When "wait and see" isn't good enough: applying HAZOP at Genelba1 October 2003
Benjamín Guzmán and Jorge Vugdelija, Petrobras Energia, Buenos Aires, Argentina Although originating in the petrochemical industry, HAZOP (HAZards and OPerability) techniques can be successfully applied to power plants to proactively identify and address potential problems in operation, with the overall goal of improving reliability and economics. The Genelba CCGT in Argentina has been a pioneer in this field, employing HAZOP techniques to good effect and developing/adapting them where necessary for power plant applications.
The commissioning of new power plants is rarely without difficulties. Some of the problems encountered, generally unforeseen in the original design process, can result in delays long enough to impact project financing. Unfortunately this is not the end of it. Once the commissioning stage is finished, the plant operator may find new and unexpected problems, mainly during the first years of commercial operation.
Although a trial run period is included in all power plant projects, this is not enough to reveal all the hidden issues of the design under a wide range of operating regimes, output power levels, weather conditions, etc.
Even in the case of plants that have been running for long periods, operators may find themselves unexpectedly in risky situations with potential for major failures in the plant.
Due to the high degree of competition in most electricity markets, this is not a state of affairs that can be allowed to continue. It has become necessary to adopt a truly proactive attitude when dealing with design-related operational problems. A "wait and see" policy is no longer acceptable.
HAZOP techniques applied successfully in other industries for many years constitute a useful tool when focusing on this issue.
The Genelba case
Central Termoeléctrica Genelba is a CCGT power plant based on Siemens V94.3A gas turbines with a 2+1 arrangement. The plant is located 50 km from Buenos Aires, Argentina. Genelba started its commercial operation in 1999 as a merchant power plant in the deregulated and competitive Argentine market.
Once in commercial operation, in 2000 Genelba registered its quality management system in accordance with ISO 9000:2000. The plant also has ISO 14001 for its environmental management system and OSAHS 18001 for its safety and occupational health system.
Within this framework, and having adopted the "continuous improvement" culture at an early stage, the plant has implemented an effective deviation control procedure, consisting of several detection instruments and a robust follow-up process.
However, even when each identified deviation was successfully dealt with, and repetition was effectively prevented, there was an issue that disturbed the plant personnel every time it happened: the appearance of new and unknown problems! And the question "How can we attack them in a really proactive way?" remained unanswered. It was then when we decided to adopt HAZOP techniques.
HAZOP is a methodology for detecting operational hazards and problems in the process industry. In particular HAZOP techniques have been well established for many years in the petrochemical sector, which in fact gave birth to the concept. ICI introduced HAZOP techniques in the early 1960s and they immediately became standard practice in petrochemicals. Later on, HAZOP techniques started to be used to some extent in the nuclear and food industry.
HAZOP's combination of two features makes it a powerful tool. It involves both a multidisciplinary team working in a creative environment of brainstorming, and, at the same time, a systematic methodology to ensure that every aspect of a system is analysed. Due to this combination, HAZOP is preferable to other tools such as CheckLists, What If and FMEA among others used in the process industries.
The design phase of new facilities is the ideal time to begin studies of this type. In this phase, improvement recommendations arising from the study can be rapidly introduced. Then, during the construction and assembly phase, it must be verified that the project has been developed according to what was previously planned.
Implementing HAZOP at a plant already in operation involves a lot of hard work. In this case, conducting the studies is much more complicated since it is known beforehand that certain features of the facilities cannot be modified because it would not be affordable.
However, experience has shown that the method is effective anyway, and that it is fairly easy to improve most weak aspects that may appear.
Every HAZOP study takes a considerable amount of time. Thus it is necessary to strategically choose the plant sections to be analysed and the priority systems.
It is advisable to start with the systems where faults are more likely to cause significant damage to facilities and/or personnel as well as plant trips.
HAZOP should be applied to the following systems in the case of a combined cycle plant using natural gas:
• turbine lube oil systems;
• instrumentation air systems;
• condensate water system; and
• feedwater system.
The fuel system can also be analysed, especially in plants using liquid fuels or coal gasification.
Those systems which have caused a great deal of inconvenience to the plant operator, or those requiring according to local laws a risk analysis can also be included in the above list.
As a guideline, it should be noted that a complete HAZOP study of a turbine lube oil system takes a trained team about 160 working hours.
Bearing in mind the time required by a HAZOP study, for new plant projects, a good practice is to start system construction and assembly once 50% of the study has been carried out.
Publications listed at the end of this article describe HAZOP in detail.1,2 The following paragraphs and the flow diagram (Figure 1) describe the basic steps involved in a HAZOP study.
The starting point of the study is the piping & instrumentation diagram of the system to be studied. The team also relies on information from the system's operation and maintenance manual, design intent documents, data sheets, system component manuals, etc.
Taking the P&ID, which represents the whole process, the system is divided into nodes. In general nodes involve the main components of the system under study. For instance, the nodes for a turbine lube system are: main lube oil pump, aux. lube oil pump, oil cooler, temperature control valve, etc.
In the next step, starting with one of the nodes, the team identifies the physical parameters that are representative of the node operating condition. The typical parameters are: temperature, pressure, flow, level, humidity, etc.
In the third step, the team identifies possible node deviations by combining the physical parameters with the so-called HAZOP "guide words". Typical guide words are: MORE OF; LESS OF; PART OF; MORE THAN; NONE; OTHER THAN.
Each guide word is applied to every one of the physical parameters of the node. For example, the following guide words are applicable to the pressure parameter of the main lube oil pump node: MORE OF pressure at pump discharge, LESS OF pressure at pump discharge, NONE OF pressure at pump discharge, etc. Not all guide words are applicable to all parameters. What is more the team can apply a new guide word to a specific physical parameter in a particular node.
The method involves the combination of parameters with guide words and ensures that the team faces all possible deviations in the node under study.
Then brainstorming begins with the analysis and discussion of the possible causes leading to these deviations. Every cause is recorded.
The next step is to analyse the consequences of the identified deviations. Both the consequences in the system under study and in the node itself are considered. This analysis also involves looking at safety issues effects on personnel.
The next step is to analyse the existing safeguards to mitigate the consequences of each deviationpossible-cause group. When there are no safeguards or when they do not provide enough protection against associated consequences, team members discuss actions required to solve the problem and formulate relevant recommendations. When the HAZOP study team cannot easily come up with a solution to address a particular weakness, a recommendation is made to investigate the matterfurther.
All the nodes in a system are analysed one by one. Once all the possible deviations in a node are checked the team continues with another node of the system.
The whole analysis is thoroughly recorded during the study. In order to do that, there is a log for every parameter of every node. This log must be completed with all the findings. Figure 2 shows a simplified log typical of the HAZOP studies as applied at Genelba.
The final outcome of the HAZOP study is a set of recommendations which, as a whole, potentially minimise the risk level of the system under study. A suibsequent analysis should assess every recommendation and its related risks in order to determine the actions to be implemented.
Building on HAZOP
Application of traditional HAZOP has proven ineffective in identifying operability problems and process risks related to instrumentation and control systems (I&C) as well as electrical equipment.
Both I&C and the electric equipment present particular modes of failure that do not come to light after applying traditional HAZOP guide words. In fact, I&C systems are becoming more and more sophisticated so specific skills are required for their analysis. Team members do not generally possess these skills since teams are formed bearing in mind the aspects of the process itself. Although people from I&C and the electrical area are normally included in HAZOP teams, the team as a whole cannot usually deal with these systems' specific problems.
That is why it was necessary to incorporate other studies to detect risks in these areas: CHAZOP computer HAZOP focuses on the plant instrumentation and control systems; ELHAZOP ELectric HAZOP focuses on the electric systems.
To carry out CHAZOP, Genelba opted for guidance issued by the UK Health & Safety Executive3 since plant staff believed it would better fit in with the needs of the power plant. CHAZOP techniques are not as widely used as traditional HAZOP.
The tailored CHAZOP used for Genelba contains basically three phases:
Phase 1. The analysis is guided by possible failures and modes of failure of the different components connected to the control system inputs and outputs. The following devices are analysed: binary instruments; analog instruments; control drivers (motors, electric valves, etc); command devices in console or panel (set-points, on/off commands, auto/manual stations); others.
The following guide words are applied to each device: more signal than necessary; less signal than necessary; signal bad quality; bounce (for digital signals); oscillation (for analog signals); invariable signal; operator wrong commands (on in error, off in error, very high set-point, very low set-point, manual in error, auto in error, etc); others.
These guide words are applied to every plant device. An assessment is made of the possible causes of deviation, previous warnings to the operator, automation malfunction, actions required by the operator and existing redundancies. Direct redundancies (double application of instruments to measure the same variable at the same point) as well as indirect redundancies (existing instruments in other points in the process that can help detect problems in the first set of instrumentation) are considered. Recommendations are issued based on the results of this assessment and critical aspects of the control system under study.
In this first phase, a log for every device should be completed. Each type of device has its own tailored log to allow proper assessment of its modes of failure.
Phase 2. This phase involves an analysis of the hardware used in the control system; that is, possible hardware failures and their consequences are assessed. Information from phase 1 with regard to existing redundancies for each device needs to be borne in mind when checking that no single hardware failure can lead to the loss of a measure and its existing redundancy. Of course, no single failure should result in a turbine or plant trip. Any malfunction should be recorded and new recommendations must be issued.
Phase 3. Lastly, since complex control loops and sequential logics need special treatment, What if? is applied to them, involving considerable team effort. The team analyses situations that go beyond any plant input/output failures.
In the case of ELHAZOP, not being able to find any background information about the application of HAZOP to electric systems, it was necessary to develop our own methodology.
After analysing some alternatives, and based on the results of the first approaches, ELHAZOP was eventually turned into a kind of What If? with a structured and systematized methodology and clearly defined questions. These questions are experience-based and focus the discussion on key aspects of the processes, limiting the open-ended discussions of traditional HAZOP.
What we found at Genelba
The following are examples of some HAZOP findings at the Genelba power plant:
6 When the plant is out of service, and during the time it takes the steam turbine to get cool, service water is used instead of auxiliary cooling water for lube oil system cooling. This operation is risky every time service water pressure is higher than oil pressure in the cooler. In case of pipe puncture, the oil system would be contaminated by water.
6 The filter of the lifting oil system of the steam turbine has an oil plate next to the draining pipe to collect draining oil. Due to the plate position, when the filter is carelessly purged the oil in the system at 150 bar would bounce over the plate reaching the operator and components at high temperature.
6 The pump of the lube oil system side filter has no automatic shutdown due to high differential pressure in the filter. Although the filter is outside the lube oil system, should it collapse, impurities and filter parts would get into the tank, representing a serious risk for pumps and the rest of the equipment. An automatic pump shutdown was configured, since the side filter pump is not an essential piece of equipment for normal plant operation.
6 With regard to redundancy, a large number of weaknesses were detected in the DCS I/O. In all these cases, the occurrence of a single failure in an I/O station or in an I/O station's daisy chain would have caused a total or partial plant trip. The weak aspects were addressed by rearranging the DCS I/O. This rearrangement has proved satisfactory since after the modifications there have been a large number of events where, if the original arrangement had not been changed, plant availability would have been reduced.
6 The lack of an anti-bounce logic in a DCS digital input of a thermostat was detected. If a failure causes a bounce effect in this signal, an oil cooling fan switches intermittently from off to on eventually damaging the motor and/or its associated MCC device. An anti-bounce logic system was therefore implemented.
6 The logics for handling redundant analog measures in a 2 out of 3 structure were wrongly designed. When one of the signals was diverted or its measure became bad quality, the measure was eliminated from the mean value calculation, but as soon as the signal returned, it was included again in the calculation without the need for operator confirmation. If there were an intermittent failure in a particular measurement, calculation of the mean value would experience strong oscillations, causing some instability in the process that might result in a plant trip. Consequently the original 2 out of 3 logics for drum levels and other critical measurements were redesigned.
6 The high temperature protection relay of a low voltage transformer - 6.6kV/380V - did not have a redundant power supply. In case of a fault on this single source, it would lead to a plant trip.
6 Some issues were detected in the LV switchgear cubicles, in particular potentially dangerous interconnections between signalling and control circuits.
6 The operating sequence of the black start diesel generators was automated in order to work as an emergency diesel generator in extreme conditions. An automatic start-up and synchronisation operation mode was designed for them due to the lack of a 6.6 kV supply.
6 The mechanical protection level of one of the DC emergency lube pumps was wrong. Water spray from the fire fighting system could have caused problems for this pump.
While HAZOP applied in the petrochemical industry helps identify mostly safety problems, Genelba experience has shown that HAZOP used in a combined cycle power plant fuelled with natural gas mainly helps detect operational problems related to quality such as plant availability and reliability issues.
HAZOP application in a plant in operation requires a great deal of effort and dedication. People clearly have other responsibilities that may hamper, prolong, and reduce the quality of the HAZOP study. So to succeed, the study must be part of the plant "vision" and so should be understood by every member of the plant staff.
HAZOP teams will rarely unearth serious problems. In an operating plant, there are usually experienced staff able to recognise and solve obvious problems, so a special study is not required to detect them. However, consider how many minor problems have led to plant trips in your own power plants!
For new projects, because a HAZOP study takes time, you cannot always wait until it is 100% complete before construction proceeds. As already noted, 50% HAZOP completion might be reasonable target.
Due regard must be taken throughout a power plant HAZOP study to any problems related to operating conditions outside the normal cycling, shutdowns, major overhauls, etc. It is important to control power supply redundancies, check valve malfunctions, DCS hardware redundancy, smart or silly? control logics and the proper functioning of existing operating procedures.
Sometimes, it is not easy to determine how important a specific finding is since there may be no previous experience with it. The prevalent implicit belief is "Every dog is allowed one bite".1 So before the dog bites someone, it is possible to say: "I did not know it would happen". However, the goals of HAZOP studies should be always borne in mind: to anticipate facts and mitigate problems before they occur.
HAZOP techniques, which were first used in the petrochemical industry, have proven satisfactory in CCGT power plants. This shows that adopting best practices from other industries may benefit power plant O&M activities.
On the basis of the Genelba experience, the effort involved in the application of HAZOP to an operating CCGT plant is cost-effective if just one gas turbine trip can be avoided; subsequently, all the further benefits arising from the HAZOP study are profitable for the business.
HAZOP should be a must in every new power plant design process. The intense competitive pressures and the present rather poor profitability in the power industry do not really allow the luxury of a "wait and see" policy for identifying power plant problems in operation.
Competence and experience are not enough to achieve the standards of reliability called for nowadays; systematic studies sre also needed.
To summarise: "... a good design requires good people, experience and use of HAZOP".3