[Figure: Bow-Tie: Hazard Barriers. Causes A, B and C lead to a loss event with outcomes fire, release and explosion; annotation: "HAZOP identifies gap".]

Why Every Process Plant Needs a HAZOP

Jose Campins · 7 min read

Introduction

Throughout my career in upstream process engineering — FPSO topsides, modular gas facilities, offshore platforms across Southeast Asia, West Africa, and the Middle East — I have sat in dozens of HAZOP studies. Some have been thorough, well-prepared, and genuinely valuable. Others have been rushed, superficial, and little more than an expensive formality that gave the project team a false sense of security.

The difference between those two outcomes is not the method. The method — guideword-driven, node-by-node examination of a P&ID — is sound. The difference lies in preparation, team quality, and leadership commitment to actually acting on the findings.

This article is about why a HAZOP is indispensable, what a good one uncovers, and why the cost argument against running one properly does not survive scrutiny.

What a HAZOP Is — and What It Is Not

A Hazard and Operability Study is a structured, systematic technique for identifying hazards and operability problems in a process design. The method was developed by ICI in the 1960s and has become the global standard for process hazard analysis in the oil and gas, petrochemical, and chemical industries.

What makes a HAZOP distinct from other design reviews is its rigour. It does not ask "is this design safe?" in a general sense. It applies specific guidewords — No Flow, More Pressure, Less Temperature, Reverse, As Well As, Other Than — to every measurable parameter at every node of the P&ID, and for each combination asks: what are the causes of this deviation? What is the consequence? Are the safeguards adequate?

A HAZOP is not a peer review, not a design verification, and not a walkthrough. Those reviews have value, but they are inherently informal — the team focuses on what is there, not on what could go wrong.

The Regulatory Picture

For most upstream oil and gas projects, a HAZOP is not optional. It appears as a mandated requirement in:

IEC 61511 — the international standard for Safety Instrumented Systems. The HAZOP is the primary mechanism for identifying the hazardous events that then feed into SIL determination via LOPA. Without a HAZOP, the SIS lifecycle cannot be properly initiated.

NORSOK Z-013 — the Norwegian Continental Shelf standard for risk and emergency preparedness analysis. It mandates systematic hazard identification and operability studies for all new installations and significant modifications.

API 14C and API 14J — for offshore production facilities, systematic process hazard analysis is required as part of the safety analysis methodology.

OSHA PSM (29 CFR 1910.119) — the US Process Safety Management standard requires a process hazard analysis for all covered processes. A HAZOP conducted by a qualified team satisfies this requirement.

UK COMAH Regulations — facilities handling above-threshold quantities of dangerous substances must demonstrate that all major hazards have been systematically identified and assessed.

Client management systems and operator safety cases typically impose further requirements on top of these baseline standards.

What a HAZOP Uncovers

The most valuable HAZOP findings are rarely the obvious ones. Any competent engineer anticipates the main failure modes of the equipment they design. What systematic guideword analysis reveals are the interactions, combinations, and edge cases that informal review misses.

Safeguard gaps in consequence chains. A separator high-pressure deviation is identified, and the safeguards listed — a high-pressure shutdown, a PSV — appear adequate. But the HAZOP forces the question: is the PSV sized for this specific scenario? Is the HIPPS response time fast enough to prevent MAWP exceedance before the mechanical relief activates? Is the shutdown valve fail-safe position confirmed? Gaps that look closed on the P&ID turn out to be open on examination.

Instrument failures as initiating causes. Control loops that fail in unsafe directions are one of the most consistent sources of HAZOP findings. A temperature controller on a fired heater that fails open. A level transmitter that reads low during a power dip, causing a level valve to open and send liquid downstream into a gas compression train. These scenarios are not obvious until guidewords force the team to consider them.

Operability problems during non-steady-state conditions. Process safety incident data consistently shows that a disproportionate number of incidents occur during start-up, shutdown, and maintenance operations. A HAZOP that examines only normal operation misses half the risk picture. Valve arrangements that make safe isolation impossible during online operations, drain configurations that require simultaneous manipulation of three manual valves, or start-up sequences with inadequate purging steps — these emerge during operability-focused examination.

Human factors. Where a safeguard depends on operator intervention, the HAZOP questions whether that intervention is realistic. Is the alarm distinctive and unambiguous? Does the operator have sufficient time to respond before the consequence becomes irreversible? Are procedures in place and accessible? A design that relies on a 10-minute operator response to a rapidly escalating scenario is flagged; the engineering safeguard is strengthened accordingly.

The Cost of Skipping It

The process safety literature is unambiguous on this point. Piper Alpha (167 fatalities, 1988), Texas City (15 fatalities, 2005), Buncefield (2005, no fatalities but £1 billion in losses and long-term environmental impact) — each post-incident investigation identified design and operational deficiencies that a thorough HAZOP was positioned to surface.

The cost argument — that a HAZOP is expensive and time-consuming — collapses under examination. A HAZOP on a mid-size offshore topside takes four to eight days of structured workshop time. The cost of engineering changes identified at that stage is a fraction of what the same changes cost during fabrication, and a small fraction of what they cost after an incident. The liability, regulatory, commercial, and human cost of a major process safety event is not comparable to any engineering budget line.

When to Run the HAZOP

The correct timing is at P&ID freeze — when the design is sufficiently developed for node-by-node examination, but before detailed engineering work (instrument sizing, line lists, procurement packages) is completed. A HAZOP conducted too early, on immature P&IDs, misses deviations that only arise from the finalised design. One conducted too late forces expensive changes on a design that is already in detailed engineering or procurement.

For brownfield facilities, a HAZOP should be triggered by any Management of Change that alters process conditions, adds new equipment, or modifies safety-critical logic. The scope is typically targeted — the affected nodes and their interfaces — but the methodology is identical.

Getting Value from the Action Register

A HAZOP study ends when the workshop closes. A HAZOP process ends when every action in the register is tracked to closure with documented engineering evidence.

Actions closed by recording "inherently safe by design" without substantiation should be challenged. Each recommendation should have a named owner, a target date, and — when closed — a clear record of what engineering change was made or what engineering justification was provided for accepting the risk.
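The register rules above can be checked mechanically before a close-out review. The following is an added example, not part of the original article or any FEEC tool; the field names, the `evidence_ref` field, the overdue check and the sample register are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Closure phrases that assert safety without evidence. The article names only
# "inherently safe by design"; extend the tuple for your own register.
UNSUBSTANTIATED = ("inherently safe by design",)

@dataclass
class Action:
    ref: str
    owner: str
    target: Optional[date]
    status: str              # "open" or "closed"
    closure_note: str = ""   # what was changed, or why the risk was accepted
    evidence_ref: str = ""   # hypothetical field: calc/MOC/drawing reference

def audit(actions, today):
    """Return {ref: [findings]} for every action that breaks a register rule."""
    findings = {}
    for a in actions:
        issues = []
        if not a.owner.strip():
            issues.append("no named owner")
        if a.target is None:
            issues.append("no target date")
        if a.status == "open":
            # Assumption: an open action past its target date counts as a finding.
            if a.target is not None and a.target < today:
                issues.append("overdue")
        elif a.status == "closed":
            note = a.closure_note.strip().lower()
            if not note:
                issues.append("closed with no closure record")
            elif not a.evidence_ref.strip():
                bare = any(p in note for p in UNSUBSTANTIATED)
                issues.append("unsubstantiated safety claim" if bare
                              else "closure lacks evidence reference")
        else:
            issues.append("unknown status")
        if issues:
            findings[a.ref] = issues
    return findings

# Constructed sample register (not real project data).
REGISTER = [
    Action("HZ-001", "A. Process", date(2024, 3, 1), "closed",
           "PSV resized for blocked-outlet case", "CALC-0001"),
    Action("HZ-002", "", None, "open"),
    Action("HZ-003", "B. Instrument", date(2024, 2, 1), "closed",
           "Inherently safe by design"),
    Action("HZ-004", "C. Operations", date(2024, 1, 15), "open"),
    Action("HZ-005", "D. Mechanical", date(2024, 3, 10), "closed"),
]
```
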

At FEEC, we facilitate HAZOPs as an independent function, not as the design team. That independence matters. An engineer reviewing their own design has a natural tendency to see safeguards as adequate because they designed them to be adequate. An independent facilitator asks the question without that assumption.

The goal of a HAZOP is not to produce a report. It is to produce a safer facility.

About the Author

Jose Campins

Principal Consultant — Process Engineering · 20+ years

20 years of upstream process engineering across FPSO topsides, MOPUs, and modular early production facilities in Southeast Asia, the Middle East, and West Africa. His primary disciplines are FEED studies, process simulation, and detailed design.
