Hazard. Norma Shell. Shell Standard

Shell International Exploration & Production B.V.
Overview Hazards
and Effects
Management
Process
EP 95-0300
HSE
MANUAL
Revision 0: 16 October 1995

EP HSE Manual Amendment Record Sheet
Section Number: EP 95-0300
Section Title: Overview Hazards and Effects Management Process
Rev Chapter Description to amendment Date Amended by

Nos. dd/mm/yy
No.
0 All Original hard copy and CD-ROM issue * 16/10/95 EPO/61
* In this publication, some of the figures have been colour enhanced. This was done after the issue of the CD ROM.
The next issue of the CD ROM will include these enhancements. There is no difference in content.
Contents
Contents
1 Introduction 1 4 Structured Review
Techniques 17
1.1 Elements of the HSE Management
System 1 4.1 Identify Hazards and Potential
Effects 17
1.2 Tools for the Hazards and Effects
Management Process 2 4.2 Evaluate Risks 19
1.2.1 Selection of tools 2 4.2.1 Scenario development
(causes) 20
1.2.2 Application and competence 2
4.2.2 Probability 20
2 Hazards and Effects 4.2.3 Consequence analysis 20
Terminology 3
4.2.4 Determination of risk 22
2.1 Hazards, Effects and Incidents 3
4.2.5 Quantitative Risk
2.2 Threats and Barriers 4 Assessment (QRA) 22
2.3 Consequences, Mitigation and 4.2.6 Screening criteria:
Recovery Preparedness Measures 4 limits/standards 26
2.4 Risk 8 4.3 Record Hazards and Effects 26
2.5 Fault and Event Trees 9 4.3.1 Records 26
2.6 Likelihood and Consequence (or 4.3.2 Hazards and effects register 26
Effect) 9 4.3.3 Manual of Permitted
Operations (MOPO) 27
3 Hazards and Effects 4.4 Compare with Objectives and
Management Process (HEMP) 11 Performance Criteria 27
3.1 The Steps in the Process 11 4.5 Establish Risk Reduction
3.2 Implementation of HEMP 12 Measures 27
3.2.1 Assets: planning and review 12 4.5.1 General 27
3.2.2 Activities: planning and 4.5.2 Control of release of hazards

review 13 and effects 27
3.3 Approaches to the Hazards and 4.5.3 Recovery preparedness

Effects Management Process 13 measures 28
3.3.1 Experience/judgement 14 Appendix I Activities: Planning

3.3.2 Checklists 14 and Review HEMP Tools and
Techniques 30
3.3.3 Codes and standards 14
3.3.4 Structured review Appendix II Assets: Planning
techniques 15 and Review HEMP Tools and
Techniques 31
EP 95-0300 Revision 0: 16 October 1995 i

HSE Manual EP 95-0300 Overview Hazards and Effects Management Process
Appendix III Hazards and Effects

Hierarchy 33
Appendix IV Structured Review

Techniques Summary Description
Sheets 52
Appendix V Example of Further

Definition of Consequence -
Severity Rating for Risk Matrix 74
Appendix VI When to use QRA 76
Glossary 78
References 81
ii EP 95-0300 Revision 0: 16 October 1995

1 Introduction
1 INTRODUCTION
Volume 3 of the EP HSE manual is concerned with the tools and techniques which are available to
achieve the management of HSE issues. It is a first reference for all those involved in EP business
activities particularly those who are responsible for the management of hazards and their effects.
The objectives of Volume 3 are to:
provide a general overview of the Hazards and Effects Management Process

describe the tools and techniques most commonly used in Shell EP
assist in the selection of the appropriate tools and techniques
provide guidance on the integrated application of the tools and techniques and outline how the
results are to be incorporated within the HSE Management System.
This document, EP 95-0300, provides an overview of Volume 3 and describes:
the need, within the context of an HSE Management System, to define both the techniques and
tools commonly in use together with the competencies required for their effective application
the more common terminology and concepts used in the analysis of hazards and effects and the
determination of risk
the stages of the Hazards and Effects Management Process and its role within the HSE
Management System. The role of experience, codes and standards, checklists and structured
techniques are discussed
in summary the various structured review techniques available in Shell to support the process.
1.1 Elements of the HSE Management System

The HSE Management System contains the following elements which are described fully in
Volume 1.
Leadership and Commitment

Policy and Strategic Objectives
Organisation, Responsibilities, Resources, Standards and Documents
Hazards and Effects Management Process (HEMP)
Planning and Procedures
Implementation and Monitoring
Audit
Review
The Hazards and Effects Management Process (HEMP) is central to the effective implementation of
the HSE Management System. The process ensures that hazards and potential effects are fully
evaluated. To do this they must first be identified then assessed and then mitigation and recovery
preparedness measures put in place to reduce the consequences of any remaining risk. To achieve this
a number of tools and techniques are used. These are described in this Volume.
(Specific guidance on when to use the techniques within various business activities is given in
the relevant sections of Volume 2, e.g. EP 95-0230 Design, EP 95-0220 Appraisal and
Development, etc.)
EP 95-0300 Revision 0: 16 October 1995 1

1.2 Tools for the Hazards and Effects Management Process

1.2.1 Selection of tools
The objectives set out in the HSE Management Systems (HSE MS) and subsequently the HSE Case
effectively become the acceptance criteria for the risk determined in the hazards and effects
management process. There are many publications and documents available describing tools and
techniques for hazards and effects management some of which are marketed commercially. These
techniques are often developed in isolation and may be inappropriate for use within EP. They may
also be unnecessarily time consuming, not cost effective or may overlap.
This document is designed to identify, specify and aid the effective selection of an integrated suite of
tools and techniques. Most of these have been in use for some time. The various tools and techniques
have been collated for ease of reference, to demonstrate their relationship to each other and to
describe their input to the HSE MS and HSE Case. As stated above this document does not specify
when to use the tools, this is done in the documents describing the business activities. A very broad
framework of tools, techniques and guidelines used in hazards and effects identification and
assessment during the life cycle is provided in Appendices I and II.
Codes, standards, checklists, as well as individual experience and judgement are in no way replaced
by any of these techniques and continue to play a vital role.
1.2.2 Application and competence

Successful application of a technique is largely dependent on the experience of the personnel using it.
For this reason, familiarity, competence and training are important factors to be taken into
consideration when planning and resourcing projects and drafting contract specifications. The
competence levels required to operate these techniques effectively may then be identified and the
relevant resources secured.
The application of tools in the hazards and effects management process such as Environmental
Assessment, Health Risk Assessment and QRA will continue to involve specialists but their output
can now be brought together with other studies in a common HSE Management System. Specialist
assistance when using other tools and techniques may also be necessary. However the successful
application of any tool and technique will always be dependent on the participation of the staff
involved in the activities under study. Most of the tools described require a multi-disciplinary
approach.
Health, Safety and Environmental Management is no different from any other aspect of EP business
and remains a line responsibility. HSE therefore falls under the same management and management
system. H, S and E have been considered together in this document although external reasons may
exist for presenting certain studies separately. For example, when two separate authorities deal with
safety and environmental
2 EP 95-0300 Revision 0: 16 October 1995

2 Hazards and Effects Terminology
2 HAZARDS AND EFFECTS TERMINOLOGY

This chapter provides an overview of the more common terminology and concepts used in the
analysis of hazards and effects and the determination of risk.
A comprehensive list of terms and their definitions is provided in the glossary of this document.
2.1 Hazards, Effects and Incidents

A hazard is defined as:
'The potential to cause harm, ill health or injury, damage to property, plant, products or the
environment, production losses or increased liabilities'. This definition can be extended to include
social/cultural disruption.
This represents a specific use of the word hazard which in more common usage can mean danger,
chance or risk. Risk is defined in 2.4. It is important to recognise the adopted definition of this basic
term and to be consistent when using common techniques. Hazards should not be confused with
hazardous activities (e.g. drilling). Examples of hazards are: hydrocarbons under pressure, objects at
height , electricity. Appendix III contains a listing of generic hazards.
The terms 'chronic' and 'acute' are introduced in Volume 1 and are used to differentiate between
hazards and effects associated with continuous discharges and occupational exposure (prolonged) and
those relating to one off events, (health, safety and environmental incidents) which might include
poisoning, oil spills, fires and explosions.
In environmental terms, 'chronic' effects are sometimes referred to as 'routine' and are defined as the
result of planned emission or discharge to the environment. Such releases may include flaring of gas,
or discharge to sea of produced water following repeated and prolonged exposure to relatively low
levels or concentrations of a hazardous agent.
The aim is to control all health and environmental hazards and effects within defined limits. For
health, for example, controls for benzene define levels in air for long term exposure. For environment,
for example, controls for flaring may include limiting the volume of gas disposed of, defining criteria
for the combustion efficiency and defining environmental quality standards for combustion products.
Similarly, control of noise emission will be based on noise limits which will be set for a given
location.
An effect in the context of this manual is usually an adverse effect either on the health or safety of
employees or the public. An environmental effect is any direct or indirect impingement, whether
adverse or beneficial, upon the environment of the activities, products and services of the company.
This also includes impact on social and cultural systems.
The undesired release of a hazard is a hazardous event. If the hazardous event is the first event
resulting from the release of a hazard then it is called a 'Top Event'. This is the undesired event at the
end of the fault tree and at the beginning of an event tree (see 2.5). In the context of environmental
routine hazards, the undesired event can relate to the breaching of defined limits, such as oil in water
discharged to sea or noise levels in and around locations, or in the context of health hazards, this
relates to exceeding occupational exposure limits and other standards for the full range of agents
hazardous to health.
An incident is an unplanned event or chain of events which has caused or could have caused injury,
illness and/or damage (loss) to assets, revenue, the environment or third parties. An incident involves
the release or near release of a hazard which includes the exceedance of defined limits.

2.2 Threats and Barriers

A threat in the context of this document is something that could potentially cause the release of a
hazard and result in an incident. Examples of these causes or threats are corrosion, fatigue damage,
poor visibility, overpressure, lack of knowledge/competence, etc.
To prevent a threat or combination of threats ultimately resulting in the release of a hazard, some kind
of countermeasures are necessary. These measures are called barriers. In the case of corrosion as a
threat, for example, appropriate barriers could be a corrosion-resistant coating, inspection
programmes or corrosion allowances. For overpressure one barrier would be a pressure relief system.
Environmental barriers could include operational controls, e.g. traffic restrictions for noise, or
hardware controls, e.g. provision of water treatment equipment. Health barriers include, for example
local exhaust ventilation (LEV) and PPE.
Barriers may be physical (shields, isolation, separation, protective devices) or non-physical

(procedures, alarm systems, training, drills).
2.3 Consequences, Mitigation and Recovery Preparedness

Measures
Should the barriers fail to prevent or avoid the release of a hazard then some kind of counter measures
are required to limit the consequences of the hazardous event or effect. The purpose of these
countermeasures is the mitigation of consequences and to aid in reinstatement. One example of
mitigation is a fixed fire protection system, another would be the evacuation of personnel from the
area. Those measures aimed at reinstating or returning the situation to a normal operating condition
are also called recovery preparedness measures. All such measures ranging from the first steps in
mitigation through to reinstatement of the operation are termed recovery preparedness measures.

Figure 2.1 Terminology: acute or incidental release (safety example)
THREATS ESCALATION
Hazard :
Hydrocarbon gas
under pressure
Examples:
Corrosion Fire
Pressure Vessel
Erosion
Impact
Rupture and Leak
Hazardous
Event
Leak ! Fire
First Hazardous Event

or
Top Event
Inspection Corrosion Detection Detection Plant Detection

Allowance Process ESD Separation and
Shutdown Deluge
Threat Barriers Recovery Preparedness Measures

and Mitigation Measures
CAUSATION CONSEQUENCE

Figure 2.2 Terminology: chronic or routine release (environmental example)
THREATS ESCALATION
Ecological damage
Water supply contamination
Irrigation contamination
Hazard : Liabilities
Effluent Reputation
Examples: Treatment system

Input Changes Pollution
Maloperation
Malfunction
Discharge
Hazardous
Event
Discharge
ppm Limit Exceeded !
Pollution
ppm
ppm
Limit

or
Top Event
Auto Level Procedures Alarm System Divert to Plant Clean-up

Alarm Sampling Shutdown Holding Shutdown Plan
Tanks


Figure 2.3 Terminology - Chronic or Routine Release (Health Example)
THREATS ESCALATION
Increased risk :
Hazard:
Leukaemia
Toxic vapour
Liabilities
Loss of reputation
Examples:
Corrosion
Handling of toxic chemical
Maloperation
Leaking flanges
Release of benzene
Increased
risk of
leukaemia
Exposure to benzene
exceeding OEL* !
ppm
ppm
Limit

or
Top Event
Vapour Return Procedures Local PPE Biological Epidemiology
System Exhaust Monitoring
Ventilation
* OEL Occupational Exposure Limit


Figure 2.4 Cause consequence diagram (bow tie)
2.4 Risk
Risk is the product of the probability that a specified undesired event will occur and the severity of
the consequences of the event. To determine the risk of a specific hazardous event taking place
therefore requires information on the likelihood of the event taking place and the severity of the
adverse consequences that could be expected to follow from it. Risk is a term which combines the
chance that a specified undesired event will occur and the severity of the consequences of the event.
To determine the risk associated with a specific 'hazardous event', information is therefore required
on the chance of the event taking place and the severity of the consequences that might be expected to
follow from it. Risk is sometimes also defined as the product of probability and the severity of
consequences.
The terms 'probability', 'likelihood', 'frequency' and 'chance' are often used interchangeably however
in the HEMP terminology, the following apply and should be consistently used:
llikelihood and chance both indicate the possibility of something happening
frequency is a rate, e.g. number of incidents per hour
probability is a ratio
It indicates the number of chances of something happening to the total number of chances.

2.5 Fault and Event Trees

A common way of understanding the possible threats or causes that could lead to the unplanned
release of a hazard is to present them diagrammatically using a fault tree. In a similar way after the
release of a hazard an event tree may be used to determine and display the potential outcomes or
consequences.
Fault Tree Analysis is used to show the sequence of possible threats or causes that could lead to the
release of a hazard. The fault tree leads to a single point where the undesired event has taken place or
where the hazard has been released. This is known in risk assessment terms as the Top Event and
represents the transition from the Fault Tree (threats/causes) to the Event Tree (consequence).
The Event Tree is made up of nodes which correspond to the different stages in an escalating incident
sequence. The lines which lead out of each node correspond to the paths of success or failure in
mitigation of the incident.
The whole sequence showing the progression from any cause, (Fault Tree) through the Top Event to
the full range of consequences (Event Tree), for a single hazard can be represented in a single
diagram (often called a 'bow tie') as shown in Figure 2.4. In a quantitative assessment such as QRA, a
number of hazards will be considered together, however in qualitative assessment it is normal to
consider one hazard or one bow tie.
For qualitative and quantitative risk assessment the same process is used (i.e. bow tie) but in QRA,
risks are quantified initially per Top Event then summated for a number of scenarios and hazards.
2.6 Likelihood and Consequence (or Effect)

The Likelihood of a Top Event occurring may be determined by quantitative evaluation of the
possible threats or from historical data bases.
Lack of good data may limit the development of a fault tree however in some circumstances the
historical frequency of the top event may provide an adequate timate.
Consequence analysis can be applied to assess HSE aspects for a range of scenarios and typically
involves the use of predictive models. Examples include the use of:
physical effects models for predicting the behaviour and loading from potential hydrocarbon
releases (dispersion, fire, radiation, explosion and smoke) in terms of flammable limits, heat
radiation, explosion overpressure, etc
physical consequence models for predicting the consequence of the effects of hydrocarbon release
events (structural damage, vessel integrity loss, etc)
air and water dispersion models for predicting the behaviour of discharges to the atmosphere or
water bodies respectively
The tools and techniques used for both likelihood and consequence analysis are described in
Chapter 4.

This page intentionally left blank

3 Hazards and Effects Management Process (HEMP)
3 HAZARDS AND EFFECTS MANAGEMENT

PROCESS (HEMP)
3.1 The Steps in the Process
The Hazards and Effects Management Process (HEMP) was originally developed to provide a
structured approach to the analysis of safety hazards throughout the life cycle of an installation. The
environmental and health risk assessment processes fulfil a comparable function with respect to
environmental and health hazards at all stages of the life cycle. These assessments are based on the
same concept and have been brought together as HEMP. The process is applicable to all business
processes in the life cycle of an operation from inception to abandonment. The tools and techniques
available are applied in a logical and rigorous way, setting acceptance criteria and screening against
them as the process proceeds. The arrangements identified as necessary to manage assessed threats
and potential consequences and effects are then incorporated in the design phase or for existing
operations it is necessary to verify that what is in place is suitable and sufficient. If not, then remedial
action is taken and all necessary procedures are incorporated into the HSE Management System.
The principles of 'identify', 'assess', 'control' and 'recover' are the basis of HEMP, with the individual
stages summarised in the following steps:
1. Identify Hazards and Potential Effects

2. Evaluate Risks
3. Record Hazards and Effects
4. Compare with Objectives and Performance Criteria
5. Establish Risk Reduction Measures.
Step 1: Identify hazards and potential effects

Systematically identify the hazards, the threats and potential hazardous events and effects which may
affect, or arise from, a company's operation throughout the total life cycle of the operation.
Step 2: Evaluate risks

Systematically evaluate (assess) the risks from the identified hazards against accepted screening
criteria, taking into account the likelihood of occurrence and the severity of any consequences to
employees, assets, the environment and the public. This includes the risks associated with deviation
from limits set for environmental and occupational health hazards.
Step 3: Record hazards and effects

Record all those hazards and effects identified as significant in relation to the screening criteria in one
of the following documents:
HSE MS Activities Catalogue

HSE Activity Specification Sheets
Hazards and Effects Register
HSE Critical Operating Procedures
Manual of Permitted Operations.
These documents will then be included in Parts 3 and 5 of the HSE MS and HSE Case.

Step 4: Compare with objectives and performance criteria

Compare the evaluated risks against the detailed HSE objectives and targets for the project or
installation. For all cases these targets must be maintained and be consistent with the Company
Policy, and Strategic Objectives. Performance standards at all levels must meet the criteria set in the
HSE Case which in turn must comply with the Company's HSE Management System.
Step 5: Establish risk reduction measures

Select, evaluate and implement appropriate measures to reduce or eliminate risks. Risk reduction
measures include those to prevent or control incidence (i.e. reducing the probability of occurrence)
and to mitigate effects (i.e. reducing the consequences). Mitigation measures include steps to prevent
escalation of developing abnormal situations and to lessen adverse effects on Health, Safety and the
Environment. Risk reduction measures also include recovery preparedness measures which address
emergency procedures as well as restoration and compensation procedures to recover.
Revisit Step 3 to record fully the activity/task requirements.
3.2 Implementation of HEMP

The Hazards and Effects Management Process can be implemented at any point in the life cycle of a
facility or operation. When planning the development of new facilities, reviewing existing facilities,
or planning for the abandonment and decommissioning of existing facilities the focus is on the
identification and assessment of hazards and effects that may be avoided, reduced or eliminated. In
the operational and maintenance phase, the focus is on control of hazards and effects by procedures
and the development and implementation of effective recovery preparedness measures. In the
abandonment and decommissioning stages the focus is directed towards safe clean up and
rehabilitation.
People involved in operational activities however should always be alert to identify new hazards
particularly in non routine operations.
3.2.1 Assets: planning and review

In a new development the HEMP will normally be iterative, beginning on a wide basis with little
detail and then progressing through the development cycle as more detail becomes available. In the
review of an existing development a similar iterative approach may be adopted starting with a wide
approach on general issues then converging on areas of specific concern and more detailed
assessments. This management process is applied to all hazards and potential effects. Those engaged
in design and planning activities who utilise tools, such as HAZOP, Health Risk Assessment or
Environmental Assessment are already familiar with this approach.
Appendices I and II give an indication of when the tools and techniques are used during the life cycle
of a development and in the development of an HSE Case for an asset. Full guidance is provided in
the respective business activity guidelines such as EP 95-0230 Design and Engineering and EP 95-
0220 Concept Development.
The output from the various tools and techniques used in the HEMP in the planning and review stages
of a new development is used primarily to refine the design by identifying the hazards and threats,
removing them if possible and making the design as inherently safe to operate as practicable. The
output therefore primarily concerns the hardware although the design planning phase can profoundly
affect all subsequent stages of the development. Information from this work is included in the HSE
Case for an asset for use in the operational phase.

3.2.2 Activities: planning and review

This relates to the preparation for practical physical activities involved in the implementation of
plans. In EP these activities include survey, drilling construction, operation, decommissioning, and
abandonment. This preparation should involve those carrying out or supervising the activity. The
techniques for the identification and assessment of hazards used in the planning and review stages are
also applicable but in the operational phase tend to be more focused on procedural aspects rather than
hardware design.
In the implementation or operations phase, planning activities such as the systematic preparation of
Permits to Work and Job Hazard Analysis address all the steps of the HEMP. EP 95-0315 describes
the basic Permit-to-Work System and EP 95-0311 describes Job Hazard Analysis which can be used
for a team review of the procedure for a repeated activity or as a one-off review of a new activity. The
computerised system THESIS (see EP 95-0323) can also be used to assess hazards and effects and
identify the necessary controls. EP 95-0270 General Workplace Practices contains activity
specification sheets and hazard register sheets for typical HSE activities and hazards encountered in
the workplace. The Manual of Permitted Operation (MOPO) describes conditions where specific
activities cannot be carried out at the same time and is described in EP 95-0310 Implementing and
Documenting an HSE MS and HSE Case. Waste management procedures, described in EP 95-0390
Waste Management Guidelines, provide information for the inclusion of waste management
activities.
At the time of writing this Guide, work is proceeding on the preparation of Generic HSE Cases for
activities such as drilling, seismic and transport. These are aimed at providing a basic 'starter kit'
HSE case containing all the common activities, procedures and controls which can be subsequently
made 'site-specific' for local application.
The output from the various tools and techniques in the HEMP for operational-type activities will be
used in the development and review of working procedures and form part of the HSE Case for the
operation of the facility. For a significant or new activity, such as a major construction project, a
seismic or drilling campaign or abandonment, the output from the various tools will be included in an
HSE Case.
For a smaller work scope usually confined to one contract the HSE Case is sometimes called an HSE
Plan or where the work or operational task is one of many to be undertaken, terms like 'Work
Procedure' or 'Work Statement' are sometimes used. All these descriptions only reflect the scale of the
operation. The most important point is that in their preparation the steps of the Hazards and Effects
Management Process must be followed. That is hazards and potential effects must be identified and
assessed and Control and Recovery Preparedness measures must be developed and in place ahead of
time.
3.3 Approaches to the Hazards and Effects Management

Process
Hazards can be identified and assessed in a number of ways. The hazard identification and assessment
process is based on the following:
experience/judgement
checklists
codes and standards
structural review techniques

Figure 3.1 Approaches to the Hazards and Effects Management Process
Structured
Review
Techniques
Increasing level of detail Codes / Standards
Checklists
Experience /
Judgement
IDENTIFY ASSESS
HEMP
RECOVER CONTROL
3.3.1 Experience/judgement
The knowledge of experienced staff provides a sound basis for hazard identification and assessment.
One can draw on experience gained from different aspects of the EP business in different locations.
Practical staff experience gained in the field and feedback from incidents, accidents and near misses
is invaluable.
3.3.2 Checklists
These are a useful way of ensuring that known hazards and threats have all been identified and
assessed. The use of checklists, however, must not be allowed to limit the scope of review. They are
normally drawn up from standards and operational experience and focus on areas where the potential
for mistakes is high or where problems have occurred in the past. Hazard Registers taken from the life
cycle of previous developments are particularly useful as a basis for checklists. They should be
maintained throughout the life of the development and include both the operational and abandonment
phases (Ref. 1).
Table VI.1 is a checklist called the Hazard Hierarchy which includes health, safety and environmental
hazards previously identified by Opcos. The checklist approach is used in several techniques such as
HAZID, HAZOP and FIREPRAN for example.
3.3.3 Codes and standards

These reflect collective knowledge and experience, accumulated on the basis of national or
international operations. They generally focus on hazard assessment and control, since the hazard is
inherent and recognisable. Codes and standards usually contain information on hazards applicable to
a particular type of operation. The designer of a pressure vessel relief system, for example, can use a
DEP or ISO Standard to find detailed guidance on the relief cases that should be considered. In some
cases compliance with prescriptive standards alone will reduce risk to 'as low as reasonably
practicable'. Similarly, the acceptability or otherwise of emissions or discharges to the environment or

release of agents harmful to health can be assessed by reference to environmental quality standards
and occupational health exposure limits. For environmental and occupational health, the process
begins with an inventory of emissions and effects agents hazardous to health respectively.
Codes and standards can therefore provide guidance on all four steps of identify, assess, control and
recovery.
Where new or non-standard designs are concerned, especially ones containing configurations with
multiple interfaces, it is unlikely that all the possible interactions can be identified using codes and
standards alone. In more complex facilities such as offshore process facilities, other hazard
management tools will be required.
3.3.4 Structured review techniques

The following chapters of this document describe the Structured Review Techniques and Procedures
in current use. Some of these techniques were initially developed for use in safety management others
have been specifically developed for environmental and occupational health management often using
similar principles as for safety management. One example is HAZID (Hazard Identification) and
another is HAZOP (Hazard and Operability Study). With interpretation, these techniques are also
capable of addressing emissions, discharges, waste generation and occupational exposure to
hazardous substances, etc. Many of the techniques described in this Volume also contain screening
and acceptance criteria for Controls.


4 Structured Review Techniques
4 STRUCTURED REVIEW TECHNIQUES

Structured review techniques are available for all phases of the 'identify, assess, control and recover'
process. The recommended techniques are presented in this chapter under the same headings as used
in Chapter 3, i.e.:
Identify Hazards and Potential Effects

Evaluate Risks
Record Hazards and Effects
Compare with Objectives and Performance Criteria
Establish Risk Reduction Measures.
4.1 Identify Hazards and Potential Effects

The selection of the appropriate techniques depends upon the information available and the phase of
the project or maturity of the operation. The development of a project is described further in Volume
2 of this manual.
For EP facilities, a generic Hazards and Effects Hierarchy has been generated and is included in
Appendix III. This provides a structured listing of hazards and effects and attributes which can be
used as a completeness check during hazard identification. The hierarchy provides the basis for a
computerised approach to the systematic identification and assessment of hazards and their effects.
Table 4.1 Techniques for planning and review of assets
Technique Reference
HAZID (Hazard Identification) A structured brainstorming technique that is EP 95-0312

particularly useful in the early stages of a
development, either as a stand alone exercise or as
part of a more general review. The prompt or
checklist approach guides the less experienced
and prompts the experienced. Success when using
the technique depends upon a properly constructed
team being well managed and having the
opportunity to think beyond the checklist and
identify the unusual. The same technique can be
applied for health hazards associated with the
living environment (e.g. tropical diseases) and
lifestyle (e.g. substance abuse).
Health Risk Assessment Is used for identifying and assessing occupational SHSEC Guide
health hazards and the controls needed to manage (Ref. 2)
them effectively. Chemical, physical, biological, HMSO publication
ergonomic as well as psychological aspects of the (Ref. 3)
occupational environment are included.
Health Risk Assessment and Supplements the general guide on Health Risk SHSEC 1995
Exposure Evaluation for Chemical Assessment (Ref. 4) by providing specific (Ref. 4)
Agents additional advice on assessing risk to health arising
from chemical agents in the work place.

Table 4.1 Techniques for planning and review of assets (continued)
Technique Reference
Human Factors Encompasses a number of techniques directed at EP 95-0324

the assessment of the human element of the
management of hazardous events from design
through to emergency response.
Environmental Assessment (EA) Includes development of an environmental profile EP 95-0370

which provides information necessary to:
build an environmental description of the area
or location and its environment before
development
assess the beneficial and/or adverse effects of
the development
identify mitigation measures
prepare a plan to enable measures to be
implemented
Also applicable to ongoing activities.
Soil and Groundwater Guides Provides guidance on assessing soil and EP 95-0385
groundwater quality at EP locations from initial EP 95-0386
desk studies to more detailed site investigations.
EP 95-0387
Social Impact Assessment Describes the component parts of a social impact EP 95-0371
assessment including relationship to the natural
environment, cultural and historical attitudes and
sensitivities, population characteristics and political
social institutions. Means to involve the wider
public are seen as critical.
HAZOP (Hazard and Operability One of the most widely accepted and powerful of EP 95-0313
Study) the hazard identification and assessment tools
available for reviewing the design of process
facilities. It is carried out in varying degrees of
detail throughout a project after design checks have
been completed. HAZOP is not a design tool but a
supplementary team checking exercise which also
includes the operational aspect of a design.
It is unusual to make other than a subjective
assessment of the consequences of a particular
failure scenario during a HAZOP. The HAZOP
technique has been extended with success by others
to areas like maintenance, drilling, etc.
FIREPRAN To identify deficiencies and opportunities for EP 95-0350

improvement in order to meet objectives with
respect to fire and explosion management.
FIREPRAN is not suited to complex, compact
integrated facilities.

Table 4.1 Techniques for planning and review of assets (continued)
Technique Reference
SAFOP (Electrical Safety and Comprises three components:

Operability Study) SAFAN - (Safety Analysis) identification of DEP (under
hazards to personnel in the vicinity of preparation)
electrical systems (Ref. 5)
SYSOP (System Operability) critical Refer to SIPM
assessment of electrical network and plant
design
OPTAN (Operational Task Analysis) analysis
of operator actions to determine areas of
potential operator error.
There are few if any tools and techniques which are limited solely to the identification of Hazards and
Potential Effects. Most include assessment as well as identification. Indeed techniques, such as Health
Risk Assessment and Environmental Assessment include all four elements, identify, assess, control
and recover.
Inherent in some techniques, such as HAZOP, is a qualitative assessment of risk based on judgement
of threats, such as hardware failure, control system failure, human error, corrosion, extreme
conditions, etc.
Table 4.2 Techniques primarily for activity planning and review
Technique Reference
Job Hazard Analysis Identification of potential problems within a job EP 95-0311

task that could lead to hazardous situations.
Elimination or reduction of the hazard by
development of safe working procedures.
Tripod-BETA To facilitate accident or incident investigation and EP 95-0321

analysis by providing the means to assemble and
manipulate investigation information into a logical
structure consistent with the Tripod accident
causation model and the hazards and effects model
of SMS (HSE MS).
Tripod-DELTA The proactive identification of potential latent EP 95-0320

failures that could lead to hazardous situations and
the development of remedial actions to be taken to
reduce or eliminate such hazards.
4.2 Evaluate Risks

Once hazards and threats have been identified, their causes, consequences and probability can be
estimated and the risk determined. Risk assessment may be on a qualitative or quantitative basis both
involving the same steps. Qualitative methods may be adequate for risk assessments of simple
facilities or operations where the exposure of the workforce, public, environment or the asset is low.
Inherent in many of the techniques mentioned in 4.1 is a subjective evaluation of risk. HAZOP and
FIREPRAN, for example require the team to select the critical items for further study. To do this
there must be a risk assessment which is based primarily on experience or judgement. The qualitative
or banded assessment of probability and consequence from such an analysis can be plotted on the
Risk Matrix described in EP 95-0100 HSE Management System and repeated in 4.2.4. In
FIREPRAN, HAZOP and Health Risk Assessment, this Risk Matrix is used to assist in decisions
regarding risk. In the context of this manual evaluate and assess have the same meaning. The THESIS

software can also be used to assist in the hazard/risk evaluation and also uses the Risk Matrix.
Guidance on when to use quantitative risk assessment is provided in the following paragraphs.
4.2.1 Scenario development (causes)

The first step in the risk evaluation is to examine the ways in which events may take place to cause a
hazardous event. Causation scenarios may be developed in simple narrative or use multiple branch
fault trees or utilise complex computerised modelling techniques. The method is entirely dependent
on the area being assessed. For further details on scenario development refer to EP 95-0352 QRA.
4.2.2 Probability
The probability of a hazardous event occurring may be determined by evaluation of the associated
possible threats and circumstances or from historical data bases. Once established, the probability of
occurrence of each event can be included in a fault tree.
Historical records such as those described in EP 92-1020 (Ref. 6) provide failure data for various
types of event in the fault tree and event tree including the Top Event. Alternatively, probability can
be generated in a qualitative way by the relative classification of probability into those shown on the
Risk Matrix in 4.2.4.
It is planned to replace EP 92-1020 (Ref. 6) with a data base prepared on an industry wide basis. This
development is underway with the E&P Forum.
4.2.3 Consequence analysis

Consequence analysis can be applied to assess HSE aspects for a range of consequence scenarios and
involves the use of predictive models. Consequence scenarios may be developed in simple narrative
or use multiple branch event trees or utilise complex computerised modelling techniques.
Examples include the use of physical effects models for assessing the integrity of structures, for
predicting the behaviour of emissions to the atmosphere and discharge to water and predicting heat
loading and explosion overpressure. Models should only be used when they are validated in a
particular application and their predictive capability is generally accepted. Successful application
requires that they be used by personnel with adequate training and experience. The results from
Physical Effects Modelling usually provide input to other HSE analyses such as ESSA, FEA and
Layout Studies.
In performing consequence analyses it should be recognised that the majority of models provide only
a good approximation of what might happen. It is a mistake to base design calculations wholly on
model results. The designed system should be capable of withstanding the range of possible
anticipated loadings.
Table 4.3 Techniques for consequence analysis
Technique Reference
Physical Effects Modelling This encompasses a number of techniques EP 95-0314

available for modelling the effects of hazardous
releases such as explosions, gas dispersion and
fire
Layout Methodology Offshore Layout Methodology

A simplified design tool for identifying separation EP 91-1600/1601
requirements when laying out an offshore (Refs. 7 and 8)
complex EP 90-2500
(Ref. 9)

Onshore Layout Methodology as above for DEP to be

onshore facilities prepared
(Ref. 10)
FEA Fire and Explosion Analysis is a collective term No reference

for the process which identifies and evaluates all
fire and explosion hazardous events as a basis for
risk reduction and for preparing performance
criteria for essential safety systems and the
arrangements required for escape, evacuation and
rescue (EER).
ESSA Emergency System Survivability Analysis. This is EXPRO Docs

part of the FEA and determines the ability of the (Ref. 11)
emergency systems to withstand severe accident
conditions. ESSA is part of the FEA process and
provides information which is subsequently used
in TR/EERA.
TR/EERA Temporary Refuge Escape, Evacuation and DEP 37.17.10.11

Rescue Analysis of escape to Temporary Refuge (Ref. 12)
(TR), the provisions within the TR system, and
the Evacuation, Escape and Rescue provisions.
The analysis considers the major scenarios
previously identified and compares these against
respective acceptance standards highlighting
critical elements and revealing any shortfalls.
Environmental Dispersion Used to predict the behaviour of contaminants Monitoring air

Models following discharge. Results are used to evaluate quality
the significance of emissions and discharges. A EP 95-0376
wide range of models are available and vary in
complexity and sophistication. Monitoring water
quality
EP 95-0381
Table 4.3 Techniques for consequence analysis (continued)
Technique Reference
Oil Spill trajectory Models Used to predict the behaviour of marine spills and A range of models
can play an important role in oil spill contingency available. For
planning. A number of models are available. advice on selection
and use refer to
SIEP
Risk Assessment Models for These have been developed to evaluate the Env. quality
Contaminated Soil significance of soil contaminants to human and standards for soil
environmental health. The Human Exposure to and groundwater:
Soil Pollutants (HESP) developed in SIPM is an EP 95-0385
example.
Setting Priorities
for contaminated
soil and
groundwater:
EP 95-0387

Groundwater Models These have been developed to predict the A range of models
behaviour of contaminants in groundwater and available. For
focus on the movements of the contaminants. advice on selection
and use refer to
SIPM
These techniques are summarised in Appendix IV.
4.2.4 Determination of risk

Having determined the probability of the different scenarios occurring to cause a 'hazardous event'
and having determined the consequences arising from that event, it is possible to represent the risk
graphically using the Risk Matrix described in
EP 95-0100 HSE Management System and repeated below:
Table 4.4 Risk Matrix
CONSEQUENCE INCREASING PROBABILITY
Severity People Assets Environment Reputation A B C D E

Never Has Incident Happens Happens
heard of occurred has several several
in EP in EP occurred times per times per
industry industry in Opco year in year in
Opco location
0 No No No No
injury damage effect impact
1 Slight Slight Slight Slight Manage for continuous
injury damage effect impact improvement
2 Minor Minor Minor Limited
3 Major Localised Localised Considerable
4 Single Major Major National Incorporate risk
fatality damage effect impact reduction measures Intolerable
5 Multiple Extensive Massive International
fatalities damage effect impact
The matrix need not remain as a static display of risk and measures to be taken. Over the years
tolerance to risk will change therefore the shading in the diagram will change.
The above matrix gives an indication of risk tolerability but this should relate to the operation under
consideration . An example of how the matrix can be further defined for a particular operation is
included in Appendix V.
4.2.5 Quantitative Risk Assessment (QRA)

QRA is a potentially powerful technique which is described fully in EP 95-0352.
Appendix VI contains specific examples and guidance of when Quantitative Risk Assessment is used
to its best advantage.
Guidelines are available for undertaking quantitative risk assessment for specific applications
including risers and pipelines.
These are:

Table 4.5 QRA techniques for specific applications
Technique Reference
ASPIN Pipeline failure risk analysis technique and EP 94-0101

data base. (Ref. 13)
An easy to use quantitative failure risk EP 94-0102
assessment tool to compare different (Ref. 14)
options and conditions during pipeline
design and operation and to assist in
optimising and planning inspection and EP 94-0195
maintenance efforts. (Ref. 15)
Simplified version.

RISER Risk Evaluation of Risers. EP 90-1045

(Ref. 16)
Assessment of risks of pipeline riser on or
near platforms with comparative risk
analysis to assess the benefits of subsea
valve installation on pipelines.
These quantitative risk assessments should only be used by personnel with adequate training and
experience. It is most important that those familiar with the operation, the facility or the design are
involved in the study particularly with respect to the input, assumptions and conclusions drawn to
ensure that the model reflects reality.
Assumptions must reflect actual practice including inspection and maintenance frequencies and
techniques, frequency of drills and operating procedures, etc.
QRA provides a structured approach to assessing risk and expresses this numerically. The main
function of QRA is to identify high risk areas and assist in the comparison of design options and the
selection of operations philosophies with a view to establishing effective and efficient risk
management.
QRA assists in the determination of 'how safe is safe enough' by helping to analyse options to
establish whether or not ALARP (As Low As Reasonably Practicable) has been achieved.
Engineers and decision makers sometimes like to use quantitative risk assessment to make a decision
for them. For this purpose they would like to see well defined acceptance criteria for risk and a
calculation resulting in one number to tell them whether their design is 'right' or 'wrong'. However,
risk figures which are based on probabilities should be used with caution and comparison against
absolute numerical risk criteria avoided where possible. This is important for a number of reasons.
First, the accuracy of QRA studies means that the comparison of calculated numbers with specified
numerical criteria must be used with considerable caution. The inaccuracies are less important in
comparisons between various options analysed in a consistent manner. Nevertheless absolute risk
figures may be required to fulfil legislative requirements and to ascertain whether ALARP risk levels
have been reached.
Secondly, the risk of EP operations calculated in a QRA is often in the 'Too High' area and nowhere
near the Negligible area. This means that regardless of acceptance criteria set by authorities or
others, there is a need to identify further improvements and to implement them if the cost, time and
effort can be justified.
Thirdly, there is always the temptation to use comparison with absolute risk criteria as a means to
justify not carrying out risk reduction measures, with data being manipulated solely to meet the
criteria. Playing the 'numbers game' in this way could lead to QRA being used to justify risk levels
that could realistically still be reduced.
Fourthly, using statistical likelihood values carries with them a set of inherent assumptions which
may or may not be appropriate for the operation being studied.
Expressions like 'acceptably safe' or 'an acceptable risk' should be avoided when discussing risk.
Risks are never acceptable when the benefits of an activity are perceived to be smaller than the risks.
Further, a risk is never considered acceptable while there are effective alternatives to lower it. If there

are no effective alternatives or the cost of further reduction is disproportionate then it may be
necessary to live with or 'tolerate' the risk.
QRA can be used to assess risk to the company's workforce, assets and environment as well as risk to
the public. At present, QRA or environmental QRA is confined to 'incidental' or 'acute' hazardous
events. In EP operations, the facilities are in many cases sufficiently remote that considerations of this
type of risk to the public do not dominate. In downstream activities, risk to the public is often the
main concern.
The application of QRA is not necessarily limited to large, complex and expensive studies. It is a
technique which can be used relatively quickly and cheaply to help to structure the solution to
problems for which the solution is not intuitively obvious. Without the quantification of risk in some
situations, there may a danger of allocating scarce resources for little benefit. Risk is often defined as
a function of the chance that a specified undesired event will occur and the severity of the
consequences of the event. For QRA purposes, chance can be expressed as frequency or probability
of an occurrence. If no attempt is made to estimate the chance, we may be driven by the consequence
into investing heavily on risk reduction measures which are ineffective. This is illustrated in
Figure 4.1. The risk curve (shaded) indicates the area in which effective risk reduction measures can
be taken.
Figure 4.1 Determination of risk
On the left side of the curve the consequences are too small to cause concern, regardless of the
probability. On the right side the consequences could be dramatic but the probability is so low that it
would be more effective to invest in those risk reduction measures which concentrate on the events
contributing to the peak of the risk curve. The above can be easily aligned with the Risk Matrix.
It must be recognised that the public and regulatory authorities are most interested in high
consequence events. In the context of the Risk Matrix this might be in the 'never heard of incident in
EP industry' column but nevertheless risk reduction measures must still be considered.

4.2.6 Screening criteria: limits/standards

EP 95-0100 HSE Management Systems Chapter 4 describes the concept of screening risk against
criteria set in a qualitative and quantitative manner together with the use of the ALARP principle,
which sets the risk level as low as reasonably practicable.
Guidelines which provide environmental limits and standards include:
EP 95-0375 Environmental quality standards - air

EP 95-0380 Environmental quality standards - water
EP 95-0385 Environmental quality standards - soil and groundwater
References to occupational exposure limits and standards are listed in Health Risk Assessment
(Ref. 2) and Ionising Radiation Safety Guide (Ref. 17).
4.3 Record Hazards and Effects

4.3.1 Records
The documentation relating to the hazards and effects analysis and the management of hazards and
effects is included in Parts 3 and 5 of the HSE MS and HSE Case described in EP 95-0310.
In a major project or facility the studies carried out as part of the HEMP are recorded formally usually
via the first draft of the Hazards and Effects Register. The level of detail addressed increases as
familiarity with the project or facility improves. Different techniques are then applied to identify and
assess hazards. The hazards and control measures identified during the design phase are recorded for
later transfer to the operator of the facility who will be responsible for the HSE Case. A PC based tool
developed to do this is THESIS described in EP 95-0323.
4.3.2 Hazards and effects register

The hazards and effects information gained from the application of HEMP tools and techniques is
incorporated in the HSE Case in what is called a Hazards and Effects Register.
The HSE Case has to demonstrate that:
all hazards, effects and threats have been identified

the likelihood and consequences of a hazardous event have been assessed
that controls to manage potential causes (threat barriers) are in place
that recovery preparedness measures to mitigate potential consequences have been taken.
Assembly of the Hazards and Effects Register, which forms part of the HSE Case, begins at the
design and development stage of a project when hazards and effects from this phase are incorporated.
Hazards applicable during the construction and commissioning phase may be included or listed
separately. Later, hazards encountered in the operations and maintenance phase are included. The
Hazards and Effects Register is a live document and is passed from phase to phase of a development
through to abandonment. When the design phase is complete, the Hazards and Effects Register is
handed over to and subsequently maintained by, the operations management of a facility. The
Hazards and Effects Register will subsequently be used in the planning of abandonment and held on
record for a period thereafter.

4.3.3 Manual of Permitted Operations (MOPO)

Once the Hazards and Effects Register is completed it is possible to complete a Manual of Permitted
Operations which defines:
the level and number of barriers installed initially and the recovery preparedness measures to be in
place
the limit of safe operation if the barriers and/or recovery preparedness measures (sometimes
referred to as the 'Integrity Envelope') are reduced, removed or purposely defeated
the limit of safe operation permitted during periods of escalated risk, in either likelihood or
consequence. This includes external factors like extreme weather conditions
which activities may or may not be carried out concurrently, e.g. simultaneous welding and crude
sampling.
Further details on the preparation of a MOPO are given in EP 95-0310 Implementing and
Documenting on HSE MS and HSE Case.
4.4 Compare with Objectives and Performance Criteria

The objectives and performance criteria adopted at all levels in the process should comply with those
stated in the Corporate HSE Policy, HSE MS and HSE Case, respectively (see EP 95-0100 HSE
Management Systems Chapter 4).
4.5 Establish Risk Reduction Measures

4.5.1 General
Risk reduction measures include preventative measures (likelihood reducing) and mitigatory
measures (consequence reducing). As described in EP 95-0100, the point at which measures may be
classified as prevention, mitigation or recovery can sometimes become unclear depending on the
perspective of what constitutes the hazardous event. Fortunately, in practice, this makes little or no
difference to the process of risk reduction.
Control and recovery aspects form a significant part of design standards. These are not listed
separately in this document.
A number of reference documents describing the controls are frequently used in applying the HEMP.
These are summarised below together with references for full descriptions.
4.5.2 Control of release of hazards and effects

Some typical control measures are described in the following guidelines:
EP HSE Manual:
EP 95-0376 Monitoring Air Quality
EP 95-0381 Monitoring Water Quality
EP 95-0386 Monitoring Soil and Groundwater Quality
EP 95-0390 Waste Management Guidelines
EP 95-0391 Classifying Waste

EP 95-0270 General Workplace Practices

EP 95-0315 Guidelines on Permit to Work (PTW) Systems
EP 95-0317 Hydrogen Sulphide (H2S) in Operations
All SHC and SHSEC guidelines e.g. Noise Guide, Asbestos, Ionising Radiation, Heat
and Cold Stress
DEPs Refer to Index DEP Publications and Standard Specifications DEP
00.00.05.05 Gen. (Ref. 18)
Codes and standards
4.5.3 Recovery preparedness measures

Recovery from the consequences of the release of a hazard requires careful planning. Even with a
comprehensive range of controls in place to prevent the release of hazards or effects things can still
go wrong. It is important that all personnel involved are fully briefed and drilled as to the response
measures planned which may include evacuation and restoration procedures.
Recovery Preparedness Measures include active, passive and operational (contingency plans)
response arrangements.
In a crude oil separation module a loss of containment will probably be controlled by ESD,
depressurisation and containment/fire protection devices. These control and recovery measures have
been installed to achieve the HSE objectives that have been set. They might reduce a worst case
occurrence to a single major injury or fatality as compared with the possible catastrophe that could
have occurred with no controls at all in place.
From an environmental perspective recovery includes site clean up and rehabilitation. An example in
occupational health would be the redeployment of a radiographer who has exceeded his radiation
exposure or a cargo handler who has a back injury.
Documents which will assist in the development of recovery procedures include amongst others:
EP 95-0316 Emergency Response

DEP 37.17.10.11-Gen Design of Offshore Temporary Refuges (Ref. 12)
EP 95-0397 Oil Spill Dispersants
EP 95-0387 Contaminated Soil and Groundwater
EP 95-0351 Fire Control and Recovery
SHSEC 1994 Medical Emergency Guidelines for Management (Ref. 19)
HSE 94023 Jan 1995 Medical Emergency Guidelines for Health Care Professionals and
First Aiders (Ref. 20)
HSE 94023a Jan 1995 Guidance to First Aiders (Ref. 21)
E&P Forum Standards for Clinical Services (Ref. 22)
DEPs For index refer to Index DEP Publications and Standard
Specifications DEP 00.00.05.05-Gen. (Ref. 18)
Codes and standards


APPENDIX I
ACTIVITIES: PLANNING AND REVIEW
HEMP TOOLS AND TECHNIQUES
In the EP Business Model (EPBM) Version 3 (Ref. 23) the activity grouping (ACT) 'Managing
Activities' applies equally to all activities including those shown below against the life cycle.
In the 'Establishment of Business Controls' (ACT-01-06), the controls to manage HSE risk are
addressed in an HSE Case. The broad HSE objectives to be met in the activities: establishment of
business controls (ACT-01-06), 'planning' (ACT-01-08) and 'monitoring/control during execution'
(ACT-03-02) are bulletised on the left of the table below. Some of the tools and techniques available
are listed on the right.
produce and
explore appraise develop maintain abandon
Execute Surveys
Drilling Drilling
Appraisal and
Development
Design
Construction
Commissioning
Production and
Maintenance
Decommissioning
Logistics
objectives
MANAGE ACTIVITIES (ACT)

Includes: HSE Case for Specific Activities
Establish Business Controls (ACT-01-06)
eg Prepare HSE Case for specific activities such as: survey, drilling, operations, logistics
demonstrate that risks HAZID
associated with the activity Generic HSE Cases (under development)
are managed Health Risk Assessment
Environmental Assessment
Job Hazard Analysis
Permit-to-Work
H2 S
Fire Control and Recovery
Safe Handling of Chemicals (SDS)
Human Factors
Emergency Response (including oil spill plans),
Oil Spill Dispersants
Contaminated Soil and Groundwater
Classification of Waste
Waste Management
Prepare Plan (ACT-01-08) eg. Prepare Execution Plan
ensure contracting strategy HAZID
reflects known risks
Monitor and Control Activity Execution (ACT-03-02)
identify and manage any Environmental Monitoring/Standards
additional hazards and threats Job Hazard Analysis
Tripod - DELTA
Tripod - BETA
HSE CASE FOR ACTIVITY

HAZARDS AND
EFFECTS REGISTER

Appendix II Assets : Planning and Review HEMP Tools and Techniques
APPENDIX II
ASSETS: PLANNING AND REVIEW
HEMP TOOLS AND TECHNIQUES
The activities (Ref. 23) described in this appendix encompass the life cycle of an asset. The HSE Case
which is prepared during the execution of these activities becomes the HSE Case for the asset and
forms part of the Asset Reference Plan.
The broad HSE objectives are bulletised on the left of the table. Some of the tools and techniques
available are listed on the right.
ACQUIRE OR DIVEST ASSET (A16)

objectives
Evaluate/Value Asset or Divestment (A16-01-02)
identify major hazards HAZID
identify environmental Environmental Assessment (preliminary)
effects and sensitivities
together with history of past
practices

EVOLVE DEVELOPMENT CONCEPTS (A11)
Make Facility Design Concepts (A11-04-02)
identify major project HAZID
hazards
Carry out HSE Analysis (A11-04-05)
obtain assurance of Qualitative comparison of risk based on judgement or coarse
manageability QRA if significant global risks or high level of innovation
Environmental Assessment, Health Risk Assessment
Evaluate Concepts (A11-05)
obtain an assessment and QRA (Comparative or coarse)
comparison of HSE risks Environmental Assessment (update)
between options
Propose Development Concepts (A11-06)
finalise option selection with QRA (comparative or coarse)
due regard for HSE Environmental Assessment (update)
review hazards within option HAZID
obtain agreement for
philosophies of:
Operations and Maintenance;
Fire and Explosion

DESIGN, CONSTRUCT, MODIFY OR ABANDON FACILITIES (A12)
Prepare Conceptual Design (A12-01) (Validate 'Basis for Design')
ensure technical integrity of HAZOP (coarse)
basic process
develop layout to minimise Coarse Layout Methodology
consequences in developing Human Factors
the 'Project Specification'
review technical integrity of HAZOP (detailed)
detailed process Instrumented Protection Function (IPF) classification
minimise risk of escalation
-for offshore and complex plant Detailed Layout Methodology, Fire and Explosion Analysis
-for less complex and onshore Emergency System Survivability Analysis
FIREPRAN
ensure adequate provision Escape, Evacuation and Rescue Analysis (use judgement
for escape for less complex plant)
review overall risks QRA (as necessary)
minimise construction risks HAZID
incorporate HSE-specific Health Risk Assessment, Human Factors,
requirements Environmental Assessment

HSE CASE FOR ASSET
HAZARDS AND
EFFECTS REGISTER

objectives

DESIGN, CONSTRUCT, MODIFY OR ABANDON FACILITIES (A12) cont'd)
Prepare Detailed Design (A12-02)
ensure change does not QRA
HAZOP
impair technical integrity
Instrumented Protection Function (IPF) classification
prepare input for HSE Case
for facility see ACT-01-06
Construct and Precommission Facility (A12-03)

ensure HSE risk managed in
construction
Prepare activity HSE Case Plan (see ACT-01-06)
Commission Facility (A12-04)

verify readiness to startup Pre-startup audit
Abandon Facility (A12-05)

ensure legal and social Prepare plan (ACT-01-06)
obligations met with respect HAZID
to environment Environmental Assessment (including review of past
practices and liabilities), Health Risk Assessment
decommission and remove HAZID
safely with due care for Environmental Assessment
health and environment Health Risk Assessment

DESIGN, CONSTRUCT, MODIFY OR ABANDON WELLS (A09)
(as for A12 for Wells)

OPERATE AND MAINTAIN FACILITIES AND WELLS (A71/A72)
(see under HSE Case for Asset)

MANAGE ASSETS (ASS)
(Includes HSE Case for Asset)
Asset Reference Plan (ASS-01-02)
demonstrate that risks HAZID
associated with asset and its Health Risk Assessment
operation are managed Environmental Assessment
Job Hazard Analysis
Permit-to-Work
Instrumented Protection Function (IPF) classification
H2 S
Fire Control and Recovery
Safe Handling of Chemicals (SDS)
Human Factors
Emergency Response (including oil spill plans)
Oil Spill Dispersants
Contaminated Soil and Groundwater
Classification of Waste
Waste Management
Appraise Asset Integrity (ASS-04-02)
confirm process integrity and Process Hazard Review
containment HAZOP
compare fire and explosion FIREPRAN
provisions against objectives set

HSE CASE FOR ASSET
HAZARDS AND
EFFECTS REGISTER

Appendix III Hazards and Effects Hierarchy

APPENDIX III
HAZARDS AND EFFECTS HIERARCHY
The Hazards and Effects Hierarchy is a structured list of HSE-related hazards and effects that may
occur in the EP business. It can provide a starting point in hazard identification (the first step of the
Hazards and Effects Management Process, HEMP). Use of the Hazards and Effects Hierarchy as a
checklist gives greater assurance that all hazards and effects have been addressed and identification
and initial assessment is complete.
The Hazards and Effects Hierarchy is a structured checklist incorporated in the PC-based tool
THESIS (EP 95-0323). It is continually being improved with use in different operations and
environments. The hierarchy in the attached Table III.1 is therefore only included as an example or
'snapshot'. For the most up-to-date version, refer to the latest version of THESIS software.
In THESIS each hazard and effect has been assigned a number which has been consistently carried
through to the Hazards and Effects Register. The same numbering system is used here.
The Hazards and Effects Hierarchy, Table III.1, consists of main hazard groups such as H-01
Hydrocarbons. Under these are sub-groupings, such as H-01.06 Hydrocarbon Gas. Some examples
are given of typical sources of these hazards or locations where they will be found.
Under the three columns 'Safety', 'Health' and 'Environment' an arbitrary coding has been given which
has been found useful in grouping hazards. The reason for the Health grouping is explained below.
Any other coding or tagging can be used.
No attempt has been made to link the listing of hazards with, for example business activities or types
of facilities, since any one hazard can invariably be present in many situations. The Hazards and
Effects Hierarchy nevertheless lends itself to use as part of a systematised approach to hazard
management.
III.1 Routine Health Hazards and Effects

Health hazards encountered in the work place and by the public are usually divided into the following
five broad groups:
chemical hazards
physical hazards such as noise, vibration, ionising radiation
biological hazards such as micro-organisms
ergonomic hazards such as manual handling
psychological hazards such as stress
life style such as substance abuse
living environment such as malaria and environmental pollution
The Hazards and Effects Hierarchy as presented in this appendix can be sorted to cover all significant
health hazards and effects in this order or any other order that is required.
III.2 Environmental Hazards and Effects

Effects on the environment may be due to unintentional incidents (e.g. a fire or chemical spill) or due
to intended often continuous, routine or chronic releases as part of the operation.

The Hazards and Effects Hierarchy listing, Table III.1, is valid for both incidental releases and
routine releases. As described in 2.1, a hazardous event in the case of the routine or chronic release
is when defined limits have been exceeded. A hazardous event in the case of an acute or incidental
release is an occurrence or incident.
Limits should be defined for routine releases which have an adverse effect on the environment.
Reviewers often find it easier to think in terms of sources of environmental effects. To assist in this
identification Table III.1 is a checklist of sources, of environmental hazards and of potential effects.
This table can assist in the identification of hazards and effects when reviewing a proposed
development or operation (i.e. in the Environmental Assessment process) or when reviewing effects
from the existing operation and preparing reduction plans.
The list is not complete and any further additions to the checklist should be forwarded to SIEP.
Currently, three types of environmental hazards have been identified:
hazards associated with discharges or emissions

hazards/effects from use of natural resources
hazards causing effects from presence.
It is not always possible to pinpoint a genuine hazard causing the effect, e.g. resource use can result
from a number of activities.
Key to Hazards
Table III.1 The Hazards and Effects Hierarchy
Safety Hazards Health Hazards Environmental Hazards
F = Flammable B = Biological Agent D= Discharge Hazards

MH = Major Hazard C = Chemical Agent R = Use of Natural Resources
Se = Security Hazard E = Ergonomic Agent Pr = Presence
WP = Work Practice P = Physical Agent

LS = Life Style Agent
Psy = Psychological Agent
M = Medical Issue
Hazard Hazard Description Safety Health Enviro Sources

Number
H-01 Hydrocarbons
H-01.01 Crude oil under pressure MH C D Flowlines, pipelines, pressure

vessels and piping
H-01.02 Hydrocarbons in formation MH D Oil wells especially during well
drilling and entry/workover
operations

H-01.03 LPGs (e.g. Propane) MH C D Process fractionating equipment,

storage tanks, transport trucks
and rail cars
H-01.04 LNGs MH C D Cryogenic plants, tankers
H-01.05 Condensate, NGL MH C D Gas wells, gas pipelines, gas
separation vessels
H-01.06 Hydrocarbon gas MH C D Oil/gas separators, gas
processing plants, compressors,
gas pipelines
H-01.07 Crude oil at low pressures MH C D Oil storage tanks
H-01.08 Wax F C D Filter separators, well tubulars,
pipelines
H-01.09 Coal F P R Fuel source, mining activities
H-02 Refined Hydrocarbons

H-02.01 Lube and seal oil C D Engines and rotating equipment
H-02.02 Hydraulic oil C D Hydraulic pistons, hydraulic
reservoirs and pumps
H-02 Refined Hydrocarbons (cont'd)
H-02.03 Diesel fuel C D Vehicle fuelling stations, vehicle

maintenance
H-02.04 Petroleum spirit/gasoline F C D Vehicle fuelling stations, vehicle
maintenance
H-03 Other flammable materials
H-03.01 Cellulosic materials F Packing materials, wood planks,

paper rubbish
H-03.02 Pyrophoric materials F C D Metal scale from vessels in sour
service, scale on filters in sour
service, iron sponge sweetening
units


Number
H-04 Explosives
H-04.01 Detonators WP C Seismic Operations,

pipeline construction
H-04.02 Conventional explosive MH C Pr Seismic Operations,
material pipeline construction
H-04.03 Perforating gun charges MH Well completion activities
associated with drilling rigs and
workover operations
H-05 Pressure Hazards

H-05.01 Bottled gases under pressure WP Welding and metal cutting
operations, laboratory gas
sources
H-05.02 Water under pressure in WP Water disposal, water floods and
pipeworks injection operations, strength
testing of pipeworks, well
fracturing and treatments
H-05.03 Non-hydrocarbon gas under MH Purging and leak testing of
pressure in pipeworks facilities
H-05.04 Air under high pressure WP Seismic air guns and related
piping,
H-05.05 Hyperbaric Operations WP P Undersea operations
(diving)
H-05.06 Decompression (diving) WP P Undersea operations
H-06 Hazards associated with differences in height
H-06.01 Personnel at height >2m MH Work involving scaffolding,

suspended access, ladders,
platforms, excavations, towers,
stacks, roofing, working
overboard, working on monkey
board
H-06 Hazards associated with differences in height (cont'd)
H-06.02 Personnel at height <2m WP Slippery/uneven surfaces,

climbing/descending stairs,
obstructions, loose grating
H-06.03 Overhead equipment MH Objects falling while being
lifted/handled or working at a
height over people, equipment or
process systems, elevated work
platforms, slung loads


Number
H-06.04 Personnel under water MH Objects falling on to divers from

operations overhead
H-06.05 Personnel below grade WP Pipeline trenches, excavations,
repairing buried facilities
H-07 Objects under induced stress
H-07.01 Objects under tension WP Guy & support cables, anchor

chains, tow & barge tie-off
ropes, slings
H-07.02 Objects under compression WP Spring-loaded devices such as
relief valves and actuators and
hydraulically operated devices
H-08 Dynamic situation hazards
H-08.01 On land transport (driving) WP Driving to and from locations

and camps, transporting
materials, supplies and products,
seismic operations, moving
drilling rigs and workover rigs
H-08.02 On water transport (boating) WP Boat transport to and from
locations and camps,
transporting materials, supplies
and products, marine seismic
operations, barges moving
drilling rigs and workover rigs
H-08.03 In air transport (flying) MH Helicopter and fixed wing travel
to and from locations and camps,
transporting materials, supplies
and products
H-08.04 Boat collision hazard to other MH Shipping lane traffic, product
vessels and offshore structures transport vessels, supply and
maintenance barges and boats,
drifting boats
H-08.05 Equipment with moving or WP Engines, motors, compressors,
rotating parts drill stems, thrusters on DP
Ships
H-08 Dynamic situation hazards (cont'd)
H-08.06 Use of hazardous hand tools WP Workshop, construction sites,

(grinding, sawing) maintenance sites, rotating
equipment
H-08.07 Use of knives, machetes and WP Galley, seismic line clearing,
other sharp objects grubbing operations
H-08.08 Transfer from boat to offshore WP Basket transfer, rope transfer
platform


Number
H-09 Environmental Hazards
H-09.01 Weather WP Winds, temperature extremes,

rain, etc
H-09.02 Sea state/river currents MH Waves, tides or other sea states,
river currents
H-09.03 Tectonic MH Earthquakes or other earth
movement activity
H-10 Hot surfaces
H-10.01 Process piping and equipment WP P Oilwell piping, piping in

between 60 and 150 deg. C fractionation systems, glycol
regeneration
H-10.02 Process piping and equipment MH P Hot oil piping, piping associated
over 150 deg. C with stills and reboilers
H-10.03 Engine and turbine exhaust WP P Power generation, gas
systems compression, refrigeration
compression, engine driven
equipment such as forklifts
H-10.04 Steam piping WP P Sulphur plants, power boilers,
waste heat recovery systems,
heat tracing and jackets
H-11 Hot fluids
H-11.01 Temperatures between 100 WP P Glycol regeneration, low quality

and 150 deg. C steam systems, cooling oils,
galley
H-11.02 Temperatures greater than 150 MH P Power boilers, steam generators,
deg. C sulphur plants, waste heat
recovery units, hot oil heating
systems, regeneration gases used
with catalysts and desiccants
H-12 Cold surfaces
H-12.01 Process piping between MH P Cold ambient climate, Joule-

-25 deg. C and -80 deg. C Thomson expansions (process
and leaks), propane refrigeration
systems, LPG gas plants
H-12.02 Process piping less than MH P Cryogenic plants, LNG plants,
- -80 deg. C LNG storage vessels including
tankers, vapour lines off liquid
nitrogen storage
H-13 Cold fluids
H-13.01 Oceans, seas and lakes less P North Sea, Arctic Ocean
than 10 deg. C


Number
H-14 Open flame
H-14.01 Heaters with fire tube F P D Glycol reboilers, amine

reboilers, salt bath heaters, water
bath heaters (line heaters)
H-14.02 Direct fired furnaces F P D Hot oil furnace, Claus plant
reaction furnace, catalyst and
desiccant regeneration gas
heaters, incinerators, power
boilers
H-14.03 Flares P D Pressure relief and blowdown
systems
H-15 Electricity
H-15.01 Voltage > 50 to 440 V in MH Power cables, temporary

cables electrical lines on construction
sites
H-15.02 Voltage > 50 to 440 V in WP Electric motors, electric
equipment switchgear, power generation,
welding machines, transformer
secondary
H-15.03 Voltage >440 V MH Overhead power lines, power
generation, transformer primary,
large electrical motors
H-15.04 Lightning discharge WP Major lightning-prone areas
H-15.05 Electrostatic energy WP Non-metallic storage vessels and
piping, product transfer hoses,
wiping rags, unearthed
equipment, aluminium/steel,
high velocity gas discharges
H-16 Electromagnetic radiation

H-16.01 Ultraviolet radiation P Arc welding, sunshine
H-16 Electromagnetic radiation (cont'd)
H-16.02 Infra-red radiation P Flares

H-16.03 Microwaves P Galley
H-16.04 Lasers P Instrumentation, surveying
H-16.05 E/M radiation : high voltage P Transformers, power cables
ac cables


Number
H-17 Ionising radiation - open source
H-17.01 Alpha, beta - open source P D Well logging, radiography,

densitometers, interface
instruments
H-17.02 Gamma rays - open source P D Well logging, radiography
H-17.03 Neutron - open source P D Well logging
H-17.04 Naturally occurring ionising P D Scales in tubulars, vessels and
radiation process plant fluids (especially
in C3 reflux streams)
H-18 Ionising radiation - closed source
H-18.01 Alpha, beta - closed source P Well logging, radiography,

densitometers, interface
instruments
H-18.02 Gamma rays - closed source P Well logging, radiography
H-18.03 Neutron - closed source P Well logging
H-19 Asphyxiates
H-19.01 Insufficient oxygen C Confined spaces, tanks

atmospheres
H-19.02 Excessive CO2 C D Areas with CO2 firefighting
systems such as turbine
enclosures
H-19.03 Drowning C Working overboard, marine
seismic operations, water
transport
H-19.04 Excessive N2 C N2 purged vessels
H-19.05 Halon C D Areas with halon firefighting

systems such as turbine
enclosures and electrical
switchgear and battery rooms
H-19.06 Smoke C D Welding/burning operations,
fires
H-20 Toxic gas
H-20.01 H2S (hydrogen sulphide, sour MH C D Sour gas production, bacterial

gas) activity in stagnant water,
confined spaces in sour
operations


Number
H-20 Toxic gas (cont'd)
H-20.02 Exhaust fumes C D Sleeping in cars with running

engines, heating devices, car
garage
H-20.03 SO2 C D Component of H2S flare and
incinerator flue gas
H-20.04 Benzene C D Component of crude oil,
concentrated in glycol vent
emissions and Wemco units
H-20.05 Chlorine MH C D Water treatment facilities
H-20.06 Welding fumes C Construction and metal
fabrication/repair, welding toxic
metals (galvanised steel,
cadmium-coated steel), metal
cutting, grinding
H-20.07 Tobacco smoke LS Accommodation, office
buildings, inside cars, boats,
helicopters, aeroplanes
H-20.08 CFCs D Air conditioning, refrigeration,
aerosol sprays
H-21 Toxic liquid
H-21.01 Mercury C D Electrical switches, gas filters

H-21.02 PCBs C D Transformer cooling oils
H-21.03 Biocide (gluteraldehyde) C D Water treatment systems
H-21.04 Methanol C D Gas drying and hydrate control
H-21.05 Brines C D Hydrocarbon production, well
kill fluid, packer fluids
H-21.06 Glycols C D Gas drying and hydrate control
H-21.07 Degreasers (terpenes) C D Maintenance shops
H-21.08 Isocyanates C D Two-pack paint systems
H-21.09 Sulphanol C D Gas sweetening
H-21.10 Amines C D Gas sweetening
H-21.11 Corrosion inhibitors C D Additive to pipelines and oil/gas
wells, chromates, phosphates
H-21.12 Scale inhibitors C D Cooling and injection water
additive
H-21.13 Liquid mud additives C D Drilling fluid additive
H-21.14 Odorant additives C D Custody transfer facilities for
(mercaptans) gas, LPG and LNG


Number
H-21.15 Alcohol-containing beverages WP LS

H-21.16 Recreational drugs WP LS
H-21.17 Used engine oils C D Used engine oils
(polycyclicaromatic
hydrocarbons)
H-21.18 Carbon tetrachloride C Plant laboratory
H-21.19 Grey and/or Black Water Septic systems, camps,
detergents
H-22 Toxic solid
H-22.01 Asbestos C D Thermal insulation and

construction materials, old
roofing (encountered during
removal)
H-22.02 Man-made mineral fibre C D Thermal insulation and
construction material
H-22.03 Cement dust C D Oil well and gas well cementing,
civil construction
H-22.04 Sodium hypochlorite C D Drilling fluid additive
H-22.05 Powdered mud additives C D Drilling fluid additive
H-22.06 Sulphur dust C D Sulphur recovery plants
H-22.07 Pig trash C D Pipeline cleaning operations
H-22.08 Oil-based muds C D Oil and gas well drilling
H-22.09 Pseudo-oil-based muds C D Oil and gas well drilling
H-22.10 Water-based muds C D Oil and gas well drilling
H-22.11 Cement slurries C D Oil and gas well drilling, plant
construction
H-22.12 Dusts C Cutting brickwork and concrete,
driving on unpaved roads,
carpenter shops, grit blasting,
sand blasting, catalyst (dumping,
screening, removal, drumming)
H-22.13 Cadmium compounds and C D Welding fumes, handling coated
other heavy metals bolts
H-22.14 Oil based sludges C D Oil storage tank cleaning
H-23 Corrosive substances
H-23.01 Hydrofluoric acid WP C D Well stimulation

H-23.02 Hydrochloric acid WP C D Well stimulation


Number
H-23 Corrosive substances (cont'd)
H-23.03 Sulphuric acid WP C D Wet batteries, regenerant for

reverse osmosis water makers
H-23.04 Caustic soda (sodium C D Drilling fluid additive
hydroxide)
H-24 Biological hazards
H-24.01 Poisonous plants (poison ivy B Natural environment

and oak, stinging nettles,
nightshade)
H-24.02 Large animals (dogs, cats, B Natural environment
rats, African wild animals)
H-24.03 Small animals (snakes, B Natural environment
scorpions, lizards)
H-24.04 Food-borne bacteria (e.g. E. B Contaminated food
Coli)
H-24.05 Water-borne bacteria (e.g. B Cooling systems, domestic water
Legionella) systems
H-24.06 Parasitic insects (pin worms, B Improperly cleaned food, hands,
bed bugs, lice, fleas) clothing, living sites (pin worms,
bed bugs, lice, fleas )
H-24.07 Disease transmitting insects B Natural environment
(mosquitoes-malaria and
yellow fever, ticks-lime
disease, fleas-plague)
H-24.08 Cold and Flu Virus B Other people
H-24.09 Human Immune deficiency B Contaminated blood, blood
Virus (HIV) products and other body fluids
H-24.10 Other Communicable B Other people
Diseases
H-25 Ergonomic hazards
H-25.01 Manual materials handling E Pipe handling on drill floor, sack

handling in sack store,
manoeuvring equipment in
awkward locations
H-25.02 Damaging noise WP P Pr Releases from relief valves,
pressure control valves
H-25.03 Loud steady noise > 85 dBA P Pr Engine rooms, compressor
rooms, drilling brake, air tools
H-25.04 Heat stress (high ambient P Near flare, on the monkey board
temperatures) under certain conditions, in open
exposed areas in certain regions
of the world during summer


Number
H-25 Ergonomic hazards (cont'd)
H-25.05 Cold stress (low ambient P Open areas in winter in cold

temperatures) climates, refrigerated storage
areas
H-25.06 High humidity P Climates where sweat
evaporation rates are too low to
cool the human body, personal
protective clothing
H-25.07 Vibration P Pr Hand-tool vibration,
maintenance and construction
worker, boating
H-25.08 Workstations E Poorly designed office furniture
and poorly laid out workstations
H-25.09 Lighting P Pr Work areas requiring intense
light, glare, lack of contrast,
insufficient light
H-25.10 Incompatible hand controls E Controls poorly positioned in
workplace requiring workers to
exert excessive force, lacking
proper labels, hand-operated
control valves, for example in
driller house, heavy
machinery, control rooms
H-25.11 Awkward location of E Machinery difficult to maintain
workplaces and machinery regularly due to their awkward
positioning, for example
valves in an usually high or
low position
H-25.12 Mismatch of work to E Requiring older workers to
physical abilities maintain a high physical level
of activity over the course of
an 8/12 hour day, heavy
construction work performed
by slight individuals
H-25.13 Mismatch of work to E Requiring individuals to
cognitive abilities monitor a process without
trying to reduce their boredom
by giving them a higher task
load, asking a worker to
supervise something he/she is
not qualified
H-25.14 Long and irregular working E Offshore locations utilising
hours/shifts long shift cycles, overtime,
night shifts, rollover shifts


Number
H-25 Ergonomic hazards (cont'd)
H-25.15 Poor organisation and job E Ambiguity of job

design requirements, unclear
reporting relationships,
over/under supervision, poor
operator/contractor interfaces
H-25.16 Work planning issues E Work overload, unrealistic
targets, lack of clear planning,
poor communications
H-25.17 Indoor climate (too hot/ E Uncomfortable climate for
cold/ dry/ humid, draughty) permanently manned areas
H-26 Psychological hazards
H-26.01 Living on the job/away from Psy Homesickness, missing family

family and social events, unable to be
involved in community,
feeling of isolation and losing
chunks of life. Drifting away
from spouse and family,
development of different
interests and friends,
threatened by spouse's
independence, wind-down
period at start of break.
Inability to support spouse in
domestic crisis. Difficult to
turn off in leisure time
H-26.02 Working and living on a live Psy Awareness that mistakes can
plant be catastrophic, vulnerable to
the mistakes of others,
responsible for the safety of
others. Awareness of difficulty
of escape in an emergency.
Awareness of risks in
helicopter travel, adverse
weather.
H-26.03 Post traumatic stress Psy Serious incidents, injuries to
self and others
H-27 Security related Hazards
H-27.01 Piracy Se
H-27.02 Assault Se
H-27.03 Sabotage Se
H-27.04 Crisis (military action, civil Se
disturbances, terrorism)
H-27.05 Theft, pilferage Se


Number
H-28 Use of Natural Resources
H-28.01 Land R Installation sites, drilling

locations, seismic clearing,
pipeline right-of-ways
H-28.02 Water R Cooling water
H-28.03 Air R Turbines, combustion engines
(cars, trucks, pump and
compressor drivers)
H-28.04 Trees, vegetation R Installation sites, seismic
clearing, pipeline right-of-ways,
drilling locations
H-28.05 Gravel R Borrow pits, road construction
H-29 Medical
H-29.01 Medical unfitness M Medically unfit staff for the task

H-29.02 Motion sickness M Crew change on water, marine
operations

Table III.2 Checklist of sources - hazards - effects

Source* ROUTINE HAZARDS POTENTIAL EFFECTS
Flare CH4 global warming/climate change/atmospheric ozone increase

SOx acid deposition, water and soil acidification
NOx atmospheric ozone increase/acid deposition
N2O global warming/stratosphere ozone depletion/climate change
CO2 global warming/climate change
CO health damage
noise nuisance/health damage
light nuisance/health effects
H2S health damage/odour nuisance
odorous compounds nuisance/odour
particulates health damage/ecological damage/soot deposition
radiation health damage/ecological
heat nuisance/ecological damage
trace toxics - ecological/health damage
metals
- PAH
Energy generating CH4 global warming/climate change/atmospheric ozone increase
equipment
turbines SOx acid deposition, water and soil acidification, global cooling
boilers/heaters NOx atmospheric ozone increase/acid deposition/fertilisation
furnaces
transport (diesel, N2O global warming/stratosphere ozone depletion/climate change
gasoline)
drilling, etc CO2 global warming/climate change
CO health damage
noise nuisance/health damage/wildlife damage
light nuisance/health damage/wildlife damage
odorous compounds nuisance/odour
particulates/dust ecological damage/health damage/soot deposition
radiation ecological/health damage
PAH ecological/health damage
H2S nuisance, health damage, ecological damage
heat health damage, ecological damage
PCB health damage, ecological damage
Trace toxics (e.g. catalysts, health damage, ecological damage
heavy metals, chemicals)
Venting CH4 global warming/climate change/atmospheric ozone increase
tanker loading VOC/CxHx atmospheric ozone increase/health damage/ecological
damage
production Specific Chemicals health damage/ecological damage
pressure relief
glycol venting
Refrigeration CFC global warming/climate change/stratosphere ozone depletion
Fire extinguishers halons global warming/climate change/stratosphere ozone depletion
Fugitives CH4 global warming/climate change/atmospheric ozone increase
valves, pumps, etc VOC/CxHx/specific global warming/climate change/atmospheric ozone increase/
chemicals health damage/ ecological damage

Water oil floating layer/unfit for drinking recreation/tainting of

water based mud fish/biological damage
oil based mud
aqueous effluents soluble organics/dissolved tainting of fish, damage to aquatic organisms, unfit for
site drains HC/BTEX drinking, recreation, irrigation, livestock.
storm water run off heavy metals accumulation in biota and sediments, adverse effects on
organisms, unfit for drinking, recreation, irrigation, livestock.
produced water salts biological damage
cooling water barite (mud), drilling fluids, smothering/damage to sea bed and biota
drilling cuttings
tank bottom water nutrients eutrophication
odour nuisance
chemicals/corrosion damage to aquatic organisms
inhibitors/biocides/
fungicides
volume of water to land increased water table, flooding, change in riverflow
fresh water discharge decreased salinity
suspended solids decreased transparency, damage to coral reefs, damage to
and bottom organisms, recreation, habitat
soil/ erosion sediments smothering, damage to vegetation
PAH damage to aquatic organisms, water not fit for drinking,
irrigation, livestock.
Grease water not fit for recreation, damage to bottom sediments
salts/brine increased salinity, damage to aquatic organisms, water unfit
for drinking, recreation, irrigation, livestock
acids/caustics damage to aquatic organisms
temperature change change in oxygen concentration, damage to aquatic
organisms, increased growth/blooms
detergents eutrophication/toxicity
Black water and/or grey pathogens health damage
water (sewage and wash
water)
anoxia (deoxygenation) biological damage
nutrients eutrophication
specific chemicals damage to aquatic organisms water unfit for drinking,
recreation, irrigation, livestock
odorous compounds nuisance odour/smell
Sacrificial anodes heavy metals damage to aquatic organisms, water unfit for drinking,
recreation, irrigation, livestock
Detonators noise/pressure waves damage to aquatic organisms/repellent
Chemicals paints biological toxic or chronic damage/global warming
solvents health/biological toxic or chronic damage/global warming
cleaners biological toxic or chronic damage
Soil oil/hydrocarbons soil contamination; ground water contamination
oil sludges heavy metals soil contamination
tank bottom sludges chemicals soil contaminations; groundwater contamination; smothering.
oil based muds specific chemicals soil contamination; groundwater contamination; smothering.
water based muds
drilled cuttings
contaminated soil
Eroded Materials soil sediments smothering, biological damage

Solid/liquid wastes, hazardous wastes soil contamination; groundwater contamination; health

medical waste, toxic substances damage.
spent catalyst
Household, organic and specific soil contamination; groundwater contamination
food/kitchen and wastes damage to health
office waste pathogens
Landfarming oil/hydrocarbons soil contamination; groundwater contamination
heavy metals damage to health
chemical additives
Heavy vehicles soil compaction changing surface hydrology; changing sub-surface
hydrology; reduced plant growth; erosion
Vibrating equipment vibrations nuisance/animal repellent
Human resources presence of workforce socio/cultural effects; employment in-/decrease;
with different influence on local population/demography;
socio/cultural demands on local resources/surfaces
background
during construction
and operation;
community intrusion
Need for land land take by: soil erosion, destruction of habitat
- seismic changing surface hydrology
- drilling removal of vegetation
- field development, tank change land use, change in natural relief
forms
- access routes change in accessibility
- camps, offices, damage to natural habitat
warehouses
- pipelines visual impact

Need for energy energy take loss of energy resources
heaters/boilers
power generation
steam generation
vehicles/transport
cooling
Need for water water take damage to wetlands
cooling draw down of ground water level/damage to water well users
process impact on downstream users
drinking water
waste waters
irrigation
recharge/pressure
maintenance
Need for gravel/sand gravel/sand take damage to habitat/vegetation/crops
drill pads visual impact/land scarring
access roads change to surface hydrology
camp base/levelling change in natural relief
facility construction
recovery and
replacement
Need for consumables use of non renewable raw depletion of raw materials
materials
* any indented (-) are covered by all aspects in the adjacent columns.


APPENDIX IV
STRUCTURED REVIEW TECHNIQUES
SUMMARY DESCRIPTION SHEETS
Title Assets* Activities*
ASPIN *
Emergency Systems Survivability Analysis (ESSA) *
Environmental Assessment (EA) *
Explosion Protection Review (EPR) *
Fire and Explosion Analysis (FEA) *
FIREPRAN * *
HAZID *
HAZOP * *
Health Risk Assessment (HRA) * *
Job Hazard Analysis *
Physical Effects Modelling (PEM) *
Process Hazard Review (PHR) * *
Platform Layout Methodology (PLM) * *
RISER *
Smoke Ingress Analysis (SIA) *
SAFOP *
Structural Consequence Analysis (SCA) *
Temporary Refuge/Escape Evacuation and Rescue Analysis (TR/EERA) *
The Health, Environment, Safety Information System (THESIS) * *
Tripod-BETA *
Tripod-DELTA *
Assets* Used primarily in planning, design, longer term review and preparation of HSE Cases for assets.
Activities* Used primarily for developing and reviewing operational-type procedures, systems and preparing
activity HSE Cases, plans or method statements, e.g. seismic drilling, construction and
commissioning, and production and maintenance.

Appendix IV Structured Review Techniques Summary Description Sheets
ASPIN
Objective
To provide an easy-to-use quantitative failure risk assessment tool to compare different options and
conditions during pipeline design and operation and to assist in optimising and planning inspection and
maintenance efforts.
It is a tool that is situated between a full Quantitative Risk Assessment (QRA) and simple risk
ranking/scoring methods, less complicated and expensive than the former and more quantitative (and
therefore more accurate) than the latter. It is intended as a decision support tool and does not specify
acceptance criteria for risk levels. It can, for example, identify the effect of use of inspection pigging and a
leak detection system on risk levels.
Method
The methodology is based on the generally applied risk analysis technique whereby the probability of a
failure, expressed in terms of expected failure frequency, is multiplied by the consequence of such a failure
to arrive at risk. Failure risk is determined cumulatively over a given longer period of time as well as on a
yearly basis.
The method is structured in four main parts:
1. Identify the possible failure causes and derive potential failure frequencies
2. Identify the most likely failure type distribution
3. Identify the consequences of pipeline failure
4. Combine parts 1 and 3 to derive risk levels
Information Required (Input)

pipeline fluids (those covered are: crude oil, natural gas, sour natural gas, NGL, fuel gas, gas
oil/diesel, kerosene/naphtha/gasoline, LPG, ethylene, propylene and two-phase oil/gas fluids)
impact failure statistics and failure frequencies
construction/material defect failure statistics and failure frequencies
corrosion statistics or estimated possible mechanisms/expected time to first failure (wall
thickness, critical defect depth, inspection surveys, actual corrosion data), annual corrosion
failure frequencies
Deliverables (Output)
Safety, environmental and economic risk comparison assessments that can be used in support of pipeline
design and operation decisions. ASPIN can be used in the development of HSE Cases as part of the HSE
MS including input into Hazards and Effects Register. ASPIN identifies and assesses all potential major
hazards, evaluates the risks and the effectiveness of the various measures to reduce the risks to the lowest
practicable level.
Further Information
EP 94-0101 - ASPIN Version 1.1 Pipeline Failure Risk Assessment (Ref. 13)
EP 94-0102 - ASPIN Version 1.1 Pipeline Failure Risk Assessment (Ref. 14)
EP 94-0195 - Simplified Method for Pipeline Risk Ranking, Version 2.0 (Ref. 15)
DEP 31.40.60.11 - Gen Pipeline Leak Detection (Ref. 24).

Emergency Systems Survivability Analysis (ESSA)
Objective
Determination of the ability of the emergency systems to withstand severe accident conditions. If
performance criteria for essential safety systems are developed as part of the process which evaluates fires
and explosions an ESSA as a separate exercise may not be required.
Method
Identification of all the safety and emergency systems. Assessment of the criticality of each system with
respect to preventing escalation, protecting the Temporary Refuge(s) (TR(s)) and enabling
escape/evacuation. The critical systems are then assessed to determine their vulnerability to explosions and
fires.
Information Required
Detailed information on the type and layout of safety and emergency systems for example ESD power
systems and emergency communications. Fire and explosion scenario data from the Explosion Protection
Review (EPR) and Fire and Explosion Analysis (FEA) .
Deliverables
Identification of critical emergency equipment and system locations. An assessment of the vulnerability of
the critical systems during direct and escalated events.
Overlap
ESSA is a part of the FEA process and provides information which is subsequently used in the Temporary
Refuge/Escape, Evacuation and Rescue Analysis (TR/EERA).
Further Information
Shell Expro document EN/074 (Ref. 11).

Environmental Assessment (EA)
Objective
To predict the significant chemical, biological and socio-economic effects of an activity and to make
recommendations on activities, sites, techniques and technologies to be adopted in order to maximise the
positive, and minimise the negative effects.
Method
Acquisition of environmental description in terms of abiotic, biotic and human environments
Identify project environmental hazards and characterise the environment
Evaluate the magnitude and significance of environmental effects
Determination of any environmental control and recovery management requirements.
Site and potential waste product descriptions, project description including process materials and sources,
materials of construction, project schedule and both strategic and local economic benefits.
Deliverables
Environmental Statement
Agreed adjustment to design options
Mitigation and recovery measures during operations
Environmental report covering suggested monitoring programmes and environmental management
systems. This report can be used as the basis for public meetings and exhibitions if required.
Overlap
Environmental Assessment (EP 95-0370) describes the Hazards and Effects Management Process (HEMP)
as it applies to environmental matters throughout the life cycle of a development.
Further Information
EP HSE Manual, Environmental Assessment, EP 95-0370.

Explosion Protection Review (EPR)
Objective
Determination of worst case scenarios for explosions which then define the limits required for designing
offshore installations to withstand accidental vapour cloud explosions.
Method
Explosion overpressure prediction models are used to determine the worst case peak internal explosion
overpressure and an estimate of the overpressure external to the source module. The Thornton model
SCOPE is used to determine the worst case peak confined internal overpressure and an estimate of the
overpressure external to the source area. This information is then used to assess the capacity of the blast
walls, floors, ceilings and other structural components as well as the effects of the external explosion.
Information on the area geometry, equipment layout and structure design. Worst case assumptions are
generally made on gas concentrations, gas volumes and ignition source locations.
Deliverables
Explosion overpressure for each module with the associated effects on the module structure and an
indication of the capacity of the module to withstand the explosion. Recommendations to reduce or contain
the explosion overpressure.
Overlap
EPR is effectively a stand alone technique but is part of the Fire and Explosion Analysis (FEA) process.
Further Information
Shell Expro document EA/083 (Ref. 25).
Fire and Explosion Analysis (FEA)
Objective
A general term for a process which identifies and evaluates all fire and explosion hazardous events as a basis
for risk reduction and for preparing performance criteria for essential safety systems and the arrangements
required for Escape, Evacuation and Rescue (EER).
Method
The location and type of all potential fires (and explosions) are identified. The capability of the existing or
required fire protection (and explosion relief) measures are established together with the corresponding
performance standards. Estimates of the damage potential of each event are made. The FEA process is a
fundamental part of developing an installation Quantitative Risk Assessment (QRA) model and can either be
undertaken as part of the QRA or as a stand alone exercise providing input to the QRA.
Detailed information on plant layout, fire areas, hazardous areas, flammable inventories, fire and safety
equipment layout, passive fire protection location, fire water piping runs and any other pertinent data.
Deliverables
All potential fire and explosion events are identified and a number subjected to more detailed evaluation.
Requirements for the essential safety systems to manage fire and explosions and for EER are identified.
Overlap
ESSA, EPR, SIA, SCA, FIREPRAN are all components of the FEA as necessary. The FEA utilises PEM.
Further Information
There is not a specific guideline on FEA, it is a collective term describing a process, which utilises a number
of techniques including PEM.

FIREPRAN
Objective
A structured review technique for the review and assessment of:
1. hydrocarbon release and combustion related risks in a facility
2. the fire and explosion control and recovery preparedness measures in place.
3. the capability to meet the performance standards set and satisfy the objectives and criteria set for the
management of fire and explosion hazards.
To identify deficiencies and opportunities for improvement in order to meet objectives with respect to fire
and explosion management. FIREPRAN is not suited to complex, compact integrated facilities.
Method
A multi-disciplined team uses a structured HEMP compatible approach to identify hazards related to
hydrocarbon releases and explosions and develops a hazards and effects hierarchy. The hazard control
measures and related hazardous events mitigation and recovery measures are recorded in a hazards and
effects register. Potential fire and explosion scenarios are developed enabling review of the resources needed
to respond effectively to these incidents. Resources needed to respond effectively to fire and explosion
hazardous event scenarios are compared with those already in place. Results are presented with
opportunities for improved risk reduction measures as appropriate to plant criticality.
Process flow schemes, plot plans, plant layouts and hazardous area drawings
Fire system and fire water piping drawings, fire areas, equipment layout, fire and blast walls and passive
fire protection drawings
Operating and maintenance philosophies
Deliverables
This technique permits the identification of hazards as well as potential, related fire and explosion scenarios.
It assists line management in the process of developing realistic, cost effective, control and recovery
measures which can be justified in terms of reducing risks to personnel, environment, assets and production,
to tolerable levels. Deliverables take the form of a hazards and effects register, fire and explosion scenario
development sheets and a set of recommendations for actions needed to achieve tolerable risk levels.
Overlap
HAZOP, QRA (for complex studies).
Further Information
EP HSE Manual, FIREPRAN, EP 95-0350.

HAZID (Hazard Identification)
Objective
To identify at an early stage in a green or brownfield project or development plan the major Hazards which
must be removed or managed.
Method
A multi-disciplined team review of the overall project development proposal (including infrastructure) plant
design and operation together with its impact on the local environment. The study uses a step-by-step
methodology and a checklist of guide words to identify hazards and assess the influence these hazards may
have on the project development strategy and design philosophy. The scope will encompass both current and
future life cycle issues.
Information pack on project, its potential scope and environmental issues. All available conceptual and
preliminary drawings and development plans.
Input of major hazards identified to Hazards and Effects Register together with recommendations in priority
order.
An initial statement on hazard manageability and assurance needs.
Further Information
EP HSE Manual, HAZID, EP 95-0312.
HAZOP (Hazard and Operability Study)
Objective
To identify the Hazards, Effects and Operability problems relating to the process design and intended
method of plant operation which must be removed or managed in the operation.
Coarse HAZOP - Early study to identify basic flaws in design which would be costly to correct later.
Main HAZOP - Primary vehicle for identification of hazards, effects and operability problems. Held
when the front end engineering design is almost complete so that systems can be covered in detail.
Final HAZOP - Coverage of those systems not sufficiently developed for consideration in the Main
HAZOP, particularly vendor data, and a formal review of action responses to previous HAZOPs.
Procedural HAZOP - Identification of hazards and operability problems arising from procedures such as
commissioning, maintenance and other non-continuous procedures.
Health and environmental aspects must be included on the same basis as safety.
Method
A multi-disciplined team review using a structured step-by-step methodology with the application of
parameter and guide word combinations to sections (nodes) of the system to identify hazards and operability
problems normally with a facility but also with procedures.
Coarse HAZOP - Large nodes concentrating on major issues, requires a team of experienced senior
engineers. The recommendations from a Coarse HAZOP may involve significant changes to the design.
Main HAZOP - Rigorous application of the technique to relatively small nodes, requires a team of
experienced engineers with extensive project experience.
Final HAZOP - Rigorous application of the technique to relatively small nodes, requires similar team as
for Main HAZOP with the addition of vendor representatives. At this stage recommendations should be
concentrated on will it work rather than it would improve the safety of design to have.
Procedural HAZOP - Application of specialised guide words to operating procedures, requires a team
similar to that for main HAZOP with greater emphasis on operational personnel.


Coarse HAZOP - Basic layouts, process flow schemes (PFSs) and any operating/control philosophies
that are available.
Main HAZOP - Process and Utility Process Engineering Flow Schemes, (PEFSs, UEFSs) Operating and
Control Philosophies, Cause and Effect Diagrams, Process Safeguarding Drawings, line lists, alarm and
trip settings.
Final HAZOP EFSs and Vendor drawings, data, previous HAZOP findings and responses and any design
changes since last HAZOP.
Procedural HAZOP - As for Main HAZOP and Operating Procedures.
(Continued on next page)
HAZOP (continued)
Coarse HAZOP - Recommendations for adjustment to design options, QRA studies and other supporting
investigations. A risk ranking may be given to assist in prioritising the actions. This list may be
incorporated into the Hazards and Effects register for the project.
Main HAZOP - Recommendations to amend the design to remove or reduce hazards and operability
problems. Categorisation of the recommendations into approximate risk groups to assist in prioritising
the actions. This list should be used to update the Hazard register for the project.
Procedural HAZOP - Recommendations to amend the procedures to remove or reduce hazards and
operating problems. This will allow Safety Critical Procedures/Operations to be identified.
Overlap
HAZOP is a stand alone process hazard and operability problem identification and assessment (qualitative)
tool.
Further Information
EP HSE Manual, HAZOP, EP 95-0313.

Health Risk Assessment (HRA)
Objective
The identification of health hazards in the workplace and subsequent evaluation of risk to health, taking
account of existing control measures. Where appropriate, the need for further measures to control exposure
is identified.
Method
HRA consists of a number of steps:
Step 1 Define management's role and responsibilities and allocate resources
Step 2 Define structure for implementation (identify assessment units; assessment team; job types; tasks;
hazardous agents)
Step 3 For each job type gather information on agents and their harmful effects; nature and degree of
exposure; screening and performance criteria
Step 4 Evaluate the risk to health (assign severity rating and exposure rating)
Step 5 Decide on remedial action
Step 6 Record the health risk assessment
Step 7 Review the health risk assessment.
Detailed information on hazards and effects (e.g. toxic properties of chemicals); exposures (e.g. exposure
levels to toxic chemicals); performance of existing controls; information from health surveillance records,
etc.
Deliverables
HRA, as a tool for use as party of a company's HEMP, assists to identify, evaluate and control health risks
related to the company's operations to a level 'as low as reasonably practicable'. The recommendations
emerging from the HRA provide the input into the HSE Management System to ensure ongoing control of
health risks and continual improvement in health performance.
Further Information
SHSEC Guide (Ref. 2) and references contained within that document.

Job Hazard Analysis (JHA)
Objective
Identification of potential problems within a job task that could lead to hazardous situations. Elimination or
reduction of the hazard by development of safe working procedures.
Method
The method is derived from Task Analysis. It is a structured step-by-step team analysis of the job. Initially
the job is broken down into individual steps which are then analysed sequentially to identify potential
injuries to personnel, damage to equipment and pollution of the environment. The controls and preventative
measures are considered and if found to be inadequate remedial recommendations are made. Consideration
is also given to the establishment of recovery measures if necessary.
Job description, plans and drawings. Historical records of accidents and near misses. Team members with
technical competence relevant to the job being analysed.
Deliverables
Step-by-step analysis of each job highlighting potential departures from normal practice, with associated
hazards and recommendations for remedial action. The analysis also identifies the accident prevention
responsibilities for key personnel. The report can also be used as the basis for the development/ modification
of operating/working procedures.
Overlap
Job Hazard Analysis is a stand alone technique but is often used in configuration with PTW system.
Further Information
EP HSE Manual, Job Hazard Analysis, EP 95-0311.

Physical Effects Modelling (PEM)
Objective
To model the physical behaviour of the potential release of a hazardous fluid or substance and subsequent
related events to determine a measure of the effect, in terms of loading, on people, the environment and
assets for each potential outcome.
Method
The physical effects, such as dispersion, explosion over pressures and heat radiation are calculated as input
to assess potential extent of loss of life or damage. Use of step-by-step modelling allows potential escalation
scenarios to be assessed.
Detailed information on: physical properties, such as density and toxicity; environmental factors, such as
wind velocity, humidity ambient temperature, and geometrical obstructions, confinement, etc.
Information on process flows and any mitigating measures, such as inventory ESD or blowdown systems.
Access to sophisticated consequence modelling computer programs, e.g. FRED, HG SYSTEMS and
SCOPE.
Deliverables
Data on the potential consequential loadings of previously identified hazardous scenarios with respect to the
potential effects to personnel, the environment and the facilities.
Overlap
Input data for Physical Effects Modelling can be generated from hazard identification techniques contained
in FIREPRAN, QRA and HAZOP.
Physical effects modelling may be used as an aid to Quantitative Risk Assessment, (QRA), FIREPRAN,
PHR, Plant Layout Methodology (PLM) and Fire and Explosion Analysis (FEA). Output from physical
effects modelling will provide input to physical response assessment (e.g. SCA) and consequent modelling.
Further Information
EP HSE Manual, Physical Effects Modelling, EP 95-0314.

Process Hazard Review (PHR)
Objective
An assessment of the safety status of existing process plant. It is intended for use when a plant has been in
operation for a considerable time and/or has undergone equipment modifications and operation changes. It is
used to provide an HSE Assurance report for ongoing operations in advance of major modifications or for
life extension evaluations.
Method
PHR is an 'expert review' led by an experienced leader, containing design engineers but heavily weighted
towards plant operators and maintenance staff. The review primarily focuses on potential causes of 'loss of
containment'.
The study progresses through the plant looking at each major equipment items, applying a leader's checklist
(aide-mmoire) of causes of loss of containment. The current design and operation of the plant is assessed
and a critical examination made of the revision history to identify any causes of release resulting from
changes to the design and operation of the equipment item since commissioning.
The team also reviews any hazards arising from variations (due to the age of the plant) from current design
or operating standards.
The technique assumes that most of the drawings are near to current status. The meetings are normally held
on the plant with regular site visits to check any details not 'as built' on drawings. The latest version of the
Process Engineering Flow Schemes (PEFS) is used as the major study document to ensure complete
coverage of the scope of the study. Additional information required includes the cause and effect diagrams
and the full revision history and incident reports for the plant together with changes in the operating
envelope and operation/maintenance procedures.
The expertise of the team is of critical importance. Where data are incomplete the PHR technique is
applicable but success relies heavily on the study team containing operating staff with considerable depth of
experience and knowledge of the plant throughout its operating life.
Deliverables
A report showing the identified hazards, their causes and the concern of the team together with
recommendations for any remedial action including, if appropriate, more detailed HAZOP in discrete areas.
Overlap
HAZOP, FIREPRAN, Technical Audit.
Further Information
SIEP.

Platform Layout Methodology (PLM)
Objective
Provision of an auditable framework within which the essential processes in the development of an offshore
platform topsides layout can be structured.
Method
Establishment of the functional shape of the facility with due regard to safety and operational
constraints
A structured approach is used to select layout preferences based on the inherent active and reactive
behaviour characteristics of equipment items with due regard for separation distances and physical
barriers
Consideration of previously identified hazardous scenarios to identify those which are highly likely to
reach adjacent areas of the facility.
Facility layout drawings and any available information from physical effect and consequence modelling.
Deliverables
A structured auditable description of the development of an offshore platform topsides layout.
Overlap
Input data from PEM and consequence modelling.
Further Information
EP 90-2500 (Ref. 9)
EP 91-1600 (Ref. 7)
EP 91-1601 (Ref. 8).
A similar document describing an onshore layout procedure is planned.

RISER
Objective
Assessment of risks of pipeline riser on or near platforms with comparative risk analysis to assess the
benefits of subsea valve installation on pipelines.
Method
The method is based on the following steps (using the information required described below):
definition of release cases using clear selection rules
failure frequency estimation (using a standard historical data set modified where needed to allow for
local factors)
consequence modelling (from release rate calculations using models for dispersion, jet fires, explosions,
etc)
impact assessment (determination of fatalities/damage and probabilities followed by event tree analysis)
risk calculation (determination of total risk for the riser system).
Platform and pipeline engineering data, personnel numbers and distribution, environmental data and
evacuation systems.
Deliverables
Data on the comparative risk expressed as Potential Loss of Life (PLL)
Overlap
Input data from hazard identification techniques such as FIREPRAN, Quantitative Risk Assessment (QRA)
and Hazard and Operability Studies (HAZOP).
Output data are used in Quantitative Risk Assessment (QRA), FIREPRAN, Plant Layout Methodology
(PLM) and Fire and Explosion Analysis (FEA).
Further Information
EP 90-1045 RISER Riser Safety Evaluation Routine (Ref.16).

SAFOP (Electrical Safety and Operability Study)
Objective
Identification of potential hazards to personnel in the vicinity of electrical systems. Critical assessment of
electrical network and plant design and analysis of operator actions to determine areas of potential operator
error. Making recommendations to eliminate or reduce risks.
Method
A multi-disciplined team and a structured step by step methodology are used.
SAFAN - Hazards present in construction, commissioning and operation of electrical systems are
examined in relation to the safety of personnel in the vicinity.
SYSOP - Examination is made of the control systems, the main items of plant and their auxiliaries in
relation to any limitations and their effects on the overall system operability.
OPTAN - Considers probable tasks to be under taken during normal and upset conditions. The usability
of equipment and clarity of instructions are reviewed with the aim of reducing the potential for human
error as low as is reasonably practicable.
Detailed electrical system design and layout drawings, control circuit diagrams, system designs and
functional specifications, and electrical system operating and emergency procedures.
Deliverables
Report detailing the findings of the audit and where necessary making recommendations categorised as
Strongly Recommended, Advice or call for further information Information Required.
Overlap
SAFOP is a stand alone technique but it has some overlap with Job Hazard Analysis EP 95-0311, Human
Factors Analysis EP 95-0324 and Procedural HAZOP.
Further Information
DEP (Ref. 5) under preparation. Until release consult Electrical Engineering. Refer to SIEP.

Smoke Ingress Analysis (SIA)
Objective
Determination of the rate of build-up of gases and smoke in and around designated Temporary Refuges
(TRs) and the effect this will have on TR integrity and the ability of occupants to survive. The SIA is an
integral part of Escape Evacuation and Rescue Analysis/Temporary Refuge (EERA/TR) but is so significant
that it has been documented separately.
Method
Input on the type size and duration of potential fires is taken from the Fire and Explosion Analysis (FEA).
Each scenario will then be analysed to determine the concentration of smoke and gases at the boundary of
the TR and subsequently the build-up inside and around the TR. Consideration is given to the dilution and
dispersion effects that may occur between the fire source and the TR. Assessment is also made of the leak
paths and any localised over or under pressures caused by wind effects in order to determine the rate of
ingress to the TR. If available, actual installation test data are used to increase the realism of the SIA.
Installation layout drawings, details of TR construction and the details of the fire scenarios from the FEA .
Leak test data for the TR.
Deliverables
Identification of scenarios that have the potential to effect significantly the TR in terms of smoke or gas
ingress at build-up rates which would impair TR integrity or impact on the emergency response capability.
Overlap
The results from the SIA are be used in TR/EERA analyses.
Further Information
Shell Expro document EN/066 (Ref. 26).
Note:
There are several practical and theoretical problems with the methodology in EN/066. The model is
written in Supercalc 5 which is not a Shell-supported package and there may be considerable
difficulty in running the software. Expro are planning to revise EN/066 to provide guidance on
smoke, heat, CO and low oxygen impairment of the TR. This work is planned to also overcome the
technical limitations of the current methodology and to incorporate results of relevant research in
these areas.

Structural Consequence Analysis (SCA)
Objective
Assessment of the response of a structure under fire conditions. Determination of the extent of any failure
under fire loading and, if necessary, proposal of remedial measures.
Method
Coarse analysis is based on determining the time to failure of the structure from linear elastic techniques.
This analysis determines those structures which are critical and which should be the subject of more
detailed analysis.
Detailed analysis is based on non-linear analysis methods. These allow the true collapse load of the
structure to be estimated by modelling elastic-plastic behaviour of the structure at elevated temperatures.
The USFOS analysis program may be used for these studies.
Details of potential fires from FEA , data on the type and layout of existing fire protection facilities.
Detailed structural drawings.
Deliverables
Report on the ability of the structure to withstand the fire scenarios identified. This will reveal if there exists
the potential exists for fire to lead to progressive collapse of the structure or loss of the TR within the
required endurance period. If necessary recommendations for remedial actions and distribution of protective
equipment should be made.
Overlap
Input data is required from Fire and Explosion Analysis (FEA) and physical effects modelling. SCA may be
used in QRA.
Further Information
Expertise and advice should be sought from SIEP Structural engineering function.

Temporary Refuge/Escape, Evacuation and Rescue Analysis (TR/EERA)
Objective
Analysis of escape to TR, the provisions within the TR system, and Evacuation, Escape and Rescue with
respect to the major scenarios previously identified for comparison against respective acceptance standards
highlighting critical elements and revealing any shortfalls.
Method
The EERA/TRA comprises three related elements:
a goal analysis which considers how the goals for the EER process will be satisfied in likely EER
situations as a basis for determining the adequacy of the proposed arrangements
an escape and evacuation time analysis which considers the time needed to complete all phases of the
EER process under conditions which may be present when there is a need for EER
a TR impairment analysis to determine the frequency that the TR and related evacuation facilities will be
impaired.
Detailed information on the TR/EERA provisions and details of the major hazard scenarios identified.
Details of installation layout including muster stations, refuges, evacuation points and escape to sea
facilities. Input data from Fire and Explosion Analysis (FEA), Smoke Ingress Analysis (SIA) and
Emergency Systems Survivability Analysis (ESSA).
Deliverables
A formal record of the EER facilities and arrangements with details of the direct and escalated impact of the
identified hazard scenarios coupled with considerations on the likelihood of their occurrence.
Overlap
Input data required from FEA , SIA and ESSA. The results of the TR/EERA may be used in the QRA.
Further Information
Shell Expro document - EA/032 (Ref. 27) and DEP 37.17.10.11 Gen (Ref. 12).

THESIS (The Health, Environment, Safety Information System)
Objective
To provide a structured method for building, using and maintaining Safety (HSE) Management Systems and
Cases. To store Safety (HSE) Management System and Case data in an electronic relational data bank on a
computer for easy access and use and generate HSE Cases in a consistent structured manner.
Method
THESIS provides checklists, models, prompts and facilitates structured brainstorming to identify the hazards
and effects and critical activities of an operation. Once the hazards and effects and activities are identified a
process is provided to document and qualitatively assess the controls in place and identify shortfalls. It uses
workforce experience and engineering judgement to identify and qualitatively assess the HSE management
system in use. The build process is designed to provoke and facilitate discussion concerning the degree of
existing hazard control provided and how adequately HSE critical activities are performed.
Personnel with detailed working knowledge of the operation or installation for which the Case is being
prepared. Operational information about the operation or installation such as operating manuals, inspection
and maintenance manuals, equipment standards and specifications, environmental and health standards,
specifications and monitoring data.
Deliverables
Safety or HSE Case data stored on a computer in a relational data bank for easy access and use. Printed
reports are generated which provide a fully documented record of the build and assessment process carried
out including the 7 part Safety (HSE) Case document, Hazard Registers, HSE MS Specification Sheets, a list
of shortfalls and many more. Once completed, HSE specialists, managers, supervisors and operators have
the information needed at their fingertips to implement their HSE management system. They can use
THESIS to assess the HSE implications of proposed actions and changes.
Overlap
THESIS is a stand alone tool. It is designed to be complementary with other management systems such as a
maintenance management system.
Further Information
EP HSE Manual, THESIS, EP 95-0323.

Tripod-BETA
Objective
To facilitate accident or incident investigation and analysis by providing the means to assemble and
manipulate investigation information into a logical structure consistent with the Tripod accident causation
model and the hazards and effects model of SMS (HSE MS).
Method
A PC tool which provides the means to record information from the investigation, linking related
information on events, people, damage, locations, etc.
Information is transferred to a screen where it can be manipulated and linked as nodes in a BETA tree.
Nodes are classified, the connecting logic tested and anomalies flagged for amendment. Nodes are assigned
General Failure Type (GFT) classifications.
Accident or incident investigation data.
Deliverables
A draft report for final editing, presenting salient details of the events, actual and potential damage,
failures and identified causes
A BETA tree diagram
GFT profile for the accident/incident.
Overlap
Tripod-BETA is a stand-alone technique.
Further Information
EP HSE Manual, Tripod-BETA, EP 95-0321
Tripod-DELTA
Objective
The proactive identification of potential latent failures that could lead to hazardous situations and the
development of remedial actions to be taken to reduce or eliminate such hazards.
Used where there are few incidents providing information on causation therefore tries to avoid 'requiring
incidents to improve'.
Method
Development of indicator question database. These are used in the form of yes/no answer questions to
reveal the presence of General Failure Types (GFT) in the operation or organisation
Tripod-DELTA Profiling-derivation of checklists based on the indicator questions, answering of
indicator questions, analysis of answers. Results are presented as a Failure State Profile. The analysis
identifies those areas where remedial action is required.
Access to personnel with detailed working knowledge of the operation or organisation being analysed.
Deliverables
The Failure State Profile indicates the extent to which each of the 11 GFTs is present in the system under
study. This allows remedial actions to be prioritised.
Overlap
Tripod-DELTA is a stand alone technique.
Further Information
EP HSE Manual, Tripod-DELTA, EP 95-0320



APPENDIX V
EXAMPLE OF FURTHER DEFINITION OF CONSEQUENCE -
SEVERITY RATING FOR RISK MATRIX
Table V.1 Example of further definition of consequence - severity rating for risk matrix
Severit People Assets*, Equipment
y
Injury Health
Potential Definition Potential Definition Potential Definition
Impact Impact Impact
0 No injury No injury or damage to health No injury No injury or damage to health No No damage to
damage equipment
1 Slight Not detrimental to individual Slight injury Not affecting work performance Slight No disruption to
injury employability or to the or causing disability. damage the process,
performance of present work -Agents which are not hazardous minimum cost of
to health repair (below
$10,000)
2 Minor Detrimental to the performance Minor Affecting work performance, Minor Possible brief
injury of present work, such as injury/ such as restriction to activities damage disruption of the
curtailment of activities or illness (Restricted Work Case) or a process;
some calendar days to recover need to take a few calendar days isolation of
fully, maximum one week to recover fully equipment for
-Agents which have limited repair (estimated
health effects which are cost below
reversible, e.g. irritants, many $100,000)
food poisoning bacteria
3 Major Leading to permanent partial Major Resulting in permanent partial Localised Plant partly
injury disablement or unfitness for injury/ disability or affecting work damage down; process
work or detrimental to illness performance in the longer term, can (possibly) be
performance of work over such as a prolonged absence restarted.
extended period, such as long from work (estimated cost
term absence -Agents which are capable of of repair below
irreversible damage without $1,000,000)
serious disability, e.g. noise,
poorly designed manual handling
tasks
4 Single Alternatively victim with Permanent - Agents which are capable of Major Partial loss of
fatality permanent total disablement or total irreversible damage with serious damage plant; plant shut
unfitness for work. Also disability or disability or death, e.g. down (for at
includes the possibility of fatality corrosives, known human most two weeks
multiple fatalities (maximum 3) (small carcinogens and/or estimated
in close succession due to the exposed repair costs
incident, e.g. explosion population) below
$10,000,000)
5 Multiple May include four fatalities in Multiple -Agents with potential to cause Extensive Total loss of the
fatalities close succession due to the fatalities multiple fatalities, e.g. chemicals damage plant; extensive
incident, or multiple fatalities with acute toxic effects (e.g. damage
(four or more) each at different hydrogen sulphide, carbon (estimated cost
points and/or with different monoxide), known human of repair
activities carcinogens exceeds
$10,000,000)
* Assets are understood as referring to: the oil and gas reservoirs, production facilities, pipelines, money, capital, and other Opco and third party
property

Appendix V Example of Further Definition of Consequence
Table V.1 Example of further definition of consequence - severity rating for risk matrix
(continued)
Severity Environment Reputation
Potential Definition Oil Contamination Potential Definition

Impact per incident Impact
(litres)
Sensitive Offshore
areas
0 No effect No environmental risk, no Several No impact No public awareness

financial consequences
1 Slight effect Negligible financial <10 0-100 Slight impact Public awareness of the
consequences, local incident* may exist; there is no
environmental risk within the public concern
fence and within systems
2 Minor effect Contamination, damage <100 100 - Limited Some local public concern;
sufficiently large to affect the 1,000 impact some complaints received;
environment, single slight local media and/or local
exceedance of statutory or political attention with
prescribed criteria, single potentially negative aspects for
complaint, no permanent effect Opco operations
on the environment
3 Localised Limited loss of discharges of 100 - 1,000- Considerable Regional public concern;
effect known toxicity, repeated 1,000 10,000 impact numerous complaints;
exceedance of statutory or extensive negative attention in
prescribed limit and beyond local media; slight national
fence/neighbourhood media and/or local/regional
political attention with possible
negative stance of local
government and/or action
groups
4 Major effect Severe environmental 1000 - 10,000 - National National public concern;
damage, the Opco is required 10,000 100,000 impact continuing complaints;
to take extensive measures to extensive negative attention in
restore the contaminated national media and/or
environment to its original regional/national politics with
state. Extended exceedance of potentially restrictive measures
statutory or prescribed limit and/or impact on grant of
licences; mobilisation of action
groups
5 Massive Persistent severe >10,000 >100,000 International International public attention;

effect environmental damage or impact extensive negative attention in
severe nuisance extending international media and
over a large area. In terms of national/international politics;
commercial or recreational use potential to harm access to
or nature conservancy, a major new areas, grants of licences
economic loss for the Opco. and/or tax legislation;
Constant high exceedance of concerted pressure by action
statutory or prescribed limit groups; adverse effects in
Opcos in other countries
The above table is an example for crude oil contamination. For other chemical discharge criteria, environmental experts should be consulted.
Incidents relating to air, noise, small, light and soil vibrations should be addressed on the basis of expert judgement and, in the case of
uncertainty, local expertise may be called in.
* 'Incident' as used in Severity level 1 must be seen as the source of the concern for all severity levels. It is defined in the glossary but recognise
it includes an environmental problem, an event or chain of events which has caused or could have caused spills, leaks, complaints, public
concern, issue debates, failing to follow commitments and so forth.
'Public' must be seen as encompassing a wide range including 'opinion formers', e.g. environmental scientists; groups; politicians; authorities (of
various types); media (scientific general).

APPENDIX VI
WHEN TO USE QRA
Quantified Risk Assessment (QRA) is used to:
assist in reducing risks

This is done by identifying areas of high risk or identifying areas where risk can be further
reduced.
assist in option selection by ranking options in terms of risk
assess the cost-effectiveness of risk-reducing measures
assist in the demonstration and achievement of ALARP
act as an aid to communication with the workforce and third parties regarding their impact
on risk and their exposure to risk
indicate whether or not risks are tolerable
comply with legislation and company policy.
Guidance is given below which addresses the cases when QRA is likely to be of benefit and when it
is not. Each individual case should be treated on its merits. Further advice is given in EP 95-0352.
VI.1 Projects for Which QRA is Likely to be Beneficial

VI.1.1 Project identification phase - comparative coarse QRA
All projects onshore or offshore for which several options have been identified which are considered
to have significantly different risks. A risk assessment should be undertaken early in a project
development (in some cases this may be during the prospect stage, if for instance, novel technology is
used). A comparison of risks associated with, for example, onshore versus offshore processing,
manned versus unmanned facilities, platform versus subsea installation, location and operating
strategy of onshore installations, etc may be effectively studied using QRA.
VI.1.2 Definition phase - project specification - detailed QRA

During the definition phase, a more detailed risk assessment may be required to:
(i) assist with final major decision-making with respect to design options
(ii) provide a basis for further design optimisation during completion of conceptual engineering and
detailed engineering and (ultimately) to reach risk levels regarded as As Low As Reasonably
Practicable (ALARP)
(iii) confirm to senior management, shareholders and the Regulator that risk criteria will be achieved.
At the end of detailed engineering, i.e. when all optimisation has been completed, the risk assessment
is issued in the form of a final report for input to the HSE Case. This is intended to demonstrate that
the risk criteria have been achieved and this risk is as low as reasonably practicable.
The above is particularly applicable to:
all offshore permanently manned installations

Appendix VI When to use QRA
This is the case unless the layout is so well spaced-out that the workforce is for the majority of the
time outside the maximum effect area of the high pressure hydrocarbon production/process
facilities and the risk of escalation is considered to be negligible.
onshore plants
This is where the public is within the maximum effect radius and/or where the plant is complex
and the hydrocarbon processing equipment cannot be spaced to minimise the risk of escalation.
studies to compare transport and manning philosophy options

If the option under development has significantly different operating philosophies to those
considered during the comparative QRA in the project identification phase.
VI.1.3 Operations Phase

Existing facilities
Any facility or operation which is considered to be safety critical and for which there are doubts as to
whether or not the risks have been reduced to as low as reasonably practicable. A QRA study would
assist in the identification of high-risk areas and the ranking of risk reduction measures, identify the
need for modifying the operating philosophy (e.g. MOPO), and increase the awareness of the
workforce of the risks they are exposed to and have influence over.
Upgrades to existing facilities

Plant modifications which will result in significant risks during construction and/ or which are
expected to increase significantly the risk level during operations. The need for an additional or
revalidated risk assessment at the time of proposed upgrades or refurbishments has to be considered.
In cases where the proposals are viewed as having a minimal impact on safety or asset integrity, no
additional work will be necessary. However, for some modifications the earlier risk assessment will
require reviewing and additional risk assessment may be required.
VI.2 Projects for Which QRA is not Likely to be Beneficial

QRA would not usually be used for Not Normally Manned offshore installations and onshore
facilities, except in connection with the determination of the operating philosophy unless:
the equipment spacing allows escalation

the facility has a high strategic or asset value
there are environmental concerns
the public is in permanently occupied areas within the maximum effect radius
it is a legal requirement
several expensive risk reduction measures have been identified whose relative effectiveness is not
obvious.
In other cases, physical effects modelling combined with other non-quantitative methodologies may
be sufficient to manage the hazards.

GLOSSARY
The general glossary for the EP HSE Manual is now in a separate Section EP95-0010 Glossary.

Glossary

References
REFERENCES
1 MF 92-0130 Issue 4, Technical HSE Reviews and Fire Safety Reviews: Checklists Planning
and Execution, Shell Manufacturing Division, March 1995.
2 Health Risk Assessment, SHSEC, September 1994.
3 ISBN 0 11 430020, Understanding Stress - Part Two Line Managers' Guide, HMSO, June
1992.
4 Chemical Hazards: Health Risk Assessment and Exposure Evaluation, SHSEC, 1995.
5 SAFOP DEP (under preparation).
6 EP 92-1020, Guidelines for Risk Assessment Data Sheets, SIPM, 1992.
7 EP 91-1600, Layout Considerations for Offshore Topsides Facilities, Volume II, Step by Step
Procedure and Template, SIPM, 1991.
8 EP 91-1601, Layout Considerations for Offshore Topsides Facilities, Volume III, 'Ariadne'
Demonstrator, SIPM, 1991.
9 EP 90-2500, Technology Development, Layout Considerations for Offshore Topside Facilities,

SIPM,1990.
10 DEP to be prepared, Onshore Layout Methodology.
11 EN/074, Hazard Identification and Assessment, Shell Expro.
12 DEP 37.17.10.11 - Gen, Design of Offshore Temporary Refuges,
13 EP 94-0101, ASPIN Version 1.1 Pipeline Failure Risk Assessment, User Manual, Worked
examples, December 1993.
14 EP 94-0102, ASPIN Version 1.1 Pipeline Failure Risk Assessment, Reference Manual,
December 1993.
15 EP 94-0195, Simplified Method for Pipeline Risk Ranking, Version 2.0, January 1994.
16 EP 90-1045, RISER: Riser Safety Evaluation Routine, SIPM, April 1990.
17 Ionising Radiation Safety Guide, SSHC, November 1993.
18 DEP 00.00.05.05-Gen, Index DEP Publications and Standard Specifications, SIPM.
19 Medical Emergency Guidelines for Management, SHSEC, November 1994.
20 HSE 94023, Medical Emergency Guidelines for Health Care Professionals and First Aiders,
January 1995
21 HSE 94023a, Guidance to First Aiders, January 1995.
22 Standards for Clinical Services, E&P Forum.

23 EP 95-7000 EP Business Model (Version 3.0) Flowcharts and Description of Process Activities,
SIEP, 1995.
24 DEP 31.40.60.11 - Gen, Pipeline Leak Detection, September 1994.
25 EA/083, Explosion Protection of Offshore Installations, Shell Expro.
26 EN/066, Methodology of Assessing Smoke/Gas Ingress to Offshore Modules, Shell Expro.
27 EA/032, Escape, Refuge, Evacuation and Rescue - Offshore Installations, Shell Expro.
28 HSE MS, E&P Forum, 1994.
29 EP 92-0945, Business Process Management Guideline, SIPM EPO/72, June 1992.
30 ISBN 0 11 8859889 Successful Health and Safety Management UK Health and Safety
Executive, HMSO, 1991.
31 ISO/CD 14.690, Health, Safety and Environmental Management System (Draft).
32 Incident Investigation and Analysis Guide (Revision of Accident Investigation), SHSEC,

August 1993.

Hazard. Norma Shell. Shell Standard

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Hazard. Norma Shell. Shell Standard

Transféré par

Droits d'auteur :

Formats disponibles

Shell International Exploration & Production B.V.

Revision 0: 16 October 1995

Section Number: EP 95-0300

Section Title: Overview Hazards and Effects Management Process

Rev Chapter Description to amendment Date Amended by

2.4 Risk 8 4.3 Record Hazards and Effects 26

2.5 Fault and Event Trees 9 4.3.1 Records 26

3.2.2 Activities: planning and 4.5.2 Control of release of hazards

3.3 Approaches to the Hazards and 4.5.3 Recovery preparedness

3.3.1 Experience/judgement 14 Appendix I Activities: Planning

EP 95-0300 Revision 0: 16 October 1995 i

Appendix III Hazards and Effects

Appendix IV Structured Review

Appendix V Example of Further

Appendix VI When to use QRA 76

ii EP 95-0300 Revision 0: 16 October 1995

The objectives of Volume 3 are to:

provide a general overview of the Hazards and Effects Management Process

This document, EP 95-0300, provides an overview of Volume 3 and describes:

1.1 Elements of the HSE Management System

Leadership and Commitment

EP 95-0300 Revision 0: 16 October 1995 1

1.2 Tools for the Hazards and Effects Management Process

1.2.2 Application and competence

2 EP 95-0300 Revision 0: 16 October 1995

2 HAZARDS AND EFFECTS TERMINOLOGY

2.1 Hazards, Effects and Incidents

EP 95-0300 Revision 0: 16 October 1995 3

2.2 Threats and Barriers

Barriers may be physical (shields, isolation, separation, protective devices) or non-physical

2.3 Consequences, Mitigation and Recovery Preparedness

4 EP 95-0300 Revision 0: 16 October 1995

Figure 2.1 Terminology: acute or incidental release (safety example)

Rupture and Leak

First Hazardous Event

Inspection Corrosion Detection Detection Plant Detection

Threat Barriers Recovery Preparedness Measures

EP 95-0300 Revision 0: 16 October 1995 5

Figure 2.2 Terminology: chronic or routine release (environmental example)

Examples: Treatment system

First Hazardous Event

Auto Level Procedures Alarm System Divert to Plant Clean-up

Threat Barriers Recovery Preparedness Measures

6 EP 95-0300 Revision 0: 16 October 1995

Figure 2.3 Terminology - Chronic or Routine Release (Health Example)

First Hazardous Event

* OEL Occupational Exposure Limit

Threat Barriers Recovery Preparedness Measures

EP 95-0300 Revision 0: 16 October 1995 7

Figure 2.4 Cause consequence diagram (bow tie)

8 EP 95-0300 Revision 0: 16 October 1995

2.5 Fault and Event Trees

2.6 Likelihood and Consequence (or Effect)

EP 95-0300 Revision 0: 16 October 1995 9

This page intentionally left blank

10 EP 95-0300 Revision 0: 16 October 1995

3 HAZARDS AND EFFECTS MANAGEMENT

1. Identify Hazards and Potential Effects

Step 1: Identify hazards and potential effects

Step 2: Evaluate risks

Step 3: Record hazards and effects

HSE MS Activities Catalogue

EP 95-0300 Revision 0: 16 October 1995 11

Step 4: Compare with objectives and performance criteria