Transcript
ABU DHABI NATIONAL OIL COMPANY
HEALTH SAFETY AND ENVIRONMENTAL MANAGEMENT MANUAL OF CODES OF PRACTICE VOLUME 5 : RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS
GUIDELINE ON RISK ASSESSMENT & QUANTITATIVE RISK ASSESSMENT (QRA) ADNOC-COPV5-03
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 1 of 42
RECORD OF REVISION Revision No.
Date
Section/Page
Reason
Copyright The copyright and all other rights of a like nature in this document are vested in Abu Dhabi National Oil Company (ADNOC) Abu Dhabi, United Arab Emirates. This document is issued as part of the Manual of HSE Codes of Practice (the “Manual”) and as guidance to ADNOC, ADNOC Group Companies and independent operators engaged in the Abu Dhabi oil & gas industries. Any of these parties may give copies of the entire Manual or selected parts thereof to their contractors implementing HSE standards in order to qualify for award of contracts or fir the execution of awarded contracts. Such copies should carry a statement that they are reproduced by permission of ADNOC, and an explanatory note on the manner in which the Manual is to be used.
Disclaimer No liability whatsoever in contract, tort or otherwise is accepted by ADNOC or any of its Group Companies, their respective shareholders, directors, officers and employees whether or not involved in the preparation of the Manual for any consequences whatsoever resulting directly or indirectly from reliance on or form the use of the Manual or for any error or omission therein even if such error or omission is caused by a failure to exercise reasonable care.
All administrative queries should be directed to the Manual of HSE Codes of Practice Administrator in:
Environment Health & Safety Division, Supreme Petroleum Council, Abu Dhabi National Oil Company, P. O. Box : 898, Abu Dhabi, United Arab Emirates. Telephone : (9712) 6023782 Fax: (9712) 6668089 Internet site: www.adnoc.com E-mail:
[email protected]
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 2
CONTENTS PAGE I. PURPOSE ............................................................................................................... 3 II. DEFINITIONS.......................................................................................................... 3 III. EXISTING LAWS .................................................................................................... 6 1. INTRODUCTION..................................................................................................... 7 2. THE RISK ASSESSMENT PROCESS................................................................... 8 3. HAZARD IDENTIFICATION ................................................................................... 9 3.1 Principles of Hazard Identification .............................................................. 9 3.2 Hazard Identification Techniques.............................................................. 10 3.2.1 HAZOP............................................................................................... 10 3.2.2 HAZID ................................................................................................ 10 3.2.3 Task Risk Assessment .................................................................... 11 3.2.4 Check-lists ........................................................................................ 11 3.2.5 Failure Modes and Effects Analysis............................................... 11 3.3 Hazard and Operability Studies (HAZOP)................................................. 12 4. CONSEQUENCE ANALYSIS............................................................................... 18 4.1 Principles of Consequence Analysis and General Guidance ................ 18 4.2 Source Terms .............................................................................................. 19 4.3 Gas Dispersion............................................................................................ 20 4.4 Fire Hazards................................................................................................. 20 4.5 Explosions ................................................................................................... 22 4.6 Toxic Effects and Control Measures......................................................... 24 4.7 Escalation .................................................................................................... 25 5. QUANTIFICATION OF EVENT PROBABILITIES AND RISK............................. 27 5.1 Event Frequency/Probability Estimation.................................................. 27 5.2 Fault Trees ................................................................................................... 27 5.3 Event Trees.................................................................................................. 29 5.4 Basic Data .................................................................................................... 30 5.5 Presentation of Risk ................................................................................... 32 5.6 Individual Risk............................................................................................. 33 5.7 Risk Contours.............................................................................................. 33 5.8 Potential Loss of Life.................................................................................. 33 5.9 Cumulative Frequency (F-N) Curves......................................................... 33 6. JUDGEMENT OF TOLERABILITY AND ACCEPTABILITY OF RISK................ 35 7. QUALIFICATIONS, TRAINING AND COMPETENCE......................................... 37 8. REVIEW REQUIREMENTS .................................................................................. 39 REFERENCES ........................................................................................................... 40
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
I.
Version 1 November, 2005 Page 3
PURPOSE The ADNOC Group Guidelines on HSE Risk Management [Ref. 1] and the ADNOC Code of Practice: Control of Major Accident Hazards (COMAH) [Ref. 3] provide high level recommendations regarding use of Quantitative Risk Assessment (QRA) and similar techniques by Group Companies. This Guideline on Risk Assessment and QRA complements the Guidelines on HSE Risk Management and provides technical support in both carrying out and interpreting risk studies. It focuses on ensuring that such techniques are applied in appropriate situations and that results are interpreted in a consistent manner across the Group.
II.
DEFINITIONS Accident See incident. Within the ADNOC Group it has been agreed that terms accident and incident are synonymous ALARP See "As Low As Reasonably Practicable". As Low As Reasonably Practicable Means to reduce a risk to a level that is as low as reasonably practicable and involves balancing reduction in risk against the time, trouble, difficulty and cost of achieving it. This level represents the point, objectively assessed, at which the time, trouble, difficulty and cost of further reduction measures becomes unreasonably disproportionate to the additional risk reduction obtained. BLEVE A boiling liquid expanding vapour explosion is typically the result of fire engulfing a pressure vessel containing volatile flammable liquid. When the vessel fails the remaining contents burn in an intense fireball. Consequence Analysis The study of the possible extent of harmful effects of potential incidents, e.g. calculation of the size of the flammable region of a vapour cloud following a spill. Deviation Where a process or procedure does not work as intended. Fault Tree Logic diagram describing all the potential causes and event chains that lead to a specific incident scenario termed the top-event. FMEA Failure Modes and Effects Analysis
[1] ADNOC Group Guideline ‘HSE Risk Management’, March 2000. [3] ADNOC Manual of Codes of Practice: ‘Control of Major Accident Hazards (COMAH)’, ADNOC-COPV5-01.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 4
Hazard Any substance, physical effect, or condition with potential to harm people, property or the environment or affect on the company reputation. HAZOP Hazard and Operability – a study in the context of hazards and effects management Heavy Gas A gas with a density greater than air due to either high molecular weight (e.g. propane) or low temperature (e.g. methane boil off from a liquefied natural gas spill) HSE Health, Safety and Environment HSE-Critical Of particular importance to preventing, controlling or mitigating the risks from Major Accident Hazards or occupational hazards with the potential for critical, severe or catastrophic consequences (as defined in ADNOC Risk Management Guideline). It can apply to equipment, management systems, procedures, records, activities and tasks (and the competencies required for these tasks). Incident An event or chain of events which has caused or could have caused fatality, injury, illness, and/or damage (loss) to assets, the environment, company reputation or third parties. Major Accident Major accident means an ‘Uncontrolled Occurrence’ in the operation of a site which leads to severe or catastrophic consequences to people, assets, the environment and/or company reputation (as defined in the ADNOC Group HSE Risk Management Guidelines). The consequences may be immediate or delayed and may occur outside as well as inside the site. There will also be a high potential for escalation. Note: Examples of ‘Major Accidents’ would include, but are not limited to: • Loss of containment of flammable and/or toxic fluids leading to fire, explosion and/or toxic injury • Events resulting in structural failure which could lead to further progressive collapse • Loss of stability of mobile offshore installation • Well blowouts • Ships colliding with offshore installations or onshore jetties used for bulk loading explosive, flammable or toxic substances. • Service vessel colliding with or otherwise affecting offshore installations
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 5
•
Other external hazards affecting offshore and onshore sites e.g. accommodation/work barges alongside fixed installations, helicopters and aircraft, road/marine product tankers The definition of ‘Major Accident’ specifically excludes ‘occupational accidents’ which have bounded, albeit possibly severe or catastrophic consequences. This means that one or more pedestrian fatalities resulting from a road accident on a site (however regrettable and tragic) would not be defined as a ‘Major Accident’. Similarly, one or more fatalities resulting from a fall from a scaffolding platform (again regrettable and tragic) would not be defined as a ‘Major Accident’. Major Accident Hazard or Major Hazard A hazard that has the potential to result in a ‘Major Accident’ QRA Quantitative Risk Assessment Quantitative Risk Assessment A structured approach to assessing the potential for incidents and expressing this potential numerically. In QRA statistical values are derived for potential loss of life and damage to resources and environment. Note:
These values should not be interpreted as unavoidable and acceptable losses. It should always be recognised that the calculated fatality (or loss) figures are based on experience, statistical failure and incident rates representing an average historical quality of management. Incident investigations usually show that these ‘historical’ incidents were, with the benefit of hindsight, quite preventable. QRA is a tool which helps to translate this hindsight into foresight (planning) in order to assist management in deciding the best approach and show ways and means (eg improved engineering, procedures, supervision, etc) to prevent the potential incidents from happening. QRA is not to be used to justify or encourage risk taking. Risk Risk is the product of the measure of the likelihood of occurrence of an undesired event and the potential adverse consequences which this event may have upon: - People – injury or harm to physical or psychological health - Assets (or Revenue) – damage to property (assets) or loss of production - Environment – water, air, soil, animals, plants and social - Reputation – employees and third parties. This includes the liabilities arising from injuries and property damage to third parties including the cross liabilities that may arise between the interdependent ADNOC Group Companies. Risk = Frequency x Consequences.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 6
Risk Analysis An imprecise term which infers the quantified calculation of probabilities and risks without taking any judgements about their relevance. Risk Assessment The process of determination of risk, usually in a quantitative or semiquantitative manner. It is an evaluation of the likelihood of undesired events and the likelihood of harm or damage being caused together with the value judgements made concerning the significance of the results. Note the difference between Risk Assessment and Task Risk Assessment in this Guidance. Scenario An idealised description of a potential incident. Source Term Consequence models that define the rate and conditions at which hazardous material reaches the environment. They often provide input to other types of consequence models. Task Risk Assessment A process of formal identification, recording and assessment of the risks involved in any particular operation so that appropriate controls can be introduced. Top Event Specific incident scenario described by a fault tree. Uncontrolled Occurrence An event that escalates, or has the potential to escalate, so that it is beyond the normal span of operations over which control can be exercised. Further detail on definitions is provided in the document ADNOC Manual of Codes of Practice “Guideline on HSE Definitions and Abbreviations”, [Ref. 24].
III. EXISTING LAWS There are currently no specific UAE laws applicable to the control of major hazards. However, laws on protection of the environment and people are relevant in that the consequences of a major hazard may result in either adverse environmental impacts or effects on people. Relevant legislation includes: •
Federal Law No 24 of 1999 for the Protection and Development of the Environment.
•
Federal Law No 8 of 1980 re Regulation of Labour Relations.
[24] ADNOC Manual of Codes of Practice: ‘Guideline on HSE Definitions & Abbreviations’’, ADNOC-COPV1-05.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
1.
Version 1 November, 2005 Page 7
INTRODUCTION This Guideline provides technical support in both carrying out and interpreting qualitative and quantitative risk studies. It focuses on ensuring that such techniques are applied in appropriate situations and that results are interpreted in a consistent manner across the Group. It also covers the use of some technical and analytical tools that may be useful Risk Assessment is the process of evaluating identified hazards by determining the likelihood of the hazard and its consequences. The assessment can be qualitative (where hazard frequency and consequences are assigned to generic categories); semi-quantitative (where the hazard frequency and consequence categories have an explicit quantitative definition); and quantitative (where a numeric "best estimate" of risk is calculated). The ADNOC Codes of Practice on ‘Health, Safety and Environmental Impact Assessment (HSEIA) Requirements’ [Ref. 2] and ‘Control of Major Accident Hazards (COMAH)’ [Ref. 3] specify requirements for identifying hazards, assessing risks and demonstrating that necessary measures have been taken to reduce risks to as low as reasonably practicable (ALARP). This Guideline will assist Group Companies to fulfil these requirements. This Guideline covers: •
The overall risk assessment process that should be used in any application of risk assessment techniques (Section 2).
•
Hazard Identification Techniques - the first stage of a risk assessment (Section 3).
•
Techniques for evaluating the consequences of hazards reaching their potential (Section 4).
•
Techniques for evaluating the likelihood of hazards reaching their potential (Section 5).
•
Guidance on judging the tolerability and acceptability of risk, including the practical use of ALARP (Section 6).
•
The qualifications, training and competence necessary for personnel engaged in risk assessment and quantitative risk assessment activities (Section 7).
•
Review and update of risk assessments and quantitative risk assessments (Section 8).
[2] ADNOC Manual of Codes of Practice: ‘Code of Practice on HSEIA Requirements’, ADNOC-COPV1-02. [3] ADNOC Manual of Codes of Practice: ‘Control of Major Accident Hazards (COMAH)’, ADNOC-COPV5-01.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
2.
Version 1 November, 2005 Page 8
THE RISK ASSESSMENT PROCESS The risk assessment process can be broken down into six broad stages: 1.
Identification of hazards and definition of representative scenarios for study (Section 2).
2.
Analysis of the potential consequences of each scenario (Section 3)
3.
Calculation of the expected frequency of each scenario (Section 4)
4.
Calculation of the probability of potential scenario outcomes (Section 4)
5.
Summation of scenarios to produce a measure of risk (Section 4)
6.
Interpretation of the calculated risk to draw relevant and practical conclusions (Section 5)
These stages can be used together, or individual stages can be used separately to help in making specific decisions. It is recommended that Group Companies clearly define the question that the risk assessment is trying to answer, prior to carrying out the work. This will facilitate adoption of the best approach, tools and presentation to answer the question and will often make interpretation of the results much easier.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA
Page 9
Document No: ADNOC-COPV5-03
3.
HAZARD IDENTIFICATION
3.1
Principles of Hazard Identification
Version 1 November, 2005
The aim of hazard identification is to identify all relevant potential causes of harm to people, damage to the environment and damage to property. Once hazards are identified they can be assessed and if necessary avoided, prevented or controlled. Hazard identification techniques used by Group Companies should be: Formalised:
The hazard identification should be carried out according to a documented procedure.
Thorough:
The hazard identification process should be complete within a boundary, which should be defined beforehand.
Repeatable:
Experienced personnel carrying out the same identification exercise should furnish similar results.
Structured:
The procedure used should ensure that adequate attention is given to all parts of the plant, procedures or other items under study and that nothing is missed.
hazard
The technique selected for a particular application should take account of the specific requirements of that application, especially the end use of the hazard identification process. The goal of the hazard identification should be clearly defined. Some common hazard identification techniques are summarised in Section 3.2. The output of the hazard identification process should be followed up to ensure that risks are assessed and control measures implemented as appropriate. Typically, a hazard identification type study will result in a series of actions such as the requirement to: •
Modify the design of plant.
•
Modify operational procedures.
•
Modify maintenance procedures.
•
Evaluate the need for maintenance activities.
•
Carry out more detailed assessments.
modifications
to
plant,
procedures
or
An appropriate action tracking system should be used to ensure that all actions are carried out and closed out in a timely fashion, including further actions and recommendations that may result from detailed studies. The action tracking system should record all data necessary to ensure that the action is properly closed out including:
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 10
•
The action and its context.
•
The person responsible for carrying out the action (the respondee).
•
The date by which the action must be completed.
•
The proposed response of the respondee to fulfil the action, which may be initiation of a design change or similar under the Group Company change management process.
•
Authorisation for the proposed response.
•
Verification that the proposed response has been carried out.
The system used should be defined in the Group Company HSE Management System and should be subject both to regular management monitoring and review, including independent audit or verification. Experience has shown that the effort required to close out all actions from a hazard identification study usually exceeds the effort required to organise and carry out the study itself. Use of an efficient action tracking system will facilitate processing, management and close-out of the actions. The output of the hazard identification may also define incident scenarios, the first step in a comprehensive risk assessment. 3.2
Hazard Identification Techniques This section gives a brief overview of some commonly used hazard identification techniques. It focuses on the strengths, weaknesses and limitations of each so that the right technique can be selected for each application.
3.2.1 HAZOP Hazard and Operability Study or HAZOP is probably the most widely used hazard identification technique in the oil and gas industry worldwide. It uses a series of guidewords to prompt study participants to identify possible hazards and their causes and consequences by using their imaginations. It is carried out by a multi-disciplinary team to ensure maximum input of experience. HAZOP will identify potential operability deficiencies as well as hazards. ADNOC recommend use of HAZOP during the design and modification of all major hazard plant and of all plant that is HSE-critical. Further guidance on the technique is given below. 3.2.2 HAZID Hazid is similar to HAZOP in that it uses guidewords to prompt study team members to identify hazards by using their imaginations. HAZOP typically focuses on detailed piping and instrument diagrams (or their equivalent) and operational and maintenance procedures, whereas HAZID typically focuses on
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 11
plant layout drawings, as it aims to identify intrinsic hazards. HAZID can be very useful at an early stage of a new design so that all potential hazards can be taken into account. HAZID is also the technique of choice for identifying hazards as the first stage of demonstration of ALARP, as required by the ADNOC Code of Practice on ‘Control of Major Accident Hazards (COMAH)’ [Ref. 3]. 3.2.3 Task Risk Assessment Task Risk Assessment is a review undertaken by personnel prior to carrying out work activities. It provides a mechanism for going through the activities in a systematic way and identifying potential hazards at each stage. The review is conducted at the job site, so that the potential for interaction with other ongoing activities and the effect of local conditions can be included. ADNOC recommends use of task risk assessment prior to carrying out all non-routine activities which are HSE-critical. Further details and guidance can be found in the Code of Practice on ‘Framework of Occupational Safety Risk Management’ [Ref. 4]. 3.2.4 Check-lists A check-list is a list of hazards that may be associated with particular plant or operations. It will specify those aspects of plant or operations that require attention from the point of view of safe design. Checklists are derived from industry codes of practice, regulations and past incidents. They are helpful in ensuring designers address hazards that are known and obvious. They are not effective in identifying hazards arising from either the application of novel technology, or from complex interactions. 3.2.5 Failure Modes and Effects Analysis Failure mode and effects analysis (FMEA) [Ref. 5] considers each item of equipment or operation in turn and evaluates the consequences of each failure mode in turn. It provides a thorough investigation of the causes and consequences of single failures and is useful where the main danger comes from equipment failure. However, it is not so effective in dealing with complex interactions where more than one failure can occur at a time, nor where the main danger comes from the properties of hazardous materials. The best use of FMEA is as a supplement to HAZOP by application to specific equipment, such as package units. It is not recommended for general use as a hazard identification method.
[3] ADNOC Manual of Codes of Practice: ‘Control of Major Accident Hazards (COMAH)’, ADNOC-COPV5-01. [4] ADNOC Manual of Codes of Practice: ‘Framework of Occupational Safety Risk Management’, ADNOC-COPV4-01. [5] Guidelines for Hazard Evaluation Procedures, American Institute of Chemical Engineers Center for Chemical Process Safety), Second Edition, 1992.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
3.3
Version 1 November, 2005 Page 12
Hazard and Operability Studies (HAZOP) Hazard and Operability Study (HAZOP) is a detailed method for systematic examination of a well-defined process or operation, either planned or existing. Detailed descriptions of the technique are available from authoritative reference works (see for example the Chemical Industries Association's, A Guide to Hazard and Operability Studies [Ref. 6], and the United Kingdom Institution of Chemical Engineers', HAZOP: Guide to Best Practice, [Ref. 7]). The most common application of HAZOP is to process equipment. However the general principles of the technique can be applied to any system, including heating and ventilation systems and electronic logic systems. The key elements of any HAZOP study include: •
Timing.
•
Planning.
•
Study team.
•
HAZOP study method.
•
Recording.
Timing The timing of a HAZOP is critical to its success and to facilitate implementation of its findings. A HAZOP should not be carried out so early that the design is still fluid, as this will lead to ambiguities in applying the technique and confusion amongst the participants. Nor should a HAZOP be carried out so late that the design cannot be modified to incorporate the findings of the study. For many projects, the optimum time to carry out the main HAZOP will be after the end of front-end engineering design, but before detailed design. At this stage, the design is well defined, but not so far advanced that any necessary changes cannot be included. Some projects may require a preliminary HAZOP on process flow diagrams at concept stage, to provide input to concept selection. HAZOP studies may also be carried out in later stages of a project, because of changes during detailed design, or to examine specific issues of construction or commissioning. For large projects, it may be necessary to utilise two HAZOP teams working in parallel for timely completion of the study. In such cases, care must be taken in dividing the work between the two teams. Some overlap is inevitable to ensure that the interfaces are fully covered, but can be minimised by careful planning. Planning The length of time required to complete a HAZOP depends on the number of sections or procedures to be reviewed and also on their complexity. Experience from similar studies provides a good guide to the length of time required. [6] A Guide to Hazard and Operability Studies, Chemical Industries Association, 1977. [7] HAZOP: Guide to Best Practice, F. Crawley, M. Preston and B. Tyler, Institution of Chemical Engineers, 2000.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 13
Planning The length of time required to complete a HAZOP depends on the number of sections or procedures to be reviewed and also on their complexity. Experience from similar studies provides a good guide to the length of time required. In order to keep the HAZOP team fresh and focused, an ideal arrangement is to limit the HAZOP to three or four half-day sessions per week. This is often impractical, however, and many studies must be progressed as a full time activity. In such cases, the study leader must monitor team performance to ensure an acceptable standard is maintained. Meetings should be held in an adequately sized, comfortable and well ventilated room. The team should not be interrupted except for emergencies. Prior to the first meeting, the HAZOP team leader should prepare a plan of the HAZOP. This should include a breakdown of the scope into sections and will need to be based on the documentation to be studied in the HAZOP. The plan will allow the scheduling of time to the HAZOP by designers or specialists who may need to attend study sessions on a part time basis. Where video projection facilities are available, it is recommended that an ongoing record of the HAZOP be displayed during the HAZOP session, so that team members can draw attention to oversights or errors in the record at an early stage. If such facilities are to be used, adequate time should be allowed to set up and test the facilities prior to the first HAZOP session. HAZOP Study Team The personnel who form the core of the HAZOP team must be selected to fulfil specific roles such as: •
Team leader.
•
Technical secretary (sometimes referred to as the scribe or recorder).
•
Design input.
•
Project input.
•
Operations input.
•
Independent engineering input.
•
HSE specialist input.
•
Technical specialist.
A single individual may fulfil two or more roles depending on experience. The minimum size for an effective HAZOP team is four people. The maximum effective size is around nine or ten. In larger teams, it will be difficult for some individuals to play an effective part.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 14
The role of the team leader is to ensure that the HAZOP method is systematically applied. Desirable attributes of a team leader are [Ref. 7]: •
Wide experience of process hazard studies, including quantitative risk assessment.
•
Prior experience as a HAZOP team member, preferably in the role of technical secretary.
•
Prior training in leading HAZOP studies.
•
Technical competence and the ability to quickly understand the system and its operation.
•
Gives attention to relevant detail.
•
Applies good analytical thinking.
•
Has motivational skills including the encouragement of creativity and open speaking.
•
Independence from the project or other organisation carrying out the study.
The role of the technical secretary is to record the HAZOP and to aid the team leader in collation of documents and other administrative tasks. The technical secretary should have a technical background so that specialist explanations are not required. The Team Leader can take on the role of Technical Secretary for short studies, but this is not recommended for studies lasting more than one day. Design input is given by one or more engineers covering relevant disciplines. Their role is to explain how the design works. It is emphasised that they are not present to defend the design, but to assist in its critical examination. Project input is similar to design input. Project input will often be fully covered by personnel providing design input. Operations input is essential for the success of a HAZOP. Persons providing this input should have extensive experience of similar plant. For new projects, these persons are likely to work on the plant when the project is completed. For modifications, these persons are likely to already be working on the plant to be modified. In this context, operations input includes all relevant operational topics such as management and maintenance, as well as running the process. HAZOP studies will benefit from provision of one or more persons who have extensive design or operational experience with the type of plant under review, but who have some independence from the organisation conducting the study. Such a person may be seconded from another facility or department of the organisation that is carrying out the study. This has the advantage that they will understand the company codes and standards that have been adopted. The study leader can also fulfil this role if he has the appropriate experience. [7] HAZOP: Guide to Best Practice, F. Crawley, M. Preston and B. Tyler, Institution of Chemical Engineers, 2000.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 15
HSE specialists should be able to provide specific information on health, safety and environmental aspects and limitations, including legal and other compliance requirements. Technical specialists, such as a chemist, may be required where the system to be reviewed contains complex technical features. HAZOP Study Method The HAZOP study method is an intense process. The team leader should allow the team short breaks at regular intervals to maximise team efficiency. At the outset of the study the HAZOP team creates a conceptual model of the plant or operation in their minds by reference to relevant documentation, such as piping and instrument diagrams, cause and effect charts and operating procedures. Then for each section of the plant, or for each step in a procedure, a "design intention" is defined. The "design intention" is what the system is intended to do, including the acceptable range of operational parameters, such as temperature and pressure. Hazards and potential operating issues are then sought by considering possible deviations to the design intention. Potential deviations to the design intention are generated by considering a series of guidewords and combining them with the parameters of operation. Table 1 lists some standard guidewords used in HAZOP studies and their meanings. TABLE 1:
STANDARD HAZOP GUIDEWORDS
Guideword
Meaning
No (not/none)
None of the design intention is achieved
More (more of)
More (quantitative increase) of a parameter
Less (less of)
Less (quantitative decrease) of a parameter
As well as
An additional activity occurs as well as the design intention
Part of
Only part of the design intention is achieved
Reverse
The reverse (logical opposite) of the design intention occurs
Other than
Complete substitution - some activity other than the design intention takes place
Additional guidewords that are useful for studying procedures or batch operations are: Before/after
A step is attempted out of sequence, before or after it should occur
Faster/slower
Timing is incorrect and something happens faster or slower than intended
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 16
The guidewords in Table 1 should be considered as a basic minimum for an acceptable HAZOP. Additional guidewords may be added if required by company procedure or where relevant for examination of a particular technology. Some of the guidewords, especially "More" and "Less”, require the addition of a parameter to generate a meaningful deviation. Table 2 is a list of example parameters. This list is not meant to be exhaustive but is intended to demonstrate the wide range of parameters that can be used. Not all parameters listed will be relevant in every situation. Also, a few parameter and guideword combinations do not result in meaningful deviations (e.g. No Temperature). Each HAZOP should utilise a list of parameters that is appropriate for the system to be studied. The study leader will guide the team using the guidewords and parameters to generate meaningful deviations from the design intention. The team must then consider whether there is anything that could cause such a deviation to the design intention. Once one or more realistic causes have been established, the team should determine what the consequences are for each cause and whether there are any protective systems (includes both equipment and procedures). Where the combination of cause likelihood, consequence severity and protective system effectiveness, does not meet the standard that risks to people, property and the environment must be as low as reasonably practicable, the team should raise an appropriate action. Actions can also be raised if the operability of the system is below what would be expected for "good industry practice". Poor operability can ultimately degrade safety. TABLE 2:
EXAMPLES OF HAZOP PARAMETERS
Flow
Phase
Pressure
Speed
Temperature
Particle Size
Mixing
Measure
Stirring
Control
Transfer
pH
Level
Sequence
Viscosity
Signal
Reaction
Start/stop
Composition
Operate
Addition
Maintain
Separation
Services
Time
Communication
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 17
Any actions must be followed up outside the HAZOP meeting. Members of the study team should not attempt to resolve actions or otherwise redesign the system in the HAZOP meeting. The HAZOP study leader should act to enforce this. Recording The technical secretary should record the HAZOP onto a computer during the session. There are a number of commercial packages available. Alternatively, use can also be made of the "Tables" functions of standard word processors. Selection of the appropriate software should be made based on ease of use and on the ability to transfer the requisite data to the action tracking system. The HAZOP team leader should review and authorise the record of the HAZOP. The HAZOP record should state the equipment or procedure being reviewed and clearly define the boundaries of each section. The HAZOP record should also include descriptions of Causes, Consequences, Protective Systems and Actions Raised. It is also normal practice to include guidewords/parameter/deviation that resulted in the cause. Recording formats that combine consequences and protective equipment under a single heading is not regarded as best practice. There are three main philosophies for recording a HAZOP: 1.
Recording by exception - a record is made only when an action results.
2.
Intermediate record - a record is made when an action results, where a hazard exists, or where significant discussion takes place.
3.
Full record
The choice of recording philosophy should be selected which best fulfils the goal of the HAZOP. Recording by exception may be most effective for a new design, but may not be sufficient if the HAZOP is intended to give input to a COMAH Report [Ref. 3], QRA or similar. A copy of the full HAZOP records, together with any associated report, together with the main documentation used in the study, should be retained and filed for future reference or audit.
[3] ADNOC Manual of Codes of Practice: ‘Control of Major Accident Hazards (COMAH)’, ADNOC-COPV5-01.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 18
4.
CONSEQUENCE ANALYSIS
4.1
Principles of Consequence Analysis and General Guidance Consequence analysis is the study of the possible extent of harmful effects of potential incidents. It is carried out by making calculations for an idealised description of one or more potential incidents (or scenarios). Such calculations can be carried out manually, using a spreadsheet, or using dedicated software. Engineering design quality management principles of checking and authorisation of work should be applied whatever method is employed. The calculations required are defined by mathematical models that describe the physical or chemical process of the potential incident. For example, the rate of outflow of hydrocarbon gas from a pipe may be calculated using a model based on the equations of fluid flow. From this, the extent of the flammable region of the cloud formed can be calculated using a model that describes the dispersion of the gas in the atmosphere. Many consequence models consist of a mathematical description of an idealised incident scenario. Such idealised incident scenarios are often taken to be descriptive of a range of possible real incidents. Where this type of assumption is used, it should be critically evaluated to determine if it materially affects conclusions. Most consequence models contain inherent assumptions. In some instances, there may be a conflict between the application of the model and the inherent assumptions. It is recommended that Group Companies only use consequence models where the inherent assumptions are known, so that this possibility can be tested. In all consequence analysis, relevant assumptions made by the user should be recorded to ensure that future use or revision of the work does not result in conflict. Many consequence models are only valid (or calibrated) for a particular range of conditions. Use of the models outside their range will result in unreliable results. Group Companies should only use models where the range of validity is known. Some consequence models may be particularly sensitive to certain inputs. For example, some types of heavy gas dispersion model are sensitive to how ambient air temperature changes with height (atmospheric stability). It is important for users to understand such sensitivities, so that inputs can be correctly defined for each application. Uncertainty analysis should be performed if there is any doubt regarding model sensitivities. The rest of this section on consequence analysis focuses on providing guidance on use, limitations and interpretation of specific models. However it should be noted that modelling is a specialised task and should only be carried out by suitably experienced and competent persons.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
4.2
Version 1 November, 2005 Page 19
Source Terms A source term is a consequence model that describes the rate at which hazardous material reaches the environment and the conditions of the hazardous material, such as temperature and composition. They are often used to provide input for other consequence models. Equations for the discharge of fluids can be obtained from reference sources (see for example J.L. Woodward, Discharge Rates Through Holes in Process Piping and Vessels [Ref. 8]). A key parameter in estimating discharge rates is the coefficient of discharge, (Cd). This is a dimensionless parameter with a generally accepted value of 0.61 for liquids, 0.95 for gases and values between these limits for two phase flows (see Pitblado and Turvey, Risk Assessment in the Process Industries, [Ref. 9]). In many practical cases the discharge flow rate will not be constant, but will reduce over time. Blowdown models can be readily adapted for this situation [Ref. 8]. A further complication with two phase releases lies in determining how much of the liquid rains-out close to the point of discharge and how much is entrained by the gas forming a cloud of gas plus fine liquid droplets (aerosol). There is no generally accepted approach to aerosol treatment at present and it is recommended that a conservative approach be adopted, such as assuming that all liquid will remain in the gas and none will rain out. Models for the spreading of liquid pools and their subsequent evaporation and boil-off are described in references such as Risk Analysis of Six Potentially Hazardous Industrial Objects - A Pilot Study [Ref. 10]. If the spill is confined, then the surface area for evaporation and boil off can be much reduced. Consideration should be given to the possibility of liquid flowing over the containment wall. For non-boiling liquids, the evaporation rate is principally determined by the surface area and by air movement over the spill. For boiling liquids, the vaporisation rate is determined by heat transfer from the substrate into the liquid. For spills on land, the vaporisation rate per unit area will reduce as the ground cools. For spills on water, convection within the water will keep the vaporisation rate per unit area relatively constant, unless the water is shallow or confined in some way.
[8] Discharge Rates Through Holes in Process Vessels and Piping, J. L. Woodward in Prevention and Control of Accidental Releases of Hazardous Gases, Van Nostrand Reinhold, 1993. [9] Risk Assessment in the Process Industries, R. Pitblado & R. Turney (Editors), IChem E, 1996. [10] Risk Analysis of Six Potentially Hazardous Industrial Objects in the Rijnmond Area: A Pilot Study, COVO Committee, Rijnmond Area, 1981, Reidel Dordrecht.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
4.3
Version 1 November, 2005 Page 20
Gas Dispersion Gas/aerosol dispersion models are used to determine outputs such as the distance from the release point to a concentration of interest and the mass of flammable material within a cloud. Upwind and cross wind dispersion can also be important. For simpler models the gas/aerosol release rate is categorised either as a continuous discharge at a constant rate, or as an instantaneous discharge of a finite quantity at a single point in time. Care should be taken that either simplification does not result in unrepresentative dispersion behaviour. The two most important parameters that affect the selection of an appropriate model are the initial velocity of the gas/aerosol and the density of the gas/aerosol. If the gas/aerosol has a high initial velocity then momentum effects will dominate the dispersion and a jet dispersion model should be used. If the initial velocity is low, and the gas/aerosol has a density similar to ambient air, then neutral buoyancy models can be used. If the initial velocity is low, but the gas/aerosol has a density greater than air, then dispersion effects based on gas density become important and a heavy gas dispersion model should be used. Some models allow transition between the three simple types of dispersion. These models can be sensitive to the point at which transition occurs. Simple jet dispersion models often take no account of impingement of the jet with the ground and so care should be taken where this is a possibility. Simple neutral buoyancy and heavy gas models assume flat terrain characterised by a single parameter, the surface roughness. Without specific modification they may not provide realistic results in situations where there are major obstacles, or the ground slopes significantly. Computational fluid dynamics (CFD) models are more complex models that numerically integrate suitably simplified equations of mass, momentum and energy conservation in three dimensions. These models can incorporate terrain effects and complex geometries and can also deal with discharge rates that vary with time. However, they are more difficult to use because of the requirement to describe the detailed local conditions within the model and so tend to be used to investigate specific situations of interest.
4.4
Fire Hazards There are two parts to the modelling of fire hazards, the modelling of the fire, including thermal heat flux and smoke generation, and the effect on people, structures and equipment. There are five distinct types of situations considered by basic fire models: •
Flash fires or cloud fires arise from the delayed ignition of a flammable gas or vapour cloud, which in the absence of significant
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 21
confinement or obstruction, results in a low velocity flame front, with minimal overpressure effects and primarily local impacts. •
Jet fires arise from the ignition of a high velocity gas, aerosol or liquid, usually from a pressurised source. They are characterised by high momentum and good combustion conditions. A jet fire variant is a diffusive fire, which is characterised by a lower exit velocity and is dominated by thermal buoyancy effects rather than momentum.
•
Pool fires arise where flammable or combustible liquids burn on a flat horizontal surface, which can be solid or liquid. Pool fires often have poor combustion and can generate large quantities of smoke.
•
Fireballs or BLEVEs arise from the surface-burning of a cloud of unmixed flammable gas, typically following rapid release of volatile material from pressurised equipment. Some overpressure may arise from BLEVEs due to the rapid expansion on loss of containment.
•
Ventilation-controlled fires arise when the intensity of the fire is determined by the rate of ventilation and hence access to oxygen, rather than the availability of fuel. Many fires within buildings and enclosed compartments are ventilation controlled.
For BLEVEs, the mass of flammable material released when the equipment fails is important in determining the size of the fireball. The equipment inventory will often reduce from its initial maximum at the start of the incident, due to the lifting of relief valves and the action of the blowdown system. In some cases, where the initiating fire is of short duration (due to limited available inventory) modelling of the temperature and pressure rise can demonstrate that the fire can be extinguished prior to equipment failure. Some models, such as most pool fire models, deal with a steady state flame, others, such as BLEVE models, deal with a highly transient flame. Damage resulting from heat radiation covers damage to structures and injury to humans. For all types of damage two parameters have been found to be significant – the level of thermal radiation and its duration. Further details and descriptions of fire models can be found in key references such as: TNO's Methods For The Calculation Of Physical Effects Resulting From The Release Of Hazardous Materials [Ref. 11], The Centre For Chemical Process Safety's Guidelines For Evaluating The Consequences Of Vapour Cloud Explosions, Flash Fires And BLEVEs, [Ref. 12] and SINTEF's Handbook For Fire Calculations And Fire Risk Assessment In The Process Industry, [Ref. 13].
[11] Methods for the Calculation of Physical Effects Resulting from Releases of Hazardous Materials, Second Edition, TNO 1988. [12] Guidelines for Evaluating the Consequences of Vapour Cloud Explosions, Flash Fires and BLEVEs, AIChE Centre for Chemical Process Safety, 1994. [13] Handbook for Fire Calculations and Fire Risk Assessment in the Process Industry, SINTEF with Scandpower, 1992.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 22
Fire damage to structures can range from paint flaking off to the ignition and burning of the object. In the case of a non-combustible material, the temperature can increase to the point at which the material loses strength and stiffness. If such a material is used in load-bearing constructions, it is possible that the construction will collapse at a given heat load. Injury caused to humans by fires is mostly characterised as first, second and third degree burns and lethality. The severity of the injury can be calculated from the given heat radiation, starting from a known exposure duration and radiation intensity. One approach frequently used is to find the LD50 (lethal dose) radiation level appropriate to the time for which the individual will be exposed. Much consequence analysis is based on simple thermal flux criteria which are determined from an assumed exposure time. These times have been derived from animal experiments or from piloted or unpiloted ignition of combustible materials. Empirical relations are also available in which a type of injury is expressed in probit (probability unit) functions. When probits are used, it is important to limit the exposure duration, otherwise low thermal fluxes (for example, below solar radiation levels) can be predicted to lead to thermal injury. Clothing can have a protective influence for humans, until the moment it ignites. Some studies have shown that, assuming about 20% of the body area remains unprotected for an average population, the lethality is 14% of the lethality for unprotected bodies. People who are mobile will seek to escape from high levels of thermal radiation and this possibility should also be taken into account, taking due cognisance of reaction time, the availability of escape routes and the presence of other factors such as smoke. The above fire models focus on the threat to people and structures from thermal radiation. However fires can also harm people as a result of inhalation of toxic combustion products, such as carbon monoxide and disorientation by smoke impairment of vision. As these effects are often injurious or even fatal to humans trapped by fire, they must also be taken into account. 4.5
Explosions There are three parts to the modelling of explosion hazards: 1.
Determination of the size, shape and composition of the gas or aerosol cloud.
2.
Modelling of the explosion to determine likely overpressure values and other relevant factors such as the period for which overpressure exists (the positive phase duration).
3.
Prediction of structural damage as a result of the blast wave.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 23
Some models seek to combine one or more of these steps in an effort to simplify understanding and to eliminate sources of uncertainty. Also, the blast wave will interact with structures in its path so steps 2 and 3 are not independent. Determination of cloud, size, shape and composition is part of the dispersion modelling process. The blast effect (overpressure) produced by a burning vapour cloud is determined by the speed of flame propagation. In the absence of turbulence, the flame speed is low and the cloud burns as a flash fire. Turbulence within the cloud will accelerate the flame and can result in damaging overpressures. Turbulence in a vapour cloud explosion can arise either from the release of pressurised flammable material or by the presence of multiple obstacles, such as pipework. Both these mechanisms can result in very high overpressures. Explosion experiments clearly show that very high overpressures can be generated in congested areas [Ref. 14]. However these experiments also show that overpressures are highest when the gas cloud is close to stoichiometric in composition. Combustion of gas clouds away from stoichiometric composition can result in significantly lower overpressures. Furthermore, the point of ignition was also shown to have an effect on explosion overpressure. It is therefore recommended that, where detailed explosion results are required for a specific purpose, such as for setting the design criteria of a blast wall on an offshore platform, that a probabilistic approach be used. Such an approach would determine a cumulative frequency curve for blast overpressure. A realistic design level can then be set in a similar manner as for design against seismic risks. The main source of direct harm to people from blast effects is eardrum rupture, although fatality from lung haemorrhage is possible at very high overpressures. In practice, most fatal effects from explosions are a result of being inside, on, or adjacent to, collapsing structures, or as a result of missiles generated in the explosion, including bricks from shattered walls and flying glass from windows. Simple models relate overpressure to qualitative levels of damage such as "Window Breakage", "Collapse Of Non-explosion Proof Buildings, "Failure Of Atmospheric Tanks" and "Failure Of Pipework". These qualitative levels can then be applied to assess the likelihood of harm to people or the likelihood of further loss of containment and escalation. Damage effects of explosions can range from 50% window breakage at 0.025 bar overpressure, doors and windows shattered at 0.07 bar overpressure, houses severely damaged at 0.25 to 0.4 bar overpressure and ground cleared at 2.0 bar overpressure. More detailed models seek to simulate the way in which structures respond to the dynamic load from the explosion. [14] Blast and Fire Engineering for Topsides Structures - Phase 2, Steel Construction Institute, 2002.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 24
Some aspects of explosion modelling are highly complex and should be undertaken only by specialists in the relevant subject. Specifically these subjects are:
4.6
•
Three-dimensional numerical modelling of blast wave interaction with structures and surrounding objects.
•
Modelling of the dynamic response of structures.
Toxic Effects and Control Measures The effects of toxic materials range from mild irritation through to fatality. However the dose needed to give any particular effect is subject to considerable uncertainty. The principal reasons for the uncertainty are: •
Individual people can show varying levels of response to the same dose of toxic material due to differing fitness levels, susceptibility to panic, genetic and other factors.
•
The limitations in the applicability of experimental results obtained from animals and micro-organisms to humans and the scarcity of valid epidemiological data.
•
Uncertainty regarding the existence of no-effect levels, especially for carcinogens and mutagens.
•
Categorisation of both acute and chronic toxic effects
A probabilistic approach is often adopted where a particular effect is defined by the number of people who suffer that effect. For example the 50% fatality level is the dose at which 50% of people die. Toxic dose for any particular effect or probability of effect is most usually defined as: Cnt in which: C - is the toxic gas concentration (usually given in ppm or mg m-3) n - is the toxic index t - is the time of exposure (usually given in minutes) Dispersion models can be used to predict concentrations of toxic gas or aerosol at particular points in space. However, the concentration to which people are exposed can vary with time or may otherwise require modification because: •
The toxic cloud dispersion results in time varying concentrations at points where people are located.
•
People don escape sets.
•
People seek to escape from the gas or aerosol cloud by moving cross wind.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 25
•
People seek to escape from the gas or aerosol cloud by seeking shelter indoors.
•
Water sprays or other vapour cloud control equipment reduce the effective concentration to which people are exposed.
In such cases, provided the way the toxic concentration, C(t), varies with time is known, the total dose can be calculated by integrating C(t)n with respect to time. 4.7
Escalation Escalation occurs when one event, such as fire or explosion, leads to failure of adjacent facilities, loss of containment of hazardous material and consequent additional potential for hazardous effects. The principal mechanisms of escalation are: •
Explosion overpressure causes failure of equipment or structures.
•
Thermal radiation from a fire heats equipment containing hazardous material, causing eventual failure of the equipment through a combination of increasing the pressure of the contents and decreasing the inherent strength of the materials of construction.
•
Thermal radiation from a fire weakens the structure supporting equipment sufficiently to cause collapse.
•
Missiles generated during an explosion or BLEVE penetrate equipment.
Explosion overpressures are discussed in Section 4.5. The potential for escalation is normally judged by reference to defined overpressure levels. Similarly, the potential for escalation in fires can be judged from incident thermal radiation levels. Active fire control, passive fire protection and blowdown systems may reduce the potential for escalation in a fire and should be taken into account where relevant. Missile damage leading to escalation is not normally treated as a specific event, but is implicitly included in the level of damage from overpressures as the two are closely related. However, there are cases where explicit treatment of missiles may be required, such as: •
Fire impingement of gas cylinder storage areas that results in failure of cylinders, which then become missiles.
•
Fire impingement on large pressure vessels containing volatile flammable material leading to a BLEVE and turning the remains of the pressure vessel into a missile.
In both cases, the missile has potential to travel further than the major thermal effects of the fire/BLEVE that caused it.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 26
The effects of escalation can be modelled in much the same manner as the initiating event. However, such modelling must take into account the specifics of the initiating event. In particular: •
During the time between the start of the initial event and escalation, people may have had time to escape and various safety systems may have had time to act. Note that in the case of explosion, the time delay to escalation can be very small.
•
Fire or explosion damage from the first event may hamper escape or response to the escalation.
•
Fire or explosion damage from the first event may have eliminated important protective systems, such as by destroying fire walls, blowing off passive fire protection, rupturing fire mains, or damaging valve actuators and preventing them closing.
Event trees (Section 5.3) can be used to model the potential for escalations. The branches of the event tree should include the action and status of the various protective systems including shutdown, blowdown and fire control, as well as the potential escalations.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 27
5.
QUANTIFICATION OF EVENT PROBABILITIES AND RISK
5.1
Event Frequency/Probability Estimation Careful definition of the event or chain of events that lead ultimately to a particular hazard scenario is an important precursor to evaluating the frequency of the scenario. The level of detail required should reflect: •
The overall goals of the risk assessment.
•
The relative contribution of the individual scenario to the overall risk.
•
The relative contribution of individual event chains to the scenario.
Effort should not be wasted in detailed evaluation of events or scenarios that have no material affect on the conclusions of the risk assessment. It will often be appropriate to apply a cut off at a particular (low) frequency or probability and exclude scenarios or events that occur at a lower frequency or probability. However, justification for such a cut off should always be made that this simplification has no effect on the conclusions. The technique of Fault Tree Analysis should be used to determine the frequency of a scenario whenever detailed analysis is required or whenever the potential causes are complex. Guidance on Fault Tree Analysis is given below. In simple cases, explicit fault tree analysis is not necessary and the scenario frequency can be determined by calculation using the laws of probability. Note that use of such a simplification still implies a simple fault tree, often with only one or two branches, even though no specific fault tree diagram has been produced or detailed analysis of causes made. The technique of Event Tree Analysis should be used to determine the potential outcomes of a scenario and their frequency. Explicit use of Event Trees should be used in complex situations, particularly those where mitigation and control measures, such as shutdown valves, passive fire protection and explosion suppression systems, can play a significant part. In simple situations, there is no need to explicitly produce event trees and simple calculation will suffice. Events within fault trees and event trees can be quantified as either probabilities or frequencies. It is important that the two are properly distinguished in both logic diagrams and calculations. Checking the dimensions of calculations and results can often detect errors in both construction and quantification of fault trees and event trees. 5.2
Fault Trees The basic process of fault tree construction is to take the scenario definition (top event) and to trace it back to the possible causes, which can be component failures, human errors, environmental conditions or other pertinent
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA
Version 1 November, 2005 Page 28
Document No: ADNOC-COPV5-03
events. The procedure should be followed methodically, by first identifying the immediate precursors and then identifying the precursors to those events. An example fault tree is given in Figure 1. Overpressure Of Equipment And Release Of Fluid
OR
Failure To Detect Excessive Pressure
Valves Fail To Close
OR
OR
Common Cause
Independent
ESD System
Failure Of Valves
Failure Of Valves
Fault
Pressure Switch Failed
AND
Valve 1 Fails
Valve 2 Fails
To Close
To Close
Figure 1: Fault Tree Analysis Fault trees are relatively easily quantified (see below). However, if the same event occurs two or more times in the fault tree, simple evaluation may cause error. It is usually best to redraw the fault tree so that each event only occurs once. If this is not possible, then a commercially available computer programme that can handle this type of situation should be used to evaluate the fault tree. Fault trees mostly use two types of logic gates, AND and OR. Each gate has a number of inputs, but only one output. For AND gates, all inputs must be true for the output to be true. The inputs to AND gates are either all probabilities or all probabilities except for one frequency. An AND gate which has frequencies for two or more of its inputs is
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 29
not possible. The frequency/probability of the output is calculated by multiplying the inputs. For OR gates, one or more of the inputs must be true for the output to be true. The inputs to OR gates are either all probabilities or all frequencies. Input units cannot be mixed and the output will be of the same type. The output value is calculated by addition of the inputs. However, this addition should be made using Boolean arithmetic. For example two input probabilities of 0.9 give an output probability of 0.99, not 1.8. A probability of greater than 1 is meaningless. Even if a fault tree is not quantified, it can still be useful as a graphical display, not only of the potential causes of the top event, but also of the way in which the individual causes can combine to lead to the top-event. Care should be taken that individual branches of the fault tree are independent. Where the likelihood of an event in one branch depends on the likelihood of another event, then the two are said to be dependent. Where practicable the fault tree should be redrawn to make the dependency explicit to avoid errors in the evaluation of the tree. Many safety systems include redundancy, where two or more systems (equipment or procedures) are provided that can provide similar protection. If one system fails, the other may still work. However, in such cases, the possibility always exists that whatever caused the first system to fail might result in failure of the second system also. This is referred to as common cause failure. Two systems of different types will often have a lower likelihood of common cause failure than two identical systems. Common cause failure can be included in fault trees explicitly as in the example in Figure 1. The probability/frequency of common cause failure can be evaluated by considering the relative likelihood of modes of failure that might lead to a common failure compared to other failure modes. For example, a safety system of two actuated valves in series that must close to protect against a hazard, common cause failure modes might include: •
Failure of a control signal to reach the valves.
•
Solids in the line blocking the valve and preventing closure.
Either of these single causes can prevent both valves from closing. Other failure modes will only lead to failure of a single valve to close. The ratio of common cause failure modes to other failure modes can thus be calculated. 5.3
Event Trees The basic process of event tree analysis is to take the initial state of the scenario and work through to the possible outcomes. Possible outcomes may be affected by such factors as prevailing environmental conditions, safety systems, actions by personnel and presence of ignition sources.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 30
At each branch point in the event tree, a choice is made between two or more possible outcomes. Usually the choice between two outcomes is sufficient, but occasionally three or more outcomes of a single gate can be used. Figure 2 is an example event tree. Initial event
Ignition at A Wind To B
Ignition at B Explosion on ignition Yes
Outcomes
Explosion at A
Yes No
Yes Flammable gas Release at A
Fire at A
Explosion at B
Yes No
Yes No No
No
Fire At B
Vapour cloud disperses
Vapour cloud disperses
Figure 2: Example Event Tree Analysis Event trees are relatively straightforward to evaluate by simple calculation of the outcome frequencies at each branch point. The probabilities at each branch point must sum to one and the sum of the final outcome frequencies (not the frequencies at each branch point) must equal frequency for the scenario. When the likelihood of an event in the event tree is dependent on some factor that also affects the frequency of the scenario itself, then the scenario should be split into two or more sub-scenarios and separate event trees used that avoid such dependence. Unquantified event trees can be useful to provide a graphical explanation of the way an incident can develop. 5.4
Basic Data Probability and frequency data for the evaluation of fault trees and event trees should be derived or determined on a "Best Estimate" basis. A "Best Estimate" is the most likely value given the available information. An optimistic approach (i.e. use of data that errs on the side of danger) should never be
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 31
used. A conservative approach (i.e. use of data that errs on the side of safety) can be used, but too much use of overly conservative data may result in a build up of uncertainty in the calculations and unrealistic results. Data for the quantification of fault trees and event trees can come from many sources such as: •
Accident records.
•
Near miss records.
•
Maintenance records.
•
Reliability and other performance related data bases.
•
Human error trials
Data sources in the public domain that will be of most use to Group Companies are: •
OGP Database - is a database compiled by the Oil and Gas Producers Association (formerly E&P Forum) (OGP, Risk Assessment Data Directory [Ref. 15]). This includes some data on ignition probability, which is otherwise hard to find.
•
Offshore Reliability Database (OREDA) is a database compiled by oil companies in the offshore sector (mostly North Sea) (Det Norske Veritas, Offshore Reliability Data [Ref. 16]).
•
AEA Technology database - a collection of reliability data drawn from conventional plant (AEA Technology, SRD Association Reliability Data Bank [Ref. 17]).
•
FACTS is an incident data base compiled by the Dutch research organisation TNO (TNO, FACTS database [Ref. 18]).
•
Worldwide Offshore Accident Database (WOAD) is a database with an offshore focus compiled by Det Norske Veritas (Det Norsk Veritas, WOAD - Worldwide Offshore Accident Database [Ref. 19]).
•
MHIDAS is an incident database compiled on behalf of the UK Health and Safety Executive (AEA Technology, MHIDAS Accident Database, [Ref. 20]).
In many cases, available data will not be precisely that required and some engineering judgement may be necessary to adjust or apply the data for the relevant application. Care should be taken that such judgements are not too optimistic. Where such judgements are made, they should be clearly recorded. [15] Risk Assessment Data Directory, Oil and Gas Producers Association Report No 11.8/250, 1996. [16] Offshore Reliability Database (OREDA), Det Norske Veritas, 1992. [17] SRD Association Reliability Databank, AEA Technology. [18] FACTS database, TNO Department of Industrial Safety, Appeldorn, The Netherlands. [19] WOAD - Worldwide Offshore Accident Database, Det Norsk Veritas, Oslo, Norway. [20] MHIDAS Accident Database, MHIDAS Administrator, AEA Technology, Warrington, United Kingdom.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 32
Some incident data is sensitive to particular interpretations or categorisations of the incident from which it is drawn. Care should be taken that such uncertainties are allowed for, such that they do not affect the conclusions of the assessment. Data of this type is statistical in nature and there is always a level of uncertainty, which can be high when dealing with events of which there are very few examples. Care should always be taken regarding uncertainty in the base data, in particular to avoid conclusions that are not actually statistically significant. For example, an offshore helicopter safety study might show lower risks to personnel by using one type of helicopter rather than another. In such a case, a check should be made that the difference in risk between the two helicopter types is real and not just a result of uncertainty in the base data. 5.5
Presentation of Risk Whenever risk is presented, whether in quantitative or semi-quantitative terms it should be qualified both by the type of risk (examples are: risk of fatality, risk of a particular spill size) and by an associated unit time (an example is: risk of fatality per year). The presentation of risk should be selected to fulfil the goal of the assessment. The most common forms of risk presentation include: •
Individual risk - a single number representing the risk of a particular level of harm to a person or location.
•
Risk contours - individual risk plotted over an area so as to show the relative risk between locations.
•
Potential loss of life - a summation of individual risks over an exposed population. Similar parameters can be derived for outcome types other than fatality.
•
Cumulative Frequency Curves or F-N Curves - a graph of the frequency of events with a particular consequence or greater versus the consequence magnitude.
Individual risk is a measure of risk to specific or average individuals in a population, but does not give information on the size of the incidents causing the risk. Potential loss of life and cumulative frequency curves are examples of measures of group risk, which apply to a population as a whole, but they give no information on who is exposed to the risk. The term risk aversion is often used to express the postulate that larger incidents are of greater concern than a number of smaller incidents, even if the product of the number of incidents and the consequences is the same in both cases. Risk aversion can be built into group risk calculations and interpretations by simple weighting of higher consequence events according to predetermined and recorded criteria. If a risk presentation includes risk aversion, it should be clearly stated. However, care should be taken when using risk aversion since the results are not easy to interpret.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
5.6
Version 1 November, 2005 Page 33
Individual Risk Individual risk is the frequency with which an individual (or location) suffers a defined degree of harm. The specific individual and degree of harm should always be specified. Also presentation of individual risks should clearly state specifics of the exposure to relevant hazards. For example, does the individual risk apply only whilst on a particular site or does it include for time spent at home, or at another site? Average individual risk is where individual risk is averaged over a population. It is important that the population over which the averaging takes place is appropriate. Increasing the size of the population group can significantly decrease the average individual risk if large numbers of people have low exposures to the hazards of interest.
5.7
Risk Contours A plot of individual risk on a map provides a graphic picture of the geographical distribution of risk. Such contours can be useful to show to what extent a plant affects neighbouring communities and installations. They can also be useful to show to what extent incidents on one unit can lead to incidents on another (escalation). Further details on the calculation and interpretation of risk contours can be found in specialist papers e.g. Ramsay, Sylvester-Evans and English: Siting and Layout of Major Hazard Installations, [Ref. 21].
5.8
Potential Loss of Life The potential loss of life represents the number of fatalities that might be expected per unit time. This parameter can be combined with the plant life time to give the number of fatalities expected over the entire life of the plant. Differences in the likely number of fatalities over the plant life time can be an effective method of quantifying the benefit of safety measures. However such calculations can only be made where the effectiveness of the safety measure is amenable to quantification.
5.9
Cumulative Frequency (F-N) Curves Figure 3 is an example of a cumulative frequency curve. The approximate slope of the curve shows the relative important of small more common events to large less common events and can be used to judge risk aversion. The two-dimensional nature of cumulative frequency curves makes them hard to interpret. The best use of these curves is in communicating the nature and extent of the overall risk.
[21] Siting and Layout of Major Hazard Installations, C. G. Ramsay, R. Sylvester-Evans, M. A. English, IChem E Symposium Series No 71, I Chem E, 1983.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA
Version 1 November, 2005 Page 34
Document No: ADNOC-COPV5-03
Frequenc y of N or more Fatalities (per year)
1E+0 1E-1 1E-2 1E-3 1E-4 1E-5 1E-6 1E-7 1E-8 1
10
100
Number Of Fatalities (N)
Figure 3: Example Cumulative Frequency Curve
1,000
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
6.
Version 1 November, 2005 Page 35
JUDGEMENT OF TOLERABILITY AND ACCEPTABILITY OF RISK In general, the relative significance of quantitative risk can be assessed by comparison with every day risks to which people are exposed. The quantitative risk can then be expressed as a fraction of the existing risk and a judgement made to its acceptability. In such circumstances, it is important to distinguish between voluntary risk, where a person engages in hazardous activity by choice (e.g. sports) and involuntary risk, where a person is exposed to some hazardous activity outside his control (e.g. a hazardous plant being built near his home). Voluntary and involuntary risks should not be directly compared. It is recognised that an individual accepts risk for a variety of reasons not just the expected chance of occurrence and the benefits of the risk source, but also on the type of hazard and other factors [Ref. 9]. It is therefore important to distinguish between risk to employees who receive a direct benefit from the hazardous activity and members of the public, who may not. Typically, the uncertainty associated with risk estimates is relatively high compared to other engineering disciplines. The lower limit for uncertainty given by most authorities is around a factor of 2 to 3 (Health And Safety Executive, Canvey an Investigation, [Ref. 22]), but can rise to a factor of 10 or more [Ref. 10]. The high uncertainty means that comparison with an absolute risk criterion is only possible in order of magnitude terms. The usual approach is to consider three regions: •
An acceptable region where the risk is clearly so low that it can be considered tolerable.
•
An unacceptable region where the risk is clearly so high as to be considered intolerable.
•
Between the acceptable and unacceptable region lies the ALARP region, where effort should be expended to reduce risks till they are as low as reasonably practicable.
This is the approach adopted by ADNOC and specific criteria for both individual risk and cumulative frequency curves are given in the ADNOC HSE Risk Management Guidelines [Ref. 1]. The criteria given cover the full range of assessment detail: quantitative (where a numeric "best estimate" of risk is calculated), semi-quantitative (where risk frequency and consequences are assigned to categories that have an explicit quantitative definition) and qualitative (where risk frequency and consequences are assigned to categories that are defined on a qualitative basis).
[1] ADNOC Group Guideline ‘HSE Risk Management’, March 2000. [9] Risk Assessment in the Process Industries, R. Pitblado & R. Turney (Editors), IChem E, 1996. [10] Risk Analysis of Six Potentially Hazardous Industrial Objects in the Rijnmond Area: A Pilot Study, COVO Committee, Rijnmond Area, 1981, Reidel Dordrecht. [22] Canvey: An Investigation, Health and Safety Executive, HSE Books, 1978.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 36
These criteria can be used as a basis for judging the need for introducing specific risk reduction measures and as an aid in explicitly demonstrating ALARP, as may be required in a COMAH Report [Ref. 3]. Comparison of risk estimates with absolute criteria will give a general idea of the status of hazardous plant with regard to acceptability or unacceptability, but use of the absolute number is limited by uncertainty. For example, there is little practical difference between a calculated individual risk of fatality to a member of the public of 0.99 per million years and one of 1.01 per million years, even though the first is in the "Acceptable" range and the second is in the "ALARP" range. The difference is far less than the uncertainty in the results. It is emphasised that the duty of ADNOC Group Companies is to reduce risks to as low as reasonably practicable, not to demonstrate "Acceptable" risks by calculation. A risk in the "Unacceptable" region means that action should be taken immediately to improve the situation. Use of risk assessment on a comparative basis can eliminate some of the uncertainty in the results. Such uses include: •
Ranking of risk sources to identify where there is greatest scope for risk reduction.
•
Comparison of design concepts.
•
Evaluation of potential risk reduction measures.
•
Comparison with other hazardous installations that have been assessed using the same data and on the same basis.
Ranking of risk sources is of particular relevance to reducing risks and demonstrating ALARP. A well-constructed quantitative risk assessment will provide a ranking of risk sources that is robust with respect to uncertainty. Risk reduction measures can then be targeted at the most important risk sources. Risk reduction measures can be evaluated using cost-benefit analysis as described in the ADNOC HSE Risk Management Guidelines [Ref. 1]. Costbenefit analysis can be used in a comparative manner to determine where the greatest risk reduction can be attained per unit expenditure. Cost-benefit analysis can also include comparison with an absolute criterion usually expressed in terms of the 'Value Of A Life'. Different figures have been used by different industries, so it is perhaps better viewed as an abstract criterion embodying the practicability limits of each industry. ADNOC does not at present specify a "Value Of A Life", but recommends that Group Companies develop their own criteria that match industry standards pertaining to their particular business [Ref. 1]. A significant consideration in this is the ADNOC HSEMS [Ref. 23] expectation that Group Companies should continually improve their performance towards meeting or exceeding their particular industry benchmarks, standards and expectations. [1] ADNOC Group Guidelines on HSE Risk Management, March 2000. [3] ADNOC Manual of Codes of Practice: ‘Control of Major Accident Hazards (COMAH)’, ADNOC-COPV5-01. [23] ADNOC Group Guideline ‘HSEMS Management Systems’, January 2002.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
7.
Version 1 November, 2005 Page 37
QUALIFICATIONS, TRAINING AND COMPETENCE Risk assessment and quantitative risk assessment are highly technical disciplines. Indeed parts of some assessments, such as detailed explosion modelling, can be beyond the abilities of general risk analysts and specialist expertise must be sought. This section lists some issues that should be considered when determining qualification, training and competence requirements for both in-house personnel and when selecting outside consultants or contractors. Persons leading hazard identification studies such as HAZOP should have: •
Prior experience in similar studies such as a Technical Secretary.
•
Have a good understanding of the technique to be used.
•
Attended a suitable training course for study leaders.
•
Have a good general understanding of hazards.
•
Have a good general understanding of past incidents.
Additional desirable attributes for HAZOP study leaders are given in Section 3.3. Persons using consequence models should be: •
Familiar with the model and understand its basic assumptions.
•
Know when the model is being used outside its range of validity.
•
Understand when it is no longer valid to represent a range of possible incidents by a single idealised scenario.
•
Understand the sensitivities of the model and how these relate to reality.
Persons determining the frequency or probability of events, including the production of fault trees and event trees should. •
Understand the level of detail required to fulfil the goal of the study.
•
Understand the laws of probability including Boolean algebra.
•
Be able to interact with engineers and operators to obtain a good understanding of how the systems they are considering work and how they can fail.
•
Have a good general understanding of past incidents.
•
Have knowledge of the available base data and its limitations.
•
Be able to distinguish results that are not statistically significant.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 38
Persons calculating or interpreting risks should: •
Understand the various forms of risk presentation and the associated ADNOC criteria and their meaning.
•
Be familiar with background risk levels.
•
Understand the ALARP principle.
•
Understand the limitations caused by uncertainty.
•
Know how to draw out important practical conclusions that result in reduced risk.
•
Understand the application of cost-benefit analysis;
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
8.
Version 1 November, 2005 Page 39
REVIEW REQUIREMENTS Risk assessments and QRA studies should be subject to review. Review requirements for risk assessments and quantitative risk assessments include: •
Review of the initial report prior to issue to ensure technical accuracy.
•
Review of the initial report prior to issue to ensure that operational, engineering and management features have been correctly interpreted by the risk analysts.
•
Review of recommendations and other findings of the study to determine action to be taken.
•
Implementation of the actions and monitoring of status by an action tracking system.
•
Where appropriate, confirmation that the action taken meets the intent of the recommendation that led to it.
•
Future review following a significant change to the design, operation or management of the system studied.
The assessment report should be written to facilitate such reviews especially it should: •
Describe the methods used in detail, either in the report or by reference.
•
List all assumptions clearly.
•
Document models used and calculations made.
•
Provide details of calculations and intermediate results in a back up document, appendices or software that can be used in a future update
The review requirements for risk assessments and quantitative risk assessments should be built into project schedules and, where appropriate, included in the Group Company HSE Management Systems, especially the parts dealing with action tracking and management of change.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 40
REFERENCES 1.
ADNOC Group Guideline ‘HSE Risk Management’, March 2000.
2.
ADNOC Manual of Codes of Practice: ‘Code of Practice on HSEIA Requirements’, ADNOC-COPV1-02.
3.
ADNOC Manual of Codes of Practice: ‘Control of Major Accident Hazards (COMAH)’, ADNOC-COPV5-01.
4.
ADNOC Manual of Codes of Practice: ‘Framework of Occupational Safety Risk Management’, ADNOC-COPV4-01.
5.
Guidelines for Hazard Evaluation Procedures, American Institute of Chemical Engineers (Center for Chemical Process Safety), Second Edition, 1992.
6.
A Guide to Hazard and Operability Studies, Chemical Industries Association, 1977.
7.
HAZOP: Guide to Best Practice, F. Crawley, M. Preston and B. Tyler, Institution of Chemical Engineers, 2000.
8.
Discharge Rates Through Holes in Process Vessels and Piping, J. L. Woodward in Prevention and Control of Accidental Releases of Hazardous Gases, Van Nostrand Reinhold, 1993.
9.
Risk Assessment in the Process Industries, R. Pitblado & R. Turney (Editors), IChem E, 1996.
10.
Risk Analysis of Six Potentially Hazardous Industrial Objects in the Rijnmond Area: A Pilot Study, COVO Committee, Rijnmond Area, 1981, Reidel Dordrecht.
11.
Methods for the Calculation of Physical Effects Resulting from Releases of Hazardous Materials, Second Edition, TNO 1988.
12.
Guidelines for Evaluating the Consequences of Vapour Cloud Explosions, Flash Fires and BLEVEs, AIChE Centre for Chemical Process Safety, 1994.
13.
Handbook for Fire Calculations and Fire Risk Assessment in the Process Industry, SINTEF with Scandpower, 1992.
14.
Blast and Fire Engineering for Topsides Structures - Phase 2, Steel Construction Institute, 2002.
15.
Risk Assessment Data Directory, Oil and Gas Producers Association Report No 11.8/250, 1996.
16.
Offshore Reliability Database (OREDA), Det Norske Veritas, 1992.
17.
SRD Association Reliability Databank, AEA Technology.
18.
FACTS database, TNO Department of Industrial Safety, Appeldorn, The Netherlands.
HSE MANAGEMENT CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP G/L ON RISK ASSESSMENT & QRA Document No: ADNOC-COPV5-03
Version 1 November, 2005 Page 41
19.
WOAD - Worldwide Offshore Accident Database, Det Norsk Veritas, Oslo, Norway.
20.
MHIDAS Accident Database, MHIDAS Administrator, AEA Technology, Warrington, United Kingdom.
21.
Siting and Layout of Major Hazard Installations, C. G. Ramsay, R. SylvesterEvans, M. A. English, IChem E Symposium Series No 71, I Chem E, 1983.
22.
Canvey: An Investigation, Health and Safety Executive, HSE Books, 1978.
23.
ADNOC Group Guideline ‘HSEMS Management Systems’, January 2002.
24.
ADNOC Manual of Codes of Practice: ‘Guideline on HSE Definitions & Abbreviations’, ADNOC-COPV1-05.