FAQs

HAZOP means Hazard and Operability Study and is a systematic method for identifying hazards and evaluating safeguards. The methodology is in line with internationally recognised Risk Assessment techniques, such as: IEC EN 61511-2, EN ISO 17776.

HAZOP is a structured “brainstorming”, based on assumed deviations from normal operation that could represent hazards. The system is divided into manageable sections (nodes), deviations are determined using parameters and key words, then possible consequences as well as existing safeguards are identified. The HAZOP-Team decides whether the safeguards are sufficient based on risk evaluation (usually based on Client’s Risk Acceptance Criteria). If residual risk is not acceptable or ALARP, additional measures or further investigation are recommended.

IEC 61511 defines the Safety Life Cycle for Functional Safety Management. The initial Hazard and Risk Assessment (HRA) shall take place during the Analysis phase, based on an early version of the P&IDs and C&E chart. After completion of the initial HAZOP, MOC procedures should be applied to monitor and evaluate any changes during further design and implementation phases that might impact HAZOP assumptions or safeguards. HAZOP should be reviewed/updated prior to commissioning as part of a pre-startup safety review (PSSR) procedure and throughout the plant operating life, latest every five years.

HAZOP is attended by key members of Client’s (Owner / Operator), Engineer’s and Contractor’s project team covering following disciplines:

• Process / Design Engineer
• Project Engineer
• Instrument/Electrical Engineer
• O&M Representative
• Safety Engineer

The HAZOP is led by an independent Chairman and findings are recorded by the HAZOP Scribe.

• HAZOP is not an engineering review meeting. If problems are identified, they shall be referred for separate action
• HAZOP is generally qualitative based on experience of participants. Risk ranking is carried out based on main criteria ‚safety‘ and ‚environment‘ (financial impact, by agreement). In case of ALARP residual risk it shall be considered if additional action is required
•  ‘Frozen’ documents required, changes shall be evaluated by separate MOC procedure
• Causes are generally to be taken within the node only; however, influences upstream / downstream project interfaces shall be considered
• Consequences and safeguards may occur anywhere inside and outside the node (however, only within HAZOP scope as defined in PIDs)

For a remote HAZOP, an additional etiquette for video-conferencing should be applied.

Guidewords are the tools that are used to systematically direct the HAZOP Study. They are words or phrases that, when considered together with a parameter, form a hypothetical deviation for the Team to consider. The basic guide words are: NO, MORE, LESS, AS WELL AS, PART OF, REVERSE and OTHER THAN.

Guidewords are combined with process Parameters such as: FLOW, PRESSURE, TEMPERATURE, and LEVEL, or General parameters, such as MAINTENANCE, START-UP / SHUTDOWN and others, describe operations more so than physical aspects of the process.

The combination of Guideword and Parameter gives a Deviation Matrix which identifies departures from the design intention. This is the starting point for the HAZOP-Team to brainstorm causes, consequences, safeguards and residual risk of the identified hazards.

Each HAZOP deviation is analysed identifying the potential Causes, including:

• Malfunction of process control systems;
• Blockages;
• Operational Error (e.g. opening wrong valve, failure to respond to signals, etc.);
• Faulty maintenance activities;
• Failure of utilities (power supply, control system, or other utilities).

Further guidelines in relation to causes are:

• Equipment is assumed to be designed to appropriate earthquake, wind, and storm and other environmental requirements, therefore these are not treated as Causes
• Manual valves marked as LO/LC/CSO/CSC will not be considered to change their position by operator error as a cause

For each realistic deviation identified, the associated Consequences are analysed without accounting for the existing safeguards. Related hazards are listed such as: fire, explosion, release of flammable or toxic material, environmental damage, off-spec. products, loss of production, etc.

Consequences may cause hazard/risk to the following protection categories:

• Personal safety (site personnel, off-site third parties)
• Environment
• Asset, Financial impact
• Owner/Operator Reputation
• Availability

In evaluating the consequences, it is normal to account for the design margins to assess whether a loss of containment (LOC) can occur, e.g. overpressure and LOC is typically credible when pressure can become higher than the hydraulic test pressure, rather than the simple design pressure (DP) or Maximum Incidental Pressure (MIP) of the pipe.

For credible deviation/consequence combinations, the HAZOP-Team considers what safeguards/mitigating features exist and whether these sufficient or not, depending upon the severity of the expected outcomes. Valid safeguards have to be independent from the systems/devices which are causing the deviation under analysis.

Typical safeguards are:

• Independent systems (e.g. SSV, ESD)
• PSV’s / TSV’s
• Alarms in manned Control Room (only when operator / dispatcher is granted with a sufficient intervention time and there is a clear procedure for action)

Devices generally NOT considered as valid Safeguards:

• Local Alarms
• Alarms in Control Room when the time gap between Alarm activation and Consequence is not sufficient for operator / dispatcher effective intervention
• Indication without Alarm (even if in Control Room); Check valves are not considered as a means for eliminating backflow, but credit may be given for reduction of backflow

Typical examples of Safety Instrumented Safeguards are:

• High High Level Trips
• High High Pressure automatic shutdowns
• Low Low Level shutdowns

Non-Instrumented Safeguards are functions which do NOT initiate an automatic trip or shutdown action by themselves, but that can either prevent or help control or mitigate the issue and may be considered as an Independent Layer of Protection (ILP). Typical examples of Non-Instrumented Safeguards are:

• High Level Alarms
• Mechanical Overfilling
• High Pressure vents (PSVs)
• Procedures (clearly defined, tested and auditable)
• Check valves are not considered as a means for eliminating backflow, but credit may be given for reduction of backflow

Double jeopardy is the occurrence of two independent deviations or two initiating events at the same time. In determining if the causes are independent, careful consideration should be given to common mode failures and process dependencies. Failure of a safety device in response to a control system failure or human error would not be considered double jeopardy. For example, a PSV failing to open on demand in response to high pressure is not double jeopardy.

Care needs to be taken when excluding events because of ‘double jeopardy’. If the HAZOP-Team decides that a particular cause is credible, this shall be evaluated regardless of whether this is ‘double jeopardy’ or not.

CHAZOP (Control Hazard and Operability Study) identifies hazard and operability issues associated with control and computer systems. It follows the same methodology as HAZOP, however, using appropriate documents and Guidewords.

CHAZOP documentation requirements include: Control System Network Architecture Schematic, Cause & Effect Charts, Control / SIS Block Diagrams, ESD/ F&G interface & electrical protection schematics, Alarm / Signal List, Control Philosophy / Narratives

Delta-HAZOP (‚HAZOP Revalidation‘ or ‚HAZOP-by-Difference‘) is method of updating the HAZOP for existing (or similar plant), while ensuring the conclusions of previous HAZOP studies remain valid and are not lost. It requires a clear understanding of changes compared to the previous HAZOP, which are generally documented via MOC procedures.

The following information should be available:

• Overview of changes made since the last HAZOP (preferably as mark-up of current PIDs)
• Is MOC up to date?
• Were there any changes to an alarm or safety system?
• Did any of the changes require modification to:
  • Op. Conditions outside the operating range?
  • Chemistry of the process?
  • Timing or sequencing of the operations?
  • Maintenance procedures or staffing level?
• Does the change affect safety or the environment?
• Operator experience, Lessons learned, Root-cause analysis?

If significant changes have taken place, a new HAZOP (redo) should be done.

EHAZOP (Electrical Hazard and Operability Study) identifies hazard and operability issues associated with electrical systems. It follows the same methodology as HAZOP, however, using appropriate documents and guidewords.

EHAZOP documentation requirements include: Single line diagrams, Layouts, Consumer Load List (normal/essential),  ESD/ F&G interface & electrical protection schematics

EHAZOP may include:

• SAFAN – Safety Analysis
• SYSOP – System security and operability review
• OPTAN – Operator task analysis

Cyber-HAZOP (or Cyber-PHA) identifies cybersecurity risks associated with an Industrial Control System (ICS) or Safety Instrumented System (SIS). It follows the same methodology as HAZOP, however, using appropriate documents and guidewords in accordance with IEC 62443.

Cyber-HAZOP documentation requirements include: System Architecture Diagram, Zone & Conduit Drawings, Cyber Network Schematics

HAZID (Hazard Identification) is a method for general hazard identification normally carried out prior to HAZOP (HAZOP focuses more on process hazards). HAZID allows a high level evaluation of risk at an early stage of a project, covering issues such as: facility siting, human factors, MAH scenarios, environmental impact and best engineering practices. It follows the same methodology as HAZOP, however, using appropriate documents and Guidewords.

HAZID documentation requirements include: Location and Layout Plans, Process Flow Diagrams, MSDS for handled fluids, Table of Emissions (Air, Water, Ground, Noise, etc.)