A HAZOP study is only as strong as its treatment of safeguards. Teams often invest significant effort identifying causes and consequences, but the quality of the study ultimately depends on whether safeguards are identified, tested, and recorded rigorously. Poorly defined or unjustified safeguards create false confidence and hide real risk.
What Is a Safeguard in HAZOP?
A Safeguard is a device, system, or action that would likely interrupt the chain of events following an initiating cause or that would mitigate loss event impacts. Safeguards may prevent causes, detect deviations, or mitigate consequences.
Safeguards may:
- Preventive: Reduce the likelihood, e.g. relief valves, alarms, interlocks.
- Mitigative: Reduce the consequences, e.g., bunds, dykes, detectors, fire protection.
Safeguards may be engineered, procedural, or administrative, but none are 100% effective.
Types of Safeguards
1. Passive Safeguards
Passive safeguards are risk-reduction measures that do not require any action, activation, power, logic, or human intervention to perform their protective function. They are always present and effective by design. They are highly reliable but only mitigate consequences; do not prevent the event.
Examples: Blast walls, Bund walls, Passive fire protection (PFP), Dikes and containment pits
2. Active Safeguards
Active safeguards are protective measures that must act, detect, or respond to a hazardous condition to reduce risk. They rely on sensors, logic, power, human action, or mechanical movement to function. If they don’t activate when needed, they fail to protect. They can prevent escalation but dependent on power, logic, sensors, or people
Examples: Emergency Shutdown (ESD) systems, Fire & Gas (F&G) detection, Deluge and sprinkler systems, Trip systems, Procedural actions
3. Preventive vs Mitigative Safeguards
- Preventive safeguards stop the deviation from occurring and prevent it from developing into a full incident. These are Proactive Safeguards and reduce the likelihood of the incident.
(e.g., Alarms, ESDs, permissives, PSVs, etc.) - Mitigative safeguards reduce the impact of incident and act after the incident has begun. These are Reactive Safeguards and Reduce the consequences (severity, impact, damage, harm) of an incident that has already started. (e.g., blast walls, dyke wall, fire protection, emergency response etc.)
A robust HAZOP scenario prioritizes prevention, then control, then mitigation.
| Category | Passive Safeguards | Active Safeguards | Preventive Safeguards | Mitigative Safeguards |
|---|---|---|---|---|
| Definition | Risk-reduction measures that work by design and require no action, power, or activation | Safeguards that must detect, act, or respond to a hazardous condition | Safeguards that stop the deviation or initiating event from occurring | Safeguards that reduce the severity after the event has occurred |
| Action Required | None | Automatic or manual action required | Automatic or procedural action | Automatic or emergency response action |
| Dependency | No power, logic, or human involvement | Sensors, logic, power, or human response | Instrumentation, interlocks, procedures | Fire systems, relief, emergency systems |
| Failure on Demand | Very low | Possible | Possible | Possible |
| Primary Role | Consequence mitigation only | Prevention and/or mitigation | Event prevention | Impact reduction |
| Typical Examples | Blast walls, bund walls, PFP, dikes, containment pits | ESD systems, F&G detection, deluge, trips, procedures | Interlocks, permissives, alarms with action, PSVs procedures | Fire protection, dyke wall emergency response |
| Strength | Very high reliability | Can stop escalation and prevent accidents | Stops hazards before they develop | Limits damage to people, assets, and environment |
| Limitation | Cannot prevent the initiating event | Dependent on reliability and response | May fail due to sensor or human error | Does not prevent the event itself |
| HAZOP / LOPA Use | Credible mitigative safeguard | Must be justified and proven | Preferred safeguard type | Secondary line of defense |
Recording Safeguards in the HAZOP Worksheet
Principal safeguards must be clearly recorded in the HAZOP log sheet and:
- Referenced to specific equipment tags
- Linked directly to the cause or consequence
- Clearly described, not listed vaguely
The team should identify:
- What device or action is involved
- Whether it prevents, detects, or mitigates
- Whether it is inside or outside the node
- Whether it is independent of the cause
Listing “procedure,” “alarm,” or “operator response” without justification is not acceptable.
Challenging the Effectiveness of Safeguards
A key responsibility of the HAZOP team is to challenge safeguards, not accept them at face value. Key questions include:
- Is the safeguard independent of the cause?
- Does it act fast enough?
- Will it actually return the process to a safe state?
- Has it been designed for the specific scenario?
- Is its reliability and integrity adequate?
Safeguards that look good on a P&ID can fail when examined against real operating conditions.
Relief Valves as Safeguards
Pressure Relief Valves (PRVs) should only be listed as safeguards when it is confirmed that:
- The set pressure is appropriate
- The relief capacity is sufficient
- The valve is designed for the actual relieving scenario (e.g., two-phase flow, gas blowby or fire case)
If relief impairment is possible, it should be addressed under the Relief Guideword, not ignored. A PRV that is undersized or incorrectly designed is not a valid safeguard.
Operator Response as a Safeguard
Operator action can be a safeguard—but only under strict conditions.
Rule of Thumb
Human action is only considered reliable when:
- ≥10 minutes response time is available
- The situation is low stress
- Diagnosis is clear
- The response is simple and well documented
- Indications are clear and reliable
Key considerations:
- Does the operator need to go to the field?
- Is there enough time to act?
- Are multiple tasks required simultaneously?
- Is the alarm independent of the cause?
If the alarm is the first indication of the problem, its independence and clarity must be challenged.
Procedural Safeguards
When procedures are normally discouraged a as primary safeguards, But if are considered then the HAZOP team must:
- Verify that written procedures explicitly address the cause or consequence
- Ensure the correct action is clearly stated
- Confirm operators have time and capability to perform the action
- Recommend procedure review before start-up, if necessary
Simply writing “operating procedure” is meaningless. The procedure number and specific step must be referenced. But it is preferred to consider engineering safeguards in hazop study.
Describing the Action of Safeguards
To avoid weak or invalid safeguards, the team should describe how each safeguard works. This helps to:
- Confirm it actually restores the process to a safe state
- Identify partial or ineffective safeguards
- Prevent complacency
Example: Procedural Safeguard
Operating Procedure ABC-1234, Revision 3, Step 12 requires independent verification and sign-off of valve line-up by a second operator using a checklist.
Alarms as Safeguards
Alarm safeguards must describe:
- Set point
- Required operator action
- Available response time
- Reference to alarm response documentation
This ensures the alarm truly prevents escalation and is not just noise.
Trip Systems
Trip systems should clearly state:
- Initiating condition
- Trip set point
- Final actions (valves closed, vents opened, feeds isolated)
Describing the action allows quick validation of adequacy.
Mitigation Safeguards: A Dangerous Comfort Zone
Mitigation safeguards are often overstated. Statements like:
- “Fire and gas detection”
- “Emergency response”
- “Firefighting”
are meaningless unless:
- Detection coverage is confirmed at the release location
- The response is automatic or timely
- Specific equipment and procedures are referenced
Emergency procedures must point to specific response plans, not generic statements.
Why Poor Safeguard Identification Is Dangerous
Listing safeguards without testing their validity leads to:
- Complacency
- Underestimation of risk
- Weak or missing recommendations
- False belief that risk is controlled
A high-quality HAZOP requires balanced judgment of:
- Likelihood of the cause
- Severity of the unmitigated consequence
- Adequacy of safeguards
Only when all three are properly analyzed can meaningful recommendations be developed.
Top References:
- HAZOP: Guidelines to Best Practice for the Process and Chemical Industries by Frank Crawley & Brian Tyler
- The HAZOP Leader’s Handbook by PHIL EAMES
- Vista Oil & Gas Hazard Identification (HAZID) Studies
Certified Functional Safety Professional (FSP, TÜV SÜD), Certified HAZOP & PHA Leader, LOPA Practitioner, and Specialist in SIL Verification & Functional Safety Lifecycle, with 18 years of professional experience in Plant Operations and Process Safety across Petroleum Refining and Fertilizer Complexes.
