Recording and Auditing
This chapter covers the various uses of the records and what should be considered when planning how to record the team discussions; necessary details of the project information provided to the team; the layout of the record sheets including suggested columns; what level of recording should be selected and the amount of detail in the records; use of computer recording. In a new section, the auditing of HAZOP study records, both internal and external, is considered.
Keywords
Recording; background information; record sections; recording level; record content; computer recording; internal auditing; external auditing
The final records are all that exist to show the work done by the team. They may be revisited at a future date for a number of reasons, the most likely being as part of a Safety Case. All future uses of the records should be identified in order that the recording and reporting system is designed to meet these needs in an efficient way. The final reports should cover the why, how, when, and by whom of the study, as well as recording the necessary details of the analysis and actions of the team. They must be understandable by nonmembers of the team, even some years later.
The study team will use the records in a number of ways. Draft versions of the records are used by the team for checking after each meeting and generating action notes as well as for reference during the study. The final reports are needed for the implementation of the actions and to link to later process hazard studies. There may be regulatory and contractual obligations to be met and a requirement for audit, and they will be a key part of the plant safety dossier. They may represent the only detailed record of the intended operating strategy as developed by the design team. They may also be needed as a starting point for the HAZOP study of modifications. If a significant incident occurs during the lifetime of the operation, it is likely that regulatory authorities will wish to examine the records. Thus, the team should be mindful of the uses for which the final report may be required.
In addition, the records should provide an easy and clear understanding of the process and the equipment, be of especial use in the preparation of Operating Instructions as well as for troubleshooting and operator training and have the potential to improve the management of change (MOC). Hence, it is essential to anticipate the intended uses so that the HAZOP study file contains the necessary information, detail, and clarity to meet the requirements of each use. As a minimum, the marked up P&IDs, HAZOP tables, and all action responses are archived.
7.1 Background Information
The amount of material in the final HAZOP study file depends upon the company practice for archiving of related materials. Items which are securely archived—for example, all the revisions of the P&IDs, the Material Safety Data Sheet (MSDS), and reaction hazard investigations—can be referenced without putting duplicates into the HAZOP study file. Otherwise all drawings, including the version used at the start of the study, and all other documentation are included or referenced. This includes any previous hazard studies referred to during the HAZOP study, site drawings, specially prepared material, outline operating or control procedures, and so on. Draft versions of the detailed meeting records need not be included provided the full final version is incorporated.
Additionally, a statement of the HAZOP study procedure should be given—for example, by reference to a company protocol. The name and a statement of company role should be included for each person in the team, including an attendance record. The remit of the study should be made clear and the hardware boundaries stated. The records should show the operational modes selected for examination and indicate how this was done—that is, by separate examination or by grouping a range of conditions within one examination.
7.2 Section Headings
For each section or stage given a complete round of guideword examination, there is a header which explains the model used by the team. This identifies the section limits, its status and contents, and the means of control. There is also a full statement of the design intention, as developed by the team in their search for deviations. If the design intention is complex or extensive, then reference to an appropriate design brief or specification may be used.
7.3 The Recording Format for the Detailed Examination
The discussions of the team are normally recorded in a tabular format with a series of main columns, perhaps with some supplemental sections for each entry. The minimum set of columns is:
| Deviation | Cause | Consequence | Action |
However, it is commonplace to include an initial column for the “parameter,” and after the “consequence” column it is also good practice to have one headed “protection” (or “safeguards”), particularly if these offer significant risk reduction. It is essential to have a numbering system, either numbering separately each entry or each action, and it is usual to link the action to the person responsible in an “action on” column. Thus, the norm is likely to be:
| Ref. | Parameter | Deviation | Cause | Consequence | Safeguards | No. | Action | Action On |
Further items to be considered are “response,” “comment,” “hazard category,” “event frequency,” and “event magnitude.” From these last two it is possible to develop a risk ranking scheme. The choice of which items to include depends on the company style and the uses to be made of the records, as well as on the recording system used.
A risk matrix is needed if the event likelihood and severity classifications are to be used in risk ranking—indeed if this is to be done it is likely that the company will have an established risk assessment matrix. This may range from a simple three-by-three matrix to more complex methods. Not all users of HAZOP rank potential problems and, if it is to be done, a suitable matrix must be agreed before the study is started. As described in Section 4.6, three levels of risk may be shown: for the worst case, then after allowing for the existing safeguards, and finally after the recommended actions have been incorporated. The merit of this approach is that it explicitly shows the importance of maintaining the safeguards and of implementing the action. It must also be remembered that HAZOP studies are not well suited to the identification of high-consequence low-frequency events. These should have been identified in the earlier hazard studies.
7.4 The Level of Recording
Once the format is determined, the level of detail of the recording is decided. Three levels are possible:
1. record by exception—only when an action results;
2. intermediate record—where an action results, where a hazard exists, or where a significant discussion takes place;
3. full record—all meaningful deviations are noted even if no realistic causes are found.
Recording by exception requires an entry only when the team makes a recommendation. This method serves the immediate needs of the study and provides a basis for implementation of the actions but is of little value in any subsequent uses. It is not recommended for general use. It may lead to shorter meetings and simpler reports, and be superficially attractive if there is pressure to complete the study within the project time constraints, but any economies are likely to be false ones as the fuller levels of recording have many later benefits.
At the intermediate level, a record is generated whenever there is any significant discussion by the team, including those occasions where there is no associated action. These include deviations identified by the team which, though realistic and unanticipated in the original design work, happen to be adequately protected by the existing safeguards. There are some important gains by recording at this level. One is the increased likelihood that these safeguards are maintained during the plant lifetime since their purpose is spelt out in the records. A second benefit is that the ground covered by the team is clear during an audit and to any later reader of the HAZOP study file; any deviation not recorded was either not considered a realistic combination of guideword and parameter or was thought to have no significant causes or consequences. A third benefit is the ease with which modifications can be analyzed by HAZOP study at a later date.
In full recording, an entry is included for every deviation considered by the team, even when no significant causes or consequences were found. At this level, each parameter is recorded with each guideword for which the combination is physically meaningful. It may even extend to listing the guidewords that were not considered as they did not give a meaningful deviation with the parameter examined. Reasons for recording in full are to conform to a company standard, or the high hazards involved, or to meet a legislative requirement, such as the OSHA legislation in the USA. Some shortening of the records may be possible by having standard entries to cover some common cases. For example, if no causes can be found by coupling a parameter with a group of guidewords, the term “remainder” can be written with the parameter and the phrase “no causes identified” put in the cause column or “no significant risk” in the consequence column. Full recording is obviously more expensive and leads to a very substantial file but does permit a full audit. It is therefore the preferred option for those industries that need to demonstrate the highest possible standard of safety management.
7.5 The Content
It is essential that all entries, whether causes, consequences, protection, or actions, are as clear as possible and identify unambiguously the items to which they refer, using vessel, equipment, and line numbers. If the records are too brief or otherwise inadequate, they may be open to misinterpretation so creating difficulties in the implementation of safety and operability into the final design.
7.6 Computer Recording
Dedicated computer recording systems have been available for many years and are widely used, particularly for large HAZOP studies although standard word processing or spreadsheet programs are perfectly adequate. A list of commercial software has not been included here due to the problems of giving comprehensive coverage and maintaining an up-to-date listing. Gillett4 gives some information while further sources are software houses and consultancy companies.
There are few disadvantages to using a computer recording system provided it is done well, and it is certainly worth considering if a handwritten record will later be word-processed. Probably the major disadvantage is that the package may force the recording, and perhaps even the HAZOP study, to be done in the way envisaged by the program designer. It is essential that the package allows the chosen style to be followed. It is also important to have a scribe who is familiar with the recording program and is able to type fast enough to avoid any delays to the meeting. Also, if the records are displayed on screen for the team to see, the display system must be powerful enough to avoid the need for a dimly-lit room. As with hand records, the forms can usually be customized to suit a company style. A great deal of preparative work can be done beforehand by the leader and the scribe and, even if changes are needed during the meeting, this is easily done.
There are some advantages with computer recording. During the study, the headers, which include the design intention, and earlier sheets are easily consulted and seen by all of the team. Single keystroke entries are made for parameters and guidewords and for frequently used phrases. If the team can view what is being recorded, then any disagreements or possible ambiguities are dealt with immediately. Databanks of possible causes, effects, and frequencies are held on the computer and consulted when needed. Draft records for checking are available for circulation by printing or email shortly after the end of a meeting and action notes can also be generated without delay. However, general circulation should only be done after the leader and scribe have checked them for spelling and meaning. Responses to action notes are easily incorporated into the records. Spell-checking facilities are normally available and it may be possible to search the program for individual words, names, or combinations—for example, to list all the individual records where responses are overdue. Some programs are used as a management tool for the study, and the more sophisticated programs are written for use with other process hazard studies. It is also worth noting that the recommendations/actions can be captured from the electronic records and quickly transferred into the MOC or HAZOP actions tracking system.
A different aspect of computer use in HAZOP studies is the expert system, designed to “conduct” a HAZOP study. A number of programs have been developed, but the present view is that a fully satisfactory system has yet to be written; indeed some think the creativity of a good team will never be duplicated by a computer. However, such programs do have some potential as a preliminary screening tool, for example, on P&IDs at the “approved for review” stage, since they can ensure no known cause or deviation is overlooked.
7.7 Auditing a HAZOP Study
An audit or review of a completed HAZOP study may be done internally, to show conformity with company standards and to learn from the study, or externally. In this latter case, it is likely to be done by a regulator to confirm compliance with national codes or in the aftermath of an incident. All reviews will largely depend on the study records, and it is important this is recognized at the outset of the study. The list below covers some of the major points that should be examined in an internal audit. The key question is “did we do it properly?” whereas in an external audit it is “was it done properly?”
• clear terms of reference and authority for the team;
• scope of the study—start and end points; interfaces and links to facilities as a whole;
• timing of the study within the project and facilities for the study team;
• links to other project hazard studies;
• qualification of leader and scribe;
• selection, competence, and experience of the team members;
• continuity of attendance and use of specialists.
• P&IDs revision number and date. Should be either final design or as-built;
• modes of operation selected for study (e.g., steady state, start-up, and shutdown);
• other documentation made available (e.g., cause and effect diagrams, equipment specifications, isometrics, operating and control sequences, material hazard and data sheets, site plans, reports from earlier hazard studies);
• any special preparative work done for a batch process or a procedure (e.g., batch progress charts, plant status chart);
• style of recording which should include, as a minimum, clear reference number for each line, deviation, cause, consequence, safeguards, action, and action on;
• marked off matrix of guidewords and parameters showing a comprehensive and imaginative use;
• entries that can be precisely related to the P&IDs and are sufficiently detailed for the auditor to understand the meaning and outcome of the discussions;
• a good design intention for each node, realistic causes, appropriate consequences, understanding of the design envelope and existing safeguards, etc.;
• sufficient and appropriate depth in the search for causes. No excess of trivial items;
• clarity when no causes are found for possible deviations or no action is required;
• significant perceived risks referred for more detailed risk assessment;
• clear links to follow-up so all recommended actions can be traced to a final decision and implementation. This may require an audit of the formal closeout procedure;
• evidence that the team has been able to review the outcomes of actions where further investigation was recommended.