GP 48-02 - Hazard and Operability HAZOP Study
GP 48-02
Applicability Group
Date 12 June 2008
This Group Defined ETP has been approved by the GVP Safety
and Operations for implementation across the BP Group.
BP GROUP
ENGINEERING TECHNICAL PRACTICES
12 June 2008 GP 48-02
Hazard and Operability (HAZOP) Study
Foreword
This revision of GP 48-02 includes greater clarity on the applicability of the HAZOP Process,
relationship to the CVP, independence of the team leader, rigour and management of the HAZOP
process, and reference of the risk matrix in GDP 31-00-01, the Group Defined Operating Practice for
assessment, prioritization, and management of risk (issued 30 January 2008 as an implementation
draft).
These changes were so extensive that revisions have not been indicated in the margin as is normal
practice.
In the event of a conflict between this document and a relevant law or regulation, the
relevant law or regulation shall be followed. If the document creates a higher obligation, it
shall be followed as long as this also achieves full compliance with the law or regulation.
Table of Contents
Foreword
1. Scope
2. Normative references
3. Terms and definitions
4. Symbols and abbreviations
5. General
5.1. HAZOP purpose
5.2. Management responsibilities
6. Timing
6.1. Projects
6.2. Existing facilities
7. Terms of reference for HAZOP
7.1. General
7.2. Study scope
8. Team composition
8.1. HAZOP study leader
8.2. HAZOP study scribe
8.3. Selection of the HAZOP study team
9. Implementation
9.1. Planning and preparation
9.2. Drawings and information required
9.3. Execution of the study
9.4. HAZOP report
9.5. Follow-up
10. HAZOP methodology
10.1. General
10.2. Selecting nodes
10.3. Design intention
10.4. Process parameters
10.5. Guidewords and deviation
10.6. Causes
10.7. Consequences
10.8. Safeguards
10.9. Risk ranking
10.10. Recommendations
10.11. Human factors and facility siting
11. HAZOP of batch/sequential operations
12. HAZOP of control and computer systems
List of Tables
List of Figures
1. Scope
2. Normative references
The following referenced documents may, to the extent specified in subsequent clauses and normative
annexes, be required for full compliance with this GP:
BP
GDP 31-00-01 Assessment, prioritization and management of risk.
GP 48-03 Layers of Protection Analysis (LOPA).
For the purposes of this GP, the following terms and definitions apply:
BP Operations
BP Strategic Performance Units, Business Units, projects, facilities, sites, and operations.
Cause
Event, situation, or condition that results, or could result, directly or indirectly in an accident or
incident.
Competent
Describes an individual with knowledge and skills deemed acceptable by the EA to perform a task.
Appropriate knowledge and skill may be acquired through training, experience, qualifications, or some
combination of these.
Consequences
Direct, undesirable result of an accident sequence usually involving a fire, explosion, or release of
toxic material. Consequence descriptions may be qualitative or quantitative estimates of the effects of
an accident in terms of factors such as health impacts, economic loss, and environmental damage.
Design intent
The way a process or system is intended to function.
Deviations
Departures from the design intent. A guideword plus a parameter equals a deviation.
Guideword
Words such as “high”, “low”, and “no” that are applied to parameters to create a potential deviation
from the design intent.
Hazard
Condition or practice with the potential to cause harm to people, the environment, property, or BP’s
reputation.
Modification
Changes to existing facilities.
Operability
Ability to operate a facility inside the design envelope and meet business expectations.
Parameters
Conditions used to define a process, including flow, pressure, temperature, and level.
Risk
A measure of loss / harm to people, the environment, compliance status, Group reputation, assets or
business performance in terms of the product of the probability of an event occurring and the
magnitude of its impact. Throughout this Practice the term “risk” is used to describe health, safety,
security, environmental, and operational (HSSE&O) undesired events.
Safeguard
Device, system, or action that would likely interrupt the chain of events following an initiating cause
or that would mitigate loss event impacts.
What if analysis
Scenario based hazard evaluation procedure using a brainstorming approach in which typically a team
that includes one or more persons familiar with the subject process asks questions or voices concerns
about what could go wrong, what consequences could ensue, and whether the existing safeguards are
adequate.
For the purpose of this GP, the following symbols and abbreviations apply:
CV Control valve.
EA Engineering authority.
HP High pressure.
IM Integrity management.
LP Low pressure.
PM Preventive maintenance.
RV Relief valve.
5. General
6. Timing
6.1. Projects
a. CVP stage activity describes the timing and intentions for hazard identification studies
including HAZOP.
Design Safety Guidelines in MPcp should be used for selection of proper timing and
types of reviews for E&P projects.
Design Safety Guidelines in Pcp should be used for selection of proper timing and
types of reviews for R&M projects.
b. Hazard identification studies during project development include:
1. First, a high level review, perhaps HAZID, very early in the design development.
The study focuses on inherently safer design issues. It takes place when there may be
little or no design detail and may take approximately 1 d. The results of this early
review could directly influence the basis of design.
2. Second review follows as design details are developed. This may be a HAZID, What
If, or HAZOP.
This review takes place when P&IDs are available but not near completion. It
should be early enough to allow any major issues to be identified, changes to be
incorporated into the design, and cost impact of recommendations to be included in
the project estimate. This also allows LOPA to be held soon enough for the SIS
design to be sufficiently developed so that its cost can also be included in the project
estimate.
3. A HAZOP shall be conducted when the design stage is nearing completion. For the
purposes of this document, it is referred to as the ‘final design HAZOP’.
This provides assurance on the process or system design.
This review is performed at the end of Define or in the Execute stage.
The design and P&IDs for vendor packages are typically available later during
detailed design and, depending on timing, are likely to be subject to a separate
HAZOP review.
A consideration for the project team is whether the HAZOP should be one long
continuous HAZOP session or if the study should be conducted in smaller sessions.
There may be benefits in phasing the HAZOP sessions to match the issue timing for
P&IDs. If the study is conducted in phases, interactions between sections should be
addressed even if the sections are examined separately.
Recommendations developed in previous reviews should be actioned, tracked, and if
incomplete, added to the recommendations in subsequent reviews. For projects, this
ensures completion before startup, and for operations, it ensures recommendations
continue to receive focus.
c. A detailed P&ID review should be conducted before issuing the drawings as “Approved
for HAZOP.” This should include the following.
1. Review of regulatory requirements.
2. Drawing titles, numbers, tag numbers for equipment, design conditions, etc.
3. Operations review.
In a project, the key to a successful project HAZOP is strong emphasis by the
project on planning, development, and finalisation of design and P&IDs before
executing the project HAZOP. This can be achieved by application of inherently
safer design principles, engagement of operations expertise early in FEL, applying
value engineering processes early on, and conducting thorough P&ID reviews as a
part of P&ID development.
d. When the final design HAZOP has been completed, a MOC process shall be used to
consider any changes made to the design on which the HAZOP was based.
This minimises the effort required in implementing a project MOC.
e. Subsequent changes to the project as tracked by the MOC process should be the subject of
a HAZOP review.
This is also an opportunity to review changes to the design resulting from completed
recommendations in earlier HAZOPs.
7.1. General
a. A TOR shall be:
1. Developed for each study.
2. Subject to formal agreement between the BP Operations leader or delegate and the
HAZOP study leader before the study commences.
b. A typical HAZOP TOR document should include:
1. Objectives.
2. Scope.
3. Methodology including parameters and deviations to be used.
4. Personnel required to attend the meeting.
5. Schedule and deliverables.
6. Report recipient.
7. Distribution list.
8. Reference documents (e.g., HAZID, P&IDs, etc.).
c. The TOR should also identify and be forwarded to the BP Operations EA or Project EA
responsible for the hazard and risk management at that facility or on that project.
The formality of the TOR should be appropriate to the HAZOP. For a project, it may
be a detailed plan. For a minor change, it could be a brief statement addressing the
above points.
d. The principal recipient of the study report should be identified as part of the scope and
objectives in the TOR.
Developing the TOR helps ensure that a consistent understanding of the HAZOP
technique and its application is established among the HAZOP leader, project/site
management, and HAZOP team.
8. Team composition
The authority of the HAZOP leader should be defined in the TOR and agreed to
before initiating the HAZOP.
i. The HAZOP leader should have experience in other PHA or risk assessment techniques
such as consequences analysis, reliability analysis, and QRA, that may be recommended to
further address hazards identified by the HAZOP team.
j. The HAZOP leader should be familiar with LOPA requirements and should ensure that
information required to perform a LOPA is discussed and captured in the HAZOP
worksheets.
Selecting team members that represent more than one technical expertise or
affiliation helps to limit team size.
If contractors are used as team members, care should be taken to ensure that
adequate BP operational expertise is included in the study. The contractor should
not be totally responsible for providing the BP expertise.
One way to limit the size of the HAZOP team on a large project is to restrict the
specialist or Vendor representatives to only those days and/or sessions that require
their participation.
g. The core team should not be changed during the HAZOP study and the other team
members should not be changed frequently during the study.
9. Implementation
For projects, operating procedures may not yet have been developed.
Recommendations from the HAZOP can reference items that may be developed in
future operating procedures.
5. For operating facilities not undergoing major modifications, documentation should
reflect the “as built” facility before the HAZOP commences.
6. Study location should be selected based on location of design information, team
members, or the facility to be reviewed.
If practical, a site tour should be arranged for operating facilities.
If the study involves a review of an existing facility or one being modified by a
project, the study can be located near the site to provide easy access to the site for
addressing questions that may arise during the study.
Consideration can be given to locate the study offsite so that the HAZOP team can
focus its full attention on the review and not be subject to the distractions and
disturbances of an operating facility or engineering office.
7. The study room should be of sufficient size to comfortably accommodate the study
team and any specialist advisors with enough working table space for placing copies
of P&IDs for each team member.
14. Previous risk assessment. In particular, any consequence modelling that has been
completed should be available to the HAZOP team to assess the consequences of
identified causes.
15. Electrical loop diagrams.
16. Process sequence, for batch operations.
17. Ventilation system design.
18. Design codes and standards employed.
review the discussions made by the HAZOP team. It does not provide an auditable
trail of the HAZOP and a record of whether the deviation was considered.
c. HAZOP software
1. HAZOP software provides a systematic method for recording the study and
generating log sheets and other information for the HAZOP report.
2. HAZOP software should provide capability to follow the formalised sequence
detailed in 10.
Annex B shows typical HAZOP log sheets with the required information. Some
leaders and scribes may prefer to use a spreadsheet or writing program for short
studies.
d. For studies recorded using HAZOP software, an electronic copy of recordings should be
retained with the project or facility hazard analysis documentation.
In some cases, it may be necessary to transfer the file into a Word or PDF format so
that it is readily accessible to people without the HAZOP software.
e. The HAZOP leader shall be accountable for clearly marking up the nodes on the HAZOP
master P&IDs and including these drawings with the HAZOP report.
Typically the node marking is done with coloured highlighters. It is very helpful for
the leader or scribe to mark on the drawings the number of each recommendation
close to the relevant point on the P&ID. This may be done outside review sessions.
It is best to mark the recommendation numbers on the drawings at the end of the
study since during the course of the study recommendations may be combined,
added, or deleted.
f. The HAZOP leader shall ensure that names, expertise of team members and participants,
and attendance for each HAZOP session are documented for the HAZOP record. The
competency of the leader should also be documented.
Typically, the HAZOP scribe records the attendance for each session.
The HAZOP team is responsible for the quality, accuracy, and completeness of the
HAZOP worksheets. After the final HAZOP review session, HAZOP log sheets
should be issued in draft form to the Client/Project Representative or operating site
representative. It is advisable to print the log sheets at the end of every day to allow
the entries to be checked over. It usually falls on the leader to do this and then any
corrections (clarity, accuracy, and logic) can be discussed with the team before
moving on to the next day’s work.
Using software for recording HAZOPs provides capability to project the PC display
so that all the team members (including the leader) can review the log sheets as they
are recorded. However, it is important that the leader keep the team focused on the
HAZOP as opposed to grammar, spelling, etc. Outside information is often used to
complete the log sheets or answer team questions. This can include information
from the results of detailed consequence analyses, PRD analyses, outside
calculations from team members, etc. If appropriate, this outside information should
be referenced within the log sheets for the benefit of future reviewers. This can be
valuable for future MoC work or safety studies.
g. The leader should ensure that the HAZOP recommendations are clear and complete and
that there is HAZOP team consensus on recommendations, including revisions made
outside the review sessions, with the exception of minor grammatical corrections. Some
considerations for writing recommendations are:
1. Written to be standalone (understandable without the benefit of the worksheets).
Any well-written recommendation contains the three Ws - What, Where, and Why (e.g., add a
relief valve downstream of positive displacement pump P-101 to prevent casing
overpressure in the event of accidental shut-in).
2. Written so that recommendations are accomplishable and have a clear point of
closure.
Some recommendations may be unresolved at the time of a particular review
session, and a team member(s) may be given an action to follow up outside of the
session. The whole team should review the final recommendation arising from these
items at a later session.
h. If the team cannot reach consensus on a recommendation, the HAZOP leader shall be the
final arbiter.
g) Recommendation summary.
h) References (list of P&IDs and other data used).
i) Distribution list.
2. Appendices
a) TOR for the HAZOP study.
b) HAZOP log sheets.
c) List of recommendations from the study.
d) Team attendance for each session.
e) Colour marked P&IDs with node numbers.
f) Human factors and facility siting issues (checklists used or other related studies).
g) Risk matrix from Appendices 1, 2, and 3 of GDP 31-00-01.
h) Any incidents considered.
i) MoCs reviewed or P&ID change logs.
j) Information that was referenced in the log sheets or used extensively by the
team.
This can include calculations, detailed consequence analyses, or other useful
information compiled for or during the HAZOP that would be useful reference
material for future MoC or safety issues.
It may be beneficial to produce an annex to the full report that contains only those
guidewords/causes/consequence discussions that resulted in recommendations. It
may also be beneficial to sort the recommendations by risk ranking, if applicable, to
give priorities on recommendations.
9.5. Follow-up
a. Recommendations shall be addressed in a timely manner and tracked until closure. To
achieve this, each recommendation should be assigned to a responsible party with a target
completion date for follow-up.
b. Technical reasons for recommendation resolution including suggestion of a different
action, or rejection, shall be clearly stated in writing. A formal record should be kept of
such decisions which can be accessed in the future if required.
c. If recommendations and actions cannot be agreed with the project or BP Operation to the
satisfaction of the HAZOP leader then the Project EA or BP Operations EA shall be
informed. The EA shall attempt to get resolution with the Project Manager or BP
Operation leader but if this is not possible the EA shall raise the issue to a higher EA until
agreement is reached with the BP Operation leader.
d. For projects, the Project manager shall ensure that agreed recommendations are addressed
in an appropriate timescale as dictated by project schedule.
The PHSSER teams will review and audit action progress at various stages of CVP
in accordance with GP 48-01, as well as the compliance of the HAZOP strategy and
process with this GP.
Completion of recommendations should also consider the amount of work involved
in completing the tasks. Administrative and documentation recommendations should
be completed in a reasonably short period while recommendations requiring
extensive engineering and installation during unit downtime may require years to
complete.
e. BP Operations leader shall ensure that agreed actions are followed through to an
appropriate conclusion. A person should be nominated to do this and instructed to report
formally at regular intervals while the action remains outstanding.
f. A full audit trail of responses and actions completed in respect of each recommendation
shall be maintained for the life of the facility.
Report recommendations, Project or Asset Management responses, and supporting
documentation should ideally be recorded in a records system, which will permit
ready retrieval, status reporting, progress chasing, and independent audit. The
supporting documentation should include appropriate reports, memos, drawings,
and other communications demonstrating that the recommendations arising from
the HAZOP have been carried out or otherwise resolved.
g. BP Operations EA or Project EA should ensure that an effective means of tracking
recommendations is in place and accomplishes the following:
1. Tracks the status of open action items.
2. Records the action item closure and approval by project or site authority (approved
action response sheets should be retained with the log sheets).
3. Includes or references documentation requirements.
4. Tracks the transfer of action items between delivery teams (e.g., project to
commissioning).
To facilitate future reviews and use of material for training purposes, it is useful if
the log sheets are updated to include the actual actions taken when the
recommendations are closed out.
To assist in this activity, project teams or facility teams may choose to use a
separate HAZOP Recommendation Action Tracking system.
5. Provides for a confirmation of completion including by field-verification for
operating facilities.
h. Relevant recommendations and actions from HAZOP reports and related study documents
shall be communicated to members of the BP workforce who may be affected by them.
Local law may impose additional communication requirements, including a
requirement to make the risk assessment accessible to persons who work with or
near the studied risk.
i. For operating facilities, an MOC process shall be followed for approved changes resulting
from HAZOP recommendations.
MOC ensures that employees are advised on changes to procedures and/or
equipment and any relevant training provided at the time of change. It also guards
against the resolution of the recommendation inadvertently introducing a new risk.
10.1. General
The HAZOP study shall follow the sequence illustrated in Figure 1.
A HAZOP study is a structured methodology for hazard identification. It is an
investigation technique that is designed to inspire imaginative thinking (or
brainstorming) by a team of experts to identify hazards and major operational
problems while examining a process or facility in a thorough and systematic
manner.
properly managed, could lead to overlooking hazards. Selecting a proper node size
and guiding the team through the node are crucial for the success of a HAZOP study.
a. Nodes should be selected by the HAZOP Leader, but team members may also provide their
input.
b. To ensure that the design intentions of each node can be easily and clearly understood, the
nodes should be selected by function.
This GP does not intend to prescribe exact node size. Such a decision is left up to the
HAZOP leader and team members. Several factors influence size and complexity of
a node including leader and team experience, hazards of the process, and
complexity of the control system.
c. The following criteria should be considered in selecting the appropriate transition to the
next node:
1. Change in design intent.
2. Change in state (e.g., from liquid to vapour).
3. Major pieces of equipment.
4. There could be confusion over which piece of process equipment is being discussed
(e.g., if the deviation is more flow and there are multiple lines in the node, there may
be confusion over which line is being discussed).
If nodes are selected with multiple lines, the leader should ensure that team
members are together and thinking about the same line. This can be done by the
leader systematically guiding the team to review one line at a time.
d. Different operating nodes
1. If a node has more than one design condition or operating mode (e.g., normal
production and in-situ molecular sieve regeneration), each operating mode/operation
condition shall be considered (i.e., each of the nodes should be repeated for the
different operating modes/operating conditions).
2. The different operating modes should be clearly documented in the HAZOP log sheet
and report.
e. Parallel trains
1. Parallel trains may be reviewed independently or one train may be reviewed and the
next train may be reviewed based on the first.
2. If the latter approach is taken, the trains shall be compared in detail to ensure that any
differences in control, instrumentation, piping arrangement, and equipment design are
identified and considered.
c. The design intent defines how a component or system is expected to operate and the
purpose of the system. This includes the design flow, temperature, pressure, level, and
other relevant details.
d. The design intent of each parameter should be established, documented, and understood by
team members.
The design intent (or design operating conditions) of the study node are usually
available in the material balance sheet. The process engineer or other team member
should be familiar with the design intent of the process.
Design intent includes the design flow, temperature, pressure, level, and other
relevant details such as composition.
Parameters (rows) against guidewords (columns):

| Parameters | More | Less | No | Reverse | Part of | As well as | Other than |
|---|---|---|---|---|---|---|---|
| Flow | More flow | Less flow | No flow | Reverse flow | Wrong ratio | Contamination | Wrong direction (reverse flow) |
| Pressure | High pressure | Low pressure | Vacuum | | | | |
| Temperature | High temperature | Low temperature | | | | | |
| Level | High level | Low level | No level | | | | |
| Reaction | High reaction | Low reaction | No reaction | Reverse reaction | | Side reaction | Wrong reaction |
The process for selection of the parameters and guidewords should be documented
in the HAZOP report. The HAZOP leader and team should exercise caution in the
selection of guideword and parameter combinations because it could set the scope
of the HAZOP and place a limit on the types of hazards which could be identified.
A list of typical guidewords and descriptions applicable to continuous process
HAZOP is available in Annex A, Table A.1. A more extensive list of deviations used
in the chemical and petroleum industries is also available in Annex A, Table A.2, with
detailed descriptions.
A list of typical deviations and descriptions applicable to interlock and control
systems is available in Annex A, Table A.3. As interlocks are encountered in a
HAZOP, these guidewords can supplement the review by providing a better analysis
of the interlock function, its ability to achieve design intent, limitations, potential
effects on the process and recovery from trip of the interlock.
b. Process parameters and guidewords (and hence deviations) should be applied to each
process node, as appropriate. If no issues are found, it should be documented that the
deviation was considered, but there were no issues of concern.
c. Different guideword/parameter deviations may be used for nonprocess facilities.
10.6. Causes
a. All potential causes should be established for each deviation from intention considered.
b. There may be multiple causes for each deviation. In such cases, each cause should be listed
separately.
c. Causes can be due to a range of events. Some examples are human error, equipment
failure, process upset, or external event.
For example, a control valve could fail closed because of human error, loss of
instrument air or electrical signal, actuator failure, etc. Similarly, a block valve
adjacent to the control valve could be inadvertently closed due to human error. All
of these causes have the same effect, blocked flow. The important point is that this
information is included so that the correct initiating frequency can be used in
subsequent analyses.
d. Causes should be specifically defined using the proper equipment, instrumentation, and
piping tags.
e. Multiple-cause events shall be considered if they are the result of a common mode failure
or a process dependency.
“Double jeopardy” events are not typically included in the HAZOP studies. Double
jeopardy events are multiple independent events occurring at the same time and
causing a hazardous situation (e.g., a level control failure on one tower that causes
liquids overhead and a level control failure on another tower also causing liquids to
the same overhead system if the system is not expected to handle liquids from both
towers). If the causes are independent, they are considered double jeopardy. In
determining if the causes are independent, careful consideration should be given to
common mode failures and process dependencies.
When encountering potential cases of “double jeopardy”, the team should consider
the severity of the consequences. There may be cases in which the consequences are
so severe and unacceptable that action is needed, even if the likelihood of the
“double jeopardy” event is very low.
f. The cause is identified within the node being studied. However, the resulting consequence
may occur throughout the process.
Holding the cause to within the node and identifying consequences outside the node
is the typical approach. An alternative HAZOP methodology is to identify
consequences within the node and then to identify causes for each consequence
inside and outside of the node. Both approaches can be acceptable and are driven
by BP Operations practices. The leader and HAZOP team should ensure that the
selected methodology is consistent with client expectations and, once adopted, is
applied consistently throughout the study for thoroughness.
g. If the node starts from a battery limit, deviations from upstream and downstream shall also
be considered.
For example, a node at the front end of the process boundary limits should consider
upstream deviations, or a node at the back end of where the HAZOP ends for the
process should consider downstream deviations. This approach is also applicable to
deviations in process utilities to which a node is tied.
In the HAZOP review of major modifications and equipment changes, potential
effects from deviations upstream and downstream of the change should be
considered since causes outside the scope of the change may not be evaluated as a
part of the study.
h. Same cause under multiple deviations
1. There are opportunities to identify the same cause under multiple deviations.
2. As long as the consequences and safeguards are fully defined and documented, there
is no requirement to document details for the same cause in each of the deviations.
3. An example would be a valve closing could result in no flow or a change in pressure
or level.
It is important that the HAZOP team documents the review of the deviation; however,
if recommendations are made under another deviation, the HAZOP team should
state that “No new issues” are identified.
i. LOPA
1. HAZOP is typically used as the basis for LOPA.
There are other hazard identification and risk analysis techniques that may be used
to feed into LOPA. In the majority of instances, HAZOP forms the basis. The
remainder of the document is written from the point of view of using the HAZOP as
the input.
2. Causes identified in the HAZOP can be used as an initiating event in LOPA.
3. All causes (including failure mode) shall be identified and clearly stated.
This saves effort in preparation of LOPA.
j. The cause should not be a restatement of deviations or consequences.
10.7. Consequences
a. The leader shall challenge HAZOP team members to identify all potential practical
consequences of each cause, especially the potential for harm to people and the
environment.
In some cases, that might be considering the worst consequence and lower
likelihood while in other cases, it might be the more likely but less consequential
outcome.
b. The discussion should consider the unmitigated consequences - those consequences
without giving any credit to the safeguards (assuming all safeguards fail). Safeguards are
discussed and documented in the next step.
10.8. Safeguards
a. In the next step the team should identify the engineered system (as defined in the P&IDs
and other engineering information) and administrative controls (such as operator response
to alarms) that can prevent or mitigate the hazard.
b. The team should also consider whether operability is impaired if any deviations occur or
whether design could be improved to give the operator better information or facilities to
prevent/control/mitigate the hazard.
c. Principal safeguards (engineering and administrative controls) shall be recorded in the
HAZOP log sheet referencing the appropriate equipment tags.
d. Typical safeguards (or protection layers) that prevent or minimise consequences and
likelihoods are described in Figure 2. This develops information required for a LOPA
evaluation.
e. Relief valves should be listed as safeguards only after it has been confirmed that the relief
valve size and set pressure are sufficient for the consequence being considered.
This can be accomplished either through review of data on the P&IDs or relief
device data sheets.
f. If operating procedures are identified as the primary safeguard preventing/mitigating a
safety consequence, the HAZOP team shall:
1. Ensure written procedures address the cause/consequence identified and the
appropriate action described in the safeguard, and
[Figure 2: typical safeguards (protection layers). Labels recovered from the figure: barricades, dikes; critical alarms; safety instrumented systems; process design.]
The safeguards shown in Figure 2 are also considered in LOPA. However, unlike
HAZOP, LOPA considers only IPLs as safeguards in assessing capability to reduce
risk.
10.10. Recommendations
a. A recommendation shall be made if the team judges that any of the following are true:
1. Engineered systems and administrative controls are unlikely to prevent or sufficiently
mitigate a consequence.
2. An operability concern is sufficiently severe that it requires attention.
3. There is a shortfall in compliance with a regulation or BP standard.
Recommendations can be design changes, procedural changes, or issues requiring
further study. The recommendation needs to be understandable, concise, and
unambiguous, clearly address the identified hazard, and be effectively completed.
b. Recommendations should meet the following.
1. Stand alone, such that it is understandable without benefit of the log sheets.
Sometimes recommendations are placed on an action list, not accompanied by the
appropriate deviation, cause, consequence information. The person responsible for
closing the recommendation needs to fully understand the hazard.
2. Be able to be accomplished - have a clear point of closure.
3. Be understandable, concise, and unambiguous.
Including equipment/piping/instrumentation names or numbers can aid in the clarity
of the recommendation.
4. Be clearly worded to address the identified hazard.
5. Be thorough (identifying the reason for the recommendation and clearly
communicating the intentions of the HAZOP team).
Sometimes recommendations are placed on an action list, not accompanied by
appropriate deviation, cause, consequence information. The person responsible for
closing the recommendation needs to fully understand the hazard.
c. The HAZOP team should focus on addressing hazards and not try to design the solution to
problems identified. If the team is not certain how to prevent or mitigate the hazards, the
team should recommend a further study to determine the resolution.
The purpose of the HAZOP is to identify hazards, not to engineer solutions.
Recommendations calling for further review should be avoided if such reviews can
be readily accomplished by the HAZOP team and are within its charter.
d. Recommendations shall not be modified without the concurrence and authority of the
HAZOP team.
The leader can use various techniques for ensuring that the team has reached
consensus.
h. Guidewords in g. shall include use of the main process parameter guidewords (relating to
flow, pressure, temperature, level, and composition) on associated facility sections
(HAZOP nodes) at appropriate steps in the procedure.
For sequential operations, it is appropriate to document the overall design intention
of the procedure or subsection of a large procedure and, in addition, to consider the
design intent and inherent hazards of each step of the operation before considering
deviations from the intention.
a. Control systems, such as programmable electronic systems, due to their inherent flexibility
and complexity, have the potential to create common mode failures that result in multiple
simultaneous process deviations. A CHAZOP study reviews how control and computer
systems can fail and the consequences of deviation from design intent.
The traditional HAZOP does not address issues associated with the control system.
b. In addition to the competencies listed for traditional HAZOP team leaders, the HAZOP
leader of a computer or control HAZOP should have experience in control or systems
HAZOPs.
c. The response of the control system to a deviation or the potential cause of a deviation by a
control system should be factored into the HAZOP.
d. Based on the types and complexity of the control systems within the scope of the HAZOP,
a decision shall be made as to whether the traditional HAZOP adequately addresses control
system issues or whether a control system HAZOP (a.k.a. CHAZOP) or other types of
studies are necessary.
For traditional HAZOPs, substantial knowledge of the control system is needed in
order to identify potential control system induced secondary deviations in response
to the original, primary deviation. Often, a traditional HAZOP can be augmented by
adding a review of the I/O cards of a computer based control system. Assuming the
common mode failure of any single card failing, the points on that card can be
reviewed to determine if any resulting multiple simultaneous process deviations
would create a safety or environmental hazard.
e. The list of typical guidewords and deviations available in Annex A, Table A.3 may be used
to address interlock and control systems.
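The I/O card review described in item d. can be tabulated before the session. The following is an added example, not part of GP 48-02: all tags, card names, hazards and field names are constructed assumptions. It groups points by card, lists the simultaneous deviations a single card failure would cause, and shows which protection for each hazard is lost with the card and which remains on other cards.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IOPoint:
    tag: str           # instrument tag (constructed)
    card: str          # I/O card the point is wired to (constructed)
    node: str          # HAZOP node the point belongs to
    role: str          # "control", "alarm" or "trip"
    protects: str      # hazard the point helps control
    on_card_loss: str  # process deviation expected if the card fails


# Constructed sample I/O assignment list.
POINTS = [
    IOPoint("LIC-101", "AI-03", "Node 1", "control", "V-101 overfill", "High level"),
    IOPoint("LAH-102", "AI-03", "Node 1", "alarm", "V-101 overfill", "Deactivated level alarm"),
    IOPoint("FIC-110", "AO-01", "Node 1", "control", "P-101 low flow", "No flow"),
    IOPoint("PIC-201", "AO-01", "Node 2", "control", "C-201 overpressure", "High pressure"),
    IOPoint("LSHH-103", "DI-07", "Node 1", "trip", "V-101 overfill", "No interlock"),
    IOPoint("TIC-305", "AI-05", "Node 3", "control", "E-301 high temperature", "High temperature"),
]


def review_card_failures(points):
    """Return, per card carrying two or more points, the simultaneous
    deviations caused by losing that card and the protection left per hazard."""
    by_card = defaultdict(list)
    by_hazard = defaultdict(list)
    for p in points:
        by_card[p.card].append(p)
        by_hazard[p.protects].append(p)

    findings = {}
    for card, lost in sorted(by_card.items()):
        if len(lost) < 2:
            # One point gives one deviation, already covered node by node.
            continue
        hazards = {}
        for hazard in sorted({p.protects for p in lost}):
            lost_tags = [p.tag for p in lost if p.protects == hazard]
            remaining = [p.tag for p in by_hazard[hazard] if p.card != card]
            hazards[hazard] = {
                "lost": lost_tags,
                "remaining": remaining,
                # True when the card takes out more than one layer for the
                # same hazard, e.g. the control loop and its alarm together.
                "shared": len(lost_tags) > 1,
            }
        findings[card] = {
            "deviations": [(p.node, p.tag, p.on_card_loss) for p in lost],
            "nodes": sorted({p.node for p in lost}),
            "hazards": hazards,
        }
    return findings


if __name__ == "__main__":
    for card, f in review_card_failures(POINTS).items():
        print(f"Card {card} fails: nodes affected {', '.join(f['nodes'])}")
        for node, tag, deviation in f["deviations"]:
            print(f"  {node} {tag}: {deviation}")
        for hazard, h in f["hazards"].items():
            note = "layers lost together" if h["shared"] else "single layer lost"
            left = ", ".join(h["remaining"]) or "none on other cards"
            print(f"  {hazard}: {note}; remaining: {left}")
```

Cards flagged with `shared` set are the ones where a cause and its safeguard are not independent, which also bears on the double jeopardy test in 10.6 e.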
a. If the current HAZOP conforms to this GP, HAZOP shall form a basis for LOPA.
LOPA is applied to the hazard, not to the cause. In LOPA, it is necessary to consider
a hazard first and then consider all causes related to the hazard from related nodes.
LOPA is typically conducted immediately following a HAZOP, but in some cases is
conducted in conjunction with HAZOP.
GP 48-03 provides requirements on LOPA. The key information needed for LOPA
from HAZOP is as follows:
• Process deviation and initiating cause.
• Consequence and severity category.
• Safeguards.
LOPA relies on the result of HAZOP for hazards and associated initiating causes. It
is important that all hazards and initiating causes are captured during HAZOP.
b. The team shall identify the scenarios that are consequence categories D through F on the
risk matrix in GDP 31-00-01, Appendices 1, 2, and 3 for evaluation in a LOPA.
c. The key participants in HAZOP should also participate in LOPA per team member
description defined in GP 48-03.
d. The HAZOP leader should be familiar with the information required to conduct a LOPA
and should ensure that the information is discussed and captured on the log sheets.
If a different team is used in LOPA, the LOPA team should spend some time to get
familiar with the process and discuss the same hazards already addressed in the
HAZOP study.
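The hand-off from HAZOP log sheets to LOPA described above can be sketched as follows. This is an added example, not part of GP 48-02: the log rows, tags and field names are constructed assumptions, and "X" is a placeholder for any consequence category outside D through F. It groups rows by hazard rather than by cause, collects the initiating causes from all nodes, and reports rows that lack the information LOPA needs.

```python
from collections import defaultdict

# Per the text above: consequence categories D through F are evaluated in LOPA.
LOPA_CATEGORIES = {"D", "E", "F"}
# Text fields a row must carry before it can feed a LOPA scenario.
TEXT_FIELDS = ("deviation", "cause", "consequence")

# Constructed HAZOP log rows.
LOG = [
    {"node": "Node 1", "deviation": "No flow", "cause": "FV-110 fails closed",
     "consequence": "P-101 seal failure, hydrocarbon release",
     "severity": "E", "safeguards": ["FAL-111"]},
    {"node": "Node 2", "deviation": "High level", "cause": "LV-201 fails closed",
     "consequence": "Liquid carryover to flare header",
     "severity": "D", "safeguards": ["LAH-202"]},
    {"node": "Node 3", "deviation": "High level", "cause": "LT-301 fails low",
     "consequence": "Liquid carryover to flare header",
     "severity": "D", "safeguards": []},
    {"node": "Node 1", "deviation": "Less flow", "cause": "Filter F-102 fouled",
     "consequence": "Reduced throughput",
     "severity": "X", "safeguards": ["PDI-103"]},
    {"node": "Node 2", "deviation": "High pressure", "cause": "",
     "consequence": "V-201 overpressure",
     "severity": "F", "safeguards": ["PSV-203"]},
]


def build_lopa_scenarios(log):
    """Group category D-F rows by hazard (consequence) and collect every
    initiating cause across nodes. Returns (scenarios, gaps)."""
    scenarios = defaultdict(
        lambda: {"severities": [], "initiating_causes": [], "safeguards": []}
    )
    gaps = []
    for row_no, row in enumerate(log, start=1):
        if row["severity"] not in LOPA_CATEGORIES:
            continue
        missing = [f for f in TEXT_FIELDS if not row.get(f, "").strip()]
        if missing:
            # Incomplete rows go back to the HAZOP team, not into LOPA.
            gaps.append((row_no, row["node"], missing))
            continue
        s = scenarios[row["consequence"]]
        if row["severity"] not in s["severities"]:
            s["severities"].append(row["severity"])
        s["initiating_causes"].append((row["node"], row["deviation"], row["cause"]))
        # HAZOP safeguards are candidates only; LOPA credits only IPLs.
        for sg in row["safeguards"]:
            if sg not in s["safeguards"]:
                s["safeguards"].append(sg)
    return dict(scenarios), gaps


if __name__ == "__main__":
    scenarios, gaps = build_lopa_scenarios(LOG)
    for hazard, s in scenarios.items():
        print(f"{hazard} (category {'/'.join(s['severities'])})")
        for node, deviation, cause in s["initiating_causes"]:
            print(f"  {node}: {deviation} <- {cause}")
        print(f"  candidate safeguards: {', '.join(s['safeguards']) or 'none'}")
    for row_no, node, missing in gaps:
        print(f"Row {row_no} ({node}) missing: {', '.join(missing)}")
```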
Annex A
(Informative)
Guidewords and deviations for HAZOP
| Deviation | Causes |
| --- | --- |
| More flow | Bypass valve open; Increased pumping capacity; Operation of pumps in parallel; Reduced delivery head; Change in fluid density; Exchanger tube leaks; Burst pipe; Worn or deleted restriction orifice plates; Cross connection of systems; Control faults; Control valve trim changed; Control valve fails open; Increased flow from upstream process; Large leak; Wrong valve open; Wrong lineup or misdirected flow; Slug flow; Water hammer |
| Less flow | Line restriction; Filter fouled; Defective pumps; Competing pump heads and flows; Fouling of vessels, lines, valves, or orifice plates; Density or viscosity changes; Surging; Inadvertently throttled valve; Incorrect valve sizing; Wrong lineup |
| No flow | Block valve closed; Wrong lineup; Slip blind installed; Control valve fails closed; Incorrectly installed check valve; Equipment failure (control valve, isolation valve, pump, vessel, instrumentation, etc.); Plugged line; Incorrect pressure differential; Isolation in error; Power failure |
| Reverse flow | Malfunctioning, omitted, wrong type of check valves (note that check valves are not usually bubble tight or positive shutoff devices); Siphon effect; Incorrect differential pressure; In line spare equipment; Two way flow; Emergency venting; Wrong lineup or misdirected flow; Connections to utilities (water, N2, flush systems, etc.) |
| Misdirected flow | Valve open in error or passing allowing material to be routed to an unintended location |
Wrong Human error Line restriction Defective pumps
percentage Malfunction of control valves Filter fouled Fouling of vessels, lines,
valves, or orifice plates
Contamination/ Leaking valves Improper mixing Wrong additives or catalysts
composition Leaking exchanger tubes Ingress of air, water, or rust Catalyst poisons
Changes to feedstock Identify nitrogen interfaces to Preparation for shutdown and
Stream composition process startup operations
Stream contaminants Inadvertent mixing Solvent flushing
Inadequate quality control Explosive mixtures Phase inversion
Process control upset reaction Interconnected systems Sphere rollover
intermediates (especially services, blanket Tower tray damage
systems)
Byproducts
Wrong material Human error Leaking exchanger tubes Stream composition
Leaking valves Changes to feedstock Stream contaminants
High pressure Design pressures Inadequate or defective Failure of ejector/eductor
Specification of pipes, vessels, isolation procedures for relief system
fittings, and instruments valves More reaction
Pressure range for abnormal Thermal overpressure Plugged pressure tap
operations Positive displacement pumps Obstructed relief
Surge problems Control valves failed (closed or Pressure testing
Leakage from interconnected open)
Excessive heating
high pressure system (HP to Increased centrifugal pump
LP interface) suction pressure - startup of Exchanger tube leak
Gas breakthrough (inadequate spare pump
venting)
Low pressure/ Cooling Compressor suction line Blockage of blanket gas
vacuum Condensation Undetected leakage Failure of vacuum relief
Gas dissolving in liquid Vessel drainage procedure Inadequate NPSH
Restricted pump
High Fire situation Heater control failure Decoking
temperature Ambient conditions Internal fires Heats of reaction
Fouled or failed exchanger Reaction control failures Mixing, reactor hot spots,
tubes Heating medium leak into decomposition, or runaway
Cooling water failure process reaction, absorption, or
solution.
Air cooler malfunction Heat tracing
Burn protection
Defective control Regeneration
Abnormal operations
| Low temperature | Cold weather operations; Ambient conditions; Reducing pressure; Depressuring liquefied gas; Fouled or failed exchanger tubes; Loss of heating; Joule/Thomson effect; Endothermic reaction; Control failure |
| High level | Outlet isolated or blocked; Inflow greater than outflow; Control failure; Faulty level measurement; Incorrect calibration; Filling operations; Liquid in vapour lines; Vessel overflow; Deactivated level alarm; Inadequate time to respond; Interface level control; Phase inversion; Slug flow; Condensation |
| Low level/no level | Inlet flow stops; Leak; Drain valve left open; Outflow greater than inflow; Gas in liquid lines; Control valve malfunction; Faulty level measurement; Incorrect calibration; Two phase flow; Plugged instrument taps; Inadequate residence time; Inadequate mixing, excessive heating |
| High reaction (runaway reaction) | Wrong reactant mix; High temperature; Incompatible chemical; Side reactions |
| Low reaction/no reaction (incomplete reaction) | Wrong reactant mix; Low temperature; Insufficient catalyst; Channelling |
| Reverse reaction | Wrong reactant mix; Low temperature; Insufficient catalyst; Channelling |
| Side reaction | Wrong reactant mix; Low temperature; Insufficient catalyst; Channelling |
| Wrong reaction | Wrong reactant mix; Low temperature; Insufficient catalyst; Channelling |
| Excessive mixing | Agitator set at wrong speed |
| Poor/no mixing | Agitator set at wrong speed; Drive stops; Agitator blade drops off; Coupling failure; Poor mixing; No baffles |
Relief Design basis for relief: How is overpressure protection provided?
Relief for process Effect of debottleneck on relief Relief composition (e.g., two
(normal/abnormal - fire, capability phase flow)
startup/shutdown conditions) Instrumentation/SIS to reduce Maximum liquid rate vs. design
What is the controlling relief load capacity
scenario? Type of relief device and Tower liquid overfill
Changes affecting relieving reliability Relief for reactive chemicals
requirements (insulation Atmospheric relief valves
removal, CV change, new Materials of construction
(discharge location, plume
connections, etc.) path, dispersion modelling, risk Heat tracing/temperature of
Backpressure on relief valve associated with discharge) rupture disks
vs. design RV set pressure vs. MAWP
Path for relief protection and can it be impaired?
Blocked path/relief valves Plugging/buildup in relief Failure of administrative
Restricted inlet/outlet lines system (hydrates, ice, weep controls
holes plugged, liquid buildup,
loss of heat tracing, etc.)
Preventive maintenance: inspection/testing results
Isolation philosophy Is a spare relief valve needed Location of relief device
to achieve the testing interval?
Other
Environmental implications Near miss incidents Rupture disks under RVs - Is
Frequency of relief valve use Stress on RV inlet/outlet piping pressure between RV and
rupture disk checked to identify
Relief device exposed to Vibration of piping/headers rupture disk leakage?
abnormal operating
temperature or pressure
Rupture/leak Hazards
Toxic gas Potential RMP worst case or alternate release scenario
Fire/explosion potential - impact on personnel/community/environment/surroundings
(major accident risk potential)
High pressure - impact on occupied buildings/nearby trailers
Temperature
Local vs. offsite impact
Detection
Methods Visibility Video monitors
Time required Odour thresholds Routine checks
Fire and gas detectors/alarms
Mitigation
Methods available Containment methods Inventory reduction
Isolation points Emergency operations in spill Emergency shutdown
Duration of leak area arrangements
Procedures/training
Protective systems
Turret coverage Firefighting strategy Emergency showers/eyewash
Fire crew availability/response Required response stations
time Alarms Location of SCBA
Deluge system Evacuation procedures Emergency training
Prevention: See equipment integrity for root cause elimination
Instrumentation Critical Instrumentation Alarm and trip testing Failure mode of control valve
Need for SIS SIS component testing or final control element
SIL frequencies Out of range failure mode vs.
Confusing alarms range of possible conditions
Control strategy
Fire protection Lack of documentation
Location of instruments
Panel arrangement and Computer control
Lack of instrumentation
location Mechanical and PLC interlocks
Information/alarm overload
Auto/manual facility and PLC failure mode and its
Instrument response time human error effects
Time available for operator Sample devices Bypassed interlocks
intervention
Failure mode of transmitter Defeated alarms
Set points of alarms and trips
Chemical Undefined chemical Chemical interaction matrix Chemical storage excess
hazards stability/reactivity Inadvertent mixing Phase inventory
Unique hazards of chemicals change Different fire protection needed
and methods of control, Phase separation for chemical
reactive chemicals Effect of heat tracing
Flammability
Instability/decomposition, such Disposal
as ethylene decomposition Toxicity
Health effects Phase inversion
Runaway reactions
MSDS information Azeotropic boundary
Initiating mechanism
Detection of leaks Compatibility with chemicals in
drainage/sewer systems
Physical Properties
Vapour pressure Particle size Freezing temperature
Saturation points of chemicals Settling of solids Fouling or plating
Solubility Sublimation Viscosity
Crystallisation
Equipment Results of equipment Temporary fixes (clamps, Injection/mix points
integrity inspection and testing plugs, etc.) Soil/air interfaces
Fitness for service Identify dead legs Buried piping
Corrosion/failure mechanisms
Internal/external corrosion Fluid velocities Stagnant/low points
Corrosion under insulation Vibration Failure of tank or basin liners
Embrittlement Stress Integrity of flanged joints
Stress corrosion cracking Fatigue Structural damage
Subtle composition change Small bore pipe Abandoned or out of service
Possible contaminants Equipment operating outside equipment
(chlorides, H2S, water, acceptable limits Mothballing techniques
ammonia, etc. Water hammer/surging Condition of grating and
Erosion handrails
Prevention
Appropriateness of Do inspection and test plans Underground piping protection
specifications/materials of address the potential damage Cleaning/testing/monitoring of
construction mechanisms? equipment, such as piping,
Compatibility with process Are inspection/testing vessels, heat exchangers,
conditions and process fluids techniques specified likely to flexible hoses
Adequacy of inspection/testing find expected damage? Safety critical equipment
frequency and procedures RBI Is equipment designed for
Has all equipment been PMI Construction QA/QC inspection?
evaluated to determine if it Cathodic protection Testing of emergency
needs an inspection and test arrangement equipment
plan?
Corrosion inhibitors
Ignition Static electricity
Earthing (grounding Splash filling of vessels Temporary earthing
arrangements Insulated strainers and valve (grounding) for
Insulated vessels/equipment components loading/unloading
Low conductance fluids Dust generation and handling PM for earthing (grounding)
systems
Hoses
Open flames
Flares Pilot lights Fired heaters
Other sources
Location of vehicles Loss of purge to panels Hot work permits
Vehicle traffic Lightning People in area
Vehicle entry Hot surfaces Nonintrinsically safe equipment
Electrical classifications Hot work/welding
Flammability
Auto ignition Flash point Fire triangle
Upper and lower flammability Metal fires
limits
Service failure Failure of
Instrument air Hydraulic power Contamination of instrument
Steam Water or other air, nitrogen
Nitrogen Power loss/blips/failure modes Telecommunications
Cooling water Trip delay for power failure Heating and ventilating
systems
DCS system
Failure Viruses Backup
Loss of view Reliability
Protection systems
Deluge systems Firewater Emergency dump
Hydrocarbon detectors Foam Previous failures
Abnormal What are the potential abnormal operations and is system designed for it?
operation Extended operations Fire Operation of common spares
Purging Turnarounds Loading/unloading of trucks or
Flushing Off shift operations railcars
Removal of solids Shift change Spills/spill containment
Contaminants Flaring Evacuation plans
Water or air, etc. Bypassed safety devices Bypassing procedures
Startup Bypassed equipment/controls Workarounds
Normal shutdown Time (sequence) Using extraordinary effort
Emergency shutdown Startup following emergency Extended shift schedules
Operations under emergency shutdown Previous incidents and near
conditions Regeneration misses
Severe weather conditions Decoking Use of contractors
Spills Filter changes Written procedures (accurate,
updated, followed)
Sampling Is sampling required? Sampling apparatus Diagnosis of result
Online vs. manual sampling Environmental, compliance Industrial hygiene (personnel
Is the sampling device and points exposure/monitoring)
location appropriate? Spill and leakage monitoring PPE required
Is sample return point Sampling procedure Sample disposal
appropriate for abnormal Time for analysis result Operator intervention
operation?
Calibration of automatic Process changes because of
Risk of sampling (hot/cold, samplers sample result
high/low pressure, toxics)
Reliability, accuracy, or Is there an inspection and test
Hazards of gaging tanks/silos representative sample plan to ensure the integrity of
Purpose of sample sample cylinders?
Maintenance Preparation
Verify equipment can be properly isolated and prepared for maintenance, including:
Isolation philosophy Drying Hot bolting
Drainage Opening lines Equipment LOTO procedures,
Purging Blinding including isolation lists
Cleaning Risk of metal or packing fires
General issues
Work required on operating Procedures (verbal, written) Breaker identification
("live", "hot", "active") Preventive maintenance Vent discharges near work
equipment areas
Predictive maintenance
Confined space (entry into Contractors
vessels with hazardous Accessibility
atmosphere) Training Nitrogen asphyxiation risks
Rescue plans Control of work permits Golden Rules enforcement
Equipment Installation/demolition
Hot and cold taps Pneumatic pressure testing Pile driving
Pressure testing Overhead lifting
Sparing philosophy
Installed/noninstalled spare Modified specification Catalogue of spares
equipment Storage of spares Test running of spare
Availability of spares equipment
Equipment Access to local field Fire protection systems Location of occupied buildings
siting instrumentation Location of breathing air vs. process hazards
Accessibility to equipment and apparatus Entry into flare exclusion zone
valves (maintenance hindered Location of LELs and/or toxic Location/accessibility of
from accessing equipment (i.e., gas detectors and adequacy of emergency isolation valves
access to valves needed to coverage
prepare equipment for Need for lifting heavy
maintenance) Location of nearest emergency equipment over process lines
shower and eye bath Tripping hazards
Equipment spacing
standards/codes applied Location of vents and emission Placement of trailers
sources vs. people
Escape routes
Previous Incidences at similar processes
incidents HIPOs/MIAs
Review of any previous incident having potential for catastrophic consequences, including near
misses
Undocumented incidents
Were hazards addressed by the incident investigation?
Were recommendations from the incident investigation resolved/implemented?
Were root cause(s) of the incident resolved?
Human factors Interfaces with process
Ability to read or confusion with Auto restart Confusion over information on
local instrumentation Gaging operations computer systems (e.g., too
Consistency (layout, labelling, many alarms?, incorrect
Clarity of signs/labelling displays?)
operation action, instrument
spans, etc) Communications Methods for detecting process
Actions during an emergency Confusion on operation of problems, failures, status
valves Feedback on changes made
Automatic vs. manual control
Human capabilities
Potentially hazardous tasks Complex tasks Adequate tools for job
Fitness for task Ergonomics Confined work space
Infrequent tasks Experience levels Inadequate lighting
Opportunity for operator errors Competency Night work
Physical work environment Unclear responsibilities
Administrative controls
Changes affecting procedures Procedures extending across Administrative vs. engineered
or safe work practices shift safeguards
Confusion over procedures Variances from written Training
procedures
Environmental Potential sources and impact of environmental incident or excursion (range of operations, weather,
etc.)
Solids
Filter elements Catalysts
Spent chemicals Residues
Liquids
Soil contamination Pickling fluids Collection/disposition of
Underground piping leaks Discharge and drain points drained fluids and final
destination
Failed tank or basin liners
Air emissions: (gases and particulates)
Flaring Point source Odours
Fugitive Vents Atmospheric relief
Mitigation
Proper disposition/treating Reclamation Scrubbing/adsorption
Storage of chemicals and spill Recycle/recovery options Options for reducing
containment/abatement Methods to reduce flaring greenhouse gas emission
requirements Equipment specifications
Waste treatment
Compatibility with WWT or Discharges to waste treatment (different chemicals, creation of or
alternate treatment methods changes to solid waste streams, process wastes, increases in
Excessive water usage loading or increases in concentrations, pH, etc.)
Surface water
Other
Contingency plans for handling Impact of Spill Prevention, Control, and Countermeasure (SPCC),
leaks or spills from equipment Oil Pollution Act of 1990 (OPA90), Resource Conservation and
Firewater disposal Recovery Act (RCRA), Comprehensive Environmental Response,
Compensation, and Liability Act [Superfund] (CERCLA)
Noise to community
Design change
What is the potential effect on Capacity creep vs. permit limit Does equipment need to be
permits for air or water (i.e., included in VOC monitoring?
NOx/SOx/VOC /HRVOC
generation and applicable
permit limits)?
Safety Unique situation or unrecognised hazard
Status of written operating and maintenance procedures (available, accurate, updated, followed)
Accuracy of PSI
Hazards created by others and contingency plans - (adjacent storage areas/process plants)
Compliance with local/national regulations and codes
Location of safety showers/eye wash (10 s access)
Housekeeping in dust environments
Industrial hygiene
PPE MSDS Antidotes/decontamination
Noise levels Health map Lifting (back injury)
TLVs of process materials and methods of detection
First aid/medical resources/supplies
Security
Monitoring Entrance control
Vulnerability DCS security, etc.
Deviation Description
No interlock Causes
What hazard does the interlock address?
Does the interlock address all causes of hazard?
Consequences
Determine consequences if interlock failed to activate or if there were no interlock.
Safeguards
Identify all other safeguards, layers of protection that either prevent or mitigate hazard
Recommendations
Formulate a recommendation if the safety integrity level required by the process has not been
determined.
Rank the recommendation based on severity of the consequences and its Likelihood without benefit
of the interlock.
Interlock input
Review input to interlock
Purpose of input
Does input adequately detect hazard/concern?
Can input cause trips without a hazard?
Other inputs needed
Inputs from other interlocks or instruments
Bypassed/malfunctioning inputs
Interlock output
Review output of interlock
Purpose of output
Does output adequately deenergise hazard/concern?
Are unnecessary actions taken?
Are required actions missing?
Required output to other interlocks
Interlock activation
Review impact on process
Does activation create a hazard (upstream or downstream with pressure, temperature, level, flow, reaction)?
Does activation damage equipment, foul process, or cause extensive problems?
Venting
Equipment still operating
Does the interlock cause the process to fail to a safe state?
What are the effects of interlock activation and are they acceptable?
Reset of interlock
Automatic reset
Component reset
Startup bypasses
Fails to reset
Purpose not achieved
Bypassed
Inadequate testing/maintenance
Operator fails to reactivate
Mechanical, electrical, or signal transmission failures (see detailed list in Annex A)
Card failures
Insufficient redundancy
Switching of interlock inputs/outputs
Lack of information for operator
Required operator intervention
Adequate warning of impending activation?
Operator does not know if interlock has activated or control loop failed
Operator cannot tell why interlock has activated
Operator does not have clear and immediate access to pertinent process variable data
Algorithms may be too complicated for operator to understand the relationship between variables
Alarm status to interlock status not clear
Erroneous activation
The team should discuss what happens if an interlock operates when it is not supposed to do so (e.g., if it is supposed to be activated by high temperature, what if it activates at a lower temperature? If it is activated by the ratio between two flows going too high, what if it activates at a lower ratio than intended?)
Consider equipment failures
Wiring malfunctions
Adverse effect/other loop
Can any other interlock or loop malfunction in such a way as to cause the loop under consideration to malfunction?
Inadvertent alarm
Can the operator easily identify this circumstance (e.g., normal level showing on analogue process variable but separate discrete alarm activates)?
Operator fails to act
Define actions required by operators
Why the operator might not respond to incorrect operation of interlock or control loop
Too many alarms go off at the same time
Alarms are acknowledged without operator looking at the display screens associated with the part of the process that has alarmed
Operator might not understand procedures or may have forgotten system knowledge
Procedures may not cover all circumstances that can cause the alarm to be activated
Multiple inputs to single DCS alarm or alarm located remotely or at a separate panel
Wrong operator action
The team discusses why the operators may fail to respond correctly
Operator misjudges system state
Misuse procedure
Incorrectly recalls response strategies
Misreads displayed data
Incorrectly times task actions
Misuse controls
Resets controller mode incorrectly
Incorrect sequence
If the interlock requires multiple steps, are they in the right sequence (e.g., if the interlock shuts down the facility, can it be dangerous if some actions happen in the wrong order?)?
Can the sequence be monitored step by step for verification?
Can stop-hold points be implemented for troubleshooting if needed?
Time delay too long
Programmed delays? - Response to interlock (automatic or operator) not quick enough to achieve desired effect
Time delay too short
Not enough time for operator to evaluate alternatives
Service failure
Does interlock fail safe?
Impact of service failures
Instrument air
Power
Signal
Can operator shut down blind?
Is there redundancy?
Is an uninterruptible power supply needed?
Recovery
What steps and sequence are necessary to recover from the interlock trip? Resets? Recovery time? Consequential damage?
Abnormal operations
Interlock operation during startup, shutdown
Special procedures
Fire (or other emergency)
Restoration of program
Downloading
How do you test the interlock (is online testing required?)?
Evacuation of control room
What are out of range values for interlock, and does it cover potential range of abnormal operations?
Deviation Description
Occupied buildings or high manned areas
Is the construction design adequate given the hazards of the operation? Is the building within a blast/fire/smoke/toxic zone?
What is the size of potential events/effects of ventilation/wind conditions?
If this information is not known, a more quantitative analysis is required.
Response to event Can personnel respond appropriately in an emergency? Does the facility have the
following?
Means of communication during emergency
Alarms
Assigned responsibilities
Evacuation procedures
Identified safe havens and muster points
Escape routes
Visible wind sock
Multiple exits
Trained personnel
Signs and directions
Emergency power
Procedure for total abandonment
Access to medical facilities
Emergency responders
Have drills for emergency response been conducted? How often? Are the learnings from
the drills communicated to personnel?
Protective equipment Is the following equipment available if required?
Fresh breathing air
Escape air packs
Scott air packs
Is there a shutdown system? Is it automatically activated?
Is there a fire suppression system, sprinklers, extinguishers, etc.?
Fresh air intake Are fresh air intakes located to minimise contaminants and toxic gases? Is there an
automatic shutdown of the HVAC system in the event of a release?
Housekeeping Is housekeeping at the site good?
Is equipment stored in appropriate places?
Are exits and walkways cleared of debris?
Containment In the event of a liquid release, can the release be contained? Does containment consider
the following?
Depth of liquid pool
Wave effect
Secondary containment
Drainage and sewers in containment area
Location of ignition sources
Method of isolation and cleanup
Drainage/sewers Have the drains and sewers considered the following?
Spill volume versus drainage capacity (including deluge and fire fighting water)
Drainage direction
Slope
Spills into ditches
Drainage destination
Method of cleanup
Ignition Are there policies and procedures in place to control hot work and ignition sources? Does it
include static electricity, vehicles, hot work permits, cameras, etc.?
Are known fixed ignition sources (heaters, etc.) beyond the range of credible releases?
Fire protection Has a fire and explosion assessment been completed?
Is passive protection in good condition?
Is there a fire fighting strategy?
Are personnel trained? Are drills conducted?
Is the equipment maintained and inspected?
Effect on surroundings Has a review been conducted that considers the potential onsite footprints from different
hazards, including explosions, fires, and toxic releases?
Does the review consider knock-on effects to other equipment?
Are there appropriate detection systems with alarms?
Is this information communicated to employees and used during drills?
Effect on other areas Has a review been conducted that considers potential offsite impacts from the site?
Have the community and mutual aid responders been made aware of potential hazards
and what to do in the event of an emergency?
Annex B
(Informative)
Sample HAZOP log sheet
Annex C
(Informative)
Discussion topics for HAZOP revalidation
Previous incidents
Were there any incidents or near misses since the last HAZOP? If so, was there a thorough investigation, and was the pertinent information shared with those involved in operating and maintaining the process?
Were there any incidents from outside the facility (other BP facilities or industry) from which learnings could be applied to the process undergoing HAZOP revalidation?
Did any changes take place as a result of the incident investigation? If so, was the MOC procedure followed? Was a HAZOP completed if necessary?
PHA quality Are there any known causes of process incidents that were not adequately covered in the
baseline PHAs? Have all causes been considered?
Are there any engineering or administrative controls and their relationships that were not fully
discussed in the baseline study? Are there any consequences that were not fully developed in the
baseline?
Were safeguards valid and fully documented?
Gaps in PHA documentation
Equipment previously not reviewed
Facility siting Plant siting
Blast overpressure
Spacing criteria
Design and location of portable and permanent occupied buildings
Changes to building occupancy
Evacuation plans
Fire suppression equipment
Reliability of critical building equipment
Toxic releases
HVAC
Site specific natural hazards
Damage due to vehicle impact
Emergency vehicle access
Control of motor vehicle access
Unauthorised access
Equipment setbacks Buried equipment
External events identification
Equipment spacing
Egress routes Electrical area classification
Containment
Segregated sewer systems Surface drainage
Equipment siting
Access to local field instrumentation
Accessibility to equipment and valves (maintenance blocked from accessing equipment, access to valves needed to prepare equipment for maintenance)
Equipment spacing standards/codes applied
Fire protection systems
Location of breathing air apparatus
Location of LELs and/or toxic gas detectors and adequacy of coverage
Location of nearest emergency shower and eye bath
Location of vents and emission sources vs. people
Location/accessibility of emergency isolation valves
Need for lifting heavy equipment over process lines
Tripping hazards
Human factors Interfaces with process
Ability to read or confusion with local instrumentation
Capability to detect hazardous situations
Actions during an emergency
Automatic vs. manual control
Clarity of signs/labelling
Communications
Confusion on operation of valves
Feedback on changes made
Alarm priorities established
Confusion over information on computer systems (e.g., too many alarms?, incorrect displays?)
Methods for detecting process problems, failures, status,
Human capabilities
Potentially hazardous tasks Complex tasks Adequate tools for job
Fitness for task Experience levels Confined work space
Infrequent tasks Competency Inadequate lighting
Opportunity for operator errors Unclear responsibilities Night work
Physical work environment
Administrative controls
Changes affecting procedures or safe work practices
Confusion over procedures
Procedures extending across shift
Variances from written procedures
Administrative vs. engineered safeguards
Training