Components in a Hazards Analysis

A Hazards Analysis is made up of records and links as defined by the Hazards Analysis data model. Groups of records and links make up the main elements of the analysis.

A Hazards Analysis consists of the following components:

• Process: A series of actions that are performed by multiple pieces of equipment or locations in a single system.
• Risk: An event that might occur that threatens safety, either human or environmental.

• Scenario: For a given process, the combination of a risk and its risk assessment and the negative outcome associated with that event (e.g., human injury). You can define multiple scenarios for a single process.

  While at a high level a scenario is a combination of a risk and its risk assessment, each scenario can be broken down into the following more granular parts:

  • Deviation: A condition that deviates from the normal behavior of the process and directly leads to a risk.
  • What If: A condition that can potentially deviate from the normal behavior of the process and directly leads to a risk.
  • Cause: The event that results from the deviation and leads to a negative safety or environmental outcome.

  • Consequence: The negative safety or environmental outcome that results from the cause. Together, the cause and the consequence define the risk.

• Risk Assessment: Identifies the probability that the risk will have a negative safety or environmental impact and the severity of that negative safety or environmental impact.
• Safeguard: A system or device that prevents the risk from occurring or lowers the probability or severity identified by the risk assessment.

To define components for a HAZOP Analysis, the HAZOP Analysis team will:

• Review the hazardous processes that take place in a facility.
• Identify the steps in those processes that cause abnormal or unsafe results.
• Create records to represent the various scenarios for each process. These scenarios are the components of the analysis.

As part of defining the components, the HAZOP analysis team will:

• Assess the risk associated with the components.
• Determine actions that should be taken to mitigate the risk associated with the component and create records to represent those actions.

For example, assume the HAZOP Analysis team has discussed a process that is controlled by System 1A. During the discussion, the team describes the following scenario for System 1A:

When the pressure monitor stops working, the pressure switch is not triggered to open or close appropriately, causing hazardous chemicals to leak out of the connector, which may result in human injury. To prevent this condition, a toxicity detector is in place, which sounds an alarm when the toxicity levels in the facility reach a high-risk level.

To define this scenario within a hazards analysis, the team creates one record in each family described in the following table. The third column contains an item from the previous example and serves as a reference for the type of information that record represents in the HAZOP Analysis.

In addition to the records described in the table, the HAZOP Analysis team creates two Risk Assessments, where:

• One is linked to the Consequence to store the unmitigated risk value associated with the scenario without a safeguard in place. In other words, the team will define the risk value that is associated with that scenario without the toxicity detector.
• One is linked to the Safeguard to store the mitigated risk rank value of the scenario with that safeguard in place. In other words, the team will define the risk value associated with a scenario when the toxicity detector is in place.

Once all the safeguards that are available have been applied, the team determines if additional risk mitigation is required to meet tolerable level of risk. If the risk is to be mitigated further, then the team proposes one or more recommendations to reduce the risk to tolerable limits. A Recommendation created in a Hazards Analysis is called a strategic recommendation. It can be leveraged within a strategy to define Actions that will mitigate the risk further.

To define components for a What If Analysis, the What If Analysis team will:

• Hypothesize about the hazardous processes that take place in a facility.
• Identify steps in those processes that have the potential to cause abnormal or unsafe results.
• Create records to represent the various scenarios for each process.

As part of defining the components, the What If Analysis team will:

• Assess the risk associated with the components.
• Determine actions that should be taken to mitigate the risk associated with the component and create records to represent those actions.

For example, assume the What If Analysis team has discussed a process that is controlled by System 1A. During the discussion, the team defines the following scenario, which is a scenario that could occur.

When the pressure monitor stops working, the pressure switch is not be triggered to open or close appropriately, causing hazardous chemicals to leak out of the connector, which may result in environmental degradation. To prevent this condition, a toxicity detector is in place, which sounds an alarm when the toxicity levels in the facility reach a high-risk level.

To define this scenario within a hazards analysis, the team creates one record in each family described in the following table. The third column contains an item from the previous example and serves as a reference for the type of information that record represents in the What If Analysis.

In addition to the records described in the table, the What If Analysis team creates two Risk Assessments, where:

• One is linked to the Consequence to store the unmitigated risk value associated with the scenario without a safeguard in place. In other words, the team will define the risk value that is associated with that scenario without the toxicity detector.
• One is linked to the Safeguard to store the mitigated risk rank value of the scenario with that safeguard in place. In other words, the team will define the risk value associated with a scenario when the toxicity detector is in place.

Once all the safeguards that are available have been applied, the team determines if additional risk mitigation is required to meet tolerable level of risk. If the risk is to be mitigated further, then the team proposes one or more recommendations to reduce the risk to tolerable limits. A Recommendation created in a Hazards Analysis is called a strategic recommendation. It can be leveraged within a strategy to define Actions that will mitigate the risk further.

When you conduct a Hazards Analysis, you will assess the risk associated with a given hazardous scenario to help you determine what actions should be taken to prevent or lessen the consequences of that scenario. Using a risk matrix, you will specify the following risk rank values for each scenario:

• Unmitigated: The risk level associated with that scenario before any safeguards have been put in place. Based on this risk level, the analysis team may decide on the safeguards that would mitigate the risk. To do this, the team conducts a LOPA to determine if the safeguards that are currently in place reduce the risk to tolerable levels. For example, the team may create a Risk Assessment Recommendation to recommend that a safety system be put in place. The unmitigated risk rank is stored in a Risk Assessment that is linked to the Consequence.
• Mitigated: The risk level associated with that scenario after safeguards have been put in place. The safeguards lessen the risk of a hazardous scenario or prevent the scenario from occurring. Based on this risk level, the analysis team may decide that additional actions need to be taken to further mitigate the risk. The mitigated risk rank is stored in a Risk Assessment that is linked to the Safeguard.

To assess the risk associated with a scenario, you will create the following records:

• A Risk Assessment record, which will store the unmitigated risk rank value and is linked to the Consequence. The unmitigated risk rank value indicates the probability and consequence of the risk if it occurs.

• A Risk Assessment record, which will store the mitigated risk rank value and is linked to a Safeguard. The mitigated risk rank value indicates the probability and consequence of the risk occurring if:

  • The safeguard represented by the Hazards Analysis Safeguard is in place to mitigate the risk.
  • The safeguard is also an independent layer of protection (IPL).

When you create the Risk Assessments, if the Hazards Analysis for the current analysis is associated with a specific site, the Risk Assessment interface will display the Risk Matrix that is associated with that site. If the analysis is not associated with a specific site, the default Risk Matrix will be used.

An independent layer of protection is a system, action, or an item that mitigates the risk associated with a hazardous scenario.

All independent layers of protection are safeguards, but not all safeguards are independent layers of protection.

By default, the following criteria are required to be true for a safeguard to be considered as an independent protection layer:

• The safeguard must be independent of the initiating event such that a failure associated with the risk will not cause the safeguard to fail.
• The safeguard must be testable and verifiable using an industry standard (e.g., a risk based inspection).
• The safeguard must be specific in detecting a potential hazard and taking action to prevent the hazard from occurring.
• The safeguard must be capable and available at least 90 percent of the time.
• The safeguard must increase the Risk Reduction Factor (RRF) of the LOPA to a value greater than or equal to 10.

These criteria can be modified in the administrative settings for the LOPA administrative settings for LOPA. In HAZOP Analyses and What If Analyses, Safeguards that are independent layers of protection will store additional information about the risk reduction provided by the safeguard. For additional information about Safeguards and IPLs, refer to the LOPA section of the documentation.

When the Risk Assessment that will store the mitigated risk rank is created, the APM system will populate values in the Risk Assessment interface based on criteria defined in other records.

The APM system uses the relationship between the Consequence and the Safeguard to:

• Automatically populate the Risk Matrix with the unmitigated risk rank value that you specified in the Risk Assessment that is linked to the Consequence.
• Disable the cells in the Risk Matrix that represent a risk rank that is higher than the unmitigated risk.

Before you select a mitigated risk value, the unmitigated and mitigated risk values are the same, and the icon and icon appear in the same cell. When you select the mitigated risk value, the icon appears in the selected cell.

When you create a Cause or a Safeguard, you can link it to an Asset (a piece of Equipment and a Functional Location). Similarly, when you create a System/Node, you link it to one or more Assets. In addition to the Assets that you have linked to the System/Node, the APM system links the System/Node to the Assets linked to each Cause and Safeguard in the System/Node.

All the Assets linked to a System/Node form an Asset Group. This group is named in the following format: <ID of the Hazards Analysis>/<ID of the System Node> Asset Group. You can also access a list of these Assets in the Linked Assets section of a System/Node.

After you assess risk for a scenario in a hazards analysis, you can use that information in the SIS Management module as a Safety Integrity Level (SIL) Assessment for an instrumented function within an SIL Analysis.

Risk assessments from Hazards Analysis that are used in SIS Management in this way cannot be modified via SIS Management. If you want the changes that you made to a risk assessment in the Hazards Analysis module to also appear in the SIS Management module, you must assess the SIL value using the modified PHA Internal Risk Assessment.