The Detailed HAZOP Study Procedure
This chapter covers the detailed HAZOP study procedure including process description, design intention, finding deviations, identifying causes, evaluating consequences and safeguards, assessing risks, and deciding upon recommendations and actions. A flow diagram explains the sequence used in HAZOP study. The main guidewords are listed and explained, some parameters are shown, and some meaningful combinations tabulated. Recording and follow-up are briefly mentioned. A detailed illustration is given of the stages of a HAZOP study including parts of a HAZOP study report.
Keywords
Detailed procedure; HAZOP flow chart; design intention; guidewords; parameters; deviations; actions; HAZOP example
The actual study must proceed in a carefully planned, systematic manner to cover all of the selected aspects of the process or operation. It is normal to cover a continuous operation by dividing it into sections and working from an upstream starting point. A batch process or a procedure is divided into sequential steps and these are taken in a chronological order. The division of a process into sections or steps is described in more detail in Section 5.3 and illustrated in Appendices 3–5. The pattern of analysis for an individual section or stepa is shown in Figure 4.1, and its main elements are described in the following sections.
4.1 The Description and Design Intention
It is essential the team begins with a full understanding of the section or stage to be analyzed, either knowing the existing situation or having sufficient information to be able to form an adequate conceptual model. A full description should be developed, including all the key parameters, and the HAZOP report should include the design description.
Next, a design intention for the step is formulated and recorded. This should include a statement of the intended operational range (envelope) so that the team can recognize any situations lying outside this range as deviations. The design intention may be interlinked with the step description and hence to the design parameters of the equipment.
It is good practice to develop a comprehensive design intention, clearly linked to the drawings being used, which can be referred to during the search for deviations. A design intention may refer to equipment items in the section, to materials, conditions, sources, and destination, to changes or transfers, as well as to the means of control and timing of a step. It not only refers to plant equipment but covers what is intended to be done within the section being analyzed.
The recording of the design intention should include sufficient information to enable a later user of the records to understand the picture developed and used by the HAZOP team during their study.
4.2 Generating a Deviation
The next step is to generate a meaningful deviation by coupling a guidewordb and a parameter.c A deviation can be generated by taking a parameter and combining it with each guideword in turn to see if a meaningful deviation results (the parameter-first approach). This is the method described in Figure 4.1. The alternative approach is to take a guideword and try each parameter in turn (the guideword-first approach). More details of the guideword-first approach are given in Appendix 1, pages 95–97.
The standard set of guidewords for process plant is listed in Table 4.1, alongside their generic meanings. The first seven are normally used, with the others included if appropriate. As the purpose of the guidewords is to assist the team in a creative and thorough search for meaningful deviations, it is important to select a set that works well for the problem being studied. Variations of the standard set may be tried or others added to the list. Some companies have developed their own set of guidewords for particular technologies.
Table 4.1
Standard guidewords and their generic meanings
| Guideword | Meaning |
| No (not, none) | None of the design intent is achieved |
| More (more of, higher) | Quantitative increase in a parameter |
| Less (less of, lower) | Quantitative decrease in a parameter |
| As well as (more than) | An additional activity occurs |
| Part of | Only some of the design intention is achieved |
| Reverse | Logical opposite of the design intention occurs |
| Other than (other) | Complete substitution—another activity takes place OR an unusual activity occurs or uncommon condition exists |
| Other useful guidewords include: | |
| Where else | Applicable for flows, transfers, sources, and destinations |
| Before/after | The step (or some part of it) is effected out of sequence |
| Early/late | The timing is different from the intention |
| Faster/slower | The step is done/not done with the right timing |
Interpretations of the guidewords for computer-controlled systems (programmable electronic system, PES) are given in the IEC HAZOP Application Guide.7
While clear recommendations can be made as to which guidewords should be considered, it is not possible to provide such firm advice regarding parameters. The selection of parameters is a task each team must address for each system studied. Table 4.2 gives examples of parameters that might be used in the analysis of a process operation. This list is not exhaustive but is intended to show the depth and breadth of the parameter and guideword search that can be used. It must be emphasized that many of the parameters listed will not apply to every issue or process as parameters relate to the individual system, process, or operation being studied.
The extent of this list emphasizes the need for the team to form a clear conceptual model of the step and to use it to decide which parameters should be used in the search for possible deviations. When seeking deviations it must be remembered that not every guideword combines with a parameter to give a meaningful deviation. It is a waste of time to discuss combinations which do not have a physical meaning. Some examples of meaningful combinations are given in Table 4.3. Many parameters will emerge from the step description and statement of the design intention, provided it is explicit and comprehensive. In addition, a good team is likely to identify further parameters during the examination, particularly for the later guidewords “as well as,” “part of,” and “other than.” It is good practice to apply all of the guidewords to the design intention before leaving a node.
Table 4.3
Examples of meaningful combinations of parameters and guidewords
| Parameter | Guidewords That Can Give a Meaningful Combination |
| Flow | None; more of; less of; reverse; elsewhere; as well as |
| Temperature | Higher; lower |
| Pressure | Higher; lower; reverse |
| Level | Higher; lower; none |
| Mixing | Less; more; none |
| Reaction | Higher (rate of); lower (rate of); none; reverse; as well as/other than; part of |
| Phase | Other; reverse; as well as |
| Composition | Part of; as well as; other than |
| Communication | None; part of; more of; less of; other; as well as |
Most of the combinations in Table 4.3 have obvious meanings but, as an example of the subtlety possible in HAZOP study, reverse pressure is included. It may apply to the situation in twin tubing where the pressure in the annulus between the outer and inner tube may be sufficient to crush the inner tube.
HAZOP study is most effective when it is a creative process, and the use of checklists for guidewords or parameters can stultify creativity. Nevertheless, checklists can be helpful for an experienced team. Illustrations are given in Appendix 2, pages 99–100.
4.3 Identifying Causes
Once a meaningful deviation has been identified, the team then seeks a cause. It is worth noting at once if the consequences are trivial as there is then no point in searching for causes. If there are likely to be several causes, as with the deviation “no flow” in a pipeline, it is very helpful to have a short brainstorming session to identify as many causes as possible, remembering that causes may be related to human factors as well as to hardware items. In seeking causes (and evaluating consequences), it is essential that all members of the team take a positive and critical, but not defensive, attitude. This is particularly important for any members responsible for the design. It can be useful to create and use a databank of frequently occurring causes to ensure no common causes are overlooked. If this is done, however, it should not be allowed to affect the creativity of the team or become the principal source of causes.
Although only realistic causes need to be discussed in detail, a judgment on this cannot be made without taking account of the nature and seriousness of the consequences. Acceptable risk involves an assessment of both frequency and severity so it is impractical to completely separate the discussion of cause and consequences in a HAZOP analysis. Sometimes this results in an action to assess the risk by more detailed analysis outside the HAZOP study meeting, for example, where a major consequence could occur as the result of a combination of causes. The term “realistic” implies a consideration of the likely frequency of a cause. If only minor consequences ensue, then even high-frequency causes may be ignored. In effect, a risk assessment is made based on a combination of the frequency of the event and the seriousness of the consequences. Experienced teams have little difficulty in this for most events. However, judgments as to the frequency at which causes are described as “realistic” are likely to differ from company to company and will certainly alter between countries due to different legislative approaches. In some circumstances, it may be best to analyze and record for even very low-frequency causes, perhaps with all the causes identified.
An alternative approach is to ignore the safeguards when evaluating consequences so that the ultimate effects are understood. Then each cause is considered in turn. Now the adequacy of the safeguards can be evaluated and the need for action determined.
It is important that causes are clearly described, as broadly similar causes may have distinctly different consequences. In these circumstances, it is necessary to distinguish and treat each cause separately. For example, pump failure due to a mechanical cause may cause loss of containment as well as loss of flow while pump failure due to an electrical cause may simply lead to loss of flow. So while it may sometimes be possible to group causes together, this should only be done where the team is sure that the consequences are identical for every cause.
Finally, before the discussion of a particular deviation is concluded, the team should consider all of the possible causes suggested.
4.4 Evaluating Consequences
The consequences of each cause must be carefully analyzed to see whether they take the system outside the intended range of operation. It is essential to fully identify all of the consequences, both immediate and delayed, and both inside and outside the section under analysis. It often helps to analyze how the consequences develop over a period of time, noting when alarms and trips operate and when and how the operators are alerted. This allows a realistic judgment on the likelihood and influence of operator intervention.
Where an effect occurs outside the section or stage being analyzed, the team leader must decide whether to include the consequences in the immediate analysis or to note the potential problem and defer the analysis to a later, more suitable point, in the overall HAZOP study. Whichever approach is adopted it is important that consequences outside the study section are fully covered, however distant they may be.
4.5 Safeguards (Protection)
There are variations in practice as to when the existing safeguards and protection are noted and taken into account. One approach is first to analyze the outcome ignoring the existence of any safeguards such as an alarm, trip, or vent. Then, when the worst outcome has been identified, the safeguards are noted and the team moves to considering the need for action. This approach has the advantage that the team is alerted to possible serious consequences and misjudgments of the need for protection are less likely. Against this, it can be argued that it is unrealistic to ignore the in-built safeguards of a well-designed operation. Whichever approach is adopted, it is good practice to make note of the safeguards in the detailed records of the study.
4.6 Risk Assessment
Originally, little or no risk assessment was done in a HAZOP study, its purpose being the identification of hazard and operability problems. This is still a valid approach. However, if risk assessment is to be done during the study, the team needs an agreed approach covering:
It can be very time-consuming to do a risk assessment for every problem. However, if the team has a familiar, well-constructed risk matrix which is appropriate to that particular industry, they will become efficient at assigning likelihood and severity categories. A good software package helps by providing an easily viewed reminder of the matrix and may also allow different risks to be recorded for different categories of consequences such as environmental, process, or personnel injury.
The estimations of likelihood and severity are normally qualitative, typically in order of magnitude bands. They rely on the team’s experience and judgment of similar events and will be uncertain, perhaps by as much as a factor of 3 (i.e., about one-half of an order of magnitude). A good team will quickly estimate frequencies as low as once in 10 years for common events. For lower frequencies, it may be necessary to make some analysis of the conditions needed for the event to occur and to do a rough quantification to get to lower frequencies. Inevitably, the uncertainty in the estimate will be greater for very low frequencies. When events of very low frequency, of one in 100 years or less, need to be considered, it is better to refer the problem to outside analysis by QRA or full Hazard Analysis and not to lose focus on the identification exercise.
The assessment is probably best made either after the team has clarified the consequences or following the discussion of the safeguards. Some companies choose to assess the risk at three stages:
The advantage of this approach is that it shows the worst case consequences, the extent to which these are alleviated by existing safeguards, and then the effects of the proposed actions. This sequence makes it very clear how serious the problem is, the reliance on existing safeguards, and hence the need to ensure these are maintained during operations and the benefit, and hence the justification, for the proposed actions.
A further benefit of risk assessment after the consideration of the consequences is that minor problems are apparent and further discussion can be terminated.
4.7 Recommendations/Actions
Several different approaches are in common use:
• After a potential problem is identified, it is always referred for investigation outside of the HAZOP meeting.
• At the other extreme, the team attempts, whenever possible, to deal with the problem and record a recommended solution to that problem whether engineering or procedural.
• The norm is for an intermediate approach where the team recommends a solution to the problem only if there is a breach of standards or if the team has unanimously agreed a solution which is within their authority to make. All other problems, particularly if there is no unanimity, are referred for further investigation outside the HAZOP meeting. This approach has the benefit that agreed hardware changes can be immediately marked on the working drawing and taken into account during the remainder of the study.
The approach used should be agreed in the definition of the study. Whichever approach is adopted, it is important that there is consensus among the team on any positive action, as well as on the causes and consequences. Also further causes, consequences, and deviations that might be associated with a change should be considered and covered within the HAZOP study. It is essential that all recommendations/actions are unambiguous and clearly recorded so that they can be understood at a later stage in the project by non-team members.
Actions may be either specific or generic. The former is more common but, where a change might apply at several points within the design, it is simpler to make a generic action, so avoiding repetition and the possibility of different actions for similar problems in different parts of the process.
It is good practice to have an entry in the action column for every deviation and cause discussed, even if the entry simply states that no action is required because the existing safeguards are considered adequate, to show that the team concluded their discussion.
4.8 Recording
The conclusions reached by the team must be fully recorded, and it should be remembered that the HAZOP report typically represents the only comprehensive record of the study and of the operating strategy intended by the designers of the plant. The report should be regarded as one of the suite of key documentation handed forward to the operators of the project.
The selection of items to be included in the record are agreed during the planning of the study. It is important that sufficient detail is recorded for the potential problem to be understood outside the meeting by persons who were not present. The details of recording are discussed in Chapter 7. During the examination process, the team members should be aware of the details of the current record, either by it being displayed or by the leader stating what is to be recorded. In addition, team members should have an early opportunity to check the first draft of the meeting records.
4.9 Continuing and Completing the Analysis
In the parameter-first approach, the normal sequence is to consider in turn all causes of a particular deviation. When that is complete the same parameter is considered with another guideword to see if a meaningful deviation can be generated. This continues until all the guidewords have been tried. In practice a team quickly recognizes which guidewords to consider with each parameter. When all meaningful deviations have been examined, the team moves on to another parameter and considers this with all appropriate guidewords. The HAZOP analysis of the section or step is complete when the team can suggest no further parameters.
To get the best results from a HAZOP study, it is essential that the group functions as a team throughout, with every member feeling free to contribute and actually doing so. It is expected that a consensus will be reached at every stage of the analysis. If any team member is not satisfied with a conclusion or recommendation, then the team should aim to resolve the issue before moving on or turn it into an action for further discussion outside the meeting.
4.10 An Illustration of the HAZOP Study Process
This simple example shows how a HAZOP study works. It is applied to a familiar task. The early stages are set out in full but the analysis is not completed, only going far enough to show at least one line of analysis for each guideword. You can easily add some more yourself.
Consider filling the fuel tank of a diesel-engined car as part of the operation of a new filling station. Assume the design of the filling station is complete and that it has been subjected to a full set of Hazard Studies. The intention here is to look at one function of the design. Consider a car driver arriving to take on fuel. Having selected this filling station, we consider what the driver has to do. A minimum set of steps is:
1. Select a filling bay that is not occupied.
2. Park so the filling hose can reach the inlet to the car’s fuel tank.
3. Remove the cap from the fuel tank.
4. Determine which fuel is required—95-octane lead-free petrol, diesel, high-octane petrol, etc.
5. Place the fuel nozzle into the car’s fuel tank inlet.
7. Monitor the flow, stopping it when enough has been added.
8. Replace the fuel nozzle on the pump stand.
These could be made more precise but initial drafts of operating instructions rarely cover all situations.
Information must be collected for the study. This should include:
• The layout of the filling station showing entry and exit lanes, the number, position, and spacing of the pumps, and related buildings (the shop and pay point, tanker supply area and filling connections, the car wash, the compressed air and water supply station, etc.). Drawings and photographs of equipment items are required.
• The details of each typical pump station (if there is more than one style) with information on the number of fuel types available, the control system to be used, the display, and the flowrates. Drawings, specifications, and photographs are the minimum; a team visit to the site would be useful. Normally a P&ID would be included.
• site drainage details and plans;
• fire safety measures and firefighting equipment;
• details on typical usage—fractional occupation of the available pump spaces, time per visit, range of amounts transferred, other traffic to and from the site (e.g., visits for shop purchases only);
• number of operators on-site and their general duties;
• frequency of supply tank filling and any restrictions placed on customer access during resupply;
• typical nonavailability of pumps, for example, due to shortage of fuel or individual pump failure;
• history of filling station incidents (specific to the operating company and in general).
We will assume that an experienced HAZOP study leader has been appointed to lead this study. The leader will review this information for general suitability and coverage and then think about the division of the steps of the operation (1–11 above) into stages for the study. The initial suggestion might be:
| Stage 1 | Steps 1–2 | Arrival and preparing for transfer |
| Stage 2 | Steps 3–9 | Filling the tank |
| Stage 3 | Step 10 | Paying |
| Stage 4 | Step 11 | Leaving |
We will look here at stage 2.
The team leader will need to assemble a suitable team. This might be:
• member of the site management (SM);
• representative from the pump manufacturers (PM);
After familiarization with the study data the team would discuss what is involved in stage 2 and draw up a design intention. This could be:
To transfer diesel fuel from the selected fixed pump into the fuel tank of the car at the fastest rate compatible with safety. The amount transferred may be a chosen volume, a chosen value or the full tank capacity. The transfer will be controlled by an untrained member of the public and may be terminated manually or by automatic cut-off when the tank is full.
The team, on advice from the leader, is using the standard set of seven guidewords, namely:
An initial consideration by the team of possible parameters gave the following ones (which may be extended by ideas suggested during the study itself):
The following section gives examples of the team discussion, the first relating to high fuel flow:
| TL | “I would like to discuss high flow of fuel into the car’s fuel tank a little more. What are the implications of the failure of the Dead Mans’ Handle on the filler or the failure to shut off in the case of high level in the car fuel tank?” |
| LO | “The fuel will spill out of the tank in an uncontrolled manner and go into the drain system where it will be caught in the interceptor.” |
| RU | “Do we know if there is any level measurement or warning of overload of the interceptor?” |
| HS | “I think that there is.” |
| TS | “I am making a note of the action on HS to verify this.” |
| LO | “This raises some issues about the emptying of the interceptor both ‘how?’ and ‘how often?’.” |
| TS | “I am making an action on this between the LO and the HS.” |
| TL | “Are there any more consequences associated with these causes of high flow?” |
At a later stage, the team has a short brainstorming session to start the guide word “other/other than.”
| TL | “I suggest we start the use of the guideword ‘other/other than’ by brain-storming for possible deviations. Any ideas?” |
| LO | “A non-standard fuel container is filled.” |
| PM | “Perhaps using a different fuel.” |
| RU | “A car jacking is attempted.” |
| HS | “Safety—an engine fire.” |
| TS | “Car has a trailer or caravan attached.” |
| RU | “Car won’t restart or a puncture is noticed.” |
| LO | “Leak of coolant, engine oil or other fluid from the vehicle.” |
| SA | “Driver taken ill or appears so (drink, drugs).” |
| SM | “Extreme weather conditions—wind, frost, lightning, snow.” |
Table 4.4 shows extracts from the report.
Table 4.4
This is a selection from the report that could result from the study. Enough has been included here to illustrate each of the main guidewords at least once. An action placed on two team members means that they are both expected to be involved in resolving the problem. However, the responsibility for the response is placed upon the first named member
| Ref. | Deviation | Cause | Consequence | Safeguards | Action | On |
| 1 | No flow | Wrong initiating sequence used by the customer | Delay. Possible damage from wrong sequence. Sale may be lost. | Required sequence is usual for the UK and uses illuminated buttons on the pump panel. The site operator can select and speak to each station. | A1: Consider installing an alert to the operator whenever delay between removing hose and start of pumping exceeds selected time (say 20 s). | PM |
| 2 | No flow | Supply tank at low cutoff level | Delay and frustration for customer as cause not apparent. | Alarm to site operator of impending loss of supply. Operating procedure to cone off pumps with prepared signage. | A2: Review restocking arrangements against the expected demands to minimize this situation. | SM |
| A3: Review operator training and testing. | HS | |||||
| 8 | More quantity | Customer error | Customer cannot pay; delay at till and at pump. | None | A5: Cover in training procedures. | SM |
| 9 | More (high) fuel flow | Dead man’s handle on pump fails or the flow fails to shut off on high level in tank | Fuel spillage over side of car, onto ground, and into drain system. Possible fire. | Maintenance of the pumps. Interceptor within the drains. | A6: Check on the recommended maintenance procedures. | PM and SM |
| A7: Check for level indicator and warning of interceptor overload. | HS | |||||
| A8: Review location and effectiveness of the first aid firefighting facilities. | HS | |||||
| 10 | More time | Driver leaves car unattended (e.g., to shop in main store) | Pump blocked to other users. Uncertainty over “abandoned” vehicle. | None | A9: Establish procedure to deal with “abandoned” vehicles including emergency evacuation of the area. | HS |
| 13 | Less quantity | Low level in main supply tank | Customers cannot get fuel. | Low level warning on main supply tank. | A11: Check that resupply arrangements cover all likely rates of sale. See also A2. | SM |
| Operator training to cone off the affected pumps. | A12: Review | SM | ||||
| 16 | Reverse entry of car into the pump lanes | Driver mistake or deliberate short cut taken | Confusion among other users and increased likelihood of on-site collision. | Signage | A13: Review the position and instructions on signs. | SA and SM |
| A14: Consider if routing of entry/exit slip lanes can reduce occurrence. | SA | |||||
| 18 | As well as—customer uses mobile phone | Customer ignores warnings | Possible ignition source—not likely with diesel but could be with petrol. | Warning notice at every pump station. | A15: Check on reality of the rumors of fuel ignition from mobile phones. | HS |
| A16: Consider requiring till operator to warn phone users over built in speakers on pump station. | SM | |||||
| 19 | Only part of sequence completed | Customer does not properly replace fuel nozzle on its stand | Transfer pump continues to run against closed valve. Payment cannot be made and customer must return to the pump. | Till operator can notify customer using the pump speaker but is unlikely to spot the problem before customer leaves the pump. | A17: Check with manufacturer how likely this is with the chosen design and what the alternatives are. | SM and PM |
| 21 | Other fuel container filled | Customer uses fuel can (perhaps as well as filling car fuel tank) | Pump is stopped and then restarted. May attempt to pump a different fuel. High-level cutoff may not work if container has a wide neck. | Not possible to pump separate fuel until payment made for first and pump zeroed. Restart with same fuel is possible provided nozzle not replaced first. | A18: Decide whether a timed cutoff should be included so restart is not possible after a selected time. | SM |
| A19: Check whether high-level cutoff works in wide necked containers. | PM | |||||
| 22 | Other event—carjacking attempted | Planned criminal activity | Risk of violence with injury (or death). | Warning to customers to remove car keys and not to leave car unlocked. | A20: Check wording and prominence of notices. | HS and LO |
| Bad publicity inevitable. | A21: Put up clear notice that CCTV is in use as a deterrent. | SM | ||||
| A22: Review emergency procedures to ensure this eventuality is covered and that training is provided. | SM and LO |
