Hazard Analysis Techniques for Functional Safety (Part 2: HAZOP and ETA)

Hi everyone! In my previous article, Hazard Analysis Techniques for Functional Safety (Part 1: FTA and FMEA), I introduced the FTA and FMEA methods for hazard analysis. In this article, I will continue by introducing two more popular methods, HAZOP and ETA, which are essential for identifying and mitigating risks in various industries, particularly in engineering and process safety.

1. HAZOP (Hazard and Operability Study)

1.1. Introduction to HAZOP

HAZOP is a systematic, inductive technique used to identify potential hazards and operational issues in a process. It aims to ensure that the system operates safely and efficiently, by uncovering potential deviations from normal operations and their consequences.

It was first developed within the chemical domain by ICI in the 1960s, and is nowadays most notably used in the process industries, such as the chemical, petrochemical, and nuclear industries, although it may also be used in other domains.

HAZOP is based on a team approach to hazard analysis, with the idea that a team of experts will be able to identify more problems than a set of individuals working separately. It is typically carried out by a team comprising several engineers with different backgrounds and competencies (for instance, experts of the domain and engineers with extensive training in hazard analysis techniques).

The objective of HAZOP is to investigate the basic set of operations of the system under analysis, consider the possible deviations from normal operation, and identify their potential hazardous effects. As with FMEA, once hazards have been identified, it is possible to suggest corrective actions on the system that might help in preventing them or reducing their impact.

As a risk assessment tool, HAZOP is often described as:

  • A brainstorming technique
  • A qualitative risk assessment tool
  • An inductive risk assessment tool, meaning that it is a “bottom-up” risk identification approach, where success relies on the ability of subject matter experts (SMEs) to predict deviations based on past experiences and general subject matter expertise

1.2. HAZOP Analysis Process

Step 1. Preparation:

  • Define the Scope: Clearly outline the process or system to be analyzed.
  • Assemble a HAZOP Team: Gather a multidisciplinary team with expertise relevant to the process.
  • Collect Data and Plan: Gather the drawings, specifications and operating data needed, and plan the study sessions.

Step 2. Identify Nodes: Break down the process into manageable sections or "nodes." Each node represents a part of the system where hazards might occur.

  • Note that: Each node typically has an associated process parameter and a design intention that states the operational conditions under which the process must take place for correct operation.
  • For instance, if we consider the flow of a chemical substance through a pipe, from a source tank to a destination, the parameter could be the flow itself or a characteristic of the flow, for example, the temperature or pressure of the substance while flowing through the pipe.

Step 3. Use Guide Words: Apply a set of predefined guide words (e.g., "No", "More", "Less", "Reverse", "As well as", "Early", "Late", "Before", "After", etc.) to systematically explore deviations from the design intent.

  • Note that: The guide words and their meanings are generally defined depending on the specific domain in which HAZOP is carried out.

Figure 1: Guidewords to explore deviations

Step 4. Analyze Deviations: For each node and guide word combination, identify possible deviations from the intended operation and their causes.

Step 5. Assess Consequences: Evaluate the potential consequences of each deviation, considering factors like safety, environmental impact, and operational efficiency.

Step 6. Determine Safeguards: Identify existing controls or safeguards that mitigate the identified risks. If necessary, propose additional measures.

Step 7. Document Findings: Record the results of the analysis, including identified hazards, their causes, potential consequences, and recommended actions.

Step 8. Follow-Up: Implement recommended changes and follow up to ensure that they effectively address the identified hazards.

Figure 2: HAZOP analysis process

The results of HAZOP are typically recorded in a HAZOP table, where each entry contains a specification of the parameters and deviations analyzed, together with a description of the relevant causes, the consequences on the system, and possibly corrective actions suggested by the HAZOP team in order to reduce risk to an acceptable level.

A simple example of a HAZOP table is presented in Figure 3:

Figure 3: A typical example HAZOP table

1.3. HAZOP Summary

Advantages:

  • Provides a structured approach to hazard identification.
  • Facilitates team-based brainstorming and discussion.
  • Helps identify both safety and operability issues.

Disadvantages:

  • Can be time-consuming and resource-intensive.
  • Requires a well-structured team and process understanding.

2. ETA (Event Tree Analysis)

2.1. Introduction to ETA

Event Tree Analysis (ETA) is an inductive technique used to assess the likelihood and consequences of different potential events or failures within a system. It focuses on understanding how an initiating (or accidental) event can lead to various outcomes based on different sequences of events.

ETA was first used in the 1960s within the nuclear industry but is now also utilized in other domains, such as in different process industries and in transportation. ETA can be considered an alternative with respect to other classical techniques such as FTA and FMEA.

By studying all relevant accidental (initiating) events (that have been identified by a preliminary hazard analysis, a HAZOP, or some other technique), the ETA can be used to identify all potential accident scenarios and sequences in a complex system.

2.2. ETA Process

ETA starts from an initiating event, typically drawn at the left of the diagram, and proceeds from left to right, branching on further events that are identified during the analysis, to determine the possible consequences on the system.

The following steps are suggested to develop an ETA:

Step 1. Define the Initiating Event: Identify the starting point or initial event that could potentially lead to a series of outcomes (e.g., a system failure, operator error).

  • An initiating (accidental) event is defined as the first significant deviation from a normal situation that may lead to unwanted consequences (e.g., gas leak, falling object, start of fire).
  • An accidental event may lead to many different consequences. The potential consequences may be illustrated by a consequence spectrum.

Figure 4: Consequence spectrum

Notes: When defining an initiating (accidental) event, we should answer the following questions:

1. What type of event is it? (e.g., leak, fire, unintended stop)
2. Where does the event take place? (e.g., in the control room, on the road)
3. When does the event occur? (e.g., during normal operation, during maintenance, while driving the car)

Hints: An accidental event may be caused by:

  • System or equipment failure
  • Human error
  • Process upset

Step 2. Develop the Event Tree: Create a tree diagram starting from the initiating event, branching out to represent different sequences of events and potential outcomes. Each branch represents a different path the event could take based on various conditions and responses.

  • Typically, binary branching ("True" and "False") is used; that is, either an event or its complement is assumed to occur (e.g., success or failure of a sub-system that is supposed to intervene in response to the event identified in the previous layer of the tree).
  • The tree is developed until the desired consequences on the system, called end events or end outcome scenarios, have been reached. In practice, many event trees are ended before the "final" consequences are reached.
  • As a difference compared with FTA (Fault Tree Analysis), the events may correspond either to expected operations of the system under analysis (e.g., opening or closing of a valve), or to fault conditions (e.g., a valve failing stuck closed).

Figure 5: Developing the Event Tree

Step 3. Assess Branch Probabilities: For each branch of the tree, estimate the probabilities of different outcomes based on available data or expert judgment.

  • Given that each event produces a binary branch in the diagram, a complete tree will contain 2^N end paths, with N being the number of events. For this reason, and given that both normal and hazardous operations are considered in the analysis, event trees can become very large for complex systems.
  • Similar to fault trees, event trees can be quantified. This is done by assigning probabilities to each branch of the tree, and combining the probabilities of each branch to obtain a probability for each outcome scenario.

Step 4. Calculate Outcomes: Evaluate the potential consequences of each outcome, considering factors like safety, environmental impact, and operational disruption.

  • Under the hypothesis of independent failures, the probability of an outcome scenario is computed by multiplying the frequency of occurrence of the initiating event by the probabilities of the branch points encountered along the corresponding branch.

Step 5. Determine Risk Mitigation for Decision-Making: Identify potential control measures or safeguards that could reduce the likelihood or severity of adverse outcomes. The results from the event tree analysis may be used to:

  • Judge the acceptability of the system
  • Identify improvement opportunities
  • Make recommendations for improvements
  • Justify allocation of resources for improvements.

Step 6. Document and Review: Document the event tree, probabilities, outcomes, and recommended actions. Review the analysis to ensure completeness and accuracy.
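As an added example (not code from the original article), the quantification of Steps 2 to 4 in Python: a small event tree for a constructed gas-leak initiating event, with made-up initiating frequency and branch probabilities. Each path's outcome frequency is the initiating frequency multiplied by the branch probabilities along it (independent failures assumed), and one branch is ended early to show why a real tree has fewer than 2^N end events.

```python
from dataclasses import dataclass
from typing import Dict, Union

@dataclass
class Outcome:
    """End event (end outcome scenario) reached by one path through the tree."""
    label: str

@dataclass
class Event:
    """Binary branch point: the safeguard succeeds with probability p_success."""
    name: str
    p_success: float
    on_success: Union["Event", Outcome]
    on_failure: Union["Event", Outcome]

def outcome_frequencies(initiating_frequency: float, root) -> Dict[str, float]:
    """Walk the tree left to right, multiplying the initiating-event frequency by
    the branch probabilities along each path (independent-failure assumption).
    Paths that end in the same outcome label are summed."""
    result: Dict[str, float] = {}
    def walk(node, freq: float) -> None:
        if isinstance(node, Outcome):
            result[node.label] = result.get(node.label, 0.0) + freq
            return
        walk(node.on_success, freq * node.p_success)
        walk(node.on_failure, freq * (1.0 - node.p_success))
    walk(root, initiating_frequency)
    return result

# Constructed tree (illustration values only): gas leak -> detection ->
# automatic shutdown -> operator action. Detection plus successful shutdown
# ends the scenario early, so the tree has 5 end paths rather than 2^3 = 8.
GAS_LEAK_TREE = Event(
    "gas detected", 0.95,
    on_success=Event(
        "automatic shutdown", 0.90,
        on_success=Outcome("controlled leak"),
        on_failure=Event("operator isolates leak", 0.80,
                         on_success=Outcome("minor release"),
                         on_failure=Outcome("major release")),
    ),
    on_failure=Event("operator notices leak", 0.50,
                     on_success=Outcome("minor release"),
                     on_failure=Outcome("major release")),
)
LEAK_FREQUENCY = 0.01  # initiating events per year (constructed value)

def gas_leak_outcomes() -> Dict[str, float]:
    return outcome_frequencies(LEAK_FREQUENCY, GAS_LEAK_TREE)
```

The outcome frequencies always sum back to the initiating-event frequency, which is a useful completeness check on a hand-drawn tree.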

A simple example of event tree is shown in Figure 6:

Figure 6: An ETA example

2.3. ETA Summary

Advantages:

  • Provides a clear visualization of how different events can lead to various outcomes.
  • Helps in understanding complex systems and interactions.
  • Useful for quantifying risk and assessing the effectiveness of safeguards.
  • Good basis for evaluating the need for new or improved procedures and safety functions.

Disadvantages:

  • Can become complex for systems with many possible outcomes, because there is no standard for the graphical representation of the event tree.
  • Requires accurate data and assumptions for probability assessments.
  • Only one initiating event can be studied in each analysis.
  • Not well suited for handling common cause failures in the quantitative analyses.
  • The event tree does not show acts of omission.

3. Conclusion

  • HAZOP focuses on systematically identifying hazards and operational issues through team discussions and guide words. It is more qualitative and comprehensive in nature.
  • ETA is more quantitative and focused on the sequence of events leading from an initiating event to various outcomes. It’s particularly useful for understanding how failures propagate through a system.

Both methods are complementary and can be used together to provide a thorough hazard analysis. HAZOP can be used to identify potential hazards, while ETA can help in understanding the consequences and likelihood of those hazards evolving into significant issues.
