
Recommendation

Main Document

Hazard and Operability Study (HAZOP)

Systematic hazard identification for process installation using the HAZOP technique for application within OMV Group.

Provision of guidance and establishing terms of reference for consistent application.

All employees.

OMV AG and all subsidiaries in the fully consolidated group.

Responsible for Content: GTR-S, Ulrike Weingerl

Regulation Approver 1: GTR-S, Horacio Haag

Regulation Approver 2: GT-S, Andreas Scheed

As approved by the Executive Board of: Effective as of:

Not applicable

In the interests of simplicity and readability, the language of this statement is gender neutral to the extent possible. Where applicable, the masculine includes the feminine. Print-out is only valid on the date printed. Check for the latest version in the Regulations Platform. In case of conflict, the document in its Master Language must be applied.

HSSE-R-017 Version: 2.0

Page 1 of 35

Master Language: English

Index of content

1. Introduction and Intended Purpose of Regulation
2. Content of Regulation
2.1. Scope of application of the method
2.1.1. Overview
2.1.2. Application regime
2.1.3. Usage
2.1.4. Limits of application
2.2. Initiating a study
2.2.1. Responsibilities
2.2.2. Application within the life-cycle of systems
2.2.3. Specifying terms of reference of a study
2.3. Planning and preparing analysis session
2.3.1. Time estimate, scheduling, and venue selection
2.3.2. Setting up teams
2.3.3. Ensuring competency for applying the method
2.3.4. Gathering input information needed
2.3.5. Preparing the checklists and record templates
2.4. Performing analysis
2.4.1. Initial discussion, kick-off the sessions
2.4.2. The HAZOP process - oversight
2.4.3. Selecting HAZOP nodes (study sections) and specifying the design intent
2.4.4. Selecting and applying HAZOP deviations
2.4.5. Identifying scenarios
2.4.6. Evaluating consequences
2.4.7. Evaluating risk controls
2.4.8. Evaluating residual risk levels and proposing recommendations
2.4.9. Recording results and issuing reports
2.5. Implementing results
2.5.1. Communicating findings and distributing protocols
2.5.2. Hazard and Risk Register
2.5.3. Following-up findings
2.5.4. Updating and revalidation of the study
2.6. Quality Review of the Study Performance
3. Internal Reference Links
4. External Reference Links
5. Obsolete Regulations
6. Certification Standards
7. Terms & Abbreviations
7.1. Terms
7.2. Abbreviations
8. Keywords / Search Criteria
9. Annexes
10. Amendments from Previous Versions
Annex 1. Deviations for Continuous Process HAZOP
Annex 2. Deviations for Procedure HAZOP
Annex 3. Deviation for Batch / Sequential HAZOP
Annex 4. Deviations for Electrical, Instrumentation and Control System HAZOP
Annex 5. Deviations focusing process installation aspects within HAZOP
Annex 6. HAZOP Worksheet Template

Guidance for readers of this recommendation:

- Sections 2.1, 2.2, 2.3, 2.5 and 2.6 are addressed mainly to personnel responsible for planning studies
- Sections 2.4 and the Annexes are addressed mainly to personnel executing the study (HAZOP team)

This recommendation is part of the package which covers further HAZID methodologies such as HAZOP, LOPA, etc. Each recommendation is written as a stand-alone document. Therefore the more general parts of performing systematic hazard and risk analysis are repeated in each recommendation to avoid getting lost in cross references.


1. Introduction and Intended Purpose of Regulation

The HAZOP study is a powerful method to identify hazards in process plants and to identify operability problems that could compromise a plant's safety and productivity. HAZOP is a formal, systematic and detailed examination of the process and engineering intent of new or existing facilities. Its aim is to assess the hazard potential of operations outside the design intent, or malfunction of individual items of equipment, and their consequential effects on the facility as a whole.

HAZOP is generally carried out by a multi-disciplinary team led by an independent moderator during a set of meetings. HAZOP is similar to FMEA in that it identifies failure modes of a process, system or procedure, their causes and consequences. It differs in that the team considers unwanted outcomes and deviations from intended outcomes and conditions and works back to possible causes and failure modes, whereas FMEA starts by identifying failure modes.

This recommendation provides guidance for Hazard and Operability Studies within the OMV Group with the aim of standardizing, optimizing and ensuring consistent quality in the application of the technique within the Group. This recommendation applies to all Project lifecycle stages, including changes made to operating facilities through Management of Change. This recommendation covers:

- Principles of application
- Planning the sessions
- Performing analyses
- Effective follow up and close out

This OMV HAZOP Study recommendation supports the application of the HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard and the HSSE-R-005 OMV Group Recommendation: HSSE Risk Assessment. It provides a recommended method for application where HAZOP Study is identified as the appropriate Hazard Identification method. The procedure does not cover general aspects of Risk Management, Project Management or implementing HAZOP findings.

The responsibility for this recommendation lies with the Process Safety Management team within Corporate HSSE GTS-S. The responsibility for hazard identification is as defined in the HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard.

2. Content of Regulation

2.1. Scope of application of the method

2.1.1. Overview

Hazard identification (HAZID) is the most basic tool within the risk assessment process to check designs and intended operations to identify safety and operability improvements. HAZID is the process of finding, recognizing and recording sources of risks. Only identified hazards can be analyzed, assessed, managed, and mitigated if warranted. Of the HAZID methods, HAZOP is the most suitable technique to identify causes, events, situations or circumstances which could have a material impact upon the safety and operability of process installations.

The primary purpose of a Hazard and Operability (HAZOP) study is to identify all deviations from the way the process design is expected to work, their causes, and all the hazards and operability problems associated with these deviations and make recommendations to improve its safety and operability. The basic concept behind HAZOP studies is that processes run well within design limits. If and when the process deviates from these design conditions, operability problems and incidents can occur.

There are many secondary objectives such as demonstrating compliance with design standards, satisfying regulatory authorities and insurance companies, as an aid to developing training and operating manuals, etc. The purpose of a HAZOP study is to:

- Identify the sources of hazards, risks, operability problems and process safety accidents including human failures, equipment failures and external causes
- Consider the consequences of these hazards and operability problems.
- Identify and evaluate the efficiency of engineered and procedural safeguards which are in place to prevent or mitigate these consequences.
- Unveil weaknesses in design and operation of process units and establish a sound base for further improvement of the safety and operability.
- Review previous incidents and consider effects of potential incidents
- Propose recommendations, as needed, to prevent, control, or mitigate hazards.
- Provide assistance to management in their efforts to manage operational risks.
- Improvement in overall loss control and management of safety and environmental impact

HAZOP evaluates the risk qualitatively by expert judgment of the HAZOP team. It may establish a base for further risk analysis such as LOPA, BowTie or QRA and links to other analyses such as Risk Based Inspection and Maintenance (RBI/M), Fire and Explosion analysis, flare studies, or alarm management studies. HAZOP may constitute a part of the hazard analysis as requested by Major Accident Regulations (e.g. SEVESO).

2.1.2. Application regime

HAZOP is the recommended HAZID method to be applied for process hazard analysis (PHA) for any process installation within OMV consisting e.g. of more than a tank and a pump. It is particularly applicable to:

- Upstream and downstream operations (drilling, production, storage, etc.)
- Onshore and offshore facilities
- New, modified and existing installations (Project-HAZOP, Retro-HAZOP)
- Continuous processes (this is the most common application)
- Batch processes or where there are multiple operating modes
- Routine and non-routine procedures (consisting of a defined sequence of activities)
- Electrical, instrumentation and control systems

The primary area of application is Process Safety. However, the principles of the method might also be used in other subject matter areas (e.g. waste management).

2.1.3. Usage

HAZOP can be applied on its own or in combination with a risk screening tool (e.g. SWIFT, risk vetting according to HSSE-R-005 OMV Group Recommendation: HSSE Risk Assessment). It identifies scenarios for further detailed risk analysis such as LOPA, QRA, BowTie.

It is recommended to perform a LOPA analysis on all identified HAZOP scenarios which have a worst reasonable foreseeable consequence of a fatality, mid-term major environmental impact or property damage above 2 Mio immediate costs (i.e. severity level 4 of the risk matrix for single scenarios given in HSSE risk assessment recommendation). In particular the evaluation of safety instrumented functions (Safety Integrity Level, SIL) should be based on HAZOP results.

HAZOP has a much more detailed scope than SWIFT. It is structured by the repeated use of guide words which question how the design intention or operating conditions might not be achieved at each step in the process, procedure or system. Due to its level of detail it might sometimes be advantageous to use HAZOP in combination with SWIFT. In such cases HAZOP might be limited to the inherent process hazards and SWIFT is to cover e.g. hazards on general plant level (external hazards, general emergency response systems, sampling, etc.), equipment siting aspects, tie-in aspects of a process unit into the entire facility.

HAZOP uses different guidewords for the different application regimes. Furthermore the method may be tailored to address specific aspects such as human factors (at operating process plants). Satisfactory results will only be achieved if the objectives of the studies are clearly defined and the guidewords selected accordingly. For complex systems it might be necessary to perform combinations of the different types of HAZOP (e.g. continuous process HAZOP and procedure HAZOP).

HAZOP evaluates the risk qualitatively using the expertise and experience of the team. Semi quantitative evaluation of the identified scenarios might be done using e.g. LOPA - see also Section 2.4.8.

2.1.4. Limits of application

HAZOP is not:

- An occupied building analysis or facility siting study (but should include consideration of these risks); see e.g. QRA
- A fire and explosion risk analysis (FERA) (but considers principal fire and explosion risks)
- A Quantitative Risk Assessment (QRA)
- A SIL (Safety Integrity Level) study; see e.g. LOPA
- A means for defining engineering and procedural solutions for sources of hazards
- A machinery safety study (but considers aspects of machinery safety in procedure HAZOP)
- A reliability analysis (but considers aspects of equipment reliability)
- A workplace health and safety study, Job Safety Analysis (JSA), Job Hazard Analysis (JHA), or Task Risk Analysis (but covers some accidental risks to workers)

HAZOP is not recommended to be used for dropped object studies, evacuation escape and rescue analysis, emergency survivability analysis, and marine Collision Study (though some of their aspects will be touched in HAZOP); see SWIFT.

HAZOP is not recommended to be used for hazard identification of activities when no detailed action plan is in place (e.g. for demolition activities); see SWIFT.

Normally HAZOP does not consider double-jeopardy scenarios (i.e. two unconnected failures happen at the same time). These types of events should only be included if they are not truly independent; see e.g. BowTie.

2.2. Initiating a study

2.2.1. Responsibilities

The responsibility for initiating a HAZOP study lies with the risk owner (see HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard). The risk owner has to ensure that the study has:

- Appropriate priority and attention.
- Commitment of competent resources.
- Time for proper execution.
- Findings of the study are communicated and followed up.
- Facility documentation is available and up-to-date for the analysis.

2.2.2. Application within the life-cycle of systems

It is mandatory to complete HAZOP studies for (see also HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard, HSSE-S-005 OMV Group Standard: HSSE in Projects):

- Major (technical) projects or major modifications to an operating facility or process installation
- Some changes being addressed in the Management of Change of operating facilities
- Revalidation of process hazard analyses (Retro-HAZOPs)
- When recommended by subject matter experts

HAZOP studies can be carried out at all project lifecycle stages so long as an up to date P&ID is available and sufficient details are known of the typical operating conditions and preferably start-up and shut-down operations.

Retro-HAZOP Plans

Operating facilities shall establish a schedule for completing or revalidating the HAZOP of their installations (see also HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard). The prioritization of Retro-HAZOPs shall consider risk to people, consequence potential of the process hazards, age of the installation, operating history, and date of the last comprehensive review. For optimizing resource planning, Retro-HAZOP plans should be aligned with the plans of other repeatedly updated studies such as Risk Based Inspection and Maintenance (RBI/M), update of Safety Report under Seveso legislation, update of explosion document, etc.

The generally accepted practice is a thorough review of HAZOP studies every 5 years. In some countries the schedule is dictated by authorities (e.g. under the EU Directive 2012/18/EU on the control of major-accident hazards involving dangerous substances - Seveso Legislation).

2.2.3. Specifying terms of reference of a study

Terms of reference shall be developed for each study and formally agreed between the risk owner (or his/her delegate) before the study commences. A typical TOR includes:

- Objectives
- Scope
- Methodology including parameters and deviations to be used
- Personnel required to attend the meeting: core team members and persons which might be consulted for specific questions
- Schedule and deliverables: times and durations of the study sessions, dates on which draft and final reports are to be submitted to the various recipients
- Usage of special PHA software and specification of the hand-over file format
- Report recipient and distribution list
- Reference documents (e.g. facility documentation, other hazard analyses, etc.) which will be included in the review (list of typical documents see Section 2.3.4)

Developing the TOR helps ensure a consistent understanding of the study and its application among HAZOP leader, risk owner, and HAZOP team. For follow-up of the study the TOR should be included in the HAZOP protocol.

Specifying the scope sets the limits of the analysis and the discussion. It includes specifying:

- Physical boundaries and interfaces of the system to be analyzed (i.e. boundary limits of the unit, offsite systems, utility system)
- Operations mode (i.e. continuous process, batch processes, start-up and shut-down procedures, emergency shut-down procedures)
- Details of utility systems, electrical, instrumentation and control systems (i.e. analyze the details of their functions or treat them as black box and consider just interface aspects)
- Operating procedures (i.e. routine procedures, non-routine procedures)
- Aspects to be considered or excluded because they are considered in other analyses; see also Annex 5 (e.g. ex-zoning, accessibility aspects, corrosion and other degradation mechanism, offsite impacts, facility siting, human factors aspects, etc.)
- Degree of detailing the review e.g. inclusion of alarm prioritization, operating windows, relation to risk based inspection (RBI) analyses
- For projects and modifications, to what extent the existing installation is included (i.e. HAZOP by exception or review of all scenarios in the scope of the modification)

2.3. Planning and preparing analysis session

2.3.1. Time estimate, scheduling, and venue selection

HAZOP cost and schedule should be included in project planning and existing facility budgeting. Availability of facility documentation and key team members required should be considered in development of HAZOP schedule.

Time estimate

HAZOP strains considerable resources in time and personnel to cover the necessary knowledge of the process, its instrumentation and its operation. Thorough planning and follow-up is required to capitalize on these resources in an optimal manner. The duration of a HAZOP team analysis depends on:

- Size and complexity of the system
- Whether the process is a procedure-oriented operation or a continuous operation
- Potential hazards and quality of the safety barriers
- Specified scope
- Necessity to verify aspects in the field
- Availability and quality of the documentation or the system
- Availability and competency of the team
- Experience and skills of the moderator
- The use of dedicated software may reduce the effort for documentation

Below are estimates of time needed for continuous process HAZOP for typical process installation. Here it is assumed that all documentation and team is available and up-to-date.

System | Example | Preparation | Analysis | Documentation
Simple, small | Retail station, small tank storage | 0.25 d | 0.5 - 1 d | 0.25 d
Simple, medium | Oil & gas production facility, bitumen plant | 0.5 - 1 d | 3 - 5 d | 0.5 - 1 d
Complex, medium | Gas processing plant, small to medium refinery unit | 1 - 3 d | 2 - 4 weeks | 2 - 4 d
Complex large system | Large refinery unit, entire power plant | 2 - 5 d | 6 weeks and more | 3 - 6 d

Scheduling

For scheduling the sessions the following aspects should be considered:

- Duration of team discussion should not exceed 6 hours per day
- Remaining daily workday may be used for
  - Catch-up and follow-up action items identified in the session
  - Preparation and follow-up of the team session (check and review of the documentation)
- Duties of operating personnel for ongoing operations in parallel to the sessions (especially for Retro-HAZOPs)
- Necessity for follow-up session for close-out of action items and follow-up systems as engineering proceeds

Venue selection

The venue for conducting the analyses should be as follows:

- Sized for the core team plus temporary team members
- Desk space for the team
- Wall space for displaying facilities documentation (e.g. layouts, P&IDs)
- Suitably illuminated to allow PC projection and team data observation
- Flip chart or whiteboard for notes or parked items

Location of the venue:

- If the study involves a review of an existing facility or one being modified by a project, the study should be located near the operations facilities to provide easy access to the site for addressing questions that may arise during the study. Quick access to the facility might be especially needed if the status of facility documentation is poor, field visits are needed to check status on site, or actual performance needs to be verified through operator interviews.
- Consideration can be given to moving the team session remote from the operations so that the team can focus its full attention on the review and not be subject to the distractions and disturbances of an operating facility or engineering office
- It is not recommended to move the venue to engineering contractor facilities since it limits the possibilities for integrating operating personnel and on-site visits


2.3.2. Setting up teams

HAZOP requires the input of an experienced and knowledgeable multi-disciplinary team led by an independent moderator / facilitator. For Retro-HAZOPs this is typically a team of 4-8 persons; for Project-HAZOPs teams are usually larger since operating and engineering personnel will be involved. In order to save team members' resources it may be agreed to involve specialists just on demand. In that case it is recommended to have a regular wrap-up session (e.g. weekly) where all nominated members are present.

HAZOP studies done within projects shall not be done without involving operations personnel responsible for future operations. In the event that key personnel are not available to participate, the HAZOP shall be rescheduled to ensure the proper participation. Similarly, re-arrangement of the team and/or sessions shall be done if the team is underqualified to draw conclusions either about the scenarios or about suitable recommendations.

Optimum team size is 6-10 persons including moderator and scribe to be productive. Teams that are too small will not be able to cover the necessary multi-discipline expertise. In teams that are too large the discussions and agreement will become unwieldy. The team needs to cover all expertise as specified in the scope of the analysis (see also above):

- Understanding of and experience with the process/facility design and process intent
- Understanding of and experience with the equipment, design limits, materials of construction, and condition of equipment being reviewed
- Understanding of and experience with the day to day operations
- Understanding of the systems and procedures to control operations including those being safety relevant

Table 1: HAZOP team composition

Role | Tasks | Comment
Moderator / facilitator | Plans the study, agrees team composition, and leads the study. Encourages the discussion, ensures completeness of the hazards identified and scenarios discussed. | Mandatory. Shall be independent from the organizational unit and the project. The moderator shall be approved by OMV regardless if selected by a contractor on a project.
Scribe / recorder | Records the discussions in the mandatory format. Assists in planning and administrative duties. Potentially involved in follow up activities. Ensures fast and accurate protocol of the discussion and findings. | It is recommended that an independent recorder is used in all HAZOPs which take longer than 1 day or involve a team of more than 5 persons. The nomination shall be agreed with the moderator. For short sessions the record may be done by the moderator.
Operations discipline | Provide specific operations input, agrees qualitatively the residual risk level of the scenarios | Mandatory. In most cases the plant manager plus qualified staff
Process control discipline / instrument and control engineer | Provide specific input in relation to instrument and control systems, safety instrumented systems, functional tests, etc. | Mandatory
Process engineering | Provide summary on the design basis and process chemistry, provide guidance on node selection, provide information on design intent for each node, and provide specific process design information for the HAZOP team. | Mandatory for Project-HAZOP, part-time / available on demand for Retro-HAZOP
Design discipline | Provide specific input on design, design limits, and materials. A number of design discipline engineers may be used as required, e.g. static mechanical, rotating machinery, etc. | Mandatory for Project-HAZOP, part-time / available on demand for Retro-HAZOP
Maintenance discipline | Provide specific input on maintenance and inspection requirements, condition of the equipment, ability to maintain, integrity management etc. | Part-time / available on demand
Electrical and (field) instrumentation discipline | Provide specific input in relation to electric and field instrumentation | Part-time / available on demand
Process Safety Advisor / Engineer | Contributes to discussion from a safety point of view. Supports in planning the sessions. | Part-time / available on demand
Manager representative (site operations and/or project management) | Depending on the nature of the HAZOP, the project manager, commissioning manager, plant manager, or production manager or their assignee may be present in addition to the Operations representative. Explains the context of the study. | Available on demand and to approve critical decisions
Independent experts / specialists, Vendor representation | Provides expertise for the system and the study and provide relevant key advice; address intellectual property or other specific issues related to the Vendor design. May be invited on a part-time basis. Includes, for instance, chemists, environmental specialists, vendor package representatives and commissioning manager. | The use of an independent expert should be discussed by the Moderator and the responsible authority, taking account of factors such as novelty, complexity, previous incident experience, necessity of cold-eye reviews, etc.

2.3.3. Ensuring competency for applying the method

The quality of the study is directly related to the competence and experience of the assembled team. The moderator will be instrumental in achieving effective output.

Study lead (moderator)

Study leaders shall meet the following requirements (see also HSSE-R-005 OMV Group Recommendation: HSSE Risk Assessment):

- Plan and lead the HAZOP study through its various stages consistent with OMV expectations and the requirements of this recommendation.
- Demonstrate practical experience in HAZOP studies by having:
  - Participated as a HAZOP team member on previous HAZOPs
  - Acted as scribe for HAZOP sessions under the leadership of a competent HAZOP leader
  - Co-led HAZOP sessions under the supervision of a competent HAZOP leader, either acting as scribe or participating as a team member
  - Attended a HAZOP leadership training course at a recognized industry organization (e.g. IChemE) that provides instruction on preparing, leading, and documenting a HAZOP, as well as on the HAZOP technique itself


- Be familiar with the software used for recording.
- Ability to effectively lead teams and discussions:
  - Being alert to time pressures and ensuring that the quality, thoroughness, or integrity of the review is not compromised
  - Advising facility or project managers of issues that could affect the integrity of the study and working with them to ensure an effective resolution. This could be HAZOP core team members not being available or not meeting the competency requirements, or failings in facility documentation.
  - Compensating for language and cultural issues in multi-national teams
  - Strong listening skills and confidence in expressing ideas/summarizing discussions to assist in gaining consensus
  - Taking care not to assert undue influence over the direction and outcome of the proceedings
- Having a comprehensive knowledge of Process Safety Management:
  - Experience in other process hazard analysis such as LOPA, consequence analysis, reliability analysis, facility siting studies
  - Knowledge of learning from incidents, particularly for the type of facility being reviewed
  - Knowledge of legislation and best practice standards as relevant for the type of facility
  - Having reasonable discipline subject knowledge (e.g. an engineering degree) and if possible having experience in the type of facility being reviewed.

The authority of the HAZOP leader should be defined in the terms of reference of the study and agreed to before initiating the HAZOP. The HAZOP leader is responsible for correct application of the method. However, he is not responsible for ensuring comprehensiveness of identified scenarios, evaluating the consequence, evaluating the existing risk controls and proposing recommendations.

Scribe

Any HAZOP session taking more than a day (or involving more than 5 persons) should involve a scribe for documenting the analysis. This leaves the team members and the moderator free to concentrate on the details of the discussion without the burden of completing log sheets. The scribe (he/she is not a secretary) shall meet the following requirements:

- Trained in the use of the software used to record the study, have good typing and summarization skills
- Be familiar with the HAZOP process and terminologies used
- Be familiar with the facility being reviewed and its terminology
- Be capable of structuring scenarios, recommendations/actions in a clear and understandable way.
- Ability to work with the moderator to ensure all parameters and deviations are addressed, unmitigated consequences are fully documented, and recommendations are clearly worded.

Team

The team needs to be familiar with the principles of HSSE risk management, the objectives and the principles of the methodology used and their role in the assessment (see also above):

- It is strongly recommended that the team members pass a classroom training on HSSE risk management as it is implemented in OMV
- In addition it is recommended that the team members pass a classroom training on the principles of HAZOP and its application within OMV
- The moderator shall deliver at the beginning of the session a formal induction to ensure common team understanding on the usage of the methodology (regardless of the formal training status of the team members). The duration of the induction depends on the knowledge and experience of the team members in applying the method (a 1-2 hour overview at the beginning of the first team review session is normally sufficient for this purpose). This mini-training shall cover the principles of the method as well as specific application for the type of facility being reviewed.

2.3.4. Gathering input information needed

Successful assessment requires that facility documentation exists for the scope of the review and is up-to-date. It is recommended to perform a formal documentation review prior to the assessment session:

- The review should ensure quality and completeness of the documentation to be suitable for the study. This should at least cover formal criteria (e.g. drawing titles, numbers, tag numbers for equipment, design conditions, etc.) and compliance with regulatory requirements
- For existing facilities the documentation needs to reflect the as-built status


- For projects the documentation should be sufficiently developed and the design finalized for the scope of the review

The extent of documentation and information depends on the scope of the study. For most applications the P&IDs are the key documents, which must be available on paper. Further documents might be available only electronically for look-up and reference. It is recommended to specify in the Terms of Reference which documents are needed, either in electronic or paper version. For HAZOP the input may comprise the following (see also HSSE-R-028 OMV Group Recommendation: Facility Documentation):

Table 2: Recommended documentation input for HAZOP

Document / information: Comment

Piping and Instrumentation Diagrams (P&IDs): P&IDs are the focal point of the HAZOP study. A single large set for a master and smaller individual sets for team members are recommended. The HAZOP leader will use the large drawings in selecting a node (with color marking) and hang them on the wall during the HAZOP for easy team viewing. The leader or the scribe will maintain the master set for inclusion in the report.

Electrical and control loop diagrams: For HAZOP of electrical, instrumentation and control systems the loop diagrams play a similar role to the P&IDs for process HAZOPs.

Process description and operating manuals: Mandatory for procedure HAZOP; for process HAZOP it might be sufficient if electronically available for cross check and review; if different operational modes are being covered all corresponding procedures need to be available (e.g. start-up procedures).

Block flow diagram / process flow diagram: Recommended for highly complex systems to allow oversight of the process.

Process operating and design conditions: Necessary to cross check design specification; pipe classes should be indicated at P&IDs and/or process flow diagrams.

Safe Operating Limits for Process Parameters: Necessary for consequence evaluation; safe operating limits refer to process design, product data (e.g. contaminants), operating conditions (e.g. temperature), asset integrity (e.g. corrosiveness, cycling), etc.; safe operating limits of main equipment are indicated at P&IDs and/or process flow diagram; further information about safe operating limits may be part of the equipment data.

Instrumentation and control: Necessary for evaluating failures and consequences; major control loops including trip and fail safe conditions are usually shown on P&IDs; additional data (e.g. set-points, auto-diagnose functions) might be needed for reference.

Alarms and interlocks: Necessary to evaluate control and shut-down systems; alarms and interlocks should be indicated at P&IDs.

Cause and effect diagrams (trip matrix), emergency shut-down systems: Necessary to evaluate safeguarding by interlock and emergency shut-down systems; it is required as a separate document especially for complex process installations.

Safety systems data (e.g. pressure relief valves, flare, vent, firefighting systems): Necessary to evaluate safeguarding; data must include at least materials of construction, design basis (e.g. scenarios considered for sizing of the relief valves), operating characteristics (e.g. response characteristic), design codes and standards; for existing installations they should also cover inspection and testing history, reliability and failure data.

Equipment data for mechanical (static and rotating), electrical, instrumentation and control equipment: Necessary for evaluating failures, consequences and to cross check design data and safe operating limits; data must include at least materials of construction, design basis, operating characteristics (e.g. shut-off head for pumps, valve capacities), design codes and standards (e.g. pipe class specification); for existing installations they should also cover inspection and testing history, reliability and failure data.

Material Safety Data Sheets (MSDS): The information is needed to assess fire and explosion characteristics, reactivity hazards, safety and health hazards to workers, and corrosion and erosion effects on process equipment and monitoring tools.

Heat & Mass Balance including inventory data: The information is needed for consequence evaluation; normally the inventory is indicated at the P&IDs and/or process flow diagrams.

Legislative & Regulatory certificates and statutory submission: For cross checking compliance with specific legislative requirements.

Hazardous Area Classification: Facilitates consequence evaluation of explosion risks; performing the hazardous area classification might be in the scope of the analysis.


Previous HAZOP reports and reports from other hazard and risk analysis: Availability of these documents might speed up the discussion, though referring too much to previous studies implies the risk of overlooking risks and conclusions. For revalidation of studies this needs to cover also information about action close-out.

Layout plans (facility, plant, equipment) and isometric drawings: Necessary information to evaluate consequences and specific layout aspects (e.g. accessibility, escape routes).

Tie-in list (in-out connection of facility): Necessary to check impact from and to the systems connected with the facility under review.

Underground services and utility systems: If these systems are not in scope of the study at least main parameters need to be available for causation and consequence evaluation.

Environmental data: Provide information about external hazards such as weather, seismic, public traffic.

Reports on relevant accidents and malfunctions including lessons learnt: Recommended to ensure that all reasonable foreseeable scenarios are identified and to cross check plausibility of scenarios.

List of changes: Facilitates the review of existing studies to comply with actual operation condition.

2.3.5. Preparing the checklists and record templates

Checklist of Deviations

The deviation checklist and the records should be developed ahead of the team meetings by the moderator (with the support of the scribe). This saves team resources and is a final check that all necessary material is available. The deviations checklist needs to be appropriate to the system under review and the scope of the study. Along with the preparation of the deviation checklist the moderator along with the lead process engineer might agree on how the system / process is split into HAZOP nodes. Example lists of deviations are provided in the Annexes for

- Continuous process HAZOP
- Procedure HAZOP
- Batch / sequential HAZOP
- Electrical, instrumentation and control system HAZOP

The standard HAZOP deviations as given in Annex 4 are usually sufficient to identify the majority of hazards. Additional deviations (Annex 5) are provided to analyze more general aspects of the facility within the HAZOP study to cover the full range of hazards in the scope of the study. The selection of additional deviations depends on the type of process, the process intent and the scope of the study. They may be further complemented by adopting SWIFT checklists. The use of these deviations should be agreed in the terms of reference for the study.

Preparation of documentation

Preparing the documentation templates ahead of the meeting may decrease the time of the team sessions. Similarly, rather administrative content of the report may be prepared in advance, e.g. list of participants, lists of documents. The study documentation typically consists of a bundle of files recording the discussions and decisions made, see also Section 2.4.9.

2.4. Performing analysis

2.4.1. Initial discussion, kick-off the sessions

At the start of the study session the moderator should spend a brief period of time reminding or training the team as necessary to ensure that everybody is at the same point of knowledge. This pre-analysis discussion should focus on, but not be limited to:



- Study objectives and expectations
- Principles of the method and specific usage for the type of facility being reviewed
- Scope of application and exemptions made for the specific analysis
- Ensure that all team members are familiar with the major design and operating principles
- Review the accident history of that type of unit to identify special topics for discussion


- Ground rules for the study and expectations of team members
- Rules for documenting results (e.g. nomenclature)

The team should have a high level review of the process and the facility to have the process fresh in mind and to get a sense of the scale and orientation of the process, the surrounding facilities, and the location of operating and co-located personnel. A review of the facility layout should be included. This may be achieved using a model, plot plans, or a plant walk through. The beginning of the discussion summarizes:

- Hazards of the process.
- Previous incidents with catastrophic potential.
- Engineering and administrative controls.
- Consequences of failures of engineering and administrative controls.
- Facility siting/layout.
- Qualitative evaluation of safety and health effects.
- Other regulatory issues.

2.4.2. The HAZOP process - oversight

The effectiveness of HAZOP in identifying hazards comes from asking all HAZOP deviations according to a structured plan which ensures complete coverage. The analysis shall follow the process as outlined below.

START
1. Split system into nodes
2. Select a node for review
3. Describe the design intent
4. Select a deviation from list
5. Identify causes
6. Assess consequences
7. Evaluate safeguards
8. Are the risk controls adequate? If NO: make a recommendation. If YES: continue.
9. Repeat for all causes
10. Repeat for all deviations
11. Repeat for all nodes in the scope of the study
END

Figure 1: Process of HAZOP Analysis


The subsequent paragraphs provide guidance on the steps of the process. The Annexes contain guidance on the selection of deviations as well as guidance for performance specifically for the different forms of HAZOP.

2.4.3. Selecting HAZOP nodes (study sections) and specifying the design intent

The HAZOP moderator splits the process under review into nodes with consideration of team input. The nodes are either physical subsystems of the entire process or steps / phases of a procedure. The nodes should be selected by function to ensure that the design intent can be clearly and easily understood. The following criteria should be considered in selecting the end point for the next study section:

- Change in design intent (e.g. pressure change due to a pump)
- Significant change in state (e.g. from liquid to vapor)
- Major equipment items with different process parameters (e.g. separation column with its association to other equipment)
- If a node has more than one design intent each operations mode shall be discussed separately

There are no general rules about the node size. The decision is left to the moderator and the team by their experience and skills. Factors influencing the node size are:

- If the nodes are too large (e.g. containing multiple process lines and equipment items) the application of the deviations might confuse over which piece of process equipment is being discussed and hazards might be missed.
- Complex process systems or process control systems usually require smaller nodes.
- When selecting many small nodes it should be recognized that the interfaces between nodes may hold a significant hazard that might be missed.
- Nodes that are very small, such as a single process line, often lead to longer study times as each deviation needs to be recorded more times and for every node the hazards resulting from the interface to the other nodes need to be discussed.

The boundary limits and the different operating modes of each node shall be clearly specified, documented in the report and marked at the HAZOP master documents.

HAZOP method identifies hazard and operability problems within a node caused by deviations leading to situations beyond the design intent. HAZOP has the fundamental assumption there are no hazards to safety or operability when the system is operating within the design intent. The deviations are generated by applying guidewords on the process parameters which qualify the design intent. At the beginning of each node a person knowledgeable about operations and design shall describe the design intent. This includes process parameters such as flow, temperature, pressure, level, composition, and materials selected for design. It defines how the system is expected to operate as intended for normal and abnormal operating conditions including transient conditions (e.g. start-up) and operational modes (e.g. cleaning mode). This ensures that each team member has an adequate knowledge of the process and the way sections operate within the overall design. The design intent shall be stated in the HAZOP report.

2.4.4. Selecting and applying HAZOP deviations

Once the node and design intent are stated the team works through the list of deviations to identify possible causes leading to that deviation. Deviations are generated by applying the guidewords to the parameters. For lists of typical guidewords see e.g. IEC61882. The Annexes list deviations which are typically used in Oil and Gas processing units for the different forms of HAZOP. The standard deviations as specified by the scope of the study should be applied, each one to each node in turn. If no issues are found, it should be documented that the deviation was considered, but there were no issues of concern. The process for selection of deviations should be documented in the HAZOP report. The moderator and team should be careful in the selection of deviations because it could place a limit on the types of hazards which could be identified or stretch the limits of the agreed scope of the study.

2.4.5. Identifying scenarios

The HAZOP leader leads the discussion by applying the deviations and perhaps stimulating possible causes. The team should then be encouraged to discuss the causes, consequences, and possible actions for each deviation. As hazards are detected, the HAZOP Moderator should make sure everyone understands them. All possible causes should be stated for each deviation. There might be multiple causes for each deviation which need to be discussed separately. Likely causes or initiating events should be readily identifiable in the report. It is the responsibility of the team under the lead of an experienced moderator to assure that all initiating events are considered and all equipment in each node is investigated.

The identification of possible causes should be according to the following principles:

- It is assumed that the design of the equipment and pipe work is in accordance with all relevant national laws and regulations and corresponds to the normal operating conditions.
- For equipment and pipe work the appropriate design for the normal process conditions including their reliability is in principle presumed. The given scenarios (e.g. corrosion scenarios) represent conditions which exceed the normal operating conditions.
- HAZOP normally considers single failures, although multiple failures arising from a common cause or common mode failures can be considered. Double Jeopardy failures where two unconnected failures are considered should be avoided except where one of the failures can be a latent or undetected fault. Latent faults make the potential for the coexistence of two failures much greater.
- Causes should only stem from the node under review. However, causes and consequences can extend beyond the node definition. They need to be covered by applying the deviation on the interface parameters, i.e. more flow from system boundary (without any assumption about what reason outside the node caused that more flow).
- Causes need to assume technical as well as human failures and external causes (with unspecified origin). The consideration of human failures should follow the human factor model given in Annex 2.
- Usually sabotage and criminal acts are excluded as cause if their impacts and adequacy of risk controls are assessed in an overall security risk analysis.
- Scenarios may be grouped if they relate to the same underlying cause and feature similar consequences (e.g. manual valves in series).
- If an equipment failure is stated as cause normally no further detailing is done of what led to that failure. I.e. malfunctioning of a control valve stands for technical failures as well as failures in operating that control valve. However, specific human failures should be addressed in procedure HAZOP.
- For continuous process HAZOP it might be agreed to exclude failure operation of equipment which is solely used for inspection during plant stop (e.g. isolation blinds). However, their failure operation needs to be considered in procedure HAZOP (e.g. preparation for turnaround).
- For safety related equipment only those failures are to be considered where the equipment assumes fail safe position due to a spurious / faulty trip (e.g. closing of valve due to fail-safe spring even if the operational situation does not trigger the closing such as lack of instrument air).
- Some causes may be identified in multiple deviations. The record may be shortened by cross reference to that deviation where the consequences and safeguards are fully defined and documented (e.g. closing of a valve may result in no flow and low pressure at the same time).
- Causes should not be a restatement of the deviation or consequences.
- Causes should not be skipped if they are considered just operationally relevant. First, it is the strength of HAZOP to identify also operational issues and second, sometimes safety related issues hide behind operational issues.
- Causes should not assume any safeguard working.
- All potential causes associated with the current deviations should be identified before assessing the consequences. This helps in ensuring that all possible causes associated with a deviation are identified.


2.4.6. Evaluating consequences

When assessing the consequences, the team develops the chain through to the reasonable foreseeable outcomes, assuming that no safeguards work. Consequences shall consider impact to human, to the environment, to asset value and production availability. It is important to assess the consequences without giving credit to any safeguard or mitigating measure (i.e. all available safeguards are assumed to fail). This allows a check of availability and appropriateness of the safeguards in the next step of the analysis.

- Consequence shall refer to known accidents; it may be beneficial to consult dispersion modeling to fully understand the range of releases of hazardous materials.
- Cause and consequence can extend beyond the node definition. Consequence should be only considered within that node. Possible consequences on other nodes are to be covered by applying the deviation on the interface parameters, i.e. more flow from system boundary.
- Consequences need to be clearly described as they might be an input for further detailed risk analysis such as LOPA.
- The team needs to stay focussed on worst credible outcomes at low likelihood as well as on less severe outcomes which might be more likely. It is possible that a number of different consequence chains are identified.
- Consequence estimates need to be reasonable; underestimating may lead to inadequate risk management; overestimating may lead to more safety measures than warranted which increases lifecycle cost and may even introduce further risk due to higher complexity of the system.
- The consequence needs to describe the entire credible accident scenario. This may also include secondary consequences such as overheating following a lack of cooling water caused by a cooling water pipeline rupture.

2.4.7. Evaluating risk controls

In that step any available technical safeguards and operational controls shall be identified for detecting, preventing and mitigating the hazards. Safeguards may reduce the likelihood of occurrence by preventing the failure or interrupting the escalation of the consequence chain or they may reduce the severity of the outcome by mitigating the accident impact level. The risk control shall follow the HSSE risk management principles (see HSSE Risk Management Standard):

- Elimination of a hazard is preferable to managing it
- Prevention of a hazardous event is preferable to mitigating it
- Technical safeguards are preferable to operational controls
- Passive safeguards (self-acting) are preferable to active safeguards

Safeguards need to be effective in controlling the hazard. It is not necessary to list every conceivable safeguard. The focus should be on identifying the most effective safeguards which counter the given cause and its credible consequences. Effective safeguards consist of functions to detect and to react to excursion from the safe operating limits (see also protection layer model as given e.g. in IEC61511). The evaluation of safeguards should be according to the following principles:

- Safeguard must be independent from the cause:
  - If a failure of a control device is considered as possible cause it is assumed that the entire loop fails. This means any alarm or indication of this loop is not considered as safeguard with the exception of cascaded controllers.
  - An operator action must not be considered as safeguard if an operator failure is the assumed cause and the operator action simply revokes the cause. (I.e. failure operation opening a sewer valve cannot be controlled by the operator closing that valve). Here the only exception is if there are two independent operators involved and/or there is an independent alarm which unambiguously alerts the operator.
- Care should be given to conditions which may impair the functionality of the safeguards. This may also include accessibility aspects.
- For relief valves their capability for the scenario given must be confirmed, i.e. set-pressure, valve size and conditions which may impair its functionality such as two phases or blocking. This confirmation is usually done by checking design data of the relief valve. If the design scenarios are not available it might be necessary to re-confirm the design by calculation.
- If a process or facility alarm is listed as safeguard it must also be accompanied by the information on what activities will be performed in response to the alarm. Here the clarity of the alarm as well as the time needed and the capability to execute an action need to be analyzed.
- For operating procedures listed as safeguard it shall be confirmed that they are described in operators' manuals or handbooks and that operating personnel is trained accordingly.
- For safety instrumented functions their safety integrity level (SIL) must be confirmed. This requires analysis of the SIL classification as well as the proof that the system corresponds to that SIL.
  - It is recommended to perform the SIL classification in the context of the study (e.g. after a node has been completed).
  - The recommended practice within OMV Group for SIL classification is the LOPA method (Layer Of Protection Analysis).
  - If available, the SIL proof is done by simply checking data sheets for safety instrumented functions. If data sheets are missing the SIL confirmation needs to be done outside of the study (see Functional Safety Management acc. IEC61511, EN62061, VDI/VDE2180, etc.).
- For shut-down systems including relief valves the trip-points need to be confirmed as having appropriate safety margins. E.g. pressure relief systems to ensure pass-over pressure during response is within the design limits. For shut-down systems this requires also consideration of temporary bypass of the trip values which might be necessary during start-up or shut-down.
- Special care should be given to the performance of process control systems when operated out-of range, in manual mode (e.g. forcing), in advanced-control mode, or their features for compensating signals at transmitter failures, etc.


- The fail-safe condition in the case of lack of utilities should be evaluated for each node separately and for each type of utility. Here the assumption for the entire unit is made that the unit also reaches safe condition in the case of lack of utilities if each node reaches safe condition.
- The safeguards need to be clearly described and identifiable for follow-up of the study: Equipment tag, name, information of the response action, etc.
- Usually general concepts for safeguarding the facility are not listed for a specific accident scenario. This comprises precautionary measures referring to a group of accident scenarios such as general ignition protection requirements (EX-classified electrical equipment in process areas), firefighting services, facility siting, etc. The appropriateness of these measures shall be analyzed under a suitable HAZOP deviation (e.g. ignition protection, emergency services) or may be analyzed by a SWIFT study.
- For following-up the study it has been found useful to flag safeguards. Flag criteria might be: safety related equipment, independent verification needed by legislative requirements, operational controls, manual interaction, etc.
- It is recommended to review the alarm prioritization concept within the HAZOP (see e.g. EEMUA Publication No. 191). Hereby the prioritization concept needs to be agreed prior to the study. Criteria may be:
  - Safety critical alarms whose set-points must not be changed by the operator and need to be configured in safety related systems to hinder easy bypassing of the alarm
  - Alarms critical to the availability of production whose set-point must not be changed by the operator but can be configured in the standard process control system
  - Operational alarms whose purpose is to alert the operator about production deviations but do not require immediate attention. They may be configured by the operators as convenient to them.
- It is recommended to perform a detailed review of operating windows within the study. However, it shall be noted that scheduling the study needs to account for the additional effort needed to perform a comprehensive review. Operating window monitoring uses process data to create performance indicators related to the reliability of the facility. Hereby the margins for specific process parameters need to be specified. This may focus on long-term degradation mechanisms, accumulative effects (e.g. cycling), thresholds for accumulating emissions (e.g. flaring).

2.4.8. Evaluating residual risk levels and proposing recommendations

HAZOP evaluates the risk on a purely qualitative level using the expertise and the experience of the team members. The team decides for each scenario whether the given safeguards are sufficient to reduce the risk below an acceptable limit. If the measures are considered to be insufficient, adequate recommendations for further risk reduction are given in the action list. Multiple or optional recommendations may be required to meet expectations.

Risk evaluation criteria

There is a constant desire to plot HAZOP scenarios against consequence and likelihood levels of a risk matrix in order to figure out the facility status on a simple heat map. Whereas consequence levels are usually simple to identify, the associated likelihood levels are not easy to evaluate in a comprehensive, traceable manner. Contributing factors for failings are the consideration of equipment failure rates (for causes and safeguards), human failure rates (for causes and in responding to scenarios), occupancy data of persons in the vicinity of the accident scenario, etc. Usually a simplified tick-on-the-matrix approach cannot cope with these factors, which eventually leads to misleading conclusions.

- No attempt shall be made to convert scenarios into a risk number by simply selecting likelihood and consequence levels from a matrix. Particularly a HAZOP worksheet must not contain consequence and likelihood columns, nor calculate a risk number for each scenario.
- The risk matrix for single scenarios given in HSSE-R-005 OMV Group Recommendation: HSSE Risk Assessment may be used as a reference document to assist the team in the relative evaluation of scenarios against each other, to provide orientation for risk tolerance limits and for prioritizing recommendations.
- The primary objective of HAZOP is hazard identification, which is to identify problems and develop solutions to overcome these problems. Other methods are more convenient for risk ranking and creating heat maps.
- As a rule of thumb: The residual risk is seen as intolerable if human intervention is the only safeguard to control the risk of fatality (or similar severe consequences). At least one additional effective, technical risk control is needed.

Proposing recommendations

If the team is not satisfied with the level of protection, or perceives that another issue needs further attention, recommendations should be proposed for management consideration:

Recommendations shall be made if the available safeguards are unlikely to control the scenario or there is a shortfall in compliance with regulatory or best practice requirements. Priority should be given to improving controls of risks which may impact humans or the environment. However, operability concerns should receive significant attention. This includes recommendations which improve information to ensure safe and reliable operations.

Recommendations should be understandable, concise, and unambiguous: the desired solution (what is wanted), its specific location (where is it wanted) and the reason it is considered necessary (why is it wanted). They should be written as stand-alone statements, i.e. without the need to consult the worksheets. They should clearly state the objectives which must be achieved to provide a solution to the potential problem.

In developing recommendations, the team should propose feasible solutions (technically and commercially); attempts to engineer the details of the solution during the review should be avoided. If the team is not certain how to control the hazard, it should recommend a further study to determine a solution. However, recommendations calling for further review should be avoided, since they require a final review by the team.

In rare situations the team may recommend an intermediate solution together with a more appropriate final solution if the latter cannot be implemented as fast as the criticality of the scenario warrants.

It is not unusual that the team recommends the removal of safeguards. This seems to contradict risk reduction; however, unnecessary safeguards increase the complexity of the system, and their removal is indeed a risk reduction (e.g. removal of alarms).

Recommendations are usually not specific actions. Rather, they alert management to potential problems that require action. However, if a problem is simple, if the team is quite experienced, or if there is only one solution, a recommendation may be a specific corrective action.

The team should refrain from developing recommendations when the team is satisfied that the safeguards adequately deal with the potential consequences. If the team cannot reach consensus on a recommendation, the study leader shall be the final arbiter.

The scrutiny of HAZOP studies usually results in a large number of recommendations covering a wide range, from correcting documentation errors up to major changes in the design. The follow-up process is improved by:

Adding flags to categorize the recommendations allows getting a quick overview of the scope of the recommendations; e.g.:

- Compliance: recommendations which need to be implemented to comply with regulatory or best practice requirements (e.g. as stated in an OMV engineering practice)
- Check: findings which need further clarification (e.g. field verification) because the team cannot decide on a recommendation (e.g. due to lack of documentation)
- Configuration: recommendations to change the configuration of existing equipment within its design limits (e.g. change of alarm set-point)
- Procedure: amending operating procedures and instructing operating personnel
- Documentation: recommendations to correct flaws in the facility documentation

Prioritization of recommendations facilitates resource planning. It should be based upon the criticality of the risk they relate to and the anticipated time and resources needed to implement them. Prioritization may be in scope of the study; the system for prioritization needs to be agreed with the risk owner before the study and shall be in line with the HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard.

2.4.9. Recording results and issuing reports

The scribe shall record the analysis online using a computer and a projector so that everyone can see what has been recorded and agree on it. The more administrative parts of the log sheets (e.g. team lists and attendance) may be completed outside the team session. It is recommended to perform regular wrap-up sessions (e.g. weekly) involving the whole team if specialists join the analysis only on a part-time basis.

Content structure of the full report

The report documents the scope, approach, identified hazards, analyzed scenarios, and findings resulting from the study. The full HAZOP report is structured as follows:

Table 3: HAZOP report contents (file and its content)

General part:
- Brief description of the system, area, and operation under review
- Terms of reference of the study (objectives, background of the study, scope, methodology used, assumptions, etc.)
- Date and revision of the analysis
- Management summary: a summary of the most critical recommendations along with any general issues or themes which emerge from the analysis (see also Section 2.5.2)
- List of appendices (listing the files as given below which constitute the full report)

List of Participants:
- Name (ID), organization, function, expertise / role within the analysis, attendance (refer to List of Sessions), comments as needed

List of Sessions:
- Date (ID), location, team attendance (refer to List of Participants), nodes analyzed (refer to HAZOP Worksheet), comments as needed

List of Documents / Information used:
- Document ID, type, description, revision / date of revision, used for node (refer to HAZOP Worksheet), comments as needed

HAZOP Worksheet:
- Node ID, node boundaries, design intent incl. important parameters, documents / information used (refer to List of Documents / Information), data of session incl. team members (refer to List of Sessions / Participants)
- Deviation, cause, safeguard, recommendations (refer to List of Recommendations), comments as needed

List of Recommendations:
- Recommendation ID, description, results from scenario (HAZOP Worksheet), responsible, priority (risk ranking)
- During action follow-up the list of findings will be complemented by action tracking comments, result, status and date of conclusion

Master documents:
- Scans or photos (readable) of the marked master documents: e.g. P&ID with marked nodes and highlighted findings, PFD with marked nodes, process description, etc.

Further records from analysis, e.g.:
- Worksheets from classifying SIL (Safety Integrity Levels) of safety instrumented systems
- Outside information used to evaluate scenarios

Guidelines for recording the analysis

The report serves as the permanent record of the study and is used by people who were not part of the team. The report is the only indicator of the quality and completeness of the study, and serves as a record of the team's diligence. The report should receive close scrutiny for clarity and accuracy of the explanations of each scenario and finding. The following guidance for recording shall be adhered to:

- If the team does not identify any cause for a deviation, it shall be recorded that the deviation was considered by documenting e.g. "no feasible cause identified in that node" or "not applicable to this node".
- Reference to equipment shall be by equipment tag and name. The first provides unique identification and the second enhances readability of the report.
- The node shall be clearly marked on P&IDs or other relevant documents. Typically this is done with colored highlighters. It is useful to indicate the recommendation numbers on the master documents. This might be done outside the team sessions.
- The records shall clearly indicate that previous incidents have been reviewed (i.e. accidents, near misses, process upsets, critical technical failures of equipment).
- Clear reference shall be given if outside information is used to evaluate scenarios. This information can be detailed consequence analysis, pressure relief valve calculations, logs from operations and maintenance, etc. It facilitates following up the study if such information is attached to the full report.
- Findings and recommendations shall have a clear reference to the scenario or point of discussion. This ensures follow-up and close-out of actions and facilitates the MoC process for implementing the actions.
- The findings and recommendations shall be written standalone (i.e. understandable without the HAZOP worksheet). They should be accomplishable and have a clear point of closure. The reference to the scenario / source shall be kept to allow for understanding of the context.

Usage of software

Specialized hazard identification software has many benefits and should be used for analyses which are scheduled to last more than 2 days. Shorter sessions can be undertaken using various standard office software packages. This recommendation does not stipulate the type of software to be used, though there is a recommendation for PHA-Pro (Dyadem, IHS). Regardless of the software, the information needs to be maintained as indicated above.

- Hand-over / archiving of the information shall be electronic, in the file format of the software.
- In any case, hand-over of the report shall be in Word and/or pdf so that it is readily accessible for people without that specialized software.

Hazard identification software facilitates numbering systems (IDs), cross referencing and session data management. Templates and libraries support quality control and comprehensive application of deviations and checklists. It allows easy creation of customized reports in addition to the lists which constitute the full report; e.g. filtering findings by priority, extracting scenarios which contain recommendations.
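The recording rules and the cross-referencing and filtering described above can be checked mechanically on worksheet data. The following Python sketch is an added example, not part of this recommendation or of any HAZOP software; the field names, the priority scheme, the IDs, the equipment tags and the sample rows are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Flags are the examples listed in section 2.4.8; the priority scheme is assumed.
REC_FLAGS = {"Compliance", "Check", "Configuration", "Procedure", "Documentation"}
PRIORITIES = ("high", "medium", "low")
NO_CAUSE_NOTES = ("no feasible cause identified in that node",
                  "not applicable to this node")

@dataclass
class Safeguard:
    tag: str           # equipment tag: unique identification
    name: str          # equipment name: readability
    human_only: bool   # True if the safeguard relies on human intervention

@dataclass
class Scenario:
    scenario_id: str
    node_id: str
    deviation: str
    cause: str = ""
    comment: str = ""
    severe: bool = False   # fatality or similarly severe consequence
    safeguards: list = field(default_factory=list)
    rec_ids: list = field(default_factory=list)

@dataclass
class Recommendation:
    rec_id: str
    description: str
    scenario_id: str   # reference back to the scenario it resulted from
    responsible: str
    priority: str
    flag: str

def validate(scenarios, recs):
    """Return a sorted list of (record id, problem) tuples."""
    problems = []
    scen_by_id = {s.scenario_id: s for s in scenarios}
    rec_by_id = {r.rec_id: r for r in recs}
    for s in scenarios:
        # A deviation without a cause must still be recorded as considered.
        if not s.cause and s.comment.strip().lower() not in NO_CAUSE_NOTES:
            problems.append((s.scenario_id, "no cause and no record that the deviation was considered"))
        for g in s.safeguards:
            if not g.tag or not g.name:
                problems.append((s.scenario_id, "safeguard needs both equipment tag and name"))
        # Rule of thumb: human intervention alone is not enough for severe scenarios.
        technical = [g for g in s.safeguards if not g.human_only]
        if s.cause and s.severe and not technical and not s.rec_ids:
            problems.append((s.scenario_id, "severe scenario without technical safeguard or recommendation"))
        for rid in s.rec_ids:
            if rid not in rec_by_id:
                problems.append((s.scenario_id, f"unknown recommendation {rid}"))
    for r in recs:
        src = scen_by_id.get(r.scenario_id)
        if src is None or r.rec_id not in src.rec_ids:
            problems.append((r.rec_id, "no matching scenario reference"))
        if not r.responsible or r.priority not in PRIORITIES:
            problems.append((r.rec_id, "responsible party or priority missing"))
        if r.flag not in REC_FLAGS:
            problems.append((r.rec_id, f"unknown flag {r.flag!r}"))
    return sorted(problems)

def recommendations_by_priority(recs, priority):
    """Customized report: recommendation IDs of one priority."""
    return [r.rec_id for r in recs if r.priority == priority]

def scenarios_with_recommendations(scenarios):
    """Customized report: scenarios which contain recommendations."""
    return [s.scenario_id for s in scenarios if s.rec_ids]

# Constructed sample worksheet rows and recommendation list.
SCENARIOS = [
    Scenario("N1-01", "N1", "No flow", cause="Control valve FV-101 fails closed",
             safeguards=[Safeguard("FAL-101", "Low flow alarm", True)], rec_ids=["R-001"]),
    Scenario("N1-02", "N1", "More pressure", cause="Blocked outlet", severe=True,
             safeguards=[Safeguard("PAH-102", "High pressure alarm", True)]),
    Scenario("N1-03", "N1", "Reverse flow",
             comment="No feasible cause identified in that node"),
    Scenario("N2-01", "N2", "Less flow", cause="Strainer blockage",
             safeguards=[Safeguard("", "Differential pressure indicator", False)],
             rec_ids=["R-009"]),
]
RECS = [
    Recommendation("R-001", "Review low flow alarm set-point on FAL-101",
                   "N1-01", "Operations", "medium", "Configuration"),
    Recommendation("R-002", "Provide technical overpressure protection for node N1",
                   "N1-02", "", "high", "Compliance"),
]

if __name__ == "__main__":
    for record_id, problem in validate(SCENARIOS, RECS):
        print(f"{record_id}: {problem}")
```

In the sample data, R-002 points at scenario N1-02 but the worksheet row does not list it, so both the one-sided cross reference and the unprotected severe scenario are reported.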

2.5. Implementing results

2.5.1. Communicating findings and distributing protocols

Finalization of the report

The study team is responsible for the quality, accuracy, and completeness of the study worksheets. Once the team sessions are completed, the report is finalized by the moderator (with support of the scribe). The interim report shall be distributed to the team to get their agreement. After the final review session, the report should be issued in draft and major findings presented to operations management. They may wish to ask questions about the analysis or have a debriefing meeting on ways to improve HSSE performance of the facility. Finally the report shall be signed by the moderator and the risk owner. The approval by the risk owner is a commitment of the operations management to implement the findings.

Distributing and archiving the report

The approved report needs to be distributed to the report recipients and distribution list as identified in the terms of reference and shared within the organization to allow implementation of the findings. Further stakeholders to be considered in sharing conclusions can be persons who are exposed to the identified hazards.

It is expected that the report will be used throughout the plant lifetime (by staff not involved in the original study). Some core thoughts that relate to this are the linkage to field verification of safeguards, management of change, operating instructions, permit-to-work, training, accident investigation, etc.

The full report (for content see paragraph above) shall be made a controlled document in accordance with the document control procedures of the facility under review. Usually this will be done electronically; care needs to be taken to retain master documents (e.g. marked P&IDs). It is recommended to maintain the action list arising from the findings together with the report.

The report needs to be accessible for reference in following up the study and its findings, management of change, further hazard and risk analysis related to the facility, revalidation of the study, etc. All report and tracking information should be readily available for audit and review.

2.5.2. Hazard and Risk Register

HAZOP worksheet outputs do not typically generate lists that can be used directly in conventional hazard and risk registers or hazards and effects registers (see also HSSE-R-005 OMV Group Recommendation: HSSE Risk Assessment). Although the techniques are recognized as hazard identification, they are practically more concerned with the evaluation of detailed scenarios to reduce the effects of hazards and operability problems. The worksheet might be understood as a hazard register; however, it is too detailed to communicate the overall risk profile. The elaboration and/or update of a detailed hazard and risk register needs to be addressed in a separate session.

The qualitative summary of the overall risk situation of the facility under review shall be given in the general part of the report to provide management with an overview of the risk situation and allow them to take immediate efforts for corrective action and resolution:

- The most critical recommendations together with the scenarios they resulted from
- The scenarios which involve the most severe consequences and the status of their control
- Number of recommendations and their principal scope
- Any other issue or theme which emerges from the analysis and may warrant management attention

It is highly recommended to include the conclusions and findings from the study in the bi-annual risk runs of the enterprise-wide risk management system (i.e. amending consequence and likelihood data by consideration of identified performance issues).

2.5.3. Following-up findings

The effectiveness of systematic hazard analysis is directly linked to the effectiveness of the process of following up recommendations. This recommendation does not address detailed guidance for documenting and tracking implementation of actions to correct deficiencies identified by the study. However, effective risk management must assure that recommendations are resolved in a timely manner and tracked until close-out (see also HSSE-R-005 OMV Group Recommendation: HSSE Risk Assessment). In doing so the aspects given below should be taken into consideration:

- Each finding should be associated with a responsible party (person and/or organization), a priority and a target date for completion. The priority needs to reflect the residual risk level. The completion date needs to reflect the effort for completion and, if applicable, operational constraints on completion (e.g. requirement to wait until the next outage).
- Technical findings especially may require engineering a suitable solution. The different options should be recorded so that the final decision can be assessed (e.g. during revalidation of the study).
- Any major deviation from the finding, including reasons to reject a finding, should be recorded with its justification so that the decision can be re-assessed. In such cases it is recommended that the risk owner informs the higher management level to ensure they are informed and agree.
- For projects, action follow-up is integrated in the gate-review process. The project reviews ensure close-out of actions prior to start-up of the system (see project management, operational readiness and pre-start safety review).
- The risk owner shall ensure that the status of the actions is followed through until conclusion. It is recommended that a person is made responsible to do this.
- Operations management together with the risk owner(s) should perform formal status reviews of the open actions at regular intervals (e.g. quarterly on facility level / function level).
- Action tracking can be done manually or in computerized systems as convenient for the facility. Actions which are directly associated with a risk that is registered in ARMS or CARE should be tracked in that respective system. For all other actions other systems might be more convenient, with only the overall status of the action list tracked in CARE or ARMS to ensure that recommendations continue to receive focus.
- Recommendations from different studies may be consolidated into one action list at facility level. The tracking system has to maintain the reference to the source of the action.
- It is highly recommended to deploy Management of Change for implementation of the findings. This might involve further hazard identification studies to guard against the ultimate solution inadvertently introducing a new risk.
- Action tracking systems ideally allow easy reporting of status and progress. They maintain all information necessary to show that recommendations are resolved in an auditable and verifiable manner.


2.5.4. Updating and revalidation of the study

The general requirements for updating and revalidation of systematic hazard and risk analyses are given in the HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard. The process ensures that the study consistently reflects the actual status of the facility and that the risk controls comply with state-of-the-art including latest findings from incidents. This may require updating some parts of the study, a complete revision of the study or even redoing the study. The process of revalidation follows the same principles as stated above. The scope and method of revalidation shall be specified in the terms of reference (see Section 2.2.3) prior to the review sessions with consideration of the following criteria:

Updating specific scenarios:
- For close-out of actions
- Learning from incidents specific to a cause, consequence or safeguard
- Management of Change when modifying specific equipment, process controls and protection systems

Updating specific parts / nodes:
- Decommissioning of subsystems of the unit, integration of new subsystems
- Decommissioning systems connected to the unit, connection to new systems
- Management of Change when related to product specification, to operations control philosophy and protection systems, etc.
- Project activities related to subsystems of the installation
- Learning from incidents related to operations control of a subsystem
- Following the progress of engineering and design during projects (e.g. details from vendor packages becoming available); at the latest prior to start-up of the system

Complete revision:
- Revalidation following the 5 year cycle
- Management of Change when related to fundamental changes of the operations control system (e.g. upgrade of process control system, outsourcing of operational activities), major changes in legislation, major changes in the organization responsible for that facility, changes of numbering system, changes in the inspection and maintenance regime
- Project activities to revamp the facility
- Learning from incidents related to management system controls
- The risk owner suggests a change of the HAZOP scope (e.g. inclusion of procedures)

Redoing the study:
- When the risk owner requests to do so
- When the terms of reference applied for the existing study largely differ from the expectation stated here
- When the existing study was done during the project and did not appropriately involve operating personnel
- When no comprehensive study exists which covers the entire facility under review (e.g. a loose collection of various project studies)
- When the study is older than 5 years and the study record does not indicate findings
- When the facility documentation differs widely from the actual status of the facility or features major gaps (e.g. P&ID missing, equipment data missing)
- When the incident record indicates a lack of understanding of the hazards and risk controls of the facility
- When a high-level quality review of the existing study identifies gaps in identifying common hazards (review to be done by a person independent from the original team)
- Newly acquired facilities

The review should at least cover:

- Incorporation of all modifications which have been carried out
- Check of the existing protection systems against state of the art (i.e. factory and public standards)
- Critical review and incorporation of findings and action items
- Critical review of scenarios which have been found ALARP and, thus, require periodic review
- Review of the study reflecting the actual status of the facility (as indicated in the facility documentation)
- Integration of study reports after hand-over from project to operations

The review team does not need to include the team members involved in the original study. However, it is helpful and improves consistency if at least one original team member is involved. Conversely, it is not recommended to perform a complete revision or redo of the study with a team made up mostly of original team members.

The final, revalidated report needs to indicate the status of the study (i.e. date and revision number). It is recommended to track the scope of revalidation and the motivation for revision in a List of Amendments within the study report.

2.6. Quality Review of the Study Performance

Regular independent reviews are used to evaluate the implementation of this recommendation at facility level. The results of these reviews will be used for continual improvement of the recommendation and its application. The reviews shall cover the more general management processes for planning and performing the studies implemented at facility level as well as the content review of the studies themselves. The following minimum criteria shall be considered in audit and review:

Management processes:
- Was the risk assessment documented properly?
- Does the documented risk assessment correspond to the actual as-built situation?
- Does the team cover all required disciplines and is it sufficiently competent?
- Does planning of the studies cover all systems at the facility level and ensure adequate resourcing?
- Are the results of the risk assessment communicated to stakeholders?
- Were identified actions completed and their results incorporated accordingly?
- Are there regular action follow-up meetings in place?
- Is there a system to ensure follow-up and close-out of recommendations?
- Are there any recommendations rejected for action? Is the team included in that decision?
- Is action close-out established and tracked as a key performance indicator?

Quality of the study:
- Is the information given in the risk assessment report understandable and sufficient for follow-up?
- Did the team work systematically through the system, or did it jump around and possibly overlook important scenarios?
- Are scenarios resulting from the interfaces of the system considered appropriately?
- Were all parts / all equipment of the system considered?
- Are all operating modes of the facility considered?
- Is the evaluation sound and sufficient?
- Were all hazards fully identified?
- Are all known incident causes adequately considered?
- Were all reasonably foreseeable consequences identified?
- Are the risk controls recognized for all consequences and do they comply with state-of-the-art?
- Are the safeguards valid and fully documented?
- Is the evaluation of residual risk consistent and balanced?
- Was the risk judgment appropriate and were any necessary further actions to reduce the risk identified?
- Are the recommendations adequate to the residual risk levels, without lobbying for specific team members' preferences?

3. Internal Reference Links

- HSSE-S-004 OMV Group Standard: HSSE Risk Management Standard
- HSSE-R-005 OMV Group Recommendation: HSSE Risk Assessment
- HSE 021 Group Standard Management of Change
- HSSE-R-028 OMV Group Recommendation: Facility Documentation
- HSSE-S-005 OMV Group Standard: HSSE in Projects
- HSSE-R-011 OMV Group Recommendation: Project HSSE Reviews (PHSSER)
- HSSE-R-030 OMV Group Recommendation: Pre Start-up HSSE Review Best Practice
- HSSE-R-008 OMV Group Recommendation: Site Security Risk Assessment (SSRA)
- HSSE-R-026 OMV Group Recommendation: Environmental and Social Impact Assessment
- HSSE-R-009 OMV Group Recommendation: Health Risk assessment
- HSSE-R-016 OMV Group Recommendation: Work place Risk assessment
- HSSE-R-017 OMV Group Recommendation: Hazard and Operability Study (HAZOP)
- HSSE-R-019 OMV Group Recommendation: Hazard Identification using the Structured What-If Technique (SWIFT)
- HSSE-R-029 OMV Group Recommendation: Risk Evaluation using the Layer of Protection (LOPA) Methodology
- HSSE-R-032 OMV Group Recommendation: Evaluating Loss of Containment Scenarios by Quantified Risk Assessment (QRA)

4. External Reference Links

- ISO 31010:2009: Risk management - Risk assessment techniques
- DOE-HDBK-1100-96: DOE Handbook - Chemical Process Hazard Analysis
- ISO 17776:2002: Petroleum and natural gas industries - Offshore production installations - Guidelines on tools and techniques for hazard identification and risk assessment
- IEC 61882:2001: Hazard and operability studies (HAZOP studies) - Application guide
- IEC 60812:2008: Analysis techniques for system reliability - Procedure for failure mode and effects analysis (FMEA)
- ISO 14121-2:2007: Safety of machinery - Risk assessment - Part 2: Practical guidance and examples of methods
- Risk assessment essentials, EU OHSA (2007)
- Guidelines for Hazard Evaluation Procedures, 3rd Edition; Center for Chemical Process Safety (CCPS), AIChE, (2008)
- IEC 61025:2006: Fault tree analysis (FTA)
- Layer of Protection Analysis; Center for Chemical Process Safety (CCPS), AIChE, 2001
- IEC 61511-1:2003 Functional safety - Safety instrumented systems for the process industry sector; Part 1: Framework, definitions, system, hardware and software requirements
- UK HSE Guide HSG 48: Reducing error and influencing behaviour

5. Obsolete Regulations

None (on OMV Group level)

6. Certification Standards

None

7. Terms & Abbreviations

7.1. Terms

Term: Definition

BowTie: A simple diagrammatic way of describing and analyzing the pathways of a risk from hazards to outcomes and reviewing controls.

Cause: Event, situation, or condition that results, or could result, directly or indirectly in an accident or incident.

Checklists (HAZID, SWIFT): Structured lists to enhance the process of brainstorming in identifying hazards. Checklists may be structured by hazard categories, causes, consequences, activities, incident scenarios, etc.

Consequences: Potential effects which could occur as a result of a hazard. Consequence descriptions are qualitative or quantitative estimates of the accidental effects on people, environment, property incl. revenues and reputation.

Deviation (HAZOP): Departure from the design intent, i.e. the way a process or system is intended to function. A deviation is created by applying a HAZOP guideword to a parameter which states the design intent.

Facility: For the purpose of this recommendation the term facility refers to a physical arrangement of operating installations / equipment which constitute a part of a production site / operations asset. Examples of facilities are loading station, boiler house, oil production facility, compressor station, crude distillation unit, hydro treating unit, intermediate product storage, etc.

FMEA, FMECA: A hazard identification technique which identifies failure modes and mechanisms, and their effects (and their criticality).

Guideword (HAZOP): Words such as high, low, and no that are applied to parameters to create a potential deviation from the design intent.

Harm: Physical injury or damage to the health of people, or damage to property or the environment.

Hazard: Potential source or cause of harm to people, the environment, property incl. revenue, or reputation. Hazards can result from the inherent properties of an installation or from unsafe work practices.

HAZID: The process of identifying credible and conceivable hazards associated with a facility, operation or activity. HAZID is a generic term covering known techniques such as SWIFT, HAZOP, FMEA, etc. HAZID is sometimes used to describe the process of screening hazards to develop a high level hazard register.

HAZOP: A systematic qualitative technique for identifying hazard and operability problems, using a series of guidewords to examine deviations from normal process conditions.

Likelihood: The number of occurrences of a hazardous event per unit time (frequency) or per possible cases (probability).

LOPA: Method for evaluating the effectiveness of protection layers in reducing the frequency and/or consequence severity of hazardous events.

Operability: Ability to operate a facility inside the design envelope and meet business expectations.

Parameters: Conditions used to define a process, including flow, pressure, temperature, and level.

QRA: A systematic, quantified assessment of the risks of major releases of hazardous materials. QRA is typically used for facility siting analysis.

Risk: The effect of uncertainty on objectives. Within HSSE it is expressed as the product of the measure of likelihood of occurrence of an event and the potential adverse consequences which the event may have upon people, assets (or revenue), the environment or reputation.

Safeguard: Device, system, or action that would likely interrupt the chain of events following an initiating cause or that would mitigate loss event impacts. Safeguards are risk control barriers.

Safety: Freedom from unacceptable risk.

SWIFT: A systematic technique to identify hazards in a broad scope which does not go deep into details.

7.2. Abbreviations

Abbreviation: Meaning

ARMS: Active Risk Management System (OMV's system to manage enterprise-wide risks)
CARE: OMV's group-wide incident management system
ESD: Emergency Shut Down
FMEA, FMECA: Failure Mode Effect Analysis, Failure Mode Effect & Criticality Analysis
HAZID: HAZard IDentification
HAZOP: HAZard and OPerability
HIPO: High potential (incident)
LOPA: Layer Of Protection Analysis
MoC: Management of Change
P&ID: Piping and Instrumentation Diagram
PFD: Process Flow Diagram
QRA: Quantified Risk Assessment
RBI: Risk Based Inspection
SIL: Safety Integrity Level
SIMOP: Simultaneous Operations
SWIFT: Structured What IF Technique

8. Keywords / Search Criteria

Hazard identification, safety, risk assessment, process hazard analysis, PHA, what-if, checklist, SWIFT, HAZOP

9. Annexes

Annex 1 Deviations for Continuous Process HAZOP
Annex 2 Deviations for Procedure HAZOP
Annex 3 Deviation for Batch / Sequential HAZOP
Annex 4 Deviations for Electrical, Instrumentation and Control System HAZOP
Annex 5 Deviations focusing process installation aspects within HAZOP
Annex 6 HAZOP Worksheet Template

10. Amendments from Previous Versions

None

Annex 1. Deviations for Continuous Process HAZOP

The following deviations relate to the process technology part of process systems. They should be used for continuous process HAZOP and batch / sequential HAZOP. Each one should be applied to each node (as relevant for the node and defined by the design intent). The listed deviations might be considered as additional deviations for procedure HAZOP.

Table 4: Standard HAZOP deviation for process HAZOP - process engineering

Deviation No flow Typical causes
Control loop failure Control valve fails closed Wrong routing / line-up Blockage Incorrect slip plate Incorrectly fitted check valve Burst pipe / large leak Increased pumping capacity Increased suction pressure Restriction orifice plates deleted Cross connection of systems Control faults Control valve trim changed Operation of pumps in parallel Hand valve closed Equipment failure (control valve, isolation valve, pump, compressor, vessel, etc.) Incorrect pressure differential Isolation in error Pulsation Bypass valve open Reduced delivery head Change in fluid density Exchanger tube leaks Worn or deleted restriction orifice plates Cross connection of systems Control valve fails open Burst pipe Density or viscosity changes Wrong line-up Inadvertently throttled valve Block valve closed Power failure Plugged line No flow from upstream system No flow to downstream system

More flow

Burst heat exchanger (internally) Large leak Wrong valve open Wrong line-up or misdirected flow Slug flow Water hammer Increased flow from upstream process Competing pump heads and flows Incorrect valve sizing Surging Wrong line-up or misdirected flow Unintended open connections from or to utilities (water, N2, flush systems, etc.) Recirculation valve open Increased centrifugal pump suction pressure Start-up of spare pump Failure of ejector system More reaction Plugged pressure tap Obstructed relief Pressure testing Excessive heating (e.g. fire) Exchanger tube leak (internally)

Less flow

Line restrictions Filter / strainers blockage Defective pumps Fouling of vessels, valves, orifice plates Defective check valve Leaking check valve (falsely used as positive shut-off device) Omitted, wrong type of check valves Two-way flow Siphon effect Surge problems Connection to high pressure system Gas breakthrough (inadequate venting) Control loop failure Defective isolation procedures for relief valves Positive displacement pumps against closed valve Failed pressure control valves (open or closed)

Reverse flow (misdirected flow)

Incorrect pressure differential Emergency venting Incorrect operation In-line spare equipment Internal rupture heat exchanger

More pressure

Wrong design pressures, specifications of pipes, vessels, fittings, instruments Thermal overpressure Pressure range for abnormal operations Leakage from interconnected high pressure system (HP to LP interface) Control valves failed (closed or open) Vessel drainage Blockage of blanket gas reducing valve Blockage of venting during emptying Gas dissolving in liquid Internal fires Reaction control failures Heating medium leak into process Reaction control failure Air cooling fan failure Heat tracing Regeneration

Less pressure / vacuum

Generation of vacuum condition Condensation Restricted pump / compressor suction line Undetected leakage Ambient conditions (e.g. sun radiation) Fouled or failed exchanger tubes Fire situation Cooling water failure Defective control Heater control failure -

Excessive cooling Failure of vacuum relief Inadequate net positive suction head

More temperature

Decoking Heats of reaction Mixing, reactor hot spots, decomposition, or runaway reaction, absorption, or solution. Burn protection Abnormal operations


Deviation Typical causes Less temperature - Ambient conditions


-

Cold weather operations Fouled or failed exchanger tubes Outlet isolated or blocked Inflow greater than outflow Control failure Faulty level measurement Gravity liquid balancing Failure phase separation Inlet flow stops Leak Outflow greater than inflow Level control failure Faulty level measurement Failure of instrument air Failure of steam (LP/MP/HP) Failure of nitrogen Failure of cooling water Failure of hydraulic power Failure of process water Lack of fuel gas / fuel oil Power loss drive (high / low voltage) Power loss instrument control Power blips/failure modes Failure of tracing Leaking isolation valves Leaking exchanger tubes Interconnected systems (especially services, blanket systems) Impurities present Debris left from installation Ingress of air, water, or rust Lack or wrong additives Wrong or worn catalysts Changes in pH-value Changes in viscosity Changes in flashpoint Changes in vapor pressure Loss of agitation Agitator set at wrong speed (too slow / too fast) Agitator blade drops off Drive stops / coupling failure No or worn baffles Wrong reactant mix High temperature / heat value Low temperature / heat value

Loss of heating Reducing pressure Depressurization of liquefied gas Filling operations Liquid in vapor lines Vessel overflow Deactivated level alarm Inadequate time to respond Draining of vessel Failure pump stop Drain valve left open Incorrect calibration Two phase flow Trip delay for power failure Contamination of instrument air, nitrogen, water, etc. Telecommunications Heating and ventilating systems Lack of blanketing gas Process control computers failure Failure of communication system Loss of view process control system Stream composition / contaminants Reaction intermediates/byproducts Solvent flushing High solids concentration Settling of slurries Catalyst poisons Catalyst deactivated / inhibited Changes in phases Incorrect feedstock / specification Inadequate quality control Grade change Phase change Phase inversion Settling of solids Accumulation of liquids in bottom points Accumulation of gases in high points Side reactions Channeling Insufficient catalyst Decomposition / degradation

Joule/Thompson effect Endothermic reaction Control failure Failure tracing Incorrect calibration Interface level control Phase inversion Slug flow Condensation Plugged instrument taps Inadequate residence time Inadequate mixing, excessive heating Gas in liquid lines Viruses process control system Lack of field air Lack of back-up process control system Failure gas detector Failure fire / smoke detector Failure of lightening Failure surveillance camera Failure deluge system Failure flushing system Lack of spares / stand-by Failure of earthing Polymerization Coke formation Additional additives Decompositions Explosive mixtures Phase change Phase inversion Cavitation, flow separation

More level

Less level

Utility / service failure

Additional components / impurities

Components missing Material / quality change

Process control upset Preparation for shut-down and start-up operations

Wrong mixing (no / more / less mixing)

Lack of balance line (e.g. after injection, pumps) Vortex formation / separation

Wrong reaction (no / more / less reaction)

Incompatible chemical Pyrophoric substances (e.g. iron sulphide) High oxygen content

Annex 2. Deviations for Procedure HAZOP

For procedure HAZOP the deviations are applied to a sequence of steps and activities. The sequence constitutes the node, similar to the physical subsection for continuous process HAZOP. A clear description of the sequence of steps must be available before starting the analysis (either from the operating manual or provided by the team). Possible applications are procedures for start-up, shut-down, emergency shut-down, switching over for batch operations, non-standard routing of flows, receiving pipeline pigs, etc. A procedure HAZOP shall be performed for routine and non-routine activities which are critical with respect to safety or operability of the facility or which have high inherent hazards. It is highly recommended to involve field personnel in procedure HAZOP and/or perform field verification of its implementation in addition to the desktop study.

is a routine procedure or periodically performed (e.g. given in the Operations Manual) and

is critical with respect to safety or operability or has hazardous aspects or involves hazardous materials
The purpose of each step as well as possible failures in its execution is analyzed. Within procedure HAZOP there is a strong focus on human failure. Despite all training and best intentions, human beings are prone to failing. For routine actions the failure rate is 1:100-1:100 when performed by a well-trained person without stress. Within emergencies the failure rate may increase up to 1:10 or higher, which is why normally only little credit should be given for operator intervention in de-escalating major accident scenarios. The human failure model given below should be used as a reference for identifying possible causes which lead to execution failures. A separate human factors study may be required if there are significant risks associated with human factors.

Figure 2: Human failure model (acc. UK HSE Guide HSG 48)

[Figure labels: human failure (active & latent); human & job factors; organizational & management factors. Errors (unintentional): skill based (right idea, wrong execution), with slip: execution error; lapses: memory error; miss: perception error. Mistakes (right execution, wrong idea), with knowledge-based mistakes: planning error, mode error; rule-based mistakes: misdiagnosis, misinterpretation. Violations (intentional): routine, situational, exceptional. Further labels: lack of awareness or understanding; weakness of management system; safe resources by use of short-cuts; insufficient resources to apply rule; falsely taking of risk in an emergency; conflicting goals.]

The listed deviations should be used for procedure HAZOP and batch / sequential HAZOP. Each deviation should be applied to each node. The listed deviations might be considered as additional deviations for continuous process HAZOP.

Table 5: Standard HAZOP deviation for procedure HAZOP

Deviation Typical causes

No action / sequence halts
Step is missed or omitted Intended operation did not occur (mechanical failure) Action impossible Equipment not ready (locked out, not in service) Blind left in piping Step not carried out Handover problems Split responsibilities / unclear roles and duties Equipment failure No reaction (process stops) Memory lapse, distractions, excessive workload No response to an alarm

More action / extra step

Operator does more than intended (opening valve too far, etc.) Another action completed, as well as the action intended Procedure ambiguity Operator does less than intended (added less catalyst than required, etc.) Equipment does not perform as required (plugged strainer) Not enough time to complete the step -

Another action completed in addition to the intended action Performs two or more steps at the same time An incorrect action in place of a specified action Step partially completed or delayed Operator only completes part of a composite action (misses out middle part, or final part) Operator short-cuts

Operator assumes he is required to do something in addition to what is specified, (stops motor and isolates power, closes drain and blanks it, etc.) Lack of clear information/indication that step intention achieved. Checks not made or incomplete

Less action / step incomplete Part of action -


Deviation Wrong action

Typical causes
Operator opens the wrong valve, starts the wrong pump, reads the wrong instrument () Incorrect action substituted for the correct action (e.g. closes instead of opens) Operator misunderstands instruction and does something completely different (procedure ambiguity) Plant labeling defective, poor access, lighting, time pressure, fatigue Inherent hazards and operability problems with the step even if there is no deviation from the intention Other personnel in wrong area Valve closure/opening incomplete or valve passing/blocked Operator remembers a similar procedure and follows that instead Personnel performs different or out of date procedure

Interfering action (SIMOPs)


-

Any other simultaneous activity that may have an impact on the overall safety of the operations Other actions occur affecting this operation Other procedures interfering Valve open or closed in error prior to/during step. Lack of clear labelling. Operator takes longer than necessary over action, (leaves something running and gets distracted) Operator starts next action later than expected Operator carries out action too slow Process moves too slow onto the next step Operator carries out action too quickly, (stops the flow before required level is reached) Operator starts next action earlier than expected A step is done before the right timing (relative to clock time) -

Poor communications (operation, maintenance, engineers, etc.) Others don't perform as required Incomplete or incorrect valve status list in procedure Excessive delay before moving on to the next step or following completion of previous step Communication delay/error between other parties responsible for preceding steps.

Execution error More time / too late / too slow

Delay before the next step A step is done after the right timing (relative to clock time) A step is not done with the right timing; Operation completed too slowly Too little chemical reaction Valve gets stuck Cooling / heating too slow Operation completed too quickly Process moves too quickly onto the next step Too much chemical reaction Chemical reaction too fast Heating / cooling too fast Step completed out of sequence or in wrong order

Less time / too soon / too fast

Insufficient delay before moving on to the next step or following completion of previous step. Communication delay/error between other parties responsible for preceding steps. Communication delay/error between other parties responsible for preceding steps No specified actions for emergencies Information loss in shift hand over

Out of sequence / step reversed No information


-

Operator misses out a step Operator carries out a step before it should occur, or after it should occur No feed-back from the process (transmitter failure, alarms) Communication break between operators Procedure does not specify expected performance (temperatures, pressures, flows, levels, etc.) Procedure includes information that is unnecessary and could lead to confusion Necessary information is missing from the procedure Missing starting clearance Insufficient information to check progress Manual / automatic override Information provided is wrong Contradicting information (oral instruction vs. written) -

Unattended / remote operation Ability to read or confusion with local instrumentation Missing information on changes made

More information

Procedure contains information that contradicts other information Communication interruptions Verbiage confusing Readability of labeling Missing readability / clearly understand of procedures (e.g. language)

Contradiction process control information Overflow of information Inadequate alarm prioritization Insufficient information to identify error and their causes Step confusing Incorrect monitor display information Other procedures or steps within this procedure)

Less information -

Wrong information

Information is out of date Reliance on operator interaction

Annex 3. Deviation for Batch / Sequential HAZOP

A batch process is one where there are discontinuities in the operation with time, where continuous process operations alternate with manual and automatic switch operations. The HAZOP of a batch process normally requires the application of deviations from continuous process HAZOP and procedure HAZOP. Usually the HAZOP is driven by the procedural part.


A batch HAZOP can be more complex than a HAZOP for a continuous process because the status of the process changes over time. More preparation is required to avoid confusion. These preparatory steps will yield significant time savings compared with running a continuous process HAZOP on each step/ node combination. Three additional inputs are required:

- A list of the batch operation steps should be developed.
- A matrix indicating the steps and the nodes should be developed, indicating which nodes are active (A) or inactive (I) during each step. A node is active if during the step materials are intentionally present, even if simply being stored.
- A valve position table should be defined indicating valve position with each step, as well as the operational status of equipment such as pumps/mixers etc. (running/not running).

The HAZOP is conducted by applying the continuous process deviations with some additional procedure deviations to each step where the node is active. For inactive nodes, only one deviation, "becomes active", is used. Care has to be taken because nodes can have multiple design intents across the batch sequence. Each node needs to be analyzed for each process step. Where adjacent steps have the same nodal active/inactive profile and where they have the same valve position profile, the steps can be combined to reduce the HAZOP duration.

The figure below shows a simplified ethylene process reactor system which has a range of different operating configurations such as reaction and catalyst regeneration. The steps indicate the possible reactor operating configurations (where R is reactor). The associated step/node matrix is detailed in Table XX and the valve position table in Table XX.

Figure 3: Example system for a batch HAZOP ethylene reactors

[Figure labels: Feed Gas, Regen Gas Feed, Bypass, reactors R1, R2 and R3, Reactors Discharge, 2nd stage Feed, Regen Discharge; valves V1 to V8, VR1 to VR6, VB1 and VB2.]

Table 6: Batch HAZOP step/node matrix

| Steps | Feed Gas | Regen Gas feed | Reactor 1 | Reactor 2 | Reactor 3 | 1st stage discharge | 2nd stage discharge | Regen gas discharge |
|---|---|---|---|---|---|---|---|---|
| R1 feeding R2 | Active | Inactive | Active | Active | Inactive | Active | Active | Inactive |
| R1 feeding R3 | Active | Inactive | Active | Inactive | Active | Active | Active | Inactive |
| R2 feeding R3 | Active | Inactive | Inactive | Active | Active | Active | Active | Inactive |
| R1 feeding R2, R3 Regen | Active | Active | Active | Active | Active | Active | Active | Active |
| R1 feeding R3, R2 Regen | Active | Active | Active | Active | Active | Active | Active | Active |
| R2 feeding R3, R1 Regen | Active | Active | Active | Active | Active | Active | Active | Active |
| R1 feeding R2 and R3 | Active | Inactive | Active | Active | Active | Active | Active | Inactive |
| R1 only | Active | Inactive | Active | Inactive | Inactive | Active | Active | Inactive |
| R2 only | Active | Inactive | Inactive | Active | Inactive | Inactive | Active | Inactive |

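Table 7: Batch HAZOP valve position table

| Steps | V1 | V2 | V3 | V4 | V5 | V6 | V7 | V8 | VR1 | VR2 | VR3 | VR4 | VR5 | VR6 | VB1 | VB2 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| R1 feeding R2 | O | C | O | C | O | C | O | C | C | C | C | C | C | C | C | C |
| R1 feeding R3 | O | C | O | C | C | O | C | O | C | C | C | C | C | C | C | C |
| R2 feeding R3 | C | O | C | O | C | O | C | O | C | C | C | C | C | C | C | C |
| R1 feeding R2, R3 Regen | O | C | O | C | O | C | O | C | C | C | O | O | C | C | C | C |
| R1 feeding R3, R2 Regen | O | C | O | C | C | O | C | O | C | O | C | C | O | C | C | C |
| R2 feeding R3, R1 Regen | C | O | C | O | C | O | C | O | C | C | O | C | C | O | C | C |
| R1 feeding R2 and R3 | O | C | O | C | O | O | O | O | C | C | C | C | C | C | C | C |
| R1 only | O | C | O | O | C | C | O | C | C | C | C | C | C | C | C | C |
| R2 only | C | O | C | C | C | C | O | C | C | C | C | C | C | C | C | C |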
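The batch HAZOP preparation described in this annex, worked through as an added example that is not part of the OMV document: it builds the worksheet plan from the step/node matrix and the valve position table, combines adjacent steps only when both profiles match, and reports where matching node profiles are kept apart by differing valve positions. The profiles are transcribed from Tables 6 and 7 (the third reactor column is taken as Reactor 3); the function names and the short subset of Annex 1 deviation names are assumptions made for illustration.

```python
"""Batch HAZOP preparation: step/node matrix + valve position table -> worksheet plan."""

NODES = ["Feed gas", "Regen gas feed", "Reactor 1", "Reactor 2", "Reactor 3",
         "1st stage discharge", "2nd stage discharge", "Regen gas discharge"]
VALVES = ["V1", "V2", "V3", "V4", "V5", "V6", "V7", "V8",
          "VR1", "VR2", "VR3", "VR4", "VR5", "VR6", "VB1", "VB2"]

# (step, node profile in NODES order: A = active, I = inactive,
#  valve profile in VALVES order: O = open, C = closed).
# Transcribed from Tables 6 and 7; valve strings are grouped V1-V8, VR1-VR6, VB1-VB2.
STEPS = [
    ("R1 feeding R2",           "AIAAIAAI", "OCOCOCOC" "CCCCCC" "CC"),
    ("R1 feeding R3",           "AIAIAAAI", "OCOCCOCO" "CCCCCC" "CC"),
    ("R2 feeding R3",           "AIIAAAAI", "COCOCOCO" "CCCCCC" "CC"),
    ("R1 feeding R2, R3 Regen", "AAAAAAAA", "OCOCOCOC" "CCOOCC" "CC"),
    ("R1 feeding R3, R2 Regen", "AAAAAAAA", "OCOCCOCO" "COCCOC" "CC"),
    ("R2 feeding R3, R1 Regen", "AAAAAAAA", "COCOCOCO" "CCOCCO" "CC"),
    ("R1 feeding R2 and R3",    "AIAAAAAI", "OCOCOOOO" "CCCCCC" "CC"),
    ("R1 only",                 "AIAIIAAI", "OCOOCCOC" "CCCCCC" "CC"),
    ("R2 only",                 "AIIAIIAI", "COCCCCOC" "CCCCCC" "CC"),
]

# Illustrative subset of the Annex 1 deviations (assumption: a real study uses
# the full list agreed in the terms of reference).
CONTINUOUS_DEVIATIONS = ["No flow", "More flow", "Less flow", "Reverse flow",
                         "More pressure", "Less pressure / vacuum",
                         "More temperature", "Less temperature",
                         "More level", "Less level"]
INACTIVE_DEVIATION = "Becomes active"  # the single deviation used for inactive nodes


def validate(steps):
    """Reject rows whose profiles do not line up with NODES and VALVES."""
    for name, nodes, valves in steps:
        if len(nodes) != len(NODES) or set(nodes) - set("AI"):
            raise ValueError(f"bad node profile for step {name!r}: {nodes}")
        if len(valves) != len(VALVES) or set(valves) - set("OC"):
            raise ValueError(f"bad valve profile for step {name!r}: {valves}")


def merge_adjacent(steps):
    """Combine adjacent steps that share BOTH the node and the valve profile."""
    merged = []
    for name, nodes, valves in steps:
        if merged and merged[-1][1:] == (nodes, valves):
            merged[-1] = (merged[-1][0] + " + " + name, nodes, valves)
        else:
            merged.append((name, nodes, valves))
    return merged


def blocked_merges(steps):
    """Adjacent steps with the same node profile that still cannot be combined,
    together with the valves whose positions differ between them."""
    blocked = []
    for (a, nodes_a, valves_a), (b, nodes_b, valves_b) in zip(steps, steps[1:]):
        if nodes_a == nodes_b and valves_a != valves_b:
            differing = [v for v, x, y in zip(VALVES, valves_a, valves_b) if x != y]
            blocked.append((a, b, differing))
    return blocked


def worksheet_plan(steps):
    """Rows (step, node, deviation): every continuous deviation for an active
    node, only 'Becomes active' for an inactive one."""
    validate(steps)
    rows = []
    for name, nodes, _valves in merge_adjacent(steps):
        for node, state in zip(NODES, nodes):
            deviations = CONTINUOUS_DEVIATIONS if state == "A" else [INACTIVE_DEVIATION]
            rows.extend((name, node, deviation) for deviation in deviations)
    return rows


if __name__ == "__main__":
    plan = worksheet_plan(STEPS)
    naive = len(STEPS) * len(NODES) * len(CONTINUOUS_DEVIATIONS)
    print(f"{len(merge_adjacent(STEPS))} step groups, {len(plan)} worksheet rows "
          f"(every deviation on every step/node pair would give {naive})")
    for a, b, differing in blocked_merges(STEPS):
        print(f"not combinable: '{a}' / '{b}' differ at {', '.join(differing)}")
```

On the page's own data no adjacent steps can be combined: the three regeneration steps share an all-active node profile, but each pair differs in valve positions, so each must be analyzed separately.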

Annex 4. Deviations for Electrical, Instrumentation and Control System HAZOP

HAZOP of electrical, instrumentation and control systems may improve the management of common mode failures that result in multiple simultaneous process deviations. Such common mode failures may affect a group of components (e.g. a failure of a single I/O card, failure of 6kV power supply, failure of a switch cabinet). Here, the HAZOP reviews how electrical and computer control systems can fail and the potential response of the system. The basic HAZOP method is similar to those above, the main changes being that the P&IDs are replaced with electrical or control loop diagrams and the guidewords differ.

Based on the types and complexity of the control systems within the scope of the HAZOP, a decision shall be made as to whether the traditional HAZOP adequately addresses control system issues or whether a control system HAZOP or other types of studies are necessary. For traditional HAZOPs, substantial knowledge of the control system is needed in order to identify potential control system induced secondary deviations in response to the original, primary deviation. Often, a traditional HAZOP can be augmented by adding a review of the loop diagrams of the control system.

The appropriate deviations need to be specified during preparation of the study. Criteria are whether the deviations yield substantial benefit in understanding hazards and risk controls, to what extent the deviations are already covered in the traditional HAZOP, or whether it might be more appropriate to use another method of risk analysis (e.g. FMEA). Suggested deviations are given below. They or their aspects might also be considered as additional deviations for process HAZOPs.

Table 8: Standard HAZOP deviation for electrical, instrumentation and control HAZOP

Deviation Typical causes

No current
Failure of Component: sensor, signal, power, connection, feedback signal, fuse or overload Plant being operated in excess of design parameters Overload settings too high Short circuit, leak to earth Wrong connections after maintenance Incorrect loop connections Faulty load shedding arrangement Reduced generator capacity Variable loading Electrical storms Voltage dip Defective contacts Distribution board component failure Control switched to manual or bypass for maintenance.

More current

Excess current protection does not work Excess current protection policy. Reverse intention received (high and low readings transposed) Defective limit switch (feedback). Defective supply device Defective transformer Defective supply device Degradation of signal

Control switched to manual, interlocks not effective

Reverse current Less current More voltage Less voltage

Initiator failure results in opposite reading Incorrect calibration of sensor

Electrical overload protection philosophy


Deviation More temperature

Typical causes
External or internal fire Fire detection and protection Cable insulation and protection Cable routing Location of equipment resistance to ambient temperature and humidity variations Reliability of heating and ventilation system Uncertainty why interlock is activated No access to pertinent process variable data Algorithms too complicated for operator to understand the relationship between variables Alarm status to interlock status not clear Spurious trip Failure to reactivate

Less temperature -

Effect of winter conditions Adjacent refrigeration plant No data or control signal passed Interlock or control device operates without control signal Probability of failure on demand (SIL calculation, proven in use data) Safe failure fraction / unsafe failure fraction Data passed at higher rate Contradicting 2oo3 signals Bypassing Card failure Transmission failure Data or control signals incomplete Data or control signals are complete but incorrect The signal arrives earlier than expected within a sequence The signal arrives later than expected within a sequence

Ice formation around electrical components Bypassing / malfunction of input Required operator intervention Adequate warning of impending activation No information if interlock has been activated No information on control loop failure

No signal / data

More data / signal Less data / signal -

Interfering signals Out of range values of interlock One component of 2oo3 fails (reconfiguration to 2oo2 or 1oo2) Switching of interlock input / outputs Spurious trip Drifting of signals -

Incomplete or wrong data / signal Data / signal before or early Data / signal arrives after or late Operator fails to act

Trip initiated below trip setpoint or trip delayed Wiring malfunctions Loose contacts Alarm flooding Response to interlock (automatic or operator) Programmed delays Missing troubleshooting instructions / training Ergonomic of alarm monitors

Not enough time for operator to evaluate alternatives Response not quick enough to achieve desired effect -

Too many alarms go off at the same time Undefined action Response to wrong signal No response Misjudgment of system state Conflicting goals / distraction Cascaded trip functions Hold points for manual intervention Verification halts Ingress of flammable atmosphere into electrical distribution room Internal damage by animal, insect, or corrosive material Loss of instrument air (total or to device only) Computer failure Set points for maximum overload condition Load shedding arrangement Electromagnetic radiation problems Maintenance isolation procedures

Alarm acknowledge without checking the reason for alarm Conflicting goals

Wrong operator action Incorrect sequence Contamination

Misreads displayed data Incorrectly times task actions Unclear procedures De-energize, fail-safe Restart clearance Equipment still operating Repetition of triggers Moisture, dust, flammable vapors, pollutants Interruption by external magnetic fields or signals Failure of electrical power to instruments. Control philosophy monitoring defects in control sensors Fail-safe philosophy Trip bypassing Procedures for modification PID controller settings Availability of spares Functional tests Loop checks Performance tests Instrument air buffers Fire protection of electronic equipment and detection systems Blind shut-down

Incorrect controller mode Capability to decide Unclear instructions Upstream / downstream hazards Unusual stress to system during trip Wiring malfunction Interference of control loops / interlocks

Utility failure Instrumentation specification

Telecommunications failure

Manual control arrangements Supervisory passwords (electronic systems) Earthing, area classification Corrosion of electrical components by internal, external or galvanic means Test of interlocks (online / offline) Reliability of control systems in the event of emergency Evacuation of control room

Maintenance

Testing, sampling Emergency operation

Calibration of analysis instrumentation Alarm testing Emergency power distribution arrangements Fire (or other emergency) Uninterruptible power, redundancies


Deviation Non-routine operations Human factor

Typical causes
Start-up and shutdown systems Software error detection Alarm priorities Control monitor design Panel layout Reset functions (per component / loop / system) Operator action for off-spec situations Restoration of program Fail to reset Delays Restart clearance Acknowledge of repeated alarms / trips Interlock operation during startup, shut-down Downloading updates Alarm acknowledge Procedures for recovering from interlock trip (time, consequence)

Annex 5. Deviations focusing process installation aspects within HAZOP

The following deviations relate to the installation part of process systems. These deviations stretch the HAZOP method from its original scope of process analysis to cover more general aspects of the system and its layout. Their recommended application is as follows:

- The application of the deviations shall be agreed and specified in the terms of reference. Some of the aspects covered by the deviations might already be covered in other analyses or might be used to develop these analyses (e.g. ignition sources are usually analyzed in an independent explosion protection analysis).
- Simple installations - i.e. where the physical arrangement of equipment equals the technology arrangement of equipment: the deviations may be applied within the same nodes as defined for the process technology part.
- Complex installations - i.e. where the equipment is physically grouped together even if it belongs to different technological subsystems (e.g. all pumps of the system in a common pumping house): it is recommended to define HAZOP nodes covering the installation part independent from the nodes of the technology part. Alternatively the aspects of these deviations might also be considered in a SWIFT study.
- Usage shall be agreed in the terms of reference.

The deviations might be used for continuous process HAZOP, batch / sequential HAZOP and procedure HAZOP.

Table 9: Additional HAZOP deviation to cover process installation aspects

Deviation Typical causes

Relief
Design basis for relief (normal/abnormal - fire, startup/shut-down conditions) Backpressure on relief valve vs. design Effect of debottleneck on relief capability Instrumentation / safety instrumented system to reduce relief load Controlling scenario for overall relief system (flare overload) Changes affecting relieving requirements (insulation removal, control valve change, new connections, etc.) Safety of atmospheric relief location (fire case, flammable liquid, plume path, dispersion modeling, flare radiation) Relief valve pressure versus maximum allowable working pressure Environmental implications (relief, flare) Frequency of relief valve use Relief composition (e.g., two phase flow) Blocked path/relief valves Restricted inlet/outlet lines Plugging / build-up in relief system (hydrates, ice, weep holes plugged, liquid build-up, loss of heat tracing, etc.) Rupture disc upstream a relief valve Leak monitoring of rupture disc upstream relief valve inlet and outlet piping Blow down tower liquid overfill Failure of organizational controls Relief for reactive chemicals Low temperature in relief system due to expanding gas Maximum liquid rate vs. design capacity Type of relief device and reliability Heat tracing Restricted thermal expansion Materials of construction Momentum on relief pipes Vibration of piping / headers Inspection / testing philosophy Redundant relief valves Isolation philosophy


Deviation Instrumentation and control

Typical causes
Control philosophy / strategy Location of instruments (remote control / field control) Fire protection Redundancies, back up Engineering station Panel arrangement and location Safety instrumented systems, SIL classification Process control, process optimization Fail safe philosophy Passive vs. active systems Auto/manual facility and human error Interlocks, forcing Instrument response time Accuracy, calibration, pulsing Data correction (temperature compensation) Bypassing instruments / emergency shut-down systems Set points of alarms and trips Permission to change set-points Time available for operator intervention Information / alarm management (overload, masking, prioritization, troubleshooting lists) Alarm and trip testing Trip/control amplifiers Defeating / acknowledging alarms Auto diagnosis functions Blocking / freezing of sensors or transmitters Failure modes (actuator, transmitter, controller) Out of range failure modes Testing philosophy safety instrumented systems Bad actor analysis Spurious trips Plausibility checks Remote services (IT) Data protection Security guards Virus protection Hazards of manual sampling (access, environment, release, personnel exposure) Sampling degradation, decomposition Transportation / storage of samples Records and feedback Stagnant/low points Failure of tank or basin liners Small bore pipe Dead ends Abandoned or out of service equipment Corrosion inhibitors Corrosion under deposit Biological induced corrosion Underground piping Coating, fire protection Failure databases Corrosion monitoring Results from equipment inspection Failure data bases

Sampling

Sampling procedures and sampling device Calibration, reliability, accuracy of representative sample Diagnosis of result and followup Testing and analysis method Cathodic protection arrangements Corrosion inhibitors Internal/external corrosion protection Possible contaminants (chlorides, H2S, water, ammonia, etc. Embrittlement (e.g. zinc, mercury) Stress corrosion cracking Flange joints Fluid velocities Erosion, abrasion Subtle composition change Passing below dew point Hydrogen content, hydrogen sulphide, chloride Purging Flushing Clearing blockages Steam out Start-up Start-up after emergency shut down Normal shutdown Emergency shutdown Emergency operations Isolation philosophy Drainage Purging Cleaning Drying Slip plates Opening lines Hot tapping Inertization Temporary clamps, plugs Installed/non-installed spare equipment Availability of spares

Purging, flushing, ventilation; Sampling points, valves and plugging; Loss of sample flow; Online vs. laboratory sampling; Sample disposal; Sample cylinder testing; Water content; Corrosion under insulation; Soil/air interfaces; Corrosion of buried equipment; Sealing; Vibration; Stress; Stress cracking corrosion; Fatigue, creeping; Injection / mixing points; Equipment operating outside acceptable limits; High temperature corrosion; Deviations from integrity operating envelopes; Thermal shock; Water hammer/surging; Recovering from emergencies; Inspection of operating machines; Guarding of machinery; Extended operations; Severe weather conditions; Turnarounds; Shift change; Off shift operations; Isolation lists; Availability of spares; Access (siting, manipulability, spacing); Rescue plan; Training, certification; Interface with operations; Control posts; Condition monitoring; Modified specifications; Storage of spares; Catalogue of spares

Corrosion / erosion

Non-routine operation

Extended shift schedules; Reduced shift personnel; Regeneration; Decoking; Filter change; Workarounds; Emergency drills; Authorization, accreditation

Maintenance

Pneumatic pressure testing; Construction QA/QC; Work permit system; Lock-out, tag-out; Lifting and manual handling; Confined space entry; Overhead lifting; Pile driving

Spare equipment

Test running of spare equipment


Deviation Leak

Typical causes
Fissures, cracks, rupture; Flanges, valves, sealing leakages; Drainage, vent, sampling; Hazard potential (toxicity, flammability, pressure, temperature, etc.); Threaded connection; Flanges make-up; Isolation philosophy; Leaking pressure safety valve; Fugitive emissions; Leak detection methods; Failed tank or basin liners; Gas detection; Static electricity, Earthing and grounding arrangement (permanent, temporary); Insulated vessels/equipment; Low conductance fluids; Splash filling of vessels; Insulated strainers and valve components; Hoses; Dust generation; Electrical equalizing current; Powder handling equipment; Exhaust vents; Deluge systems; Secondary containment; Release from secondary containment; Onsite impact (occupied buildings, utility installations domino effects); Offsite impact (community, environment, infrastructure); Video surveillance; Routine operator tours; On site leak response, external support; Lightning protection; Electrical sparks; Hot surfaces; Hot gases; Open flames; Pilot flames; Fired heaters; Exothermic reaction; Adiabatic compression; Electromagnetic waves high frequency; Electromagnetic waves spectral range; Ionizing radiation; Ultrasound; Infrared, laser; Spray systems to dilute release; Fire water run off; Effluent disposal, waste; Security arrangements; Mutual aid; Offsite emergency response; Evacuation procedures; Emergency showers / eyewash; Escape routes / equipment; Self-contained breathing apparatus; Sewer, oil recovery; Emergency operations and shutdown; Inventory reduction; Groundwater monitoring; Leakage, detection and repair programs (LDAR); Reasonable worst case scenarios; Electrical area classification concept; Flame arresters; Hot work / hot work permit; Welding, grinding; Vehicles; Use of mobile phones, cameras; Smoking ban; Mechanical sparks (gravel vs. metal); Auto ignition; Metal fires, pyrophoric; Hot equipment (product, steam); Friction (sealing, dry run)

Ignition protection

Safety / emergency response

Fire and gas detection system/alarms; Emergency shut-down arrangements; Emergency isolation arrangements; Firefighting response time; Emergency training; Contingency plans

Escape routes; Temporary refuge; Shower and eye wash; First aid, medical resource; Thresholds for exposures (toxic, radiation, noise); Testing of emergency equipment

Annex 6.

HAZOP Worksheet Template

The template indicates the main content and set-up of a HAZOP Worksheet. It may be realized in standard office software or in software specialized for recording systematic hazard analysis. The layout of the template may be adjusted as needed. However, the principal information shall be maintained.

Worksheet header:

Node: (Description of node)
System boundaries: (Description of boundaries)
Operation mode: (Description of operation mode)
Design intent: (Description of design intent incl. important parameters)
Sessions: (Cross reference to List of Session e.g. by date (ID))
Team: (Cross reference to List of Participants e.g. by name (ID))
Document inputs: (Cross reference to List of Documents e.g. by document ID)

Worksheet columns:

ID; Deviation; Causes; Consequences; Safeguards; Recommendations / Notes
