Faculty of Chemical Engineering

Ho Chi Minh City University of Technology

INTRODUCTION TO HAZOP

Từ Hoàng Hoa Trân

In collaboration with The Faculty of Chemical Engineering, Ho Chi Minh City University of Technology/Ho Chi Minh National
University

R1

2024 1
Ho Chi Minh City University of Technology
Faculty of Chemical Engineering
1. INTRODUCTION
Why Safety matters
What is HAZOP ?
Purpose of presentation

2. BASIC METHODOLOGY OF HAZARD AND OPERABILITY STUDY

(HAZOP)
2.1 HAZOP Approach to identify Hazards and Operability Problems
2.2 Terminology
2.3 Design Representation of a System (Model of System)
2.4 Deviation Guide Words
– Example of using Guide Word NO/NOT
TABLE OF 2.5 Sequence of Creating & Examining Deviations from Design Intent
2.6 Sample of HAZOP Report
2.7 When to conduct HAZOP in Project Life Cycle
CONTENTS 2.8 Benefits of HAZOP
2.9 History

3. HOW A HAZOP STUDY IS CONDUCTED

3.1 HAZOP Study Procedure
3.2 Pre HAZOP Work Session Preparation
3.3 Team Membership & Roles
3.4 HAZOP Work Session Agenda (Typical)
3.5 Success Factors in HAZOP

2024 2
Ho Chi Minh City University of Technology
Faculty of Chemical Engineering
4. USEFUL TOPICS IN LOSS CONTROL MANAGEMENT
4.1 Risk matrix
4.2 Hierarchy of hazard controls
4.3 Design Intent & Safe Operating Limits (SOL)
4.4 Other hazard identification methods: Creative Checklist Hazop,
What-IF, FMEA & FTA
4.5 Models for Causation of Loss (DNV, Reason)
4.6 Steps in managing risks – IEDIM

5. CASE STUDY (CLASS EXERCISE)

HAZOP analysis of Process Fired Heater & Atmospheric Distillation
Tower

6. REVIEW OF INCIDENTS IN OIL SAND INDUSTRY

TABLE OF Overpressure of polymer homogenizing units, Movement of discharge pipe
caused by air pocket, Upgrader fractionator fire & Equipment fell through thin ice

CONTENTS 7. REFERENCES
ATTACHMENTS

2024 3
Ho Chi Minh City University of Technology
Faculty of Chemical Engineering

• Why Safety matters

• What is HAZOP ? A tool for identifying Hazards and
1. Operability problems
INTRODUCTION • Purpose of Presentation

2024 4
1. INTRODUCTION
WHY SAFETY MATTERS

Safety matters to engineers because behind any engineering project

there’s always a human face. Not only required by law, it’s also a
matter of conscience and professionalism.

Safety is Everyone’s business.

• Work place is hazardous due to scale & complexity of process &
equipment in use.

• At one time in the past, accidents were viewed as part of risk when
signing up for a job.

• Now, all accidents are preventable. Unsafe act like that pictured at
right is now unthinkable.
• Due to human cost of accident, society expectation and
Lunch atop a skyscraper. Construction workers
legislation, it is the employer’s duty to provide a safe work
taking lunch break during construction of
environment to workers. However safety is everyone’s Rockefeller Center (New York, 1932)
responsibility.

In this presentation we’ll discuss a method commonly used in the

industry to identify potential hazards in engineering projects, called
HAZOP Study.

Faculty of Chemical Engineering

2024 5
Ho Chi Minh City University of Technology
1. INTRODUCTION (cont’d)
WHAT IS HAZOP ?
HAZOP stands for HAZARD and OPERABILITY Study.
• A structured and systematic method whose main purpose is to identify hazards and operability problems in a
Process or System, in particular those caused by design deficiency or by human error.
• Typically used to discover problems which might be overlooked in new designs, or when modifying process.
• Based on premise that hazards and operational problems occur ONLY WHEN System operates outside of its
Design Intent.
Hence, when searching for hazards, HAZOP focuses exclusively on the set of all possible ways in which a System
may deviate from design intent. We’ll come back to this important concept later on.

PURPOSE OF PRESENTATION
• To provide students with a fundamental understanding of HAZOP method to support their participation in actual
HAZOP studies in the industry.
• Key learning objectives:
- HAZOP as a tool for identifying hazards and operability problems,
- Basic methodology of HAZOP and how a HAZOP study is conducted,
- Useful concepts in Loss Control Management, and
- Review of selected actual incidents in Oil Sands industry where engineering deficiencies contributed to these
failures.
Faculty of Chemical Engineering
2024 6
Ho Chi Minh City University of Technology
 Additional Notes
How to Identify Hazards in a System ?
To protect employees as well as plant integrity, safety hazards need to be identified and mitigated. Identify and
evaluate hazardous conditions is a core foundation of all safety programs.
There are several qualitative methods which can be used to analyze a System to identify safety hazards and
their impact: HAZOP, Creative Checklist, What IFs, and FMEA (Failure Mode & Effect Analysis).
HAZOP is widely used in the chemical process industries to identify potential hazards and operability problems
in a System (process, facility, procedure, etc.) at various stages of a system’s life cycle: - final design, -
commissioning, - plant test or modification, and shutdown.
The method is especially useful when the study is carried out, 1) at final design stage so that design deficiencies
can be corrected before construction begins, and 2) when there are changes made to an existing System, e.g.
modification to existing process, equipment, procedure, etc.
A unique characteristic of HAZOP is that it is based on the concept that hazard and operability problems occur
ONLY WHEN the System operates outside a plan, design conditions or intent. Hence, in searching for potential
hazards or operability problems, we’ll just need to look at the possible ways in which a System can deviate from
its design intent. Then assess whether current system design is adequate or not to handle the unexpected
hazardous situations found in the new deviations.
In HAZOP, the search for potential hazards is narrowed down to 7 directions along which the System may
deviate from plan or design. A set of 7 Guide Words is used to prompt the study team into imagining all possible
deviating scenarios to be examined for hazards.

Faculty of Chemical Engineering

2024 7
Ho Chi Minh City University of Technology
Ho Chi Minh City University of Technology
Faculty of Chemical Engineering

2.1 HAZOP Approach to identify Hazard & Operability

problem.
2.2 Terminology
2.3 Design Representation of a System (Model of System)
2.4 Deviation Guide Words
• Example of using Guide Word NO/NOT
2.5 Sequence of Creating & Examining Deviations
2. 2.6 Sample of HAZOP Report
BASIC 2.7 When to conduct HAZOP in Project Life Cycle
2.8 Benefits of HAZOP
METHODOLOGY 2.9 History

2024 8
2.1 HAZOP APPROACH TO IDENTIFY HAZARDS AND OPERABILITY PROBLEMS
An overview of the HAZOP Study method is presented in this section.
A) Goal of HAZOP
HAZOP seeks to minimize the impact of “atypical” operating environments by ensuring adequate hazard
controls are in place to prevent them from becoming major accidents [2].
Note: "Atypical" means out of the norm (abnormal), unintended, undesirable & presumably unsafe.
More specifically, HAZOP defines “atypical" operating environments as those which "deviate" from design
intent. We’ll get to that in subsequent slides.
B) General idea
HAZOP identifies hazard/operability problems in a System by:
• Examining all "atypical" operating environments which a system may inadvertently run into, and
• Analyzing their impact to system to identify those which potentially give rise to hazards or operability
problems.
➔ In essence, Identifying hazards = Identifying those “hazardous” operating environments !
• Gaining insight into how hazardous operating environments come about helps improves design,
operating procedure and training programs. This reduces human errors also. All these improvements
prevent or mitigate accidents.

Faculty of Chemical Engineering Ho Chi Minh City

2024 9
University of Technology
2.1 HAZOP APPROACH (cont’d)
C) How HAZOP generates “atypical” operating environments
Generating “atypical” operating environments for examination is the first and important step in
HAZOP.
Process based on following foundational assumptions:
• HAZOP premise: Hazard occurs only when System deviates from its design intent. Each
instance of deviation is an “atypical” operating environment and presumably “unsafe”.
• There are 7 specific directions along which System deviates. Each direction of deviation is
labeled by a Guide word, and
• A Model of the System is used as platform from which “hypothetical” or “thought changes”
are applied to the System to make it deviate.
By simulating or imagining changes to System along the 7 directions of deviation, HAZOP
study team generates “atypical” operating environments, which may lead to hazards and
operability problems.

Faculty of Chemical Engineering

2024 10
Ho Chi Minh City University of Technology
2.1 HAZOP APPROACH (cont’d)
HAZOP PREMISE
• Hazard and operability problems are encountered ONLY WHEN System operates outside of
its design intent or normal conditions.
• Vice versa, a System operating within its design intent is Safe.
• Hence when searching for hazardous operating environments, HAZOP focusses ONLY on
environments which deviate from design intent. These are the only circumstances when
hazard and operability problem may occur.
• Operating environments deviating from design intent are called Deviations.
• "Atypical" operating environment mentioned previously is a case of Deviations.

Faculty of Chemical Engineering

2024 11
Ho Chi Minh City University of Technology
2.1 HAZOP APPROACH (cont’d)
DEVIATION & GUIDE WORDS
• There are 7 fundamental ways or directions along which a system can deviate from design
intent, generating 7 types of deviations.
• Each deviation is “labelled” after the way design intent is affected: NO, MORE, LESS, AS WELL
AS, REVERSE, PART OF, AND OTHER THAN. These 7 labels are called Guide Words.

For example,
– Deviation “MORE” is an event where greater result was accomplished than intended. An overload condition.

– Deviation “NO/NOT” is an event where design intent could not be accomplished at all. A system shutdown
event.

• Guide Words are symbolic terms to prompt us to imagine about what potential “problem”
might occur, when system deviates along the direction of guide words.
• Imagining potential problems hinted by Guide Words requires creativity, intuition, experience
as well as expertise in the subject matter. HAZOP is best conducted by a team using
unhindered brain-storming approach.

Faculty of Chemical Engineering

2024 12
Ho Chi Minh City University of Technology
2.1 HAZOP APPROACH (cont’d)
CONCEPT OF DEVIATION: WHEN A “SAFE SYSTEM” BECOMES “UNSAFE”
Presumably Hazardous
Scenarios
Presumably Hazardous
Scenarios
Deviation 3
DESIGN (LESS)
INTENT
Deviation 1 (normal plan)
=
(NO) SAFE
CONDITIONS
Deviation 7
(OTHER THAN)

HAZOP divides the operational space of a System into 2 distinct areas:

• Area within Design Intent: NORMAL & SAFE environment, and
• Deviations from, or Area outside of Design Intent: ABNORMAL and presumably Hazardous environments.
Note: System wanders away from design intent as a result of unexpected changes, internally or externally.

➔ HAZOP’s perspective: Deviations is a “harbor” for hazards to surface

Faculty of Chemical Engineering

2024 13
Ho Chi Minh City University of Technology
2.1 HAZOP APPROACH (cont’d)
USING MODEL TO IMPART CHANGES TO SYSTEM
• For a system to deviate from its normal conditions, something within the system or external to it
must have changed. This necessitates establishing a model to define parameters responsible for
system performance, and allowing us making changes to these parameters to create
“hypothetical” Deviations.
• A System is defined by the following model:
– 4 Elements: Material, Activity, Source and Destination, and
– A Design Intent: a description of where or how each element is supposed to be. Normal design or operating conditions,
or normally expected performance.
• System deviates from design intent when its elements deviate from their corresponding design
intent.
In fact, to generate “hypothetical” Deviation, we assume a system Element has deviated from its
design intent along the direction suggested by one of the Guide Words. This line of assumption
creates a new Deviation.
• The study team then investigates whether the new “Deviation” would give rise to hazards or not.
• The process continues until deviations by every Element in all direction have been completely
examined. The process is illustrated in Diagram of HAZOP Strategy (in subsequent slide).

Faculty of Chemical Engineering

2024 14
Ho Chi Minh City University of Technology
2.1 HAZOP APPROACH (cont’d)
D) HOW DOES HAZOP WORK? (Rephrasing using “Deviation” concept)
• To discover hazard & operability problems in a system, HAZOP creates and investigates all
hypothetical deviations from design intent. The aim is to identify those deviations which may
become major accidents.
• The process takes the following form of questioning:
– What would be the problem if a particular deviation occurs ? (Generate hypothetical Deviation or incident)
– How did System end up there? How did it happen? (Analyze Cause of incident),
– Can this give rise to hazard? (Assess Consequence due to Causes), and
– Can current design cope with such event? (Assess Safeguards: hazard controls and safety system).
• Creating and investigating Deviations is central to HAZOP study because only through
analyzing all realistic deviations can we completely discover deficiencies with current System
design.
• HAZOP strategy is illustrated in next slide.

Faculty of Chemical Engineering

2024 15
Ho Chi Minh City University of Technology
2.1 HAZOP APPROACH (cont’d)
DIAGRAM OF HAZOP STRATEGY - (1) Atypical = deviating from design intent, abnormal

1) MODELLING OF SYSTEM 2) IDENTIFICATION/

(DESIGN REPRESENTATION) ASSESSMENT OF “ATYPICAL(1)” 3) REPORTING
HAZARDOUS SITUATIONS

SYSTEM • “Push” system

• 4 Elements: • Document findings
material, activity, outside of its normal
Real condition (or design (hazards, operability
source & intent) problems,
life destination
• What hazard can deficiencies,
• Design intent arise? recommendation)

HAZOP Study essentially boils down to following ideas:

• Imagine all possible ways in which a System can deviate from its Design Intent,
• Then determine which of these Deviations give rise to hazards, and
• Then determine whether or not original System Design is adequate to handle unexpected hazards &
operability problems found in Deviations.

Faculty of Chemical Engineering

2024 16
Ho Chi Minh City University of Technology
 Additional Notes
Using Model to impart changes to System to study their effects – reflection
Introducing hypothetical but meaningful changes to system baseline is a powerful technique to judge the
robustness of the system, and to discover its weakness. It is very much like taking the current system
design to new territories for a stress test.
HAZOP essentially is a Potential Problem Analysis method, in the sense that both methods aim to
envisage ALL the particular circumstances (beyond Design Intent) which could negatively affect the
System.
In HAZOP this effort is facilitated by the use of Guide Words, which stimulate the imagination of deviation
scenarios in a structured fashion.
Creating and examining deviations remains the most important step of HAZOP.

Faculty of Chemical Engineering

2024 17
Ho Chi Minh City University of Technology
2.2 TERMINOLOGY
Terms Meaning
Hazard (or Source of harm.
Safety Hazards) Abnormal Situation or Upset condition which could cause fire, explosion, release of toxic material, or
harm people or environment.

Operability Abnormal Situation or Upset Condition which could lead to down time, production
Problems loss, off-spec product or violation of health, safety & environmental regulation.
Operability problems needs to be managed as, in presence of human errors, they
can turn into safety hazards.

Design Intent Normal operating envelop specified by Designer for a particular System. Safe operating zone.
Expected performance of a System. When conforming to design intent, System is safe.

Deviation An operation or scenario which falls outside of Design Intent boundary.

Hazard or operability problem expected to occur when System deviates from design intent !

Guide Words 7 Symbolic labels or Keywords to denote different manners in which a System can deviate from its
Design Intent.
Denote the different ways design intent is affected by Deviation

2024 Faculty of Chemical Engineering 18

Ho Chi Minh City University of Technology
2.2 TERMINOLOGY(cont’d)

Terms Meaning
System Main subject of a HAZOP study: Plant, Process, Facility, Procedure, Software, etc.

System Elements Components of a System. Describe and define System:

– Material, Activity, Source and Destination.
Guide Words are applied to Elements to generate Deviations.

Process Parameters Relevant process variables defining the condition of the process under examination.
(characteristic of Like Elements (but easier to quantify and relate to), Parameters define the process,
Elements) and are combined with Guide Words to generate Deviations.

Study Node/ A sub-section of System, logically selected and delimited to:

Process Section 1) Reduce its complexity,
2) Reflect physical/logical separation between section/equipment, and
3) Facilitate the examination of hazard and operability problem within it. Example: Furnace,
Distillation tower, Pump trains, …
Note: Should ensure Design Intent is complete and meaningful within a sub-section.

Faculty of Chemical Engineering

2024 19
Ho Chi Minh City University of Technology
2.2 TERMINOLOGY(cont’d)

Terms Meaning
Cause Reason(s) why Deviation from Design Intent occurs. A Deviation can have many Causes.
4 Types of Causes:
• Equipment Failure,
• Human Error,
• Unexpected Process Changes, and
• External disruption from outside of System.

Consequence Result or Impact to the System due to Causes. A Cause can have many Consequences.

Safeguard Facilities and measures designed to reduce frequency of Deviation, or to reduce Consequence of
Deviation.
5 types of Safeguards (please see further below)
Action/ Post HAZOP action item to address Deviation for which Safeguards are found inadequate.
Recommendation Example: to change design, operating procedure, training program, control logic.

Accident Event that results in unintended harm or damage. Usually result of a contact with a source of energy
or substance above threshold limit of body or structure.
Loss
Result of accident.
Safety The control of accidental loss.

Faculty of Chemical Engineering

2024 20
Ho Chi Minh City University of Technology
2.3 DESIGN REPRESENTATION OF A SYSTEM (MODEL OF SYSTEM)
• Design Representation is a Model of the System that HAZOP uses to create atypical scenarios deviating
from design intent.
Such a model was shown in slide 17, Diagram of HAZOP Strategy.
• HAZOP calls this particular model, Design Representation of a System, to underline the fact that model
includes only elements which are relevant to the design & operational aspect of the System.
Business, legal, financial, or HR aspects, for example, are not represented in model.
• Design Representation contains a complete description of a System under study, including parts and
elements making up the system, their functions and the design intent.
There are two important definitions embedded in Design Representation:
– Definition of the attributes (parts, components) making up a System: “Elements”, or “Process parameters”,
and
– Definition of their normal conditions: “Design Intent”.
• Accurate information about Design Representation is important in HAZOP analysis because
Elements/Process Parameters and Design Intent form the baseline from which Deviation scenarios will be
created and examined.
• There are 2 equivalent ways to define a System, by Elements and by Process Parameters. Guide Words
used in each representation are worded differently, and the interpretation of deviations are also slightly
different.

Faculty of Chemical Engineering

2024 21
Ho Chi Minh City University of Technology
2.3 DESIGN REPRESENTATION OF A SYSTEM (cont’d)
1) TRADITIONAL DESIGN REPRESENTATION (for Generic HAZOP):
A System is defined by 4 ELEMENTS & a DESIGN INTENT
1. Material: What enters and exits the System, e.g. crude oil, 1.MATERIAL
H2S, water, … 3. SOURCE 4.DESTINATION
2. Activity: Role or Function carried out by System, e.g. pumping, 2. ACTIVITY
heating, cooling, mixing, …
3. Source: Where material enters System, e.g. Inlet, Upstream +
equipment…,
DESIGN INTENT
4. Destination: Where material exits System, e.g. downstream
vessel,… and
Design Intent: Performance System is expected to deliver Traditional design representation

2) DESIGN REPRESENTATION BY PROCESS PARAMETERS (for Process HAZOP):

When System under study is a plant or process, it is more practical to describe the System by PROCESS PARAMETERS (*),
which are relevant to its operation. For example, Elements of System can be described by following process variables:
- Pressure, Flow, Temperature, Rate of pumping, heating or mixing, etc.

(*): Process parameters are, by definition, “characteristics” of Elements.

➢Both representations are equivalent in terms of identifying hazards. Depending on application, select Method which allows us
to connect Deviation to real life issues more easily & intuitively. Relationship between the 2 representations will be presented
later on.
Faculty of Chemical Engineering
2024 22
Ho Chi Minh City University of Technology
2.3 DESIGN REPRESENTATION OF A SYSTEM (cont’d)
• Below are typical Process Parameters used in HAZOP analysis.

Flow pH Transfer

Temperature Particle Size Grinding

Pressure Speed Start/Stop

Level Mixing/Blending Heating/Cooling

Composition Addition Maintenance

• Design Representation is worth noting as Guide Words are applied to elements defining the System to
generate potential Deviations.
• Although 2 Design Representations are equivalent, Deviations in each representation are worded differently,
and their meaning requires slightly different interpretation.
• Meaning of Deviations in Traditional and Process Parameter-based representations are discussed in sub-
section 2.4

Faculty of Chemical Engineering

2024 23
Ho Chi Minh City University of Technology
2.3 DESIGN REPRESENTATION OF A SYSTEM BY “PROCESS PARAMETERS” (cont’d)

RELATIONSHIP BETWEEN “ELEMENTS” AND “PROCESS PARAMETERS”

Corresponding Process Parameters & meanings

Elements
(Note: Process Parameters = Characteristics of the Elements)
Physical condition: Flow, Pressure, Temperature, Level, Frequency, Speed, …
Material Property condition: Composition, Purity, PSD (particle size distribution),
Viscosity, pH, etc.
Pump, Transfer, Fill, Drain, Convey, Grind
Heating, Cooling, Mixing
Activity Reaction rate, Status (runaway, stopped), Phase
Commissioning, Decommissioning, Start-Up, Shutdown, Field Trial, Maintenance, Service,
Communication, Control, Measure,
Status of Isolation sub-system or Upstream Unit.
Source Example: NO Source = Isolation device Close or Upstream Unit S/D

Loss of containment, e.g. MORE Destination

Destination Status of Downstream Unit, e.g. NO Destination = Unit S/D.

Faculty of Chemical Engineering

2024 24
Ho Chi Minh City University of Technology
 Additional Notes
How do we define a System in HAZOP ?
To support the requirement* of HAZOP analysis, a System is represented by the diagram above,
called design representation of a system.
It describes the System’s structure (what the system is made of), its pathway, function and design
intent (performance it’s supposed to deliver).
Design intent is an important aspect of a System, and should be well defined and understood
because it forms the baseline from which deviations are to be created and examined. As already
mentioned, in HAZOP there are 2 ways to describe a System:
1. By System Elements (4): material, activity, source and destination as shown in diagram above,
OR alternatively,
2. By Process Parameters which describe relevant aspects of Material, Activity, Source or
Destination.
In IEC 61882 (International Electrotechnical Commission) Standard, Process Parameters are
called “characteristics” of System’s Elements.
“Characteristics” means a property, measurement or attribute describing or characterizing a
System Element that is relevant or useful to the purpose of HAZOP analysis.

(*) HAZOP analysis requirement: to generate & examine deviation scenarios.

Faculty of Chemical Engineering

2024 25
Ho Chi Minh City University of Technology
2.3 DESIGN REPRESENTATION OF A SYSTEM (cont’d)
DESIGN INTENT OR INTENTION - Definition
• Normal Operating Envelope of a System specified by Designer.
– Expected performance to be achieved by System, e.g. production, quality, efficiency,…
– Design intent for Material, Activity, Source and Destination specified as part of System Design Representation.
– When Design Intent is achieved, System’s Business Goals & Requirements are also met.
• No Hazard nor Operability Problem is expected when SYSTEM operates at DESIGN INTENT
conditions.
– Vice versa, Hazard and Operability Problems occur ONLY WHEN System departs from Design Intent condition.
• Important to quantify DESIGN INTENT as specifically as possible because it forms the baseline from
which possible Deviations will be examined.
– For MATERIAL/ACTIVITY, it is useful to express DESIGN INTENT in term of associated Process Parameters,
which are easier to quantify,
– Example wording of a Design Intent, all 4 system elements specified: Transfer 5000 m3/h of Light Crude Oil (10
API, 20C) from Tank TK-1 to Furnace F-2

Faculty of Chemical Engineering

2024 26
Ho Chi Minh City University of Technology
2.3 DESIGN REPRESENTATION OF SYSTEM (cont’d)

Where to obtain Engineering/Technical Information about Design Representation of a System

– P&ID (Piping & Instrumentation Diagram). This is the Main working drawing during HAZOP study.

Other supporting documents:

– PFD (Process Flow Diagram), Heat & Mass Balance.
– Piping & Equipment Lay-Out drawing, Line Designation Table.
– Operating Procedure, Control Narrative, Cause & Effect Diagram (Safety control system).
– (Material) Safety Data Sheet, Equipment Data Sheet

Faculty of Chemical Engineering

2024 27
Ho Chi Minh City University of Technology
2.4 DEVIATION GUIDE WORDS
INTRODUCTION
• Developing meaningful scenarios which deviate from the Design Intent is a key component of HAZOP
analysis because these are the only circumstances when hazard and operability problems may occur. The
deviating scenarios are called DEVIATIONS.

• A System deviates from its Design Intent when:

– Its Elements, such as Material , Activity , Source or Destination, OR
– Its Process Parameters, e.g. Pressure, Temperature, Flow, etc. deviates from the design/process intention .

• To guide and facilitate the imagination of all possible deviations from design intent, a set of short, annotated
“Keywords” was created to symbolize the different ways in which the System may deviate. These “Keywords”
are called “Deviation Guide Words”, or “Guide Words” for short.

• There are 7 Basic Guide Words: NO/NOT, MORE, LESS, AS WELL AS, PART OF, REVERSE AND OTHER THAN.
Each Guide Word represents a distinct way of departure from the design intent that an Element or a Process
Parameter may experience. Its purpose is to prompt the imagination about potential deviations in that
direction of departure. The set of Guide Words were designed to capture all conceivable deviations.

Faculty of Chemical Engineering

2024 28
Ho Chi Minh City University of Technology
2.4 DEVIATION GUIDE WORDS (cont’d)
Set of HAZOP Guide Words and their meanings
• Basic Guide Words and their generic meaning are shown below (from IEC 61882).
• In the table, Guide Words are shown applied to Design Intent. In reality, they also apply to
System Elements and Process Parameters.
• Deviations are “created” by combining Guide Words with relevant System Elements or
Process Parameters.

Faculty of Chemical Engineering

2024 29
Ho Chi Minh City University of Technology
2.4 DEVIATION GUIDE WORDS – Traditional Design Representation(cont’d)
A) DEVIATION GUIDE WORDS & MEANINGS IN TRADITIONAL DESIGN REPRESENTATION (SYSTEM ELEMENTS)
7 Basic Deviation Guide Words and their meanings as applied to Design Intent/ Material/ Activity/ Source/ Destination.

Deviation Guide Meaning of Design Meaning of Deviations in terms of Material, Activity,

Type Words Intent Deviation Source or Destination (as logically as possible) –
Underlying connotation: “What is the Issue?”
NO Design intent is not No material, activity, source or destination was present when
achieved there should be.
Negative
Example of Issues: System shuts down

MORE Quantitative increase More material, activity, source or destination was achieved
above design intent than should be.
Example of Issues: Pipe leaks (MORE Material/ Destination)

Quantitative
modification LESS Quantitative decrease Less material, activity, source or destination achieved than
below design intent should be.
Example of Issues: Lower pumping rate caused by restriction
in pipeline

Faculty of Chemical Engineering

2024 30
Ho Chi Minh City University of Technology
2.4 DEVIATION GUIDE WORDS – Traditional Design Representation(cont’d)
A) DEVIATION GUIDE WORDS & MEANINGS IN TRADITIONAL DESIGN REPRESENTATION (SYSTEM ELEMENTS) (cont’d)

Deviation Guide Meaning of Design Intent Meaning of Deviations in terms of Material, Activity,
Type Words Deviation Source or Destination (as logically as possible) –
Underlying connotation: “What is the Issue?”
AS WELL AS Design intent is achieved, but Achieving design intent, but also encountering additional &
an additional activity also unexpected “side effects”.
occurs Example of Issues: Foaming occurs when using new polymer
Qualitative
modification PART OF Only Part of Design intent is Some material missing. Reduction in capacity. Restriction in
achieved upstream/downstream unit.
Example of Issues: Fractionator produces on-spec Naphtha,
but Kero is off-spec.
REVERSE Logical Opposite of design Reverse flow direction. Reverse reaction.
intent occurs Example of Issues: Flow reverses when pump in parallel
configuration shuts off & check valve fails to close.
Substitution
OTHER Complete substitution of Desired activity NOT achieved, but something else
THAN design intent. happened unexpectedly. Another activity was taking place.
Example of Issues: Pump material to a wrong tank.

Faculty of Chemical Engineering

2024 31
Ho Chi Minh City University of Technology
2.4 DEVIATION GUIDE WORDS – Traditional Design Representation (cont’d)
B) DEVIATION GUIDE WORDS FOR BATCH PROCESS
- Order or Sequence, Time and Rate of Change.

Deviation Type Guide Words Meaning of Deviation in process industries (Batch process) –
Underlying connotation: “What is the Issue?”
BEFORE A step or phase in a batch process happens too early in a sequence.

Order or
Sequence AFTER A step or phase in a batch process happens too late in a sequence.

EARLY A step or phase in a batch process happens early relative to clock time.

Time
LATE A step or phase in a batch process happens early relative to clock time.

Rate of Change FASTER/ Rate of Change of an Event is not meeting Design Intent, e.g. Reduction in
SLOWER monthly car sales puts stress on parking space at small dealerships.

Faculty of Chemical Engineering

2024 32
Ho Chi Minh City University of Technology
2.4 DEVIATION GUIDE WORDS – Representation by Process Parameters (cont’d)
C) DEVIATION GUIDE WORDS FOR PROCESS PARAMETERS

Parameters Relevant Guide Deviation Example of real life incident

Words
NO No Flow Line blockage, System S/D.

MORE More Flow Too many pumps on-line. Pipe split.

Flow
LESS Less Flow Pump wear. Increase in pipe friction (fouling).

REVERSE Reverse Flow Check valve failure (pumps in parallel).

MORE Higher Pressure Pump dead-head. Tank vent plugged.

Pressure LESS Less Pressure Pipeline leaks. Tank vent plugged.

Faculty of Chemical Engineering

2024 33
Ho Chi Minh City University of Technology
2.4 DEVIATION GUIDE WORDS – Representation by Process Parameters (cont’d)

C) DEVIATION GUIDE WORDS FOR PROCESS PARAMETERS (cont’d)

Parameters Relevant Guide Deviation Example of real life incident
Words
MORE High Temp Reaction runaway, cooling system failure.

Temperature LESS Low Temp Line Freezing.

MORE High Viscosity Incorrect Blending ratio or Blending

temperature.
Viscosity LESS Low Viscosity Same as above.

MORE Composition Change Under dilution.

PART OF Composition Change Over dilution.

Composition
OTHER THAN Contamination

Faculty of Chemical Engineering

2024 34
Ho Chi Minh City University of Technology
2.4 DEVIATION GUIDE WORDS – Representation by Process Parameters (cont’d)
Matrix of meaningful HAZOP Deviations based on Process Parameters – Adapted from Sea Jay Engineering
Service Ltd/Suncor Energy Inc.

Parameters No More Less As Well As Part Of Reverse Other Than

Flow No Flow High Flow Low Flow Misdirection Missing Flow Wrong Material
Material Reversal
Pressure Open to atm High Pres Low Pres Vacuum

Temperature Line Freezing High Temp Low Temp

Level Empty High level Low level

Composition increase decrease

Viscosity High Visc Low Visc

Reaction No Reaction Excessive Insufficient Secondary Incomplete Inverse Different Reaction

reaction Reaction
Mixing No Mixing Excessive Insufficient Foaming Incomplete Settling
(Fish eyes)

Faculty of Chemical Engineering

2024 35
Ho Chi Minh City University of Technology
2.4 EXAMPLE OF USING GUIDE WORD “NO/NOT” IN FIRED HEATER ANALYSIS

In 1st analysis, fire heater will be represented by System Elements.

In 2nd analysis, it will be represented by Process Parameters.
In both analyses the same risks were identified as would be expected.
• The intent of Guide Word “NO/NOT” is to prompt our imagination about situation where Design
Intent is NOT achieved.
• This is the most serious Deviation as “NO/NOT” generally implies a process or equipment
shutdown.
• We’ll use the example of a Crude Oil Furnace F-1 (next slide) to illustrate the application of
NO/NOT to Elements and to Process Parameters of this equipment.
• Two situations suggested by Guide Word “NO/NOT” are:
– F-1 is Shut Down unexpectedly. This scenario is discussed here,
OR
– F-1 is under Maintenance. For that case, the study intent may focus on identifying hazards specific to maintenance
activities. This case is NOT covered here.
• The application of NO/NOT identifies several interesting causes which lead to F -1 shutdown.
Successful analysis depends on our ability to creatively link Guide Word deviations to furnace unit
operation.
Faculty of Chemical Engineering
2024 36
Ho Chi Minh City University of Technology
2.4 EXAMPLE OF USING GUIDE WORD “NO/NOT” IN FIRED HEATER ANALYSIS (cont’d)
NODE 2
NODE 1 PC
TI 1
To Fuel
7
Ga s
TI Sys tem
E-3
11 LC
O D-2 1
FC
1 2 TI
20 D-2
TI
6 Naphtha
TI TI TI
1 2 3 G-2 G-3
Tank TI
Farm 12
LC
2 TI
D-1A to G G-1A/B T-3 21
D-3

E-1
E-1 E-2
FC Kero
TI 1
TI 4 TI
13 LC Kero Cooler
8
3
TI
F-1 TC 22 D-4

E-2
Ambient Air 5
K-2 Gas Oil
T-2
GO Cooler
TI FC TI PC
9 Air Pre- 2 10 55
K-1 Title DANANG REFINERY EXPANSION PROJECT
Heater
PHASE 1 - CRUDE DISTILLATION COMPLEX #2
Drawing PD20-A-1-1
Refinery Fuel Gas
System Rev No 1 Date: 2019-06-30
Drawn by: THHT Eng. By: THHT
Appr. By: DKH
Filename: Hazop Work sheet - Case Studies

2024
Faculty of Chemical Engineering
37
Ho Chi Minh City University of Technology
2.4 EXAMPLE OF USING GUIDE WORD “NO/NOT” IN FIRED HEATER ANALYSIS (cont’d)
Analysis 1 - Results from applying “NO/NOT” to Fire Heater’s System Elements

Deviation – Issue Potential Causes

“NO/NOT” applied to System (What is the problem?)
Element

NO Material (Crude Oil) NO Crude Oil Feed to F-1 Tank Farm Shutdown (e.g. Low inventory)
Upstream valve close
Crude pump failure
Crude distillation tower shut down
NO Material (Air) NO Combustion Air FD fan failure

NO Material (Fuel Gas) NO Fuel Gas Shut down of Refinery Fuel Gas system

NO Activity NO Heating taking place NO Combustion Air (already identified)

(occurs on Crude Oil stream) NO Fuel Gas (already identified)
NO Source NO feed to F-1 Tank Farm Shutdown (e.g. Low inventory)
Upstream valve close
Crude pump failure
NO Destination NO Destination Crude Distillation tower shut down

Faculty of Chemical Engineering

2024 38
Ho Chi Minh City University of Technology
2.4 EXAMPLE OF USING GUIDE WORD “NO/NOT” IN FIRED HEATER ANALYSIS (cont’d)
Analysis 2 - Results from applying “NO/NOT” to Fire Heater’s Process Parameters

Deviation – Issue Potential Causes

“No/Not” applied to Process (What is the problem?)
Parameter
NO Flow/Pressure (crude oil NO Crude Oil feed to F-1 Tank Farm shutdown (e.g. Low inventory)
stream) Upstream valve close
Crude pump failure
Crude Distillation tower shutdown

NO Flow/Pressure (combustion NO Combustion Air FD fan failure

air stream)
NO Flow/Pressure (fuel gas NO Fuel Gas Shut down of Refinery Fuel Gas system
stream)
NO Temperature Change (crude No Heating taking place NO Combustion Air (already identified)
oil stream) NO Fuel Gas (already identified)

Faculty of Chemical Engineering

2024 39
Ho Chi Minh City University of Technology
2.5 SEQUENCE OF CREATING & EXAMINING DEVIATIONS
(Deviation, Cause, Consequence, Safeguards & Recommendations)
DEVIATION EXAMINATION PROCESS

• Creating & Examining Deviation Step is where the search for hazard actually takes place.

• It takes experience & imagination to connect a hypothetical deviation to a real abnormal, hazardous
event.

• Deviations from Design Intent are generated by applying each Guide Word to each System Element
(M, A, S & D) or to each Process Parameter.

• Typical interpretation of deviations made from combinations of (Guide Word + Element) and (Guide
Word + Process Parameters) were illustrated in previous slides. Not all combinations are meaningful
deviations.

• A same safety hazard may be found in different Deviations.

• After a Deviation is generated, the Cause of such Deviation is assessed.

– If Cause is NOT likely to occur, Deviation is “Not Credible” and is ignored, Next Deviation is considered.
– If Cause is likely to occur, Deviation is a “Credible” undesirable event and the assessment continues.

Faculty of Chemical Engineering

2024 40
Ho Chi Minh City University of Technology
2.5 SEQUENCE OF CREATING & EXAMINING DEVIATIONS (cont’d)
(Deviation, Cause, Consequence, Safeguards & Recommendations)

DEVIATION EXAMINATION PROCESS (cont’d)

• Potential Hazard or Operability Problems which could result from these Causes are then assessed.
– If Consequence is Not significant, e.g. Low Risk Rank, no further examination is needed.
– If Consequence is significant, effectiveness of Safeguards in detecting, preventing or mitigating Deviation is
then evaluated.
• If Safeguard is adequate, hazard or operability problem is adequately resolved by current System
Design & no further action needs to be taken.
• If Safeguard is NOT adequate, additional Recommendation or follow-up Action is recorded to seek
future resolution of the identified Hazard or Operability problems.
• After examination of a Deviation is complete, the next Deviation is examined and assessed until all
possible Deviations are completely examined.

Faculty of Chemical Engineering

2024 41
Ho Chi Minh City University of Technology
2.5 SEQUENCE OF CREATING & EXAMINING DEVIATIONS (FLOWCHART)
START

1) Select a Study Node

2) Select Parameter

3) Apply Relevant Guide Word to

Parameter to Generate Deviation

Is CAUSE Y
To cause
Y Is N Record
Significant Hazard or
Likely or Operability
SafeGuard Action/
Credible ? problem ? Adequate ? Recommendation

N N Y
Select Next Relevant Guide Word (for Same Parameter) & Go to Step 3
If all Guide Words are examined, Select Next Parameter & Go To Step 2
If All Parameters are examined, Select Next NODE & Go To Step 1
When All NODES are examined, Examination is complete.
Prepare Study Report Faculty of Chemical Engineering
2024 42
Ho Chi Minh City University of Technology
2.5 SEQUENCE OF CREATING & EXAMINING DEVIATIONS (cont’d)
(Deviation, Cause, Consequence, Safeguards & Recommendations)
Categories (Types) of Safeguards

There are 5 types of Safeguards:

1. Detect Deviation, e.g. Alarm system,

2. Counter-act or Compensate for Deviation, e.g. Automatic Process Control
3. Prevent Deviation from happening through Safe design, e.g.
– installation of physical barrier,
– use diesel as fuel instead gasoline,
– Tank venting
4. Prevent further escalation of the effect of Deviation, e.g. Equipment Trip logic,
5. Relieve System from hazardous condition, e.g. installation of,
– PSV,
– Flaring,
– Tank overflow line

Faculty of Chemical Engineering

2024 43
Ho Chi Minh City University of Technology
2.6 SAMPLE OF HAZOP REPORT
• Examination & deliberation made during the assessment of Deviation, Hazards and Operability
Problems are captured on standard HAZOP study Report.

• Below is a HAZOP Report built in EXCEL → HAZOP Work Sheet

Project Title Date

Hazop type Parametric
Node No. Node Description
Line/Part Considered
Material Source
Design Intent
Activity Destination

MITIGATING RECOMMENDATIONS
MEASURES
ELEMENT/ DEVIATION (Additional safeguards
SITUATION REC / ACTION
ITEM

GUIDE WORD PROCESS (WHAT'S THE CONSEQUENCE (SAFEGUARDS IN or actions required to

(CAUSE) OWNER
PLACE AND be implemented to
PARAMETER ISSUE ?) SAFEGUARD reduce Residual Risk
CATEGORIES) to acceptable level)

1
2
3

Adapted from a Canadian Oil Sand Company

Faculty of Chemical Engineering

2024 44
Ho Chi Minh City University of Technology
2.7 WHEN TO APPLY HAZOP IN PROJECT LIFE CYCLE
HAZOP requires complete and accurate System Representation information to successfully identify all
Hazards and Operability problems.

This analysis is best applied at the following project stages:

1. End of Detail Design Stage. Most HAZOP studies in industry are completed at this stage.
- Best opportunity to carry out HAZOP study because Design is complete, Information and Drawings are available, and
Recommendation (for example, design change or addition of new ideas) can be implemented at lower cost than if Construction
had already begun.

2. Pre-Commissioning or Pre-Start Up Stage.

- As System Design was already Hazoped, Operational Readiness & Troubleshooting preparedness is the main objective of this
HAZOP.
- Main focus of HAZOP would include topics such as, Operational & Safety Procedures, Training, Control Narrative, Safety System
operation and specific Hazards occurring only when S/U or S/D equipment.

3. Pre-Decommissioning or Disposal of Asset.

- Topics to Hazop include New hazards specific to the work activity, but which are not normally present during normal operation.

Note: *** HAZOP is NOT suitable at Conceptual Design Stage because of the lack of complete and
accurate System Representation information.
- What-IF Analysis, Potential Problem Analysis is more suitable.

Faculty of Chemical Engineering

2024 45
Ho Chi Minh City University of Technology
2.8 BENEFITS OF HAZOP

• Identification and Awareness of potential Hazards and Operability problems before they occur.
• Collaboration between System Designer, Technical and Operating groups in developing solution.
• Valuable source of documentation of technical & operational deficiencies & improvement ideas.
• HAZOP Report is a valuable reference in training new employees, making design improvement and in
incident investigation.
• Help cultivate Safety Culture at work

Faculty of Chemical Engineering

2024 46
Ho Chi Minh City University of Technology
2.9 HISTORY

• 1963. Started as ICI Critical Examination Process, looking for “Alternatives” to the current process or
“status quo”. Evolved into looking for “Deviations” from Original Design Intent.
• 7 Deviation Guide Words originally devised for Critical Examination Process were later adopted in
HAZOP.
• 1977. First HAZOP publication: A Guide To Hazard & Operability Studies, ICI & Chemical Industries
Association.
• Traditionally HAZOP was intended for detecting deficiency at detail design stage of engineering
projects in process industries
• Method now extends to other disciplines & industries, as well as at various stages of project
implementation: detail engineering, construction, startup/commissioning, re-validation and
decommissioning.
• Standard for conducting a HAZOP study fully documented in IEC 61882 - HAZOP Application Guide

2024 Faculty of Chemical Engineering 47

Ho Chi Minh City University of Technology
Ho Chi Minh City University of Technology
Faculty of Chemical Engineering

3.1 HAZOP Study Procedure

3.
3.2 Pre-HAZOP Work Session Preparation
HOW HAZOP 3.3 Team Membership and Roles
STUDY IS 3.4 HAZOP Work Session Agenda
CONDUCTED 3.5 HAZOP Success Factors

2024 48
3.1 HAZOP STUDY PROCEDURE

HAZOP Study Procedure: 4 steps

Step 1. Definition of scope of study, team membership, roles & responsibilities.

Step 2. Preparation.

Step 3. Examination (most important step in HAZOP study).

➢ Generate Deviations from Design Intent
➢ Examine likelihood/frequency of Cause
➢ Assess severity of Consequence
➢ Evaluate Safeguard, and
➢ Document further Action/Recommendation

Step 4. Documentation & Follow-up.

Faculty of Chemical Engineering

2024 49
Ho Chi Minh City University of Technology
HAZOP STUDY PROCEDURE

(from BS IEC 61882-2001 Hazop

Studies – Application Guide)

Faculty of Chemical Engineering Ho Chi Minh City

2024 50
University of Technology
3.2 PRE HAZOP WORK SESSION PREPARATION

1. Prepare Scope of HAZOP Study, HAZOP Approach & Node selection (Facilitator + Project Lead)
2. Build HAZOP Study Team (Facilitator + Project Lead)
3. Distribute Project & Design Engineering document/drawings to participants for review (Project Lead +
Facilitator)
4. Arrange Work Session Logistics, e.g. meeting location & invitation (Project Lead)

2024
Faculty of Chemical Engineering 51
Ho Chi Minh City University of Technology
3.3 TEAM MEMBERSHIP & ROLES
HAZOP study is a multi-disciplinary, team based effort, relying on technical and operational expertise of
members under guidance of a facilitator skilled with HAZOP examination technique.

Project Lead selects members of the study team with inputs from HAZOP facilitator.
• Team size: 4 – 8. Too large may slow down process

1. HAZOP Facilitator: Prepare & Lead Study

2. HAZOP Recorder: Take notes of discussion
3. Project Lead: Provide project & engineering inputs
4. System Designer: Provide engineering inputs
5. Discipline Engineers: Provide inputs in their field of expertise
– Process
– Reliability
– Instrumentation and Control
6. Operations Representative: Provide inputs about plant operation
7. Environment, Health and Safety (EHS) representative: Provide EHS inputs.
8. Subject Matter Expert (as required): vendor or equipment specialist, providing specialized expertise.

2024 Faculty of Chemical Engineering 52

Ho Chi Minh City University of Technology
3.4 HAZOP WORK SESSION AGENDA (TYPICAL)

1. Present participants & Request signing off attendance list.

2. Explain Overall Description of system or process to be analyzed.
3. Explain Study Scope & HAZOP Guide Word approach (emphasizing on identification of safety hazard
and operability problem BUT not solving them).
4. Select a Study node or logical Plant section & Start the Examination process
- Examine the most major stream first.
- Generate & Analyze all Deviations
- Record discussion: Cause, Consequence, Safeguard & Recommendation.
- Continue examination of next stream in node until all streams are examined
5. After completing Line-by-Line analysis of a study node, continue the analysis on the next node until all
nodes are analyzed.
6. Perform an OVERVIEW analysis, examining deviation in the overall operation, start-up, shutdown and
maintenance of system as interaction between nodes can create hazard or operability problems.
7. Prepare HAZOP report and forward to participants

Faculty of Chemical Engineering

2024 53
Ho Chi Minh City University of Technology
3.5 HAZOP SUCCESS FACTORS

• Implementation of Recommendations is one of the most important accomplishment in HAZOP study.

A Management Of Change (MOC) System needs to be in place to ensure that all

Recommendations are acted upon and completed before System is brought on-line.

• Availability of complete and accurate drawings, design information and technical data.
• Relevant Technical expertise, Operating experience and Insight of participants
• Familiarity with HAZOP technique.
• Team’s creativity in the use of guide words for identifying hazards or operability problems.
• Facilitator’s skills in leading/coaching Study team in applying HAZOP technique
• Focus on hazard identification and not on developing solution.
• Good judgement and sense of proportion when assessing hazards (likelihood and severity).

Faculty of Chemical Engineering

2024 54
Ho Chi Minh City University of Technology
University of Technology
Faculty of Chemical Engineering Ho Chi Minh City

4.1 Risk Ranking Matrix

4.
4.2 Design Intent vs Safe Operating Limit
USEFUL
4.3 Hierarchy of Controls
CONCEPTS IN 4.4 Other Hazard Indentification Methods
LOSS CONTROL 4.5 Models for Causation of Loss
MANAGEMENT 4.6 Steps in Managing Risks

2024 55
4.1 RISK RANKING MATRIX
• Assign a criticality level to a “RISK” to ensure
accountability and urgency for resolution is assigned
to proper level of authority in an organization.
• Rule for Risk Matrix is specific to each organization

---- Increasing Likelihood --

L6 III II I I I I
– R I = highest level of risk to an organization.

Likelihood Category
L5 III III II I I I
Accountability = most senior leader in organization
L4 IV III III II I I
– R III = intermediate level. Accountability = Front line

-->
leader, technical staff L3 IV IV III III II I

– R IV = lowest level. Usually for awareness purpose only. L2 IV IV IV III III II

• R number is based on: L1 IV IV IV IV III III
– Severity of Consequence: C1 = least serious, C6 = most C1 C2 C3 C4 C5 C6
serious.
Consequence Category
➢ Consequence of a risk is further evaluated
depending on types of impacts: Social, ---------- Increasing consequence ------------>
Environmental & Economic,
– Likelihood or Frequency of occurrence: L1= least likely,
L6 = most likely Adapted from a Canadian Oil Sand Company

Faculty of Chemical Engineering

2024 56
Ho Chi Minh City University of Technology
4.2 DESIGN INTENT/SAFE OPERATING LIMIT
• Design Intent (DI) = optimal operating target, most often based on Safety/Regulatory concern and
Economics driver.

• Safe Operating Limit (SOL) = DI +/- allowable variability expected in normal, S/U & S/D operation.
– Control System Alarm is activated to warn excursion beyond SOL.

• Design Limit (DL) = set by Material or Equipment limitation.

– Drastic corrective action is taken to prevent excursion beyond DL: automatic S/D of equipment, PSV lift.

DL (e.g. Max Allowable

Working Pressure, MAWP, for
parameter Pressure)

SOL

DI

Faculty of Chemical Engineering

2024 57
Ho Chi Minh City University of Technology
4.3 HIERARCHY OF HAZARD CONTROL
EFFECTIVENESS VS COMPLEXITY OF CONTROLS

Most
complex

Least
complex

From US National Institute for Occupational Safety and Health (NIOSH)

Faculty of Chemical Engineering

2024 58
Ho Chi Minh City University of Technology
4.3 HIERARCHY OF HAZARD CONTROL (cont’d)
1. Elimination (most complex & most effective control)
– Changes to a new design or material which remove hazard at source.
• Example: Install sample point at pump suction (low pressure) instead of discharge (high pressure) to eliminate splashing
hazard.
– Most preferred control overall. Best opportunity for this type: in new plant / new design.
• Prevention by Design, Intrinsically Safe Design
2. Substitution
– Changes which, ideally, do not create new hazard.
• Example: Replace asbestos by synthetic/ceramic fiber material in brake pads
3. Engineering controls
– Engineered barriers to isolate people from hazard to reduce exposure.
• Example: Install machine guard to protect hand.
4. Administrative controls
– Changes to the way we work to reduce exposure to hazard .
– Onus of protection resides mainly with individual/victim (compliance, experience, state of mind..)
• Example: Change training program and operating procedure. Install label, signage.
5. Personal Protective Equipment (PPE) (least complex & least effective control)
– Last barrier between worker and hazard.
• Example: hard hat, safety glasses, gloves, safety boots, fall arrest equipment, etc…

Faculty of Chemical Engineering

2024 59
Ho Chi Minh City University of Technology
4.4 OTHER HAZARD IDENTIFICATION METHODS
Besides HAZOP, there are other hazard identification methods available: Creative Check List HAZOP, What-IF,
FMEA and FTA.
• Like HAZOP, all methods use a multi-disciplinary, team-based, brainstorming approach to maximize synergy
between team members.
• All have a common purpose: Identify potential hazards & causes, and assess effect.
• In search of hazards, methods rely on open What-IF questions to stimulate team’s imagination about what
can possibly go wrong, e.g.
– ”What If such and such parameter exceeds certain limit, or that valve fails to open, etc.? What will happen then ?”
• Because What-IFs questions are open-ended (*) – i.e. no structure to prompt imagination, study team relies
heavily on experience and prior knowledge of similar failures to come up with relevant hazardous scenarios.
This is the most challenging step in these methods.
(*) HAZOP and Creative Checklist HAZOP use Deviation Guide Words and checklist structure to guide What-IFs
questions.
• To stimulate creative thinking, Structured What-IF Technique (SWIFT) uses a list of 10 categories of
questions to give focus and structure to What-IFs questions. (please see Supplemental Notes)
• Deliberation made during session is captured in a report. A typical What-IF report is illustrated below:

Element / Function What If ? (unwanted event) Cause Effect Decision about risk

Faculty of Chemical Engineering

2024 60
Ho Chi Minh City University of Technology
CREATIVE CHECK LIST HAZOP
Material & Block Hazards Checklist HAZOP

• Material & Block Hazards Checklist HAZOP is developed for following

purposes:
– To have a method particularly suited for investigating hazards when a new
material is introduced to the plant, and
– To investigate hazard at preliminary design stage when a full description of the
System is not yet available.

• Hence, examination of hazards is based on material property and

interactions between material, people, machinery and the environment.

• A “Block” is similar to a Study Node. It is a sub-system of the plant, e.g. a

“unit”, that processes the new material, logically selected to include the
relevant equipment, personnel and operating environment involved in its
processing.

Faculty of Chemical Engineering

2024 61
Ho Chi Minh City University of Technology
CREATIVE CHECK LIST HAZOP
Material & Block Hazards Checklist HAZOP
• Key characteristics of this method:
• Checklist guides the examination through 3 main classes of hazards:
– Energy related hazards, e.g. fire & explosion, mechanical impact, etc.
– Hazards related to interaction between material-people-equipment, e.g. exposure to
hazardous substances, confusion/maloperation, access & egress in case of emergency,
etc., and
– Hazards related to interaction with environment, e.g. flooding, dust, disposal of wastes,
etc.
• Although not as comprehensive as full HAZOP analysis, study is useful at
preliminary design stage to allow for further optimization of preliminary design.
• Results from examining unit-unit interaction also useful for optimizing geographical
layout of plant and equipment.
• Material & Block Hazard Checklist HAZOP form included in Attachments.

Faculty of Chemical Engineering

2024 62
Ho Chi Minh City University of Technology
WHAT-IF ANALYSIS
• A multi-disciplinary brainstorming approach in which study team ask questions about
concerns and potential undesirable events.
• Most general form of safety review due to open ended style of questioning.
• The examination begins with typical probing questions like, "What If … something fails to
work, then… what can happen?”
• Each question probes into the prospect of a potential failure or an abnormal event, and
elicits a study team into reflecting whether a potential hazard can occur.
• Study team then assesses cause, consequence & severity, and reviews effectiveness of
existing mitigating controls to determine if further actions are warranted. Below is typical
What-IF working template.
What If ? (unwanted event)
• Cause
Element /
•
•
Effect What If ?
Decision about risk
Cause Effect Decision about risk
•
Function
Effect (unwanted event)
• Decision about risk
•Fired
Effect
heater F-1 What If … No feed Feed pump Loss of Auto Start backup feed pump.
• Decision about risk
to F-1 ? OFF production

Faculty of Chemical Engineering

2024 63
Ho Chi Minh City University of Technology
WHAT-IF ANALYSIS (cont’d)
• Generating “WHAT-IF” questions is the most challenging task.
• Equipment failure, human errors, process upsets, external events are typical areas
around which WHAT-IF tries to probe for potential problems.
• Structured WHAT-IF Technique (SWIFT) has a comprehensive list of 10 categories
of problem areas around which questions can be structured (see below).
• Deliberation from study session is documented in a report (working template above).

SWIFT’s 10 categories for WHAT-IF questions

1. Material 2. External 3. Operating errors 4. Analytical & 5. Equipment/

problems events (of & other human sampling errors Instrumentation
influence) factors malfunction
6. Unknown 7. Utility failure 8. Integrity failure/ 9. Emergency 10. Environmental
Process upsets loss of containment operations release

Faculty of Chemical Engineering

2024 64
Ho Chi Minh City University of Technology
FMEA – FAILURE MODE & EFFECT ANALYSIS
• FMEA is a systematic, team-based brainstorming approach for identifying potential failures
in a system and their impact.
➔ Failure modes: manner or way in which something may go wrong, fail or malfunction. Usually the
way the failure was observed or detected.
➔ Effects: consequence, impact of such failure to the system.
• For each component/subsystem it tabulates all potential failures associated with them.
• For each failure FMEA identifies & assesses cause and consequence, like in HAZOP.
(OCC = likelihood of occurrence, SEV = severity of consequence, DET = detectability of failure,
RPN = Risk Priority Number)

SYSTEM/ FUNCTION FAILURE MODE CAUSE EFFECT CONTROLS RPN RECOMMENDATION

COMPONENT (UNWANTED EVENT) & OCC & SEV & DET O*S*D

Feed pump Transfer S/D Overheated. F-1 tubes damage. BU pump. RPN= 180 Emer S/D of F-1 on
G-1 O=2 S= 9 D = 10 (=2*9*10) loss of feed

Faculty of Chemical Engineering

2024 65
Ho Chi Minh City University of Technology
FMEA (CONT’D)
• In addition, FMEA assesses:
1. Occurrence rating O (probability of failure, 10= will happen),
2. Seriousness of effect S (10=most serious), and
3. Failure Detectability D (10 = undetectable).
• Index RPN (Relative Priority Number) = O*S*D is a relative measure of the risk for such failure.
• Does not use Deviation Guide Words. To identify failure, FMEA uses WHAT-IF questions and relies on
team’s experience, intuition and knowledge of similar failures in the past to identify potential modes of
failures and their effects.
• Mainly used in Reliability and Quality engineering to identify factors affecting reliability and product
quality.
• 3 types & purposes of FMEA studies:
1. Equipment FMEA: Investigate accident or analyze potential equipment failures so that additional controls can be
implemented,
2. Process FMEA: Improve manufacturing processes, e.g. identify deficiency in manufacturing processes, and
3. Design FMEA: Improve system design, e.g. identify deficiency at conceptual and design stage.

Faculty of Chemical Engineering

2024 66
Ho Chi Minh City University of Technology
FTA – FAULT TREE ANALYSIS

Top level failure • This failure analysis technique explains how system fails by
(undesired event) presenting graphically relationship between top level failure and
lower-level contributing factors.
• Fault Tree itself is a comprehensive model of inner working of a
system.
• Analysis starts with defining top level failure (undesired event).
Then works down & defines all contributing factors one level
below.
• Then continues on to next level below, and so on.
• Tree stops when bottom events reach resolution threshold of
the analysis.
• Uses AND/OR/Other Boolean gates to specify events in parallel,
series ,or conditional, etc.
• From Boolean gates, frequency of failure of top level event can
Bottom level contributing factors be estimated from failure rate of components below.

Faculty of Chemical Engineering

2024 67
Ho Chi Minh City University of Technology
FTA – FAULT TREE ANALYSIS (cont’d)

Key characteristics
• Provide excellent visual display of cause-effect relationship. Emphasize
principle of multiple causes.
• Provide the most comprehensive model of a System (& how it works).
• Help visualize pathway/logic/mechanism leading to top level failure &
relative importance lower level components play in failure. These
components can be prioritized for inspection, maintenance & development
of redundancy.
• Main purpose of FTA is to identify root causes resulting in top level failure
(already happened or potential). To identify potential top failures, method
still relies on other hazard identification techniques, such as HAZOP or
WHAT-IF.

Faculty of Chemical Engineering

2024 68
Ho Chi Minh City University of Technology
4.5 MODEL FOR CAUSATION OF LOSS (DNV, B IRD & GERMAINE, 1986)
Distribution of Loss by Types or Seriousness (Ratio relationship 1/10/30/600)

Key messages from Ratio relationship:

Serious injury/ Fatality
(1) • No-loss incidents are precursor to
more serious accidents awaiting to
Minor injuries happen.
(10)
• Serious injuries are rare events,
hence offer limited basis to develop
Property damage
accidents (30)
effective control of losses.
• More frequent & less serious events
No-loss Incidents provide a larger basis for more
(600)
No loss incidents (600) effective control of losses.

Faculty of Chemical Engineering

2024 69
Ho Chi Minh City University of Technology
4.5 MODEL FOR CAUSATION OF LOSS (DNV, B IRD & GERMAINE, 1986) (cont’d)

• According to Bird & Germaine, an incident is a result of a Lack of Control at the System
(or Program), Standards or Compliance level, cascading down to a Loss. This is a
refinement of the previous “5 domino” theory of causation by Heinrich.
• This emphasizes the Critical Role of Management as Leader of the Safety Program in
the Organization, as they have the highest level of control.

Lack of Basic Immediate

Incident Loss
Control Causes Causes
Inadequate
• Substandard • Event • Unintended
• System or • Personal
Program (e.g. Factors Actions/ Harm or
inadequate Practices Damage
• Job/System
content) • Substandard
Factors
Conditions
• Standards
• Compliance
to Standard

Faculty of Chemical Engineering

2024 70
Ho Chi Minh City University of Technology
4.5 ACCIDENT CAUSATION MODEL: REASON SWISS CHEESE MODEL
• Reason proposed a Swiss Cheese Model where Loss is caused by simultaneous failures in multiple barriers, when
faults in barriers, called “holes”, are aligned. Despite this apparent deficiency, a multi-layered defense is universally
recognized as the most effective approach to accident prevention.
• Some holes are due to “Active Failures” by People & Equipment at frontline (now called Immediate Causes)
• Other holes are due to systemic organizational factors called “Latent conditions” (or Underlying Causes), such as
Production-over-Safety culture, Tolerance of unsafe condition or behavior,…

• Over time more sophisticated models were

proposed to explain the origin of accidents.
• Bird/Germaine & Reason Swiss Cheese Models are
intuitive and provide deep insight into accidents
such that they become the foundation of many
current safety practices.
• Loss Causation Models recognize accidents have
multiple causes beyond human error. Together with
other models, they help establish Safety Program as
a Corporate function and responsibility.

Faculty of Chemical Engineering

2024 71
Ho Chi Minh City University of Technology
4.6 STEPS IN MANAGING RISKS – I.E.D.I.M
(DNV, Bird and Germaine, 1986)

Step 1: (I)dentify All Loss Exposures (Hazard & Risk identification)

– Task Analysis & Observation.
– Risk Inventories, Safety Inspection.
– HAZOP

Step 2: (E)valuate the Risk in each Exposure: Severity, Frequency or Probability (Risk assessment)

Step 3: (D)evelop a Plan to address Risk (Risk control)

– Terminate, Treat, Tolerate, Transfer
– See Hierarchy of Controls

Step 4: (I)mplement the Plan (Risk control)

– Goals/Objectives
– Roles/Responsibilities, Accountability
– Follow-Through

Step 5: (M)onitor the System (Monitoring, reviewing & improving)

– Measure, Evaluate, Commend, Correct

Faculty of Chemical Engineering

2024 72
Ho Chi Minh City University of Technology
Ho Chi Minh City University of Technology
Faculty of Chemical Engineering

5. 5.1 HAZOP exercise: Crude Fired Heater

CASE STUDY 5.2 HAZOP exercise: Atmospheric Distillation Tower

2024 73
5. CASE STUDY
PURPOSE
To familiarize with HAZOP examination technique, attendees will participate in a sample HAZOP analysis
of the final design of a fictional petroleum refinery project.
The exercise consists of:
– Study process description & P&ID, and select 2 nodes for HAZOP analysis: 20F -1 fired heater & 20T-2
atmospheric distillation column,
– Perform Stream by Stream Analysis within each node, using relevant guide words to generate credible
deviations,
– Analyze Causes, Consequences, Safeguards and Recommended Actions,
– Document discussion in a HAZOP Work Sheet.

Faculty of Chemical Engineering

2024 74
Ho Chi Minh City University of Technology
5. CASE STUDY
SCOPE OF HAZOP STUDY

• Node 1: 20F-1 Process Fired Heater (PD20-A-1-1)

– P&ID: PD20-A-1-1, please see below.
– Material (Input): Light Crude Oil (LCO), Fuel Gas, Ambient Air
– Activity: 1) Heat 5500 m3/h of LCO (T-2 feed) from 20C to 360C,
2) Pre-heat combustion air from 20C to 40C
– Source: 20G-1 A/B (Feed Pump), Refinery Fuel Gas System
– Destination: Atmospheric Distillation Tower 20T-2

• Node 2: 20T-2 Atmospheric Distillation Unit #2

– P&ID: PD20-A-1-1, please see below.
– Material (Input): Light Crude Oil (LCO) partially vaporized, Cooling Water
– Activity: 1) Distill 5000 m3/h of LCO (360C) into Light Ends, Naphtha, Kero and Gas Oil product,
2) Cool down Kero & Gas Oil products to 38C for storage.
– Source: 20F-1 outlet, Cooling Water
– Destination: Refinery Fuel Gas System , Naphtha / Kero/ Gas Oil product tanks

• Not Analyzed: Node 3 (Feed Tank & Crude Supply Pipeline), Node 4 (20E-2 Product/Feed Heat Exchangers)

Faculty of Chemical Engineering

2024 75
Ho Chi Minh City University of Technology
5. CASE STUDY – PROCESS DESCRIPTION
• To meet the increase in demand for petroleum products, VINAOIL Inc. decides to double the capacity of
its refinery in Da Nang.
• In Phase 1, a 2nd Atmospheric Distillation Complex will be built in 2019 with a nameplate capacity of
5000 m3/h of Light Crude Oil supplied from the existing Inter-Provincial Pipeline system.
• The final design is now complete, and the 2nd Complex consists of the following processing facilities:
– A new tank farm composed of 7 floating -roof storage tanks, 20D -1 A-G. The storage capacity of each is tank
120,000 m3. This provides 7 days of crude oil supply to the Complex. Two feed pumps, 20G -1A/B, one on-line,
one standby, deliver 5000 m3/h of crude oil from tank farm to a singe process fired heater, 20F -1.
– 20F-1 is a forced draft, 4-pass furnace, equipped with a combustion air preheater to reduce fuel gas
consumption by 12%. It can heat up 110% of the design capacity of the 2 nd Atmospheric Distillation Complex
from 20C to 360 C.
– The distillation tower, 20T-2, has 30 sieve trays and operates at 1.2 - 1.5 atm. The products are: Light End
gases, Naphtha, Kerosene and Gas Oil.
– The Light End gas is mainly methane and routed to the refinery Fuel Gas system for use as fuel.
– Napha/Kero and Gas Oil products are produced at a respective 30/30/35 split ratio.
– Kero and Gas Oil products exchange heat with incoming crude and are further cooled by water coolers to 38C
before entering their product storage tanks.

Faculty of Chemical Engineering

2024 76
Ho Chi Minh City University of Technology
5. CASE STUDY – P&ID
NODE 2
NODE 1 PC
TI 1
To Fuel
7
Ga s
TI Sys tem
E-3
11 LC
O D-2 1
FC
1 2 TI
20 D-2
TI
6 Naphtha
TI TI TI
1 2 3 G-2 G-3
Tank TI
Farm 12
LC
2 TI
D-1A to G G-1A/B T-3 21
D-3

E-1
E-1 E-2
FC Kero
TI 1
TI 4 TI
13 LC Kero Cooler
8
3
TI
F-1 TC 22 D-4

E-2
Ambient Air 5
K-2 Gas Oil
T-2
GO Cooler
TI FC TI PC
9 Air Pre- 2 10 55
K-1 Title DANANG REFINERY EXPANSION PROJECT
Heater
PHASE 1 - CRUDE DISTILLATION COMPLEX #2
Drawing PD20-A-1-1
Refinery Fuel Gas
System Rev No 1 Date: 2019-06-30
Drawn by: THHT Eng. By: THHT
Appr. By: DKH
Filename: Hazop Work sheet - Case Studies

Faculty of Chemical Engineering

2024 77
Ho Chi Minh City University of Technology
University of Technology
Faculty of Chemical Engineering Ho Chi Minh City

6.
Overpressure of Polymer Homogenizing Units
REVIEW OF
Movement of Discharge Pipe Spools Caused by Air Pockets
SELECTED
Upgrader Fire caused by premature recycle line failure at
INCIDENTS IN nozzle attachment
OIL SANDS Equipment Operating on Frozen Pond fell through thin ice
INDUSTRY

2024 78
6. REVIEW OF INCIDENTS IN OIL SANDS INDUSTRY
The following incidents were selected for discussion to highlight the fact that deficiency in
engineering work was a contributing factor to these failures.

– Overpressure of polymer homogenization units (high shear pump).

– Movement of discharge pipe spools caused by air pocket inside pipeline.
– Upgrader fire caused by premature failure of recycle line at attachment nozzle.
– Operator drowned when machinery working on frozen surface of tailings pond fell through thin ice.

Faculty of Chemical Engineering

2024 79
Ho Chi Minh City University of Technology
Overpressure of polymer homogenizing units
Incident description:
Rupture disc protecting high shear homogenizer pump (to reduce polymer particle size) was blown so often that polymer plant c apacity was
reduced.
Root cause:
Incorrect “grind” setting was selected for high shear pump.
At original “fine” setting, the high shear pump could not handle the amount of undissolved polymer particles. As a result the se particles collected at
the gaps between rotor/stator and eventually plugged up pump completely, causing overpressure in the pipeline. The rupture d isc blew up to
relieve pressure to protect the high shear pump as designed.
Solution:
Change to “coarse setting” prevents undissolved polymer particles from plugging up high shear pump, and resolved overpressure issue.

Pressure relief device

Dry polymer activated excessively due Polymer solution
to high pressure events
water
Rupture disc

Polymer PIC
wetting
unit

Progressive cavity pump High shear pump – originally set at “Fine grind” setting

Faculty of Chemical Engineering

2024 80
Ho Chi Minh City University of Technology
Movement of discharge pipe spools caused by air pocket inside pipeline

Incident description:
After polymer solution was injected into the tailings pipeline to treat tailings Tailings waste
material, the discharge spools experienced violent kickback when treated Installation
material exited the spools. of wrong
type of
vent/
Immediate cause: vacuum
break valve
A wrong type of vent/vacuum break valve was installed on the polymer line, allowed air
allowing ambient air to enter and accumulated in the polymer line. to enter
polymer
When polymer solution was injected into tailings line, air pockets then entered pipeline
the main tailings line and got compressed . Energy of compressed air caused
Injection of polymer solution
the discharge spools to kick back when material exited the pipeline, a
phenomena called garden hose kickback.

Root cause: Inadequate design review of new vent valve. “Tee”

Solution: Vent valve was removed. Kickback almost eliminated.

Discharge spools swung

around center “Tee”

Faculty of Chemical Engineering

2024 81
Ho Chi Minh City University of Technology
Upgrader fire caused by premature failure of recycle line at attachment nozzle

Incident description:
Upgrader caught fire after nozzle N19 of the
recycle line leaked hydrocarbon vapor to the
atmosphere, which got ignited.
Upgrader 2 was out of service for 8 months.

Root cause:
Nozzle 19 wore out prematurely and leaked
after 3.25 years in service (vs 15 years as
per design) because it was not lined with N19
nozzle
stainless steel, as specified, to better
withstand erosion/corrosion.

Faculty of Chemical Engineering

2024 82
Ho Chi Minh City University of Technology
Equipment operating on frozen pond fell through thin ice
Incident description:
In 2014 and 2021, equipment operating on frozen tailings pond surface (excavator, dozer) sank when ice layer gave
way. Equipment operator was drowned in both accidents.

Immediate cause: Ice too thin to support the weight of equipment

Root causes:
There were several causes, most important among them are:
• Failure to test ice thickness with ground penetrating radar.
• Failure to consider previous results of insufficient ice thickness (2021 incident).
• Failure to train employees in safe operation of equipment (2021 incident).

2021 drowning accident Conclusion:

• Suncor and its Contractor, Christina River Construction, pleaded guilty in the drowning death of Oilsands worker.

Faculty of Chemical Engineering

2024 83
Ho Chi Minh City University of Technology
REFERENCE (*) hardcopy reference (not included as e-files)

HAZOP process – General literature

1*. Effective Hazard Review Leadership, Internal training course notes, 1996. Sea-Jay Engineering Services
& Suncor Energy Inc.
2. Hazardous Industry Planning Advisory Paper No 8 - HAZOP Guidelines, NSW Planning, Australia, Jan
2011.
3. HAZOP, Hazard and Operability Study, Marvin Raussand.
4. HAZOP Tutorial , Rebecca Holt.
5. Process Safety Management and Risk Analysis , Gordon MacKay.
6*. HAZOP Guide to Best Practice , 3 rd edition, F. Crawley & B. Tyler.

International Electrotechnical Commission (IEC) Standards

7. British Standard IEC 61882 HAZOP - Application Guide, 2001.
8. British Standard IEC 60812 FMEA - Application Guide, 2018.

Faculty of Chemical Engineering

2024 Ho Chi Minh City University of Technology 84
REFERENCE (*) hardcopy reference (not included as e-files)

Other Risk Assessment Methods

9. Some Risk Assessment Methods and Examples of their Application (HAZOP, FMEA & FTA) - Pavel Fuchs
et al.
10. Hazards Identification (WHAT IFs, FMEA) – Texas A&M University.
11. How to conduct an FMEA (a white paper by Siemens).
12. Fault Tree (FTA) Analysis – Marvin Raussand.

Loss Control Management

13*. DNV Loss Control Management, Bird & Germaine , 1986.
14. Models of Causation: Safety, 2012, Core Body of Knowledge for the Generalist OHS Professional, Safety
Institute of Australia.
15. Guide – 6 steps to Risk Management , NTWorkSafe, September 2018, Northern Territory Government
(Australia).

Incidents in Oilsands Industry

16. Suncor and Contractor plead guilty in 2021 drowning death of Oilsands worker _CBC News.

Faculty of Chemical Engineering

2024 Ho Chi Minh City University of Technology 85
 ATTACHMENTS

1. Matrix of meaningful deviations based on Process Parameters

2. Sample of HAZOP Report
3. HAZOP Material & Block Hazards Checklist

Faculty of Chemical Engineering

2024 86
Ho Chi Minh City University of Technology