HAZID vs What-If vs LOPA: Which Fits Process Risk

Process hazard reviews fail most often when the method is chosen by habit, not by decision need. This comparison shows when HAZID, What-If and LOPA fit process risk, where each method becomes weak, and how an EHS manager can turn the choice into executive governance rather than another workshop.

1. Why does method choice change the quality of process risk decisions?

Method choice changes process risk decisions because each technique answers a different management question. HAZID asks what credible hazards exist, What-If asks how deviations could unfold, and LOPA asks whether independent protection layers reduce scenario risk enough for a defined tolerance. ISO describes risk management in ISO 31000:2018 as a process for managing risk that can be adapted to any organization, which means the method must fit the decision rather than the other way around.

Across 25+ years leading EHS at multinationals, Andreza Araujo has seen that organizations often overvalue the meeting format and undervalue the decision that follows it. A polished worksheet may still leave the plant blind if the selected method cannot distinguish between a low-consequence nuisance, a credible serious injury or fatality scenario, and a low-frequency catastrophic release.

The practical test is simple enough for a steering committee: define the decision first. If the decision is whether a project has missed major hazards, start broad. If the decision is whether existing safeguards are independent and strong enough, go deeper. If the decision is whether a field team needs a next-shift control, connect the review to dynamic risk assessment rather than forcing a full process study into a frontline routine.

2. Evaluation criteria for choosing HAZID, What-If or LOPA

The best comparison uses 6 criteria: life-cycle timing, scenario depth, data requirement, barrier independence, workshop speed, and executive defensibility. HSE explains that employers must make a suitable and sufficient risk assessment through its risk assessment guidance, and that word "sufficient" matters because a method can be too shallow for a major hazard or too heavy for an early screening decision.

The first criterion is timing. HAZID is stronger early, before design decisions harden. What-If is useful when people know the operation well enough to challenge deviations. LOPA belongs after the team has a defined scenario, initiating event, consequence, and candidate protection layers whose independence can be tested.

The second criterion is governance weight. If the output will decide capital expenditure, shutdown, redesign, or tolerance of residual risk, the method needs visible criteria and decision rights. A useful companion is a risk criteria workshop, because the best process study still weakens when leaders have not agreed what risk level forces escalation.

3. HAZID: when should leaders use it?

HAZID fits early-stage process risk because it scans hazards before the organization has enough detail for quantified or semi-quantified analysis. In a 30%, 60% or pre-FEED design review, HAZID can expose energy sources, hazardous materials, interfaces, simultaneous operations and external threats before they become expensive design locks.

As Andreza Araujo argues in Safety Culture: From Theory to Practice, culture is visible in the decisions made before pressure arrives. That principle applies to HAZID because the method protects optionality. It gives leaders a chance to remove or reduce hazards while design, procurement, layout and staffing are still flexible.

The trap is treating HAZID as a final proof of control. HAZID can identify a toxic release scenario, but it usually will not prove whether a gas detector, alarm, operator response, isolation valve and emergency ventilation are independent enough to carry the risk. When the team needs that level of evidence, HAZID should hand the scenario to LOPA or another barrier-strength review.

4. What-If: when does a structured challenge work better?

What-If works best when the team has enough operational knowledge to challenge deviations without needing the full structure of a node-by-node process hazard analysis. OSHA describes process hazard analysis as a thorough, orderly, systematic approach for identifying, evaluating and controlling hazards in covered chemical processes through its process safety management hazard guidance, and What-If can serve that purpose when complexity is moderate and the team is disciplined.

The strength of What-If is speed with realism. A supervisor, process engineer, maintenance lead and EHS manager can test questions such as what if the transfer pump deadheads, what if nitrogen is connected to the wrong header, what if a bypass remains open after maintenance, or what if the truck arrives during a shift handover.

The weakness appears when the session becomes a brainstorming meeting with no scenario discipline. If every question has the same risk rating, if safeguards are listed without ownership, or if human response is credited without time, training and alarm evidence, the worksheet becomes a comfort document. That is where the broader discipline of FMEA risk assessment blind spots helps leaders challenge whether the analysis is finding failure modes or merely naming controls.

5. LOPA: when is protection-layer evidence necessary?

LOPA fits when leaders must test whether independent protection layers are strong enough for a defined scenario. It is not a general hazard-finding workshop. It is a scenario-based method that asks whether the initiating event frequency, consequence severity and credited layers reduce risk to a level the organization can defend.

In Sorte ou Capacidade, glossed for English readers as Luck or Capability, Andreza Araujo argues that relying on luck does not survive over the medium and long term. LOPA operationalizes that warning because it refuses to count a safeguard just because it appears in a procedure. A protection layer must be independent, specific, auditable and capable of interrupting the scenario.

LOPA becomes dangerous when organizations use it to justify what they already wanted to accept. If a team credits an operator response without proving alarm clarity, available time, staffing and authority to stop production, the method becomes mathematics wrapped around wishful thinking. 4 tests should be visible for every credited layer: independence, effectiveness, auditability and restoration when weak.

6. Decision matrix: how do the 3 methods compare?

The decision matrix should compare the methods against the decision, not against prestige. HAZID scores highest for early hazard discovery, What-If scores highest for fast operational challenge, and LOPA scores highest for barrier sufficiency when a serious scenario needs defensible evidence.

The matrix also clarifies why the methods should not compete for every problem. A 2-hour HAZID can identify that a new tank farm introduces incompatible chemicals, but it cannot prove final layer strength. A 90-minute What-If can expose a handover weakness, but it may not satisfy a board-level question about a high-consequence release. A LOPA can defend a protection-layer decision, although it wastes time if the team has not yet agreed which scenario matters.

7. Which method fits each process risk context?

HAZID fits early uncertainty, What-If fits operational challenge, and LOPA fits serious scenario governance. The International Labour Organization states that occupational safety and health aims to prevent occupational accidents and diseases through risk elimination or reduction where reasonably practicable in its OSH overview, which gives leaders the broader management duty behind the method choice.

Use HAZID for a greenfield project, layout change, new chemical route, acquisition due diligence, or major contractor interface before the site has committed to final design. Use What-If for procedural changes, transfer operations, abnormal operating modes, startup and shutdown questions, or maintenance interfaces where experienced operators can challenge deviations quickly. Use LOPA for high-consequence scenarios where leaders need evidence that layers are independent enough to support residual-risk acceptance.

During the PepsiCo South America tenure, where the accident ratio fell 50% in 6 months, Andreza Araujo learned that methods only matter when they change leadership cadence. For process risk, that means every selected method needs a named owner, due date, escalation rule and verification rhythm rather than a static report stored after the workshop.

8. How should executives combine HAZID, What-If and LOPA?

Executives should combine the 3 methods as a funnel: HAZID screens broad hazards, What-If challenges credible deviations, and LOPA tests the few scenarios whose consequence and uncertainty require protection-layer evidence. HSE explains ALARP as weighing risk against the trouble, time and money needed to control it in its legal requirements guidance, and that logic depends on knowing which analysis is strong enough for the decision.

The governance flow should be visible in 4 steps. First, screen the change or operation with HAZID when the hazard set is still unclear. Second, apply What-If to the selected operations where deviations, interfaces and human response need challenge. Third, send high-consequence or disputed scenarios to LOPA. Fourth, connect the residual-risk decision to ALARP, SFAIRP or risk appetite language so executives know what they are accepting.

Each month without this funnel leaves process-risk decisions vulnerable to method shopping, where teams pick the fastest worksheet for the hardest scenario and executives inherit exposure they never saw clearly.

9. What traps make the comparison fail?

The comparison fails when the organization treats methods as interchangeable, credits weak controls as strong layers, or allows workshop closure to replace field verification. These 3 traps explain why process risk can look governed on paper while real exposure remains active in maintenance, startup, shutdown or abnormal operations.

The first trap is using HAZID as proof. The second is letting What-If become loose brainstorming. The third is allowing LOPA to count dependent safeguards, especially when alarms, operators and procedures all depend on the same staffing level, same control room load or same management-of-change weakness. For operational change, the method choice also needs connection to MOC, PTW and PSSR controls, because analysis without change control rarely survives contact with the field.

A stronger executive rule is to ask 5 questions before approving the study output: which decision did this method support, which scenarios remain above tolerance, which controls are independent, which actions require capital or shutdown authority, and which verification evidence will be reviewed in 30, 60 and 90 days?

10. Recommendation for EHS managers and executives

Use HAZID to discover, What-If to challenge, and LOPA to defend. That sequence prevents a common process-safety error in which the organization asks a screening method to carry an executive risk-acceptance decision or asks a detailed layer method to solve an early design question that still needs hazard imagination.

Andreza Araujo's work in more than 250 cultural transformation projects points to the same management pattern: tools improve safety only when leaders use them to change decisions. In process risk, the strongest decision is not the prettiest matrix. It is the visible choice to redesign, strengthen a layer, escalate residual risk, or stop accepting a scenario that the evidence no longer supports.

90 days is enough to test whether the funnel is working: review 5 recent studies, classify each by method, verify whether the selected method matched the decision, and check whether high-consequence actions reached the right authority. If that review shows method drift, the next executive safety review should reset the process-risk standard before another major change enters the site.

Andreza Araujo helps executive teams connect risk methods, safety culture and leadership cadence so that process risk is not only analyzed, but governed with discipline. Request a safety culture and risk governance diagnostic.