
guidelines. Note that the performance of a start-up/shutdown procedure HAZOP does not negate
the requirement to perform a pre-start-up safety review.
Table 1. Suggested Guidewords and Description for Procedure HAZOP
Guideword3
Description
Less
More
No
Reverse
Other than3
As well as3
Sooner/Later3

Not enough is done to adequately execute procedure

action.
Action is performed to a further extent than specified.
Action is fully omitted.
Actions in procedure are performed out of specified
sequence.
Action is performed that does not align with what is
specified.
The operator does another action, in addition to the
specified step being done correctly.2
Timing of action is incorrect.

All seven guidewords may not be used for each start-up/shutdown procedure being analyzed.
Guidewords should be applied based on the complexity of the procedure. An example of a
simplified method is the two-guideword approach2 is contained in Table 2 below.
Table 2. Two-Guideword approach for Procedure HAZOP2
Guideword
Description
Omit
Incorrect

Step is not done or part of the step is not done.

Step is not performed as intended.

GCPS 2013 __________________________________________________________________________

3.1

Application of Guidewords

In order to further illustrate the application of each guideword, a subsection of a mock,

simplified procedure (listed below) for a Reformer will be used. Guidewords from the two word
approach will not be further explored as they can be considered a subset of the initial seven. Note
that nodes will be assumed to be the individual procedure steps for the purpose of this
illustration. Consequences are not to be considered complete for use in industry HAZOPs but for
the purpose of example only.
Simplified Excerpt of Reformer Procedure:
1.
2.
3.
4.

Once pilots are lit, start lighting main burners (two per cell).
After completing the first ten pilots, light another ten but evenly distributed per cell.
Wait for 30 minutes or until the heater outlet temperature is stable
Continue lighting burners to increase the heater temperature at a rate of 50C/hour
until a temperature of 380C is reached.
5. Once temperature is stable and maintains at 380C, start injecting HP Steam and
continue lighting burners as required to prevent the heater temperature from dropping
below 350C.

3.2.1

Less

Example Deviation from Step 3: Adequate time is not allotted by operator for heater outlet
temperature to stabilize in an attempt to speed up start-up.
Consequence: Potential for a sudden temperature increase in heater leading to refractory damage
or flame impingement.
3.2.2 More
Example Deviation from Step 1: More than two burners are lit per cell in order to speed up startup of unit.
Consequence: Potential for a sudden temperature increase in heater leading to refractory damage
or flame impingement.
3.2.3 No
Example Deviation from Step 4: Additional burners are not lit by operator.
Consequence: If steam is injected into the heater when temperature is below 350C there will be
deactivation of catalyst within heater tubes.

GCPS 2013 __________________________________________________________________________

3.2.4 Reverse
Example: Deviation from Step 3: Additional burners are lit prior to stabilization of heater outlet
temperature.
Consequence: Potential for a sudden temperature increase in heater leading to refractory damage
or flame impingement.
3.2.5

As well as

Example: Deviation from Step 2: Steam is injected by operator as well as lighting the additional
burners.
Consequence: If steam is injected into the heater when temperature is below 350C there will be
deactivation of catalyst within heater tubes.
3.2.6

Other than

Example: Deviation from Step 5: Natural Gas is injected into the heater instead of Steam.
Consequence: Overheating of tubes in reactor leading to tube damage and potential explosion.
3.2.7

Sooner/Later

Example: Deviation from Step 5: Steam injected to heater prior to temperature reaching 350C.
Consequence: If steam is injected into the heater when temperature is below 350C there will be
deactivation of catalyst within heater tubes.
3.3

Applying a Risk Ranking

As HAZOPs have developed over time, there has been a continued emphasis to add more semiquantitative aspects to the study. A major element of this semi-quantitative aspect is the
application of a risk matrix. Unfortunately, risk matrices are designed using a per year time
frame. This per year concept is of course not applicable to a procedure. Therefore, when
performing the procedure HAZOP, two options are available. One, is to avoid the risk ranking
and perform a fully qualitative analysis. Second, is to apply the risk matrix by avoiding the
yearly references contained in the likelihood, and setting a default likelihood of making an error
in the procedure to correspond with highest likelihood available (ie. frequent) on the matrix. This
is to quantify the fact that there is a possibility to make a mistake in executing the procedure at
any given opportunity for execution. For example, if a procedure step is incorrectly worded,
there is an opportunity for error every time that step is executed. The consequence levels outlined

GCPS 2013 __________________________________________________________________________

in the risk matrix are not time constrained and therefore are easily applied to a start-up/shutdown
procedure HAZOP. Safeguards can then be applied in a fashion similar to process HAZOPs by
dropping the likelihood by one level.
3.4

Adding Safeguards

When applying safeguards to a procedure, it is of course of utmost importance to adhere to the

guidelines set out in IEC-61511 if they will be used as independent protection layers. In addition
to this, it is extremely important to ensure that the safeguard will not be bypassed during the
start-up or shutdown. In some cases, safeguards through a safety instrumented system may be
disabled during start-up or shutdown. It is extremely important to identify these bypasses and
ensure safeguards are not credited that will not be active. If a safeguard is bypassed, refer to
contingency planning documents in order to identify an alternative. Furthermore, it is of utmost
importance to ensure that the safeguards will in fact be within their operating range during startup and shutdown. One control related safeguard that is far more predominant in startup/shutdown procedure HAZOPs when compared to process HAZOPs are permissives. It is
therefore important to have these permissives identified, optimally on the shutdown key. In
addition to instrumentation safeguards, a double check to the operator performing the specified
action also acts as a valid safeguard.

4.

Conclusion

The application of the HAZOP technique to a start-up/shutdown procedure is an effective way to

improve the quality of analysis in these modes of operation. Just as in a normal operating mode
HAZOP, specific documentation and team members are required. Furthermore, the level of
rigour of the study may be adjusted by using a What-If? approach or by varying the number of
guidewords to be used. A risk ranking may be applied during a procedure HAZOP, but caution
must be applied in order to avoid diluting the risk of a situation by ensuring the procedure is
analyzed on a per opportunity (instead of a per year) basis. Safeguards must also be applied with
caution due to the potential for bypasses or conditions being out of the operating window of
certain instruments during start-up/shutdown. It is hoped that the application of the HAZOP
methodology to start-up and shutdown procedures will greatly reduce the number of incidents
that occur during these modes of operation.

GCPS 2013 __________________________________________________________________________

5. References
[1]

Bridges, Bill. "Paper: How to Efficiently Perform the Hazard Evaluation Required for
Non-Routine Modes of Operation (Start-up, Shutdown, Online Maintenance)." Proc. of
2011 Global Congress on Process Safety., 2011

[2]

CCPS. "9. Extensions and Special Applications." Guidelines for Hazard Evaluation
Procedures. New York: Center for Chemical Process Safety of the American Institute of
Chemical Engineers, 1992. 257-67.

[3]

Dyadem International Ltd. PHA-Pro. Computer software. Vers. 8.2.2.0.