
QUANTITATIVE RISK ASSESSMENT (QRA)

PTS 60.2210
Rev 1

JUNE 2006

PREFACE

PETRONAS Technical Standards (PTS) publications reflect the views, at the time of publication, of
PETRONAS Group of Companies and Joint Ventures.

They are based on the experience acquired during the involvement with the design, construction, operation and
maintenance of processing units and facilities. Where appropriate they are based on, or reference is made to,
national and international standards and codes of practice.

The objective is to set the recommended standard for good technical practice to be applied by PETRONAS'
Group of Companies and Joint Ventures in oil and gas production facilities, refineries, gas processing plants,
chemical plants, marketing facilities or any other such facility, and thereby to achieve maximum technical and
economic benefit from standardisation.

The information set forth in these publications is provided to users for their consideration and decision to
implement. This is of particular importance where PTS may not cover every requirement or diversity of
condition at each locality. The system of PTS is expected to be sufficiently flexible to allow individual
operating units to adapt the information set forth in PTS to their own environment and requirements.

When Contractors or Manufacturers/Suppliers use PTS they shall be solely responsible for the quality of work
and the attainment of the required design and engineering standards. In particular, for those requirements not
specifically covered, the Principal will expect them to follow those design and engineering practices which will
achieve the same level of integrity as reflected in the PTS. If in doubt, the Contractor or Manufacturer/Supplier
shall, without detracting from his own responsibility, consult the Principal or its technical advisor.

The right to use PTS rests with three categories of users:

1) PETRONAS and its affiliates.

2) Other parties who are authorised to use PTS subject to appropriate contractual arrangements.

3) Contractors/subcontractors and Manufacturers/Suppliers under a contract with users referred to
under 1) and 2) which requires that tenders for projects, materials supplied or - generally - work
performed on behalf of the said users comply with the relevant standards.

Subject to any particular terms and conditions as may be set forth in specific agreements with users,
PETRONAS disclaims any liability of whatsoever nature for any damage (including injury or death) suffered
by any company or person whomsoever as a result of or in connection with the use, application or
implementation of any PTS, combination of PTS or any part thereof. The benefit of this disclaimer shall inure
in all respects to PETRONAS and/or any company affiliated to PETRONAS that may issue PTS or require the
use of PTS.

Without prejudice to any specific terms in respect of confidentiality under relevant contractual arrangements,
PTS shall not, without the prior written consent of PETRONAS, be disclosed by users to any company or
person whomsoever and the PTS shall be used exclusively for the purpose they have been provided to the user.
They shall be returned after use, including any copies which shall only be made by users with the express prior
written consent of PETRONAS. The copyright of PTS vests in PETRONAS. Users shall arrange for PTS to be
held in safe custody and PETRONAS may at any time require information satisfactory to PETRONAS in order
to ascertain how users implement this requirement.


HSE Manual Amendment Record Sheet


PTS Number: 60.2210
PTS Title: Quantitative Risk Assessment

Chapter No. | Section No. | Description                                 | Issue No. | Date    | Revision No. | Date    | Approved by (initial)
All         | All         | PTS 60.166 Quantitative Risk Assessment     | 1         | Oct 04  | 0            | 0       | IGA
All         | All         | Renumbering from PTS 60.2103 to PTS 60.2210 | 1         | June 06 | 1            | June 06 | IGA


CONTENTS

Preface

1. Introduction
1.1 Background
1.2 Objectives
1.3 Scope
1.4 Limitations

2. Use and Misuse of QRA
2.1 Qualitative versus Quantitative Risk Assessment
2.2 Concerns Regarding Misuse of QRA
2.2.1 Reducing risk rather than proving acceptability
2.2.2 Reducing risk to ALARP rather than to a fixed level
2.2.3 Representing reality rather than force fitting into a rigid model
2.2.4 Comparing like with like
2.2.5 QRA specialists must not work in isolation
2.2.6 Handling data
2.2.7 Using the correct level of detail

3. Risk Quantification
3.1 Incidents in Exploration and Production Operations
3.2 Quantification of Risk from Major Incidents
3.2.1 Identification of potentially hazardous events (top events)
3.2.2 Reduction of likelihood of top event
3.2.3 Development of the top event into incident scenarios
3.2.4 Estimation of likelihood of events
3.2.5 Assessment of consequences of the incident scenarios
3.2.6 Calculation of the potential loss from incident scenarios
3.2.7 Major incident risk to people calculated on the basis of exposure hours
3.3 Transport Incidents and Small Work Related Incidents
3.4 Merging Risks from all Hazards and Activities: PLL
3.5 Individual Risk

4. Presentation of Results
4.1 Risk Contours
4.2 Risk to Groups of People (F/N Plots)
4.3 Potential for Loss of Life (PLL)
4.3.1 Presentation of PLL figures
4.4 Individual Risk, Occupational Risk, Fatal Accident Rates (FARs)
4.5 Risk Contours and Individual Risk
4.6 Application of Individual Risk to Large Groups
4.7 Monetary Risk
4.8 Environmental Damage from Incidents
4.9 Less Tangible Aspects

5. Yardsticks to Assess Risk to People
5.1 Individual Risk
5.2 Group Risk
5.3 Risk to Members of the Public
5.4 Legislation
5.5 Implied Cost to Avert a Fatality (ICAF or CAF)
5.5.1 Discussion of ICAF
5.5.2 A global view of ICAF
5.5.3 Application of ICAF within EP
5.5.4 ICAF guidance
5.6 Demonstration of ALARP
5.7 Guidance for Decision Making
5.7.1 Individual risk of workers

6. The Use of QRA Results
6.1 Validity of Results
6.2 Human Factors
6.3 Accuracy of Risk Quantification
6.4 Completeness and Level of Detail of QRA
6.5 Recommendations from QRA
6.5.1 Cost effective safety measures
6.5.2 Selection of alternatives
6.6 QRA to Increase Awareness of Hazards
6.7 Communication of Risk to Members of the Public
6.8 Decisions Based on Consequence Analysis

7. Performance of Quantitative Risk Assessment
7.1 Objectives and Timing of the QRA
7.1.1 Projects for which use of QRA is likely to be beneficial
7.1.2 Projects for which use of QRA not likely to be beneficial
7.1.3 QRA to meet acceptance criteria
7.1.4 Summary of key points
7.2 Scope of Work
7.3 Duration, Manpower and Cost
7.4 Personnel Involved in the Assessment
7.4.1 QRA analyst's interaction
7.4.2 Competency assurance
7.4.3 Training

8. Methods and Data
8.1 Databases
8.1.1 WOAD (Worldwide Offshore Accident Data bank)
8.1.2 OREDA (Offshore Reliability Data bank)
8.1.3 E&P Forum hydrocarbon leak and ignition database project
8.1.4 Drilling blowout frequency JIP
8.1.5 Ship collisions
8.1.6 ITOPF oil spill database
8.2 Physical Effects Models
8.2.1 FRED (Fire, Radiation, Explosion and Dispersion)
8.2.2 HGSYSTEMS
8.2.3 SCOPE
8.2.4 BHEPPC (Blowout Hazards Evaluation Program)
8.2.5 Advice on third party physical effects models
8.2.6 General
8.3 Risk Estimation Programs
8.3.1 OHRAT (Offshore Hazard and Risk Assessment Toolkit)
8.3.2 PLATO
8.3.3 Concept risk assessment methodology
8.3.4 SAFETI
8.3.5 CARA
8.3.6 ASPIN

9. Description of PETRONAS QRA Activities
9.1 Main Challenges
9.2 Principal Tasks

Appendices
I Some Basic Probability Theory
II Fault Tree Analysis
III Risk Analysis Data Sheet System
IV Examples of QRA to Illustrate the Need for Completeness and the Appropriate Level of Detail

Glossary

References

1. INTRODUCTION

1.1 BACKGROUND

There are a number of different tools and techniques available within the Hazards
and Effects Management Process (HEMP) for the assessment and control of
industrial risk. They are not mutually exclusive, each having appropriate
applications. One of these, Quantitative Risk Assessment (QRA), is a powerful
decision-making tool which can assist in the selection of acceptable solutions to
safety problems. This technique can be defined as the formal and systematic
approach to identifying hazards, potentially hazardous events, and estimating
likelihood and consequences to people, environment and assets, of incidents
developing from these events. The total process of risk analysis, interpretation of
results and recommendations of corrective actions is usually called 'Risk
Assessment'.

In the last few years, QRA has gained a wide acceptance as a powerful tool to
identify and assess the significant sources of risk and evaluate alternative risk control
measures in PETRONAS's business. Extensive use has been made of quantification
methods such as Fault Tree Analysis and Event Tree Analysis. Physical effects
modelling has also been applied extensively to estimate the severity and
consequences of specific incident scenarios. Much experience has been gained in
presenting the results of all this work in a consistent and understandable format,
providing interpretations of the results and recommending the most appropriate
improvements.

QRA is considered a valuable tool in the decision making processes, to communicate
among the experts involved, to quantify opinions and to combine these effectively
with available statistical data. A properly performed risk analysis documents the best
knowledge of the company's technical experts. The application of QRA has
contributed not only to increased safety but also to improved cost effectiveness in
many areas.

With the introduction of safety (HSE) management systems and Safety (HSE) Cases,
the role of QRA in the HEMP has become more clearly defined. Few major projects
are now contemplated without the risks first being quantified. This trend is expected
to continue in the future with QRAs being carried out at all phases of projects from
feasibility studies to refurbishment of ageing facilities, both on- and offshore.

1.2 OBJECTIVES

This manual builds on the experience gained to date and provides an outline of QRA
techniques and their utility in all sectors of the business. The objectives of the manual
are:

• to increase the awareness of the benefits, shortcomings and applicability of QRA

• to reduce misuse of the technique

• to enable setting of a scope of work for a QRA study, estimating required
resources and assessing the most suitable timing

• to provide essential information to review QRA studies and interpret their results.

1.3 SCOPE

The QRA process can be represented by the flowchart in Figure 1.1. This flowchart is
used as a framework for this guidance document.

This guidance begins with a scene-setting discussion on the use and misuse of QRA
(Chapter 2). Here concerns that the technique may not always be used appropriately
and the current thinking regarding when risks should be quantified are outlined. The
QRA process is then traced as follows:

• risk quantification (Chapter 3)

o hazard identification

o method of analysis

o summation of risks

• presentation of QRA Study results (Chapter 4)

o methods available

• assessment of QRA Study results (Chapter 5)

o yardsticks

o ALARP

o guidance for decision making

• use of QRA Study results (Chapter 6)

o validity and sensitivities

o improvement recommendations

o communication

• QRA Study execution and timing (Chapter 7)

o appropriate application

o study scope, timing and resources

• QRA data, tools and examples (Chapter 8 and Appendices)

o databases

o physical effects modelling

o PC programs

o illustrative examples of studies


Chapter 9 describes the role of PETRONAS with respect to QRA within its activities.

1.4 LIMITATIONS

The manual is not a detailed guide to the suite of techniques and computer programs
in use in QRA, although some of the more significant programs are mentioned.
Although the information provided is also essential reading for the experienced risk
analyst it is certainly not sufficient as a training for risk analysts. Reference is made
to detailed QRA text books.

Many of the views expressed in this document on the utility of risk assessment have
also been presented outside PETRONAS Group of Companies. The E&P Forum
position paper on QRA (Ref. 1) is fully in line with the ideas expressed in this
manual. The paper prepared for the Oslo 1989 Loss Prevention Symposium (Ref. 2)
is also based on the ideas in this manual. The document is therefore not limited to
PETRONAS operations; its terminology and ideas can be used in discussions with
partners, regulatory bodies and authorities.

The preface to this report may be considered useful for any QRA report issued by
PETRONAS or PETRONAS OPUs. The wording has been carefully chosen in order
to avoid the impression that QRA is used to calculate and justify acceptance of risks.
The first two paragraphs are quoted literally from PETRONAS's HSE policy; this
wording shall not be changed other than to bring it in line with any subsequent
changes in the wording of the policy.

2. USE AND MISUSE OF QRA

2.1 QUALITATIVE VERSUS QUANTITATIVE RISK ASSESSMENT

Once hazards and hazardous events have been identified, their causes, consequences
and probability can be estimated and the risk determined. Risk assessment may be
on a qualitative or quantitative basis. Both involve the same steps. Qualitative
methods may be adequate for risk assessments of simple facilities or operations
where the exposure of the workforce, public, environment or the asset is low.
However, the application of quantitative methods is considered to be desirable
when:

• several risk reduction options have been identified whose relative effectiveness is
not obvious

• the exposure to the workforce, public, environment or the strategic value of the
asset is high, and reduction measures are to be evaluated

• equipment spacing allows significant risk of escalation

• novel technology is involved resulting in a perceived high level of risk for which
no historical data is available (e.g. deep water developments in hostile
environments)


• demonstration of relative risk levels and their causes to the workforce is needed
to make them more conscious of the risks

• demonstration within the OPU and to third parties, including the regulating
authorities, that risks are as low as reasonably practicable is required.

The application of QRA should not be limited to large complex expensive studies. It
is a technique which can be used quickly and cheaply to help structure the solution
to problems for which the solution is not intuitively obvious.

Without the quantification of risk in some situations, we may be in danger of
allocating scarce resources for little benefit.

Figure 2.2 Quantitative versus qualitative assessment


Risk is often defined as a function of the chance that a specified undesired event will
occur and the severity of the consequences of the event. When risk is assessed
qualitatively a Risk Matrix may be used. When assessed quantitatively, risk is
derived from the product of chance and potential consequence. For QRA purposes,
chance is usually expressed as the frequency of occurrence. If no attempt is made to
estimate the frequency, we may be driven by the consequence into investing heavily
on risk reduction measures which are ineffective.

Many are concerned about the accuracy of the quantification and use this as a reason
why the technique should not be applied. However, whether we realise it or not, we
are always making implicit comparative quantification whenever we make a
decision. What we gain with QRA is a structured assessment of the risk instead of an
intuitive type of quantification. The numbers used in a QRA may be very
approximate, but at least we have broken down the problem into its basic elements
and made an objective judgement for each of these elements rather than an overall
judgement on a largely subjective basis. However, when there are a large number of
situations to be analysed, it may be advantageous to precede the QRA study by a
consequence analysis. This may filter out the cases where a full QRA would not add
additional information (ref. 6.8). See also 7.1.1 and 7.1.2 for advice on the use of
QRA.

2.2 CONCERNS REGARDING MISUSE OF QRA

There are several situations in which QRA has been and is being misused. This misuse is
not necessarily deliberate but can arise from a misunderstanding of the QRA process.

2.2.1 Reducing risk rather than proving acceptability



A common form of misuse results from the desire to prove that a deviation from
company standards or practices is 'acceptably' safe. As with any type of study, it is
always possible for the less scrupulous to steer the process so that the conclusions are
biased towards a preconceived goal. No-one gains from this. Unless the study is
carried out objectively and with an open mind, ill-conceived decisions may be made
and the opportunity missed to reduce risks. In principle, the use of QRA to challenge
the need for retrofitting to revised standards and to aid in the development of
standards and procedures should be encouraged. However, such assessments must be
carried out objectively with the overall aim of reducing risks to ALARP (as low as
reasonably practicable) (see 5.1 and 5.6). Under no circumstances should QRA be
used to justify or encourage risk taking.

Figure 2.4 Reducing risk rather than proving acceptability

2.2.2 Reducing risk to ALARP rather than to a fixed level

Adoption of the concept that something can be 'acceptably' safe is also a source of
misuse. The only level of risk which is truly acceptable is zero. Whatever we do has a
risk associated with it and therefore, in practice, an acceptable risk level is
unattainable. Society and industry tend to agree that the dividing line between
tolerable and intolerable risk of fatality to those individuals that obtain commensurate
benefits from the activity is around 10⁻³ per year. Below this level, provided
individuals are aware of the risks, enjoy some commensurate benefit and everything
reasonable has been done to reduce the risk, risks may be tolerated (Ref. 3). The aim
of the management of risks in this tolerable region is not to reduce risks to some
fixed 'acceptable' level but to reduce them until they are ALARP. The resulting actual
risk levels could thereby be different for different projects but with the common
feature that they are ALARP for that project.


2.2.3 Representing reality rather than force fitting into a rigid model

Another criticism of the way some of our QRAs are carried out is that they are too
mechanistic. Risk assessment is a process by which one tries to represent reality by
a much simplified model. It is important that the modelling should not be forced into
a preconceived model template structure, but that each study should be modelled to
include all areas which impact the risk levels.

Figure 2.6 Representing reality rather than force-fitting into a rigid model

One criticism of the application of QRA in the past is that studies have focused too
much on mitigation of the consequences of hazardous or top events and too little
attention has been given to looking for ways to reduce the likelihood or eliminate the
top event itself. Once the top events have been identified, their occurrence should not
just be accepted but effort should be spent on seeking ways to eliminate them -
prevention is better than cure!

2.2.4 Comparing like with like



It is also important that the right boundaries are drawn around the options so that one
is comparing like with like.

2.2.5 QRA specialists must not work in isolation

In some projects, QRA is still regarded as the sole province of QRA experts. A
consequence of this is that the experts, usually consultants, may be asked to carry out
a QRA study with insufficient thought having been given to the objectives and
benefits of the study. Also, there is a danger that the study will be carried out with a
minimum involvement of those that are directly involved in the business being
analysed. The possibility then exists that the assumptions (including the operating
philosophy) and data used will bear little relationship with reality. The study is then
of little value.

It is imperative that the relevant staff are involved throughout the study to ensure that
the right assumptions are being made and are correctly used. It is also essential that
any assumptions made in a QRA study of new projects are carried through into the
HSE Case and Asset Reference Plan. Also, for existing facilities, the results of a
QRA should be fed back into the HSE Case.


2.2.6 Handling data

The blind use of data needs to be avoided. There are various sources of data.
However, not all are reliable and not all will be applicable to the operation under
study. When the reliability or applicability of the available data is in question it is
important that this is highlighted. For data which has a significant impact on the risk
picture, a separate study should be made to evaluate the probable range of
uncertainty. Sensitivity runs should then be carried out to test the robustness of the
analysis.

For cases where the data is so uncertain that no conclusions can be drawn regarding
the relative safety of the options considered, this should be highlighted in the report.


Figure 2.9 Handling data uncertainty

2.2.7 Using the correct level of detail

Significant errors can be made in QRA by not using the level of detail appropriate to
the objective of the study. The level of detail should be selected such that, for
instance, it is possible to identify which combination of event size and probability
contributes most to the risk of a particular operation.

Figure 2.10 QRA: using the correct level of detail

Areas of QRA which have recently been the subject of debate include the distinction
between controllable and uncontrollable risk with respect to structural reliability
analysis, risk aversion, cyclic risk and the summation of risk from different project
phases. The debate surrounding these issues is summarised in a position paper (see
Ref. 4).


3. RISK QUANTIFICATION

A quantification of the risks of past Oil and Gas and Petrochemical activities can be
provided by incident statistics. It is likely that the risk of Oil and Gas and
Petrochemical activities in the future would be identical to past risks if these
activities were to be performed with the same means, measures and safety
management as used in the past. However, different techniques for performing the
Oil and Gas and Petrochemical activities have been developed over the years and
safety improvements have been identified and carried out. Quantification of future
risk therefore requires a methodology that makes it possible to take account of these
differences and improvements.

The methodology outlined in this document makes it possible to analyse the risk for
future operations and give credit for improvements in design, engineering and
operational procedures. Methods which give credit for the quality of safety
management are being developed but are not yet proven; the results of QRA where
these tools have not been applied are therefore representative of an average quality of
management at all levels of the organisation, industry wide.

In order to set the scene for quantification of future risks, the nature of incidents in
Oil and Gas and Petrochemical is discussed first. The quantification methodology
is presented thereafter.

3.1 INCIDENTS IN OIL AND GAS AND PETROCHEMICAL OPERATIONS

During the past years a number of personnel (PETRONAS Group of Companies and
contractor staff) died in work-related incidents and there were thousands of Lost
Time Injuries (LTIs). Many incidents occurred with significant damage to
installations and loss of production. QRA can be used to estimate all these risks;
however, the emphasis is usually on the potential for loss of life. The fact that
measures to reduce the risk to people usually also reduce risk to assets and
production is however a welcome argument to strengthen the justification for
pursuing risk reduction.

In the 1980s QRA concentrated on major incidents such as fires, explosions, releases
of toxic materials, collisions, etc. The emphasis on these major incidents has often
detracted from the smaller incidents where a person chose to do the wrong thing in
the wrong place at the wrong time, with or without knowing the risk he was taking.
Also transport-related incidents were often excluded from the analysis as this was
usually considered to be outside the control of the company.

An analysis of the fatal incidents in the industry (Figure 3.1) shows that, on average
over all operations, major incidents such as explosions and fires make a relatively
small contribution to the number of fatalities in the industry operations.


Figure 3.1 Company and contractor fatalities by cause in PETRONAS Operations
1990-1994 (Any new figures to replace?)

When comparing various alternatives to perform an operation it is therefore essential
to take possible fatalities from all types of incidents during all phases of a project into
account. For a typical offshore project this may include all incidents during onshore
construction, offshore installation, drilling of wells, commissioning, maintenance and
operation, and decommissioning. Major incidents, smaller incidents and transport-
related incidents from all work performed under direct PETRONAS’ control or
influence, are to be considered.

This is schematically presented in a matrix (Figure 3.2) in which the columns
represent the various phases of the project and the rows represent the type of
incident. The areas that traditionally receive a lot of attention are shaded.

Figure 3.2 Incident types during various phases of an offshore project

Opportunities to reduce risks in these shaded areas can often be identified by QRA,
but it should be realised that only a part of the total risk is addressed and that the
overall safety improvement may be small. Also, efforts to reduce risk in one cell of
the matrix may affect risks elsewhere. For example, the installation of extensive fire
detection and deluge systems on small, normally unmanned platforms, may reduce
the loss of lives, assets and production but many man-hours and materials will be
required to install and maintain this equipment. This has an effect on the project
economics and it exposes more personnel to the hazards of work offshore. Moreover,
incidents can occur during transportation of the additional personnel to the offshore
locations. The net effect of the safety measure on the safety of personnel and on cost
effectiveness may therefore be less than expected. A comparison of options should
therefore take all elements of the matrix into account, i.e. all project phases and all
types of risk. The next chapter describes how these types of risk can be analysed and
merged together.

3.2 QUANTIFICATION OF RISK FROM MAJOR INCIDENTS

Under guidance of a risk assessment specialist, but with input from the various
disciplines, the quantification of risks from major incidents is performed in the
following steps:

3.2.1 Identification of potentially hazardous events (top events)

The potentially hazardous event is usually called the 'top event'. Examples of such
top events in industry operations are:

• hydrocarbon leaks from process equipment, risers or pipelines

• reactor failure

• storage tank leaks or failure

• gas compressor failure

• blowouts during drilling, production and work-over

• collisions with visiting or passing vessels

• extreme environmental loads.

Formal approaches exist to identify hazards and top events, e.g. Hazard Identification
(HAZID), Hazard and Operability studies (HAZOP) and Failure Mode and Effect
Analysis (FMEA). Reference should be made to the HSE Manual Volume 3 for
further details. These techniques provide some assurance that potentially hazardous
events will be revealed. Checklists, such as the hazard hierarchy checklist, are
sometimes used to aid top event identification and are incorporated in the HSE MS IT
tool THESIS. Imagination combined with experience is probably the most powerful tool
for identification of events that may create incidents ('creative destructive thinking').
In this identification stage it is important to list all hazardous events and not to start
rejecting them on the basis of their rare occurrence or small effects.

3.2.2 Reduction of likelihood of top event

Once the hazardous or top events have been identified, their occurrence should not
just be accepted but effort should be spent on seeking ways to eliminate them -
prevention is better than cure! (see 2.2).

3.2.3 Development of the top event into incident scenarios

Hazardous events do not necessarily cause loss of life or damage. The development
of the top event into a serious incident depends on the effect of mitigating factors,
e.g. an un-ignited hydrocarbon release in a module can be sensed by gas detectors
activating a shutdown system. If immediate ignition occurs, fire detectors can
activate shutdown and deluge systems prior to further escalation. Similarly,
intervention by human beings can also affect outcomes.

The formal techniques to project this development of events into incidents are Event
Trees. They provide a diagrammatic and systematic presentation of this development
and make it possible to include opinions of experienced personnel.

An example of an Event Tree is given in Figure 3.3. The top event is a hydrocarbon
release in an offshore platform module. The questions are phrased in such a manner
that escalation of the event appears on the right hand branch. Each of the branches
terminates at the bottom of the tree in an 'outcome' or 'end event'. As each of the
'outcomes' reflects a particular development of a hazard into an incident it is also
referred to as the 'incident scenario'.

The questions are arranged in chronological order, so that reading one particular path
through the tree, from 'top event' to 'end event' presents a story, e.g. 'A hydrocarbon
leak; does not ignite immediately; is detected by gas detection system; release
continues because shutdown system fails; delayed ignition causes explosion'.


On each branch probabilities can be entered. It is essential to realise that these
probabilities are dependent on the events that occurred before this branch was
reached. An example of this is the delayed ignition probability which is dependent on
the functioning of the detection system (see Figure 3.4 below).

Manual interventions could be taken account of in an Event Tree either as an extra
branch or via the actual probability assigned to each branch. For example, if the
detection system raises an alarm, people are aware of the hazard and can act
accordingly so that the probability of delayed ignition is lower than upon failure to
detect the gas cloud.

The action, or inaction, of people during an emergency can have a profound effect on
how scenarios may develop and on the consequences therefrom (and similarly on the
causes of hazardous events). Techniques and tools to aid this aspect of an assessment
are addressed in human factor analysis described in section 6.2.

This is a relatively young area of application study within the Oil and Gas and
Petrochemical activities and within QRA and there remains wide scope for
development (Refer also to 6.2).

Figure 3.4 Event tree with quantification

The calculation rules for Event Trees are extremely simple: the frequency of the end
events is found through multiplication of the top event frequency by the probabilities
along the branches that lead to the end event. A necessary condition is that the
estimates for branch probabilities take account of the circumstances developed by
preceding branches. To this aim the chronological sequence of the branch questions
is essential.

Note that the top event likelihood is expressed as a frequency (i.e. number of
occurrences per unit time). The branch probabilities are real probabilities, i.e. a
number between 0 and 1 (dimensionless). Each 'outcome' or 'end event' likelihood is
again expressed as a frequency.

3.2.4 Estimation of likelihood of events

The estimation of frequencies and probabilities of events in Event Trees is based
either directly on statistical analysis of historical data, or derived by the use of Fault
Trees. When historical data is not available, or only available for facilities operating
in different circumstances, it is necessary to rely on the opinion of experts to interpret
data for comparable equipment in order to make a best estimate.

An example of a Fault Tree to assess the probability of failure of a particular deluge
system is given in Figure 3.5. A Fault Tree describes the logical interconnection
between various components within a system by using a diagrammatic presentation
in which 'or' and 'and' gate symbols are used. Gate symbols connect events according
to their causal relations. It is usually assumed that the events in the Fault Tree are
independent of each other (Note: in Event Trees the events are dependent on all
previous events).

Figure 3.5 Example of a Fault Tree

Note that the Event Trees are used for the 'forward' analysis to project the
development of scenarios following the occurrence of an event, while Fault Trees are
used for the 'backwards' analysis, tracing back the possible causes of an identified
event. This is shown in a cause-consequence diagram, Figure 3.6.

Figure 3.6 Difference between Fault and Event Trees, a cause-consequence diagram

Fault Trees may also be used to trace back the possible causes and, if quantified,
probability for branches in an Event Tree.

Appendix II provides additional guidance for the construction and calculus of Fault
Trees and illustrates several of the pitfalls present in Fault Tree analysis.

The techniques for calculating frequencies and probabilities in Fault and Event Trees
are well documented (see Refs. 5, 6, 7) and relatively simple. However, there are
numerous pitfalls for the inexperienced user. For example, ignoring the dependence
between events in Fault and Event Trees can lead to errors of several orders of
magnitude.

Unlike Event Trees, Fault Trees do not account for sequence or time. This, together
with the pitfalls outlined in Appendix II, demands care by the analyst and tends to
limit their use for risk analysis. Use of Fault Trees is more appropriate for reliability
analysis.

More information on estimation of failure probabilities and frequencies is given in
Appendix III.
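The independence assumption and the dependence pitfall mentioned above, as an added example (not part of this standard and not the tree of Figure 3.5). The deluge system layout, the event names and the probabilities are hypothetical; the power supply feeds both pumps, so it appears twice in the tree and a gate-by-gate calculation treats it as two independent events.

```python
"""Fault Tree 'and'/'or' gates under the independence assumption, and the
error made when a shared (repeated) basic event is ignored."""
from itertools import product
from math import prod

# Constructed failure-on-demand probabilities for a hypothetical deluge system.
P = {
    "deluge_valve_fails": 1e-4,
    "pump_a_fails": 1e-3,
    "pump_b_fails": 1e-3,
    "power_supply_fails": 1e-3,   # feeds BOTH pumps
}

# A node is either a basic event name or a tuple (gate, input, input, ...).
PUMPS_FAIL = ("AND",
              ("OR", "pump_a_fails", "power_supply_fails"),
              ("OR", "pump_b_fails", "power_supply_fails"))
DELUGE_FAILS = ("OR", "deluge_valve_fails", PUMPS_FAIL)


def gate_by_gate(node, p):
    """Evaluate bottom-up, treating the inputs of every gate as independent."""
    if isinstance(node, str):
        return p[node]
    kind, *inputs = node
    q = [gate_by_gate(child, p) for child in inputs]
    if kind == "AND":
        return prod(q)
    if kind == "OR":
        return 1.0 - prod(1.0 - x for x in q)
    raise ValueError(f"unknown gate {kind!r}")


def occurs(node, state):
    """True if the event at node occurs for a given state of the basic events."""
    if isinstance(node, str):
        return state[node]
    kind, *inputs = node
    if kind not in ("AND", "OR"):
        raise ValueError(f"unknown gate {kind!r}")
    results = [occurs(child, state) for child in inputs]
    return all(results) if kind == "AND" else any(results)


def exact(node, p):
    """Sum the probability of every basic-event state in which node occurs.

    Only the BASIC events are assumed independent here, so an event that is
    repeated in the tree is counted once per state, as it should be.
    """
    names = sorted(p)
    total = 0.0
    for values in product((False, True), repeat=len(names)):
        state = dict(zip(names, values))
        if occurs(node, state):
            total += prod(p[n] if state[n] else 1.0 - p[n] for n in names)
    return total


if __name__ == "__main__":
    for label, tree in (("both pumps fail", PUMPS_FAIL), ("deluge fails", DELUGE_FAILS)):
        naive, true = gate_by_gate(tree, P), exact(tree, P)
        print(f"{label:16s} gate-by-gate {naive:.3e}  exact {true:.3e}  "
              f"underestimated by a factor {true / naive:.0f}")
```

The enumeration in `exact` grows as 2^n with the number of basic events, which is acceptable for a small illustrative tree only.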

Throughout the construction and analysis of Fault and Event Trees, assumptions will
have to be made regarding the ways in which the facilities are operated and
maintained. It is important that those persons with the appropriate experience and
expertise (e.g. production operators) are consulted regarding these assumptions. It is
essential to list these assumptions and to include the assumptions in the HSE Case so
that a full traceability of results is achieved.

3.2.5 Assessment of consequences of the incident scenarios

An assessment of the consequences is required for the scenarios in which the failure
of safety systems and the absence of mitigating factors leads to an escalation of the
hazardous event (e.g. escalation of initially controllable releases of hydrocarbons into
major fires and explosions, waterway pollution, etc).

Physical effects from releases of hydrocarbons or toxic material such as dispersion,
explosion over-pressures and heat radiation, have to be calculated to assess whether
escalation is a realistic possibility and the extent of damage following the escalation.

An important input to these calculations is the release (or leakage) rate. As the hole
size is estimated on the basis of statistical data and hole shapes are simplified, it is
difficult to be precise. The difference between a small release from either a 0.5 inch
or 1 inch hole may seem irrelevant in statistical data; however, the release rate differs
by a factor of 4, since it scales with the hole area. The calculated physical effects
based on these release rates may also differ significantly.

Another important aspect of the release rate calculation is its time dependence.
Usually inventories of hydrocarbons and toxic materials are limited or can be limited
by ESD systems. The release rate will therefore decline with time.

Once the (time dependent) release rate has been estimated the calculation of physical
effects will depend on many other factors. Figure 3.7 provides an overview of the
various physical effects following a release. Many computer programs exist for the
calculation of these effects (see Chapter 8). In all cases these calculations are strongly
dependent on a large number of physical (density, toxicity, burning rate),
environmental (wind, stability, humidity, temperature) and geometrical (obstructions,
confinement, etc) parameters which are either unknown or cannot be modelled
accurately. Refer also to PTS 60.2211 Physical Effects Modelling.

Figure 3.7 Physical effects following a release of hazardous material

Physical effects calculations can thus only be used to provide an indication of the
extent of the physical effects. Such calculations cannot be used to define accurately
the location at which a given level of effects will be exceeded. In incident scenarios
such as collisions causing structural damage, etc., other calculations may be required
to assess consequences.

The physical effects calculations together with knowledge of the relative proximity
of other equipment (vessels, tanks, etc) will allow escalation routes to be identified.
These routes are then further developed using Event Trees. The effectiveness of
control/mitigation/recovery measures is also modelled in the Event Tree. For
example, given a jet flame at a particular location, the chances of safe escape of
personnel can be evaluated taking into account evacuation possibilities, the potential
for rapid escalation of the incident, etc. The effect of smoke also needs to be
assessed.

Estimates of the consequences to people, environment and resources (Ref. 8) are then
made with the input from the appropriate experts (who may also use modelling
techniques, such as those for the prediction of the movement of people within
escalation scenarios, and those for prediction of river pollutant flows). These
estimates require information regarding average numbers of the different types of
worker likely to be present at various times and locations, environmental effect data
and replacement costs for damaged equipment.

Usually, mathematical algorithms are developed to relate physical effects model
results to consequences. These are often referred to as 'rule sets'.

Consequences such as loss of reputation as a prudent operator and loss of future
business as a result of a disaster are difficult to estimate. Management is probably in
the best position to judge such consequences after having received information on the
likelihood and extent of damage from the various incident scenarios (see also 4.7, 5.5
and 5.7.4).

3.2.6 Calculation of the potential loss from incident scenarios

Having assessed the frequency and consequence for each of the incident scenarios of
the Event Tree, it is possible to calculate the statistically expected loss for each
scenario by multiplication of frequency and consequence. The total statistically
expected loss can be calculated by summation of the loss over all scenarios.

The use of the statistical expression 'expected' has serious drawbacks in QRA as it
creates the impression that we expect the loss to occur with an almost mathematical
certainty. It is recommended to use the expression 'potential' instead, as this supports
the views expressed in the preface of this report that incidents can be avoided.

The potential loss from one hazardous event can thus be calculated by:

where 'n' is the number of outcomes developing from one hazardous event, F is the
frequency and C the consequence of each outcome.

The potential loss from all hazardous events identified can be calculated in a similar
fashion. This calculation scheme is shown in Figure 3.8.

Figure 3.8 Scheme for calculation of potential loss from incident scenarios

3.2.7 Major incident risk to people calculated on the basis of exposure hours

In a more cursory type of QRA it is often desirable to calculate risks due to major
incidents on the basis of an estimated Fatal Accident Rate (FAR: fatalities/100
million exposure hours) and exposure to particular hazards. This type of estimation
is often applied in the earlier phases of a project.

The FAR could also be calculated from the potential for loss of life from all major
incidents (as calculated in 3.2.6) divided by the number of hours that people are
exposed to this hazard.

3.3 TRANSPORT INCIDENTS AND SMALL WORK RELATED INCIDENTS

The economic loss from transport and small work-related incidents is usually small;
however, the loss of life can be significant. The quantification of risks from these
incidents therefore concentrates on fatality risk. The calculation is usually based on
the following steps:

• identify the activities in which individuals or groups of individuals are involved

• determine the exposure (e.g. in man-hours) to these activities for each individual
or group of individuals exposed to similar risks

• derive from statistical information a Fatal Accident Rate (FAR) for each activity
(FAR expressed in fatalities/100 million hours exposure)

• for each activity: multiply exposure hours by FAR; summation over all activities
yields the potential loss from transport and small work-related incidents.

The calculation for 'm' different activities can be presented in formula form:

Potential loss where it relates to human fatalities is labelled potential loss of life,
PLL.

Depending on the statistical data available, exposure can also be expressed per
operation, e.g. a well drilled, a transport trip or a platform installation.

In combination with the calculation method mentioned in 3.2.7, the above way of
calculating risk is a powerful tool to provide an overview risk picture.

Appendix IV provides an example of the use of overview QRA in decision making.
Care needs to be taken, however, to ensure that all significant risks have been
included in the estimate.

3.4 MERGING RISKS FROM ALL HAZARDS AND ACTIVITIES: PLL

The risks to people calculated by one of the previously described methods can be
merged in order to arrive at the risk for an entire operation or development. One way
of merging the results is by summation of the potential loss over all types of hazards
(major, small and transport) over all relevant project phases. The scheme for such a
calculation for PLL is presented in Figure 3.9.

3.5 INDIVIDUAL RISK

The above has outlined the process whereby the PLL can be estimated. If PLL alone
is used as a measure of risk, then the situation may arise whereby a project option
with the lowest PLL exposes some types of worker to a higher risk than for other
options. Hence it is essential that, in addition to PLL, the individual risk to the most
exposed workers is also assessed. (Also referred to as occupational risk and described
further in 4.4).

Individual risk is calculated in a similar manner to PLL. The difference is that the
risk is 'personalised'. That is, the work pattern of a particular worker is studied and
each risk to which that worker is exposed is summated over a defined period, usually
one year. Periods outside of the direct influence of the company are not counted, i.e.
periods at home and on leave are excluded. The risks associated with transport to and
from the workplace are only included if the transport has to be provided by the
company (e.g. helicopter flights).

Individual risk is usually expressed as risk of fatality per annum (IRPA) for a named
type of worker. The worker is assumed to be representative of that type of worker
(e.g. driller, production operator, maintenance operator, etc). It is important that the
Event Trees are set up at the start of a QRA study with a view to facilitating the
calculation of individual risk. If this is not done, calculation of individual risk can be
time consuming.

On conventionally operated offshore manned facilities, the individual risk to
personnel can be assessed taking into account their involvement with a single
platform. With minimum intervention or not normally manned facilities, operators
and maintenance workers are likely to divide their time between several platforms
potentially giving rise to very high individual risk levels from helicopter risk
exposure. Consequently, the individual risk must be assessed not on a single facility
basis but on a worker work schedule basis. Hence the operator and maintenance
worker annual work schedules need to be reviewed in order to reduce exposure of the
individual to helicopter risks as much as possible.

The type of situation discussed above can also occur when contractor staff are only
employed for short periods. Care has to be taken to ensure that this type of person is
not exposed to very high risks for short periods which are masked by the fact that
either risk tends to be averaged over a period of one year or longer or the individual
is only involved with the project for a short period before moving to another contract.
Similar arguments can apply, say, when considering possible peak periods of risk to a
company or contractor employee which may be masked by the fact that risks tend to
be averaged over a period of one year or longer. Such peaks may, for instance, be
associated with periods of intense construction activity. There is a case for assuring
that risks are ALARP at each stage of the project.

QRAs carried out for onshore plants are similar but more critical, as such plants are
normally situated in areas where there are people in the surroundings. These cases will
have to be assessed taking into consideration the impact on the surrounding areas and
on the public.

4. PRESENTATION OF RESULTS

Risk is a multi-dimensional concept, i.e. it involves frequency and (various)
consequences. It is therefore useful to present risk as a multiple set, describing the
possible consequences with their associated frequency of occurrence. Depending on
the actual circumstances, recommendations may be based on either consequences or
frequencies or on a combination of these values. Presentation of risk as a
combination of frequency and consequences can be very useful for comparisons.

Various methods are available to present the risk ranging from simple tables to
complex graphs. The most basic presentation of risk from work- and transport-related
incidents is a table with the potential loss of life per activity. Another very basic form
of presenting risk from major incidents is by showing the Event Tree with
frequencies, consequences and their product for each of the incident scenarios
(Figure 4.1). It gives an immediate indication of the most serious incident scenario,
the most frequent one and the most damaging one in terms of potential loss.

Figure 4.1 Most basic form of presenting risks from major incidents

More advanced presentation methods are given in the following paragraphs. A
distinction is made between the presentation of risk to people and economic risk.

Our activities have the potential to affect the risks to which not only those directly
involved in our activities are exposed, but also the general public. The quantification
process is similar for both; however, the presentation of risk is different. Risk
contours and F/N curves are a common form of presentation of the risk to the public.

4.1 RISK CONTOURS

A commonly used presentation form for risk to the public is the so-called risk
contour. The number at this contour represents the frequency at which a person,
assumed to be permanently present at the location of the contour, sustains a given
level of harm.

An important philosophical point is that the risk contours must be interpreted as
characterising points in space and not characterising the risk to individual people;
people move from place to place during their normal living activity. Further, the
contours are usually derived on the assumption that an unprotected individual is
located at a point 24 hours per day 365 days per year and does not escape from the
effects of the dose. This will in general overestimate the average risk. In reality,
people will move from place to place, may be able to escape and may to some extent
be protected by the topography, buildings or vehicles. However, the contours do
allow a consistent indication of risk levels for the area surrounding the facilities.

An important aspect of the definition is that the risk is related to a particular location,
which in general is not the same as distance to the source. For example, prevailing
winds may result in the same individual risk at different distances.

A toxic release from a particular process is considered as an example. Wind
condition 2 occurs twice as often as wind condition 1. For certain concentrations, the
frequency of reaching specific concentrations for the two different wind directions
can be plotted in a manner similar to that shown in Figure 4.2. Since the
concentration of the toxic release is directly proportional to the degree of harm, then
this can be equated to consequence. Therefore the combination of concentration
(consequence) and frequency as plotted, results in a risk contour.

Figure 4.2 Risk Contours (Risk = frequency x concentration)

Risk contours have typically been presented in applications submitted to local
planning authorities in some countries. Some authorities require these contours to be
presented as 'dangerous dose' contours. Dangerous dose is a dose of toxic gas, or heat
or explosion overpressure, which has the potential to cause death but will not
necessarily do so.

The example shown in Figure 4.2 is, by necessity, illustrative. In practice, a risk
contour would be developed by calculating the cumulative risk at any one point in
space as a result of all potential hazardous events likely to occur within a facility.

4.2 RISK TO GROUPS OF PEOPLE (F/N PLOTS)

Another frequently used method to represent risks to workforce personnel or the
surrounding community is a probability/consequence diagram also called an F/N plot
where 'F' denotes the frequency of a potential event and 'N' the number of associated
fatalities.

In practice the cumulative frequency of a potential event with 'N' fatalities is plotted
against 'N'. Figure 4.3 is an example of a cumulative F/N plot, generally called the
Cumulative Frequency Graph. This graph shows the probability of N or more
fatalities occurring. Such graphs tend to be of interest when the risk acceptance
criterion selected or, as is more often the case, imposed by the regulator, includes an
aversion to potential incidents that would result in, say, more than ten fatalities.
Within the PETRONAS Group of Companies the policy is to adopt risk aversion
criteria that give equal weight to single as well as multiple potential fatalities.

A quantity relating to the Cumulative Frequency Graph is the so-called Group Risk,
the frequency that N or more persons will sustain a given level of harm from a
defined source of hazard(s). When Group Risk is used in the context of the public
(rather than to the workforce) the term Societal Risk is sometimes used. It is
important to note that Group Risk refers to the actual people exposed not to the
hypothetical group of people assumed to be permanently present at a particular
location when constructing risk contours.

F/N plots, Cumulative Frequency Graphs and, hence, Group Risks are obtained by
adding the frequencies of a number of consequence scenarios (after sorting on
numbers of fatalities per scenario). Table 4.1 gives an example of the data and
calculations required to plot the Cumulative Frequency Graph shown in Figure 4.3.

Table 4.1 Frequencies and fatalities of some incident scenarios

Scenario   Number (N) of   Frequency of   Frequency of incidents with
           potential       scenario per   potential (N) or more
           fatalities      year           fatalities per year
1          1               0.1            0.11518
2          10              0.01           0.01518
3          50              0.005          0.00518
4          100             0.0001         0.00018
5          200             0.00007        0.00008
6          500             0.00001        0.00001

Figure 4.3 Example of an F/N plot and Cumulative Frequency Graph

The calculated cumulative frequency points are often connected so that a more linear
plot is obtained rather than the stepped plot of Figure 4.3.

Presentation of cumulative frequency graphs

Cumulative Frequency Graphs can sometimes be used for comparison of options.
Figure 4.4a shows a case where one option is clearly better than the others.

Figure 4.4a Cumulative Frequency Graph - Options comparable

In another example, such as that shown in Figure 4.4b it is not possible to compare
the options.

Figure 4.4b Cumulative Frequency Graph - Options not comparable

This drawback, which is explained below, severely limits the usefulness of
Cumulative Frequency Graphs.

Figure 4.4b shows the risk to personnel for several offshore oilfield development
options. One graph represents a rather simple option with relatively few safety
features. Another represents an option with extensive additional features. Whilst the
latter reduces the likelihood of major accidents, the likelihood of small accidents is
increased as more personnel are needed offshore to operate and maintain the extra
equipment. Consequently the two graphs cross.

Another development option avoids permanent manning offshore by shuttling
personnel by helicopter from shore to the platform when needed. The total number of
man-hours spent in the relatively hazardous offshore environment is now reduced as
well as the maximum size of an incident. The potential for incidents with helicopters,
involving some ten to twenty people increases. Again, the cumulative frequency
graph for the latter case crosses the earlier ones.

The less experienced reviewer of QRA results generally finds the cumulative graphs
rather confusing and at times even experienced analysts will draw wrong conclusions
from them. It is therefore recommended to avoid this form of presentation. The main
use of the cumulative frequency graph is probably to satisfy the requirement of some
regulators. Authorities use the graphs of risk to the public (off-site risk) to assist in
the planning of their emergency services (e.g. maximum likely number of
ambulances, hospital beds, etc).

Both risk contours and cumulative frequency graphs are mainly used to present risk
to the public. Risk to employees is recommended to be presented in bar chart form as
individual risk and potential loss of life as discussed below.

4.3 POTENTIAL FOR LOSS OF LIFE (PLL)

If we assume that the scenarios in Table 4.1 represent all major incident scenarios for
a particular operation the potential for loss of life can be calculated as:

  1 x 0.1     /yr = 0.1   /yr
 10 x 0.01    /yr = 0.1   /yr
 50 x 0.005   /yr = 0.25  /yr
100 x 0.0001  /yr = 0.01  /yr
200 x 0.00007 /yr = 0.014 /yr
500 x 0.00001 /yr = 0.005 /yr +
Potential loss of life:  0.479 /yr

The potential loss of life from major incidents for an operation lasting 10 years is
thus 4.8 lives.
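The calculations of sections 4.2 and 4.3 on the Table 4.1 data, as an added example (not part of this standard). It goes slightly further than the text by checking whether two cumulative frequency graphs cross; OPTION_B and the fatality bands are constructed for illustration.

```python
"""Cumulative F/N points, PLL and a crossing check for cumulative frequency graphs."""

# (N potential fatalities, frequency of scenario per year), copied from Table 4.1.
TABLE_4_1 = [(1, 0.1), (10, 0.01), (50, 0.005),
             (100, 0.0001), (200, 0.00007), (500, 0.00001)]

# Constructed alternative: fewer large incidents, more small ones.
OPTION_B = [(1, 0.2), (10, 0.005), (50, 0.001)]


def cumulative_fn(scenarios):
    """Return [(N, frequency of N or more fatalities per year)], ascending in N."""
    per_level = {}
    for n, f in scenarios:
        if n < 0 or f < 0:
            raise ValueError("fatalities and frequencies must be non-negative")
        per_level[n] = per_level.get(n, 0.0) + f
    points, running = [], 0.0
    for n in sorted(per_level, reverse=True):   # accumulate from the largest N down
        running += per_level[n]
        points.append((n, running))
    return points[::-1]


def exceedance(points, n):
    """Frequency of n or more fatalities, read off the stepped curve."""
    for level, freq in points:
        if level >= n:
            return freq
    return 0.0


def pll(scenarios):
    """Potential loss of life per year: sum of N x frequency over all scenarios."""
    return sum(n * f for n, f in scenarios)


def pll_by_band(scenarios, bands):
    """Split the PLL over fatality ranges; a band is (low, high), high=None is open."""
    result = {}
    for low, high in bands:
        label = f"{low}+" if high is None else f"{low}-{high}"
        result[label] = sum(n * f for n, f in scenarios
                            if n >= low and (high is None or n <= high))
    return result


def compare_curves(option_a, option_b, tol=1e-12):
    """Say whether one cumulative frequency graph lies below the other everywhere."""
    curve_a, curve_b = cumulative_fn(option_a), cumulative_fn(option_b)
    # Step curves only change at their own N values, so checking those suffices.
    levels = sorted({n for n, _ in curve_a} | {n for n, _ in curve_b})
    a_higher = any(exceedance(curve_a, n) > exceedance(curve_b, n) + tol for n in levels)
    b_higher = any(exceedance(curve_b, n) > exceedance(curve_a, n) + tol for n in levels)
    if a_higher and b_higher:
        return "curves cross"
    if a_higher:
        return "b lower everywhere"
    if b_higher:
        return "a lower everywhere"
    return "identical"


if __name__ == "__main__":
    for n, freq in cumulative_fn(TABLE_4_1):
        print(f"N >= {n:3d}: {freq:.5f} /yr")
    print(f"PLL Table 4.1: {pll(TABLE_4_1):.3f} /yr, over 10 years {10 * pll(TABLE_4_1):.1f}")
    print(f"PLL option B : {pll(OPTION_B):.3f} /yr")
    print(compare_curves(TABLE_4_1, OPTION_B))
    print(pll_by_band(TABLE_4_1, [(1, 9), (10, 99), (100, None)]))
```
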

4.3.1 Presentation of PLL figures

In cases where it is essential to take the size of the incident into account the potential
loss for each range of fatalities can be displayed. In Figure 4.5 such a presentation is
made for the three development options given in Figure 4.4b. Note the clear
difference between the various options; this is hardly visible in Figure 4.4b.

Figure 4.5 Recommended form for presentation of potential loss of life where the
number of potential fatalities per outcome are grouped

The same type of bar chart can be used to highlight other aspects of the risk makeup.
For instance, it may be important to highlight the relative contributions of major,
transport and small work-related risk.

Whichever aspects of risk are highlighted, the end of the bars gives the same single
number, the overall PLL. This number is usually the PLL over all project phases and
all types of incidents, although, for specific studies, it may be limited to a single
project phase and to a single year in order to focus on a particular high risk source.
An example of a presentation of the overall PLL is given in Figure 4.6 which shows
the PLL split into types of risk.

Figure 4.6 Recommended form for presentation of overall potential loss of life

The PLL should be seen as a measure to compare the relative degree of 'safety'
expressed as potential loss of life for different developments. It cannot be used to
compare the degree of risks of different projects (see also 5.2). A further discussion
on the use of the various presentation forms is given in Chapter 5.

4.4 INDIVIDUAL RISK, OCCUPATIONAL RISK, FATAL ACCIDENT RATES (FARS)

Within the PETRONAS Group of Companies the term 'individual risk' is most often
used to present the risk to company and contractor individuals during their time spent
at work (this being the period when the company is able to bring influence to prevail
on the safety of the individual). Sometimes referred to as 'occupational risk' this type
of risk is also labelled Individual Risk (of death) Per Annum (IRPA).

IRPA is the probability that an individual is killed in any one calendar year by a
particular set of hazards. In literature this risk is expressed in many different ways, e.g.
annual risk of death, death rate, individual risk of death or individual risk, fatality
risk, etc. In practice, individuals can invariably be assigned to groups of people with
similar jobs, work patterns and exposure (for example, drilling crews and
maintenance).

The individual risk calculation takes account of the fact that people move from one
place to another.

A recommended presentation of individual risk for different alternatives to perform
an operation is given in Figure 4.7 below. This presentation form also gives the
possibility to show the main contributing causes. Note that the individual (in this case
a 'group') is clearly stated.

Figure 4.7 Recommended form for presenting individual risk

As was shown in 3.3 the risk of particular activities can also be expressed in the Fatal
Accident Rate (FAR). FAR is defined as the potential number of fatalities in a group
of people exposed for a specific time to the activity in question. In the PETRONAS
Group of Companies, the FAR is used as the number of fatalities per 100 million
exposure hours.

When presenting the comparison of development options the evaluation of risk to
humans shall be based on the potential loss of life over all project phases and all
personnel involved, in combination with the individual risk to highly exposed groups
of individuals.

4.5 RISK CONTOURS AND INDIVIDUAL RISK

In addition to providing estimates of risk to the public (refer to 4.1), risk contours are
sometimes used to estimate the risk to individuals (company and contractor) who are
involved in the company's activities.

The contours in Figure 4.8 for hazards 'A' and 'B' are used to explain the relation
between these contours, FAR and individual risk. In this example the risk is
calculated for a person working 200 days per year near the hazards. Per working day,
he spends one hour at location X and seven hours at location Y. The remainder of his
time is spent at location Z. It is assumed in the calculations that buildings and
obstacles do not provide protection against the hazards.

Figure 4.8 Risk contours from hazards 'A' and 'B'

The annual exposure is:

1 hour/workday at 'X'            = 200 hours/year
7 hours/workday at 'Y'           = 1400 hours/year
Remaining time at 'Z'            = 7160 hours/year
Total hours/year (24 hours/day)  = 8760 hours/year

The contours can be used to calculate the following risks:

Contour from A at X : 0.01 /year
Contour from A at Y : 0.0001 /year
Contour from A at Z : 0.00001 /year

Individual risk from A :
0.01 x 200/8760 +
0.0001 x 1400/8760 +
0.00001 x 7160/8760 = 0.00025 /year

Individual risk, work related only (Occupational risk):
from A : 0.01 x 200/8760 +
         0.0001 x 1400/8760 +
from B : 0.0001 x 200/8760 +
         0.001 x 1400/8760 = 0.00041 /year

FAR from work at location X:

100,000,000 x (0.01 + 0.0001)/8760 = 115

The risk to groups of people is discussed in Chapter 5; however, at this point it is
essential to emphasise again that the above risk is for one particular individual with a
specific working and living pattern.
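The worked example of this section as a reusable calculation, added here and not part of this standard. The contour values and hours are those quoted above; the function names are hypothetical. The page gives no contour value for hazard B at location Z, so a total individual risk from B cannot be formed and the code refuses to guess one.

```python
"""Individual risk, occupational risk and FAR from risk contours and a work pattern."""

HOURS_PER_YEAR = 8760

# Risk per year for a person permanently present at the location (section 4.5).
CONTOURS = {
    "A": {"X": 0.01, "Y": 0.0001, "Z": 0.00001},
    "B": {"X": 0.0001, "Y": 0.001},          # no value for B at Z on the page
}

# Hours per year spent at each location by the worker of the example.
SCHEDULE = {"X": 200, "Y": 1400, "Z": 7160}
WORK_LOCATIONS = ("X", "Y")


def check_schedule(hours):
    """A schedule for total individual risk must account for the whole year."""
    total = sum(hours.values())
    if total != HOURS_PER_YEAR:
        raise ValueError(f"schedule covers {total} h, expected {HOURS_PER_YEAR} h")


def individual_risk(contours, hours, hazards, locations):
    """Time-weighted sum of contour values over the given hazards and locations."""
    risk = 0.0
    for hazard in hazards:
        for location in locations:
            if location not in contours[hazard]:
                raise KeyError(f"no contour value for hazard {hazard} at {location}")
            risk += contours[hazard][location] * hours[location] / HOURS_PER_YEAR
    return risk


def far_at(contours, location, hazards):
    """Fatalities per 100 million exposure hours while present at one location."""
    return 1e8 * sum(contours[h][location] for h in hazards) / HOURS_PER_YEAR


if __name__ == "__main__":
    check_schedule(SCHEDULE)
    total_a = individual_risk(CONTOURS, SCHEDULE, ["A"], ["X", "Y", "Z"])
    occupational = individual_risk(CONTOURS, SCHEDULE, ["A", "B"], WORK_LOCATIONS)
    print(f"Individual risk from A     : {total_a:.5f} /year")
    print(f"Occupational risk, A and B : {occupational:.5f} /year")
    print(f"FAR from work at X         : {far_at(CONTOURS, 'X', ['A', 'B']):.0f}")
```
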

4.6 APPLICATION OF INDIVIDUAL RISK TO LARGE GROUPS

Statistics covering a large group of people are often used to derive numbers for risk
to a certain individual. This only has a meaning if all persons have a similar degree of
exposure to the risks considered.

In the example given in 4.5 for instance one could also consider the risk of all other
people working on the same site. If most of them work more remotely from the
sources of hazard, the average occupational risk for the other individuals is lower
than that for the person in the example. Risk acceptability considerations are
therefore often based on the person(s) that is (are) most at risk. Two examples of
published statistics, where confusion is created by averaging over large groups, are
given below:

In a text book on Loss Prevention the annual risk of death from floods in The
Netherlands is listed as 1 per 10 million. This figure seems to be based on the
expected annual number of fatalities divided by the entire population of The
Netherlands. As only a limited number of people are at risk (many parts of The
Netherlands will never flood) the individual risk for people living in the low parts of
the Netherlands is estimated to be a factor 100 greater than quoted.

In a paper on risk to the public from the chemical industry the number of fatalities
over the past years caused by this industry in Europe is divided by the entire
population of Europe. This yields a conveniently low annual risk of death to the
individual of 1.6 per 10 million. However, many people will not be exposed to this
risk while people living in the vicinity of chemical industries will be subjected to an
annual risk, which is orders of magnitude higher.

4.7 MONETARY RISK

Monetary risk can be presented as the probability of a particular loss (or range of
losses) occurring in a given period. The magnitude of the loss can be very important
as it may threaten the continuation of the business. This may be particularly relevant
for small companies. For the larger PETRONAS OPUs, it is difficult to envisage an
incident scenario with such high losses that the company would not be able to absorb
them. The Net Present Value (NPV) of the potential loss is therefore more relevant.
For a detailed description of discounting techniques reference is made to
PETRONAS Training manuals.

Simplification of the standard discounting and economic evaluation techniques is
recommended as the accuracy of the quantitative risk data is limited. Simplifying
assumptions are:

• constant prices for oil and gas

• inflation = price escalation

This makes it possible to perform a simple discounted cash flow analysis on a 'before
tax' basis and, where appropriate, on the more complex 'after tax' basis. As an
illustration the effect on the cash flow of the implementation of additional risk
reducing means is shown in Figure 4.9 below. In order to make a realistic comparison
it is essential that all changes in the cash flow of the various options are considered.

Figure 4.9 Effect on cash flow of risk reducing measures

Year   Capex   Opex   Revenues   Cash flow
1      ++      0      0          --
2      -       +      +          +/-
3      -       +      +          +/-
...    -       +      +          +/-

++ major increase
+  increase
-  decrease
-- major decrease

In the first year there will be a significant capital expenditure for implementing the
means. Assuming that the measure is effective from the second year onwards the
Capex in this year should be lower (usually negative) to reflect the fact that capital
losses are reduced by the risk reducing means. The decrease is given by:

where:

n = number of incident scenarios considered
Fi = Frequency of incident 'i'
Fj = Frequency of incident after implementation of safety measure
Ci = Financial loss of incident 'i'
Cj = Financial loss of incident after implementation of safety measure

The Opex is increased in order to reflect the cost of maintaining the risk reducing
means.

The revenues increase as the production losses decrease. The loss reduction can again
be calculated with the above formula. It is important, depending on the length of the
project, to determine whether production losses are deferred (to be recovered later) or
'lost' (impossible to recover) so that the correct monetary value can be assigned to
them.

The effect on the overall cash flow depends on the relative magnitude of the
variations in Capex, Opex and Revenues.

The NPV of the implementation of the additional safety means can now be derived
by discounting the cash flows of the projects before and after implementation.
Alternatively the implementation can be seen as an incremental project and the
incremental cash flow can be discounted.

The discount rate to be used in this type of evaluation is open to debate. The
minimum rate to be used is the net interest that can be obtained for a risk free
investment. Other possibilities are to use the average rate of return on investments in
the company or the normal project screening rate. The latter one is usually higher
than the other rates. This makes it unattractive to invest in risk reducing means as the
future benefits are heavily discounted. Potential measures to reduce risk may be seen
as an optimisation exercise.

In the Economics Guidelines it is recommended to use the 'cost of capital' as the
discount rate for all project internal optimisations, provided that the overall project
remains robust in terms of corporate screening criteria.

4.8 ENVIRONMENTAL DAMAGE FROM INCIDENTS

The total damage to the environment from accidental spills and emissions is difficult
to quantify. However, some aspects such as the costs of clean up, compensation
claims and fines for spills can be estimated and should be included in the cost
estimates of the consequences. Models are under development for the ranking of
relative environmental effects. PETRONAS CHSE should be consulted for further
advice. A number of smaller incidents over a long time period do not necessarily
have the same effect as a single large incident.

4.9 LESS TANGIBLE ASPECTS

Incidents which could result in large loss of life, environmental impact and/or assets
are likely to incur indirect, less tangible as well as direct consequences. These less
tangible consequences could include:

• loss of reputation and business for both the Opco and for the Group.

• more stringent (prescriptive) legislation as a consequence of the accident.

• possible compensation claims, fines, etc

• higher insurance premiums

• taxes

If these are not taken into account in the risk assessment, then it is possible that gross
under-estimation of the potential consequences could occur leading to non-optimal
decisions. Specialist advice may need to be sought on how best to address these
issues within the QRA.

Presentation of these less tangible consequences should be done by listing the
frequency of the critical incident scenarios with a description of their possible
consequences. In addition, whilst it is recognised that quantification will be
subjective and inaccurate, it is recommended that sensitivity runs are made using best
estimates of the less tangible consequences. Management can then explicitly include
these considerations in the final decision making process.

5. YARDSTICKS TO ASSESS RISK TO PEOPLE

5.1 INDIVIDUAL RISK

An assessment of the tolerability of risk requires information on the risk of other
activities and how these risks are perceived by workers and the public. Many studies
have recently been performed by scientific institutions to define levels of risk that are
considered either 'negligible' or 'intolerable'. These levels of risk are usually given for
the individual risk of death to the most exposed persons.

In the studies on the tolerability of risk a distinction is made between voluntary risk,
for example from leisure time activities, risk from natural hazards such as storms,
floods, earthquakes, risk from terminal diseases and work-related risk. Digesting all
this information, one readily comes to the conclusion that the workplace often does not
present the highest risk to an individual.

The company is concerned about some of our employees being involved in hazardous
recreational and household activities and having unhealthy habits. Employees are
stimulated to live in a healthier and safety conscious manner, but the company has no
right or wish to interfere with their private lives. Also, the company cannot divert
natural disasters. The discussion will therefore concentrate on the risk to people from
their daily work. This is the area where the company is responsible for controlling the
risk.

An important reference in this context is a report on Risk Assessment by the Royal
Society Study Group, 1983 (Ref. 3). After a careful evaluation of many types of risk
they come to the following conclusion:

'While it is clearly not possible to set single quantitative guidelines on risk
acceptability, some broad indicators of the current position can be noted. If the
average expectation of life is 70 to 75 years, then the imposition of a continuing
annual risk of death to the individual of 0.01 seems unacceptable. At 0.001 it may not
be totally unacceptable if the individual knows of the situation, enjoys some
commensurate benefit, and everything reasonable has been done to reduce the risk.
At the other extreme, there are levels of assumed risk so low that the manager or
regulator can regard them as trivial. The Study Group judges this figure to be
commonly about one in a million. It might, in some circumstances, be ten times less
and an annual risk ten times as great in travelling by train does not cause the ordinary
traveller any concern.'

A more recent publication (Ref. 10) (December 1987) by the UK Health and Safety
Executive on the tolerability of risk from nuclear power stations deals also with
general risk acceptance criteria. They present the following table:

Table 5.1 Levels of fatal risk (UK, average figures, approximated) per annum

1 in 1000         risk of death in high risk groups within relatively risky industries
                  such as mining
1 in 10,000       general risk of death in a traffic accident
1 in 100,000      risk of death in an incident at work in the very safest parts of
                  industry
1 in 1 million    general risk of death in a fire or explosion from gas at home
1 in 10 million   risk of death by lightning

In the discussion on tolerable risks the UK HSE OSD concludes for workers:
'Broadly, a risk of death of 1 in 1000 per annum is about the most that is ordinarily
accepted under modern conditions for workers in the UK (see Table 5.1) and it seems
reasonable to adopt it as the dividing line between what is just tolerable and what is
intolerable.'

For risk to members of the public it is concluded that:

'...the maximum level that we should be prepared to tolerate for any individual
member of the public from any large-scale industrial hazard should not be less than
ten times lower, i.e. 1 in 10,000.'

and:
'...we must now consider what might be a broadly acceptable risk to an individual of
dying from some particular cause, i.e. what is the level of risk below which, so long
as precautions are maintained, it would not be reasonable to insist on expensive
further improvements to standards. This level might be taken to be 1 in a million per
annum bearing in mind the very small addition this would involve to the ordinary
risks of life.'

The above views on individual risk to workers are recommended as guidance for the
assessment of acceptability of risk. The views on risk to the public seem more
appropriate for a regulatory body than for PETRONAS. The benefits to members of
the public from PETRONAS Group of Companies' activities that expose them to risk
are very limited. In general it can be stated that risk without benefit is not acceptable.
A further discussion on risk to members of the public is given in 5.3.

The individual risk levels for workers mentioned above usually lead to a 'risk region
approach' (see Figure 5.1). In the lower region the risk is considered negligible
provided normal precautions are maintained (individual risk of death less than 1 in a
million per annum); many areas can be found in the Oil and Gas and Petrochemical
operations where money can be spent more effectively to improve safety. The upper
region (annual risk greater than 1 in 1000) represents an intolerable risk level. In the
area in-between, the so called ALARP region, decisions will have to be based on a
balance between business and safety objectives. A further narrowing of this band
follows from PETRONAS's declared objective to be among the leaders in the
industry in HSE.

The average individual fatality risk per annum from work related incidents,
calculated from actual fatalities and exposure hours over the years 1989 to 1993, is
given in Table 5.2. The level of risk over this period has not changed significantly
compared to the period 1985 to 1989.

Table 5.2 Average Individual Fatality Risk in PETRONAS per year from work
related incidents (to be replaced with new info)

The average individual risk has been estimated from (n x 1760)/h where n equals
number of fatalities in period, h equals number of man-hours worked in period and
1760 is the approximate number of man-hours worked per man year.

The figures represent averages over a large group; within each of the groups there
will be people with higher or lower risk than this average. Figure 5.2 provides a
subdivision over on- and offshore incidents and the types of incident.

The fatal incident data, in combination with the statements by management, provide a
clear indication that work related individual risk in the range of 1 fatality in 1000
man-years to 1 fatality in 10,000 man-years is considered too high.

In the area in-between negligible and intolerable a decision on the most appropriate
way to proceed can only be made when all alternative ways to perform the activity
have been considered. Specific features of the alternatives such as their effectiveness
to improve safety, economic viability, effects on future business and image, etc.
should be considered in the decision making process. A yardstick to measure cost
effectiveness of safety measures is given in 5.5.

Relatively high risk levels may be tolerated if effective alternatives to operate more
safely cannot be identified.

The risk of flying helicopters is an example of this principle. Alternative means of
offshore transport in harsh environments with a significantly lower risk cannot be
identified. For an offshore worker the risk of death contribution from flying
helicopters can vary from say 1 in 10,000 per year for permanent platform personnel
to 5 in 10,000 per year when shuttling between platforms takes place. This is a level
that seems intolerable for future operations and continued efforts through improved
procedures and journey management to reduce the level of exposure are essential. In
many areas, e.g. the North Sea, continuation of helicopter flying at the present risk
levels is only tolerable because there are no safer alternatives. A balance between
business and safety objectives is hardly relevant in this case.

Reduction of risk to negligible levels, or even below this, may be desirable if the cost
is low and if the risk reduction measure provides the only safeguard against a certain
hazard.

The level of risk considered tolerable in the middle band where the balance has to be
made up, depends to a certain extent on the degree of difficulty to make further
improvements. This is reflected in the often quoted ALARP principle; any risk must
be reduced so far as reasonably practicable or to a level which is 'as low as
reasonably practicable' (ALARP) (see also 5.6).

5.2 GROUP RISK

On the risk of death to groups of people the Royal Society concludes:

'Catastrophic accidents, killing or injuring many people as the result of one event,
have little influence on the level of individual risk but have a disproportionate effect
on the response of society. There is a clear desire to ensure that large accidents have
a more than proportionately lower probability than small ones but firm
relationships between size and probability have yet to emerge as indicators either of
unacceptability or of triviality.'

The above mentioned desire seems justified when it concerns risk to large groups of
members of the public. In PETRONAS Group of Companies’ operations, the people
at risk are usually restricted to the workers while the number of fatalities from one
incident may be small (or strictly limited to the workforce). Furthermore, the
managements of PETRONAS Group of Companies are not only driven by the
response of the society (and the press), but also by the responsibility assumed for
employees and their relatives. Several smaller incidents (say 10 incidents with 1
fatality each) may therefore receive similar attention as one larger incident (e.g. 1
incident with 10 fatalities).

It is therefore quite usual in PETRONAS Group of Companies to base decisions on
the overall potential for loss of life (PLL) from small and large incidents together.
However, PLL is not in itself a yardstick for making judgements regarding levels of
risk as it is heavily dependent on the specific characteristics of the particular
installation (number of personnel, etc). A large manned integrated installation in the
North Sea, for instance will have a far higher PLL than a small bridge-linked or
integrated platform in the South China Sea, although the risks to individuals may be
the same. PLL shall only be used for the comparison of risk levels between options
for the same project.

5.3 RISK TO MEMBERS OF THE PUBLIC

The perception of risk by the public may differ drastically from that of a company
or regulatory body. Although a risk level of 1 in a million per annum may be
acceptable to the public in general, the exposed persons may find it totally
unacceptable. For example the calculated risk to the public from an H2S release at a
specific distance still means that if there is a release under stable weather conditions
and the wind is in their direction they can be killed instantly. The maximum effect
distance may therefore in many cases be a more suitable yardstick, i.e. ensure that the
distance to the public is such that they can never be injured permanently. Individual
risk to members of the public may have to be considered if this is impossible.

The criterion mentioned by the UK Health and Safety Executive for tolerability of
risk to the public of 1 in 10,000 (see 5.1) is not consistent with our own criteria for
personnel. As stated above, this level is considered too high for PETRONAS
personnel. The appropriate upper figure for the public at large that does not receive
direct benefits from the operations of PETRONAS Group of Companies should be
set lower, e.g. 1 fatality per 100,000 or 1,000,000 exposed people per year. In order
to set the level of risk to the public which might be considered negligible it should be
realised that the public at large probably expects a better performance from
PETRONAS than from a small company. Conversely, PETRONAS Group of
Companies want to protect themselves from undue criticism by the public. Further, it
can be expected that a major incident in a similar operation in any part of the world
will change the views of the public: initially tolerable risk levels may then become
totally unacceptable. For these reasons it is suggested to set the 'negligible' level of
risk to the public at one fatality per 100 million exposed people per year.

5.4 LEGISLATION

Safety legislation has changed over the years, the changes being accelerated as a
result of public enquiries into several major incidents. Offshore the main incidents
affecting legislation have been the capsize of the Sea Gem jack-up in December 1965
(UK), Ekofisk Bravo blowout in April 1977 (Norway), capsize of the Alexander
Kielland semi-submersible in March 1980 (Norway), sinking of the Ocean Ranger in
February 1982 (Canada) and the Piper Alpha disaster in July 1988 (UK). Onshore,
the incidents having the largest impact on regulations have been the Flixborough
explosion in June 1974 (UK), the Seveso toxic chemical release in July 1976
(Italy) and the Bhopal incident in December 1984 (India).

Since Piper Alpha, there has been an increasing trend amongst governments and
regulatory bodies towards self-regulation and goal setting rather than prescriptive
legislation. This approach requires companies to think through safety problems by
identifying hazards and methods for their prevention and mitigation and encourages
innovation. There are still, however, wide differences in approach and pace of
change.

5.5 IMPLIED COST TO AVERT A FATALITY (ICAF OR CAF)

5.5.1 Discussion of ICAF

QRA enables a better understanding of the relative risks associated with options
being considered. Where risk is measured in terms of potential loss of life, perhaps in
combination with individual risk, then a measure of the relative safety of each option
is derived. Each option will also have an economic value attached to it. When the
safest option is much more expensive than the less safe option it is necessary to
gauge the relative worth of each. While no amount of money can compensate for the
loss of life it would be unrealistic to assume that an investment aimed at the potential
reduction of loss of life must be made regardless of the size of that investment.

Implicit in such evaluations is the fact that one is gauging the relative costs to avert a
potential fatality as the logic applied is:

Cost of measures = Potential saving of life x Cost per potential life saved.

The cost per potential life saved is referred to as Implied Cost to Avert a Fatality,
ICAF.

Discussion on this subject can be emotive and care must be taken to provide a
detailed explanation as to why it is necessary to venture into this seemingly sensitive
area of option evaluation. Experience within the group is that derivation of ICAF
achieves not only a ranking of improvement options but also provides a spur to the
creative development of yet safer and more economic options.

5.5.2 A global view of ICAF

The assessment of value shows widely differing figures varying from US $100 per
life saved by vaccination programmes in Third World countries to well over US $10
million per life saved in certain risky professions. Extensive information on this
subject can be found in Data Sheet 53 (Ref. 11). The data sheet shows that there is in
general a willingness to pay more to avert a fatality when the individual risk is high,
than when the risk is low. Examples are given in Table 5.3 below.

Table 5.3 Money spent (in US $'000) to save one human life

Medical care                            Traffic
Intestinal cancer              20       Road maintenance                    20
Lung cancer                    70       Traffic signs & crash barriers      34
Heart attack ambulance         80       UK transport safety policy        1000
Kidney dialysis               200       Bicycle wheel reflectors          2000

Third World:                            Industry:
Immunisation                  0.1       Desulphurisation power station     500
Food aid                        5       Shielding nuclear reactors        7000
                                        Avoiding vinyl chloride exposure  7500

5.5.3 Application of ICAF within EP

Some companies use the cost for avoidance of a fatality as a basic criterion.
However, they only apply it if the risk to personnel is below a specific threshold
value, e.g. probability of an incident with 1-5 fatalities should be less than 1 in
10,000. Values between £300,000 and £2 million to avert a fatality are mentioned
(Ref. 12).

PETRONAS Group of Companies do not express the value of life in monetary terms.
QRAs usually lead to clear recommendations without this valuation. Also, for risk
reduction measures which are relatively inexpensive, costs to avert fatality
calculations can be misleading. A very cheap measure which may have HSE benefits
but not significantly reduce fatality risk may have a very high ICAF and hence be
rejected whilst common sense would dictate that it should be done (e.g. bicycle
wheel reflectors, Table 5.3).

Nevertheless, to assess the effectiveness of expensive safety measures, it is
recommended to calculate and compare the amount spent to avert a fatality. This
calculation should take account of the fact that measures to reduce risk to people are
also likely to reduce the potential loss of assets and production. Sensitivity
calculations should also be carried out in which the less tangible or indirect costs
(such as tax) are also included if thought to be significant (see also 4.7). The net cost
of the safety measures is therefore reduced:

Net cost of measures = Cost of measures - Reductions in PV loss of assets and production

and:

Net cost of measures = Potential fatalities averted x ICAF

In cases where the cost to avert a fatality seems prohibitive it should be verified
whether all hazards and all incident types have been considered. Dependent on the
cost of labour and the fatal accident rate for the specific type of activity a potential
loss of 1 fatality per US $50 to 100 million expenditure in the Oil and Gas and
Petrochemical industries is estimated. In other words: it is difficult to justify
expenditure of more than this amount per fatality averted as this would only result in
a shift of the risk to another location.

For expensive safety measures it is therefore suggested to calculate the cost to avert a
fatality. However, if high values are found this should not necessarily lead to
acceptance of the status quo. It should be used as a stimulus to develop more
innovative and cost effective safety measures.

For comparison of the effectiveness of alternative safety improvements the cost to
avert a fatality is a very suitable yardstick. However, some people may not readily
accept this way of presentation of effectiveness. Especially for presentations to a
larger audience or outside the company it is recommended to avoid its use without a
detailed explanation.
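
The ICAF comparison described in 5.5.3, worked through in Python as an added example (it is not part of the PTS). The option figures, the 10% discount rate, the 11-year life, the cash-flow timing, the undiscounted fatality count and the INEXPENSIVE_USD threshold are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# Upper end of the US$50-100 million per fatality range quoted in 5.5.3, above
# which further spending is said only to shift the risk to another location.
SHIFT_CEILING_USD = 100_000_000
# Hypothetical threshold for a "relatively inexpensive" measure (assumption).
INEXPENSIVE_USD = 100_000


@dataclass
class Option:
    name: str
    cost: float            # cost of the measure, US$, spent in year 1
    pll_reduction: float   # potential fatalities averted per year once effective
    loss_reduction: float  # avoided asset + production loss per year, US$


def pv_of_annual(amount, rate, life_years):
    """Present value of a constant annual amount in years 2..life_years.

    Assumption: the measure is effective from the second year onwards and
    year t is discounted by (1 + rate) ** (t - 1).
    """
    return sum(amount / (1 + rate) ** (t - 1) for t in range(2, life_years + 1))


def evaluate(opt, rate, life_years):
    """Net cost, fatalities averted, ICAF and review flags for one option."""
    # Net cost of measures = Cost of measures - Reductions in PV loss
    net_cost = opt.cost - pv_of_annual(opt.loss_reduction, rate, life_years)
    # Assumption: fatalities averted are summed over effective years, undiscounted.
    averted = opt.pll_reduction * (life_years - 1)
    # Net cost of measures = Potential fatalities averted x ICAF
    icaf = net_cost / averted if averted > 0 else math.inf

    flags = []
    if net_cost <= 0:
        flags.append("pays-for-itself")            # avoided losses cover the cost
    if averted <= 0:
        flags.append("no-fatality-reduction")      # ICAF is not a usable yardstick
    elif icaf > SHIFT_CEILING_USD:
        flags.append("above-ceiling")              # re-check hazards considered
        if opt.cost <= INEXPENSIVE_USD:
            flags.append("inexpensive-high-icaf")  # the bicycle-reflector caveat
    return {"name": opt.name, "net_cost": net_cost, "averted": averted,
            "icaf": icaf, "flags": flags}


def rank(options, rate, life_years):
    """Evaluate all options and order them by ICAF, most cost effective first."""
    return sorted((evaluate(o, rate, life_years) for o in options),
                  key=lambda r: r["icaf"])


# Constructed sample options (not data from the standard).
OPTIONS = [
    Option("A", 20_000_000, 0.01, 1_000_000),  # expensive, modest PLL benefit
    Option("B", 5_000_000, 0.02, 500_000),     # mid-cost, larger PLL benefit
    Option("C", 2_000_000, 0.005, 400_000),    # recovers its cost from avoided loss
    Option("D", 20_000, 0.00001, 0),           # very cheap, tiny PLL benefit
]

if __name__ == "__main__":
    for r in rank(OPTIONS, rate=0.10, life_years=11):
        print(f"{r['name']:<4}{r['net_cost']:>16,.0f}{r['icaf']:>18,.0f}  "
              f"{', '.join(r['flags'])}")
```

Option D shows why the text warns against applying ICAF to inexpensive measures: its ICAF is the highest of the four although its cost is trivial.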

5.5.4 ICAF guidance

The use of the cost to avert a fatality as a rigid and absolute yardstick should be
avoided. There is no amount of money that can compensate for the loss of life.

The table below provides some guidance to using the cost to avert a fatality in
decision making; however, its use shall always be preceded by careful explanations
as highlighted in this chapter.

Cost to avert a fatality   Assessment
(in US $)
0                          Highly effective; always implement
10,000                     Effective; always implement
100,000                    Effective; implement unless individual risk is negligible
1,000,000                  Consider; effective if individual risk levels are high
10,000,000                 Consider at high individual risk levels or when there are
                           other benefits
100,000,000                Ineffective
1,000,000,000

5.6 DEMONSTRATION OF ALARP

As discussed above, for operations which have risk levels in the tolerable area
between intolerable and negligible, it is necessary to ensure that risk levels have been
reduced to ALARP (as low as reasonably practicable). A hierarchy of evidence from
qualitative to quantitative can be used to demonstrate that ALARP has been achieved
as listed below (Refs. 10, 13 and 14):

• Engineering judgement

• Screening consequence and probability analysis

• QRA

• QRA with cost benefit analysis.

All these approaches can be used to support decisions regarding the need for both
minor and major improvements. For example, under 'engineering judgement' for well
understood problems, existing codes and standards and previous experience will
usually be sufficient to demonstrate the safety of a particular design. Where there is
an installation which essentially mirrors another on which a recent analysis has
demonstrated ALARP, there should be no need to repeat the detailed analysis for the
second installation. Consequence analysis has sometimes been used as a means to
establish whether or not an event of significant consequence can occur for the
situation under review. For instance, a riser failure consequence analysis alone may
show that under no circumstances will a jet fire give rise to failure of the temporary
refuge, the installation structure or be a source of escalation to other significant
hydrocarbon inventories. This alone should be sufficient to demonstrate that the
current system is ALARP in this example.

For cases which are not so straightforward, QRA will be required to assist in the
demonstration of ALARP. In cases where the cost differences between the options are
low, or where the least risk option is also the most attractive for other reasons
(economics, etc), and it can be shown that all technically feasible options have been
studied, then the QRA study itself will be sufficient to demonstrate ALARP. All of
the options considered should, of course, be documented. However, in cases where
the least risk option is very expensive, some form of cost benefit analysis will be
necessary to demonstrate that ALARP has been achieved (see 5.5).

The following series of plots could be useful to illustrate the demonstration of
ALARP:

Figure 5.3 Demonstration of ALARP by ranking PLL of options

In this example, options for modification to the facilities layout are being studied and
their effect on PLL plotted. For this particular example, more of the options have a
bearing on the PLL due to immediate hydrocarbon release, small work and
helicopter-related events. Such a plot provides an overview of the overall benefits per
option.

Figure 5.4 Demonstration of ALARP by ranking PLL of options and plotting cost
of further risk reduction

This plot provides an overview of the incremental costs for incremental benefits in
PLL. The ICAF per option can be readily calculated and plotted as shown in Figure
5.5.

Note: The 'as is' situation is used as the basis.

This plot may be necessary to show the reduction in IRPA for each option. This is
particularly useful when the IRPA levels for certain groups are felt to be in or near the intolerable region.

5.7 GUIDANCE FOR DECISION MAKING

A suggested decision-making flow scheme is given in Figure 5.7. The risk
tolerability levels including ALARP levels are pre-determined dependent on
activities, environment, etc.

The information given in the previous sections is summarised below as guidance in
the decision-making process. This information should not be considered as rigid
criteria. It remains the responsibility of management to make a final assessment of
the risks, taking due account of the activities, environment and sensitivities as well as
keeping in mind the accuracy of the results and deciding on the means and measures
needed to safely perform activities.

5.7.1 Individual risk of workers

The following summarises the action to be taken dependent on the level of individual
risk (IRPA) to the most exposed workers:

Individual risk (per annum)   Assessment
IRPA
Above 1 in 1000               Intolerable, fundamental improvements needed.
1 in 1000                     Too high, significant effort required to improve
1 in 10,000                   High, investigate alternatives
1 in 100,000                  Low, consider cost effective alternatives
1 in 1,000,000                Negligible, maintain normal precautions
1 in 10,000,000               Negligible, maintain normal precautions

6. THE USE OF QRA RESULTS

Review of the results of the previous steps will identify the main contributors to the
overall risk. Measures to reduce the overall risk can be developed and their
effectiveness can be analysed. QRA thus assists in the identification of new
alternatives. These can then be assessed together with the alternatives considered
from the outset of the study, resulting in an indication of the relative safety and cost
effectiveness of the alternatives.

An alternative with an optimum performance on both safety and economics is
desirable, and indeed many studies show that such an option can be found.
When no further effective safety improvements can be identified a decision will have
to be made regarding tolerability of the calculated risk level and whether or not
ALARP has been achieved. The previous chapter provides guidance to assess this
tolerability.

Validity and accuracy of QRA results are usually not questioned in studies where
cost effective safety improvements are found and when the conclusions agree with
sound engineering judgement. However, when the safest option can only be achieved
at considerable expense the QRA results are questioned. A further discussion on the
applicability of QRA results is therefore given in the following paragraphs of this
chapter.

6.1 VALIDITY OF RESULTS

Safety awareness and system understanding, motivation, maintenance workmanship,
etc will affect the likelihood of all incidents. Line management plays a key role in
controlling these factors. However, the probability data (based on historical data and
experience) used in the Fault and Event Tree analysis represent an average (HSE)
management quality. QRA results should be interpreted in this light. A low
calculated expected loss figure should not lead to complacency; actual loss may be
much higher if HSE management relaxes. Conversely, there is no reason for despair
if ambitious targets to reduce, possibly even eliminate, incidents seem impossible to
meet; strict management and control of the operation can eliminate incidents.

6.2 HUMAN FACTORS

Most, if not all, incidents in the Oil and Gas and Petrochemical industries are not
only the result of technical failure but of a combination of human errors, coincidence
of events and circumstances, and equipment failure (all of which can be tolerable
when occurring in isolation). Human error also plays a key role in equipment failure,
e.g. errors during specification, design, fabrication, installation, etc. It is further noted
that major incidents may have similar causes as minor 'trivial' incidents.

A number of areas have been identified where human factor aspects need to be
addressed in QRA and related studies. These include incident initiation and
mitigation and escape, evacuation and rescue. Where these areas are modelled in the
QRA, they should be investigated to identify if there are any hazards which are only
prevented from becoming significant risks by procedural and software measures.
Where there is potential for escalation as a result of human action or non-action and
this is safety critical, these activities should be identified and assessed such that risks
associated with human failures are ALARP. Quantitative analysis should only be
done if qualitative analysis does not satisfactorily resolve such aspects.

Various approaches to human reliability analysis exist, from engineering-type
approaches (rather like cause-consequence analysis) to structured expert judgement
techniques. Although to date there is limited experience in PETRONAS Group of
Companies with the quantitative assessment of human error, it does appear to be a
technique with some potential in carefully selected applications.

6.3 ACCURACY OF RISK QUANTIFICATION

The accuracy of a thoroughly performed QRA is usually accepted to be plus or minus
one order of magnitude. Uncertainties are introduced mainly by the estimation of
probabilities and frequencies and, to a lesser degree, by estimating effects and
consequences. Failure probabilities are usually estimated from historical data
collected from widely differing operations with different conditions, maintenance and
management. Estimates for the operation being analysed can be factored up and
down in accordance with the perceived differences provided sufficient objective
evidence exists to justify the change in data. The logic used should be thoroughly
documented and any concern regarding the validity of the data highlighted in the
report.

Probabilistic data obtained from experts have the same problem. They are usually
based on experience gathered under different circumstances and also need careful
review.

The accuracy of the probabilistic estimates also depends on the population size from
which the statistics are drawn. Data on frequent occurrences usually results in more
accurate estimates than data on rare events. The calculated risk from major incidents
with a low probability is therefore in principle less accurate than the risk from small
work and transport related incidents calculated from FARs and exposure hours.
However, it should be mentioned that there is much room for improvement in the
available FAR data.

Inaccuracy and dependence on probabilistic data obtained from a subjective
interpretation of data and experience by experts are often mentioned as arguments
against the use of QRA. Although it cannot be denied that some subjectivity is
introduced at this stage, the QRA is considered the best means to substantiate and
document this and to make it possible to communicate between the various experts.
The numbers agreed between the experts will present the best knowledge available
and decisions based thereon will generally be better than those based on the overall
subjective assessment of one person.

Errors of much more than one order of magnitude can occur due to errors and
omissions in the fault- and event-tree analysis. In particular, erroneous assumptions
regarding the mutual dependence of events can result in errors of two or three orders
of magnitude (examples of this are given in Appendix II). A competent risk analyst
can avoid these errors. Omission of particular events that affect the development of an
incident can only be identified by experts who are fully familiar with the type of
operation. Efficient co-operation between various groups of experts is a prerequisite
for meaningful risk assessment.
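The dependence error described above can be reproduced on a very small fault tree. The following is an added example, not taken from PTS 60.2210 or its Appendix II: the tree layout, the event names and the probabilities are constructed, and the basic events themselves are assumed independent. It compares gate-by-gate arithmetic that assumes independence with an exact evaluation in which a shared support system is counted only once.

```python
from itertools import product
from math import log10

# A tree node is ("basic", name) or (gate, [children]) with gate "and" / "or".
# Constructed layout: two redundant shutdown trains, each defeated either by
# its own valve sticking or by loss of a shared instrument-air supply.
TREE = ("and", [
    ("or", [("basic", "valve_a"), ("basic", "instrument_air")]),
    ("or", [("basic", "valve_b"), ("basic", "instrument_air")]),
])
# Constructed failure-on-demand probabilities, not data from the standard.
P = {"valve_a": 1e-3, "valve_b": 1e-3, "instrument_air": 1e-3}


def naive_probability(node, p):
    """Gate-by-gate arithmetic that treats all inputs of a gate as independent."""
    kind, payload = node
    if kind == "basic":
        return p[payload]
    inputs = [naive_probability(child, p) for child in payload]
    if kind == "and":
        result = 1.0
        for q in inputs:
            result *= q
        return result
    if kind == "or":
        none_fail = 1.0
        for q in inputs:
            none_fail *= 1.0 - q
        return 1.0 - none_fail
    raise ValueError(f"unknown gate {kind!r}")


def occurs(node, state):
    """True if the node's event occurs for one assignment of basic events."""
    kind, payload = node
    if kind == "basic":
        return state[payload]
    if kind == "and":
        return all(occurs(child, state) for child in payload)
    if kind == "or":
        return any(occurs(child, state) for child in payload)
    raise ValueError(f"unknown gate {kind!r}")


def exact_probability(node, p):
    """Sum the probability of every basic-event state that gives the top event.

    Each basic event is set once per state, so an event that feeds several
    branches is handled correctly. Cost is 2**len(p), fine for small trees.
    """
    names = sorted(p)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if occurs(node, state):
            weight = 1.0
            for name in names:
                weight *= p[name] if state[name] else 1.0 - p[name]
            total += weight
    return total


def underestimate_orders(node, p):
    """log10(exact / naive); positive when the shortcut understates the risk."""
    return log10(exact_probability(node, p) / naive_probability(node, p))


if __name__ == "__main__":
    print(f"independence assumed : {naive_probability(TREE, P):.3e}")
    print(f"shared event honoured: {exact_probability(TREE, P):.3e}")
    print(f"understated by {underestimate_orders(TREE, P):.1f} orders of magnitude")
```

With these constructed inputs the shared instrument-air failure dominates the top event, and the independence shortcut understates it by between two and three orders of magnitude.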

An analysis to check the sensitivity to variations in the assumptions made is
recommended in order to provide an indication of the criticality of the input data. A
more detailed analysis on the most critical data can improve the confidence in the
results.

When QRA is used for comparison of options the inaccuracies are less important. A
review of the analysis quickly identifies the (usually few) dominating parameters that
can change a decision in favour of one of the alternatives and the probability required
to effect this change. An opinion whether such a probability falls in line with
reasonable expectations can then be obtained from experts familiar with the type of
operation (see also 2.2).
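The review described above can be automated for a simple comparison. The following is an added example, not part of PTS 60.2210: the two options (integral versus bridge-linked accommodation), the risk model and every number are constructed for illustration. For each input it computes the value at which the ranking of the options would reverse, and reports the inputs whose switch-over value lies within one order of magnitude of the base estimate.

```python
# Constructed base-case inputs; none of these figures come from the standard.
BASE = {
    "leak_freq": 1e-2,         # process leaks per year
    "p_ignition": 0.1,         # probability that a leak ignites
    "p_reach_integral": 0.3,   # fire reaches quarters, integral platform
    "p_reach_bridge": 0.03,    # fire reaches quarters, bridge-linked platform
    "pll_extra_bridge": 3e-4,  # added installation/transfer PLL per year
}
N_PROCESS_AREA = 2   # assumed fatalities near the fire
N_QUARTERS = 20      # assumed fatalities if the fire reaches the quarters


def pll_integral(x):
    """Potential loss of life per year, accommodation on the process platform."""
    fire_freq = x["leak_freq"] * x["p_ignition"]
    return fire_freq * (N_PROCESS_AREA + x["p_reach_integral"] * N_QUARTERS)


def pll_bridge(x):
    """Potential loss of life per year, separate bridge-linked accommodation."""
    fire_freq = x["leak_freq"] * x["p_ignition"]
    escalation = N_PROCESS_AREA + x["p_reach_bridge"] * N_QUARTERS
    return fire_freq * escalation + x["pll_extra_bridge"]


def margin(x):
    """PLL(integral) - PLL(bridge); positive means bridge-linked is lower."""
    return pll_integral(x) - pll_bridge(x)


def switch_over(name, base=BASE):
    """Value of one input at which both options have equal PLL.

    All other inputs stay at their base values. An event-tree PLL is affine in
    any single frequency or branch probability, so two evaluations of the
    margin define the straight line. Returns None if the input has no effect.
    """
    x0 = base[name]
    m0 = margin(base)
    m1 = margin({**base, name: 2.0 * x0})
    slope = (m1 - m0) / x0
    if slope == 0.0:
        return None
    return x0 - m0 / slope


def dominating_inputs(base=BASE, band=10.0):
    """Inputs that reverse the ranking within a factor `band` of their base value."""
    found = {}
    for name, x0 in base.items():
        value = switch_over(name, base)
        if value is None or value <= 0.0:
            continue
        if name.startswith("p_") and value > 1.0:
            continue  # not a valid probability
        factor = value / x0
        if 1.0 / band <= factor <= band:
            found[name] = (value, factor)
    return found


if __name__ == "__main__":
    print(f"base margin: {margin(BASE):.2e} per year in favour of bridge-linked")
    for name, (value, factor) in dominating_inputs().items():
        print(f"{name}: ranking reverses at {value:.3g} ({factor:.2f} x base)")
```

Here only the two escalation probabilities can reverse the decision within the accuracy band; the leak frequency and ignition probability are common to both options and would have to be wrong by more than a factor of ten. The switch-over values are what would be put to experts familiar with the operation.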

6.4 COMPLETENESS AND LEVEL OF DETAIL OF QRA

A QRA can only result in meaningful recommendations if all types of risks to
personnel and resources during all relevant project phases have been addressed. This
may sound rather obvious; however, the examples provided in Appendix IV show the
need for this statement. Some examples of factors that should not be overlooked are:

• risk during installation, commissioning and abandonment

• transport risk of operations and maintenance personnel

• the effects of safety devices on production availability (e.g. shutdowns for testing,
reduced loss due to prevention of escalation of incidents)

• increased risk from risk reducing measures (e.g. additional maintenance,
protection against impact or heat may prevent maintenance and inspection or
increase risk of these operations)

Not all of these factors can be fully quantified. A rough estimate by experts may be
required in some instances to account for some of them; however, this is likely to be
better than ignoring them.

Significant errors can be made in QRA by simplifying assumptions such as
considering the maximum credible incident, excluding infrequent incidents from an
analysis or ignoring the effects of time during the development of incident scenarios.
Examples to illustrate these points are provided in Appendix IV. One of the most
frequently made misjudgements is to assume that a hydrocarbon or toxic gas release
from a pipe or vessel rupture is worse than from a small release. The longer duration
of the small release may result in far more serious consequences than the relatively
short, though larger, release from a rupture.

6.5 RECOMMENDATIONS FROM QRA

The results of a well documented QRA covering the right scope, both in level of
detail and width of the analysis, can be used to arrive at cost effective safety
measures and a preferred development alternative.

In this process the accuracy of the results should always be taken into account and
creativeness in presenting and interpreting the results is required. For example, the
results can be put in an overall context by comparing the calculated individual risk
numbers with those of similar industries or past PETRONAS experience.
Reductions or increases in risk can be compared with the risk contribution from other
recognisable hazards, e.g. a reduction of blowout risk on an offshore platform could
be compared with the risk reduction from elimination of all helicopter flying or a 5
minute reduction of the helicopter flying time.

6.5.1 Cost effective safety measures

QRA will identify the main risk contributors to the overall potential for loss of life
and individual risk for groups of persons. This can best be done by first analysing
these losses in the format suggested in Figures 4.3 and 4.4 in which the various risk
contributors are shown.

Event Trees and Fault Trees may have to be analysed in more detail if the main risk
contribution comes from a major incident scenario. It is usually found that only very
few major incident scenarios contribute significantly to the overall loss. Considering
the various probabilities in the paths of the incident scenarios will make it clear
which of these could change the risk contribution. Safety measures can then be
developed that would affect either the event probabilities or the consequences. With
these measures new development alternatives can be engineered and analysed. The
floating oil platform development example in Appendix IV illustrates the above
process.

6.5.2 Selection of alternatives

When comparing alternative ways of performing an activity which does not involve
members of the public it is recommended to use the following quantitative
yardsticks:

• the individual risk of the most highly exposed groups of workers

• the overall potential loss of life over all relevant project phases and incident types

• the cost to avert a fatality

• the project Net Present Value (NPV) taking into account Capex, Opex and
Revenues; this can be given on an incremental basis relative to the base case.

For the individual risk both the level of risk in the base case (varying from intolerable
to negligible) and the change (increase or decrease relative to base case) should be
considered. For the potential loss of life and the project NPV the absolute levels in
the base case are less relevant (assuming that project screening criteria are met). The
cost to avert a fatality should also be seen as a measure of effectiveness to compare
alternatives.

Detailed guidelines on the ranking of the yardsticks cannot be given as each situation
is different. Fortunately, for most comparisons the situation is quite clear when all
yardsticks have been considered. Chapter 5 provides the necessary guidelines.

In general it will be found from the QRA results that the individual risk is high and
nowhere near a negligible risk.

The most difficult decisions for the analyst are those where the various yardsticks
show trends in different directions. For instance, one option may show a higher PLL
but lower individual risks than for an alternative option. In these cases, the first
approach is to try to find a solution whereby both PLL and individual risk are
minimised. If this is unsuccessful, then additional, often more subjective, information
may have to be used to arrive at a recommendation. Additional information that may
be useful is:

• how are the risk levels perceived by workers and public?

• which alternative is likely to be preferred by partners in joint ventures and
regulatory bodies?

• is there any difference in environmental impact?

Reference should be made to the environmental impact assessments (EIAs).

• is there any difference in risk to the public?


• is there any difference in the size of the maximum incident?

If everything else remains the same the option with a smaller size of maximum
incident is preferred.

The final evaluation of QRA results may require input from management to interpret
the Company safety policy and the socio-political circumstances. Although QRA
provides transparency, in the form of documented and numeric material to assist
decision making, the decision is not made by QRA. The prime objective of QRA
should not be to force a decision but to highlight how the main risk contributors
affect the comparison and how these insights can be used to further develop
alternatives where all yardsticks show a positive trend (i.e. improved economics,
lower potential loss of life, lower individual risk and lower cost to avert a fatality).

6.6 QRA TO INCREASE AWARENESS OF HAZARDS

The QRA results can also be used to increase awareness of the operator of the
facilities. Awareness of hazards, potential hazardous events and information on
scenario-based escalation combined with suitable information for avoidance, and
exercises to train emergency response to avoid escalation can considerably lower the
risk incurred.

6.7 COMMUNICATION OF RISK TO MEMBERS OF THE PUBLIC

QRA can be used as a means to communicate risks to authorities and the public. The
yardsticks mentioned in 6.5.2 are hardly relevant when evaluating risks to the public.
The probabilistic concept is difficult to convey to the public and the fact that a
particular scenario can happen may be more important than its probability. A recent
incident in a similar operation may also have a strong impact on the risk perception
of public and press. For new installations it is recommended to search for designs
that avoid overlap of the maximum effect distance and areas with continued presence
of members of the public (see also 5.3).

6.8 DECISIONS BASED ON CONSEQUENCE ANALYSIS

Occasionally an evaluation of consequences provides sufficient information to reach
conclusions. For instance, if the maximum effect distance of a hazard is too small to
have consequences it is not useful to further reduce effects or its likelihood.
Conversely, if the physical effects remain too great to allow escape of personnel it is
also not useful to spend efforts to reduce physical effects (however, a reduction of
likelihood would be effective in this case).

A properly performed QRA would arrive at the same conclusions; however, this
would take more time.

Therefore, when a large number of situations has to be analysed it can in many cases
be advantageous to precede the QRA by a consequence analysis. This may filter out
the cases where a full QRA would not add additional information.

7. PERFORMANCE OF QUANTITATIVE RISK ASSESSMENT

This chapter provides practical guidance for the performance of a QRA study, either
internally or by a consultant. It addresses the need for a QRA study, its timing, the
setting of objectives and the definition of the workscope. Duration and personnel to
be involved are also discussed.

7.1 OBJECTIVES AND TIMING OF THE QRA

The objectives of QRA studies are usually different for the various project phases. In
all cases the main objective should be to reduce risk rather than purely estimate risk
levels. For all QRA work it is important to assess in advance how the results of the
QRA study will be used. It may be concluded in some cases that a QRA will not
assist in furthering the project or improving its safety, in which case there would be
little point in carrying out the study unless it was a legal requirement.

In general, QRA is used:

• to reduce risks by:

- identifying areas of high risk

- identifying areas where risk can be further reduced

• to assist in option selection by ranking options in terms of risk

• to assess the cost effectiveness of risk reduction measures

• to assist in the demonstration and achievement of ALARP

• as an aid to communication with the workforce and third parties regarding their
impact on risk and their exposure to risk

• to indicate whether or not risks are tolerable (but this should never be the sole
objective)

• in order to comply with legislation and company policy (and only then when the
need for QRA is appropriate and justified).

Guidance is given below which addresses when QRA is likely to be of benefit and
when it is not. Each individual case should be treated on its merits.

7.1.1 Projects for which use of QRA is likely to be beneficial

Project identification phase - comparative coarse QRA

QRAs can be performed in all project phases of a development; however, the scope
for identification of effective safety improvements and the implementation thereof is
greatest during project identification and conceptual design phases. In some cases
this may be during the prospect stage if for instance novel technology is used. It is
considered that QRA studies should be carried out on all projects onshore or offshore
for which several options have been identified which are considered to have
significantly different risks.

Examples of safety aspects that can be addressed during the earliest project phases
are:

• drilling of sour gas wells in clusters or spread out over a populated area

• location of onshore processing plants relative to population or existing facilities

• manned or unmanned operations

• onshore or offshore processing of hydrocarbons from offshore wells

• subsea wells or platform wells

• separate bridge-linked accommodation platform or integral platform.

The QRA objectives during these early stages are to identify major risk contributors
and effective safety measures and to aid in the selection of the best alternative from a
safety, operational and economic point of view. Usually these two objectives cannot
be clearly separated; identification of possible improvements will lead to comparison
of alternatives to establish the measure of improvement. Conversely, when
comparing alternatives it is normal that further effective safety measures are
identified (leading to new alternatives to be evaluated). It is therefore recommended
to set the double objective of 'identification' and 'comparison'.

Initial 'coarse' QRA work should be designed such that it can be conveniently
developed to a detailed QRA later.

Definition phase - project specification - detailed QRA

During the project definition phase a more detailed risk assessment may be required:

• to assist with final major decision making with respect to design options; and

• to provide a basis for further design optimisation during completion of conceptual
engineering and detailed engineering and (ultimately) to reach risk levels
regarded as ALARP; and

• to confirm to senior management, shareholders and the Regulator that ALARP
will be achieved.

At the end of detailed engineering, i.e. when all optimisation has been completed, the
risk assessment is issued in the form of a final report for input to the HSE Case. This
is intended to demonstrate that risk is ALARP.


The above is particularly applicable to:

• all offshore permanently manned installations, unless the layout is so well spaced
out that the workforce is for the majority of the time outside the maximum effect
area of the high pressure hydrocarbon production/ process facilities and the risk
of escalation is considered to be negligible.

• onshore plants, where the public is within the maximum effect area and / or
where the plant is complex and the storage and processing equipment cannot be
spaced so as to minimise the risk of escalation.

• studies to compare transport and manning philosophy options if the option under
development has significantly different operating philosophies to those
considered during the comparative QRA in the project identification phase.

The maximum effect area is defined as the area within which there is a potential for
loss of life or injury as a consequence of any credible hazardous event, regardless of
its probability.

Operations Phase

• Existing facilities

A QRA study should be carried out on any facility, operation or activity which is
considered to be safety-critical and for which there are doubts as to whether or not
the risks have been reduced to ALARP. A QRA study would assist in the
identification of high risk areas and the ranking of risk reduction measures, and
would identify the need for modifying the operating philosophy, e.g. Manual of
Permitted Operations (MOPO).

Risk can be affected significantly by performance of people and equipment. The
performance of QRA during operational phases can be an effective means to increase
awareness of the major hazards and to reduce the risk thereof by motivation of
personnel, development of effective procedures and tighter maintenance and
inspection of the equipment involved.

Sometimes attempts are made to evaluate whether an existing situation, which is not
fully in line with standards and sound practices, is 'acceptably safe'. This (mis)use of
QRA to justify deviations from effective and applicable standards and sound
practices should be avoided. If the cost of compliance with standards and sound
practices is prohibitive whilst the standards are not really applicable for the case
considered, QRA could be used to assess the risks of a deviation and help decide
whether or not such a deviation is ALARP (see also 2.2).

In connection with this, if risk reduction modifications to existing facilities are
contemplated, the risk of implementation in such facilities should be carefully
evaluated to ensure that there is a significant net safety benefit.

• Upgrades to existing facilities

A QRA study should be carried out when plant modifications are planned which will
result in significant risks during construction and/or which are expected to
significantly increase the risk level during operations. The need for an additional or
revalidated risk assessment at the time of proposed upgrades or refurbishments has to
be considered. In cases where the proposals are viewed as having a minimal impact
on safety, no additional work will be necessary, but for some modifications the
earlier risk assessment will require reviewing and additional risk assessment may be
required.

7.1.2 Projects for which use of QRA is not likely to be beneficial

QRA would not usually be used for Not Normally Manned offshore installations and
onshore facilities, except in connection with the determination of the operating
philosophy unless:

• the equipment spacing allows escalation or

• the facility has a high strategic or asset value or

• there are environmental concerns particularly related to incident scenarios

• there are serious concerns regarding company image, licence to operate or that
the public is in permanently occupied areas within the maximum effect radius.

• it is a legal requirement

In other cases, physical effects modelling combined with other non-quantitative
methodologies may be sufficient to manage the hazards.

7.1.3 QRA to meet acceptance criteria

Engineers and decision makers like to use risk assessment to make the decision for
them. For this purpose they would like to see well defined acceptance criteria for risk
and a calculation resulting in one number to tell them whether their design is right or
wrong.

Several regulatory bodies also promote the use of QRA for establishing that
acceptance criteria are met. However, in general they also promote the use of QRA to
identify improvements and as a means of communication between professionals.

Although a QRA will almost always result in meaningful recommendations the use
of QRA in an absolute sense is not promoted by PETRONAS for a number of
reasons.

Firstly, the accuracy of QRA work makes the comparison of calculated numbers with
specified criteria rather meaningless. The inaccuracies are less important in
comparisons between various options analysed in a consistent manner.

Secondly, the risk of industry operations calculated in a QRA is usually in the 'too
high' area and nowhere near the 'negligible' area (see 5.1). This means that regardless
of acceptance criteria set by authorities or others, there is a need to identify further
improvements and to implement them if their cost is not prohibitive.

Expressions like 'acceptably safe' or 'an acceptable risk' are to be avoided in QRA
work scopes. Risks are never acceptable when the benefits of an activity are not
perceived to be larger than the risks. Also, a risk is never considered acceptable while
there are effective alternatives to lower the risk. If there are no further effective
alternatives it may be necessary 'to live' with the risk (see also 2.2).

Finally, as studies to check conformance with criteria are often performed
immediately prior to or during detailed engineering, the scope for implementation of
radical changes is limited. Therefore, it is recommended to perform QRA at the right
time; this avoids costly and disruptive changes to the project.

7.1.4 Summary of key points

• perform QRA where possible in the earliest project phases

• always specify the dual objective of QRA, i.e. to identify improvements and
compare alternatives

• avoid comparison with 'acceptance' criteria

• avoid expressions 'acceptably safe' or 'an acceptable risk'

• always try to identify further effective improvements

• do not use QRA to justify deviations from applicable standards and sound
practices.

7.2 SCOPE OF WORK

The scope for a QRA should contain the steps discussed in Chapters 3 and 4. It is
suggested to address the following points in the scope of work for a QRA:

• objectives of the work

Always mention the dual objective of identification of main risk contributors and the
comparison of options.

• definition of the boundaries of the development to be analysed

Ensure that comparisons are made on plans that have an equal achievement. This
usually means that a time frame has to be considered in which equal achievement
is obtained, and that within this time frame all hazards that are different for the
options to be compared will have to be evaluated.

• identification of all possible hazards and related hazardous or top events

A full list of all hazards and top events should first be made and screened by
relevant personnel to ensure that it is complete. The less significant can be
screened out on the basis of experience or a cursory analysis. HAZID and
HAZOP studies may assist this process.

• analysis of size and likelihood of the top events

This will usually be done on the basis of statistical information or by Fault Tree
Analyses. Many assumptions on the performance of people and equipment may
have to be made. All these assumptions have to be listed so that it is possible to
verify them. Ensure also that the change of physical effects over time is
considered; very often a small release of toxic or flammable fluids over a long
period of time is more hazardous than an instantaneous release of larger
quantities. Therefore the maximum assumed incident does not always result in
the worst consequences (see Appendix IV - Appropriate level of detail).

• identification of the means by which the likelihood of the top events can be
reduced or eliminated.

• careful assurance that the appropriate level of detail is used to achieve the
objectives of the study.

• development of the top events into incidents by using Event Trees (also by
simulation studies such as PLATO).

It is suggested to limit the number of scenarios in the Event Tree to 12 to 15,
otherwise the overview is lost. Physical effects calculations will have to be made
and consequences to people, facilities and production will have to be estimated.

All assumptions made should be clearly listed.

• presentation of results

Formats are specified in Chapter 4, e.g. overall potential for loss of life, individual
risk for highly exposed groups of personnel, potential for loss of assets and
production, potential for damage to the environment, cost to avert one fatality, and a
description of intangibles. Event Trees, Fault Trees and bar charts of results should
be included in the report. The bar chart should highlight the most significant risk
contributors.

• identification of possible improvements and their effectiveness and comparison
of alternatives

These should not necessarily be limited to design changes but should also review
the possibility for changes in procedures and operational practices. Likelihood
reduction measures for the top event as well as mitigation measures should be
identified.

• sensitivity analysis

An evaluation has to be made of the sensitivity of the results to changes in
assumptions and estimated probabilities and physical effects. This is particularly
important where data is considered to have wide confidence bands or its
applicability is in question. Only those assumptions or data that have a significant
contribution to the end result require such a sensitivity analysis.

• interpretation of results, conclusions and recommendations

• compilation of a draft report giving full traceability of all data and assumptions
used in the assessment.

• completion of final report including all comments made by the reviewers of the
draft report.

Points to note:

• conclusions and recommendations made may be somewhat limited in value as
consultants are less likely to have insight into the priorities and interpretation of
policies in PETRONAS.

• recommendations may lack the necessary engineering judgement and lateral
thinking due to the consultant's limited operational experience.

Summary of key points:

• clearly define objectives and boundaries

• ask for completeness and appropriate level of detail

• demand full traceability of all results and assumptions made

• specify presentation format of results

• stress the need for a factual interpretation and treat consultant's conclusions and
recommendations with care.

7.3 DURATION, MANPOWER AND COST

The duration of a QRA can vary from one day involving two to three people to
several months with a team of five to ten personnel.

Although the studies with more man-hours create more paper, they do not always
increase the understanding of the main risk contributors or identify effective ways to
reduce risks. It may therefore be advantageous to start with a more cursory analysis
of a short duration and to extend the scope in width or level of detail if this does not
yield the required insights. It is most effective to perform a QRA with a small team
of, say, one to two men permanently with part-time assistance on specialist topics
such as physical effects calculations.

It is essential for personnel involved in the QRA to obtain a good understanding of
the facilities to be analysed, their layout and the way in which these are operated. A
site visit is strongly recommended if not essential (particularly for hazardous event
identification and scenario development). Personnel that are intimately familiar with
the design and operation of the facility or of similar facilities are indispensable in the
QRA process.

Only with their experience is it possible to identify all foreseeable hazardous events,
all relevant possibilities for the development into an incident, and develop sensible
risk-reducing alternatives. For this reason an in-house QRA is often far more
effective than one performed by an outside consultant.

The following are some indications for man-hours to perform a QRA and to report it:

• in-house studies on several critical aspects of a facility or operation combined
with an overall QRA on a cursory level allowing the interpretation of results in
overall context: 40 to 200 man-hours

• consultant studies with a similar scope as above but extended in detail: 300 to
600 man-hours

NB The 'Concept Risk Assessment Methodology' (see also 8.3.3), for which there is
a licence for Group-wide use, allows rapid coarse comparison of platform options at
the concept stage: 20 man-hours per option run (this does not include data
preparation, etc). (Further information from PETRONAS)

• detailed evaluation of a facility by a consultant: 600 to 1500 man-hours.

Note that the minimum QRA performed by a consultant is in the order of some 300
man-hours. A large portion of this will be used for familiarisation with the facilities
and their operation.

The man-hour rates for QRA consultants are considerably higher (40 to 80 percent in
1989) than for normal engineering consultants.

7.4 PERSONNEL INVOLVED IN THE ASSESSMENT

7.4.1 QRA analyst's interaction

A QRA cannot be performed by a risk analyst working in isolation. As stated in 7.3,
the risk analyst needs input from people who are familiar with the facilities and
operations to be analysed. When preparing for a QRA it is essential to recognise this
and to allow for extensive discussions between consultant and company staff. All
assumptions, including operating philosophy and any modelling simplifications
should be thoroughly discussed with those responsible for that aspect of the design or
operation.

7.4.2 Competency assurance

There is a clear need to ensure that company or contractor staff involved in the
execution of QRA studies are sufficiently competent to carry out their assigned tasks.
The degree of competency needed will depend on the nature of the study
(complexity, scale, etc) and the make-up of the study team. In this document issue no
attempt is made to establish definitive standards of competence; this will be
considered for the future. As a first step seek advice from the QRA specialists within
the OPU. Where no such QRA specialist is established PETRONAS CHSE can
provide advice. In either case PETRONAS CHSE, in consultation with other OPUs,
can obtain and provide supplementary information concerning the performance of
contractors and, if the information is available, the competence of individuals within
contracting organisations.

7.4.3 Training

Attendees of the PETRONAS Group QRA Training Course will achieve a high level
of QRA knowledge. They will gain skills sufficient to carry out a simple study and to
supervise a QRA study contract. Beyond this, skill development will be on the job
and this will be essential if larger studies are to be carried out competently.

8. METHODS AND DATA

The quantification of risks to people, assets and production makes use of information
on historical performance of equipment and systems, techniques for calculation of
physical effects from releases of dangerous substances, and methods to facilitate the
evaluation and calculation of Fault Trees, Event Trees, etc.

As the application of QRA is becoming more common, there is a rapid development
of tools (often for use with a personal computer) to assist in the performance of this
work. This makes it impossible to make a complete and up-to-date list of all these
tools.

PETRONAS closely follows the development of such databases and tools and
evaluates their suitability. PETRONAS organises workshops, and information will be
given on the available tools and their features. The same applies to incident and
component reliability databases. Apart from monitoring developments in this field
PETRONAS has developed a data sheet system for use in QRA (Ref. 11). Appendix
III provides information on the objectives of this system, the subjects addressed in it
and the format of the data sheets.

Several databases and tools in which PETRONAS has an interest are discussed
below.

8.1 DATABASES

8.1.1 WOAD (Worldwide Offshore Accident Data bank)

WOAD is a dBase III data bank containing offshore accidents that have been
published or reported. It also contains US Coast Guard data, Lloyd's, Mineral Mining
Services data bank, etc. The data bank is regularly updated (2 x per year) and
presently contains data and a short description on 1706 incidents.

8.1.2 OREDA (Offshore Reliability Data bank)

A dBase III data bank and data book on reliability of offshore components and
systems. Extensions of the database and a more user-friendly access to the data are
being implemented.

8.1.3 E&P Forum hydrocarbon leak and ignition database project

For those facilities for which the hydrocarbons are the dominant source of risk, good
quality leak and ignition frequency data is essential. Without it, there is the risk of
making inappropriate investments in risk reduction measures. The E&P Forum has
taken on the task of co-ordinating a world-wide project to improve the quality of
these data. For further details of the E&P Forum Hydrocarbon Leak and Ignition
Database Project see Ref. 15. Data collection guidelines have been distributed to
E&P Forum work group members. The software for the database was completed
in 1995 and is comparative with the UK Health and Safety Executive, Offshore
Safety Division (UK HSE-OSD) scheme.

8.1.4 Drilling blowout frequency JIP

Currently, the blowout frequencies used in QRA studies are obtained from historic
world-wide databases. These data take little account of the type of well, the way it
was drilled or the specific problems associated with the geology of the area.
Consequently, the applicability of the blowout frequencies to a specific well is
questionable. (Is this true – to be deleted)

8.1.5 Ship collisions

Collisions of vessels with offshore facilities have been calculated to form a
significant proportion of the total potential loss of life (PLL) of platform personnel in
some areas. The collision risk calculations have been carried out to date almost
exclusively using either the Siktec (now called DOVRE SAFETEC) COLLIDE or
the DNV Technica CRASH computer simulators. Both programs indicate very high
risk levels but are not consistent with each other. The fact that there have been very
few collisions would indicate that the programs may be too pessimistic and do not
give realistic predictions. Several efforts are being made both to reduce the actual
risk of collision and to improve the prediction modelling. These efforts range from
consideration of extending a country's zone of legal jurisdiction in order to gain a
better control over ship movements and to enforce measures once a ship is in
difficulty (drifting) or behaving strangely to the STARR (Shipping Track Analysis
for Risk Reduction) project which involves the appraisal of shipping behaviour in the
vicinity of offshore structures.

8.1.6 ITOPF oil spill database

International Tanker Owners Oil Pollution Federation maintains an oil spill database
on spills at sea which includes major facilities as well as tanker spills. Further
information via PETRONAS Marine.

8.2 PHYSICAL EFFECTS MODELS

8.2.1 FRED (Fire, Radiation, Explosion and Dispersion)


FRED is a computer package for PC (XT or AT) developed by the SHELL Group
containing models for calculation of physical effects from releases of hydrocarbons
and toxic materials. The package contains the well known 'Yellow-Book' models but
also more accurate models based on research by Thornton Research Centre (TRC).
FRED is extended and updated regularly to incorporate latest research developments.
It is now available commercially.

8.2.2 HGSYSTEMS

HGSYSTEMS is a more sophisticated computer model for dispersion calculations
than those provided in FRED. TRC should be consulted via PETRONAS CHSE, on
its use.

8.2.3 SCOPE

An explosion overpressure prediction computer code called SCOPE was first
developed by TRC in 1993. The code is based on the 1992 SOLVEX explosion
experiments carried out by TRC at Buxton. SCOPE is a physically based code which
replaces VENTEX and VENTEXPC for the prediction of explosion overpressures in
partially confined, congested modules. PETRONAS CHSE should be contacted
before using for the first time.

8.2.4 BHEPPC (Blowout Hazards Evaluation Program)

BHEPPC is a program for PC (XT or AT) for calculation of dispersion, heat radiation
and noise level from a well blowout or breakage of a pipeline. The program has been
developed by TRC and provides extensive graphical output of dispersion, heat and
noise contours. It is planned to include BHEPPC within FRED.

8.2.5 Advice on third party physical effects models

The main suite of Group recommended fire, gas and explosion physical effect models
(PEMs) are contained in the computer packages FRED, HGSYSTEMS and SCOPE.
However, there are many third party PEMs on the market which are used by various
QRA consultants. A research programme has been set up to evaluate a short list of
these models in order to be able to advise on their suitability for use by OPUs. Gaps
in our knowledge regarding fire, gas and explosion physical effects processes have
been identified, ranked and a research programme firmed up. Some of the work is
carried out internally by TRC, with the remainder by JIPs (e.g. JIP Fire and
Explosion project led by the Steel Construction Industry).

8.2.6 General

PTS 60.2211 Physical Effects Modelling provides further information on modelling
and the application and selection of models and the role of PETRONAS CHSE and
TRC.

8.3 RISK ESTIMATION PROGRAMS

8.3.1 OHRAT (Offshore Hazard and Risk Assessment Toolkit)

Some time ago, it was recognised that the quality assurance, efficiency, consistency,
auditability, ease of updating/carrying out sensitivity studies and general user
friendliness of the computer tools need enhancement. In view of the increasing
requirement for QRA studies to become more detailed, this need for improvement
has become even more necessary. Experiences with the use of OHRAT to date are
mixed. It is hoped that the current version (1.3) will meet the original aims. OPUs
are encouraged to use OHRAT for their QRA studies.

8.3.2 PLATO

In parallel with the OHRAT development, PLATO was developed by another
consultant. PLATO is a computer tool based on object-oriented programming which
assists in gaining a better understanding of escalation routes on offshore platforms. It
is expected that PLATO will be of assistance particularly during detailed design in
order to assist in layout decisions.

8.3.3 Concept risk assessment methodology

A methodology has been developed which allows rapid comparison of offshore
platform options at the concept stage. The methodology was developed by WS
Atkins for another major oil company. Essentially it comprises a number of 'look up'
tables for generic building blocks, i.e. groups of equipment whose risk levels have
been calibrated against detailed QRAs, of both the other major oil company and
SHELL, and incorporated into spreadsheets linked together. It is relatively simple to
expand to include new and additional building blocks. It is only suitable at its present
stage of development for option ranking at the concept stage of a project.

8.3.4 SAFETI

There are several computer packages for the estimation and presentation by means of
risk contours of off-site risk or risk to the public. PETRONAS has a licence for the
SAFETI package and should be consulted on its use. (Is this true?)

8.3.5 CARA

CARA is an integrated suite of programs for PC developed by SINTEF in
Norway and also marketed by DNV Consultants London. The package contains
programs for:

• Fault Tree construction and analysis (CAFTAN)

• Cause-consequence diagram construction and analysis (CCA)

• Failure Mode, Effect and Criticality Analysis (FMECA)

• Data analysis (ANEX)

• Survival and repair time analysis (SAREPTA).

8.3.6 ASPIN

ASPIN (ASsessment of Pipeline INtegrity) was first developed by SIPM in 1988. In
1995, version 2.0 was issued.

ASPIN is a tool that offers the possibility for pipeline engineers and risk analysts to
adopt a more structured approach towards managing pipeline failure risks. ASPIN's
main objective is to assess failure risks of pipes to enable option comparisons.

9. DESCRIPTION OF PETRONAS QRA ACTIVITIES

9.1 MAIN CHALLENGES

The main QRA related challenges to PETRONAS are as follows:

• the promotion of the sensible use of QRA by PETRONAS OPUs as a practical
tool to identify cost effective safety measures and to assist in decision making
processes

• the development of QRA methodology, databases, physical effects models and
consultants and

• to influence industry and regulators in the field of QRA.

9.2 PRINCIPAL TASKS

In order to meet the above challenges the following tasks can be identified:

1. Develop and apply QRA as a technique for identification of cost effective safety
measures and as an aid in decision making by, for instance participating in and
steering joint industry projects for the improvement of data, physical effects
modelling and risk estimation tools.

2. Promote the use of QRA in OPUs and enhance the understanding of its merits
and shortcomings. Train PETRONAS staff in the appropriate use of QRA
through courses and workshops. One of the objectives of the training is that
major OPUs become largely self-supporting for their QRA work.

3. Ensure that the use of QRA in PETRONAS Group of Companies is in harmony
with developments in other PETRONAS functions, PETRONAS research
laboratories, industry and scientific institutions.

4. Ensure that insights and data obtained by one OPU are shared, as appropriate,
with the other OPUs in order to avoid duplication of work.

5. Critically review trends in industry and regulatory bodies, and be proactive in
legislative matters to ensure that cost effective and safe proposals can be pursued.

6. Provide ad-hoc advice to OPUs and review QRA studies on their behalf.

7. Perform or co-ordinate QRA studies that have a Group wide interest.

APPENDIX I

SOME BASIC PROBABILITY THEORY

The history of probability shows a stimulating interplay of theory and applications. This
appendix contains the definitions of the various types of probabilities and provides a brief
description of some basic calculation rules. The following is intended only as an introduction
to key points; for further information specialist advice should be sought.

Definition of probability and probability of combined events

The concept of probability can be defined as follows:

A probability is a mathematical concept which assigns a number between 0 and 1 to an
event or a combination of events. The number expresses the likelihood that the event
occurs, where 0 means impossible and 1 means certain.

Probabilities are numbers of the same nature as distances in geometry or masses in
mechanics, i.e. the concept of probability can be used without any assumptions about their
numerical value or how they are measured in practice. The methods to assess probabilities
vary as widely as do methods to measure distances.

The following rules apply:

1. The probability of an event A, written P(A), is a number between 0 and 1.

2. The probability of the 'certain' event equals 1. The probability of the 'impossible' event
equals 0.

3. The following applies for the 'NOT' relation (i.e. an event A will not occur)
* P(NOT A) = 1 - P(A)

4. For two independent events A and B the probability of combined events is obtained by
the following rules:
* P( A OR B ) = P(A) + P(B) - P(A) x P(B)
* P( A AND B) = P(A) x P(B)

5. For three independent events A, B and C the probability of combined events is obtained
by:
* P(A AND B AND C) = P(A) x P(B) x P(C)

* P(A OR B OR C) = P(A) + P(B) + P(C) - P(A) x P(B) - P(A) x P(C)
  - P(B) x P(C) + P(A) x P(B) x P(C)

Probability as a relative frequency

Probabilities can be considered as a relative frequency, i.e. the probability of an event
is considered as the relative frequency of occurrence of that event to be expected in
the long run. The probability of an event E occurring is estimated as follows:

Where, for example, the number of observations is the number of platform years or
the number of wells drilled.

Probabilities are dimensionless quantities. However, the relative frequency method
requires the specification of an 'observation', e.g. a year. This is generally an arbitrary
choice in the sense that one could equally well select a month or a day as the
observation period.

The accuracy of the estimation improves with the number of observations. A measure
for the accuracy is provided by a so-called confidence interval. For example a 95 per
cent confidence interval with respect to a probability means roughly that there is 95
per cent confidence that the probability belongs to the interval. This interval can be
constructed by the following simple procedure:

• N is the total number of observations

• R = n(E) is the number of observations comprising a particular event E

• Define Q = R/N

• Define A = 2 [Q (1-Q)/N]½

• The 95 per cent confidence interval for the probability P(E) is given by:

[Q-A,Q+A]

If probabilities are assessed as long term frequencies, the use of the above type of
confidence intervals is strongly recommended as a measure of accuracy.

Subjective probability

The relative frequency method to estimate probabilities is widely accepted and
applied. However, sometimes events are unique, i.e. the situation cannot be
duplicated. Although some information may be available regarding past occurrences
in 'similar' situations, no information in the form of observed frequencies is available.

Subjective probability assessment often provides an efficient solution to the above
situation. In this approach a probability is interpreted as a measure of degree of
belief, or as a quantified judgement. Since a probability, in this interpretation, is a
measure of a degree of belief rather than a frequency, it is perfectly reasonable to
assign a probability to an event that involves a non-repetitive situation. However, it is
not necessary, of course, for a situation to be non-repetitive for the subjective
interpretation of probability to be applicable. If factual information is available, this
can be used to increase the confidence in the estimate. A discussion of the formal
approach (using Bayesian Statistics) to increase accuracy and confidence of the
estimates falls outside the scope of this appendix.

Estimation of failure rates

The constant failure rate is a simple but fundamental concept in probabilistic risk
assessment studies. The formal (difficult) definition is as follows:

Failure rate is the conditional probability that a failure occurs per time unit at time t
given that no failure occurred before time t.

If it is assumed that the frequency of failures does not change with time or
equivalently that the probability of future failures is independent of the past then the
following simple definition applies:

The common engineering interpretation of this definition, which is also used to
estimate failure rates from factual data is as follows:

Note that the above simple definition implies that the failure rate is a constant
indicating the number of failures per unit time. Although often used as such the
failure rate is NOT a probability.

Mean time to failure (MTTF)

In a failure-repair process the MTTF is sometimes used as a measure of the
likelihood of failure. For short repair times, the following applies:

Assuming a MTTF of 3 years the probability that a sub-surface safety valve fails
within a specified time period can be calculated. The table below shows an example:

P{Failure within t years} = 1 - exp{-t/MTTF}

Time (years)    P(T<t)
0               0.00
1               0.28
2               0.49
3               0.63
4               0.74
5               0.81
10              0.96
20              0.99

Note that although the MTTF is 3 years the valve may not have failed after 20 years.

Probability of failure per demand

There are systems which are not operating continuously but are to operate for a short
duration when required. Examples are starting up a pump, opening a safety valve,
detecting a gas cloud, etc. These systems function 'per demand'. The probability of
failure of the functional performance is called 'probability of failure on demand'.

The probability of failure on demand for a system with a failure rate f which is tested
at intervals T can be calculated by:

P{on demand} = f x T/2

For the above example of a sub-surface safety valve with a MTTF of 3 years
and a test interval of three months the probability of failure on demand is:

Availability or unavailability as a probability

The definitions of availability and unavailability are given below:

• availability A(t) is the probability of the component or system being in its normal
state at time t

• unavailability Q(t) is the probability that the component or system is in its failed
state at time t

For components or systems which are repaired upon failure, the availability or
unavailability can be calculated as follows:

Q(t) = MTTR/(MTTR + MTTF)


where: MTTR = Mean Time To Repair
MTTF = Mean Time To Failure
A(t) = 1 - Q(t)

Availability and unavailability can be treated as normal probabilities; all calculation
rules apply.
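The confidence-interval procedure, the sub-surface safety valve table and the probability of failure on demand from this appendix, worked through in code. This is an added example, not part of PTS 60.2210: the function names, the clamping of the interval to [0, 1], the relation f = 1/MTTF and the observation counts are assumptions made here. It goes one step beyond the text by comparing f x T/2 with the time-averaged value it approximates.

```python
import math


def confidence_interval_95(n_events, n_obs):
    """Return (Q, lower, upper) with Q = R/N and A = 2*[Q(1-Q)/N]^(1/2)."""
    if n_obs <= 0 or not 0 <= n_events <= n_obs:
        raise ValueError("need N > 0 and 0 <= R <= N")
    q = n_events / n_obs
    a = 2.0 * math.sqrt(q * (1.0 - q) / n_obs)
    # Assumption added here: clamp to [0, 1], since a probability cannot leave it.
    return q, max(0.0, q - a), min(1.0, q + a)


def prob_failure_within(t, mttf):
    """P{failure within t} = 1 - exp(-t/MTTF), constant failure rate."""
    if mttf <= 0 or t < 0:
        raise ValueError("need MTTF > 0 and t >= 0")
    return 1.0 - math.exp(-t / mttf)


def pfd_approx(failure_rate, test_interval):
    """Probability of failure on demand as given in the text: f x T/2."""
    return failure_rate * test_interval / 2.0


def pfd_time_averaged(failure_rate, test_interval):
    """Average of 1 - exp(-f*t) over one test interval.

    Assumes failures are found only at the test and repaired at once.
    f x T/2 is the first term of this expression when f*T is small.
    """
    ft = failure_rate * test_interval
    if ft == 0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-ft)) / ft


def valve_table(mttf=3.0, times=(0, 1, 2, 3, 4, 5, 10)):
    """Rows of the MTTF = 3 years table, rounded to two decimals."""
    return [(t, round(prob_failure_within(t, mttf), 2)) for t in times]


if __name__ == "__main__":
    # Constructed observation counts: 4 and then 0 events in 200 platform-years.
    for events in (4, 0):
        q, low, high = confidence_interval_95(events, 200)
        print(f"R={events} N=200  Q={q:.4f}  95% interval [{low:.4f}, {high:.4f}]")
    # With R = 0 the interval collapses to [0, 0]: the simple procedure
    # says nothing useful about events that have not yet been observed.

    for t, p in valve_table():
        print(f"{t:>3} years  P(T<t) = {p:.2f}")

    f = 1.0 / 3.0   # per year, assuming f = 1/MTTF with MTTF = 3 years
    T = 0.25        # test interval of three months, in years
    print(f"f x T/2       = {pfd_approx(f, T):.4f}")
    print(f"time-averaged = {pfd_time_averaged(f, T):.4f}")
```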

APPENDIX II FAULT TREE ANALYSIS

Fault Tree analysis is a common probabilistic technique applied in reliability analysis and, to
a lesser extent, risk assessment. It allows the user to concentrate on a particular system
failure, which is usually giving rise to the 'top event' or 'branch event' of an Event Tree. The
Fault Tree approach, introduced in this appendix traces back the possible causes of an
identified 'top event' or 'branch event'. This analysis is characterised by the question:

'How can it occur?'

The forward analysis is the Event Tree analysis; it starts with an initiating event ('top event')
and projects possible consequences from that event. This analysis concentrates on the
question:

'What happens if it occurs?'

In general the construction of Fault Trees and Event Trees can only be achieved by relying
on the experience of those persons who are familiar with the real system under
consideration.

Fault Trees cannot take account of sequential failures or time dependency. This limits their
usefulness in risk analysis where the development of scenarios with time is important.

A Fault Tree consists of two types of building blocks: GATE symbols and EVENT symbols.
Events are represented by rectangles.

GATE symbols connect events according to their causal relations. GATES may have two or
more input events but only one output event. In this manual only two types of GATES, the
OR GATE and the AND GATE will be used. Other gates, such as the NOT gate and the
INVERSE gate are not considered.

Figure II.1 : AND GATE and OR GATE

All possible combinations of gates and events are allowed, provided the following
two conditions are satisfied:

1. The Fault Tree must have a typical tree structure, i.e. all events and gates should
converge into a single event: the top event.

2. Events are connected by gate symbols, i.e. an event is never directly connected to
another event.

A very basic example of a Fault Tree is shown below (Figure II.2).

Figure II.2 : Example of a simple Fault Tree

Note: The text in the circles and gate symbols is used to provide a convenient label in probability calculation formulae.

Often the construction of Fault Trees is a useful exercise in itself, for it provides an insight
into the possible failure modes of sometimes rather complex systems. However, the success
of Fault Trees is mainly due to the quantitative aspects. The probability calculus associated
with AND and OR gates is a direct result of the standard ways in which probabilities can be
combined (see Appendix I). It can be used to calculate the probability of an event occurring
within a certain time interval (alternatively the frequency of such an event) or the probability
of failure on demand (unavailability).

The definition of the top event is important both for deriving the appropriate logic and the
calculus of probabilities. Care should be taken to be very precise in defining the top event,
e.g. probability of a gas detection system to fail on demand, failure of deluge system in case
of a major fire, occurrence of a fire during a one year period, etc.

The following example deals with the probability of failure on demand of a fire protection
system. The system consists of two fire water pumps, each of which could supply 100 per
cent of the required capacity, and a single deluge valve. The Top Event of interest is: 'Failure
on demand of deluge system'. It is obvious in this example that the top event occurs when
either the deluge valve fails to open or when there is no water delivered to the valve. A
further breakdown shows that pump failure, pipe rupture or pipe blockage are possible
causes for not delivering water. Failure of the deluge valve to open can be caused by failure
of the valve itself or failure to activate the valve. The Fault Tree for the above sequences of
events is shown below:

Figure II.3: Fault Tree of deluge system

The rules for calculating the probabilities are given in Appendix I. For example, assuming
that the pumps are independent of each other and have a probability of failure on demand of
0.02, the probability of the event 'failure to pump water' is calculated as 0.0004.

P{PU1} = 0.02
----------- AND---> P{FTPW}= 0.0004
P{PU2} = 0.02

The assumption on independence of the events is essential. Very often the assumption is
incorrect. Possible links between the failures of the two pumps are:

• failure of electrical power supply (for electrical pumps)

• failure to fill common fuel tank (for diesel pumps)

• blockage of common suction line

• low level in river or tank from which water is supplied

• water in river frozen

• failure of common control system

• both pumps switched to local start because of a human failure to set switches on
automatic/remote after maintenance

• failure introduced in both pumps through wrong maintenance.

If such links can be identified it is recommended to restructure the Fault Tree. An example is
given below.

Figure II.4: Restructured Fault Tree

The calculation can now be performed using the rules from Appendix I:

P{LOW}  = 0.005
P{FUEL} = 0.004  --- OR ---> P{CMF} = 0.01
P{LEAK} = 0.001

P{PU1} = 0.01
                 --- AND ---> P{PUMP} = 0.0001
P{PU2} = 0.01

P{CMF}  = 0.01
                 --- OR ---> P{FTPW} = 0.0101
P{PUMP} = 0.0001

The probability of 'failure to pump water' is now calculated as 0.0101 rather than 0.0004, i.e.
a factor 25 difference. Note that the probability of failure to pump water by switching on one
pump is still 0.02 as used in the simple tree (Figure II.3).
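The two 'failure to pump water' calculations above, reproduced with a small gate-by-gate evaluator. This is an added example, not part of PTS 60.2210: the class and function names are assumptions, and shared_cause_tree is a constructed tree showing what happens when the common cause is drawn under each pump instead of being pulled out as in Figure II.4. The evaluator uses the exact OR rule from Appendix I, so P{CMF} is 0.00997 rather than the rounded 0.01.

```python
from collections import Counter
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Event:
    """Basic event with its probability of failure on demand."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """AND or OR gate; inputs are Events or other Gates."""
    name: str
    kind: str
    inputs: tuple


def basic_events(node):
    """Yield every basic event under node, once per place it is drawn."""
    if isinstance(node, Event):
        yield node
    else:
        for child in node.inputs:
            yield from basic_events(child)


def repeated_events(top):
    """Names of basic events drawn under more than one branch."""
    counts = Counter(event.name for event in basic_events(top))
    return sorted(name for name, n in counts.items() if n > 1)


def evaluate(node):
    """Gate-by-gate calculus of Appendix I; correct only for independent inputs."""
    if isinstance(node, Event):
        if not 0.0 <= node.p <= 1.0:
            raise ValueError(f"{node.name}: probability outside [0, 1]")
        return node.p
    if len(node.inputs) < 2:
        raise ValueError(f"{node.name}: a gate needs two or more inputs")
    probs = [evaluate(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(probs)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"{node.name}: only AND and OR gates are supported")


def evaluate_checked(top):
    """Refuse trees in which a repeated event breaks the independence assumption."""
    shared = repeated_events(top)
    if shared:
        raise ValueError(f"restructure the tree, shared events: {shared}")
    return evaluate(top)


def simple_tree():
    """Pump branch of Figure II.3: pumps treated as independent, 0.02 each."""
    return Gate("FTPW", "AND", (Event("PU1", 0.02), Event("PU2", 0.02)))


def restructured_tree():
    """Figure II.4 values: common mode failures pulled out into their own OR gate."""
    cmf = Gate("CMF", "OR", (Event("LOW", 0.005), Event("FUEL", 0.004),
                             Event("LEAK", 0.001)))
    pump = Gate("PUMP", "AND", (Event("PU1", 0.01), Event("PU2", 0.01)))
    return Gate("FTPW", "OR", (cmf, pump))


def shared_cause_tree():
    """Constructed: the same common cause drawn separately under each pump."""
    cmf = Event("CMF", 0.01)
    leg1 = Gate("LEG1", "OR", (Event("PU1", 0.01), cmf))
    leg2 = Gate("LEG2", "OR", (Event("PU2", 0.01), cmf))
    return Gate("FTPW", "AND", (leg1, leg2))


if __name__ == "__main__":
    naive = evaluate(simple_tree())
    correct = evaluate_checked(restructured_tree())
    print(f"independent pumps : {naive:.4f}")
    print(f"with common mode  : {correct:.4f}  (factor {correct / naive:.0f})")
    # The unchecked calculus on the shared-cause tree falls back to about 0.0004.
    print(f"shared, unchecked : {evaluate(shared_cause_tree()):.6f}")
    print(f"shared events     : {repeated_events(shared_cause_tree())}")
```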

It will be clear from the above example that major errors can be made by ignoring
dependence of events and the so-called common mode failures. Usually the risk analyst
cannot identify all failure causes and dependencies himself. Only the experienced
operator/design engineer has knowledge of all the details and circumstances that can lead to
system failure. An experienced risk analyst can ask the right questions, develop the logical
structure and calculate results. The combination of these persons is required to perform
successfully a Fault Tree analysis.

Another example is given below with scope for even larger errors by ignoring dependencies
between events. The example concerns the calculation of dispersion of a toxic gas.
Calculations show that lethal concentrations can reach a housing area under specific weather
conditions:

- low wind-speeds P{LOW} = 0.1;
- very stable weather (no turbulence) P{STABLE} = 0.1;
- wind in direction of houses P{DIREC} = 0.01.

The combined probability using AND gate calculus yields P = 0.0001. However, the events
are not independent: very stable weather at that location only occurs at low wind speeds
from a certain direction. Although the probabilities of the events were taken correctly from
the weather data the calculation was incorrect. The correct data can be obtained from
combined weather statistics and can be found to be in the order of 0.01, i.e. a factor 100
difference.

It will be clear from the above examples that it is essential to check on dependencies
between events in the Fault Trees. The results should especially be treated as suspect when
very low probabilities or event frequencies are calculated, e.g. of less than 1 in a million per
annum. It is very likely that events that will impact on all systems simultaneously have been
overlooked (e.g. floods, earthquakes, high winds, etc).

More information on Fault Tree analysis and tools to draw and evaluate Fault Trees can be
found in the references (see Refs. 5, 6, 7).

Mixing frequencies and probabilities

In QRA Fault Trees are mostly used to assess the branch probabilities in Event Trees. In
such trees all basic events shall be probabilities or unavailability.
Fault Trees are sometimes used to estimate the frequency of the top event of an Event Tree.
In such trees the basic events will be a mixture of frequencies, probabilities and
unavailability. An example of such a Fault Tree is given in Figure II.5.

Figure II.5 : Fault Tree with unavailability, probabilities and frequencies

The calculus of the tree is as follows:

GEN1 and GEN2 fail once per year and require on average 12 days repair. This information
shall be used to derive the unavailability of each of the generators:

The probability of the electrical power being unavailable can now be calculated by:
P(ELEC) = P(GEN1) x P(GEN2) = 0.001

Further:
P(PUMP) = P(DIES) x P(ELEC) = 0.0005
P(FTC) = P(DEL) + P(PUMP) - P(DEL) x P(PUMP) = 0.1
F(FIRE) = 1/year
F(SFE) = F(FIRE) x P(FTC) = 0.1/year
F(FEX) = 0.05/year
F(MF) = F(FEX) + F(SFE) = 0.15/year.
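The calculus above with the kind of each quantity carried along, so that a gate combining frequencies and probabilities in a meaningless way is rejected. This is an added example, not part of PTS 60.2210: the names are assumptions, the generator unavailability takes MTTF = 1 year (365 days) in the Appendix I formula, and P(DIES) = 0.5 and P(DEL) = 0.1 are not stated in the text but are back-calculated here from the results given for P(PUMP) and P(FTC).

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Quantity:
    value: float
    kind: str  # "prob": probability or unavailability; "freq": events per year


def prob(value):
    if not 0.0 <= value <= 1.0:
        raise ValueError("a probability must lie between 0 and 1")
    return Quantity(value, "prob")


def freq(per_year):
    if per_year < 0.0:
        raise ValueError("a frequency cannot be negative")
    return Quantity(per_year, "freq")


def unavailability(mttr, mttf):
    """Q = MTTR/(MTTR + MTTF) from Appendix I, both in the same time unit."""
    return prob(mttr / (mttr + mttf))


def and_gate(*inputs):
    """Product of the inputs; at most one of them may be a frequency."""
    n_freq = sum(q.kind == "freq" for q in inputs)
    if n_freq > 1:
        raise ValueError("AND gate: multiplying two frequencies has no meaning")
    return Quantity(prod(q.value for q in inputs), "freq" if n_freq else "prob")


def or_gate(*inputs):
    """Frequencies add; probabilities combine by the Appendix I OR rule."""
    kinds = {q.kind for q in inputs}
    if len(kinds) != 1:
        raise ValueError("OR gate: cannot combine a frequency with a probability")
    if kinds == {"freq"}:
        return Quantity(sum(q.value for q in inputs), "freq")
    return Quantity(1.0 - prod(1.0 - q.value for q in inputs), "prob")


def figure_ii5():
    """Reproduce the chain P(ELEC) -> P(PUMP) -> P(FTC) -> F(SFE) -> F(MF)."""
    # One failure per year and 12 days repair; MTTF = 365 days is an assumption.
    gen1 = unavailability(mttr=12.0, mttf=365.0)
    gen2 = unavailability(mttr=12.0, mttf=365.0)
    p_dies = prob(0.5)   # assumption: back-calculated from P(PUMP) / P(ELEC)
    p_del = prob(0.1)    # assumption: back-calculated from P(FTC) = 0.1
    f_fire = freq(1.0)   # F(FIRE) = 1/year, from the text
    f_fex = freq(0.05)   # F(FEX) = 0.05/year, from the text

    elec = and_gate(gen1, gen2)
    pump = and_gate(p_dies, elec)
    ftc = or_gate(p_del, pump)
    sfe = and_gate(f_fire, ftc)   # frequency x probability = frequency
    mf = or_gate(f_fex, sfe)      # frequency + frequency = frequency
    return {"ELEC": elec, "PUMP": pump, "FTC": ftc, "SFE": sfe, "MF": mf}


if __name__ == "__main__":
    for name, q in figure_ii5().items():
        unit = "/year" if q.kind == "freq" else ""
        print(f"{name:5s} {q.value:.4f}{unit}")
```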


Data sheets will have a consistent content and style to help the user locate information
quickly with the least chance of misinterpretation. The data sheets have been structured as
follows:

- scope

- key data

- further data

- ranking and application of data

- notes supporting data

The index of data sheets and their status is attached.

Table III.1 Index of data sheets, QRA data (May 1992) (Ref. 11)

Title                                                             Doc. No. F-RADS   Latest Rev.  Status

General
  Index                                                           01                A            Formal
  Introduction                                                    02                A            Formal

FARS - work related accident
  Small work related accidents                                    11                A            Formal
  Major accident severity                                         13                A            Formal

Top events
  Blowout and ignition                                            21                A            Formal
  Riser and pipeline leak and ignition                            22                A            Formal
  Process releases and ignition                                   23                A            Formal
  Vessel collision                                                24                A            Formal
  Natural hazards                                                 25                             Not started
  Massive structural failure                                      26                             Not started
  Accidental failures of major equipment and secondary structures 28                A            Formal
  Crane failures                                                  29                A            Formal

Safety systems and components
  Fire and gas detection                                          31                A            Formal
  Blow out prevention                                             32                A            Formal
  ESD and blowdown systems                                        33                A            Formal
  Fire protection systems                                         34A               A            Formal
  Firewater supply systems                                        34B               A            Formal
  Firewater distribution and water based systems                  34C               A            Formal
  Foam and gaseous systems                                        34D               A            Formal
  Escape and evacuation                                           35                A            Formal
  Human reliability in emergency                                  36                             Not started
  Natural and mechanical ventilation                              37                             Not started
  Emergency power systems                                         38                             Not started

Consequences from loads
  Vulnerability of humans                                         51                             Not started
  Vulnerability of plant                                          52                             Not started
  Cost to avert fatalities and injuries                           53                A            Formal

Transport risk
  Accidents on roads                                              61                A            Formal
  Accidents involving aircraft and helicopters                    62                A            Formal
  Casualties to vessels and men                                   63                A            Formal

APPENDIX IV

EXAMPLES OF QRA TO ILLUSTRATE THE NEED FOR COMPLETENESS AND
THE APPROPRIATE LEVEL OF DETAIL

Two examples are given to illustrate the principles and application of the approach outlined in
this report. A first simple example is related to helicopter operations for jungle seismic
surveys. A second example deals with offshore oil and gas operations.

Risk from helicopter operations for jungle seismic

To lay seismic lines in the jungle it is necessary to cut a narrow track through the jungle. In
areas of limited access it is sometimes unavoidable to use helicopters as a means of
transportation for people and supplies when carrying out seismic operations.

The helicopters are essentially used to move people and associated seismic equipment along
the line of seismic traverse. In general this requires that helipads (dimension 23 x 170 m) be
cut every 4-6 km along the line. These helipads will subsequently be used for a maximum of
forty take-offs and landings during acquisition of seismic data. The normal flight path in
such conditions is shown in Figure IV.1. The helicopter has sufficient clearance to miss the
top of the trees. However, if a twin-engined helicopter (normal practice in PETRONAS
jungle operations) loses the power of one of its engines during part of this flight path it is
possible that the climbing power is not sufficient to miss the trees while it is also impossible
to land safely. A crash into the trees is likely in such conditions.

Figure IV.1 Flight path of a helicopter involved in jungle seismic surveys

To avoid a crash from the loss of one engine during take-off, the Civil Aviation Authorities
require a longer airstrip for civil operations. Application of these rules for jungle seismic
would yield an airstrip with a length of 300 m. The question was therefore naturally raised
whether the size of the jungle seismic airstrips should be increased to improve the safety of
operations.


Drawing on statistics on the likelihood of failure of one engine during 4 critical seconds of
the flight path, the safety improvement per flight from a longer landing area can indeed be
demonstrated. However, the reduction in overall risk of a helicopter flight is small, of the
order of only a few percent. Considering other risks involved, the risk per kilometre of
seismic track shows the 'safety improvement' in a different light.

Figure IV.2 Potential loss of life related to helicopter operations for 100 km seismic line
in the jungle

Figure IV.2 shows the overall potential loss of life from such helicopter operation related
activities, including clearing the helicopter landing area. It can now be seen that a longer
landing area would actually increase the risk. This is partly caused by the increased potential
for accidents from clearing an additional 130 m of jungle and partly by the additional flights
that would have to be made to supply the crews clearing the next airstrip. Consideration of
all effects of a decision to change the airstrip size leads to a conclusion that differs from the
simple analysis concentrating on helicopter accidents during take-off.

Risk from development of an offshore oil field

Recently, studies have been performed by PETRONAS Group of Companies to determine
the feasibility of developing offshore resources with much simpler facilities and much lower
manning levels. The example deals with a field that can be produced using a platform with a
permanent manning of about 36. Alternatively it has been considered to develop the field
with a normally unmanned platform with facilities that have less redundancy. It was found
that the reduction in production availability is minimal whilst the cost of the platform is
reduced by 50 percent. The simple, normally unmanned, facility also has less safety related
equipment such as active fire protection systems. Escape means are similar to that of the
fully manned platform. Maintenance on such a platform is performed by a crew that is flown
in by helicopter from an onshore base.


The overall potential loss of life and the individual risk of death of personnel regularly
working on the platform are shown in Figures IV.3 and IV.4 ('Conventional' and 'Minimum'
respectively for the two cases described above).


Figure IV.3 Overall potential loss of life for several development options

Figure IV.4 Individual risk to regular platform personnel for several development options


The risk of a fatal accident whilst working on the platform would probably be somewhat
higher on the smaller platform as it has slightly less active safety provisions. The overall
potential loss of life for the project, from construction to abandonment, is lower because both
the number of people exposed to the hazards and their exposure time is much lower. The
individual risk for personnel, shuttling frequently to the offshore platform, is however much
higher for the smaller platform as a result of the relatively high risk associated with
helicopter flying.

The significant risk contribution from helicopter flying makes it clear that development
options involving less flying should also be considered. These options are also shown in
Figures IV.3 and IV.4. The second option from the top (Temporary Living Quarters) allows
maintenance personnel to stay on board overnight for jobs that last longer than, say, 10 hours.
The third option (Permanent Living Quarters), where a minimum crew stays on the platform
for longer periods, reduces the risk to the individual to a level that is comparable to that of
offshore workers on larger platforms. This solution leads to a lower risk to life without
putting personnel at greater individual risk than on other small platforms, i.e. it satisfies
society's and individuals' interests. Further reductions of individual risk from helicopter
flying are possible by concentrating maintenance in planned campaigns, shuttling personnel
from nearby platforms and less frequent crew changes.

The example shows that a reduction of overall risk to life does not necessarily reduce the risk
to an individual. Also in the helicopter example the risk to the individual pilot is higher for
the smaller landing area while the overall loss of life is lower. Similarly, it is found in many
cases that the number of additional accidents that may occur during fabrication, installation
and maintenance of safety devices is greater than their envisaged effect.

Erroneous conclusions can be drawn by concentrating on the overall potential loss of life as
this averages the risk over all personnel and all project phases. The example demonstrates
that individual risk provides additional insights. In the calculation of individual risk it is
important to differentiate between individuals that are most exposed to the hazards and
groups of people that are less exposed. Averaging over groups with widely differing
exposures to risks is misleading.
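The contrast between overall potential loss of life and individual risk can be reproduced with a small exposure model. The following is an added example, not part of PTS 60.2210; the manning figures, exposure hours, flight counts and risk rates are all assumed for illustration, as is the split of the 'Minimum' option into a maintenance crew and occasional visitors.

```python
# Added illustration: overall potential loss of life (PLL) versus individual
# risk (IR). Every rate and manning figure below is assumed, not from the PTS.

HELI_RISK_PER_FLIGHT = 1e-6  # assumed fatality probability per person per flight

# option -> (on-platform fatality risk per person-hour, personnel groups)
# each group: (name, head count, platform hours per year, flights per year)
OPTIONS = {
    "Conventional": (4e-8, [("regular crew", 72, 4380, 26)]),
    "Minimum": (5e-8, [("maintenance crew", 6, 1500, 300),
                       ("occasional visitors", 30, 40, 8)]),
}


def individual_risk(rate_per_hour, hours, flights):
    """Annual risk of death for one person: platform exposure plus flying."""
    return rate_per_hour * hours + HELI_RISK_PER_FLIGHT * flights


def assess(option):
    """PLL per year, IR per group, IR of the most exposed group, averaged IR."""
    rate, groups = OPTIONS[option]
    ir = {name: individual_risk(rate, h, f) for name, _, h, f in groups}
    pll = sum(n * ir[name] for name, n, _, _ in groups)
    heads = sum(n for _, n, _, _ in groups)
    return {"pll": pll, "ir_by_group": ir,
            "ir_max": max(ir.values()), "ir_averaged": pll / heads}


if __name__ == "__main__":
    for opt in OPTIONS:
        r = assess(opt)
        print(f"{opt:13s} PLL/yr={r['pll']:.2e}  most exposed IR={r['ir_max']:.2e}"
              f"  averaged IR={r['ir_averaged']:.2e}")
```

With these assumed inputs the 'Minimum' option has the lower PLL and the lower averaged IR, yet its maintenance crew carries a higher IR than anyone on the conventional platform, almost all of it from flying.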

Appropriate level of detail

Significant errors can be made in QRA by simplifying assumptions such as considering the
maximum credible accident, excluding infrequent accidents from an analysis or ignoring the
effects of time during the development of accident scenarios. The following two examples
illustrate this point. However, they have a much wider bearing than this particular example.

The first example deals with a floating production development in the North Sea, producing
oil from various subsea wells and re-injecting compressed gas into other wells. The flow
lines between the floating platform and the seabed are made of flexible pipe (Figure IV.5). A
Quantitative Risk Assessment was performed to assess the risk from a leak in one of the gas
re-injection lines. To this end the lines were divided into sections with different failure modes
or consequences, i.e. a subsea section remote from the platform, a subsea section near the
platform, a section from the connection at the pontoon to the splash zone, a splash zone
section and a deck section.


Figure IV.5 Offshore floating platform producing from subsea wells through flexible pipes


For each of these sections certain types of potential failure were identified and the likelihood
of certain hole sizes established either directly from statistical data or by using Fault Trees.
The physical effects of such releases and the possible consequences for people, assets and
production were estimated by the development of Event Trees. By multiplication of
probabilities and consequences, and summation over all Event Trees the overall potential
loss from a riser failure was established (Figure IV.6).

From this analysis it was found that one specific scenario, out of the many scenarios
developed from the Event Trees, contributed more than 90 percent to the overall risk from
riser failure. This was the scenario in which the gas jet from a medium-sized hole in the
splash zone ignited and impinged on one of the structural members of the platform. A larger
hole size would make a smaller contribution to the overall risk because the rapid
depressurisation of the line would result in such a short duration of the release that it could
not damage the structure. A smaller release hole, although 10 times more likely, could not
cause a flame of sufficient intensity to heat the structure.

Figure IV.6 Calculation of overall potential loss from a riser accident. Shading shows path
contributing 90 percent to overall potential loss

The identification of the main contributor to the overall risk, and the understanding of the
phenomena behind it, is a very important feature of QRA enabling effective safety
improvements to be developed. In this particular example safety improvements are possible
by reducing the duration of a potential release with, e.g., a blowdown valve on the platform to
rapidly depressurise the entire line or an isolation valve below the splashzone to shorten the
line section fuelling the fire. Consideration of a reasonable range of hole sizes was necessary
to identify the main risk contributor and recognise the accident scenario that could cause
disaster.


The second example illustrating the need for an appropriate level of detail is a QRA on an
installation with natural gas containing hydrogen sulphide. Calculations were performed to
establish the likelihood of a hazardous dose of hydrogen sulphide reaching outside the fence.
Detailed investigation of possible release scenarios showed that a pitting corrosion hole was
the only realistic scenario that could cause a significant release of gas. Corrosion experts
assessed a range of pitting corrosion hole sizes and estimated their likelihood.
Meteorological data for use in gas dispersion calculations were obtained from a local airport.
An initial calculation based on the most likely hole size and prevailing weather conditions
showed that a hazardous dose of hydrogen sulphide could not reach outside the fence. After a
more detailed analysis, however, it became clear that a slightly larger, but less likely, release
hole, combined with a less likely weather type could present a hazard outside the fence.

From the above examples it is concluded that the level of detail should be selected such that
it is possible to identify which combination of event size and probability contributes most to
the risk of a particular operation. This can be illustrated by a diagram in which the
probability of an event, possible consequences and potential loss are plotted as a function of
the size of an event.

Figure IV.7 Potential loss = Probability x Consequences

Postulating a specific frequency distribution for the event size, and a curve describing the
consequences as a function of the event size the potential loss can be found by multiplication
of the values of the two curves (Figure IV.7). The potential loss curve now indicates the area
in which effective safety measures can be taken. On the left side of the curve the
consequences are too small to cause concern, regardless of the frequency. On the right side
the consequences can be dramatic but the chances are so low that it may be better to invest
elsewhere in safety improvements. Safety improvements that concentrate on the events
contributing to the peak of the expected loss curve are the most effective.
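The multiplication behind Figure IV.7 can be worked through for the riser case, where a damaging fire needs both sufficient flame intensity and sufficient release duration. This is an added example, not part of PTS 60.2210; the hole sizes, frequencies, ignition probabilities, thresholds, loss values and the release-rate model are all assumed.

```python
# Added illustration of "potential loss = probability x consequences" per hole size.
# Every frequency, threshold and loss value is assumed, not taken from PTS 60.2210.

INVENTORY_KG = 5000.0    # assumed gas inventory feeding the leak
MIN_RATE_KG_S = 2.0      # assumed release rate needed for a damaging jet flame
MIN_DURATION_S = 600.0   # assumed impingement time needed to weaken a member
STRUCTURAL_LOSS = 500.0  # assumed loss (arbitrary units) if the member fails
LOCAL_LOSS = 1.0         # assumed loss for an ignited release with no structural damage

# (hole diameter in mm, leak frequency per year, ignition probability), constructed
HOLES = [(5, 1e-2, 0.01), (25, 1e-3, 0.05), (50, 3e-4, 0.10), (100, 1e-4, 0.30)]


def release_rate(d_mm):
    """Assumed model: mass flow in kg/s scales with hole area."""
    return 0.004 * d_mm ** 2


def consequence(d_mm, inventory_kg):
    """Structural loss needs both enough flame intensity and enough duration."""
    rate = release_rate(d_mm)
    duration = inventory_kg / rate  # bigger hole, faster depressurisation
    if rate >= MIN_RATE_KG_S and duration >= MIN_DURATION_S:
        return STRUCTURAL_LOSS
    return LOCAL_LOSS


def potential_loss(inventory_kg=INVENTORY_KG):
    """Potential loss per year for each hole size."""
    return {d: f * p_ign * consequence(d, inventory_kg) for d, f, p_ign in HOLES}


def dominant(losses):
    """Hole size with the largest potential loss and its share of the total."""
    d = max(losses, key=losses.get)
    return d, losses[d] / sum(losses.values())


if __name__ == "__main__":
    base = potential_loss()
    print("per hole size:", base, "dominant:", dominant(base))
    print("most likely hole only:", base[5], "largest hole only:", base[100])
    # Shorter release, e.g. blowdown or isolation valve, modelled as less inventory
    print("total with 1000 kg inventory:", sum(potential_loss(1000.0).values()))
```

Under these assumptions the 25 mm hole carries over 90 percent of the total, an analysis limited to the most likely or the largest hole misses it, and shortening the release removes the peak.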

GLOSSARY

A glossary of commonly used terms in HSE is given in PTS 60.0101 HSE Management
Systems Manual.

REFERENCES

1. Report No. 11.2/150, Quantitative Risk Assessment, E&P Forum.

2. G.C. van der Graaf and J.P. Visser, Risk Assessment in Exploration and Production,
SIPM, Paper presented at the 6th International Symposium on Loss Prevention and
Safety Promotion in the Process Industries, Oslo, June 1989.

3. Risk Assessment, A Study Group Report, The Royal Society, ISBN 0 85403 208 8,
1983.

4. Quantitative Risk Assessment - Review of Underlying Philosophy, EPO/63 SIPM,
November 1994.

5. E. J. Henley and H. Kumamoto, Reliability Engineering and Risk Assessment,
Prentice-Hall Inc, Englewood Cliffs, NJ 07632; ISBN 0-13-772251-6.

6. Publication of the Directorate-General of Labour, PO Box 69, 2270MA Voorburg,
Holland: Methods for Determining and Processing Probabilities (The Red Book),
Committee for the Prevention of Disasters caused by Dangerous Substances, Edition 1, 1988.

7. User's Manual, CARA, Computer Aided Reliability Analysis, August 1989.

8. Committee for the Prevention of Disasters caused by Dangerous Substances, The 'Green
Book' or 'Damage Book', Methods for the determination of possible damage to people
and objects resulting from releases of hazardous materials, First Edition 1992 CPR 16E.

9. EP Economics Guidelines, EPE/2, October 1993.

10. Health and Safety Executive, The tolerability of risk from nuclear power stations,
HMSO, London, December 1987 and 1992.

11. Guidelines for Risk Assessment Data: Data Sheets, SIPM EPO/63.

12. A.B. Fleishman, M.S. Hogh, BP, The use of cost benefit analysis in evaluating the
acceptability of industrial risks - an illustrative case study, Paper presented at the 6th
International Symposium on Loss Prevention and Safety Promotion in the Process
Industries, Oslo, June 1989.
13. Paper to Offshore Safety Conference, ALARP in Practice, Shell Expro, Aberdeen, 1-2
April 1993.

14. (EA/099) Rev.2, Code of Practice Use of QRA in Shell Expro, Shell Expro, Aberdeen,
UESE/1, 1993.

15. SPE Paper 27234, Hydrocarbon Leak and Ignition Database Project, E&P Forum.
