
Process Safety and Environmental Protection 111 (2017) 635–651

Contents lists available at ScienceDirect
Process Safety and Environmental Protection
journal homepage: www.elsevier.com/locate/psep

Automated HAZOP revisited

J.R. Taylor
Department of Management Engineering of the Technical University of Denmark, Denmark

Article history: Received 9 February 2017; Received in revised form 28 April 2017; Accepted 24 July 2017

Keywords: Automated HAZOP analysis; Fault tree synthesis; Hazard identification completeness; HAZOP quality; Formal languages; Alarm analysis

Abstract

Hazard and operability analysis (HAZOP) has developed from a tentative approach to hazard identification for process plants in the early 1970s to an almost universally accepted approach today, and a central technique of safety engineering. Techniques for automated HAZOP analysis were developed in the 1970s, but still have not displaced expensive manual approaches. Reasons for this were investigated and conclusions are drawn. The author's actual experience in applying automated HAZOP techniques over a period of more than 30 years is revisited, including results from several full-scale validation studies and many industrial applications. Automated techniques, when combined with manual approaches, were found to provide significant improvements in HAZOP quality and a limited but valuable improvement in efficiency.

© 2017 Institution of Chemical Engineers. Published by Elsevier B.V. All rights reserved.

1. Introduction

Techniques for automated HAZOP analysis were actually described before the concept of HAZOP was openly published. Fussell (1973) described automated fault tree analysis by piecing together "mini fault trees", which provides a methodology for filling out the cause columns of a HAZOP table. Taylor (1975) and Taylor and Hollo (1977) presented algorithms for automated cause consequence analysis and fault tree analysis, together with a systematic approach to component modelling. Powers and Tompkins (1974a, 1974b), Powers and Lapp (1976) and Lapp and Powers (1977a, 1977b) published methods for fault tree analysis of chemical plant using signal directed graphs (digraphs), and Salem et al. (1975, 1977, 1979) and Salem and Apostolakis (1980) described the use of decision tables to support fault tree construction. Andow (1973) used functional equations as a representation for disturbance propagation in alarm analysis. Martin-Solis et al. (1977) and Poucet (1983) used logical equations to represent alternative causes of disturbances. Digraph models have similar power to mini-fault tree and state table approaches, but require preparation of a digraph from the process diagram such as a P&ID (Cui et al. introduced a method to make this transformation automatically).

The RIKKE program, developed by the author and J.V. Olsen using Fussell's mini-fault tree approach, was extended to cover feed forward and feedback loops. It was developed and validated by the expedient of helping to build a chemical plant, comparing the automated results with several manual analyses, and by assisting in the commissioning and operation (Taylor, 1982a, 1982b; Taylor and Olsen, 1983; Haastrup et al., 1985).

Since then there have been many doctoral theses and journal articles describing automated fault tree and HAZOP analysis methods. Yet there are still very few industrial applications of automated HAZOP, and companies still invest tens to hundreds of thousands of dollars in performing HAZOP manually in HAZOP workshops. Even worse, the manually completed HAZOPs are known to be incomplete (see e.g. Taylor, 2012). What went wrong? This paper discusses the development of manual and automated HAZOP over a period of forty years, reasons for the lack of success of automated HAZOP and reasons for the successes.

https://dx.doi.org/10.1016/j.psep.2017.07.023

2. Obstacles to automated HAZOP

One of the first obstacles to the use of automated HAZOP is the need to translate system drawings such as piping and instrumentation diagrams (P&IDs) into a special format. These can be either a simplified version of the P&IDs themselves or more complex derived representations such as digraphs (e.g. Powers and Lapp, 1976) or multi level flow diagrams (Öhman, 1999). These derived representations proved to be complex and error prone for large systems, and often more costly than the manual HAZOP itself. This problem has been solved in recent years by the development of software that can take commercial CAD drawings and translate them into "intelligent" drawings which can be used in accident simulation (Rossing et al., 2010). Cui et al. (2008, 2010) developed a system which could take in a CAD piping and instrumentation drawing, convert it in a standardised way to digraphs, and use these for HAZOP. It should be noted that full commercial application requires not just translation of individual diagrams, but also integration of complete sets of diagrams.

Some P&IDs include the control signal flow paths, but in most cases safety and sequential control at least are described by means of cause and effects matrices, so that for a full analysis, these too must be integrated into the set of system drawings.

Some disturbances identified by HAZOP require quantitative judgements. An example from the plant shown in Fig. 6, and which actually occurred, is the possibility of a product freezing in a condenser, blocking the flow. This requires knowledge about the temperature of the condenser coolant, the rate of heat transfer from the product, and the product freezing point. In a fully automated analysis, such judgements need to be interpreted conservatively, which implies that the analyses need to be reviewed after completion, in order to reject those automated judgements which are incorrect.

Numerical judgements were found to be an issue in about 2% of the disturbances investigated in a total of 40 recent manual HAZOPS studied. Some researchers have incorporated numerical simulation into the automated HAZOP process so that judgements can be made automatically, but this requires a large additional effort unless a dynamic simulator is being constructed as a part of the design process. Even then the automated HAZOP software needs to be adapted to the specific simulator used (e.g. McCoy et al., 1999).

There are also issues of confidence and trust in the use of automated HAZOP. In modern practice the HAZOP workshop group has considerable authority and corresponding responsibility. Recommendations take on the role of formal and sometimes legal requirements, which must be implemented unless the designer can provide counter arguments. If a proposal is rejected then the designer is required to provide alternative solutions to the problem or a careful demonstration that the problem involved is a minor one. In order to be able to accept the responsibility for risk reduction recommendations the HAZOP team requires full understanding of the problems and the basis for analysis. This cannot be achieved via a purely computer generated HAZOP.

Another problem observed from study of accident reports is that there are over 400 physical phenomena which have given rise to accidents in oil, gas and chemical plant (Taylor, 2014). The published automated methods have been observed to include up to about 30 of the most common of these. As an example, 13 different forms of liquid hammer were identified from accident reports, and liquid hammer was found to have caused 2% of the major accidents in refineries, yet these events could not even be represented in the formalisations used in first generation HAZOP methods. The automated methods based on disturbance propagation describe typically 23 phenomena. McCoy et al. (2000e) list 38 physical phenomena and in McCoy et al. (2000b) 14 phenomena related to loss of containment consequences. There does not appear to be any reason why this work could not be extended to cover all the known phenomena, but effort would be needed to ensure a practical level of discrimination.

A further problem was revealed by a study of ten high quality HAZOPS made from 2008 to 2014. About one third of the findings and recommendations from these were found to derive from drawing errors and detail design errors which are not related to process deviations and are not amenable to HAZOP analysis as described in guidelines. It is often said that such problems should be dealt with by a preliminary design review, but it was observed that many detail design problems can only be identified in the context of HAZOP. Examples are choice of material for a pipe, when the pipe can be accidentally subjected to low temperatures, or the decision about whether a valve should be locked open. The issue of automated design review is addressed below.

3. Completeness of analyses

A good HAZOP should preferably identify all significant accident consequences and the majority of accident causes, including all the cases which are likely to occur, i.e. have a significant risk contribution. Under ideal conditions, completeness is defined as (Taylor, 1981):

Absolute completeness = number of scenarios identified / number of possible scenarios

Here scenarios are defined as an initiating event, a number of safety barrier failures and a consequence event. Completeness values depend on the degree of detail in the analysis, and all assessments here are predicated on the level of detail typical of professionally completed HAZOPS.

Completeness defined in this way has a problem in that the number of possible scenarios cannot be determined. Historical completeness is defined as:

Historical completeness = number of scenarios identified / number of scenarios identified from an extensive incident database

A database of over 1000 oil, gas and chemical industry accidents was developed to support completeness assessments.

A more valuable measure of completeness for hazard identification is to weight each accident scenario according to risk, but this can only be made practical if the HAZOP event frequencies and risk can be calculated easily (see third generation methods below).

For automated HAZOP, another important measure is discrimination, defined as:

Discrimination = number of realistically possible scenarios / number of scenarios identified

Without care in discrimination the HAZOP becomes useless. For example historical completeness could be ensured simply by incorporating all the scenarios from the database (leaving the analyst with the task of reviewing the automated analysis and discarding most of it). On the other hand fully automated analyses must compromise on discrimination because they must ensure that all scenarios which are in principle possible are included, and the basis for inclusion may be uncertain. For example sump tank rupture due to pressurised draining from a pressure vessel may be possible, or not, depending on flow conditions. Calculation of the actual probability can only be made after the possibility has been identified. Ensuring completeness while maintaining a reasonably high level of discrimination is therefore a main challenge in developing automated HAZOP methods.

Completeness of analyses depends on the depth of analysis. The more detailed an analysis, the easier it is to define preventive measures, but at the same time there are more opportunities for oversights. In Fig. 5, a detailed model for a valve is shown, with possible failures and errors recorded at the detailed failure cause level, rather than at the failure mode level. Completeness levels for analyses at different levels are also described below.

4. Disturbance propagation

Most automated HAZOP programs work by identifying "nodes" which are usually individual items of equipment such as tanks, pressure vessels and pumps, and the interconnections between these. Then possible parameter disturbances in each node are considered and for each parameter, a search is made through the network of interconnections for firstly, possible causes of the disturbance and secondly, for possible consequences. A typical knowledge element for this search is:

High pressure at valve inlet & valve is open ⇒ high pressure at valve outlet

The format here is that the left hand side of the implication has one event (i.e. change of state), and zero or more conditions (i.e. partial states). The right hand side has one or more events. In earlier descriptions these were referred to as mini fault trees. The format allows the sequence of events to be taken into account, and by a slight extension of the notation, also timing. This kind of implication is here called an event/condition transfer function or TF (Taylor, 1975).

The cause search involves matching the right hand (output) side of a TF to a current event, and so adding the left hand side to the tabulation of causes. Searching for consequences involves matching of a current event to the first (input) event on the left hand side of the TF.

An algorithm can be developed which in principle can construct fault trees and cause consequence diagrams, but still does not produce acceptable HAZOP results because the structure and content of the knowledge base is inadequate. Some of the problems are:

• In a process plant an event such as development of high pressure will have consequences upstream and downstream of the location of the initiating event.
• If an event such as development of high pressure occurs, this may cause events such as high flow rate, but this will depend on whether there is an open flow path downstream, and may cause reduced or reverse flow upstream, but this will again depend on whether there is an upstream flow path. These conditions are called structural conditions.
• Feed forward and feedback control and safety loops affect the propagation of disturbances. For example propagation of high pressure will be prevented if there is an emergency shutdown valve closed on the basis of high pressure detection. The conditions involved are termed control and safety barrier conditions.
• The propagation of disturbances often depends on the state of a component, such as whether a valve is open or closed. In building up a cause or consequence analysis, it is important to avoid investigating the causes of normal states. If this is not done, there may arise a situation in which the entire operations history of the plant is investigated every time a multi-state component such as a valve or switch is reached. An easy way to do this is to record the normal states for each component. For analyses of dynamic systems such as batch processes or plant start-up it will be necessary to record the status of each component at each stage of operation. The conditions involved here are called working state conditions.
• In some cases the occurrence of an accident consequence depends on timing of safety action. Examples are the time to activation of a toxic gas alarm versus the time to closure of ventilation systems and time for gas ingress to control rooms, or time to ignition of released flammable fluid versus time to activation of foam systems. Timing, or at least relative timing, becomes important in many systems, especially in batch process safety and machinery safety.

Updated versions of algorithms which take into account recent developments are shown in Figs. 3 and 4.

5. Modelling for disturbance propagation

One way of ensuring the proper form of the individual component models for automated HAZOP analysis is to base them on the physical equations for the component. Components must necessarily obey the laws of conservation of mass and energy, and the laws of thermodynamics. Fig. 1 shows a simple process system and its corresponding equation bi-graph. The circles represent parameters and the rectangles represent physical equations. The pressure parameters are connected by force balance equations and the flow parameters are connected by mass conservation equations. Causal directions can be marked between parameters and equations and vice versa. Each equation can determine just one variable, and each variable can be determined by just one equation. Reservoirs such as a pressure vessel, an open drain or a tank determine pressure. Variables such as temperature or concentration are carried by flow.

The equation bi-graph establishes the pattern of disturbance propagation, but the coding in event propagation statements requires choices. For example the effect on flow rate of pump partial failure due to impeller erosion could be coded by tracing low flow from the pump all the way to the tank, and then tracing the cause of low pressure at the tank to low pressure all the way back to the pump. This is quite clumsy, and leads to combinatorial explosion in the search. An alternative is to code the cause of low flow as arising due to low local pressure at the pump, conditional on there being an open flow path (structural condition), no flow regulation (control condition) and no safety actions. This approach requires a search for structural, control and safety conditions whenever a low or high flow disturbance enters into the cause or consequence tracing. When searching for structural conditions it is possible that the condition is found to be false. In this case, the branch of the fault tree or cause consequence chart dependent on the condition is eliminated from the analysis result.

Fig. 1 – An equation bi-graph for simple process equipment with one possible causal marking.

Once the pattern of flow disturbance propagation is established, propagation of temperature or concentration disturbances is straightforward.

As can be seen, analysis of components for HAZOP can be complex. However, once done, models can be saved in libraries and the work does not need to be repeated. Libraries of components were developed using this approach for the RIKKE program (Taylor, 1982a, 1982b). Other approaches to this kind of modelling were given by Kelly et al. (ref. 18–28) including criteria for impossible (i.e. conflicting) events and normally true events.

More recently, Heusen and Lind (2010) have based process plant models on multilevel flow modelling, which uses a generalised notation representing energy and mass flow in a process plant (e.g. Wang et al., 2012; Wu et al., 2017). This notation can be applied hierarchically since all systems and parts of systems obey the basic physical laws. The advantage of this notation here is that it requires only a few rules to provide models of flow disturbance propagation for a wide range of component types.

6. ELAN — a language for disturbance modelling

The first implementations for automated HAZOP and fault tree analysis used graphic (mini fault tree) and state tables or decision tables as a basis for modelling. With full industrial scale modelling with many hundreds of failure modes and causes it proved to be easier to use a textual notation for expanded preparation of model libraries. Fig. 2 shows an abbreviated model for a manual shut off valve. The full description of the shut off valve with all its failure modes covers just under three pages. The ELAN notation in its simplest form is mathematically equivalent to the mini-fault trees, but it has been extended to include time delays, stochastic causality and annotations. Line 9 in Fig. 2 shows a time of 2 min taken for erroneous closure of a shut off valve (which implies a quite large valve or a moderate access time). It also shows annotation (in square brackets), the purpose of which is described below.

7. HAZOP algorithms

Automated HAZOP requires identification of parameter disturbances (such as high pressure) in a specific component or node and searching for causes and consequences. The search may be made in any system representation, such as a system block diagram, a piping and instrumentation diagram, a circuit diagram or a special diagram such as a signal flow graph (or a combination of these).

The natural cause search algorithm is one for fault trees, since this allows search for alternative causes (OR logic) and combinations of causal events (AND logic) such as occurrence of an initiating event (e.g. fail open of a pressure regulator) and failure of safety devices (e.g. failure of a pressure safety valve). The natural consequence search algorithm is one for cause consequence diagrams since these allow for parallel event sequence branching (effects of a disturbance propagating along many paths in a system) and alternative event sequence branching (different effects depending on plant state).

Fig. 2 – ELAN description for a shut off valve.

The fault tree algorithm is shown in Fig. 3. This is the algorithm given in Taylor (1975) with addition of timing (temporal conditions), structural conditions and interaction with the analyst.

Fig. 3 – An updated fault tree algorithm.

The fault tree algorithm is based on a simple depth first AND-OR tree search, mapped onto a system diagram search. The important extension of this algorithm is the inclusion of loop detection, so that cascading and mutually escalating faults (such as an explosion damaging a fire protection system) and the effects of negative feed forward and feedback loops (such as an overpressure shutdown loop) are taken into account.

In understanding the method for dealing with control and safety loops, it is useful to know something about the timing structure of events. The algorithm of Fig. 4 can be regarded as an implementation of Kripke's "possible worlds" temporal logic. We can define an incarnation as a combination of events and conditions all of which belong to a single compatible tree, i.e. there are no alternative sequence choices in the tree. A fault tree will generally represent several incarnations, with incarnation branching corresponding to OR gates. We define an episode as a subtree of events between two alternative temporal branchings (between two OR gates). As the fault tree is built, track is kept of the chain of episodes and the incarnation branching. A loop is recognised only if a component is reached which closes a physical loop, if there is a common event in the component for the two branches, if the event timings are compatible, and if the branches have a common episode at the point of re-joining of the loop.

When a loop closure is found in the fault tree, event timings need to be considered. In particular any control or safety action needs to be activated before the disturbance. The timing values given in the ELAN models allow this timing to be defined and in turn, for deadlines, races and deadlocks to be identified. Often the timings are known only approximately, or not at all. This is indicated in ELAN by lowest and highest values for delay timings or by a question mark. Resolution of timing conditions is provided either interactively, or by adding an "unresolved race" condition to the fault tree.

The depth first search algorithm for fault tree construction is a natural one. Alternatives are breadth first search, which is more complex to implement and adds nothing to quality or speed of results, and "earliest first" or "latest first" search which make temporal analysis simpler. The distinction between events and conditions in the representation of Fig. 3 incorporates some aspects of a latest first algorithm because the event in an event/condition transfer function implicitly occurs after the conditions arise. The approach to control and safety loop searching using negation of causality (no compensation) has, so far as can be determined, only been used in the RIKKE program (Taylor, 1979a, 1979b, 1982a, 1982b; Taylor and Olsen, 1983; and by Wang et al., 2012) and in the HAZEX program described below.

Most other programs have used an approach in which loops are first detected, and then a template for the failure of a loop is filled out. Powers and Lapp (1976) introduced this for digraph based analyses, and Shafaghi et al. (1984) for mini-fault tree approaches. Kelly (1987), Kelly and Lees (1986a, 1986b, 1986c, 1986d), Kelly et al. (1985a, 1985b, 1985c, 1993a, 1993b, 1993c, 1993d) describe the implementation of the ideas in the FAULTFINDER system. Mullhi (1989) provides a comparison of the different approaches to feed-forward and feedback loops using the loop failure template approach.

The approach to control and safety loops illustrated in Fig. 4 has been preferred here because it can deal with complex loop structures, including feed forward, feed back, cascading and multi-input/multi-output controllers and complex branching structures in loops such as those in multi-level shutdown policies. It also allows cause and effect diagrams to be included easily into the analysis.

Fig. 4 shows the algorithm for cause-consequence diagram construction. It is very similar in structure to the fault tree algorithm in being an AND-OR depth first search algorithm, but simpler in detail. This simplicity arises because the conditions are not investigated by tracing their causes in the consequence analysis algorithm. To make this closure, the fault tree analysis linked to the consequence analysis may be used.

Fig. 4 – Cause consequence diagram algorithm.

Output from the algorithms can be standard fault trees and cause-consequence diagrams, safety barrier diagrams (Taylor et al., 1978; Taylor, 1994), or structured text which can be placed in HAZOP tables. The safety barrier format is especially useful in supporting LOPA analysis, and is used in HAZEX (see below); the LOPA tables are generated automatically and probability values and frequencies are looked up as far as possible automatically (Taylor, 2012). For HAZOP table use, most intermediate events, between initiating events and the disturbance event, and between the disturbance event and the consequences, need to be edited out of the text, in order to make the analysis results readable for HAZOP workshop teams.

8. Expert systems for HAZOP

During the 1980s and through to the present date, expert system technology has been used to carry out or to support automation of HAZOP. Heino et al. (1989) developed the HAZOPEX program. They gave comparison results for 9 deviations and 51 general level causes for these in an ammonia plant. An initial evaluation reports approximately 65% of the expert system proposals were accepted by a HAZOP specialist reviewing the results, i.e. a discrimination level of 65% was achieved. The paper by Suokas et al. (1990) reports 330 expert system rules for deviation causality, 20 for consequences and 20 for safeguards.

There have been several subsequent developments using expert system frameworks, such as Anderson and Ferguson (1987), Rahman et al. (2009), Khan and Abbasi (1997a, 1997b, 1998, 2000), Khan (2005), Venkatasubramanian and Vaidhyanathan (1994), Venkatasubramanian and Preston (1996), Venkatasubramanian et al. (2000), Viswanathan et al. (2000), Zhao et al. (2009). An important extension of capabilities in some of these is the automated conversion of P&IDs in CAD formats to "intelligent drawings" which can be used in automated HAZOP, and the provision of guidance on risk reduction.

The IF-THEN rules used in most expert systems are logically equivalent to the mini-fault trees or state tables used in earlier fault tree and HAZOP programs. Many applications using standard expert system tools have however suffered problems in dealing with control and safety loops.

9. Second generation automated HAZOP

The HAZEX program was developed in the late 1980s to support the qualitative approach to risk assessment based on HAZOP analyses, which was adopted as a preferred approach to preparation of safety case reports in response to the Seveso directive (Taylor et al., 1987). HAZEX constructs safety barrier diagrams automatically from the HAZOP tables, so that LOPA analysis could also be carried out automatically.

In 1989 the author was requested to review the quality of the HAZOP studies and to provide a quantitative risk assessment for 18 plants, including two refineries (Taylor and Vangsted, 1992). Manual checking of so many plants would quite obviously be very difficult, and automated analysis was therefore applied.

The approach used was based on the observation that human safety analysts do not generally use disturbance propagation tracing when performing a HAZOP. The causes and consequences identified are usually either local to a node, or are described in a generalised way, such as "high temperature from upstream equipment". Disturbance propagation identification is thereby achieved because HAZOP workshop participants generally have an overview of where specific disturbances can originate. The advantage of this is that this overview can be accessed with very little effort. The disadvantage is that the overview may be less than perfect. An example which arose early in the application of the approach was that of a batch reactor for an exothermic reaction. For safety, two cooling water pumps were provided, one powered from an uninterruptible supply. It was found that both pumps were supplied from a cooling water pond via the same PVC piping, which was not however shown on the P&ID (as a result, questions for this kind of problem were included in the knowledge base for utility failures).

Fig. 5 – HAZEX component model abbreviated example for selective copy and paste.

The format for the HAZEX program knowledge base was made the same as the format for recording HAZOP results. This allowed a library of HAZOP analyses to be built up by combining results from some 40 earlier HAZOPS and scenarios from about 800 well documented accidents. For consistency, a “merge” facility for HAZOPS of similar component types was made, using semantic analysis of the language used. The approach used in HAZEX is in principle no different from many of the expert system programs used for automating HAZOP (e.g. HAZOPex by Heino et al., 1989; Karvonen et al., 1990). However the knowledge gathering process is somewhat simpler for HAZEX, as the main work has earlier been done by HAZOP teams and their results can be transferred to the knowledge base with just a little effort to ensure consistency of terminology.

The automated HAZOP then functioned as an intelligent copy and paste program without disturbance propagation evaluation. For each node and each disturbance a corresponding library HAZOP analysis appropriate to the equipment type and the materials processed is selected. Questions included in the library reference HAZOPs are posed to the analyst, such as “Is the fluid flammable?”. An answer of “No” allowed a branch of the HAZOP cause or consequence trees to be deleted. The questions “Does this answer apply for this entire unit?” and “Does this answer apply to the entire plant?” allow answers to be stored, and avoided the software posing the same questions more than once.

One of the advantages of this approach is that it does not require redrawing of the process plant, only a listing of the plant components and possibly a recording of operating and design pressures for vessels.
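The answer-scoping mechanism just described, as an added example (not HAZEX code, and not the paper's): a generic cause tree in a notation constructed after the description of Fig. 5 (annotations in square brackets, parameters in angle brackets), answers stored at component, unit or plant scope, an “Always repeat” flag, and deletion of a branch on a “No”, as in the interactive dialogue of Section 11. The tree text, the “[Q: …]” and “[Q!: …]” forms, the valve tags and the team's replies are all constructed for the illustration.

```python
"""Selective copy and paste over a generic HAZOP cause tree (added illustration, not HAZEX).
Notation is constructed after the page's description of Fig. 5: a textual tree, annotations
in [square brackets], parameters in <angle brackets>. "[Q: ...]" is a question shown to the
team, "[Q!: ...]" an "Always repeat" question; other annotations stay hidden until requested.
"""
import re
from dataclasses import dataclass, field

GENERIC_TREE = """\
High pressure in <component>
  Blocked outlet [Q: Can a pump run against <component> when it is closed?]
    Overpressure of upstream piping [photo: constructed-ref-1]
  Thermal expansion of trapped liquid [Q: Is the fluid flammable?]
    Pool fire on release [guide: fireproofing]
  Pyrophoric ignition on opening [Q!: Can there be pyrophoric residues in this vessel?]
    Flash fire during maintenance [guide: inerting-before-opening]
"""
ANNOTATION = re.compile(r"\[([^\]]*)\]")
PARAMETER = re.compile(r"<(\w+)>")


@dataclass
class Node:
    text: str                                   # cause phrase, parameters not yet filled
    question: str = None                        # gate shown to the team; None = no gate
    always_repeat: bool = False                 # never served from the answer store
    hidden: list = field(default_factory=list)  # annotations shown only on button click
    children: list = field(default_factory=list)


def parse_tree(text):
    """Indented text (2 spaces per level) -> list of root Nodes."""
    roots, stack = [], []                       # stack holds (depth, node)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        depth = (len(raw) - len(raw.lstrip(" "))) // 2
        node = Node(text=ANNOTATION.sub("", raw).strip())
        for ann in ANNOTATION.findall(raw):
            if ann.startswith("Q!:"):
                node.question, node.always_repeat = ann[3:].strip(), True
            elif ann.startswith("Q:"):
                node.question = ann[2:].strip()
            else:
                node.hidden.append(ann)
        while stack and stack[-1][0] >= depth:
            stack.pop()
        (stack[-1][1].children if stack else roots).append(node)
        stack.append((depth, node))
    return roots


def substitute(text, params):
    """Replace <parameter> items with the values for the component being analysed."""
    return PARAMETER.sub(lambda m: params[m.group(1)], text)


class AnswerStore:
    """Answers keyed by question text, valid for one component, one unit or the plant."""
    def __init__(self):
        self.answers = {}                       # (scope, scope_id, question) -> bool

    def lookup(self, question, component, unit):
        for key in (("plant", "*", question), ("unit", unit, question),
                    ("component", component, question)):
            if key in self.answers:
                return self.answers[key]
        return None

    def record(self, question, answer, scope, component, unit):
        scope_id = {"plant": "*", "unit": unit, "component": component}[scope]
        self.answers[(scope, scope_id, question)] = answer


def expand(nodes, params, store, ask, asked):
    """Walk the tree for one component; a stored or fresh "No" deletes the whole branch.
    ask(question) -> (bool, scope) stands in for the team's answer plus its reply to the
    supplementary "does this apply to the unit / plant?" question. Returns kept phrases."""
    kept = []
    for node in nodes:
        if node.question is not None:
            question = substitute(node.question, params)
            answer = None if node.always_repeat else store.lookup(
                question, params["component"], params["unit"])
            if answer is None:                  # not stored, or marked Always repeat
                answer, scope = ask(question)
                asked.append(question)
                store.record(question, answer, scope, params["component"], params["unit"])
            if not answer:
                continue
        kept.append(substitute(node.text, params))
        kept.extend(expand(node.children, params, store, ask, asked))
    return kept


def demo():
    """Two block valves in one unit (constructed tags). The flammability "No" is stored at
    unit scope, so XV-102 is not asked again; the pyrophoric question is re-asked despite
    a plant-wide answer. Returns (kept phrases per valve, list of questions asked)."""
    store, asked, tree = AnswerStore(), [], parse_tree(GENERIC_TREE)

    def team(question):                         # constructed replies from the HAZOP team
        if question.startswith("Is the fluid flammable"):
            return False, "unit"
        if question.startswith("Can there be pyrophoric"):
            return True, "plant"
        return True, "component"

    results = {}
    for tag in ("XV-101", "XV-102"):
        results[tag] = expand(tree, {"component": tag, "unit": "U-1"}, store, team, asked)
    return results, asked
```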

The approach allowed very fast completion of 14 HAZOP studies with a total of just 4 man months effort for one person for 54 plant units (Taylor and Vangsted, 1992). This would normally take a HAZOP team at least 12 months. It should be noted though that there was no obligation to provide risk reduction proposals for the single person making the semi-automated analysis.

The kind of automated analysis used had by definition 100% historical completeness (unless mistakes are made in button pressing), since the historical accident database used to support modelling was a part of the generic HAZOP library used. The history of accidents and near misses has been tracked over the subsequent 24 years. One accident with offsite consequences occurred, a release of nitric oxide necessitating a shelter in place alarm. This was not predicted in the HAZOP studies because of scope restrictions applied to the studies on the inventory sizes to be analysed.

For the 14 plants studied the historical completeness of manual HAZOPs carried out by the companies or their consultants was determined to vary from 80% to 95%, with one outlier at 45% (Taylor, 2012).

As a check of the stability/quality of the knowledge base the study was repeated in 2014 using the same plant data, but a more recent generic HAZOP model library. 82 new possible scenarios were identified for the 14 plants. This corresponds to an increase in completeness of the automated analyses of about 0.25%. From this it is surmised that the completeness of the semi-automated analyses is about 99.75%. However, later versions provide for a deeper identification of hazard causes e.g. for specific corrosion types. Completeness at the more detailed level has not, so far, been validated.

The notation used for the HAZEX component models was different from the ELAN models used for disturbance propagation. Both the check list and the analysis results are stored as textual trees, as shown in Fig. 5.

The items in square brackets are annotations. Apart from the questions, the annotations are not shown to the user except in response to button click requests. The items in angle brackets are parameters, which are replaced automatically by specific values during the analysis.

Several things can be seen from the example. Firstly, it is coded in language which operators can easily understand and augment. Secondly, it is fairly easy to include human factors issues. Thirdly, the example describes a HAZOP for a single block valve, something that would hardly ever be done in a normal manual HAZOP, and which is not done in the examples of automated HAZOP which were reviewed for this paper. Fourthly, there are a lot of questions.

This level of detail illustrated by the example would be very frustrating even for a professional HAZOP team if all the questions needed to be asked at every stage. However the program is organised so that it is rarely necessary to repeat a question. Firstly, the HAZOP facilitator's favourite phrase, “see above”, is automated in HAZEX so that an appropriate list of “above” components is found, and the reference can be made explicit. Secondly, a button is provided to allow particular component analyses to be stored as reference copies, and to be used in preference. Selection for copying is checked for component type, for fluids handled and, if data are available, for pressure and temperature.

In addition, for every question asked, a further supplementary question is asked — Is this answer universally applicable, or for this unit only, or for this component only. An example is “Can there be pyrophoric residues in this vessel” and if yes then “Does this apply for all items of equipment in this unit”. Some care is needed with this kind of facility, and some questions are marked “Always repeat” because of the danger of overlooking a hazard.

In addition to these features for copying, many of the questions can be answered automatically since design and operating pressures and temperatures, and materials processed, are usually input to the software by the scribe prior to the HAZOP workshop.

The notation from Fig. 5 was for many years used by the author for HAZOP recording but as more operations managers and designers became used to using commercial HAZOP tools, they increasingly rejected the “strange” notation. This problem was solved by making the program interface very similar to the most common commercial HAZOP recording software. The tree structuring is hidden (as a result, the production of safety barrier diagrams and automated LOPA analyses appear rather magical to the user).

The annotations in the generic HAZOPs do not just provide questions to be asked. Case histories of accidents, photographs of earlier incidents and risk reduction design guides can be called up as needed by a single button click.

Note the ease with which human factors concerns can be introduced into an analysis when using this approach. This may be undesirable for some analyses because of the work it entails. We found that it was desirable to switch off the facility for in depth analysis both for human factors and for details of component failure causes at the third level once they had been identified as generically applicable.

10. The importance of quantitative judgements

The models underlying nearly all automated HAZOP methodologies are discretised (finite state) models. The discretisation is quite crude, often just low, normal and high states being considered. Situations often arise in manual HAZOP where some quantitative judgement is required, e.g. can the pressure from a dead headed (blocked discharge) pump result in a pump explosion. In manual HAZOP such questions are generally answered by experience, simple reasoning in obvious cases, or by special calculations, often carried out outside workshop meetings. Excel spreadsheets have been made available which allow some of the most frequent calculations to be made. The QRA Pro program, originally intended for consequence calculation and mapping, was also developed to support HAZOP, including some process and fluid flow calculations and design calculations for safety measures. Interactive HAZOP analysis described below allows the HAZOP to be interrupted when quantitative questions arise and for the computer to ask the HAZOP team for a judgement or a calculation.

As an example, consider the equipment arrangement in Fig. 6a. An increase in flow resistance in the heat exchanger, for example due to fouling, will give a high back pressure at the pressure sensor. However it will not be able to cause reverse flow. Consider now configuration 6b, in which the supply pressure from source B is higher than that from source A. Increase in flow resistance in heat exchanger 3 will again be able to cause high pressure at exchanger 1, but if the increase is too high, reverse flow will occur from source B to source A. The flow through exchanger 1 will be zero if

Pressure B/pressure A = (resistance 2 + resistance 3)/resistance 2.

Fig. 6 – (a) Back pressure due to flow resistance and (b) back pressure leading to low flow or reverse flow.

Any pressure ratio greater than this will cause reverse flow. Any fault tree algorithm which just works in terms of “high pressure” for these examples will introduce many cases of spurious “reverse flow”. RIKKE and HAZEX avoided these problems by distinguishing different kinds of high pressure: simple high pressure from upstream sources, back pressure in the engineering sense, and reverse pressure due to high pressure downstream sources. This reduces the number of spurious hazards arising in the analysis but still leaves a need for solving quantitative issues such as the equation given above. In HAZEX the user is asked to resolve such issues. Configurations which are in principle like this have been involved in gas field manifolds, and in plant air systems which use compressed nitrogen as a backup and in several other accident types. There are many other configurations in which calculations are required, and careful model coding is needed to ensure that the analyst is only required to answer such questions where the issues are real ones.

The example shows that causes can be identified more precisely if the disturbance description phrases are coded to indicate the source of the disturbance. The phrases high pressure, high back pressure and reverse pressure could all have been termed just high pressure. The resulting fault tree would be just as complete as with the coding shown, but the discrimination of the analysis would be much poorer. Examples can be found where 100% extra spurious causes are found in the absence of source coding.

For fully automated HAZOP, such quantitative judgements must be resolved by assuming the worst case, which means that the degree of discrimination is reduced and the results must be reviewed after completion to avoid nonsensical conclusions. McCoy et al. integrated calculation of consequences with automated HAZOP in the AutoHAZID program (e.g., McCoy et al., 2000) and also in Janošovský et al. (2016).

The ELAN notation described above was extended to allow mathematical expressions in the state terms, effectively transforming ELAN into a hybrid logic system. The feature has so far only received limited use (to support human error simulations) and for analysis of a gantry crane system.

11. The importance of interaction with the HAZOP team

One of the major problems of fully automated HAZOP is that it requires an extensive collection of information before analysis begins. This does not just require gathering of P&IDs. McCoy et al. (ref.) list 44 items of information which may be required for each component (some items are needed only for some component types). In manual HAZOP this information is provided as needed, by reference to P&ID notes, to process flow diagrams and mass and energy balance tables, or from memory.

The hopelessness of trying to provide sufficient information a priori to a fully automated HAZOP program is illustrated by the following examples.

An operations supervisor noted in a HAZOP analysis of a three phase crude oil/water/gas separator, that the separator was overloaded so that there was a limited carry over of water into the crude oil. This affected transfer and recycle pumps at the downstream stripper column, and the water caused failure of pump seals after about one month's operation. Such knowledge is only available from experience, usually from operations staff.

In another plant, the designers had provided blanking plates (slip plates) after the drain valve for every maintenance drain. The purpose was to prevent leaks and the resulting pollution load from passing valves. An operations supervisor noted that this was prohibited by the plant design rules because it entailed that maintenance workers would be exposed to highly volatile light crude oil when removing the blanking plates, and possibly also trapped pressure. Injuries from fire would be relatively likely.

Issues like this may appear minor, but if automated HAZOP cannot allow operators to identify problems which are troubling in their everyday activities, they will reject the

Fig. 7 – Multi product distillation unit used for validation of HAZOP, AEA and automated HAZOP. The symbol at the top of
the diagram represents the operating procedure (Taylor, 1979a, 1979b).

methodology. This observation is not just theoretical, automated HAZOP analysis was rejected by companies on three occasions during the early industrial evaluation of the HAZEX program, precisely for this reason.

There is no process other than manual HAZOP which would allow the kind of detailed information for the examples above to be gathered. It is only when operators confront designers and safety engineers to discuss plant safety and operability on an item by item basis that the need for such information is even recognised.

The importance of the HAZOP process in safety management, and the need for authority in making risk reduction proposals, means that the HAZOP workshop is unlikely to be abandoned. The poor discrimination of fully automated HAZOP also ensures this. An interactive form in which the software proposes deviations, causes and consequences has proved much more successful with practicing engineers and operators. A typical dialogue is:

Computer: Can blow-by occur due to level control valve failure?

HAZOP team: Yes

Computer: Is the blow-by pressure sufficient to cause rupture downstream?

HAZOP team: Yes

Computer: Are the fluids in the vessel flammable?

HAZOP team: Yes

Computer: Does this answer apply for all pressure reductions in the unit?

HAZOP team: Yes

These questions are derived from the annotations in the ELAN or the cause tree coding of component models (Figs. 2 and 6). It can be seen that the software performs like a rather terse HAZOP facilitator. However the human facilitator is still needed to organise the work flow, to moderate discussions about risk reduction, to set standards for clarity and completeness and to pace the work. It is important that the team can bypass the automated analysis, and add information freely, even though this does interfere with standardisation of the terminology in the final result.

This approach has recently been applied in ten analyses that were monitored by video cameras. It was found that the effort involved in performing the analysis itself was reduced by about a factor of three compared with manual analysis. However the effort in selecting risk reduction measures was mostly unchanged or perhaps slightly increased. Most of the savings in time were identified as being due to avoidance of delays in recording and cross referencing.

A major advantage of the semi-automated approach when compared with manual analysis is that a full consequence analysis is easily obtained, all the way to injury, fatality, plant damage and environmental damage. These aspects are very often poorly reported in industrial HAZOP analyses. One of

Fig. 8 – Algorithm for automated action error analysis.

the effects of this improvement is that the full information becomes available for LOPA and SIL studies.

12. Validation of automated HAZOP

The RIKKE program was developed in the late 1970s as part of a project to validate hazard identification methods, especially HAZOP and action error analysis, as part of the national preparation for what later became the Seveso regulations. The approach made was to define the methods, to use them in the design of a chemical plant, to take part in the pre-commissioning audit and the commissioning itself and to follow the fate of the plant over a number of years.

The manual HAZOPs were carried out by a team of four, the automated analysis by one person. Manual and automated HAZOP results were compared for the multi-product distillation unit (Taylor and Olsen, 1983). The manual analysis identified 98 significant accident scenarios. The automated analysis identified an additional 5 scenarios, of which one occurred in reality during the first year of operation, fortunately mitigated by the safety measures derived during the analysis. Two additional scenarios were not identified, but occurred during commissioning. Taylor (1982a, 1982b) describes the reasons for not identifying the six scenarios.

In all it was considered that the automated analysis was a technical success at an industrial scale, but the cost was high because of the cost of redrawing the P&IDs. The effort for semi-automated (i.e. interactive) analysis was comparable with that for the manual analysis. Also, as noted above, the discussion in the HAZOP team was necessary for most of the risk reduction proposals.

The second generation analysis methods were effectively validated by application to the 18 Danish major hazards plants, the follow up of these over 24 years, and the recent repeat analysis using third generation techniques.

McCoy et al. (2000a) performed validation studies on several industrial plant units modelled at close to full industrial scale, carrying out manual analyses and then automated analyses using the AutoHAZID program. The report states “the current version of AutoHAZID, when applied by users other than the developers, finds some 33–60% of [the manually discovered] scenarios”. Note that this trial was more realistic than those for the RIKKE and HAZEX programs because it was applied by persons other than the developer.

The work by McCoy et al. (2000a) was very openly published and their examples have since been used as bench marks for performance assessments of automated HAZOP analyses.

The analysis for the multi-product distillation unit, originally used in the validation studies for HAZOP and action error analysis (Taylor et al., 1982), was revisited using the third generation technique in HAZEX (see Fig. 7). The original automated study using RIKKE covered five deviations which were found by manual HAZOP to be potential causes of significant accidents. Table 1 gives a comparison of the numbers of causes found by the different analysis approaches. The very large number of new risk reduction measures corresponds to changes in safety engineering practices over 34 years and especially new possibilities in human machine interface design.

The third generation analysis methodology described below was validated against ten modern (2005–2014) HAZOPS for large industrial systems (100–300 nodes) completed by professional teams for plants in the oil and gas industry. No scenarios identified by the teams were absent in the (semi-)automated analyses, and the average risk weighted historical completeness for the manual analyses was 98%. Again, the historical completeness for the semi-automated analyses was 100%. The manual and automated analyses were not independent since the author was facilitator for the manual analyses and for the software. However the automated analyses were not performed until a few years after the manual analyses, and the model database used for the automated analysis was that from before the manual analyses were carried out.

The number of disturbance causes found gives rise to questions about the soundness of manual HAZOP. It should be expected that manual HAZOP analysis would not be complete for a batch process, and the basis for comparison should preferably be the 183 causes found by manual HAZOP together with manual action error analysis. Nevertheless, the semi-automated analysis found 70% more potential causes, and 16% additional valid risk reduction recommendations. It also raises the question of whether any improved manual HAZOP process could handle 312 disturbance causes for a single P&ID drawing in a practical way.

The difference between detailed HAZOP and normal level HAZOP also raises questions about the objectives of HAZOP. Consider the example of the HAZOP disturbance “Loss of containment” which is used in many cases. A typical cause for this is “corrosion”. There are hundreds of different types

Table 1 – Number of significant disturbance causes found for the system in Fig. 7.

| Analysis approach | No. of hazard causes identified | Effort (man hours) | No. of design changes made |
|---|---|---|---|
| Manual HAZOP (1981) | 52 | 25 (9 vessels) | 9 |
| Action error analysis (1981) | 131 | 45 (15 steps) | 22 (additional) |
| Hazard check list (1981) | 1 (additional) | 2 | 1 (additional) |
| Pre commissioning and commissioning audit | 20 | 128 (4 days, 4 persons) | 20 (additional) |
| Found in operation | 3 | – | 3 |
| Automated HAZOP analysis using interactive 1st generation method (RIKKE 1982) | 146 | 32 (4 days) | 7 (additional) |
| Automated HAZOP and action error analysis using 2nd generation method (HAZEX 2016), failure and error mechanisms only | 312 | 10 | Additional 14 possibilities identified |
| Automated HAZOP and action error analysis using 2nd generation method (HAZEX 2016) with detailed failure and error causes | 682 | 4 additional | Additional 22 possibilities identified |

of corrosion, about 15 of which are fairly common. One is “rapid corrosion due to incorrect material”. An example of this occurred in a chlorine plant, where a hose reinforced with stainless steel was installed instead of one using Hastelloy, which appears identical. The hose failed rapidly releasing 48,000 pounds of chlorine. There were several similar incidents (CSB, 2003).

Safety measures for this kind of accident are straightforward: proper ordering administration, properly labelled storage and positive materials identification using an instrument. As can readily be seen, identification of such possibilities at critical locations can lead to significant risk reductions. However, investigating so deeply during a manual HAZOP is not practical — the current check list for deep cause analysis for process plant gives over 300 cause types, with typically ten being applicable for each cause at the usual manual HAZOP level, and with typically 3–4 risk reduction possibilities for each (Taylor, 2014). It is possible to review such possibilities using the HAZID procedure, which considers possible hazards at the entire plant or unit level (ISO, 2000). However this does not always relate the problem to a specific equipment and plant state. Automated analysis allows this kind of analysis within the scope of HAZOP, and can apply appropriate questions with a minimum of effort. Application within a very large natural gas liquids and desulphurisation plant, in a HAZID workshop of ten persons, took four days. Some kind of linking between HAZOP and deep HAZID seems desirable.

In the published literature on automated HAZOP only two true validation studies were found (Taylor and Olsen, 1983; McCoy et al., 2000a). However there is one demonstration exercise, the nitric acid cooler from Lapp and Powers (1975), for which several solutions have been published. A comparison was made for these (Taylor, 2016). The number of initiating events in the fault trees is compared in Table 2 (all had additional events concerned with the control loops and safety loops but these were similar for all).

The differences at the component failure mode level are the most comparable; some of the analyses also gave a few failure mechanisms.

13. Dynamic systems and human error

One of the limitations of modern manual HAZOP is that it assumes steady state operation (except for a limited study of start up in some analyses). Actually, the original Chemical Industries Association guideline provided a method for per-

Fig. 9 – Example of output from automated HAZOP for an equipment and parts management system.

forming batch process HAZOP and this has been automated by several groups (e.g. Galluzzo et al., 1999; Palmer et al., 2008; McCoy et al., 2004; Noh et al., 2001). Several authors have published papers on methods for “Human HAZOP” (Ellis and Andrew Holt, 2009) and of automating such analysis (Taylor and Olsen, 1983; Palmer et al., 2005).

Table 2 – Comparison of results (number of initiating events) for several fault trees.

| Source | Number of initiating events/modes |
|---|---|
| Lapp and Powers | 28 |
| Wang | 22 |
| Mullhi | 22 + 4 involving reverse flow |
| HAZEX failure mode level | 30 |
| HAZEX failure mechanism level | 51 |

The original RIKKE studies included implementation of automated HAZOP and action error analysis. This method takes procedure steps and considers error modes which can occur in each step (the method can also be applied to monitoring and supervisory processes). Each error mode is considered as a failure cause at the human machine interface component accessed in a procedure. The original error modes used in Taylor (1979a, 1979b) were:

• Omission
• Too long/not long enough
• Wrong object
• Too early/late
• Inadequate precision
• Wrong action, procedure, plan
• Too much/little force
• Wrong sequence
• Unwanted action
• Too much/too little material
• Repetition
• Correct action with latent hazard
• Too slow/fast
• Wrong direction

Recently methods for quantifying human error probabilities in action error analysis have been developed (Taylor, 2015, 2016). Error causes are identified using a checklist of physical and cognitive error mechanisms, error forcing conditions and performance influencing factors. Quantification is important because there are usually hundreds of human error possibilities, and it is important to focus on the more probable.

The algorithm for automated implementation of action error analysis is shown in Fig. 8. Notable is the inclusion of identification of latent hazards, which is traditionally difficult to carry out in steady state HAZOP. Use of automated HAZOP for batch analysis and procedure safety implies that component models must include modelling for normal operation in order to investigate a full sequence of plant states. For example, hot distillation products may be transferred to a tank that contains a residue of gasoline or water, giving a rapid phase transition explosion. In order to model this however the modelling of opening the valve in the transfer line and starting the transfer pump needs to be made.

Step 14 in the algorithm involves searches for error mechanisms. These are levels in the causal search for which different preventive mechanisms are needed. Taylor (2015) identifies 67 frequently occurring error mechanisms. Tracing root causes involves many more. There are typically also 4–6 action error modes for each step. This would give close to 7000 potential causes for a 20 step procedure from human error alone. This begins to challenge even automated analysis, and would certainly challenge anyone trying to read the analysis. Fortunately, the mechanisms are generally repeated throughout a procedure, and even throughout a plant, so that it is rare to have more than the 67 possible causal mechanisms to consider for the first error mode, the rest of the analysis being repetitive. The algorithm needs to keep track of these commonalities in order to avoid repeating questions and making the analysis intractable.

14. Application to information processing and organisations

HAZOP has been applied for computer systems since the early 1980s (see e.g. Redmill et al., 1999). Vasileios (2016) described a very pure approach to HAZOP for information processing systems, going back to the roots in identifying parameters and parameter deviations in information systems.

Automation of HAZOP for information and organisational systems is straightforward when it is based on graphic systems descriptions such as SADT, various UML diagrams, GRAFCETs, etc. An example of results is given in Fig. 9 for an equipment and parts management system.

Modelling for information processing and for organisational systems is not straightforward. One approach is to regard information processes as components and to standardise these. In the example above the information process is to receive a request, check its correct form, check the feasibility of response, and then answer the request. This component can be called “Respond to request for physical item(s)”. Building up a library for such generic information processing components is demanding but can be done. A list of over 60 information processing types was developed, which is obviously not a complete set, but was sufficient for the analyses performed so far.

Another approach is to regard information processing as generating and interchanging messages. A message can be regarded as an entity relation structure, and the parameters are identity of the entities, the values of their properties and the inter-entity relations. The HAZOP guide words can be applied to these. In the parts management system above for example, the request message can have a wrong item name or wrong number of items requested, as well as the traditional message omitted, message too late, message duplicated etc. To allow this approach to HAZOP analysis the processing needs to specify not only the processing structure, i.e. the processes generating and receiving the messages, but also the entity relationship diagrams for the message content.

15. Third generation methods

By now most of the problems with manual HAZOP are well known. The most important are:

• It is expensive in terms of money and more importantly in engineer time. HAZOP can become a part of the critical path to project completion.
• The results are not complete, between 2 and 20% of accident scenarios are typically overlooked, even at the component failure mode level.
• Manual HAZOP is quite difficult and very time consuming for procedures and for human error.

Semi-automated HAZOP has been demonstrated to provide better HAZOP quality under some conditions, but also has sig-

nificant problems. Third generation methods are intended to remove or reduce these problems.

The first problem to be solved in gaining acceptance for automated HAZOP is that it should be applied to the original process drawings, especially P&IDs. Working engineers reject out of hand any analyses based on simplified drawings made for automated HAZOP purposes. One approach to solving this problem would be to include automated HAZOP into commercial CAD systems. The approach taken for HAZEX has been to allow input of CAD files to the software, and to construct intelligent versions by means of pattern recognition on component symbols, interconnections and annotations. The reason for this choice was the number of commercial CAD programs in use, and the fact that none of them could handle a large number of drawings at the same time, as needed for some disturbance propagation tracing and most sneak path tracing. Linkages between drawings are managed by interpreting off page connection symbols.

The third generation implementation of HAZEX uses primarily the successful interactive selective copy and paste approach to hazard identification, but disturbance propagation tracing was included because it is useful in finding safety equipment tag numbers and in supporting tracing of consequences across multiple drawings and searching for latent failures in action error analysis.

One of the problems in manual HAZOP is that of lack of knowledge. This is responsible for a large fraction of the oversights in manual HAZOPs. To overcome this an extensive library of accident reports was developed, organised to be directly indexed by HAZOP terms. The knowledge base now contains several thousand accident reports. The database

locked closed. The discrimination level for automated design review of this kind is generally low, which means that the method should preferably be applied interactively, with a human analyst able to discriminate between true design and drawing errors, and those which are suggested “to be on the safe side”.

A trial organised by the European Space Agency showed a significant improvement in completeness in identification of design errors when compared with a human team carrying out design review (increase in number of significant problems found by 250%). This was achieved at the cost of a poor discrimination level of only about 30%, that is 70% of the suggested design errors had to be rejected by inspection. Nevertheless, the computerised analysis took only 7 days, including time for redrawing the circuit diagram, the analysis itself and the post analysis review, whereas the manual analysis took 2 months for a two man team (Dore and Taylor, 1994).

16. Other utilisation potential for HAZOPS

A system diagram together with equipment models for HAZOP constitutes a discrete event simulator (which can be extended fairly easily to become a hybrid simulator). Uses which have been explored for use of the models include:

• Generation of alarm patterns to support alarm minimisation and management (see e.g. Andow, 1973; Andow, 1980; Welbourne, 1968)
• Generation of confusion matrices, which show ambiguities in alarm patterns (similar alarm patterns generated by dif-
also includes photographs, extensive lessons learned and sug-
ferent initiating events)
gestions for risk reduction. It proved difficult to persuade
• Training simulators
engineers to read all the reports however. To overcome this
• Identification of problems in human-machine interfaces
problem the lessons learned database was integrated into the
HAZEX program so that appropriate examples of accidents,
lessons learned and risk reduction guides can be retrieved by It is conjectured that these kinds of applications will pro-
a single button click at just the time when they are relevant. vide a stronger motivation for automated HAZOP than just the
Two small additions to the third generation methodology simple saving in analysis effort.
were to provide software for making simple rule of thumb One of the main benefits though of forty years of research
quantitative calculations, such as those for expansion cooling, into automated HAZOP is a better understanding of hazard
and to include a database for initiating event frequencies and identification processes, their strengths and especially, their
safety barrier probabilities of failure on demand. This allows weaknesses.
automated completion of LOPA studies largely without effort.
A significant problem is how to deal with issues requiring 17. Conclusion
design review. In the early 1990s the author developed auto-
mated sneak path analysis for electrical and process systems Development of automated and semi-automated HAZOP has
(Dore and Taylor, 1994). Part of the sneak analysis method- gone through a difficult process over a period of 40 years, with
ology is the application of “clues” which are indications of many reinventions and much hard work, including five man
design or drawing errors. The system made use of logical state- years for the authors own group and an estimated over hun-
ments in a version of Prolog (see e.g. Quantrille and Liu, 1991) dred man years of effort overall. Practical application has been
which includes primitives for searching in intelligent electron- limited. It is disconcerting that of the authors own work the
ics drawings or P&IDs. A typical example is most successful in terms of quality and completeness has not
been the advanced disturbance propagation and modelling
[Are all block valves in series with PSV’s are marked locked
efforts, but rather an admittedly fairly sophisticated version
open?]
of copy and paste.
istype(thiscomponent, “pressure safety valve”), The main reason for the limited use of automation is the
realisation that HAZOP is much more than a process for pro-
isinseries(X, thiscomponent), istype(X, “block valve”) ducing safety analysis tables. It is a social process in which
engineers and operators interact, jointly contribute to safety,
not(ismarked(X, “LO”)), success. [A drawing error may have
achieve consensus and jointly take responsibility. Automated
been found.]
HAZOP will only be useful to working HAZOP teams if it sup-
Note that this coding in this example is not perfect, since ports all of these functions, or at least, does not get in the way
there may be two PSVs in parallel, one locked open and one of any of them.
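The sneak-analysis clue given under design review above, as an added example that is not the paper's or HAZEX's code (the real system used Prolog over intelligent drawings): the PSV block-valve rule transcribed into Python and run over a small constructed P&ID graph, first as the text states it and then with a refinement for the parallel-PSV case the text flags (one locked open, one locked closed). The graph model, the helper names and the component tags are assumptions.

```python
from collections import defaultdict

PSV, BLOCK_VALVE, VESSEL = "pressure safety valve", "block valve", "vessel"

# Assumed drawing model: (components, pipes). components maps tag -> (type, set of
# drawing marks such as "LO"/"LC"); pipes lists (tag_a, tag_b) connections. Only the
# PSV inlet side is modelled; outlets to a flare header are left out of the example.
def neighbours(drawing, tag):
    return [b if a == tag else a for a, b in drawing[1] if tag in (a, b)]

def inlet_path(drawing, psv):
    """Walk upstream from a PSV through block valves. Returns (protected component,
    block-valve tags in series): the paper's isinseries(X, psv) plus what is protected."""
    comps = drawing[0]
    valves, root, seen, stack = [], None, {psv}, [psv]
    while stack:
        for n in neighbours(drawing, stack.pop()):
            if n in seen:
                continue
            seen.add(n)
            if comps[n][0] == BLOCK_VALVE:
                valves.append(n)
                stack.append(n)
            else:
                root = n  # first non-valve component upstream, e.g. the vessel
    return root, valves

def psvs(drawing):
    return [tag for tag, (ctype, _) in drawing[0].items() if ctype == PSV]

def naive_clue(drawing):
    """Direct transcription of the clue: a block valve in series with a PSV that is
    not marked LO is reported. Returns (valve, psv, reason) tuples for human review."""
    comps = drawing[0]
    return [(v, p, "block valve not marked LO") for p in psvs(drawing)
            for v in inlet_path(drawing, p)[1] if "LO" not in comps[v][1]]

def refined_clue(drawing):
    """Same clue, but PSVs relieving one component form a group: an LC valve on a spare
    is accepted when another PSV in the group is fully locked open. Unmarked valves,
    and groups with no locked-open relief path at all, are still reported."""
    comps, groups = drawing[0], defaultdict(list)
    for p in psvs(drawing):
        root, valves = inlet_path(drawing, p)
        groups[root].append((p, valves))
    findings = []
    for group in groups.values():
        open_path = any(all("LO" in comps[v][1] for v in valves) for _, valves in group)
        for p, valves in group:
            for v in valves:
                if "LO" in comps[v][1] or ("LC" in comps[v][1] and open_path):
                    continue  # locked open, or a locked-closed spare beside an open path
                findings.append((v, p, "block valve not marked LO" if open_path
                                 else "no locked-open relief path"))
    return findings

# Constructed drawing: V-101 has a duty PSV (BV-1 marked LO) and an installed
# spare (BV-2 marked LC); V-102 has one PSV whose block valve BV-3 has no mark.
DRAWING = (
    {"V-101": (VESSEL, set()), "V-102": (VESSEL, set()),
     "BV-1": (BLOCK_VALVE, {"LO"}), "PSV-1": (PSV, set()),
     "BV-2": (BLOCK_VALVE, {"LC"}), "PSV-2": (PSV, set()),
     "BV-3": (BLOCK_VALVE, set()), "PSV-3": (PSV, set())},
    [("V-101", "BV-1"), ("BV-1", "PSV-1"), ("V-101", "BV-2"),
     ("BV-2", "PSV-2"), ("V-102", "BV-3"), ("BV-3", "PSV-3")])
```

On this drawing the naive rule reports BV-2 (the locked-closed spare, a false positive of the kind the text describes) and BV-3, while the refined rule reports only BV-3; either output is a candidate list for the human analyst to accept or reject, which is where the discrimination level is decided.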
If tools do support these "non technical" objectives, then automated HAZOP has much to offer. It can provide consistent or standardised terminology, better recording of consequences, a significant improvement in completeness, a much larger knowledge base than is usually available to even the best HAZOP team, and help in solving risk reduction design problems. It can also replace the overlapping LOPA and SIL review processes and provide them with experience based values for initiating event frequencies rather than the guesstimates which are often used.

Moving away from the traditional use of HAZOP, and considering LOPA, alarm management, human reliability analysis and HAZOP analysis of information processing systems, the case for automated HAZOP based on disturbance propagation analysis is far stronger. The sheer volume of work in alarm analysis procedures, for example, is daunting. This is not just a question of cost and time, it is a question of whether specialists can retain sufficient concentration to allow the work to have consistently high quality over a period of days and in some cases months. Also, completeness becomes even more important because oversights and errors in alarm system design can lead directly to accidents. Automated methods have been found to ensure consistency and greatly assist in achieving this quality.

If automated HAZOP is to be successful in general industrial use, developers will need to concentrate on the advantages in terms of completeness and in user support, such as providing lessons learned and risk reduction suggestions. They will also need to improve the level of discrimination, in order to lessen the need for manual review.

Perhaps the most important contribution from the efforts made to automate fault tree analysis and HAZOP is the increased understanding it has generated for the various hazard identification methods. Human beings are much better at holistic searching than the algorithms, and at integrating different kinds of logic, such as the relation between design error and accident physics, but the reasoning used by humans is the same as that used by the more advanced programs. The weaknesses of human hazard identification will be the same as the weaknesses of computer algorithms, plus a few extra because human reasoning is not always perfect.

References

Andow, P.K., 1973. A Method for Process Computer Alarm Analysis, Ph.D. Thesis. Loughborough University.
Andow, P.K., 1980. Real-time analysis of process plant alarms using a mini-computer. Comput. Chem. Eng. 4 (3), 143–155.
Andow, P.K., Ferguson, G., 1987. Expert systems and chemical process safety. In: Proceedings of the World Bank/AIChE/EPA Conference on Preventing Major Chemical Accidents, Washington D.C., USA.
CSB, 2003. U.S. Chemical Safety and Hazard Investigation Board (CSB). Investigation Report, Chlorine Release, No. 2002-04-I-MO (online), May 2003, www.csb.gov.
Cui, L., Zhao, J., Qiu, T., Chen, B., 2008. Layered digraph model for HAZOP analysis of chemical processes. Process Saf. Prog. 27 (4), 293–305.
Cui, L., Zhao, J., Zhang, R., 2010. The integration of HAZOP expert system and piping and instrumentation diagrams. Process Saf. Environ. Prot. 88.
Dore, B., Taylor, J.R., 1994. New Developments in Automation of Sneak Analysis. Proceedings of the Annual Reliability and Maintainability Symposium.
Ellis, G.R., Andrew Holt, A., 2009. A practical application of 'human-hazop' for critical procedures. IChemE Symposium Series No. 155 Hazards XXI.
Fussell, J.B., 1973. A formal methodology for fault tree construction. Nucl. Sci. Eng. 52, 421–432.
Galluzzo, M., Bartolozzi, V., Rinaudo, C., 1999. Automating HAZOP analysis of batch processes. Comput. Chem. Eng. 23 (Suppl. 1), S661–S664.
Haastrup, P., Olsen, J.V., Taylor, J.R., Damborg, A., Vestergaard, N.K., 1985. RIKKE Users Manual, ISBN-13: 978-87-550-1079-6, ISBN: 87-550-1079-2.
Heino, P., Suokas, J., Karvonen, I., 1989. Expert system for HAZOP studies. 6th International Symposium on Loss Prevention and Safety Promotion in the Process Industries.
Heusen, K., Lind, M., 2010. Representing causality and reasoning about controllability of multi-level flow-systems. In: 2010 IEEE International Conference on Systems, Man, and Cybernetics: Intelligent Systems for a Safe and Secure World, IEEE.
ISO, 2000. ISO 17776:2000(en) Petroleum and natural gas industries—offshore production installations—guidelines on tools and techniques for hazard identification and risk assessment.
Janošovský, J., Labovský, J., Jelemenský, L., 2016. Automated model-based HAZOP study in process hazard analysis. Chem. Eng. Trans. 48, AIDIC.
Karvonen, I., Heino, P., Suokas, J., 1990. Knowledge-based Approach to Support HAZOP Studies. Research Report. Technical Research Center of Finland.
Kelly, B.E., 1987. Computer-aided Fault Tree Synthesis, Ph.D. Thesis. Loughborough University of Technology.
Kelly, B.E., Lees, F.P., 1986a. The propagation of faults in process plants: 1. Modelling of fault propagation. Reliab. Eng. 16, 1–38.
Kelly, B.E., Lees, F.P., 1986b. The propagation of faults in process plants: 2. Fault tree synthesis. Reliab. Eng. 16, 39–62.
Kelly, B.E., Lees, F.P., 1986c. The propagation of faults in process plants: 3. An interactive, computer-based facility. Reliab. Eng. 16, 63–86.
Kelly, B.E., Lees, F.P., 1986d. The propagation of faults in process plants: 4. Fault tree synthesis of a pump system changeover sequence. Reliab. Eng. 16, 87–108.
Khan, F.I., 2005. Knowledge-based expert system framework to conduct offshore process HAZOP study. IEEE International Conference on Systems, Man and Cybernetics vol. 3, 2274–2280.
Khan, F.I., Abbasi, S.A., 1997a. OptHAZOP—an effective and optimum approach for HAZOP study. J. Loss Prev. Process Ind. 10 (3), 191–204.
Khan, F.I., Abbasi, S.A., 1997b. TOPHAZOP: a knowledge-based software tool for conducting HAZOP in a rapid, efficient yet inexpensive manner. J. Loss Prev. Process Ind. 10 (5–6), 333–343.
Khan, F.I., Abbasi, S.A., 1998. Techniques and methodologies for risk analysis in chemical process industries. J. Loss Prev. Process Ind. 11, 261–277.
Khan, F.I., Abbasi, S.A., 2000. Towards automation of HAZOP with a new tool EXPERTOP. Environ. Model. Softw. 15 (1), 67–77.
Lapp, S.A., Powers, G.J., 1977a. Computer assisted generation and analysis of fault trees. 2nd International Symposium on Loss Prevention and Safety Promotion in the Process Industries, 377.
Lapp, S.A., Powers, G.J., 1977b. A method for the generation of fault trees. In: Gangadharan, A.C., Brown, S.J. (Eds.), Failure Data and Failure Analysis in Power and Processing Industries. American Institution of Mechanical Engineers, p. 95.
Martin-Solis, G.A., Andow, P.K., Lees, F.P., 1977. An Approach to Fault Tree Synthesis for Process Plants in Loss Prevention and Safety Promotion in the Process Industries. Frankfurt: DECHEMA, Heidelberg.
McCoy, S.A., Wakeman, S.J., Larkin, F.D., Chung, P.W.H., Rushton, A.G., Lees, F.P., Heino, P.M., 2000a. HAZID, a computer aid for hazard identification: 3. The fluid model and consequence evaluation systems. Process Saf. Environ. Prot. 77 (6), 335–353.
McCoy, S.A., Wakeman, S.J., Larkin, F.D., Chung, P.W.H., Rushton, A.G., Lees, F.P., 2000b. HAZID, a computer aid for hazard identification: 4. Learning set, main study system, output quality and validation trials. Trans. IChemE 78 (Pt. B).
McCoy, S.A., Chung, P.W.H., Zhou, D.F., 2004. Computer-Aided HAZOP of Batch Processes. HAZARDS XVIII. Institution of Chemical Engineers.
Noh, M.Y., Lee, Y.S., Hou, B.K., 2001. Knowledge framework and algorithm for automating HAZOP analysis of batch processes. J. Kor. Ins. Chem. Eng. 39, 292–299.
Öhman, B., 1999. Failure mode analysis using multilevel flow models. Proceedings of the 5th European Control Conference.
Palmer, C., Chung, P.W.H., Zhou, D.F., McCoy, S.A., 2005. Automated identification of hazardous scenarios due to human errors in batch plant operation. IChemE, https://www.icheme.org/communities/special-interest-groups/safety%20and%20loss%20prevention/resources/~/media/Documents/Subject%20Groups/Safety Loss Prevention/WCCE/C29-001.pdf.
Palmer, C., Chung, P.W.H., Madden, J., 2008. A Rule-based System for Automated Batch HAZOP Studies, HAZARDS XX. Institution of Chemical Engineers.
Poucet, A., 1983. Computer Aided Fault Tree Synthesis. EC Joint Research Centre, ISPRA, EUR 8707 EN.
Powers, G.J., Lapp, S.A., 1976. Computer-aided fault tree synthesis. Chem. Eng. Prog. 72 (4), 89.
Powers, G.J., Tompkins, F.C., 1974a. Fault tree synthesis for chemical processes. AIChE J. 20, 376.
Powers, G.J., Tompkins, F.C., 1974b. A synthesis strategy for fault trees in chemical processing systems. Loss Prev. (AIChE) 8, 91.
Quantrille, T.E., Liu, Y.A., 1991. Artificial Intelligence in Chemical Engineering. Academic Press.
Rahman, S., Khan, F., Veitch, B., Amyotte, P., 2009. ExpHAZOP+: knowledge-based expert system to conduct automated HAZOP analysis. J. Loss Prev. Process Ind. 22, 373–380.
Redmill, F., Chudleigh, M., Catmur, J., 1999. System Safety: HAZOP and Software Hazop. Wiley.
Rossing, N.L., Lind, M., Jensen, N., Jørgensen, S.B., 2010. A functional HAZOP methodology. Comput. Chem. Eng. 34, 244–253.
Salem, S.L., Apostolakis, G., 1980. The CAT methodology for fault tree construction. In: Apostolakis, G., Garriba, S., Volta, G. (Eds.), Synthesis and Analysis Methods for Safety and Reliability Studies. Plenum Press, New York, p. 109.
Salem, S.L., Apostolakis, G., Okrent, D., 1975. On the automatic construction of fault trees. Trans. Am. Nucl. Soc. 22, 475.
Salem, S.L., Apostolakis, G., Okrent, D., 1977. A new methodology for computer-aided construction of fault trees. Ann. Nucl. Energy 4, 417.
Salem, S.L., Wu, J.S., Apostolakis, G., 1979. Decision table development and application to the construction of fault trees. Nucl. Technol. 42, 51.
Shafaghi, A., Andow, P.K., Lees, F.P., 1984. Fault tree synthesis based on control loop structure. Reliab. Eng. 8 (4), 193–233.
Suokas, J., Heino, P., Karvonen, I., 1990. Expert systems in safety management. J. Occup. Accid. 12, 63–78.
Taylor, J.R., 1975. Sequential effects in failure mode analysis. In: Reliability and Fault Tree Analysis. SIAM.
Taylor, J.R., 1979a. A Background to Risk Analysis. Risø National Laboratory.
Taylor, J.R., 1979b. Completeness and Discrimination of Hazard Analyses, Risø-M-2306. Risø National Laboratory, Denmark, http://orbit.dtu.dk/fedora/objects/orbit:91744/datastreams/file 25c7788e-7197-4636-87a8-151290bf6006/content (downloaded October 2016).
Taylor, J.R., 1981. Automatic fault tree construction with RIKKE—a compendium of examples, vol. 1. Basic models (Risø-M; No. 2311 (v.1 and v.2)). http://orbit.dtu.dk/files/55671609/ris m 2311.pdf (downloaded October 2011).
Taylor, J.R., 1982a. An algorithm for fault tree construction. IEEE Trans. Reliab. R-31, 137.
Taylor, J.R., 1982b. Fault Tree and Cause Consequence Analysis for Control Software, Risø-M-2326. Risø National Laboratory, Denmark.
Taylor, J.R., 1994. Developing safety cases for command and control systems. In: Technology and Assessment of Safety-Critical Systems. Proceedings of the Safety Critical Systems Symposium, Springer.
Taylor, J.R., 2014. Hazards, threats and consequences. In: The Application of Deep HAZID in Risk Management for Process Plant. ITSA.
Taylor, J.R., 2015. Human Error in Process Plant Design and Operation. CRC Press.
Taylor, J.R., Hollo, E., 1977. Experience with algorithms for failure analysis. In: Nuclear Systems Reliability Engineering and Risk Assessment. SIAM.
Taylor, J.R., Olsen, J.V., 1983. A comparison of automatic fault tree construction with manual methods of fault tree analysis. 4th International Symposium on Loss Prevention and Safety Promotion in the Process Industries, IChemE Symposium Series No. 80.
Taylor, J.R., Vangsted, E., 1992. A comparative evaluation of safety features based on risk analysis for 25 plants. In: 7th International Symposium on Loss Prevention and Safety Promotion in the Process Industries, AIDIC.
Taylor, J.R., Hansen, O., Jensen, C., Jacobsen, O.F., Justesen, M., Kjærgaard, S., 1982. Risk analysis of a distillation unit, Risø-M-2319, http://orbit.dtu.dk/files/88560585/ris m 2319.pdf (downloaded October 2016).
Venkatasubramanian, V., Preston, M.L., 1996. A perspective on intelligent systems for process hazard analysis. AIChE Symp. Ser. 92 (312), 160–171.
Venkatasubramanian, V., Vaidhyanathan, R., 1994. A knowledge-based framework for automating HAZOP analysis. AIChE J. 40 (3), 496–505.
Venkatasubramanian, V., Zhao, J., Viswanathan, S., 2000. Intelligent systems for HAZOP analysis of complex process plants. Comput. Chem. Eng. 24 (9–10), 2291–2302.
Viswanathan, S., Shah, N., Venkatasubramanian, V., 2000. A hybrid strategy for batch process hazard analysis. Comput. Chem. Eng. 24 (2–7), 545–549.
Wang, M., Chen, G., Fu, J., Li, W., 2012. Safety analysis approach of MFM-HAZOP and its application in the dehydration system of oilfield united station. In: International Symposium on Safety Science and Engineering in China, Elsevier.
Welbourne, D., 1968. Alarm analysis and display at Wylfa Nuclear Power Station. In: Proceedings of IEEE, U5 (11), November.
Wu, J., Zhang, L., Liang, W., Hu, J., 2017. A novel failure mode analysis model for gathering system based on Multilevel Flow Modeling and HAZOP. Process Saf. Environ. Prot. 91 (1–2), 1–158.
Zhao, J., Cui, L., Zhao, L., Qiu, T., Chen, B., 2009. Comput. Chem. Eng. 33 (1), 371–378.
