ABU DHABI NATIONAL OIL COMPANYHEALTH SAFETY AND ENVIRONMENTAL MANAGEMENT MANUAL OF CODES OF PRACTICE VOLUME 5 : RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS GUIDELINE ON RISK ASSESSMENT & QUANTITATIVE RISK ASSESSMENT (QRA) ADNOC-COPV5-03 HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November, 2005 Page 1 of 42 RECORD OF REVISION Revision No. Date Section/Page Reason Copyright The copyright and all other rights of a like nature in this document are vested in Abu Dhabi National Oil Company (ADNOC) Abu Dhabi, United Arab Emirates. This document is issued as part of the Manual of HSE Codes of Practice (the “Manual”) and as guidance to ADNOC, ADNOC Group Companies and independent operators engaged in the Abu Dhabi oil & gas industries. Any of these parties may give copies of the entire Manual or selected parts thereof to their contractors implementing HSE standards in order to qualify for award of contracts or fir the execution of awarded contracts. Such copies should carry a statement that they are reproduced by permission of ADNOC, and an explanatory note on the manner in which the Manual is to be used. Disclaimer No liability whatsoever in contract, tort or otherwise is accepted by ADNOC or any of its Group Companies, their respective shareholders, directors, officers and employees whether or not involved in the preparation of the Manual for any consequences whatsoever resulting directly or indirectly from reliance on or form the use of the Manual or for any error or omission therein even if such error or omission is caused by a failure to exercise reasonable care. All administrative queries should be directed to the Manual of HSE Codes of Practice Administrator in: Environment Health & Safety Division, Supreme Petroleum Council, Abu Dhabi National Oil Company, P. O. Box : 898, Abu Dhabi, United Arab Emirates. Telephone : (9712) 6023782 Fax: (9712) 6668089 Internet site: www.adnoc.com E-mail:
[email protected] HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November, 2005 Page 2 CONTENTS PAGE I. PURPOSE ............................................................................................................... 3 II. DEFINITIONS.......................................................................................................... 3 III. EXISTING LAWS .................................................................................................... 6 1. INTRODUCTION..................................................................................................... 7 2. THE RISK ASSESSMENT PROCESS................................................................... 8 3. HAZARD IDENTIFICATION ................................................................................... 9 3.1 Principles of Hazard Identification .............................................................. 9 3.2 Hazard Identification Techniques.............................................................. 10 3.2.1 HAZOP............................................................................................... 10 3.2.2 HAZID ................................................................................................ 10 3.2.3 Task Risk Assessment .................................................................... 11 3.2.4 Check-lists ........................................................................................ 11 3.2.5 Failure Modes and Effects Analysis............................................... 11 3.3 Hazard and Operability Studies (HAZOP)................................................. 12 4. CONSEQUENCE ANALYSIS............................................................................... 18 4.1 Principles of Consequence Analysis and General Guidance ................ 18 4.2 Source Terms .............................................................................................. 19 4.3 Gas Dispersion............................................................................................ 20 4.4 Fire Hazards................................................................................................. 20 4.5 Explosions ................................................................................................... 22 4.6 Toxic Effects and Control Measures......................................................... 24 4.7 Escalation .................................................................................................... 25 5. QUANTIFICATION OF EVENT PROBABILITIES AND RISK............................. 27 5.1 Event Frequency/Probability Estimation.................................................. 27 5.2 Fault Trees ................................................................................................... 27 5.3 Event Trees.................................................................................................. 29 5.4 Basic Data .................................................................................................... 30 5.5 Presentation of Risk ................................................................................... 32 5.6 Individual Risk............................................................................................. 33 5.7 Risk Contours.............................................................................................. 33 5.8 Potential Loss of Life.................................................................................. 33 5.9 Cumulative Frequency (F-N) Curves......................................................... 33 6. JUDGEMENT OF TOLERABILITY AND ACCEPTABILITY OF RISK................ 35 7. QUALIFICATIONS, TRAINING AND COMPETENCE......................................... 37 8. REVIEW REQUIREMENTS .................................................................................. 39 REFERENCES ........................................................................................................... 40 HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 I. Version 1 November, 2005 Page 3 PURPOSE The ADNOC Group Guidelines on HSE Risk Management [Ref. 1] and the ADNOC Code of Practice: Control of Major Accident Hazards (COMAH) [Ref. 3] provide high level recommendations regarding use of Quantitative Risk Assessment (QRA) and similar techniques by Group Companies. This Guideline on Risk Assessment and QRA complements the Guidelines on HSE Risk Management and provides technical support in both carrying out and interpreting risk studies. It focuses on ensuring that such techniques are applied in appropriate situations and that results are interpreted in a consistent manner across the Group. II. DEFINITIONS Accident See incident. Within the ADNOC Group it has been agreed that terms accident and incident are synonymous ALARP See "As Low As Reasonably Practicable". As Low As Reasonably Practicable Means to reduce a risk to a level that is as low as reasonably practicable and involves balancing reduction in risk against the time, trouble, difficulty and cost of achieving it. This level represents the point, objectively assessed, at which the time, trouble, difficulty and cost of further reduction measures becomes unreasonably disproportionate to the additional risk reduction obtained. BLEVE A boiling liquid expanding vapour explosion is typically the result of fire engulfing a pressure vessel containing volatile flammable liquid. When the vessel fails the remaining contents burn in an intense fireball. Consequence Analysis The study of the possible extent of harmful effects of potential incidents, e.g. calculation of the size of the flammable region of a vapour cloud following a spill. Deviation Where a process or procedure does not work as intended. Fault Tree Logic diagram describing all the potential causes and event chains that lead to a specific incident scenario termed the top-event. FMEA Failure Modes and Effects Analysis [1] ADNOC Group Guideline ‘HSE Risk Management’, March 2000. [3] ADNOC Manual of Codes of Practice: ‘Control of Major Accident Hazards (COMAH)’, ADNOC-COPV5-01. physical effect. • Service vessel colliding with or otherwise affecting offshore installations . severe or catastrophic consequences (as defined in ADNOC Risk Management Guideline). illness. controlling or mitigating the risks from Major Accident Hazards or occupational hazards with the potential for critical. flammable or toxic substances. It can apply to equipment.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. injury. or condition with potential to harm people. Note: Examples of ‘Major Accidents’ would include. assets.g.g. records. procedures. propane) or low temperature (e. company reputation or third parties. HAZOP Hazard and Operability – a study in the context of hazards and effects management Heavy Gas A gas with a density greater than air due to either high molecular weight (e. the environment. The consequences may be immediate or delayed and may occur outside as well as inside the site. Incident An event or chain of events which has caused or could have caused fatality. 2005 Page 4 Hazard Any substance. management systems. but are not limited to: • Loss of containment of flammable and/or toxic fluids leading to fire. activities and tasks (and the competencies required for these tasks). methane boil off from a liquefied natural gas spill) HSE Health. Safety and Environment HSE-Critical Of particular importance to preventing. explosion and/or toxic injury • Events resulting in structural failure which could lead to further progressive collapse • Loss of stability of mobile offshore installation • Well blowouts • Ships colliding with offshore installations or onshore jetties used for bulk loading explosive. and/or damage (loss) to assets. Major Accident Major accident means an ‘Uncontrolled Occurrence’ in the operation of a site which leads to severe or catastrophic consequences to people. the environment and/or company reputation (as defined in the ADNOC Group HSE Risk Management Guidelines). property or the environment or affect on the company reputation. There will also be a high potential for escalation. accommodation/work barges alongside fixed installations. with the benefit of hindsight. etc) to prevent the potential incidents from happening. Major Accident Hazard or Major Hazard A hazard that has the potential to result in a ‘Major Accident’ QRA Quantitative Risk Assessment Quantitative Risk Assessment A structured approach to assessing the potential for incidents and expressing this potential numerically. procedures. quite preventable. QRA is not to be used to justify or encourage risk taking. plants and social . It should always be recognised that the calculated fatality (or loss) figures are based on experience. Note: These values should not be interpreted as unavoidable and acceptable losses. This includes the liabilities arising from injuries and property damage to third parties including the cross liabilities that may arise between the interdependent ADNOC Group Companies. This means that one or more pedestrian fatalities resulting from a road accident on a site (however regrettable and tragic) would not be defined as a ‘Major Accident’. road/marine product tankers The definition of ‘Major Accident’ specifically excludes ‘occupational accidents’ which have bounded.Environment – water. one or more fatalities resulting from a fall from a scaffolding platform (again regrettable and tragic) would not be defined as a ‘Major Accident’.People – injury or harm to physical or psychological health . QRA is a tool which helps to translate this hindsight into foresight (planning) in order to assist management in deciding the best approach and show ways and means (eg improved engineering.Reputation – employees and third parties. supervision. helicopters and aircraft.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. soil. In QRA statistical values are derived for potential loss of life and damage to resources and environment. . albeit possibly severe or catastrophic consequences. animals.Assets (or Revenue) – damage to property (assets) or loss of production .g. Incident investigations usually show that these ‘historical’ incidents were. Risk = Frequency x Consequences. Risk Risk is the product of the measure of the likelihood of occurrence of an undesired event and the potential adverse consequences which this event may have upon: . 2005 Page 5 • Other external hazards affecting offshore and onshore sites e. statistical failure and incident rates representing an average historical quality of management. air. Similarly. Note the difference between Risk Assessment and Task Risk Assessment in this Guidance. Scenario An idealised description of a potential incident. Uncontrolled Occurrence An event that escalates. Top Event Specific incident scenario described by a fault tree. EXISTING LAWS There are currently no specific UAE laws applicable to the control of major hazards. • Federal Law No 8 of 1980 re Regulation of Labour Relations. 2005 Page 6 Risk Analysis An imprecise term which infers the quantified calculation of probabilities and risks without taking any judgements about their relevance. [24] ADNOC Manual of Codes of Practice: ‘Guideline on HSE Definitions & Abbreviations’’. laws on protection of the environment and people are relevant in that the consequences of a major hazard may result in either adverse environmental impacts or effects on people.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. III. so that it is beyond the normal span of operations over which control can be exercised. usually in a quantitative or semiquantitative manner. They often provide input to other types of consequence models. However. . Further detail on definitions is provided in the document ADNOC Manual of Codes of Practice “Guideline on HSE Definitions and Abbreviations”. It is an evaluation of the likelihood of undesired events and the likelihood of harm or damage being caused together with the value judgements made concerning the significance of the results. recording and assessment of the risks involved in any particular operation so that appropriate controls can be introduced. ADNOC-COPV1-05. [Ref. or has the potential to escalate. Risk Assessment The process of determination of risk. Source Term Consequence models that define the rate and conditions at which hazardous material reaches the environment. Task Risk Assessment A process of formal identification. 24]. Relevant legislation includes: • Federal Law No 24 of 1999 for the Protection and Development of the Environment. • Techniques for evaluating the consequences of hazards reaching their potential (Section 4). . Version 1 November. training and competence necessary for personnel engaged in risk assessment and quantitative risk assessment activities (Section 7). • Guidance on judging the tolerability and acceptability of risk. The ADNOC Codes of Practice on ‘Health. ADNOC-COPV1-02. including the practical use of ALARP (Section 6). 3] specify requirements for identifying hazards. The assessment can be qualitative (where hazard frequency and consequences are assigned to generic categories). 2005 Page 7 INTRODUCTION This Guideline provides technical support in both carrying out and interpreting qualitative and quantitative risk studies. • Techniques for evaluating the likelihood of hazards reaching their potential (Section 5). • Review and update of risk assessments and quantitative risk assessments (Section 8). • The qualifications. • Hazard Identification Techniques . and quantitative (where a numeric "best estimate" of risk is calculated).HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 1. It focuses on ensuring that such techniques are applied in appropriate situations and that results are interpreted in a consistent manner across the Group. [3] ADNOC Manual of Codes of Practice: ‘Control of Major Accident Hazards (COMAH)’. semi-quantitative (where the hazard frequency and consequence categories have an explicit quantitative definition). [2] ADNOC Manual of Codes of Practice: ‘Code of Practice on HSEIA Requirements’. ADNOC-COPV5-01. This Guideline will assist Group Companies to fulfil these requirements. This Guideline covers: • The overall risk assessment process that should be used in any application of risk assessment techniques (Section 2). assessing risks and demonstrating that necessary measures have been taken to reduce risks to as low as reasonably practicable (ALARP). Safety and Environmental Impact Assessment (HSEIA) Requirements’ [Ref. It also covers the use of some technical and analytical tools that may be useful Risk Assessment is the process of evaluating identified hazards by determining the likelihood of the hazard and its consequences.the first stage of a risk assessment (Section 3). 2] and ‘Control of Major Accident Hazards (COMAH)’ [Ref. . tools and presentation to answer the question and will often make interpretation of the results much easier. Version 1 November. or individual stages can be used separately to help in making specific decisions. 2. This will facilitate adoption of the best approach. Summation of scenarios to produce a measure of risk (Section 4) 6.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 2. Identification of hazards and definition of representative scenarios for study (Section 2). Calculation of the probability of potential scenario outcomes (Section 4) 5. Interpretation of the calculated risk to draw relevant and practical conclusions (Section 5) These stages can be used together. Analysis of the potential consequences of each scenario (Section 3) 3. 2005 Page 8 THE RISK ASSESSMENT PROCESS The risk assessment process can be broken down into six broad stages: 1. It is recommended that Group Companies clearly define the question that the risk assessment is trying to answer. Calculation of the expected frequency of each scenario (Section 4) 4. prior to carrying out the work. HAZARD IDENTIFICATION 3. Structured: The procedure used should ensure that adequate attention is given to all parts of the plant. The action tracking system should record all data necessary to ensure that the action is properly closed out including: .2. modifications to plant. damage to the environment and damage to property. including further actions and recommendations that may result from detailed studies. hazard The technique selected for a particular application should take account of the specific requirements of that application. procedures or other items under study and that nothing is missed. • Modify operational procedures. prevented or controlled. especially the end use of the hazard identification process. Once hazards are identified they can be assessed and if necessary avoided. • Carry out more detailed assessments. Hazard identification techniques used by Group Companies should be: Formalised: The hazard identification should be carried out according to a documented procedure. Typically. a hazard identification type study will result in a series of actions such as the requirement to: • Modify the design of plant. procedures or An appropriate action tracking system should be used to ensure that all actions are carried out and closed out in a timely fashion. 2005 The aim of hazard identification is to identify all relevant potential causes of harm to people. Some common hazard identification techniques are summarised in Section 3. Thorough: The hazard identification process should be complete within a boundary. Repeatable: Experienced personnel carrying out the same identification exercise should furnish similar results.1 Principles of Hazard Identification Version 1 November. • Modify maintenance procedures. The goal of the hazard identification should be clearly defined.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Page 9 Document No: ADNOC-COPV5-03 3. which should be defined beforehand. The output of the hazard identification process should be followed up to ensure that risks are assessed and control measures implemented as appropriate. • Evaluate the need for maintenance activities. HAZOP typically focuses on detailed piping and instrument diagrams (or their equivalent) and operational and maintenance procedures. 3. Experience has shown that the effort required to close out all actions from a hazard identification study usually exceeds the effort required to organise and carry out the study itself.1 HAZOP Hazard and Operability Study or HAZOP is probably the most widely used hazard identification technique in the oil and gas industry worldwide. 3. 3. the first step in a comprehensive risk assessment.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. ADNOC recommend use of HAZOP during the design and modification of all major hazard plant and of all plant that is HSE-critical.2. • The proposed response of the respondee to fulfil the action. whereas HAZID typically focuses on . • Verification that the proposed response has been carried out. It uses a series of guidewords to prompt study participants to identify possible hazards and their causes and consequences by using their imaginations. • The date by which the action must be completed. Further guidance on the technique is given below.2 Hazard Identification Techniques This section gives a brief overview of some commonly used hazard identification techniques. • Authorisation for the proposed response. It focuses on the strengths. • The person responsible for carrying out the action (the respondee). which may be initiation of a design change or similar under the Group Company change management process. 2005 Page 10 • The action and its context. weaknesses and limitations of each so that the right technique can be selected for each application. It is carried out by a multi-disciplinary team to ensure maximum input of experience. HAZOP will identify potential operability deficiencies as well as hazards. Use of an efficient action tracking system will facilitate processing. including independent audit or verification. The output of the hazard identification may also define incident scenarios.2.2 HAZID Hazid is similar to HAZOP in that it uses guidewords to prompt study team members to identify hazards by using their imaginations. The system used should be defined in the Group Company HSE Management System and should be subject both to regular management monitoring and review. management and close-out of the actions. HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. American Institute of Chemical Engineers Center for Chemical Process Safety). 4]. 3. 1992. [4] ADNOC Manual of Codes of Practice: ‘Framework of Occupational Safety Risk Management’. 5] considers each item of equipment or operation in turn and evaluates the consequences of each failure mode in turn. It provides a mechanism for going through the activities in a systematic way and identifying potential hazards at each stage. as it aims to identify intrinsic hazards.2. ADNOC-COPV5-01. or from complex interactions. nor where the main danger comes from the properties of hazardous materials. It is not recommended for general use as a hazard identification method.2. 2005 Page 11 plant layout drawings. However. HAZID is also the technique of choice for identifying hazards as the first stage of demonstration of ALARP.5 Failure Modes and Effects Analysis Failure mode and effects analysis (FMEA) [Ref. They are not effective in identifying hazards arising from either the application of novel technology. It will specify those aspects of plant or operations that require attention from the point of view of safe design.2. regulations and past incidents. . 3. 3]. 3.4 Check-lists A check-list is a list of hazards that may be associated with particular plant or operations. Further details and guidance can be found in the Code of Practice on ‘Framework of Occupational Safety Risk Management’ [Ref. [3] ADNOC Manual of Codes of Practice: ‘Control of Major Accident Hazards (COMAH)’. Checklists are derived from industry codes of practice. as required by the ADNOC Code of Practice on ‘Control of Major Accident Hazards (COMAH)’ [Ref. The best use of FMEA is as a supplement to HAZOP by application to specific equipment. such as package units. The review is conducted at the job site. so that the potential for interaction with other ongoing activities and the effect of local conditions can be included. It provides a thorough investigation of the causes and consequences of single failures and is useful where the main danger comes from equipment failure. [5] Guidelines for Hazard Evaluation Procedures. Second Edition.3 Task Risk Assessment Task Risk Assessment is a review undertaken by personnel prior to carrying out work activities. HAZID can be very useful at an early stage of a new design so that all potential hazards can be taken into account. They are helpful in ensuring designers address hazards that are known and obvious. ADNOC recommends use of task risk assessment prior to carrying out all non-routine activities which are HSE-critical. ADNOC-COPV4-01. it is not so effective in dealing with complex interactions where more than one failure can occur at a time. Planning The length of time required to complete a HAZOP depends on the number of sections or procedures to be reviewed and also on their complexity. Institution of Chemical Engineers. For many projects. 2000. 6]. A Guide to Hazard and Operability Studies [Ref. Chemical Industries Association. [Ref. but not so far advanced that any necessary changes cannot be included. • Planning. M. Crawley. 2005 Page 12 Hazard and Operability Studies (HAZOP) Hazard and Operability Study (HAZOP) is a detailed method for systematic examination of a well-defined process or operation. but can be minimised by careful planning. the optimum time to carry out the main HAZOP will be after the end of front-end engineering design. HAZOP studies may also be carried out in later stages of a project. care must be taken in dividing the work between the two teams.3 Version 1 November. Tyler. The key elements of any HAZOP study include: • Timing. or to examine specific issues of construction or commissioning. [7] HAZOP: Guide to Best Practice. [6] A Guide to Hazard and Operability Studies. because of changes during detailed design. . 7]). to provide input to concept selection. • Study team. F. and the United Kingdom Institution of Chemical Engineers'. However the general principles of the technique can be applied to any system.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 3. Nor should a HAZOP be carried out so late that the design cannot be modified to incorporate the findings of the study. In such cases. either planned or existing. the design is well defined. • HAZOP study method. Preston and B. Timing The timing of a HAZOP is critical to its success and to facilitate implementation of its findings. A HAZOP should not be carried out so early that the design is still fluid. The most common application of HAZOP is to process equipment. including heating and ventilation systems and electronic logic systems. • Recording. At this stage. as this will lead to ambiguities in applying the technique and confusion amongst the participants. 1977. Detailed descriptions of the technique are available from authoritative reference works (see for example the Chemical Industries Association's. Some overlap is inevitable to ensure that the interfaces are fully covered. Some projects may require a preliminary HAZOP on process flow diagrams at concept stage. it may be necessary to utilise two HAZOP teams working in parallel for timely completion of the study. Experience from similar studies provides a good guide to the length of time required. For large projects. but before detailed design. HAZOP: Guide to Best Practice. The minimum size for an effective HAZOP team is four people. however. adequate time should be allowed to set up and test the facilities prior to the first HAZOP session. • Technical specialist. so that team members can draw attention to oversights or errors in the record at an early stage. it will be difficult for some individuals to play an effective part. This should include a breakdown of the scope into sections and will need to be based on the documentation to be studied in the HAZOP. In larger teams. comfortable and well ventilated room. HAZOP Study Team The personnel who form the core of the HAZOP team must be selected to fulfil specific roles such as: • Team leader.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. • Technical secretary (sometimes referred to as the scribe or recorder). it is recommended that an ongoing record of the HAZOP be displayed during the HAZOP session. The maximum effective size is around nine or ten. • Operations input. The plan will allow the scheduling of time to the HAZOP by designers or specialists who may need to attend study sessions on a part time basis. If such facilities are to be used. Prior to the first meeting. A single individual may fulfil two or more roles depending on experience. and many studies must be progressed as a full time activity. 2005 Page 13 Planning The length of time required to complete a HAZOP depends on the number of sections or procedures to be reviewed and also on their complexity. • HSE specialist input. This is often impractical. the HAZOP team leader should prepare a plan of the HAZOP. • Independent engineering input. In order to keep the HAZOP team fresh and focused. Experience from similar studies provides a good guide to the length of time required. . Meetings should be held in an adequately sized. Where video projection facilities are available. The team should not be interrupted except for emergencies. • Design input. the study leader must monitor team performance to ensure an acceptable standard is maintained. an ideal arrangement is to limit the HAZOP to three or four half-day sessions per week. In such cases. • Project input. • Applies good analytical thinking. Crawley. but this is not recommended for studies lasting more than one day. Project input will often be fully covered by personnel providing design input.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. In this context. these persons are likely to work on the plant when the project is completed. 2000. HAZOP studies will benefit from provision of one or more persons who have extensive design or operational experience with the type of plant under review. as well as running the process. This has the advantage that they will understand the company codes and standards that have been adopted. operations input includes all relevant operational topics such as management and maintenance. • Prior training in leading HAZOP studies. Desirable attributes of a team leader are [Ref. . Institution of Chemical Engineers. these persons are likely to already be working on the plant to be modified. • Has motivational skills including the encouragement of creativity and open speaking. Operations input is essential for the success of a HAZOP. • Prior experience as a HAZOP team member. Preston and B. M. It is emphasised that they are not present to defend the design. 7]: • Wide experience of process hazard studies. including quantitative risk assessment. Tyler. but to assist in its critical examination. Project input is similar to design input. The technical secretary should have a technical background so that specialist explanations are not required. [7] HAZOP: Guide to Best Practice. The role of the technical secretary is to record the HAZOP and to aid the team leader in collation of documents and other administrative tasks. Persons providing this input should have extensive experience of similar plant. • Independence from the project or other organisation carrying out the study. Design input is given by one or more engineers covering relevant disciplines. Their role is to explain how the design works. For modifications. The Team Leader can take on the role of Technical Secretary for short studies. • Gives attention to relevant detail. • Technical competence and the ability to quickly understand the system and its operation. preferably in the role of technical secretary. 2005 Page 14 The role of the team leader is to ensure that the HAZOP method is systematically applied. F. For new projects. The study leader can also fulfil this role if he has the appropriate experience. Such a person may be seconded from another facility or department of the organisation that is carrying out the study. but who have some independence from the organisation conducting the study. 2005 Page 15 HSE specialists should be able to provide specific information on health. The team leader should allow the team short breaks at regular intervals to maximise team efficiency. Then for each section of the plant. may be required where the system to be reviewed contains complex technical features. such as a chemist. such as temperature and pressure. such as piping and instrument diagrams. HAZOP Study Method The HAZOP study method is an intense process. a "design intention" is defined. TABLE 1: STANDARD HAZOP GUIDEWORDS Guideword Meaning No (not/none) None of the design intention is achieved More (more of) More (quantitative increase) of a parameter Less (less of) Less (quantitative decrease) of a parameter As well as An additional activity occurs as well as the design intention Part of Only part of the design intention is achieved Reverse The reverse (logical opposite) of the design intention occurs Other than Complete substitution . At the outset of the study the HAZOP team creates a conceptual model of the plant or operation in their minds by reference to relevant documentation. before or after it should occur Faster/slower Timing is incorrect and something happens faster or slower than intended . including legal and other compliance requirements. The "design intention" is what the system is intended to do. including the acceptable range of operational parameters. Potential deviations to the design intention are generated by considering a series of guidewords and combining them with the parameters of operation. cause and effect charts and operating procedures. safety and environmental aspects and limitations. or for each step in a procedure.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November.some activity other than the design intention takes place Additional guidewords that are useful for studying procedures or batch operations are: Before/after A step is attempted out of sequence. Technical specialists. Hazards and potential operating issues are then sought by considering possible deviations to the design intention. Table 1 lists some standard guidewords used in HAZOP studies and their meanings. No Temperature). Once one or more realistic causes have been established. Actions can also be raised if the operability of the system is below what would be expected for "good industry practice". Additional guidewords may be added if required by company procedure or where relevant for examination of a particular technology. property and the environment must be as low as reasonably practicable. Also. The study leader will guide the team using the guidewords and parameters to generate meaningful deviations from the design intention. a few parameter and guideword combinations do not result in meaningful deviations (e. This list is not meant to be exhaustive but is intended to demonstrate the wide range of parameters that can be used. does not meet the standard that risks to people. the team should determine what the consequences are for each cause and whether there are any protective systems (includes both equipment and procedures). Not all parameters listed will be relevant in every situation. Some of the guidewords. especially "More" and "Less”.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. TABLE 2: EXAMPLES OF HAZOP PARAMETERS Flow Phase Pressure Speed Temperature Particle Size Mixing Measure Stirring Control Transfer pH Level Sequence Viscosity Signal Reaction Start/stop Composition Operate Addition Maintain Separation Services Time Communication . Poor operability can ultimately degrade safety. require the addition of a parameter to generate a meaningful deviation. consequence severity and protective system effectiveness. Each HAZOP should utilise a list of parameters that is appropriate for the system to be studied. 2005 Page 16 The guidewords in Table 1 should be considered as a basic minimum for an acceptable HAZOP. Table 2 is a list of example parameters. the team should raise an appropriate action. The team must then consider whether there is anything that could cause such a deviation to the design intention.g. Where the combination of cause likelihood. but may not be sufficient if the HAZOP is intended to give input to a COMAH Report [Ref. [3] ADNOC Manual of Codes of Practice: ‘Control of Major Accident Hazards (COMAH)’. Recording formats that combine consequences and protective equipment under a single heading is not regarded as best practice. where a hazard exists. Selection of the appropriate software should be made based on ease of use and on the ability to transfer the requisite data to the action tracking system. A copy of the full HAZOP records. There are a number of commercial packages available. The HAZOP record should state the equipment or procedure being reviewed and clearly define the boundaries of each section. together with the main documentation used in the study. Members of the study team should not attempt to resolve actions or otherwise redesign the system in the HAZOP meeting. 2. Protective Systems and Actions Raised.a record is made only when an action results. should be retained and filed for future reference or audit. There are three main philosophies for recording a HAZOP: 1.a record is made when an action results. The HAZOP record should also include descriptions of Causes. 3]. Recording by exception . Consequences. together with any associated report. or where significant discussion takes place. ADNOC-COPV5-01. . Recording The technical secretary should record the HAZOP onto a computer during the session. 3. Recording by exception may be most effective for a new design. Alternatively. The HAZOP study leader should act to enforce this. The HAZOP team leader should review and authorise the record of the HAZOP. Full record The choice of recording philosophy should be selected which best fulfils the goal of the HAZOP.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. 2005 Page 17 Any actions must be followed up outside the HAZOP meeting. use can also be made of the "Tables" functions of standard word processors. Intermediate record . QRA or similar. It is also normal practice to include guidewords/parameter/deviation that resulted in the cause. the rate of outflow of hydrocarbon gas from a pipe may be calculated using a model based on the equations of fluid flow. Group Companies should only use models where the range of validity is known. It is important for users to understand such sensitivities. Many consequence models consist of a mathematical description of an idealised incident scenario. there may be a conflict between the application of the model and the inherent assumptions. In some instances. The rest of this section on consequence analysis focuses on providing guidance on use. For example. Engineering design quality management principles of checking and authorisation of work should be applied whatever method is employed. It is recommended that Group Companies only use consequence models where the inherent assumptions are known. Uncertainty analysis should be performed if there is any doubt regarding model sensitivities. relevant assumptions made by the user should be recorded to ensure that future use or revision of the work does not result in conflict. limitations and interpretation of specific models. using a spreadsheet. the extent of the flammable region of the cloud formed can be calculated using a model that describes the dispersion of the gas in the atmosphere. The calculations required are defined by mathematical models that describe the physical or chemical process of the potential incident. However it should be noted that modelling is a specialised task and should only be carried out by suitably experienced and competent persons. From this. some types of heavy gas dispersion model are sensitive to how ambient air temperature changes with height (atmospheric stability). or using dedicated software. Such idealised incident scenarios are often taken to be descriptive of a range of possible real incidents. In all consequence analysis.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. Such calculations can be carried out manually.1 Principles of Consequence Analysis and General Guidance Consequence analysis is the study of the possible extent of harmful effects of potential incidents. Where this type of assumption is used. Many consequence models are only valid (or calibrated) for a particular range of conditions. 2005 Page 18 4. Use of the models outside their range will result in unreliable results. so that inputs can be correctly defined for each application. . For example. Some consequence models may be particularly sensitive to certain inputs. it should be critically evaluated to determine if it materially affects conclusions. Most consequence models contain inherent assumptions. It is carried out by making calculations for an idealised description of one or more potential incidents (or scenarios). so that this possibility can be tested. CONSEQUENCE ANALYSIS 4. This is a dimensionless parameter with a generally accepted value of 0. 0. convection within the water will keep the vaporisation rate per unit area relatively constant. For non-boiling liquids. IChem E. 1996.95 for gases and values between these limits for two phase flows (see Pitblado and Turvey. 8]. In many practical cases the discharge flow rate will not be constant. 9]). [10] Risk Analysis of Six Potentially Hazardous Industrial Objects in the Rijnmond Area: A Pilot Study. Pitblado & R. Reidel Dordrecht. Turney (Editors). L. Risk Assessment in the Process Industries. unless the water is shallow or confined in some way. 1981. [Ref. Discharge Rates Through Holes in Process Piping and Vessels [Ref. . but will reduce over time. J. the vaporisation rate per unit area will reduce as the ground cools. (Cd). the vaporisation rate is determined by heat transfer from the substrate into the liquid.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 4. Blowdown models can be readily adapted for this situation [Ref. Consideration should be given to the possibility of liquid flowing over the containment wall. then the surface area for evaporation and boil off can be much reduced.61 for liquids. If the spill is confined.2 Version 1 November. Woodward.A Pilot Study [Ref. 10]. the evaporation rate is principally determined by the surface area and by air movement over the spill. such as assuming that all liquid will remain in the gas and none will rain out. Woodward in Prevention and Control of Accidental Releases of Hazardous Gases. Models for the spreading of liquid pools and their subsequent evaporation and boil-off are described in references such as Risk Analysis of Six Potentially Hazardous Industrial Objects . A further complication with two phase releases lies in determining how much of the liquid rains-out close to the point of discharge and how much is entrained by the gas forming a cloud of gas plus fine liquid droplets (aerosol). [9] Risk Assessment in the Process Industries. R. 2005 Page 19 Source Terms A source term is a consequence model that describes the rate at which hazardous material reaches the environment and the conditions of the hazardous material. They are often used to provide input for other consequence models. such as temperature and composition. For spills on land. Equations for the discharge of fluids can be obtained from reference sources (see for example J. For spills on water.L. For boiling liquids. Rijnmond Area. There is no generally accepted approach to aerosol treatment at present and it is recommended that a conservative approach be adopted. 1993. 8]). COVO Committee. A key parameter in estimating discharge rates is the coefficient of discharge. Van Nostrand Reinhold. [8] Discharge Rates Through Holes in Process Vessels and Piping. 3 Version 1 November. Upwind and cross wind dispersion can also be important. Care should be taken that either simplification does not result in unrepresentative dispersion behaviour. or the ground slopes significantly. Some models allow transition between the three simple types of dispersion. These models can be sensitive to the point at which transition occurs. the surface roughness. Simple neutral buoyancy and heavy gas models assume flat terrain characterised by a single parameter. which in the absence of significant . they are more difficult to use because of the requirement to describe the detailed local conditions within the model and so tend to be used to investigate specific situations of interest. 2005 Page 20 Gas Dispersion Gas/aerosol dispersion models are used to determine outputs such as the distance from the release point to a concentration of interest and the mass of flammable material within a cloud. Without specific modification they may not provide realistic results in situations where there are major obstacles. then dispersion effects based on gas density become important and a heavy gas dispersion model should be used. including thermal heat flux and smoke generation. For simpler models the gas/aerosol release rate is categorised either as a continuous discharge at a constant rate. These models can incorporate terrain effects and complex geometries and can also deal with discharge rates that vary with time. Computational fluid dynamics (CFD) models are more complex models that numerically integrate suitably simplified equations of mass. and the effect on people.4 Fire Hazards There are two parts to the modelling of fire hazards. or as an instantaneous discharge of a finite quantity at a single point in time. However. structures and equipment. then neutral buoyancy models can be used. If the initial velocity is low. The two most important parameters that affect the selection of an appropriate model are the initial velocity of the gas/aerosol and the density of the gas/aerosol. If the gas/aerosol has a high initial velocity then momentum effects will dominate the dispersion and a jet dispersion model should be used.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 4. the modelling of the fire. and the gas/aerosol has a density similar to ambient air. 4. There are five distinct types of situations considered by basic fire models: • Flash fires or cloud fires arise from the delayed ignition of a flammable gas or vapour cloud. momentum and energy conservation in three dimensions. Simple jet dispersion models often take no account of impingement of the jet with the ground and so care should be taken where this is a possibility. If the initial velocity is low. but the gas/aerosol has a density greater than air. Flash Fires And BLEVEs. results in a low velocity flame front. SINTEF with Scandpower. • Jet fires arise from the ignition of a high velocity gas. 11]. 13]. 1992. usually from a pressurised source. others. For BLEVEs. For all types of damage two parameters have been found to be significant – the level of thermal radiation and its duration. AIChE Centre for Chemical Process Safety. . [11] Methods for the Calculation of Physical Effects Resulting from Releases of Hazardous Materials. aerosol or liquid. Second Edition. where the initiating fire is of short duration (due to limited available inventory) modelling of the temperature and pressure rise can demonstrate that the fire can be extinguished prior to equipment failure. [Ref. due to the lifting of relief valves and the action of the blowdown system. • Pool fires arise where flammable or combustible liquids burn on a flat horizontal surface. [Ref. They are characterised by high momentum and good combustion conditions. 2005 Page 21 confinement or obstruction. deal with a highly transient flame. with minimal overpressure effects and primarily local impacts. deal with a steady state flame. The Centre For Chemical Process Safety's Guidelines For Evaluating The Consequences Of Vapour Cloud Explosions. Pool fires often have poor combustion and can generate large quantities of smoke. [13] Handbook for Fire Calculations and Fire Risk Assessment in the Process Industry. such as BLEVE models. 12] and SINTEF's Handbook For Fire Calculations And Fire Risk Assessment In The Process Industry. [12] Guidelines for Evaluating the Consequences of Vapour Cloud Explosions. such as most pool fire models.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. Some models. the mass of flammable material released when the equipment fails is important in determining the size of the fireball. Further details and descriptions of fire models can be found in key references such as: TNO's Methods For The Calculation Of Physical Effects Resulting From The Release Of Hazardous Materials [Ref. • Fireballs or BLEVEs arise from the surface-burning of a cloud of unmixed flammable gas. 1994. The equipment inventory will often reduce from its initial maximum at the start of the incident. • Ventilation-controlled fires arise when the intensity of the fire is determined by the rate of ventilation and hence access to oxygen. A jet fire variant is a diffusive fire. Damage resulting from heat radiation covers damage to structures and injury to humans. which can be solid or liquid. In some cases. which is characterised by a lower exit velocity and is dominated by thermal buoyancy effects rather than momentum. rather than the availability of fuel. Some overpressure may arise from BLEVEs due to the rapid expansion on loss of containment. Many fires within buildings and enclosed compartments are ventilation controlled. typically following rapid release of volatile material from pressurised equipment. Flash Fires and BLEVEs. TNO 1988. As these effects are often injurious or even fatal to humans trapped by fire. In the case of a non-combustible material.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. it is important to limit the exposure duration. The severity of the injury can be calculated from the given heat radiation. Much consequence analysis is based on simple thermal flux criteria which are determined from an assumed exposure time. Determination of the size. However fires can also harm people as a result of inhalation of toxic combustion products. 2. Some studies have shown that. Clothing can have a protective influence for humans. These times have been derived from animal experiments or from piloted or unpiloted ignition of combustible materials. taking due cognisance of reaction time. 4. the lethality is 14% of the lethality for unprotected bodies. One approach frequently used is to find the LD50 (lethal dose) radiation level appropriate to the time for which the individual will be exposed. second and third degree burns and lethality. People who are mobile will seek to escape from high levels of thermal radiation and this possibility should also be taken into account. 3. Injury caused to humans by fires is mostly characterised as first. assuming about 20% of the body area remains unprotected for an average population. the availability of escape routes and the presence of other factors such as smoke. starting from a known exposure duration and radiation intensity. Empirical relations are also available in which a type of injury is expressed in probit (probability unit) functions. otherwise low thermal fluxes (for example.5 Explosions There are three parts to the modelling of explosion hazards: 1. such as carbon monoxide and disorientation by smoke impairment of vision. until the moment it ignites. The above fire models focus on the threat to people and structures from thermal radiation. below solar radiation levels) can be predicted to lead to thermal injury. they must also be taken into account. 2005 Page 22 Fire damage to structures can range from paint flaking off to the ignition and burning of the object. If such a material is used in load-bearing constructions. When probits are used. shape and composition of the gas or aerosol cloud. Prediction of structural damage as a result of the blast wave. . Modelling of the explosion to determine likely overpressure values and other relevant factors such as the period for which overpressure exists (the positive phase duration). the temperature can increase to the point at which the material loses strength and stiffness. it is possible that the construction will collapse at a given heat load. . or as a result of missiles generated in the explosion. The main source of direct harm to people from blast effects is eardrum rupture.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. Explosion experiments clearly show that very high overpressures can be generated in congested areas [Ref. Furthermore. "Failure Of Atmospheric Tanks" and "Failure Of Pipework". doors and windows shattered at 0. The blast effect (overpressure) produced by a burning vapour cloud is determined by the speed of flame propagation. such as for setting the design criteria of a blast wall on an offshore platform. size. Steel Construction Institute.0 bar overpressure. collapsing structures. Turbulence in a vapour cloud explosion can arise either from the release of pressurised flammable material or by the presence of multiple obstacles. that a probabilistic approach be used. However these experiments also show that overpressures are highest when the gas cloud is close to stoichiometric in composition. although fatality from lung haemorrhage is possible at very high overpressures. houses severely damaged at 0. "Collapse Of Non-explosion Proof Buildings. Simple models relate overpressure to qualitative levels of damage such as "Window Breakage". More detailed models seek to simulate the way in which structures respond to the dynamic load from the explosion. such as pipework.25 to 0.025 bar overpressure. the blast wave will interact with structures in its path so steps 2 and 3 are not independent. including bricks from shattered walls and flying glass from windows. Also. shape and composition is part of the dispersion modelling process. most fatal effects from explosions are a result of being inside.Phase 2. Turbulence within the cloud will accelerate the flame and can result in damaging overpressures. [14] Blast and Fire Engineering for Topsides Structures . Determination of cloud. In the absence of turbulence.07 bar overpressure. 2005 Page 23 Some models seek to combine one or more of these steps in an effort to simplify understanding and to eliminate sources of uncertainty. Such an approach would determine a cumulative frequency curve for blast overpressure. These qualitative levels can then be applied to assess the likelihood of harm to people or the likelihood of further loss of containment and escalation. where detailed explosion results are required for a specific purpose. 14]. A realistic design level can then be set in a similar manner as for design against seismic risks. on. the point of ignition was also shown to have an effect on explosion overpressure. the flame speed is low and the cloud burns as a flash fire. 2002. It is therefore recommended that. Both these mechanisms can result in very high overpressures. In practice.4 bar overpressure and ground cleared at 2. or adjacent to. Combustion of gas clouds away from stoichiometric composition can result in significantly lower overpressures. Damage effects of explosions can range from 50% window breakage at 0. • Modelling of the dynamic response of structures.is the time of exposure (usually given in minutes) Dispersion models can be used to predict concentrations of toxic gas or aerosol at particular points in space. especially for carcinogens and mutagens. • People seek to escape from the gas or aerosol cloud by moving cross wind. • Uncertainty regarding the existence of no-effect levels.is the toxic index t . 2005 Page 24 Some aspects of explosion modelling are highly complex and should be undertaken only by specialists in the relevant subject. The principal reasons for the uncertainty are: • Individual people can show varying levels of response to the same dose of toxic material due to differing fitness levels. However.6 • Three-dimensional numerical modelling of blast wave interaction with structures and surrounding objects. However the dose needed to give any particular effect is subject to considerable uncertainty. genetic and other factors. Toxic Effects and Control Measures The effects of toxic materials range from mild irritation through to fatality. susceptibility to panic. . • The limitations in the applicability of experimental results obtained from animals and micro-organisms to humans and the scarcity of valid epidemiological data. For example the 50% fatality level is the dose at which 50% of people die. • Categorisation of both acute and chronic toxic effects A probabilistic approach is often adopted where a particular effect is defined by the number of people who suffer that effect. the concentration to which people are exposed can vary with time or may otherwise require modification because: • The toxic cloud dispersion results in time varying concentrations at points where people are located. Specifically these subjects are: 4.is the toxic gas concentration (usually given in ppm or mg m-3) n . • People don escape sets.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. Toxic dose for any particular effect or probability of effect is most usually defined as: Cnt in which: C . which then become missiles. • Thermal radiation from a fire weakens the structure supporting equipment sufficiently to cause collapse. the missile has potential to travel further than the major thermal effects of the fire/BLEVE that caused it. the potential for escalation in fires can be judged from incident thermal radiation levels. The potential for escalation is normally judged by reference to defined overpressure levels. . loss of containment of hazardous material and consequent additional potential for hazardous effects. 4. In such cases. • Water sprays or other vapour cloud control equipment reduce the effective concentration to which people are exposed. However. such as: • Fire impingement of gas cylinder storage areas that results in failure of cylinders.7 Escalation Escalation occurs when one event.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. passive fire protection and blowdown systems may reduce the potential for escalation in a fire and should be taken into account where relevant. varies with time is known. Missile damage leading to escalation is not normally treated as a specific event. the total dose can be calculated by integrating C(t)n with respect to time. Similarly. • Fire impingement on large pressure vessels containing volatile flammable material leading to a BLEVE and turning the remains of the pressure vessel into a missile. In both cases. C(t). Explosion overpressures are discussed in Section 4. Active fire control. causing eventual failure of the equipment through a combination of increasing the pressure of the contents and decreasing the inherent strength of the materials of construction.5. leads to failure of adjacent facilities. The principal mechanisms of escalation are: • Explosion overpressure causes failure of equipment or structures. such as fire or explosion. there are cases where explicit treatment of missiles may be required. 2005 Page 25 • People seek to escape from the gas or aerosol cloud by seeking shelter indoors. but is implicitly included in the level of damage from overpressures as the two are closely related. • Missiles generated during an explosion or BLEVE penetrate equipment. • Thermal radiation from a fire heats equipment containing hazardous material. provided the way the toxic concentration. the time delay to escalation can be very small. In particular: • During the time between the start of the initial event and escalation. However. The branches of the event tree should include the action and status of the various protective systems including shutdown. • Fire or explosion damage from the first event may have eliminated important protective systems. Event trees (Section 5. as well as the potential escalations. blowdown and fire control. 2005 Page 26 The effects of escalation can be modelled in much the same manner as the initiating event.3) can be used to model the potential for escalations. such as by destroying fire walls. people may have had time to escape and various safety systems may have had time to act. • Fire or explosion damage from the first event may hamper escape or response to the escalation. . or damaging valve actuators and preventing them closing. rupturing fire mains. such modelling must take into account the specifics of the initiating event. Note that in the case of explosion.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. blowing off passive fire protection. 5. The technique of Fault Tree Analysis should be used to determine the frequency of a scenario whenever detailed analysis is required or whenever the potential causes are complex. there is no need to explicitly produce event trees and simple calculation will suffice. In simple situations. The level of detail required should reflect: • The overall goals of the risk assessment. which can be component failures. 2005 Page 27 5. In simple cases. justification for such a cut off should always be made that this simplification has no effect on the conclusions.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. However. • The relative contribution of the individual scenario to the overall risk. particularly those where mitigation and control measures. Events within fault trees and event trees can be quantified as either probabilities or frequencies. passive fire protection and explosion suppression systems. Note that use of such a simplification still implies a simple fault tree. such as shutdown valves. It will often be appropriate to apply a cut off at a particular (low) frequency or probability and exclude scenarios or events that occur at a lower frequency or probability. Checking the dimensions of calculations and results can often detect errors in both construction and quantification of fault trees and event trees. The technique of Event Tree Analysis should be used to determine the potential outcomes of a scenario and their frequency. It is important that the two are properly distinguished in both logic diagrams and calculations. even though no specific fault tree diagram has been produced or detailed analysis of causes made. Effort should not be wasted in detailed evaluation of events or scenarios that have no material affect on the conclusions of the risk assessment.1 Event Frequency/Probability Estimation Careful definition of the event or chain of events that lead ultimately to a particular hazard scenario is an important precursor to evaluating the frequency of the scenario. QUANTIFICATION OF EVENT PROBABILITIES AND RISK 5. can play a significant part. Guidance on Fault Tree Analysis is given below. Explicit use of Event Trees should be used in complex situations. • The relative contribution of individual event chains to the scenario. often with only one or two branches. explicit fault tree analysis is not necessary and the scenario frequency can be determined by calculation using the laws of probability. environmental conditions or other pertinent .2 Fault Trees The basic process of fault tree construction is to take the scenario definition (top event) and to trace it back to the possible causes. human errors. Each gate has a number of inputs. then a commercially available computer programme that can handle this type of situation should be used to evaluate the fault tree. by first identifying the immediate precursors and then identifying the precursors to those events. However. An example fault tree is given in Figure 1. It is usually best to redraw the fault tree so that each event only occurs once. but only one output.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Version 1 November. 2005 Page 28 Document No: ADNOC-COPV5-03 events. simple evaluation may cause error. An AND gate which has frequencies for two or more of its inputs is . The procedure should be followed methodically. Fault trees mostly use two types of logic gates. The inputs to AND gates are either all probabilities or all probabilities except for one frequency. For AND gates. AND and OR. Overpressure Of Equipment And Release Of Fluid OR Failure To Detect Excessive Pressure Valves Fail To Close OR OR Common Cause Independent ESD System Failure Of Valves Failure Of Valves Fault Pressure Switch Failed AND Valve 1 Fails Valve 2 Fails To Close To Close Figure 1: Fault Tree Analysis Fault trees are relatively easily quantified (see below). if the same event occurs two or more times in the fault tree. all inputs must be true for the output to be true. If this is not possible. 3 Event Trees The basic process of event tree analysis is to take the initial state of the scenario and work through to the possible outcomes.8. Even if a fault tree is not quantified. This is referred to as common cause failure. Where the likelihood of an event in one branch depends on the likelihood of another event. Two systems of different types will often have a lower likelihood of common cause failure than two identical systems. Either of these single causes can prevent both valves from closing. A probability of greater than 1 is meaningless. The ratio of common cause failure modes to other failure modes can thus be calculated. For OR gates.9 give an output probability of 0. where two or more systems (equipment or procedures) are provided that can provide similar protection. safety systems. The inputs to OR gates are either all probabilities or all frequencies. However. Possible outcomes may be affected by such factors as prevailing environmental conditions. it can still be useful as a graphical display. For example. Input units cannot be mixed and the output will be of the same type. 2005 Page 29 not possible. then the two are said to be dependent. Other failure modes will only lead to failure of a single valve to close. common cause failure modes might include: • Failure of a control signal to reach the valves. • Solids in the line blocking the valve and preventing closure. . The output value is calculated by addition of the inputs. this addition should be made using Boolean arithmetic. If one system fails. Common cause failure can be included in fault trees explicitly as in the example in Figure 1. However. a safety system of two actuated valves in series that must close to protect against a hazard. For example two input probabilities of 0.99. but also of the way in which the individual causes can combine to lead to the top-event. in such cases. the other may still work. The frequency/probability of the output is calculated by multiplying the inputs. 5. Care should be taken that individual branches of the fault tree are independent. one or more of the inputs must be true for the output to be true. Many safety systems include redundancy. Where practicable the fault tree should be redrawn to make the dependency explicit to avoid errors in the evaluation of the tree. the possibility always exists that whatever caused the first system to fail might result in failure of the second system also. The probability/frequency of common cause failure can be evaluated by considering the relative likelihood of modes of failure that might lead to a common failure compared to other failure modes. not only of the potential causes of the top event.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. actions by personnel and presence of ignition sources. not 1. a choice is made between two or more possible outcomes. 5. A "Best Estimate" is the most likely value given the available information. use of data that errs on the side of danger) should never be . Initial event Ignition at A Wind To B Ignition at B Explosion on ignition Yes Outcomes Explosion at A Yes No Yes Flammable gas Release at A Fire at A Explosion at B Yes No Yes No No No Fire At B Vapour cloud disperses Vapour cloud disperses Figure 2: Example Event Tree Analysis Event trees are relatively straightforward to evaluate by simple calculation of the outcome frequencies at each branch point.e. Usually the choice between two outcomes is sufficient. The probabilities at each branch point must sum to one and the sum of the final outcome frequencies (not the frequencies at each branch point) must equal frequency for the scenario. Figure 2 is an example event tree.4 Basic Data Probability and frequency data for the evaluation of fault trees and event trees should be derived or determined on a "Best Estimate" basis. then the scenario should be split into two or more sub-scenarios and separate event trees used that avoid such dependence. 2005 Page 30 At each branch point in the event tree. An optimistic approach (i. but occasionally three or more outcomes of a single gate can be used. Unquantified event trees can be useful to provide a graphical explanation of the way an incident can develop. When the likelihood of an event in the event tree is dependent on some factor that also affects the frequency of the scenario itself.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. • Reliability and other performance related data bases. Risk Assessment Data Directory [Ref.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. [16] Offshore Reliability Database (OREDA). • FACTS is an incident data base compiled by the Dutch research organisation TNO (TNO. [Ref. [15] Risk Assessment Data Directory. MHIDAS Administrator. Det Norsk Veritas.a collection of reliability data drawn from conventional plant (AEA Technology. [20] MHIDAS Accident Database. [17] SRD Association Reliability Databank.8/250. MHIDAS Accident Database. • Maintenance records. • Human error trials Data sources in the public domain that will be of most use to Group Companies are: • OGP Database . AEA Technology. In many cases. 20]). 1996. TNO Department of Industrial Safety. • Worldwide Offshore Accident Database (WOAD) is a database with an offshore focus compiled by Det Norske Veritas (Det Norsk Veritas. but too much use of overly conservative data may result in a build up of uncertainty in the calculations and unrealistic results. • MHIDAS is an incident database compiled on behalf of the UK Health and Safety Executive (AEA Technology.is a database compiled by the Oil and Gas Producers Association (formerly E&P Forum) (OGP. Norway. 19]). Det Norske Veritas. they should be clearly recorded. AEA Technology. • AEA Technology database .Worldwide Offshore Accident Database. FACTS database [Ref. 18]). [18] FACTS database.e. 1992. Care should be taken that such judgements are not too optimistic. WOAD . available data will not be precisely that required and some engineering judgement may be necessary to adjust or apply the data for the relevant application. Appeldorn. Where such judgements are made. 15]). . Data for the quantification of fault trees and event trees can come from many sources such as: • Accident records. use of data that errs on the side of safety) can be used. which is otherwise hard to find. SRD Association Reliability Data Bank [Ref. Warrington. A conservative approach (i. Oil and Gas Producers Association Report No 11. 2005 Page 31 used. This includes some data on ignition probability.Worldwide Offshore Accident Database [Ref. • Near miss records. 17]). Offshore Reliability Data [Ref. The Netherlands. [19] WOAD . • Offshore Reliability Database (OREDA) is a database compiled by oil companies in the offshore sector (mostly North Sea) (Det Norske Veritas. United Kingdom. Oslo. 16]). a summation of individual risks over an exposed population. The most common forms of risk presentation include: • Individual risk . Potential loss of life and cumulative frequency curves are examples of measures of group risk. which can be high when dealing with events of which there are very few examples. 5. in particular to avoid conclusions that are not actually statistically significant. In such a case. Data of this type is statistical in nature and there is always a level of uncertainty. such that they do not affect the conclusions of the assessment. but does not give information on the size of the incidents causing the risk. it should be clearly stated. • Risk contours .a graph of the frequency of events with a particular consequence or greater versus the consequence magnitude. but they give no information on who is exposed to the risk. care should be taken when using risk aversion since the results are not easy to interpret. even if the product of the number of incidents and the consequences is the same in both cases. Risk aversion can be built into group risk calculations and interpretations by simple weighting of higher consequence events according to predetermined and recorded criteria.5 Presentation of Risk Whenever risk is presented. whether in quantitative or semi-quantitative terms it should be qualified both by the type of risk (examples are: risk of fatality. a check should be made that the difference in risk between the two helicopter types is real and not just a result of uncertainty in the base data. 2005 Page 32 Some incident data is sensitive to particular interpretations or categorisations of the incident from which it is drawn. If a risk presentation includes risk aversion. Care should be taken that such uncertainties are allowed for. Care should always be taken regarding uncertainty in the base data. Individual risk is a measure of risk to specific or average individuals in a population. Similar parameters can be derived for outcome types other than fatality.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. The presentation of risk should be selected to fulfil the goal of the assessment. • Potential loss of life .individual risk plotted over an area so as to show the relative risk between locations. . which apply to a population as a whole. an offshore helicopter safety study might show lower risks to personnel by using one type of helicopter rather than another. risk of a particular spill size) and by an associated unit time (an example is: risk of fatality per year). However. For example. The term risk aversion is often used to express the postulate that larger incidents are of greater concern than a number of smaller incidents. • Cumulative Frequency Curves or F-N Curves .a single number representing the risk of a particular level of harm to a person or location. The approximate slope of the curve shows the relative important of small more common events to large less common events and can be used to judge risk aversion.7 Risk Contours A plot of individual risk on a map provides a graphic picture of the geographical distribution of risk. For example. M. C. IChem E Symposium Series No 71. Further details on the calculation and interpretation of risk contours can be found in specialist papers e. The specific individual and degree of harm should always be specified. 5. They can also be useful to show to what extent incidents on one unit can lead to incidents on another (escalation). Sylvester-Evans. The two-dimensional nature of cumulative frequency curves makes them hard to interpret. However such calculations can only be made where the effectiveness of the safety measure is amenable to quantification.8 Potential Loss of Life The potential loss of life represents the number of fatalities that might be expected per unit time.g.9 Cumulative Frequency (F-N) Curves Figure 3 is an example of a cumulative frequency curve. 1983. [21] Siting and Layout of Major Hazard Installations. Ramsay. English. [Ref.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 5. 5.6 Version 1 November. A. Increasing the size of the population group can significantly decrease the average individual risk if large numbers of people have low exposures to the hazards of interest. 5. 2005 Page 33 Individual Risk Individual risk is the frequency with which an individual (or location) suffers a defined degree of harm. Also presentation of individual risks should clearly state specifics of the exposure to relevant hazards. Differences in the likely number of fatalities over the plant life time can be an effective method of quantifying the benefit of safety measures. 21]. Sylvester-Evans and English: Siting and Layout of Major Hazard Installations. Ramsay. or at another site? Average individual risk is where individual risk is averaged over a population. It is important that the population over which the averaging takes place is appropriate. I Chem E. Such contours can be useful to show to what extent a plant affects neighbouring communities and installations. G. . R. does the individual risk apply only whilst on a particular site or does it include for time spent at home. The best use of these curves is in communicating the nature and extent of the overall risk. This parameter can be combined with the plant life time to give the number of fatalities expected over the entire life of the plant. HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Version 1 November. 2005 Page 34 Document No: ADNOC-COPV5-03 Frequenc y of N or more Fatalities (per year) 1E+0 1E-1 1E-2 1E-3 1E-4 1E-5 1E-6 1E-7 1E-8 1 10 100 Number Of Fatalities (N) Figure 3: Example Cumulative Frequency Curve 1.000 . . but also on the type of hazard and other factors [Ref. a hazardous plant being built near his home). Typically. [22] Canvey: An Investigation. 2005 Page 35 JUDGEMENT OF TOLERABILITY AND ACCEPTABILITY OF RISK In general. 1].g. 22]). It is recognised that an individual accepts risk for a variety of reasons not just the expected chance of occurrence and the benefits of the risk source. [Ref. 9]. The high uncertainty means that comparison with an absolute risk criterion is only possible in order of magnitude terms. Reidel Dordrecht. but can rise to a factor of 10 or more [Ref. [10] Risk Analysis of Six Potentially Hazardous Industrial Objects in the Rijnmond Area: A Pilot Study.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 6. Canvey an Investigation.g. sports) and involuntary risk. [9] Risk Assessment in the Process Industries. March 2000. COVO Committee. IChem E. semi-quantitative (where risk frequency and consequences are assigned to categories that have an explicit quantitative definition) and qualitative (where risk frequency and consequences are assigned to categories that are defined on a qualitative basis). The usual approach is to consider three regions: • An acceptable region where the risk is clearly so low that it can be considered tolerable. Pitblado & R. R. It is therefore important to distinguish between risk to employees who receive a direct benefit from the hazardous activity and members of the public. Rijnmond Area. Turney (Editors). 1996. 1978. In such circumstances. the relative significance of quantitative risk can be assessed by comparison with every day risks to which people are exposed. the uncertainty associated with risk estimates is relatively high compared to other engineering disciplines. This is the approach adopted by ADNOC and specific criteria for both individual risk and cumulative frequency curves are given in the ADNOC HSE Risk Management Guidelines [Ref. Version 1 November. HSE Books. Voluntary and involuntary risks should not be directly compared. who may not. • Between the acceptable and unacceptable region lies the ALARP region. Health and Safety Executive. where a person is exposed to some hazardous activity outside his control (e. • An unacceptable region where the risk is clearly so high as to be considered intolerable. The lower limit for uncertainty given by most authorities is around a factor of 2 to 3 (Health And Safety Executive. it is important to distinguish between voluntary risk. [1] ADNOC Group Guideline ‘HSE Risk Management’. where a person engages in hazardous activity by choice (e. 10]. The criteria given cover the full range of assessment detail: quantitative (where a numeric "best estimate" of risk is calculated). The quantitative risk can then be expressed as a fraction of the existing risk and a judgement made to its acceptability. 1981. where effort should be expended to reduce risks till they are as low as reasonably practicable. ADNOC-COPV5-01. • Evaluation of potential risk reduction measures. [3] ADNOC Manual of Codes of Practice: ‘Control of Major Accident Hazards (COMAH)’.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. ADNOC does not at present specify a "Value Of A Life". but use of the absolute number is limited by uncertainty. Cost-benefit analysis can also include comparison with an absolute criterion usually expressed in terms of the 'Value Of A Life'. Use of risk assessment on a comparative basis can eliminate some of the uncertainty in the results. March 2000.01 per million years. not to demonstrate "Acceptable" risks by calculation. Such uses include: • Ranking of risk sources to identify where there is greatest scope for risk reduction. but recommends that Group Companies develop their own criteria that match industry standards pertaining to their particular business [Ref. Costbenefit analysis can be used in a comparative manner to determine where the greatest risk reduction can be attained per unit expenditure. • Comparison of design concepts. [23] ADNOC Group Guideline ‘HSEMS Management Systems’. A risk in the "Unacceptable" region means that action should be taken immediately to improve the situation.99 per million years and one of 1. January 2002. A significant consideration in this is the ADNOC HSEMS [Ref. Different figures have been used by different industries. Comparison of risk estimates with absolute criteria will give a general idea of the status of hazardous plant with regard to acceptability or unacceptability. 1]. Risk reduction measures can be evaluated using cost-benefit analysis as described in the ADNOC HSE Risk Management Guidelines [Ref. • Comparison with other hazardous installations that have been assessed using the same data and on the same basis. 2005 Page 36 These criteria can be used as a basis for judging the need for introducing specific risk reduction measures and as an aid in explicitly demonstrating ALARP. A well-constructed quantitative risk assessment will provide a ranking of risk sources that is robust with respect to uncertainty. Ranking of risk sources is of particular relevance to reducing risks and demonstrating ALARP. even though the first is in the "Acceptable" range and the second is in the "ALARP" range. 1]. as may be required in a COMAH Report [Ref. 3]. For example. It is emphasised that the duty of ADNOC Group Companies is to reduce risks to as low as reasonably practicable. Risk reduction measures can then be targeted at the most important risk sources. The difference is far less than the uncertainty in the results. standards and expectations. so it is perhaps better viewed as an abstract criterion embodying the practicability limits of each industry. 23] expectation that Group Companies should continually improve their performance towards meeting or exceeding their particular industry benchmarks. . [1] ADNOC Group Guidelines on HSE Risk Management. there is little practical difference between a calculated individual risk of fatality to a member of the public of 0. • Be able to distinguish results that are not statistically significant. • Understand the sensitivities of the model and how these relate to reality. • Be able to interact with engineers and operators to obtain a good understanding of how the systems they are considering work and how they can fail. Persons using consequence models should be: • Familiar with the model and understand its basic assumptions. • Understand the laws of probability including Boolean algebra. including the production of fault trees and event trees should. TRAINING AND COMPETENCE Risk assessment and quantitative risk assessment are highly technical disciplines.3. • Understand the level of detail required to fulfil the goal of the study. This section lists some issues that should be considered when determining qualification. • Have a good understanding of the technique to be used. Version 1 November. • Understand when it is no longer valid to represent a range of possible incidents by a single idealised scenario. • Have knowledge of the available base data and its limitations. • Attended a suitable training course for study leaders. such as detailed explosion modelling. Additional desirable attributes for HAZOP study leaders are given in Section 3. training and competence requirements for both in-house personnel and when selecting outside consultants or contractors. • Have a good general understanding of past incidents. Persons determining the frequency or probability of events. Persons leading hazard identification studies such as HAZOP should have: • Prior experience in similar studies such as a Technical Secretary. can be beyond the abilities of general risk analysts and specialist expertise must be sought. • Know when the model is being used outside its range of validity. 2005 Page 37 QUALIFICATIONS. • Have a good general understanding of hazards. . Indeed parts of some assessments.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 7. • Have a good general understanding of past incidents. • Understand the ALARP principle. . • Understand the limitations caused by uncertainty. • Understand the application of cost-benefit analysis. • Know how to draw out important practical conclusions that result in reduced risk.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. 2005 Page 38 Persons calculating or interpreting risks should: • Understand the various forms of risk presentation and the associated ADNOC criteria and their meaning. • Be familiar with background risk levels. either in the report or by reference. Version 1 November. The assessment report should be written to facilitate such reviews especially it should: • Describe the methods used in detail. appendices or software that can be used in a future update The review requirements for risk assessments and quantitative risk assessments should be built into project schedules and. • Provide details of calculations and intermediate results in a back up document.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 8. operation or management of the system studied. • Future review following a significant change to the design. • Review of recommendations and other findings of the study to determine action to be taken. especially the parts dealing with action tracking and management of change. • Review of the initial report prior to issue to ensure that operational. 2005 Page 39 REVIEW REQUIREMENTS Risk assessments and QRA studies should be subject to review. engineering and management features have been correctly interpreted by the risk analysts. • Where appropriate. • List all assumptions clearly. • Implementation of the actions and monitoring of status by an action tracking system. Review requirements for risk assessments and quantitative risk assessments include: • Review of the initial report prior to issue to ensure technical accuracy. where appropriate. confirmation that the action taken meets the intent of the recommendation that led to it. included in the Group Company HSE Management Systems. . • Document models used and calculations made. L. ADNOC Manual of Codes of Practice: ‘Framework of Occupational Safety Risk Management’. American Institute of Chemical Engineers (Center for Chemical Process Safety). Second Edition. 14. Chemical Industries Association. 6. Risk Assessment Data Directory. Guidelines for Evaluating the Consequences of Vapour Cloud Explosions. Tyler. The Netherlands. 2002. ADNOC-COPV5-01. 8. 3. Steel Construction Institute. ADNOC Group Guideline ‘HSE Risk Management’. ADNOC Manual of Codes of Practice: ‘Code of Practice on HSEIA Requirements’. 1994. March 2000. TNO 1988. 1977. Van Nostrand Reinhold. Flash Fires and BLEVEs. Rijnmond Area. Turney (Editors). AEA Technology. Second Edition. 2005 Page 40 REFERENCES 1. ADNOC-COPV1-02. FACTS database. Offshore Reliability Database (OREDA). J. 1996. 11. AIChE Centre for Chemical Process Safety. Pitblado & R. 18. 16. Risk Assessment in the Process Industries. Det Norske Veritas. 2. Woodward in Prevention and Control of Accidental Releases of Hazardous Gases. 1993. Crawley. HAZOP: Guide to Best Practice. Methods for the Calculation of Physical Effects Resulting from Releases of Hazardous Materials. ADNOC-COPV4-01. Appeldorn. 1996. 15. SRD Association Reliability Databank. 1981.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. 12. . IChem E. Blast and Fire Engineering for Topsides Structures . Risk Analysis of Six Potentially Hazardous Industrial Objects in the Rijnmond Area: A Pilot Study. TNO Department of Industrial Safety. COVO Committee. 10. 2000. 13. 7. 17. F. SINTEF with Scandpower. Discharge Rates Through Holes in Process Vessels and Piping. Oil and Gas Producers Association Report No 11. 4. 9. Institution of Chemical Engineers. 1992. A Guide to Hazard and Operability Studies. 1992. 5. Preston and B.Phase 2. Handbook for Fire Calculations and Fire Risk Assessment in the Process Industry. Guidelines for Hazard Evaluation Procedures. M. Reidel Dordrecht. R. ADNOC Manual of Codes of Practice: ‘Control of Major Accident Hazards (COMAH)’.8/250. 1992. 21. R. United Kingdom. 20. 1983. AEA Technology. 23. MHIDAS Administrator. M. Norway. Ramsay. HSE Books.Worldwide Offshore Accident Database. Warrington. Canvey: An Investigation. ADNOC Group Guideline ‘HSEMS Management Systems’. Det Norsk Veritas. A. SylvesterEvans. WOAD . Health and Safety Executive. C. MHIDAS Accident Database. ADNOC Manual of Codes of Practice: ‘Guideline on HSE Definitions & Abbreviations’. 22.HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03 Version 1 November. I Chem E. Oslo. . IChem E Symposium Series No 71. 24. G. English. ADNOC-COPV1-05. Siting and Layout of Major Hazard Installations. January 2002. 2005 Page 41 19. 1978.