A successful HAZOP begins long before the first deviation is discussed, it starts with a clear set of ground rules that the entire team understands and agrees upon. These rules are not meant to be imposed by the facilitator, but shaped collaboratively so every member feels aligned on the methodology and expectations. While many principles are widely accepted across the industry, experienced practitioners and individual companies often refine them based on lessons learned and internal standards. The following ground rules form the foundation of an effective, consistent, and high-quality HAZOP study;
- Identify causes within the node boundary, but consider consequences anywhere in the system where the deviation can realistically propagate. At battery limits of plant, deviations from upstream and downstream are also be considered.
- Describe ultimate unmitigated consequences (i.e. without considering any safeguards). What will happen, where it will occur, and who or what will be harmed or damaged, assuming no safeguards acting. While, event frequency is assessed considering the existing safeguards.
- If the HAZOP team cannot reach consensus on a particular cause, its consequences, or safeguards scenario within 15 minutes, the topic shall be either parked as a “Parked Item” or a recommendation shall be raised for further review.
- Failures of protective systems are not considered as a cause of deviation, e.g., PSV failure to open on demand, ESD failure to initiate the trip, etc. these safeguards are considered as our last layer of defense before an accident happens. But for the potentially dangerous scenarios created due to operations of the protective layer can be discussed e.g. PSV operating open to atmosphere creates environmental damage or potential toxic release or fire.
- Failures of PTW (Permit to Work) related actions and maintenance errors are not considered credible causes of deviation in HAZOP studies. Because they fall under administrative controls and procedural compliance, not a process design weakness. HAZOP assumes that the PTW system and maintenance procedures are in place, enforced, and that certified personnel will follow the isolation and maintenance procedures correctly.
- Causes that are possible under “double jeopardy” conditions are not considered credible and not to be analyzed in a HAZOP study. Double jeopardy refers to the simultaneous failure of two unrelated (independent) systems at the exact same time—for example, an operator inadvertently opening a vessel gas-inlet valve while the high-pressure alarm fails at the same moment, resulting in over-pressurization. While double jeopardy scenarios are generally ignored in HAZOP, certain cases require further evaluation in which the consequences are very severe, even if the likelihood of the event is very low.
- A single check valve (NRV) is not specified as a safety-related device and shall not be credited as a safeguard for reverse-flow scenarios with Safety or Environmental impact, unless explicitly justified.
Check valves are not bubble-tight or positive shutoff devices, and leakage or failure is considered a credible scenario unless specific design measures are implemented. - Where reverse flow poses an over-pressurization or integrity risk to a low-pressure system, an engineered safeguard such as an automatic shutdown valve with reverse-flow or high-pressure detection is required.
- Installing two dissimilar check valves in series may be accepted only for minimizing reverse flow where the consequence is contamination, not where reverse flow can cause over-pressurization or threaten system integrity.
- When a system contains two or more identical trains or equipment, only one representative train is evaluated during the HAZOP. However, all associated operation, parallel operation, hot/cold standby, switchover, and isolation etc. will still be reviewed. Any recommendations identified for the representative train, apply equally to all other identical trains or equipment items.
- Hazardous event escalation may only be considered when its likelihood is supported by inputs from other studies (e.g., QRA, Fire & Explosion Analysis, or facility siting). The HAZOP team must document the initial consequence and the escalated consequence separately to avoid confusion and to preserve clarity in risk assessment.
- Flaring initiated by safety-related systems or depressurization devices operating on demand shall not be considered an environmental consequence in HAZOP studies. These actions are part of the designed safety response and are not treated as environmental deviations.
- Equipment or machinery is assumed to be properly designed, manufactured, inspected, and regularly maintained in accordance with plant management system requirements, with no inherent defects.
- Multiple causes may be grouped together in the HAZOP worksheet when they lead to the same consequence and share the same safeguards.
- Risk ranking shall only be carried out for the consequence categories that are actually affected. If the deviation results only in asset/equipment damage, then only the asset risk category shall be ranked, while the People and Environment categories remain blank and vice versa when the consequence affects only personnel or the environment.
- If a cause leads to a non-significant consequence, the scenario shall not be evaluated further and shall not be risk ranked in the HAZOP worksheet.
- Human errors are considered a valid and credible cause during HAZOP. Even though operators are trained and competent, real-world conditions such as stress, abnormal situations, start-up/shutdown, frequent changeovers, distractions, and workload can still lead to mistakes like opening/closing the wrong valve.
- Operating procedures are not accepted as primary safeguards. Operating procedures may only be considered when an engineered safeguard is not feasible, and even then, only with justified operator capability and proper training.
- HAZOP actions should focus on identifying hazards and proposing risk-reduction measures, shall not attempt to mandate or bind the design team to particular codes or standards.
- Design-related causes (e.g., drain line size, vent line size, vessel or tank dimensions) shall not be considered valid causes and does not evaluate or challenge design sizing, engineering calculations, or dimensions during the HAZOP review.
- Responsibility for HAZOP actions shall not be assigned to any person or party who is not present in the HAZOP meeting. All recommendations must be agreed by the team, and consensus cannot be achieved if the responsible party is absent from the discussion.
- The purpose of HAZOP is to review the design for hazards, operability issues, and safeguard adequacy—not to specify instruments for plant performance tracking. Any such needs may be noted separately in the Parking Lot Item list for consideration outside the HAZOP study.
- Power outage can be evaluated as a node-specific cause in the HAZOP study. For each node, the team shall consider what happens if electrical power to the equipment under review is lost, what deviations may occur, and what safeguards exist.
- Simultaneous operation of more pumps, compressors, or similar equipment than required shall be considered a valid cause in a HAZOP study.
- Fire Water Systems are not considered in HAZOP in the same manner as process units. Fire water systems are designed in accordance with NFPA and other international standards, and the HAZOP team may not possess the specialized expertise required to evaluate compliance with those design requirements.
- Non–P&ID-related safety issues generally are not addressed within the HAZOP worksheet; instead, they shall be recorded in the Parking Lot Item list and are transferred to the company’s Risk Register for follow-up.
- Prior to start the Hazop study agreed Risk Matrix should be used during risk assessment, otherwise develop a new agreed risk matrix.
- Alarms may be credited as safeguards only when alarm is independent from the cause, an operator has enough time, clear instructions, proper training, and the alarm is maintained and reliable. Unnecessary alarms should not be added in HAZOP, as alarm flooding reduces operator effectiveness.
Top References
- Generally Accepted HAZOP Rules in the Process Industry by Fayyaz Moazzam, PetroRisk Middle East
- The HAZOP Leader’s Handbook by PHIL EAMES
- Guidance for Process Hazard Analysis, Hazard Identification and Risk Analysis by Nigel Hyat.
- BP Hazard and Operability (HAZOP) Study (GP 48-02).
Certified Functional Safety Professional (FSP, TÜV SÜD), Certified HAZOP & PHA Leader, LOPA Practitioner, and Specialist in SIL Verification & Functional Safety Lifecycle, with 18 years of professional experience in Plant Operations and Process Safety across Petroleum Refining and Fertilizer Complexes.
