Journal of Loss Prevention in the Process Industries 49 (2017) 266e279

Contents lists available at ScienceDirect

Journal of Loss Prevention in the Process Industries

journal homepage: www.elsevier.com/locate/jlp

Results matter: Three case studies comparing and contrasting PFFM

and HazOp PHA reviews
R.J. MacGregor
Sapphire Engineering Services Ltd., 880, Alexander Road, Enderby, British Columbia, V0E 1V3, Canada

a r t i c l e i n f o a b s t r a c t

Article history: Complete, thorough, and correct process safety management depends to a large extent on complete,
Received 2 April 2017 thorough, and correct process hazard identification, both before and during the process hazards analysis
Received in revised form (PHA) review. Findings from the examination of incidents and disasters in industry indicate that PHA
7 July 2017
reviews fail to identify a significant number of process hazards. This is unacceptable: we cannot manage
Accepted 8 July 2017
a hazard if we don't know that it exists, and incidents will continue to occur if PHA reviews continue to
Available online 9 July 2017
overlook process hazards.
HAZOP is widely recognized as the standard for conducting thorough PHA reviews, but it is not the
Keywords:
Hazard and operability (HAZOP) studies
only technique available. In this paper, outcomes of three actual HAZOP reviews in the oil & gas industry
Failure mode and effects analysis (FMEA) are compared and contrasted with the results for the same facilities using Process Flow Failure Modes
Process hazard analysis (PHA) (PFFM). PFFM is a unique method, best described as a highly efficient, highly effective cross between
FMEA and HAZOP, enhanced by a customized visual tool. Differences in the success rate of the two
methodologies to identify process hazards are quantified and discussed with the aim of improving the
industry success rate in identifying process hazards during PHA reviews in a cost-effective, straightfor-
ward manner.
© 2017 The Author. Published by Elsevier Ltd. This is an open access article under the CC BY license
(http://creativecommons.org/licenses/by/4.0/).

1. Introduction fault and that there is no better way to conduct a PHA review.
In this paper, three separate HAZOP reviews are analyzed and
One of the major goals of a Process Hazards Analysis (PHA) re- categorized, expanding upon previous work (MacGregor, 2012).
view is to identify process hazards. For identified process hazards, These are actual reviews for actual facilities, and the companies
safeguards (i.e. protective devices and/or practices) are then listed who commissioned the reviews were satisfied with the results. The
and recommendations are made when necessary. However, anal- results of the HAZOP reviews are compared with an analysis of the
ysis of industrial disasters in the U.S. between 1998 and 2008 shows same facilities using PFFM. Comparing the two methods proves that
that one of the main contributing factors in those disasters was the PFFM is superior to HAZOP in identifying process hazards, in less
failure to identify that the hazard existed in the first place. The time and with less stress on meeting participants.
sustained rate and severity of process safety incidents in the past
decade demonstrate that PHA reviews are still leaving process
hazards unidentified. This is unacceptable: We cannot manage a 2. The process hazards analysis (PHA) review
hazard if we don't know that it exists.
The Hazards and Operability Review method (HAZOP) is widely Essentially, a PHA review is a study of a given process scope
recognized as the standard for conducting thorough PHA reviews, (pump station, oil well battery, process unit, i.e. Crude Unit, Gas
but it frequently fails to identify process hazards. This is usually Recovery Unit, etc.) to:
blamed on an inexperienced facilitator, lack of management sup-
port to the review team or meeting, and so forth. It is rarely blamed 1. Identify process threats to the facility that may lead to an un-
on the method itself, implying that the method itself is without controlled loss of containment (LOC) of a hazardous material.
Typically, a LOC is considered to be possible if the equipment is
taken outside of its design envelope (design pressure (min./
max.), design temperature (min./max.), or if an atmospheric
E-mail address: [email protected]. vessel is flooded (causing a spill to grade), or if material is

http://dx.doi.org/10.1016/j.jlp.2017.07.004
0950-4230/© 2017 The Author. Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
 R.J. MacGregor / Journal of Loss Prevention in the Process Industries 49 (2017) 266e279 267

inadvertently released to the atmosphere by incorrect valve HAZOP review done today is much more complete. To test this, the
operation. two PHA methodologies were compared for the same three
2. Identify the controls in place to prevent the uncontrolled loss of facilities:
containment identified in step (1): PSVs (pressure safety valves),
alarms, automatic trips or shutdowns, operating procedures, etc. 1. A Heavy Oil facility upgrade, involving gas receiving, separation,
3. Decide whether the controls in place are adequate to control the and compression facilities
risks, and if they aren't, to make recommendations to improve 2. A Natural Gas well installation
them. 3. A Delayed Coking Unit

The purpose of the PHA is to protect people and equipment. The The two methodologies compared are:
means of identifying the threats that exist is by considering dis-
turbances to the normal operations of the process: blocking flow, 1. HAZOP
changing compositions, power failures, etc. 2. Process Flow Failure Modes
The scope of a given review is usually too large to be considered
as a whole. Therefore, it is typical to divide the review scope into HAZOP is the most widely-known PHA methodology, typically
“nodes”, or “sections”, typically numbered and highlighted in using these steps:
different colours. Disturbances to the nodes or sections of the
process facility are then evaluated, with the intent that the overall
Select a node
effects of the disturbance will be considered wherever they occur
Describe intention of the node
(upstream of the node/section, within the node/section, down-
Identify major hazards
stream of the node/section, or a combination thereof).
Apply a deviation (temperature/pressure)
PHA reviews are properly conducted by multidisciplinary teams
Brainstorm possible causes
of individuals who are knowledgeable in the process and the
Develop potential consequences
equipment in the scope of the review. Participation by both oper-
Determine the safeguards/barriers
ations and technical people is essential to a successful review.
Propose recommendations/action items

Apply the next deviation in the same way until all deviations
3. Setting a baseline have been considered

Proceed to the next node
The U.S. Chemical Safety Board (CSB) conducts investigations of
selected process safety incidents in that country. Incidents exam- The scope of the review for a given facility is encompassed by
ined that occurred in the U.S. between 1998 and 2008 (Kaszniak, the nodes. If any of the review scope is missing in the nodes
2009) are summarized below in terms of the causes of serious identification, this may or may not be obvious to the review team
process safety incidents: when looking at the process and instrumentation drawings
(P&IDs). The deviations are generally pre-determined according to

Twenty-one (21) major incidents were studied. the company HAZOP procedure and/or template: failure to identify

The total number of injuries from those incidents was 282. deviations may or may not be a concerndin fact, too many de-

The total number of fatalities from those incidents was 39. viations may also be an issue.
In PFFM, coloured sections of the facility (similar to nodes) are
The data for the property loss and other financial losses from defined, but the review process is slightly different:
those incidents is not available in the report, but it was likely Prior to the meeting:
substantial.
The descriptions of the incidents studied detailed the various
Following the process flow path sequentially,1 disturb the
types of failures that contributed to each incident (Kaszniak, 2009). normal process operation by failing system components or
Fig. 1 displays the number of incidents in which each type of failure committing operator errors (the current checklist of process
contributed to an incident. Several of the incidents had multiple flow failure modes is displayed in Table 8: THE LIST at the end of
contributing factors. Failure to identify credible causes during PHA this paper). Use these to pre-populate the causes for each
reviews occurs with the greatest frequency; reducing the frequency component in each section
of this deficiency could save lives and reduce injury frequencies.
It is preferred, but not mandatory, to develop a Safeguarding
Since HAZOP is almost the universal method used for PHA review in Flow Diagram (SFD) for the facility to be studied. This is similar
the U.S. and has been for the past thirty-five years, ensuring the to a Process Flow Diagram, but, instead of heat and material
ability of HAZOP reviews to identify all credible failure scenarios balances, devices important to maintaining process safety in the
would reduce the number of incidents, fatalities, and injuries in unit are displayed in bold font, pump maximum shutoff pres-
future. A short foray into Process Safety networking websites (for sures are shown, high/low pressure interfaces are delineated,
example, Linked In) indicates that this is a formidable challenge and locked and/or car sealed valves are indicated. Manual block
and that success is elusive and difficult to sustain. valves, including drains and bleeds, are shown, but process
Another option is simply to adopt a better PHA review technique control loops are not. The SFD makes the scope of the review
that has the strength of HAZOP, with fewer of its defi- very clear, and makes it as easy as possible to “see” hazard-
cienciesdnamely, a technique that is significantly better at iden- sdmuch easier than flipping through several pages of (often
tifying all potential causes of process safety incidents. crowded) process & instrumentation diagrams. The SFD is

4. Approach used for the case studies

1
Following the process flow path is critical to the success of the method, and it
The CSB paper (Kaszniak, 2009) examined serious incidents. But means that each valve, pump, heat exchanger, filter, vessel, etc. is considered in the
fortunately, serious incidents are the exception rather than the rule. order in which the process fluid encounters the equipment as it flows from the inlet
Perhaps their PHA reviews were unusually deficient, and the typical of the process unit through to the outlet of the process unit.
268 R.J. MacGregor / Journal of Loss Prevention in the Process Industries 49 (2017) 266e279

14
12
10
Credible Scenarios missed =
8 Causes missed
6
4
2
0

Fig. 1. Contributing factors to serious incidents (source: Kaszniak, 2009).

developed and field checked prior to the PFFM PHA review, so review team and reducing participation. Each review followed the
that it is clear what the normal positions of manual block valves same overall methodology: a HAZOP deviation approach, with 15
are, whether car seals and locks are actually installed in the field, “standard” deviations to prompt team thought, risk ranking, and
what the actual set pressures for PSVs are, and whether new recommendations assigned to identifiable individuals. These re-
piping and/or tubing has been installed (or any removed) versus views relied on facility P&IDs as their primary reference drawings.
that shown on the P&IDs. For an example of a Safeguarding Flow To minimize bias and maximize applicability of the findings, the
Diagram, click on the “SFD” page in the website www. HAZOP reviews selected involved:
sapphireengineering.ca.

Three individual experienced safety professionals facilitated the
During the meeting reviews, to avoid bias due to the preferences/strengths/weak-
nesses of any one individual

Select a section
Three separate types of oil & gas facilities were selected,

Consider the pre-populated causes in order of the process flow designed by separate project design teams in separate client

Develop potential consequences firms

Determine the safeguards/barriers
Three different review teams, with no one individual appearing

Propose recommendations/action items on any of the other two teams

If pre-population has missed any causes, the team adds the
Three different client sites with different ownership histories.
causes in the order of the process flow and determines safe-
guards/barriers and recommendations/action items in the same The drawings from each of the three reviews were then used
way as for pre-populated causes with the Process Flow Failure Modes technique. The drawings with

Proceed to the next section the coloured nodes indicated were used, so that the statistics
generated could be broken down cleanly between the two meth-
PFFM is described in more detail elsewhere (Ego and MacGregor, odologies, node by node. The HAZOP worksheets were not opened,
2004, and MacGregor, 2013). to prevent any biasing of the PFFM worksheets with information
A precursor to identifying all credible failure scenarios is to from the HAZOP worksheets.
identify all of the potential causes of those failure scenarios. It is First, the PFFM worksheets were pre-populated with causes for
stated above that missed credible failure scenarios was an issue in all three case studies. For the Case Study #3, a full PHA review was
major incidents in the past. Failure scenarios are in the “conse- conducted.2 Finally, the worksheets were compared between the
quences” category. But to identify all potential failure scenarios, all HAZOP and PFFM methodologies for each case.
potential causes must also be identified. This is where failures can
be missed, and it is where the analysis of the case studies has been 5. The case studies
focused.
A HAZOP review as well as the PFFM method was applied to the One of the frustrations that emerged during this study is the
same process plant facilities, and both procedures were carefully frequency of duplication of line items (including causes) that occurs
selected and applied to protect against biasing. For each case study, in HAZOP reviews.3 Clients may see a thick pile of worksheets and
the HAZOP review was done first, with a review team in a meeting from that assume that there has been a very thorough and sys-
room, as per common practice in industry. Each HAZOP review tematic review of the facility. However, very often there is a lot of
meeting had an experienced HAZOP facilitator whose method is to
examine the facility drawings prior to the review meeting, lay out
the nodes, and make separate notes on what he views as being the 2
This included development of a Safeguarding Flow Diagram (SFD) for Case
potential hazards and areas that need particular attention. Again, as Study 3, which was used as the primary reference drawing in the PFFM review
per common practice, these facilitators did not enter causes into the meeting.
3
worksheets prior to the review meeting to avoid “leading” the Since PFFM lists each cause only once, by design, there is inherently no dupli-
cation of cause/safeguard/recommendation line items.
 R.J. MacGregor / Journal of Loss Prevention in the Process Industries 49 (2017) 266e279 269

Table 1
C. S. #1: Heavy Oil facility infrastructure upgrade, total & unduplicated causes compared.

Node Node HAZOP Total # HAZOP Total # Unduplicated PFFM Total # PFFM Total # Unduplicated % HAZOP Causes Identified, vs PFFM
Number Description Causes Listed Causes Listed Causes Listed Causes Listed (Unduplicated)

1 Pig Catcher 24 23 24 24 96%

2 Gas/Liquid 18 15 13 13 115%
Separator
3 Gas Handling 18 18 46 46 39%
Piping
4 Flare Interface 2 2 10 10 20%
TOTAL 62 58 93 93 63% average

duplication of line items in the various deviations in a node. There trend in the number of causes identified. Early in the HAZOP review
is frequently duplication of line items among several neighbouring meeting, the number of causes identified is nearly on a par with the
nodes as well. The duplicate causes/safeguards/recommendations PFFM technique. However, later in the review, the percentage
sets do not compensate for the failure to identify missed causes. drops. One possible reason for this is that the team was getting tired
and was unable to be as thorough as they were earlier in the review.
(HAZOP teams get tired more quickly due to the non-intuitive na-
5.1. Case study 1: Heavy oil facility infrastructure upgrade ture of the HAZOP review process (Effect (i.e. low/no flow)/Cause
(i.e. normally open manual block valve closed & others to be listed)
The facilities examined in C.S. #1 are fairly simple. No heat ex- approach vs Cause (i.e. normally open manual block valve
changers or rotating equipment is involved. However, H2S is pre- closed)/Effect (i.e. flow stops, upstream pressure increases, up-
sent and flammable gases and liquids are present at elevated stream vessel floods, downstream pump cavitates) approach used
pressures. A LOC from this facility could result in one or more fa- in PFFM.))5 Another possible reason is that the meeting time was
talities as well as financial losses in excess of $1 million Canadian running out, and the team was rushed to complete the review.
dollars. The results of the reviews are displayed in Table 1. Perhaps it is a combination of bothdeither way, the number of
A significant number of unduplicated causes were identified by causes identified later in the review meeting is much lower
PFFM as compared with HAZOP. These can be grouped into compared with those generated by PFFM.
categories:
5.2. Case study 2: Natural gas well surface facility

System failure causes: The HAZOP review included no system
failure causes at all (pool fire scenarios, loss of power, loss of The facilities examined in C.S. #2 are fairly simple. Again, no
instrument air, etc.). Using PFFM, every applicable system failure heat exchangers or rotating equipment is involved. However,
cause is listed
flammable gases and liquids are present at elevated pressures, and

In the Gas Handling Piping Node, Node 3, several incoming the facility feeds a downstream unit that handles sour fluid. A LOC
streams enter the scope of the review. In PFFM, each of these
due to a failure in this facility could result in one or more fatalities
streams is subject to 6 questions: high/low incoming pressure as well as financial losses of up to $1 million Canadian dollars. The
and temperature, and contamination (unwanted phases,
results of the reviews are shown in Table 2. In every node, the PFFM
composition changes) technique identified more potential causes of process hazards; in

In the Gas Handling Piping Node, there are several control
the first two nodes, more than twice as many causes were listed.
valves. PFFM, properly done, asks what happens when the A significant number of unduplicated causes were identified by
control valve fails open. It also asks what happens if the control PFFM as compared with HAZOP. These can be grouped into
valve fails open, with its bypass open, as this can present a categories:
hazard not previously identified in the design stage, and which
does not exist with the control valve open alone
System failure causes: The HAZOP review included fewer sys-

In the Flare Interface Node, several streams leave the scope of tem failure causes (pool fire scenario, loss of power, loss of in-
the review. In PFFM, each of these streams has two causes strument air, etc.). Using PFFM, every applicable system failure
associated: blocked flow downstream, and backflow into the cause is listed
facilities from the downstream unit
In the Wellhead Node, Node 1, two incoming streams (well
tubing and well casing) enter the scope of the review. In PFFM,
In C.S. #1, five causes were identified in the HAZOP review that each of these streams is subject to 6 questions: high/low
could not have been identified via PFFM pre-population from incoming pressure and temperature, and contamination (un-
P&IDs.4 These five causes dealt with physical equipment locations, wanted phases, composition changes)
pigging frequencies, and special maintenance concerns. The extra
items identified in the HAZOP review that were not listed in the
pre-populated PFFM worksheets were, without exception, identi- 5
According to one client, “PFFM puts all consequences together. One cause could
fiable only by operations or maintenance personnel from the fa- generate a whole bunch of consequences, and they are all listed together. While in
cility, and therefore were not identifiable prior to the review HAZOP, it has to consider the same cause over and over again in temperature,
meeting. pressure, then flow; and the recommendation generated from HAZOP might only
solve that specific concern (P, T, Q), not all the concerns generated by the causes.
One other observation that can be drawn from C.S. #1 is the
“For double jeopardy, PFFM actually considers scenarios (e.g, when operating and
when shut down) when certain event happens. They are normally considered
“Rare” in HAZOP due to the fact that it requires double jeopardy, but in reality, the
4
Resources did not support production of SFDs for C.S. #1 & #2, and the same two events could happen more often than an operator accidentally closing a
P&IDs for the facilities that were used for the HAZOP reviews were also used for the manual valve, or closing a valve to isolate one section and at the same time isolates
PFFM worksheets preparation. other sections that has no PSV”.
270 R.J. MacGregor / Journal of Loss Prevention in the Process Industries 49 (2017) 266e279

Table 2
Case study 2: Natural Gas well surface facility, total causes comparison.

Node Node HAZOP Total # HAZOP Total # Unduplicated Causes PFFM Total # PFFM Total # Unduplicated % HAZOP Causes Identified, vs PFFM
Number Description Causes Listed Listed (Notes 1e4) Causes Listed Causes Listed (Unduplicated)

1 Wellhead 11 11 24 24 46%
2 Methanol 20 18 41 41 44%
Injection
3 Separator 21 20 34 34 59%
4 Fuel Gas 20 18 20 20 90%
System
TOTAL 72 67 119 119 56% average

Note 1. 3 items related to maintenance and physical location.

Note 2. 1 item about injection quills for methanol injection points.
Note 3. 1 out of scope item, hail storm, forest fire.
Note 4. 3 items maintenance related or out of scope.

In Nodes 2 and 3, holding tanks are included. The Methanol Tank cracking of the large hydrocarbon molecules occurs (see schematic,
in Node 2 is filled by tank truck, while the Produced Water Tank Fig. 2). The hot fluid is carried from the fired heaters to an in-
in Node 3 is emptied by tank truck. In PFFM, truck loading/ service, or on-line, coke drum, where the thermal cracking re-
unloading activities entail 8 causes for truck offloading to a tank, actions stop due to cooling by quench oil. Thermal cracking forms
and 5 questions for truck loading from a tank. Most of these lighter, more marketable hydrocarbon molecules and coke. The
were not discussed in the HAZOP review. coke settles in the coke drum, while the oil continues through to a

There are several piping segments in Node 3 for draining of fractionation column downstream. When the coke drum is full of
vessels, level bridles, and strainers to the Produced Water Tank. coke, the drum is taken off line, isolated, cooled, and the coke is
PFFM follows the process flow, considering each failure as it removed. DCUs have at least two coke drums in parallel, so that one
progresses through the drawing. HAZOP does not, typically, and drum can be on line while the other is having the coke removed.
it did not for Case 2. More general “catch-all” causes were The DCU studied for this paper included:
phrased, as is typically the case for HAZOP reviews when the
size of a node starts to get out of hand.
Two fired heaters, totalling three process stream passes plus two
steam superheating passes
The extra items identified in the HAZOP review that were not
25 pumps, 11 pressure vessels, 10 heat exchangers
listed in the pre-populated PFFM worksheets were, with three
Coke drilling and coke removal equipment
exceptions, identifiable only by operations or maintenance
6 main coke drum operating modes (each with several steps
personnel from the facility, and therefore not identifiable prior to involving multiple swings of switching valves), on a 15e20 h
the review meeting. The exceptions were: cycle)

1. The HAZOP team recognized that there are no injection quills for A HAZOP review was conducted in first, and a PFFM review was
the methanol injection points. Presence of design engineers in conducted at a later date. Only one team member, an operator, was
the review meeting made this identifiable. common to both reviews. The HAZOP was not made available to the
2. Forest fire and hail storm were identified as being potential PFFM review team until most of the PFFM review was complete,
emergency situations for this facility. Typically, personnel who and none of it was used to influence the PFFM review. As it
work at the facility will identify such hazards, based on their happened, the PFFM review covered more scope than the HAZOP
experiences at that geographical location. While such items review. To enable a direct comparison of the two methods, then, the
could be listed beforehand by the facilitator, PFFM practice so far PFFM review results were rearranged into two groups: (1) match-
has been not to pre-populate for them. This is because process ing the HAZOP review scope, and (2) additional scope. Then, the
hazards are not typically influenced by storm or other external material in group (1) was rearranged to match the noding used for
conditions except with respect to power and utility outages, fire the HAZOP review.
case, blocked flow downstream, loss of flow upstream, etc. Of A direct comparison of the findings from the two reviews with
course, individual client preference can allow for pre-population matching scopes is displayed in Figs. 3e5, and in Table 3. For the
of any number of “non-traditional” causes, as desired, similar to same review scope:
HAZOP reviews.
3. Maintenance or operational concerns related to unique equip- 1. PFFM identified more than twice the number of causes identi-
ment and its physical location. fied by HAZOP
2. PFFM identified more than 2.5 times the number of conse-
In C. S. #2, the HAZOP review showed more consistency in quences identified by HAZOP
identifying hazards as the nodes progressed, which is a difference 3. PFFM generated over one third more recommendations than
from the trend in C. S. #1. were generated in the HAZOP review6

5.3. Case study 3: Delayed coking unit

6
C. S. #3 involved complete HAZOP and PFFM reviews, and Since the operating company had some time in which to implement the HAZOP
therefore more comparing and contrasting is possible for this case. review recommendations because it was done earlier, there should have been fewer
recommendations from the PFFM review, not more. Further, the HAZOP review
The complexity of the process unit contributes to the validity of the recommendations contained many specific changes to specific valve operations,
findings. Briefly, a Delayed Coking Unit (DCU) is one in which heavy, which were encompassed in a single PFFM review recommendation to implement a
thick oil is heated in fired heaters to temperatures at which thermal planned, well defined controls improvement project.
 R.J. MacGregor / Journal of Loss Prevention in the Process Industries 49 (2017) 266e279 271

Fig. 2. Delayed Coking Unit schematic.

Table 3 shows that over one third of the recommendations made recommendations, which tend to focus on P&IDs alone.
in the Hazop review were implemented before the PFFM review Fifteen of the Hazop review recommendations were duplicated
commenced. Another third of the Hazop recommendations still in the PFFM review. Nine of the Hazop review recommendations
applied, but either were considered to be addressed by existing were, on examination, were either impractical to implement or so
safeguards or were covered by the PFFM scope of work. It is unclear as to be incomprehensible.
important to note that PFFM includes field checking of a safe- 118 review recommendations were made in PFFM that were not
guarding flow diagram to confirm the positions of manual block made in the Hazop review, and the vast majority were in actionable
valves, existence of piping, boiler plate data on vessels, etc. This risk categories. These generally involved overpressure or over-
makes unnecessary a certain percentage of Hazop heating risks to equipment. The site has a 4-tier risk ranking

# Causes
0 20 40 60 80 100 120 140 160

1
2
3
4
5
6
7
8
9
10
Node #

11
12
13
14
15 HAZOP PFFM

16
17
18
19
20 HAZOP Total: 688
PFFM Total: 1470 (2.14X)
21
22

Fig. 3. C.S. #3: Number of causes in each node (matched scopes).

272 R.J. MacGregor / Journal of Loss Prevention in the Process Industries 49 (2017) 266e279

# Consequences
0 50 100 150 200 250

1
2
3
4
5
6
7
8
9
10
Node #

11
12
13
HAZOP PFFM
14
15
16
17
18
19
20 HAZOP Total: 829
PFFM Total: 2097 (2.53X)
21
22

Fig. 4. C.S. #3: Number of consequences in each node (matched scopes).

system: low, moderate, serious, and critical. PFFM review unique other failures, which are already considered in other types of
recommendations classified as “moderate risk” had a total of 252 causes, this is redundant
causesd18 of which had no existing safeguards. PFFM unique re- 3. Used six different causes for high aerial cooler temperature,
view recommendations classified as “serious risk” had a total of ten with mostly common safeguards. PFFM used two. In spite of this,
causesdfour of which had no existing safeguards. No “critical risk” the HAZOP missed design temperature issues on two overhead
recommendations were made. drums
Twenty-nine recommendations were made in PFFM for equip- 4. Neglected valves and blinds that were incorrectly positioned in
ment not covered in the Hazop review, and again, the vast majority the field, since it assumed that the P&IDs represented the actual
were in actionable risk categories. This demonstrates that reduc- facility (PFFM includes field checking to confirm actual positions
tion of review scope to meet the time constraints, funding con- of manual block valves and blinds, including the positions of
straints, and/or to manage the burden of a Hazop review on team locked or car sealed valves)
members vs the simplicity of conducting a PFFM review is not 5. Missed some maintenance isolation concerns
justified. 6. Did not consider pool fire or jet fire scenarios
An estimate of the review meeting time necessary for the 7. Missed overheating potential for a shell and tube heat
matching scope PFFM review is 10.1 days; the HAZOP review took exchanger in the no flow case, as well as overpressure risk in the
12 days. (While no such direct comparison was possible for C.S. #1 tube rupture case
or #2, a similar wellsite review to C.S. #2 was conducted by the 8. Missed potential for some pumps to overpressure downstream
author which showed 25% savings in review meeting duration equipment in blocked flow cases
using PFFM.) 9. Scope did not cover the entire process unit, and therefore some
Due to the large scope of C.S. #3, it would be onerous to analyse hazards were missed, such as the potential to overpressure
all of the causes in both reviews and to compare and contrast these turbine steam exhaust lines due to blocked flow and the po-
in detail. However, some general observations can be made (these tential to overpressure drain or pumpout lines by incorrect
from a review of the first 3½ nodes out of 22). The HAZOP review: operation of manual block valves.

1. Failed to consider disturbances in feed streams entering the unit Because C.S. #3 had complete reviews for both PHA methods,
in a systematic way (high and low pressure, high and low further comparison is possible. For instance, was the higher num-
temperature) ber of causes posed by PFFM produced a greater number of unique
2. Included heat supply failure to O'Brien boxes in most nodes as a causesdor were the causes just paraphrasing each other? An
cause. Since such failures generally result in control valve or analysis of the two sets of worksheets was done side-by-side, and
 R.J. MacGregor / Journal of Loss Prevention in the Process Industries 49 (2017) 266e279 273

# RecommendaƟons
0 2 4 6 8 10 12 14 16 18

1
2
3
4
5
6
7
8
9
10
Node #

11
12
13
HAZOP PFFM
14
15
16
17
18
HAZOP Total: 93
19 PFFM Total: 125 (1.34X)
20
21
22

Fig. 5. C.S. #3: Number of recommendations in each node (matched scopes).

Table 3
C.S. #3: Analysis of review recommendations, HAZOP vs PFFM.

Recommendation Category HAZOP PFFM Review Count PEOPLE

Review RISK LEVEL
Count (Note 1)

Obsolete Recommendations 37 0
Relevant & Appearing in Both Reviews 7 7
Relevant & Appearing in Both Reviews (but covered by one single recommendation in PFFM Review) 8 1
Review recommendation in HAZOP review; PFFM review managed with existing safeguards 23 0
Review recommendation in HAZOP review; PFFM covered implicitly (field check or PSV load calculation checks) 8 0
Inappropriate/Unrealistic Recommendations 9 0
Unique & Relevant (Common Review Scope) 1 118 S: 3
(Note 2) MD: 81
MN: 1
NR: 33
Unique & Relevant (Extra Review Scope) 0 27 S: 1
MD: 18
MN: 0
NR: 8
TOTAL 93 153 145

Note 1. S ¼ Serious (risk is high enough to require immediate action to mitigate); MD ¼ Medium (risk mitigation can be planned); MN ¼ Low (risk mitigation action not
requireddimplement if desired); NR ¼ No risk ranking (usually an escalation factor to an already existing risk).
Note 2. PFFM causes pre-population missed a hose failure causedfacilitator oversight, not fault of PFFM method. This was ranked as a Medium risk in the Hazop review.

all causes that were essentially the same in both reviews were Table 5 shows that the unique causes identified by PFFM pro-
deleted. What remains is a set of unique causes that were identified duced four times as many unique recommendations. Furthermore,
by the two reviews The results are shown in Table 4. Table 5 shows at least five of the HAZOP recommendations had become obsolete
the number of recommendations generated with respect to the by the time the PFFM review was held, because they had been
same analysis. implemented.
274 R.J. MacGregor / Journal of Loss Prevention in the Process Industries 49 (2017) 266e279

Table 4
Case study 3: delayed coker, total & unique causes comparison (for same review scope).

HAZOP Total # PFFM Total # Causes % HAZOP Total Causes HAZOP Total # Unique PFFM Total # Unique % HAZOP Total Unique Causes
Causes Listed Listed Identified, vs PFFM Causes Listed Causes Listed Identified, vs PFFM

688 1470 47% 95 1024 9.3%

Table 5
Case study 3: delayed coker, total & unique recommendations comparison (for same review scope).

HAZOP Total # PFFM Total # % HAZOP Total Rec'ns, HAZOP Total # Rec'ns for Unique PFFM Total # Rec'ns for Unique % HAZOP Total # Rec'ns for Unique Causes
Rec'ns Rec'ns vs PFFM Causes Listed Causes Listed Identified, vs PFFM

95 123 77% 27 111 24%

Number of Causes/Consequences/RecommendaƟons
0 10 20 30 40 50 60 70

23

24

25

26

27

28

29 Causes

30
Consequences
Node #

31
Recomm'ns
32

33

34

35

36

37
Sum # Causes: 425
38 Sum # Consequences: 524
Sum # RecommendaƟons: 29
39

Fig. 6. C.S. #3: PFFM review extra scope covered.

5.3.1. Additional scope reviewed by PFFM for C.S. #3
Start-up/Recirculation Piping (1 node þ causes in 2 others)
The PFFM review covered more scope, as mentioned above.
Coke handling facilities (1 node)
Since HAZOP uses P&IDs, crowded or confusing layouts can result
Slop Oil header (1 node)
in overlooked scope. Field checked SFDs are generated for PFFM
reviews of complex facilities, greatly reducing the likelihood of The results of the additional PFFM reviewed equipment are
missed equipment. Additional scope covered in the PFFM review shown on Fig. 6. A significant benefit includes the 29 recommen-
was: dations that were made. To cover this additional scope took 1.9
more days, for a total of 13 review days for the PFFM review versus

Two chemical injection packages þ cutting oil (3 nodes) 12 for the HAZOP review. Some of the review recommendations

Steam superheaters in Coker Furnaces (2 nodes) from this additional scope included:

Utilities sides of S&T Exchangers (2 nodes)

Pump Steam Turbines (1 node þ causes in 3 others) 1. Access to the safety shower could become hazardous if antifoam

Steam Blowdown Drum & Pumps (2 nodes) has been spilled at the antifoam skid. Mitigate

Reboiler in Blowdown Tower (1 node)
 R.J. MacGregor / Journal of Loss Prevention in the Process Industries 49 (2017) 266e279 275

Table 6
Total causes comparison, all three case studies.

Case Study HAZOP Total # Causes HAZOP Total # Unduplicated PFFM Total # Causes PFFM Total # Unduplicated % HAZOP Causes Identified, vs
Number Listed Causes Listed Listed Causes Listed PFFM (Total)

1 62 58 93 93 67%
2 72 67 119 119 61%
3 688 n/a 1470 n/a 47%
TOTAL 822 n/a 1682 n/a 49% (weighted)

Table 7
Potential serious missed causes (annually, for one facilitator).

Description Value Calculation Result

# Causes in all reviews by one facilitator in one year 63797 n/a 6379
Average Annual Causes Missed by HAZOP vs PFFM 51% (from Table 5 above) 0.51*6379 3253.3
Average Annual Missed Causes that Could Result in LOC (est.) 10% (estimated) 0.10*3253.3 325.3
Average Annual Missed LOC Causes Without Adequate Safeguards 10% (estimated) 0.10*325.3 32.5

2. Ensure proper set pressure of chemical skid PSVs to prevent
Shortcutting of the HAZOP methodologydfeed stream hazards
backflow of oil to tote tanks, which could cause a flammable spill due to high/low pressure or high/low temperature were not
3. Run dedicated flush oil line to antifoam line so that switching included in one of the reviews
valve in flush oil header can function as needed to prevent
Shortcutting of the HAZOP methodologydthe assumption in
escalation factors in unit (switching valve is part of unit emer- the reviews is that, since the failure of rotating equipment and
gency isolation system) control/isolation valve failures have been individually consid-
4. Deal with out-of-service steam superheater coils in fired heaters ered, the power failure case (or instrument air case, as appro-
to eliminate associated hazards with current configuration priate) has been covered. This is not so, because instrument air
5. Two recommendations dealing with safe, reliable damper failure can cause multiple valves to fail, while power failures can
operation on fired heaters cause multiple pumps, certain types of valves, and electric heat
6. Ensure functionality and correct sizing of PSV on cooling water tracing to fail simultaneously
side of a process exchanger
Lack of systematic consideration of manual block valves being in
7. Address potential personnel burn hazard from current steam the wrong position in even moderately complex piping arran-
blowdown valve vent configuration gementsdHAZOP methodology inherently makes these failure
8. Several recommendations to address potential to cross- cases difficult to visualize, describe, and fit into a given deviation
contaminate two separate slop systems, which could cause
The assumption in HAZOP that all locked or car sealed valves
tank failure and LOC hot, flammable, sour fluid and blinds will be in the positions indicated on the P&IDs causes
9. Installation of start-up bypass around a high pressure steam some hazards to be missed. Operators in the HAZOP review may
isolation valve not raise the fact that the P&ID is incorrect in a given case
because they are unsure themselves, or they have the impres-
None of these recommendations is superfluous, and their value sion that it is unimportant because other (possibly inadequate)
is readily apparent. What is a concern is that they arose from safeguards exist, or because they are confused about which
equipment that was not even considered within the scope of the exact valve or blind the team is currently discussing
HAZOP review.
Tendency to move the meeting on from the analysis of a given
deviation or cause before all credible causes or consequences
have been identifieddthis is worse for HAZOP because HAZOP
teams get tired more quickly (common example: overheating of
6. Summary
drums or cold sides of exchangers, once overpressure and
blocked flow hazards identified)
The data from the CSB paper (Kaszniak, 2009) makes it clear that

Following the deviation approach, the teams came up with
the failure to identify credible failure scenarios can result in very
complicated causes to fit the deviations. Simple failure scenarios
serious consequences, and that credible failure scenarios are
(i.e. stuck open check valves, a single pump failure) are missed in
sometimes missed during PHA reviews. Failure scenarios are in the
the confusion.
“Consequences” category, and to identify all potential failure sce-

Use of complex P&IDs for noding and analysis, resulting in
narios, all potential causes must also be identified. This is where
missed equipment & piping, missed high/low pressure in-
failures can be missed, and it is where the analysis of the case
terfaces, and in missed hazards
studies was focused.
The CSB paper (Kaszniak, 2009) examined serious incidents.
Given the data shown above, and below in Table 6, the PHA reviews
Are there any shortcomings of PFFM compared with HAZOP?
involved in the CSB paper incidents were not unusually deficient,
PFFM requires more lead time for the facilitator to prepare for the
and the typical HAZOP review done today not much more
review meeting, mainly to pre-populate the causesdtypically, 1e5
complete.
man-days more than for a HAZOP review. If, as is recommended, a
Why did the HAZOP reviews fail to identify all the causesdand,
field checked Safeguarding Flow Diagram is to be developed, three
therefore, all of the potential hazards? Analysis of the differences in
months of lead time may be required for an operating facility. (For a
the case studies shows:

Shortcutting of the HAZOP methodologydfire case is not

7
considered at all in two of these reviews The author's actual from 2015da slow year.
276 R.J. MacGregor / Journal of Loss Prevention in the Process Industries 49 (2017) 266e279

Table 8
THE LIST (to be used to pre-populate worksheet causes via the PFFM Methodology (ref. “Assess Hazards with Process Flow Failure Modes Analysis”, CEP March 2013).

THE LIST, rev. July, 2016

Entering scope of review drawing:

Pressure increases in incoming stream

Pressure decreases in incoming stream

Temperature increases in incoming stream

Temperature decreases in incoming stream

Incoming stream is contaminated (light ends, heavy ends, salts, chemical additives, pH, etc., etc.)

Incoming stream contains unwanted phases (solids, liquid HC or aqueous, vapour)
Control Valves (similar logic & questions can be applied to steam traps & other automatic draining or venting devices):

fail open

fail open, with or without bypass open

fail closeddor partially closed8 (bypass assumed closed)
Manual block valves:

Normally closed block valve left open, or opened during normal operation

Normally open block valve left closed, or closed during normal operation (or partially closed8)
Vent, Drain & Bleed valves:

Vent, drain, or bleed valve opened during normal operation

Vent, drain, or bleed valve left open at start-up
Emergency (or remotely operated) isolation, depressuring, venting, purging valves:

Emergency isolation valve fails to close when required

Emergency isolation valve fails closed during normal operation

Emergency depressuring, venting or purge valve fails to open when required

Emergency depressuring, venting or purge valve fails open during normal operation
Heat Exchangers (Shell & Tube):

Tube(s) become plugged

Tube rupture occurs

Tube leak occurs

Shell side blocked in (inlet & outlet) while tube side flowing

Shell side blocked in (inlet & outlet) while exchanger is shut down

Tube side blocked in (inlet & outlet) while shell side flowing

Tube side blocked in (inlet & outlet) while exchanger is shut down

Inadequate heat exchange (if shell and tube sides are both process streams, this question may be asked for both streams individually)

Excessive heat exchange (if shell and tube sides are both process streams, this question may be asked for both streams individually)
Heat Exchangers (aerial coolers):

Tube(s) become plugged

Tube rupture occurs

Tube leak occurs

Excessive cooling of tube side fluid occurs in exchanger

Inadequate cooling of tube side fluid occurs in exchanger

Fan stops due to mechanical or electrical failure

Exchanger blocked in (inlet & outlet) during shutdown
Heat Exchangers (plate & frame, spirals, etc.):

Hot side plugs off

Cold side plugs off

Leak occurs between hot & cold sides

Rupture occurs between hot & cold sides

Inadequate heat exchange (if hot and cold sides are both process streams, this question may be asked for both streams individually)

Excessive heat exchange (if hot and cold sides are both process streams, this question may be asked for both streams individually)

Hot side blocked in (inlet & outlet) while cold side flowing

Hot side blocked in (inlet & outlet) while exchanger is shut down

Cold side blocked in (inlet & outlet) while hot side flowing

Cold side blocked in (inlet & outlet) while exchanger is shut down
Piping segments, miscellaneous fittings:

Piping segment left blocked in with heat tracing on (or off)

Piping segment left blocked in and ambient temperature changes

Any dead legs in this section/node?

Check valve sticks open and forward flow stops

Atmospheric vent line becomes plugged from atmospheric sump, vessel, drum, etc.

Hose rupture occurs or hose becomes disconnected

Expansion joint failure occurs

Restriction orifice plugs

Restriction orifice erodes/corrodes away
Pipelines:
Table 8 (continued )

THE LIST, rev. July, 2016

Pipeline leak or rupture occurs

Pumps:

Suction block valve closed on pump (while pump running, or during pump start-up)

Suction strainer becomes plugged

Suction vibration dampener fails on PD pump

Online pump stops due to mechanical or electrical failure

For batch service pumps: pump running when not required

For batch service pumps: pump not running when required

Pump seal (packing, etc.) failure occurs

VFD fails and speeds up (or slows down) the pump

More pumps in parallel service operating than required

Check valve sticks open on pump discharge (and pump stops)

Discharge block valve closed on pump (while pump running, or during pump start-up)

Check valve sticks open on discharge of standby pump with suction and discharge block valves both left open

Check valve sticks open on discharge of standby pump with suction block valve closed and discharge block valve left open

Discharge vibration dampener fails on PD pump

For chemical injection pumps specifically: Injection rate set too low

For chemical injection pumps specifically: Injection rate set too high
Compressors:

Suction block valve closed (while compressor running, or during start-up)

Suction strainer becomes plugged

Suction vibration dampener fails on PD compressor

Online compressor stops due to mechanical or electrical failure

VFD fails and speeds up (or slows down) the compressor

More compressors in parallel service operating than required

Compressor seal (packing, etc.) failure occurs

Discharge block valve closed (while compressor running, or during start-up)

Check valve sticks open on compressor discharge (and compressor stops)

Check valve sticks open on discharge of standby compressor with suction and discharge block valves both left open

Check valve sticks open on discharge of standby compressor with suction block valve closed and discharge block valve left open

Discharge vibration dampener fails on PD compressor
Vessels/Tanks:

Rate of inflow to vessel exceeds rate of outflow (consider for each liquid phase)

Rate of outflow from vessel exceeds rate of inflow (consider for each liquid phase)

Failure of individual internals (depends on nature of internalsdi.e. demister mat plugs, internals collapse and block outlet nozzle, weirs collapse, etc.)

Failure of heating coils or cooling coils

Failure of mixers/agitators

Packing failure of mixers/agitators

Solids accumulate in vessel

Material in vessel ages/decomposes or otherwise changes composition over time (shelf life of chemical in storage; biological growth in diesel fuel, stratification of
chemical mixture in storage, other)dgenerally relevant only for chemical injection tote tanks or storage tanks, but ask the question if unsuredteam can always
answer “not applicable” or “not credible”
Pressure relief devices:

Pressure relief device sticks closed in dirty/sticky service

Pressure relief device freezes closed (if credible)

Pressure relief device opens and fails to reseat (when discharge is to another part of the process, i.e. pump suction, process vessel, etc., and not easily detected)

Pressure/vacuum device fails to close after operation restored to normal pressure

Rupture disc fails to rupture when required

Rupture disc ruptures during normal operation (or during upset)
Distillation Columns:

Tray collapse occurs

Trays become fouled
Reactors:

Catalyst deactivated/fouled, or reaction stops

Catalyst bed plugs off

Excessive reaction rate, or runaway reaction

Internals failure

Catalyst residue left in piping during catalyst change-out (watch out for offgasing while vessel is open, presenting personnel hazards due to toxic gases)
Dryers, molecular sieve units, etc.

Media becomes plugged

Media is deactivated

Switching valve failure occurs (consider all modes of operation, consider individual valve failures)

Media is too active (or absorbs/adsorbs unwanted components)

Media must be changed or partially removed (bed exposed to atmosphere/vessel entry concerns)

Media residue left in piping during change-out (watch out for offgasing while vessel is open, presenting personnel hazards due to toxic gases)
Fired Heaters

Tubes (or other heat transfer surface) fouled

Tube leak or tube rupture occurs

Combustion air supply filter plugs off

ID or FD fan stops

ND, ID or FD damper wide open

ND, ID or FD damper closed

Flame arrestor plugs off or is otherwise damaged

Excessive heat transferred to process fluid

Insufficient heat transferred to process fluid

If a bath is used, bath leaks and liquid level lost

If a heating bath is used, medium deteriorates or is contaminated

For fuel supply issues, see valve failure types

Refractory failure occurs
(continued on next page)
278 R.J. MacGregor / Journal of Loss Prevention in the Process Industries 49 (2017) 266e279

Table 8 (continued )

THE LIST, rev. July, 2016

Filters/strainers

Filter/strainer becomes plugged

Media not replaced in filter/strainer after maintenance

Backflow into filter/strainer during cleaning/change-out
Operational:

Normal operating mode

Start-up modedconsider all of the above as required, including cold s/u

Planned Shutdown modedconsider all of the above as required

Emergency Shutdown modedconsider all of the above as required

Unusual operating modesdvessels bypassed, equipment out for maintenance, etc.

Equipment spacing

Sampling

Ease of accomplishing required tasks (human factors)

etc. etc. etc.
Trucks at loading/offloading stations:

Hose rupture occurs or coupling becomes disconnected during loading/offloading

Truck moves during loading/offloading

Static charge accumulates during loading/offloading

Vehicle collides with truck during loading/offloading

Loading not stopped when truck full (or suction vessel empty)

Offloading not stopped when truck empty (or destination vessel full)

Incorrect or contaminated material offloaded

Material loaded to contaminated or wrong truck

Loading/offloading rate too high

Loading/offloading rate too low
Maintenance:

Equipment with lower-than-desired reliability (especially any identified as SG devices)

Equipment isolation concerns with respect to preparing equipment for maintenance
Dust or other fine solids:

Static electrical build-up occurs in area where dust is present

Heat accumulation occurs in area where dust is present (friction, other)

Dust explosion hazards in area
Streams leaving scope of the review drawing

Flow is blocked downstream

Backflow into leaving stream occurs from downstream equipment
System Failures (considered only for last stream associated with a given vessel, pump, etc., or group thereofdmust be considered for every piece of equipment in the
review)

Pool Firedconsider equipment spacing as well as overpressure, etc. concerns

Jet Firedconsider equipment spacing as well as fireproofing aspects

Power failure (sometimes local power failure and total failure present different consequences, so the team may list more than one unmitigated consequence for this
cause, or may want to consider more than one cause)

Instrument air failure (sometimes local instrument air failure and total failure present different consequences, so the team may list more than one unmitigated
consequence for this cause, or may want to consider more than one cause)

Steam failure

Cooling medium failure

Heating medium failure

Heat tracing failure

Other utility failure, as applicable (nitrogen, refrigeration, utility air, etc.)

Blocked in liquid thermal expansion concerns (in cased any were missed when asked per the piping segment or heat exchanger question sets above)

Dead leg concerns in the area

Low temperature brittle fracture concerns (carbon steel becomes brittle at temperatures < 29  C, which can occur in cold climates or if auto-refrigeration is a factor for
the process during normal or process upset conditions)

Start-up/shutdown issues in the area

Equipment spacing/location concerns in the area

Emergency isolation (and depressurization) concerns

Maintenance isolation concerns in the area

Failure of control signal from remote DCS/PLC (if and as appropriate)

Commissioning issues (new equipment)

NOTE TO THE USER: This list is based on over 20 years of use for process hazards analysis in operating facilities and in facilities at the design stage. Every attempt has been
made to make the list comprehensive and complete. However, due to human frailties, new technologies, and other factors, the list may not be complete. The user should make
every effort to improve and add to the list as new failure modes are identified. Sharing these additions with the author would be much appreciated ([email protected]), in
the interest of identifying all significant process hazards during every review exercise. The most up-to-date version of “THE LIST” may be sourced at the blog: pffm.wordpress.
com or via www.sapphireengineering.ca.

new project review, the SFD may be developed in conjunction with one facilitator, for only one year. When the number of facilitators
the P&IDs, so the required lead time will be 1e5 man-days more involved in HAZOP reviews, world-wide, every year, is considered,
than for a HAZOP review.) However, the superior process safety there is enormous potential for damage and loss of life. It is no
results and more efficient use of the team's time during the review wonder, therefore, that incidents continue to occur.
meeting more than compensate for this shortcoming.
Table 7 applies the results of the HAZOP/PFFM case study
comparisons to one facilitator's year's reviews: 32.5 unidentified
serious incidents could be lurking in these facilities, any one of 8
Partially closed valves can present a hazard if there is not enough flow to
which could occur while those facilities are in operationdfor only sustain an effective purge, sweep, or to keep a flame lit (flare, furnace, boiler, etc.).
 R.J. MacGregor / Journal of Loss Prevention in the Process Industries 49 (2017) 266e279 279

7. Conclusion meeting duration when PFFM was used, while at the same time
delivering better results. The more complex the facility, the more
Findings from the examination of incidents and disasters in superior were the PFFM results. Surely, this is compelling evidence
industry indicate that not all process hazards are recognized during for incorporating the PFFM technique into all of our PHA reviews
PHA reviewsdin fact, failure to recognise that a hazard existed was going forward.
the most common cause of major incidents (Kaszniak, 2009). This is
a compelling case for change: we cannot manage a hazard if we
don't know that it exists, and PHA review teams must make every
reasonable effort to identify all process hazardsdeven those that References
are not easy to discern.
Ego, D., MacGregor, R., April 2004. Improve your facility's PHA methodology.
In these case studies, outcomes of three actual HAZOP reviews Hydrocarb. Process. 81e86.
in the oil & gas industry have been compared with the results of Kaszniak, M., April 26e30, 2009. Oversights and omissions in process hazard an-
alyses: lessons learned from CSB investigations. presented at the AIChE 2009
Process Flow Failure Modes (PFFM), a “cold eyes” structured what-if
Spring National Meeting. In: 5th Global Congress on Process Safety, 43rd
examination method. For the same facilities, PFFM identified a Annual Loss Prevention Symposium, Tampa, Florida.
weighted average of twice as many causes as the HAZOP review MacGregor, R., April 1-4, 2012. Comparing PHA Review Techniques: a Case History
meetings did, and therefore was able to identify far more potential on Review Meeting Dynamics and Missed Hazards. presented at the 8th Global
Congress on Process Safety, Houston, Texas.
hazards. Case Study #3 was the most direct comparison between MacGregor, R., March, 2013. Assess hazards with process flow failure modes anal-
the two methods, and showed approximately 15% savings in review ysis. Chem. Eng. Prog. 48e56.