Gem 0011

Global Engineering Method GEM 0011
Revision: 3
Safety Risk Analysis in

accordance with the Machinery
Directive
Supersedes RLN 336 and RLN 337
© Rolls-Royce plc 2007
The information in this document is the property of Rolls-Royce plc and may not be copied,
communicated to a third party, or used for any purpose other than for which it is supplied, without
the express written consent of Rolls-Royce plc.
While this information is given in good faith based upon the latest information available to
Rolls-Royce plc, no warranty or representation is given concerning such information, which must
not be taken as establishing any contractual or other commitment binding upon Rolls-Royce plc
or any of its subsidiary companies
Rolls-Royce Power Engineering plc Rolls-Royce Energy Systems Inc.

Atlantic Industrial Complex 105 North Sandusky Street
Dunnings Bridge Road Mount Vernon
Bootle, Merseyside L30 4UZ Ohio 43050
England USA
www.rolls-royce.com
GEM 0011
Revision 3
Page 2 of 39
EXECUTIVE SUMMARY
This document describes the process used to undertake a project analysis to comply with the Safety
Risk Assessment requirements of the Machinery Directive. This process draws upon the Energy
Business Safety & Reliability process via LOPs C.2.6.A, LOP C.2.6.B & LOP C.2.6.C, and provides
details of how to perform a HAZOP. Specific consideration is given for a Package analysis, with a
worked example based on the generic hazard list included for illustration and clarity.
The HAZOP process has several steps, which are meant to be followed chronologically, and is
especially ideal for new products, and systems in particular. Additionally, the flexibility of the process
allows its steps to be used independently, so an existing product can benefit from an appropriate
HAZOP as well.
Revision 2 – This version brings this document in line with the Energy Business safety processes and
incorporates the Energy Product Safety Review Board policy decision on business representation at
customer HAZOP reviews as per EPSRB meeting 18 Action 5.1.
This document supersedes RLN 336 and RLN 337.
CIRCULATION RESTRICTIONS - NONE
POINT OF EMBODIMENT
Applies to all future, past and present equipments covered by the scope of this document,
retrospective application to be initiated as soon as parts / information are made available at site.
Revision History
Approval Signature,
Revision Revision Description Author
Date
0 First Issue P Rainer HPR 07 Apr 03

Normative references corrected in Sections 2
1 & 5. K. Sharratt P. Rainer 20 Feb 04
Severity clarified in Section 3.4
Extensive redraft to correlate with Energy
S Bramfitt-Reid
2 Safety Review Board current methodology P. Rainer 10 Jan 07
/ P Rainer
ECR 21174
Update table B1, B2 formatting per ECR Peter Rainer
3 G. Vanier 2007.06.18 17:05:05 +01'00'
22606 APPROVED
The information in this document is the property of Rolls-Royce plc and may not be copied, communicated to a third party, or used for
any purpose other than for which it is supplied, without the express written consent of Rolls-Royce plc.
While this information is given in good faith based upon the latest information available to Rolls-Royce plc, no warranty or
representation is given concerning such information, which must not be taken as establishing any contractual or other commitment
binding upon Rolls-Royce plc or any of its subsidiary companies
GEM 0011
Revision 3
Page 3 of 39
TABLE OF CONTENTS
1 SCOPE & INTRODUCTION..................................................................................................... 5
2 CROSS REFERENCE STANDARDS...................................................................................... 6
3 DEFINITIONS........................................................................................................................... 6
3.1 HAZOP .............................................................................................................................. 6

3.2 HAZID................................................................................................................................ 6
3.3 Attribute ............................................................................................................................. 6
3.4 Cause ................................................................................................................................ 6
3.5 Consequence .................................................................................................................... 7
3.6 FMECA.............................................................................................................................. 7
3.7 Guidewords ....................................................................................................................... 7
3.8 Hazard............................................................................................................................... 7
3.9 Hazard Log........................................................................................................................ 7
3.10 Machinery Directive ......................................................................................................... 7
3.11 Operability........................................................................................................................ 7
3.12 P&IDs............................................................................................................................... 7
3.13 Risk .................................................................................................................................. 7
3.14 Systems Integration ......................................................................................................... 7
4 SAFETY RISK ASSESSMENT METHODOLOGY .................................................................. 8
5 THE HAZOP PROCESS .......................................................................................................... 8
5.1 General Introduction.......................................................................................................... 8

5.2 HAZOP Planning............................................................................................................... 9
5.3 Select Team ...................................................................................................................... 9
5.4 Choosing Appropriate HAZOP Technique ........................................................................ 11
6 HAZOP METHODS .................................................................................................................. 12
6.1 Concept HAZOP ............................................................................................................... 12

6.2 Preliminary HAZOP........................................................................................................... 12
6.3 Detailed HAZOP................................................................................................................ 13
6.4 FINAL (VALIDATION) HAZOP.......................................................................................... 14
6.5 MINI (CHANGE) HAZOP .................................................................................................. 15
7 HAZOP METHODOLOGY ....................................................................................................... 16
7.1 Hazard Identification ......................................................................................................... 16

7.2 Hazard Assessment (Risk Ranking) ................................................................................. 17
GEM 0011
Revision 3
Page 4 of 39
8 IMPLEMENTATION GUIDANCE............................................................................................. 18
9 RECORD KEEPING................................................................................................................. 18
9.1 Technical file ..................................................................................................................... 18

9.2 Records ............................................................................................................................. 19
9.3 Standardisation Register................................................................................................... 19
APPENDIX A: PARAMETERS ....................................................................................................... 20
APPENDIX B: PACKAGE SPECIFIC ADDITIONAL INFORMATION........................................... 25
GEM 0011
Revision 3
Page 5 of 39
1 SCOPE & INTRODUCTION
1.1 The scope of this document is to provide the necessary guideline notes to allow the completion
of the Safety Risk Assessment in line with the requirements of the Machinery Directive. This process
draws upon the Energy Business Safety & Reliability process via LOP C.2.6.A, LOP C.2.6.B & LOP
C.2.6.C, and provides details of how to perform a HAZOP. Specific consideration is given for a
Package analysis, with a worked example included for illustration and clarity.
1.2 A safety risk assessment shall be performed per LOP C.2.6.A to determine whether the
equipment being considered will pose a threat to people’s lives, cause major / minor injury to
personnel, during normal operation, maintenance or other activities that can be anticipated for the
working life of the equipment.
1.3 Safety risk assessment is typically performed as a series of steps that allow potential hazards
associated with the equipment to be identified, rated and then systematically investigated for credible
unsafe consequences. Where necessary, and practicable, the safety risk assessment phase is
followed by safety risk reduction. The primary aim of risk reduction is to eliminate hazards but where
this is not possible then to reduce the risk of the unsafe consequences to an acceptable level as per
LOP C.2.6.C. An acceptable level of risk depends on the likelihood of occurrence and the potential
severity of consequences.
1.4 Safety risk assessment and safety risk reduction is an iterative process performed until there is
sufficient evidence that all risks have been adequately eliminated or reduced.
1.5 This document is in line with the Energy Business safety processes and incorporates the
Energy Product Safety Review Board policy decision on business representation at customer HAZOP
and SIL reviews as per EPSRB meeting 18 Action 5.1.
1.6 All customer HAZOP and SIL evaluations shall include quorum representation from the
Packaging OBU, Power Systems & Compressors OBU (including controls) and Safety team taking into
account the depth of the evaluation i.e. where the HAZOP was treating the Package as a black box
only without going into the subsystems, a single representative would probably suffice that was versed
in the interfaces and residual safety risks. The starting point of contact to identify the representative
for each evaluation are: -
a) For a package sub-system design representative – the project IPT Leader
b) For power systems and compressors (including controls) representative – Engineering
Director (currently W Blair 740 393 8681)
c) For safety & reliability representative – Manager Safety & Reliability – Energy Business
(currently S Bramfitt-Reid 514 636 0964 Ext 7478)
1.7 For the purposes of this document only, the term "Rolls-Royce" shall be construed as meaning
and / or referring to "Rolls-Royce Power Engineering plc." and "Rolls-Royce Energy Systems Inc."
either jointly or individually, it is also used by Rolls-Royce Canada as guidance as some subtle
changes are required to comply with their internal processes.
NOTE: This document is an Engineering Standard. No deviations are permitted to instructions

or specifications herein other than those approved in writing by the PCB (Product Change
Board).
GEM 0011
Revision 3
Page 6 of 39
2 CROSS REFERENCE STANDARDS
2.1 ISO 14121 - Safety of Machinery – Principles for Risk Assessment
2.2 ISO 12100-1 Safety of Machinery – Basic concepts, general principles for design - Part 1: Basic
terminology, methodology
2.3 ISO 12100-2 Safety of Machinery – Basic concepts, general principles for design - Part 2:
Technical principles
2.4 The Supply of Machinery (Safety) Regulations (1998)
2.5 ISO/DIS 21789 v1 – Gas Turbine Applications – Safety
2.6 LOP C.2.6.A – Safety & Reliability Management Process for Energy Business Products
2.7 LOP C.2.6.B – Integrated Safety Process for Energy Business Products
2.8 LOP C.2.6.C – Safety Risk Assessment Methodologies for Energy Business Products
2.9 GTER 12327 – Design for Safety - Working Practice
3 DEFINITIONS
3.1 HAZOP
3.1.1 HAZard and OPerability study is a formal technique for identifying the failure modes that
cause process deviations (pressure, temperature, speed, power etc…), procedure deviations and for
assessing the mitigation in place to protect against exceeding operating limits
3.2 HAZID
3.2.1 HAZard IDentification study is less detailed than HAZOP. HAZID utilises more generic
checklists of hazards to prompt review and understanding of the potential design issues at a top level
without going into the specific details of the design. HAZID is often referred to by customers and is
covered by preliminary HAZOP in this document with the associated checklists / guidewords listed in
Appendix A and B.
3.3 Attribute
3.3.1 A physical property of a system such as pressure or temperature.
3.4 Cause
3.4.1 This is the initiating event that can lead to the hazardous condition, such as a failure, error or
control sequence. This can be defined at different levels, from a component failure mode to a loss of
function of a major piece of equipment. The level that is chosen should be consistent throughout the
study or series of studies, wherever possible, and where possible, should help clarify the area in which
activity required to reduce risk.
GEM 0011
Revision 3
Page 7 of 39
3.5 Consequence
3.5.1 This is the end effect of the hazard. Consequences can be used to describe the effect on
the product operability or availability, a person (i.e. accident consequence) or the environment, as
appropriate.
3.6 FMECA
3.6.1 Failure Modes, Effects and Criticality Analysis. Please refer to GTER 10383 for the Energy
Business in-house method, and GTER 10929 for guidelines for suppliers.
3.7 Guidewords
3.7.1 Keywords, concepts and ideas, which can be used to prompt discussion. For process
equipment, guidewords are often a deviation from the norm.
3.8 Hazard
3.8.1 Something that has a potential to cause harm to a person (safety).
3.9 Hazard Log
3.9.1 Record of hazards arising from all sources for the equipment, incorporating residual risks
identified by sub-suppliers and the output from the HAZOPs and other sources to build up the safety
case.
3.10 Machinery Directive
3.10.1 European law regarding machinery safety written to promote free trade across the EU by
ensuring machinery safety standards are the same throughout Europe. The Supply Of Machinery
Regulations implements this into UK law, each member state of the EEA has its own regulations to
implement the Directive
3.11 Operability
3.11.1 The ability of the system / product to operate correctly and safely in normal operation, and
when normal deviations occur.
3.12 P&IDs
3.12.1 Process and Instrumentation Diagrams: Diagrammatical representation of how equipment is

connected together to form a system, showing interfaces and other basic details. Within this document
a reference to P&ID may also include component listings, table of action or cause and effect
documentation that is required to fully understand the P&ID details
3.13 Risk
3.13.1 The combination of the likelihood and the consequence of an incident
3.14 Systems Integration
3.14.1 The process of merging discrete equipments and sub-systems to provide a safe, working
system.
GEM 0011
Revision 3
Page 8 of 39
4 SAFETY RISK ASSESSMENT METHODOLOGY
4.1 In order to comply with the Machinery Directive for a safety risk assessment, the Energy
Business safety process implemented via LOPs C.2.6.A, C.2.6.B & LOP C.2.6.C shall be followed.
LOP C.2.6.C references several hazard identification techniques that can be used including the
HAZard and OPerability (HAZOP) process. This document provides detailed guidance on how to
perform a HAZOP. Specific consideration is given for a Package analysis, with a theoretical worked
example based on the generic hazard list included for illustration and clarity.
5 THE HAZOP PROCESS
5.1 General Introduction
5.1.1 The purpose of this section is to describe the principles and application of HAZard and
OPerability (HAZOP) studies.
5.1.2 HAZOP is a structured and systematic technique for examining a defined system, with the
objective of:
• identifying potential hazards in the system. The hazards involved may include both
those essentially relevant only to the immediate area of the system and those with a
much wider sphere of influence, e.g. some environmental hazards;
• identifying potential operability problems with the system and in particular identifying
causes of operational disturbances and production deviations likely to lead to
nonconforming products.
5.1.3 This is done through a team based, rigorous brainstorming fault or problem identification
methodology based on the systematic application of combinations of attributes (flow, pressure and
temperature) and guidewords (no, more, less) to prompt discussion of potential deviations (no flow,
less pressure) from the design intent or intended operational mode of the product. Credible causes of
deviations are identified for each product section (called node). The consequences arising are then
discussed, assessed and mitigated with actions or requests for further consideration by the project
team. To facilitate examination, the system is divided into parts in such a way that the design intent for
each part (node) can be adequately defined.
5.1.4 This technique has many advantages, including:
• A systemic, structured technique, capable of providing repeatable results
• Auditable
• Uses a multi-disciplined team of experts in the relevant system to identify the widest
possible array of safety risks, unattainable solely by an individual or discipline
review.
• It can be used to address a wide range of hazard types: such as project risk, safety
risk, environmental impact, plant availability impact etc.
• It can be applied to a wide range of plant and processes at any stage in the life
cycle, from concept to decommissioning.
GEM 0011
Revision 3
Page 9 of 39
• The resulting knowledge obtained by identifying potential hazards and operability

problems in a structured and systematic manner, is of great assistance in
determining remedial measures.
5.1.5 However, HAZOP may not always be the best technique for risk analysis, and is best applied
to processes and systems that interact rather than discrete components (see LOP C.2.6.C for other
options).
5.2 HAZOP Planning
5.2.1 Once HAZOP has been determined to be best suited for a particular risk assessment (see
LOP C.2.6.C for choices), some of the key activities involved in planning a HAZOP safety risk analysis
study include:
• Selecting a team
• Choosing Appropriate Technique
• Having pertinent design information available
• Applying HAZOP Procedure
5.3 Select Team
5.3.1 The HAZOP Study techniques are founded on the principle of a team of experts, with
different backgrounds, working together in a systematic study so as to identify more problems than if
they worked separately and combined their results. It also essential that some personnel external to
the project team be present to provide external views.
5.3.2 NOTE – If involved in a customer HAZOP or SIL evaluation then Section 1.6 must be
followed.
5.3.3 The optimum team will usually consist of 7 members, with only 3-4 needed for a Concept
HAZOP. Reviews with more than this number tend to be slow and stilted, and more likely to wander,
despite a good chairman. Too few members can mean that the necessary knowledge base is not
available
5.3.4 It is important, for any study, that full commitment of all participants is obtained and that team
members do go to all the sessions in which their presence is required. If appropriate, the HAZOP
study should be rescheduled to compensate for changes in the availability of key members.
NOTE: If a client is to be represented at a Rolls-Royce Energy Business lead HAZOP, their role
should be agreed as part of the meeting organization process.
GEM 0011
Revision 3
Page 10 of 39
Table 1 Core Attendees

Position Position Description
Chairman Expert in the HAZOP study technique, but not necessarily in the system to be studied,
the chairman should be independent of the project requiring study. This is the person
to lead the meeting and ensure that the schedule is kept, prompting the group where
the discussion is slow and returning to the point if the discussion wanders.
This requires very good interpersonal skills to ensure that strong personalities do not
dominate the group.
The chairman ensures consistency between the study sessions. The series should not
change chairman part way through. The chairman should ensure that the recorder has
taken down an accurate record, which has been agreed by all present, before the
discussion moves on.
Recorder / secretary Person who is competent to understand the issues arising in the meeting, and
responsible for documenting the results. The recorder will be responsible for circulating
the actions following the HAZOP study, and issuing the study report.
Design Expert: For example, the person responsible for designing the system, including the detail
design, and specifying codes and standards for manufacture. If the system contains
instrumentation, then the appropriate control and instrumentation engineer should be
included too.
Operator A person familiar with operating this, or similar systems
Maintainer (if different A person familiar with maintaining this or similar systems
from operator)
Safety Engineer / A person responsible for carrying out the risk assessment process for the system.
Representative
Person Responsible for Person such as the Chief Project Engineer or equivalent, or their delegated
Overall Safety of the representative.
Product
Table 2 Other possible people to include in the study:
Position Position Description

Client’s Representative The person delegated by the client to represent them, i.e. Client’s Engineer.
Service Provider Where a service is provided to the equipment, i.e. gas supply, air supply, oil supply,
Representative coolant supply, then a person representing the service provider.
Manufacturer The person making the system, responsible for ensuring build quality
Specialist Other experts as required. Experts may include specialists in: fatigue, metallurgist,
performance, development, fire protection, etc.
5.3.5 An individual may have more than one role to play in the HAZOP study, but it is important to
realize that the chairman or recorder will be less effective if they have an assessment role to play in
addition to their organizational role.
5.3.6 The name, role, and competence in the role for each participant should be logged at the start
of the meeting. If a person only attends part of the meeting, it should be clear which part he attended.
If a person delegates any of his actions to others, then the other person’s details should be registered
also.
5.3.7 The chairman and HAZOP study organizers should be sure that the team is competent to
give a reasonable estimate of consequences and consequence frequency when this is included as
part of the meeting.
GEM 0011
Revision 3
Page 11 of 39
5.3.8 It is not always possible to HAZOP study the whole system because some areas are outside
of the scope of supply. The person responsible for the equipment the other side of the interface
should be involved in the study. The service provider representative should be able to explain the
possible deviations from the normal supply conditions which can occur (including fault conditions) and
the client’s representative should be able to explain the downstream effects of a failure with our plant
or package.
5.4 Choosing Appropriate HAZOP Technique
5.4.1 HAZOP shall integrate all key safety system interactions. (Even if these are supplied by end
user or third party) Consideration given to “others” scope shall be formally documented.
5.4.2 Ideally, an assessment for a new design should follow the entire process as shown in Figure
1. However, a HAZOP study can be carried out at any point in the life cycle of the product. At each
point in time, the purpose and benefits in doing the study will vary. Figure 1 provides guidance on
which method to use depending on the Stage of the project. The Safety and Reliability Plan report, as
required by LOP C.2.6.A, will outline the methodology to be followed for new designs and the level of
HAZOPs to be included.
Fundamental Design Optimize Verify/validate Monitor
Hardware design Design/optimization

Integrated System
Control Design Optimization
Concept Preliminary Detailed Final Change

HAZOP HAZOP HAZOP (validation) HAZOP
HAZOP
Preliminary hardware Critical P&ID

Design Review Review
New Project Full Concept Product

Planning Definition In Service
Realization Support
(Stage 1) (Stage 2)
(Stage 3) (Stage 4)
Figure 1 - Timing of Hazard Assessments within the Product Life Cycle
5.4.3 Additionally, the full HAZOP methodology may not be necessary for every product risk
assessment. Deviations to the full procedure will depend on the objective and scope of the
assessment. For example, existing designs may need only a Change or Detailed HAZOP, and even
new designs may require only a Detailed and Final HAZOP if sufficiently small.
5.4.4 When defining scope, the system boundaries should be given special thought before the
commencement of the study. It is important to realize that when analysing a system, which is part of a
machine, the HAZOP study technique covers the system as a whole and not divided into parts as
supplied by sub-suppliers. This gives a better appreciation to each sub-supplier of the impact of their
scope of supply on the rest of the machine. Consequently, the system to be analysed should be set to
include all equipment filled with a particular fluid, or all equipment associated with a particular function.
This is not always possible however, as either the equipment interfaces with other products or with a
service outside our scope (i.e. gas supply, water supply, etc.).
5.4.5 By defining scope in this manner, the HAZOP Study can then be used to help demonstrate
“Systems Integration”, which is an essential requirement of the Machinery Directive.
GEM 0011
Revision 3
Page 12 of 39
6 HAZOP METHODS
6.1 Concept HAZOP
6.1.1 General
6.1.1.1 Concept HAZOP Studies are the initial kick-off of the HAZOP process for new designs. The
process is done very early in the design phase for the specific purpose of influencing the
initial design by bringing into focus wider safety, health, and environmental issues through
the use of general deviations or generic hazards (see Appendix A and B). These deviations
and generic hazards are looked at one by one to brainstorm all foreseeable potential
hazards of the design concepts, which then go on a Hazard List. These key hazards can
then be mitigated in the initial design. The goal is encourage a conceptually safe design with
no major hazards to the overall system.
6.1.1.2 It is not meant to assess specific parameters or modes of operation for hazards, as this
requires information simply not available at this stage of design. That task is delegated to
the preliminary and detailed HAZOPs.
6.1.2 Collecting Information
6.1.2.1 Concept HAZOPs are typically performed using basic, but workable conceptual designs.
These include schematics or early drawings of the design.
6.2 Preliminary HAZOP
6.2.1 General
6.2.1.1 The Preliminary HAZOP steers the focus of hazard identification toward the main process
assumptions of the design. No instrumentation or controls have yet been defined, and so it
becomes this phases’ sole purpose to analyse the fundamental hardware design.
6.2.1.2 A more in-depth study than Concept HAZOP, this study implements the full HAZOP
Methodology, with all guidewords/parameters/modes of operation/generic hazards assessed
for each node. The objective is to optimise the design so as to minimize later rework. The
full teams’ presence is required for this stage.
Note: The customer may perform a HAZID of the design in a top level review similar to the
preliminary HAZOP as it uses generic risk lists, see Appendix A and B.
6.2.2.1 Preliminary HAZOPs are performed on early P&IDs or block diagrams of the process. Other
previous HAZOP and FMEA reports on the same or similar systems, as well as Hazard logs
and Safety Hazard Reports, can also be of value.
6.2.3 Defining Key Nodes
6.2.3.1 For preliminary HAZOPS, the nodes should be large due to still limited engineering details
available, and should focus more on the operations themselves.
6.2.4 Project Records
GEM 0011
Revision 3
Page 13 of 39
6.2.4.1 The Preliminary HAZOP Report will include all appropriate parameter combinations, along
with the details of each hazard (node, mode, design intent, recommendations, etc.) called a
HAZOP Sheet. There is no defined set of required information, however a minimum set must
include deviation, cause, consequence, and action (recommendation). A more typical
example entry in given below.
Figure 2 - Sample HAZOP Sheet

6.2.4.2 A slightly different version of HAZOP Sheet for package-specific product reports is given in
Appendix B based on the generic hazard list. For RRESI / RRPE this is the standard form
(GEMF0011) and can be obtained from engportal at the following URL.
http://engportal/Forms .
6.2.4.3 These records will provide the basis for the hazard log and can be used as evidence of
system integration in design for compliance with the Machinery Directive.
6.2.5 Results
6.2.5.1 Residual risk statements may need to be issued to End user / third party if key safety
systems are supplied by them.
6.2.5.2 By the end of this phase, the HAZOP Team will have:
• Defined the required Safety & Reliability functions (control logic,

valves/instrumentation devices) of the system, so they can be incorporated into the
design of the P&IDs.
• Assessed all hazards, and created a list of unacceptable Residual Risks that need to
be addressed for the hardware design of the P&IDs as well.
6.2.6 Documentation
6.2.6.1 The following items should be included in the HAZOP report, or cross referenced if the
documentation exists elsewhere (to avoid duplication of documents):
• Scope
• System description
• Hazard Sheets
• Summary list of safety functions/mitigation
• Marked-up drawings/schematics
• Residual Risk Statements
6.3 Detailed HAZOP
GEM 0011
Revision 3
Page 14 of 39
6.3.1 General
6.3.1.1 The Detailed HAZOP is the main assessment tool where the bulk of a full HAZOP study is
done and can only be done once the products design is fully completed. The purpose of this
phase is to ensure that hardware and controls have been integrated together effectively to
perform their intended Safety & Reliability functions. This phase focuses on assessing the
systems’ ability to safely and sensibly accommodate deviations from normal operating
conditions through the use of the full HAZOP Methodology on all details of the product.
6.3.1.2 This is expected to be the final check for hazards in the design. With the exception of a few
possible changes brought up in Change HAZOPs (see section 5.5.5), the Hazard Log
contains the final list of hazards and their mitigations to be uncovered before final validation.
It is therefore essential that this HAZOP be performed to the best possible degree, with the
best choice in experts from all necessary fields.
6.3.1.3 Standard issues to assess may include:
• Specific operating limits of hardware (max limits, relief valve flow rates, etc.)
• Trip/alarm settings of controls
• Permissive/control logic
• Validation testing that needs to be done on first of type and subsequent builds
6.3.2.1 Detailed HAZOPs are performed solely on the “design frozen” final drawings. These include
P&IDs and associated Schedule of Action (control systems’ “cause and effect” logic), or
detailed Mechanical Drawings.
6.3.3 Defining Key Nodes
6.3.3.1 Nodes for Detailed HAZOPs should consist of segments with the same operating
characteristics, broken down from a subsystem level. Thus, piping running from a
compressor to a vessel could be one node. The vessel would be another node and so on.
The comprehensive analysis of such precise and detailed nodes (usually on a P&ID) is what
provides the completeness necessary for such an assessment.
6.3.4 Project Records
6.3.4.1 All information concerning each mode must be recorded on a HAZOP Sheet entry form.
6.3.5 Results
6.3.5.1 By the end of this phase, the HAZOP Team will have:
• Completed all HAZOP Sheets, which contain the final actions to be raised and
recommendations to the products’ design before final validation.
6.3.6 Documentation
6.3.6.1 Same as Preliminary HAZOP.
6.4 FINAL (VALIDATION) HAZOP
GEM 0011
Revision 3
Page 15 of 39
6.4.1 General
6.4.1.1 The Validation HAZOP is meant to close out the HAZOP process. This occurs prior to
Critical Design Review, when the P&IDs are frozen, with its purpose to confirm that all
Hazards brought up by the Hazard Log are properly mitigated against, and all
recommendations were put into place. The technique is the same as the Main study but the
team is limited to looking at changes rather than reviewing the agreed design. Once a
design passes this stage, it is approved for design, and can begin construction.
6.4.1.2 Not all Team Attendees may be necessary at this phase, and may simply involve signing off
the risks by the appropriate personnel.
6.4.2 Results
6.4.2.1 The result of this phase is the validation of the products design, where it is ready for Critical
Design Review.
6.5 MINI (CHANGE) HAZOP
6.5.1 General
6.5.1.1 Although no changes are expected, some may occur after the Detailed HAZOP. These
changes must be formally risk assessed, and a HAZOP may be carried out if deemed
appropriate. In such a case, only the team members with expertise in the specific area of
the hazard need attend the meeting(s) but the formal recording of the meeting(s) should be
witnessed by chairman of the main HAZOP
GEM 0011
Revision 3
Page 16 of 39
7 HAZOP METHODOLOGY
7.1 Hazard Identification
7.1.1 The flowchart (Fig 3) below describes the HAZOP hazard identification procedure.
Figure 3 HAZOP flow chart
GEM 0011
Revision 3
Page 17 of 39
Relevant expert(s) will describe the overall design intent to the team. This description should include:
• How it works
• The operation cycle
• Key operating parameters (such as important pressures and temperatures)
• Any relevant considerations for design, manufacture, installation & commissioning,

etc. phases.
• Currently identified hazards and mitigations (where known)
7.1.2 Select a node, if possible break the node up into smaller items or groups, and select one.
7.1.3 Consider each possible combination of mode + guideword + attributes. These parameter
sets shall be assessed for credibility. Not all combinations are realistic, and those, which are not
credible, will be discarded.
7.1.4 For all credible deviations, its potential cause(s) will be determined. It is very possible to
have several causes for a single deviation scenario, and each cause must be looked at separately for
consequences.
7.1.5 Any cause for which its consequence affects the safety of the product becomes a hazard.
7.1.6 Iterate this procedure for each node and sub-divisions within the node.
7.2 Hazard Assessment (Risk Ranking)
7.2.1 Each hazard will be allocated a probability / severity (without any mitigations or other safety
features of the design being considered). The acceptability of a hazard is then determined by using a
risk matrix.
7.2.2 Figure 4 illustrates analysis of the initial (illustrated by ‘X’) and final results (illustrated by
‘circle’). For present version of RR Energy Business Products Risk Matrix, refer to LOP C.2.6.C.
Figure 4 - Sample Risk Matrix

Green: Acceptable risk Red: Unacceptable risk
Amber: Acceptable risk only if no further risk reduction is practicable using ALARP techniques
(http://www.hse.gov.uk/risk/theory/alarpglance.htm provides guide and definition of ALARP)
GEM 0011
Revision 3
Page 18 of 39
7.2.3 It is normal, although not mandatory, to firstly list all hazards, then allocate initial probabilities /
severities, then finally add the mitigations and re-assess the risk ratings.
7.2.4 These steps can be done during the meeting, however it is usually a more efficient use of
personnel to have the severity, probability, and risk ratings done by experienced attendees once
meeting(s) adjourned.
7.2.5 An appropriate Hazard List or Log will be taken on the results of the meeting.
7.2.6 If after the assessment residual risks remain or mitigations / actions have been identified
which are not yet within the design, then a further analysis has to be undertaken to minimize these
risks and ensure that all close out activities are in place.
7.2.7 If risks cannot be reduced to an acceptable level by the mitigations / design process then
these must be passed on to the user within the residual safety risk statement.
8 IMPLEMENTATION GUIDANCE
Table 3 Implementation guidance
Common Mistakes Implementation Guidance
Too many people Target limiting to 7 people
Nodes not understood Highlight on P&IDs
HAZOPed a wrong assumption Only perform detailed HAZOP on frozen P&IDs. Confirm all
about the design operating limits on the P&IDs. Accept only what is on the
P&ID and cause and effect logic.
Too many recommendations Separate recommendations from less important comments.
HAZOP missed operating limit of Confirm all operating limits and trip settings are on P&IDs
system being less than trip
Consequence not taken to the final Facilitator needs to explain that it is important that we assume
“end” consequence protection devices fail to explore the “end consequence” which
is valuable for verifying the integrity devices.
Clear understanding of design P&ID can be frozen at various stages to allow HAZOP to
studies proceed. It is necessary to ensure the appropriate revision
number is understood. A Change HAZOP could be done
afterwards if necessary on any changes
9 RECORD KEEPING
9.1 Technical file
9.1.1 The Safety Case will form part of the technical file for that project in compliance with the
Supply of Machinery (Safety) Regulations 1998.
GEM 0011
Revision 3
Page 19 of 39
NOTE: some projects may require a safety risk assessment to be carried out in accordance
with this guideline document but not require the construction of a formal technical file. In this
case it is prudent to file the Safety Case together with the project records.
9.2 Records
9.2.1 Records shall be kept for a minimum of 10 years after despatch of the last equipment that they
pertain to for compliance with EEC regulations. Irrespective of EEC legal requirement to retain
documents for 10 years, consideration shall be given to retain pertinent safety documentation for the
life of the equipment until after its disposal.
9.2.2 If equipment, at end of life, is sold to a third party rather than disposed of, then specialist legal
advice shall be sought to ensure minimum company exposure in the event of a future incident.
9.2.3 Additional guidance is given in GQP P.8.5.
9.3 Standardisation Register
9.3.1 The HAZOP records shall be formally issued with a controlled unique document number. The
product Standardisation register will need to be updated to correctly point to these HAZOP records.
(See GER 0158 and its subservient documents)
GEM 0011
Revision 3
Page 20 of 39
APPENDIX A: PARAMETERS
Proper choice of guidewords, attributes, and system modes, are essential for HAZOPs to be
successful. The list and all combinations must be as complete and exhaustive as possible.
Informative lists can be found in Appendix A. They are not necessarily complete lists, and they may
contain inapplicable parameters for the assessed system or node. It is up to the chairman to add or
delete from the lists. Experience in HAZOPs is essential for this task.
GUIDEWORDS
For Preliminary Review HAZOPs, it would be impossible to use the standard parameter lists, as the
required information to assess these are not present at this point I the products life cycle. Therefore, a
more general approach is taken to find hazards, with more system encompassing guidewords used.
Table A1 Preliminary HAZOP Deviations
Guideword Interpretation
• Fire hazards posed by the system.

Fire / overheat
• Fire hazards posed to the system by adjacent systems/plant.
• Explosion hazards posed by the system.
Explosion / detonation
• Explosion hazards posed to the system by adjacent systems/plant.
• Work in confined spaces.
Asphyxiation
• Work in potentially contaminated atmospheres.
Loss of any service upon which the system is reliant for safe and effective
Loss of Services
operation i.e.:
• Loss of/inadequate cooling
• Loss of/inadequate shielding/guarding, interlocks
• Loss of ventilation
For systems incorporating electrical components only, hazards such as
Electrical Hazards
electrocution and fire that arise because the system incorporates an
electrical supply.
• Flooding hazards the system poses to the plant, from any liquid
Flooding
contained by the system.
• Susceptibility of the system to flooding from elsewhere within/beyond
the plant.
Susceptibility of the system to prevailing and extreme weather conditions,
Extreme Weather
including impact damage from windborne debris
• Potential hazards from the system due to sudden release of stored
Disruptive Failures
energy, such as pressurised systems and (high speed) rotating
equipment.
• Equivalent hazards posed to the system by adjacent systems/plant,
including impact.
• Drop loads from other systems, plant, mobile equipment (cranes) etc.
Potential hazards to the environment (working and natural) posed by the
Environmental
system, e.g. toxic/corrosive fluids, biologically active materials. Including:
• Waste/discharge (to air, land or water drains)

• Fugitive Emissions
• Decommissioning and disposal considerations
GEM 0011
Revision 3
Page 21 of 39
Guideword Interpretation
A definition of all interactions between the subject system and any other in
Interactions
the plant and of any potential hazards arising there from, including mixing
Potential hazards to plant/equipment and personnel from the system, e.g.
Hazardous Materials
toxic/corrosive fluids, materials of construction, products of combustion
A definition of the electromagnetic compatibility (EMC) of the system with
Electromagnetic / static
its working environment:
Hazards
• Any potential for the system to act as a source of electromagnetic
interference, e.g. synchronous motors, oscillating relays.
• Equivalent hazards posed to the system by adjacent systems/plant
The assessment should consider interference conducted through data
cables and electrical supply cables, faulty earth cables as well as
transmitted interference.
Also build-up of charge / electrostatics
Potential hazards to operating and maintenance staff because of the
Occupational Hazards
system, e.g. confined access, allergenic reactions to process
materials/materials of construction, i.e.
• Toxicity
• Mechanical handling/manual handling
• Ergonomic/human factors
• Any hazards identified as resulting from process materials or materials
Materials/
of construction; potential adverse reactions between such materials.
Corrosion/Erosion
• Susceptibility of the system to erosion or corrosion, leading to
releases of process or service fluids.
• Any circumstances where failure of the subject system leads
Domino/ cascade /
potentially to the immediate failure of successive systems in the
escalating event
process/operating stream, or of adjacent plant/equipment.
• Any circumstances where failure of the subject system leads to a
delayed failure of successive systems in the process/operating
stream, or of adjacent plant/equipment.
• Any external event which could have similar effect
Hazards during: Maintenance, Construction, Installation, Assembly, and
Life Cycle
Decommissioning. Start-up, Shut down. Catch-all for other hazards arising
from the product life cycle
Anything where human error can play a large part of the hazard severity
Human error
which has not already been considered
Hazards arising from vehicles on or around site
Transport
Hazards arising from earthquakes, and other natural events
Seismicity / Acts of God
Final catch all
Other
GEM 0011
Revision 3
Page 22 of 39
Useful guidewords for all other HAZOPs are as follows:
Table A2 Standard HAZOP Guidewords
Guideword Meaning Interpretation
No / None Complete negation The specified function is not fulfilled; no action is taken.
More Higher than the The specified function is carried out to a greater extent, or
design requirement with greater output, than envisaged - either as required by
the process or as expected from plant analysis and
performance predictions.
Less Lower than the design The specified function is carried out to a lesser extent, or
requirement with lower output, than envisaged - either as required by the
process or as expected from plant analysis and
performance predictions.
As well as Coincident Something else, unexpected/unplanned, occurs

occurrence simultaneously/coincident with execution of the stated
function.
Part of Partial fulfilment of the The function is only partly fulfilled: process does not go to
design requirement completion or the process is only partly applied.
only
Cycling Re-occurring event or The attribute is varying back and forth

oscillation
Reverse Direct contrary Action performed is the opposite of the stated function.
Other than Alternate Some other function or action is carried out, instead of that
function/action stated.
performed
Early Premature action in The stated function is carried earlier than intended, but in
sequence. the correct sequence.
Late Delayed action in The stated function is carried later than intended, but in the
sequence. correct sequence.
Before Premature action out The stated function is executed out of sequence, being
of sequence. performed before a function scheduled earlier in the
sequence.
After Delayed action out of The stated function is executed out of sequence, being
sequence. performed after a function scheduled later in the sequence.
GEM 0011
Revision 3
Page 23 of 39
ATTRIBUTES
The attributes that should be applied are provided below. Not every attribute will apply to each node.
For example, “Level” attribute would apply to a tank node but not to a node of fuel piping; for which,
“Flow” would be appropriate. “Speed” and “Torque” would apply to shafts systems.
Table A3 HAZOP attributes
Attribute Interpretation
Flow The movement of a fluid through the system between the defined nodes (also
covers the pressure differentials in the system between the defined nodes)
Pressure Ambient and average pressure.
Temperature The temperature of the fluid in the system between the defined nodes
Speed The speed of the component
Torque The tendency of a force to move in a rotational direction.
Material The material of the equipment carrying the fluid, or any other equipment which is
part of the system, between the defined nodes
Composition The composition between the defined nodes
Instrumentation / The instrumentation present and the control equipment as far as control and
control instrumentation can influence the behaviour of the system between the defined
nodes
Power The power supply for control / instrumentation / equipment which is part of the
system as far as the power supply can influence the behaviour of the system
between the defined nodes
Static The static generated by the movement of a fluid through the system between the
defined nodes
MODES OF OPERATION
The typical operating modes may include:
• Installation
• Commissioning
• Maintenance
• Start-up. This may be further broken down to:
o Routine Start-up
GEM 0011
Revision 3
Page 24 of 39
o Initial Start-up. Here some special variables may be introduced, such as no initial fluid
in lines (oil, fuel), or untested faulty equipment (internal cracks, manufacture errors)
o Start-up after an emergency. New issues may be particular to this mode, such as
unseen damage done by cause of shutdown; problem not fully solved; faulty
maintenance.
• Normal Operation. This may include:
o Routine operation
o Fuel Transfer
o Transient (accel/decel, power grid spikes)
o Load acceptance/rejection
• Shutdown. This may also be broken down to:
o Routine shutdown
o Shutdown during emergency. Special attention may be necessary as ESD can

produce excess strains on the products systems and parts. Limits may be exceeded.
GEM 0011
Revision 3
Page 25 of 39
APPENDIX B: PACKAGE SPECIFIC ADDITIONAL INFORMATION
B.1 Generic Safety Risk Descriptions
For package specific products, the following is a standard list of generic safety risks to assess. The list
is not exhaustive, and the Chairman will decide whether to add or drop any hazards as part of the
HAZOP. Other generic hazards are documented in ISO 14121 and ISO 21789 which should be
considered. For specific design guidance on safety refer to GTER 12327, ‘Design for Safety - Working
Practice’.
1. Mechanical Hazards
- due to machine parts or work pieces e.g.
a) Shape
b) Relative Location
c) Mass & Stability (potential energy)
d) Mass & Velocity (kinetic energy)
e) Inadequacy of mechanical strength
- due to accumulation of energy inside the machinery e.g.
f) Elastic Elements (springs)
g) Liquids & gases under pressure
h) Effect of vacuum
2. Crushing Hazard
3. Shearing Hazard
4. Cutting or Severing Hazard
5. Entanglement Hazard
6. Drawing in or Trapping Hazard
7. Impact Hazard
8. Stabbing or Puncture Hazard
9. Friction or Abrasion Hazard
10. High Pressure Fluid Injection or ejection hazard
11. Electrical Hazards
a) Contact of person with live parts (direct contact)
b) Contact of person with parts which have become live under faulty conditions (indirect contact)
c) Approach to live parts under High Voltage
d) Electrostatic phenomena
e) Thermal radiation or other phenomena such as projection of molten particles and chemical
effects from short circuits, overloads, etc
12. Thermal Hazard
a) Burns, scalds and other injuries by a possible contact of persons with objects or materials with
an extreme high or low temperature, by flames or explosions and also by the radiation of heat
sources
GEM 0011
Revision 3
Page 26 of 39
b) Damage to health by hot or cold working environment

13. Noise Hazard
a) Hearing loss
b) Interference with communication
14. Vibration Hazard

15. Radiation Hazard
16. Materials and Substances Hazards
a) Contact with personnel
b) Fire or Explosion
c) Bacterial / Biological or microbiological
17. Hazard due to lack of Ergonomic design
18. Hazards due to unexpected Start, Stop or Overspeed
a) Failure / disorder of control system
b) Unexpected restoration of supply
c) External influence on equipment
d) Gravity or Wind
e) Software error
f) Operator error
19. Impossibility of stopping the machine
20. Break up during operation
21. Slip Trip or Fall Hazards
22. Electrical discharge hazard (Lightning)
23. Fire and Explosion Hazards
The application of the generic hazard list to a theoretical package is provided for illustration and clarity
purposes. This is not a substitute for applying the Energy Business safety process via LOP C.2.6.A,
which will draw on the HAZOP process, generic hazard lists and other risk identification techniques as
appropriate to satisfy the business safety requirements for products. In following the Energy Business
safety process the requirements for Safety Risk Assessment as part of the Machinery Directive are
satisfied.
GEM 0011
Revision 3
Page 27 of 39
Table B1 Example of completed theoretical Package Safety Risk Assessment based on the generic hazard list
Risk Risk Description Hazard Hazard Existing or new control Severity Likelihood
Number Number Description measures introduced for Level (LOP (see LOP
mitigation of the identified risk C.2.6.C) C.2.6.C)
1 Mechanical Hazards due to 1.1 a) Sharp corners on baseplates a) Suitable signage & use of PPE IV or III Occasional –
-machine parts or workpieces e.g. could cause injury in case of fall at site needs to be addressed by Remote
a) Shape b) None operator. Minimize trip hazards.
b) Relative Location 1.2 c) Incorrect mechanical handling of c) Suitable tooling is installed for IV, III or II Remote
c) Mass & Stability (potential heavy components can lead to all normal maintenance
injury procedures & is tested to
international standards prior to
use. Maintenance procedures in
manuals give guidance to
personnel
d) Mass & Velocity d) None

e) Inadequacy of mechanical e) Failure of support structure e) As above, Structural calcs &
strength assessments done to Remote
1.3 III or II
international stds
- accumulation of energy inside
the machinery, e.g. g) All hoses designed to
f) Elastic Elements (springs) f) None traditional stds each supplied with
1.4 individual pressure test certs III or II Remote
g) Liquids & gases under pressure g) Under design of flex hose can
h) Effect of vacuum lead to fluid release
h) None
2 Crushing Hazard 2.1 Incorrect mechanical handling of Manuals declare operation III or II Remote
heavy items, (AC Generator, G/box procedures. Special tooling is
internals power turbine rotor & gas supplied.
generator are the major lifts)
3 Shearing Hazard 3.1 None identified
4 Cutting or Severing Hazard 4.1 None identified
The information in this document is the property of Rolls-Royce plc and may not be copied, communicated to a third party, or used for any purpose other than for which it is supplied, without
While this information is given in good faith based upon the latest information available to Rolls-Royce plc, no warranty or representation is given concerning such information, which must not
be taken as establishing any contractual or other commitment binding upon Rolls-Royce plc or any of its subsidiary companies
GEM 0011
Revision 3
Page 28 of 39
5 Entanglement Hazard 5.1 Lack of effective guards on coupling Tools are needed to remove all III or II Remote
or other rotating elements can lead guards. All guards are fabricated
to entanglement. to ensure that personnel cannot
fall into or touch rotating parts.
Access to inside of GT enclosure
is limited whilst machine is in
operation.
6 Drawing-in or Trapping Hazard 6.1 Personnel could become trapped 1) All doors have emergency III or II Remote
inside enclosure. release mechanisms.
2) Practical test to be carried out
prior to ex works to
prove personnel can
open door.
3) Operators permit to work
system controls
access to the
machinery.
4) "Buddy" system for
maintenance crew to
be recommended
within manuals.
GEM 0011
Revision 3
Page 29 of 39
7 Impact Hazard 7.1 Possible ingestion of foreign objects Filters installed. Control Systems III or II Remote
into the intake causing engine adequately protect machinery /
damage if filter system is inoperative personnel.
Intake tract checked and verified
as clean with no loose items
during installation. Filtration
protects system under normal
operation. Manuals define
required operations after
maintenance activity.
8 Stabbing or Puncture Hazard 8.1 None identified
9 Friction or Abrasion Hazard 9.1 None identified
10 High Pressure Fluid injection or 10.1 Fluids emitted from pipework leading All system pipework is hydro II Remote
ejection Hazard to injury tested to a minimum of 1.5 times
MAWP during fabrication, all
welds have appropriate NDE.
When assembled into the
package leak testing carried out.
GEM 0011
Revision 3
Page 30 of 39
11 Electrical Hazards due to All live terminals are shrouded & III or II Remote
9.3.2 a) Contact with live parts – 11.1 a) Injury or death resulting from inside suitable mechanical
direct contact electric shock protection (junction boxes,
terminal boxes) supplied with
correct IP rating.
All electrical systems are
b) Contact with parts that have 11.2 b) Possible electrical discharge designed & tested to International III or II Remote
become live under faulty leading to injury / fire Stds and the component parts are
conditions – indirect contact selected for the appropriate
c) Approach to live parts under Hazard Zone.
high voltage Completion of risk assessments
d) Electrostatic phenomena Fire detection & suppression
system installed. Suitable
e) Thermal radiation / projection of signage installed on all JB's
molten particles containing 110V+
12 Thermal Hazard 12.1 a) Hot surfaces exist within the (inside) – Entry into the enclosure IV or III Occasional -
a) Burns or scalds resulting from package boundary both inside and is restricted by work permit & Remote
hot surfaces (other considerations outside the enclosure. operational procedures. Entry
may be extreme cold, flames or doors are lockable (key control by
explosions) the operator)
Suitable signage to be adjacent to
each entry door
(outside) – Some exhaust
components may be accessible.
Thermal insulation used to reduce
the surface temperature &
suitable labels exist to warn
personnel
GEM 0011
Revision 3
Page 31 of 39
13 Noise Hazard 13.1 Gas turbines generate a significant Signage on doors together with III or II Remote
a) Hearing loss, physiological noise hazard for personnel PPE statements within the
disorders (loss of balance or manuals and site operation
awareness) procedures advise personnel
b) Interference with speech Acoustic enclosure is used to
communication reduce the external noise from
the gas generator
14 Vibration Hazard 14.1 Seismic activity leads to unexpected Machinery has vibration detection None
shutdown to ensure safe shutdown
15 Radiation Hazard 15.1 None identified
16 Materials and Substances 16.1 a1)- Contact with synthetic oils may Operation procedures call for III Occasional -
Hazards cause skin irritation. suitable PPE to be used when Remote
a) Contact with personnel / handling oils
inhalation Use of PPE as described in
16.2 a2)- Contact with leaking battery acid manuals advises personnel. III Occasional -
may cause burn Corrosive label on battery Remote
compartment door, door is
lockable. Lead drip tray fitted
b) Fire or Explosion Fire detection / protection /

b1)- Fire risk from hydrocarbon suppression system is installed Remote
16.3 based fluids. II
Battery enclosure is externally

b2) - Hydrogen build up from vented. Very low leakage rate Improbable
16.4 batteries has potential to lead to from sealed for life batteries I
explosion.
c) – Bacterial / Biological or
microbiological
c) - None
GEM 0011
Revision 3
Page 32 of 39
17 Hazard due to lack of 17.1 None Identified
Ergonomic design
18 Hazards due to unexpected 18.1 a) – Unexpected shutdown due to Machine should fail safe and Depends Design
Start, Stop or Overspeed control failure shutdown on failure of control or on effect assessment
a) Failure / disorder of control other system depending on level required
system of integrity of design and
functional safety
b) Unexpected restoration of 18.2
supply b) – Leads to unexpected start UCP is not able to restart the
machine without the manual None
intervention that is required to
c) External influence on initiate the start sequence
equipment 18.3 c)- None
Excessive vibration will lead to
d) Gravity or Wind d)– Seismic activity leads to safe shutdown. Design None
shutdown incorporates all expected
environmental conditions.
18.4 Software designed as failsafe

system depending on level of
integrity of design and functional Depends Design
e)– Software fracture leads to lack of safety on effect assessment
e) Software error 18.5 required
control.
f) Operator error Operator training & restricted
access / permit to work together
with failsafe software (see
f)- Operator error leads to incorrect
above).
operation mode.
GEM 0011
Revision 3
Page 33 of 39
19 Impossibility of stopping the 19.1 Machine continues to run after Fuel supply valves are fail shut, II Remote
machine command to stop and vent valves fail open.
Multiple failures of control system
at the same time would be
required
20 Break up during operation 20.1 Core machinery failure during Core machinery failure is covered II Remote
service leading to injury by the relevant Risk Review and
close out reports
20.2 Failure of line component leading to

system shutdown System components are
protected by the use of filters to None
collect any debris from failures.
The failures will often result in a
change to some other measured
parameter which in turn leads to a
safe shutdown
GEM 0011
Revision 3
Page 34 of 39
21 Slip Trip or Fall Hazards 21.1 Oil presence on floors can lead to Grating walkway minimises the oil IV or III Occasional
slip hazard. pool potential. Normal good
housekeeping & maintenance
activity to clean any minor oil
spills.
Control room fitted with anti slip
surface.
21.2 Trip hazard upon entry through Suitable signage fitted to door. IV or III Occasional
access door
Normal maintenance areas on
Fall from roof access leads to injury roof are protected by handrail &
21.3 hooped ladders III or II Remote
22 Electrical discharge hazard 22.1 Electrocution / Electrostatic 1) Faraday cage effect of steel II Remote
(Lightning) Discharge leads to injury to enclosure
personnel or machinery 2) Protection gained from tall
exhaust (by others)
3) Machinery is grounded
23 Fire and Explosion Hazards 23.1 Release of hydrocarbons internal to Gas detection exists within the I Improbable
the package could lead to fire or ventilation ducting to detect gross (Explosion)
explosion leakage and to initiate machine
trip
II (Fire) Remote
Fire detection / suppression
system is installed
Additional Risks Covered, which are not part of the Guidelines, but should be considered during the project assessment
GEM 0011
Revision 3
Page 35 of 39
Copy the table below and append to the end of the document, adjust the numbering sequence to suit
Number Number Description measures introduced for Level
mitigation of the identified risk
24 Asphyxia 24.1 Personnel trapped in enclosure 1) Permit to Work process risk I Improbable
during CO2 extinguishant release assessment and lock out prior
to entry
2) Pre-discharge Alarm
25 Rating Plate 25.1 Lack of rating plate would not advise Rating plate is fitted II Remote
operator of machine capability
GEM 0011
Revision 3
Page 36 of 39
Table B2 Blank Generic Hazard Table (Use form GEMF0011 as an automated alternative)
1 Mechanical Hazards 1.1
- due to machine parts or work
pieces e.g.
a) Shape
b) Relative Location
c) Mass & Stability (potential
energy)
d) Mass & Velocity (kinetic energy)
e) Inadequacy of mechanical
strength
- due to accumulation of energy
inside the machinery e.g.???
f) Elastic Elements (springs)
g) Liquids & gases under pressure
h) Effect of vacuum
2 Crushing Hazard 2.1 .
3 Shearing Hazard 3.1 .
4 Cutting or Severing Hazard 4.1 .
5 Entanglement 5.1 .
Hazard
6 Drawing in or Trapping Hazard 6.1 .
7 Impact Hazard 7.1 .
8 Stabbing or Puncture Hazard 8.1 .
9 Friction or Abrasion Hazard 9.1 .
10 High Pressure Fluid Injection or 10.1 .
GEM 0011
Revision 3
Page 37 of 39
ejection hazard
11 Electrical Hazards 11.1 .
a) Contact of person with live parts
(direct contact)
b) Contact of person with parts
which have become live under
faulty conditions (indirect contact)
c) Approach to live parts under
High Voltage
d) Electrostatic phenomena
e) Thermal radiation or other
phenomena such as projection of
molten particles and chemical
effects from short circuits,
overloads, etc.
12 Thermal Hazard 12.1 .
a) Burns, scalds and other injuries
by a possible contact of persons
with objects or materials with an
extreme high or low temperature,
by flames or explosions and also
by the radiation of heat sources
b) damage to health by hot or cold
working environment
13 Noise Hazard 13.1 .
a) Hearing loss
b) Interference with
communication
GEM 0011
Revision 3
Page 38 of 39
14 Vibration Hazard 14.1 .
15 Radiation Hazard 15.1 .
16 Materials and Substances 16.1 .
Hazards
a) Contact with personnel
b) Fire or Explosion
c) Bacterial / Biological or
microbiological
17 Hazard due to lack of 17.1 .
Ergonomic design
18 Hazards due to unexpected 18.1 .
Start, Stop or Overspeed
a) Failure / disorder of control
system
b) Unexpected restoration of
supply
c) External influence on equipment
d) Gravity or Wind
e) Software error
f) Operator error
19 Impossibility of stopping the 19.1 .
machine
20 Break up during operation 20.1 .
21 Slip Trip or Fall Hazards 21.1 .
22 Electrical discharge hazard 22.1 .
(Lightning)
GEM 0011
Revision 3
Page 39 of 39
23 Fire and Explosion Hazards 23.1 .

Gem 0011

Uploaded by

Copyright:

Available Formats

You might also like

Gem 0011

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Gem 0011

Uploaded by

Copyright:

Available Formats

Global Engineering Method GEM 0011

Safety Risk Analysis in

© Rolls-Royce plc 2007

Rolls-Royce Power Engineering plc Rolls-Royce Energy Systems Inc.

This document supersedes RLN 336 and RLN 337.

CIRCULATION RESTRICTIONS - NONE

0 First Issue P Rainer HPR 07 Apr 03

1 SCOPE & INTRODUCTION..................................................................................................... 5

2 CROSS REFERENCE STANDARDS...................................................................................... 6

3.1 HAZOP .............................................................................................................................. 6

4 SAFETY RISK ASSESSMENT METHODOLOGY .................................................................. 8

5 THE HAZOP PROCESS .......................................................................................................... 8

5.1 General Introduction.......................................................................................................... 8

6 HAZOP METHODS .................................................................................................................. 12

6.1 Concept HAZOP ............................................................................................................... 12

7 HAZOP METHODOLOGY ....................................................................................................... 16

7.1 Hazard Identification ......................................................................................................... 16

9.1 Technical file ..................................................................................................................... 18

APPENDIX A: PARAMETERS ....................................................................................................... 20

APPENDIX B: PACKAGE SPECIFIC ADDITIONAL INFORMATION........................................... 25

1 SCOPE & INTRODUCTION

NOTE: This document is an Engineering Standard. No deviations are permitted to instructions

2 CROSS REFERENCE STANDARDS

2.1 ISO 14121 - Safety of Machinery – Principles for Risk Assessment

2.4 The Supply of Machinery (Safety) Regulations (1998)

2.5 ISO/DIS 21789 v1 – Gas Turbine Applications – Safety

2.9 GTER 12327 – Design for Safety - Working Practice

3.3.1 A physical property of a system such as pressure or temperature.

3.8.1 Something that has a potential to cause harm to a person (safety).

3.9 Hazard Log

3.10 Machinery Directive

3.12.1 Process and Instrumentation Diagrams: Diagrammatical representation of how equipment is

3.13.1 The combination of the likelihood and the consequence of an incident

3.14 Systems Integration

4 SAFETY RISK ASSESSMENT METHODOLOGY

5 THE HAZOP PROCESS

5.1 General Introduction

5.1.4 This technique has many advantages, including:

• A systemic, structured technique, capable of providing repeatable results

• The resulting knowledge obtained by identifying potential hazards and operability

5.2 HAZOP Planning

• Choosing Appropriate Technique

• Having pertinent design information available

• Applying HAZOP Procedure

5.3 Select Team

Table 1 Core Attendees

Table 2 Other possible people to include in the study:

Position Position Description

5.4 Choosing Appropriate HAZOP Technique

Fundamental Design Optimize Verify/validate Monitor

Hardware design Design/optimization

Concept Preliminary Detailed Final Change

Preliminary hardware Critical P&ID

New Project Full Concept Product

Figure 1 - Timing of Hazard Assessments within the Product Life Cycle

6.1 Concept HAZOP

6.1.2 Collecting Information

6.2 Preliminary HAZOP