STRUCTURED WHAT IF CHECKLIST

INITIAL AND WRAP UP DISCUSSIONS -

REGULATORY REQUIREMENTS

HAZARDS OF THE PROCESS

PREVIOUS INCIDENT WITH CATASTROPHIC

POTENTIAL
®
ENGINEERING AND ADMINISTRATIVE CONTROLS

CONSEQUENCES OF FAILURES OF
ENGINEERING AND ADMINISTRATIVE CONTROLS

FACILITY SITING/LAYOUT

QUALITY EVALUATION OF SAFETY AND HEALTH

EFFECTS

OTHER REGULATORY ISSUES

sTRuCTURED wHAlr lF QUESTloN

CATEGORIES

MATERIAL PROBLEMS (MP)

EXTERNAL EFFECTS OR INFLUENCES (EE/l)

 OPERATING ERRORS AND OTHER HUMAN FACTORS
(OE&HF)

ANALYTICAL OR SAMPLING ERRORS (A/SE)

EQUIPMENT/lNSTRUMENTATION MALFUNCTION (E/IM)

PROCESS UPSETS OF UNSPECIFIED ORIGIN (PUUO)

UTILITY FAILURES (UF)

lNTEGRITY FAILURE OR LOSS OF CONTAINMENT

(lF/LOC)

EMERGENCY OPERATIONS (EO)

ENVIRONMENTAL RELEASE (ER)

®
 lvIATERIAL PR0BLEIVIS (MP)

This question category provides an opportunity to explore the know or

documented potential hazards and the special conditions which may need to be
maintained in order to safety store, handle and process the raw materials,
intermediates and finished products which will be present in the process. Some
ideas for questions include, but are not limited to:

• Flammability?

• Thermal instability?

• Flash points?

• Static electrical charge build up and discharged can occur

(grounding/bonding)?

• Safe storage temperature?

• Safe storage pressure?

• Reactivity (with process chemicals, process service side fluids, fire fighting
agents, etc.)?

• TOxicity?

• Exposure limits (personal protective equipment requirements)?

• Physical properiies (freezing point, boiling point, viscosity, etc)?

• CorrosMty? ®
• Contamination from outside sources?

• Contamination through process connections?

• Mixing hazards?

• Settling hazards?

• Pyrophoric potential

• The process/storage temperature is sufflciently high that unexpected or

unwanted water can cause a hazard?
 Note this item is potentially of greater significance when lack of adequate
isolation during non-continuous operations is considered.

EXTERNAL EFFECTS OR INFLUENCES (EE/l)

This question category is intended to help identify the effect of outside forces or
demand scenarios which might result in the development of some of the hazards
identified during discussions of material problems (MP). [ncluded might be
natural phenomena ranging from volcanos which could send hot mud flooding
into the plant, to freezing weather which might cause a polymerization inhibitor to
precipitate from a monomer (ultimately leading to a runaway reaction and
subsequent environmental release) or freezing in a line (which could lead to
integrity failure or loss of containment). Also to be considered are man-made
random events such as arson, civil disturbances, or a nearby explosion which
® might in some way impact the unit being reviewed? Some ideas for questions
include, but are not limited to:

NATURE

• Highwinds?

• Flooding?

• Extreme cold?

• Extreme heat?
• High humidity?

• Lowhumidity?

® • An earthquake occurs?

• A hurricane occurs?
• Atornado occurs?

MAN MADE

• A crane drops its load on safety critical piping, equipment or

instrumentation?

• A crane upsets and impacts?

• Maintenance activity disrupts (vessel lining, instrument lines, etc.)?

• A forklift impacts?
 • Atruck impacts?

• Arailcarimpacts?

• Aircraft (or falling parts) impacts?

• Over pressure or shrapnel impact from a nearby explosion?

• Arson?

• Sabotage?

• Civil disturbance/

• Poor access to equipment or instrumentation results in adverse affects (on

®
maintenance adequacy, operational inattention, emergency response
situations)?

• An external fire impinges on equipment?

OPERATING ERRORS AND OTHER HUMAN FACTORS (OE&HF)

For each mode of operation (e.g. charging, start-up, shutdown, reaction, stand-
by, etc) the SWIFT team should imagine itself in the operator's role and devise
questions related to every conceivable way to mistreat the process represented
on the flow sheets. lt is important to remember that many operating errors are
the result of inadequate training or poorly written or incomplete instructions.
Some ideas for questioning include, but are not limited to:

TASK CHARACTERISTICS ®
• Tasktoo complex?

• Taskisboring?

INFORMATION

• Toomuch?

• Toolittle?

• Incorrect?
 • lncomplete?

TIME/SEQUENCE

• Notenough timeto respond?

• Toosoon?

• Toolate?

• Wrong sequence?

• Toooften?

® • Too infrequently?

Note these items are potentially of greater significance when non-continuous

operation is considered.

ACT'ON

• Toomuch?

• Toolitt'e?

• Wrong location?

• lncorrect chemical used?

• Substitution because of unavailability or convenience?

® • Makes an unauthorized change in procedure?

• Makes an unauthorized change in equipment?

• A control is bypassed or otherwise disabled?

• Controls are in manual?

• Safety system bypassed or otherwise disabled?

• Poor communication (especially between shifts)?

ERGONOMICS
 • Controls areconfusing?

• Procedure is confusing?

• Feedback is inadequate?

• Piping (manifold, etc) is confusing?

• Necessary equipment is hard to access?

• Necessary equipment is difflcult to operate?

• Necessary equipment is unavailable?

• Drawings incomplete, misleading or confusing?

Note these items are potentially of greater significance when non-continuous

operation is considered.

TRAINING (EIVIPLOYEES AND APPROPRIATE CONTRACTORS)

• Insufficient knowledge?

• lnsufflcient training (initial, refresher)?

• lnadequate skill level (performance not adequately monitored)?

• lnadequate instruction

SURROUNDINGS

• Real hazard adversely affects judgment? ®

• Perceived hazard adversely affects judgment?

• Operator discomfort adversely affects performance?

• (Noise, Humidity, temperature HVAC protective gear cumbersome)

• Weather (lightning, ice storm, etc) prevents the operator from taking
necessary action?

• Personnel hazards (e.g. exposed hot pipes, missjng hand rails, and close
quarters) adversely affect operator performance.
 WORK ORGANIZATION

• Task responsibility is not assigned?

• lnsufficient motivation?

• Afraid ofmaking a mistake?

Note these items are potentially of greater significance when non-continuous

operation is considered.

ANALYTICAL OR SAMPLING ERRORS (A/SE)

The team should consider and devise questions related to all potential analytical
or sampling requirements or operations. This category of questions could range
from the importance of controlling slime in a cooling tower loop, to failing to
obtain critical process control data, or even injuries occurring to lab technicians
who must analyze a thermally unstable intermediate. Some ideas for questions
include, but are not limited to:

• Sample is nottaken?

• Difflculty in obtaining a representative sample?

• Sample is notanalyzed?

• Significance oftest results not understood by operator?

® • Test results are delayed?

• Test results are incorrect?

• Sample is thermally unstable?

• Sample is pressure sensitive?

• Sample procedure is unsafe?

• ln line analytical device out of calibration?

• Lab based analytical device out of calibration?

 • Sample point leftopen orleaking?

Note these items are potentially of greater significance when non-continuous

operation is considered.

EQUIPMENT/lNSTRUMENT IVIALFUNCTION (E/IIvl)

The team should consider and devise questions related to all potential significant
mechanical and instrumentation failures. Many of these failures will probably be
obvjous because of the equipment shown on the P&lD or as the result of
previous operating errors and other human factors (OE&FH) discussions. In fact
some (OE&HF) inputs may also be recognized as demands which may result in
equipment/instrumentation malfunction (E/lM). lt is important to examine
instrument and control system failures which might be significant. lt is crucial for
the team to take note of protective device and systems which must remain
operative if the varjous mechanical and human demands are to be prevented
from causing a hazard. Protective system proof testing schedules should also be
reviewed. Some ideas for questions include, but are not limited to:

PUMPS

• Pumpfailstopump?

• Pumpseal leaks?

• Pump cavitates?

• Pump is deadheaded?

• Pump runs backwards following maintenance?

• Pump impeller size (increased or decreased) during maintenance?

BLOWERS

• Blowers fail to pump?

• Blowerseals leaks?

• Blower runs backwards following maintenance?

• Blower has excessive lube oil present in outlet?

 10

COMPRESSOR

• Compressor fails to compress?

• Compressor seals leaks?

• Compressoris in surge?

• Compressor is choked?

• Liquid reaches compressor?

• Other(e.g. runstoo hot, high vibration)

® VAIHNF!S

• Valve fails closed?

• Valvefails open?

• Valveleaksby?

• Valve packing leaks?

• Valvecannot be opened on demand?

• Valve cannot be closed on demand?

• Valve does not control (flow/pressure) properly

Note these items are potentially of greater significance when non-continuous

® operation is considered.

VESSELS

• Pressure design rating is exceeded?

• Vacuum design rating is exceeded?

• Temperature design rating is exceeded (high or low)?

SŢRUCTURE

• Loadings have been increased significantly since the original design?

 11

• Critical piping or equipment shifts because of inadequate suppori as the

result of aging or settling, etc.?

• Piping supports are not adequately designed (emergency venting thrust,

thermal expansion, vibration, and earthquake?

• Not adequately fireproofed (critical equipment and piping supporis and

critical control and safety instrumentation and wiring)?

OTHER COIVIPONENTS IN PROCESS FLOW

• Lineplugs?

• Strainer plugs?

• Control orifice plugs?

• Corrosion (internal, external)?

• Erosion?

Note these items are potentially of greater significance when non-continuous

operation is considered.

AGITATloN

• Agitator stops?

• Agjtation is insufficient?

• Agitation starts at an inappropriate time?

CONTROL INSTRUMENTATION

• Flowcontrol loopfails?

• Temperature control loop fails?

• Pressure control loop fails?

• Level control loopfails

• Process computer/Djstributed control system fails?

• Failure condition is inappropriate?

 12

Note these items are potentially of greater significance when non-continuous

operation is considered.

ELECTRICAL

• Area classification is impaired?

• The integrity of components is not adequately maintained (equipment,

cables, conduits, cabinets, connections)?

• Emergency power fails (not tested and maintained)?

SAFETY INSTRUMENTATION

• Flowshutdown fails?

• Temperature shut down fails?

• Pressure shut down fails?

• Level shutdown fails?

• Vibration shut down fails?

• Hydrocarbon detection/shut down fails?

• Toxic vapor/gas detection/shut down fails?

• Shutdown interlock fails to work when needed (e.g., inadequate testing)?

• Shutdown interlock activates when it is not needed?

• Hydrocarbon detection/shutdown fails?

• Failure condition is inappropriate?

• Are common cause failures (process side-plugging or fouling etc. eternal

critical jnstrument lines destroyed by fire, etc.) possible?
Note these items are potentially of greater significance when non-continuous
operation is considered.

SAFETY DEVICES

• Emergency relief opens lower than set point?

 13

• Emergency relief opens (pressure trapped between leaking rupture disk

and emergency relief valve (PSV), incorrect set point, excessive back
pressure downstream, etc) than intended set point?

• Emergency relieffails to open?

• Emergency relief capacity is inadequate (e.g. design basis, throughput

increased from original design, additional users on the header)?

• Emergency relief discharged location is inappropriate?

• Fire protection system (automation future, manually activated equipment

too close to fire inaccessible, etc.)Fails?

• Fire protection capacity (undersize, incorrect agent(s) used, etc) is

inadequate?

• Fire (or release) detection inadequate in remote or unattended area?

Note these items are potentially of greater significance when non-continuous

operation is considered.

PROCESS UPSETS OF UNSPECIFIED ORIGIN (PUUO)

This question category is intended to be a "catch all" for additional demands,

hazards or scenarios which were some how overlooked (may not have been
obvious, or just did not fit into any of the previous categories) during discussions
of other question categories. This category also should serve as a reminder that
the materials and process conditions within a system or subsystem may be
directly influenced by the conditions at the point of interface with other systems or
subsystems. A brief review (even a mini HAZOP if the team considers it
necessary) is made by the team to determine whether "anything else" is
important. Some ideas for questions include, but are not limited to:

FLOW

• Lowornoflowoccurs?

• High flowoccurs?

• Reverse flow occurs?

 14

TEMPERATURE

• High temperature occurs?

• Low temperature occurs?

PRESSURE

• High pressure occurs?

• Low pressure occurs?

• Avacuum isdrawn?

• Required vacuum is not established?

Note these items are potentially of greater significance when non-continuous

operation is considered.

CHEMISTRY

• PHistoohigh?

• Phistoolow?

• Reaction rate issluggish?

• Reaction rate is rapid?

• An unstable material is produced?

®
• An incompatible material is introduced?

PHASE

• Foaming occurs?

• Separation is poor?

• A phase inversion occurs?

• Flashing occurs?
 15

EXPLOSIVE

• An explosive dust concentration is produced within the equipment?

• An explosive dust concentration is produced external to the process?

• An explosive vapor concentration is produced within the equipment?

• An explosive vapor concentration is produced external to the process?

• Static charge generated by falling or moving, non-conductive liquid?

• Flammable in contact with electrical components or hot surfaces?

Note these items are potentially of greater significance when non-continuous

operation is considered.

UTILITY FAILURES (UF)

This question category is straight forward but care should be taken to note that
external effects or influences (EE/l), analy{ical or sampling errors (A/SE),
operatjng errors and other human factors (OE&HF) and electrical/instrumentation
malfunction (E/lM) demands and hazards which may cause a utility failure (UF)
type hazard to develop. Some ideas for questions include, but are not limited to :

• Cooling waterfails?

• Refrigeration fajls?

• Powerfails?

• Steamfajls?

Airfails?

• lnertfails?

• HVAC system fails?

• Communications system fails?

• Fire water system fails?

• Effluent removal/treatment fails?

 16

• Vacuumfails?

Note these items are potentially of greater significance when non-continuous

operation is considered.

INTEGRITY FAILURE 0R LOSS OF CONTAINMENT (lF/LOC)

This question category should draw heavily upon all the preceding categories.
Additional care concerning the accurance and detail of the logical interaction of
previous errors and/or failures with each other should be considered. lntegrity
failure or loss of containment (lF/LOC) hazards certainly can introduce some
additional considerations such as normal and emergency venting. However,
some combination of the demands and hazards previously identified will probably
represent the major basis for those scenarios which could result. It should also
® be noted that vessels, Iines, pumps and various other components need to be
considered in this discussion, and the size of such failures should be specified
(small leak, catastrophic failure, etc.). Some ideas for questions include, but are
not limited to:

PROCESS CAUSED

• Run away decomposition reaction?

• Run away polymerization reaction?

Components?

• Cryogenic failure (include unintended flash cooling possibly from relief

devices) as the result of exceeding the lower temperature specification of
material of construction?

• A heatexchangertube fails?

• Pressure leakage from adjacent process sections?

• Statichead?

• Repeated extreme cycling of conditions (pressure, temperature,

concentrations, etc.)?

Note these items are potentially of greater significance when non-continuous

operation is considered
 17

INHERENT T0 THE MATERIALS

• Either internal or external corrosion (include stress corrosion cracking) failure

occurs?

• Hydrogen embrittlement occurs

• Erosion failure occurs

• Fatigue occurs

• Incorrect material of construction for the service (include: piping, vessels,

pumps, seals, flanges, gaskets, valve internals, etc.)?

• Normalwearandtear
®
• lnadequate design rating for the service (temperature, pressure)?

Note these items are potentially of greater significance when non-continuous

operation is considered.

EMERGENCY OPERATIONS (EO)

lf the team has been thorough in its analysis of the ultimate effects of the various
consequences relating to all the previous categories, new issues will rarely be
discovered at this stage. lt is, however, very important to consider emergency
operations independently because errors or failures related directly to the
emergency condition or emergency procedures may not have readily apparent
when the emergency was discussed in the context of the precipitating events.
Possible escalation of minor situations during emergencies should also be
evaluated by the team. Consider how the process will be operated or shut down
if such condjtions should occur. Some ideas for questions include, but are not
limited to:

• An internal fire occurs?

• And external explosion occurs?

• A physical over pressure occurs?

• A physical under pressure occurs?

• Afire occurs in a nearby unit?

 18

• An external fire occurs within the unit?

• An explosion occurs in a nearby unit?

• An internal explosion occurs within the unit?

• Atoxic release occurs in a nearby unit?

• A toxic release occurs within the unit?

• Combination failures (e.g. fire or explosion ruptures fire main which can
not be isolated using sectional valves, etc.)?

• Emergency system inaccessible because of incident?

® • Emergency system inoperative (not tested, operator not trained, etc)?

• Clear responsibilities not assigned (either on-site or off-site: response,

declaring an emergency, public notification, public relations)?

Note these items are potentially of greater significance when non-continuous

operation is considered.

ENVIRONIVIENTAL RELEASE (ER)

The most obvious release will be that caused by integrity failure or loss of
containment (lF/LOC). However, correctly functioning emergency events,
various mechanical failures and operating errors must also be considered.
Resultant effects such as toxic clouds, fires or explosions scenarios which are
identified as occurring external to the process may need to be developed further
® as fault trees or event trees with the identified environmental release (ER)
causes as the starting points. Some ideas for questioning include, but are not
limited to:

• This event or scenario is not covered by the emergency plan?

• An event of this magnitude is not addressed by the emergency plan?

• The emergency plan is out of date (personnel roles, authority, training,

communication, specific response requirements?

• The resources for coping with this particular emergency are inadequate
(PPE for responders and operators, emergency medical treatment and
first aid, decontamination, fire fighting)?
 !\
+_
19

• The response team has not been trained to deal with, this type of
scenario?

• Any unacceptable fugitive emissions during normal operations or during

intermittent (e.g. truck loading) operations?

• Leak/release detection capability is not adequate?

• The sources of all potential releases can not be isolated in timely manner?

• The potential effects from a leak/release have not been adequately

considered?

• The ljkely impact zone (safe distances and places of refuge, evacuation
routes) or effects of a leak/release have not been estimated?
C
• Mitigation of a leak/release is not possible or is impractical?

• Site security and control is inadequate?

• The alarm system fails is inadequate or misleading?

Note these items are potentially of greater significance when non-continuous

operation is considered.

J....'`!

`. `1 _