SIST EN 61882:2016

SLOVENSKI STANDARD
01-september-2016
Analiza obratovanja in nevarnosti (analiza HAZOP) - Navodilo za uporabo (IEC
61882:2016)
Hazard and operability studies (HAZOP studies) - Application guide (IEC 61882:2016)
Ta slovenski standard je istoveten z: EN 61882:2016
ICS:
03.100.50 Proizvodnja. Vodenje Production. Production
proizvodnje management
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN 61882
NORME EUROPÉENNE
EUROPÄISCHE NORM
June 2016
ICS 03.100.50; 03.120.01; 13.020.30

English Version
Hazard and operability studies (HAZOP studies) - Application
guide
(IEC 61882:2016)
Études de danger et d'exploitabilité (études HAZOP) - HAZOP-Verfahren (HAZOP-Studien) -
Guide d'application Anwendungsleitfaden
(IEC 61882:2016) (IEC 61882:2016)
This European Standard was approved by CENELEC on 2016-04-14. CENELEC members are bound to comply with the CEN/CENELEC
Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration.
Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC
Management Centre or to any CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the
same status as the official versions.
CENELEC members are the national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia,
Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.

European Committee for Electrotechnical Standardization
Comité Européen de Normalisation Electrotechnique
Europäisches Komitee für Elektrotechnische Normung
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2016 CENELEC All rights of exploitation in any form and by any means reserved worldwide for CENELEC Members.
Ref. No. EN 61882:2016 E
European foreword
The text of document 56/1653/FDIS, future edition 2 of IEC 61882, prepared by
IEC/TC 56 "Dependability" was submitted to the IEC-CENELEC parallel vote and approved by
CENELEC as EN 61882:2016.
The following dates are fixed:
(dop) 2017-01-14
• latest date by which the document has to be
implemented at national level by
publication of an identical national
standard or by endorsement
• latest date by which the national (dow) 2019-04-14
standards conflicting with the
document have to be withdrawn
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CENELEC [and/or CEN] shall not be held responsible for identifying any or all such
patent rights.
Endorsement notice
The text of the International Standard IEC 61882:2016 was approved by CENELEC as a European
Standard without any modification.
In the official version, for Bibliography, the following notes have to be added for the standards indicated:

IEC 60812:2006 NOTE Harmonized as EN 60812:2006 (not modified).
IEC 61025:2006 NOTE Harmonized as EN 61025:2007 (not modified).
IEC 61160:2005 NOTE Harmonized as EN 61160:2005 (not modified).
IEC 61511-3:2003 NOTE Harmonized as EN 61511-3:2004 (not modified).
IEC 62502:2010 NOTE Harmonized as EN 62502:2010 (not modified).
IEC/ISO 31010:2009 NOTE Harmonized as EN 31010:2010 (not modified).
Annex ZA
(normative)
Normative references to international publications
with their corresponding European publications

The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.

NOTE 1 When an International Publication has been modified by common modifications, indicated by (mod), the relevant
EN/HD applies.
NOTE 2 Up-to-date information on the latest versions of the European Standards listed in this annex is available here:
www.cenelec.eu
Publication Year Title EN/HD Year

IEC 60050-192 -  International electrotechnical vocabulary - - -
Part 192: Dependability
IEC 61882 ®
Edition 2.0 2016-03
INTERNATIONAL
STANDARD
NORME
INTERNATIONALE
Hazard and operability studies (HAZOP studies) – Application guide

Études de danger et d'exploitabilité (études HAZOP) – Guide d'application

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
COMMISSION
ELECTROTECHNIQUE
INTERNATIONALE
ICS 03.100.50; 03.120.01; 13.020.30 ISBN 978-2-8322-3208-8

– 2 – IEC 61882:2016 © IEC 2016
CONTENTS
FOREWORD. 4
INTRODUCTION . 6
1 Scope . 7
2 Normative references . 7
3 Terms, definitions and abbreviations . 7
3.1 Terms and definitions . 7
3.2 Abbreviations . 9
4 Key features of HAZOP . 10
4.1 General . 10
4.2 Principles of examination. 11
4.3 Design representation . 12
4.3.1 General . 12
4.3.2 Design requirements and design intent . 13
5 Applications of HAZOP . 13
5.1 General . 13
5.2 Relation to other analysis tools . 14
5.3 HAZOP study limitations . 14
5.4 Risk identification studies during different system life cycle stages . 15
5.4.1 Concept stage . 15
5.4.2 Development stage . 15
5.4.3 Realization stage . 15
5.4.4 Utilization stage . 15
5.4.5 Enhancement stage . 16
5.4.6 Retirement stage. 16
6 The HAZOP study procedure . 16
6.1 General . 16
6.2 Definitions . 17
6.2.1 Initiate the study . 17
6.2.2 Define scope and objectives . 17
6.2.3 Define roles and responsibilities . 18
6.3 Preparation . 19
6.3.1 Plan the study . 19
6.3.2 Collect data and documentation . 20
6.3.3 Establish guide words and deviations . 20
6.4 Examination . 21
6.4.1 Structure the examination . 21
6.4.2 Perform the examination . 22
6.5 Documentation and follow up . 24
6.5.1 General . 24
6.5.2 Establish method of recording . 25
6.5.3 Output of the study. 25
6.5.4 Record information . 25
6.5.5 Sign off the documentation . 26
6.5.6 Follow-up and responsibilities . 26
Annex A (informative) Methods of recording . 27

IEC 61882:2016 © IEC 2016 – 3 –
A.1 Recording options . 27
A.2 HAZOP worksheet . 27
A.3 Marked-up representation . 28
A.4 HAZOP study report . 28
Annex B (informative) Examples of HAZOP studies . 29
B.1 General . 29
B.2 Introductory example . 29
B.3 Procedures . 34
B.4 Automatic train protection system . 37
B.4.1 General . 37
B.4.2 Application . 37
B.5 Example involving emergency planning . 40
B.6 Piezo valve control system . 44
B.7 HAZOP of a train stabling yard horn procedure . 48
Bibliography . 59

Figure 1 – The HAZOP study procedure . 17
Figure 2 – Flow chart of the HAZOP examination procedure – Property first sequence . 23
Figure 3 – Flow chart of the HAZOP examination procedure – Guide word first
sequence . 24
Figure B.1 – Simple flow sheet . 30
Figure B.2 – Train-carried ATP equipment . 37
Figure B.3 – Piezo valve control system . 44

Table 1 – Example of basic guide words and their generic meanings . 11
Table 2 – Example of guide words relating to clock time and order or sequence . 12
Table 3 – Examples of deviations and their associated guide words . 21
Table B.1 – Properties of the system under examination . 30
Table B.2 – Example HAZOP worksheet for introductory example . 31
Table B.3 – Example HAZOP worksheet for procedures example . 35
Table B.4 – Example HAZOP worksheet for automatic train protection system . 38
Table B.5 – Example HAZOP worksheet for emergency planning . 41
Table B.6 – System design intent . 45
Table B.7 – Example HAZOP worksheet for piezo valve control system. 46
Table B.8 – Operational breakdown matrix for train stabling yard horn procedure . 50
Table B.9 – Example HAZOP worksheet for train stabling yard horn procedure . 53

– 4 – IEC 61882:2016 © IEC 2016
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
HAZARD AND OPERABILITY STUDIES (HAZOP STUDIES) –
APPLICATION GUIDE
FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 61882 has been prepared by IEC technical committee 56:
Dependability.
This second edition cancels and replaces the first edition published in 2001. This edition
constitutes a technical revision.
This edition includes the following significant technical changes with respect to the previous
edition:
a) clarification of terminology as well as alignment with terms and definitions within
ISO 31000:2009 and ISO Guide 73:2009;
b) addition of an improved case study of a procedural HAZOP.

IEC 61882:2016 © IEC 2016 – 5 –
The text of this standard is based on the following documents:
FDIS Report on voting
56/1653/FDIS 56/1666/RVD
Full information on the voting for the approval of this standard can be found in the report on
voting indicated in the above table.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.
The committee has decided that the contents of this publication will remain unchanged until
the stability date indicated on the IEC website under "http://webstore.iec.ch" in the data
related to the specific publication. At this date, the publication will be
• reconfirmed,
• withdrawn,
• replaced by a revised edition, or
• amended.
– 6 – IEC 61882:2016 © IEC 2016
INTRODUCTION
This standard describes the principles for and approach to guide word-driven risk
identification. Historically this approach to risk identification has been called a hazard and
operability study or HAZOP study for short. This is a structured and systematic technique for
examining a defined system, with the objectives of:
• identifying risks associated with the operation and maintenance of the system. The
hazards or other risk sources involved can include both those essentially relevant only to
the immediate area of the system and those with a much wider sphere of influence, for
example some environmental hazards;
• identifying potential operability problems with the system and in particular identifying
causes of operational disturbances and production deviations likely to lead to non-
conforming products.
An important benefit of HAZOP studies is that the resulting knowledge, obtained by identifying
risks and operability problems in a structured and systematic manner, is of great assistance in
determining appropriate remedial measures.
A characteristic feature of a HAZOP study is the examination session during which a multi-
disciplinary team under the guidance of a study leader systematically examines all relevant
parts of a design or system. It identifies deviations from the system design intent utilizing a
set of guide words. The technique aims to stimulate the imagination of participants in a
systematic way to identify risks and operability problems. A HAZOP study should be seen as
an enhancement to sound design using experience-based approaches such as codes of
practice rather than a substitute for such approaches.
Historically, HAZOP and similar studies were described as hazard identification as their
primary purpose is to test in a systematic way whether hazards are present and, if so,
understand both how they could result in adverse consequences and how such consequences
could be avoided through process redesign. ISO 31000:2009 defines risk as the effect of
uncertainty on objectives, with a note that an effect is a deviation from the expected.
Therefore HAZOP studies, which consider deviations from the expected, their causes and
their effect on objectives in the context of process design, are now correctly characterized as
powerful risk identification tools.
There are many different tools and techniques available for the identification of risks, ranging
from checklists, failure modes and effects analysis (FMEA) to HAZOP. Some techniques, such
as checklists and what-if/analysis, can be used early in the system life cycle when little
information is available, or in later phases if a less detailed analysis is needed. HAZOP
studies require more detail regarding the systems under consideration, but produce more
comprehensive information on risks and weaknesses in the system design.
The term HAZOP is sometimes associated, in a generic sense, with some other hazard
identification techniques (e.g. checklist HAZOP, HAZOP 1 or 2, knowledge-based HAZOP).
The use of the term with such techniques is considered to be inappropriate and is specifically
excluded from this document.
Before commencing a HAZOP study, it should be confirmed that it is the most appropriate
technique (either individually or in combination with other techniques) for the task in hand. In
making this judgment, consideration should be given to the purpose of the study, the possible
severity of any consequences, the appropriate level of detail, the availability of relevant data
and resources and the needs of decision-makers.
This standard has been developed to provide guidance across many industries and types of
system. There are more specific standards and guides within some industries, notably the
process industries where the technique originated, which establish preferred methods of
application for these industries. For details see the bibliography at the end of this standard.

IEC 61882:2016 © IEC 2016 – 7 –
HAZARD AND OPERABILITY STUDIES (HAZOP STUDIES) –
APPLICATION GUIDE
1 Scope
This International Standard provides a guide for HAZOP studies of systems using guide
words. It gives guidance on application of the technique and on the HAZOP study procedure,
including definition, preparation, examination sessions and resulting documentation and
follow-up.
Documentation examples, as well as a broad set of examples encompassing various
applications, illustrating HAZOP studies are also provided.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and
are indispensable for its application. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any
amendments) applies.
IEC 60050-192, International electrotechnical vocabulary – Part 192: Dependability (available
at http://www.electropedia.org)
3 Terms, definitions and abbreviations
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in IEC 60050-192 and the
following apply.
NOTE Within this clause, the terms defined are in italic type.
3.1.1
characteristic
qualitative or quantitative property
EXAMPLE Pressure, temperature, voltage.
3.1.2
consequence
outcome of an event affecting objectives
Note 1 to entry: An event can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and can have positive or negative effects on
objectives.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
[SOURCE: ISO Guide 73:2009, 3.6.1.3]

– 8 – IEC 61882:2016 © IEC 2016
3.1.3
control
measure that is modifying risk (3.1.12)
Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO Guide 73:2009, 3.8.1.1]
3.1.4
design intent
designer’s desired, or specified range of behaviour for properties which ensure that the item
fulfills its requirements
3.1.5
property
constituent of a part which serves to identify the part’s essential features
Note 1 to entry: The choice of properties can depend upon the particular application, but properties can include
features such as the material involved, the activity being carried out, the equipment employed, etc. Material should
be considered in a general sense and includes data, software, etc.
3.1.6
guide word
word or phrase which expresses and defines a specific type of deviation from a property’s
design intent
3.1.7
harm
physical injury or damage to the health of people or damage to assets or the environment
3.1.8
hazard
source of potential harm (3.1.7)
Note 1 to entry: Hazard can be a risk source (3.1.14).
[SOURCE: ISO Guide 73:2009, 3.5.1.4]
3.1.9
level of risk
magnitude of a risk (3.1.12) or combination of risks, expressed in terms of the combination of
consequences (3.1.2) and their likelihood
[SOURCE: ISO Guide 73:2009, 3.6.1.8]
3.1.10
manager
person with responsibility for a project, activity or organization.
3.1.11
part
section of the system which is the subject of immediate study
Note 1 to entry: A part can be physical (e.g. hardware) or logical (e.g. step in an operational sequence).
3.1.12
risk
effect of uncertainty on objectives

IEC 61882:2016 © IEC 2016 – 9 –
Note 1 to entry: An effect is a deviation from the expected – positive and/or negative.
Note 2 to entry: Objectives can have different aspects (such as financial, health and safety, and environmental
goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
Note 3 to entry: Risk is often characterized by reference to potential events and consequences (3.1.2) or a
combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated likelihood of occurrence.
Note 5 to entry: Uncertainty is the state, even partial, or deficiency of information related to, understanding or
knowledge of an event, its consequence, or likelihood.
[SOURCE: ISO Guide 73:2009, 1.1]
3.1.13
risk identification
process of finding, recognizing and describing risks (3.1.12)
Note 1 to entry: Risk identification involves the identification of risk sources (3.1.14), events, their causes and
their potential consequences (3.1.2).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions,
and stakeholder's needs.
[SOURCE: ISO Guide 73:2009, 3.5.1]
3.1.14
risk source
element which alone or in combination has the intrinsic potential to give rise to risk (3.1.12)
Note 1 to entry: A risk source can be tangible or intangible.
[SOURCE: ISO Guide 73:2009, 3.5.1.2]
3.1.15
risk treatment
process to modify risk (3.1.12)
Note 1 to entry: Risk treatment can involve:
– avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
– taking or increasing risk in order to pursue an opportunity;
– removing the risk source (3.1.14);
– changing the likelihood;
– changing the consequences (3.1.2);
– sharing the risk with another party or parties (including contracts and risk financing); and
– retaining the risk by informed decision.
Note 2 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk
mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 3 to entry: Clarification of risk treatment and risk control (3.1.3) – a risk control is already in place whereas a
risk treatment is an activity to improve risk controls. Hence, an implemented treatment becomes a control.
[SOURCE: ISO Guide 73:2009, 3.8.1, modified — Note 3 to entry replaces the existing note 3]
3.2 Abbreviations
ATP automatic train protection
EER escape, evacuation and rescue
ETA event tree analysis
– 10 – IEC 61882:2016 © IEC 2016
FMEA failure mode and effects analysis
FTA fault tree analysis
GPA general purpose alarm
HAZOP hazard and operability
LH left hand
LOPA layer of protection analysis
OIM offshore installation manager
P&IDs process and instrumentation diagrams
PAPA prepare to abandon platform alarm
PA public address
PES programmable electronic system
PPE personal protective equipment
QP qualified person
RH right hand
4 Key features of HAZOP
4.1 General
A HAZOP study is a detailed process carried out by a dedicated team to identify risks and
operability problems. HAZOP studies deal with the identification of potential deviations from
the design intent, examination of their possible causes and assessment of their
consequences.
Key features of a HAZOP study include the following.
• The study is a creative process that proceeds by systematically using a series of
guide words to identify potential deviations from the design intent and employing these to
stimulate team members to envisage how the deviation might occur and what might be the
consequences.
• The study is carried out under the guidance of a trained and experienced study leader,
who has to ensure comprehensive coverage of the system under study, using logical,
analytical thinking. The study leader is preferably assisted by a recorder who records
pertinent data associated with identified risks and/or operational disturbances for risk
analysis, evaluation and treatment.
• The study relies on specialists from various disciplines with appropriate skills and
experience who display intuition and good judgement.
• The study should be carried out in an atmosphere of critical thinking in a frank and open
atmosphere.
• A HAZOP study produces minutes or software to record the deviations, their causes,
consequences and recommended actions together with marked up drawings, documents
or other representations of the system that indicate the associated minute number and
where possible the recommended action.
• The development of risk treatment actions for identified risks or operability problems is not
a primary objective of the HAZOP examination, but recommendations should be made
where appropriate and recorded for consideration by those responsible for the design of
the system.
• The initial HAZOP study might be done in a progressive fashion so that design changes
can be incorporated but the completed HAZOP study has to correlate to the final design
intent.
IEC 61882:2016 © IEC 2016 – 11 –
• Existing HAZOP studies should be reviewed at regular intervals to evaluate whether there
have been any changes to the design intent or hazards and also during other stages in the
life cycle such as the enhancement stage.
4.2 Principles of examination
The basis of a HAZOP study is a “guide word examination” which is a deliberate search for
deviations from the design intent. To facilitate the examination, a system is divided into parts
in such a way that the design intent or function for each part can be adequately defined. The
size of the part chosen is likely to depend on the complexity of the system and the potential
magnitude and significance of the consequence. In complex systems or those where the level
of risk might be expected to be high, the parts are likely to be small in comparison to the
system. In simple systems or those where the level of risk might be expected to be low, the
use of larger parts will expedite the study.
The design intent for a given part of a system is expressed in terms of properties, which
convey the essential characteristics of the part and which represent natural divisions of the
part. The selection of properties to be examined is to some extent a subjective decision in
that there might be several combinations which will achieve the required purpose and the
choice can also depend upon the particular application. Parts can be discrete steps or stages
in a procedure, clauses in a contract, individual signals and equipment items in a control
system, equipment or components in a process or electronic system, etc.
In some cases it might be helpful to express the function of a part in terms of:
– the input material taken from a source;
– an activity which is performed on that material;
– an output which is taken to a destination.
Thus the design intent will contain the following elements: inputs and outputs, functions,
activities, sources and destinations, which can be viewed as properties of the part.
Properties can often be usefully defined further in terms of characteristics that can be either
quantitative or qualitative. For example, in a chemical system, the inputs could be defined
further in terms of characteristics such as temperature, pressure and composition. For a
transport activity, characteristics such as the rate of movement, the load or the number of
passengers might be relevant. For computer-based systems, communication, interfaces, and
data processing are likely to be the characteristic of each part.
For each part in turn, the HAZOP study team examines each property for deviation from the
design intent which can lead to undesirable (or desirable) consequences. The identification of
deviations from the design intent is achieved by a questioning process using predetermined
guide words. The role of the guide word is to stimulate imaginative thinking, to focus the study
and elicit ideas and discussion, thereby maximizing the chances of study completeness. An
example of basic guide words and their meanings is given in Table 1.
Table 1 – Example of basic guide words and their generic meanings
Guide word Meaning
NO OR NOT Complete negation of the design intent
MORE Quantitative increase
LESS Quantitative decrease
AS WELL AS Qualitative modification/increase
PART OF Qualitative modification/decrease
REVERSE Logical opposite of the design intent
OTHER THAN Complete substitution

– 12 – IEC 61882:2016 © IEC 2016
A further example of additional guide words relating to clock time and order or sequence is
given in Table 2.
Table 2 – Example of guide words relating to clock time and order or sequence
Guide word Meaning
EARLY Relative to the clock time
LATE Relative to the clock time
BEFORE Relating to order or sequence
AFTER Relating to order or sequence

Additional guide words can be used to facilitate identification of deviation, provided they are
identified before the examination commences.
Having selected a part for examination, the design intent of that part is specified in terms of
discrete properties. Each relevant guide word is then applied to each property, thus a
thorough search for deviations is carried out in a systematic manner. Having applied a
guide word, possible causes and consequences of a given deviation are examined and
mechanisms for control of the predicted consequences can also be investigated. The results
of the examination are recorded in an agreed format (see 6.5.2).
Guide word/property associations can be regarded as a matrix. Within each cell of the matrix
thus formed will be a specific guide word/property combination. To achieve a comprehensive
risk identification, it is necessary that the properties cover all aspects of the design intent and
guide words cover all possible deviations. Not all combinations will give credible deviations,
so the matrix can have several empty spaces when all guide word/property combinations are
considered.
In general the study leader will predefine the applicable guide word/property combinations to
make the risk identification process more efficient and make best use of the participant
expertise and time.
There are two possible sequences in which the cells of the matrix can be used for the
examination of the chosen part: column by column (i.e. property first), or row by row (i.e.
guide word first). The details of examination are outlined in 6.4 and both forms of examination
are illustrated in Figures 2 and 3. In principle the results of the examination should be the
same.
As well as applying guide words to defined properties of a part there can be other attributes
such as access, isolation, control, and the work environment (noise, lighting, etc.) that are
important to the desired operation of the system and to which a subset of the guide words can
be applied.
4.3 Design representation
4.3.1 General
An accurate and complete design representation of the system under study is a prerequisite
to the examination task. A design representation is a descriptive model of the system
adequately describing the system under study, its parts and identifying their properties. The
representation could be of the physical design or of the logical design and it should be made
clear what is represented.
The design representation should convey the system function of each part and element in a
qualitative or quantitative manner. It should also describe the interactions of the system with
other systems, with its operator/user and possibly with the environment. For example, P&IDs
are likely to provide the level of detail required for the design representation. The

IEC 61882:2016 © IEC 2016 – 13 –
conformance of properties or characteristics to their design intent determines the correctness
of operations and in some cases the safety of the system.
The representation of the system consists of two basic components:
– the system requirements; and
– a physical and/or logical description of the design.
The value of a HAZOP study depends on the completeness, adequacy and accuracy of the
design representation including the design intent. Any modifications from the original design
should be shown in the design representation. Before starting the examination, the team
should review this information package, and if necessary have it revised so that it accurately
represents the system.
4.3.2 Design requirements and design intent
The design requirements consist of qualitative and quantitative requirements that the system
has to satisfy, and provide the basis for development of system design and design intent. All
reasonably foreseen ways in which the system could be used or misused should be identified.
Both the design requirements and resulting design intent have to meet customer requirements
and those of any relevant legislation, norms or standards.
On the basis of system requirements, a designer develops the system design; for instance, a
system configuration is arrived at, and specific functions are assigned to subsystems and
components. Components are specified and selected. The designer should not only consider
what the system should do, but also ensure that it will not fail under any foreseeable set of
conditions, or that it will not fail or degrade during the specified lifetime. Undesirable
behaviours or features should also be identified so they can be designed out, or their effects
minimized by appropriate design or maintenance.
The design intent forms a baseline for the examination and should be accurate and correct, as
far as possible. The verification of design intent (see IEC 61160) is outside of the scope of the
HAZOP study, but the study leader should ascertain that it is accurate and correct to allow the
study to proceed. In general most documented design intents are limited to basic system
functions and parameters under normal operating conditions.
Reasonably foreseeable abnormal operating conditions and undesirable activities that might
occur (e.g., severe vibrations, extreme weather events, abnormal stoppages or third party
interventions) should be identified and considered during the examination. Also deterioration
mechanisms such as decay, corrosion and non-compliance of procedures and other
mechanisms which cause deterioration in system properties should be identified and
considered in a study using appropriate guide words. If necessary, a more detailed study
looking specifically at failure modes and effects may be required (see IEC 60812).
Expected life, reliability, maintainability and supportability should also be identified and
considered together with risk sources which could be encountered during maintenance and
logistic support activities, provided they are included in the scope of the HAZOP study.
5 Applications of HAZOP
5.1 General
Originally a HAZOP study was a technique developed for systems involving the treatment of a
fluid medium or other material flow in the process industries where it is now a major element
of process safety management. However its area of application has steadily widened in recent
years and for example includes usage for:
– software applications including programmable electronic systems;

– 14 – IEC 61882:2016 © IEC 2016
– systems involving the movement of people by transport modes such as road, rail, and air;
– examining different operating sequences and procedures;
– assessing administrative procedures in different industries;
– assessing specific systems, for example medical devices;
– software and code development;
– assessing proposed organizational change and defining the mechanisms to achieve those
changes;
– testing and improving draft contracts and other legal documents;
– testing and improving documents including instructions and procedures for critical
activities.
A HAZOP study is particularly useful for identifying weaknesses in systems (existing or
proposed) involving the flow of materials, people or information, or a number of events or
activities in a planned sequence or the procedures controlling such a sequence. HAZOP
studies can also be used for non-operational conditions such as storage and transport. As
well as being a valuable tool in
...