GS EP SAF 041 - TECHNOLOGICAL RISK ASSESSMENT … · GS EP SAF 041 Technological risk assessment ... Technological risk assessment ... utilized for risk based design. A deviation

Exploration & Production

This document is the property of Total. It must not be stored, reproduced or disclosed to others without written authorisation from the Company.

GENERAL SPECIFICATION

SAFETY

GS EP SAF 041

Technological risk assessment methodology

01 01/2011 Simplification / clarifications

00 10/2008 First issue - replaces GS EP EXP 401

Rev. Date Notes

Owner: EP/HSE Managing entity: EP/HSE


General Specification Date: 01/2011

GS EP SAF 041 Rev: 01


Page 2/115

Contents

1. Scope ....................................................................................................................... 6 1.1 General Principles ............................................................................................................. 6

2. Reference documents ............................................................................................. 7

3. Terminology and definitions .................................................................................. 9 3.1 Definitions .......................................................................................................................... 9

3.2 Abbreviations ................................................................................................................... 13

4. Technological risk assessment ........................................................................... 14 4.1 Five Steps of Risk Management ...................................................................................... 16

4.2 Two Parallel Methods for Risk Analysis ........................................................................... 16

4.3 Life Cycle Risk Assessment ............................................................................................ 17

4.4 Scope of Work of Risk Assessment ................................................................................. 17

4.5 Scenario Definition ........................................................................................................... 20

4.6 Typical Upstream Scenarios ............................................................................................ 21

5. Hazard identification (HAZID) ............................................................................... 28 5.1 Objectives ........................................................................................................................ 28

5.2 Methods ........................................................................................................................... 28

6. Preliminary risk assessment ................................................................................ 29 6.1 Objectives ........................................................................................................................ 29

6.2 Methods for Preliminary Risk Assessment ...................................................................... 30

6.3 Scenario development ..................................................................................................... 33

6.4 Frequency of Central Critical Event ................................................................................. 35

6.5 Consequence Estimation ................................................................................................. 35

6.6 Frequency of Hazard Outcome ........................................................................................ 35

6.7 Damage Severity and frequency ..................................................................................... 36

6.8 Reporting ......................................................................................................................... 36

6.9 Preliminary Risk Assessment Validation Workshop ........................................................ 37

7. Risk management sheets ..................................................................................... 38 7.1 Objectives ........................................................................................................................ 38

7.2 Preparation of RMS Method ............................................................................................ 38





Page 3/115

7.3 Review of Frequencies and Consequences .................................................................... 39

7.4 Format of Risk Management Sheets ............................................................................... 39

7.5 RMS Reporting ................................................................................................................ 40

7.6 Reporting and treatment of the other types of scenarios ................................................. 41

8. Detailed risk analysis of scenarios ...................................................................... 42 8.1 Objectives ........................................................................................................................ 43

8.2 Review of Scenario .......................................................................................................... 46

8.3 Frequency Analysis ......................................................................................................... 46

8.4 Detailed Consequence Analysis ...................................................................................... 48

8.5 Escalation Potential ......................................................................................................... 48

8.6 Sensitivity Studies ............................................................................................................ 49

8.7 Probabilistic Estimation of Damage Category and Frequency ........................................ 49

8.8 Risk Reduction Workshop ............................................................................................... 51

8.9 Updating of Detailed Risk Analysis .................................................................................. 51

8.10 Reporting ......................................................................................................................... 51

9. Quantitative Risk Analysis (QRA) ........................................................................ 52 9.1 Objectives ........................................................................................................................ 52

9.2 Preparation ...................................................................................................................... 54

9.3 List of Hazardous Events ................................................................................................. 54

9.4 Frequency Analysis ......................................................................................................... 55

9.5 Consequence Analysis .................................................................................................... 55

9.6 Impact Analysis ................................................................................................................ 55

9.7 Escalation Potential ......................................................................................................... 56

9.8 Sensitivity Studies ............................................................................................................ 56

9.9 Risk Presentation ............................................................................................................. 56


9.11 Updating of QRA .............................................................................................................. 57

9.12 Reporting ......................................................................................................................... 57

10. Sensitivity analysis ............................................................................................... 58 10.1 Objectives ........................................................................................................................ 58

10.2 Defining Sensitivity Cases ............................................................................................... 58

10.3 Presentation of Sensitivity Analysis ................................................................................. 59





Page 4/115

11. Risk evaluation ...................................................................................................... 59 11.1 Objectives ........................................................................................................................ 59

11.2 Evaluation Principles ....................................................................................................... 59

11.3 Scenario Risk Evaluation ................................................................................................. 60

11.4 Quantitative Risk Evaluation ............................................................................................ 61

12. ALARP demonstration .......................................................................................... 63 12.1 Objectives ........................................................................................................................ 63

12.2 Targets for ALARP Demonstration .................................................................................. 65


12.4 Qualitative Evaluation of Risk Reduction Measures ........................................................ 68

12.5 Quantitative Evaluation of Risk Reduction Measures ...................................................... 69

12.6 Cost Benefit Analysis ....................................................................................................... 69

12.7 Reporting and ALARP Decision Tables ........................................................................... 73

13. Major risk register ................................................................................................. 74 13.1 Objectives ........................................................................................................................ 74

13.2 Safety Critical Measures .................................................................................................. 74

13.3 Reporting ......................................................................................................................... 77

14. Audit and peer reviews ......................................................................................... 77 14.1 Objectives ........................................................................................................................ 77

14.2 Reporting Requirements .................................................................................................. 78

14.3 Audits ............................................................................................................................... 79

14.4 Peer Reviews ................................................................................................................... 79

14.5 Terms of References of Reviews ..................................................................................... 80

14.6 Close out Audit and Peer Review Recommendations ..................................................... 80

Appendix 1 TRA Generic Scope of Work ................................................................ 81 1. Phase 1 PRA - Generic Scope of Work ........................................................................... 81

2. Phase 2 DRA - Generic Scope of Work ........................................................................... 82

3. Phase 3 – Alarp demonstration using Cost Benefit Analysis and Major Risk Register setting up Generic Scope of Work ................................................................................... 84

Appendix 2 Hazard Identification (HAZID) .............................................................. 85 1. HAZID Checklist .............................................................................................................. 85





Page 5/115

2. Hazard Identification Scheme .......................................................................................... 88

3. Development Phases ....................................................................................................... 89

4. HAZID Leader and Team ................................................................................................. 90

5. Reporting ......................................................................................................................... 91

6. Follow-up of HAZID Recommendations .......................................................................... 91

Appendix 3 Isolatable Sections and Hazardous Inventory ................................... 92

Appendix 4 HAZID Worksheet ................................................................................. 94

Appendix 5 Critical Events Register ....................................................................... 96

Appendix 6 Severity and Frequency Categories ................................................... 98 1. Damage Frequency Categories ....................................................................................... 98

Appendix 7 Hazard Intensity Thresholds ............................................................. 102 1. Thresholds for Injury ...................................................................................................... 102

2. Hazard Intensity Thresholds for Environment ................................................................ 104

3. Hazard Intensity Thresholds for Asset Damage ............................................................ 105

Appendix 8 FACILITATING TOOLS FOR PRA ...................................................... 106

Appendix 9 Assumptions Register ....................................................................... 107

Appendix 10 Risk Management Sheets ................................................................. 110





Page 6/115

1. Scope The purpose of this general specification is to define methodology for performing technological risk assessment of onshore and offshore oil and gas upstream facilities.

The objectives of this specification are to enable setting scope of work for a technological risk assessment study, to provide essential information performing scenario based risk assessment and QRA studies and to interpret results of risk assessment studies.

• Basic Engineering Phase

• Detailed Design Phase

• Operation Phase

• Decommissioning Phase.

This specification does not cover the exploration phase and construction phase, as indicated in Table 1.

Table 1 - Applicability of GS EP SAF 041 Addressed in GS EP SAF 041 Not Addressed in GS EP SAF 041

Exploitation phase

• Risk associated with accidental loss of containment

• Risk associated with structural damage or stability impairment

• Risk associated with natural hazards

• Risk associated with Transportation risks (boat, helicopter…) QRA approach

Exploration Phase

• Geological and Seismic campaign

Occupational risks (Note 1)

• Trips, slips, falls

• Driving

• Routine lifting or transfer

• Short-term exposure to chemicals

• Long term exposure to chemicals Construction risks (outside operating plant limits)

Note 1: When Individual risk is the criterion (QRA); occupational risks should be taken into account to estimate the overall level of individual risk for risk evaluation.

1.1 General Principles The following are the main principles for applying this General Specification:

1. This specification is aimed at risk analysis specialists and safety engineers who are directly involved in risk assessment of upstream oil and gas facilities.

2. Detailed risk analysis estimates potential loss of life (PLL) associated with an event or during life of a facility. These numerical estimates of risks are based on historical statistics on failures which represent an average quality of safety management. These numerical values shall not be interpreted as unavoidable or absolute value of loss. Instead, these numerical values should be used to characterize potential accidents and thereby





Page 7/115

developing risk reduction measures to prevent them, if not, minimize the likelihood and severity.

3. Company technological risk acceptance criteria discussed in this specification shall be considered as minimum requirements compared to respective local laws and regulations. Compliance with local or national regulatory requirements on risk acceptance criteria shall be considered as the primary requirement.

4. Scope of work shall be explicitly defined prior to commencement of any risk assessment programme identifying the boundaries, activities, methodology, risk acceptance criteria and validation method.

5. Quantitative Risk Analysis (QRA) and detailed risk analysis of scenarios give an impression of objective analysis. But these methods utilize a number of assumptions, input data which are often judgmental. These judgments may be explicit where areas in which data are reliable and where assumptions are realistic while there are also many implicit judgments where data are not directly available. Overlooking the significance of such assumptions and input data may lead to inaccurate estimation of risk.

6. The quality of modeling and input data will affect the robustness of numerical risk estimates. Therefore, uncertainties associated with risk results shall always be considered in the risk management process.

7. Technological Risk Assessment shall not be used in support of designs which are not in compliance with Total specifications Design of E&P oil and gas facilities is foremost based upon Total E&P‘s referential. This specification is not aimed at being utilized for risk based design. A deviation from Total E&P’s referential shall be adequately justified in a derogation request even before referring to any risk assessment study given as a support.

2. Reference documents The reference documents listed below form an integral part of this General Specification. Unless otherwise stipulated, the applicable version of these documents, including relevant appendices and supplements, is the latest revision published at the EFFECTIVE DATE of the CONTRACT.

Standards

Reference Title

ISO 17776 Petroleum and natural gas industries – Offshore production installations – Guidelines on tools and techniques for hazard identification and risk assessment





Page 8/115

Professional Documents

Reference Title

Report N° 434-12 Risk Assessment Data Directory - Occupational risk, OGP, March 2010

Ministère de l’Ecologie et du Développement Durable, version Octobre 2004

Guide technique relatif aux valeurs de référence de seuils d’effets des phénomènes accidentels des installations classées

SPC/Tech/OSD/30 Indicative Human Vulnerability to the Hazardous Agents Present Offshore for Application in Risk Assessment of Major Accidents, Health and safety Executive, United Kingdom, version # 2, 2010/10/01

ISBN: 0-7506-7555-1 Lee’s Loss Prevention in the Process Industries

CPR 16E Methods for the determination of possible damage (“Green Book”), first edition, TNO, Apeldoorn, 1992

Regulations

Reference Title

ISBN: 0105437743NT

Health and Safety at Work etc Act 1974 (Elisabeth II 1974 Chapter 37)

ISBN: 0717621510 Reducing Risks, Protecting People, HSE’s decision –making process, Health and Safety Executive, United Kingdom, 2001

Codes

Reference Title

Not applicable

Other documents

Reference Title

Not applicable

Total General Specifications

Reference Title

GS EP SAF 253 Impacted area, restricted area and fire zones





Page 9/115

3. Terminology and definitions There are three types of statements in this specification, the “shall”,”should” and “may” statements. They shall be understood as follows:

Shall shall be understood as mandatory. Deviating from a “shall” statement requires derogation approved by the Company.

Should shall be understood as strongly recommended to comply with the requirements of the specification. Alternatives shall provide a similar level of protection and this shall be documented.

May Is used where alternatives are equally acceptable. The specific terms and abbreviations used in this specification are presented below.

3.1 Definitions

Acceptance criteria Criteria that are used to express a risk level that is considered acceptable for the activity in question (risk associated with a scenario, IRPA etc.)

Accident event Event or chain of events that may cause loss of life, health, or damage to environment or assets.

ALARP “As Low As Reasonably Practicable” A risk reduced to levels such that further risk reduction measures would be so disproportionate that it would be objectively unreasonable to implement them.

Barriers Equipment, system or set of procedures (either hardware, software or organizational) which lowers the probability of hazard occurrence (prevention), or the severity level of the consequence (mitigation, reduction of the vulnerability of the object).

Blow down Depressurization of process system.

Bow-tie Bow-tie diagram is a representation of all the initiators and various consequences or event outcomes. At the centre of the diagram is the central critical event, to the left is what could cause the central critical event to occur from initiating events (including threats and preventative barriers) and the right contains potential consequences and mitigation barriers.

Central Critical event Central Critical Event is same as Central Hazardous Event. Generic event conventionally defined within the framework of a risk analysis, as the centre of the accidental sequence. Generally it is about loss of containment. The events located upstream are called initiating events or intermediate events which are part of the fault tree while events located downstream the central critical event are part of the event tree.

Coastal area or fragile area

The area from the coastline extending up to 22 km (12 nautical miles) offshore. Or Fragile system area: areas where there are sensitive ecological receptors for example but not limitative freshwater source, ponds, rivers, threatened species, state





Page 10/115

protected areas, etc.

Company Referred to TOTAL Exploration & Production or its affiliate.

Contractor Any person or an organization who is directly involved in execution of prescribed work under a contract with the reporting to Company or Company representative.

Escalation Spread of the impact of a hazardous event to equipment or other areas, thereby causing an increase in the consequence of the event.

Event tree analysis Utilizes a graphical tree construction that shows the logical sequence of the occurrence of events in, or states of, a system following a central critical event. Events tree helps to quantify the frequencies of various hazard outcomes (thermal, explosion overpressure, toxic, missiles, structural stability etc.) from the frequency of central critical event.

FN (Curve) Curve of "cumulative Frequency per year to have more than N fatalities". Similar concepts are utilized for Cost (F-C Curves), Spill (F-S Curves) and asset damage (F-D Curves).

Frequency In risk analysis, frequency refers to the probable number of occurrences of an event or which have occurred of a state for finite period (number of occurrences per annum or million hours).

Hazard The potential to cause harm, including ill health or injury; damage to property, plant products or the environment; production losses or increased liabilities.

Hazard outcome This term describes the characteristics of the physical effects; chemical etc. associated a hazard concerned. Examples are thermal radiation, toxic concentration, overpressure, missiles, pollution, structural impairment, etc.

HAZID Hazard Identification study: Set of methods to identify the potential hazards and mitigation measures of an installation.

IDLH Immediately Dangerous to Life and Health. Maximum concentration during which an individual can be exposed at least 30 minutes without experiencing irreversible effect to health.

Individual Risk Per Annum

Individual Risk per Annum (IRPA) is defined as the frequency at which an individual may be expected to sustain lethal levels of harm from the realization of specified hazards. It is usually taken to be the risk of death, and expressed as a risk per year.

Isolatable Section Part of the process facility which may be isolated by the ESD system. A scenario is related to a given isolatable section with a given hydrocarbon inventory and a given leak frequency related to the number and types of equipments pertaining to the isolatable section.

Jet Fire The combustion of material emerging from an orifice with a significant momentum.





Page 11/115

Leak (release) Accidental escape to environment of liquid and / or gaseous components of process (or used in the process) which are normally contained in a process system.

LCx(y) Lethal Concentration (LCx): Atmospheric concentration which, for a specified duration of exposure, will cause the death of x% of an exposed population after y minutes. e. g. LC1% (30) means 1% fatality after a 30-minute exposure.

LC1% The lethal effect threshold corresponds to the value below which one does not observe more than 1% of deaths among the exposed population.

Major risk The risks associated with scenarios having potential damage severity of “catastrophic” or above to people, environment or asset.

Major scenarios The scenarios with potential damage severity of “catastrophic” or above to people, environment or asset.

Mitigation Reduction of the effects of a hazardous event. Means taken to minimize the consequences of a major accident to personnel and the installation after the accident has occurred.

Off Shore (Environment Severity)

Further than 22 km (12 nautical miles) of coastal shores.

Parts Count The counting of any piece of equipment pertaining to a given isolatable section. This task is handled in order to calculate a generic leak frequency value for generic (corrosion, erosion..) types of cause.

Pool fire Combustion of flammable liquid spilled and retained on a surface.

Potential loss of life A probable number of fatalities resulting from the realization of hazards for a finite period. The PLL is an indicator to be utilized as a theoretical tool for risk comparison purposes only with the objective of reducing risk to ALARP. The PLL in itself is not an absolute indicator of the level of risk to the people. In the QRA, PLL represents an aggregate probable fatalities resulting from all scenarios. A partial PLL can be calculated for a given scenario or a set scenarios in a scenario based risk analysis approach.

Probability A number in a scale from 0 to 1 which expresses the likelihood that one event will succeed another.

Probit The probit function is another name for the inverse of the cumulative Gaussian distribution, in risk assessment it is used for calculating probability of death of a person at a given exposure.

Public Human beings, installations or organizations who are outside the installation's fence and who are not commissioned by company to conduct a work approved by them.





Page 12/115

Quantitative Risk Analysis (QRA)

QRA is a mathematical means of estimating numerical risk from a particular hazardous activity. It involves making numerical estimates of hazard outcome in terms of frequencies and consequences, and aggregating them into overall measure of individual or group risks.

Register of Assumptions

An essential deliverable of any Risk Assessment study which shall trace out and document any major assumption or specific methodology or origin of data which might impact the results of the study.

Reliability Probability that an item is able to perform a required function under stated conditions for a stated period of time or for a stated demand.

Risk Two-dimensional entity characterizing an unwanted event by its likelihood of occurrence and the extent of consequences arising from the occurrence of this event.

Risk analysis Quantification of the level of risk of an installation according to a given methodology.

Risk Assessment Overall process of risk analysis and risk evaluation.

Risk evaluation Judgment, on the basis of risk analysis, of whether a risk is tolerable

Risk Management Continuous process during the life cycle of an installation, which include risk assessment of each phase of the life cycle (the process reviewed periodically during operation phase).

Risk matrix A matrix depicting risks with increasing severity levels in rows and likelihood in columns.

Risk Reduction Measure

Action or measure taken as new barrier to lessen the frequency, negative consequences, or both, associated with a risk.

Safety Critical Measure A measure comprises any item of equipment or procedure whose failure would immediately result in a major event with consequence category catastrophic or above, posing a risk of serious injury, death or an unacceptable contamination of the environment or damage to asset.

Scenario Sequence of events leading to an accident. A scenario is defined based on a set of data and assumptions relating to the initiating event, intermediate event, prevention barriers, central critical event, mitigation barriers, hazard outcome, protection barriers, vulnerability sequence .

Technological risk Risks associated with the use or processing of toxic, flammable and/or explosive substances.

Tolerable risk Risk which is accepted in a given context based on the risk acceptance criteria.

Validation Comparison of analytical results from the calculations with experience derived from reviewing results of large number of cases to ensure that the physical bases and assumptions of the model are appropriate and produce accurate results.





Page 13/115

Vulnerability Susceptibility of a target (human beings generally) when subjected to a given type of effect. The vulnerability models make it possible to evaluate the gravity of damage to human, asset, environment associated with intensity of effects (for example: thermal, explosion overpressure, toxic, missiles, structural stability etc.).

3.2 Abbreviations

ALARP As low as reasonably practicable

BLEVE Boiling Liquid Expanding Vapor Explosion

CFD Computational Fluids Dynamics

CHARAD Collection of Hazard and Reliability Data (Company’s internal database)

EERA Escape, Evacuation and Rescue Assessment

EFFECTS® Modeling software for the effects and consequences of accidental release of hazardous substances developed by TNO.

ESD Emergency Shut-Down

FERA Fire and Explosion Risk Analysis

FMEA Failure Mode Effects Analysis

FN (Curve) Curve of "cumulative Frequency per year to have more than N fatalities". Similar concepts are utilised for Cost (F-C Curves), Spill (F-S Curves) and asset damage (F-D Curves)

HAZID Hazard identification Study

HAZOP Hazards and operability Review

HIPS High integrity protection system

HIPPS High integrity pressure protection system

HSE (UK) United Kingdom Health and Safety Executive

ICAF Implied Cost to Avert a Fatality

IDLH Immediately Dangerous to Life and Health. Maximum concentration during which an individual can be exposed at least 30 minutes without experiencing irreversible effect to health.

IEC International Electro-technical Commission

IRPA Individual Risk per Annum.

ISO International Organization for Standardization

LCx(y) Lethal Concentration (LCx): Atmospheric concentration which, for a specified duration of exposure, will cause the death of x% of an exposed population after y minutes. e. g. LC1% (30) means 1% fatality after a 30-minute exposure.

LC1% The lethal effect threshold corresponds to the value below which one does not





Page 14/115

observe more than 1% of deaths among the exposed population.

LSIR Location Specific Individual Risk

OGP The International Association of Oil & Gas producers

OREDA Offshore Reliability Data

P&ID Piping and instrumentation diagram

PFD Process flow diagram or Probability of failure on demand

PHAST® Process Hazards Analysis Software Tools - Det Norske Veritas (DNV).

PHAST Risk ®

Process Hazards Analysis Software Tools with risk integration DNV

PLL Potential Loss of Life

POB Personal On Board

PRA Preliminary Risk Assessment

QRA Quantitative Risk Analysis (in this document). Aggregate individual risk assessment approach is denoted as QRA based risk assessment.

RMS Risk Management Sheets (a method of detailed risk analysis for assessing risk less severe scenarios - moderate, serious and major severities)

RRW Risk Reduction Workshop

SCM Safety Critical Measures

SDV Shut Down Valve

SEI Seuil des Effets Irréversibles in French. It is the irreversible effect threshold corresponds to the value below which one does not observe significant effects for the majority of the individuals. (SEI for 30 minutes is equivalent to IDLH for toxic effects).

SIL Safety Integrity Level

SIS Safety Instrumented System

TNO Toegepast-Natuurwetenschappelijk Onderzoek (Netherlands Organisation)

TR Temporary refuge

TRA Technological Risk Assessment

UVCE Unconfined vapor cloud explosion

WOAD World-wide Offshore Accident Databank

4. Technological risk assessment Technological risks are risks associated with flammable, toxic, or explosive substances handled or processed during oil and gas extraction, treatment, storage or transportation activities. These risks impact individuals and public (directly or indirectly involved in the activities), the environment, integrity of the installations and associated production.





Page 15/115

Technological risk management involves periodic assessment of risks during development cycle of a facility and where mandatory assessment of appropriate risks reduction measures to bring levels of risk within the pre-defined risk tolerability criteria.

The simplified flow scheme of technological risk management process is shown in Figure 1.

Figure 1 - Five Steps and two possible parallel risk analysis approaches

Figure 3 Hazard IdentificationHazard Identification


Safety – Individual Risk


Individual Risk

Detailed Analysis of Scenarios

Safety, Environment & Asset


Human, Environment & Asset

Preliminary Risk Assessment


Scenarios & Scenarios & Critical Events Register

Scenario Risk Assessment

Scenario Risk Evaluation

Hazardous EventsHazardous Events

Assessment of Individual RiskIndividual Risk

Evaluation

Action Plan,Risk RegisterAction Plan,Risk Register

Scenario based method QRA methodCommon to both methods

IterationsIterations

Step 1

Step 2

Step 3

Step 4

Step 5

Risk Acceptability?Risk Reduction Workshop, Cost Benefit Analysis

ALARP Demonstration


ALARP Demonstration



Safety – Individual Risk


Individual Risk




Human, Environment & Asset



Scenarios & Scenarios & Critical Events Register





Evaluation




Step 1

Step 2

Step 3

Step 4

Step 5


ALARP Demonstration


ALARP Demonstration





Page 16/115

4.1 Five Steps of Risk Management The five steps of technological risk management process are as follows (Figure 1):

Step 1 hazards Identification

Step 2 Development of scenarios and preliminary risk assessment

Step 3 Detailed risk analysis of selected scenarios and supplementary Quantitative Risk Analysis (QRA) for certain situations

Step 4 Risk evaluation and ALARP demonstration

Step 5 Action plan on the implementation of risk reduction measures (risk treatment)

Level of details and depth of the above steps differ considerably with development phases. For example, depth of risk assessment during pre-project phase may be limited to a semi-quantitative analysis to enable screening of major scenarios for detailed risk quantification during the subsequent phases.

4.2 Two Parallel Methods for Risk Analysis As shown in Figure 1, the technological risk management process includes the following two parallel methods:

Application Risk Analysis Method

Mandatory Scenario based risk assessment This includes hazard identification, preliminary risk assessment, detailed analysis of “major scenarios” and evaluation risk acceptability of each scenario with respect to human, environment, and asset impact. Treatment of risk associated with major scenarios to meet Company’s scenario risk acceptance criteria.

Supplementary (in certain conditions)

QRA based risk assessment This includes aggregation of risk to individuals from all scenarios including occupational and transportation risks to estimate Individual Risk Per Annum (IRPA). IRPA levels of the most exposed worker groups are evaluated with respect to risk acceptability criteria. Treatment of risk associated with major aggregate individual risk to meet Company’s IRPA acceptance criteria.

Scenario based risk assessment is mandatory for all developments and existing facilities within Total E&P.

The QRA method is aimed at quantifying aggregated risks to human. This method is also mandatory if and only if, local regulation requires it. In such case QRA method may be considered as an alternate method to scenario method provided acceptance of a derogation request granted by DGEP/HSE/SEI. The derogation shall be supported by an analysis and treatment of all catastrophic and disastrous scenarios towards Environment and Asset.





Page 17/115

However QRA may complement scenario risk based assessment in cases of:

• Large permanently manned Offshore facilities

• Facilities potentially impacting public safety

• Facilities which are outside Company operating experience

• Facilities incorporating major new technology and concept

• Specific request of the Responsible Entity in charge of Technological Risk Assessment in the affiliate or project.

4.3 Life Cycle Risk Assessment The development cycle of an upstream facility shall include the following phases Figure 2):

• Exploration (seismic data gathering, exploration drilling)

• Feasibility and concept selection studies

• Pre-project

• Project (basic engineering, detailed design)

• Project (construction, installation, hook-up and commissioning)

• Development drilling

• Operations (including minor modifications)

• Revamping or modification (major modification is treated as pre-project and project)

• Decommissioning.

The details of risk assessment efforts may vary during the life cycle due to availability of details. Hazard identification shall universally be applied to all development phases.

Figure 2 - Development Phases of an Oil & Gas Installation

4.4 Scope of Work of Risk Assessment Risk assessments whether carried out using internal Company resources or using Contractor shall have a clear scope of work which prepared in advance. Scope of work document shall be reviewed by competent specialists within Company.

No risk assessment shall be initiated without a written and approved scope of work. Scope definition shall describe battery limits, operational phases, methodology, risk acceptance criteria, input data and tools to be utilized for the assessment.

ExplorationSeismic

Drilling

Feasibility,Concept

Studies

Pre-Project

Phase

ProjectPhase Basic Eng.

ProjectPhase DetailEng.

ConstructionInstallation

Commissioning

Exploitation& Minor

Modifications

ExploitationMajor

Modifications

Abandonmentof

Site

DevelopmentDrilling





Page 18/115

The scope of risk assessment shall be split into three distinctive phases (as indicated in Figure 3). The recommended phases are the following:

• Phase 1 (Steps 1 & 2) which includes hazard identification, development of scenarios, preliminary risk assessment, and PRA validation workshop

• Phase 2 (Steps 3 & 4) which includes detailed analysis of selected scenarios, QRA (if applicable), risk evaluation, risk reduction workshop, updating of risk analysis and input to Company’s ALARP demonstration

• Phase 3 (Step 5) which includes Company’s ALARP demonstration, preparation of action plan for management approval, major risk register including identification of safety critical measures.

For small facilities like a wellhead or receiving facility, preliminary risk assessment step can be eliminated and scenario risk assessment can be made directly using Steps 3 and 4.

Figure 3 - Three distinctive Phases for the development Scope of Work

For simple and very similar types of normally unmanned installations (ex: simple wellhead platform) Technological Risk Assessment may be performed on a single representative case.

Justification of the right representativeness of the selected case shall be fully argued in the Register of Assumptions of the study.

Contents of generic scope of work associated with the three recommended phases are presented in Appendix 1. The scope of work shall be adapted to reflect the development cycle and complexity of development.

Figure 3Figure 3 Hazard IdentificationHazard IdentificationHazard IdentificationHazard Identification

Quantitative Quantitative Risk Analysis (QRA)Risk Analysis (QRA)Safety Safety ––Individual RiskIndividual Risk

Quantitative Quantitative Risk Analysis (QRA)Risk Analysis (QRA)

::Individual RiskIndividual Risk

Detailed Analysis Detailed Analysis of Scenariosof Scenarios


Human, Environment Human, Environment & Assets& Assets

Preliminary Preliminary Risk Assessment Risk Assessment


Scenarios & Scenarios & Critical Events RegisterCritical Events Register

Scenarios & Critical Events Register

Scenario Scenario Risk AssessmentRisk Assessment

Scenario Scenario Risk EvaluationRisk Evaluation

Hazardous EventsHazardous EventsHazardous EventsHazardous Events

Assessment of Assessment of Individual RiskIndividual RiskIndividual Risk Individual Risk

EvaluationEvaluation

Action Plan,Action Plan,Risk RegisterRisk Register

Action PlanAction PlanRisk RegisterRisk Register

Scenario based methodScenario based method QRA methodQRA methodCommon to both methodsCommon to both methods

IterationsIterationsIterationsIterations

Step 1Step 1

Step 2Step 2

Step 3Step 3

Step 4Step 4

Step 5Step 5

Risk Acceptability?Risk Acceptability?Risk Reduction Workshop, Cost Benefit AnalysisRisk Reduction Workshop, Cost Benefit Analysis

ALARP DemonstrationALARP Demonstration

Phase 2Phase 2

Phase 3Phase 3

Phase 1Phase 1





Page 19/115

4.4.1 Documents Required for Performing Risk Assessment The risk assessment requires facility documentation and availability of the documentation will depend on stage of development. The documents indicated in Table 2 should be made available for performing risk assessment.

Table 2 - Recommended set of documents for performing risk assessment # Documents

1 Process and Utility Flow Diagrams

2 Piping and Instrumentation Diagram

3 Layout Drawings

4 Plot plan and elevation drawings

5 General arrange drawings

6 Design Basis

7 Manning and population distribution

8 Material balance + compositions + Operating Conditions

9 Safety Concept Document

10 Operating and Maintenance Philosophy

11 Electrical single line drawing

12 Simplified Safety System PFDs (including ESD Logic diagrams)

13 Cause and effect charts

14 Process and Equipment datasheets

15 Previous HAZID, HAZOP, SPOT Reports

16 Previous Safety studies – Fire Zone, Restricted Area, Impacted Area drawings with calculations.

17 Previous Safety Studies – Blow out risk assessment

18 Previous Safety Studies – Dropped object risk assessment

19 Previous Safety Studies – Fire and risk assessment

20 Previous Safety Studies – Subsea Isolation risk assessment

21 Previous Safety Studies – Collision risk assessment

22 Previous Safety Studies – CFD Dispersion and Explosion assessment

23 Previous Safety Studies – HIPS Dossier

24 Previous Safety Studies – Flare radiation, flame out risk assessment

25 Escape and evacuation risk assessment

26 Site emergency response plan





Page 20/115

# Documents

27 Fire water network drawings – Fire water capacity calculations

28 Enclosure – ventilation and pressurisation schemes

29 Temporary refuge Impairment – Criteria

30 Active and Passive fire fighting system – description

31 Emergency depressurization – philosophy and description

32 Fire and Safety detector layout drawings

33 Hazardous area classification drawings (plan, elevations)

34 Life saving equipment description (lifeboat, capsules etc.)

35 SIMOPS / COMOPS (Matrix of permitted operations)

36 Historical site incident records (accidents and near misses)

37 Asset value register

38 Logistical information: marine traffic, vehicle profiles, helicopter traffic, lifting manifest, crane characteristics.

4.5 Scenario Definition The term “scenario” has a specific meaning in the application of this specification. The definition of a scenario is as follows:

Scenario is a sequence of events leading to an accident. A scenario is further defined based on a set of data and assumptions which relate a hazard into an initiating event, prevention barriers, central critical event, mitigation barriers, hazard outcome, protection barriers, and damage sequence as illustrated below:

Figure 4 - Scenario as a sequence of events

Damages

Haz

ards

In

itiat

ing

Eve

nts

Prevention Barriers

IncidentCentral Critical Event

Causes ConsequenceConsequence Esclation

Control & Mitigation Barriers

Hazard outcome(thermal, overpressure, toxic, missiles, stability, pollution)





Page 21/115

In a scenario based risk assessment, acceptability of risk associated with each hazard outcome is judged with respect to the damage frequency and severity with respect to the Company risk acceptance matrix. Therefore, strict adherence to the definition shall be followed in a scenario based risk assessment.

As illustrated in Figure 5, a scenario shall consist of the following elements:

• An initiating event or events. (Note that all initiating events shall be considered if a scenario is associated with a generic process release)

• Unique central critical event. (e.g.: Loss of containment, small or medium or large)

• Unique hazard outcome based on isolated or un-isolated outcome. (Hazard outcomes are thermal radiation or dose, explosion overpressure, toxic dose, projectiles, pollution, stability impairment).

Figure 5 - Simplified illustration of a scenario

In general, frequency of central critical event is made using a fault tree analysis approach except if the hazard is related to generic process release. For generic process releases, the frequency of central critical event (loss of containment – small, medium or large) shall be based on approved database on process release (e.g. CHARAD).

Modeling of hazard outcomes shall be made using event trees analysis where likelihood of various event tree outcomes (for example, jet fire, pool fire, flash fire, explosion, dispersion, stability, structural failure etc.) shall be estimated from the central critical event frequency using branch probabilities.

The damages associated with a specific event tree outcome or combined event tree outcomes related to a unique hazard outcome (thermal radiation or dose, explosion overpressure, toxic dose, spill, structural impairment) shall be calculated using consequence and vulnerability models and the results shall be presented in terms of damage severity and damage frequency on the Company risk acceptance matrix.

4.6 Typical Upstream Scenarios The following categories shall be reviewed for defining scenarios for risk assessment of upstream oil and gas facilities:

4.6.1 Blowout Blowout is related to well systems and shall be reviewed with respect to phases of operation; (namely, drilling, well intervention, production, etc.).

Incident Escalated Incident

InitiatingEvents

PREVENTIONBarriers

Central Critical Event

CONTROL &MITIGATIONBarriers

Escalation CONTROL &MITIGATIONBarriers

Unique Hazard outcome

UniqueHazard outcome

HA

ZA

RD

S





Page 22/115

• Initiating Events

- Causes of blowout varies which includes loss of well control measures, failure of well control equipment, failure of well control procedures, failure of well control barriers, mechanical impact, etc. All causes during an operational phase shall be combined for defining the scenario related to blowout.

• Central Critical Events

- Central critical events related to blowout shall be release of formation fluid to atmosphere. Frequency of central critical event shall be determined based on historical data and fault tree analysis.

• Hazard Outcome

- Hazard outcome associated with blowout scenario shall be based on one of the following event tree outcomes as a physical effect:

. Jet / pool fire (thermal radiation, smoke - toxicity)

. Flash fire (thermal dose)

. Explosion (explosion overpressure)

. Spill (pollution)

. Toxic dispersion (toxic dose).

Examples are:

• Jet fire resulting from loss of containment during drilling operation due to well control failures

• Oil spill resulting from loss of containment during drilling operation due to well control failures.

4.6.2 Generic Process Release Generic process releases are related to an isolatable section or part thereof of a facility. The release frequencies shall be estimated based on historical data of equipment release which include all generic causes leading to loss of containment.

• Initiating Events

- Generic causes are corrosion, erosion, vibration, fatigue, construction defects, mechanical failure, human error, and contribution due to natural and impact events to any specific equipment or section.

• Central Critical Events

- Central critical events shall be further developed based on three different release sizes as per Table 3.





Page 23/115

Table 3 - Release sizes for scenario based risk analysis Release size Diameter range (mm) for

frequency estimation Representative diameter (mm) for

consequence calculations

Small 1 – 5 5

Medium 5 – 65 65

Large 65 – full bore Diameter of pipe or the largest flanged connection

- Small release size should only be utilized for process section handling high levels of H2S or toxic fluids (0.2% mole fraction or higher) or operating above 100 barg or for oil or condensate unmanned installations withregards environment risk. For all other cases, medium and large release sizes shall be assessed for scenario based risk analysis.

- Frequency of central critical events shall be determined based on historical data using Company failure rate database, CHARAD. Company approval shall be sought for the use of additional historical data. For existing facilities, the frequency of leaks stemming from data base should be checked and may be adjusted referring to actual loss of containment incident reporting figures over a suitable period (5 years min). The adjusted value shall be documented in the assumption register.

- Fault tree analysis approach shall not be used for determining generic process release frequencies. However, the fault tree analysis shall be recommended for conditioning release frequencies with respect to a specific design/operation which are not at all representative to generic data.

• Hazard Outcome

- Scenario shall be defined based on unique hazard outcome based on isolated or un-isolated consequence. Scenario shall be defined based on one of the following isolated or un-isolated event tree outcome:

. Jet / pool fire (thermal radiation, smoke - toxicity)

. Flash fire (thermal dose)

. Explosion (explosion overpressure)

. Spill (pollution)

. Toxic dispersion (toxic dose).

Examples of scenarios related to process release are:

• Isolated jet fire resulting from immediate ignition of medium release from vapor section of the test separator (D-100) during normal operation.

• Un-isolated explosion resulting from delayed ignition of vapor cloud associated with large release from liquid section of the deethaniser column (C-101) during normal operation.

• Isolated toxic dispersion resulting from a small release associated with condensate export pump (P-905).





Page 24/115

4.6.2.1 Rules for Defining Isolatable Sections The isolatable sections shall be defined and marked up either on P&IDs or on PFDs based on the following principles:

• The isolation boundaries shall be defined by ESD valves, blow down valves, control valves limiting the flow of hazardous gases to flare, and control valves with failure close position with input from shutdown system to close.

• In some instances, it is possible to define “pseudo Isolatable section” when the plant is not provided with ESDV or SDV (old installation).Manual valves and remote controlled valves may be considered as isolation boundaries. In that case the probability of failure of isolation should be assessed accordingly; time for isolation should also be taken into account for calculation of released material.

4.6.2.2 Rules for Defining Sections within an Isolatable Section Sections within an isolatable section shall be defined based on the following hierarchy principles:

• Fluid phase (2-phase, vapor, liquid)

• Operating pressure differences within an isolatable section.

This is illustrated in Figure 6 as an example for an isolatable section. The sections for scenario risk assessment in this example are as follows:

• 2-phase fluid inlet section (inlet pipe work between inlet isolation valve and vessel inlet nozzle)

• Liquid outlet section (half the vessel and pipe work between liquid outlet nozzle and liquid outlet isolation valve)

• Vapor outlet section (half the vessel and pipe work between vapor outlet nozzle and vapor outlet isolation valve).

For each section, two or three release sizes (small, medium and large) shall be reviewed as defined in Section 4.6.2 for preparing the critical events register (ref to Section 6.3.2).

Figure 6 - An example of an isolatable section and subsections

2-phase

BDV

SDV

SDV

Vapour

Liquid

SDV

Isolatable Section





Page 25/115

4.6.3 Specific Major Process Hazards Specific major process hazards are specific situations identified during either HAZID or process safety analysis. The initiating events, central critical events and hazard outcomes shall be defined on a case by case basis for defining scenarios related to specific major process hazards. Typical examples for scenarios associated with specific major process hazards are presented in Table 4.

Table 4 - Examples of scenarios associated with Specific Major Process Hazards Initiating event(s) Central Critical Event Hazard outcomes Specific overpressure protection system failure on demand.

Mechanical damage or loss of containment

Thermal radiation Toxicity, Spill Explosion/ BLEVE, Missiles

Specific under pressure protection system failure on demand

Mechanical damage or loss of containment

Thermal radiation Toxicity, Spill Explosion, Missiles

Overfilling of storage tanks and failure of level safety devices on demand. Human error

Loss of containment from storage tanks.

Thermal radiation Spill Explosion

Process control failure leading to ingress of air into process leading to a flammable fixture. Human error

Internal ignition Internal Explosion, Missiles

Dust accumulation in silos or storage tanks.

Ignition of fine dust particles Explosion, Missiles

Accidental process release from vent stacks

Ignition of release Thermal radiation or dose

Flame out due to flare re-ignition failure

Flame out Toxicity Thermal dose

4.6.4 Major Mechanical Impact Hazards Major Mechanical Impact hazards are dropped or swinging objects, vessel collision, aircraft collision, projectiles, vehicle impact etc. Scenarios related to major mechanical impact hazards shall be reviewed based on site specific layout and operations characteristics. The central critical events can be either structural damage or loss of containment and shall be evaluated on a case-by-case using dedicated safety studies (for example dropped object risk analysis, collision risk analysis etc.)

The frequencies of central critical events shall be estimated using historical data coupled with fault tree analysis to incorporate site specific characteristics. Examples of scenarios related to major mechanical impact hazards are presented in Table 5.





Page 26/115

Table 5 - Examples of scenarios associated with Major Mechanical Impact Hazards Initiating event(s) Central Critical Event Hazard outcomes Equipment failure or External or environmental influences or Human error

Major dropped object or swinging object

Structural impairment Thermal radiation Explosion Spill, toxicity

Aircraft impact Mechanical damage /Loss of containment or structural damage

Structural impairment Thermal radiation Spill, toxicity Explosion

Vessel collision (offshore) Mechanical damage / loss of containment

Stability impairment Thermal radiation Spill, toxicity Explosion

Vehicle impact (onshore) Loss of containment Thermal impairment Spill, toxicity Explosion

Anchor dragging, trawling (pipelines or subsea infrastructure)

Mechanical damage / loss of containment

Stability impairment Thermal radiation Spill

Mechanical failure or fatigue (mooring lines, tendons of tension leg platform, foundation, critical member fatigue)

Mechanical damage Stability impairment

4.6.5 Natural Hazards Natural hazards are associated with accidental events due to wind, current, wave, ice movement, earthquake, soil movements, subsidence, flooding, hurricanes or cyclones, tornado, tsunami, volcanic eruption etc.

Installations are designed to certain level of exceedance of the natural events. Therefore, scenarios to be reviewed shall be associated with residual risks beyond design safety levels.

Natural hazards shall be reviewed systematically or developing related scenarios. The central critical events can be structural damage, stability impairment or loss of containment and shall be evaluated on a case-by-case using site and design characteristics using dedicated safety studies (for example structural risk assessment.)

The frequencies of central critical events shall be estimated using historical data coupled with fault tree analysis to incorporated site specific and design characteristics. Examples of scenarios related to natural hazards are presented in Table 6.





Page 27/115

Table 6 - Examples of scenarios associated with Natural Hazards Initiating event(s) Central Critical Event Hazard outcomes Extreme weather (wind, wave, current)

Loss of containment / structural damage

Structural Impairment Spill, toxicity Thermal radiation Explosion

Extreme seismic events Loss of containment / structural damage

Structural Impairment Thermal radiation Spill, toxic dispersion Explosion

Icebergs Loss of containment / structural damage


Subsidence Loss of containment / structural damage


Punch through (jack-up rigs) Structural damage Structural Impairment Spill

Scouring Loss of containment / structural damage


Flooding Structural damage Structural Impairment Spill

Tsunami Structural damage to coastal facilities.

Structural Impairment Spill





Page 28/115

5. Hazard identification (HAZID)

5.1 Objectives The objective is to systematically identify all hazards which can potentially lead major incidents either directly or through escalation of events based on life cycle operation of a facility. This is the first step of any technological risk assessment as highlighted in Figure 7.

Figure 7 - Hazard Identification as part of the risk management process

5.2 Methods HAZID shall be performed based on a structured brain storming session using an appropriate checklist. Complete life cycle of a facility shall be considered in the HAZID addressing simultaneous operations like drilling and production, well intervention and production,





















Step 1Step 1

Step 2Step 2

Step 3Step 3

Step 4Step 4

Step 5Step 5







Page 29/115

construction and production, campaign maintenance and production, decommissioning some units. Pre project HAZID shall be entirely revised in order to include TRA requirements for scenario development.

HAZID session shall review non-process hazards and process hazards (hazards associated with unplanned releases). In particular, the following aspects shall be systematically reviewed:

• Impact of the facility to its surroundings

• Impact of the surroundings to the facility

• Interference between main units

• Location / orientation of plant and equipment

• Location / orientation of plant and equipment

• Unplanned releases for isolatable sections or units

• Environmental hazards, and natural hazards.

A checklist shall be prepared for facilitation of HAZID sessions to trigger quality brain storming. An example of a checklist is presented in Appendix 2. The checklist shall include the following elements:

• External Hazards

- Natural and environmental hazards (impact of the environment on the plant)

- Environmental Impact (impact of the plant on the natural environment)

- Effect on the plant of man-made hazards

- Hazards from the infrastructure supporting the facilities.

• Facility Hazards

- Process Hazards (based on isolatable sections), specific process: gas blow by, blocked outlet, packing depacking situations, piping rating change, etc.

- Utility Systems Hazards (loss of utilities)

- Other hazards within the facilities (e.g. material handling, crane operation, electricity, radio- active substances, object under induced stress, etc.).

6. Preliminary risk assessment

6.1 Objectives Objective of the preliminary risk assessment is to conservatively establish scenarios to be studied in detailed risk analysis. The risks associated with scenario hazard outcomes to human, environment and assets are screened with respect to damage frequency and severity categories using the Company risk screening matrix (refer to Figure 11) to establish the list of scenarios to be studied in detail.

The preliminary risk assessment is applicable only for scenario based risk analysis. The role of PRA in the overall technological risk management process is highlighted in Figure 8.For small upstream facilities like wellhead platform, minimal facility gathering, wellheads, manifold station





Page 30/115

etc , the preliminary risk assessment can be eliminated all together and detailed risk analysis can be directly used for estimating risks associated with scenarios.

Figure 8 - PRA as part technological risk assessment

6.2 Methods for Preliminary Risk Assessment Preliminary risk assessment involves semi-quantitative estimation of scenario risk to human, environment and asset.

Two methods are utilized for the preliminary risk assessment, namely:

• simplified method and

• rigorous method.

The preferred method is the rigorous method but in some instances the simplified PRA approach may suffice subject upon Company approval.





















Step 1Step 1

Step 2Step 2

Step 3Step 3

Step 4Step 4

Step 5Step 5







Page 31/115

The simplified PRA approach: This may apply to below concerned facilities:

• Facilities at Pre-project development stage

• Facilities in Project and Operational phases and contain only standard non toxic fluids below 100 barg

• Facilities in Project and Operational phases and contain only standard simple equipments like standard separators, piping.. New technologies are excluded.

The simplified PRA approach is very similar to ranking hazards following a hazard identification study using a team of experts with competence in performing risk analysis of oil gas upstream facilities. However the simplified PRA approach is not a purely qualitative exercise which may be biased by subjective risk perception. The simplified but conservative consequence and frequency assessment shall be performed based on the utilization of simplified consequence modeling tools and generic part count tools based on recognized historical data base.

In the simplified PRA approach, Hazid study is immediately followed by a ranking of hazards based on simplified but conservative estimation of gravity and frequency.

All calculations assumptions shall be documented in an assumptions register.

Conservative and simplified estimation of gravity: Consequence modeling: ie use of abacus or simplified consequence excel tool and simplified but conservative personal distribution.

Conservative estimation of frequency: Specific Excel tool like generic part counts tools can be utilized in order to get quickly the frequency of the Central Critical Events (loss of containment: medium and large).

CHARAD access data base can be used in order to get ignition probability based on initial release rate and type of fluid (liquid or gas). Appendix 8 briefly describes Total in house simplified modeling tools.

The rigorous method involves systematic identification of scenarios, development of consequences and frequencies (based on detail part counts and event trees) to establish conservative estimate of damage severities and consequences of each scenario.

The rigorous PRA method shall systematically be applied to the following situations:

• Facilities with potential impact to public safety

• Large permanently manned facilities

• New technologies and operations involving significant hazards to people which are considered outside the experience envelope of Company.

Main differences between rigorous PRA method and DRA:

The rigorous PRA method uses generally coarse and conservative consequence model (initial flow rate, simple but conservative ignition model, etc.)

At PRA level many factors may not be taken into account: direction of Jet Fire, screen effect to thermal impact due to high level of congestion of installation, provision for deluge, PFP, blow down, manning distribution accuracy, detail meteorological conditions.





Page 32/115

The preliminary risk assessment shall include the following steps as illustrated in Figure 9:

• Scenario development

• Frequency of central critical events

• Consequence of scenario hazard outcome.

• Frequencies of hazard outcome

• Severity level of damage (human, environment and asset)

• Reporting

• PRA validation workshop.

Figure 9 - Steps involved in a “rigorous” Preliminary Risk Assessment

HAZID Worksheets

Development of Scenarios

Frequency ofCritical Events

Consequence (Physical Effects)

PHAST, Simplified Modelling

Historical data (eg:-CHARAD),

Fault tree

Frequency of all Hazard outcomes

and physical effects

Each outcomeEstimate damage

(severity & frequency)

Critical Events Register

Isolatable Sections

Assumptions Register

Moderate Serious Major Catastrophic Disastrous

Likely

Unlikely

Very unlikely

Extremely unlikely

Remote

Scenarios with a generallyacceptable risk level

10-2/yr

10-3/yr

10-4/yr

10-5/yr

Scenarios to be studied in Detail


Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr



Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr


Human

Environment

Asset

Preliminary Risk Assessment Draft Report

PRA Validation Workshop

Facility Data, manning

Preliminary Risk Assessment Final Report





Page 33/115

6.3 Scenario development

6.3.1 Preparation The preparation for the scenario development shall include the following activities:

• Prepare a list of documents with document number, title, revision number

• Prepare a list of isolatable sections indicating stream numbers, pressure, temperature, isolating devices (upstream and downstream), list of equipment, estimate of vapor volume, liquid volume within an isolatable section

• Prepare a file of PFDs and on P&IDs with marked-up isolatable sections

• Prepare a marked up copy of layout drawings

• Compile environmental data (wind, wave, current, etc. if applicable), including wind directionality data (wind rose diagram)

• Obtain production characteristics and composition of process streams

• Obtain manning levels and distribution

• Obtain population data surrounding the facility

• Obtain rough estimate values of equipments

• Obtain high level operating and maintenance philosophy

• Obtain lifting data (nb of lifts/ year, weight/lift, etc.)

• Obtain ship traffic data around the installation

• Review of HAZID worksheets and reports

• Prepare a set of assumptions to be compiled in the assumptions register

The level of details the above varies depending on the phase of development.

6.3.2 HAZID Worksheets to Critical Events Register The objective of this task is to develop specific scenarios from the hazard identification worksheets. A review of the HAZID worksheet shall be carried out to define scenarios as per definitions given in Sections 4.5 and 4.6.

The expected output is to produce a list a comprehensive scenarios (known as critical events register) which shall include description of the system or section, initiating events, preventive barriers, central critical event, mitigation barriers, consequences (hazard outcomes), protection measures and duration of hazard outcome. Critical event template presented in Appendix 5 shall be utilized for preliminary risk assessment.

During the review, preparing a complete list of all possible process release scenarios can be cumbersome. Therefore, process release scenarios shall be sorted in such way that only representative scenarios shall be selected for evaluation.

The sorting shall be based on similar characteristics of frequency of central critical event, consequence of hazard outcome and damage potential to people, environment or asset

The translation of HAZID worksheets to Critical Events Register is illustrated in Figure 10 Expert judgment is always involved in this task and therefore all assumptions made by the expert shall





Page 34/115

be systematically documented using an “Assumptions Register”, which shall be updated and maintained throughout the risk assessment process. Format of the assumption register is presented in Appendix 6.

Figure 10 - Translation of HAZID Sheets to Critical Events Register

A complete inventory of “Individual” Central Critical Events (CCE) can rapidly generate an excessive number of scenarios to be considered. It is therefore recommended to group together similar events and to choose one representative CCE for this group in order to obtain smaller representative set of Central Critical Events. Regrouping criteria are:

• Equipment of similar design, including the associated safety systems, located in the same area of the plant

• Equivalent operating conditions and product properties

• Similar type of leak or rupture and same level of frequency

• Similar consequences.

No System Node Unit Location

Guideword Cause Potential consequences Safeguards Recommendations / Remarks Priority

HAZID Worksheets

Critical Events RegisterDamage Severity & Damage FrequencyFunctional

BlocksOperating or environmentparameter

Central Critical Events

Causes Preventive measures

Hazard outcomes Mitigation measures Duration of the Hazard outcome

Ref. #Humanseverity

Human frequency

Environ-severity

Environ-frequency

Assetseverity

Asset frequency

CommentsDamage Severity & Damage FrequencyFunctionalBlocks

Operating or environmentparameter




Ref. #Humanseverity

Human frequency

Environ-severity

Environ-frequency

Assetseverity

Asset frequency

CommentsDamage Severity & Damage FrequencyFunctionalBlocks

Operating or environmentparameter




Ref. #Humanseverity

Human frequency

Environ-severity

Environ-frequency

Assetseverity

Asset frequency

Comments





Page 35/115

The representative CCE may be associated with the combination of the most severe frequency and consequence

The list of facilities and grouped events shall be justified and appropriately recorded in the assumption register.

6.4 Frequency of Central Critical Event The next task is to conservatively estimate frequency of the central critical event of all selected scenarios of the critical event register. The frequency estimation shall be based on historical data. Fault trees analysis may be considered as an option if there are no relevant historical data available to estimate the frequency.

The main sources of historical data are as follows:

• WOAD (Worldwide Offshore Accident Databank)

• OREDA (Offshore Reliability Data )

• CHARAD Database (Company internal database).

Parts count method shall be utilized in the rigorous PRA method for determining central critical event frequencies associated generic process releases (small, medium and large).

6.5 Consequence Estimation Consequence analysis shall be carried out to estimate physical effects associated with each hazard outcome. For scenarios with loss of containment as the central critical events, this task is relatively easy. The physical effects associated with a hazard outcome shall be estimated using commercial tools such as PHAST or EFFECTS or simplified consequence analysis tables. Approval from Company shall be sought for the use of software/tools and tables for consequence estimation.

The following parameters shall be evaluated for estimating damage severity:

• Duration of release (with and without isolation)

• Distance to hazard intensity levels - (SEI if relevant, LC1%if relevant and fatality)

• Kinetics and escalation potential.

For scenarios associated with non-process events, the consequences shall be based on engineering estimate with the help of structural and hydrodynamic expertise. The hazard intensity threshold for defining SEI, LC1% and fatality zones shall be as per Appendix 7.

6.6 Frequency of Hazard Outcome A simplified event tree analysis shall be considered for determining the frequency of the hazard outcomes. The following hazard outcomes shall be reviewed for estimating frequencies:

• Thermal radiation (jet / pool fires)

• Thermal dose (flash fire)

• Explosion overpressure (UVCE, BLEVE)

• Spill (un-ignited liquid release)





Page 36/115

• Toxic dispersion (un-ignited release)

• Structural or stability impairment.

The estimation of frequencies of hazard outcome involves expert judgment and therefore all assumptions made by the experts shall be systematically documented using the assumptions register.

6.7 Damage Severity and frequency The objective of this task is to conservatively establish the worst case damage severity category and damage frequency category associated with each hazard outcome based on the definitions of categories presented in Appendix 6.

The harm levels to human, environment and asset shall be evaluated.

The frequency of human damage category shall be determined by considering probability of people presence. To perform this task, the manning levels and their distribution at site and external to the site shall be reviewed. Normal operation and SIMOPS cases should be differentiated as exposure factor and manning level are different.

The resulting damage severity category and frequency category for all scenarios shall be presented on the risk screening matrix (Figure 11) separately for people, environment and asset. The purpose of this presentation is to select a limited number of major scenarios for detailed risk analysis.

Figure 11 - Risk Screening Matrix

6.8 Reporting The following structures shall be utilized for reporting the preliminary risk assessment:

• Management Summary

• Scope & battery limits

• Study Data


Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr



Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr



Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr


Human

Environment

AssetModerate Serious Major Catastrophic Disastrous

Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr



Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr



Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr


Human

Environment

Asset





Page 37/115

• Method of Assessment

• Results

- List of major scenarios to the studied in detail

- List of other scenarios to be studied in detail using RMS

• Attachments

- Critical Event Register

- Presentation scenarios on screening matrix (safety, environment & asset)

- Assumptions register

- Frequency estimation (central critical events and hazard outcomes)

- Consequence estimation

- Damage severity and frequency estimation.

6.9 Preliminary Risk Assessment Validation Workshop The objective of this exercise is to critically examine and validate all major scenarios as a team exercise. Attendees of the PRA validation workshop should be as far as possible the same as those attended in the initial hazard identification sessions.

The comments and remarks of the team shall be utilized for updating the preliminary risk assessment report. Any early risk reduction measures and opportunities identified during the workshop shall be captured as part of the workshop minutes and included in the final PRA report.

The HAZID leader shall act as facilitator for the PRA validation workshop who shall be responsible for preparing the minutes of the validation workshop.





Page 38/115

7. Risk management sheets

7.1 Objectives The objective is to semi-quantitatively assess the risk associated with high frequency but low severity scenarios and help to demonstrate “ALARP”. The applicability region of screening matrix using Risk Management Sheet is illustrated in Figure 12: it only applies to scenarios in the major/ likely zone see below in the matrixes.

Figure 12 - Application of Risk Management Sheets

7.2 Preparation of RMS Method The preparation for RMS application shall include the following steps:

1. For each central critical event, develop simplified « Bow-Tie » and identify all available barriers, and all possible outcomes (Figure 13). A bow-tie diagram is a representation of all initiating events and consequences associated with a critical event, together with the safety barriers that are in place to prevent, control or mitigate the hazard outcomes.

2. Review /estimate of the frequency of central critical event.

3. Develop generic event trees to estimate frequencies of all hazard outcomes considering the impact of available safety barriers.

Risk Management Risk Management SheetsSheets

Qualitative Quantitative

First PrioritySecond Priority


Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr

Scenarios to be

studied in Detail


Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr

Scenarios to be

studied in Detail


Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr


Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr

Scenarios to be

studied in Detail

Human

Environment

Asset

Risk Management Risk Management SheetsSheets




Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr

Scenarios to be

studied in Detail


Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr

Scenarios to be

studied in Detail


Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr


Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr

Scenarios to be

studied in Detail

Human

Environment

Asset





Page 39/115

4. Review/ estimate hazard intensity levels associated with hazard outcomes (SEI, LC1% and fatality and review probability of human exposure).

5. Review/ estimate damage severity category (safety, environment and asset) based on hazard intensity levels.

6. Combine hazard outcome frequencies and probability of exposure.

7. Plot damage severity category and associated damage frequency associated with a hazard outcome on the Company risk matrix (Figure 20).

8. Identify scenarios within Level 1 and Level 2 regions of the risk matrix. Report the findings.

9. Review Level 1 and Level 2 scenarios in a Risk Reduction Workshop (refer to Section 12.3) for identifying potential risk reduction measures.

10. Re-evaluate the scenarios associated with identified risk reduction measures for assisting ALARP demonstration. Document the findings. The RMS documentation shall be prepared as per the format included in Appendix 8.

Figure 13 - An example of a “Bow-Tie”

7.3 Review of Frequencies and Consequences The RMS team shall review each bow-tie diagram to ensure that all available safeguards are represented. The frequencies of critical events and hazard outcomes shall be carefully reviewed along with the hazard levels of each hazard outcome.

7.4 Format of Risk Management Sheets The format of RMS template shall consist of the following parts (Appendix 8):

1. Scenario reference including a bow-tie representation.

2. Frequency of central critical event

3. Consequence and damage severity category

4. Damage frequency category estimation





Page 40/115

Parts 1-4 above need shall be updated after the risk reduction workshop to include the effect of potential risk reduction measures. Further details on risk reduction workshop and ALARP demonstration is presented in Section 12.

7.5 RMS Reporting The RMS report shall be issued to Company for review and validation prior to risk reduction workshop

Once Company comments are incorporated, Company shall schedule a risk reduction workshop which shall specifically review scenarios in Level 1 and Level 2 of the risk matrix to identify potential risk reduction measures for further evaluation.

The effect of potential risk reduction measures shall be evaluated and update the relevant section RMS report.

The revised RMS report shall be issued to Company for further validation and approval. The final report incorporating Company comments shall include the following:


• Scope and battery limits

• Risk reduction workshop

- List of potential risk reduction measures

• Results and discussions

- Table of scenarios with rankings (severity and frequency) without and with risk reduction measures

• Attachments

- Minutes of risk reduction workshop

- Completed RMS documents

- Assumptions register.





Page 41/115

7.6 Reporting and treatment of the other types of scenarios For the scenarios which are outlined in blue the reporting and treatment can be performed solely by the plotting of the scenario on the risk matrix; the traceability being assured by the relevant extract of the critical event register. These scenarios are mostly related to occupational risk.

Figure 14 - Area of medium severity and high or medium frequency scenario


unlikely

Remote

RMS


10-3/yr

-4/yr

10-5/yr

Scenarios to be

studied in Detail

Human

Environment

Asset


Very unlikely

Extremely unlikely

Remote

RMS


10-4/yr

10-5/yr

Scenarios to bestudied in Detail


Likely

Unlikely

Very unlikely

Extremely unlikely

Remote

RMS


10-2/yr

10-3/yr

10-4/yr

10-5/yr

Scenarios to be

studied in Detail





Page 42/115

8. Detailed risk analysis of scenarios Detailed risk analysis implies quantification of risks associated with “major scenarios” as indicated in Figure 16. The role of detailed risk analysis of scenarios is indicated on the overall risk management process as in Figure 15.

Figure 15 - Role of detailed risk analysis (highlighted) in risk assessment process





















Step 1Step 1

Step 2Step 2

Step 3Step 3

Step 4Step 4

Step 5Step 5







Page 43/115

Figure 16 - Application of detailed risk analysis of major scenarios

8.1 Objectives The objective is to reconfirm the risk associated with major scenarios identified in a preliminary risk assessment by including the following:

• Quantify frequency of central critical event and all hazard outcomes by modeling the available safety barriers.

• Estimate probabilistic damage by including the damage severity level and damage frequency associated a hazard outcome.

• Present the scenario risk results on the Company risk matrix in terms of damage severity category with associated damage frequency of the hazard outcome, separately for human, environment and asset damage categories.

• Identify scenarios within Level 1 and Level 2 regions of the Company risk matrix. Report the findings.

• Review Level 1 and Level 2 scenarios in a Risk Reduction Workshop (refer to Section 12.3) for identifying potential risk reduction measures.

• Re-evaluate the scenarios associated with identified risk reduction measures for assisting ALARP demonstration. Report the findings.

• Demonstrate for each major scenario, the risk is managed with the help of bow-tie representation to ensure that at least one safety barrier is present on each branch of the bow-tie, on prevention and on control and mitigation sides.

Fault Tree Fault Tree –– Event Tree Event Tree AnalysisAnalysis




Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr



Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr



Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr



Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr



Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr



Likely

Unlikely

Very unlikely

Extremely unlikely

Remote


10-2/yr

10-3/yr

10-4/yr

10-5/yr


Human

Environment

Asset





Page 44/115

Major scenarios require extensive consequence modeling and probabilistic analysis to determine the damage severity levels and frequencies in the detailed risk analysis stage. The following main tasks shall be performed as part of the detailed risk analysis of major scenarios:

1. Review of scenarios

2. Perform frequency analysis

3. Perform consequence analysis

4. Review of escalation potential

5. Perform impact analysis (vulnerability to human, environment and asset)

6. Perform sensitivity studies

7. Present results and document the calculations and assumptions

8. Issue internally validated documents to Company for comments.

9. Incorporate Company comments and reissue for the risk reduction workshop

10. Identify potential mitigation measures for Level 1 and Level 2 scenarios during the risk reduction workshop (Section 12.3).

11. Update of risk analysis to estimate the risk benefits associated with potential risk reductions measures

12. Issue internally validated report to Company for comments.

13. Incorporate Company comments and reissue as final report

These steps are discussed in the subsequent sections. An overall flow scheme of the detailed risk analysis is presented in Figure 17.





Page 45/115

Figure 17 - Flowchart of Detailed Risk Analysis of Major Scenarios

Review of major scenarios



PHAST, CFDAdditional

Safety Studies

Process release

eg: CHARAD

Frequency of all Hazard outcomes

and physical effects

Each outcomeEstimate damage

(severity & frequency)

Isolatable Sections


Detailed Risk Analysis

Final Report

Draft Risk Analysis Report

Facility DataWind,

manning

Non-processSpecific

evaluations

Event treesBranch prob.

Assess escalation potential of

event outcomes

Estimate escalated events

frequency

No

Yes

Sensitivity Studies

Level 1First Priority

Niveau 3Acceptable

Level 2Level 2TolerableTolerable

if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Likely

Unlikely

Very Unlikely

Extremely Unlikely

Remote

10-2 /yr

10-3 /yr

10-4 /yr

10-5 /yr


Level 3Acceptable


if ALARP if ALARP

Risk Personnel

Risk Environment

Risk AssetLevel 1First Priority

Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Likely

Unlikely

Very Unlikely

Extremely Unlikely

Remote

10-2 /yr

10-3 /yr

10-4 /yr

10-5 /yr


Level 3Acceptable


if ALARP if ALARP


Likely

Unlikely

Very Unlikely

Extremely Unlikely

Remote

10-2 /yr

10-3 /yr

10-4 /yr

10-5 /yr


Level 3Acceptable


if ALARP if ALARP


Level 3Acceptable


if ALARP if ALARP

Risk Personnel

Risk Environment

Risk Asset

Update Risk Analysis& Validation

BLEVE, Escape & Evacuation,

Structural stability


Likely

Unlikely

Very unlikely

Extremelyunlikely

Remote


10 -2/yr

10 -3/yr

10 -4/yr

10 -5/yr



Likely

Unlikely

Very unlikely

Extremelyunlikely

Remote


10 -2/yr

10 -3/yr

10 -4/yr

10 -5/yr



Likely

Unlikely

Very unlikely

Extremelyunlikely

Remote


Likely

Unlikely

Very unlikely

Extremelyunlikely

Remote


10 -2/yr

10 -3/yr

10 -4/yr

10 -5/yr



Likely

Unlikely

Very unlikely

Extremelyunlikely

Remote


10 -2/yr

10 -3/yr

10 -4/yr

10 -5/yr



Likely

Unlikely

Very unlikely

Extremelyunlikely

Remote


10 -2/yr

10 -3/yr

10 -4/yr

10 -5/yr



Likely

Unlikely

Very unlikely

Extremelyunlikely

Remote


10 -2/yr

10 -3/yr

10 -4/yr

10 -5/yr


Human

Environment

Asset

Risk Reduction Workshop


List of potential risk reduction

measures


measures





Page 46/115

8.2 Review of Scenario Review of scenario of preliminary risk analysis from initiating event (all initiating events to be considered for generic process release) to final hazard outcome shall be made with a purpose of identifying available prevention, control and mitigation measures. Review of scenario shall be made using fault-tree event tree representation to ensure that all available safeguards are accounted for in the detailed risk analysis of major scenarios.

This review establishes potential refinement in modeling, if any, to be performed in the detailed risk analysis. The refinement shall be one or more of the following elements:

• Fault tree analysis may be performed for “specific process” and “human error” releases scenarios, detailed parts count and use of validated data base to establish release frequencies for generic process releases scenarios. Fault tree analysis is not recommended for determining release frequencies for scenarios associated with generic process releases (refer to Section 4.6.2).

• Additional consequence calculations

• Development of detailed event trees and impact analysis.

8.3 Frequency Analysis The review of scenarios establishes the scope of revision required in the frequency analysis. Event trees analysis shall be performed to model the sequential development of events from the central critical event to various event tree outcomes based on the existing safety barriers and probability of immediate and delayed ignition. The following barriers shall be reviewed for developing event trees:

• Automatic isolation on process excursion or on gas or fire detection in an area

• Emergency depressurization (manual or automatic activation on confirmed gas for fire detection)

• Deluge (manual or automatic on confirmed fire detection in an area)

• Passive fire protection (fire and blast walls to mitigate escalation, passive fire protection coating on structures, vessel skids), etc.





Page 47/115

Unlike the simplified event trees considered in preliminary risk assessment, all available safeguarding barriers shall be considered in the detailed analysis. The event tree branch probabilities shall be estimated using engineering judgement, failure rate data, fault tree analysis or a combination of these. All assumptions shall be justified and shall be documented using assumptions register (refer to Appendix 9). An example of an event tree associated with a process release scenario is presented in Figure 5.

Figure 18 - An example – Event tree of a process release

Release frequency (/yr)

Immediate Ignition

Detection successful (fire or gas)

ESD and Isolation successful

Blowdown successful

Deluge effective?

Delayed Ignition

Deluge effective upon delayed ignition?

Event Tree Outcome Outcome frequency

0Isolated, Blowndown and deluged jet fire 0.00E+00

0

0.95 1Isolated and Blowndown jet fire

0.00E+00

0 Isolated and deluged jet fire 0.00E+000.975 1

1 Isolated jet fire 1.44E-05

0Unisolated and deluged jet fire

0.00E+00

0.013 0.05

1 Unisolated jet fire 7.61E-07

0.025 Unisolated jet fire 3.90E-07

0.05Isolated, blowdown and deluged Flash fire 0.00E+00

0.012

0.95 0.95 Isolated, blowdown Flash fire 0.00E+001.20E-03

0.988Isolated and blowdown dispersion 0.00E+00

0.9

Critical Critical 0.05Isolated and deluged Flash fire

0.00E+00Event (/yr)

0.0120

0.05 0.95 Isolated flash fire 0.00E+00

0.988 Isolated dispersion 0.00E+00

0.05Unisolated and deluged UVCE

0.00E+00

0.987 0.0120.1

0.95 Unisolated UVCE 0.00E+00

0.988 Unisolated dispersion 0.00E+00

0.05Undetected; unisolated, UVCE

7.11E-07

0.012

1 0.95 Undetected; unisolated UVCE 1.35E-05

0.988 Undetected dispersion 1.17E-03

Y

N





Page 48/115

8.4 Detailed Consequence Analysis The detailed consequence analysis of hydrocarbon release is a well researched area and several advanced codes and commercial software available (EFFECTS, PHAST to complex computational fluid dynamics based codes such as FLACS, KFX, etc.).

For non-hydrocarbon scenarios, the modeling of outcome such as structural failure, loss of stability, dropped object damage, or mooring failure requires specialized expertise and tools which may be based on non-linear finite element analysis and or hydro-dynamic analyses or even experienced based phenomenological models. Such methods can be extremely time consuming and requires competence in structural failure analysis, navel architecture and fluid dynamics disciplines. The selection of analysis method therefore depends upon the relative importance of the event with respect to the overall risk level of a development.

Approval shall be sought from the Company for utilization of software and tools which are not specified in the scope of work.

Graphical output shall be included for physical effect calculations associated with process release events to facilitate and review and communication of hazard intensity levels. An example of graphical output of a dispersion analysis is presented on Figure 19.

Figure 19 - An Example of a Consequence Analysis Results

8.5 Escalation Potential Escalation refers to increase in severity of a hazard outcome due to spreading (due to failure of escalation control and mitigation barriers). For offshore facilities due to compact installation geometry, escalation of events shall be critically examined to establish the potential escalated severities associated with a hazard outcome. The modeling of escalation potential shall focus on fires characteristics and explosions events on vulnerable structures or equipment.

The escalation outcomes are, for example, events lead to secondary loss of containment (such as BLEVE), missiles, capsizing, catastrophic structural failure and impairment of escape and evacuation.





Page 49/115

8.6 Sensitivity Studies Sensitivity analysis plays an important role in the detailed risk analysis to help understand uncertainties associated with the risk estimates. Sensitivity studies shall be formed based on Company approval of sensitivity cases (refer to Section 10).

8.7 Probabilistic Estimation of Damage Category and Frequency The objective of this step is to establish the worst case damage category (moderate, serious, major, catastrophic or disastrous) and associated frequency for each “hazard outcome”. For hydrocarbon release scenarios, the assessment can be complex considering the variability in release orientation, manning distribution, manning exposure probability, wind directionality etc.

In detailed risk analysis, a probabilistic picture of damage associated with all “event tree outcomes” shall be evaluated based on hazard intensity levels, manning distribution, exposure and environmental parameters.

For each “hazard outcome” (for example isolated fire leading to thermal radiation) there can be several “event tree outcomes” in a detailed event tree analysis. In this example, isolated fire can be of the following types in an event tree:

• Isolated, blown down and deluged fire

• Isolated and deluged fire

• Isolated fire (without deluge and blow down).

The physical effects associated with the above three event tree outcomes may be different based on the characteristics of fluid and isolatable section inventory and pressure. Therefore each event tree outcome potentially gives distinctive damage category and frequency.

In detailed risk analysis, it is recommended to combine “event tree outcomes” corresponding to a unique “hazard outcome”.

This approach is further explained using an example event tree analysis results associated with a critical central event on Table 7. “Hazard outcomes” associated with the central critical event (say medium release from a section of a facility handling toxic fluids) are the following:

Scenario reference Hazard outcome

1. Expl-U Un-Isolated explosion (explosion overpressure)

2. Flash-I Isolate flash fire (thermal dose)

3. Fire-I Isolated fire (thermal radiation)

4. Fire-U Un-isolated fire (thermal radiation)

5. Toxic-I Isolated toxic dispersion (toxic dose)

6. Toxic-U Un-isolated toxic dispersion (toxic dose)

The detailed risk analysis results associated with the six scenarios are presented in the lower part of Table 7. The results are also presented on risk matrix on Figure 20.





Page 50/115

Table 7 - An Example Event Outcomes with Damages of a “Central Critical Event” Hazard Event Tree Outcome Frequency of damage to human / year


Expl Un-isolated and deluged UVCE 5.14E-07 Expl Un-isolated UVCE 1.14E-06 Expl Undetected, un-isolated UVCE 2.17E-05 Fire Isolated, blown down and deluged fire 9.96E-06 Fire Isolated and blown down fire 1.89E-04 Fire Isolated and deluged fire 5.24E-07 Fire Isolated fire 9.96E-06 Fire Un-isolated and deluged fire 5.52E-07 Fire Un-isolated fire (no effect of deluge) 1.05E-05 Fire Un-isolated fire 2.45E-05 Flash Isolated, blown down and deluged flash fire 9.27E-06 Flash Isolated, blown down flash fire 4.88E-06 Flash. Isolated and deluge flash fire 9.27E-05 Flash Isolated flash fire 4.88E-06 Toxic Isolated and blown down toxic dispersion 4.74E-03 Toxic Isolated toxic dispersion 5.04E-04 Toxic Un-isolated toxic dispersion – Day time 1.18E-04 Toxic Un-isolated toxic dispersion – Night Time 1.18E-04 Toxic Undetected toxic dispersion – Day time 1.01E-04 Toxic Undetected toxic dispersion – Night time 1.01E-04

Scenario Hazard Outcome Frequency of damage to human / year


1. Expl-U Un-isolated Explosion (Overpressure) 2.34E-05

2. Flash-I Isolated flash fire (Thermal dose) 1.12E-04

3. Fire-I Isolated fire (Thermal radiation) 1.99E-04 1.05E-05

4. Fire-U Un-isolated fire (Thermal radiation) 3.56E-05

5. Toxic-I Isolated Toxic dispersion (dose) 4.74E-03 5.04E-04

6.Toxic-U Un-isolated Toxic dispersion (dose) 2.29E-04 2.29E-04





Page 51/115

Figure 20 - An Example – Scenarios associated with a Critical Central Event

8.8 Risk Reduction Workshop Once the draft report is validated by Company, the next step is to identify potential mitigation measures for scenarios with Level 1 and Level 2 risk using a risk reduction workshop.

The details of the risk reduction workshop are presented in Section 12.3.

8.9 Updating of Detailed Risk Analysis Detailed risk analysis of shall be updated to evaluate risk benefit associated potential risk reduction measures. This involves updating selected number of scenarios which are potentially impacted by the risk reduction measures. Once the updated risk analysis report is validated, it shall form input to assist ALARP demonstration (refer to Section 12).

8.10 Reporting Risk analysis Contractor shall ensure that all Company comments are resolved prior to issuing the final report.

The final report shall include the following sections:



- List of major scenarios with risk classification

• Methodology





Page 52/115

• Risk Reduction Workshop and Potential Risk Reduction Measures

• Results and Discussions

- Summary tables with rankings (severity and frequency) without and with potential risk reduction measures

- Plotting of scenario risk results on risk matrix (safety, environment and asset) – without and with potential risk reduction measures

- Graphical output of SEI, LC1%, fatality harm levels associated representative scenarios

- Bow-tie representation of all major scenarios

• Attachments


- Failure frequency data and parts count

- Frequency analysis results including event trees

- Consequence analysis results

- Impact analysis results

- Minutes of risk reduction workshop.

9. Quantitative Risk Analysis (QRA)

9.1 Objectives QRA is used as a supplementary method to estimate the aggregate risk to individuals and groups (both within the facility perimeter and external). The steps involved in performing a QRA of oil and gas facility is briefly described in this section.

For offshore facilities, traditionally, a suite of independent risk analysis studies are performed as part of the QRA. These studies include but not limited to the following:

• Fire and explosion risk analysis (FERA)

• Dropped object risk analysis

• Subsea release risk analysis

• Overpressure protection risk analysis

• Close proximity operation risk analysis

• Vessel collision risk analysis

• Temporary refuge safety function impairment analysis

• Emergency escape and evacuation risk analysis (EERA)

• Emergency system survivability analysis

• Oil spill response analysis

• Structural integrity analysis





Page 53/115

During Project phase many of the above analyses provide direct input to engineering design development (for example in design accidental load calculations). These are dedicated safety studies which are not detailed in this specification.

An overview of the quantitative risk analysis flow scheme is presented in Figure 21.

Figure 21 - Flow scheme of a QRA

List of all Hazardous

events



PHAST, CFD,Additional

Safety Studies

Process release

eg: CHARAD

Frequency of all Event tree outcomesand physical effects

Aggregation of risk to human.Potential Loss of Lives (PLL), F-N Curves

LSIR Contours, IRPA Tables

Isolatable Sections


QRAFinal Report

QRAFinal Report

Draft QRAReport

Draft QRAReport

Facility DataWind,

manning

Non-process Events. Specific

Fault tree analysis

Event treesBranch prob.

Assess escalation potential of

event outcomes

Estimate escalated events

frequency

No

Yes

Sensitivity Studies




measures


measures

Update QRA

& Validation

BLEVE, Escape & Evacuation,

Structural stability

HAZID Report, Worksheets

HAZID Report, Worksheets





Page 54/115

9.2 Preparation The quantitative risk analysis requires modeling of all scenarios to estimate the aggregate risk. Thus requires extensive modeling to determine potential loss of lives associated with all hazardous events.

The following main tasks shall be performed as part of the QRA of a facility:

1. Review of hazardous events from HAZID worksheets

2. Perform frequency analysis

3. Perform consequence analysis

4. Review of escalation potential

5. Perform impact analysis

6. Perform sensitivity studies

7. Present results of aggregate risk results (LSIR contours, PLL, IRPA and FN curves). Estimation of individual risk associated with occupational risk.

8. Report the analysis results including calculations and assumptions.

9. Issue internally validated to Company for comments.

10. Incorporate Company comments and reissue for the risk reduction workshop

11. Identify potential mitigation measures for addressing IRPA levels in Level 1 and Level 2 regions during the risk reduction workshop (Section 12.3).

12. Update of QRA to estimate the risk benefits associated with potential risk reductions measures

13. Issue internally validated reports to Company for comments.

14. Incorporate Company comments and reissue as final report

The above steps are illustrated in Figure 21 and the main elements of are briefly discussed in the subsequent sections.

9.3 List of Hazardous Events The review of hazard identification reports shall be based on facility data (plot plans, P&IDs, PFDs, layout drawings, etc.), population data, manning distribution and environmental conditions to establish a list of hazardous events which is similar to a critical events register in a scenario based risk analysis.

The hazardous events list shall be divided into process events and non-process events based on isolatable sections of a facility. For generic process release, release frequencies shall be based on historical data (CHARAD). At least four releases shall be considered for the QRA calculations. These release sizes shall be as per Table 8.





Page 55/115

Table 8 - Holes sizes for process generic releases for QRA

Similar to a scenario based risk analysis, all expert assumptions made by Contractor shall be systematically documented with justifications using “Assumptions Register” (refer to Appendix 9). Company approval shall be obtained for all assumptions prior to issuing QRA draft report.

In order to estimate the exposure of people to given hazard intensity level, operating philosophy, manning level and population distribution in and around the facility shall be required.

9.4 Frequency Analysis

This step is identical to the efforts involved in a scenario based risk assessment (refer to Section 8.3) except that all scenarios shall be treated for determining aggregate risk level.

9.5 Consequence Analysis

This step is identical to the efforts involved in a scenario based risk assessment (refer to Section 8.4) except that all scenarios shall be treated for determining aggregate risk level.

9.6 Impact Analysis Unlike scenario based risk analysis, hazard intensity level of SEI (refer to Appendix 7) shall not be utilized for QRA calculations. Probit equations shall be utilized to determine the potential lethality levels of people exposed to various hazard intensity levels. Recommended Probit equations are given in Appendix 7.

Impact analysis is to establish the potential loss of life (PLL) associated with each event tree outcome and then aggregated for all event trees outcomes associated with all scenarios. Company approval shall be sought for vulnerability models applied for potential loss of lives fatality (PLL) calculations.

The combination of event tree outcomes to a unique hazard outcome as explained in Section 8.7 is not needed for QRA analysis.

Probabilistic factors such as release orientation, directionality, wind speed and directionality, manning and population distribution, etc. shall be considered for estimating fatality frequency at a given point. These data are required for producing Location Specific Individual Risk contours (LSIR) and F-N curves.

Release diameter ranges for frequency estimation (mm)

Equivalent release diameter for consequence analysis (mm)

"1-5" 5"5-20" 20"20-65" 6565-FB Diameter of pipe or the largest flanged connection





Page 56/115

9.7 Escalation Potential Similar to scenario based risk analysis, escalation refers to increase in severity of a hazard outcome due to spreading (due to failure of escalation control and mitigation barriers). For offshore facilities due to compact installation geometry, escalation of events shall be critically examined to establish the potential escalated severities associated with a event tree outcome. The modeling of escalation potential shall focus on fires characteristics and explosions events on vulnerable structures or equipment.

The escalation outcomes are, for example, events lead to secondary loss of containment (such as BLEVE), missiles, capsizing, catastrophic structural failure and impairment of escape and evacuation.

Potential loss of lives associated escalated events shall be included in the overall risk calculations. The contribution of aggregated risk in terms of escalated risk shall be presented for reviewing safeguards against escalated events during risk reduction workshop.

9.8 Sensitivity Studies Sensitivity analysis plays an important role in the QRA to help understanding uncertainties associated with the aggregate risk estimates. Sensitivity studies shall be formed based on Company approval of sensitivity cases (refer to Section 10).

9.9 Risk Presentation In a QRA, aggregate risks to people are evaluated by integrating the contribution from all hazardous events. There are commercial tools and software available for performing this risk integration task for onshore or some offshore facilities. Contractor shall seek prior approval from Company regarding the use of specific software for risk aggregation of facilities.

The following QRA results shall be presented for offshore and onshore facilities:

• LSIR contours on layout maps (A3 size or above with contours at regular interval starting from 1E-01 per year up to 1E-08 per year.). LSIR at a point is risk for a hypothetical individual who is positioned there for 24 hours per day, 365 days per year. The LSIR contours with regular intervals from 1E-01 to 1E-08 shall be produced for all onshore facilities and for offshore hubs. The LSIR contours on a layout map is a powerful input to visualize and review upper limits of individual risk at given location generated by multiple hazards during the risk reduction workshop. In addition, LSIR contours per hazard category on layout map shall be produced for fire, toxic, explosion hazards.

• Summary of potential loss of lives per hazardous events (process fires, process explosion, process toxic, riser incidents, pipeline incidents, dropped object, helicopter, subsea release, structural failure, mooring failure, transportation, etc. ).

• IRPA and PLL tables for various worker groups with break according to various worker group. Occupational risk shall be separately estimated for determining the most exposed worker group’s IRPA levels.

• FN Curves (separately presented for fires, explosion, toxic, and for combined hazards). There are no acceptability criteria within Company for evaluating risk levels presented on F-N curve format. However, F-N curves should be utilized for assessing societal risk to community as well as for comparing risk. However F/N curves may be utilized or evaluating the risk benefits associated with risk reduction measures and for reviewing risks associated with simultaneous operations.





Page 57/115

Depending of the scope of the QRA, additional aggregate risk presentation shall be produced for the following:

• Safety function impairment frequencies (temporary refuge (TR) or muster station)

• Curve indicating cumulative frequency of accidents (F) involving a given asset damage cost (C) or more

• Curve indicating cumulative frequency of accidents (F) involving a given spill size (S) or more

• Annual oil spill rates which shows the cumulated frequencies of various spill rates

• Risktransect curves for pipeline QRA.

9.10 Risk Reduction Workshop Once the draft QRA report is validated by Company, the next step is to identify potential mitigation measures for reducing IRPA associated with Level 1 and Level 2 region using a risk reduction workshop. The details of the risk reduction workshop are presented in Section 12.3.

The hazardous events and their contribution on PLL, LSIR and F-N curves are systematically reviewed in a risk reduction workshop to support ALARP demonstration.

9.11 Updating of QRA QRA shall be updated to evaluate risk benefit associated potential risk reduction measures. This involves updating selected number of hazardous events which are potentially impacted by the risk reduction measures. Once the updated QRA report is validated, it shall form input to assist ALARP demonstration (refer to Section 12).

9.12 Reporting Risk analysis Contractor shall ensure that all Company comments are resolved prior to issuing the final report.

The final QRA report shall include the following sections:



• Methodology

• Risk Reduction Workshop and Potential Risk Reduction Measures

• Results and Discussions

- LSIR contours on layout drawings where appropriate (A3 size drawings separately for fire, explosion, toxic, and combined)

- Tables of PLL with various events including occupational and transportation risk

- Tables of IRPA with various events as above

- F-N curves (fire, explosion, toxic, and combined)

- Additional aggregate risk results based on scope of work





Page 58/115

• Attachments


- Frequency data and parts count sheets

- Frequency analysis results including event trees

- Consequence analysis results

- Escalation analysis

- Sensitivity analysis

- Impact analysis results

- Minutes of risk reduction workshop.

10. Sensitivity analysis

10.1 Objectives The objective of a sensitivity analysis is to highlight whether suitable assumptions have been made to assess the robustness of a risk analysis. The sensitivity analysis shall be included as part of the detailed risk analysis of scenarios and QRA reports.

The sensitivity analysis shall consist of varying one or more of the parameters and assumptions of the risk analysis to see how the variations affect the overall results. For this, sensitivity cases shall be defined in agreement with Company at early stages of risk analysis work.

10.2 Defining Sensitivity Cases The risk analysis involves varying elements of uncertainty due to input data, assumptions, estimation of frequency, consequence analysis and vulnerability modeling. Therefore, appreciation of these uncertainties shall be included within the risk analysis to interpret the results.

The parameters shall be considered for defining sensitivity cases of major risk assessment studies:

• Use generic failure rates to components outside the generic data envelope

• Potential of equipment or component growth due to design development

• Ignition frequency data

• Representation of source term (initial flow rate with respect to average 20 s or 90 s initial flow rate)

• Probit equations for toxicity

• Population density and distribution

• Estimation of frequency of non-process events.





Page 59/115

10.3 Presentation of Sensitivity Analysis The results and interpretation of sensitivity cases shall be included as a section in a detailed risk analysis of scenario report or a QRA report. A detailed discussion shall be presented to summarize the impact of uncertainties in the overall risk results.

11. Risk evaluation

11.1 Objectives The objective of risk evaluation is to assist in decision making process based on the results of a risk analysis. The decisions here are dealing with an action plan with priorities to demonstrate risk to ALARP principle.

11.2 Evaluation Principles Risk evaluation involves comparing the level of risk (scenario or aggregate) with Company risk acceptance criteria. Management decisions should take account of the wider risk levels and include considerations of tolerance of the risk imposed by laws and regulatory requirements.

Company technological risk acceptance criteria are based on the following principles:

Risk Level Risk treatment

Level-1 Level of risk shall be reduced obligatorily to Level-2 or Level-3 by implementing risk reduction measures.

Level-2 Level of residual risk deem tolerable if ALARP where demonstration is needed to document that any further reduction in risk would involve disproportionate risk reduction measures.

Level-3 Level of risk broadly acceptable where further reductions should be achieved by continuous improvement of HSE management system rather than specific measures.

If the risk level falls on Level-2 region, ALARP demonstration shall be performed to document risk tolerability. In some cases, this may lead to a decision to undertake further risk analysis or to update risk analysis. This is described in Section 12.





Page 60/115

11.3 Scenario Risk Evaluation Three levels of risk for scenario based risk assessment are represented on the risk matrix in Figure 22.

Figure 22 - Scenario Risk Acceptance Criteria

The main advantage of the scenario based risk evaluation is that each scenario is examined with respect to Company risk acceptance criteria on damages to human, environment and asset.

The following drawbacks of scenario based risk evaluation shall be considered in the developing action:

• Aggregate risks are not assessed. For example, release from one storage tank may be acceptable but there are no criteria for reviewing the impact of 100 tanks located within a site.

• The risks are evaluated on the basis of coarse severity categories (refer to Appendix 6). “Disastrous” is defined as more than 5 fatalities onsite, or major pollution, or asset damage in excess of 100 million Euros (2004 figures). These thresholds do not allow differentiating impact of severe consequences for example, 10 to 100 potential fatalities or asset damage in excess of 1 billion Euros.

• There are no lower limits specified for damage frequency associated with “disastrous” severity level. This would mean that ALARP demonstration has an enormous scope to demonstrate if damage level is “disastrous” and damage frequencies from 1E-04 to 1E-06, 1E-10, 1E-20, and beyond. For practical reasons, this specification recommends the use of 1E-08 per year as damage frequency limit for defining interface between Level-2 and Level-3 risk levels associated with disastrous severity.

The above limitations of scenario based risk analysis shall be carefully considered in ALARP demonstration.


Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Likely

Unlikely

Very Unlikely

Extremely Unlikely

Remote

10-2 /yr

10-3 /yr

10-4 /yr

10-5 /yr


Level 3Acceptable


if ALARP if ALARP

Risk Personnel

Risk Environment


Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Likely

Unlikely

Very Unlikely

Extremely Unlikely

Remote

10-2 /yr

10-3 /yr

10-4 /yr

10-5 /yr


Level 3Acceptable


if ALARP if ALARP


Likely

Unlikely

Very Unlikely

Extremely Unlikely

Remote

10-2 /yr

10-3 /yr

10-4 /yr

10-5 /yr


Level 3Acceptable


if ALARP if ALARP


Level 3Acceptable


if ALARP if ALARP

Risk Personnel

Risk Environment

Risk Asset





Page 61/115

11.4 Quantitative Risk Evaluation Aggregate risk levels are evaluated based on Company individual risk acceptance criteria as indicated in Figure 23.

Figure 23 - IRPA Risk Acceptance Criteria

The evaluation of aggregate risk shall be based in individual risk per annum. Three levels of risk as per Company risk acceptance criteria are summarized below:

Risk Level Risk Treatment

People on site External

Level-1 Individual risk per annum (IRPA) associated with the most exposed worker group above 1E-03 per year. Mandatory risk reduction.

Individual risk per annum associated with people outside plant restricted area above 1E-04 per year. Mandatory risk reduction.

Level-2 Most exposed worker group IRPA between 1E-03 and 1E-06 per year. Level of residual risk deem tolerable if ALARP.

IRPA to outside population between 1E-04 and 1E-06 per year. Level of residual risk deem tolerable if ALARP.

Level-3 Individual risk per annum (IRPA) associated with the most exposed worker group below 1E-06 per year. Risk broadly acceptable.

Individual risk per annum associated with people outside plant restricted area below 1E-06 per year. Risk broadly acceptable.

If people are permanently present outside facility fence, LSIR contour of 1E-06 per year shall be evaluated as the target for determining perimeter of the facility.

11.4.1 Transportation Risk The quantification of transportation risk shall be based on industry accident statistics. The transportation risks are associated with surface transport, water transport or air transport. The

10-6

10-5

10-4

10-3

Incr

easi

ng In

divi

dual

Ris

k P

er A

nnum

Personnel Public

LIMIT

LIMIT

-6

-5

-4

-3

Tolerableif

ALARP Tolerableif

ALARP

BROADLY ACCEPTABLE LEVEL





Page 62/115

data is available in the public domain to distinguish between type of transport, geographic region and duration of transit. These statistics shall be utilized to estimate a contribution of transportation risk to the most exposed groups.

11.4.2 Occupational Risk Similar to the transportation risk, occupational accidents both onshore and offshore are available based on Report N°434-12. The estimation of occupational risk shall be based on such industry accident statistics. The data is available in the public domain to distinguish between type of operation, and geographic region. These statistics shall be utilized to get a contribution of occupational risk to the most exposed groups.

11.4.3 Most Exposed Worker Group’s Individual Risk The most exposed worker group individual shall be calculated separately after estimating contribution from transportation and occupational risks.

Individual risk level per worker group shall then be aggregated for estimating the overall individual risk for evaluation. This is illustrated using an example in Table 9 and Figure 24.

Table 9 - An example of IRPA Summary Event Gas

Technician Operator Instrument

Tech Medic Rig Clerk

Process release (Small)

3.93E-08

3.93E-08

6.23E-07

3.55E-09

7.44E-09

(Intermediate) 4.98E-07 4.98E-07 9.77E-06 4.12E-08 6.12E-08

(Medium) 9.21E-05 9.21E-05 1.89E-04 1.11E-07 7.88E-07

(Large or full bore) 1.72E-06 1.72E-06 3.44E-06 1.32E-08 3.02E-07

Riser release (all) 3.33E-05 3.33E-05 3.34E-05 1.11E-06 1.11E-06

Dropped object 1.78E-08 1.78E-08 5.69E-07

Collisions (all) 2.88E-05 2.88E-05 2.88E-05 2.88E-05 2.88E-05

Structural failure 7.44E-06 7.44E-06 7.44E-06 7.44E-06 7.44E-06

Helicopter transportation

8.44E-05

8.44E-05

8.44E-05

8.44E-05

8.44E-05

Aggregate IRPA 2.48E-04 2.48E-04 3.57E-04 1.22E-04 1.23E-04

Most exposed group 3.57E-04





Page 63/115

Figure 24 - An example – Summary of the most exposed worker group’s IRPA

contribution

12. ALARP demonstration The term ALARP (“As Low As Reasonably Practicable”) is originally derived from the United Kingdom ISBN: 0105437743NT, which requires “every employer to ensure, so far as is reasonably practicable, the health, safety and welfare of all his employees”. This is interpreted as requiring employers to adopt safety measures unless the cost is grossly disproportionate to the risk reduction.

“ALARP involves weighing a risk against the trouble, time and cost needed to control it”.

A common misuse of risk analysis is to utilize for the demonstration that a deviation from Company design specifications or practices is 'acceptable' or safe. Sometimes risk analysis in a contractual situation can be misused to fit a preconceived decision due to complexities of calculations where underlying assumptions are not often reported or adequately evaluated.

Therefore, under no circumstances risk assessment shall be utilized to support “reverse ALARP” arguments and justify removing best industry practices in design and operation.

12.1 Objectives The objective is to manage risks that are neither in Level 1 (High) nor in Level 3 (Generally acceptable)

The higher the risk level in the Level 2 region, the more effort is expected to reduce it in an ALARP demonstration.

There are various approaches being utilized for demonstrating disproportionate principle which underpins ALARP. Two commonly used approaches are the following:

• Use of Cost Benefit Analysis (CBA)

• Use of Risk Aversion Factors toward multiple fatalities.

Riser 9%

Process - Large1%

Process - medium53%

Process -small0%

Process - intermediate

3%Helicopter24%

Structural 2%

Collision8%

Dropped object0%





Page 64/115

This section provides guidelines for performing ALARP demonstration. Risks associated with asset are not treated for ALARP demonstration with the same rigor compared to human and environmental impacts.

The overall flow chart involved in ALARP demonstration process is shown in Figure 25.

Figure 25 - Flow chart of ALARP demonstration process

Risks inLEVEL-2Region?

Risk Reduction Workshop(Reviews risk analysis results

and identify possible mitigation measures)

Detailed Risk Analysis of scenarios

&QRA

MAJOR RISK REGISTER


Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Likely

Unlikely

Very Unlikely

Extremely Unlikely

Remote

10-2 /yr

10-3 /yr

10-4 /yr

10-5 /yr


Level 3Acceptable


if ALARP if ALARP

Risk Personnel

Risk Environment


Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Likely

Unlikely

Very Unlikely

Extremely Unlikely

Remote

10-2 /yr

10-3 /yr

10-4 /yr

10-5 /yr


Level 3Acceptable


if ALARP if ALARP


Likely

Unlikely

Very Unlikely

Extremely Unlikely

Remote

10-2 /yr

10-3 /yr

10-4 /yr

10-5 /yr


Level 3Acceptable


if ALARP if ALARP


Level 3Acceptable


if ALARP if ALARP

Risk Personnel

Risk Environment

Risk Asset

Identification of Safety Critical Measures

Scenario based risk analysis results

QRA results(if applicable)

FIRST PRIORITYIdentify risk mitigation

measures for mandatory risk reduction

Risks inLEVEL-1Region?

Yes

NoALARP REGIONIdentify potential risk

mitigation measures for ALARP Demonstration

Update of risk analysis to model theeffect risk mitigation

measures

Cost Benefit Considerations

ALARP Demonstration

achieved?

Yes

Draft Action PlanFor management approval

No

Yes

No





Page 65/115

12.2 Targets for ALARP Demonstration

12.2.1 Scenario based Risk Analysis Approach The targets for ALARP demonstration using scenario based risk analysis approach shall be in accordance with Table 10.

Table 10 - Target Damage Frequencies of Scenario Risk Treatment Damage Severity Category

Upper Limit Damage Frequency (/yr)

Damage Frequency (/yr) ALARP Region

Target Damage Frequency (/yr)

High Low

Moderate None None 1E-02 1E-02

Serious None 1E-01 1E-03 1E-03

Major > 1E-02 1E-02 1E-04 1E-04

Catastrophic > 1E-03 1E-03 1E-05 1E-05

Disastrous > 1E-04 1E-04 < 1E-05 1E-06

Risk Treatment First Priority. Risk reduction mandatory from Level 1 to 2 or

3.

Develop potential mitigation measures and demonstrate

ALARP

No further action required if

frequency is below target.

12.2.2 QRA based Approach The targets for ALARP demonstration using QRA approach shall be in accordance with Table 11.

Table 11 - Target IRPA Levels for Risk Treatment Individuals or Public

IRPA Upper Limit (/yr)

IRPA (/yr) ALARP Region

IRPA Target (/yr) High Low

Personnel > 1E-03 1E-03 1E-06 1E-04

Public > 1E-04 1E-04 1E-06 1E-06

Risk Treatment First Priority. Mandatory risk reduction from

Level 1 to 2 or 3.

Develop potential mitigation measures and demonstrate

ALARP

No further action required if IRPA is below target.





Page 66/115

12.3 Risk Reduction Workshop Risk Reduction workshop is an important stage of risk assessment and shall be scheduled by Company with the participation of risk analysis Contractor / specialists once the risk analysis results are validated (refer to Figure 26).

Figure 26 - Risk Reduction Workshop within Step 4 of Risk Assessment Process

12.3.1 Risk Reduction Workshop Facilitation The Risk Reduction Workshop (RRW) shall review the following aspects:

• Review the validated risk analysis results and associated uncertainties

• Review the prevention and mitigation measures associated with major scenarios (scenarios on Level 1 or Level 2 of the risk matrix)

• Review the validated QRA results and associated uncertainties

• Identify potential risk reduction measures for consideration

• Identify Safety Critical Measures associated with major scenarios based on their effect in the risk management of major scenarios.

The team who attended initial hazard identification and PRA validation workshop should also participate in the Risk Reduction Workshops. An experienced risk assessment professional with operational knowledge shall act as RRW facilitator. The team shall be composed of design, operations, maintenance, and safety specialists with a broad experience in identification of potential risk reduction measures and ALARP demonstration.

Role of the RRW facilitator shall include the following tasks:

• Present risk analysis results and highlight the uncertainties on results through sensitivity cases for the following analyses:

- QRA (where applicable)

- Detailed Risk analysis of scenarios



Safety –Individual Risk















Evaluation


Risk Reduction WorkshopALARP DemonstrationCost Benefit Analysis




Step 1

Step 2

Step 3

Step 4

Step 5


















Evaluation






Step 1

Step 2

Step 3

Step 4

Step 5






Page 67/115

• Review major scenarios with the help of bow-tie diagrams and highlight the barriers included in the risk analysis

• Review major risk contributors to scenarios with catastrophic or disastrous consequences to people and environment. Focus on the areas where risk reduction would be most effective

• Review potential risk reduction measures to decide whether the measure is practicable, or not or whether further update of risk analysis may be required

• Compile a list of major scenarios and corresponding potential risk reduction measures through “brain storming” session

• Review key contributors of QRA results and help to identify risk reduction measures of lower IRPA levels

• Respect the workshop schedule and prepare an RRW Report.

12.3.2 Identification of Risk Reduction Measures The major element of an ALARP demonstration exercise shall be to identify all potential risk reduction measures that may be considered appropriate based on a team exercise. When considering risk reduction measures, it is recommended to consider a set of safety goals for each major scenario based on its bow-tie representation. The risk reduction measures to be considered based on the following safety goals are:

• Measures to eliminate the hazards

• Measures to prevent realization of the hazards

• Measures to prevent escalation of an scenario

• Measures to minimize

- exposure of personnel to hazards

- impact to environment

- impact to asset

• Measure to improve mustering and evacuation in the event.





Page 68/115

The recommended format for reporting risk reduction workshop minutes is presented in Table 12.

Table 12 - Recommended Worksheets for reporting identification of potential risk reduction measure

12.3.3 Risk Reduction Workshop Report The RRW facilitator shall be responsible for issuing a draft report to team for comments within one week. The contents of the draft report shall be the following sections:


• Signed attendance list

• List of reference documents reviewed

• Team comments on detailed risk analysis and QRA reports

• List of major scenarios and associated potential risk reduction measures

• List of potential risk reduction measures identified based on QRA results

• Risk Reduction Workshop worksheets.

Team comments on the RRW report shall be incorporated before issuing as final revision.

12.4 Qualitative Evaluation of Risk Reduction Measures The first step after risk reduction workshop reporting is to qualitatively evaluate each potential risk reduction measures to their effect on personnel safety, environment and asset. This evaluation shall be based on the following considerations:

1. Implementation of a measure to meet regulatory or legal requirements

Major Scenarios or Treat

Safety Goal Existing Safeguards Uncertainty in the risk results

Risk reduction proposal Practicable Team Comments

Recommendations

Eliminate

Prevent

Escalation

Minimise

Evacuation





Page 69/115

2. Implementation of a measure to meet compliance with codes, standards, Company Specifications or accepted industry practice.

3. Qualitative risk reduction potential associated with a measure (high, medium or low).

The risk measures falling under item (1) above shall be included in the action plan without ALARP demonstration.

The risk measures for new development falling under item (2) above should be considered for implementation without detailed ALARP demonstration if the level of baseline risk is located at upper Level-2 region.

12.5 Quantitative Evaluation of Risk Reduction Measures Potential risk reduction measures can be improvements to the design or operation of the installation that might be made in order to enhance its safety. Risk analysis is therefore a tool to help identify such measures and evaluate their benefits with respect to any potential risk reduction.

12.5.1 Use of QRA to Model Risk Reduction Measures The benefits of risk reduction measures shall be evaluated similar to sensitivity cases. The purpose is to estimate the reduction in risk associated with risk to people. The potential risk reduction impact shall be presented in terms of reduction in PLL, LSIR, F-N curves etc. and some specific cases the approach can be extended to estimating risk reduction associated with environment and asset.

Once the impact of risk reduction measures are quantified the following two approaches shall be considered for ALARP demonstration:

1. For simple measures, percentage reduction in risk results (for example reduction in PLL) with respect overall risk is to be estimated. The presentation of reduction in risk shall be judged as either proportionate or disproportionate based on expert judgment.

2. For complex measures, more detailed risk analysis along with cost benefit analysis is performed to demonstrate ALARP. Cost benefit analysis is briefly described in Section 12.6.

12.5.2 Use of Scenario Based Risk Analysis to Model Risk Reduction Measures The risk reduction associated with a proposed risk reduction measures shall be evaluated by updating the scenario risk assessment. This is challenging since each scenario is assessed with respect to the Company risk acceptability matrix.

For performing cost benefit analysis associated with a risk reduction measure, all scenarios shall be identified in which the selected risk reduction measure play a role in reducing risk.

The next step is to quantify sum of all differential PLL associated with each scenario associated with the potential risk reduction measure. Once the sum of differential PLL is estimated, the ALARP demonstration method shall be identical to a QRA approach (refer to Section 12.5.1).

12.6 Cost Benefit Analysis Use of cost benefit analysis in an ALARP demonstration should be recommended when aggregate risk falls within the upper Level 2 region. In this region the cost of implementing each measure should to be evaluated to demonstrate that all proportional risk reducing measures





Page 70/115

have been considered. This involves valuing risk reduction for comparison with cost of implementation

12.6.1 Objectives Cost benefit analysis is to provide a framework for ALARP demonstration associated with complex risk reduction measures. The cost benefit analysis is a numerical method used to compare expected benefits arising from a particular action with the associated costs.

12.6.2 Cost of Risk Reduction Measure The total annual cost of a risk reduction measures shall include:

• Costs of capital investment (e.g. design, procurement and installation of new hardware or software) written-off over an assumed working lifetime of the measure at an appropriate discount rate

• Operating expenditure (maintenance, inspection, training, additional personnel)

• Lost profits (before tax) if the implementation of a mitigation measure involves disruption of production activity.

12.6.3 Aggregate Risk to People The following steps shall be considered in cost benefit analysis using aggregate risk (IRPA) approach:

1. For each risk reduction measure, estimate cost associated with its implementation (refer to Section 12.6.2).

2. For each risk reduction measure, calculate the difference in aggregate risk in terms of reduction in PLL. (This involves updating QRA as a sensitivity case including the risk reduction measure).

3. For each risk reduction measure, estimate the impact of benefits over the life of the installation.

4. Define value of Implied Cost of Averting statistical Fatalities (ICAF). The figure shall not be less than that provided by ISBN: 0717621510.





Page 71/115

5. Apply gross disproportion factors based on the base case IRPA level. Recommended factors are between 1 and 100. This is based on the level in IRPA associated with base case, as illustrated in Figure 27.

Figure 27 - Illustration of Gross Disproportion Factor with IRPA levels

6. Compare the cost and benefits to demonstrate ALARP using the following relationship:

7. ICAF = Net present cost of measure / reduction in fatalities over lifetime of measure

8. The ICAF is expressed in Euros spend per fatality averted by considering the gross proportional factor. Compare ICAF values of life including gross proportionality factors. If the ICAF is lower then the proposed measure is reasonably practicable.

12.6.4 Scenario Risk to People Use of cost benefit analysis in ALARP demonstration when scenario risk falls within upper Level 2 region shall include assessment of each scenario with respect to the risk acceptance matrix.

The first step is to evaluate the impact of reduction on a scenario or a group of scenarios. Due to coarse definition of severity and frequency categories, often revised risk level with potential risk reduction measure may not show any noticeable reduction in risk level on the risk acceptance matrix (refer to Figure 28). Therefore, the more rigorous approach shall be utilized in some cases to determine differential PLL contribution associated with a risk reduction measure.

The following steps shall be considered for the cost benefit analysis using scenario based risk analysis:

1. For each risk reduction measure, estimate cost associated with its implementation (refer to Section 12.6.2).

2. For each risk reduction measure, calculate the sum of reduction in PLL associated with all involved scenarios. This involves updating detailed analysis of all scenarios where a risk reduction measure plays a role.

3. For each measure, estimate the impact of benefits over lifetime of the installation.

4. Apply gross disproportion factors based on the base case scenario damage frequency level. Recommended factors are similar to aggregate risk (between 1 and 100 – refer to Figure 27).

5. Compare the cost and benefits to demonstrate ALARP using the following relationship:

Personnel Public

1E-06

1E-04

1E-05

1E-03

Gross Disproportion Factor

100

10

IRPA Levels

1





Page 72/115

6. ICAF = Net present cost of measure / reduction in fatalities over lifetime of measure

7. The ICAF is expressed in Euros spend per fatality averted by considering the gross proportional factor. Compare the ICAF to values of life including gross disproportion factors. If the ICAF is lower, the measure is reasonably practicable.

Figure 28 - Effect of Risk reduction measures on Scenario risk

12.6.5 Scenario Risk to Environment Reduction in risk associated with a risk reduction measure to the environment shall involve estimation of differences in adverse impact on the following:

• Size of spill per scenario

• Frequency of oil spill.

Cost estimates for oil spill response are available in various geographic region based on size of spill, location and environmental sensitivity. The cost estimation shall be accounted for the following aspects:

• Spill response and clean up cost

• Cost of lost oil

• Compensation to local communities and industries etc. for loss of income due to adverse environmental impact

• Potential fines and penalties.

ALARP demonstration shall be based on cost associated with a risk reduction measure against cost of restoration associated with potential adverse environment impact.


Remote

ExtremelyUnlikely

VeryUnlikely

Unlikely

Likely

1E-05/yr

1E-04/yr

1E-03/yr

1E-02/yr





Page 73/115

12.6.6 Scenario Risk to Asset Similar to environmental risk, ALARP demonstration shall be performed for scenario risks related to asset. The following shall be considered for the ALARP demonstration:

• Severity of asset damage per scenario

• Frequency of asset damage

• Escalation potential per scenario

• Severity of escalated damage per scenario.

The quantification of difference in risk to assets per scenario per each risk reduction measure should be based on the following aspects:

• Costs related to damage to equipment and structures

• Additional cost in replacement of equipment of structures.

ALARP demonstration shall be based on cost associated with a risk reduction measure against cost of restoration associated with potential damage of asset.

12.7 Reporting and ALARP Decision Tables Reporting of ALARP demonstration shall include the following elements:

• Management summary

• Risk reduction workshop report including the list of potential risk reduction measures

• Risk reduction associated with proposed risk reduction measures

• ALARP decision tables. This is a summary of each risk reduction measure with the associated cost and benefits in a spreadsheet format

• List of recommended risk reduction measures

• Assumptions and calculations.

The ALARP decision tables include a register of all potential risk reduction measures with the following columns:

1. Practicality of implementation

2. Risk reduction measures needed to comply with legal or regulatory requirement

3. Risk reduction measure needed to comply with requirements of relevant codes, standards to Company Specifications

4. Cost associated with a risk reduction measure

5. Risk type (aggregate risk to human or scenario risk to human, or environment or asset)

6. Risk associated with benefit (reduction in PLL, environmental risk, or asset risk)

7. For QRA and scenario based risk to people, ICAF estimate with Gross proportion factor.

8. For scenario, ICAF estimate, benefit of environmental impact, benefit associated with asset risk.

9. Recommendation to implement a measure.





Page 74/115

13. Major risk register

13.1 Objectives Major risk register of a facility is an abstract of risk analysis results together with risk treatment plan. This abstract aims at effective major risk communication to management and day to day operational personnel. Therefore the document shall be as brief as possible in an effective communication formation which shall include the following elements:

• Summary of risk analysis results

• Implementation status of proposed risk reduction measures

• List of safety critical measures and responsible entities for the management of their performance requirements

• Risk analysis revision plan.

All site supervisory personnel and site managers shall be fully familiar with the Major Risk Register. Training on major risk register shall be an essential component of all supervisory personnel and site manager’s HSE orientation programme.

13.2 Safety Critical Measures

13.2.1 Definition Barriers or safeguards implemented in design and maintained during the life of the facility to prevent potential catastrophic or disastrous events are commonly considered in this specification as Safety Critical Measures.

Safety Critical Measures (SCMs) can be mechanical, instrumental or procedural. Safety Critical Measures can also be active or passive systems. These are defined as follows:

• Active systems need energy sources external or internal to the SCM to perform their function. Without these energy sources, the active system will not function. Examples of external energy sources include electric power, pneumatic power, hydraulic power, human energy, system pressure etc.

• Passive systems do not rely on external or internal energy sources to perform their function and are generally more reliable than active systems (Examples are layout spacing to support inherent safety principles, firewalls, etc.)

The Safety Critical Measures shall help to reduce the risk associated with a major scenario from Level 1 to Level 2 or Level 3 regions.

13.2.2 Identification of SCM The validated risk analysis results shall provide direct insight to scenarios with potential catastrophic or disastrous damage outcome. Bow-tie representations shall be utilised for studying the role of barriers implemented in the design and operation to manage major scenarios. These barriers shall be identified using a technical team effort for developing their “performance requirements” for design (functional) and operation.





Page 75/115

General principles for the selection of SCMs shall the following:

• Safety Critical Measures are systems or procedures which are fully independent of process control systems or normal operating procedures

• Safety Critical Measures can be preventive, mitigating or protection barriers with a Probability of Failure on Demand (PFD) less than or equal to 0.1 (SIL1 or above). They can be part of the following “layers of protection”:

- Critical alarms or tasks or procedures with operator supervision and manual intervention

- Automatic action from Safety Instrumented Systems (SIS)

- Physical protection systems (relief to flare, blow down systems, etc.)

- Consequence effect mitigation measures (water curtain, passive fire protection, site layout spacing, containment systems, ignition source management, etc.).

13.2.3 Performance Requirements The following aspects shall be considered for defining the performance requirements of s safety critical measure during design phase:

• Selectivity (critical alarms or tasks or procedures with operator supervision and manual intervention, SIS, physical protection systems, consequence effect mitigation measures)

• Independency

• Reliability

• Relevancy

• Efficiency

• Response Time

• Testability

• Maintainability

• Availability

• Fault Tolerance

• Survivability.

13.2.4 Life Cycle Management The following life cycles shall be considered relevant for the management of Safety Critical Measures:

• Design phase (basic and detailed engineering)

• Construction and commissioning

• Drilling and completion

• Operation phase including maintenance, inspection and testing phase

• Major modification phase.





Page 76/115

The performance requirement shall address each of these phases and responsibility for maintaining SCMs during each life cycle phase shall be clearly identified.

The overall procedure for identification and management of Safety Critical Measure are shown in Figure 29.

Figure 29 - Overall Flow scheme of Identification of Safety Critical Measures

Review of major scenarios

Develop Performance Requirements

for SCMs

Input to Operation, Maintenance

& Testing

Identify Safety Critical Measures

(SCMs)


Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Likely

Unlikely

Very Unlikely

Extremely Unlikely

Remote

10-2 /yr

10-3 /yr

10-4 /yr

10-5 /yr


Level 3Acceptable


if ALARP if ALARP

Risk Personnel

Risk Environment


Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Niveau 3Acceptable


if ALARP if ALARP


Likely

Unlikely

Very Unlikely

Extremely Unlikely

Remote

10-2 /yr

10-3 /yr

10-4 /yr

10-5 /yr


Level 3Acceptable


if ALARP if ALARP


Likely

Unlikely

Very Unlikely

Extremely Unlikely

Remote

10-2 /yr

10-3 /yr

10-4 /yr

10-5 /yr


Level 3Acceptable


if ALARP if ALARP


Level 3Acceptable


if ALARP if ALARP

Risk Personnel

Risk Environment

Risk Asset

Update Performance

Dossier

SCM Performance

Dossier

SCM Performance

Dossier

Scenario based risk analysis results

Implement Life Cycle Management System

for SCM

Audits and Corrective actions

Audits and Corrective actions





Page 77/115

13.3 Reporting The Major Risk Register shall include the following where applicable:

• Management summary

• Summary of scenario based risk analysis

- List of major scenario with potential damage severity and frequency (separate list for human, environment and asset impacts). The table to include critical central event, causes, potential consequences, existing safeguards (prevention, mitigation and protection barriers)

- List of scenarios where additional controls are required to reduce the risk levels to ALARP with status of implementation of additional controls

- Use of bow-tie representation of scenarios is recommended for risk management demonstration and communication of major scenarios and associated safeguards

• Summary of QRA (if applicable)

- LSIR contour on layout map.

- IRPA tables associated with most exposed worker group

- PLL tables including FN curves

- Table indicating distribution of PLL with respect to major accident events

- List of additional controls required to reduce the IRPA levels to ALARP with status of implementation of additional controls

• Summary of Safety Critical Measures management

- List of safety critical measures and responsible entities for the management of SCM performance requirements during life cycle

• Risk analyses revision plan (revision every 5 years unless it is required by changes in operating or design conditions).

14. Audit and peer reviews

14.1 Objectives The purpose of Audit and Peer reviews is to provide assurance to Company and the Competent Entity in charge of risk assessment of the project or the installations that risk assessment processes are robust.

Risk analysis is an emerging science and an art which involves sound methods for modeling and estimating risk. As these methods are continually being improved there are many areas of uncertainty where independent expert review shall become necessary to determine the robustness.

Company risk assessment specialists shall perform independent audit on technical contents of risk assessment work based on the documents as indicated in Table 13. Company risk assessment specialist shall initiate technical audits at the request of the Competent Entity of the risk assessment process or the Owner of the project or the installations.





Page 78/115

14.2 Reporting Requirements The risk assessment process reporting requirements shall be as per the documentation list summarized in Table 13. Detailed contents of each report are given in the respective section of this specification.

Collectively, these documents form a technological risk assessment dossier. Validated technological risk assessment dossier shall provide assurance to Company that risk analysis activities are traceable, repeatable and auditable by independent internal or external resources.

The risk analysis Contractor and the entity responsible for performing the risk analysis shall ensure that all documentations and technical explanations shall be provided to the audit team.

Table 13 - Technological Risk Assessment Dossier # Reports/ Deliverables Minimum number of revisions

Issue for Company

Comments

Issue with Company comments

incorporated

1 Scope of Work

2 Hazard Identification Report

3 Preliminary Risk Assessment Report (Note-1)

4 Risk Management Sheets Application Report

(Note-2)

5 Detailed Risk Analysis Report of Major Scenarios

(Note-2)

6 Quantitative Risk Analysis Report (Note-2)

7 Risk Reduction Workshop Report (Note-3)

8 Updated Risk Management Sheets Application Report (with potential risk reduction impact)

(Note-4)

9 Updated Detailed Risk Analysis Report of Major Scenarios (with potential risk reduction impact)

(Note-4)

10 Updated Quantitative Risk Analysis Report (with potential risk reduction impact)

(Note-4)

11 ALARP Demonstration Report (Note-5)





Page 79/115

# Reports/ Deliverables Minimum number of revisions

Issue for Company

Comments

Issue with Company comments

incorporated

12 Major Risk Register

Note 1: Issue for Preliminary Risk Assessment Validation Workshop.

Note 2: Issue for Risk Reduction Workshop.

Note 4: Input to ALARP Demonstration.

Note 5: Issue for Management Approval of Action Plan.

14.3 Audits The high levels of variability in risk analysis results are well known in the industry. Source of this variability originates from input data, experience is related to application, and use of poor standards in performing risk assessment study. The purpose of the audit is to examine the details of risk assessment study to determine compliance with this specification, adequacy and robustness of the process.

Company specialist who perform technical audit shall give careful consideration to the sensitivity of the risk analysis results and shall give specific attention to the following:

• Conformance with Company referential


• Input data and assumptions

• Modeling tools and results

• Simplified “reality checks”

• Presentation of results

• Mitigation measures

• ALARP demonstration

• Reporting.

Company risk assessment specialist shall provide a written audit report towards the end of each technical audit with clear findings.

14.4 Peer Reviews Purpose of the Peer reviews is to judge the appropriateness of analysis methods, assumptions, and choices of input data in particular failure data using “a team of independent experts” in risk assessment. Peer reviews shall last several days while technical audit shall last several weeks depending on the complexity of the installation.





Page 80/115

The Competent Entity of the risk assessment process or the Owner of the project or the installations shall determine the need for Peer reviews. Peer reviews shall be part of the risk assessment of novel and complex developments which are outside Company operational experience.

Company risk assessment specialist shall participate in Peer reviews along with independent external specialists. An approved “Terms of Reference” shall be prepared before performing any peer reviews on risk assessment.

The Peer review team shall provide a written report of findings at the end of the review.

14.5 Terms of References of Reviews A written Terms of Reference (ToR) shall be prepared for audit or Peer review and shall seek approval prior to performing any review. The ToR shall address the following elements:

1. Objectives of the Audit/ review

2. Governance (review sponsor, facilitator, point of contact)

3. Peer review team

4. List of pre-reading documents

5. Planning (review location, duration, access to documentation and availability of Contractor specialists for interview)

6. Proposed agenda

7. Debriefing of review findings

8. Reporting

9. Follow-up of review recommendations

The scheduling of Peer reviews is critical to allow maximum benefit to the development. The audits and reviews shall be scheduled prior to any risk reduction workshop.

14.6 Close out Audit and Peer Review Recommendations The Competent entity in charge of risk assessment shall be in-charge of closing out all audit and peer review recommendations.

Documentation trail shall be provided to the Audit team as evidence for close out of recommendations.




Appendix 1


Page 81/115

Appendix 1 TRA Generic Scope of Work

1. Phase 1 PRA - Generic Scope of Work This phase is carried out using internal or external resources (Contractors pre-qualified by Company). Content of the Phase 1 scope of work shall include the following elements:

(1) Objectives

(a) Describe reasons for performing Phase 1 risk assessment.

(b) Specify phase of development cycle (pre-project, basic engineering, detailed design, operation, or decommissioning)

(c) Specify requirements for independent audit and reviews.

(d) Specify schedule requirements (start, finish, and milestones).

(2) Description of the Facility

(a) Include a brief description of the facilities (location and operational characteristics including rough manning and rough but conservative estimation of population distribution surrounding facility).

(3) Scope and Battery Limits

(a) Define scope (Phase 1 includes hazard identification and preliminary risk assessment, include validation workshop)

(b) Define system (hazardous substances handled or processed, operating modes, overall operating and maintenance philosophy)

(c) Specify Battery Limits - Including physical boundaries, surrounding environment, and environmental conditions.

(d) List all available study documents.

(4) Methodology

(a) Specify HAZID method. Specify requirement to breakdown facilities into Isolatable Sections and calculate hydrocarbon and toxic inventory liquid and gas of every isolatable section.

(b) Specify PRA method and failure database (e.g.: CHARAD).

(c) Specify deviations from this specification to comply applicable local regulatory requirements.

(5) Register of Assumptions

(a) Specify requirements for maintaining a register of all assumptions and document assumption in a prescribed format. One of the most paramount assumptions being manning pattern and population distribution.

(b) Specify requirement to seek Company approval of all assumptions prior to committing into any quantified calculations..

(6) Preliminary Risk Assessment Validation Workshop

(a) Specify requirements to present all assumptions, methodology and results in a PRA validation workshop.




Appendix 1


Page 82/115

(7) Reporting

(a) Specify reporting requirements including number of revisions.

(b) Specify requirements to provide all input files, intermediate calculations, results, reports in native file format.

2. Phase 2 DRA - Generic Scope of Work This phase is normally carried out using Contractors who are pre-qualified by Company. Contractor selection shall be made as per Company procedures with a specific scope work as indicated below. Content of the Phase 2 scope of work shall include the following elements:

(1) Objectives

(a) Describe the purpose of Phase 2 risk assessment.

(b) Specify phase of development (pre-project, basic engineering, detailed design, operation, or decommissioning)

(c) Specify requirements on independent audit and reviews.

(d) Specify schedule requirements (start, finish, and milestones).

(2) Description of Facility

(a) Include a brief description of facilities (location and operational characteristics) including rough manning and rough estimation of population distribution surrounding facility).

(3) Scope and Battery Limits

(a) Define the scope (Phase 2 may include risk management sheet application, detailed risk analysis of selected scenarios and QRA)

(b) Define the system (hazardous substances handled or processed, operating modes, overall operating and maintenance philosophy)

(c) Specify Battery Limits – Including physical boundaries, surrounding environment, and environmental conditions.

(d) List available study documents.

(4) Methodology

(a) Exclusion if any to sections of this specification. Specify and failure database (e.g.: CHARAD)

(b) Specify deviations from this specification to comply local regulatory requirements.

(5) Register of Assumptions

(a) Specify requirements for maintaining a register of all assumptions and documentation of assumptions in a prescribed format. One of the most paramount assumptions being manning pattern and population distribution.

(b) Specify requirements to seek Company approval of all assumptions prior to committing into any quantified calculations.

(6) Sensitivity Studies

(a) Specify requirements on sensitivity cases either for QRA or Scenario based Risk




Appendix 1


Page 83/115

Assessment to be evaluated to review uncertainties involved in risk analysis results.

(b) Specify requirements on prior approval of Company on sensitivity cases. Sensitivity cases may be defined by Contractor after the first presentation of risk analysis results. Company shall give approval for the selection of sensitivity cases.

(7) Risk Reduction Workshop

(a) Specify requirements to have a base case risk analysis reports available validated by Company

(b) Specify requirements to present risk analysis methodology and results in a RRW.

(c) Specify requirements to provide a RRW facilitator with industry experience to lead a team, to gather team input on potential risk reduction measures and to prepare RRW report.

(8) Updating of Risk Analysis

(a) Specify requirements to evaluate the impact of potential Risk Reduction measures upon Risk level, identified in Risk Reduction Workshop.

(b) Specify requirements to issue interim revision of risk analysis reports including the impact of potential risk reduction measures.

(c) Presentation of risk analysis results of major scenarios: for example the extent of SEI, LC1%, LC50% and LC95% consequence levels on layout maps.

(c) Presentation of QRA results: for example LSIR contours on layout maps, IRPA levels, PLL, F-N Curves (for information),

(9) Final Reporting

(a) Specify reporting requirements including number of revisions.

(b) Specify requirements to provide all input files, intermediate calculations, results, reports in native file format.

(10) Project Organization i. Specify Company’ project follow up Organization ii. Specify requirement’s for Contractor project Organization

(11) Contractor Roles and Responsibilities i. Specify Contractor roles and responsibilities with regards to data gathering, quality

of deliverables, fulfillment of budget and delivery time




Appendix 1


Page 84/115

3. Phase 3 – Alarp demonstration using Cost Benefit Analysis and Major Risk Register setting up Generic Scope of Work This phase is carried out using internal resources with the input from Phase 2 risk analysis results related to impact of potential risk reduction measures. Use of external resources Contractors who are pre-qualified by Company is however possible in order to perform Cost Benefits Analysis calculations and help to prepare Major Risk Register. Content of the Phase 3 scope of work shall include the following elements:

(1) Objectives

(a) Describe the purpose of Phase 3.

(b) Specify schedule requirements (start, finish, and key milestones).

(2) Summary of Potential Risk Reduction Measures

(a) Include a brief description of potential risk reduction measures and corresponding impact on level of risk (scenario and QRA)

(3) Cost Benefit Analysis

(a) Define cost and schedule impact of implementing potential mitigation measures

(b) Define dis-proportionality principle for ALARP demonstration.

(c) Prepare comparison tables showing risk reduction against cost benefit.

(d) Selection of meaningful risk reduction measures based on ALARP principles.

(4) Major Risk Register

(a) Prepare a summary report including major risk register

(b) Identify safety critical measures based on risk analysis results.

(5) Action Plan

(a) Prepare draft action plan including recommended mitigation measures with schedule for implementation.

(b) Seek management approval on draft action plan.

(6) Implementation of Action Plan

(a) Specify monitoring requirements on implementation of approved actions.

(b) Specify Key Performance Indicators (KPI) related to implementation of action plan.

(c) Perform internal or external audit and publish periodic status of implementation with KPI.




Appendix 2


Page 85/115

Appendix 2 Hazard Identification (HAZID)

1. HAZID Checklist HAZID checklist presented in this appendix consists of the following three sections which are further subdivided into hazard categories:

1. External Hazards

2. Facility Hazards

HAZID checklists shall be reviewed and updated periodically to incorporate new industry experience including the feedback from accident or incident investigations.

An example checklist for the hazard identification of upstream oil and gas facility is presented overleaf:

Section 1 External Hazards

Hazard Category Guideword Prompts

Impact of Natural and Environmental Hazards on the plant

Climatic Extremes Temperature Swell / waves Wind Dust, Sandstorms Flooding Typhoons / hurricane Snow/Ice Drought Fog Bush fires

Lighting In wet season In dry season

Seismic events

Earthquakes Tsunami

Soil Erosion Ground slide Coastal erosion River bank erosion Scouring

Subsidence Ground structure Foundations Reservoir depletion Previous quarry

Continuous / Frequent Plant Discharges to Air

Flares Vents Fugitive emissions Toxic products (from effluent) Toxic products (from combustion) Vulnerable flora and fauna

Continuous / Frequent Plant Discharges to Water

Target/ legislative requirements Drainage facilities Oil/water separation Warm / cold water (effect on corals/ fish species / aquatic flora / fauna)

Continuous Plant Discharges to Soil

Contamination of water table Nature of ground (caustic, etc.) Wash down and solubility of soil




Appendix 2


Page 86/115


Emergency/upset Discharges

Flares Vents Drainage

Waste Disposal Options Pollution Ignition source

Impact of the Plant on the Human Environment

Nature of the economical geographical environment (agriculture, commercial forestation, fishponds...)

Plant location Plant Layout Pipeline routing Storage, offsites, offloading, location Accommodations locations

Proximity to Adjacent Industrial Installation

Fires Explosions Dispersion of toxic material Dispersion of flammable material Noise, Vibrations

Proximity to Transport Corridors

Shipping lanes Fishing grounds Air routes Roads, Railways Pipelines Overhead power lines

Proximity to Centres of Population

Villages / towns Beaches / Leisure resorts Places difficult to evacuate (prisons, centres for disabled, retired persons, stadiums, religious gathering sites…)

Adjacent Land Use

Crop burning Airfields Accommodation camps Construction yard

Vibrations

Archaeological site / old constructions nearby

Human Environmental Issues

Previous cultural / social use (archaeological remains, cemeteries, engravings.) Visual impact (scenery, resort, tourism)

Effects on the plant of Manmade Hazards / constraints

Security Hazards

Internal and external security threats, (from land, from sea, from air)

Social / political unrest

Riots Civil Disturbances, Strikes Military action (law enforcement outside wars) Political unrest

Contaminated Ground

Previous use or events (industrial past, former military zone with unexploded ammunitions ….)

Protected Ground

Previous use or event (archaeology, historical site)

Effects from Infrastructures Supporting the Facility

Normal Communication Links with the Facility

Road links Air links Water links Personnel transport to / from site

Supply Support to Facility

Chemicals / Consumables / spares means of supply Fuel supply to site (road tankers / pipeline)




Appendix 2


Page 87/115


Mutual Aid / (Common) Emergency Services

Tugs Fire fighting boats in harbors Ambulances Fire Brigade

Emergency Services access

Mobile bridges Location of nearest hospital Location of nearest airstrip (Medical evacuation)

Section 2: Facility Hazards (preferably for each isolatable section)


Process hazards

Release of Flammable/ Toxic Inventory

Erosion Corrosion Weld failure Bellows failure Equipment failure Flare carryover / golden rain Flare non-ignition /flame out Damage to flare lines Damage to flare system while burning continuously Material design temperature Containment of leak

Blow-out

Drilling operations Work over operations Wire line operations Simultaneous drilling and production Gas migration from reservoir Old/abandoned well nearby

Rupture due to Overpressure

HP/LP interface Process blockage Thermal expansion Sizing case (blocked outlet, fire…) BLEVEs

Rupture due to Over/ under Temperature

Blow down Flare Flame out Hot surfaces Metal embrittlement due to low temperature Back return of reservoir flame front

Excess/ zero Level

Overfilling of (storage) tanks

Maintenance Philosophy

On-line /Isolation maintenance

Start-up/ Shutdown

Utility System Hazards

Firewater System

Adequate water supply available for fire fighting Damage to fire water mains

Fuel Gas / Oil

Loss of supply Loss of Containment




Appendix 2


Page 88/115


Heating/ Cooling Medium Loss of supply Power Supply Loss of supply Steam Loss of supply Drains/Dikes

Segregation of Hazardous and Non-hazardous drains systems Spread of flammable material through drains Spill containment - ground slope Closed drains system Sizing of bunds/dikes

Inert Gas

Loss of supply Inadequate supply

Air Loss of plant air Loss of instrument air

Potable Water Loss of supply Other Hazards within the Facilities

Stored Combustibles / Flammables

Improper storage Inadequate Ventilation Common / Separate inventory

Local Flooding Rupture of large storage tanks Crane Operations

Dropped/swinging loads Heavy lifts above process equipment

Structural Failure Fatigue Excess weight Displaced ballast

Stability/ buoyancy Ballast control Rotating machinery

Failure of rotating machinery resulting in missiles

Pressure Vessels

Failure of pressure vessels resulting in missiles

Partitions / Walls

Failure after explosion resulting in missiles

On-site traffic

Vehicular damage to plant Overhead pipelines crossing roads Vehicular damage to firewater system Vehicular damage to Passive Fire Protection

2. Hazard Identification Scheme Hazard identification session flow scheme is illustrated in Figure 30. The hazard identification techniques shall be structured processes to identifying fault conditions that lead to hazards, and reduce the chance of missing hazardous events. HAZID session shall be led by an experienced leader (or Chairperson) having the required skills and knowledge to lead a multi-disciplinary team of specialists.

The findings of the HAZID session shall be systematically recorded using a worksheet with initiating events, causes, consequences, existing safeguards and team recommendations.




Appendix 2


Page 89/115

Figure 30 - Hazard Identification flow scheme

3. Development Phases The ISO 17776 is the recommended guideline for performing HAZID for development phases indicated in Figure 2.

The HAZID techniques shall be adapted to suit a given development phase and type of facility. The recommended approaches for hazard identification are summarized in Table 14.

Table 14 - HAZID approaches to various development phases Development phase HAZID Preparation HAZID Techniques

1. Exploration

Seismic exploration Review of tasks, logistics, and hazardous materials. “What if” approach.

Exploration drilling Review of drilling programme, logistics, barriers and well control and testing plans.

“What if” approach and/or procedural HAZOPs.

2. Concept Selection Review of process description, anticipated layout and location, hazardous material inventory and past accident data on similar facilities.

Structured brain storming using a checklist.

3. Pre-project Review of layout and process flow diagram, environmental data, operating philosophy, and hazardous material inventory.


4. Project

Basic and detailed engineering

Review of layout and process flow diagram, P&ID, list of isolatable sections, operating philosophy and environmental data.


Construction Review of construction plan, procedures, environmental impact, emergency plans and logistics.


Facility DataPast

incidents &

Feedback

From site specific hazards to

scenarios for Preliminary risk

assessment

Isolatable sections and hazardous

material inventory,Manning & Ops philosophies etc.

Recommendation on hazard mitigation

measures to Owner

Recommendation on hazard mitigation

measures to Owner

Hazard IdentificationSession

Hazard IdentificationSession




Appendix 2


Page 90/115

Development phase HAZID Preparation HAZID Techniques

Installation Review of installation plan, procedures, mobilisation and demobilisation plan, environmental impact, emergency plans, and logistics.

“What if” approach and/or procedural HAZOPs and/or Failure Mode and Effect Analysis (PMEA).

Commissioning Review of commissioning plan, procedures, hazardous material inventory, isolatable sections, commissioning procedures, environmental impact, emergency plans, and logistics.


5. Development drilling Review of drilling programme, well control procedures, logistics, barriers and well completion and testing plans.

“What if” approach and/or procedural HAZOPs and/or FMEA.

6. Operations (existing facilities)

Review of layout and process flow diagram, P&ID, list of isolatable sections, operating philosophy environmental data, and emergency plan.

Complete a Company questionnaire, e.g. FOMTHI addressing major hazard levels including, isolatable sections, inventories, manning levels, population around; neighbouring facility, environment, asset, production loss and reputation.

Structured brain storming using a checklist and/or Procedural HAZOP for reviewing combined operations.

7. Major Modification Major modification is to commence from concept selection and pre-project phases.

See approaches for concept selection phase onwards.

8. Decommissioning Review of decommissioning plan, procedures, environmental impact, hazardous material inventory, mobilisation and demobilisation, emergency plans and logistics.

“What if” approach and/or procedural HAZOPs and/or FMEA.

4. HAZID Leader and Team

4.1 HAZID Leader The HAZID leader’s responsibility is to liaise with project/operation representatives regarding the selection of team members, determine the adequacy of documentation, apples brain storming techniques using a checklist or what-if method. The HAZID leader shall chair the study and prepare HAZID worksheets and a brief report including a copy of documentation reviewed during the study. A technical secretary should be used to assist HAZID leader to documenting and reporting the HAZID findings.

The HAZID leader shall also assist the Project/Operations to review and resolve response to recommendations by consulting relevant team members.

4.2 HAZID Team The HAZID team is a key to the success of any hazard identification session. Depending on the phase of development, disciplines shall be adequately represented in the HAZID sessions. Team members shall be selected based on their knowledge of the technical and operational aspects of installations similar to the installation to be studied or of existing installation in case of modifications.




Appendix 2


Page 91/115

The team shall include all of the following core disciplines:

• Process

• Operations

• Safety

Additional disciplines shall be called for the discussion on an “as need basis”.

5. Reporting HAZID report shall include results of the session including the following:


• Introduction

• Team members and attendance list

• HAZID Methodology

• List of documents reviewed

• HAZID Worksheets

• HAZID Actions sheets

• Conclusions

• Mark-up drawings, calculations and assumptions to be included as attachments.

The HAZID Worksheet format shall be as per Appendix 4.

6. Follow-up of HAZID Recommendations Team make recommendations when existing safeguards are judged inadequate to manage the hazards or propose additional safeguards for review.

These recommendations shall be endorsed by the entity in charge of the development phase to develop early risk reduction measures. The entity in charge of the development phase shall also be responsible for managing the follow-up of recommendation and providing documentary evidence for the close out.




Appendix 3


Page 92/115

Appendix 3 Isolatable Sections and Hazardous Inventory

Isolatable sections and hazardous inventory tables shall be prepared as part of HAZID preparation. The attached format shall be utilized for reporting isolatable sections and associated hazardous material inventory.

The tables shall form part of the preliminary risk assessment and QRA reports.




Appendix 3


Page 93/115

Node (Isolatable Section)

Equipment items

(include tag numbers)

Process Material

Potential hazards (flammability,

reactivity, toxicity, special care)

Maximum operating Pressure

(barg)

Operating Temperature

(°C)

Vessel & Piping

Volume (m3)

Inventory (tonnes) Isolation

by (u/s and d/s)

Time to isolate

(minutes)Liquid Gas

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15




Appendix 4


Page 94/115

Appendix 4 HAZID Worksheet

The HAZID Leader shall be responsible for preparing the HAZID report which shall include the HAZID Worksheets and Recommendation Sheets.

Format of the HAZID worksheet shall be in accordance with table presented overleaf.




Appendix 4


Page 95/115

PriorityCause Incident outcomesPreventive measuresN° System/Node Unit/Location Guide Word Mitigation measures Actions/Controls to be Incorporated




Appendix 5


Page 96/115

Appendix 5 Critical Events Register

The critical events register document the transformation of HAZID worksheets into a list of scenarios with hazard outcomes.

The spreadsheet type formulation of critical events register shall be utilised for risk ranking of damages (safety, environment and asset) associated with each hazard outcome. Format for critical event register shall be as per the attached table.




Appendix 5


Page 97/115

Functional Blocks

Operating or environment parameter

Central Critical Events Causes Preventive

measures Hazard

outcomes Mitigation measures Duration of the Hazard outcome

Ref. #

Damage Severity & Damage Frequency

Comments Human severity

Human freq. R Environ-

severity Environ-

freq. R Asset severity

Asset freq. R




Appendix 6


Page 98/115

Appendix 6 Severity and Frequency Categories

This section includes the definition of damage frequency and damage severity categories which shall be used for the scenario risk assessment.

1. Damage Frequency Categories The damage frequency categories shall be selected as per the definition given in Table 15. The categories are identical for impact to human, environment and asset. Table 15 shall be utilized for both preliminary risk assessment and detailed risk analysis.

Table 15 - Damage Frequency Categories Frequency Category

Definition for Qualitative Assessment Frequency Range (occurrence/ yr)

Likely Could occur several times during over plant lifetime. Above 10-2

Unlikely Could occur once for every 10 to 20 similar plants over 20 to 30 years of plant lifetime.

10-2 - 10-3

Very unlikely One time per year for at least 1000 units. One time for every 100 to 200 similar plants in the world over 20 to 30 years of plant lifetime. Has already occurred in the Company but corrective action has been taken.

10-3 - 10-4

Extremely unlikely

Has already occurred in the industry but corrective action has been taken.

10-4 - 10-5

Remote Event physically possible but has never or seldom occurred over a period of 20 to 30 years for a large amount of sites (above few thousands, e.g.: wagons, process vessels...)

Below 10-5

1.1 Damage Severity Categories The damage severity categories associated with a scenario shall be estimated based on the following impacts:

• Physical Injury to personnel (onsite and external)

• Environmental damage in terms of oil pollution

• Material damage in terms of asset replacement cost.

1.1.1 Damage Severity Categories – Physical Injury The damage severity associated with physical injury to people both onsite and external shall be determined based on the following hazard intensity levels:

• Number of people exposed within the irreversible effect zone of a hazard intensity level. This is denoted as “SEI” zone.

• Number of people exposed within 1% lethality zone of a hazard intensity level. This is denoted as “LC1%” zone.




Appendix 6


Page 99/115

• Number of people exposed within fatal exposure zone of a hazard intensity level. This is denoted as “Fatality” zone.

Table 16 shall be utilized for determining the damage severity categories. As illustrated in Table 16, multiple criteria (onsite, external, combined onsite and external) shall be considered to establish the worst damage severity category associated with hazard outcome.

Table 16 - Damage Severity category for Physical Injury Levels

Severity Level Parameter Number of people exposed Additional Criteria (Number of people Onsite + External) Onsite External

Moderate SEI - -

Serious SEI 1 to 99 1 to 9

Major (note1)

SEI 100 to 499 10 to 99 Below 500

LC1% 1 to 99 1 to 9

Fatality 1 -

Catastrophic (note1)

SEI 500 to 999 100 to 999 Below 1000

LC1% 100 to 499 10 to 99 Below 500

Fatality 2 to 5 1

Disastrous (note1)

SEI Above 999 Above 999 Above 1000

LC1% Above 499 Above 99 Above 500

Fatality Above 5 Above 2 -

Note1 Worst case combination should be considered for establishing the damage severity level for Major, Catastrophic and Disastrous.

1.1.2 Damage Severity Categories – Environmental Impact The damage severity associated with pollution shall be based on impact of oil or condensate spill onshore or offshore. Sensitivity of the environment and spill clean up effectiveness (ability to respond and ability to remediate) shall be considered for defining the damage severity levels.

The hazard intensity is expressed in terms of pollution in Table 17 which is associated with spill volume on open sea, onshore or “coastal area” with adequate provision for spill cleanup and site restoration. The spill intensity thresholds shall be carefully examined and revised to determine site specific severity levels if potential exists for impacting drinking water, irrigation water or sensitive ecosystems. The intensity expressed in oil /condensate spill volume is to be utilized as guidance since this is not based on TOTAL Group criteria.




Appendix 6


Page 100/115

Table 17 - Spill intensities levels for environmental damage category

Coastal Area or Fragile eco system area: The area from the coastline extending up to 22 Km (12 nautical miles) offshore. Or Fragile system area: areas where there are sensitive ecological receptors for example but not limitative freshwater source, ponds, rivers, threatened species, state protected areas…

On shore: On shore locations without specific ecological receptors

Off shore: Further than 22 km (12 nautical miles) of coastal shores.

SEVERITY LEVEL POLLUTION EVENT INTENSITY EXPRESSED AS SPILL VOLUME

MODERATE

Spill or release of pollutant requiring a notification to authorities, but without environmental consequences.

No consequences, or non reportable pollutant spill/Discharge. No remedial action required.

Coastal or Fragile Area: <0.1 bbls

On Shore: < 1 bbl

Off Shore: < 10 bbl

SERIOUS

Moderate spill within site limits

Spill within the boundaries of the site or its immediate surroundings. Reported pollutant discharge.Offshore hydrocarbons spill : response system available on site.

0.1 <= Coastal or FragileArea: <10 bbls

1 <=On Shore: < 100 bbl

10 <=Off Shore: < 1000 bbl

MAJOR

Significant pollution with external to the site. Evacuation of persons.

Pollution in the vicinity of the site. Offshore hydrocarbon spill : response systems available on site.

10 <= Coastal or Fragile Area: <200 bbls

100 <=On Shore: < 2000 bbl

1000 <=Off Shore: < 20000 bbl

CATASTROPHIC

Important pollution with reversible environmental consequences external to the site.

Pollution extending beyond the immediate vicinity of the site. Offshore hydrocarbon spill: international assistance.

200 <= Coastal or Fragile Area: <2000 bbls

2000 <=On Shore: < 20000 bbl

20000 <=Off Shore: < 200000 bbl

DISASTROUS

Major and sustained pollution external to the site and/ or extensive loss of aquatic life.

Pollution with serious environmental consequences extending beyond the site and its immediate vicinity. Offshore hydrocarbons spill :international assistance.

Coastal Area or Fragile area: >= 2000 bbls

On Shore: > = 20 000 bbl

Off Shore: >= 200 000 bbl




Appendix 6


Page 101/115

1.1.3 Damage Severity Categories – Asset Damage The asset damage severity levels shall be evaluated as per asset replacement costs as described in Table 18. Lost or deferred production element shall not be included in the asset damage severity level determination.

Table 18 - Asset damage severity categories

Severity Category Asset damage intensity

Moderate Below 200,000 €

Serious 200,000 – 2,000,000 €

Major 2,000,000 – 10,000,000 €

Catastrophic 10,000,000 – 100,000,000 €

Disastrous Above 100,000,000 €




Appendix 7


Page 102/115

Appendix 7 Hazard Intensity Thresholds

The hazard intensity thresholds for the assessment of damage to personnel shall be based on the following sections. Additional information shall be based on GS EP SAF 253.

1. Thresholds for Injury

1.1 Fire Table 19 shall be applied as the basis for determining human vulnerability against hazard intensities associated with fire.

Table 19 - Fire intensity thresholds Parameter Duration of fire Threshold Reference

SEI More than 2 minutes 3 kW/m2 Ministère de l’Ecologie et du Développement Durable, version Octobre 2004

Less than 2 minutes (600 kW/m2)4/3.s

LC1% More than 2 minutes 5 kW/m2 Ministère de l’Ecologie et du Développement Durable, version Octobre 2004

Less than 2 minutes (1000 kW/m2)4/3.s

Fatality Using Probit Equations published in ISBN: 0-7506-7555-1

1.2 Explosion Table 20 shall be applied as the basis for determining human vulnerability against hazard intensities associated with explosion overpressure.

Table 20 - Explosion overpressure intensity thresholds Parameter Threshold Reference SEI 5 kPa Ministère de l’Ecologie et du Développement Durable,

version Octobre 2004 LC1% 14 kPa Ministère de l’Ecologie et du Développement Durable,

version Octobre 2004 FATLITY Using Probit Equations SPC/Tech/OSD/30 Report 1

1.3 Toxicity The assessment of vulnerability due to toxic exposure hazards shall take into account for the following:

• Reaction times of personnel

• Protection measures

• Harm levels as a function of time (dose)

• Total exposure time (accumulated dose)




Appendix 7


Page 103/115

1.3.1 Hydrogen Sulphide (H2S) Table 21 shall be applied as the basis for determining human vulnerability against toxic hazard intensities associated with Hydrogen Sulphide.

Table 21 - H2S Thresholds (INERIS, 2000) Parameter/ Time

1-min 10-min 20-min 30-min 60-min

SEI (ppm) 320 150 115 100 80

LC1% (ppm) 1521 688 542 472 372

Fatality Using TNO Probit Equations (1992) , CPR 16E

1.3.2 Sulphur dioxide (SO2) Table 22 shall be applied as the basis for determining human vulnerability against toxic hazard intensities associated with Sulphur dioxide.

Table 22 - SO2 Thresholds (INERIS, 2005) Parameter/ Time


SEI (ppm) 230 128 108 96 81

LC1% (ppm) 2071 1148 961 866 725

Fatality Using TNO Probit Equations (1992), CPR 16E

1.3.3 Carbon Monoxide (CO) Table 23 shall be applied as the basis for determining human vulnerability against toxic hazard intensities associated with Carbon Monoxide.

Table 23 - Carbon Monoxide Thresholds Parameter/ Time


SEI (ppm) 1,200

LC1% (ppm)

Fatality Using TNO Probit Equations (1992), CPR 16E




Appendix 7


Page 104/115

1.3.4 Carbon Dioxide (CO2) Table 24 shall be applied as the basis for determining human vulnerability against toxic hazard intensities associated with Carbon Dioxide.

Table 24 - Carbon Dioxide Thresholds Parameter/ Time


SEI (ppm) 40,000

LC1% (ppm)

Fatality Conservatively estimated using a concentration of 70,000 ppm in air.

1.3.5 Smoke The impact of smoke hazard to human shall be assessed on a case-by-case approach. Company approval shall be sought for modeling hazard intensity thresholds associated smoke hazard.

1.3.6 Elevated Temperature The impact of elevated temperature hazards to human shall be assessed on a case-by-case approach. Company approval shall be sought for modeling hazard intensity thresholds associated elevated temperature hazards.

1.4 Missiles The missile impact hazard intensities shall be studied on a case by case basis. Approval shall be sought from Company on defining hazard intensity thresholds associated with missiles.

1.5 Structural Stability The scenarios with event tree outcome impacting structural stability are difficult to assess in terms of “SEI” and “LC1%” thresholds. Specific safety analysis such as dropped object risk analysis, structural risk analysis, vessel collision risk analysis, fatigue damage risk analysis etc shall be performed on a case-by-case approach. These safety studies shall address failure mode mechanisms and their effects on potential structural impairment. These specific studies shall be considered as input to estimating the risk to personnel and asset damage associated with non-process events.

The structural impairment hazard intensities shall be studied on a case by case basis and approval shall be sought from Company for defining hazard intensity thresholds.

2. Hazard Intensity Thresholds for Environment The environmental hazard intensity levels based on oil pollution shall be considered for determining environmental damage as per Table 16.




Appendix 7


Page 105/115

3. Hazard Intensity Thresholds for Asset Damage The assessment of vulnerability to asset integrity due to fire, explosion, escalation, structural impairment hazards shall be evaluated on the following basis:

• Hazard intensity levels

• Duration of hazard level

• Escalation potential

Company approval shall be sought for the approach for modeling asset damage associated with various hazard intensity levels.




Appendix 8


Page 106/115

Appendix 8 Facilitating tools for Pra

Simplified PRA approach should use these above facilitating tools.

EXISTING FACILITATING TOOLS FOR PRA

Principal selection tabs Secondary

selection tabs

Selection of product and parameters

Tiny Small Medium Large Full bore1-3 3-10 10-50 50-150 >150

First HP Separator_L /item 3.4E-03 1.6E-03 9.4E-04 1.8E-04 2.5E-04 6.35E-03First HP Separator_G /item 1.8E-02 7.9E-03 4.3E-03 5.5E-04 5.4E-04 3.14E-02HP Separator_L /item 3.4E-03 1.6E-03 9.4E-04 2.0E-04 2.5E-04 6.39E-03HP Separator_G /item 1.1E-02 4.8E-03 2.6E-03 3.8E-04 3.9E-04 1.93E-02Preflash Drum_L /item 9.0E-03 4.0E-03 2.2E-03 2.9E-04 3.4E-04 1.58E-02Preflash Drum_G /item 1.8E-02 7.9E-03 4.2E-03 6.0E-04 5.3E-04 3.14E-02Feed Gas K.O Drum_G /item 1.4E-02 6.0E-03 3.2E-03 5.4E-04 4.5E-04 2.42E-02Feed Gas Filter Coalescer_G /item 2.1E-02 8.9E-03 4.8E-03 8.1E-04 2.8E-04 3.55E-02Amine Absorber_L /item 7.0E-03 3.1E-03 1.5E-03 2.8E-04 4.7E-04 1.23E-02Amine Absorber_G /item 1.2E-02 5.1E-03 2.7E-03 3.4E-04 4.0E-04 2.02E-02Amine HP Pumps_L /item 9.7E-03 4.1E-03 2.1E-03 3.2E-04 2.3E-04 1.64E-02Treated Gas K.O Drum_L /item 3.0E-03 1.4E-03 8.4E-04 1.8E-04 2.5E-04 5.67E-03Treated Gas K.O Drum_G /item 1.2E-02 5.3E-03 2.9E-03 3.4E-04 4.8E-04 2.12E-02Gas-Gas Exchanger_G /item 1.8E-02 7.7E-03 4.0E-03 4.2E-04 5.2E-04 3.03E-02Dryer Inlet KO Drum_L /item 5.2E-03 2.4E-03 1.5E-03 1.0E-04 2.5E-04 9.51E-03Dryer Inlet KO Drum_G /item 8.9E-03 3.9E-03 2.1E-03 3.1E-04 3.9E-04 1.57E-02TEG Contactor_L /item 3.7E-03 1.7E-03 1.1E-03 1.4E-04 2.5E-04 6.91E-03TEG Contactor_G /item 1.3E-02 5.8E-03 2.9E-03 5.0E-04 4.6E-04 2.29E-02Lean TEG Cooler_G /item 1.3E-02 5.8E-03 3.1E-03 4.7E-04 3.9E-04 2.31E-02Dehydration Feed Gas Filter_L /item 2.9E-03 1.3E-03 8.6E-04 9.9E-05 2.6E-04 5.46E-03Dehydration Feed Gas Filter_G /item 1.0E-02 4.4E-03 2.5E-03 3.5E-04 3.3E-04 1.76E-02Mercury Guard Reactor_G /item 1.1E-02 4.7E-03 2.7E-03 3.0E-04 3.9E-04 1.89E-02Treated Gas Filter_G /item 5.8E-03 2.6E-03 1.5E-03 2.0E-04 3.3E-04 1.04E-02Cold Oil Contactor_L /item 6.4E-03 2.8E-03 1.5E-03 2.0E-04 3.7E-04 1.14E-02Cold Oil Contactor_G /item 1.6E-02 6.8E-03 3.9E-03 3.7E-04 4.7E-04 2.71E-02Depropaniser Reboiler_L /item 5.5E-03 2.4E-03 1.3E-03 2.0E-04 3.9E-04 9.78E-03Depropaniser_L /item 3.6E-03 1.6E-03 9.7E-04 1.6E-04 3.1E-04 6.70E-03Depropaniser_G /item 1.3E-02 5.8E-03 3.0E-03 4.4E-04 5.3E-04 2.32E-02Recycle Compressor_G /item 3.5E-02 7.5E-03 3.0E-03 2.9E-04 5.6E-05 4.59E-02Debutaniser_L /item 1.7E-02 7.3E-03 4.2E-03 3.3E-04 4.6E-04 2.89E-02Debutaniser_G /item 3.2E-02 1.4E-02 7.6E-03 7.2E-04 7.0E-04 5.48E-02Export Gas Compressor Suction_L /item 2.2E-03 1.1E-03 7.0E-04 1.2E-04 2.4E-04 4.33E-03Export Gas Compressor Suction_G /item 1.0E-02 4.5E-03 2.4E-03 3.3E-04 4.1E-04 1.78E-02Export Gas Compressor_G /item 9.9E-03 3.8E-03 2.0E-03 2.3E-04 2.8E-04 1.62E-02Export Gas Compressor Aft Co_G /item 1.1E-02 4.7E-03 2.5E-03 2.2E-04 1.8E-04 1.85E-02Well /item 3.9E-02 1.7E-02 8.4E-03 7.4E-04 7.8E-04 6.61E-02Vessel Package /item 8.29E-03 3.74E-03 2.27E-03 1.52E-04 3.55E-04 1.48E-02Small Vessel Package /item 8.12E-03 3.67E-03 2.25E-03 5.06E-04 8.94E-06 1.46E-02Separator Package /item 1.32E-02 5.81E-03 3.32E-03 2.55E-04 4.16E-04 2.30E-02Column Package /item 1.74E-02 7.63E-03 4.17E-03 3.99E-04 5.03E-04 3.01E-02Heat Exchanger Shell Package /item 5.29E-03 2.43E-03 1.43E-03 1.58E-04 2.27E-04 9.53E-03Heat Exchanger Tube Package /item 5.17E-03 2.29E-03 1.29E-03 1.02E-04 1.15E-04 8.97E-03Fin Fan Package /item 5.17E-03 2.29E-03 1.29E-03 1.00E-04 1.09E-04 8.96E-03Plate Heat Exchanger Package /item 7.81E-03 3.58E-03 1.92E-03 2.62E-04 2.38E-04 1.38E-02Small Heat Exchanger Shell /item 5.11E-03 2.35E-03 1.40E-03 3.74E-04 8.94E-06 9.24E-03Small Heat Exchanger Tube /item 4.98E-03 2.22E-03 1.27E-03 2.11E-04 8.94E-06 8.69E-03Small Fin Fan Package /item 4.99E-03 2.22E-03 1.26E-03 2.03E-04 8.94E-06 8.68E-03Small Plate Heat Exchanger Pack /item 7.63E-03 3.51E-03 1.89E-03 4.94E-04 8.94E-06 1.35E-02Centrifugal Pump Package /item 5.56E-03 2.32E-03 1.26E-03 1.07E-04 1.28E-04 9.38E-03Reciprocating Pump Package /item 5.75E-03 2.84E-03 1.77E-03 3.11E-04 5.03E-04 1.12E-02Centrifugal Compressor Package /item 3.65E-02 1.55E-02 8.72E-03 4.75E-04 6.86E-04 6.18E-02Reciprocating Compressor Pack /item 5.78E-02 1.76E-02 9.51E-03 4.49E-04 1.91E-05 8.54E-02Pig Traps Package /item 8.58E-03 3.87E-03 1.95E-03 3.06E-04 2.81E-04 1.50E-02Manifold Package /item 1.35E-02 5.74E-03 3.15E-03 9.08E-04 1.25E-04 2.34E-02Steel process pipes 50 mm /m 7.5E-05 3.5E-05 2.5E-05 1.35E-04Steel process pipes 150 mm /m 2.8E-05 1.3E-05 5.7E-06 3.9E-06 5.02E-05Steel process pipes 300 mm /m 2.1E-05 9.2E-06 4.0E-06 8.2E-07 2.3E-06 3.74E-05Steel process pipes 450 mm /m 1.9E-05 8.4E-06 3.6E-06 7.2E-07 2.3E-06 3.36E-05Steel process pipes 600 mm /m 1.8E-05 8.0E-06 3.4E-06 6.8E-07 2.2E-06 3.22E-05Steel process pipes 900 mm /m 1.7E-05 7.7E-06 3.3E-06 6.4E-07 2.2E-06 3.11E-05Flowline 2" (underground) /m 1.8E-06 1.2E-06 5.6E-08 5.6E-08 4.8E-08 3.11E-06Flowline 6" (underground) /m 8.5E-07 5.7E-07 3.8E-08 3.8E-08 3.3E-08 1.52E-06Flowline 12"(underground) /m 3.3E-07 2.2E-07 3.0E-08 3.0E-08 2.5E-08 6.43E-07Flowline 18"(underground) /m 1.8E-07 1.2E-07 2.8E-08 2.8E-08 2.3E-08 3.86E-07Flowline 24"(underground) /m 1.4E-07 9.3E-08 2.8E-08 2.8E-08 2.3E-08 3.11E-07Flowline 36"(underground) /m 1.2E-07 8.2E-08 2.8E-08 2.8E-08 2.3E-08 2.83E-07Flanged joints 50 mm /item 4.6E-05 1.9E-05 1.4E-05 7.93E-05Flanged joints 150 mm /item 5.9E-05 2.4E-05 9.5E-06 7.0E-06 9.92E-05Flanged joints 300 mm /item 8.7E-05 3.5E-05 1.4E-05 2.5E-06 5.2E-06 1.44E-04Flanged joints 450 mm /item 1.2E-04 4.9E-05 2.0E-05 3.4E-06 5.0E-06 1.99E-04Flanged joints 600 mm /item 1.6E-04 6.6E-05 2.6E-05 4.4E-06 4.6E-06 2.65E-04Manual valves 50 mm /item 4.2E-05 1.9E-05 2.1E-05 8.19E-05Manual valves 150 mm /item 6.9E-05 3.1E-05 1.4E-05 1.0E-05 1.24E-04Manual valves 300 mm /item 1.6E-04 7.1E-05 3.2E-05 6.5E-06 6.7E-06 2.74E-04Manual valves 450 mm /item 3.1E-04 1.4E-04 6.3E-05 1.4E-05 7.8E-06 5.35E-04Manual valves 600 mm /item 5.2E-04 2.3E-04 1.1E-04 2.4E-05 1.1E-05 8.93E-04Actuated valves (> 6 inch) /item 3.9E-04 1.6E-04 6.8E-05 1.3E-05 4.5E-06 6.37E-04Actuated pipeline valve /item 8.7E-04 4.4E-04 2.3E-04 6.1E-05 3.6E-05 1.63E-03Instrument connection /item 3.4E-04 1.5E-04 8.7E-05 5.77E-04Pressure vessels, connections 50-150 mm /item 2.5E-04 1.9E-04 1.7E-04 3.2E-04 9.22E-04Pressure vessels, connections >150 mm /item 2.5E-04 1.9E-04 1.7E-04 7.7E-05 2.4E-04 9.23E-04Centrifugal pumps, inlet 50-150 mm /item 1.5E-03 5.4E-04 2.3E-04 1.1E-04 2.40E-03Centrifugal pumps, inlet >150 mm /item 1.5E-03 5.4E-04 2.3E-04 5.8E-05 5.5E-05 2.40E-03Reciprocating pumps, inlet 50-150 mm /item 1.7E-03 1.1E-03 7.4E-04 6.9E-04 4.20E-03Reciprocating pumps, inlet >150 mm /item 1.7E-03 1.1E-03 7.4E-04 2.6E-04 4.3E-04 4.20E-03Centrifugal compressors, inlet 50-150 mm /item 1.9E-03 4.2E-04 1.9E-04 2.7E-04 2.81E-03Centrifugal compressors, inlet >150 mm /item 1.9E-03 4.2E-04 1.9E-04 1.0E-04 1.7E-04 2.81E-03Reciprocating compressors, inlet 50-150 mm /item 2.4E-02 2.7E-03 2.6E-04 1.1E-05 2.70E-02Reciprocating compressors, inlet >150 mm /item 2.4E-02 2.7E-03 2.6E-04 9.6E-06 1.2E-06 2.70E-02Shell & tube heat exchangers (shell side), inlet 50-150 mm /item 7.8E-04 4.5E-04 2.9E-04 2.4E-04 1.76E-03Shell & tube heat exchangers (shell side), inlet > 150 mm /item 7.8E-04 4.5E-04 2.9E-04 9.6E-05 1.5E-04 1.76E-03Shell & tube heat exchangers (tube side), inlet 50-150 mm /item 6.6E-04 3.1E-04 1.6E-04 7.7E-05 1.20E-03Shell & tube heat exchangers (tube side), inlet > 150 mm /item 6.6E-04 3.1E-04 1.6E-04 4.0E-05 3.7E-05 1.20E-03Plate heat exchangers, inlet 50-150 mm /item 3.3E-03 1.6E-03 7.8E-04 3.6E-04 6.04E-03Plate heat exchangers, inlet > 150 mm /item 3.3E-03 1.6E-03 7.8E-04 2.0E-04 1.6E-04 6.04E-03Air cooled heat exchangers, inlet 50-150 mm /item 6.6E-04 3.1E-04 1.5E-04 6.9E-05 1.19E-03Air cooled heat exchangers, inlet > 150 mm /item 6.6E-04 3.1E-04 1.5E-04 3.8E-05 3.1E-05 1.19E-03Filters, inlet 50-150 mm /item 7.7E-04 2.5E-04 1.2E-04 1.6E-04 1.29E-03Filters, inlet > 150 mm /item 7.7E-04 2.5E-04 1.2E-04 4.1E-05 1.1E-04 1.29E-03Pig traps, inlet 50-150 mm /item 1.6E-03 4.2E-04 2.2E-04 8.1E-04 3.01E-03Pig traps, inlet > 150 mm /item 1.6E-03 4.2E-04 2.2E-04 1.0E-04 7.1E-04 3.01E-03

COMPO

NEN

TSGEN

ERIC PACKAGES

TotalPer itemEquipment

H2S

-SPE

CIFIC PACKAGES

Objectives of the Consequence Estimation Tool:To be used during PRA meeting or as rough

estimation for safety distance design To perform easily a quick estimation of effect

distances for typical accident scenariosTo cover a large panel of situations (Phenomena,

Products, Pressure, Hole diameter)STATUS: OPERATIONAL

Objectives of the Generic Part Count Tool:To be used during PRA meeting to perform easy

and conservative estimation of small, medium and large frequency STATUS: OPERATIONAL

Objectives of the integrated Hazid /CE/ plotter tool: (improved version)

To be used during PRA meeting to record CE, assumptions and plot scenarios. STATUS: OPERATIONAL

Objectives of the Stock Inventory calculation Tool:

To be used prior to Hazid/Fohmti to perform easy and conservative estimation of hazardous inventory liquid and gas volumes inside equipments STATUS: OPERATIONAL




Appendix 9


Page 107/115

Appendix 9 Assumptions Register

Risk assessment involves a number of assumptions at each stage of the process from defining the scope of risk assessment to ALARP demonstration. All assumptions impacting the risk assessment shall be systematically documented and shall provide adequate justification.

Company approval shall be sought prior to apply assumptions in a risk assessment study.

The assumptions can be related to the following areas:

• Scope of the risk assessment

• Identification of hazards

• Definition of scenarios and hazard outcomes

• Estimation of consequences, including selection of models, input parameters

• Estimation of frequencies including selection of data,

• Estimation of vulnerability associated with a hazard outcome

• Evaluation of risk

• Demonstration of ALARP etc.

All assumptions shall therefore be documented in attached format in this section and shall include as appendices to the risk assessment report.




Appendix 9


Page 108/115

Assumption Register

Assumption Sheet No Brief description Proposed by Approved

by

01

02

03

04

05

06

07

08

09

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25




Appendix 9


Page 109/115

[INSTALLATION NAME] TECHNOLOGICAL RISK ASSESSMENT ASSUMPTION SHEET

Date: First Issue: dd mmm yyyy Revision: dd mmm yyyy

Assumption Number: 01 Rev 00

Subject: Specify the general area affecting the assumption

Purpose: Clearly specify the purpose of the assumption.

Description State the assumption with the background. Provide justification for the use in risk assessment with illustrations if needed. (use additional pages if needed)

References 1. Indicate appropriate references

Impact of Assumption: Clearly specify the potential impact of this assumption.

Prepared By: Name/ Organisation Date: dd mmm yyyy

Approved By: Name/ TOTAL Organisation Date: dd mmm yyyy

Project Manager: Name/ TOTAL Organisation Date: dd mmm yyyy




Appendix 10


Page 110/115

Appendix 10 Risk Management Sheets

Recommended template for documenting RMS application is presented in this section.

The format given in this section shall be utilized for reporting ALARP demonstration of scenarios associated with major, serious and moderate damage severities.




Appendix 10


Page 111/115

Scenario reference:

Central Critical Event Description:

Figure. 1. Bow-Tie Representation (without additional risk reduction measures)




Appendix 10


Page 112/115

FREQUENCY OF CENTRAL CRITICAL EVENT Initiating Events

Preventive measures

Critical Event Frequency without additional preventive measures

Data Sources:

Assumptions: (Attach relevant calculations)

Proposed Additional Preventive Measures (Identified in the Risk Reduction Workshop) Critical Event Frequency With Additional Preventive Measures

Additional Data Sources:

Additional Assumptions (Attach relevant calculations):




Appendix 10


Page 113/115

CONSEQUENCE AND DAMAGE SEVERITY Hazard Outcome: Detection, mitigation and protection measures Kinetics and Escalation Potential: Additional proposed Mitigation and protection measures (Identified in the Risk Reduction Workshop)




Appendix 10


Page 114/115

DAMAGE ASSESSMENT (WITHOUT ADDITIONAL RISK REDUCTION MEASURES) Damage Description without Additional Prevention, Mitigation and Protection Measures Human Environment Asset RISK MATRIX (without additional risk reduction measures)

Category Human Environment Asset Damage Severity Frequency (per year) Remarks




Appendix 10


Page 115/115

DAMAGE ASSESSMENT (WITH ADDITIONAL RISK REDUCTION MEASURES) Damage Description with Additional Prevention Mitigation and Protection Measures Human Environment Asset RISK MATRIX (with additional risk reduction measures)

Category Human Environment Asset Severity Frequency Remarks Name Date Revision Prepared by:

Verified by: Approved by (TOTAL):

Attachments: