Introduction to Process Hazard Safety Meetings: Part 1 Concepts and Worksheet

  • Share
  • Share

This is the first in a three part series on process hazard meetings, such as HAZOPS, PHAs, What-Ifs, Checklists, and HAZANs. Part 1 introduces the concepts. Part 2, meeting attendees and preparation, and Part 3, advice for running the meeting, are also available.

Very often a design project will include a meeting, or a series of meetings, that systematically study the details of the design and searches for hazards. This systematic study can take place at different times in the life of a project (from proposal to detailed design) and therefore can take place at different “scales” or levels of detail. Sometimes these meetings are required by law or company procedure, but some are done just as a prudent check of the design. There is an alphabet soup of these meetings:

  • HAZOP: Hazard and operability study
  • PHA: Process hazard analysis
  • What-If? Study
  • Checklist Study
  • HAZAN: Hazard Analysis

This series of posts is going to try to generally cover all of these types of meetings. The different meeting types will use slightly different lingo for all the terms, and be either broad or nitty-gritty looks at details. But in all cases the general principle is similar. In addition to the principals of this post, get your hands on your company’s hazard meeting procedure, AND find a previous hazard report. Try to get an old hazard report done with the same participating companies, at the same level of detail, if possible. You’ll want a guide to understand how much detail to put into each step of the following procedure, and what exact terms to use.

Anyway, this first post is on the concepts. To guide us, we will look at the Hazard Meeting Worksheet – the worksheet that is the focus of the hazards meeting. The “deliverable” of the meeting is to have everyone attending the meeting work as a group to fill the worksheet out. In the second part of this series of posts, we will step back and learn about preparing for the meeting and who should attend. In the third post, we will learn to overcome problems that can pop up in the meeting.

Nodes: Sections of the Process

The first step of the meeting is done outside of it: the process must be broken down into “nodes,” items or sections or areas of the process to consider. Depending on the scope, they may be as large as a system of equipment (e.g. “truck unloading system,” “crude preheat train”) or they may be as small as each individual line and valve getting its own node.

A clear boundary, breaking the process unambiguously up into smaller chunks, is essential. Often it helps to mark these nodes on PFDs or P&IDs so everyone can see the node boundaries. In some meetings, it may be wise to have a “general” or “general issues” node, to cover global problems that affect the entire design like storms, earthquakes, power failures, etc.

In very large hazard meetings, you may want to group the nodes into some hierarchy for the sake of organization. (ex: Area 1, Crude Unit. Node 1: Feed Pumps).

For each node, a worksheet must be prepared in the safety hazard meeting. Here’s a sample worksheet entry I made for this post:

Worksheet for Node 1 Feed Section

Deviation Cause Consequence Safeguards S L RR Recommendation Responsibility
1. High Flow 1. Control valve FCV-100 fails open 1. Drum D-100 overfills with liquid, could overpressure and rupture 1. Relief valve to safe location

2. Operators can manually divert flow to D-101 in emergency

1 2 1 1. Add high level alarm and high high level pump trip to D-100 Raj Sinder

Let’s discuss each part of the worksheet.

Deviations: What could go wrong

Deviations, also called checklist items, what-if items, hazards, etc., are a list of how things could differ from normal operation. . Conditions that are different from the normal or expected operation. A list of “what could possibly go wrong?” In your safety meeting, generally you will start with a blank worksheet covering Node #1. Someone will propose a deviation, and the entire table will work through the deviation. Then, someone will propose a second deviation, everyone discusses it, and so on. Once everyone has suggested every plausible deviation for Node #1, only then will you move on to Node #2.

  • Alternative: In some cases, someone is tasked to fill out the worksheet with proposed deviations ahead of time. This can save time in the meeting. During the meeting, people can add to or delete from this list of proposed deviations as necessary

By the end of the meeting, you want to have a comprehensive list of all the plausible deviations for each node. Everyone around the table has thought it through and has no additional deviations to suggest. With the help of the worksheet, you will have made sure that your process can safely respond to each deviation that has been proposed.

Some deviations you might consider including:

  • Flow: High, low, reverse, no flow
  • Temperature: High, low, cryogenic
  • Pressure: High, low, vacuum
  • Level: high, low
  • Density: High, low
  • Concentration of important component, pH, water content, etc. similar measures: High, low
  • Presence of contaminants
  • Rupture, leak, or loss of containment
  • Corrosion
  • Static electricity
  • Emergencies (fire, power failure, storm, earthquake, utility failure, etc.)
  • Abnormal operations: commissioning, start-up, shutdown, human error, riots, etc.
  • Maintenance issues: adequate access, adequate procedures, access for cranes/jibs, etc.

This is not an inclusive list. It’s important that everyone around the table raises all deviations they can think of for a node. Wikipedia has some more ideas.

Extreme, outlandish scenarios are usually not studied. For example, I personally have never seen a hazard meeting study a plane crash, meteor strike, or war. Sabotage, terrorism, or cyber-terrorism are not normally investigated. But who knows, maybe in some parts of the world or for certain industries (nuclear??) these could be included?

Cause: How could you get that deviation?

For each deviation you need one or more plausible causes that could generate the deviation. This is just an explanation of how the deviation could occur: you want to indicate the scenario you are studying. In some cases there are several causes that could all cause the same deviation, and you need to study all of the different causes. So if a pump trip or a closed control valve could both cause the no flow deviation, list both causes as separate rows in the worksheet.

In some cases, a deviation will be proposed, but no one can see a plausible cause. In that case delete the deviation, or mark down “no cause identified” and skip it.

Consequence: What’s the damage?

The consequence lists the negative outcome or result from your deviation. You want to list all the consequences that will happen or that might happen. Think of damage to equipment, damage to personnel, damage to the environment, financial harm, loss of status or goodwill towards the company, waste of operator’s time, etc. etc. You want to capture the main negative effects.

A problem may have multiple consequences: for example, a breaking pipe of hydrocarbon liquid will cause loss of product and force a shutdown of the unit (a financial problem). But the pipe could also hit a worker if they happened to be nearby. The leaking hydrocarbon might also start a fire, which is very serious. List all these issues as separate consequences, each with their own row.

Because a deviation can spawn multiple causes, and each cause can spawn multiple consequences, you may get several rows out of a single deviation.


Also called existing guards, safeguards and controls, or similar. This is where you list features already present in the design RIGHT NOW that will mitigate the problem. They may prevent the deviation or consequence, or they may reduce the chances of a problem, or reduce the impact of the problem, or even just give a possibility that something useful can be done by operations or maintenance. They may even increase the probability that blind luck reduces or avoids the problem.

Do not list things that “probably” will be added to the design later – if you forgot something, it should become a recommendation (see below) and not be listed as a safeguard.

However, at early stages of design, something doesn’t have to be completely designed to count it as a safeguard. For example, take credit for a relief valve or a shutdown system even if it is not fully designed, as long as it’s captured in the plan of work and indicated somewhere in the design. You can use the recommendations column to note any special issues you identify at the meeting that must be borne in mind as the design progresses. (However, if you lack a lot of details on the design of the safeguard, I hope that you are just doing a preliminary hazard meeting. There is no point doing an item by item super-detailed HAZOP of a fired heater if no one has designed the burner management system, for example).

Some safeguards may include:

  • Alarms, trips, automatic controls
  • Safety equipment like relief valves, automatic sprinklers, etc.
  • The ability of operators to take manual actions to avoid or diminish the consequence, or spot the problem before it begins. Consider whether the manual action can be done at a safe distance from any danger
  • Existing or planned-for training, procedures, preventative maintenance, fire brigades, etc.
  • Any layout design that can help (like a berm or slope helping to contain spills, or maybe designating an area “Class I Div I” in electrical terms to limit sources of ignition)
  • Intrinsically safe designs (such as piping designed to withstand the pump shut-off pressure)
  • Back-up systems like having diesel generators to power critical services in power failures, or having an online or warehouse spare to replace a failed piece of equipment

The Risk Matrix (S, L, RR):

The entries S, L, and RR above may appear cryptic. But these are referring to the risk matrix. This risk matrix is a separate document that needs to be prepared before the hazards meeting.

The risk matrix posits the following: each risk or consequence should be assigned two ratings. One, the severity (S), is how damaging, hurtful, costly, or deadly the result is. The second, likelihood (L), is how likely the risk is to actually occur. The actual danger of the risk – the risk ranking (RR) – is a combination of the severity and the likelihood. You should assign S, L, and RR for each consequence you have determined.

Severity and likelihood ratings are almost always assigned with consideration of the safeguards you have in place. You can credit the existing safeguards to reduce S or L.

Why does the risk ranking use a combination of severity and likelihood? It is a very common theme in risk management: that a rational assessment of threats is not blinded by horrible scenarios, but considers how often or how likely something will happen too.

It is roughly analogous to using probability theory to make rational assessments about the seriousness of threats. (For example: do I buy a warranty on my new TV? Say the TV costs $1000 and the TV has a 1/10 chance of breaking during the warranty period. Then $1000 x 1/10 = $100 is probably a “fair price” for a warranty. $20 is a steal, $300 is a rip-off.)

But who comes up with severity ratings? Likelihood ratings? And who determines the risk ranking – in what way do we decide how to combine S and L into an RR? The answer is everyone’s favorite word: it’s subjective! Each company comes up with the S and L ratings, and a table that shows how to combine the two into an RR. These tables are based on the value system and risk aversion of the company. In all cases, the list of possible S ratings should cover a range from trivial to deadly/disastrous, and the L ratings should cover a range from "happens quite often” to “almost never.”

Below, I’ll show a sample system I made up:


1 Financial loss < $100,000. Unlikely to be any harm to personnel requiring a first aid or lost time incident. No lasting damage to environment. No impact on public
2 Financial loss between $100,000 and $1,000,000. Harm to personnel requiring a first aid, or a lost time incident, but no serious harm. Release to environment that may have localized long term impacts. Impact on public is nuisance.
3 Financial loss > $1,000,000. Serious harm to personnel or possible disability/fatality. Serious, long-lasting, or widespread harm to environment. Impacts public or public perception in a serious, negative way.

You’ll notice this severity table includes financial, human, and environmental perception, as well as nuisance to the public or harm to the company issue. Some companies like to break this up in the table by having columns for each type of harm.

At times, you may have to divide a cause into several consequences and give them all different severity ratings. For example: a sudden release of steam might have a trivial cost and no environmental impact, and be easily compensated by the boilers, so it seems like a severity of 1.

But there is a second consequence: if a blast of steam hits a person it could cripple or kill them. Therefore, if the sudden release of steam is directed somewhere that people could be present, like a hallway, it ranks a 3. I might call this second consequence “potential for personnel harm” since there’s no guarantee a person will be there, but also no guarantee the hallway will be empty.

The use of 3 rankings is arbitrary: more than 3 levels could be used. Also, the money values are highly dependent on the organization. $1,000,000 could devastate some companies, but is a small matter to others.


1 Not likely to occur in plant lifetime
2 Could occur once every few years
3 Occurs regularly: annually or more often

The likelihood is how often you expect the cause will deviation, cause, and consequence will occur. Is this a problem that happens a few times? Might happen? Never happens? Happens every week?

Some people like to assign probabilities to their likelihood rating. E.g. Likelihood 1 might be a one in a million occurrence: “Not likely to occur in plant lifetime (probability < 1e6)”

Risk Matrix

S = 3 2 4 4
S = 2 1 2 3
S = 1 1 1 2
Severity / Likelihood L = 1 L = 2 L = 3

Risk Ranking

1 Low/no risk
2 Acceptable with controls or procedures in place
3 Risk is high; consider recommendations and additional safeguards
4 Risk is unacceptable. Recommendations or process changes required

Now that you’ve seen a risk matrix, maybe this is becoming clear. With a severity and likelihood in hand, you look up the risk matrix. It gives you a Risk Ranking, which guides you in how bad a situation is. In this case, the fictional company is OK with RR = 1. With RR = 2, it would be nice to consider extra safeguards. RR = 3 needs safeguards and people should think of additional recommendations. RR = 4 means more recommendations are definitely needed.

In this case, the risk matrix was not symmetrical because S2L3 is not the same as S3L2. Many matrices are symmetrical. Also, risk matrices can be any rectangular shape: 3x3, 4x4, 3x5, 5x4, etc. And they can have any number of risk ranking levels – I used 4 here. Some companies like to color code the risk levels for convenience.

  • Alternative: In some cases, it is preferred to do a risk ranking before and also after safeguards are considered. So for example, if the design has an automatic trip and a relief valve, do one risk ranking while imagining those items are gone, and a second risk ranking with them included. I personally do not see much benefit from doing this, but it is done
  • Alternative: Some companies prefer not to use a risk matrix at all, skipping directly to recommendations and just trusting the attendees to subjectively rank the risk
  • Alternative: Some companies prefer to sub-divide likelihood into two smaller categories: the likelihood or frequency that a chance for harm comes up, and the probability that the chance for harm actually does develop into a problem. For example: extensive repairs on the reactor are done once every 3 years, which is the frequency. Based on records, someone has a small injury for roughly 1/3rd of the repairs, so the probability is 33%

Risk Ranking in our Worksheet Example:

Lets again review the worksheet for Node 1:

Deviation Cause Consequence Safeguards S L RR Recommendation Responsibility
1. High Flow 1. Control valve FCV-100 fails open 1. Drum D-100 overfills with liquid, could overpressure and rupture 1. Relief valve to safe location

2. Operators can manually divert flow to D-101 in emergency

1 2 1 1. Add high level alarm and high high level pump trip to D-100 Raj Sinder

In this example I gave the high flow deviation a Severity of 1. This is because a relief valve is there ready to open and keep the pressure down. If there was no relief valve, I’d give a S = 3: an over-pressured drum can burst, forcing a unit shutdown, replacement of the drum, and depending on how it breaks the drum could easily hurt people.

I put a Likelihood of 2. During the meeting, the instrumentation lead said that FCV-100 is pretty reliable, but it’s conceivable it could fail maybe once every 5 years or so. Since the plant is designed for 20 years life-cycle, everyone in the meeting agreed that L = 2 was correct.

RR = 1 suggests that this scenario is OK as it is, thanks to the relief valve. But around the table people still thought that adding a level instrument with alarms and pump trip would be a good idea. We therefore recorded that as a recommendation. If someone had protested that this costs too much, I could reword the recommendation to say “consider alarm and trip” so that the costs/benefits could be examined outside the meeting.


Note about fires, storms, and inherently dangerous situations:

Depending on how the risk matrix is set up, it is quite possible for fires to reach the unacceptable rating, even with rigourous safeguards in place. Any fire can turn fatal, and even with the best safeguards fires are still possible. The best you can do in the hazard meeting is ensure you’ve done all you reasonably can to mitigate the risk.

Similarly, some storms, like hurricanes, earthquakes, or other “acts of God,” may get stuck an unacceptable RR no matter what you do. Again, you’ve got to just do the best reasonably possible. Including training and procedures, weather monitoring, etc.

Or, in a radical case, maybe you shouldn’t be building this plant at all! (Don’t make a TNT plant at the bottom of Landslide Peaks).

Depending on the risk matrix system you have, you could find that even normal hazards reaching a somewhat unacceptable rating. For example, even with the best of maintenance practices, it is still true that high pressure lines could burst, and their contents could hit someone. Just keep the could’s as low as possible through good preventative maintenance, adequate safety systems, and logical layouts.

Recommendations: What we should do next

During the hazard meeting, people will come up with ideas to reduce the risk.

  • “Oh, we needed a relief valve here!”
  • “No one knows if this is designed for a water hammer? We need to double-check with our piping team”
  • “You know, I think I remember reading that carbon steel is not acceptable for this fluid. But I’m not sure. Bill, can you look it up in your material compatibility literature?”
  • “Now that I think of it, our fire brigade has no training for natural gas fires. We should send them for training before we install the new boiler, and also update their firefighting manual.”

Recommendations are where you capture this. Recommendations can be changes to a process, new items to install, procedures to write, calculations to do, questions that vendors must be asked, etc. You can list as many recommendations as you want: zero, four, whatever. Some situations are already safe enough so no recommendation is required.

In a safety meeting, you do NOT want to actually spend time designing and solving all of these problems. Time is precious in the hazard meeting: a lot of highly paid people are sitting at the table who are not going to be involved in implementing the recommendation.

Think of a recommendation as just a reminder to do something. Sometimes a recommendation can be vague: “must decide best way to protect this system from overpressure.” This recommendation leaves it open: is it going to be a PSV, stronger piping, a weaker pump? Decide later. Just capture the concern and move on.

If two people are in a disagreement over whether something is safe, and the problem cannot be resolved after a few minutes discussion, don't get stuck. To keep things moving you can put in a compromise recommendation, like “confirm that XXX is safe, or redesign if not.” Let those two fight it out later, outside of the meeting.

The point of the hazards meeting is to indentify all the risks, not to solve them right then and there.

Alternative: Some companies prefer to list both existing safeguards, and safeguards that need to be added, in the same column. (They have a safeguards column but do not include a recommendations column). In such a case, that’s fine, just make sure there is a clear distinction between what is already installed and what requires further work.


This can be decided either as you make recommendations, or you can wait until the end of the day or even the very end of the meeting to do the assigning. (Do not wait too long or people may forget what was discussed).

Responsibility is who is going to resolve the recommendation. Some people assign this to companies or departments, but in practice it is usually better to assign responsibility to a single person. That person is responsible for ensuring it gets done. They can and will talk to everyone else in the team and get their help as needed. They can even totally delegate the work if they want to. But the responsible person has to make sure it gets done, one way or another.

After the meeting, make a responsibility list. This should have each recommendation, where the recommendation was made (e.g. Node 1 Cause 1), and the responsible person. To track future implementation, have columns for what was done, and a sign-off.

Note that in the end, you may study the issue and decide not to implement a recommendation. That’s fine too. The person who was responsible simply has to record that is was looked into, and that nothing needs to be done for reason XXX.

Some companies believe in never assigning responsibility to a person not at the meeting. So if Bob the piping lead is not in the meeting, assign responsibility to Martha the project manager, who will delegate to Bob. Other groups do not have a problem assigning responsibility to Bob in such a situation.

We have learned how to fill out the safety meeting worksheet. This concludes part 1. Coming up, see Part 2: a look at the team members in a hazard meeting, and meeting preparation advice, and Part 3, advice for running safety meetings.

Print Friendly, PDF & Email

About admin

I own and run
This entry was posted in Relief & Safety and tagged , , , , , , , , . Bookmark the permalink.

2 Responses to Introduction to Process Hazard Safety Meetings: Part 1 Concepts and Worksheet

  1. Pingback: Introduction to Process Hazard Safety Meetings: Part 2 Attendees and Preparation | Smart Process Design

  2. Pingback: Introduction to Process Hazard Safety Meetings: Part 3 Advice for Running Meetings | Smart Process Design

Leave a Reply

Your email address will not be published.

+ 78 = 84