Process Hazard Analysis

Details on Process hazard analysis

Uploaded by

Anandababu

Energy Practice

RISK ENGINEERING POSITION PAPER – 01

PROCESS HAZARD
ANALYSIS (PHA)

CONTENTS

1. Background

2. Objective

3. Scope

4. Specific Requirements

5. Stewardship of the PHA Process

6. References

7. Appendices

Appendix A: Industry Losses

Appendix B: Common PHA Techniques

Appendix C: Self-Assessment Checklist


1. BACKGROUND
Major accidents on energy sites have the potential
to result in hundreds of millions of dollars of physical
damage, present a danger to employees and the
local population, and can lead to significant business
interruption.

However, there are steps that can be taken to address major accident hazard (MAH)
threats and minimize the risk of a serious incident as part of a comprehensive process
safety management (PSM) program. A fundamental element of PSM, alongside others,
such as mechanical integrity or management of change (MOC), is process hazard
analysis, a key tool for understanding MAHs.

PHA encompasses several techniques to evaluate and control the hazards and risk levels
associated with process operations, to assess the suitability and effectiveness of existing
safety barriers, and to help determine whether additional barriers or risk mitigation
measures are needed. Therefore, the ineffective application or absence of PHA can
significantly increase overall risk levels, and as outlined in Appendix A of this paper, the
lack of a rigorous PHA program has been identified as a key contributing factor in several
major recent loss events within the energy industry.

Many of the PHA techniques discussed in this paper are considered to be well-established
within the industry, and have been standardized with templates developed
for their execution in many organizations. Each technique will have its own level of
suitability and applicability, depending on a site’s process maturity and complexity, as
well as its overall PSM philosophy and objectives. Yet, no two PHAs are the same. The
fact that a PHA is a team effort can lead to different outcomes depending on the PHA
technique used and the skills and experience of the PHA Leader and team members.


2. OBJECTIVE
The objective of this position paper is to define the key attributes that would be rated by Marsh as “very good” for a PHA process in the
oil, gas, and petrochemical industry. These attributes reflect those in the Marsh energy risk ranking criteria. They can be used to support
and define risk improvement recommendations, and also to provide detailed advice to clients seeking to improve their management
systems.

3. SCOPE
The scope of this position paper includes the development and application of a PHA process for carrying out periodic reviews of an
operating asset’s process safety studies, including those carried out as part of minor works or plant modifications. It is not intended to
define the key attributes of a PHA or the risk assessment process as part of a larger engineering, procurement, and construction (EPC)
project.

It should be noted that throughout this document, the term “site” is used to reference the part of the organization carrying out the PHA
process. Depending on the nature of the organization, this could be a single plant, multiple plants on the same site, or multiple sites.

Although this document describes techniques that can be used by a site to carry out a PHA, it is not within its scope to provide detailed
technique methodologies.

4. SPECIFIC REQUIREMENTS
There should be a comprehensive written policy and procedure governing the PHA process for each site as part of the site’s policy for the management of major hazards. Any corporate expectations for the PHA process should be communicated, made readily available to member sites, and incorporated as appropriate into the site’s policy and procedures.

The policy and procedure for the PHA process should define the following elements:

•• Objectives for carrying out a PHA.

•• The scope of the PHA.

•• The PHA technique to be adopted.

•• The key roles, responsibilities, and competence requirements for those involved in the PHA process.

•• Managing the PHA schedule.

•• The required documentation infrastructure to enable the PHA process to operate effectively.

•• The preparation required for the PHA.

•• The key steps in the PHA process.

SCOPE OF PHA STUDY

A PHA study should evaluate the following:

•• The process hazards.

•• The identification of any previous incidents that had the potential for catastrophic consequences.

•• Engineering and administrative controls applicable to the hazards and their interrelationships.

•• Consequences of the failure of these controls.

•• The broader considerations of facility siting.

•• Human factors that apply to the effective application of barriers or controls.

•• A qualitative evaluation of the effect of control failure on the safety and health of site employees.

According to the US Occupational Safety and Health Administration (OSHA), “The key provision of PSM is process hazard analysis (PHA) – a careful review of what could go wrong and what safeguards must be implemented to prevent releases of hazardous chemicals.” In the EU, the scope of the PHA study will be influenced by the Seveso Directive, the main legislation addressing the control of onshore MAH threats involving dangerous substances, and by the Safety of Offshore Oil and Gas Operations Directive [1].


THE PHA TECHNIQUE TO BE ADOPTED


Within this paper, the following definitions are used, recognizing that different organizations may have different interpretations of the
techniques discussed (refer to Appendix B for further detail on these and other commonly used PHA techniques).

TECHNIQUE | COMMENT

Hazard identification (HAZID) | Identification of significant hazards to ensure that there are appropriate measures in place to eliminate or reduce the risks to tolerable levels. Can be carried out once the basic process engineering design of a project or modification is known.

Hazard and operability study (HAZOP) | A rigorous line-by-line review, this requires the piping and instrumentation diagrams (P&ID) to be finalized with a good understanding of the safety barriers that need to be adopted as part of the project, or those already installed when restudying an existing plant. If done too early in the development of the P&ID, the HAZOP can quickly degenerate into a design review.

Process hazard review (PHR) | A rigorous system-by-system review designed to operate at a higher level than a HAZOP, applying learning gained during site operation to previous versions of the PHA or HAZOP.

Safety integrity level (SIL) analysis | An assurance assessment that safety instrumented functions (SIF) provide the required safety performance and integrity. Typically carried out in parallel with a HAZOP or PHR.

Hazard analysis (HAZAN) | A quantitative analysis of a known hazard, including equipment reliability and hazard frequency data. It is most effectively done on an operating plant with known performance data, rather than using data that is either theoretical or implied. A tool also often used for SIL analysis.

Layer of protection analysis (LOPA) | A semi-quantitative tool for analyzing and assessing risk. The timing would be similar to that for a HAZOP. Like HAZAN, it is a tool also often used for SIL analysis.

Bowtie analysis | Primarily a qualitative technique, this can be carried out once details of the safety barriers to be adopted/already employed are known, even though operating data, including that for human factors, may not yet be available.

Failure mode and effect analysis (FMEA) | A systematic, typically qualitative, and methodical tabular technique for evaluating and documenting the causes and effects of known types of component failures.

“What if” | A simple-yet-structured brainstorming technique for determining likely hazards and judging the likelihood and consequences of those hazards occurring.

The PHA technique to be adopted should be the most appropriate to the potential severity of the site’s MAH threats. As such, the selection of the PHA technique should consider the following criteria:

•• The age and maturity of plant operations.

•• The technical complexity of the site.

•• The quality of available information.

•• The experience and competence resident at site with using the various PHA techniques available.

Therefore, while it would be typical for a refinery or complex petrochemicals plant to conduct a HAZOP and SIL assessment every five years, a PHR with accompanying SIL may be deemed more appropriate for a chemicals facility, while a “what if” study would be more suitable for a less complex operation, such as a distribution terminal.

For a multi-unit site, it is also worth considering whether the same approach is necessary across all units. For example, it may be appropriate for less complex process operations to be studied qualitatively, while a more structured or quantitative approach is used to study those unit operations where failure of a safety instrumented system (SIS) could escalate to a major accident hazard.

The choice of the PHA technique will also depend on whether a site is seeking to carry out an update or a revalidation of an existing PHA, or whether a completely new PHA is to be carried out for an existing asset. This will depend on:

•• The quality of the initial PHA (for example, if there are any deficiencies in supporting documentation or study scope, or if recent process safety information (PSI) casts doubt on the thoroughness of the initial study).

•• How extensive changes to the process have been since the initial PHA. Note that the IEC 61882 HAZOP studies - Application guide refers to the need for periodic studies to “counteract the effects of creeping change.” [2]

•• The effectiveness of the site’s management of change (MOC) program in analyzing and documenting changes carried out on the site since the last PHA (for example, plant uprating, changes to P&IDs or control/trip logic, or changes to staff training or shift coverage).

•• Any recent regulatory changes.

•• Company PSM standards and major accident management policy.

As noted earlier, it is the responsibility of the site to clearly state the criteria for the approach or technique taken in its PHA policy and procedure.

ROLES, RESPONSIBILITIES, AND COMPETENCE REQUIREMENTS

The PHA is best performed by a team with expertise in engineering and process operations, including at least one employee who has experience with and knowledge of the operation of the process being evaluated. Therefore, although it may be appropriate for the team to be led by an external specialist knowledgeable in the specific analysis technique(s) being used, it is not appropriate to outsource the PHA process to be managed and executed exclusively by a third party.

Each site will likely have its own organizational structure and may have different titles for the key PHA team roles within that organization. It should also be acknowledged that there is likely to be a “core team” for the duration of the study process, with specialists brought in for individual sessions to answer specific points.

It is expected that, for all key roles, the competence expectations for carrying out the PHA are defined by the site and documented within the individual job descriptions and associated competence matrices.

ROLE | COMMENT

PHA process owner | The person who takes overall ownership for implementing and managing the PHA process locally, while taking cognizance of any corporate procedures and policies.
This person will typically:
• Produce a written proposal for initial approval.
• Ensure that the key people are involved at the right times.
• Ensure that the process has been followed properly.
• Ensure that all actions arising from the process are effectively managed to completion.
The most common process owners will likely be the process safety managers, or senior engineers associated with the technical or safety functions.

PHA leader | An experienced PHA practitioner who has attended specific formal training in leading process hazard analyses. The PHA leader may be from inside the site, corporate organization, or from a recognized third-party specialist organization. If third parties are employed to lead PHAs, the site should fully verify the third party’s experience and competence. They will need to be familiar with a range of hazard identification, hazard and risk assessment, and quantification techniques.
The leader will advise on the selection of the PHA team and ensure the adequacy of the information recorded for the study. They will also need to ensure that the validity of declared safety barriers is thoroughly tested as part of the PHA process.

PHA scribe | The PHA leader will often appoint a separate person to facilitate note taking during the PHA process.

Discipline engineers | Several specialist engineering disciplines (for example, plant process engineer or distributed control system (DCS) engineer) will input into the PHA process. However, they may come in and out to address specific technical issues. They may need their input to be checked or verified by the corresponding technical authorities on site, depending on their level of seniority or experience.

Operations representative | An effective PHA process requires detailed understanding of the plant process and equipment being studied. It also requires contributions from people who are directly involved with the plant operations and understand what actions are required to be taken in the first instance following plant abnormal operation. To that end, the operations representative attending the PHA will typically be an experienced operator or operations shift supervisor.
The representative will advise on site operating and maintenance preparation requirements and validate any assumptions made in hazard analyses on the suitability, validity, or applicability of safety barriers, including operating methods, proof testing of instruments, repair times for equipment, etc.

Technology specialists | The PHA may require input from specialists such as process chemists, catalysis experts, or corrosion engineers. This will likely only be required for the assessment of specific sections of the process.

PHA auditors | The site should identify and appoint suitably competent and experienced personnel to audit the PHA process to ascertain compliance and identify areas of improvement. For large multi-site organizations, these may be corporately-appointed.


It is important that all of the key personnel involved in the operation of the site’s PHA
process understand its importance within the site or corporate PSM structure, as well
as their individual and team responsibilities. All PHA participants should receive an
appropriate level of training, dependent on their responsibilities within the PHA. This
may include general training for discipline engineers and operations representatives in
advance of a PHA to ensure that they have an outline understanding of the PHA process
and procedures. Appropriate training should also be given to those taking part in a PHA
for the first time, and consideration should be given to the need for regular refresher
training, particularly for infrequent PHA attendees. If the site has a role within the
organization that takes overall responsibility for the PHA process, this individual should
lead the training for the other participants.

MANAGING THE PHA SCHEDULE


The time period between the first PHA and subsequent revalidation reviews will typically
be influenced by overall site process complexity, the magnitude of potential MAH, and
local regulatory requirements. Because of the significant resource requirements for
carrying out a PHA, five years is typically seen as the maximum time before a revalidation
review or new PHA should be carried out. This is the review period enforced in the US by
the OSHA PSM standard 29 CFR 1910.119 [3,4,5].

The site should also identify and document the order for studying its plants or process
units. This will typically be based on hazard severity, the number of potentially affected
employees, the age of the process, and the operating history of the process.

The requirement to review the suitability of the site’s wider PHA studies should be
included in the site’s change management program, such that the potential knock-on
effects of any change or project on the site’s risk profile are examined. This is particularly
relevant for significant plant modifications that could have far-reaching effects beyond
the immediate vicinity of the modification, and may mean a process unit-specific or
site-wide PHA revalidation review will need to be conducted earlier than would otherwise be
mandated by the site’s PHA policy and procedure.

DOCUMENTATION INFRASTRUCTURE REQUIREMENTS
An appropriate system is required to record the inputs to and outputs from the PHA,
including the management of action items.

MANAGING THE PHA INPUTS


The documentation system for managing inputs can take various forms, but must be
designed for the following inputs to be appropriately documented:

•• Overview information of the plant or process being studied.

•• Key individuals involved in the PHA study.

•• Evidence generated during the process defining the existing risk mitigation measures,
layers of protection, and safety barriers such as loss control elements, safety critical
equipment, critical procedures, and critical tasks.

•• Where there are known gaps within the current layers of protection and the actions
required to close them.

During the PHA process, the PHA leader should use his/her judgement on how long to
debate a topic before an action is assigned. Once a discussion has gone beyond a certain
time limit (for example, 10 minutes) then the process should move to the next point and
an action generated.


MANAGING THE PHA OUTPUTS

The PHA can generate a significant number of actions, particularly in the first revalidation cycle or complete re-study, although subsequent revalidations will typically generate fewer and fewer actions.

All of these actions need to be effectively managed, and this can only be done if they are SMART – that is, specific, measurable, achievable, relevant, and time-bound. The documentation system chosen to manage the actions must take the following into consideration:

•• The PHA outcomes, findings, and associated actions can be effectively communicated to all personnel impacted by the PHA, for example, process operators.

•• Each action is assigned a unique identifier number, with a defined date and a clear expectation of requirements for closure.

•• The status of each action can be tracked, meaning any overdue actions can be easily identified.

•• The required action approval authority is defined.

•• The evidence associated with action closure is documented, or, if the action is rejected by the approval authority, the reasons why, and what further action is required to permit closure, have been noted.

•• Any modification, such as an extension to the closure date, is clearly documented.

Where the site’s PHA process extends across several units or plants, the process for recording actions should be consistent across all plants, and ideally, the documentation system should allow for an overview of all site actions.

PREPARATION FOR THE PHA

ENSURE UP-TO-DATE PROCESS SAFETY INFORMATION (PSI)

Good quality PSI is the foundation of a good PHA study, and the site should ensure that its written PSI is up to date before conducting a PHA, particularly that for P&IDs. Once the quality of the information is confirmed, the site may need to update this information prior to carrying out the PHA, or adjust its preferred approach to the study if it is clear that the PSI is not of the desired quality. In this case, a site can still get value from its preferred PHA technique, but must consider adjusting the technique by adding additional experienced personnel to the process, or giving extra time and consideration to critical areas where the data is incomplete.

Access to quality PSI will help the site identify and understand the hazards posed by processes and technologies involving highly hazardous chemicals. The site should have ready access to the following:

TYPE OF PSI | EXAMPLES

Information on chemical hazards |
•• Toxicity and permissible exposure limits.
•• Physical, reactivity, and corrosivity data.
•• Thermal and chemical stability data.
•• The hazardous effects of inadvertent mixing of different materials, that is, potential chemical interactions.

Process and technology information |
•• Up-to-date P&ID and electrical classification drawings.
•• A block flow diagram or simplified process flow diagram.
•• Material and energy balances.
•• Process chemistry.
•• Process inventory and design operating conditions.
•• Materials of construction.
•• Design codes and standards employed.
•• Up-to-date standard operating procedures (SOP) and emergency operating procedures (EOP), for describing operator response to normal and abnormal operations.
•• Understanding of the process’s corrosion and damage mechanisms.
•• Safe upper and lower limits for process parameters (for example, temperature, pressure, flow, pH, or composition).
•• Relief system design and design basis.
•• Emergency depressuring and shutdown system design.
•• Other safety systems (for example, gas detection or fire suppression systems).

Other |
•• Management of change (MOC) documents for changes carried out since the last PHA study.
•• Incident investigation reports for process safety-related incidents and near-misses since the last PHA study.
•• Previous PHA studies (this may include studies from other similar units).


SETTING THE ENVIRONMENT

Setting the right environment for any PHA is paramount to enable the process to run as efficiently as possible and to get the most out of the people attending.

Studies can take a considerable period of time, so should be scheduled in an appropriate location to ensure that attendees are distracted as little as possible. The program of PHA meetings should include sufficient breaks and opportunities for refreshment.

KEY STEPS IN THE PHA PROCESS

The PHA revalidation process for each site will be different, depending on local regulatory and compliance requirements, as well as the maturity of the operating plant. However, the process should broadly follow these key steps:

REVIEW ALL MODIFICATIONS MADE TO THE PROCESS SINCE THE PREVIOUS PHA

To make sure the PHA revalidation accurately reflects the hazards of the site’s current processes, the revalidation team should review all modifications since the previous PHA and determine if an additional analysis is needed. This should include reviewing records of implemented recommendations from the previous PHA and any incident reports and comparing these to the MOCs.

If the hazard evaluation performed during a modification was either inadequate or uncertain, then the team should review this change as part of the wider PHA process.

In instances where the process identifies several modifications that do not have corresponding MOC documentation, this may be an indication that the MOC process has not been implemented effectively and the team may need to consider redoing the PHA rather than updating or revalidating it.

Depending on how human factors have been addressed in the previous PHAs, the team should review any assumptions made in the past and consider how these might have been affected by site changes and modifications. These include:

•• Operator training, for example, in response to abnormal operating scenarios.

•• The suitability of SOPs and EOPs and the application of critical task analysis.

•• Control room ergonomic factors.

•• Personnel workload/stress.

•• Labelling/housekeeping.

REVIEW PREVIOUS PROCESS SAFETY INCIDENTS

The PHA revalidation team should also review the site’s process safety incidents and near misses since the previous PHA, as well as learnings from relevant external incidents (for example, from sites using similar processes or technology), in order to ensure that potential hazards are identified, as well as the adequacy of existing safety barriers.

REVIEW THE STATUS/RESOLUTION OF PREVIOUS PHA RECOMMENDATIONS

The team should make sure all previous recommendations have been closed out. It would be good practice for the team to review a sample of past responses to ensure that the closure process has been robust. Any recommendations or actions not closed out should be further reviewed to make sure that the recommendation is still valid in light of the current PHA process.

ADDRESS HAZARDS ASSOCIATED WITH ABNORMAL OPERATING MODES

The PHA process should include a systematic means of assessing both normal and abnormal operating modes. The hazards involved during start-up, shutdown, maintenance, sampling, etc. in a process unit should be evaluated to help identify procedural or equipment deficiencies that could contribute to human errors.

It is not unusual for initial PHAs or hazard studies to incompletely address hazards during non-routine operation. As a result, the PHA revalidation team may need to augment the previous PHA by performing this task, either as a standalone hazard analysis, or by incorporating guidewords within the revalidation PHA to include abnormal operation such as start-up, shutdown, etc.

ENSURE COMPLIANCE WITH CURRENT PHA REGULATORY REQUIREMENTS

The revalidation team should look at the following, and determine what additional information needs to be added to any previous PHA to make it compliant; the team should also identify the tasks required in order to obtain that information:

•• The effect of any new or existing regulatory requirements on the site’s PHA.

•• The effect of any new or existing industry standards.

•• The effect of any new or existing internal company requirements.


5. STEWARDSHIP OF THE PHA PROCESS

The health and performance of the PHA process should be regularly monitored and assessed using both a routine review of key performance indicators (KPIs) and periodic audits. These steps will help assure the site management team that the system is being used in the way it is designed and intended.

KPIs

Each site should routinely produce both leading and lagging KPIs to monitor the performance and health of its PHA process. The KPIs should be produced at least once per month and be reviewed at an appropriate site management forum. Routine leading KPIs would typically include:

•• The total number of planned PHAs completed/overdue as per plan.

•• The number and proportion of open and overdue PHA actions, by severity/risk category.

•• PHA procedure compliance as per audit.

Lagging indicators might include the number of process safety incidents on a plant where incomplete or inadequate PHA is identified as a contributing cause.

AUDITS

Each site should audit its PHA process periodically, typically annually. The audit should be performed by a small team knowledgeable in the application of the PHA process. Consideration should be given to including people from outside the immediate local site in the audit process. Findings from the audit should be reported to site management, possibly through forums such as the site process safety management committee.

An audit process would typically include:

AUDIT STAGE | QUESTIONS TO CONSIDER

Evaluating the PHA Process |
•• Is there a scheduled plan for ensuring all relevant plant areas are included in the PHA process, with defined timescales?
•• Has a competent PHA leader been identified and appointed?
•• Are all key personnel identified and invited to attend? Are there any key personnel (such as technology specialists) omitted?
•• Are key preparation requirements established and study preparation materials (such as process descriptions or standard and emergency operations procedures) distributed?

The PHA study |
•• Are the appropriate risk assessment and quantification processes being selected?
•• Are the processes being followed properly and thoroughly?
•• Is there an appropriate level of documentation for risk mitigation measures?
•• Are the actions raised SMART (specific, measurable, achievable, relevant, and time-bound)? Do they address the risk gaps identified?

Managing the actions |
•• Are actions being closed out by the appropriate approval authorities?
•• Are actions being completed in a timely manner?
•• Is the action documentation sufficient to give a full account of either why the additional risk reduction measures presented are appropriate, or why no further action is required?

Personnel related |
•• Do the key personnel understand the process?
•• Do they understand their roles and responsibilities?
•• Have they been trained?


6. REFERENCES
1. EU Safety of Offshore Oil and Gas Operations Directive, Document 32013L0030, Directive 2013/30/EU of the European Parliament and of the Council of 12 June 2013.

2. BSI, 2016, Hazard and Operability Studies – HAZOP Studies – Application Guide, BS IEC 61882:2016, British Standards Institution.

3. United States Department of Labor Occupational Safety and Health Administration (OSHA) standard 29 CFR 1910.119 - Occupational Safety and Health Standards.

4. Process Safety Management - U.S. Department of Labor Occupational Safety and Health Administration OSHA 3132.

5. Process Safety Management Guidelines for Compliance - U.S. Department of Labor Occupational Safety and Health Administration OSHA 3133.

6. The Report, The BP U.S. Refineries Independent Safety Review Panel, January 2007.

7. State of California. Department of Industrial Relations, Notice of Citation, available at https://www.dir.ca.gov/dosh/citations/ExxonMobil.Signed-Citation-Documents.1042440.pdf, accessed 1 February 2018.

8. US Department of Labor. Occupational Safety and Health Administration, Stipulation and Settlement Agreement, available at https://www.osha.gov/enforcement/cwsa/phillips-66-company-08221991, accessed 1 February 2018.

9. US Chemical Safety Board. Final Report: Williams Olefins Case Study, available at http://www.csb.gov/williams-olefinsplant-explosion-and-fire-/, accessed 1 February 2018.

10. IEC 61508, Functional Safety of Electrical / Electronic / Programmable Electronic Safety-related Systems.

11. The Report, The BP U.S. Refineries Independent Safety Review Panel, January 2007.

12. Ibid.


7. APPENDICES
APPENDIX A: INDUSTRY LOSSES
Examples of industry losses where the lack of a rigorous PHA program has been
identified as a key contributing factor:

| INDUSTRY LOSS | LOSS | COMMENT |
|---|---|---|
| Pasadena, US, 1989 | 23 fatalities following a polyethylene plant explosion and fire. | Following the incident, the operator agreed with OSHA to conduct a PHA utilizing a methodology that would best address the hazards of the particular process at issue. [8] |
| Longford, Australia, 1998 | A US$1.3 billion, major property and business interruption loss. | One of the root causes was that a retrospective HAZOP planned for Gas Plant 1 for several years had not been completed. Further, a 1992 modification had only been completed with a HAZOP which had limited scope. The Royal Commission viewed it as inconceivable that a HAZOP study would not have revealed factors which contributed to the incident. |
| Texas City, US, 2005 | 15 fatalities, major property and business interruption loss. | The Baker report [6] into the loss recommended that the site management “should not rely solely on audits, rather also on PHA, near misses, high potential incidents, MOC reviews, inspections.” |
| Point Comfort, US, 2005 | Property damage of US$85 million, plus five months’ shutdown. | Vehicle impact (a primary cause of the loss) was not picked up as part of the site’s hazard review process. |
| Jaipur, India, 2009 | 11 fatalities, the tank fire burned for 11 days. | The investigation committee into the incident stated that “loss of containment in terms of time and quantity was never considered a credible event and accordingly not taken into account in hazard identification.” It also stated that “…only one HAZOP study has been done on the installation…The report, though titled “HAZOP study,” does not include any HAZOP work but contains “consequence analysis.”” |
| Geismar, US, 2013 | Two fatalities following an olefins plant explosion, giving US$110 million property damage plus extensive business interruption loss. | Following the incident, the US Chemical Safety Board concluded that “…deficiencies in implementing the site’s process safety management programs include…poor implementation of PHA action items…. Those deficiencies ultimately contributed to the reboiler rupture and the deaths of two employees.” [9] |
| Torrance, US, 2015 | Fluidized catalytic cracker explosion giving major property and business interruption loss and a US$566,600 fine. | Citation 11 Item 1 by the State of California states: “On and prior to February 18, 2015, the employer failed to perform a Process Hazard Analysis PHA for identifying, evaluating, and controlling hazards in the electrostatic precipitator (ESP) operating with broken and bypassed safety critical devices…..during the FCC emergency shutdown.” [7] |

APPENDIX B: COMMON PHA TECHNIQUES


HAZARD IDENTIFICATION (HAZID)

The HAZID is designed to identify significant hazards present within the unit, and ensure that there are appropriate measures to eliminate the risk or reduce the risk to tolerable levels (ALARP).

This is typically a hazard-based top-down approach, designed to either revalidate major accident scenarios, initiating events and safeguards, or to identify potential new exposures following a site-initiated change. Identification of the hazards provides the opportunity for unit or equipment redesign to eliminate or significantly reduce the risk, but, where the risk cannot be reduced to tolerable levels by practicable redesign, additional protective measures may need to be incorporated to meet the relevant criteria.

By its nature, the HAZID will identify any new scenarios or MAHs that need to be documented and would prompt a revision of the site’s hazard register.


HAZARD AND OPERABILITY STUDY (HAZOP)

The HAZOP is probably the most common rigorous technique used for carrying out a PHA within the energy industry. This is often because it is a process which would likely (depending on asset age) have been carried out during the initial site design stage. It uses fully developed P&IDs to identify hazards and operability problems, and process deviation guidewords to stimulate creative thinking about possible deviations and their effects. Within an EPC project, a HAZOP would typically follow a HAZID in the project timeline.

This is a rigorous deviation-based bottom-up approach, in which the site will likely have its own trained HAZOP leaders. However, because it is highly structured, caution must be used when using this to revalidate an existing study to ensure that in following the existing guidewords, the process does not result in merely repeating the previous study, but is also able to identify new hazards or exposures.

The HAZOP structure will support parallel SIL studies, the review and update of site P&IDs, and the identification of opportunities for further site risk reduction. However, HAZOPs are invariably time consuming, and can present a major resource challenge for an operational plant. As discussed earlier in this report, it is important that non-routine activities, such as start-up or shutdown, are included in a HAZOP, alongside normal operation.

PROCESS HAZARD REVIEW (PHR)

The PHR technique is a systematic and comprehensive study of hazardous events. But, where the HAZOP is a line-by-line approach, the PHR operates at the higher system-by-system level, using hazardous event guidewords, showing some similarities in this respect to the HAZID approach.

It is typically a hazard-based top-down approach, and while it is not as rigorous as a HAZOP, its higher-level view of the process offers considerable time savings and does not require detailed P&IDs. A unit flowsheet or process flow diagram will often suffice.

The PHR technique, therefore, will typically develop what had already been documented through the site’s original hazard studies, adding what has been learnt since, such as learning from incidents, or changes made upstream or downstream of the original studies.

BOWTIE ANALYSIS

The bowtie technique is typically a structured qualitative analysis, used where a quantitative approach is neither possible (for example, through a lack of data), nor desirable. We are, however, seeing more examples of this approach being used quantitatively as sites become more familiar with the methodology and gain access to data on barrier and control performance. When used qualitatively, the process gives a visual presentation of the number of barriers or controls for MAH prevention and mitigation, as shown in the following example:

The hazardous event to be studied would typically be identified in a HAZID, therefore, this technique is most powerful once the site’s MAHs are known and understood. The bowtie diagram then combines a study of the threats that can cause the event (that is, the fault tree, typically drawn on the left-hand side) with a study of the consequences (that is, the event tree, typically drawn on the right-hand side). The process then continues to identify protecting barriers, as either controls which look to prevent the threats from occurring, or as recovery or mitigation measures which look to reduce the potential impact.

One of the strengths of the bowtie analysis is that it can show the site’s overall response to an MAH scenario, combining hardware (such as SIS), software (such as the operator’s response to an initiating event), and emergency response and recovery measures in a single process illustration.

[Figure: bowtie diagram. Left side: threats (potential causes) and prevention control measures. Centre: hazardous event (loss of control). Right side: recovery measures and consequences (potential outcome).]


SAFETY INTEGRITY LEVEL (SIL) ANALYSIS


Safety instrumented systems are often used to provide a level of risk reduction in relation to one or more hazardous events. If instrumentation is to be effectively used in this capacity, it is essential that it achieves appropriate standards of reliability and performance. The setting of standards and performance levels is formalized in the International Standards IEC 61508 [10] and IEC 61511 [11]. IEC 61511 requires that in addition to providing risk reduction for hazardous events with a consequence associated with the protection of people, the SIL assessment procedure should also be used where it involves protection of the environment. The procedure may also be used for other applications involving asset protection or other business loss.

SIL analysis can be carried out by various techniques and is often done alongside a HAZOP or PHR, as it usually requires the same disciplines to be present. The techniques of hazard analysis (HAZAN) and layer of protection analysis (LOPA) are discussed in greater detail below. Although risk graphs are commonly used for SIL analysis, they are typically only recommended for initial “risk screening”, and therefore they are not discussed further in this paper.

| FEATURE | RISK GRAPHS | LOPA | HAZAN |
|---|---|---|---|
| Level of complexity and sophistication. | Low | Medium | High – requires experienced, specified practitioners. |
| Use for initial screening? | Yes – very quick | Yes | No – too complex |
| Typical study time, per instrumented loop. | A few minutes | One hour | One day |
| Suitable for detailed analysis? | No | Yes – up to a point | Yes |
| Identifies potential dependency between barriers? | No | Yes – identifies but does not quantify | Yes |
| Able to include specific human factors aspects? | No | Yes | Yes |
| Output | SIL | PFDa¹ | PFDa¹ |
| Further comment | Technique does not lend itself to recording the basis of any decisions. | See below. | See below. |

¹ Probability of Failure on Demand, average value.

HAZAN

This technique is the most rigorous and most flexible of the SIL methodologies available. It can, however, be the most time consuming, and requires considerable training and experience to be used effectively.

It uses two complementary techniques: demand trees and fault trees. The technique of demand trees is a systematic way of identifying the potential initiating causes for a particular specific hazardous event. Fault tree analysis allows the initiating causes to be represented with their respective risk reduction measures. It also allows the identified dependencies to be included in an appropriate manner.

HAZAN therefore enables the risks associated with a particular hazard to be calculated, helping to clarify:

• Is the level of risk acceptable?

• Is a particular expenditure justified?

• What hazardous events present the greatest risk, and therefore should be prioritized?

• Which design is the safest or most reliable?

HAZAN provides a rational method of assessing risks so that decisions can be made with a greater element of certainty. It is typically the best technique for complicated SIS where there may be common cause failure and human factors issues.


LOPA

LOPA is the most common technique used for SIL analysis, as it strikes a balance between the time required for the analysis, the level of accuracy, and the documentation detail. Although it can be used in a relatively simplistic screening manner, it can also be used in a more quantitative manner, with a level of detail not dissimilar to a HAZAN using fault trees. Its format also lends itself to being used alongside a HAZOP or PHR.

The methodology for SIL analysis follows the broadly accepted approach as laid down in the standard IEC 61511. [12] The principal steps are as follows:

• Identify the specific hazardous event.

• Determine the severity and target frequency.

• Identify the initiating causes.

• Scenario development.

• Protective measure and condition modifier listing.

• Completion of LOPA standard pro forma / spreadsheet.

However, care should be taken as it is generally not sophisticated enough by itself above SIL, or when studying catastrophic or very rare events, where a HAZAN would be more appropriate.

FAILURE MODE AND EFFECT ANALYSIS (FMEA)

This is a systematic, typically qualitative and methodical tabular technique for evaluating and documenting the causes and effects of known types of component failures, particularly those involving electrical and mechanical processes. As a top-down tool, it is less effective than fault tree analysis, but when used as a bottom-up tool, FMEA can augment or complement fault tree analysis and identify more causes and failure modes resulting in top-level symptoms.

However, it is not able to discover complex failure modes involving multiple failures within a process, and does not question the original design basis of the process.

As a PHA technique, it is perhaps most effective as a higher-level screening tool to rank potential scenarios, or for evaluating “one cause” events in low-complexity units.

“WHAT IF” ANALYSIS

“What if” analysis is a structured brainstorming technique for determining likely hazards, and judging the likelihood and consequences of those hazards occurring. It is a simple technique, relying heavily on the experience and intuition of the review team, and is more subjective and less detailed than a HAZOP. While it is relatively easy to use and can be an effective tool, the outcome will depend heavily on the quality of the questions asked.

As a PHA technique, this is perhaps most effective as a higher-level screening tool, or for evaluating well-understood events in low-complexity units.
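The LOPA steps listed in the LOPA section above, carried through for one constructed scenario as an added example that is not part of the original paper. It also shows the "identifies but does not quantify" dependency check from the comparison table: a layer that shares equipment with the initiating cause is flagged and given no credit. All equipment tags, frequencies and PFD values are assumed; the SIL bands are the low-demand PFDavg ranges of IEC 61508 / IEC 61511.

```python
from dataclasses import dataclass, field
# Low-demand PFDavg band for each SIL in IEC 61508 / IEC 61511: (lower, upper)
SIL_BANDS = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}

@dataclass
class Layer:
    name: str
    pfd: float                       # probability of failure on demand
    uses: frozenset = frozenset()    # equipment tags the layer relies on

@dataclass
class Cause:
    name: str
    frequency: float                 # initiating events per year
    failed: frozenset = frozenset()  # equipment tags lost when the cause occurs
    layers: list = field(default_factory=list)
    modifiers: dict = field(default_factory=dict)  # condition modifier -> probability

def sil_for(pfd):
    """Map a required PFDavg to a SIL; 0 means less than SIL 1 is needed."""
    if pfd >= 1e-1:
        return 0
    for sil, (low, high) in SIL_BANDS.items():
        if low <= pfd < high:
            return sil
    raise ValueError("required PFDavg is below the SIL 4 band")

def lopa(causes, target_frequency):
    """Sum the event frequency over all causes, then size the SIF against the target."""
    total, dependent = 0.0, []
    for cause in causes:
        freq = cause.frequency
        for layer in cause.layers:
            if layer.uses & cause.failed:   # layer shares equipment with the cause
                dependent.append((cause.name, layer.name))
                continue                    # dependency identified: no credit taken
            freq *= layer.pfd
        for probability in cause.modifiers.values():
            freq *= probability
        total += freq
    required = min(1.0, target_frequency / total)
    return {"frequency": total, "required_pfd": required,
            "sil": sil_for(required), "dependent_layers": dependent}

# Constructed scenario (tags and numbers assumed): separator overpressure, target 1e-5/yr.
RELIEF = Layer("relief valve", 0.01, frozenset({"PSV-1"}))
ALARM = Layer("high-pressure alarm and operator response", 0.1, frozenset({"PT-1"}))
OCC = {"occupancy": 0.5}
CAUSES = [
    Cause("control loop fails", 0.1, frozenset({"PT-1", "PCV-1"}), [ALARM, RELIEF], OCC),
    Cause("outlet valve closed in error", 0.05, frozenset(), [ALARM, RELIEF], OCC),
]
RESULT = lopa(CAUSES, target_frequency=1e-5)
print(RESULT)
```

With the alarm sharing transmitter PT-1 with the failed control loop, the scenario needs a SIL 1 function; if the alarm were wrongly credited for that cause, the same calculation would show no SIL requirement at all.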


APPENDIX C: SELF-ASSESSMENT CHECKLIST


The following checklist can be used to test a site’s existing PHA process against industry good practice.

| ITEM | Y | N | PARTIAL |
|---|---|---|---|
| SETUP AND APPLICABILITY | | | |
| Does the site have a formal, written procedure for carrying out PHAs? | | | |
| Does it clearly identify when a PHA should be carried out? | | | |
| Does it define the most appropriate processes for the assets covered? | | | |
| STAFFING | | | |
| Does the PHA process define the roles and responsibilities of the key people who operate the process: | | | |
| – Process owner? | | | |
| – PHA leader? | | | |
| – Discipline engineers? | | | |
| – Operations personnel? | | | |
| – Technology specialists? | | | |
| – PHA auditors? | | | |
| KEY STEPS | | | |
| Does the PHA process address the following: | | | |
| – The process hazards? | | | |
| – The identification of any previous incident that had the potential for catastrophic consequences? | | | |
| – Engineering and administrative controls applicable to the hazards and their interrelationships? | | | |
| – Consequences of the failure of these controls? | | | |
| – Facility siting? | | | |
| – Human factors? | | | |
| – A qualitative evaluation of the effect of control failure on the safety and health of site employees? | | | |
| – Ensure up-to-date process safety information? | | | |
| – A review of all modifications made to the process since the previous PHA? | | | |
| – A review of the status/resolution of previous PHA recommendations? | | | |
| – Address hazards associated with abnormal/transient operating modes? | | | |
| – Ensure that the PHA meets the requirements of any existing or new regulations, industry standards, or internal company requirements? | | | |
| SUPPORTING INFRASTRUCTURE | | | |
| Does the site have a structured way to document the PHA process? | | | |
| Does the site have a structured way to document and manage actions generated by the PHA process? | | | |
| Does training exist for the key people involved in operating the PHA process? | | | |
| Have all of the key people had this training, and are they still considered competent, or is refresher training required? | | | |
| STEWARDSHIP AND GOVERNANCE | | | |
| Are KPIs describing the operation of the PHA process routinely generated? | | | |
| Are they reviewed by senior level staff at an appropriate forum? | | | |
| Is an audit of the PHA procedure performed at least as frequently as the PHA process cycle? | | | |
| Are the outcomes of audits reviewed by senior level staff at an appropriate forum? | | | |
| Is there evidence of any corrective action being implemented following audit findings? | | | |

Marsh is one of the Marsh & McLennan Companies, together with Guy Carpenter, Mercer, and Oliver Wyman.

The information contained herein is based on sources we believe reliable and should be understood to be general risk management and insurance information only. The information is not intended to be taken as advice with respect to any individual situation and cannot be relied upon as such.

In the United Kingdom, Marsh Ltd is authorised and regulated by the Financial Conduct Authority.

Copyright © 2018 Marsh Ltd. All rights reserved.
