Professional Documents
Culture Documents
Overview Hazards
and Effects
Management
Process
EP 95-0300
HSE
MANUAL
* In this publication, some of the figures have been colour enhanced. This was done after the issue of the CD
ROM. The next issue of the CD ROM will include these enhancements. There is no difference in content.
Contents
CONTENTS
Glossary 82
References 85
1 INTRODUCTION
Volume 3 of the EP HSE manual is concerned with the tools and techniques which are available to
achieve the management of HSE issues. It is a first reference for all those involved in EP business
activities particularly those who are responsible for the management of hazards and their effects.
the need, within the context of an HSE Management System, to define both the techniques and tools
commonly in use together with the competencies required for their effective application
the more common terminology and concepts used in the analysis of hazards and effects and the
determination of risk
the stages of the Hazards and Effects Management Process and its role within the HSE
Management System. The role of experience, codes and standards, checklists and structured
techniques are discussed
in summary the various structured review techniques available in Shell to support the process.
The Hazards and Effects Management Process (HEMP) is central to the effective implementation of
the HSE Management System. The process ensures that hazards and potential effects are fully
evaluated. To do this they must first be identified then assessed and then mitigation and recovery
preparedness measures put in place to reduce the consequences of any remaining risk. To achieve this a
number of tools and techniques are used. These are described in this Volume.
(Specific guidance on when to use the techniques within various business activities is given in the
relevant sections of Volume 2, e.g. EP 95-0230 Design, EP 95-0220 Appraisal and Development,
etc.)
This document is designed to identify, specify and aid the effective selection of an integrated suite of
tools and techniques. Most of these have been in use for some time. The various tools and techniques
have been collated for ease of reference, to demonstrate their relationship to each other and to describe
their input to the HSE MS and HSE Case. As stated above this document does not specify when to use
the tools, this is done in the documents describing the business activities. A very broad framework of
tools, techniques and guidelines used in hazards and effects identification and assessment during the life
cycle is provided in Appendices I and II.
Codes, standards, checklists, as well as individual experience and judgement are in no way replaced by
any of these techniques and continue to play a vital role.
The application of tools in the hazards and effects management process such as Environmental
Assessment, Health Risk Assessment and QRA will continue to involve specialists but their output can
now be brought together with other studies in a common HSE Management System. Specialist
assistance when using other tools and techniques may also be necessary. However the successful
application of any tool and technique will always be dependent on the participation of the staff involved
in the activities under study. Most of the tools described require a multi-disciplinary approach.
Health, Safety and Environmental Management is no different from any other aspect of EP business
and remains a line responsibility. HSE therefore falls under the same management and management
system. H, S and E have been considered together in this document although external reasons may exist
for presenting certain studies separately. For example, when two separate authorities deal with safety
and environmental
A comprehensive list of terms and their definitions is provided in the glossary of this document.
'The potential to cause harm, ill health or injury, damage to property, plant, products or the
environment, production losses or increased liabilities'. This definition can be extended to include
social/cultural disruption.
This represents a specific use of the word hazard which in more common usage can mean danger,
chance or risk. Risk is defined in 2.4. It is important to recognise the adopted definition of this basic
term and to be consistent when using common techniques. Hazards should not be confused with
hazardous activities (e.g. drilling). Examples of hazards are: hydrocarbons under pressure, objects at
height , electricity. Appendix III contains a listing of generic hazards.
The terms 'chronic' and 'acute' are introduced in Volume 1 and are used to differentiate between hazards
and effects associated with continuous discharges and occupational exposure (prolonged) and those
relating to one off events, (health, safety and environmental incidents) which might include poisoning,
oil spills, fires and explosions.
In environmental terms, 'chronic' effects are sometimes referred to as 'routine' and are defined as the
result of planned emission or discharge to the environment. Such releases may include flaring of gas, or
discharge to sea of produced water following repeated and prolonged exposure to relatively low levels
or concentrations of a hazardous agent.
The aim is to control all health and environmental hazards and effects within defined limits. For health,
for example, controls for benzene define levels in air for long term exposure. For environment, for
example, controls for flaring may include limiting the volume of gas disposed of, defining criteria for
the combustion efficiency and defining environmental quality standards for combustion products.
Similarly, control of noise emission will be based on noise limits which will be set for a given location.
An effect in the context of this manual is usually an adverse effect either on the health or safety of
employees or the public. An environmental effect is any direct or indirect impingement, whether
adverse or beneficial, upon the environment of the activities, products and services of the company.
This also includes impact on social and cultural systems.
The undesired release of a hazard is a hazardous event. If the hazardous event is the first event
resulting from the release of a hazard then it is called a 'Top Event'. This is the undesired event at the
end of the fault tree and at the beginning of an event tree (see 2.5). In the context of environmental
routine hazards, the undesired event can relate to the breaching of defined limits, such as oil in water
discharged to sea or noise levels in and around locations, or in the context of health hazards, this relates
to exceeding occupational exposure limits and other standards for the full range of agents hazardous to
health.
An incident is an unplanned event or chain of events which has caused or could have caused injury,
illness and/or damage (loss) to assets, revenue, the environment or third parties. An incident involves
the release or near release of a hazard which includes the exceedance of defined limits.
To prevent a threat or combination of threats ultimately resulting in the release of a hazard, some kind
of countermeasures are necessary. These measures are called barriers. In the case of corrosion as a
threat, for example, appropriate barriers could be a corrosion-resistant coating, inspection programmes
or corrosion allowances. For overpressure one barrier would be a pressure relief system.
Environmental barriers could include operational controls, e.g. traffic restrictions for noise, or
hardware controls, e.g. provision of water treatment equipment. Health barriers include, for example
local exhaust ventilation (LEV) and PPE.
THREATS ESCALATION
Hazard :
Hydrocarbon gas
under pressure
Examples:
Corrosion Fire
Pressure Vessel
Erosion
Impact
Hazardous
Event
Leak ! Fire
CAUSATION CONSEQUENCE
THREATS ESCALATION
Ecological damage
Water supply contamination
Irrigation contamination
Hazard : Liabilities
Effluent Reputation
Discharge
Hazardous
Event
Discharge
ppm Limit Exceeded !
Pollution
ppm
ppm
Limit
CAUSATION CONSEQUENCE
THREATS ESCALATION
Increased risk :
Hazard:
Leukaemia
Toxic vapour
Liabilities
Loss of reputation
Examples:
Corrosion
Handling of toxic chemical
Maloperation
Leaking flanges
Release of benzene
Increased
risk of
leukaemia
Exposure to benzene
exceeding OEL* !
ppm
ppm
Limit
CAUSATION CONSEQUENCE
e.g.maloperation
E
e.g. overpressure S
H C
A A
Z L
A e.g.ESD Loss of A
R bypassed gas e.g.detector failure T
D containment I
O
N
Hazardous Event
e.g. explosion
2.4 Risk
Risk is the product of the probability that a specified undesired event will occur and the severity of
the consequences of the event. To determine the risk of a specific hazardous event taking place
therefore requires information on the likelihood of the event taking place and the severity of the adverse
consequences that could be expected to follow from it. Risk is a term which combines the chance that a
specified undesired event will occur and the severity of the consequences of the event.
To determine the risk associated with a specific 'hazardous event', information is therefore required on
the chance of the event taking place and the severity of the consequences that might be expected to
follow from it. Risk is sometimes also defined as the product of probability and the severity of
consequences.
The terms 'probability', 'likelihood', 'frequency' and 'chance' are often used interchangeably however in
the HEMP terminology, the following apply and should be consistently used:
llikelihood and chance both indicate the possibility of something happening
frequency is a rate, e.g. number of incidents per hour
probability is a ratio
It indicates the number of chances of something happening to the total number of chances.
Fault Tree Analysis is used to show the sequence of possible threats or causes that could lead to the
release of a hazard. The fault tree leads to a single point where the undesired event has taken place or
where the hazard has been released. This is known in risk assessment terms as the Top Event and
represents the transition from the Fault Tree (threats/causes) to the Event Tree (consequence).
The Event Tree is made up of nodes which correspond to the different stages in an escalating incident
sequence. The lines which lead out of each node correspond to the paths of success or failure in
mitigation of the incident.
The whole sequence showing the progression from any cause, (Fault Tree) through the Top Event to the
full range of consequences (Event Tree), for a single hazard can be represented in a single diagram
(often called a 'bow tie') as shown in Figure 2.4. In a quantitative assessment such as QRA, a number
of hazards will be considered together, however in qualitative assessment it is normal to consider one
hazard or one bow tie.
For qualitative and quantitative risk assessment the same process is used (i.e. bow tie) but in QRA,
risks are quantified initially per Top Event then summated for a number of scenarios and hazards.
Lack of good data may limit the development of a fault tree however in some circumstances the
historical frequency of the top event may provide an adequate timate.
Consequence analysis can be applied to assess HSE aspects for a range of scenarios and typically
involves the use of predictive models. Examples include the use of:
physical effects models for predicting the behaviour and loading from potential hydrocarbon
releases (dispersion, fire, radiation, explosion and smoke) in terms of flammable limits, heat
radiation, explosion overpressure, etc
physical consequence models for predicting the consequence of the effects of hydrocarbon release
events (structural damage, vessel integrity loss, etc)
air and water dispersion models for predicting the behaviour of discharges to the atmosphere or
water bodies respectively
The tools and techniques used for both likelihood and consequence analysis are described in Chapter 4.
The principles of 'identify', 'assess', 'control' and 'recover' are the basis of HEMP, with the individual
stages summarised in the following steps:
These documents will then be included in Parts 3 and 5 of the HSE MS and HSE Case.
People involved in operational activities however should always be alert to identify new hazards
particularly in non routine operations.
Appendices I and II give an indication of when the tools and techniques are used during the life cycle of
a development and in the development of an HSE Case for an asset. Full guidance is provided in the
respective business activity guidelines such as EP 95-0230 Design and Engineering and EP 95-0220
Concept Development.
The output from the various tools and techniques used in the HEMP in the planning and review stages
of a new development is used primarily to refine the design by identifying the hazards and threats,
removing them if possible and making the design as inherently safe to operate as practicable. The
output therefore primarily concerns the hardware although the design planning phase can profoundly
affect all subsequent stages of the development. Information from this work is included in the HSE
Case for an asset for use in the operational phase.
In the implementation or operations phase, planning activities such as the systematic preparation of
Permits to Work and Job Hazard Analysis address all the steps of the HEMP. EP 95-0315 describes the
basic Permit-to-Work System and EP 95-0311 describes Job Hazard Analysis which can be used for a
team review of the procedure for a repeated activity or as a one-off review of a new activity. The
computerised system THESIS (see EP 95-0323) can also be used to assess hazards and effects and
identify the necessary controls. EP 95-0270 General Workplace Practices contains activity
specification sheets and hazard register sheets for typical HSE activities and hazards encountered in the
workplace. The Manual of Permitted Operation (MOPO) describes conditions where specific activities
cannot be carried out at the same time and is described in EP 95-0310 Implementing and Documenting
an HSE MS and HSE Case. Waste management procedures, described in EP 95-0390 Waste
Management Guidelines, provide information for the inclusion of waste management activities.
At the time of writing this Guide, work is proceeding on the preparation of Generic HSE Cases for
activities such as drilling, seismic and transport. These are aimed at providing a basic 'starter kit' HSE
case containing all the common activities, procedures and controls which can be subsequently made
'site-specific' for local application.
The output from the various tools and techniques in the HEMP for operational-type activities will be
used in the development and review of working procedures and form part of the HSE Case for the
operation of the facility. For a significant or new activity, such as a major construction project, a
seismic or drilling campaign or abandonment, the output from the various tools will be included in an
HSE Case.
For a smaller work scope usually confined to one contract the HSE Case is sometimes called an HSE
Plan or where the work or operational task is one of many to be undertaken, terms like 'Work
Procedure' or 'Work Statement' are sometimes used. All these descriptions only reflect the scale of the
operation. The most important point is that in their preparation the steps of the Hazards and Effects
Management Process must be followed. That is hazards and potential effects must be identified and
assessed and Control and Recovery Preparedness measures must be developed and in place ahead of
time.
experience/judgement
checklists
codes and standards
structural review techniques
Structured
Review
Techniques
Checklists
Experience /
Judgement
IDENTIFY ASSESS
HEMP
RECOVER CONTROL
3.3.1 Experience/judgement
The knowledge of experienced staff provides a sound basis for hazard identification and assessment.
One can draw on experience gained from different aspects of the EP business in different locations.
Practical staff experience gained in the field and feedback from incidents, accidents and near misses is
invaluable.
3.3.2 Checklists
These are a useful way of ensuring that known hazards and threats have all been identified and
assessed. The use of checklists, however, must not be allowed to limit the scope of review. They are
normally drawn up from standards and operational experience and focus on areas where the potential
for mistakes is high or where problems have occurred in the past. Hazard Registers taken from the life
cycle of previous developments are particularly useful as a basis for checklists. They should be
maintained throughout the life of the development and include both the operational and abandonment
phases (Ref. 1).
Table VI.1 is a checklist called the Hazard Hierarchy which includes health, safety and environmental
hazards previously identified by Opcos. The checklist approach is used in several techniques such as
HAZID, HAZOP and FIREPRAN for example.
compliance with prescriptive standards alone will reduce risk to 'as low as reasonably practicable'.
Similarly, the acceptability or otherwise of emissions or discharges to the environment or release of
agents harmful to health can be assessed by reference to environmental quality standards and
occupational health exposure limits. For environmental and occupational health, the process begins
with an inventory of emissions and effects agents hazardous to health respectively.
Codes and standards can therefore provide guidance on all four steps of identify, assess, control and
recovery.
Where new or non-standard designs are concerned, especially ones containing configurations with
multiple interfaces, it is unlikely that all the possible interactions can be identified using codes and
standards alone. In more complex facilities such as offshore process facilities, other hazard
management tools will be required.
For EP facilities, a generic Hazards and Effects Hierarchy has been generated and is included in
Appendix III. This provides a structured listing of hazards and effects and attributes which can be used
as a completeness check during hazard identification. The hierarchy provides the basis for a
computerised approach to the systematic identification and assessment of hazards and their effects.
Technique Reference
HAZID (Hazard Identification) A structured brainstorming technique that is EP 95-0312
particularly useful in the early stages of a
development, either as a stand alone exercise or as
part of a more general review. The prompt or
checklist approach guides the less experienced
and prompts the experienced. Success when using
the technique depends upon a properly constructed
team being well managed and having the
opportunity to think beyond the checklist and
identify the unusual. The same technique can be
applied for health hazards associated with the
living environment (e.g. tropical diseases) and
lifestyle (e.g. substance abuse).
Health Risk Assessment Is used for identifying and assessing occupational SHSEC Guide
health hazards and the controls needed to manage (Ref. 2)
them effectively. Chemical, physical, biological,
ergonomic as well as psychological aspects of the HMSO publication
occupational environment are included. (Ref. 3)
Health Risk Assessment and Supplements the general guide on Health Risk SHSEC 1995
Exposure Evaluation for Chemical Assessment (Ref. 4) by providing specific (Ref. 4)
Agents additional advice on assessing risk to health
arising from chemical agents in the work place.
Technique Reference
Human Factors Encompasses a number of techniques directed at EP 95-0324
the assessment of the human element of the
management of hazardous events from design
through to emergency response.
Environmental Assessment (EA) Includes development of an environmental profile EP 95-0370
which provides information necessary to:
build an environmental description of the
area or location and its environment before
development
assess the beneficial and/or adverse effects of
the development
identify mitigation measures
prepare a plan to enable measures to be
implemented
Also applicable to ongoing activities.
Soil and Groundwater Guides Provides guidance on assessing soil and EP 95-0385
groundwater quality at EP locations from initial
desk studies to more detailed site investigations. EP 95-0386
EP 95-0387
Social Impact Assessment Describes the component parts of a social impact EP 95-0371
assessment including relationship to the natural
environment, cultural and historical attitudes and
sensitivities, population characteristics and
political social institutions. Means to involve the
wider public are seen as critical.
HAZOP (Hazard and Operability One of the most widely accepted and powerful of EP 95-0313
Study) the hazard identification and assessment tools
available for reviewing the design of process
facilities. It is carried out in varying degrees of
detail throughout a project after design checks
have been completed. HAZOP is not a design tool
but a supplementary team checking exercise which
also includes the operational aspect of a design.
It is unusual to make other than a subjective
assessment of the consequences of a particular
failure scenario during a HAZOP. The HAZOP
technique has been extended with success by
others to areas like maintenance, drilling, etc.
FIREPRAN To identify deficiencies and opportunities for EP 95-0350
improvement in order to meet objectives with
respect to fire and explosion management.
FIREPRAN is not suited to complex, compact
integrated facilities.
Technique Reference
SAFOP (Electrical Safety and Comprises three components:
Operability Study)
SAFAN - (Safety Analysis) identification of DEP (under
hazards to personnel in the vicinity of preparation)
electrical systems (Ref. 5)
SYSOP (System Operability) critical Refer to SIPM
assessment of electrical network and plant
design
OPTAN (Operational Task Analysis) analysis
of operator actions to determine areas of
potential operator error.
There are few if any tools and techniques which are limited solely to the identification of Hazards and
Potential Effects. Most include assessment as well as identification. Indeed techniques, such as Health
Risk Assessment and Environmental Assessment include all four elements, identify, assess, control
and recover.
Inherent in some techniques, such as HAZOP, is a qualitative assessment of risk based on judgement of
threats, such as hardware failure, control system failure, human error, corrosion, extreme conditions,
etc.
Technique Reference
Job Hazard Analysis Identification of potential problems within a job EP 95-0311
task that could lead to hazardous situations.
Elimination or reduction of the hazard by
development of safe working procedures.
Tripod-BETA To facilitate accident or incident investigation and EP 95-0321
analysis by providing the means to assemble and
manipulate investigation information into a logical
structure consistent with the Tripod accident
causation model and the hazards and effects model
of SMS (HSE MS).
Tripod-DELTA The proactive identification of potential latent EP 95-0320
failures that could lead to hazardous situations and
the development of remedial actions to be taken to
reduce or eliminate such hazards.
evaluate and assess have the same meaning. The THESIS software can also be used to assist in the
hazard/risk evaluation and also uses the Risk Matrix. Guidance on when to use quantitative risk
assessment is provided in the following paragraphs.
4.2.2 Probability
The probability of a hazardous event occurring may be determined by evaluation of the associated
possible threats and circumstances or from historical data bases. Once established, the probability of
occurrence of each event can be included in a fault tree.
Historical records such as those described in EP 92-1020 (Ref. 6) provide failure data for various types
of event in the fault tree and event tree including the Top Event. Alternatively, probability can be
generated in a qualitative way by the relative classification of probability into those shown on the Risk
Matrix in 4.2.4.
It is planned to replace EP 92-1020 (Ref. 6) with a data base prepared on an industry wide basis. This
development is underway with the E&P Forum.
In performing consequence analyses it should be recognised that the majority of models provide only a
good approximation of what might happen. It is a mistake to base design calculations wholly on model
results. The designed system should be capable of withstanding the range of possible anticipated
loadings.
Technique Reference
Physical Effects Modelling This encompasses a number of techniques EP 95-0314
available for modelling the effects of hazardous
releases such as explosions, gas dispersion and
fire
Technique Reference
Oil Spill trajectory Models Used to predict the behaviour of marine spills and A range of models
can play an important role in oil spill contingency available. For
planning. A number of models are available. advice on selection
and use refer to
SIEP
Risk Assessment Models for These have been developed to evaluate the Env. quality
Contaminated Soil significance of soil contaminants to human and standards for soil
environmental health. The Human Exposure to and groundwater:
Soil Pollutants (HESP) developed in SIPM is an
example. EP 95-0385
Setting Priorities
for contaminated
soil and
groundwater:
EP 95-0387
Groundwater Models These have been developed to predict the A range of models
behaviour of contaminants in groundwater and available. For
focus on the movements of the contaminants. advice on selection
and use refer to
SIPM
The matrix need not remain as a static display of risk and measures to be taken. Over the years
tolerance to risk will change therefore the shading in the diagram will change.
The above matrix gives an indication of risk tolerability but this should relate to the operation under
consideration . An example of how the matrix can be further defined for a particular operation is
included in Appendix V.
Guidelines are available for undertaking quantitative risk assessment for specific applications including
risers and pipelines.
These are:
Technique Reference
ASPIN Pipeline failure risk analysis technique and EP 94-0101
data base. (Ref. 13)
An easy to use quantitative failure risk EP 94-0102
assessment tool to compare different (Ref. 14)
options and conditions during pipeline
design and operation and to assist in
optimising and planning inspection and EP 94-0195
maintenance efforts. (Ref. 15)
Simplified version.
RISER Risk Evaluation of Risers. EP 90-1045
(Ref. 16)
Assessment of risks of pipeline riser on or
near platforms with comparative risk
analysis to assess the benefits of subsea
valve installation on pipelines.
These quantitative risk assessments should only be used by personnel with adequate training and
experience. It is most important that those familiar with the operation, the facility or the design are
involved in the study particularly with respect to the input, assumptions and conclusions drawn to
ensure that the model reflects reality.
Assumptions must reflect actual practice including inspection and maintenance frequencies and
techniques, frequency of drills and operating procedures, etc.
QRA provides a structured approach to assessing risk and expresses this numerically. The main
function of QRA is to identify high risk areas and assist in the comparison of design options and the
selection of operations philosophies with a view to establishing effective and efficient risk management.
QRA assists in the determination of 'how safe is safe enough' by helping to analyse options to establish
whether or not ALARP (As Low As Reasonably Practicable) has been achieved.
Engineers and decision makers sometimes like to use quantitative risk assessment to make a decision
for them. For this purpose they would like to see well defined acceptance criteria for risk and a
calculation resulting in one number to tell them whether their design is 'right' or 'wrong'. However, risk
figures which are based on probabilities should be used with caution and comparison against absolute
numerical risk criteria avoided where possible. This is important for a number of reasons.
First, the accuracy of QRA studies means that the comparison of calculated numbers with specified
numerical criteria must be used with considerable caution. The inaccuracies are less important in
comparisons between various options analysed in a consistent manner. Nevertheless absolute risk
figures may be required to fulfil legislative requirements and to ascertain whether ALARP risk levels
have been reached.
Secondly, the risk of EP operations calculated in a QRA is often in the 'Too High' area and nowhere
near the Negligible area. This means that regardless of acceptance criteria set by authorities or others,
there is a need to identify further improvements and to implement them if the cost, time and effort can
be justified.
Thirdly, there is always the temptation to use comparison with absolute risk criteria as a means to
justify not carrying out risk reduction measures, with data being manipulated solely to meet the criteria.
Playing the 'numbers game' in this way could lead to QRA being used to justify risk levels that could
realistically still be reduced.
Fourthly, using statistical likelihood values carries with them a set of inherent assumptions which may
or may not be appropriate for the operation being studied.
Expressions like 'acceptably safe' or 'an acceptable risk' should be avoided when discussing risk. Risks
are never acceptable when the benefits of an activity are perceived to be smaller than the risks. Further,
a risk is never considered acceptable while there are effective alternatives to lower it. If there are no
effective alternatives or the cost of further reduction is disproportionate then it may be necessary to live
with or 'tolerate' the risk.
QRA can be used to assess risk to the company's workforce, assets and environment as well as risk to
the public. At present, QRA or environmental QRA is confined to 'incidental' or 'acute' hazardous
events. In EP operations, the facilities are in many cases sufficiently remote that considerations of this
type of risk to the public do not dominate. In downstream activities, risk to the public is often the main
concern.
The application of QRA is not necessarily limited to large, complex and expensive studies. It is a
technique which can be used relatively quickly and cheaply to help to structure the solution to problems
for which the solution is not intuitively obvious. Without the quantification of risk in some situations,
there may a danger of allocating scarce resources for little benefit. Risk is often defined as a function
of the chance that a specified undesired event will occur and the severity of the consequences of the
event. For QRA purposes, chance can be expressed as frequency or probability of an occurrence. If
no attempt is made to estimate the chance, we may be driven by the consequence into investing heavily
on risk reduction measures which are ineffective. This is illustrated in Figure 4.1. The risk curve
(shaded) indicates the area in which effective risk reduction measures can be taken.
On the left side of the curve the consequences are too small to cause concern, regardless of the
probability. On the right side the consequences could be dramatic but the probability is so low that it
would be more effective to invest in those risk reduction measures which concentrate on the events
contributing to the peak of the risk curve. The above can be easily aligned with the Risk Matrix.
It must be recognised that the public and regulatory authorities are most interested in high consequence
events. In the context of the Risk Matrix this might be in the 'never heard of incident in EP industry'
column but nevertheless risk reduction measures must still be considered.
References to occupational exposure limits and standards are listed in Health Risk Assessment (Ref. 2)
and Ionising Radiation Safety Guide (Ref. 17).
4.3.1 Records
The documentation relating to the hazards and effects analysis and the management of hazards and
effects is included in Parts 3 and 5 of the HSE MS and HSE Case described in EP 95-0310.
In a major project or facility the studies carried out as part of the HEMP are recorded formally usually
via the first draft of the Hazards and Effects Register. The level of detail addressed increases as
familiarity with the project or facility improves. Different techniques are then applied to identify and
assess hazards. The hazards and control measures identified during the design phase are recorded for
later transfer to the operator of the facility who will be responsible for the HSE Case. A PC based tool
developed to do this is THESIS described in EP 95-0323.
Assembly of the Hazards and Effects Register, which forms part of the HSE Case, begins at the design
and development stage of a project when hazards and effects from this phase are incorporated. Hazards
applicable during the construction and commissioning phase may be included or listed separately.
Later, hazards encountered in the operations and maintenance phase are included. The Hazards and
Effects Register is a live document and is passed from phase to phase of a development through to
abandonment. When the design phase is complete, the Hazards and Effects Register is handed over to
and subsequently maintained by, the operations management of a facility. The Hazards and Effects
Register will subsequently be used in the planning of abandonment and held on record for a period
thereafter.
the level and number of barriers installed initially and the recovery preparedness measures to be in
place
the limit of safe operation if the barriers and/or recovery preparedness measures (sometimes
referred to as the 'Integrity Envelope') are reduced, removed or purposely defeated
the limit of safe operation permitted during periods of escalated risk, in either likelihood or
consequence. This includes external factors like extreme weather conditions
which activities may or may not be carried out concurrently, e.g. simultaneous welding and crude
sampling.
Further details on the preparation of a MOPO are given in EP 95-0310 Implementing and Documenting
on HSE MS and HSE Case.
4.5.1 General
Risk reduction measures include preventative measures (likelihood reducing) and mitigatory measures
(consequence reducing). As described in EP 95-0100, the point at which measures may be classified as
prevention, mitigation or recovery can sometimes become unclear depending on the perspective of what
constitutes the hazardous event. Fortunately, in practice, this makes little or no difference to the process
of risk reduction.
Control and recovery aspects form a significant part of design standards. These are not listed
separately in this document.
A number of reference documents describing the controls are frequently used in applying the HEMP.
These are summarised below together with references for full descriptions.
EP HSE Manual:
EP 95-0376 Monitoring Air Quality
EP 95-0381 Monitoring Water Quality
Recovery Preparedness Measures include active, passive and operational (contingency plans) response
arrangements.
In a crude oil separation module a loss of containment will probably be controlled by ESD,
depressurisation and containment/fire protection devices. These control and recovery measures have
been installed to achieve the HSE objectives that have been set. They might reduce a worst case
occurrence to a single major injury or fatality as compared with the possible catastrophe that could
have occurred with no controls at all in place.
From an environmental perspective recovery includes site clean up and rehabilitation. An example in
occupational health would be the redeployment of a radiographer who has exceeded his radiation
exposure or a cargo handler who has a back injury.
Documents which will assist in the development of recovery procedures include amongst others:
APPENDIX I
ACTIVITIES: PLANNING AND REVIEW
HEMP TOOLS AND TECHNIQUES
In the EP Business Model (EPBM) Version 3 (Ref. 23) the activity grouping (ACT) 'Managing
Activities' applies equally to all activities including those shown below against the life cycle.
In the 'Establishment of Business Controls' (ACT-01-06), the controls to manage HSE risk are
addressed in an HSE Case. The broad HSE objectives to be met in the activities: establishment of
business controls (ACT-01-06), 'planning' (ACT-01-08) and 'monitoring/control during execution'
(ACT-03-02) are bulletised on the left of the table below. Some of the tools and techniques available
are listed on the right.
produce and
explore appraise develop maintain abandon
Execute Surveys
Drilling Drilling
Appraisal and
Development
Design
Construction
Commissioning
Production and
Maintenance
Decommissioning
Logistics
objectives
APPENDIX II
ASSETS: PLANNING AND REVIEW
HEMP TOOLS AND TECHNIQUES
The activities (Ref. 23) described in this appendix encompass the life cycle of an asset. The HSE Case
which is prepared during the execution of these activities becomes the HSE Case for the asset and
forms part of the Asset Reference Plan.
The broad HSE objectives are bulletised on the left of the table. Some of the tools and techniques
available are listed on the right.
DESIGN, CONSTRUCT, MODIFY OR ABANDON FACILITIES (A12)
Prepare Conceptual Design (A12-01) (Validate 'Basis for Design')
ensure technical integrity of HAZOP (coarse)
basic process
develop layout to minimise Coarse Layout Methodology
consequences in developing Human Factors
the 'Project Specification'
review technical integrity of HAZOP (detailed)
detailed process Instrumented Protection Function (IPF) classification
minimise risk of escalation
-for offshore and complex plant Detailed Layout Methodology, Fire and Explosion Analysis
-for less complex and onshore Emergency System Survivability Analysis
FIREPRAN
ensure adequate provision Escape, Evacuation and Rescue Analysis (use judgement
for escape for less complex plant)
review overall risks QRA (as necessary)
minimise construction risks HAZID
incorporate HSE-specific Health Risk Assessment, Human Factors,
requirements Environmental Assessment
HSE CASE FOR ASSET
HAZARDS AND
EFFECTS REGISTER
objectives
DESIGN, CONSTRUCT, MODIFY OR ABANDON FACILITIES (A12) cont'd)
Prepare Detailed Design (A12-02)
ensure change does not QRA
HAZOP
impair technical integrity
prepare input for HSE Case Instrumented Protection Function (IPF) classification
for facility see ACT-01-06
DESIGN, CONSTRUCT, MODIFY OR ABANDON WELLS (A09)
(as for A12 for Wells)
OPERATE AND MAINTAIN FACILITIES AND WELLS (A71/A72)
(see under HSE Case for Asset)
MANAGE ASSETS (ASS)
(Includes HSE Case for Asset)
Asset Reference Plan (ASS-01-02)
demonstrate that risks HAZID
associated with asset and its Health Risk Assessment
operation are managed Environmental Assessment
Job Hazard Analysis
Permit-to-Work
Instrumented Protection Function (IPF) classification
H2 S
Fire Control and Recovery
Safe Handling of Chemicals (SDS)
Human Factors
Emergency Response (including oil spill plans)
Oil Spill Dispersants
Contaminated Soil and Groundwater
Classification of Waste
Waste Management
Appraise Asset Integrity (ASS-04-02)
confirm process integrity and Process Hazard Review
containment HAZOP
compare fire and explosion FIREPRAN
provisions against objectives set
HSE CASE FOR ASSET
HAZARDS AND
EFFECTS REGISTER
APPENDIX III
HAZARDS AND EFFECTS HIERARCHY
The Hazards and Effects Hierarchy is a structured list of HSE-related hazards and effects that may
occur in the EP business. It can provide a starting point in hazard identification (the first step of the
Hazards and Effects Management Process, HEMP). Use of the Hazards and Effects Hierarchy as a
checklist gives greater assurance that all hazards and effects have been addressed and identification and
initial assessment is complete.
The Hazards and Effects Hierarchy is a structured checklist incorporated in the PC-based tool THESIS
(EP 95-0323). It is continually being improved with use in different operations and environments. The
hierarchy in the attached Table III.1 is therefore only included as an example or 'snapshot'. For the
most up-to-date version, refer to the latest version of THESIS software.
In THESIS each hazard and effect has been assigned a number which has been consistently carried
through to the Hazards and Effects Register. The same numbering system is used here.
The Hazards and Effects Hierarchy, Table III.1, consists of main hazard groups such as H-01
Hydrocarbons. Under these are sub-groupings, such as H-01.06 Hydrocarbon Gas. Some examples are
given of typical sources of these hazards or locations where they will be found.
Under the three columns 'Safety', 'Health' and 'Environment' an arbitrary coding has been given which
has been found useful in grouping hazards. The reason for the Health grouping is explained below. Any
other coding or tagging can be used.
No attempt has been made to link the listing of hazards with, for example business activities or types of
facilities, since any one hazard can invariably be present in many situations. The Hazards and Effects
Hierarchy nevertheless lends itself to use as part of a systematised approach to hazard management.
chemical hazards
physical hazards such as noise, vibration, ionising radiation
biological hazards such as micro-organisms
ergonomic hazards such as manual handling
psychological hazards such as stress
life style such as substance abuse
living environment such as malaria and environmental pollution
The Hazards and Effects Hierarchy as presented in this appendix can be sorted to cover all significant
health hazards and effects in this order or any other order that is required.
The Hazards and Effects Hierarchy listing, Table III.1, is valid for both incidental releases and routine
releases. As described in 2.1, a hazardous event in the case of the routine or chronic release is when
defined limits have been exceeded. A hazardous event in the case of an acute or incidental release is
an occurrence or incident.
Limits should be defined for routine releases which have an adverse effect on the environment.
Reviewers often find it easier to think in terms of sources of environmental effects. To assist in this
identification Table III.1 is a checklist of sources, of environmental hazards and of potential effects.
This table can assist in the identification of hazards and effects when reviewing a proposed
development or operation (i.e. in the Environmental Assessment process) or when reviewing effects
from the existing operation and preparing reduction plans.
The list is not complete and any further additions to the checklist should be forwarded to SIEP.
It is not always possible to pinpoint a genuine hazard causing the effect, e.g. resource use can result
from a number of activities.
Key to Hazards
CO health damage
noise nuisance/health damage
light nuisance/health effects
H2S health damage/odour nuisance
odorous compounds nuisance/odour
particulates health damage/ecological damage/soot deposition
radiation health damage/ecological
heat nuisance/ecological damage
trace toxics - ecological/health damage
metals
- PAH
Energy generating CH4 global warming/climate change/atmospheric ozone increase
equipment
- turbines SOx acid deposition, water and soil acidification, global cooling
storm water run off heavy metals accumulation in biota and sediments, adverse effects on
organisms, unfit for drinking, recreation, irrigation, livestock.
produced water salts biological damage
cooling water barite (mud), drilling fluids, smothering/damage to sea bed and biota
drilling cuttings
tank bottom water nutrients eutrophication
odour nuisance
chemicals/corrosion damage to aquatic organisms
inhibitors/biocides/
fungicides
volume of water to land increased water table, flooding, change in riverflow
fresh water discharge decreased salinity
suspended solids decreased transparency, damage to coral reefs, damage to and
bottom organisms, recreation, habitat
soil/ erosion sediments smothering, damage to vegetation
PAH damage to aquatic organisms, water not fit for drinking,
irrigation, livestock.
Grease water not fit for recreation, damage to bottom sediments
salts/brine increased salinity, damage to aquatic organisms, water unfit for
drinking, recreation, irrigation, livestock
acids/caustics damage to aquatic organisms
temperature change change in oxygen concentration, damage to aquatic organisms,
increased growth/blooms
detergents eutrophication/toxicity
Black water and/or grey pathogens health damage
water (sewage and wash
water)
anoxia (deoxygenation) biological damage
nutrients eutrophication
specific chemicals damage to aquatic organisms water unfit for drinking, recreation,
irrigation, livestock
odorous compounds nuisance odour/smell
Sacrificial anodes heavy metals damage to aquatic organisms, water unfit for drinking,
recreation, irrigation, livestock
Detonators noise/pressure waves damage to aquatic organisms/repellent
Chemicals paints biological toxic or chronic damage/global warming
solvents health/biological toxic or chronic damage/global warming
cleaners biological toxic or chronic damage
Soil oil/hydrocarbons soil contamination; ground water contamination
- oil sludges heavy metals soil contamination
- tank bottom sludges chemicals soil contaminations; groundwater contamination; smothering.
- oil based muds specific chemicals soil contamination; groundwater contamination; smothering.
- water based muds
- drilled cuttings
- contaminated soil
Eroded Materials soil sediments smothering, biological damage
Source* ROUTINE HAZARDS POTENTIAL EFFECTS
* any indented (-) are covered by all aspects in the adjacent columns.
APPENDIX IV
STRUCTURED REVIEW TECHNIQUES
SUMMARY DESCRIPTION SHEETS
Title Assets* Activities*
ASPIN *
Emergency Systems Survivability Analysis (ESSA) *
Environmental Assessment (EA) *
Explosion Protection Review (EPR) *
Fire and Explosion Analysis (FEA) *
FIREPRAN * *
HAZID *
HAZOP * *
Health Risk Assessment (HRA) * *
Job Hazard Analysis *
Physical Effects Modelling (PEM) *
Process Hazard Review (PHR) * *
Platform Layout Methodology (PLM) * *
RISER *
Smoke Ingress Analysis (SIA) *
SAFOP *
Structural Consequence Analysis (SCA) *
Temporary Refuge/Escape Evacuation and Rescue Analysis (TR/EERA) *
The Health, Environment, Safety Information System (THESIS) * *
Tripod-BETA *
Tripod-DELTA *
Assets* Used primarily in planning, design, longer term review and preparation of HSE Cases for assets.
Activities* Used primarily for developing and reviewing operational-type procedures, systems and preparing
activity HSE Cases, plans or method statements, e.g. seismic drilling, construction and
commissioning, and production and maintenance.
ASPIN
Objective
To provide an easy-to-use quantitative failure risk assessment tool to compare different options and
conditions during pipeline design and operation and to assist in optimising and planning inspection and
maintenance efforts.
It is a tool that is situated between a full Quantitative Risk Assessment (QRA) and simple risk
ranking/scoring methods, less complicated and expensive than the former and more quantitative (and
therefore more accurate) than the latter. It is intended as a decision support tool and does not specify
acceptance criteria for risk levels. It can, for example, identify the effect of use of inspection pigging and a
leak detection system on risk levels.
Method
The methodology is based on the generally applied risk analysis technique whereby the probability of a
failure, expressed in terms of expected failure frequency, is multiplied by the consequence of such a failure
to arrive at risk. Failure risk is determined cumulatively over a given longer period of time as well as on a
yearly basis.
The method is structured in four main parts:
1. Identify the possible failure causes and derive potential failure frequencies
2. Identify the most likely failure type distribution
3. Identify the consequences of pipeline failure
4. Combine parts 1 and 3 to derive risk levels
Deliverables (Output)
Safety, environmental and economic risk comparison assessments that can be used in support of pipeline
design and operation decisions. ASPIN can be used in the development of HSE Cases as part of the HSE
MS including input into Hazards and Effects Register. ASPIN identifies and assesses all potential major
hazards, evaluates the risks and the effectiveness of the various measures to reduce the risks to the lowest
practicable level.
Further Information
EP 94-0101 - ASPIN Version 1.1 Pipeline Failure Risk Assessment (Ref. 13)
EP 94-0102 - ASPIN Version 1.1 Pipeline Failure Risk Assessment (Ref. 14)
EP 94-0195 - Simplified Method for Pipeline Risk Ranking, Version 2.0 (Ref. 15)
DEP 31.40.60.11 - Gen Pipeline Leak Detection (Ref. 24).
Information Required
Site and potential waste product descriptions, project description including process materials and sources,
materials of construction, project schedule and both strategic and local economic benefits.
Deliverables
Environmental Statement
Agreed adjustment to design options
Mitigation and recovery measures during operations
Environmental report covering suggested monitoring programmes and environmental management
systems. This report can be used as the basis for public meetings and exhibitions if required.
Overlap
Environmental Assessment (EP 95-0370) describes the Hazards and Effects Management Process (HEMP)
as it applies to environmental matters throughout the life cycle of a development.
Further Information
EP HSE Manual, Environmental Assessment, EP 95-0370.
FIREPRAN
Objective
A structured review technique for the review and assessment of:
1. hydrocarbon release and combustion related risks in a facility
2. the fire and explosion control and recovery preparedness measures in place.
3. the capability to meet the performance standards set and satisfy the objectives and criteria set for the
management of fire and explosion hazards.
To identify deficiencies and opportunities for improvement in order to meet objectives with respect to fire
and explosion management. FIREPRAN is not suited to complex, compact integrated facilities.
Method
A multi-disciplined team uses a structured HEMP compatible approach to identify hazards related to
hydrocarbon releases and explosions and develops a hazards and effects hierarchy. The hazard control
measures and related hazardous events mitigation and recovery measures are recorded in a hazards and
effects register. Potential fire and explosion scenarios are developed enabling review of the resources
needed to respond effectively to these incidents. Resources needed to respond effectively to fire and
explosion hazardous event scenarios are compared with those already in place. Results are presented with
opportunities for improved risk reduction measures as appropriate to plant criticality.
Information Required
Process flow schemes, plot plans, plant layouts and hazardous area drawings
Fire system and fire water piping drawings, fire areas, equipment layout, fire and blast walls and
passive fire protection drawings
Operating and maintenance philosophies
Deliverables
This technique permits the identification of hazards as well as potential, related fire and explosion
scenarios. It assists line management in the process of developing realistic, cost effective, control and
recovery measures which can be justified in terms of reducing risks to personnel, environment, assets and
production, to tolerable levels. Deliverables take the form of a hazards and effects register, fire and
explosion scenario development sheets and a set of recommendations for actions needed to achieve
tolerable risk levels.
Overlap
HAZOP, QRA (for complex studies).
Further Information
EP HSE Manual, FIREPRAN, EP 95-0350.
Health and environmental aspects must be included on the same basis as safety.
Method
A multi-disciplined team review using a structured step-by-step methodology with the application of
parameter and guide word combinations to sections (nodes) of the system to identify hazards and operability
problems normally with a facility but also with procedures.
Coarse HAZOP - Large nodes concentrating on major issues, requires a team of experienced senior
engineers. The recommendations from a Coarse HAZOP may involve significant changes to the design.
Main HAZOP - Rigorous application of the technique to relatively small nodes, requires a team of
experienced engineers with extensive project experience.
Final HAZOP - Rigorous application of the technique to relatively small nodes, requires similar team as
for Main HAZOP with the addition of vendor representatives. At this stage recommendations should be
concentrated on will it work rather than it would improve the safety of design to have.
Procedural HAZOP - Application of specialised guide words to operating procedures, requires a team
similar to that for main HAZOP with greater emphasis on operational personnel.
HAZOP (continued)
Deliverables (Output)
Coarse HAZOP - Recommendations for adjustment to design options, QRA studies and other supporting
investigations. A risk ranking may be given to assist in prioritising the actions. This list may be
incorporated into the Hazards and Effects register for the project.
Main HAZOP - Recommendations to amend the design to remove or reduce hazards and operability
problems. Categorisation of the recommendations into approximate risk groups to assist in prioritising
the actions. This list should be used to update the Hazard register for the project.
Procedural HAZOP - Recommendations to amend the procedures to remove or reduce hazards and
operating problems. This will allow Safety Critical Procedures/Operations to be identified.
Overlap
HAZOP is a stand alone process hazard and operability problem identification and assessment (qualitative)
tool.
Further Information
EP HSE Manual, HAZOP, EP 95-0313.
Health Risk Assessment (HRA)
Objective
The identification of health hazards in the workplace and subsequent evaluation of risk to health, taking
account of existing control measures. Where appropriate, the need for further measures to control exposure
is identified.
Method
HRA consists of a number of steps:
Step 1 Define management's role and responsibilities and allocate resources
Step 2 Define structure for implementation (identify assessment units; assessment team; job types; tasks;
hazardous agents)
Step 3 For each job type gather information on agents and their harmful effects; nature and degree of
exposure; screening and performance criteria
Step 4 Evaluate the risk to health (assign severity rating and exposure rating)
Step 5 Decide on remedial action
Step 6 Record the health risk assessment
Step 7 Review the health risk assessment.
Information Required
Detailed information on hazards and effects (e.g. toxic properties of chemicals); exposures (e.g. exposure
levels to toxic chemicals); performance of existing controls; information from health surveillance records,
etc.
Deliverables
HRA, as a tool for use as party of a company's HEMP, assists to identify, evaluate and control health risks
related to the company's operations to a level 'as low as reasonably practicable'. The recommendations
emerging from the HRA provide the input into the HSE Management System to ensure ongoing control of
health risks and continual improvement in health performance.
Further Information
SHSEC Guide (Ref. 2) and references contained within that document.
Information Required
Facility layout drawings and any available information from physical effect and consequence modelling.
Deliverables
A structured auditable description of the development of an offshore platform topsides layout.
Overlap
Input data from PEM and consequence modelling.
Further Information
EP 90-2500 (Ref. 9)
EP 91-1600 (Ref. 7)
EP 91-1601 (Ref. 8).
A similar document describing an onshore layout procedure is planned.
RISER
Objective
Assessment of risks of pipeline riser on or near platforms with comparative risk analysis to assess the
benefits of subsea valve installation on pipelines.
Method
The method is based on the following steps (using the information required described below):
definition of release cases using clear selection rules
failure frequency estimation (using a standard historical data set modified where needed to allow for
local factors)
consequence modelling (from release rate calculations using models for dispersion, jet fires, explosions,
etc)
impact assessment (determination of fatalities/damage and probabilities followed by event tree analysis)
risk calculation (determination of total risk for the riser system).
Information Required
Platform and pipeline engineering data, personnel numbers and distribution, environmental data and
evacuation systems.
Deliverables
Data on the comparative risk expressed as Potential Loss of Life (PLL)
Overlap
Input data from hazard identification techniques such as FIREPRAN, Quantitative Risk Assessment (QRA)
and Hazard and Operability Studies (HAZOP).
Output data are used in Quantitative Risk Assessment (QRA), FIREPRAN, Plant Layout Methodology
(PLM) and Fire and Explosion Analysis (FEA).
Further Information
EP 90-1045 RISER Riser Safety Evaluation Routine (Ref.16).
Information Required
Detailed electrical system design and layout drawings, control circuit diagrams, system designs and
functional specifications, and electrical system operating and emergency procedures.
Deliverables
Report detailing the findings of the audit and where necessary making recommendations categorised as
Strongly Recommended, Advice or call for further information Information Required.
Overlap
SAFOP is a stand alone technique but it has some overlap with Job Hazard Analysis EP 95-0311, Human
Factors Analysis EP 95-0324 and Procedural HAZOP.
Further Information
DEP (Ref. 5) under preparation. Until release consult Electrical Engineering. Refer to SIEP.
Note:
There are several practical and theoretical problems with the methodology in EN/066. The model is
written in Supercalc 5 which is not a Shell-supported package and there may be considerable difficulty
in running the software. Expro are planning to revise EN/066 to provide guidance on smoke, heat, CO
and low oxygen impairment of the TR. This work is planned to also overcome the technical limitations
of the current methodology and to incorporate results of relevant research in these areas.
Information Required
Details of potential fires from FEA , data on the type and layout of existing fire protection facilities.
Detailed structural drawings.
Deliverables
Report on the ability of the structure to withstand the fire scenarios identified. This will reveal if there
exists the potential exists for fire to lead to progressive collapse of the structure or loss of the TR within the
required endurance period. If necessary recommendations for remedial actions and distribution of
protective equipment should be made.
Overlap
Input data is required from Fire and Explosion Analysis (FEA) and physical effects modelling. SCA may be
used in QRA.
Further Information
Expertise and advice should be sought from SIEP Structural engineering function.
Information Required
Detailed information on the TR/EERA provisions and details of the major hazard scenarios identified.
Details of installation layout including muster stations, refuges, evacuation points and escape to sea
facilities. Input data from Fire and Explosion Analysis (FEA), Smoke Ingress Analysis (SIA) and
Emergency Systems Survivability Analysis (ESSA).
Deliverables
A formal record of the EER facilities and arrangements with details of the direct and escalated impact of
the identified hazard scenarios coupled with considerations on the likelihood of their occurrence.
Overlap
Input data required from FEA , SIA and ESSA. The results of the TR/EERA may be used in the QRA.
Further Information
Shell Expro document - EA/032 (Ref. 27) and DEP 37.17.10.11 Gen (Ref. 12).
Tripod-BETA
Objective
To facilitate accident or incident investigation and analysis by providing the means to assemble and
manipulate investigation information into a logical structure consistent with the Tripod accident causation
model and the hazards and effects model of SMS (HSE MS).
Method
A PC tool which provides the means to record information from the investigation, linking related
information on events, people, damage, locations, etc.
Information is transferred to a screen where it can be manipulated and linked as nodes in a BETA tree.
Nodes are classified, the connecting logic tested and anomalies flagged for amendment. Nodes are assigned
General Failure Type (GFT) classifications.
Information Required
Accident or incident investigation data.
Deliverables
A draft report for final editing, presenting salient details of the events, actual and potential damage,
failures and identified causes
A BETA tree diagram
GFT profile for the accident/incident.
Overlap
Tripod-BETA is a stand-alone technique.
Further Information
EP HSE Manual, Tripod-BETA, EP 95-0321
Tripod-DELTA
Objective
The proactive identification of potential latent failures that could lead to hazardous situations and the
development of remedial actions to be taken to reduce or eliminate such hazards.
Used where there are few incidents providing information on causation therefore tries to avoid 'requiring
incidents to improve'.
Method
Development of indicator question database. These are used in the form of yes/no answer questions to
reveal the presence of General Failure Types (GFT) in the operation or organisation
Tripod-DELTA Profiling-derivation of checklists based on the indicator questions, answering of
indicator questions, analysis of answers. Results are presented as a Failure State Profile. The analysis
identifies those areas where remedial action is required.
Information Required
Access to personnel with detailed working knowledge of the operation or organisation being analysed.
Deliverables
The Failure State Profile indicates the extent to which each of the 11 GFTs is present in the system under
study. This allows remedial actions to be prioritised.
Overlap
Tripod-DELTA is a stand alone technique.
Further Information
EP HSE Manual, Tripod-DELTA, EP 95-0320
APPENDIX V
EXAMPLE OF FURTHER DEFINITION OF CONSEQUENCE -
SEVERITY RATING FOR RISK MATRIX
Table V.1 Example of further definition of consequence - severity rating for risk matrix
Severity People Assets*, Equipment
Injury Health
Potential Definition Potential Definition Potential Definition
Impact Impact Impact
0 No injury No injury or damage to health No injury No injury or damage to health No No damage to
damage equipment
1 Slight Not detrimental to individual Slight injury Not affecting work performance Slight No disruption to
injury employability or to the or causing disability. damage the process,
performance of present work -Agents which are not hazardous minimum cost of
to health repair (below
$10,000)
2 Minor Detrimental to the performance Minor Affecting work performance, such Minor Possible brief
injury of present work, such as injury/ as restriction to activities damage disruption of the
curtailment of activities or illness (Restricted Work Case) or a process;
some calendar days to recover need to take a few calendar days isolation of
fully, maximum one week to recover fully equipment for
-Agents which have limited repair (estimated
health effects which are cost below
reversible, e.g. irritants, many $100,000)
food poisoning bacteria
3 Major Leading to permanent partial Major Resulting in permanent partial Localised Plant partly
injury disablement or unfitness for injury/ disability or affecting work damage down; process
work or detrimental to illness performance in the longer term, can (possibly) be
performance of work over such as a prolonged absence restarted.
extended period, such as long from work (estimated cost
term absence -Agents which are capable of of repair below
irreversible damage without $1,000,000)
serious disability, e.g. noise,
poorly designed manual handling
tasks
4 Single Alternatively victim with Permanent - Agents which are capable of Major Partial loss of
fatality permanent total disablement or total irreversible damage with serious damage plant; plant shut
unfitness for work. Also disability or disability or death, e.g. down (for at most
includes the possibility of fatality corrosives, known human two weeks and/or
multiple fatalities (maximum 3) (small carcinogens estimated repair
in close succession due to the exposed costs below
incident, e.g. explosion population) $10,000,000)
5 Multiple May include four fatalities in Multiple -Agents with potential to cause Extensive Total loss of the
fatalities close succession due to the fatalities multiple fatalities, e.g. chemicals damage plant; extensive
incident, or multiple fatalities with acute toxic effects (e.g. damage
(four or more) each at different hydrogen sulphide, carbon (estimated cost
points and/or with different monoxide), known human of repair exceeds
activities carcinogens $10,000,000)
* Assets are understood as referring to: the oil and gas reservoirs, production facilities, pipelines, money, capital, and other Opco and third party
property
Table V.1 Example of further definition of consequence - severity rating for risk matrix
(continued)
Severity Environment Reputation
1 Slight effect Negligible financial <10 0-100 Slight impact Public awareness of the
consequences, local incident* may exist; there is no
environmental risk within the public concern
fence and within systems
2 Minor effect Contamination, damage <100 100 - Limited Some local public concern;
sufficiently large to affect the 1,000 impact some complaints received;
environment, single slight local media and/or local
exceedance of statutory or political attention with
prescribed criteria, single potentially negative aspects for
complaint, no permanent effect Opco operations
on the environment
3 Localised Limited loss of discharges of 100 1,000- Considerable Regional public concern;
effect known toxicity, repeated -1,000 10,000 impact numerous complaints;
exceedance of statutory or extensive negative attention in
prescribed limit and beyond local media; slight national
fence/neighbourhood media and/or local/regional
political attention with possible
negative stance of local
government and/or action
groups
4 Major effect Severe environmental damage, 1000 - 10,000 - National National public concern;
the Opco is required to take 10,000 100,000 impact continuing complaints;
extensive measures to restore extensive negative attention in
the contaminated environment national media and/or
to its original state. Extended regional/national politics with
exceedance of statutory or potentially restrictive measures
prescribed limit and/or impact on grant of
licences; mobilisation of action
groups
The above table is an example for crude oil contamination. For other chemical discharge criteria, environmental experts should be consulted.
Incidents relating to air, noise, small, light and soil vibrations should be addressed on the basis of expert judgement and, in the case of
uncertainty, local expertise may be called in.
* 'Incident' as used in Severity level 1 must be seen as the source of the concern for all severity levels. It is defined in the glossary but recognise it
includes an environmental problem, an event or chain of events which has caused or could have caused spills, leaks, complaints, public concern,
issue debates, failing to follow commitments and so forth.
'Public' must be seen as encompassing a wide range including 'opinion formers', e.g. environmental scientists; groups; politicians; authorities (of
various types); media (scientific general).
APPENDIX VI
WHEN TO USE QRA
Quantified Risk Assessment (QRA) is used to:
Guidance is given below which addresses the cases when QRA is likely to be of benefit and when it is
not. Each individual case should be treated on its merits. Further advice is given in EP 95-0352.
(i) assist with final major decision-making with respect to design options
(ii) provide a basis for further design optimisation during completion of conceptual engineering and
detailed engineering and (ultimately) to reach risk levels regarded as As Low As Reasonably
Practicable (ALARP)
(iii) confirm to senior management, shareholders and the Regulator that risk criteria will be achieved.
At the end of detailed engineering, i.e. when all optimisation has been completed, the risk assessment is
issued in the form of a final report for input to the HSE Case. This is intended to demonstrate that the
risk criteria have been achieved and this risk is as low as reasonably practicable.
This is the case unless the layout is so well spaced-out that the workforce is for the majority of the
time outside the maximum effect area of the high pressure hydrocarbon production/process facilities
and the risk of escalation is considered to be negligible.
onshore plants
This is where the public is within the maximum effect radius and/or where the plant is complex and
the hydrocarbon processing equipment cannot be spaced to minimise the risk of escalation.
In other cases, physical effects modelling combined with other non-quantitative methodologies may be
sufficient to manage the hazards.
GLOSSARY
The general glossary for the EP HSE Manual is now in a separate Section EP95-0010 Glossary.
REFERENCES
1 MF 92-0130 Issue 4, Technical HSE Reviews and Fire Safety Reviews: Checklists Planning and
Execution, Shell Manufacturing Division, March 1995.
3 ISBN 0 11 430020, Understanding Stress - Part Two Line Managers' Guide, HMSO, June 1992.
4 Chemical Hazards: Health Risk Assessment and Exposure Evaluation, SHSEC, 1995.
7 EP 91-1600, Layout Considerations for Offshore Topsides Facilities, Volume II, Step by Step
Procedure and Template, SIPM, 1991.
8 EP 91-1601, Layout Considerations for Offshore Topsides Facilities, Volume III, 'Ariadne'
Demonstrator, SIPM, 1991.
13 EP 94-0101, ASPIN Version 1.1 Pipeline Failure Risk Assessment, User Manual, Worked
examples, December 1993.
14 EP 94-0102, ASPIN Version 1.1 Pipeline Failure Risk Assessment, Reference Manual, December
1993.
15 EP 94-0195, Simplified Method for Pipeline Risk Ranking, Version 2.0, January 1994.
20 HSE 94023, Medical Emergency Guidelines for Health Care Professionals and First Aiders,
January 1995
23 EP 95-7000 EP Business Model (Version 3.0) Flowcharts and Description of Process Activities,
SIEP, 1995.
27 EA/032, Escape, Refuge, Evacuation and Rescue - Offshore Installations, Shell Expro.
30 ISBN 0 11 8859889 Successful Health and Safety Management UK Health and Safety
Executive, HMSO, 1991.
32 Incident Investigation and Analysis Guide (Revision of Accident Investigation), SHSEC, August
1993.