Overview Hazards and Effects Management Process
EP 95-0300
HSE MANUAL
* In this publication, some of the figures have been colour enhanced. This was done after the issue of the CD ROM.
The next issue of the CD ROM will include these enhancements. There is no difference in content.
Contents
1 Introduction
1.1 Elements of the HSE Management System
1.2 Tools for the Hazards and Effects Management Process
1.2.1 Selection of tools
1.2.2 Application and competence
2 Hazards and Effects Terminology
2.1 Hazards, Effects and Incidents
2.2 Threats and Barriers
2.3 Consequences, Mitigation and Recovery Preparedness Measures
2.6 Likelihood and Consequence (or Effect)
3 Hazards and Effects Management Process (HEMP)
3.1 The Steps in the Process
3.2 Implementation of HEMP
3.2.1 Assets: planning and review
4 Structured Review Techniques
4.1 Identify Hazards and Potential Effects
4.2 Evaluate Risks
4.2.1 Scenario development (causes)
4.2.2 Probability
4.2.3 Consequence analysis
4.2.4 Determination of risk
4.2.5 Quantitative Risk Assessment (QRA)
4.2.6 Screening criteria: limits/standards
4.3.2 Hazards and effects register
4.3.3 Manual of Permitted Operations (MOPO)
4.4 Compare with Objectives and Performance Criteria
4.5 Establish Risk Reduction Measures
4.5.1 General
Glossary
References
1 INTRODUCTION
Volume 3 of the EP HSE manual is concerned with the tools and techniques which are available to
achieve the management of HSE issues. It is a first reference for all those involved in EP business
activities particularly those who are responsible for the management of hazards and their effects.
- the need, within the context of an HSE Management System, to define both the techniques and tools commonly in use together with the competencies required for their effective application
- the more common terminology and concepts used in the analysis of hazards and effects and the determination of risk
- the stages of the Hazards and Effects Management Process and its role within the HSE Management System. The role of experience, codes and standards, checklists and structured techniques are discussed
- in summary the various structured review techniques available in Shell to support the process.
The Hazards and Effects Management Process (HEMP) is central to the effective implementation of
the HSE Management System. The process ensures that hazards and potential effects are fully
evaluated. To do this they must first be identified, then assessed, and then mitigation and recovery
preparedness measures must be put in place to reduce the consequences of any remaining risk. To achieve this
a number of tools and techniques are used. These are described in this Volume.
(Specific guidance on when to use the techniques within various business activities is given in
the relevant sections of Volume 2, e.g. EP 95-0230 Design, EP 95-0220 Appraisal and
Development, etc.)
This document is designed to identify, specify and aid the effective selection of an integrated suite of
tools and techniques. Most of these have been in use for some time. The various tools and techniques
have been collated for ease of reference, to demonstrate their relationship to each other and to
describe their input to the HSE MS and HSE Case. As stated above, this document does not specify
when to use the tools; this is done in the documents describing the business activities. A very broad
framework of tools, techniques and guidelines used in hazards and effects identification and
assessment during the life cycle is provided in Appendices I and II.
Codes, standards, checklists, as well as individual experience and judgement are in no way replaced
by any of these techniques and continue to play a vital role.
The application of tools in the hazards and effects management process such as Environmental
Assessment, Health Risk Assessment and QRA will continue to involve specialists but their output
can now be brought together with other studies in a common HSE Management System. Specialist
assistance when using other tools and techniques may also be necessary. However the successful
application of any tool and technique will always be dependent on the participation of the staff
involved in the activities under study. Most of the tools described require a multi-disciplinary
approach.
Health, Safety and Environmental Management is no different from any other aspect of EP business
and remains a line responsibility. HSE therefore falls under the same management and management
system. H, S and E have been considered together in this document although external reasons may
exist for presenting certain studies separately. For example, when two separate authorities deal with
safety and environmental
A comprehensive list of terms and their definitions is provided in the glossary of this document.
'The potential to cause harm, ill health or injury, damage to property, plant, products or the
environment, production losses or increased liabilities'. This definition can be extended to include
social/cultural disruption.
This represents a specific use of the word hazard which in more common usage can mean danger,
chance or risk. Risk is defined in 2.4. It is important to recognise the adopted definition of this basic
term and to be consistent when using common techniques. Hazards should not be confused with
hazardous activities (e.g. drilling). Examples of hazards are: hydrocarbons under pressure, objects at
height, electricity. Appendix III contains a listing of generic hazards.
The terms 'chronic' and 'acute' are introduced in Volume 1 and are used to differentiate between
hazards and effects associated with continuous discharges and occupational exposure (prolonged) and
those relating to one-off events (health, safety and environmental incidents), which might include
poisoning, oil spills, fires and explosions.
In environmental terms, 'chronic' effects are sometimes referred to as 'routine' and are defined as the
result of planned emission or discharge to the environment. Such releases may include flaring of gas,
or discharge to sea of produced water following repeated and prolonged exposure to relatively low
levels or concentrations of a hazardous agent.
The aim is to control all health and environmental hazards and effects within defined limits. For
health, for example, controls for benzene define levels in air for long term exposure. For environment,
for example, controls for flaring may include limiting the volume of gas disposed of, defining criteria
for the combustion efficiency and defining environmental quality standards for combustion products.
Similarly, control of noise emission will be based on noise limits which will be set for a given
location.
An effect in the context of this manual is usually an adverse effect either on the health or safety of
employees or the public. An environmental effect is any direct or indirect impingement, whether
adverse or beneficial, upon the environment of the activities, products and services of the company.
This also includes impact on social and cultural systems.
The undesired release of a hazard is a hazardous event. If the hazardous event is the first event
resulting from the release of a hazard then it is called a 'Top Event'. This is the undesired event at the
end of the fault tree and at the beginning of an event tree (see 2.5). In the context of environmental
routine hazards, the undesired event can relate to the breaching of defined limits, such as oil in water
discharged to sea or noise levels in and around locations, or in the context of health hazards, this
relates to exceeding occupational exposure limits and other standards for the full range of agents
hazardous to health.
An incident is an unplanned event or chain of events which has caused or could have caused injury,
illness and/or damage (loss) to assets, revenue, the environment or third parties. An incident involves
the release or near release of a hazard which includes the exceedance of defined limits.
To prevent a threat or combination of threats ultimately resulting in the release of a hazard, some kind
of countermeasures are necessary. These measures are called barriers. In the case of corrosion as a
threat, for example, appropriate barriers could be a corrosion-resistant coating, inspection
programmes or corrosion allowances. For overpressure one barrier would be a pressure relief system.
Environmental barriers could include operational controls, e.g. traffic restrictions for noise, or
hardware controls, e.g. provision of water treatment equipment. Health barriers include, for example
local exhaust ventilation (LEV) and PPE.
[Figure: safety example, causation (threats) to consequence (escalation). Hazard: hydrocarbon gas under pressure (pressure vessel). Example threats: corrosion, erosion, impact. Hazardous event: leak. Escalation: fire.]
[Figure: environmental example, causation (threats) to consequence (escalation). Hazard: effluent discharge. Hazardous event: discharge ppm limit exceeded. Consequences: pollution, ecological damage, water supply contamination, irrigation contamination, liabilities, reputation.]
[Figure: health example, causation (threats) to consequence (escalation). Hazard: toxic vapour. Example threats: corrosion, handling of toxic chemical, maloperation, leaking flanges, leading to release of benzene. Hazardous event: exposure to benzene exceeding OEL*. Consequences: increased risk of leukaemia, liabilities, loss of reputation.]
2.4 Risk
Risk is the product of the probability that a specified undesired event will occur and the severity of
the consequences of the event. To determine the risk of a specific hazardous event taking place
therefore requires information on the likelihood of the event taking place and the severity of the
adverse consequences that could be expected to follow from it. Risk is a term which combines the
chance that a specified undesired event will occur and the severity of the consequences of the event.
To determine the risk associated with a specific 'hazardous event', information is therefore required
on the chance of the event taking place and the severity of the consequences that might be expected to
follow from it. Risk is sometimes also defined as the product of probability and the severity of
consequences.
The terms 'probability', 'likelihood', 'frequency' and 'chance' are often used interchangeably; however,
in the HEMP terminology, the following apply and should be consistently used:
- likelihood and chance both indicate the possibility of something happening
- frequency is a rate, e.g. number of incidents per hour
- probability is a ratio. It indicates the number of chances of something happening to the total number of chances.
Fault Tree Analysis is used to show the sequence of possible threats or causes that could lead to the
release of a hazard. The fault tree leads to a single point where the undesired event has taken place or
where the hazard has been released. This is known in risk assessment terms as the Top Event and
represents the transition from the Fault Tree (threats/causes) to the Event Tree (consequence).
The Event Tree is made up of nodes which correspond to the different stages in an escalating incident
sequence. The lines which lead out of each node correspond to the paths of success or failure in
mitigation of the incident.
The whole sequence showing the progression from any cause, (Fault Tree) through the Top Event to
the full range of consequences (Event Tree), for a single hazard can be represented in a single
diagram (often called a 'bow tie') as shown in Figure 2.4. In a quantitative assessment such as QRA, a
number of hazards will be considered together; however, in qualitative assessment it is normal to
consider one hazard or one bow tie.
For qualitative and quantitative risk assessment the same process is used (i.e. bow tie) but in QRA,
risks are quantified initially per Top Event then summated for a number of scenarios and hazards.
Lack of good data may limit the development of a fault tree; however, in some circumstances the
historical frequency of the top event may provide an adequate estimate.
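The bow tie described above, carried through numerically as an added example that is not part of the manual. All threat frequencies, barrier failure probabilities, mitigation success probabilities and severity scores are constructed for illustration; the class and function names are hypothetical, barriers are assumed to fail independently, and the event tree is simplified to a single escalation chain.

```python
from dataclasses import dataclass
from math import prod


@dataclass
class Threat:
    name: str
    frequency_per_year: float  # a rate: how often the threat challenges the barriers
    barrier_pfd: tuple         # ratios: probability that each barrier fails on demand


@dataclass
class Mitigation:
    name: str
    p_success: float           # probability the measure arrests the escalation
    outcome_if_success: str    # consequence if the sequence stops at this node
    severity: float            # constructed severity score for that consequence


def top_event_frequency(threats):
    """Fault-tree side: a threat releases the hazard only if every barrier
    on its path fails (independence assumed); threat paths are summed."""
    return sum(t.frequency_per_year * prod(t.barrier_pfd) for t in threats)


def event_tree(top_freq, mitigations, worst_outcome, worst_severity):
    """Event-tree side: each node is a mitigation that succeeds or fails.
    Returns (outcome, frequency per year, severity) for every end point."""
    outcomes = []
    reach = top_freq  # frequency with which the sequence reaches the current node
    for m in mitigations:
        outcomes.append((m.outcome_if_success, reach * m.p_success, m.severity))
        reach *= 1.0 - m.p_success  # failure branch carries on to the next node
    outcomes.append((worst_outcome, reach, worst_severity))
    return outcomes


def total_risk(outcomes):
    """Risk per Top Event: sum of frequency x severity over all end points."""
    return sum(freq * sev for _, freq, sev in outcomes)


def dominant_outcome(outcomes):
    """End point contributing most to the risk (frequency x severity)."""
    return max(outcomes, key=lambda o: o[1] * o[2])[0]


# Constructed sample data for the hazard 'hydrocarbon gas under pressure'.
THREATS = [
    Threat("corrosion", 0.10, (0.1, 0.1)),  # coating, inspection programme
    Threat("erosion", 0.05, (0.2,)),        # inspection programme
    Threat("impact", 0.02, (0.5,)),         # physical protection
]
MITIGATIONS = [
    Mitigation("ESD and depressurisation", 0.9, "leak isolated", 1),
    Mitigation("ignition control", 0.8, "unignited gas release", 10),
    Mitigation("fire protection", 0.5, "contained fire", 100),
]

if __name__ == "__main__":
    top = top_event_frequency(THREATS)
    tree = event_tree(top, MITIGATIONS, "escalated fire", 1000)
    print(f"Top Event (leak) frequency: {top:.4f} per year")
    for name, freq, sev in tree:
        print(f"  {name:<22} {freq:.5f}/yr  severity {sev:>4}  risk {freq * sev:.4f}")
    print(f"Total risk for this bow tie: {total_risk(tree):.4f}")
    print(f"Dominant contributor: {dominant_outcome(tree)}")
```

The end-point frequencies always sum back to the Top Event frequency, which is a useful consistency check on any hand-built event tree.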
Consequence analysis can be applied to assess HSE aspects for a range of scenarios and typically
involves the use of predictive models. Examples include the use of:
- physical effects models for predicting the behaviour and loading from potential hydrocarbon releases (dispersion, fire, radiation, explosion and smoke) in terms of flammable limits, heat radiation, explosion overpressure, etc
- physical consequence models for predicting the consequence of the effects of hydrocarbon release events (structural damage, vessel integrity loss, etc)
- air and water dispersion models for predicting the behaviour of discharges to the atmosphere or water bodies respectively
The tools and techniques used for both likelihood and consequence analysis are described in
Chapter 4.
The principles of 'identify', 'assess', 'control' and 'recover' are the basis of HEMP, with the individual
stages summarised in the following steps:
These documents will then be included in Parts 3 and 5 of the HSE MS and HSE Case.
People involved in operational activities however should always be alert to identify new hazards
particularly in non routine operations.
Appendices I and II give an indication of when the tools and techniques are used during the life cycle
of a development and in the development of an HSE Case for an asset. Full guidance is provided in
the respective business activity guidelines such as EP 95-0230 Design and Engineering and
EP 95-0220 Concept Development.
The output from the various tools and techniques used in the HEMP in the planning and review stages
of a new development is used primarily to refine the design by identifying the hazards and threats,
removing them if possible and making the design as inherently safe to operate as practicable. The
output therefore primarily concerns the hardware although the design planning phase can profoundly
affect all subsequent stages of the development. Information from this work is included in the HSE
Case for an asset for use in the operational phase.
In the implementation or operations phase, planning activities such as the systematic preparation of
Permits to Work and Job Hazard Analysis address all the steps of the HEMP. EP 95-0315 describes
the basic Permit-to-Work System and EP 95-0311 describes Job Hazard Analysis which can be used
for a team review of the procedure for a repeated activity or as a one-off review of a new activity. The
computerised system THESIS (see EP 95-0323) can also be used to assess hazards and effects and
identify the necessary controls. EP 95-0270 General Workplace Practices contains activity
specification sheets and hazard register sheets for typical HSE activities and hazards encountered in
the workplace. The Manual of Permitted Operation (MOPO) describes conditions where specific
activities cannot be carried out at the same time and is described in EP 95-0310 Implementing and
Documenting an HSE MS and HSE Case. Waste management procedures, described in EP 95-0390
Waste Management Guidelines, provide information for the inclusion of waste management
activities.
At the time of writing this Guide, work is proceeding on the preparation of Generic HSE Cases for
activities such as drilling, seismic and transport. These are aimed at providing a basic 'starter kit'
HSE case containing all the common activities, procedures and controls which can be subsequently
made 'site-specific' for local application.
The output from the various tools and techniques in the HEMP for operational-type activities will be
used in the development and review of working procedures and form part of the HSE Case for the
operation of the facility. For a significant or new activity, such as a major construction project, a
seismic or drilling campaign or abandonment, the output from the various tools will be included in an
HSE Case.
For a smaller work scope usually confined to one contract the HSE Case is sometimes called an HSE
Plan or where the work or operational task is one of many to be undertaken, terms like 'Work
Procedure' or 'Work Statement' are sometimes used. All these descriptions only reflect the scale of the
operation. The most important point is that in their preparation the steps of the Hazards and Effects
Management Process must be followed. That is, hazards and potential effects must be identified and
assessed and Control and Recovery Preparedness measures must be developed and in place ahead of
time.
- experience/judgement
- checklists
- codes and standards
- structured review techniques
[Figure: HEMP (identify, assess, control, recover), supported by structured review techniques, checklists and experience/judgement.]
3.3.1 Experience/judgement
The knowledge of experienced staff provides a sound basis for hazard identification and assessment.
One can draw on experience gained from different aspects of the EP business in different locations.
Practical staff experience gained in the field and feedback from incidents, accidents and near misses
is invaluable.
3.3.2 Checklists
These are a useful way of ensuring that known hazards and threats have all been identified and
assessed. The use of checklists, however, must not be allowed to limit the scope of review. They are
normally drawn up from standards and operational experience and focus on areas where the potential
for mistakes is high or where problems have occurred in the past. Hazard Registers taken from the life
cycle of previous developments are particularly useful as a basis for checklists. They should be
maintained throughout the life of the development and include both the operational and abandonment
phases (Ref. 1).
Table VI.1 is a checklist called the Hazard Hierarchy which includes health, safety and environmental
hazards previously identified by Opcos. The checklist approach is used in several techniques such as
HAZID, HAZOP and FIREPRAN for example.
release of agents harmful to health can be assessed by reference to environmental quality standards
and occupational health exposure limits. For environmental and occupational health, the process
begins with an inventory of emissions and effects agents hazardous to health respectively.
Codes and standards can therefore provide guidance on all four steps of identify, assess, control and
recovery.
Where new or non-standard designs are concerned, especially ones containing configurations with
multiple interfaces, it is unlikely that all the possible interactions can be identified using codes and
standards alone. In more complex facilities such as offshore process facilities, other hazard
management tools will be required.
For EP facilities, a generic Hazards and Effects Hierarchy has been generated and is included in
Appendix III. This provides a structured listing of hazards and effects and attributes which can be
used as a completeness check during hazard identification. The hierarchy provides the basis for a
computerised approach to the systematic identification and assessment of hazards and their effects.
Technique: Health Risk Assessment
Description: Is used for identifying and assessing occupational health hazards and the controls needed to manage them effectively. Chemical, physical, biological, ergonomic as well as psychological aspects of the occupational environment are included.
Reference: SHSEC Guide (Ref. 2); HMSO publication (Ref. 3)
Technique: Health Risk Assessment and Exposure Evaluation for Chemical Agents
Description: Supplements the general guide on Health Risk Assessment (Ref. 4) by providing specific additional advice on assessing risk to health arising from chemical agents in the work place.
Reference: SHSEC 1995 (Ref. 4)
Technique: Soil and Groundwater Guides
Description: Provides guidance on assessing soil and groundwater quality at EP locations from initial desk studies to more detailed site investigations.
Reference: EP 95-0385; EP 95-0386; EP 95-0387
Technique: Social Impact Assessment
Description: Describes the component parts of a social impact assessment including relationship to the natural environment, cultural and historical attitudes and sensitivities, population characteristics and political social institutions. Means to involve the wider public are seen as critical.
Reference: EP 95-0371
Technique: HAZOP (Hazard and Operability Study)
Description: One of the most widely accepted and powerful of the hazard identification and assessment tools available for reviewing the design of process facilities. It is carried out in varying degrees of detail throughout a project after design checks have been completed. HAZOP is not a design tool but a supplementary team checking exercise which also includes the operational aspect of a design. It is unusual to make other than a subjective assessment of the consequences of a particular failure scenario during a HAZOP. The HAZOP technique has been extended with success by others to areas like maintenance, drilling, etc.
Reference: EP 95-0313
There are few if any tools and techniques which are limited solely to the identification of Hazards and
Potential Effects. Most include assessment as well as identification. Indeed techniques, such as Health
Risk Assessment and Environmental Assessment include all four elements, identify, assess, control
and recover.
Inherent in some techniques, such as HAZOP, is a qualitative assessment of risk based on judgement
of threats, such as hardware failure, control system failure, human error, corrosion, extreme
conditions, etc.
software can also be used to assist in the hazard/risk evaluation and also uses the Risk Matrix.
Guidance on when to use quantitative risk assessment is provided in the following paragraphs.
4.2.2 Probability
The probability of a hazardous event occurring may be determined by evaluation of the associated
possible threats and circumstances or from historical data bases. Once established, the probability of
occurrence of each event can be included in a fault tree.
Historical records such as those described in EP 92-1020 (Ref. 6) provide failure data for various
types of event in the fault tree and event tree including the Top Event. Alternatively, probability can
be generated in a qualitative way by the relative classification of probability into those shown on the
Risk Matrix in 4.2.4.
It is planned to replace EP 92-1020 (Ref. 6) with a data base prepared on an industry wide basis. This
development is underway with the E&P Forum.
In performing consequence analyses it should be recognised that the majority of models provide only
a good approximation of what might happen. It is a mistake to base design calculations wholly on
model results. The designed system should be capable of withstanding the range of possible
anticipated loadings.
Technique: Oil Spill trajectory Models
Description: Used to predict the behaviour of marine spills and can play an important role in oil spill contingency planning. A number of models are available.
Reference: A range of models available. For advice on selection and use refer to SIEP
Technique: Risk Assessment Models for Contaminated Soil
Description: These have been developed to evaluate the significance of soil contaminants to human and environmental health. The Human Exposure to Soil Pollutants (HESP) developed in SIPM is an example.
Reference: Env. quality standards for soil and groundwater: EP 95-0385; Setting Priorities for contaminated soil and groundwater: EP 95-0387
Technique: Groundwater Models
Description: These have been developed to predict the behaviour of contaminants in groundwater and focus on the movements of the contaminants.
Reference: A range of models available. For advice on selection and use refer to SIPM
The matrix need not remain as a static display of risk and measures to be taken. Over the years
tolerance to risk will change; therefore, the shading in the diagram will change.
The above matrix gives an indication of risk tolerability but this should relate to the operation under
consideration. An example of how the matrix can be further defined for a particular operation is
included in Appendix V.
Guidelines are available for undertaking quantitative risk assessment for specific applications
including risers and pipelines.
These are:
Technique Reference
These quantitative risk assessments should only be used by personnel with adequate training and
experience. It is most important that those familiar with the operation, the facility or the design are
involved in the study particularly with respect to the input, assumptions and conclusions drawn to
ensure that the model reflects reality.
Assumptions must reflect actual practice including inspection and maintenance frequencies and
techniques, frequency of drills and operating procedures, etc.
QRA provides a structured approach to assessing risk and expresses this numerically. The main
function of QRA is to identify high risk areas and assist in the comparison of design options and the
selection of operations philosophies with a view to establishing effective and efficient risk
management.
QRA assists in the determination of 'how safe is safe enough' by helping to analyse options to
establish whether or not ALARP (As Low As Reasonably Practicable) has been achieved.
Engineers and decision makers sometimes like to use quantitative risk assessment to make a decision
for them. For this purpose they would like to see well defined acceptance criteria for risk and a
calculation resulting in one number to tell them whether their design is 'right' or 'wrong'. However,
risk figures which are based on probabilities should be used with caution and comparison against
absolute numerical risk criteria avoided where possible. This is important for a number of reasons.
First, the accuracy of QRA studies means that the comparison of calculated numbers with specified
numerical criteria must be used with considerable caution. The inaccuracies are less important in
comparisons between various options analysed in a consistent manner. Nevertheless absolute risk
figures may be required to fulfil legislative requirements and to ascertain whether ALARP risk levels
have been reached.
Secondly, the risk of EP operations calculated in a QRA is often in the 'Too High' area and nowhere
near the Negligible area. This means that regardless of acceptance criteria set by authorities or
others, there is a need to identify further improvements and to implement them if the cost, time and
effort can be justified.
Thirdly, there is always the temptation to use comparison with absolute risk criteria as a means to
justify not carrying out risk reduction measures, with data being manipulated solely to meet the
criteria. Playing the 'numbers game' in this way could lead to QRA being used to justify risk levels
that could realistically still be reduced.
Fourthly, using statistical likelihood values carries with it a set of inherent assumptions which
may or may not be appropriate for the operation being studied.
Expressions like 'acceptably safe' or 'an acceptable risk' should be avoided when discussing risk.
Risks are never acceptable when the benefits of an activity are perceived to be smaller than the risks.
Further, a risk is never considered acceptable while there are effective alternatives to lower it. If there
are no effective alternatives or the cost of further reduction is disproportionate then it may be
necessary to live with or 'tolerate' the risk.
QRA can be used to assess risk to the company's workforce, assets and environment as well as risk to
the public. At present, QRA or environmental QRA is confined to 'incidental' or 'acute' hazardous
events. In EP operations, the facilities are in many cases sufficiently remote that considerations of this
type of risk to the public do not dominate. In downstream activities, risk to the public is often the
main concern.
The application of QRA is not necessarily limited to large, complex and expensive studies. It is a
technique which can be used relatively quickly and cheaply to help to structure the solution to
problems for which the solution is not intuitively obvious. Without the quantification of risk in some
situations, there may be a danger of allocating scarce resources for little benefit. Risk is often defined as
a function of the chance that a specified undesired event will occur and the severity of the
consequences of the event. For QRA purposes, chance can be expressed as frequency or probability
of an occurrence. If no attempt is made to estimate the chance, we may be driven by the consequence
into investing heavily on risk reduction measures which are ineffective. This is illustrated in
Figure 4.1. The risk curve (shaded) indicates the area in which effective risk reduction measures can
be taken.
On the left side of the curve the consequences are too small to cause concern, regardless of the
probability. On the right side the consequences could be dramatic but the probability is so low that it
would be more effective to invest in those risk reduction measures which concentrate on the events
contributing to the peak of the risk curve. The above can be easily aligned with the Risk Matrix.
It must be recognised that the public and regulatory authorities are most interested in high
consequence events. In the context of the Risk Matrix this might be in the 'never heard of incident in
EP industry' column but nevertheless risk reduction measures must still be considered.
References to occupational exposure limits and standards are listed in Health Risk Assessment
(Ref. 2) and Ionising Radiation Safety Guide (Ref. 17).
In a major project or facility the studies carried out as part of the HEMP are recorded formally usually
via the first draft of the Hazards and Effects Register. The level of detail addressed increases as
familiarity with the project or facility improves. Different techniques are then applied to identify and
assess hazards. The hazards and control measures identified during the design phase are recorded for
later transfer to the operator of the facility who will be responsible for the HSE Case. A PC based tool
developed to do this is THESIS described in EP 95-0323.
Assembly of the Hazards and Effects Register, which forms part of the HSE Case, begins at the
design and development stage of a project when hazards and effects from this phase are incorporated.
Hazards applicable during the construction and commissioning phase may be included or listed
separately. Later, hazards encountered in the operations and maintenance phase are included. The
Hazards and Effects Register is a live document and is passed from phase to phase of a development
through to abandonment. When the design phase is complete, the Hazards and Effects Register is
handed over to and subsequently maintained by, the operations management of a facility. The
Hazards and Effects Register will subsequently be used in the planning of abandonment and held on
record for a period thereafter.
- the level and number of barriers installed initially and the recovery preparedness measures to be in place
- the limit of safe operation if the barriers and/or recovery preparedness measures (sometimes referred to as the 'Integrity Envelope') are reduced, removed or purposely defeated
- the limit of safe operation permitted during periods of escalated risk, in either likelihood or consequence. This includes external factors like extreme weather conditions
- which activities may or may not be carried out concurrently, e.g. simultaneous welding and crude sampling.
Further details on the preparation of a MOPO are given in EP 95-0310 Implementing and
Documenting an HSE MS and HSE Case.
Control and recovery aspects form a significant part of design standards. These are not listed
separately in this document.
A number of reference documents describing the controls are frequently used in applying the HEMP.
These are summarised below together with references for full descriptions.
EP HSE Manual:
EP 95-0376 Monitoring Air Quality
EP 95-0381 Monitoring Water Quality
EP 95-0386 Monitoring Soil and Groundwater Quality
EP 95-0390 Waste Management Guidelines
EP 95-0391 Classifying Waste
Recovery Preparedness Measures include active, passive and operational (contingency plans)
response arrangements.
In a crude oil separation module a loss of containment will probably be controlled by ESD,
depressurisation and containment/fire protection devices. These control and recovery measures have
been installed to achieve the HSE objectives that have been set. They might reduce a worst case
occurrence to a single major injury or fatality as compared with the possible catastrophe that could
have occurred with no controls at all in place.
From an environmental perspective recovery includes site clean up and rehabilitation. An example in
occupational health would be the redeployment of a radiographer who has exceeded his radiation
exposure or a cargo handler who has a back injury.
Documents which will assist in the development of recovery procedures include amongst others:
APPENDIX I
ACTIVITIES: PLANNING AND REVIEW
HEMP TOOLS AND TECHNIQUES
In the EP Business Model (EPBM) Version 3 (Ref. 23) the activity grouping (ACT) 'Managing
Activities' applies equally to all activities including those shown below against the life cycle.
In the 'Establishment of Business Controls' (ACT-01-06), the controls to manage HSE risk are
addressed in an HSE Case. The broad HSE objectives to be met in the activities: establishment of
business controls (ACT-01-06), 'planning' (ACT-01-08) and 'monitoring/control during execution'
(ACT-03-02) are bulletised on the left of the table below. Some of the tools and techniques available
are listed on the right.
[Figure: activities shown against the life cycle (explore, appraise, develop, produce and maintain, abandon): Execute Surveys; Drilling; Appraisal and Development; Design; Construction; Commissioning; Production and Maintenance; Decommissioning; Logistics.]
APPENDIX II
ASSETS: PLANNING AND REVIEW
HEMP TOOLS AND TECHNIQUES
The activities (Ref. 23) described in this appendix encompass the life cycle of an asset. The HSE Case
which is prepared during the execution of these activities becomes the HSE Case for the asset and
forms part of the Asset Reference Plan.
The broad HSE objectives are bulletised on the left of the table. Some of the tools and techniques
available are listed on the right.
DESIGN, CONSTRUCT, MODIFY OR ABANDON FACILITIES (A12)
Prepare Conceptual Design (A12-01) (Validate 'Basis for Design')
Objectives | Tools and techniques
ensure technical integrity of basic process | HAZOP (coarse)
develop layout to minimise consequences in developing the 'Project Specification' | Coarse Layout Methodology; Human Factors
review technical integrity of detailed process | HAZOP (detailed); Instrumented Protection Function (IPF) classification
minimise risk of escalation - for offshore and complex plant | Detailed Layout Methodology, Fire and Explosion Analysis, Emergency System Survivability Analysis
minimise risk of escalation - for less complex and onshore | FIREPRAN
ensure adequate provision for escape | Escape, Evacuation and Rescue Analysis (use judgement for less complex plant)
review overall risks | QRA (as necessary)
minimise construction risks | HAZID
incorporate HSE-specific requirements | Health Risk Assessment, Human Factors, Environmental Assessment
HSE CASE FOR ASSET
HAZARDS AND EFFECTS REGISTER
DESIGN, CONSTRUCT, MODIFY OR ABANDON FACILITIES (A12) (cont'd)
Prepare Detailed Design (A12-02)
Objectives | Tools and techniques
ensure change does not impair technical integrity | QRA; HAZOP; Instrumented Protection Function (IPF) classification
prepare input for HSE Case for facility | see ACT-01-06
DESIGN, CONSTRUCT, MODIFY OR ABANDON WELLS (A09)
(as for A12 for Wells)
OPERATE AND MAINTAIN FACILITIES AND WELLS (A71/A72)
(see under HSE Case for Asset)
MANAGE ASSETS (ASS)
(Includes HSE Case for Asset)
Asset Reference Plan (ASS-01-02)
Objectives | Tools and techniques
demonstrate that risks associated with asset and its operation are managed | HAZID; Health Risk Assessment; Environmental Assessment; Job Hazard Analysis; Permit-to-Work; Instrumented Protection Function (IPF) classification; H2S; Fire Control and Recovery; Safe Handling of Chemicals (SDS); Human Factors; Emergency Response (including oil spill plans); Oil Spill Dispersants; Contaminated Soil and Groundwater; Classification of Waste; Waste Management
Appraise Asset Integrity (ASS-04-02)
Objectives | Tools and techniques
confirm process integrity and containment | Process Hazard Review; HAZOP
compare fire and explosion provisions against objectives set | FIREPRAN
HSE CASE FOR ASSET
HAZARDS AND EFFECTS REGISTER
APPENDIX III
HAZARDS AND EFFECTS HIERARCHY
The Hazards and Effects Hierarchy is a structured list of HSE-related hazards and effects that may
occur in the EP business. It can provide a starting point in hazard identification (the first step of the
Hazards and Effects Management Process, HEMP). Use of the Hazards and Effects Hierarchy as a
checklist gives greater assurance that all hazards and effects have been addressed and identification
and initial assessment is complete.
The Hazards and Effects Hierarchy is a structured checklist incorporated in the PC-based tool
THESIS (EP 95-0323). It is continually being improved with use in different operations and
environments. The hierarchy in the attached Table III.1 is therefore only included as an example or
'snapshot'. For the most up-to-date version, refer to the latest version of THESIS software.
In THESIS each hazard and effect has been assigned a number which has been consistently carried
through to the Hazards and Effects Register. The same numbering system is used here.
The Hazards and Effects Hierarchy, Table III.1, consists of main hazard groups such as H-01
Hydrocarbons. Under these are sub-groupings, such as H-01.06 Hydrocarbon Gas. Some examples
are given of typical sources of these hazards or locations where they will be found.
Under the three columns 'Safety', 'Health' and 'Environment' an arbitrary coding has been given which
has been found useful in grouping hazards. The reason for the Health grouping is explained below.
Any other coding or tagging can be used.
No attempt has been made to link the listing of hazards with, for example business activities or types
of facilities, since any one hazard can invariably be present in many situations. The Hazards and
Effects Hierarchy nevertheless lends itself to use as part of a systematised approach to hazard
management.
- chemical hazards
- physical hazards such as noise, vibration, ionising radiation
- biological hazards such as micro-organisms
- ergonomic hazards such as manual handling
- psychological hazards such as stress
- life style such as substance abuse
- living environment such as malaria and environmental pollution
The Hazards and Effects Hierarchy as presented in this appendix can be sorted to cover all significant
health hazards and effects in this order or any other order that is required.
The Hazards and Effects Hierarchy listing, Table III.1, is valid for both incidental releases and
routine releases. As described in 2.1, a hazardous event in the case of the routine or chronic release
is when defined limits have been exceeded. A hazardous event in the case of an acute or incidental
release is an occurrence or incident.
Limits should be defined for routine releases which have an adverse effect on the environment.
Reviewers often find it easier to think in terms of sources of environmental effects. To assist in this
identification Table III.1 is a checklist of sources, of environmental hazards and of potential effects.
This table can assist in the identification of hazards and effects when reviewing a proposed
development or operation (i.e. in the Environmental Assessment process) or when reviewing effects
from the existing operation and preparing reduction plans.
The list is not complete and any further additions to the checklist should be forwarded to SIEP.
It is not always possible to pinpoint a genuine hazard causing the effect, e.g. resource use can result
from a number of activities.
Key to Hazards
Table III.1 The Hazards and Effects Hierarchy
H-04 | Explosives
H-13.01 | Oceans, seas and lakes less than 10 deg. C | P | North Sea, Arctic Ocean
H-15 | Electricity
H-19 | Asphyxiates
H-27.01 | Piracy | Se
H-27.02 | Assault | Se
H-27.03 | Sabotage | Se
H-27.04 | Crisis (military action, civil disturbances, terrorism) | Se
H-27.05 | Theft, pilferage | Se
H-29 | Medical
* any indented (-) are covered by all aspects in the adjacent columns.
APPENDIX IV
STRUCTURED REVIEW TECHNIQUES
SUMMARY DESCRIPTION SHEETS
Title Assets* Activities*
ASPIN *
Emergency Systems Survivability Analysis (ESSA) *
Environmental Assessment (EA) *
Explosion Protection Review (EPR) *
Fire and Explosion Analysis (FEA) *
FIREPRAN * *
HAZID *
HAZOP * *
Health Risk Assessment (HRA) * *
Job Hazard Analysis *
Physical Effects Modelling (PEM) *
Process Hazard Review (PHR) * *
Platform Layout Methodology (PLM) * *
RISER *
Smoke Ingress Analysis (SIA) *
SAFOP *
Structural Consequence Analysis (SCA) *
Temporary Refuge/Escape Evacuation and Rescue Analysis (TR/EERA) *
The Health, Environment, Safety Information System (THESIS) * *
Tripod-BETA *
Tripod-DELTA *
Assets* Used primarily in planning, design, longer term review and preparation of HSE Cases for assets.
Activities* Used primarily for developing and reviewing operational-type procedures, systems and preparing
activity HSE Cases, plans or method statements, e.g. seismic drilling, construction and
commissioning, and production and maintenance.
ASPIN
Objective
To provide an easy-to-use quantitative failure risk assessment tool to compare different options and
conditions during pipeline design and operation and to assist in optimising and planning inspection and
maintenance efforts.
It is a tool that is situated between a full Quantitative Risk Assessment (QRA) and simple risk
ranking/scoring methods, less complicated and expensive than the former and more quantitative (and
therefore more accurate) than the latter. It is intended as a decision support tool and does not specify
acceptance criteria for risk levels. It can, for example, identify the effect of use of inspection pigging and a
leak detection system on risk levels.
Method
The methodology is based on the generally applied risk analysis technique whereby the probability of a
failure, expressed in terms of expected failure frequency, is multiplied by the consequence of such a failure
to arrive at risk. Failure risk is determined cumulatively over a given longer period of time as well as on a
yearly basis.
The method is structured in four main parts:
1. Identify the possible failure causes and derive potential failure frequencies
2. Identify the most likely failure type distribution
3. Identify the consequences of pipeline failure
4. Combine parts 1 and 3 to derive risk levels
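The four-part structure above, worked through as an added example (it is not ASPIN's own code or data). The failure causes, frequencies, failure type fractions, consequence values, the linear corrosion growth and the effect assigned to inspection pigging and leak detection are all constructed assumptions, and the function names are hypothetical.

```python
"""Pipeline failure risk as frequency x consequence, following the four parts.

Every number below is constructed for illustration; none is ASPIN data.
"""

# Part 1: failure causes and expected failure frequency (failures per km-year).
BASE_FREQ = {
    "external_impact": 2.0e-4,
    "corrosion": 1.0e-4,
    "material_defect": 0.5e-4,
}
# Assumption: corrosion frequency grows linearly with age; other causes stay constant.
GROWTH_PER_YEAR = {"corrosion": 0.10}

# Part 2: most likely failure type distribution per cause (fractions sum to 1).
TYPE_SPLIT = {
    "external_impact": {"leak": 0.30, "hole": 0.40, "rupture": 0.30},
    "corrosion": {"leak": 0.80, "hole": 0.15, "rupture": 0.05},
    "material_defect": {"leak": 0.50, "hole": 0.30, "rupture": 0.20},
}

# Part 3: consequence of one failure of each type, in one common unit (here k$).
CONSEQUENCE = {"leak": 100.0, "hole": 1000.0, "rupture": 10000.0}

# Options to compare. Each scales frequencies per cause or consequences per type.
OPTIONS = {
    "base case": {},
    "inspection pigging": {"freq_factor": {"corrosion": 0.5}},
    "leak detection": {"consequence_factor": {"leak": 0.5}},
}


def check_inputs():
    """Reject a model with a missing cause, unknown failure type or bad fractions."""
    for cause, split in TYPE_SPLIT.items():
        if cause not in BASE_FREQ:
            raise ValueError(f"no failure frequency for cause {cause!r}")
        unknown = set(split) - set(CONSEQUENCE)
        if unknown:
            raise ValueError(f"no consequence defined for {sorted(unknown)}")
        if abs(sum(split.values()) - 1.0) > 1e-9:
            raise ValueError(f"failure type split for {cause!r} does not sum to 1")


def failure_frequency(cause, year, length_km, option):
    """Expected failures per year for one cause, `year` years after start-up."""
    growth = 1.0 + GROWTH_PER_YEAR.get(cause, 0.0) * year
    factor = option.get("freq_factor", {}).get(cause, 1.0)
    return BASE_FREQ[cause] * length_km * growth * factor


def yearly_risk(year, length_km, option=None):
    """Part 4: sum frequency x consequence over all causes and failure types.

    The failure type fractions from part 2 weight the consequences of part 3.
    """
    option = option or {}
    cons_factor = option.get("consequence_factor", {})
    risk = 0.0
    for cause, split in TYPE_SPLIT.items():
        freq = failure_frequency(cause, year, length_km, option)
        for ftype, fraction in split.items():
            risk += freq * fraction * CONSEQUENCE[ftype] * cons_factor.get(ftype, 1.0)
    return risk


def cumulative_risk(years, length_km, option=None):
    """Risk accumulated over the first `years` years (year 0 to years - 1)."""
    return sum(yearly_risk(year, length_km, option) for year in range(years))


def compare_options(years, length_km):
    """Cumulative risk per option and its reduction relative to the base case."""
    check_inputs()
    base = cumulative_risk(years, length_km, OPTIONS["base case"])
    table = {}
    for name, option in OPTIONS.items():
        total = cumulative_risk(years, length_km, option)
        table[name] = {
            "cumulative": total,
            "reduction_pct": 100.0 * (base - total) / base,
        }
    return table


if __name__ == "__main__":
    for name, row in compare_options(years=20, length_km=10.0).items():
        print(f"{name:20s} {row['cumulative']:10.2f} k$  "
              f"(-{row['reduction_pct']:.1f}% vs base)")
```

The output is a comparison between options, not an acceptance test: as the text notes, the method does not specify acceptance criteria for risk levels.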
Deliverables (Output)
Safety, environmental and economic risk comparison assessments that can be used in support of pipeline
design and operation decisions. ASPIN can be used in the development of HSE Cases as part of the HSE
MS including input into Hazards and Effects Register. ASPIN identifies and assesses all potential major
hazards, evaluates the risks and the effectiveness of the various measures to reduce the risks to the lowest
practicable level.
Further Information
EP 94-0101 - ASPIN Version 1.1 Pipeline Failure Risk Assessment (Ref. 13)
EP 94-0102 - ASPIN Version 1.1 Pipeline Failure Risk Assessment (Ref. 14)
EP 94-0195 - Simplified Method for Pipeline Risk Ranking, Version 2.0 (Ref. 15)
DEP 31.40.60.11 - Gen Pipeline Leak Detection (Ref. 24).
Emergency Systems Survivability Analysis (ESSA)
Objective
Determination of the ability of the emergency systems to withstand severe accident conditions. If
performance criteria for essential safety systems are developed as part of the process which evaluates fires
and explosions an ESSA as a separate exercise may not be required.
Method
Identification of all the safety and emergency systems. Assessment of the criticality of each system with
respect to preventing escalation, protecting the Temporary Refuge(s) (TR(s)) and enabling
escape/evacuation. The critical systems are then assessed to determine their vulnerability to explosions and
fires.
Information Required
Detailed information on the type and layout of safety and emergency systems for example ESD power
systems and emergency communications. Fire and explosion scenario data from the Explosion Protection
Review (EPR) and Fire and Explosion Analysis (FEA).
Deliverables
Identification of critical emergency equipment and system locations. An assessment of the vulnerability of
the critical systems during direct and escalated events.
Overlap
ESSA is a part of the FEA process and provides information which is subsequently used in the Temporary
Refuge/Escape, Evacuation and Rescue Analysis (TR/EERA).
Further Information
Shell Expro document EN/074 (Ref. 11).
Environmental Assessment (EA)
Objective
To predict the significant chemical, biological and socio-economic effects of an activity and to make
recommendations on activities, sites, techniques and technologies to be adopted in order to maximise the
positive, and minimise the negative effects.
Method
- Acquisition of environmental description in terms of abiotic, biotic and human environments
- Identify project environmental hazards and characterise the environment
- Evaluate the magnitude and significance of environmental effects
- Determination of any environmental control and recovery management requirements.
Information Required
Site and potential waste product descriptions, project description including process materials and sources,
materials of construction, project schedule and both strategic and local economic benefits.
Deliverables
- Environmental Statement
- Agreed adjustment to design options
- Mitigation and recovery measures during operations
- Environmental report covering suggested monitoring programmes and environmental management systems. This report can be used as the basis for public meetings and exhibitions if required.
Overlap
Environmental Assessment (EP 95-0370) describes the Hazards and Effects Management Process (HEMP)
as it applies to environmental matters throughout the life cycle of a development.
Further Information
EP HSE Manual, Environmental Assessment, EP 95-0370.
Explosion Protection Review (EPR)
Objective
Determination of worst case scenarios for explosions which then define the limits required for designing
offshore installations to withstand accidental vapour cloud explosions.
Method
Explosion overpressure prediction models are used to determine the worst case peak internal explosion
overpressure and an estimate of the overpressure external to the source module. The Thornton model
SCOPE is used to determine the worst case peak confined internal overpressure and an estimate of the
overpressure external to the source area. This information is then used to assess the capacity of the blast
walls, floors, ceilings and other structural components as well as the effects of the external explosion.
Information Required
Information on the area geometry, equipment layout and structure design. Worst case assumptions are
generally made on gas concentrations, gas volumes and ignition source locations.
Deliverables
Explosion overpressure for each module with the associated effects on the module structure and an
indication of the capacity of the module to withstand the explosion. Recommendations to reduce or contain
the explosion overpressure.
Overlap
EPR is effectively a stand alone technique but is part of the Fire and Explosion Analysis (FEA) process.
Further Information
Shell Expro document EA/083 (Ref. 25).
Fire and Explosion Analysis (FEA)
Objective
A general term for a process which identifies and evaluates all fire and explosion hazardous events as a basis
for risk reduction and for preparing performance criteria for essential safety systems and the arrangements
required for Escape, Evacuation and Rescue (EER).
Method
The location and type of all potential fires (and explosions) are identified. The capability of the existing or
required fire protection (and explosion relief) measures are established together with the corresponding
performance standards. Estimates of the damage potential of each event are made. The FEA process is a
fundamental part of developing an installation Quantitative Risk Assessment (QRA) model and can either be
undertaken as part of the QRA or as a stand alone exercise providing input to the QRA.
Information Required
Detailed information on plant layout, fire areas, hazardous areas, flammable inventories, fire and safety
equipment layout, passive fire protection location, fire water piping runs and any other pertinent data.
Deliverables
All potential fire and explosion events are identified and a number subjected to more detailed evaluation.
Requirements for the essential safety systems to manage fire and explosions and for EER are identified.
Overlap
ESSA, EPR, SIA, SCA, FIREPRAN are all components of the FEA as necessary. The FEA utilises PEM.
Further Information
There is no specific guideline on FEA; it is a collective term describing a process which utilises a number
of techniques including PEM.
FIREPRAN
Objective
A structured review technique for the review and assessment of:
1. hydrocarbon release and combustion related risks in a facility
2. the fire and explosion control and recovery preparedness measures in place
3. the capability to meet the performance standards set and satisfy the objectives and criteria set for the
management of fire and explosion hazards.
To identify deficiencies and opportunities for improvement in order to meet objectives with respect to fire
and explosion management. FIREPRAN is not suited to complex, compact integrated facilities.
Method
A multi-disciplined team uses a structured HEMP compatible approach to identify hazards related to
hydrocarbon releases and explosions and develops a hazards and effects hierarchy. The hazard control
measures and related hazardous events mitigation and recovery measures are recorded in a hazards and
effects register. Potential fire and explosion scenarios are developed enabling review of the resources needed
to respond effectively to these incidents. Resources needed to respond effectively to fire and explosion
hazardous event scenarios are compared with those already in place. Results are presented with
opportunities for improved risk reduction measures as appropriate to plant criticality.
Information Required
- Process flow schemes, plot plans, plant layouts and hazardous area drawings
- Fire system and fire water piping drawings, fire areas, equipment layout, fire and blast walls and passive fire protection drawings
- Operating and maintenance philosophies
Deliverables
This technique permits the identification of hazards as well as potential, related fire and explosion scenarios.
It assists line management in the process of developing realistic, cost effective, control and recovery
measures which can be justified in terms of reducing risks to personnel, environment, assets and production,
to tolerable levels. Deliverables take the form of a hazards and effects register, fire and explosion scenario
development sheets and a set of recommendations for actions needed to achieve tolerable risk levels.
Overlap
HAZOP, QRA (for complex studies).
Further Information
EP HSE Manual, FIREPRAN, EP 95-0350.
HAZID
Objective
To identify at an early stage in a green or brownfield project or development plan the major hazards which
must be removed or managed.
Method
A multi-disciplined team review of the overall project development proposal (including infrastructure) plant
design and operation together with its impact on the local environment. The study uses a step-by-step
methodology and a checklist of guide words to identify hazards and assess the influence these hazards may
have on the project development strategy and design philosophy. The scope will encompass both current and
future life cycle issues.
Information Required (Input)
Information pack on project, its potential scope and environmental issues. All available conceptual and
preliminary drawings and development plans.
Deliverables (Output)
Input of major hazards identified to Hazards and Effects Register together with recommendations in priority
order.
An initial statement on hazard manageability and assurance needs.
Further Information
EP HSE Manual, HAZID, EP 95-0312.
HAZOP
Objective
To identify the Hazards, Effects and Operability problems relating to the process design and intended
method of plant operation which must be removed or managed in the operation.
- Coarse HAZOP - Early study to identify basic flaws in design which would be costly to correct later.
- Main HAZOP - Primary vehicle for identification of hazards, effects and operability problems. Held when the front end engineering design is almost complete so that systems can be covered in detail.
- Final HAZOP - Coverage of those systems not sufficiently developed for consideration in the Main HAZOP, particularly vendor data, and a formal review of action responses to previous HAZOPs.
- Procedural HAZOP - Identification of hazards and operability problems arising from procedures such as commissioning, maintenance and other non-continuous procedures.
Health and environmental aspects must be included on the same basis as safety.
Method
A multi-disciplined team review using a structured step-by-step methodology with the application of
parameter and guide word combinations to sections (nodes) of the system to identify hazards and operability
problems normally with a facility but also with procedures.
- Coarse HAZOP - Large nodes concentrating on major issues, requires a team of experienced senior engineers. The recommendations from a Coarse HAZOP may involve significant changes to the design.
- Main HAZOP - Rigorous application of the technique to relatively small nodes, requires a team of experienced engineers with extensive project experience.
- Final HAZOP - Rigorous application of the technique to relatively small nodes, requires similar team as for Main HAZOP with the addition of vendor representatives. At this stage recommendations should be concentrated on 'will it work' rather than 'it would improve the safety of design to have'.
- Procedural HAZOP - Application of specialised guide words to operating procedures, requires a team similar to that for main HAZOP with greater emphasis on operational personnel.
Deliverables (Output)
- Coarse HAZOP - Recommendations for adjustment to design options, QRA studies and other supporting investigations. A risk ranking may be given to assist in prioritising the actions. This list may be incorporated into the Hazards and Effects register for the project.
- Main HAZOP - Recommendations to amend the design to remove or reduce hazards and operability problems. Categorisation of the recommendations into approximate risk groups to assist in prioritising the actions. This list should be used to update the Hazard register for the project.
- Procedural HAZOP - Recommendations to amend the procedures to remove or reduce hazards and operating problems. This will allow Safety Critical Procedures/Operations to be identified.
Overlap
HAZOP is a stand alone process hazard and operability problem identification and assessment (qualitative)
tool.
Further Information
EP HSE Manual, HAZOP, EP 95-0313.
Health Risk Assessment (HRA)
Objective
The identification of health hazards in the workplace and subsequent evaluation of risk to health, taking
account of existing control measures. Where appropriate, the need for further measures to control exposure
is identified.
Method
HRA consists of a number of steps:
Step 1 Define management's role and responsibilities and allocate resources
Step 2 Define structure for implementation (identify assessment units; assessment team; job types; tasks;
hazardous agents)
Step 3 For each job type gather information on agents and their harmful effects; nature and degree of
exposure; screening and performance criteria
Step 4 Evaluate the risk to health (assign severity rating and exposure rating)
Step 5 Decide on remedial action
Step 6 Record the health risk assessment
Step 7 Review the health risk assessment.
Information Required
Detailed information on hazards and effects (e.g. toxic properties of chemicals); exposures (e.g. exposure
levels to toxic chemicals); performance of existing controls; information from health surveillance records,
etc.
Deliverables
HRA, as a tool for use as part of a company's HEMP, helps to identify, evaluate and control health risks
related to the company's operations to a level 'as low as reasonably practicable'. The recommendations
emerging from the HRA provide the input into the HSE Management System to ensure ongoing control of
health risks and continual improvement in health performance.
Further Information
SHSEC Guide (Ref. 2) and references contained within that document.
Job Hazard Analysis
Objective
Identification of potential problems within a job task that could lead to hazardous situations. Elimination or
reduction of the hazard by development of safe working procedures.
Method
The method is derived from Task Analysis. It is a structured step-by-step team analysis of the job. Initially
the job is broken down into individual steps which are then analysed sequentially to identify potential
injuries to personnel, damage to equipment and pollution of the environment. The controls and preventative
measures are considered and if found to be inadequate remedial recommendations are made. Consideration
is also given to the establishment of recovery measures if necessary.
Information Required
Job description, plans and drawings. Historical records of accidents and near misses. Team members with
technical competence relevant to the job being analysed.
Deliverables
Step-by-step analysis of each job highlighting potential departures from normal practice, with associated
hazards and recommendations for remedial action. The analysis also identifies the accident prevention
responsibilities for key personnel. The report can also be used as the basis for the development/modification
of operating/working procedures.
Overlap
Job Hazard Analysis is a stand alone technique but is often used in conjunction with the PTW system.
Further Information
EP HSE Manual, Job Hazard Analysis, EP 95-0311.
Physical Effects Modelling (PEM)
Objective
To model the physical behaviour of the potential release of a hazardous fluid or substance and subsequent
related events to determine a measure of the effect, in terms of loading, on people, the environment and
assets for each potential outcome.
Method
The physical effects, such as dispersion, explosion overpressures and heat radiation, are calculated as input
to assess potential extent of loss of life or damage. Use of step-by-step modelling allows potential escalation
scenarios to be assessed.
Information Required
- Detailed information on: physical properties, such as density and toxicity; environmental factors, such as wind velocity, humidity, ambient temperature, and geometrical obstructions, confinement, etc.
- Information on process flows and any mitigating measures, such as inventory ESD or blowdown systems.
- Access to sophisticated consequence modelling computer programs, e.g. FRED, HG SYSTEMS and SCOPE.
Deliverables
Data on the potential consequential loadings of previously identified hazardous scenarios with respect to the
potential effects to personnel, the environment and the facilities.
Overlap
Input data for Physical Effects Modelling can be generated from hazard identification techniques contained
in FIREPRAN, QRA and HAZOP.
Physical effects modelling may be used as an aid to Quantitative Risk Assessment (QRA), FIREPRAN,
PHR, Plant Layout Methodology (PLM) and Fire and Explosion Analysis (FEA). Output from physical
effects modelling will provide input to physical response assessment (e.g. SCA) and consequent modelling.
Further Information
EP HSE Manual, Physical Effects Modelling, EP 95-0314.
Process Hazard Review (PHR)
Objective
An assessment of the safety status of existing process plant. It is intended for use when a plant has been in
operation for a considerable time and/or has undergone equipment modifications and operation changes. It is
used to provide an HSE Assurance report for ongoing operations in advance of major modifications or for
life extension evaluations.
Method
PHR is an 'expert review' led by an experienced leader, containing design engineers but heavily weighted
towards plant operators and maintenance staff. The review primarily focuses on potential causes of 'loss of
containment'.
The study progresses through the plant looking at each major equipment item, applying a leader's checklist
(aide-mémoire) of causes of loss of containment. The current design and operation of the plant is assessed
and a critical examination made of the revision history to identify any causes of release resulting from
changes to the design and operation of the equipment item since commissioning.
The team also reviews any hazards arising from variations (due to the age of the plant) from current design
or operating standards.
Information Required
The technique assumes that most of the drawings are near to current status. The meetings are normally held
on the plant with regular site visits to check any details not 'as built' on drawings. The latest version of the
Process Engineering Flow Schemes (PEFS) is used as the major study document to ensure complete
coverage of the scope of the study. Additional information required includes the cause and effect diagrams
and the full revision history and incident reports for the plant together with changes in the operating
envelope and operation/maintenance procedures.
The expertise of the team is of critical importance. Where data are incomplete the PHR technique is
applicable but success relies heavily on the study team containing operating staff with considerable depth of
experience and knowledge of the plant throughout its operating life.
Deliverables
A report showing the identified hazards, their causes and the concern of the team together with
recommendations for any remedial action including, if appropriate, more detailed HAZOP in discrete areas.
Overlap
HAZOP, FIREPRAN, Technical Audit.
Further Information
SIEP.
Platform Layout Methodology (PLM)
Objective
Provision of an auditable framework within which the essential processes in the development of an offshore
platform topsides layout can be structured.
Method
- Establishment of the functional shape of the facility with due regard to safety and operational constraints
- A structured approach is used to select layout preferences based on the inherent active and reactive behaviour characteristics of equipment items with due regard for separation distances and physical barriers
- Consideration of previously identified hazardous scenarios to identify those which are highly likely to reach adjacent areas of the facility.
Information Required
Facility layout drawings and any available information from physical effect and consequence modelling.
Deliverables
A structured auditable description of the development of an offshore platform topsides layout.
Overlap
Input data from PEM and consequence modelling.
Further Information
EP 90-2500 (Ref. 9)
EP 91-1600 (Ref. 7)
EP 91-1601 (Ref. 8).
A similar document describing an onshore layout procedure is planned.
RISER
Objective
Assessment of risks of pipeline riser on or near platforms with comparative risk analysis to assess the
benefits of subsea valve installation on pipelines.
Method
The method is based on the following steps (using the information required described below):
- definition of release cases using clear selection rules
- failure frequency estimation (using a standard historical data set modified where needed to allow for local factors)
- consequence modelling (from release rate calculations using models for dispersion, jet fires, explosions, etc)
- impact assessment (determination of fatalities/damage and probabilities followed by event tree analysis)
- risk calculation (determination of total risk for the riser system).
Information Required
Platform and pipeline engineering data, personnel numbers and distribution, environmental data and
evacuation systems.
Deliverables
Data on the comparative risk expressed as Potential Loss of Life (PLL).
Overlap
Input data from hazard identification techniques such as FIREPRAN, Quantitative Risk Assessment (QRA)
and Hazard and Operability Studies (HAZOP).
Output data are used in Quantitative Risk Assessment (QRA), FIREPRAN, Plant Layout Methodology
(PLM) and Fire and Explosion Analysis (FEA).
Further Information
EP 90-1045 RISER Riser Safety Evaluation Routine (Ref.16).
SAFOP
Objective
Identification of potential hazards to personnel in the vicinity of electrical systems. Critical assessment of
electrical network and plant design and analysis of operator actions to determine areas of potential operator
error. Making recommendations to eliminate or reduce risks.
Method
A multi-disciplined team and a structured step by step methodology are used.
SAFAN - Hazards present in construction, commissioning and operation of electrical systems are
examined in relation to the safety of personnel in the vicinity.
SYSOP - Examination is made of the control systems, the main items of plant and their auxiliaries in
relation to any limitations and their effects on the overall system operability.
OPTAN - Considers probable tasks to be undertaken during normal and upset conditions. The usability
of equipment and clarity of instructions are reviewed with the aim of reducing the potential for human
error to as low as is reasonably practicable.
Information Required
Detailed electrical system design and layout drawings, control circuit diagrams, system designs and
functional specifications, and electrical system operating and emergency procedures.
Deliverables
Report detailing the findings of the audit and, where necessary, making recommendations categorised as
Strongly Recommended, Advice or Information Required (call for further information).
Overlap
SAFOP is a stand alone technique but it has some overlap with Job Hazard Analysis EP 95-0311, Human
Factors Analysis EP 95-0324 and Procedural HAZOP.
Further Information
DEP (Ref. 5) under preparation. Until release consult Electrical Engineering. Refer to SIEP.
Smoke Ingress Analysis (SIA)
Objective
Determination of the rate of build-up of gases and smoke in and around designated Temporary Refuges
(TRs) and the effect this will have on TR integrity and the ability of occupants to survive. The SIA is an
integral part of Escape Evacuation and Rescue Analysis/Temporary Refuge (EERA/TR) but is so significant
that it has been documented separately.
Method
Input on the type, size and duration of potential fires is taken from the Fire and Explosion Analysis (FEA).
Each scenario will then be analysed to determine the concentration of smoke and gases at the boundary of
the TR and subsequently the build-up inside and around the TR. Consideration is given to the dilution and
dispersion effects that may occur between the fire source and the TR. Assessment is also made of the leak
paths and any localised over or under pressures caused by wind effects in order to determine the rate of
ingress to the TR. If available, actual installation test data are used to increase the realism of the SIA.
Information Required
Installation layout drawings, details of TR construction and the details of the fire scenarios from the FEA.
Leak test data for the TR.
Deliverables
Identification of scenarios that have the potential to affect the TR significantly in terms of smoke or gas
ingress at build-up rates which would impair TR integrity or impact on the emergency response capability.
Overlap
The results from the SIA are used in TR/EERA analyses.
Further Information
Shell Expro document EN/066 (Ref. 26).
Note:
There are several practical and theoretical problems with the methodology in EN/066. The model is
written in Supercalc 5 which is not a Shell-supported package and there may be considerable
difficulty in running the software. Expro are planning to revise EN/066 to provide guidance on
smoke, heat, CO and low oxygen impairment of the TR. This work is planned to also overcome the
technical limitations of the current methodology and to incorporate results of relevant research in
these areas.
SCA
Objective
Assessment of the response of a structure under fire conditions. Determination of the extent of any failure
under fire loading and, if necessary, proposal of remedial measures.
Method
Coarse analysis is based on determining the time to failure of the structure from linear elastic techniques.
This analysis determines those structures which are critical and which should be the subject of more
detailed analysis.
Detailed analysis is based on non-linear analysis methods. These allow the true collapse load of the
structure to be estimated by modelling elastic-plastic behaviour of the structure at elevated temperatures.
The USFOS analysis program may be used for these studies.
Information Required
Details of potential fires from FEA, data on the type and layout of existing fire protection facilities.
Detailed structural drawings.
Deliverables
Report on the ability of the structure to withstand the fire scenarios identified. This will reveal if
the potential exists for fire to lead to progressive collapse of the structure or loss of the TR within the
required endurance period. If necessary, recommendations for remedial actions and distribution of protective
equipment should be made.
Overlap
Input data is required from Fire and Explosion Analysis (FEA) and physical effects modelling. SCA may be
used in QRA.
Further Information
Expertise and advice should be sought from SIEP Structural engineering function.
EERA/TRA
Objective
Analysis of escape to TR, the provisions within the TR system, and Evacuation, Escape and Rescue with
respect to the major scenarios previously identified for comparison against respective acceptance standards
highlighting critical elements and revealing any shortfalls.
Method
The EERA/TRA comprises three related elements:
a goal analysis which considers how the goals for the EER process will be satisfied in likely EER
situations as a basis for determining the adequacy of the proposed arrangements
an escape and evacuation time analysis which considers the time needed to complete all phases of the
EER process under conditions which may be present when there is a need for EER
a TR impairment analysis to determine the frequency that the TR and related evacuation facilities will be
impaired.
Information Required
Detailed information on the TR/EERA provisions and details of the major hazard scenarios identified.
Details of installation layout including muster stations, refuges, evacuation points and escape to sea
facilities. Input data from Fire and Explosion Analysis (FEA), Smoke Ingress Analysis (SIA) and
Emergency Systems Survivability Analysis (ESSA).
Deliverables
A formal record of the EER facilities and arrangements with details of the direct and escalated impact of the
identified hazard scenarios coupled with considerations on the likelihood of their occurrence.
Overlap
Input data required from FEA, SIA and ESSA. The results of the TR/EERA may be used in the QRA.
Further Information
Shell Expro document - EA/032 (Ref. 27) and DEP 37.17.10.11 Gen (Ref. 12).
THESIS
Objective
To provide a structured method for building, using and maintaining Safety (HSE) Management Systems and
Cases. To store Safety (HSE) Management System and Case data in an electronic relational data bank on a
computer for easy access and use and generate HSE Cases in a consistent structured manner.
Method
THESIS provides checklists, models, prompts and facilitates structured brainstorming to identify the hazards
and effects and critical activities of an operation. Once the hazards and effects and activities are identified a
process is provided to document and qualitatively assess the controls in place and identify shortfalls. It uses
workforce experience and engineering judgement to identify and qualitatively assess the HSE management
system in use. The build process is designed to provoke and facilitate discussion concerning the degree of
existing hazard control provided and how adequately HSE critical activities are performed.
Information Required
Personnel with detailed working knowledge of the operation or installation for which the Case is being
prepared. Operational information about the operation or installation such as operating manuals, inspection
and maintenance manuals, equipment standards and specifications, environmental and health standards,
specifications and monitoring data.
Deliverables
Safety or HSE Case data stored on a computer in a relational data bank for easy access and use. Printed
reports are generated which provide a fully documented record of the build and assessment process carried
out including the 7 part Safety (HSE) Case document, Hazard Registers, HSE MS Specification Sheets, a list
of shortfalls and many more. Once completed, HSE specialists, managers, supervisors and operators have
the information needed at their fingertips to implement their HSE management system. They can use
THESIS to assess the HSE implications of proposed actions and changes.
Overlap
THESIS is a stand alone tool. It is designed to be complementary with other management systems such as a
maintenance management system.
Further Information
EP HSE Manual, THESIS, EP 95-0323.
Tripod-BETA
Objective
To facilitate accident or incident investigation and analysis by providing the means to assemble and
manipulate investigation information into a logical structure consistent with the Tripod accident causation
model and the hazards and effects model of SMS (HSE MS).
Method
A PC tool which provides the means to record information from the investigation, linking related
information on events, people, damage, locations, etc.
Information is transferred to a screen where it can be manipulated and linked as nodes in a BETA tree.
Nodes are classified, the connecting logic tested and anomalies flagged for amendment. Nodes are assigned
General Failure Type (GFT) classifications.
Information Required
Accident or incident investigation data.
Deliverables
A draft report for final editing, presenting salient details of the events, actual and potential damage,
failures and identified causes
A BETA tree diagram
GFT profile for the accident/incident.
Overlap
Tripod-BETA is a stand-alone technique.
Further Information
EP HSE Manual, Tripod-BETA, EP 95-0321
Tripod-DELTA
Objective
The proactive identification of potential latent failures that could lead to hazardous situations and the
development of remedial actions to be taken to reduce or eliminate such hazards.
It is used where there are few incidents providing information on causation, and therefore tries to avoid
'requiring incidents to improve'.
Method
Development of indicator question database. These are used in the form of yes/no answer questions to
reveal the presence of General Failure Types (GFT) in the operation or organisation
Tripod-DELTA Profiling: derivation of checklists based on the indicator questions, answering of
indicator questions, analysis of answers. Results are presented as a Failure State Profile. The analysis
identifies those areas where remedial action is required.
Information Required
Access to personnel with detailed working knowledge of the operation or organisation being analysed.
Deliverables
The Failure State Profile indicates the extent to which each of the 11 GFTs is present in the system under
study. This allows remedial actions to be prioritised.
Overlap
Tripod-DELTA is a stand alone technique.
Further Information
EP HSE Manual, Tripod-DELTA, EP 95-0320
APPENDIX V
EXAMPLE OF FURTHER DEFINITION OF CONSEQUENCE -
SEVERITY RATING FOR RISK MATRIX
Table V.1 Example of further definition of consequence - severity rating for risk matrix
| Severity | People, Injury: Potential Impact | People, Injury: Definition | People, Health: Potential Impact | People, Health: Definition | Assets*, Equipment: Potential Impact | Assets*, Equipment: Definition |
|---|---|---|---|---|---|---|
| 0 | No injury | No injury or damage to health | No injury | No injury or damage to health | No damage | No damage to equipment |
| 1 | Slight injury | Not detrimental to individual employability or to the performance of present work | Slight injury | Not affecting work performance or causing disability. Agents which are not hazardous to health | Slight damage | No disruption to the process, minimum cost of repair (below $10,000) |
| 2 | Minor injury | Detrimental to the performance of present work, such as curtailment of activities or some calendar days to recover fully, maximum one week | Minor injury/illness | Affecting work performance, such as restriction to activities (Restricted Work Case) or a need to take a few calendar days to recover fully. Agents which have limited health effects which are reversible, e.g. irritants, many food poisoning bacteria | Minor damage | Possible brief disruption of the process; isolation of equipment for repair (estimated cost below $100,000) |
| 3 | Major injury | Leading to permanent partial disablement or unfitness for work or detrimental to performance of work over extended period, such as long term absence | Major injury/illness | Resulting in permanent partial disability or affecting work performance in the longer term, such as a prolonged absence from work. Agents which are capable of irreversible damage without serious disability, e.g. noise, poorly designed manual handling tasks | Localised damage | Plant partly down; process can (possibly) be restarted (estimated cost of repair below $1,000,000) |
| 4 | Single fatality | Alternatively victim with permanent total disablement or unfitness for work. Also includes the possibility of multiple fatalities (maximum 3) in close succession due to the incident, e.g. explosion | Permanent total disability or fatality (small exposed population) | Agents which are capable of irreversible damage with serious disability or death, e.g. corrosives, known human carcinogens | Major damage | Partial loss of plant; plant shut down (for at most two weeks and/or estimated repair costs below $10,000,000) |
| 5 | Multiple fatalities | May include four fatalities in close succession due to the incident, or multiple fatalities (four or more) each at different points and/or with different activities | Multiple fatalities | Agents with potential to cause multiple fatalities, e.g. chemicals with acute toxic effects (e.g. hydrogen sulphide, carbon monoxide), known human carcinogens | Extensive damage | Total loss of the plant; extensive damage (estimated cost of repair exceeds $10,000,000) |
* Assets are understood as referring to: the oil and gas reservoirs, production facilities, pipelines, money, capital, and other Opco and third party
property
Table V.1 Example of further definition of consequence - severity rating for risk matrix
(continued)
| Severity | Environment | | | | Reputation | |
|---|---|---|---|---|---|---|
| 1 | Slight effect | Negligible financial consequences, local environmental risk within the fence and within systems | <10 | 0-100 | Slight impact | Public awareness of the incident* may exist; there is no public concern |
| 2 | Minor effect | Contamination, damage sufficiently large to affect the environment, single exceedance of statutory or prescribed criteria, single complaint, no permanent effect on the environment | <100 | 100-1,000 | Limited impact | Some local public concern; some complaints received; slight local media and/or local political attention with potentially negative aspects for Opco operations |
| 3 | Localised effect | Limited loss of discharges of known toxicity, repeated exceedance of statutory or prescribed limit and beyond fence/neighbourhood | 100-1,000 | 1,000-10,000 | Considerable impact | Regional public concern; numerous complaints; extensive negative attention in local media; slight national media and/or local/regional political attention with possible negative stance of local government and/or action groups |
| 4 | Major effect | Severe environmental damage, the Opco is required to take extensive measures to restore the contaminated environment to its original state. Extended exceedance of statutory or prescribed limit | 1000-10,000 | 10,000-100,000 | National impact | National public concern; continuing complaints; extensive negative attention in national media and/or regional/national politics with potentially restrictive measures and/or impact on grant of licences; mobilisation of action groups |
The above table is an example for crude oil contamination. For other chemical discharge criteria, environmental experts should be consulted.
Incidents relating to air, noise, smell, light and soil vibrations should be addressed on the basis of expert judgement and, in the case of
uncertainty, local expertise may be called in.
* 'Incident' as used in Severity level 1 must be seen as the source of the concern for all severity levels. It is defined in the glossary, but note that
it includes an environmental problem, an event or chain of events which has caused or could have caused spills, leaks, complaints, public
concern, issue debates, failing to follow commitments and so forth.
'Public' must be seen as encompassing a wide range including 'opinion formers', e.g. environmental scientists; groups; politicians; authorities (of
various types); media (scientific, general).
APPENDIX VI
WHEN TO USE QRA
Guidance is given below which addresses the cases when QRA is likely to be of benefit and when it
is not. Each individual case should be treated on its merits. Further advice is given in EP 95-0352.
Quantified Risk Assessment (QRA) is used to:
(i) assist with final major decision-making with respect to design options
(ii) provide a basis for further design optimisation during completion of conceptual engineering and
detailed engineering and (ultimately) to reach risk levels regarded as As Low As Reasonably
Practicable (ALARP)
(iii) confirm to senior management, shareholders and the Regulator that risk criteria will be achieved.
At the end of detailed engineering, i.e. when all optimisation has been completed, the risk assessment
is issued in the form of a final report for input to the HSE Case. This is intended to demonstrate that
the risk criteria have been achieved and that the risk is as low as reasonably practicable.
This is the case unless the layout is so well spaced-out that the workforce is for the majority of the
time outside the maximum effect area of the high pressure hydrocarbon production/process
facilities and the risk of escalation is considered to be negligible.
onshore plants
This is where the public is within the maximum effect radius and/or where the plant is complex
and the hydrocarbon processing equipment cannot be spaced to minimise the risk of escalation.
In other cases, physical effects modelling combined with other non-quantitative methodologies may
be sufficient to manage the hazards.
GLOSSARY
The general glossary for the EP HSE Manual is now in a separate Section EP95-0010 Glossary.
REFERENCES
1 MF 92-0130 Issue 4, Technical HSE Reviews and Fire Safety Reviews: Checklists Planning
and Execution, Shell Manufacturing Division, March 1995.
3 ISBN 0 11 430020, Understanding Stress - Part Two Line Managers' Guide, HMSO, June
1992.
4 Chemical Hazards: Health Risk Assessment and Exposure Evaluation, SHSEC, 1995.
7 EP 91-1600, Layout Considerations for Offshore Topsides Facilities, Volume II, Step by Step
Procedure and Template, SIPM, 1991.
8 EP 91-1601, Layout Considerations for Offshore Topsides Facilities, Volume III, 'Ariadne'
Demonstrator, SIPM, 1991.
13 EP 94-0101, ASPIN Version 1.1 Pipeline Failure Risk Assessment, User Manual, Worked
examples, December 1993.
14 EP 94-0102, ASPIN Version 1.1 Pipeline Failure Risk Assessment, Reference Manual,
December 1993.
15 EP 94-0195, Simplified Method for Pipeline Risk Ranking, Version 2.0, January 1994.
20 HSE 94023, Medical Emergency Guidelines for Health Care Professionals and First Aiders,
January 1995.
23 EP 95-7000, EP Business Model (Version 3.0), Flowcharts and Description of Process Activities,
SIEP, 1995.
27 EA/032, Escape, Refuge, Evacuation and Rescue - Offshore Installations, Shell Expro.
30 ISBN 0 11 8859889, Successful Health and Safety Management, UK Health and Safety
Executive, HMSO, 1991.