HAZID Hazard Identification

HAZID Hazard Identification

7.0 Introduction

A HAZID study is carried out by a team of competent engineers from a mixture of disciplines and is led by a person who is experienced in the HAZID technique. Each area of the installation is considered against a checklist of hazards. Where it is agreed that a hazard exists in a particular area, the risk presented by the hazard is considered, and all possible means of either eliminating the hazard or controlling the risk and/or the necessity for further study are noted on a HAZID worksheet. Actions are assigned to either discipline groups or individuals to ensure the mitigating control, or further study is completed.

• A hazard can be defined as any operation that could cause an Event (release of toxic, flammable or explosive chemicals, gases or any action) that could result in injury to personnel or harm to the environment.

An operational plant such as a nuclear reactor or critical systems operation such as weapons manufacture, handling and stowage or the operation of a passenger aircraft requires the design of a number of diverse interrelated systems, coexisting in the same limited physical space. The Process of Hazard Identification is the procedure to assess all the hazards that could directly and indirectly affect the safe operation of that plant and or system, and is referred to as the Hazard Identification procedure or HAZID. The procedure of hazard identification is broken down and categorised into the two streams that can affect the system both directly and indirectly, and is referred to as Internal Hazards and External Hazards.

A clear understanding of all the possible event chains leading to the most critical accident scenarios is needed to mitigate for example, the complexity of any plant and its operation, which nevertheless exposes it to any number of accident scenarios from interrelated systems which could provoke failure or domino effect from other systems, components or structures located within the proximity effecting the safe operation of the plant. These hazards are referred to as internal hazards and can include, but are not limited to, radioactive inventory, fires, impacts, overpressures and explosions. Likewise, a screening process is carried out to assess all possible hazards to the safe operation of the plant from all indirect events and can include extreme ambient temperatures, extreme wind, flooding, fire, explosions & overpressures, missiles, toxic gases, seismic, aircraft crash, and electro-magnetic interference, these hazards are referred to as external hazards.

7.1 Design basis hazard level

When relating to external and internal hazard assessment, a judgment on the frequencies at which hazard levels should be determined, in terms of Reactor Plant, guidance for this can be found in the HSE NII Safety Assessment Principals paper or (SAPs) and allow for plants that cannot give rise to large radiation doses to be designed against less onerous events. These SAPs therefore require a level of interpretation by the assessor and make it clear that all relevant external hazards should be considered when determining the design basis events for both probabilistic and deterministic safety cases and provide the numerical targets for assessing whether the risk from external hazards is tolerable and ALARP.

7.2 Seismic

Seismic hazard definition should include a reasonable frequency distribution of accelerations, i.e. the ground response spectrum, often called the free field response spectrum. For design purposes, this has been the practice internationally, and in the UK, to use piecewise linear spectra based on a median-plus-standard deviation level of conservatism. Such spectra have been used for the design of new plant and for the design basis assessment of existing plant. More recently uniform hazard spectra (UHS) have also been derived. These spectra were developed for seismic PSA and aimed to have a risk of exceedance uniform for all frequencies (hence their name), unlike the varying conservatism implicit in piecewise linear spectra. UHS spectra have been derived for various confidence levels, including the expected level, which is appropriate for seismic PSA and assessors should consider whether all relevant external hazards are listed in the fault schedule. For natural hazards such a seismic the design basis event should be that which conservatively has a predicted return frequency not exceeding 10-4 per year (often, though not strictly accurately termed as the once in 10,000 year event). For a small proportion of nuclear safety related structures - those with modal frequencies of around 1 Hz or less - it may be necessary to consider long period ground motion arising from a large magnitude distant event. The need arises because the foregoing design spectra’s are dominated by the contribution from small to medium earthquakes with epicentres close to the site and by intent, do not significantly include the separate long period motion. This long period ground motion hazard may be considered separately from the design basis spectra, being a separate, infrequent hazard.

7.3 Aircraft crash

For aircraft crash structural demand depends on the mass, rigidity, velocity and engine location of any aircraft assumed to impact directly or skid onto the structure, and also the angle of incidence of the impact (direct or skidding). For these reasons, aircraft are often grouped into a small number of types - eg large commercial aircraft, light aircraft and military aircraft - to facilitate the analysis. In addition to structural effects, fuel fire is highly probable. This will be more significant for the heavier classes of aircraft because of the quantity of fuel carried. It may, however, be possible to exclude some (or all) classes of aircraft on the grounds of low probability (eg well below 10-7 per annum) of impact, thus obviating the need for structural design against impact or fuel fire. In order to assess the probability of impact, the safety case will normally derive an effective "target area" for the site, taking account of the plan area and height of safety related buildings, a representative range of angles of impact and so on, which can then be compared with the aircraft crash frequency per unit area.

Further details of a particular method are published by the IAEA (see below)

The estimated aircraft crash frequency may seek to take into account any flying restrictions which may apply to the site. If so, the assessor should be satisfied that this is justified. Liaison concerning flying restrictions around nuclear licensed sites is handled by NSD's Strategy Unit. The possible effects on safety related equipment from a nearby impact may need consideration.

Where aircraft impact is not excluded in accordance with principle P119, the type or types of aircraft and their associated load/time functions, or a bounding load/time function should be specified. The design basis analysis principles and the PSA principles should be satisfied, as appropriate, taking into account the direct impact of the aircraft on the structures, systems and components important to safety, secondary missiles, vibration effects and the effects of aircraft fuel burning externally to the buildings or other structures, or entering the buildings or structures. Further guidance is available from the IAEA.

7.4 Extreme ambient temperatures

The extreme ambient temperature hazard is ameliorated by the slow development of extreme conditions and the relatively long timescales for the plant to respond. It can be assumed that there will be at least several hours notice of extreme conditions developing, and often several days. High temperatures are a potential challenge to electrical equipment which may have essential safety functions. Low temperatures may through brittle fracture of safety related structures and/or the freezing of liquid filled systems pose a threat to safety functions. Low temperatures may also threaten cooling water supplies through freezing. The assessor should establish that the potential threats are recognised by the operators and appropriate prearranged responses are embodied in operating instructions.

7.5 Flooding

Most UK nuclear facilities are potentially subject to flooding both by extreme precipitation directly onto the site, and indirectly from rivers and the sea. As with the other environmental hazards it is important to ensure that the most up-to-date information available for a specific site is used in the hazard assessment. The effects of climate change should also be taken into account (see section 4.5 below). By its very nature the definition of the flooding hazard at small annual probabilities of exceedance will be subject to significant uncertainty and it must be assumed that the natural phenomena which can be the cause of flooding may occur together. For example in the case of sea flooding, extreme wind not only affects wave heights but can also elevate still sea levels through storm surge. Storm surge can be additive or subtractive, and must be combined with the highest and lowest astronomical tides and with barometric effects. The hazard determination should therefore carefully examine the statistical dependencies in combining waves with still sea water levels. The flooding safety case should not be sensitive to the level of the hazard, and operational response may be required. As with the extreme temperature hazard it may be reasonable for the operational response to recognise some warning of extreme flooding, provided the necessary response measures can be initiated with sufficient margin.

7.6 Extreme wind

Licensees, any particular application should be assessed to ensure that there are no plant specific, i.e. local aerodynamic, effects which could exacerbate the wind loadings. Typical problems could be wind tunnelling between tall structures, or vortex shedding from upwind facilities. Any structure which is shown to be vulnerable to wind loading should be considered from this point of view and in addition the potential for damage from windborne missiles must be considered. A wind load reduced from one in fifty years to one in two years has been used for the design of some facilities, and is broadly consistent with the foregoing time at risk considerations.

7.7 Fire, explosion, missiles, toxic gases

The hazard here will arise either due to the conveyance of hazardous materials on adjacent transport routes (pipeline, rail, road and sea) or adjacent permanent / non-permanent facilities. Typical hazards, which may arise from industrial plants, may be from stored gas, fuel, explosives, pressure vessels or turbine disintegration. The external hazards safety case should consider all potential sources of external missiles and explosion.

7.8 Impacts and Shock loading

This can be due to external explosions and overpressures giving rise to shock loading and drop loads or impacts due to facility collapse, which may include cranes, building structures and systems. Here the Licensee should consider the withstand to shock loading, the possible impactors to the system from the facility, determining the largest single mass object from its potential drop height in free fall without structural interaction, or make a case for the probable (but bounding) collapse dynamics of the facility which can in some cases include structural interaction.

7.9 Electro-magnetic interference

The potential for electro-magnetic interference to instrumentation and control equipment should be considered. The primary natural source is electrical storms. External man-made sources include radar and communication systems. Depending on whether the hazard can be adequately controlled, the Licensee may need to provide screening within building structures to protect equipment from electro-magnetic interference or install instrumentation and control equipment of a proven electro-magnetic compatibility. Solar flare effects have been known to cause problems on long transmission lines at high latitudes in Canada, but on current knowledge are not expected to cause significant effects at the lower latitudes of the UK with its shorter transmission lines.

7.10 Sensitivity studies

It should also be borne in mind that forecast climate change is likely to have an impact on many of the external hazards addressed here. This is likely to include extreme ambient temperatures, wind and flooding. Licensees should be expected to take the latest available predictions over the projected life of the facility, which may need to include the decommissioning phase of the installation in the submissions.

7.11 Cliff edge

The Licensee will also need to demonstrate that there will not be a disproportionate increase in risk from an appropriate range of events which are more severe than the design basis event. This is generally known as the cliff edge effect. The way in which this principle is satisfied may depend on the nature of the hazard being addressed. For some hazards a point will be reached where there is a step change in the effect on the installation. In the case of external flooding, for example, the site defences become overtopped. In such cases, it needs to be shown that there is a reasonable margin between the design basis and the point at which this step change would occur. For other hazards, such as seismicity, the forces acting on the installation will continue to increase progressively with increasing size or proximity of the event. A demonstration is needed that there will not be a step change in the response of the installation to the hazard, in terms of the likelihood of a release of radioactivity, for an appropriate range of events more severe than the design basis event. There may be more than one way in which this can be achieved. In the case of seismic engineering, one approach which has been adopted has been to show that the response of the plant remains fully elastic up to a significant margin beyond the design basis. Alternatively, the trend for new design is increasingly to show that the plant will accommodate the seismic forces through a ductile response without any danger of a release of radioactivity occurring. The residual seismic risk from events less probable than the DBE can be a significant contributor to the total risk. It has also been demonstrated in numerous earthquakes that structural ductility is very desirable. Ductility provides a better assurance than elastic margins for the ability to withstand beyond design basis seismic events, and also gives confidence in the ability of structures to cope with the uncertainty in the actual hazard spectrum (peaks etc), uncertainties in the material data, uncertainty in the analyses, and uncertainty concerning other simultaneous loads. Ductility is increasingly being required by nuclear and non-nuclear structural seismic design standards even where the structure is designed to remain elastic under the design earthquake loads. It has previously been accepted that one satisfactory approach to the demonstration of absence of an adverse cliff edge effect is via the PSA. This has the merit, usually, of exploring the response of the plant to a wide range of hazard levels and is accepted internationally as a reasonable approach for external hazards. However, if this approach is adopted, the assessor should ensure that the hazard definition is reasonable for the more remote levels and that relevant equipment responses are reasonable, i.e. important structures are not omitted from consideration by virtue of alternative success paths.

If a PSA is not used to demonstrate the absence of an adverse cliff edge effect either an approximate PSA approach may be undertaken (a NUREG describes a technique for earthquake hazard or a deterministic-plus-engineering judgment approach may be made. As noted above, however, the detail of the approach needs to be appropriate to the nature of the hazard being addressed.

7.12 Single failure criterion

Safety systems required in response to any 10-4 annual probability of exceedance external hazard should comply with the single failure criterion. Where this is not feasible in the case of existing facilities, the risk must be shown to be tolerable and ALARP.

7.13 Reliability, redundancy, diversity and segregation

In assessing safety systems claimed to mitigate the effects of external hazards, the assessor should have due regard to Reliability, redundancy, diversity and segregation. External hazards may particularly give rise to common mode or common cause failures.

7.14 Example HAZID Tables

External and Environmental Hazards
Hazard Type	Guideword	Expanders
Natural Hazards	Extreme Weather	Temperature extremes, Waves, Wind, Dust, Flooding, Sandstorms, Ice, Blizzards
	Lightning
	Seismic Activity
	Erosion	Ground slide, Coastal, Riverine
	Subsidence	Ground structure, Foundations, Reservoir depletion
Environmental Impact	Discharges to Air	Flaring, Venting, Fugitive emissions, Energy efficiency
	Discharges to Water	Drainage, Water quality, Waste disposal options
	Discharges to Soil	Drainage, Chemical spillage, Waste disposal options
	Location and Layout	Previous land use, Vulnerable fauna and flora, Visual impact, Local population, Area minimisation
External & 3rd Party Hazards	Sabotage	Internal & external security threats
	Terrorist Activity	Riots, Civil disturbance, Strikes, Military action, Political unrest
	Third Party Activities	Farming, Fishing, Local industry
	Helicopter / Aircraft Crash

 

Facility Internal Hazards
Hazard Type	Guideword	Expanders
Process Hazards	Process Releases - Unignited	Gas clouds, Gas detection, Emergency response
	Process releases - Ignited	Fire, Explosion, Heat, Smoke, Fire detection, Emergency response
	Process releases - toxic	H2S detection, Emergency response
	Flaring	Heat, Ignition source, Location
	Venting	Discharge to atmosphere, Location, Dispersion
	Draining
	Sampling	Operator Error
Accommodation and non-process area hazards	Non Process Fires	Control rooms, Accommodation
	Smoke Ingress	Ingress to safe areas, HVAC shutdown
	Gas Ingress	Ingress to safe areas, HVAC shutdown
	Stacking and storage

 
------------------------------------------------------------------