Hazard and Risk Assessment (H&RA): The Foundation of Functional Safety


If there is one activity in the functional safety life-cycle that sets the tone for everything that follows, it is the Hazard & Risk Assessment (H&RA). Get it right and you have a solid technical foundation for your Safety Instrumented System (SIS). Get it wrong — or skip it — and every decision downstream is built on sand.

What Is a Hazard & Risk Assessment (H&RA)?

A hazard is a physical situation with the potential to cause harm. A risk is what you get when you combine two things: the probability that the hazard leads to a harmful event, and the severity of the consequences. Risk is never just one of those dimensions. A high-severity outcome with negligible probability may be entirely tolerable. A low-severity outcome that happens constantly may not be. Both dimensions must be assessed together — always.

The H&RA is the structured process of identifying hazards, evaluating the associated risks, and determining whether those risks are tolerable. It is the foundation of the functional safety life-cycle — the end-to-end engineering process defined in IEC 61511 that governs how Safety Instrumented Systems are designed, implemented, operated, and maintained. Without the H&RA, there is no technical basis for any of what follows.

A note on terminology — you will encounter several names and acronyms for this activity depending on the standard or industry context:

  • H&RA (Hazard and Risk Assessment) — the term used in IEC 61511
  • HRA and HARA — also widely used within the functional safety community; same activity, different shorthand
  • PHA (Process Hazard Analysis) — the equivalent term under the OSHA PSM regulation (29 CFR 1910.119) and the EPA RMP regulation; same concept, different regulatory language
  • Other safety disciplines — machinery safety, for example — may use different terms again

The variation is mostly regulatory and organizational preference. The underlying activity is the same.

When a Hazard and Risk Assessment Fits in the IEC 61511 Safety Life-Cycle

A hazard and risk assessment must be conducted early in the safety life-cycle — specifically under Clause 8 — before SIS design begins.

The accepted practice is to conduct the H&RA when the P&IDs (Piping and Instrumentation Diagrams) are at Rev 0 — the point at which the process design is sufficiently defined to support a meaningful hazard study, but not so advanced that changes identified during the study become costly or impractical to implement. Too early and the hazard picture is incomplete; too late and the window to influence design has closed.

A poorly timed H&RA compounds every problem that follows.

Key Steps in Conducting an H&RA

The H&RA is not a single task — it is a structured sequence of activities. The order matters.

Step 1 – Determine tolerable risk. Before you can assess whether any risk is acceptable, you need to define what “acceptable” means for your organization. This benchmark must be established first, because it governs every risk judgment that follows. (See “Determining Tolerable Risk” below for details.)

Step 2 – Define the scope and boundaries. What process units, equipment, and operating modes are included in this H&RA? Scope creep and scope gaps are both problems. A clearly documented boundary prevents both.

Step 3 – Identify hazards. What physical situations exist that have the potential to cause harm? This is where the structured identification methodology — HAZOP, What-If, or similar — is applied.

Step 4 – Identify hazardous events and demand scenarios. A hazard becomes a hazardous event when a specific initiating cause triggers it — the conditions under which a safety function would be called upon to act.

Step 5 – Assess consequences. For each hazardous event, what is the worst credible outcome? Consequences are typically assessed in terms of harm to people, environmental impact, and asset damage.

Step 6 – Assess likelihood/frequency. How often is the hazardous event expected to occur, without any protection layers in place? This is the unmitigated or inherent demand rate.

Step 7 – Identify the risk gap. With both consequence severity and likelihood established, the assessed risk can be compared against the tolerable risk criteria and the calibrated risk matrix. Where the assessed risk exceeds tolerable risk, a gap exists. That gap is the direct trigger for a SIS.

Determining Tolerable Risk — The Foundation of Step 1

Under IEC 61511, tolerable risk is the level of risk accepted in a given context based on the current values of society. It is not zero risk — every industrial process carries some inherent risk, and the goal of IEC 61511 is to ensure that risk is identified, evaluated, and reduced to a tolerable level, not eliminated entirely. The instinct to demand “no risk” is understandable but neither achievable nor the intent of the standard.

Tolerable risk criteria must be documented — a specific IEC 61511 requirement and a common gap at smaller PSM and RMP facilities. Without documented criteria, every risk judgment becomes too subjective and the study loses its technical defensibility.

A calibrated risk matrix is the standard tool for establishing and communicating tolerable risk criteria. It is a specific type of risk matrix in which the axis boundaries are anchored to actual numerical frequency and consequence values — not vague qualitative descriptors like “frequent” or “catastrophic.” Calibration reduces subjectivity as much as possible, improves consistency across the study, and makes the risk criteria defensible under regulatory or third-party scrutiny. Larger organizations and multi-site facilities often maintain multiple calibrated risk matrices — one for each consequence category or tailored to specific process units. The PEAR Model, discussed further in the Related Topics section, provides a useful framework for structuring those consequence categories.
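To make Steps 1 through 7 and the calibrated matrix concrete, here is a small Python example added to this article (it is not code from the article, from IEC 61511, or from any standard): a frequency axis anchored to numeric bands, a tolerable-frequency target per consequence category, and a risk-gap screen run over a constructed register of hazardous events. Every band boundary, target value and HE-xx event below is an assumption chosen for illustration; a real facility's calibrated matrix comes from its own documented tolerable risk criteria.

```python
"""Calibrated risk matrix and risk-gap screening for an H&RA.

Added example, not code from the article. All numeric bands, tolerable
targets and sample events are constructed assumptions for illustration.
"""
from dataclasses import dataclass
import math

# Step 1: tolerable risk criteria. Each consequence category (1 = minor ..
# 4 = catastrophic) is anchored to a maximum tolerable frequency of the
# hazardous event, in events per year. Constructed: one order of magnitude
# per severity step.
TOLERABLE_FREQUENCY_PER_YEAR = {
    1: 1e-1,   # minor injury / localized release
    2: 1e-2,   # lost-time injury / contained release
    3: 1e-3,   # single fatality / off-site impact
    4: 1e-4,   # multiple fatalities / major environmental damage
}

# Calibrated frequency axis: band label -> (lower bound, upper bound) per year.
# Numeric boundaries, not descriptors like "frequent", are what make the
# matrix "calibrated". Constructed values.
FREQUENCY_BANDS = {
    "F1 (<1e-4/yr)":      (0.0,  1e-4),
    "F2 (1e-4..1e-3/yr)": (1e-4, 1e-3),
    "F3 (1e-3..1e-2/yr)": (1e-3, 1e-2),
    "F4 (1e-2..1e-1/yr)": (1e-2, 1e-1),
    "F5 (>=1e-1/yr)":     (1e-1, math.inf),
}


def frequency_band(freq_per_year):
    """Step 6: place an unmitigated demand rate on the calibrated frequency axis."""
    for name, (lo, hi) in FREQUENCY_BANDS.items():
        if lo <= freq_per_year < hi:
            return name
    raise ValueError(f"frequency out of range: {freq_per_year}")


@dataclass
class HazardousEvent:
    """Step 4 output: a hazard plus the initiating cause that turns it into a demand."""
    tag: str
    description: str
    initiating_cause: str
    severity: int                      # Step 5: consequence category 1..4
    unmitigated_freq_per_year: float   # Step 6: demand rate with no protection layers


def risk_gap(event):
    """Step 7: compare the assessed (inherent) risk with the tolerable criterion.

    Returns the risk-reduction ratio the event needs. A value above 1 means a
    gap exists and a protection layer (possibly a SIF) is required; at or
    below 1 the risk is tolerable as assessed.
    """
    tolerable = TOLERABLE_FREQUENCY_PER_YEAR[event.severity]
    return event.unmitigated_freq_per_year / tolerable


def screen(events):
    """Run Steps 4-7 over a register of hazardous events and report each gap."""
    report = []
    for ev in events:
        ratio = risk_gap(ev)
        report.append({
            "tag": ev.tag,
            "band": frequency_band(ev.unmitigated_freq_per_year),
            "severity": ev.severity,
            "required_risk_reduction": ratio,
            "gap": ratio > 1.0,
        })
    return report


# Constructed sample register (not real plant data).
SAMPLE_EVENTS = [
    HazardousEvent("HE-01", "Reactor overpressure", "Cooling water pump trip", 4, 1e-1),
    HazardousEvent("HE-02", "Tank overflow to dike", "Level transmitter fails high", 2, 5e-2),
    HazardousEvent("HE-03", "Minor flange leak", "Gasket degradation", 1, 2e-2),
]

if __name__ == "__main__":
    for row in screen(SAMPLE_EVENTS):
        status = "GAP" if row["gap"] else "tolerable"
        print(f'{row["tag"]}: severity {row["severity"]}, {row["band"]}, '
              f'risk reduction needed {row["required_risk_reduction"]:.0f} -> {status}')
```

Run as a script it lists the three constructed events; HE-01 and HE-02 show a gap (and so become candidate SIF demands), HE-03 falls inside the tolerable region. The ratio returned by `risk_gap` is the inherent gap before any safeguard is credited, which is exactly the figure that the later SIL determination step takes as its starting point.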

The Risk Gap and the Case for a SIS

The risk gap is the difference between the unmitigated risk of a hazardous event and the tolerable risk threshold. When a gap exists — when the assessed risk exceeds what is tolerable — a protection layer is required.

Protection layers can take many forms:

When a hazard cannot be reduced to a tolerable level through other means, it requires a Safety Instrumented Function (SIF) — a specific automated safety action that brings the process to a safe state in response to a defined demand. A process will typically have multiple hazards that each require their own SIF. All of those SIFs together constitute the Safety Instrumented System (SIS) — the SIS does not exist independently of the SIFs that define it; it is the sum of them.

This is why the hazard and risk assessment is the primary input to SIS design. Without it, there is no basis for knowing which SIFs are needed or what they must do. The H&RA outputs flow directly into other life-cycle documents, such as the Safety Requirements Specification (SRS).

The Link Between H&RA and SIL Determination

Identifying that a SIF is needed is only the first step. The H&RA also supplies the information on which SIL allocation depends: the size and nature of the risk gap determine how much risk reduction each SIF must deliver.

Safety Integrity Level (SIL) is a discrete measure of the required risk reduction performance of a SIF. IEC 61511 defines three SIL levels for the process sector — SIL 1, SIL 2, and SIL 3 — each representing an order-of-magnitude increase in performance. The required SIL is determined by the size of the risk gap: the larger the gap, the higher the SIL required to close it.

Layer of Protection Analysis (LOPA) is the most widely used SIL determination methodology in the process industry. LOPA is not an H&RA methodology — it is a SIL allocation tool that operates later in the life-cycle, using the hazardous event data and demand rates produced by the H&RA as its primary inputs.
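The hand-off from H&RA output to SIL determination can be shown with a LOPA-style calculation. The Python below is an added example, not code from the article or from any LOPA tool: it credits the existing non-SIS layers against a constructed initiating-event frequency, computes both the inherent gap and the residual gap, and maps the remaining required risk reduction factor (RRF) to a SIL band. The initiating frequency, IPL PFD credits, conditional modifier and tolerable target are assumptions; the SIL bands are the IEC 61508/61511 low-demand PFDavg ranges, and treating SIL 3 as the upper bound is this example's choice.

```python
"""LOPA-style SIL determination for one SIF.

Added example, not from the article. Initiating-event frequency, IPL PFD
credits, conditional modifier and tolerable target are constructed sample
values. SIL bands follow the IEC 61508 / IEC 61511 low-demand PFDavg ranges:
SIL 1: 1e-2..1e-1, SIL 2: 1e-3..1e-2, SIL 3: 1e-4..1e-3.
"""


def mitigated_frequency(initiating_freq_per_year, ipl_pfds, conditional_modifiers=()):
    """Residual event frequency after crediting the existing (non-SIS) layers.

    f_mitigated = f_initiating * PFD_1 * ... * PFD_n * CM_1 * ... * CM_m
    Each IPL is credited by its probability of failure on demand; conditional
    modifiers (ignition probability, occupancy, ...) multiply the same way.
    """
    f = initiating_freq_per_year
    for pfd in ipl_pfds:
        if not 0.0 < pfd <= 1.0:
            raise ValueError(f"PFD must be in (0, 1]: {pfd}")
        f *= pfd
    for cm in conditional_modifiers:
        if not 0.0 < cm <= 1.0:
            raise ValueError(f"conditional modifier must be in (0, 1]: {cm}")
        f *= cm
    return f


def required_rrf(event_freq_per_year, tolerable_freq_per_year):
    """Risk reduction factor still needed to bring the event to the tolerable frequency."""
    return event_freq_per_year / tolerable_freq_per_year


def sil_target(rrf):
    """Map the remaining RRF onto the process-sector SIL bands.

    'none'    : residual risk already tolerable, no SIF required
    '<SIL 1'  : a gap remains but it is below the SIL 1 band (RRF <= 10)
    'SIL 1..3': the SIF must deliver at least this integrity level
    Raises for RRF > 10,000: this example treats SIL 3 as the upper bound
    (assumption), so a larger gap is flagged for process redesign instead.
    """
    if rrf <= 1.0:
        return "none"
    if rrf <= 10.0:
        return "<SIL 1"
    if rrf <= 100.0:
        return "SIL 1"
    if rrf <= 1_000.0:
        return "SIL 2"
    if rrf <= 10_000.0:
        return "SIL 3"
    raise ValueError(f"RRF {rrf:.0f} exceeds the SIL 3 band; reduce the hazard by other means")


def lopa(scenario):
    """Full LOPA pass for one hazardous-event scenario (a dict of inputs)."""
    f_inherent = scenario["initiating_freq_per_year"]
    f_residual = mitigated_frequency(f_inherent, scenario["ipl_pfds"],
                                     scenario.get("conditional_modifiers", ()))
    tolerable = scenario["tolerable_freq_per_year"]
    rrf = required_rrf(f_residual, tolerable)
    return {
        "inherent_rrf": required_rrf(f_inherent, tolerable),  # gap before any layer is credited
        "residual_freq_per_year": f_residual,
        "residual_rrf": rrf,                                  # gap the SIF must close
        "sil": sil_target(rrf),
        "sif_pfd_target": (1.0 / rrf) if rrf > 1.0 else None,  # PFDavg the SIF must achieve
    }


# Constructed scenario: BPCS control loop fails, leading to reactor overpressure.
SAMPLE_SCENARIO = {
    "initiating_freq_per_year": 1e-1,   # BPCS loop failure, assumed 0.1/yr
    "ipl_pfds": [0.1],                  # high-pressure alarm with operator response
    "conditional_modifiers": [0.5],     # probability the affected area is occupied
    "tolerable_freq_per_year": 1e-5,    # assumed target for a single-fatality event
}

if __name__ == "__main__":
    result = lopa(SAMPLE_SCENARIO)
    print(f"inherent gap RRF {result['inherent_rrf']:.0f}, "
          f"residual gap RRF {result['residual_rrf']:.0f} -> {result['sil']}, "
          f"SIF PFDavg target {result['sif_pdf_target']:.1e}"
          if False else
          f"inherent gap RRF {result['inherent_rrf']:.0f}, "
          f"residual gap RRF {result['residual_rrf']:.0f} -> {result['sil']}, "
          f"SIF PFDavg target {result['sif_pfd_target']:.1e}")
```

For the constructed scenario the inherent gap is an RRF of 10,000, the alarm layer and occupancy modifier bring the residual gap down to 500, and the SIF therefore lands in the SIL 2 band with a PFDavg target of 2e-3. Keeping `inherent_rrf` and `residual_rrf` as separate outputs is deliberate: it is the distinction between inherent and residual risk that the pitfalls section below warns about.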

H&RA Methodologies

IEC 61511 does not prescribe a specific H&RA methodology. The right choice depends on process complexity, the stage of design, available data, and the level of rigor required. What the standard does require is that the methodology is appropriate and applied systematically.

All H&RA methodologies fall into one of three umbrella categories:

Qualitative — judgment-based and descriptive. No numerical failure frequencies or consequence magnitudes are required. The output is a structured list of hazards, causes, consequences, and existing safeguards. Qualitative methods are the most widely used in the process industry for H&RA purposes.

Semi-quantitative — structured scoring or ranking. Numbers are used to characterize risk, but a full probabilistic analysis is not performed. The output provides more consistency and defensibility than a purely qualitative approach.

Quantitative — numerical frequency and consequence analysis with full probabilistic treatment. The output is a calculated risk value that can be compared directly against a numerical tolerable risk criterion.

Qualitative Methods

HAZID (Hazard Identification Study) is an upstream screening tool used to identify major hazards early in a project, before detailed design is available. It is typically applied at the conceptual or FEED stage and is less structured than a HAZOP. The primary reference standard is ISO 17776.

HAZOP (Hazard and Operability Study) is the dominant H&RA methodology in the process industry. It uses a systematic, guide-word-driven approach applied by a multi-disciplinary team to identify deviations from design intent and evaluate their causes and consequences. HAZOP produces a structured, auditable record that serves as the primary H&RA documentation. The governing standard is IEC 61882.

What-If Analysis is a less formal brainstorming technique useful for simpler processes, preliminary reviews, or as a supplement to a more structured study.

FMEA (Failure Mode and Effects Analysis) examines individual components to identify failure modes and their system-level effects. It is a bottom-up analysis most commonly used in equipment-focused assessments.

Semi-Quantitative Methods

Risk Graph is a structured method that uses defined parameters — consequence severity, occupancy, probability of avoiding harm, and demand rate — to assign a SIL target. It is widely used as an initial SIL targeting tool where a full LOPA is not warranted.

Quantitative Methods

Event Tree Analysis (ETA) models the sequences of events following an initiating cause, branching at each point where a safety barrier succeeds or fails. It is used to quantify outcome frequencies and is commonly paired with fault tree analysis in broader QRA work.

Quantitative Risk Analysis (QRA) is a formal methodology combining frequency analysis and consequence modeling to produce a quantified risk picture — typically expressed as individual risk contours or F-N curves. QRA draws on ETA, fault tree analysis, and dispersion analysis as inputs and is the most rigorous and resource-intensive approach.

FMEDA (Failure Mode, Effects and Diagnostic Analysis) is primarily a manufacturer and device certification tool conducted against IEC 61508. It produces quantitative failure rate data — including dangerous undetected failure rate and diagnostic coverage — that process facilities consume from equipment supplier safety manuals rather than generating themselves.

Related Topics and Tools

Bow-Tie Analysis places the top event at the center, with threat pathways on the left and consequence pathways on the right. Barriers appear on both sides. Bow-tie diagrams are effective for communicating H&RA outputs to management, regulators, and operating teams.

Fault Tree Analysis (FTA) is a top-down tool that works backward from an undesired top event to identify the combinations of failures that could cause it. FTA can be used qualitatively as a logic map or quantitatively with failure rate data. It is often paired with ETA in QRA studies.
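Because ETA (described under Quantitative Methods above) and FTA are usually paired in QRA, one added Python example, not taken from the article or from any QRA package, shows both: a fault tree evaluated top-down to a top-event probability and its minimal cut sets, and an event tree enumerated forward from an initiating frequency through barriers that either succeed or fail. The gate structure, basic-event probabilities, initiating frequency and barrier PFDs are constructed for illustration, and basic events are assumed independent.

```python
"""Fault tree and event tree evaluation for QRA work.

Added example, not from the article. Gate structure, basic-event
probabilities, initiating frequency and barrier PFDs are constructed.
Basic events are assumed independent.
"""
from itertools import product

# ---- Fault tree: top-down, working backward from the undesired top event ----
# A node is either a basic-event name (str) or a gate: ("AND", [children]) /
# ("OR", [children]). Basic events carry per-demand probabilities.


def ft_probability(node, basic):
    """Evaluate the top-event probability assuming independent basic events.

    AND: P = prod(P_i)          OR: P = 1 - prod(1 - P_i)
    (exact, not the rare-event approximation)
    """
    if isinstance(node, str):
        return basic[node]
    gate, children = node
    probs = [ft_probability(c, basic) for c in children]
    if gate == "AND":
        p = 1.0
        for x in probs:
            p *= x
        return p
    if gate == "OR":
        q = 1.0
        for x in probs:
            q *= (1.0 - x)
        return 1.0 - q
    raise ValueError(f"unknown gate {gate}")


def minimal_cut_sets(node):
    """Minimal sets of basic events that are jointly sufficient for the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        sets = [s for cs in child_sets for s in cs]
    else:  # AND: one cut set from each child, unioned
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    minimal = [s for s in sets if not any(o < s for o in sets)]  # drop supersets
    return sorted(set(minimal), key=lambda s: (len(s), sorted(s)))


# ---- Event tree: forward from an initiating event through each barrier ----


def event_tree(initiating_freq_per_year, barriers):
    """Enumerate every branch. barriers: list of (name, PFD), in demand order.

    Each barrier works with probability 1-PFD or fails with probability PFD.
    Returns {path: frequency_per_year} where path is a tuple of
    (barrier name, "ok" | "fail").
    """
    outcomes = {(): initiating_freq_per_year}
    for name, pfd in barriers:
        nxt = {}
        for path, f in outcomes.items():
            nxt[path + ((name, "ok"),)] = f * (1.0 - pfd)
            nxt[path + ((name, "fail"),)] = f * pfd
        outcomes = nxt
    return outcomes


def all_barriers_fail_frequency(initiating_freq_per_year, barriers):
    """Frequency of the worst branch: every barrier fails in sequence."""
    f = initiating_freq_per_year
    for _, pfd in barriers:
        f *= pfd
    return f


# Constructed data: loss of reactor cooling occurs if both pumps fail or the
# cooling-water supply is lost.
COOLING_LOSS_TREE = ("OR", [("AND", ["PUMP_A_FAIL", "PUMP_B_FAIL"]), "CW_SUPPLY_LOSS"])
BASIC_EVENT_PROBS = {"PUMP_A_FAIL": 0.05, "PUMP_B_FAIL": 0.05, "CW_SUPPLY_LOSS": 0.01}

# Constructed event tree: loss of cooling at 0.1/yr, then two barriers in order.
INITIATING_FREQ = 0.1
SAMPLE_BARRIERS = [("high-temperature alarm + operator response", 0.1),
                   ("pressure relief valve", 0.01)]

if __name__ == "__main__":
    print("P(top event) =", ft_probability(COOLING_LOSS_TREE, BASIC_EVENT_PROBS))
    print("minimal cut sets:", [sorted(s) for s in minimal_cut_sets(COOLING_LOSS_TREE)])
    for path, f in event_tree(INITIATING_FREQ, SAMPLE_BARRIERS).items():
        print(" -> ".join(f"{n}:{r}" for n, r in path), f"{f:.2e}/yr")
```

The fault tree gives a top-event probability of 0.012475 with two minimal cut sets, `{CW_SUPPLY_LOSS}` alone and `{PUMP_A_FAIL, PUMP_B_FAIL}` together; the single-event cut set is the one a reviewer would look at first. The event tree's four branches sum back to the initiating frequency, and the all-fail branch (1e-4/yr here) is the outcome frequency that gets compared against the tolerable criterion.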

Dispersion Analysis models the physical spread of a hazardous material release — gas cloud, toxic plume, or flammable vapor — to quantify the geographic extent and frequency of harm. It is a quantitative calculation that supports consequence assessment and is an essential input to QRA at facilities handling hazardous materials.

The PEAR Model structures consequence assessment around four dimensions: People, Environment, Assets, and Reputation. It is particularly relevant where tolerable risk criteria extend beyond personnel safety — and in practice, many facilities maintain a separate calibrated risk matrix for each PEAR dimension.

Hazardous Area Classification is a discipline that should be completed prior to the H&RA. The already-established hazardous areas (or zones) can serve as an independent protection layer and may be credited as such during the risk assessment process.

Security Risk Assessment (SRA) is a parallel requirement under IEC 61511 Clause 8 — the same clause that governs the H&RA. Where the H&RA addresses process hazards, the SRA addresses intentional threats and cybersecurity vulnerabilities to the SIS. Both are required to meet full Clause 8 obligations.

Common Mistakes and Pitfalls

Timing it wrong. Too early and the hazard picture is incomplete; too late and design changes to address identified hazards may already be impractical. The H&RA should be conducted when the P&IDs are at Rev 0.

No documented tolerable risk criteria. Without a defined, documented calibrated risk matrix, every risk judgment in the study is a personal opinion — and the study cannot be defended or verified by a third party.

Poorly defined hazardous events. Vague events produce incorrect consequence and frequency assessments, which produce incorrect risk gap calculations. Each hazardous event needs a defined initiating cause, affected equipment, and demand scenario.

Ignoring human factors and demand rates. Human error is a significant source of SIF demand. Underestimating it produces an overly optimistic risk picture and may result in incorrect SIL targets.

Treating the H&RA as a one-time exercise. The H&RA is a living document. When the process changes, it must be reviewed and updated.

Confusing inherent risk with residual risk. Inherent risk is assessed before protection layers. Residual risk is what remains after. Conflating the two leads to incorrect safeguard crediting and inaccurate risk gap calculations.

Keeping Your Hazard and Risk Assessment Current (Management of Change)

IEC 61511 is explicit: the H&RA must be reviewed whenever changes occur that could affect its validity. Triggers include process modifications, near misses, new or modified equipment, regulatory updates, and periodic revalidation obligations under the safety life-cycle. A formal Management of Change (MOC) process that flags these triggers is the most reliable way to keep the H&RA aligned with the actual process.

Frequently Asked Questions

Q1: I keep hearing different terms — PHA, HARA, HRA, H&RA. Are these all the same thing?

H&RA, HRA, and HARA all refer to the same IEC 61511 activity. Process Hazard Analysis (PHA) is the equivalent term under the OSHA PSM and EPA RMP regulations — different regulatory language, same concept. Other safety disciplines, such as machinery safety, may use different terms again — it can be a bit confusing.

Q2: I’ve heard that LOPA and HAZOP are often done together in the same study. Is that correct, and if so, how does that work?

Yes — many organizations run HAZOP and LOPA back-to-back in the same workshop series for efficiency, completing the HAZOP for each node before immediately running the LOPA on the identified scenarios. They remain technically distinct activities: HAZOP is the H&RA, LOPA is SIL determination — combining the workshops is a logistical choice, not a technical one.

Q3: Is HAZOP the standard way to conduct an H&RA in the process industry?

In practice, yes — HAZOP is the de facto H&RA methodology for most process facilities operating under IEC 61511, ISA 84, PSM, and RMP. That said, IEC 61511 does not mandate it; other methodologies such as What-If or QRA are appropriate depending on the project stage and complexity.

Q4: Does IEC 61511 require a specific H&RA methodology?

No — IEC 61511 requires that an appropriate methodology is applied systematically, but does not mandate a specific one. HAZOP is the most common choice in the process sector, but What-If and other approaches are all valid depending on the context.

Q5: What is the difference between inherent risk and residual risk?

Inherent risk is the risk before any protection layers are applied. Residual risk is what remains after all protection layers — including the SIS — have been credited.

Q6: Who should be involved in conducting an H&RA?

An H&RA is a multi-disciplinary team activity requiring input from process, operations, instrumentation, and safety disciplines at a minimum. These workshops can be multi-day affairs, and painful ones, particularly when LOPA is run back-to-back with the HAZOP. IEC 61511 requires that at least one team member holds functional safety competence; in practice this role is often referred to as the Team Leader or HAZOP Leader.

Q7: How often does an H&RA need to be revalidated?

IEC 61511 requires H&RA review whenever changes occur that could affect its validity — process modifications, near misses, new equipment, or regulatory changes. Periodic revalidation is also required as part of the broader safety life-cycle review obligations.

Conclusion

A hazard and risk assessment is not a compliance checkbox. It is the technical foundation on which every downstream SIS decision is built — from SIF definition to SIL determination to verification. A well-conducted H&RA, performed at the appropriate time, gives you a defensible, documented basis for your safety case. A poor one — or one conducted too early or too late — leaves your entire SIS design without a credible technical basis.

For facilities operating under IEC 61511, PSM, or RMP, the message is straightforward: invest in getting the H&RA right, time it correctly, and make sure it is conducted by people who understand both the process and the standard.

Functional safety is complex, and the stakes are high. If you have questions about your SIS design, SIL verification, or where to start with IEC 61511, the team at SIL Safe is here to help. Reach out to us today.
