Tuesday, April 21, 2009

HAZID Hazard Identification



A HAZID study is carried out by a team of competent engineers from a mixture of disciplines and is led by a person who is experienced in the HAZID technique. Each area of the installation is considered against a checklist of hazards. Where it is agreed that a hazard exists in a particular area, the risk presented by the hazard is considered, and all possible means of either eliminating the hazard or controlling the risk, and/or the necessity for further study, are noted on a HAZID worksheet. Actions are assigned to either discipline groups or individuals to ensure that the mitigating control or further study is completed.

  • A hazard can be defined as any operation that could cause an Event (release of toxic, flammable or explosive chemicals, gases or any action) that could result in injury to personnel or harm to the environment.

An operational plant such as a nuclear reactor, or a critical systems operation such as weapons manufacture, handling and stowage or the operation of a passenger aircraft, requires the design of a number of diverse interrelated systems coexisting in the same limited physical space. The process of Hazard Identification is the procedure to assess all the hazards that could directly and indirectly affect the safe operation of that plant and/or system, and is referred to as the Hazard Identification procedure or HAZID. The procedure is broken down and categorised into two streams, covering the hazards that can affect the system directly and indirectly, which are referred to as Internal Hazards and External Hazards.

A clear understanding of all the possible event chains leading to the most critical accident scenarios is needed. The complexity of any plant and its operation exposes it to any number of accident scenarios from interrelated systems, which could provoke failure or a domino effect from other systems, components or structures located within the proximity, affecting the safe operation of the plant. These hazards are referred to as internal hazards and can include, but are not limited to, radioactive inventory, fires, impacts, overpressures and explosions. Likewise, a screening process is carried out to assess all possible hazards to the safe operation of the plant from all indirect events, which can include extreme ambient temperatures, extreme wind, flooding, fire, explosions and overpressures, missiles, toxic gases, seismic, aircraft crash, and electro-magnetic interference. These hazards are referred to as external hazards.

Design basis hazard level

External and internal hazard assessment requires a judgment on the frequencies at which hazard levels should be determined. For reactor plant, guidance on this can be found in the HSE NII Safety Assessment Principles (SAPs) paper, which allows plants that cannot give rise to large radiation doses to be designed against less onerous events. The SAPs therefore require a level of interpretation by the assessor. They make it clear that all relevant external hazards should be considered when determining the design basis events for both probabilistic and deterministic safety cases, and they provide the numerical targets for assessing whether the risk from external hazards is tolerable and ALARP.


Seismic hazard definition should include a reasonable frequency distribution of accelerations, i.e. the ground response spectrum, often called the free field response spectrum. For design purposes, it has been the practice internationally, and in the UK, to use piecewise linear spectra based on a median-plus-standard deviation level of conservatism. Such spectra have been used for the design of new plant and for the design basis assessment of existing plant. More recently, uniform hazard spectra (UHS) have also been derived. These spectra were developed for seismic PSA and aimed to have a risk of exceedance uniform for all frequencies (hence their name), unlike the varying conservatism implicit in piecewise linear spectra. UHS have been derived for various confidence levels, including the expected level, which is appropriate for seismic PSA. Assessors should consider whether all relevant external hazards are listed in the fault schedule. For natural hazards such as seismic, the design basis event should be that which conservatively has a predicted return frequency not exceeding 10⁻⁴ per year (often, though not strictly accurately, termed the once in 10,000 year event). For a small proportion of nuclear safety related structures - those with modal frequencies of around 1 Hz or less - it may be necessary to consider long period ground motion arising from a large magnitude distant event. The need arises because the foregoing design spectra are dominated by the contribution from small to medium earthquakes with epicentres close to the site and, by intent, do not significantly include the separate long period motion. This long period ground motion hazard may be considered separately from the design basis spectra, being a separate, infrequent hazard.

Aircraft crash

For aircraft crash, structural demand depends on the mass, rigidity, velocity and engine location of any aircraft assumed to impact directly or skid onto the structure, and also on the angle of incidence of the impact (direct or skidding). For these reasons, aircraft are often grouped into a small number of types - e.g. large commercial aircraft, light aircraft and military aircraft - to facilitate the analysis. In addition to structural effects, fuel fire is highly probable. This will be more significant for the heavier classes of aircraft because of the quantity of fuel carried. It may, however, be possible to exclude some (or all) classes of aircraft on the grounds of low probability of impact (e.g. well below 10⁻⁷ per annum), thus obviating the need for structural design against impact or fuel fire. In order to assess the probability of impact, the safety case will normally derive an effective "target area" for the site, taking account of the plan area and height of safety related buildings, a representative range of angles of impact and so on, which can then be compared with the aircraft crash frequency per unit area.

Further details of a particular method are published by the IAEA (see below).

The estimated aircraft crash frequency may seek to take into account any flying restrictions which may apply to the site. If so, the assessor should be satisfied that this is justified. Liaison concerning flying restrictions around nuclear licensed sites is handled by NSD's Strategy Unit. The possible effects on safety related equipment from a nearby impact may need consideration.

Where aircraft impact is not excluded in accordance with principle P119, the type or types of aircraft and their associated load/time functions, or a bounding load/time function should be specified. The design basis analysis principles and the PSA principles should be satisfied, as appropriate, taking into account the direct impact of the aircraft on the structures, systems and components important to safety, secondary missiles, vibration effects and the effects of aircraft fuel burning externally to the buildings or other structures, or entering the buildings or structures. Further guidance is available from the IAEA.

Extreme ambient temperatures

The extreme ambient temperature hazard is ameliorated by the slow development of extreme conditions and the relatively long timescales for the plant to respond. It can be assumed that there will be at least several hours' notice of extreme conditions developing, and often several days. High temperatures are a potential challenge to electrical equipment which may have essential safety functions. Low temperatures may, through brittle fracture of safety related structures and/or the freezing of liquid filled systems, pose a threat to safety functions. Low temperatures may also threaten cooling water supplies through freezing. The assessor should establish that the potential threats are recognised by the operators and that appropriate prearranged responses are embodied in operating instructions.


Most UK nuclear facilities are potentially subject to flooding both by extreme precipitation directly onto the site, and indirectly from rivers and the sea. As with the other environmental hazards it is important to ensure that the most up-to-date information available for a specific site is used in the hazard assessment. The effects of climate change should also be taken into account (see section 4.5 below). By its very nature the definition of the flooding hazard at small annual probabilities of exceedance will be subject to significant uncertainty and it must be assumed that the natural phenomena which can be the cause of flooding may occur together. For example in the case of sea flooding, extreme wind not only affects wave heights but can also elevate still sea levels through storm surge. Storm surge can be additive or subtractive, and must be combined with the highest and lowest astronomical tides and with barometric effects. The hazard determination should therefore carefully examine the statistical dependencies in combining waves with still sea water levels. The flooding safety case should not be sensitive to the level of the hazard, and operational response may be required. As with the extreme temperature hazard it may be reasonable for the operational response to recognise some warning of extreme flooding, provided the necessary response measures can be initiated with sufficient margin.

Extreme wind

Licensees, any particular application should be assessed to ensure that there are no plant specific, i.e. local aerodynamic, effects which could exacerbate the wind loadings. Typical problems could be wind tunnelling between tall structures, or vortex shedding from upwind facilities. Any structure which is shown to be vulnerable to wind loading should be considered from this point of view and in addition the potential for damage from windborne missiles must be considered. A wind load reduced from one in fifty years to one in two years has been used for the design of some facilities, and is broadly consistent with the foregoing time at risk considerations.

Fire, explosion, missiles, toxic gases

The hazard here will arise either due to the conveyance of hazardous materials on adjacent transport routes (pipeline, rail, road and sea) or adjacent permanent / non-permanent facilities. Typical hazards, which may arise from industrial plants, may be from stored gas, fuel, explosives, pressure vessels or turbine disintegration. The external hazards safety case should consider all potential sources of external missiles and explosion.

Impacts and Shock loading

This can be due to external explosions and overpressures giving rise to shock loading and drop loads or impacts due to facility collapse, which may include cranes, building structures and systems. Here the Licensee should consider the withstand to shock loading, the possible impactors to the system from the facility, determining the largest single mass object from its potential drop height in free fall without structural interaction, or make a case for the probable (but bounding) collapse dynamics of the facility which can in some cases include structural interaction.

Electro-magnetic interference

The potential for electro-magnetic interference to instrumentation and control equipment should be considered. The primary natural source is electrical storms. External man-made sources include radar and communication systems. Depending on whether the hazard can be adequately controlled, the Licensee may need to provide screening within building structures to protect equipment from electro-magnetic interference or install instrumentation and control equipment of a proven electro-magnetic compatibility. Solar flare effects have been known to cause problems on long transmission lines at high latitudes in Canada, but on current knowledge are not expected to cause significant effects at the lower latitudes of the UK with its shorter transmission lines.

Sensitivity studies

It should also be borne in mind that forecast climate change is likely to have an impact on many of the external hazards addressed here. This is likely to include extreme ambient temperatures, wind and flooding. Licensees should be expected to take the latest available predictions over the projected life of the facility, which may need to include the decommissioning phase of the installation in the submissions.

Cliff edge

The Licensee will also need to demonstrate that there will not be a disproportionate increase in risk from an appropriate range of events which are more severe than the design basis event. This is generally known as the cliff edge effect. The way in which this principle is satisfied may depend on the nature of the hazard being addressed. For some hazards a point will be reached where there is a step change in the effect on the installation. In the case of external flooding, for example, the site defences become overtopped. In such cases, it needs to be shown that there is a reasonable margin between the design basis and the point at which this step change would occur. For other hazards, such as seismicity, the forces acting on the installation will continue to increase progressively with increasing size or proximity of the event. A demonstration is needed that there will not be a step change in the response of the installation to the hazard, in terms of the likelihood of a release of radioactivity, for an appropriate range of events more severe than the design basis event. There may be more than one way in which this can be achieved. In the case of seismic engineering, one approach which has been adopted has been to show that the response of the plant remains fully elastic up to a significant margin beyond the design basis. Alternatively, the trend for new design is increasingly to show that the plant will accommodate the seismic forces through a ductile response without any danger of a release of radioactivity occurring. The residual seismic risk from events less probable than the DBE can be a significant contributor to the total risk. It has also been demonstrated in numerous earthquakes that structural ductility is very desirable. 
Ductility provides a better assurance than elastic margins for the ability to withstand beyond design basis seismic events, and also gives confidence in the ability of structures to cope with the uncertainty in the actual hazard spectrum (peaks etc), uncertainties in the material data, uncertainty in the analyses, and uncertainty concerning other simultaneous loads. Ductility is increasingly being required by nuclear and non-nuclear structural seismic design standards even where the structure is designed to remain elastic under the design earthquake loads. It has previously been accepted that one satisfactory approach to the demonstration of absence of an adverse cliff edge effect is via the PSA. This has the merit, usually, of exploring the response of the plant to a wide range of hazard levels and is accepted internationally as a reasonable approach for external hazards. However, if this approach is adopted, the assessor should ensure that the hazard definition is reasonable for the more remote levels and that relevant equipment responses are reasonable, i.e. important structures are not omitted from consideration by virtue of alternative success paths.

If a PSA is not used to demonstrate the absence of an adverse cliff edge effect, either an approximate PSA approach may be undertaken (a NUREG describes a technique for earthquake hazard) or a deterministic-plus-engineering judgment approach may be made. As noted above, however, the detail of the approach needs to be appropriate to the nature of the hazard being addressed.

Single failure criterion

Safety systems required in response to any 10⁻⁴ annual probability of exceedance external hazard should comply with the single failure criterion. Where this is not feasible in the case of existing facilities, the risk must be shown to be tolerable and ALARP.

Reliability, redundancy, diversity and segregation

In assessing safety systems claimed to mitigate the effects of external hazards, the assessor should have due regard to reliability, redundancy, diversity and segregation. External hazards may particularly give rise to common mode or common cause failures.

Example HAZID Tables


Sunday, April 12, 2009

Energy Efficiency in Steam Systems


In today’s typical process plants, preventing steam loss and improving condensate return are key opportunities to make a process more energy efficient.

To be the most effective, steam generally needs to be dry (such as for process usage), or superheated (for instance, for use in turbines). These requirements dictate utility-system operating procedures for generating the highest quality steam possible, and then distributing it to the points of use with minimal deterioration. Since steam becomes condensate after its heat energy is expended, strategies must be in place to remove condensate as quickly as it is formed, in the steam-supply portion of the circuit and during steam usage alike.

Furthermore, superheated steam is typically desuperheated by injecting hot condensate into the system. As a result, excessive wetness can also occur downstream of the desuperheating station. In either case, if such condensate is not removed from the steam supply, the negative impact on the steam system can be substantial, as seen in Table 1.

Improving condensate return. At many plants, the operators admittedly realize that condensate must be removed as quickly as it is formed, but a suitable condensate drainage or transportation system is not in place. In such cases, the condensate is often sewered or sent to a field drain. Some possible outcomes of removing condensate but not handling it effectively are outlined in Table 2.

Figure 1. Preferred method to drain jacketed pipe for high-melting-point fluids, such as sulfur

Condensate is traditionally removed from steam systems by steam traps or by equipment combinations involving level pots and outlet control valves. In some process situations, high backpressure from the downstream portion of the condensate-return system tends to create a "stall." Then, a different system incorporating both a pump and trap in the design is needed to drive the condensate while also trapping the steam; this process may be referred to as pump-trapping or power-trapping.

Because there are at least three condensate-drainage alternatives, it makes more sense to think in terms of required "condensate discharge locations" rather than referring to condensate removal devices indiscriminately as "steam traps." This broader mind-set helps avoid any predisposition to install steam traps in applications that need a different type of condensate drainage solution.

Figure 2. Alternative, practical redesign method for existing installations to drain jacketed pipe for high-melting-point fluids, such as sulfur (no “stall”)

Engineered separator-drains remove condensate that is entrained in a moving steam supply (including flash or regenerated steam). The result is highest quality steam delivered for plant use. Compare that to steam traps, which remove condensate that has already fallen out of the steam. As their name suggests, steam traps remove condensate and "trap steam." Meanwhile, level pots can be used in certain instances where steam traps cannot meet the high pressure or capacity requirements.

Special situations. There can be many situations in a plant where effective condensate removal requires specialized drainage designs. For instance, Figures 1 and 2 show two options for condensate drainage from a jacketed pipe that conveys high-melting-point materials, such as liquid sulfur or high-boiling hydrocarbons.

Other examples of specialized applications include options to effectively drain steam-supplied heat exchangers. A key consideration is to first determine whether a stall condition exists or not; when it does, condensate will not drain effectively through a simple steam trap. Such a situation typically arises when modulating steam pressure creates a negative pressure differential across the condensate drain device. So-called Type II secondary pressure drainers of the pump-trap type are used on equipment with a negative pressure differential. Because wasted condensate is a valuable resource to be saved, use Type I secondary pressure drainers of a "pump only" type to recover collected condensate and power it back to the boiler.


