130223 Gts-s Pro Hsse-ra 2 Hazop Final
Recommendation Main Document

Hazard and Operability Study (HAZOP)

Systematic hazard identification for process installation using the HAZOP technique for application within OMV Group.

Provision of guidance and establishing terms of reference for consistent for application.

All employees.

OMV AG and all subsidiaries in the fully consolidated group.

Responsible for Content:

GTR-S Ulrike Weingerl

Regulation Approver 1: GTR-S Horacio Haag

Regulation Approver 2: GT-S Andreas Scheed

As approved by the Executive Board of: Not applicable

Effective as of:

In the interests of simplicity and readability, the language of this statement is gender neutral to the extent possible. Where applicable, the masculine includes the feminine. Print-out is only valid on the date printed. Check for the latest version in the Regulations Platform. In case of conflict, the document in its Master Language must be applied.

HSSE-R-017 Page 1 of 42

Master Language: English Version: 2.0

Index of content

1. Introduction and Intended Purpose of Regulation......................................................................4

2. Content of Regulation................................................................................................................4

2.1. Scope of application of the method...................................................................................4

2.1.1. Overview.....................................................................................................................4

2.1.2. Application regime......................................................................................................5

2.1.3. Usage..........................................................................................................................5

2.1.4. Limits of application....................................................................................................6

2.2. Initiating a study................................................................................................................6

2.2.1. Responsibilities...........................................................................................................6

2.2.2. Application within the life-cycle of systems................................................................6

2.2.3. Specifying terms of reference of a study....................................................................7

2.3. Planning and preparing analysis session...........................................................................8

2.3.1. Time estimate, scheduling, and venue selection........................................................8

2.3.2. Setting up teams........................................................................................................9

2.3.3. Ensuring competency for applying the method.........................................................11

2.3.4. Gathering input information needed.........................................................................12

2.3.5. Preparing the checklists and record templates.........................................................14

2.4. Performing analysis.........................................................................................................15

2.4.1. Initial discussion, kick-off the sessions......................................................................15

2.4.2. The HAZOP process - oversight.................................................................................15

2.4.3. Selecting HAZOP nodes (study sections) and specifying the design intent...............16

2.4.4. Selecting and applying HAZOP deviations................................................................17

2.4.5. Identifying scenarios.................................................................................................17

2.4.6. Evaluating consequences.........................................................................................19

2.4.7. Evaluating risk controls.............................................................................................19

2.4.8. Evaluating residual risk levels and proposing recommendations..............................21

2.4.9. Recording results and issuing reports.......................................................................23

2.5. Implementing results.......................................................................................................25

2.5.1. Communicating findings and distributing protocols..................................................25

2.5.2. Hazard and Risk Register..........................................................................................26

2.5.3. Following-up findings................................................................................................26

2.5.4. Updating and revalidation of the study.....................................................................27

2.6. Quality Review of the Study Performance........................................................................29

3. Internal Reference Links..........................................................................................................29

4. External Reference Links.........................................................................................................30

5. Obsolete Regulations...............................................................................................................30

6. Certification Standards............................................................................................................30

7. Terms & Abbreviations............................................................................................................30

7.1. Terms..............................................................................................................................30

7.2. Abbreviations...................................................................................................................31

8. Keywords / Search Criteria.......................................................................................................32

9. Annexes...................................................................................................................................32


10. Amendments from Previous Versions......................................................................................32

Annex 1. Deviations for Continuous Process HAZOP....................................................................32

Annex 2. Deviations for Procedure HAZOP..................................................................................34

Annex 3. Deviation for Batch / Sequential HAZOP.......................................................................37

Annex 4. Deviations for Electrical, Instrumentation and Control System HAZOP.........................39

Annex 5. Deviations focusing process installation aspects within HAZOP....................................41

Annex 6. HAZOP Worksheet Template.........................................................................................43

Guidance for readers of this recommendation:

Sections 2.1, 2.2, 2.3, 2.5 and 2.6 are addressed primarily to the persons responsible for planning studies.

Section 2.4 and the Annexes are addressed primarily to the persons executing the study (HAZOP team).

This recommendation is part of a package which covers further HAZID methodologies such as HAZOP, LOPA, etc. Each recommendation is written as a stand-alone document. Therefore the more general parts of performing systematic hazard and risk analysis are repeated in each recommendation, so that readers do not get lost in cross references.


1. Introduction and Intended Purpose of Regulation

The HAZOP study is a powerful method to identify hazards in process plants and to identify operability problems that could compromise a plant's safety and productivity. HAZOP is a formal, systematic and detailed examination of the process and engineering intent of new or existing facilities. Its aim is to assess the hazard potential of operations outside the design intent, or malfunction of individual items of equipment, and their consequential effects on the facility as a whole. HAZOP is generally carried out by a multi-disciplinary team led by an independent moderator during a set of meetings.

HAZOP is similar to FMEA in that it identifies failure modes of a process, system or procedure, their causes and consequences. It differs in that the team considers unwanted outcomes and deviations from intended outcomes and conditions and works back to possible causes and failure modes, whereas FMEA starts by identifying failure modes.

This recommendation provides guidance for Hazard and Operability Studies within the OMV Group with the aim of standardizing, optimizing and ensuring consistent quality in the application of the technique within the Group. This recommendation applies to all Project lifecycle stages including to changes made to operating facilities through Management of Change.

This recommendation covers:

► Principles of application
► Planning the sessions
► Performing analyses
► Effective follow up and close out

This OMV HAZOP Study recommendation supports the application of the HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard and the HSSE-R-005 OMV Group Recommendation: HSSE Risk Assessment. It provides a recommended method for application where HAZOP Study is identified as the appropriate Hazard Identification method. The procedure does not cover general aspects of Risk Management, Project Management or implementing HAZOP findings.

The responsibility for this recommendation lies with the Process Safety Management team within Corporate HSSE GTS-S. The responsibility for hazard identification is as defined in the HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard.

2. Content of Regulation

2.1. Scope of application of the method

2.1.1. Overview

Hazard identification (HAZID) is the most basic tool within the risk assessment process to check designs and intended operations to identify safety and operability improvements. HAZID is the process of finding, recognizing and recording sources of risks. Only identified hazards can be analyzed, assessed, managed, and mitigated if warranted. Of the HAZID methods, HAZOP is the most suitable technique to identify causes, events, situations or circumstances which could have a material impact upon the safety and operability of process installations.

The primary purpose of a Hazard and Operability (HAZOP) study is to identify all deviations from the way the process design is expected to work, their causes, and all the hazards and operability problems associated with these deviations and make recommendations to improve its safety and operability. The basic concept behind HAZOP studies is that processes run well within design limits. If and when the process deviates from these design conditions, operability problems and incidents can occur.

There are many secondary objectives such as demonstrating compliance with design standards, satisfying regulatory authorities and insurance companies, as an aid to developing training and operating manuals, etc.

The purpose of a HAZOP study is to:

► Identify the sources of hazards, risks, operability problems and process safety accidents including human failures, equipment failures and external causes
► Consider the consequences of these hazards and operability problems.
► Identify and evaluate the efficiency of engineered and procedural safeguards which are in place to prevent or mitigate these consequences.
► Unveil weaknesses in design and operation of process units and establish a sound base for further improvement of the safety and operability.
► Review previous incidents and consider effects of potential incidents
► Propose recommendations, as needed, to prevent, control, or mitigate hazards.
► Provide assistance to management in their efforts to manage operational risks.
► Improve overall loss control and management of safety and environmental impact

HAZOP evaluates the risk qualitatively by expert judgment of the HAZOP team. It may establish a base for further risk analysis such as LOPA, BowTie or QRA and links to other analyses such as Risk Based Inspection and Maintenance (RBI/M), Fire and Explosion analysis, flare studies, or alarm management studies. HAZOP may constitute a part of the hazard analysis as requested by Major Accident Regulations (e.g. SEVESO).

2.1.2. Application regime

HAZOP is the recommended HAZID method to be applied for process hazard analysis (PHA) for any process installation within OMV consisting e.g. of more than a tank and a pump. It is particularly applicable to:

► Upstream and downstream operations (drilling, production, storage, etc.)
► Onshore and offshore facilities
► New, modified and existing installations (Project-HAZOP, Retro-HAZOP)
► Continuous processes (this is the most common application)
► Batch processes or where there are multiple operating modes
► Routine and non-routine procedures (consisting of a defined sequence of activities)
► Electrical, instrumentation and control systems

The primary area of application is Process Safety. However, the principles of the method might also be used in other subject matter areas (e.g. waste management).

2.1.3. Usage

HAZOP can be applied on its own or in combination with a risk screening tool (e.g. SWIFT, risk vetting according to HSSE-R-005 OMV Group Recommendation: HSSE Risk Assessment). It identifies scenarios for further detailed risk analysis such as LOPA, QRA, BowTie.

► It is recommended to perform a LOPA analysis on all identified HAZOP scenarios which have a worst reasonable foreseeable consequence of a fatality, mid-term major environmental impact or property damage above 2 Mio€ immediate costs (i.e. severity level 4 of the risk matrix for single scenarios given in HSSE risk assessment recommendation).

► In particular, the evaluation of safety instrumented functions (Safety Integrity Level, SIL) should be based on HAZOP results.

HAZOP has a much more detailed scope than SWIFT. It is structured by the repeated use of guide words which question how the design intention or operating conditions might not be achieved at each step in the process, procedure or system. Because of this level of detail it might sometimes be advantageous to use HAZOP in combination with SWIFT. In such cases HAZOP might be limited to the inherent process hazards, while SWIFT covers e.g. hazards on the general plant level (external hazards, general emergency response systems, sampling, etc.), equipment siting aspects, and tie-in aspects of a process unit into the entire facility.

HAZOP uses different guidewords for the different application regimes. Furthermore, the method may be tailored to address specific aspects such as human factors (at operating process plants). Satisfying results will only be achieved if the objectives of the studies are clearly defined and the guidewords selected accordingly. For complex systems it might be necessary to perform combinations of the different types of HAZOP (e.g. continuous process HAZOP and procedure HAZOP).

HAZOP evaluates the risk qualitatively using the expertise and experience of the team. Semi quantitative evaluation of the identified scenarios might be done using e.g. LOPA - see also Section 2.4.8.

2.1.4. Limits of application

HAZOP is not:

► An occupied building analysis or facility siting study (but should include consideration of these risks); see e.g. QRA
► A fire and explosion risk analysis (FERA) (but considers principal fire and explosion risks)
► A Quantitative Risk Assessment (QRA)
► A SIL (Safety Integrity Level) study; see e.g. LOPA
► A means for defining engineering and procedural solutions for sources of hazards
► A machinery safety study (but considers aspects of machinery safety in procedure HAZOP)
► A reliability analysis (but considers aspects of equipment reliability)
► A workplace health and safety study, Job Safety Analysis (JSA), Job Hazard Analysis (JHA), or Task Risk Analysis (but covers some accidental risks to workers)
► HAZOP is not recommended to be used for dropped object studies, evacuation, escape and rescue analysis, emergency survivability analysis, and marine collision studies (though some of their aspects will be touched on in HAZOP); see e.g. SWIFT
► HAZOP is not recommended to be used for hazard identification of activities when no detailed action plan is in place (e.g. for demolition activities); see e.g. SWIFT
► Normally HAZOP does not consider double-jeopardy scenarios (i.e. two unconnected failures happening at the same time). These types of events should only be included if they are not truly independent; see e.g. BowTie

2.2. Initiating a study

2.2.1. Responsibilities

The responsibility for initiating a HAZOP study lies with the risk owner (see HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard). The risk owner has to ensure that the study has:

► Appropriate priority and attention.
► Commitment of competent resources.
► Time for proper execution.
► Findings of the study are communicated and followed up.
► Facility documentation is available and up-to-date for the analysis.

2.2.2. Application within the life-cycle of systems

It is mandatory to complete HAZOP studies for (see also HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard, HSSE-S-005 OMV Group Standard: HSSE in Projects):

► Major (technical) projects or major modifications to an operating facility or process installation
► Some changes being addressed in the Management of Change of operating facilities
► Revalidation of process hazard analyses (Retro-HAZOPs)
► When recommended by subject matter experts

HAZOP studies can be carried out at all project lifecycle stages so long as an up-to-date P&ID is available and sufficient details are known of the typical operating conditions and, preferably, of start-up and shut-down operations.


Retro-HAZOP Plans

Operating facilities shall establish a schedule for completing or revalidating the HAZOP of their installations (see also HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard). The prioritization of Retro-HAZOPs shall consider risk to people, consequence potential of the process hazards, age of the installation, operating history, and date of the last comprehensive review.

For optimizing resource planning, Retro-HAZOP plans should be aligned with the plans of other repeatedly updated studies such as Risk Based Inspection and Maintenance (RBI/M), the update of the Safety Report under Seveso legislation, the update of the explosion document, etc.

The generally accepted practice is a thorough review of HAZOP studies every 5 years. In some countries the schedule is dictated by authorities (e.g. under the EU Directive 2012/18/EU on the control of major-accident hazards involving dangerous substances - Seveso Legislation).

2.2.3. Specifying terms of reference of a study

Terms of reference shall be developed for each study and formally agreed with the risk owner (or his/her delegate) before the study commences. A typical TOR includes:

► Objectives
► Scope
► Methodology including parameters and deviations to be used
► Personnel required to attend the meeting: core team members and persons who might be consulted for specific questions
► Schedule and deliverables: times and durations of the study sessions, dates on which draft and final reports are to be submitted to the various recipients
► Usage of special PHA software and specification of the hand-over file format
► Report recipient and distribution list
► Reference documents (e.g. facility documentation, other hazard analyses, etc.) which will be included in the review (for a list of typical documents see Section 2.3.4)

Developing the TOR helps ensure a consistent understanding of the study and its application among HAZOP leader, risk owner, and HAZOP team. For follow-up of the study the TOR should be included in the HAZOP protocol.

Specifying the scope sets the limits of the analysis and the discussion. It includes specifying:

► Physical boundaries and interfaces of the system to be analyzed (i.e. boundary limits of the unit, offsite systems, utility system)

► Operations mode (i.e. continuous process, batch processes, start-up and shut-down procedures, emergency shut-down procedures)

► Details of utility systems, electrical, instrumentation and control systems (i.e. analyze the details of their functions or treat them as a black box and consider just interface aspects)

► Operating procedures (i.e. routine procedures, non-routine procedures)
► Aspects to be considered or excluded because they are covered in other analyses; see also Annex 5 (e.g. ex-zoning, accessibility aspects, corrosion and other degradation mechanisms, offsite impacts, facility siting, human factors aspects, etc.)

► Degree of detailing the review e.g. inclusion of alarm prioritization, operating windows, relation to risk based inspection (RBI) analyses

► For projects and modifications, to what extent the existing installation is included (i.e. HAZOP by exception or review of all scenarios in the scope of the modification)

2.3. Planning and preparing analysis session

2.3.1. Time estimate, scheduling, and venue selection

HAZOP cost and schedule should be included in project planning and existing facility budgeting.

Availability of facility documentation and of the key team members required should be considered in the development of the HAZOP schedule.

Time estimate

HAZOP demands considerable resources in time and personnel to cover the necessary knowledge of the process, its instrumentation and its operation. Thorough planning and follow-up is required to use these resources in an optimal manner. The duration of a HAZOP team analysis depends on:

► Size and complexity of the system
► Whether the process is a procedure-oriented operation or a continuous operation
► Potential hazards and quality of the safety barriers
► Specified scope
► Necessity to verify aspects in the field
► Availability and quality of the documentation of the system
► Availability and competency of the team
► Experience and skills of the moderator
► The use of dedicated software (may reduce the effort for documentation)

Below are estimates of the time needed for a continuous process HAZOP of typical process installations. It is assumed that all documentation is available and up-to-date and that the team is available.

System            Example                                              Preparation   Analysis           Documentation
Simple, small     Retail station, small tank storage                   0.25 d        0.5 - 1 d          0.25 d
Simple, medium    Oil & gas production facility, bitumen plant         0.5 - 1 d     3 - 5 d            0.5 - 1 d
Complex, medium   Gas processing plant, small to medium refinery unit  1 - 3 d       2 - 4 weeks        2 - 4 d
Complex, large    Large refinery unit, entire power plant              2 - 5 d       6 weeks and more   3 - 6 d

Scheduling

For scheduling the sessions the following aspects should be considered:

► Duration of team discussion should not exceed 6 hours per day
► The remaining daily workday may be used for
- Catch-up and follow-up of action items identified in the session
- Preparation and follow-up of the team session (check and review of the documentation)
► Duties of operating personnel for ongoing operations in parallel to the sessions (especially for Retro-HAZOPs)
► Necessity for follow-up sessions for close-out of action items and follow-up of systems as engineering proceeds

Venue selection

The venue for conducting the analyses should be as follows:

► Sized for the core team plus temporary team members
► Desk space for the team
► Wall space for displaying facilities documentation (e.g. layouts, P&IDs)
► Suitably illuminated to allow PC projection and team data observation
► Flipchart or whiteboard for notes or parked items

Location of the venue:

► If the study involves a review of an existing facility or one being modified by a project, the study should be located near the operations facilities to provide easy access to the site for addressing questions that may arise during the study. Quick access to the facility might be especially needed if the status of facility documentation is poor, field visits are needed to check status on site, or actual performance needs to be verified through operator interviews.


► Consideration can be given to move the team session remote from the operations so that the team can focus its full attention on the review and not be subject to the distractions and disturbances of an operating facility or engineering office

► It is not recommended to move the venue to engineering contractor facilities since it limits the possibilities for integrating operating personnel and on-site visits

2.3.2. Setting up teams

HAZOP requires the input of an experienced and knowledgeable multi-disciplinary team led by an independent moderator / facilitator. For Retro-HAZOPs this is typically a team of 4-8 persons; for Project-HAZOPs teams are usually larger since operating and engineering personnel will be involved. In order to save team members' resources it may be agreed to involve specialists just on demand. In that case it is recommended to have regular wrap-up sessions (e.g. weekly) where all nominated members are present.

HAZOP studies done within projects shall not be done without involving the operations personnel responsible for future operations.

In the event that key personnel are not available to participate the HAZOP shall be rescheduled to ensure the proper participation. Similarly re-arrangement of the team and/or sessions shall be done if the team is under qualified to draw conclusions either about the scenarios or about suitable recommendations.

The optimum team size to be productive is 6-10 persons including moderator and scribe. Too small a team will not be able to cover the necessary multi-discipline expertise. In too large a team the discussions and agreement become unwieldy.

The team needs to cover all expertise as specified in the scope of the analysis (see also above):

► Understanding of and experience with the process/facility design and process intent
► Understanding of and experience with the equipment, design limits, materials of construction, and condition of equipment being reviewed
► Understanding of and experience with the day-to-day operations
► Understanding of the systems and procedures to control operations including those being safety relevant

Table 1: HAZOP team composition (Role / Tasks / Comment)

Moderator / facilitator
Tasks: Plans the study, agrees team composition, and leads the study. Encourages the discussion, ensures completeness of the hazards identified and scenarios discussed.
Comment:
- Mandatory
- Shall be independent from the organizational unit and the project.
- The moderator shall be approved by OMV regardless of whether selected by a contractor on a project.

Scribe / recorder
Tasks: Records the discussions in the mandatory format. Assists in planning and administrative duties. Potentially involved in follow-up activities. Ensures a fast and accurate protocol of the discussion and findings.
Comment:
- It is recommended that an independent recorder is used in all HAZOPs which take longer than 1 day or involve a team of more than 5 persons.
- The nomination shall be agreed with the moderator.
- For short sessions the recording may be done by the moderator.

Operations discipline
Tasks: Provides specific operations input, agrees qualitatively the residual risk level of the scenarios.
Comment:
- Mandatory
- In most cases the plant manager plus qualified staff

Process control discipline / instrument and control engineer
Tasks: Provides specific input in relation to instrument and control systems, safety instrumented systems, functional tests, etc.
Comment:
- Mandatory

Process engineering
Tasks: Provides a summary of the design basis and process chemistry, guidance on node selection, information on the design intent for each node, and specific process design information for the HAZOP team.
Comment:
- Mandatory for Project-HAZOP, part-time / available on demand for Retro-HAZOP

Design discipline
Tasks: Provides specific input on design, design limits, and materials. A number of design discipline engineers may be used as required, e.g. static mechanical, rotating machinery, etc.
Comment:
- Mandatory for Project-HAZOP, part-time / available on demand for Retro-HAZOP

Maintenance discipline
Tasks: Provides specific input on maintenance and inspection requirements, condition of the equipment, ability to maintain, integrity management, etc.
Comment:
- Part-time / available on demand

Electrical and (field) instrumentation discipline
Tasks: Provides specific input in relation to electrical and field instrumentation.
Comment:
- Part-time / available on demand

Process Safety Advisor / Engineer
Tasks: Contributes to the discussion from a safety point of view. Supports in planning the sessions.
Comment:
- Part-time / available on demand

Manager representative (site operations and/or project management)
Tasks: Depending on the nature of the HAZOP, the project manager, commissioning manager, plant manager, or production manager or their assignee may be present in addition to the Operations representative. Explains the context of the study.
Comment:
- Available on demand and to approve critical decisions

Independent experts / specialists, Vendor representation
Tasks: Provide expertise for the system and the study and provide relevant key advice; address intellectual property or other specific issues related to the Vendor design. May be invited on a part-time basis. Includes, for instance, chemists, environmental specialists, vendor package representatives and the commissioning manager.
Comment:
- The use of an independent expert should be discussed by the Moderator and the responsible authority, taking account of factors such as novelty, complexity, previous incident experience, necessity of cold-eye reviews, etc.

2.3.3. Ensuring competency for applying the method

The quality of the study is directly related to the competence and experience of the assembled team. The moderator will be instrumental in achieving effective output.

Study lead (moderator)

Study leaders shall meet the following requirements (see also HSSE-R-005 OMV Group Recommendation: HSSE Risk Assessment):

► Plan and lead the HAZOP study through its various stages consistent with OMV expectations and the requirements of this recommendation.

► Demonstrate practical experience in HAZOP studies through:

- Participated as a HAZOP team member on previous HAZOPs

- Acted as scribe for HAZOP sessions under the leadership of a competent HAZOP leader

- Co-led HAZOP sessions under the supervision of a competent HAZOP leader, either acting as scribe or participating as a team member

- Attended a HAZOP leadership training course at a recognized industry organization (e.g. IChemE) that provides instruction on preparing, leading, and documenting a HAZOP, as well as on the HAZOP technique itself

- Be familiar with the software used for recording.

► Ability to effectively lead teams and discussions

- Being alert to time pressures and ensuring that the quality, thoroughness, or integrity of the review is not compromised


- Advising facility or project managers of issues that could affect the integrity of the study and working with them to ensure an effective resolution. This could be HAZOP core team members not being available or not meeting the competency requirements, or deficient facility documentation.

- Compensating for language and cultural issues in multi-national teams

- Strong listening skills and confidence in expressing ideas/summarizing discussions to assist in gaining consensus

- Carefully not asserting undue influence over the direction and outcome of the proceedings

► Having a comprehensive knowledge of Process Safety Management

- Experience in other process hazard analysis such as LOPA, consequence analysis, reliability analysis, facility siting studies

- Knowledge of learning from incidents particularly for the type of facility being reviewed

- Knowledge of legislation and best practice standards as relevant for the type of facility

- Having reasonable discipline subject knowledge (e.g. an engineering degree) and if possible having experience in the type of facility being reviewed.

The authority of the HAZOP leader should be defined in the terms of reference of the study and agreed before initiating the HAZOP.

The HAZOP leader is responsible for correct application of the method. However, he is not responsible for ensuring comprehensiveness of identified scenarios, evaluating the consequence, evaluating the existing risk controls and proposing recommendations.

Scribe

Any HAZOP session taking more than a day (or involving more than 5 persons) should involve a scribe for documenting the analysis. This leaves the team members and the moderator free to concentrate on the details of the discussion without the burden of completing log sheets. The scribe (he/she is not a secretary) shall meet the following requirements:

► Trained in the use of the software used to record the study, with good typing and summarization skills

► Be familiar with the HAZOP process and the terminology used

► Be familiar with the facility being reviewed and its terminology

► Be capable of structuring scenarios and recommendations/actions in a clear and understandable way

► Ability to work with the moderator to ensure all parameters and deviations are addressed, unmitigated consequences are fully documented, and recommendations are clearly worded

Team

The team needs to be familiar with the principles of HSSE risk management, the objectives and the principles of the methodology used and their role in the assessment (see also above):

► It is strongly recommended that the team members attend classroom training on HSSE risk management as it is implemented in OMV

► In addition, it is recommended that the team members attend classroom training on the principles of HAZOP and its application within OMV

► The moderator shall deliver at the beginning of the session a formal induction to ensure common team understanding on the usage of the methodology (regardless of the formal training status of the team members). The duration of the induction depends on the knowledge and experience of the team members in applying the method (a 1-2 hour overview at the beginning of the first team review session is normally sufficient for this purpose). This mini-training shall cover the principles of the method as well as specific application for the type of facility being reviewed.


2.3.4. Gathering input information needed

Successful assessment requires that facility documentation exists for the scope of the review and is up-to-date. It is recommended to perform a formal documentation review prior to the assessment session:

► The review should ensure quality and completeness of the documentation to be suitable for the study. This should at least cover formal criteria (e.g. drawing titles, numbers, tag numbers for equipment, design conditions, etc.) and compliance with regulatory requirements

► For existing facilities the documentation needs to reflect the as-built status

► For projects the documentation should be sufficiently developed and the design finalized for the scope of the review

The extent of documentation and information depends on the scope of the study. For most applications the P&IDs are the key documents, which must be available on paper. Further documents may be available only electronically for look-up and reference. It is recommended to specify in the Terms of Reference which documents are needed electronically and which on paper. For HAZOP the input may comprise the following (see also HSSE-R-028 OMV Group Recommendation: Facility Documentation):

Table 2: Recommended documentation input for HAZOP

Document / information Comment

Piping and Instrumentation Diagrams (P&IDs)

P&IDs are the focal point of the HAZOP study. A single large set for a master and smaller individual sets for team members are recommended. HAZOP leader will use the large drawings in selecting a node (with color marking) and hang them on the wall during the HAZOP for easy team viewing. The leader or the scribe will maintain the master set for inclusion in the report.

Electrical and control loop diagrams

For HAZOP of electrical, instrumentation and control systems the loop diagrams play a similar role to the P&IDs in process HAZOPs

Process description and operating manuals

Mandatory for procedure HAZOP; for process HAZOP it may be sufficient if electronically available for cross check and review; if different operational modes are being covered all corresponding procedures need to be available (e.g. start-up procedures)

Block flow diagram / process flow diagram

Recommended for highly complex systems to allow oversight of the process

Process operating and design conditions

Necessary to cross check design specification; pipe classes should be indicated at P&IDs and/or process flow diagrams

Safe Operating Limits for Process Parameters

Necessary for consequence evaluation; safe operating limits refer to process design, product data (e.g. contaminants), operating conditions (e.g. temperature), asset integrity (e.g. corrosiveness, cycling), etc.; safe operating limits of main equipment are indicated on P&IDs and/or process flow diagrams; further information about safe operating limits may be part of the equipment data

Instrumentation and control

Necessary for evaluating failures and consequences; major control loops including trip and fail-safe conditions are usually shown on P&IDs; additional data (e.g. set-points, auto-diagnose functions) might be needed for reference

Alarms and interlocks

Necessary to evaluate control and shut-down systems; alarms and interlocks should be indicated on P&IDs

Cause and effect diagrams (trip matrix), emergency shut-down systems

Necessary to evaluate safeguarding by interlock and emergency shut-down systems; a separate document is required especially for complex process installations

Safety systems data (e.g. pressure relief valves, flare, vent, firefighting systems)

Necessary to evaluate safeguarding; data must include at least materials of construction, design basis (e.g. scenarios considered for sizing of the relief valves), operating characteristics (e.g. response characteristic), design codes and standards; for existing installation they should also cover inspection and testing history; reliability and failure data;

Equipment data for mechanical (static and rotating), electrical, instrumentation and control equipment

Necessary for evaluating failures and consequences and to cross check design data and safe operating limits; data must include at least materials of construction, design basis, operating characteristics (e.g. shut-off head for pumps, valve capacities), design codes and standards (e.g. pipe class specification); for existing installations they should also cover inspection and testing history; reliability and failure data


Material Safety Data Sheets (MSDS)

The information is needed to assess fire and explosion characteristics, reactivity hazards, safety and health hazards to workers, and corrosion and erosion effects on process equipment and monitoring tools

Heat & Mass Balance including inventory data

The information is needed for consequence evaluation; normally the inventory is indicated at the P&IDs and/or process flow diagrams

Legislative & Regulatory certificates and statutory submission

For cross checking compliance with specific legislative requirement

Hazardous Area Classification

Facilitates consequence evaluation of explosion risks; performing the hazardous area classification might be in the scope of the analysis

Previous HAZOP reports and reports from other hazard and risk analysis

Availability of these documents might speed up the discussion, though relying too much on previous studies carries the risk of overlooking risks and conclusions. For revalidation of studies this needs to cover also information about action close-out.

Layout plans (facility, plant, equipment) and isometric drawings

Necessary information to evaluate consequences and specific layout aspects (e.g. accessibility, escape routes)

Tie-in list (in-out connection of facility)

Necessary to check impact from and to the systems connected with the facility under review

Underground services and utility systems

If these systems are not in scope of the study at least main parameters need to be available for causation and consequence evaluation

Environmental data

Provide information about external hazards such as weather, seismic, public traffic.

Reports on relevant accidents and malfunctions including lessons learnt

Recommended to ensure that all reasonably foreseeable scenarios are identified and to cross check the plausibility of scenarios

List of changes

Facilitates the review of existing studies to comply with actual operating conditions

2.3.5. Preparing the checklists and record templates

Checklist of Deviations

The deviation checklist and the records should be developed ahead of the team meetings by the moderator (with the support of the scribe). This saves the team's resources and is a final check that all necessary material is available.

The deviation checklist needs to be appropriate to the system under review and the scope of the study. Along with the preparation of the deviation checklist, the moderator together with the lead process engineer might agree on how the system / process is split into HAZOP nodes. Example lists of deviations are provided in the Annexes for

► Continuous process HAZOP

► Procedure HAZOP

► Batch / sequential HAZOP

► Electrical, instrumentation and control system HAZOP

The standard HAZOP deviations as given in Annex 4 are usually sufficient to identify the majority of hazards.

Additional deviations (Annex 5) are provided to analyze more general aspects of the facility within the HAZOP study to cover the full range of hazards in the scope of the study. The selection of additional deviations depends on the type of process, the process intent and the scope of the study.

They may be further complemented by adopting SWIFT checklists. The use of these deviations should be agreed in the terms of reference for the study.

Preparation of documentation

Preparing the documentation templates ahead of the meeting may decrease the time needed for the team sessions. Similarly, the more administrative content of the report may be prepared


in advance, e.g. list of participants, lists of documents. The study documentation typically consists of a bundle of files recording the discussions and decisions made, see also Section 2.4.9.

2.4. Performing analysis

2.4.1. Initial discussion, kick-off the sessions

At the start of the study session the moderator should spend a brief period of time reminding or training the team as necessary to ensure that everybody is at the same point of knowledge. This pre-analysis discussion should focus on, but not be limited to:

► Study objectives and expectations

► Principles of the method and specific usage for the type of facility being reviewed

► Scope of application and exemptions made for the specific analysis

► Ensure that all team members are familiar with the major design and operating principles

► Review the accident history of that type of unit to identify special topics for discussion

► Ground rules for the study and expectations of team members

► Rules for documenting results (e.g. nomenclature)

The team should have a high level review of the process and the facility to have the process fresh in mind and to get a sense of the scale and orientation of the process, the surrounding facilities, and the location of operating and co-located personnel. A review of the facility layout should be included. This may be achieved using a model, plot plans, or a plant walk through. The beginning of the discussion summarizes:

► Hazards of the process.

► Previous incidents with catastrophic potential.

► Engineering and administrative controls.

► Consequences of failures of engineering and administrative controls.

► Facility siting/layout.

► Qualitative evaluation of safety and health effects.

► Other regulatory issues.

2.4.2. The HAZOP process - oversight

The effectiveness of HAZOP in identifying hazards comes from asking all HAZOP deviations according to a structured plan which ensures complete coverage. The analysis shall follow the process as outlined below.


Figure 1: Process of HAZOP Analysis (flow chart), with the following steps:

► START

► Split system into nodes

► Select a node for review

► Describe the design intent

► Select a deviation from list

► Identify causes

► Assess consequences

► Evaluate safeguards

► Are the risk controls adequate? If NO: make a recommendation; if YES: continue

► Repeat for all causes; repeat for all deviations; repeat for all nodes in the scope of the study

► END

The subsequent paragraphs provide guidance on the steps of the process. The Annexes contain guidance on the selection of deviations as well as guidance for performance specifically for the different forms of HAZOP.

2.4.3. Selecting HAZOP nodes (study sections) and specifying the design intent

The HAZOP moderator splits the process under review into nodes with consideration of team input. The nodes are either physical subsystems of the entire process or steps / phases of a procedure. The nodes should be selected by function to ensure that the design intent can be clearly and easily understood. The following criteria should be considered in selecting the end point for the next study section:

► Change in design intent (e.g. pressure change due to a pump)

► Significant change in state (e.g. from liquid to vapor)

► Major equipment items with different process parameters (e.g. separation column with its association to other equipment)

► If a node has more than one design intent each operating mode shall be discussed separately

There are no general rules about the node size. The decision is left to the moderator and the team by their experience and skills. Factors influencing the node size are:


► If the nodes are too large (e.g. containing multiple process lines and equipment items) the application of the deviations might confuse over which piece of process equipment is being discussed and hazards might be missed.

► Complex process systems or process control systems usually require smaller nodes.

► When selecting many small nodes it should be recognized that the interfaces between nodes may hold a significant hazard that might be missed.

► Nodes that are very small, such as a single process line, often lead to longer study times as each deviation needs to be recorded more times and for every node the hazards resulting from the interface to the other nodes need to be discussed.

The boundary limits and the different operating modes of each node shall be clearly specified, documented in the report and marked at the HAZOP master documents.

The HAZOP method identifies hazard and operability problems within a node caused by deviations leading to situations beyond the design intent. HAZOP rests on the fundamental assumption that there are no hazards to safety or operability when the system is operating within the design intent. The deviations are generated by applying guidewords to the process parameters which qualify the design intent.

At the beginning of each node a person knowledgeable about operations and design shall describe the design intent. This includes process parameters such as flow, temperature, pressure, level, composition, and materials selected for design. It defines how the system is expected to operate as intended for normal and abnormal operating conditions including transient conditions (e.g. start-up) and operational modes (e.g. cleaning mode). This ensures that each team member has an adequate knowledge of the process and the way sections operate within the overall design.

The design intent shall be stated in the HAZOP report.

2.4.4. Selecting and applying HAZOP deviations

Once the node and design intent are stated the team works through the list of deviations to identify possible causes leading to each deviation. Deviations are generated by applying the guidewords to the parameters. For lists of typical guidewords see e.g. IEC61882. The Annexes list deviations which are typically used in Oil and Gas processing units for the different forms of HAZOP.

The standard deviations as specified by the scope of the study should each be applied to each node in turn. If no issues are found, it should be documented that the deviation was considered, but there were no issues of concern.

The process for selection of deviations should be documented in the HAZOP report. The moderator and team should be careful in the selection of deviations because it could place a limit on the types of hazards which could be identified or stretch the limits of the agreed scope of the study.

2.4.5. Identifying scenarios

The HAZOP leader leads the discussion by applying the deviations and perhaps suggesting possible causes. The team should then be encouraged to discuss the causes, consequences, and possible actions for each deviation. As hazards are detected, the HAZOP Moderator should make sure everyone understands them.

All possible causes should be stated for each deviation. There might be multiple causes for each deviation which need to be discussed separately. Likely causes or initiating events should be readily identifiable in the report. It is the responsibility of the team under the lead of an experienced moderator to assure that all initiating events are considered and all equipment in each node is investigated.

The identification of possible causes should be according to following principles:

► It is assumed that the design of the equipment and pipe work is in accordance with all relevant national laws and regulations and corresponds to the normal operating conditions.

► For equipment and pipe work the appropriate design for the normal process conditions including their reliability is in principle presumed. The given scenarios (e.g. corrosion scenarios) represent conditions which exceed the normal operating conditions.


► HAZOP normally considers single failures, although multiple failures arising from a common cause or common mode failures can be considered. “Double Jeopardy” failures where two unconnected failures are considered should be avoided except where one of the failures can be a latent or undetected fault. Latent faults make the potential for the coexistence of two failures much greater.

► Causes should only stem from the node under review. However, causes and consequences can extend beyond the node definition. They need to be covered by applying the deviation to the interface parameters, i.e. more flow from the system boundary (without any assumption about the reason outside the node that causes that more flow).

► Causes need to assume technical as well as human failures and external causes (with unspecified origin).

► The consideration of human failures should follow the human factor model given in Annex 2. Usually sabotage and criminal acts are excluded as cause if their impacts and adequacy of risk controls is assessed in an overall security risk analysis.

► Scenarios may be grouped if they relate to the same underlying cause and feature similar consequences (e.g. manual valves in series).

► If an equipment failure is stated as cause, normally no further detailing is done of what led to that failure. I.e. malfunctioning of a control valve stands for technical failures as well as failures in operating that control valve. However, specific human failures should be addressed in procedure HAZOP.

► For continuous process HAZOP it might be agreed to exclude faulty operation of equipment which is solely used for inspection during plant stop (e.g. isolation blinds). However, their faulty operation needs to be considered in procedure HAZOP (e.g. preparation for turnaround).

► For safety related equipment only those failures are to be considered where the equipment assumes its fail-safe position due to a spurious / faulty trip (e.g. closing of a valve by its fail-safe spring even though the operational situation does not call for closing, such as on loss of instrument air).

► Some causes may be identified in multiple deviations. The record may be shortened by cross reference to the deviation where the consequences and safeguards are fully defined and documented (e.g. closing of a valve may result in no flow and low pressure at the same time).

► Causes should not be a restatement of the deviation or consequences.

► Causes should not be skipped because they are considered only operationally relevant. First, it is a strength of HAZOP to identify operational issues as well, and second, safety related issues sometimes hide behind operational issues.

► Causes should not assume any safeguard working.

► All potential causes associated with the current deviation should be identified before assessing the consequences. This helps in ensuring that all possible causes associated with a deviation are identified.

2.4.6. Evaluating consequences

When assessing the consequences, the team develops the chain through to the reasonable foreseeable outcomes, assuming that no safeguards work. Consequences shall consider impact to human, to the environment, to asset value and production availability.

It is important to assess the consequences without giving credit to any safeguard or mitigating measure (i.e. all available safeguards are assumed to fail). This allows check of availability and appropriateness of the safeguards in the next step of the analysis.

► Consequences shall refer to known accidents; it may be beneficial to consult dispersion modeling to fully understand the range of releases of hazardous materials.

► Causes and consequences can extend beyond the node definition. Consequences should only be considered within that node. Possible consequences on other nodes are to be covered by applying the deviation to the interface parameters, i.e. more flow from the system boundary.


► Consequences need to be clearly described as they might be an input for further detailed risk analysis such as LOPA.

► The team needs to stay focussed on worst credible outcomes at low likelihood as well as on less severe outcomes which might be more likely.

► It is possible that a number of different consequence chains are identified.

► Consequence estimates need to be reasonable; underestimating may lead to inadequate risk management; overestimating may lead to more safety measures than warranted, which increases lifecycle cost and may even introduce further risk due to higher complexity of the system.

► The consequences need to describe the entire credible accident scenario. This may also include secondary consequences such as overheating following a lack of cooling water caused by a cooling water pipeline rupture.

2.4.7. Evaluating risk controls

In this step any available technical safeguards and operational controls shall be identified for detecting, preventing and mitigating the hazards. Safeguards may reduce the likelihood of occurrence by preventing the failure or interrupting the escalation of the consequence chain, or they may reduce the severity of the outcome by mitigating the accident impact level.

The risk control shall follow the HSSE risk management principles (see HSSE Risk Management Standard):

► Elimination of a hazard is preferable to managing it

► Prevention of a hazardous event is preferable to mitigating it

► Technical safeguards are preferable to operational controls

► Passive safeguards (self-acting) are preferable to active safeguards

Safeguards need to be effective in controlling the hazard. It is not necessary to list every conceivable safeguard. The focus should be on identifying the most effective safeguards which counter the given cause and its credible consequences. Effective safeguards consist of functions to detect and to react to excursions from the safe operating limits (see also the protection layer model as given e.g. in IEC61511).

The evaluation of safeguards should be according to the following principles:

► Safeguards must be independent from the cause:

- If a failure of a control device is considered as possible cause it is assumed that the entire loop fails. This means any alarm or indication of this loop is not considered as safeguard, with the exception of cascaded controllers.

- An operator action must not be considered as safeguard if an operator failure is the assumed cause and the operator action simply revokes the cause (i.e. mistakenly opening a sewer valve cannot be controlled by the operator closing that valve). The only exception is if there are two independent operators involved and/or there is an independent alarm which unambiguously alerts the operator.

► Care should be given to conditions which may impair the functionality of the safeguards. This may also include accessibility aspects.

► For relief valves their capability for the given scenario must be confirmed, i.e. set-pressure, valve size and conditions which may impair their functionality such as two phases or blocking. This confirmation is usually done by checking the design data of the relief valve. If the design scenarios are not available it might be necessary to re-confirm the design by calculation.

► If a process or facility alarm is listed as safeguard, it must be accompanied by information on what activities will be performed in response to the alarm. Here the clarity of the alarm as well as the time needed and the capability to execute an action need to be analyzed.

► For operating procedures listed as safeguard it shall be confirmed that they are described in operator's manuals or handbooks and that operating personnel are trained accordingly.


► For safety instrumented functions their safety integrity level (SIL) must be confirmed. This requires analysis of the SIL classification as well as proof that the system corresponds to that SIL.

- It is recommended to perform the SIL classification in the context of the study (e.g. after a node has been completed).

- The recommended practice within OMV Group for SIL classification is the LOPA method (Layer Of Protection Analysis).

- If available, the SIL proof is done by simply checking the data sheets of the safety instrumented functions. If data sheets are missing the SIL confirmation needs to be done outside of the study (see Functional Safety Management acc. IEC61511, EN62061, VDI/VDE2180, etc.).

► For shut-down systems including relief valves the trip points need to be confirmed to have appropriate safety margins, e.g. for pressure relief systems to ensure that the pressure reached during response is within the design limits. For shut-down systems this also requires consideration of temporary bypass of the trip values which might be necessary during start-up or shut-down.

► Special care should be given to the performance of process control systems when operated out of range, in manual mode (e.g. forcing), in advanced-control mode, or to their features for compensating signals at transmitter failure, etc.

► The fail-safe condition in the case of lack of utilities should be evaluated for each node separately and for each type of utility. Here the assumption for the entire unit is made, that the unit also reaches safe condition in the case of lack of utilities if each node reaches safe condition.

► The safeguards need to be clearly described and identifiable for follow-up of the study: Equipment tag, name, information of the response action, etc.

► Usually general concepts for safeguarding the facility are not listed for a specific accident scenario. These comprise precautionary measures referring to a group of accident scenarios such as general ignition protection requirements (EX-classified electrical equipment in process areas), firefighting services, facility siting, etc. The appropriateness of these measures shall be analyzed under a suitable HAZOP deviation (e.g. ignition protection, emergency services) or may be analyzed by a SWIFT study.

► For following-up the study it has been found useful to flag safeguards. Flag criteria might be: safety related equipment, independent verification needed by legislative requirements, operational controls, manual interaction, etc.

► It is recommended to review the alarm prioritization concept within the HAZOP (see e.g. EEMUA Publication No. 191). The prioritization concept needs to be agreed prior to the study. Criteria may be:

- Safety critical alarms whose set-points must not be changed by the operator and which need to be configured in safety related systems to hinder easy bypassing of the alarm

- Alarms critical to the availability of production whose set-points must not be changed by the operator but which can be configured in the standard process control system

- Operational alarms whose purpose is to call up the operator about production deviations but which do not require immediate attention. They may be configured by the operators as convenient to them.

► It is recommended to perform a detailed review of operating windows within the study. However, it shall be noted that scheduling the study needs to account for the additional effort needed to perform a comprehensive review. Operating window monitoring uses process data to create performance indicators related to the reliability of the facility. For this, the margins for specific process parameters need to be specified. This may focus on long-term degradation mechanisms, accumulative effects (e.g. cycling), and thresholds for accumulating emissions (e.g. flaring).

2.4.8. Evaluating residual risk levels and proposing recommendations

HAZOP evaluates the risk on a purely qualitative level using the expertise and experience of the team members. The team decides for each scenario whether the given safeguards are sufficient to reduce the risk below an acceptable limit. If the measures are considered to be insufficient, adequate recommendations for further risk reduction are given in the action list. Multiple or optional recommendations may be required to meet expectations.

Risk evaluation criteria

There is a constant desire to plot HAZOP scenarios against the consequence and likelihood levels of a risk matrix in order to show the facility status on a simple heat map. Whereas consequence levels are usually simple to identify, the associated likelihood levels are not easy to evaluate in a comprehensive, traceable manner. Factors that contribute to such failings are the consideration of equipment failure rates (for causes and safeguards), human failure rates (for causes and in responding to scenarios), occupancy data of persons in the vicinity of the accident scenario, etc. Usually a simplified “tick-on-the-matrix” approach cannot cope with these factors, which eventually leads to misleading conclusions.

► No attempt shall be made to convert scenarios into a risk number by simply selecting likelihood and consequence levels from a matrix. In particular, a HAZOP worksheet must not contain consequence and likelihood columns used to calculate a risk number for each scenario.

► The risk matrix for single scenarios given in HSSE-R-005 OMV Group Recommendation: HSSE Risk Assessment may be used as a reference document to assist the team in the relative evaluation of scenarios against each other, to provide orientation for risk tolerance limits and for prioritizing recommendations.

► The primary objective of HAZOP is hazard identification which is to identify problems and develop solutions to overcome these problems. Other methods are more convenient for risk ranking and creating heat maps.

► As a rule of thumb: The residual risk is seen intolerable if human intervention is the only safeguard to control the risk of fatality (or similar severe consequences). At least one additional effective, technical risk control is needed.

Proposing recommendations

If the team is not satisfied with the level of protection or another issue is perceived to need further attention, recommendations should be proposed for management consideration:

Recommendations shall be made if the available safeguards are unlikely to control the scenario or there is a shortfall in compliance with regulatory or best practice requirements. Priority should be given to improving controls of risks which may impact humans or the environment. However, operability concerns should also receive significant attention. This includes recommendations which improve information to ensure safe and reliable operations.

► Recommendations should be understandable, concise, and unambiguous: the desired solution (what is wanted), its specific location (where is it wanted) and the reason it is considered necessary (why is it wanted). They should be written as stand-alone, i.e. without need to consult the worksheets. They should clearly state the objectives which must be achieved to provide a solution to the potential problem.

► In developing recommendations, the team should propose feasible solutions (technical and commercial); attempts to engineer the details of the solution during the review should be avoided.

► If the team is not certain how to control the hazard it should recommend a further study to determine a solution. However, recommendations calling for further review should be avoided, since they require a final review by the team.

► In rare situations the team may recommend an intermediate solution together with a more appropriate final solution if the latter cannot be implemented as fast as the criticality of the scenario warrants.

► It is not unusual that the team recommends removal of safeguards. This seems to contradict risk reduction; however, unnecessary safeguards increase the complexity of the system and their removal is indeed a risk reduction (e.g. removal of alarms).

► Recommendations are usually not specific actions. Rather, they alert management to potential problems that require action. However, if a problem is simple, if the team is quite experienced, or if there is only one solution, a recommendation may be a specific corrective action.

► The team should refrain from developing recommendations when the team is satisfied that the safeguards adequately deal with the potential consequences.

► If the team cannot reach consensus on a recommendation, the study leader shall be the final arbiter.

The scrutiny of HAZOP studies usually results in a large number of recommendations, ranging from correcting documentation errors to major changes in the design. The follow-up process is improved by:

► Adding flags to categorize the recommendations allows getting a quick overview of the scope of the recommendations; e.g.:
- Compliance: recommendations which need to be implemented to comply with regulatory or best practice requirements (e.g. as stated in an OMV engineering practice)
- Check: findings which need further clarification (e.g. field verification) because the team cannot decide on a recommendation (e.g. due to lack of documentation)
- Configuration: recommendations to change the configuration of existing equipment within its design limits (e.g. change of alarm set-point)
- Procedure: amending operating procedures and instructing operating personnel
- Documentation: recommendations to correct flaws in the facility documentation

► Prioritization of recommendations facilitates resource planning. It should be based upon the criticality of the risk they relate to and the anticipated time and resources needed to implement them. Prioritization may be in the scope of the study; the system for prioritization needs to be agreed with the risk owner before the study and shall be in line with the HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard.

2.4.9. Recording results and issuing reports

The scribe shall record the analysis online using a computer and a projector so that everyone can see what has been recorded and agree on it. The more administrative parts of the log sheets (e.g. team lists and attendance) may be completed outside the team session.

It is recommended to perform regular wrap-up sessions (e.g. weekly) involving the whole team if specialists join the analysis only on a part-time basis.

Content structure of the full report

The report documents the scope, approach, identified hazards, analyzed scenarios, and findings resulting from the study. The full HAZOP report will feature as follows:

Table 3: HAZOP report contents

File / Content

General part
- Brief description of the system, area, and operation under review
- Terms of reference of the study (objectives, background of the study, scope, methodology used, assumptions, etc.)
- Date and revision of the analysis
- Management summary: a summary of the most critical recommendations along with any general issues or themes which emerge from the analysis (see also Section 2.5.2)
- List of appendices (listing the files as given below which constitute the full report)

List of Participants
- Name (ID), organization, function, expertise / role within the analysis, attendance (refer to List of Sessions), comments as needed

List of Sessions
- Date (ID), location, team attendance (refer to List of Participants), nodes analyzed (refer to HAZOP Worksheet), comments as needed

List of Documents / Information used
- Document ID, type, description, revision / date of revision, used for node (refer to HAZOP Worksheet), comments as needed

HAZOP Worksheet
- Node ID, node boundaries, design intent incl. important parameters, documents / information used (refer to List of Documents / Information used), data of session incl. team members (refer to List of Sessions / Participants)
- Deviation, cause, safeguard, recommendations (refer to List of Recommendations), comments as needed

List of Recommendations
- Recommendation ID, description, resulting scenario (refer to HAZOP Worksheet), responsible, priority (risk ranking)
- During action follow-up the list of findings will be complemented by action tracking comments, result, status and date of conclusion

Master documents
- Scans or photos (readable) of the marked master documents: e.g. P&ID with marked nodes and highlighted findings, PFD with marked nodes, process description, etc.

Further records from analysis, e.g.:
- Worksheets from classifying SIL (Safety Integrity Levels) of safety instrumented systems
- Outside information used to evaluate scenarios

Guidelines for recording the analysis

The report serves as the permanent record of the study and is used by people who were not part of the team. The report is the only indicator of the quality and completeness of the study, and serves as a record of the team’s diligence. The report should receive close scrutiny for the clarity and accuracy of the explanation of each scenario and finding. The following guidance for recording shall be adhered to:

► If the team does not identify any cause for a deviation, it shall be recorded that the deviation was considered, e.g. by documenting “no feasible cause identified in that node” or “not applicable to this node”.

► Reference to equipment shall be by equipment tag and name. The first provides unique identification and the second enhances readability of the report.

► The node shall be clearly marked on P&IDs or other relevant documents. Typically this is done with colored highlighters.

► It is useful to indicate the recommendation numbers on the master documents. This might be done outside the team sessions.

► The records shall clearly indicate that previous incidents have been reviewed (i.e. accidents, near miss, process upset, critical technical failures of equipment).

► Clear reference shall be given if outside information is used to evaluate scenarios. This information can be detailed consequence analysis, pressure relief valve calculations, logs from operations and maintenance, etc. It facilitates following-up the study if such information is attached to the full report.

► Findings and recommendations shall have a clear reference to the scenario or point of discussion. This ensures follow-up and close-out of actions and facilitates the MoC process for implementing the actions.

► The findings and recommendations shall be written as standalone text (i.e. understandable without the HAZOP worksheet). They should be achievable and have a clear point of closure. The reference to the scenario / source shall be kept to allow for understanding of the context.
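The recording rules above and the rule of thumb from Section 2.4.8 (human intervention must not be the only safeguard against a fatality) are mechanical enough to be checked automatically before a report is issued. The following Python script is an added example, not part of this recommendation or of any hazard identification software; it runs the checks over a small worksheet constructed inline. The field names (node_id, tag, kind, scenario_ref, ...) are assumptions, and a real PHA-Pro or spreadsheet export would need to be mapped onto them.

```python
"""Consistency checks for a HAZOP worksheet export (added example).

Applies recording rules from the text to a worksheet held as plain
dataclasses: deviations without a cause need an explicit note, safeguards
need tag and name, recommendations must reference an existing scenario and
carry responsible/priority, no risk-number columns, and a fatality scenario
must not rely on human intervention alone. Field names are assumptions.
"""
from dataclasses import dataclass, field

# Columns that must not appear on a HAZOP worksheet: the text forbids
# scoring scenarios with likelihood/consequence levels from a matrix.
FORBIDDEN_COLUMNS = {"likelihood", "consequence_level", "risk_number"}

# Free-text markers that record "deviation considered, no cause found".
NO_CAUSE_MARKERS = ("no feasible cause identified", "not applicable to this node")


@dataclass
class Safeguard:
    tag: str            # equipment tag, e.g. "PSV-101" (constructed)
    name: str           # readable name, enhances report readability
    kind: str           # "technical" or "human" (operator response)
    flags: tuple = ()   # e.g. ("safety related",) for follow-up filtering


@dataclass
class Scenario:
    node_id: str
    deviation: str
    cause: str
    consequence: str
    fatality_potential: bool
    safeguards: list = field(default_factory=list)
    recommendation_ids: list = field(default_factory=list)


@dataclass
class Recommendation:
    rec_id: str
    text: str
    scenario_ref: str   # "<node_id>/<deviation>" key of the originating scenario
    responsible: str
    priority: str


def scenario_key(s):
    return f"{s.node_id}/{s.deviation}"


def check_columns(columns):
    """Return forbidden worksheet columns (case-insensitive), sorted."""
    return sorted(FORBIDDEN_COLUMNS & {c.lower() for c in columns})


def check_scenario(s):
    """Return (scenario key, message) problems for one worksheet row."""
    problems, key = [], scenario_key(s)
    cause = s.cause.strip().lower()
    if not cause:
        problems.append((key, "no cause recorded and no 'no feasible cause' note"))
        return problems
    if cause.startswith(NO_CAUSE_MARKERS):
        return problems  # deviation was considered; nothing further to check
    for sg in s.safeguards:
        if not sg.tag or not sg.name:
            problems.append((key, f"safeguard '{sg.tag or sg.name}' lacks tag or name"))
    # Rule of thumb: a fatality scenario needs at least one technical control.
    if s.fatality_potential and not any(sg.kind == "technical" for sg in s.safeguards):
        problems.append((key, "fatality potential controlled by human intervention only; "
                              "at least one technical risk control is needed"))
    return problems


def check_recommendations(scenarios, recs):
    """Cross-check the recommendation list against the worksheet."""
    keys, known, problems = {scenario_key(s) for s in scenarios}, {r.rec_id for r in recs}, []
    for r in recs:
        if r.scenario_ref not in keys:
            problems.append((r.rec_id, f"references unknown scenario {r.scenario_ref}"))
        if not r.responsible or not r.priority:
            problems.append((r.rec_id, "missing responsible party or priority"))
        if len(r.text.split()) < 8:   # crude stand-alone (what/where/why) check
            problems.append((r.rec_id, "text too short to be understood stand-alone"))
    for s in scenarios:
        for rid in s.recommendation_ids:
            if rid not in known:
                problems.append((scenario_key(s), f"cites recommendation {rid} not in list"))
    return problems


def run_checks(scenarios, recs, columns):
    problems = [p for s in scenarios for p in check_scenario(s)]
    problems += check_recommendations(scenarios, recs)
    return {"forbidden_columns": check_columns(columns), "problems": problems}


# Constructed sample worksheet; tags and nodes are invented for illustration.
SAMPLE_COLUMNS = ["node_id", "deviation", "cause", "consequence", "safeguards", "recommendations"]
SAMPLE_SCENARIOS = [
    Scenario("N1", "more pressure", "control valve fails open", "vessel overpressure", True,
             safeguards=[Safeguard("PSV-101", "relief valve on V-101", "technical", ("safety related",)),
                         Safeguard("PAH-101", "high pressure alarm", "human")]),
    Scenario("N1", "less flow", "pump trip", "loss of production", False,
             safeguards=[Safeguard("FAL-102", "low flow alarm", "human")]),
    Scenario("N2", "high temperature", "loss of cooling water", "runaway reaction", True,
             safeguards=[Safeguard("TAH-201", "high temperature alarm", "human")]),
    Scenario("N2", "reverse flow", "No feasible cause identified in that node", "", False),
    Scenario("N3", "more level", "outlet valve closed", "overfill", False,
             safeguards=[Safeguard("", "high level alarm", "human")], recommendation_ids=["R-9"]),
]
SAMPLE_RECS = [
    Recommendation("R-1", "Install a high-high temperature trip on R-201 closing the feed valve, "
                   "because the alarm alone is the only safeguard against a runaway reaction.",
                   "N2/high temperature", "Process Eng.", "1"),
]

if __name__ == "__main__":
    for key, msg in run_checks(SAMPLE_SCENARIOS, SAMPLE_RECS, SAMPLE_COLUMNS)["problems"]:
        print(f"{key}: {msg}")
```

Run on the constructed sample it reports three findings: the N2 runaway scenario has only an alarm against a fatality, the N3 high level alarm lacks an equipment tag, and N3 cites a recommendation that is not in the list; the "no feasible cause" row passes as correctly recorded.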

Usage of software

Specialized hazard identification software has many benefits and should be used for analyses which are scheduled to last more than 2 days. Shorter sessions can be undertaken using various standard office software packages.


This recommendation does not stipulate the type of software to be used though there is a recommendation for PHA-Pro (Dyadem, IHS). Regardless of the software the information needs to be maintained as indicated above.

► Hand-over / archiving of the information shall be electronically in the file format of the software.

► In any case hand-over of the report shall be in Word and/or pdf so that it is readily accessible for people without that specialized software.

Hazard identification software facilitates numbering systems (IDs), cross referencing and session data management. Templates and libraries support quality control and the comprehensive application of deviations and checklists. It allows easy creation of customized reports in addition to the lists which constitute the full report; e.g. filtering findings by priority, extracting scenarios which contain recommendations.

2.5. Implementing results

2.5.1. Communicating findings and distributing protocols

Finalization of the report

The study team is responsible for the quality, accuracy, and completeness of the study worksheets. Once the team sessions are complete, the report is finalized by the moderator (with support of the scribe). The interim report shall be distributed to the team to get their agreement.

After the final review session, the report should be issued in draft and major findings presented to operations management. They may wish to ask questions about the analysis or have a debriefing meeting on ways to improve HSSE performance of the facility.

Finally the report shall be signed by the moderator and the risk owner. The approval by the risk owner is a commitment of the operations management to implement the findings.

Distributing and archiving the report

The approved report needs to be distributed to the report recipients and distribution list as identified in the terms of reference and shared within the organization to allow implementation of the findings. Further stakeholders to be considered in sharing conclusions can be persons who are exposed to the identified hazards.

It is expected the report will be used throughout the plant lifetime (by staff not involved in the original study). Some core thoughts that relate to this are the linkage to field verification of safeguards, management of change, operating instructions, permit-to-work, training, accident investigation, etc.

The full report (content see paragraph above) shall be made a controlled document in accordance with the document control procedures of the facility under review. Usually this will be done electronically; care needs to be taken to retain master documents (e.g. marked P&IDs). It is recommended to maintain the action list arising from the findings together with the report.

The report needs to be accessible for reference in following-up the study and its findings, management of change, further hazard and risk analysis related to the facility, revalidation of the study, etc.

All report and tracking information should be readily available for audit and review.

2.5.2. Hazard and Risk Register

HAZOP worksheet outputs do not typically generate lists automatically that can be used directly in conventional hazard and risk registers or hazards and effects registers (see also HSSE-R-005 OMV Group Recommendation: HSSE Risk Assessment). Although the techniques are recognized as hazard identification, they are in practice more concerned with the evaluation of detailed scenarios to reduce the effects of hazards and operability problems. The worksheet might be understood as a hazard register; however, it is too detailed to communicate the overall risk profile. The elaboration and/or update of a detailed hazard and risk register needs to be addressed in a separate session.

The qualitative summary of the overall risk situation of the facility under review shall be given in the general part of the report to provide an overview of the risk situation to management and allow them to take immediate efforts for corrective action and resolution:

► The most critical recommendations together with the scenarios they resulted from
► The scenarios which involve the most severe consequences and the status of their control
► Number of recommendations and their principal scope
► Any other issue or theme which emerges from the analysis and may warrant management attention

It is highly recommended to include the conclusions and findings from the study in the bi-annual risk runs of the enterprise-wide risk management system (i.e. amending consequence and likelihood data by consideration of identified performance issues).

2.5.3. Following-up findings

The effectiveness of systematic hazard analysis is directly linked to the effectiveness of the process of following up recommendations. This recommendation does not give detailed guidance for documenting and tracking the implementation of actions to correct deficiencies identified by the study. However, effective risk management must assure that recommendations are resolved in a timely manner and tracked until close-out (see also HSSE-R-005 OMV Group Recommendation: HSSE Risk Assessment). In doing so the aspects given below should be taken into consideration:

► Each finding should be associated with a responsible party (person and/or organization), a priority and a target date for completion. The priority needs to reflect the residual risk level. The completion date needs to reflect the effort for completion and, if applicable, operational constraints on completion (e.g. requirement to wait until the next outage).

► Especially technical findings may require engineering a suitable solution. The different options should be recorded so that the final decision can be assessed (e.g. during revalidation of the study).

► Any major deviation from the finding, including reasons to reject a finding, should be recorded with justification so that the decision can be re-assessed. In such cases it is recommended that the risk owner informs the higher management level so that they are aware and agree.

► For projects, action follow-up is integrated in the gate-review process. The project reviews ensure close-out of actions prior to start-up of the system (see project management, operational readiness and pre-start safety review).

► The risk owner shall ensure that status of the actions is followed through until conclusion. It is recommended that a person is made responsible to do this.

► Operations management together with the risk owner(s) should perform formal status reviews of the open actions at regular intervals (e.g. quarterly at facility level / function level).

► Action tracking can be done manually or in computerized systems as convenient for the facility. Actions which are directly associated with a risk that is registered in ARMS or CARE should be tracked in that respective system. For all other actions other systems might be more convenient, with only the overall status of the action list tracked in CARE or ARMS to ensure that recommendations continue to receive focus.

► Recommendations from different studies may be consolidated into one action list at facility level. The tracking system has to maintain the reference to the source of the action.

► It is highly recommended to deploy Management of Change for the implementation of the findings. This might involve further hazard identification studies to guard against the ultimate solution inadvertently introducing a new risk.

► Action tracking systems ideally allow easy reporting of status and progress. They maintain all necessary information to show that recommendations are resolved in an auditable and verifiable manner.

2.5.4. Updating and revalidation of the study

The general requirements for updating and revalidation of systematic hazard and risk analyses are given in the HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard. The process ensures that the study consistently reflects the actual status of the facility and that the risk controls comply with the state of the art, including the latest findings from incidents. This may require updating some parts of the study, a complete revision of the study or even redoing the study.

The process of revalidation follows the same principles as stated above.

The scope and method of revalidation shall be specified in the terms of reference (see Section 2.2.3) prior to the review sessions with consideration of the following criteria:

► Updating specific scenarios:
- For close-out of actions
- Learning from incidents specifically related to a cause, consequence or safeguard
- Management of Change when modifying specific equipment, process controls and protection systems

► Updating specific parts / nodes:
- Decommissioning of subsystems of the unit, integration of new subsystems
- Decommissioning of systems connected to the unit, connection to new systems
- Management of Change when related to product specification, to operations control philosophy and protection systems, etc.
- Project activities related to subsystems of the installation
- Learning from incidents related to operations control of a subsystem
- Following the progress of engineering and design during projects (e.g. details from vendor packages becoming available); at the latest prior to start-up of the system

► Complete revision:
- Revalidation following the 5 year cycle
- Management of Change when related to fundamental changes of the operations control system (e.g. upgrade of process control system, outsourcing of operational activities), major changes in legislation, major changes in the organization responsible for that facility, changes of numbering system, changes in the inspection and maintenance regime
- Project activities to revamp the facility
- Learning from incidents related to management system controls
- The risk owners suggest a change of the HAZOP scope (e.g. inclusion of procedures)

► Redoing the study:
- When the risk owner requests to do so
- When the terms of reference applied for the existing study largely differ from the expectation stated here
- When the existing study was done during the project and did not appropriately involve operating personnel
- When no comprehensive study exists which covers the entire facility under review (e.g. a loose collection of various project studies)
- When the study is older than 5 years and the study record does not indicate findings
- When the facility documentation differs widely from the actual status of the facility or features major gaps (e.g. P&ID missing, equipment data missing)
- When the incident record indicates a lack of understanding of the hazards and risk controls of the facility
- When a high-level quality review of the existing study identifies gaps in identifying common hazards (review to be done by a person independent from the original team)
- Newly acquired facilities

The review should at least cover:

► Incorporation of all modifications which have been carried out
► Check of the existing protection systems against the state of the art (i.e. factory and public standards)
► Critical review and incorporation of findings and action items
► Critical review of scenarios which have been found ALARP and, thus, require periodic review
► Review of the study reflecting the actual status of the facility (as indicated in the facility documentation)
► Integration of study reports after hand-over from project to operations

The review team does not need to include the team members involved in the original study. However, it is helpful and improves consistency if at least one original team member is involved. Conversely, it is not recommended to perform a complete revision or redo of the study with a majority of original team members.

The final, revalidated report needs to indicate the status of the study (i.e. date and revision number). It is recommended to track the scope of revalidation and the motivation for the revision in a List of Amendments within the study report.

2.6. Quality Review of the Study Performance

Regular independent reviews are used to evaluate the implementation of this recommendation at facility level. The results of these reviews will be used for continual improvement of the recommendation and its application. The reviews shall cover the more general management processes for planning and performing the studies implemented at facility level as well as the content review of the studies themselves.

The following minimum criteria shall be considered in audit and review:

► Management processes:
- Was the risk assessment documented properly?
- Does the documented risk assessment correspond to the actual as-built situation?
- Does the team cover all required disciplines and is it sufficiently competent?
- Does planning of the studies cover all systems at the facility level and ensure adequate resourcing?
- Are the results of the risk assessment communicated to stakeholders?
- Were identified actions completed and their results incorporated accordingly?
- Are there regular action follow-up meetings in place?
- Is there a system to ensure follow-up and close-out of recommendations?
- Are there any recommendations rejected for action? Is the team included in that decision?
- Is action close-out established and tracked as a key performance indicator?

► Quality of the study:
- Is the information given in the risk assessment report understandable and sufficient for follow-up?
- Did the team work systematically through the system or did it jump around and possibly overlook important scenarios?
- Are scenarios resulting from the interfaces of the system considered appropriately?
- Were all parts / all equipment of the system considered?
- Are all operating modes of the facility considered?
- Is the evaluation sound and sufficient?
- Were all hazards fully identified?
- Are all known incident causes adequately considered?
- Were all reasonably foreseeable consequences identified?
- Are the risk controls recognized for all consequences and do they comply with the state of the art?
- Are the safeguards valid and fully documented?
- Is the evaluation of residual risk consistent and balanced?
- Was the risk judgment appropriate and were any necessary further actions to reduce the risk identified?
- Are the recommendations adequate to the residual risk levels without lobbying for specific team members’ preferences?

3. Internal Reference Links

HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard

HSSE-R-005 OMV Group Recommendation: HSSE Risk Assessment

HSE 021 Group Standard Management of Change

HSSE-R-028 OMV Group Recommendation: Facility Documentation

HSSE-S-005 OMV Group Standard: HSSE in Projects

HSSE-R-011 OMV Group Recommendation: Project HSSE Reviews (PHSSER)

HSSE-R-030 OMV Group Recommendation: Pre Start-up HSSE Review Best Practice

HSSE-R-008 OMV Group Recommendation: Site Security Risk Assessment (SSRA)

HSSE-R-026 OMV Group Recommendation: Environmental and Social Impact Assessment

HSSE-R-009 OMV Group Recommendation: Health Risk assessment

HSSE-R-016 OMV Group Recommendation: Work place Risk assessment

HSSE-R-017 OMV Group Recommendation: Hazard and Operability Study (HAZOP)

HSSE-R-019 OMV Group Recommendation: Hazard Identification using the Structured What-If Technique (SWIFT)

HSSE-R-029 OMV Group Recommendation: Risk Evaluation using the Layer of Protection (LOPA) Methodology

HSSE-R-032 OMV Group Recommendation: Evaluating Loss of Containment Scenarios by Quantified Risk Assessment (QRA)

4. External Reference Links

► ISO 31010:2009: Risk management – Risk assessment techniques
► DOE-HDBK-1100-96: DOE Handbook - Chemical Process Hazard Analysis
► ISO 17776:2002: Petroleum and natural gas industries - Offshore production installations - Guidelines on tools and techniques for hazard identification and risk assessment
► IEC 61882:2001: Hazard and operability studies (HAZOP studies) – Application guide
► IEC 60812:2008: Analysis techniques for system reliability – Procedure for failure mode and effects analysis (FMEA)
► ISO 14121-2:2007: Safety of machinery — Risk assessment — Part 2: Practical guidance and examples of methods
► Risk assessment essentials, EU OHSA (2007)
► Guidelines for Hazard Evaluation Procedures, 3rd Edition; Center for Chemical Process Safety (CCPS), AIChE, (2008)
► IEC 61025:2006: Fault tree analysis (FTA)
► Layer of Protection Analysis; Center for Chemical Process Safety (CCPS), AIChE, 2001
► IEC 61511-1:2003 Functional safety – Safety instrumented systems for the process industry sector; Part 1: Framework, definitions, system, hardware and software requirements
► UK HSE Guide HSG 48: Reducing error and influencing behaviour

5. Obsolete Regulations

None (on OMV Group level)

6. Certification Standards

None


7. Terms & Abbreviations

7.1. Terms

Term Definition

BowTie A simple diagrammatic way of describing and analyzing the pathways of a risk from hazards to outcomes and reviewing controls.

Cause Event, situation, or condition that results, or could result, directly or indirectly in an accident or incident.

Checklists (HAZID, SWIFT) Structured lists to enhance the process of brainstorming in identifying hazards. Checklists may be structured by hazard categories, causes, consequences, activities, incident scenarios, etc.

Consequences Potential effects which could occur as a result of a hazard. Consequence descriptions are qualitative or quantitative estimates of the accidental effects on people, environment, property incl. revenues and reputation.

Deviation (HAZOP) Departure from the design intent, i.e. the way a process or system is intended to function. A deviation is created by applying a HAZOP guideword to a parameter which states the design intent.

Facility For the purpose of this recommendation the term facility refers to a physical arrangement of operating installations / equipment which constitute a part of a production site / operations asset. Examples of facilities are loading station, boiler house, oil production facility, compressor station, crude distillation unit, hydro treating unit, intermediate product storage, etc.

FMEA, FMECA A hazard identification technique which identifies failure modes and mechanisms, and their effects (and their criticality)

Guideword (HAZOP) Words such as “high”, “low”, and “no” that are applied to parameters to create a potential deviation from the design intent.

Harm Physical injury or damage to the health of people, or damage to property or the environment

Hazard Potential source of harm to people, the environment, property incl. revenue, or reputation. Hazards can result from the inherent properties of an installation or from unsafe work practices.

HAZID The process of identifying credible and conceivable hazards associated with a facility, operation or activity. HAZID is a generic term covering known techniques such as SWIFT, HAZOP, FMEA, etc. HAZID is sometimes used to describe the process of screening hazards to develop a high level hazard register.

HAZOP A systematic qualitative technique for identifying hazard and operability problems, using a series of guidewords to examine deviations from normal process conditions.

Likelihood The number of occurrences of a hazardous event per unit time (frequency) or per possible cases (probability).

LOPA Method for evaluating the effectiveness of protection layers in reducing the frequency and/or consequence severity of hazardous events.

Operability Ability to operate a facility inside the design envelope and meet business expectations.


Parameters Conditions used to define a process, including flow, pressure, temperature, and level.

QRA A systematic, quantified assessment of the risks of major releases of hazardous materials. QRA is typically used for facility siting analysis.

Risk The effect of uncertainty on objectives. Within HSSE it is expressed as the product of the measure of likelihood of occurrence of an event and the potential adverse consequences which the event may have upon people, assets (or revenue), the environment or reputation.

Safeguard Device, system, or action that would likely interrupt the chain of events following an initiating cause or that would mitigate loss event impacts. Safeguards are risk control barriers.

Safety Freedom from unacceptable risk.

SWIFT A systematic technique to identify hazards across a broad scope without going deep into details.

7.2. Abbreviations

Abbreviation Meaning

ARMS Active Risk Management System (OMV’s system to manage enterprise-wide risks)

CARE OMV’s group wide incident management system

ESD Emergency Shut Down

FMEA, FMECA Failure Mode Effect Analysis, Failure Mode Effect & Criticality Analysis

HAZID HAZard IDentification

HAZOP HAZard and OPerability

HIPO High potential (incident)

LOPA Layer Of Protection Analysis

MoC Management of Change

P&ID Piping and Instrumentation Diagram

PFD Process Flow Diagram

QRA Quantified Risk Assessment

RBI Risk Based Inspection

SIL Safety Integrity Level

SIMOP Simultaneous Operations

SWIFT Structured What IF Technique

8. Keywords / Search Criteria

Hazard identification, safety, risk assessment, process hazard analysis, PHA, what-if, checklist, SWIFT, HAZOP

9. Annexes

Annex 1 Deviations for Continuous Process HAZOP

Annex 2 Deviations for Procedure HAZOP

Annex 3 Deviation for Batch / Sequential HAZOP

Annex 4 Deviations for Electrical, Instrumentation and Control System HAZOP

Annex 5 Deviations focusing process installation aspects within HAZOP

Annex 6 HAZOP Worksheet Template

10. Amendments from Previous Versions

None

Annex 1. Deviations for Continuous Process HAZOP

The following deviations relate to the process technology part of process systems. They should be used for continuous process HAZOP and batch / sequential HAZOP. Each deviation should be applied to each node (as relevant for the node and as defined by the design intent).

The listed deviations might be considered as additional deviations for procedure HAZOP.

Table 4: Standard HAZOP deviations for process HAZOP - process engineering

No flow (typical causes):

- Control loop failure
- Control valve fails closed
- Wrong routing / line-up
- Blockage
- Incorrect slip plate
- Incorrectly fitted check valve
- Burst pipe / large leak
- Hand valve closed
- Equipment failure (control valve, isolation valve, pump, compressor, vessel, etc.)
- Incorrect pressure differential
- Isolation in error
- Block valve closed
- Power failure
- Plugged line
- No flow from upstream system
- No flow to downstream system

More flow (typical causes):

- Increased pumping capacity
- Increased suction pressure
- Restriction orifice plates deleted
- Cross connection of systems
- Control faults
- Control valve trim changed
- Operation of pumps in parallel
- Pulsation
- Bypass valve open
- Reduced delivery head
- Change in fluid density
- Exchanger tube leaks
- Worn or deleted restriction orifice plates
- Control valve fails open
- Burst pipe
- Burst heat exchanger (internally)
- Large leak
- Wrong valve open
- Wrong line-up or misdirected flow
- Slug flow
- Water hammer
- Increased flow from upstream process

Less flow (typical causes):

- Line restrictions
- Filter / strainer blockage
- Defective pumps
- Fouling of vessels, valves, orifice plates
- Density or viscosity changes
- Wrong line-up
- Inadvertently throttled valve
- Competing pump heads and flows
- Incorrect valve sizing
- Surging

Reverse flow (misdirected flow) (typical causes):

- Defective check valve
- Leaking check valve (falsely used as positive shut-off device)
- Omitted or wrong type of check valves
- Two-way flow
- Siphon effect
- Incorrect pressure differential
- Emergency venting
- Incorrect operation
- In-line spare equipment
- Internal rupture of heat exchanger
- Wrong line-up or misdirected flow
- Unintended open connections from or to utilities (water, N2, flush systems, etc.)
- Recirculation valve open

More pressure (typical causes):

- Surge problems
- Connection to high pressure system
- Gas breakthrough (inadequate venting)
- Control loop failure
- Defective isolation procedures for relief valves
- Positive displacement pumps against closed valve
- Failed pressure control valves (open or closed)
- Wrong design pressures, specifications of pipes, vessels, fittings, instruments
- Thermal overpressure
- Pressure range for abnormal operations
- Leakage from interconnected high pressure system (HP to LP interface)
- Control valves failed (closed or open)
- Increased centrifugal pump suction pressure
- Start-up of spare pump
- Failure of ejector system
- More reaction
- Plugged pressure tap
- Obstructed relief
- Pressure testing
- Excessive heating (e.g. fire)
- Exchanger tube leak (internally)

Less pressure / vacuum (typical causes):

- Generation of vacuum condition
- Condensation
- Restricted pump / compressor suction line
- Undetected leakage
- Vessel drainage
- Blockage of blanket gas reducing valve
- Blockage of venting during emptying
- Gas dissolving in liquid
- Excessive cooling
- Failure of vacuum relief
- Inadequate net positive suction head

More temperature (typical causes):

- Ambient conditions (e.g. sun radiation)
- Fouled or failed exchanger tubes
- Fire situation
- Cooling water failure
- Defective control
- Heater control failure
- Internal fires
- Reaction control failures
- Heating medium leak into process
- Air cooling fan failure
- Heat tracing
- Regeneration
- Decoking
- Heats of reaction
- Mixing, reactor hot spots, decomposition, or runaway reaction, absorption, or solution
- Burn protection
- Abnormal operations

Less temperature (typical causes):

- Ambient conditions
- Cold weather operations
- Fouled or failed exchanger tubes
- Loss of heating
- Reducing pressure
- Depressurization of liquefied gas
- Joule-Thomson effect
- Endothermic reaction
- Control failure
- Failure of tracing

More level (typical causes):

- Outlet isolated or blocked
- Inflow greater than outflow
- Control failure
- Faulty level measurement
- Gravity liquid balancing
- Failure of phase separation
- Filling operations
- Liquid in vapor lines
- Vessel overflow
- Deactivated level alarm
- Inadequate time to respond
- Incorrect calibration
- Interface level control
- Phase inversion
- Slug flow
- Condensation

Less level (typical causes):

- Inlet flow stops
- Leak
- Outflow greater than inflow
- Level control failure
- Faulty level measurement
- Draining of vessel
- Failure of pump stop
- Drain valve left open
- Incorrect calibration
- Two phase flow
- Plugged instrument taps
- Inadequate residence time
- Inadequate mixing, excessive heating
- Gas in liquid lines

Utility / service failure (typical causes):

- Failure of instrument air
- Failure of steam (LP/MP/HP)
- Failure of nitrogen
- Failure of cooling water
- Failure of hydraulic power
- Failure of process water
- Lack of fuel gas / fuel oil
- Power loss to drive (high / low voltage)
- Power loss to instrument control
- Power blips / failure modes
- Failure of tracing
- Trip delay for power failure
- Contamination of instrument air, nitrogen, water, etc.
- Telecommunications
- Heating and ventilating systems
- Lack of blanketing gas
- Process control computer failure
- Failure of communication system
- Loss of view of process control system
- Viruses in process control system
- Lack of field air
- Lack of back-up process control system
- Failure of gas detector
- Failure of fire / smoke detector
- Failure of lighting
- Failure of surveillance camera
- Failure of deluge system
- Failure of flushing system
- Lack of spares / stand-by
- Failure of earthing

Additional components / impurities (typical causes):

- Leaking isolation valves
- Leaking exchanger tubes
- Interconnected systems (especially services, blanket systems)
- Impurities present
- Debris left from installation
- Ingress of air, water, or rust
- Stream composition / contaminants
- Reaction intermediates / by-products
- Solvent flushing
- High solids concentration
- Settling of slurries
- Catalyst poisons
- Polymerization
- Coke formation
- Additional additives
- Decompositions
- Explosive mixtures
- Phase change
- Phase inversion
- Cavitation, flow separation

Components missing (typical causes):

- Lack of or wrong additives
- Wrong or worn catalysts
- Catalyst deactivated / inhibited

Material / quality change (typical causes):

- Changes in pH-value
- Changes in viscosity
- Changes in flashpoint
- Changes in vapor pressure
- Changes in phases
- Incorrect feedstock / specification
- Inadequate quality control
- Grade change
- Process control upset
- Preparation for shut-down and start-up operations

Wrong mixing (no / more / less mixing) (typical causes):

- Loss of agitation
- Agitator set at wrong speed (too slow / too fast)
- Agitator blade drops off
- Drive stops / coupling failure
- No or worn baffles
- Phase change
- Phase inversion
- Settling of solids
- Accumulation of liquids in bottom points
- Accumulation of gases in high points
- Lack of balance line (e.g. after injection, pumps)
- Vortex formation / separation

Wrong reaction (no / more / less reaction) (typical causes):

- Wrong reactant mix
- High temperature / heat value
- Low temperature / heat value
- Side reactions
- Channeling
- Insufficient catalyst
- Decomposition / degradation
- Incompatible chemical
- Pyrophoric substances (e.g. iron sulphide)
- High oxygen content

Annex 2. Deviations for Procedure HAZOP

For procedure HAZOP the deviations are applied to a sequence of steps and activities. The sequence constitutes the node, similar to the physical subsection for continuous process HAZOP. A clear description of the sequence of steps must be available before starting the analysis (either from the operating manual or provided by the team). Possible applications are procedures for start-up, shut-down, emergency shut-down, switching over for batch operations, non-standard routing of flows, receiving pipeline pigs, etc.

A procedure HAZOP shall be performed for routine and non-routine activities which are critical with respect to safety or operability of the facility or which have high inherent hazards, i.e. where the procedure

► is a routine procedure or periodically performed (e.g. given in the Operations Manual) and

► is critical with respect to safety or operability or

► has hazardous aspects or involves hazardous materials.

It is highly recommended to involve field personnel in procedure HAZOP and/or to perform field verification of its implementation in addition to the desktop study.

The purpose of each step as well as possible failures in its execution is analyzed. Within procedure HAZOP there is a strong focus on human failure. Despite all training and best intentions, human beings are prone to failing. For routine actions the failure rate is 1:100-1:100 when performed by a well-trained person without stress. Within emergencies the failure rate may increase to 1:10 or higher, which is why normally only little credit should be given to operator intervention in de-escalating major accident scenarios. The human failure model given below should be used as reference for identifying possible causes which lead to execution failures. A separate human factors study may be required if there are significant risks associated with human factors.

Figure 2: Human failure model (acc. UK HSE Guide HSG 48). [Figure not reproduced; the labels it contains are listed here.] Human failure (active & latent) is divided into errors (unintentional) and violations (intentional). Errors comprise skill-based errors (right idea, wrong execution): slip (execution error), lapse (memory error), miss (perception error); and mistakes (right execution, wrong idea): rule-based mistakes (misdiagnosis, misinterpretation) and knowledge-based mistakes (planning error, mode error). Violations are routine (saving resources by use of short-cuts), situational (insufficient resources to apply the rule, conflicting goals) and exceptional (falsely taking a risk in an emergency). Underlying factors shown: human & job factors, organizational & management factors, lack of awareness or understanding, weakness of the management system.

The listed deviations should be used for procedure HAZOP and batch / sequential HAZOP. Each deviation should be applied to each node.

The listed deviations might be considered as additional deviations for continuous process HAZOP.

Table 5: Standard HAZOP deviations for procedure HAZOP

No action / sequence halts (typical causes):

- Step is missed or omitted
- Intended operation did not occur (mechanical failure)
- Action impossible
- Equipment not ready (locked out, not in service)
- Blind left in piping
- Step not carried out
- Handover problems
- Split responsibilities / unclear roles and duties
- Equipment failure
- No reaction (process stops)
- Memory lapse, distractions, excessive workload
- No response to an alarm

More action / extra step (typical causes):

- Operator does more than intended (opening valve too far, etc.)
- Another action completed, as well as the action intended
- Procedure ambiguity
- Another action completed in addition to the intended action
- Performs two or more steps at the same time
- An incorrect action in place of a specified action
- Operator assumes he is required to do something in addition to what is specified (stops motor and isolates power, closes drain and blanks it, etc.)

Less action / step incomplete / part of action (typical causes):

- Operator does less than intended (added less catalyst than required, etc.)
- Equipment does not perform as required (plugged strainer)
- Not enough time to complete the step
- Step partially completed or delayed
- Operator only completes part of a composite action (misses out middle part, or final part)
- Operator short-cuts
- Lack of clear information / indication that the step intention has been achieved
- Checks not made or incomplete

Wrong action (typical causes):

- Operator opens the wrong valve, starts the wrong pump, reads the wrong instrument
- Incorrect action substituted for the correct action (e.g. closes instead of opens)
- Operator misunderstands instruction and does something completely different (procedure ambiguity)
- Plant labeling defective, poor access, lighting, time pressure, fatigue
- Operator remembers a similar procedure and follows that instead
- Personnel performs a different or out of date procedure

Interfering action (SIMOPs) (typical causes):

- Any other simultaneous activity that may have an impact on the overall safety of the operations
- Other actions occur affecting this operation
- Other procedures interfering
- Inherent hazards and operability problems with the step even if there is no deviation from the intention
- Other personnel in wrong area
- Poor communications (operation, maintenance, engineers, etc.)
- Others don't perform as required

Execution error (typical causes):

- Valve open or closed in error prior to / during step
- Lack of clear labelling
- Valve closure / opening incomplete or valve passing / blocked
- Incomplete or incorrect valve status list in procedure

More time / too late / too slow (typical causes):

- Operator takes longer than necessary over action (leaves something running and gets distracted)
- Operator starts next action later than expected
- Operator carries out action too slowly
- Process moves too slowly onto the next step
- Delay before the next step
- A step is done after the right timing (relative to clock time)
- A step is not done with the right timing; operation completed too slowly
- Too little chemical reaction
- Valve gets stuck
- Cooling / heating too slow
- Excessive delay before moving on to the next step or following completion of previous step
- Communication delay / error between other parties responsible for preceding steps

Less time / too soon / too fast (typical causes):

- Operator carries out action too quickly (stops the flow before required level is reached)
- Operator starts next action earlier than expected
- A step is done before the right timing (relative to clock time)
- Operation completed too quickly
- Process moves too quickly onto the next step
- Too much chemical reaction
- Chemical reaction too fast
- Heating / cooling too fast
- Insufficient delay before moving on to the next step or following completion of previous step
- Communication delay / error between other parties responsible for preceding steps

Out of sequence / step reversed (typical causes):

- Operator misses out a step
- Operator carries out a step before it should occur, or after it should occur
- Step completed out of sequence or in wrong order
- Communication delay / error between other parties responsible for preceding steps

No information (typical causes):

- No feed-back from the process (transmitter failure, alarms)
- Communication break between operators
- Procedure does not specify expected performance (temperatures, pressures, flows, levels, etc.)
- Unattended / remote operation
- Ability to read or confusion with local instrumentation
- Missing information on changes made
- No specified actions for emergencies
- Information loss in shift hand over

More information (typical causes):

- Procedure includes information that is unnecessary and could lead to confusion
- Procedure contains information that contradicts other information
- Contradicting process control information
- Overflow of information
- Inadequate alarm prioritization

Less information (typical causes):

- Necessary information is missing from the procedure
- Missing starting clearance
- Insufficient information to check progress
- Manual / automatic override
- Communication interruptions
- Verbiage confusing
- Readability of labeling
- Missing readability / clear understanding of procedures (e.g. language)
- Insufficient information to identify errors and their causes
- Step confusing
- Incorrect monitor display information

Wrong information (typical causes):

- Information provided is wrong
- Contradicting information (oral instruction vs. written)
- Information is out of date
- Reliance on operator interaction
- Other procedures or steps within this procedure

Annex 3. Deviation for Batch / Sequential HAZOP

A batch process is one where there are discontinuities in the operation over time, with continuous process operations alternating with manual and automatic switching operations. The HAZOP of a batch process normally requires the application of deviations from both continuous process HAZOP and procedure HAZOP. Usually the HAZOP is driven by the procedural part.

A batch HAZOP can be more complex than a HAZOP for a continuous process because the status of the process changes over time. More preparation is required to avoid confusion. These preparatory steps will yield significant time savings compared with running a continuous process HAZOP on each step/ node combination.

Three additional inputs are required:

► A list of the batch operation steps should be developed.

► A matrix indicating the steps and the nodes should be developed, indicating which nodes are active (A) or inactive (I) during each step. A node is active if during the step materials are intentionally present, even if simply being stored.

► A valve position table should be defined indicating the valve position for each step, as well as the operational status of equipment such as pumps / mixers etc. (running / not running).

The HAZOP is conducted by applying the continuous process deviations with some additional procedure deviations to each step where the node is active. For inactive nodes, only 1 deviation “becomes active” is used.

Care has to be taken over the fact that nodes can have multiple design intents across the batch sequence. Each node needs to be analyzed for each process step. Where adjacent steps have the same nodal active / inactive profile and the same valve position profile, the steps can be combined to reduce the HAZOP duration.

The figure below shows a simplified ethylene process reactor system which has a range of different operating configurations such as reaction and catalyst regeneration. The steps indicate the possible reactor operating configurations (where R is reactor). The associated step/node matrix is detailed in Table XX and the valve position table in Table XX.

Figure 3: Example system for a batch HAZOP – ethylene reactors. [Figure not reproduced; it shows reactors R1, R2 and R3, the streams Feed Gas, Regen Gas Feed, Regen Discharge, Reactors Discharge, 2nd stage Feed and Bypass, and the valves V1 to V8, VR1 to VR6, VB1 and VB2 referenced in Table 7.]

Table 6: Batch HAZOP step/node matrix (A = active, I = inactive)

Sections (columns): FG = Feed gas, RGF = Regen gas feed, R1 = Reactor 1, R2 = Reactor 2, R3 = Reactor 3, D1 = 1st stage discharge, D2 = 2nd stage discharge, RGD = Regen gas discharge

Step | FG | RGF | R1 | R2 | R3 | D1 | D2 | RGD
R1 feeding R2 | A | I | A | A | I | A | A | I
R1 feeding R3 | A | I | A | I | A | A | A | I
R2 feeding R3 | A | I | I | A | A | A | A | I
R1 feeding R2, R3 Regen | A | A | A | A | A | A | A | A
R1 feeding R3, R2 Regen | A | A | A | A | A | A | A | A
R2 feeding R3, R1 Regen | A | A | A | A | A | A | A | A
R1 feeding R2 and R3 | A | I | A | A | A | A | A | I
R1 only | A | I | A | I | I | A | A | I
R2 only | A | I | I | A | I | I | A | I

Table 7: Batch HAZOP valve position table (O = open, C = closed)

Step | V1 V2 V3 V4 V5 V6 V7 V8 | VR1 VR2 VR3 VR4 VR5 VR6 | VB1 VB2
R1 feeding R2 | O C O C O C O C | C C C C C C | C C
R1 feeding R3 | O C O C C O C O | C C C C C C | C C
R2 feeding R3 | C O C O C O C O | C C C C C C | C C
R1 feeding R2, R3 Regen | O C O C O C O C | C C O O C C | C C
R1 feeding R3, R2 Regen | O C O C C O C O | C O C C O C | C C
R2 feeding R3, R1 Regen | C O C O C O C O | C C O C C O | C C
R1 feeding R2 and R3 | O C O C O O O O | C C C C C C | C C
R1 only | O C O O C C O C | C C C C C C | C C
R2 only | C O C C C C O C | C C C C C C | C C
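The batch HAZOP planning rules above (active nodes get the continuous plus procedure deviations, inactive nodes only "becomes active", adjacent steps with identical node and valve profiles are combined) as an added worked example in Python; this is not code from the OMV recommendation. It encodes Tables 6 and 7 as given, uses the deviation headings of Tables 4 and 5, and the function names are this example's own.

```python
"""Batch HAZOP planning helper (added example, not part of the OMV document).

Encodes the step/node matrix (Table 6) and valve position table (Table 7) of
the ethylene reactor example and derives the deviation set per step/node pair,
the adjacent steps that may be combined, and the resulting review count.
"""

NODES = ["Feed gas", "Regen gas feed", "Reactor 1", "Reactor 2", "Reactor 3",
         "1st stage discharge", "2nd stage discharge", "Regen gas discharge"]
VALVES = ["V1", "V2", "V3", "V4", "V5", "V6", "V7", "V8",
          "VR1", "VR2", "VR3", "VR4", "VR5", "VR6", "VB1", "VB2"]

# Table 6, one character per node in NODES order: A = active, I = inactive.
STEP_NODE = {
    "R1 feeding R2":           "AIAAIAAI",
    "R1 feeding R3":           "AIAIAAAI",
    "R2 feeding R3":           "AIIAAAAI",
    "R1 feeding R2, R3 Regen": "AAAAAAAA",
    "R1 feeding R3, R2 Regen": "AAAAAAAA",
    "R2 feeding R3, R1 Regen": "AAAAAAAA",
    "R1 feeding R2 and R3":    "AIAAAAAI",
    "R1 only":                 "AIAIIAAI",
    "R2 only":                 "AIIAIIAI",
}
# Table 7, one character per valve in VALVES order: O = open, C = closed.
VALVE_POSITIONS = {
    "R1 feeding R2":           "OCOCOCOCCCCCCCCC",
    "R1 feeding R3":           "OCOCCOCOCCCCCCCC",
    "R2 feeding R3":           "COCOCOCOCCCCCCCC",
    "R1 feeding R2, R3 Regen": "OCOCOCOCCCOOCCCC",
    "R1 feeding R3, R2 Regen": "OCOCCOCOCOCCOCCC",
    "R2 feeding R3, R1 Regen": "COCOCOCOCCOCCOCC",
    "R1 feeding R2 and R3":    "OCOCOOOOCCCCCCCC",
    "R1 only":                 "OCOOCCOCCCCCCCCC",
    "R2 only":                 "COCCCCOCCCCCCCCC",
}
STEPS = list(STEP_NODE)  # batch sequence in table order

# Deviation headings of Table 4 (continuous process HAZOP).
CONTINUOUS_DEVIATIONS = [
    "No flow", "More flow", "Less flow", "Reverse flow", "More pressure",
    "Less pressure / vacuum", "More temperature", "Less temperature",
    "More level", "Less level", "Utility / service failure",
    "Additional components / impurities", "Components missing",
    "Material / quality change", "Wrong mixing", "Wrong reaction"]
# Procedure deviations (Table 5) added for the sequential part of the batch.
PROCEDURE_DEVIATIONS = [
    "No action / sequence halts", "More action / extra step",
    "Less action / step incomplete", "Wrong action",
    "Out of sequence / step reversed", "More time / too late / too slow",
    "Less time / too soon / too fast"]
INACTIVE_DEVIATION = "Becomes active"  # the only deviation for inactive nodes


def validate_tables(step_node=STEP_NODE, valve_positions=VALVE_POSITIONS):
    """Reject inconsistent input before the study is planned from it."""
    if list(step_node) != list(valve_positions):
        raise ValueError("step/node matrix and valve table list different steps")
    for step, profile in step_node.items():
        if len(profile) != len(NODES) or set(profile) - {"A", "I"}:
            raise ValueError(f"bad node profile for step {step!r}")
        valves = valve_positions[step]
        if len(valves) != len(VALVES) or set(valves) - {"O", "C"}:
            raise ValueError(f"bad valve profile for step {step!r}")
    return True


def deviations_for(step, node, step_node=STEP_NODE):
    """Deviation set the team applies to one step/node pair."""
    if step_node[step][NODES.index(node)] == "A":
        return CONTINUOUS_DEVIATIONS + PROCEDURE_DEVIATIONS
    return [INACTIVE_DEVIATION]


def combinable_groups(steps=STEPS, step_node=STEP_NODE,
                      valve_positions=VALVE_POSITIONS):
    """Group adjacent steps whose node profile AND valve profile both match."""
    groups = []
    for step in steps:
        key = (step_node[step], valve_positions[step])
        if groups and groups[-1][0] == key:
            groups[-1][1].append(step)
        else:
            groups.append((key, [step]))
    return [members for _, members in groups]


def review_count(steps=STEPS, step_node=STEP_NODE,
                 valve_positions=VALVE_POSITIONS):
    """Number of (group, node, deviation) items the team walks through."""
    per_active = len(CONTINUOUS_DEVIATIONS) + len(PROCEDURE_DEVIATIONS)
    total = 0
    for group in combinable_groups(steps, step_node, valve_positions):
        for flag in step_node[group[0]]:
            total += per_active if flag == "A" else 1
    return total


if __name__ == "__main__":
    validate_tables()
    for group in combinable_groups():
        print(" + ".join(group))
    print("review items:", review_count())
```

With the tables as published, the three regeneration steps share the all-active node profile but differ in valve positions, so no steps are combined; the grouping only takes effect when both profiles repeat.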


Annex 4. Deviations for Electrical, Instrumentation and Control System HAZOP

HAZOP of electrical, instrumentation and control systems may improve the management of common mode failures that result in multiple simultaneous process deviations. Such common mode failures may affect a group of components (e.g. a failure of a single I/O card, failure of a 6kV power supply, failure of a switch cabinet). Here, the HAZOP reviews how electrical and computer control systems can fail and the potential response of the system. The basic HAZOP method is similar to those above, the main changes being that the P&IDs are replaced with electrical or control loop diagrams and that the guidewords differ.

Based on the types and complexity of the control systems within the scope of the HAZOP, a decision shall be made as to whether the traditional HAZOP adequately addresses control system issues or whether a control system HAZOP or other types of studies are necessary. For traditional HAZOPs, substantial knowledge of the control system is needed in order to identify potential control system induced secondary deviations in response to the original, primary deviation. Often, a traditional HAZOP can be augmented by adding a review of the loop diagrams of the control system.

The appropriate deviations need to be specified during preparation of the study. Criteria are whether the deviations yield substantial benefit in understanding hazards and risk controls, to what extent the deviations are already covered in the traditional HAZOP, or whether it might be more appropriate to use another method of risk analysis (e.g. FMEA).

Suggested deviations are given below. They or their aspects might also be considered as additional deviations for process HAZOPs.

Table 8: Standard HAZOP deviations for electrical, instrumentation and control HAZOP

No current (typical causes):

- Failure of component: sensor, signal, power, connection, feedback signal, fuse or overload
- Distribution board component failure
- Control switched to manual or bypass for maintenance

More current (typical causes):

- Plant being operated in excess of design parameters
- Overload settings too high
- Short circuit, leak to earth
- Excess current protection does not work
- Excess current protection policy
- Control switched to manual, interlocks not effective

Reverse current (typical causes):

- Wrong connections after maintenance
- Incorrect loop connections
- Reverse indication received (high and low readings transposed)
- Initiator failure results in opposite reading

Less current (typical causes):

- Faulty load shedding arrangement
- Reduced generator capacity
- Defective limit switch (feedback)
- Incorrect calibration of sensor

More voltage (typical causes):

- Variable loading
- Electrical storms
- Defective supply device
- Defective transformer
- Electrical overload protection philosophy

Less voltage (typical causes):

- Voltage dip
- Defective contacts
- Defective supply device
- Degradation of signal

More temperature (typical causes):

- External or internal fire
- Fire detection and protection
- Cable insulation and protection
- Cable routing
- Location of equipment, resistance to ambient temperature and humidity variations

Less temperature (typical causes):

- Effect of winter conditions
- Adjacent refrigeration plant
- Ice formation around electrical components
- Reliability of heating and ventilation system

No signal / data (typical causes):

- No data or control signal passed
- Interlock or control device operates without control signal
- Probability of failure on demand (SIL calculation, proven in use data)
- Safe failure fraction / unsafe failure fraction
- Bypassing / malfunction of input
- Required operator intervention
- Adequate warning of impending activation
- No information if interlock has been activated
- No information on control loop failure
- Uncertainty why interlock is activated
- No access to pertinent process variable data
- Algorithms too complicated for operator to understand the relationship between variables
- Alarm status to interlock status not clear

More data / signal (typical causes):

- Data passed at higher rate
- Contradicting 2oo3 signals
- Interfering signals
- Out of range values of interlock
- Spurious trip

Less data / signal (typical causes):

- Bypassing
- Card failure
- Transmission failure
- One component of 2oo3 fails (reconfiguration to 2oo2 or 1oo2)
- Failure to reactivate

Incomplete or wrong data / signal (typical causes):

- Data or control signals incomplete
- Data or control signals are complete but incorrect
- Switching of interlock inputs / outputs
- Spurious trip
- Drifting of signals
- Trip initiated below trip set-point or trip delayed
- Wiring malfunctions
- Loose contacts

Data / signal before or early (typical causes):

- The signal arrives earlier than expected within a sequence
- Not enough time for operator to evaluate alternatives
- Alarm flooding

Data / signal arrives after or late (typical causes):

- The signal arrives later than expected within a sequence
- Response not quick enough to achieve desired effect
- Response to interlock (automatic or operator)
- Programmed delays

Operator fails to act (typical causes):

- Too many alarms go off at the same time
- Undefined action
- Response to wrong signal
- No response
- Alarm acknowledged without checking the reason for the alarm
- Conflicting goals
- Missing troubleshooting instructions / training
- Ergonomics of alarm monitors

Wrong operator action (typical causes):

- Misjudgment of system state
- Conflicting goals / distraction
- Misreads displayed data
- Incorrectly timed task actions
- Unclear procedures
- Incorrect controller mode
- Capability to decide
- Unclear instructions

Incorrect sequence (typical causes):

- Cascaded trip functions
- Hold points for manual intervention
- Verification halts
- De-energize, fail-safe
- Restart clearance
- Equipment still operating
- Repetition of triggers
- Upstream / downstream hazards
- Unusual stress to system during trip

Contamination (typical causes):

- Ingress of flammable atmosphere into electrical distribution room
- Internal damage by animal, insect, or corrosive material
- Moisture, dust, flammable vapors, pollutants
- Interruption by external magnetic fields or signals
- Wiring malfunction
- Interference of control loops / interlocks

Utility failure (typical causes):

- Loss of instrument air (total or to device only)
- Computer failure
- Failure of electrical power to instruments
- Telecommunications failure

Instrumentation specification (typical causes):

- Set points for maximum overload condition
- Load shedding arrangement
- Electromagnetic radiation problems
- Control philosophy - monitoring defects in control sensors
- Fail-safe philosophy
- Trip bypassing
- Manual control arrangements
- Supervisory passwords (electronic systems)
- Earthing, area classification

Maintenance (typical causes):

- Maintenance isolation procedures
- Procedures for modification
- PID controller settings
- Availability of spares
- Corrosion of electrical components by internal, external or galvanic means

Testing, sampling (typical causes):

- Calibration of analysis instrumentation
- Alarm testing
- Functional tests
- Loop checks
- Performance tests
- Test of interlocks (online / offline)

Emergency operation (typical causes):

- Emergency power distribution arrangements
- Fire (or other emergency)
- Uninterruptible power, redundancies
- Instrument air buffers
- Fire protection of electronic equipment and detection systems
- Blind shut-down
- Reliability of control systems in the event of emergency
- Evacuation of control room

Non-routine operations (typical causes):

- Start-up and shutdown systems
- Software error detection
- Operator action for off-spec situations
- Restoration of program
- Interlock operation during start-up, shut-down
- Downloading updates

Human factor (typical causes):

- Alarm priorities
- Control monitor design
- Panel layout
- Reset functions (per component / loop / system)
- Fail to reset
- Delays
- Restart clearance
- Acknowledgement of repeated alarms / trips
- Alarm acknowledgement
- Procedures for recovering from interlock trip (time, consequence)

Annex 5. Deviations focusing process installation aspects within HAZOP

The following deviations relate to the installation part of process systems. These deviations stretch the HAZOP method from its original scope of process analysis to cover more general aspects of the system and its layout. Their recommended application is as follows:

► The application of the deviations shall be agreed and specified in the terms of reference. Some of the aspects covered by the deviations might already be covered in other analyses or might be used to develop those analyses (e.g. ignition sources are usually analyzed in an independent explosion protection analysis).

► Simple installations, i.e. where the physical arrangement of equipment equals the technological arrangement of equipment: the deviations may be applied within the same nodes as defined for the process technology part.

► Complex installations, i.e. where equipment is physically grouped together even if it belongs to different technological subsystems (e.g. all pumps of the system in a common pump house): it is recommended to define HAZOP nodes covering the installation part independently from the nodes of the technology part. Alternatively the aspects of these deviations might also be considered in a SWIFT study.

► Usage shall be agreed in the terms of reference.

The deviations might be used for continuous process HAZOP, batch / sequential HAZOP and procedure HAZOP.

Table 9: Additional HAZOP deviations to cover process installation aspects


Deviation / Typical causes

Relief

- Design basis for relief (normal/abnormal - fire, start-up/shut-down conditions)
- Backpressure on relief valve vs. design
- Effect of debottleneck on relief capability
- Instrumentation / safety instrumented system to reduce relief load
- Controlling scenario for overall relief system (flare overload)
- Changes affecting relieving requirements (insulation removal, control valve change, new connections, etc.)
- Safety of atmospheric relief location (fire case, flammable liquid, plume path, dispersion modeling, flare radiation)
- Relief valve pressure versus maximum allowable working pressure
- Environmental implications (relief, flare)
- Frequency of relief valve use
- Relief composition (e.g., two phase flow)
- Blocked path/relief valves
- Restricted inlet/outlet lines
- Plugging / build-up in relief system (hydrates, ice, weep holes plugged, liquid build-up, loss of heat tracing, etc.)
- Rupture disc upstream of a relief valve
- Leak monitoring of rupture disc upstream of relief valve
- Inlet and outlet piping
- Blow down tower liquid overfill
- Failure of organizational controls
- Relief for reactive chemicals
- Low temperature in relief system due to expanding gas
- Maximum liquid rate vs. design capacity
- Type of relief device and reliability
- Heat tracing
- Restricted thermal expansion
- Materials of construction
- Momentum on relief pipes
- Vibration of piping / headers
- Inspection / testing philosophy
- Redundant relief valves
- Isolation philosophy

Instrumentation and control

- Control philosophy / strategy
- Location of instruments (remote control / field control)
- Fire protection
- Redundancies, back up
- Engineering station
- Panel arrangement and location
- Safety instrumented systems, SIL classification
- Process control, process optimization
- Fail safe philosophy
- Passive vs. active systems
- Auto/manual facility and human error
- Interlocks, forcing
- Instrument response time
- Accuracy, calibration, pulsing
- Data correction (temperature compensation)
- Bypassing instruments / emergency shut-down systems
- Set points of alarms and trips
- Permission to change set-points
- Time available for operator intervention
- Information / alarm management (overload, masking, prioritization, troubleshooting lists)
- Alarm and trip testing
- Trip/control amplifiers
- Defeating / acknowledging alarms
- Auto diagnosis functions
- Blocking / freezing of sensors or transmitters
- Failure modes (actuator, transmitter, controller)
- Out of range failure modes
- Testing philosophy for safety instrumented systems
- Bad actor analysis
- Spurious trips
- Plausibility checks
- Remote services (IT)
- Data protection
- Security guards
- Virus protection

Sampling

- Sampling procedures and sampling device
- Calibration, reliability, accuracy of representative sample
- Diagnosis of result and follow-up
- Testing and analysis method
- Purging, flushing, ventilation
- Sampling points, valves and plugging
- Loss of sample flow
- Online vs. laboratory sampling
- Sample disposal
- Sample cylinder testing
- Hazards of manual sampling (access, environment, release, personnel exposure)
- Sampling degradation, decomposition
- Transportation / storage of samples
- Records and feedback


Corrosion / erosion

- Cathodic protection arrangements
- Corrosion inhibitors
- Internal/external corrosion protection
- Possible contaminants (chlorides, H2S, water, ammonia, etc.)
- Embrittlement (e.g. zinc, mercury)
- Stress corrosion cracking
- Flange joints
- Fluid velocities
- Erosion, abrasion
- Subtle composition change
- Passing below dew point
- Hydrogen content, hydrogen sulphide, chloride
- Water content
- Corrosion under insulation
- Soil / air interfaces
- Corrosion of buried equipment
- Sealing
- Vibration
- Stress
- Fatigue, creep
- Injection / mixing points
- Equipment operating outside acceptable limits
- High temperature corrosion
- Deviations from integrity operating envelopes
- Thermal shock
- Water hammer/surging
- Stagnant/low points
- Failure of tank or basin liners
- Small bore pipe
- Dead ends
- Abandoned or out of service equipment
- Corrosion under deposit
- Biologically induced corrosion
- Underground piping
- Coating, fire protection
- Failure databases
- Corrosion monitoring
- Results from equipment inspection

Non-routine operation

- Purging
- Flushing
- Clearing blockages
- Steam out
- Start-up
- Start-up after emergency shut down
- Normal shutdown
- Emergency shutdown
- Emergency operations
- Recovering from emergencies
- Inspection of operating machines
- Guarding of machinery
- Extended operations
- Severe weather conditions
- Turnarounds
- Shift change
- Off shift operations
- Extended shift schedules
- Reduced shift personnel
- Regeneration
- Decoking
- Filter change
- Workarounds
- Emergency drills
- Authorization, accreditation

Maintenance

- Isolation philosophy
- Drainage
- Purging
- Cleaning
- Drying
- Slip plates
- Opening lines
- Hot tapping
- Inertization
- Temporary clamps, plugs
- Isolation lists
- Availability of spares
- Access (siting, manipulability, spacing)
- Rescue plan
- Training, certification
- Interface with operations
- Control posts
- Condition monitoring
- Pneumatic pressure testing
- Construction QA/QC
- Work permit system
- Lock-out, tag-out
- Lifting and manual handling
- Confined space entry
- Overhead lifting
- Pile driving

Spare equipment

- Installed/non-installed spare equipment
- Availability of spares
- Modified specifications
- Storage of spares
- Catalogue of spares
- Test running of spare equipment

Leak

- Fissures, cracks, rupture
- Flanges, valves, sealing leakages
- Drainage, vent, sampling
- Hazard potential (toxicity, flammability, pressure, temperature, etc.)
- Threaded connection
- Flange make-up
- Isolation philosophy
- Leaking pressure safety valve
- Fugitive emissions
- Leak detection methods
- Failed tank or basin liners
- Gas detection
- Exhaust vents
- Deluge systems
- Secondary containment
- Release from secondary containment
- Onsite impact (occupied buildings, utility installations, domino effects)
- Offsite impact (community, environment, infrastructure)
- Video surveillance
- Routine operator tours
- On site leak response, external support
- Evacuation procedures
- Emergency showers / eyewash
- Escape routes / equipment
- Self-contained breathing apparatus
- Sewer, oil recovery
- Emergency operations and shut-down
- Inventory reduction
- Groundwater monitoring
- Leak detection and repair programs (LDAR)
- Reasonable worst case scenarios


Ignition protection

- Static electricity
- Earthing and grounding arrangement (permanent, temporary)
- Insulated vessels/equipment
- Low conductance fluids
- Splash filling of vessels
- Insulated strainers and valve components
- Hoses
- Dust generation
- Electrical equalizing current
- Powder handling equipment
- Lightning protection
- Electrical sparks
- Hot surfaces
- Hot gases
- Open flames
- Pilot flames
- Fired heaters
- Exothermic reaction
- Adiabatic compression
- Electromagnetic waves, high frequency
- Electromagnetic waves, spectral range
- Ionizing radiation
- Ultrasound
- Infrared, laser
- Electrical area classification concept
- Flame arresters
- Hot work / hot work permit
- Welding, grinding
- Vehicles
- Use of mobile phones, cameras
- Smoking ban
- Mechanical sparks (gravel vs. metal)
- Auto ignition
- Metal fires, pyrophoric
- Hot equipment (product, steam)
- Friction (sealing, dry run)

Safety / emergency response

- Fire and gas detection system/alarms
- Emergency shut-down arrangements
- Emergency isolation arrangements
- Firefighting response time
- Emergency training
- Contingency plans
- Spray systems to dilute release
- Fire water run off
- Effluent disposal, waste
- Security arrangements
- Mutual aid
- Offsite emergency response
- Escape routes
- Temporary refuge
- Shower and eye wash
- First aid, medical resource
- Thresholds for exposures (toxic, radiation, noise)
- Testing of emergency equipment

Annex 6. HAZOP Worksheet Template

The template indicates the main content and set-up of a HAZOP Worksheet. It may be realized in standard office software or in software specialized for recording systematic hazard analysis. The layout of the template may be adjusted as needed; however, the principal information shall be maintained.

Node: (Description of node)

System boundaries: (Description of boundaries)

Operation mode: (Description of operation mode)

Design intent: (Description of design intent incl. important parameters)

Sessions: (Cross reference to List of Sessions, e.g. by date (ID))

Team: (Cross reference to List of Participants, e.g. by name (ID))

Document inputs: (Cross reference to List of Documents, e.g. by document ID)

ID | Deviation | Causes | Consequences | Safeguards | Recommendations / Notes
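As an added example (illustrative code, not part of the regulation), a small Python check that a worksheet record carries the principal information the template calls for: a filled node header, session, participant and document cross references that resolve against their lists, and rows with a cause, a consequence and at least a safeguard or a recommendation. The node, IDs and rows are constructed for the example.

```python
"""Consistency check for a HAZOP worksheet laid out as in the Annex 6 template.
Illustrative code, not part of the OMV regulation; sample data is constructed."""
from dataclasses import dataclass, field

@dataclass
class Row:                      # one line of the worksheet table
    id: str
    deviation: str
    causes: list
    consequences: list
    safeguards: list
    recommendations: list = field(default_factory=list)

@dataclass
class Worksheet:                # node header block plus the table rows
    node: str
    boundaries: str
    operation_mode: str
    design_intent: str
    sessions: list              # IDs referring to the List of Sessions
    team: list                  # IDs referring to the List of Participants
    documents: list             # IDs referring to the List of Documents
    rows: list

def check_worksheet(ws, known_sessions, known_team, known_docs):
    """Return findings; an empty list means the principal information is complete."""
    findings = [f"header field '{n}' is empty" for n in
                ("node", "boundaries", "operation_mode", "design_intent") if not getattr(ws, n).strip()]
    for label, refs, known in (("session", ws.sessions, known_sessions),
                               ("team", ws.team, known_team), ("document", ws.documents, known_docs)):
        findings += [f"{label} reference '{r}' not in register" for r in refs if r not in known]
    seen = set()
    for row in ws.rows:
        if row.id in seen:
            findings.append(f"duplicate row id '{row.id}'")
        seen.add(row.id)
        if not row.deviation or not row.causes:
            findings.append(f"row '{row.id}' lacks deviation or cause")
        if not row.consequences:
            findings.append(f"row '{row.id}' has no consequence recorded")
        if not row.safeguards and not row.recommendations:
            findings.append(f"row '{row.id}' has neither safeguard nor recommendation")
    return findings

# Constructed sample: the third row deliberately repeats an ID and leaves columns empty.
SAMPLE = Worksheet("N-01 Feed pump (constructed)", "Pump suction to discharge block valve",
                   "Normal operation", "Transfer feed at design rate", ["S-01"], ["P-01"], ["D-01"],
                   [Row("1.1", "Relief", ["Blocked relief path"], ["Overpressure"], ["Redundant relief valves"]),
                    Row("1.2", "Leak", ["Flange leakage"], ["Release to atmosphere"], [], ["Add gas detection"]),
                    Row("1.2", "Leak", [], [], [])])
```

Running `check_worksheet(SAMPLE, {"S-01"}, {"P-01"}, {"D-01"})` reports the duplicate ID and the three empty columns of the last row; passing an empty document register additionally flags the unresolved document reference.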
