PTS 60.2210
Rev 1
JUNE 2006
PREFACE
PETRONAS Technical Standards (PTS) publications reflect the views, at the time of publication, of
PETRONAS Group of Companies and Joint Ventures.
They are based on the experience acquired during the involvement with the design, construction, operation and
maintenance of processing units and facilities. Where appropriate they are based on, or reference is made to,
national and international standards and codes of practice.
The objective is to set the recommended standard for good technical practice to be applied by PETRONAS'
Group of Companies and Joint Ventures in oil and gas production facilities, refineries, gas processing plants,
chemical plants, marketing facilities or any other such facility, and thereby to achieve maximum technical and
economic benefit from standardisation.
The information set forth in these publications is provided to users for their consideration and decision to
implement. This is of particular importance where PTS may not cover every requirement or diversity of
condition at each locality. The system of PTS is expected to be sufficiently flexible to allow individual
operating units to adapt the information set forth in PTS to their own environment and requirements.
When Contractors or Manufacturers/Suppliers use PTS they shall be solely responsible for the quality of work
and the attainment of the required design and engineering standards. In particular, for those requirements not
specifically covered, the Principal will expect them to follow those design and engineering practices which will
achieve the same level of integrity as reflected in the PTS. If in doubt, the Contractor or Manufacturer/Supplier
shall, without detracting from his own responsibility, consult the Principal or its technical advisor.
The right to use PTS rests with three categories of users:
2) Other parties who are authorised to use PTS subject to appropriate contractual arrangements.
Subject to any particular terms and conditions as may be set forth in specific agreements with users,
PETRONAS disclaims any liability of whatsoever nature for any damage (including injury or death) suffered
by any company or person whomsoever as a result of or in connection with the use, application or
implementation of any PTS, combination of PTS or any part thereof. The benefit of this disclaimer shall inure
in all respects to PETRONAS and/or any company affiliated to PETRONAS that may issue PTS or require the
use of PTS.
Without prejudice to any specific terms in respect of confidentiality under relevant contractual arrangements,
PTS shall not, without the prior written consent of PETRONAS, be disclosed by users to any company or
person whomsoever and the PTS shall be used exclusively for the purpose they have been provided to the user.
They shall be returned after use, including any copies which shall only be made by users with the express prior
written consent of PETRONAS. The copyright of PTS vests in PETRONAS. Users shall arrange for PTS to be
held in safe custody and PETRONAS may at any time require information satisfactory to PETRONAS in order
to ascertain how users implement this requirement.
CONTENTS
Preface
1. Introduction
1.1 Background
1.2 Objectives
1.3 Scope
1.4 Limitations
3. Risk Quantification
4. Presentation of Results
5.4 Legislation
7.4.3 Training
8.1 Databases
8.2.2 HGSYSTEMS
8.2.3 SCOPE
8.2.6 General
8.3.2 PLATO
8.3.4 SAFETI
8.3.5 CARA
8.3.6 ASPIN
Appendices
Glossary
References
1. INTRODUCTION
1.1 BACKGROUND
There are a number of different tools and techniques available within the Hazards
and Effects Management Process (HEMP) for the assessment and control of
industrial risk. They are not mutually exclusive, each having appropriate
applications. One of these, Quantitative Risk Assessment (QRA), is a powerful
decision-making tool which can assist in the selection of acceptable solutions to
safety problems. This technique can be defined as the formal and systematic
approach to identifying hazards, potentially hazardous events, and estimating
likelihood and consequences to people, environment and assets, of incidents
developing from these events. The total process of risk analysis, interpretation of
results and recommendations of corrective actions is usually called 'Risk
Assessment'.
In the last few years, QRA has gained a wide acceptance as a powerful tool to
identify and assess the significant sources of risk and evaluate alternative risk control
measures in PETRONAS's business. Extensive use has been made of quantification
methods such as Fault Tree Analysis and Event Tree Analysis. Physical effects
modelling has also been applied extensively to estimate the severity and
consequences of specific incident scenarios. Much experience has been gained in
presenting the results of all this work in a consistent and understandable format,
providing interpretations of the results and recommending the most appropriate
improvements.
With the introduction of safety (HSE) management systems and Safety (HSE) Cases,
the role of QRA in the HEMP has become more clearly defined. Few major projects
are now contemplated without the risks first being quantified. This trend is expected
to continue in the future with QRAs being carried out at all phases of projects from
feasibility studies to refurbishment of ageing facilities, both on- and offshore.
1.2 OBJECTIVES
This manual builds on the experience gained to date and provides an outline of QRA
techniques and their utility in all sectors of the business. The objectives of the manual
are:
• to provide essential information to review QRA studies and interpret their results.
1.3 SCOPE
The QRA process can be represented by the flowchart in Figure 1.1. This flowchart is
used as a framework for this guidance document.
This guidance begins with a scene-setting discussion on the use and misuse of QRA
(Chapter 2). Here concerns that the technique may not always be used appropriately
and the current thinking regarding when risks should be quantified are outlined. The
QRA process is then traced as follows:
o hazard identification
o method of analysis
o summation of risks
o methods available
o yardsticks
o ALARP
o improvement recommendations
o communication
o appropriate application
o databases
o PC programs
Chapter 9 describes the role of PETRONAS with respect to QRA within its activities.
1.4 LIMITATIONS
The manual is not a detailed guide to the suite of techniques and computer programs
in use in QRA, although some of the more significant programs are mentioned.
Although the information provided is also essential reading for the experienced risk
analyst it is certainly not sufficient as a training for risk analysts. Reference is made
to detailed QRA text books.
Many of the views expressed in this document on the utility of risk assessment have
also been presented outside PETRONAS Group of Companies. The E&P Forum
position paper on QRA (Ref. 1) is fully in line with the ideas expressed in this
manual. The paper prepared for the Oslo 1989 Loss Prevention Symposium (Ref. 2)
is also based on the ideas in this manual. The document is therefore not limited to
PETRONAS operations; its terminology and ideas can be used in discussions with
partners, regulatory bodies and authorities.
The preface to this report may be considered useful for any QRA report issued by
PETRONAS or PETRONAS OPUs. The wording has been carefully chosen in order
to avoid the impression that QRA is used to calculate and justify acceptance of risks.
The first two paragraphs are quoted literally from PETRONAS's HSE policy; this
wording shall not be changed other than to bring it in line with any subsequent
changes in the wording of the policy.
Once hazards and hazardous events have been identified, their causes, consequences
and probability can be estimated and the risk determined. Risk assessment may be
on a qualitative or quantitative basis. Both involve the same steps. Qualitative
methods may be adequate for risk assessments of simple facilities or operations
where the exposure of the workforce, public, environment or the asset is low.
However, the application of quantitative methods is considered to be desirable
when:
• several risk reduction options have been identified whose relative effectiveness is
not obvious
• the exposure to the workforce, public, environment or the strategic value of the
asset is high, and reduction measures are to be evaluated
• novel technology is involved resulting in a perceived high level of risk for which
no historical data is available (eg deep water developments in hostile
environments)
• demonstration of relative risk levels and their causes to the workforce is needed
to make them more conscious of the risks
• demonstration within the OPU and to third parties, including the regulating
authorities, that risks are as low as reasonably practicable is required.
The application of QRA should not be limited to large complex expensive studies. It
is a technique which can be used quickly and cheaply to help structure the solution
to problems for which the solution is not intuitively obvious.
Risk is often defined as a function of the chance that a specified undesired event will
occur and the severity of the consequences of the event. When risk is assessed
qualitatively a Risk Matrix may be used. When assessed quantitatively, risk is
derived from the product of chance and potential consequence. For QRA purposes,
chance is usually expressed as the frequency of occurrence. If no attempt is made to
estimate the frequency, we may be driven by the consequence into investing heavily
on risk reduction measures which are ineffective.
Many are concerned about the accuracy of the quantification and use this as a reason
why the technique should not be applied. However, whether we realise it or not, we
are always making implicit comparative quantification whenever we make a
decision. What we gain with QRA is a structured assessment of the risk instead of an
intuitive type of quantification. The numbers used in a QRA may be very
approximate, but at least we have broken down the problem into its basic elements
and made an objective judgement for each of these elements rather than an overall
judgement on a largely subjective basis. However, when there are a large number of
situations to be analysed, it may be advantageous to precede the QRA study by a
consequence analysis. This may filter out the cases where a full QRA would not add
additional information (ref. 6.8). See also 7.1.1 and 7.1.2 for advice on the use of
QRA.
There are several situations in which QRA has been and is being misused. This misuse is
not necessarily deliberate but can arise from a misunderstanding of the QRA process.
A common form of misuse results from the desire to prove that a deviation from
company standards or practices is 'acceptably' safe. As with any type of study, it is
always possible for the less scrupulous to steer the process so that the conclusions are
biased towards a preconceived goal. No-one gains from this. Unless the study is
carried out objectively and with an open mind, ill-conceived decisions may be made
and the opportunity missed to reduce risks. In principle, the use of QRA to challenge
the need for retrofitting to revised standards and to aid in the development of
standards and procedures should be encouraged. However, such assessments must be
carried out objectively with the overall aim of reducing risks to ALARP (as low as
reasonably practicable) (see 5.1 and 5.6). Under no circumstances should QRA be
used to justify or encourage risk taking.
Adoption of the concept that something can be 'acceptably' safe is also a source of
misuse. The only level of risk which is truly acceptable is zero. Whatever we do has a
risk associated with it and therefore, in practice, an acceptable risk level is
unattainable. Society and industry tend to agree that the dividing line between
tolerable and intolerable risk of fatality to those individuals that obtain commensurate
benefits from the activity is around 10⁻³ per year. Below this level, provided
individuals are aware of the risks, enjoy some commensurate benefit and everything
reasonable has been done to reduce the risk, risks may be tolerated (Ref. 3). The aim
of the management of risks in this tolerable region is not to reduce risks to some
fixed 'acceptable' level but to reduce them until they are ALARP. The resulting actual
risk levels could thereby be different for different projects but with the common
feature that they are ALARP for that project.
2.2.3 Representing reality rather than force fitting into a rigid model
Another criticism of the way some of our QRAs are carried out is that they are too
mechanistic. Risk assessment is a process by which one tries to represent reality by
a much simplified model. It is important that the modelling should not be forced into
a preconceived model template structure, but that each study should be modelled to
include all areas which impact the risk levels.
Figure 2.6 Representing reality rather than force-fitting into a rigid model
One criticism of the application of QRA in the past is that studies have focused too
much on mitigation of the consequences of hazardous or top events and too little
attention has been given to looking for ways to reduce the likelihood or eliminate the
top event itself. Once the top events have been identified, their occurrence should not
just be accepted but effort should be spent on seeking ways to eliminate them -
prevention is better than cure!
It is also important that the right boundaries are drawn around the options so that one
is comparing like with like.
In some projects, QRA is still regarded as the sole province of QRA experts. A
consequence of this is that the experts, usually consultants, may be asked to carry out
a QRA study with insufficient thought having been given to the objectives and
benefits of the study. Also, there is a danger that the study will be carried out with a
minimum involvement of those that are directly involved in the business being
analysed. The possibility then exists that the assumptions (including the operating
philosophy) and data used will bear little relationship with reality. The study is then
of little value.
It is imperative that the relevant staff are involved throughout the study to ensure that
the right assumptions are being made and are correctly used. It is also essential that
any assumptions made in a QRA study of new projects are carried through into the
HSE Case and Asset Reference Plan. Also, for existing facilities, the results of a
QRA should be fed back into the HSE Case.
The blind use of data needs to be avoided. There are various sources of data.
However, not all are reliable and not all will be applicable to the operation under
study. When the reliability or applicability of the available data is in question it is
important that this is highlighted. For data which has a significant impact on the risk
picture, a separate study should be made to evaluate the probable range of
uncertainty. Sensitivity runs should then be carried out to test the robustness of the
analysis.
For cases where the data is so uncertain that no conclusions can be drawn regarding
the relative safety of the options considered, this should be highlighted in the report.
Significant errors can be made in QRA by not using the level of detail appropriate to
the objective of the study. The level of detail should be selected such that, for
instance, it is possible to identify which combination of event size and probability
contributes most to the risk of a particular operation.
Areas of QRA which have recently been the subject of debate include the distinction
between controllable and uncontrollable risk with respect to structural reliability
analysis, risk aversion, cyclic risk and the summation of risk from different project
phases. The debate surrounding these issues is summarised in a position paper (see
Ref. 4).
3. RISK QUANTIFICATION
A quantification of the risks of past Oil and Gas and Petrochemical activities can be
provided by incident statistics. It is likely that the risk of Oil and Gas and
Petrochemical activities in the future would be identical to past risks if these
activities were to be performed with the same means, measures and safety
management as used in the past. However, different techniques for performing the
Oil and Gas and Petrochemical activities have been developed over the years and
safety improvements have been identified and carried out. Quantification of future
risk therefore requires a methodology that makes it possible to take account of these
differences and improvements.
The methodology outlined in this document makes it possible to analyse the risk for
future operations and give credit for improvements in design, engineering and
operational procedures. Methods which give credit for the quality of safety
management are being developed but are not yet proven; the results of QRA where
these tools have not been applied are therefore representative of an average quality of
management at all levels of the organisation, industry wide.
In order to set the scene for quantification of future risks, the nature of incidents in
Oil and Gas and Petrochemical is discussed first. The quantification methodology
is presented thereafter.
During the past years a number of personnel (PETRONAS Group of Companies and
contractor staff) died in work-related incidents and there were thousands of Lost
Time Injuries (LTIs). Many incidents occurred with significant damage to
installations and loss of production. QRA can be used to estimate all these risks;
however, the emphasis is usually on the potential for loss of life. The fact that
measures to reduce the risk to people usually also reduce risk to assets and
production is however a welcome argument to strengthen the justification for
pursuing risk reduction.
In the 1980s QRA concentrated on major incidents such as fires, explosions, releases
of toxic materials, collisions, etc. The emphasis on these major incidents has often
detracted from the smaller incidents where a person chose to do the wrong thing in
the wrong place at the wrong time, with or without knowing the risk he was taking.
Also transport-related incidents were often excluded from the analysis as this was
usually considered to be outside the control of the company.
An analysis of the fatal incidents in the industry (Figure 3.1) shows that, on average
over all operations, major incidents such as explosions and fires make a relatively
small contribution to the number of fatalities in the industry operations.
Opportunities to reduce risks in these shaded areas can often be identified by QRA,
but it should be realised that only a part of the total risk is addressed and that the
overall safety improvement may be small. Also, efforts to reduce risk in one cell of
the matrix may affect risks elsewhere. For example, the installation of extensive fire
detection and deluge systems on small, normally unmanned platforms, may reduce
the loss of lives, assets and production but many man-hours and materials will be
required to install and maintain this equipment. This has an effect on the project
economics and it exposes more personnel to the hazards of work offshore. Moreover,
incidents can occur during transportation of the additional personnel to the offshore
locations. The net effect of the safety measure on the safety of personnel and on cost
effectiveness may therefore be less than expected. A comparison of options should
therefore take all elements of the matrix into account, i.e. all project phases and all
types of risk. The next chapter describes how these types of risk can be analysed and
merged together.
Under guidance of a risk assessment specialist, but with input from the various
disciplines, the quantification of risks from major incidents is performed in the
following steps:
The potentially hazardous event is usually called the 'top event'. Examples of such
top events in industry operations are:
• reactor failure
Formal approaches exist to identify hazards and top events, e.g. Hazard Identification
(HAZID), Hazard and Operability studies (HAZOP) and Failure Mode and Effect
Analysis (FMEA). Reference should be made to the HSE Manual Volume 3 for
further details. These techniques provide some assurance that potentially hazardous
events will be revealed. Checklists, such as the hazard hierarchy checklist incorporated
in the HSE MS IT tool THESIS, are sometimes used to aid top event identification.
Imagination combined with experience is probably the most powerful tool
for identification of events that may create incidents ('creative destructive thinking').
In this identification stage it is important to list all hazardous events and not to start
Once the hazardous or top events have been identified, their occurrence should not
just be accepted but effort should be spent on seeking ways to eliminate them -
prevention is better than cure! (see 2.2).
Hazardous events do not necessarily cause loss of life or damage. The development
of the top event into a serious incident depends on the effect of mitigating factors,
e.g. an un-ignited hydrocarbon release in a module can be sensed by gas detectors
activating a shutdown system. If immediate ignition occurs, fire detectors can
activate shutdown and deluge systems prior to further escalation. Similarly,
intervention by human beings can also affect outcomes.
The formal techniques to project this development of events into incidents are Event
Trees. They provide a diagrammatic and systematic presentation of this development
and make it possible to include opinions of experienced personnel.
An example of an Event Tree is given in Figure 3.3. The top event is a hydrocarbon
release in an offshore platform module. The questions are phrased in such a manner
that escalation of the event appears on the right hand branch. Each of the branches
terminates at the bottom of the tree in an 'outcome' or 'end event'. As each of the
'outcomes' reflects a particular development of a hazard into an incident it is also
referred to as the 'incident scenario'.
The questions are arranged in chronological order, so that reading one particular path
through the tree, from 'top event' to 'end event' presents a story, e.g. 'A hydrocarbon
leak; does not ignite immediately; is detected by gas detection system; release
continues because shutdown system fails; delayed ignition causes explosion'.
The action, or inaction, of people during an emergency can have a profound effect on
how scenarios may develop and the consequences therefrom. (Similarly on the
causes of hazardous events). Techniques and tools to aid this aspect of an assessment
are addressed in human factor analysis described in section 6.2.
This is a relatively young area of application study within the Oil and Gas and
Petrochemical activities and within QRA and there remains wide scope for
development (Refer also to 6.2).
The calculation rules for Event Trees are extremely simple: the frequency of the end
events is found through multiplication of the top event frequency by the probabilities
along the branches that lead to the end event. A necessary condition is that the
estimates for branch probabilities take account of the circumstances developed by
preceding branches. To this aim the chronological sequence of the branch questions
is essential.
Note that the top event likelihood is expressed as a frequency (i.e. number of
occurrences per unit time). The branch probabilities are real probabilities, i.e. a
number between 0 and 1 (dimensionless). Each 'outcome' or 'end event' likelihood is
again expressed as a frequency.
independent of each other (Note: in Event Trees the events are dependent on all
previous events).
Note that the Event Trees are used for the 'forward' analysis to project the
development of scenarios following the occurrence of an event, while Fault Trees are
used for the 'backwards' analysis, tracing back the possible causes of an identified
event. This is shown in a cause-consequence diagram, Figure 3.6.
Fault Trees may also be used to trace back the possible causes and, if quantified,
probability for branches in an Event Tree.
Appendix II provides additional guidance for the construction and calculus of Fault
Trees and illustrates several of the pitfalls present in Fault Tree analysis.
The techniques for calculating frequencies and probabilities in Fault and Event Trees
are well documented (see Refs. 5, 6, 7) and relatively simple. However, there are
numerous pitfalls for the inexperienced user. For example, ignoring the dependence
between events in Fault and Event Trees can lead to errors of several orders of
magnitude.
Unlike Event Trees, Fault Trees do not account for sequence or time. This, together
with the pitfalls outlined in Appendix II, demands care by the analyst and tends to
limit their use for risk analysis. Use of Fault Trees is more appropriate for reliability
analysis.
More information on estimation of failure probabilities and frequencies is given in
Appendix III.
Throughout the construction and analysis of Fault and Event Trees, assumptions will
have to be made regarding the ways in which the facilities are operated and
maintained. It is important that those persons with the appropriate experience and
expertise (e.g. production operators) are consulted regarding these assumptions. It is
essential to list these assumptions and to include the assumptions in the HSE Case so
that a full traceability of results is achieved.
An assessment of the consequences is required for the scenarios in which the failure
of safety systems and the absence of mitigating factors leads to an escalation of the
hazardous event (e.g. escalation of initially controllable releases of hydrocarbons into
major fires and explosions, waterway pollution, etc).
An important input to these calculations is the release (or leakage) rate. As the hole
size is estimated on the basis of statistical data and hole shapes are simplified it is
difficult to be precise. The difference between a small release from either a 0.5 inch
or 1 inch hole may seem irrelevant in statistical data; however, the release rate differs
by a factor of 4. The calculated physical effects based on these release rates may also
differ significantly.
Another important aspect of the release rate calculation is its time dependence.
Usually inventories of hydrocarbons and toxic materials are limited or can be limited
by ESD systems. The release rate will therefore decline with time.
Once the (time dependent) release rate has been estimated the calculation of physical
effects will depend on many other factors. Figure 3.7 provides an overview of the
various physical effects following a release. Many computer programs exist for the
calculation of these effects (see Chapter 8). In all cases these calculations are strongly
dependent on a large number of physical (density, toxicity, burning rate),
environmental (wind, stability, humidity, temperature) and geometrical (obstructions,
confinement, etc) parameters which are either unknown or cannot be modelled
accurately. Refer also to PTS 60.2211 Physical Effects Modelling.
Physical effects calculations can thus only be used to provide an indication of the
extent of the physical effects. Such calculations cannot be used to define accurately
the location at which a given level of effects will be exceeded. In incident scenarios
such as collisions causing structural damage, etc other calculations may be required
to assess consequences.
The physical effects calculations together with knowledge of the relative proximity
of other equipment (vessels, tanks, etc) will allow escalation routes to be identified.
These routes are then further developed using Event Trees. The effectiveness of
control/mitigation/recovery measures is also modelled in the Event Tree. For
example, given a jet flame at a particular location, the chances of safe escape of
personnel can be evaluated taking into account evacuation possibilities, the potential
for rapid escalation of the incident, etc. The effect of smoke also needs to be
assessed.
Estimates of the consequences to people, environment and resources (Ref. 8) are then
made with the input from the appropriate experts (who may also use modelling
techniques, such as those for the prediction of the movement of people within
escalation scenarios, and those for prediction of river pollutant flows). These
estimates require information regarding average numbers of the different types of
worker likely to be present at various times and locations, environmental effect data
and replacement costs for damaged equipment.
and 5.7.4).
Having assessed the frequency and consequence for each of the incident scenarios of
the Event Tree, it is possible to calculate the statistically expected loss for each
scenario by multiplication of frequency and consequence. The total statistically
expected loss can be calculated by summation of the loss over all scenarios.
The use of the statistical expression 'expected' has serious drawbacks in QRA as it
creates the impression that we expect the loss to occur with an almost mathematical
certainty. It is recommended to use the expression 'potential' instead, as this supports
the views expressed in the preface of this report that incidents can be avoided.
The potential loss from one hazardous event can thus be calculated by:
where 'n' is the number of outcomes developing from one hazardous event, F is the
frequency and C the consequence of each outcome.
The potential loss from all hazardous events identified can be calculated in a similar
fashion. This calculation scheme is shown in Figure 3.8.
Figure 3.8 Scheme for calculation of potential loss from incident scenarios
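The Event Tree calculation rules and the potential loss summation described above can be worked through in code. The following is an added example, not part of the PTS: the tree follows the hydrocarbon release story quoted in the text, while the top event frequency, every branch probability and every consequence value are constructed for illustration.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Outcome:
    """End event ('incident scenario') with its consequence per occurrence."""
    name: str
    consequence: float  # constructed value: fatalities per occurrence


@dataclass(frozen=True)
class Question:
    """Branch question, phrased so that 'yes' is the escalating branch."""
    text: str
    p_yes: float  # probability of 'yes', conditional on all earlier answers on this path
    yes: "Node"
    no: "Node"


Node = Union[Outcome, Question]
EndEvent = Tuple[str, float, float]  # (story, frequency per year, consequence)


def end_events(frequency: float, node: Node, story: Tuple[str, ...] = ()) -> List[EndEvent]:
    """Multiply the top event frequency by the probabilities along each path."""
    if isinstance(node, Outcome):
        return [("; ".join(story + (node.name,)), frequency, node.consequence)]
    if not 0.0 <= node.p_yes <= 1.0:
        raise ValueError(f"branch probability out of range at {node.text!r}")
    return (
        end_events(frequency * node.p_yes, node.yes, story + (f"{node.text} yes",))
        + end_events(frequency * (1.0 - node.p_yes), node.no, story + (f"{node.text} no",))
    )


def potential_loss(events: List[EndEvent]) -> float:
    """Sum of frequency x consequence over all outcomes of one hazardous event."""
    return sum(freq * cons for _, freq, cons in events)


def delayed_ignition(p_yes: float, tag: str) -> Question:
    # The same question appears on two paths with different probabilities,
    # because each estimate depends on what happened earlier on that path.
    return Question("delayed ignition?", p_yes,
                    yes=Outcome(f"explosion ({tag})", 5.0),
                    no=Outcome(f"unignited dispersal ({tag})", 0.0))


TOP_EVENT_FREQUENCY = 1.0e-2  # constructed: hydrocarbon releases per year

TREE = Question(
    "immediate ignition?", 0.10,
    yes=Question("fire detection and deluge fail?", 0.10,
                 yes=Outcome("escalating fire", 2.0),
                 no=Outcome("controlled fire", 0.0)),
    no=Question("gas detection fails?", 0.05,
                yes=delayed_ignition(0.50, "release undetected"),
                no=Question("shutdown fails?", 0.02,
                            yes=delayed_ignition(0.30, "shutdown failed"),
                            no=Outcome("release isolated", 0.0))),
)

if __name__ == "__main__":
    events = end_events(TOP_EVENT_FREQUENCY, TREE)
    for story, freq, cons in events:
        print(f"{freq:.3e}/yr  C={cons:<4} {story}")
    # End event frequencies must add up to the top event frequency.
    assert math.isclose(sum(f for _, f, _ in events), TOP_EVENT_FREQUENCY)
    print(f"potential loss: {potential_loss(events):.4e} fatalities/yr")
```

Checking that the end event frequencies sum back to the top event frequency is a cheap guard against a branch that has been dropped or double counted.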
3.2.7 Major incident risk to people calculated on the basis of exposure hours
In a more cursory type of QRA it is often desirable to calculate risks due to major
incidents on the basis of an estimated Fatal Accident Rate (FAR: fatalities/100
million exposure hours) and exposure to particular hazards. This type of estimation
is often applied in the earlier phases of a project.
The FAR could also be calculated from the potential for loss of life from all major
incidents (as calculated in 3.2.6) divided by the number of hours that people are
exposed to this hazard.
The economic loss from transport and small work-related incidents is usually small;
however, the loss of life can be significant. The quantification of risks from these
incidents therefore concentrates on fatality risk. The calculation is usually based on
the following steps:
• determine the exposure (e.g. in man-hours) to these activities for each individual
or group of individuals exposed to similar risks
• derive from statistical information a Fatal Accident Rate (FAR) for each activity
(FAR expressed in fatalities/100 million hours exposure)
• for each activity: multiply exposure hours by FAR; summation over all activities
yields the potential loss from transport and small work-related incidents.
The calculation for 'm' different activities can be presented in formula form:
Potential loss where it relates to human fatalities is labelled potential loss of life,
PLL.
Depending on the statistical data available, exposure can also be expressed per
operation, e.g. a well drilled, a transport trip or a platform installation.
In combination with the calculation method mentioned in 3.2.7, the above way of
calculating risk is a powerful tool to provide an overview risk picture.
The risks to people calculated by one of the previously described methods can be
merged in order to arrive at the risk for an entire operation or development. One way
of merging the results is by summation of the potential loss over all types of hazards
(major, small and transport) over all relevant project phases. The scheme for such a
calculation for PLL is presented in Figure 3.9.
The above has outlined the process whereby the PLL can be estimated. If PLL alone
is used as a measure of risk, then the situation may arise whereby a project option
with the lowest PLL exposes some types of worker to a higher risk than for other
options. Hence it is essential that, in addition to PLL, the individual risk to the most
exposed workers is also assessed. (Also referred to as occupational risk and described
further in 4.4).
Individual risk is calculated in a similar manner to PLL. The difference is that the
risk is 'personalised'. That is, the work pattern of a particular worker is studied and
each risk to which that worker is exposed is summated over a defined period, usually
one year. Periods outside of the direct influence of the company are not counted, i.e.
periods at home and on leave are excluded. The risks associated with transport to and
from the workplace are only included if the transport has to be provided by the
company (e.g. helicopter flights).
Individual risk is usually expressed as risk of fatality per annum (IRPA) for a named
type of worker. The worker is assumed to be representative of that type of worker
(e.g. driller, production operator, maintenance operator, etc). It is important that the
Event Trees are set up at the start of a QRA study with a view to facilitating the
calculation of individual risk. If this is not done, calculation of individual risk can be
time consuming.
personnel can be assessed taking into account their involvement with a single
platform. With minimum intervention or not normally manned facilities, operators
and maintenance workers are likely to divide their time between several platforms
potentially giving rise to very high individual risk levels from helicopter risk
exposure. Consequently, the individual risk must be assessed not on a single facility
basis but on a worker work schedule basis. Hence the operator and maintenance
worker annual work schedules need to be reviewed in order to reduce exposure of the
individual to helicopter risks as much as possible.
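The exposure-hours method and the work-schedule view of individual risk described above, as an added Python example that is not part of the standard. The FAR values, head counts and annual schedules are constructed for illustration; they show how the option with the lower PLL can still carry the higher IRPA for its most exposed worker type.

```python
# FAR is expressed in fatalities per 100 million exposure hours.
FAR_BASE_HOURS = 100_000_000

# Constructed FAR values per activity (illustrative, not statistics from the standard).
FAR = {"platform_work": 4.0, "helicopter": 250.0}

# Constructed options: worker type -> (head count, annual exposure hours per activity).
OPTIONS = {
    "A_manned_platform": {
        "operator": (40, {"platform_work": 2000, "helicopter": 20}),
        "maintenance": (20, {"platform_work": 2000, "helicopter": 20}),
    },
    "B_not_normally_manned": {
        "operator": (10, {"platform_work": 1000, "helicopter": 40}),
        # One crew shuttles between several platforms: fewer work hours, more flying.
        "maintenance": (10, {"platform_work": 1500, "helicopter": 120}),
    },
}


def irpa(schedule, far=FAR):
    """Individual risk per annum: sum of (exposure hours x FAR) over one worker's year."""
    return sum(hours * far[activity] for activity, hours in schedule.items()) / FAR_BASE_HOURS


def option_pll(option, years=1.0):
    """Potential loss of life: exposure x FAR summed over all workers and activities."""
    return years * sum(headcount * irpa(schedule) for headcount, schedule in option.values())


def most_exposed(option):
    """Return (worker type, IRPA) for the worker type with the highest individual risk."""
    worker = max(option, key=lambda w: irpa(option[w][1]))
    return worker, irpa(option[worker][1])


def exposure_hours(option):
    """Total annual exposure hours for everyone in the option."""
    return sum(headcount * sum(schedule.values()) for headcount, schedule in option.values())


def far_from_pll(pll, hours):
    """Back-calculate an overall FAR from a PLL and the hours exposed to the hazard."""
    return pll / hours * FAR_BASE_HOURS


def compare(options=OPTIONS):
    """Summarise each option by annual PLL, overall FAR and most exposed worker type."""
    rows = {}
    for name, option in options.items():
        pll = option_pll(option)
        worker, risk = most_exposed(option)
        rows[name] = {
            "pll_per_year": pll,
            "far": far_from_pll(pll, exposure_hours(option)),
            "most_exposed": worker,
            "max_irpa": risk,
        }
    return rows


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name}: PLL/yr={row['pll_per_year']:.2e}  FAR={row['far']:.1f}  "
              f"most exposed={row['most_exposed']} (IRPA={row['max_irpa']:.1e})")
```
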
The type of situation discussed above can also occur when contractor staff are only
employed for short periods. Care has to be taken to ensure that this type of person is
not exposed to very high risks for short periods which are masked by the fact that
either risk tends to be averaged over a period of one year or longer or the individual
is only involved with the project for a short period before moving to another contract.
Similar arguments can apply, say, when considering possible peak periods of risk to a
company or contractor employee which may be masked by the fact that risks tend to
be averaged over a period of one year or longer. Such peaks may, for instance, be
associated with periods of intense construction activity. There is a case for assuring
that risks are ALARP at each stage of the project.
The QRA carried out for onshore plants is similar, and is more critical because such
plants are normally situated in areas where there are people in the surroundings. The
cases have to be assessed taking into consideration the impact on the surrounding
areas, and the public factor has to be considered.
4. PRESENTATION OF RESULTS
Various methods are available to present the risk ranging from simple tables to
complex graphs. The most basic presentation of risk from work- and transport-related
incidents is a table with the potential loss of life per activity. Another very basic form
of presenting risk from major incidents is by showing the Event Tree with
frequencies, consequences and their product for each of the incident scenarios
(Figure 4.1). It gives an immediate indication of the most serious incident scenario,
the most frequent one and the most damaging one in terms of potential loss.
Figure 4.1 Most basic form of presenting risks from major incidents
A commonly used presentation form for risk to the public is the so-called risk
contour. The number at this contour represents the frequency at which a person,
assumed to be permanently present at the location of the contour, sustains a given
level of harm.
An important aspect of the definition is that the risk is related to a particular location,
which in general is not the same as distance to the source. For example, prevailing
winds may result in the same individual risk at different distances.
The example shown in Figure 4.2 is, by necessity, illustrative. In practice, a risk
contour would be developed by calculating the cumulative risk at any one point in
space as a result of all potential hazardous events likely to occur within a facility.
In practice the cumulative frequency of a potential event with 'N' fatalities is plotted
against 'N'. Figure 4.3 is an example of a cumulative F/N plot, generally called the
Cumulative Frequency Graph. This graph shows the probability of N or more
fatalities occurring. Such graphs tend to be of interest when the risk acceptance
criterion selected or, as is more often the case, imposed by the regulator, includes an
aversion to potential incidents that would result in, say, more than ten fatalities.
Within the PETRONAS Group of Companies the policy is to adopt risk aversion
criteria that give equal weight to single as well as multiple potential fatalities.
A quantity relating to the Cumulative Frequency Graph is the so-called Group Risk,
the frequency that N or more persons will sustain a given level of harm from a
defined source of hazard(s). When Group Risk is used in the context of the public
(rather than to the workforce) the term Societal Risk is sometimes used. It is
important to note that Group Risk refers to the actual people exposed, not to the
hypothetical group of people assumed to be permanently present at a particular
location when constructing risk contours.
F/N plots, Cumulative Frequency Graphs and, hence, Group Risks are obtained by
adding the frequencies of a number of consequence scenarios (after sorting on
numbers of fatalities per scenario). Table 4.1 gives an example of the data and
calculations required to plot the Cumulative Frequency Graph shown in Figure 4.3.
The calculated cumulative frequency points are often connected so that a more linear
plot is obtained rather than the stepped plot of Figure 4.3.
In another example, such as that shown in Figure 4.4b, it is not possible to compare
the options.
Figure 4.4b shows the risk to personnel for several offshore oilfield development
options. One graph represents a rather simple option with relatively few safety
features. Another represents an option with extensive additional features. Whilst the
latter reduces the likelihood of major accidents, the likelihood of small accidents is
increased as more personnel are needed offshore to operate and maintain the extra
equipment. Consequently the two graphs cross.
The less experienced reviewer of QRA results generally finds the cumulative graphs
rather confusing and at times even experienced analysts will draw wrong conclusions
from them. It is therefore recommended to avoid this form of presentation. The main
use of the cumulative frequency graph is probably to satisfy the requirement of some
regulators. Authorities use the graphs of risk to the public (off-site risk) to assist in
the planning of their emergency services (e.g. maximum likely number of
ambulances, hospital beds, etc).
Both risk contours and cumulative frequency graphs are mainly used to present risk
to the public. Risk to employees is recommended to be presented in bar chart form as
individual risk and potential loss of life as discussed below.
If we assume that the scenarios in Table 4.1 represent all major incident scenarios for
a particular operation, the potential for loss of life can be calculated as:
The potential loss of life from major incidents for an operation lasting 10 years is
thus 4.8 lives.
In cases where it is essential to take the size of the incident into account the potential
loss for each range of fatalities can be displayed. In Figure 4.5 such a presentation is
made for the three development options given in Figure 4.4b. Note the clear
difference between the various options; this is hardly visible in Figure 4.4b.
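The cumulative frequency (F/N) construction, the PLL summation and the PLL-per-fatality-range view discussed in this chapter, as an added Python example that is not part of the standard. The two option data sets are constructed for illustration and do not reproduce Table 4.1 or Figure 4.4b; they are chosen so that the cumulative curves cross while the banded PLL still separates the options.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    name: str
    frequency: float  # F: occurrences per year
    fatalities: int   # C: fatalities per occurrence


# Constructed data: a simple option with few safety features ...
SIMPLE = [
    Outcome("small incident", 2e-2, 1),
    Outcome("medium incident", 5e-3, 4),
    Outcome("major incident", 1e-3, 20),
    Outcome("catastrophic incident", 2e-4, 50),
]
# ... and one with extensive features: fewer major accidents, but more small
# ones because more personnel are needed to operate and maintain the equipment.
EXTENSIVE = [
    Outcome("small incident", 4e-2, 1),
    Outcome("medium incident", 2e-3, 4),
    Outcome("major incident", 2e-4, 20),
    Outcome("catastrophic incident", 2e-5, 50),
]
# Fatality ranges for the banded view; None means no upper limit.
BANDS = [(1, 1), (2, 10), (11, None)]


def potential_loss_of_life(outcomes, years=1.0):
    """PLL: sum of frequency x consequence over all outcomes, times the duration."""
    return years * sum(o.frequency * o.fatalities for o in outcomes)


def frequency_of_n_or_more(outcomes, n):
    """Cumulative frequency of outcomes with N or more fatalities."""
    return sum(o.frequency for o in outcomes if o.fatalities >= n)


def cumulative_fn(outcomes):
    """Sort on fatalities, then add frequencies from the largest N downwards."""
    by_n = {}
    for o in outcomes:
        by_n[o.fatalities] = by_n.get(o.fatalities, 0.0) + o.frequency
    points, running = [], 0.0
    for n in sorted(by_n, reverse=True):
        running += by_n[n]
        points.append((n, running))
    return points[::-1]  # ascending N, ready to plot as a stepped curve


def curves_cross(a, b):
    """True if neither option has the lower cumulative frequency at every N."""
    signs = set()
    for n in sorted({o.fatalities for o in a} | {o.fatalities for o in b}):
        diff = frequency_of_n_or_more(a, n) - frequency_of_n_or_more(b, n)
        if diff:
            signs.add(diff > 0)
    return len(signs) == 2


def pll_by_band(outcomes, bands=BANDS, years=1.0):
    """PLL split by range of fatalities per outcome; the bands sum to the overall PLL."""
    return {
        (low, high): years * sum(
            o.frequency * o.fatalities
            for o in outcomes
            if o.fatalities >= low and (high is None or o.fatalities <= high)
        )
        for low, high in bands
    }


if __name__ == "__main__":
    for label, option in (("simple", SIMPLE), ("extensive", EXTENSIVE)):
        print(label, "F/N points:", cumulative_fn(option))
        print(label, "PLL over 10 years by band:", pll_by_band(option, years=10))
    print("cumulative curves cross:", curves_cross(SIMPLE, EXTENSIVE))
```
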
Figure 4.5 Recommended form for presentation of potential loss of life where the
number of potential fatalities per outcome are grouped
The same type of bar chart can be used to highlight other aspects of the risk makeup.
For instance, it may be important to highlight the relative contributions of major,
transport and small work-related risk.
Whichever aspects of risk are highlighted, the end of the bars gives the same single
number, the overall PLL. This number is usually the PLL over all project phases and
all types of incidents, although, for specific studies, it may be limited to a single
project phase and to a single year in order to focus on a particular high risk source.
An example of a presentation of the overall PLL is given in Figure 4.6 which shows
the PLL split into types of risk.
Figure 4.6 Recommended form for presentation of overall potential loss of life
The PLL should be seen as a measure to compare the relative degree of 'safety'
expressed as potential loss of life for different developments. It cannot be used to
compare the degree of risks of different projects (see also 5.2). A further discussion
on the use of the various presentation forms is given in Chapter 5.
Within the PETRONAS Group of Companies the term 'individual risk' is most often
used to present the risk to company and contractor individuals during their time spent
at work (this being the period when the company is able to bring influence to prevail
on the safety of the individual). Sometimes referred to as 'occupational risk' this type
of risk is also labelled Individual Risk (of death) Per Annum (IRPA).
IRPA is the probability that an individual is killed in any one calendar year by a
particular set of hazards. In literature this risk is expressed in many different ways, e.g.
annual risk of death, death rate, individual risk of death or individual risk, fatality
risk, etc. In practice, individuals can invariably be assigned to groups of people with
similar jobs, work patterns and exposure (for example, drilling crews and
maintenance).
The individual risk calculation takes account of the fact that people move from one
place to another.
As was shown in 3.3, the risk of particular activities can also be expressed in the Fatal
Accident Rate (FAR). FAR is defined as the potential number of fatalities in a group
of people exposed for a specific time to the activity in question. In the PETRONAS
Group of Companies, the FAR is used as the number of fatalities per 100 million
exposure hours.
In addition to providing estimates of risk to the public (refer to 4.1), risk contours are
sometimes used to estimate the risk to individuals (company and contractor) who are
involved in the company's activities.
The contours in Figure 4.8 for hazards 'A' and 'B' are used to explain the relation
between these contours, FAR and individual risk. In this example the risk is
calculated for a person working 200 days per year near the hazards. Per working day,
he spends one hour at location X and seven hours at location Y. The remainder of his
time is spent at location Z. It is assumed in the calculations that buildings and
obstacles do not provide protection against the hazards.
Statistics covering a large group of people are often used to derive numbers for risk
to a certain individual. This only has a meaning if all persons have a similar degree of
exposure to the risks considered.
In the example given in 4.5, for instance, one could also consider the risk of all other
people working on the same site. If most of them work more remotely from the
sources of hazard, the average occupational risk for the other individuals is lower
than that for the person in the example. Risk acceptability considerations are
therefore often based on the person(s) that is (are) most at risk. Two examples of
published statistics, where confusion is created by averaging over large groups, are
given below:
In a text book on Loss Prevention the annual risk of death from floods in The
Netherlands is listed as 1 per 10 million. This figure seems to be based on the
expected annual number of fatalities divided by the entire population of The
Netherlands. As only a limited number of people are at risk (many parts of The
Netherlands will never flood) the individual risk for people living in the low parts of
the Netherlands is estimated to be a factor 100 greater than quoted.
In a paper on risk to the public from the chemical industry the number of fatalities
over the past years caused by this industry in Europe is divided by the entire
population of Europe. This yields a conveniently low annual risk of death to the
individual of 1.6 per 10 million. However, many people will not be exposed to this
risk while people living in the vicinity of chemical industries will be subjected to an
annual risk, which is orders of magnitude higher.
Monetary risk can be presented as the probability of a particular loss (or range of
losses) occurring in a given period. The magnitude of the loss can be very important
as it may threaten the continuation of the business. This may be particularly relevant
for small companies. For the larger PETRONAS OPUs, it is difficult to envisage an
incident scenario with such high losses that the company would not be able to absorb
them. The Net Present Value (NPV) of the potential loss is therefore more relevant.
For a detailed description of discounting techniques reference is made to
PETRONAS Training manuals.
This makes it possible to perform a simple discounted cash flow analysis on a 'before
tax' basis and, where appropriate, on the more complex 'after tax' basis. As an
illustration the effect on the cash flow of the implementation of additional risk
reducing means is shown in Figure 4.9 below. In order to make a realistic comparison
it is essential that all changes in the cash flow of the various options are considered.
In the first year there will be a significant capital expenditure for implementing the
means. Assuming that the measure is effective from the second year onwards the
Capex in this year should be lower (usually negative) to reflect the fact that capital
losses are reduced by the risk reducing means. The decrease is given by:
where:
The Opex is increased in order to reflect the cost of maintaining the risk reducing
means.
The revenues increase as the production losses decrease. The loss reduction can again
be calculated with the above formula. It is important, depending on the length of the
project, to determine whether production losses are deferred (to be recovered later) or
'lost' (impossible to recover) so that the correct monetary value can be assigned to
them.
The effect on the overall cash flow depends on the relative magnitude of the
variations in Capex, Opex and Revenues.
The NPV of the implementation of the additional safety means can now be derived
by discounting the cash flows of the projects before and after implementation.
Alternatively the implementation can be seen as an incremental project and the
incremental cash flow can be discounted.
The discount rate to be used in this type of evaluation is open for debate. The
minimum rate to be used is the net interest that can be obtained for a risk free
investment. Other possibilities are to use the average rate of return on investments in
the company or the normal project screening rate. The latter one is usually higher
than the other rates. This makes it unattractive to invest in risk reducing means as the
future benefits are heavily discounted. Potential measures to reduce risk may be seen
as an optimisation exercise.
The total damage to the environment from accidental spills and emissions is difficult
to quantify. However, some aspects such as the costs of clean up, compensation
claims and fines for spills can be estimated and should be included in the cost
estimates of the consequences. Models are under development for the ranking of
relative environmental effects. PETRONAS CHSE should be consulted for further
advice. A number of smaller incidents over a long time period do not necessarily
have the same effect as a single large incident.
Incidents which could result in large loss of life, environmental impact and/or assets
are likely to incur indirect, less tangible as well as direct consequences. These less
tangible consequences could include:
• loss of reputation and business for both the Opco and for the Group.
• taxes
If these are not taken into account in the risk assessment, then it is possible that gross
under-estimation of the potential consequences could occur leading to non-optimal
decisions. Specialist advice may need to be sought on how best to address these
issues within the QRA.
In the studies on the tolerability of risk a distinction is made between voluntary risk,
for example from leisure time activities, risk from natural hazards such as storms,
floods and earthquakes, risk from terminal diseases and work-related risk. Digesting
all this information, one readily comes to the conclusion that the workplace often does
not present the highest risk to an individual.
The company is concerned about some of our employees being involved in hazardous
recreational and household activities and having unhealthy habits. Employees are
encouraged to live in a healthier and more safety-conscious manner, but the company has no
right or wish to interfere with their private lives. Also, the company cannot divert
natural disasters. The discussion will therefore concentrate on the risk to people from
their daily work. This is the area where the company is responsible for controlling the
risk.
commonly about one in a million. It might, in some circumstances, be ten times less
and an annual risk ten times as great in travelling by train does not cause the ordinary
traveller any concern.'
A more recent publication (Ref. 10) (December 1987) by the UK Health and Safety
Executive on the tolerability of risk from nuclear power stations deals also with
general risk acceptance criteria. They present the following table:
Table 5.1 Levels of fatal risk (UK, average figures, approximated) per annum
In the discussion on tolerable risks the UK HSE OSD concludes for workers:
'Broadly, a risk of death of 1 in 1000 per annum is about the most that is ordinarily
accepted under modern conditions for workers in the UK (see Table 5.1) and it seems
reasonable to adopt it as the dividing line between what is just tolerable and what is
intolerable.'
and:
'...we must now consider what might be a broadly acceptable risk to an individual of
dying from some particular cause, i.e. what is the level of risk below which, so long
as precautions are maintained, it would not be reasonable to insist on expensive
further improvements to standards. This level might be taken to be 1 in a million per
annum bearing in mind the very small addition this would involve to the ordinary
risks of life.'
The above views on individual risk to workers are recommended as guidance for the
assessment of acceptability of risk. The views on risk to the public seem more
appropriate for a regulatory body than for PETRONAS. The benefits to members of
the public from PETRONAS Group of Companies' activities that expose them to risk
are very limited. In general it can be stated that risk without benefit is not acceptable.
A further discussion on risk to members of the public is given in 5.3.
The individual risk levels for workers mentioned above usually lead to a 'risk region
approach' (see Figure 5.1). In the lower region the risk is considered negligible
provided normal precautions are maintained (individual risk of death less than 1 in a
million per annum); many areas can be found in the Oil and Gas and Petrochemical
operations where money can be spent more effectively to improve safety. The upper
region (annual risk greater than 1 in 1000) represents an intolerable risk level. In the
area in-between, the so called ALARP region, decisions will have to be based on a
balance between business and safety objectives. A further narrowing of this band
follows from PETRONAS's declared objective to be among the leaders in the
industry in HSE.
The average individual fatality risk per annum from work-related incidents,
calculated from actual fatalities and exposure hours over the years 1989 to 1993, is
given in Table 5.2. The level of risk over this period has not changed significantly
compared to the period 1985 to 1989.
Table 5.2 Average Individual Fatality Risk in PETRONAS per year from work
related incidents (to be replaced with new info)
The average individual risk has been estimated from (n x 1760)/h where n equals
number of fatalities in period, h equals number of man-hours worked in period and
1760 is the approximate number of man-hours worked per man year.
The figures represent averages over a large group; within each of the groups there
will be people with higher or lower risk than this average. Figure 5.2 provides a
The fatal incident data, in combination with the statements by management, provide a
clear indication that work related individual risk in the range of 1 fatality in 1000
man-years to 1 fatality in 10,000 man-years is considered too high.
In the area in-between negligible and intolerable a decision on the most appropriate
way to proceed can only be made when all alternative ways to perform the activity
have been considered. Specific features of the alternatives such as their effectiveness
to improve safety, economic viability, effects on future business and image, etc
should be considered in the decision making process. A yardstick to measure cost
effectiveness of safety measures is given in 5.5.
Relatively high risk levels may be tolerated if effective alternatives to operate more
safely cannot be identified.
Reduction of risk to negligible levels, or even below this, may be desirable if the cost
is low and if the risk reduction measure provides the only safeguard against a certain
hazard.
The level of risk considered tolerable in the middle band where the balance has to be
made up, depends to a certain extent on the degree of difficulty to make further
improvements. This is reflected in the often quoted ALARP principle; any risk must
be reduced so far as reasonably practicable or to a level which is 'as low as
reasonably practicable' (ALARP) (see also 5.6).
'Catastrophic accidents, killing or injuring many people as the result of one event,
have little influence on the level of individual risk but have a disproportionate effect
on the response of society. There is a clear desire to ensure that large accidents have
a more than proportionately lower probability than small ones but firm
relationships between size and probability have yet to emerge as indicators either of
unacceptability or of triviality'.
The above mentioned desire seems justified when it concerns risk to large groups of
members of the public. In PETRONAS Group of Companies’ operations, the people
at risk are usually restricted to the workers while the number of fatalities from one
incident may be small (or strictly limited to the workforce). Furthermore, the
managements of PETRONAS Group of Companies are not only driven by the
response of the society (and the press), but also by the responsibility assumed for
employees and their relatives. Several smaller incidents (say 10 incidents with 1
fatality each) may therefore receive similar attention as one larger incident (e.g. 1
incident with 10 fatalities).
The perception of risk by the public may differ drastically from those of a company
or regulatory body. Although a risk level of 1 in a million per annum may be
acceptable to the public in general, the exposed persons may find it totally
unacceptable. For example the calculated risk to the public from a H2S release at a
specific distance still means that if there is a release under stable weather conditions
and the wind is in their direction they can be killed instantly. The maximum effect
distance may therefore in many cases be a more suitable yardstick, i.e. ensure that the
distance to the public is such that they can never be injured permanently. Individual
risk to members of the public may have to be considered if this is impossible.
The criterion mentioned by the UK Health and Safety Executive for tolerability of
risk to the public of 1 in 10,000 (see 5.1) is not consistent with our own criteria for
personnel. As stated above, this level is considered too high for PETRONAS
personnel. The appropriate upper figure for the public at large that does not receive
direct benefits from the operations of PETRONAS Group of Companies should be
set lower, e.g. 1 fatality per 100,000 or 1,000,000 exposed people per year. In order
to set the level of risk to the public which might be considered negligible it should be
realised that the public at large probably expects a better performance from
PETRONAS than from a small company. Conversely, PETRONAS Group of
Companies want to protect themselves from undue criticism by the public. Further, it
can be expected that a major incident in a similar operation in any part of the world
will change the views of the public: initially tolerable risk levels may then become
totally unacceptable. For these reasons it is suggested to set the 'negligible' level of
risk to the public at one fatality per 100 million exposed people per year.
5.4 LEGISLATION
Safety legislation has changed over the years, the changes being accelerated as a
result of public enquiries into several major incidents. Offshore the main incidents
affecting legislation have been the capsize of the Sea Gem jack-up in December 1965
(UK), Ekofisk Bravo blowout in April 1977 (Norway), capsize of the Alexander
Kielland semi-submersible in March 1980 (Norway), sinking of the Ocean Ranger in
February 1982 (Canada) and the Piper Alpha disaster in July 1988 (UK). Onshore,
the incidents having the largest impact on regulations have been the Flixborough
explosion in June 1974 (UK) and the Seveso toxic chemical release in July 1976
(Italy) and the Bhopal incident in December 1984 (India).
Since Piper Alpha, there has been an increasing trend amongst governments and
regulatory bodies towards self-regulation and goal setting rather than prescriptive
legislation. This approach requires companies to think through safety problems by
identifying hazards and methods for their prevention and mitigation and encourages
innovation. There are still, however, wide differences in approach and pace of
change.
QRA enables a better understanding of the relative risks associated with options
being considered. Where risk is measured in terms of potential loss of life, perhaps in
combination with individual risk, then a measure of the relative safety of each option
is derived. Each option will also have an economic value attached to it. When the
safest option is much more expensive than the less safe option it is necessary to
gauge the relative worth of each. While no amount of money can compensate for the
loss of life it would be unrealistic to assume that an investment aimed at the potential
reduction of loss of life must be made regardless of the size of that investment.
Implicit in such evaluations is the fact that one is gauging the relative costs to avert a
potential fatality as the logic applied is:
Cost of measures = Potential saving of life x Cost per potential life saved.
The cost per potential life saved is referred to as Implied Cost to Avert a Fatality,
ICAF.
Discussion on this subject can be emotive and care must be taken to provide a
detailed explanation as to why it is necessary to venture into this seemingly sensitive
area of option evaluation. Experience within the group is that derivation of ICAF
achieves not only a ranking of improvement options but also provides a spur to the
creative development of yet safer and more economic options.
The assessment of value shows widely differing figures varying from US $100 per
life saved by vaccination programmes in Third World countries to well over US $10
million per life saved in certain risky professions. Extensive information on this
subject can be found in Data Sheet 53 (Ref. 11). The data sheet shows that there is in
general a willingness to pay more to avert a fatality when the individual risk is high,
than when the risk is low. Examples are given in Table 5.3 below.
Table 5.3 Money spent (in US $'000) to save one human life
Some companies use the cost for avoidance of a fatality as a basic criterion.
However, they only apply it if the risk to personnel is below a specific threshold
value, e.g. probability of an incident with 1-5 fatalities should be less than 1 in
10,000. Values between £300,000 and £2 million to avert a fatality are mentioned
(Ref. 12).
PETRONAS Group of Companies do not express the value of life in monetary terms.
QRAs usually lead to clear recommendations without this valuation. Also, for risk
In cases where the cost to avert a fatality seems prohibitive it should be verified
whether all hazards and all incident types have been considered. Dependent on the
cost of labour and the fatal accident rate for the specific type of activity a potential
loss of 1 fatality per US $50 to 100 million expenditure in the Oil and Gas and
Petrochemical industries is estimated. In other words: it is difficult to justify
expenditure of more than this amount per fatality averted as this would only result in
a shift of the risk to another location.
For expensive safety measures it is therefore suggested to calculate the cost to avert a
fatality. However, if high values are found this should not necessarily lead to
acceptance of the status quo. It should be used as a stimulus to develop more
innovative and cost effective safety measures.
The use of the cost to avert a fatality as a rigid and absolute yardstick should be
avoided. There is no amount of money that can compensate for the loss of life.
The table below provides some guidance to using the cost to avert a fatality in
decision making; however, its use shall always be preceded by careful explanations
as highlighted in this chapter.
As discussed above, for operations which have risk levels in the tolerable area
between intolerable and negligible, it is necessary to ensure that risk levels have been
reduced to ALARP (as low as reasonably practicable). A hierarchy of evidence from
qualitative to quantitative can be used to demonstrate that ALARP has been achieved
as listed below (Refs. 10, 13 and 14):
• Engineering judgement
• QRA
All these approaches can be used to support decisions regarding the need for both
minor and major improvements. For example, under 'engineering judgement' for well
understood problems, existing codes and standards and previous experience will
usually be sufficient to demonstrate the safety of a particular design. Where there is
an installation which essentially mirrors another on which a recent analysis has
demonstrated ALARP, there should be no need to repeat the detailed analysis for the
second installation. Consequence analysis has sometimes been used as a means to
establish whether or not an event of significant consequence can occur for the
situation under review. For instance, a riser failure consequence analysis alone may
show that under no circumstances will a jet fire give rise to failure of the temporary
refuge, the installation structure or be a source of escalation to other significant
hydrocarbon inventories. This alone should be sufficient to demonstrate that the
current system is ALARP in this example.
For cases which are not so straightforward, QRA will be required to assist in the
demonstration of ALARP. In cases where the cost differences between the options are
low, or where the least risk option is also the most attractive for other reasons
(economics, etc), and it can be shown that all technically feasible options have been
studied, then the QRA study itself will be sufficient to demonstrate ALARP. All of
the options considered should, of course, be documented. However, in cases where
the least risk option is very expensive, some form of cost benefit analysis will be
necessary to demonstrate that ALARP has been achieved (see 5.5).
In this example, options for modification to the facilities layout are being studied and
their effect on PLL plotted. For this particular example, more of the options have a
bearing on the PLL due to immediate hydrocarbon release, small work and
helicopter-related events. Such a plot provides an overview of the overall benefits per
option.
Figure 5.4 Demonstration of ALARP by ranking PLL of options and plotting cost
of further risk reduction
This plot provides an overview of the incremental costs for incremental benefits in
PLL. The ICAF per option can be readily calculated and plotted as shown in Figure
5.5.
Note: The 'as is' situation is used as the basis.
This plot may be necessary to show the reduction in IRPA for each option. This is
particularly useful when the IRPA levels for certain groups are felt to be in or near the intolerable region.
The following summarises the action to be taken dependent on the level of individual
risk (IRPA) to the most exposed workers:
Review of the results of the previous steps will identify the main contributors to the
overall risk. Measures to reduce the overall risk can be developed and their
effectiveness can be analysed. QRA thus assists in the identification of new
alternatives. These can then be assessed together with the alternatives considered
from the outset of the study, resulting in an indication of the relative safety and cost
effectiveness of the alternatives.
Validity and accuracy of QRA results are usually not questioned in studies where
cost effective safety improvements are found and when the conclusions agree with
sound engineering judgement. However, when the safest option can only be achieved
at considerable expense the QRA results are questioned. A further discussion on the
applicability of QRA results is therefore given in the following paragraphs of this
chapter.
if ambitious targets reduce, possibly even eliminate seem impossible to meet; strict
management and control of the operation can eliminate incidents.
Most, if not all, incidents in the Oil and Gas and Petrochemical industries are not
only the result of technical failure but of a combination of human errors, coincidence
of events and circumstances, and equipment failure (all of which can be tolerable
when occurring in isolation). Human error also plays a key role in equipment failure,
e.g. errors during specification, design, fabrication, installation, etc. It is further noted
that major incidents may have similar causes as minor 'trivial' incidents.
A number of areas have been identified where human factor aspects need to be
addressed in QRA and related studies. These include incident initiation and
mitigation and escape, evacuation and rescue. Where these areas are modelled in the
QRA, they should be investigated to identify if there are any hazards which are only
prevented from becoming significant risks by procedural and software measures.
Where there is potential for escalation as a result of human action or non-action and
this is safety critical, these activities should be identified and assessed such that risks
associated with human failures are ALARP. Quantitative analysis should only be
done if qualitative analysis does not satisfactorily resolve such aspects.
Probabilistic data obtained from experts has the same problem. They are usually
based on experiences gathered under different circumstances and also need careful
review.
The accuracy of the probabilistic estimates also depends on the population size from
which the statistics are drawn. Data on frequent occurrences usually results in more
accurate estimates than data on rare events. The calculated risk from major incidents
with a low probability is therefore in principle less accurate than the risk from small
work and transport related incidents calculated from FARs and exposure hours.
However, it should be mentioned that there is much room for improvement in the
available FAR data.
Errors of much more than one order of magnitude can occur due to errors and
omissions in the fault- and event-tree analysis. In particular erroneous assumptions
regarding the mutual dependence of events can result in errors of two or three orders
of magnitude (Examples of this are given in Appendix II.). A competent risk analyst
can avoid these errors. Omission of particular events that affect the development of an
incident can only be identified by experts who are fully familiar with the type of
operation. Efficient co-operation between various groups of experts is a prerequisite
for meaningful risk assessment.
• the effects of safety devices on production availability (e.g. shutdowns for testing,
reduced loss due to prevention of escalation of incidents)
Not all of these factors can be fully quantified. A rough estimate by experts may be
required in some instances to account for some of them, however, this is likely to be
better than ignoring them.
The results of a well documented QRA covering the right scope, both in level of
detail and width of the analysis, can be used to arrive at cost effective safety
measures and a preferred development alternative.
In this process the accuracy of the results should always be taken into account and
creativeness in presenting and interpreting the results is required. For example, the
results can be put in an overall context by comparing the calculated individual risk
numbers with those of similar industries or past PETRONAS’ experience.
Reductions or increases in risk can be compared with the risk contribution from other
recognisable hazards, e.g. a reduction of blowout risk on an offshore platform could
be compared with the risk reduction from elimination of all helicopter flying or a 5
minute reduction of the helicopter flying time.
QRA will identify the main risk contributors to the overall potential for loss of life
and individual risk for groups of persons. This can best be done by first analysing
these losses in the format suggested in Figures 4.3 and 4.4 in which the various risk
contributors are shown.
Event Trees and Fault Trees may have to be analysed in more detail if the main risk
contribution comes from a major incident scenario. It is usually found that only very
few major incident scenarios contribute significantly to the overall loss. Considering
the various probabilities in the paths of the incident scenarios will make it clear
which of these could change the risk contribution. Safety measures can then be
developed that would affect either the event probabilities or the consequences. With
these measures new development alternatives can be engineered and analysed. The
floating oil platform development example in Appendix IV illustrates the above
process.
When comparing alternative ways of performing an activity which does not involve
members of the public it is recommended to use the following quantitative
yardsticks:
• the overall potential loss of life over all relevant project phases and incident types
• the project Net Present Value (NPV) taking into account Capex, Opex and
Revenues; this can be given on an incremental basis relative to the base case.
For the individual risk both the level of risk in the base case (varying from intolerable
to negligible) and the change (increase or decrease relative to base case) should be
considered. For the potential loss of life and the project NPV the absolute levels in
the base case are less relevant (assuming that project screening criteria are met). The
cost to avert a fatality should also be seen as a measure of effectiveness to compare
alternatives.
Detailed guidelines on the ranking of the yardsticks cannot be given as each situation
is different. Fortunately, for most comparisons the situation is quite clear when all
yardsticks have been considered. Chapter 5 provides the necessary guidelines.
In general it will be found from the QRA results that the individual risk is high and
nowhere near a negligible risk.
The most difficult decisions for the analyst are those where the various yardsticks
show trends in different directions. For instance, one option may show a higher PLL
but lower individual risks than for an alternative option. In these cases, the first
approach is to try to find a solution whereby both PLL and individual risk are
minimised. If this is unsuccessful, then additional, often more subjective, information
may have to be used to arrive at a recommendation. Additional information that may
be useful is:
If everything else remains the same the option with a smaller size of maximum
incident is preferred.
The final evaluation of QRA results may require input from management to interpret
the Company safety policy and the socio-political circumstances. Although QRA
provides transparency, in the form of documented and numeric material to assist
decision making, the decision is not made by QRA. The prime objective of QRA
should not be to force a decision but to highlight how the main risk contributors
affect the comparison and how these insights can be used to further develop
alternatives where all yardsticks show a positive trend (i.e. improved economics,
lower potential loss of life, lower individual risk and lower cost to avert a fatality).
The QRA results can also be used to increase awareness of the operator of the
facilities. Awareness of hazards, potential hazardous events and information on
scenario-based escalation combined with suitable information for avoidance, and
exercises to train emergency response to avoid escalation can considerably lower the
risk incurred.
QRA can be used as a means to communicate risks to authorities and the public. The
yardsticks mentioned in 6.5.2 are hardly relevant when evaluating risks to the public.
The probabilistic concept is difficult to convey to the public and the fact that a
particular scenario can happen may be more important than its probability. A recent
incident in a similar operation may also have a strong impact on the risk perception
of public and press. For new installations it is recommended to search for designs
that avoid overlap of the maximum effect distance and areas with continued presence
of members of the public (see also 5.3).
A properly performed QRA would arrive at the same conclusions, however, this
would take more time.
Therefore, when a large number of situations has to be analysed it can in many cases
be advantageous to precede the QRA by a consequence analysis. This may filter out
the cases where a full QRA would not add additional information.
This chapter provides practical guidance for the performance of a QRA study, either
internally or by a consultant. It addresses the need for a QRA study, its timing, the
setting of objectives and the definition of the workscope. Duration and personnel to
be involved are also discussed.
The objectives of QRA studies are usually different for the various project phases. In
all cases the main objective should be to reduce risk rather than purely estimate risk
levels. For all QRA work it is important to assess in advance how the results of the
QRA study will be used. It may be concluded in some cases that a QRA will not
assist in furthering the project or improving its safety, in which case there would be
little point in carrying out the study unless it was a legal requirement.
• as an aid to communication with the workforce and third parties regarding their
impact on risk and their exposure to risk
• to indicate whether or not risks are tolerable (but this should never be the sole
objective)
• in order to comply with legislation and company policy (and only then when the
need for QRA is appropriate and justified).
Guidance is given below which addresses when QRA is likely to be of benefit and
when it is not. Each individual case should be treated on its merits.
QRAs can be performed in all project phases of a development, however, the scope
for identification of effective safety improvements and the implementation thereof is
greatest during project identification and conceptual design phases. In some cases
this may be during the prospect stage if for instance novel technology is used. It is
considered that QRA studies should be carried out on all projects onshore or offshore
for which several options have been identified which are considered to have
significantly different risks.
Examples of safety aspects that can be addressed during the earliest project phases
are:
• drilling of sour gas wells in clusters or spread out over a populated area
The QRA objectives during these early stages are to identify major risk contributors
and effective safety measures and to aid in the selection of the best alternative from a
safety, operational and economic point of view. Usually these two objectives cannot
be clearly separated; identification of possible improvements will lead to comparison
of alternatives to establish the measure of improvement. Conversely, when
comparing alternatives it is normal that further effective safety measures are
identified (leading to new alternatives to be evaluated). It is therefore recommended
to set the double objective of 'identification' and 'comparison'.
Initial 'coarse' QRA work should be designed such that it can be conveniently
developed to a detailed QRA later.
During the project definition phase a more detailed risk assessment may be required:
• to assist with final major decision making with respect to design options; and
At the end of detailed engineering, i.e. when all optimisation has been completed, the
risk assessment is issued in the form of a final report for input to the HSE Case. This
• all offshore permanently manned installations, unless the layout is so well spaced
out that the workforce is for the majority of the time outside the maximum effect
area of the high pressure hydrocarbon production/ process facilities and the risk
of escalation is considered to be negligible.
• onshore plants, where the public is within the maximum effect area and / or
where the plant is complex and the storage and processing equipment cannot be
spaced so as to minimise the risk of escalation.
• studies to compare transport and manning philosophy options if the option under
development has significantly different operating philosophies to those
considered during the comparative QRA in the project identification phase.
The maximum effect area is defined as the area within which there is a potential for
loss of life or injury as a consequence of any credible hazardous event, regardless of
its probability.
Operations Phase
• Existing facilities
A QRA study should be carried out on any facility, operation or activity which is
considered to be safety-critical and for which there are doubts as to whether or not
the risks have been reduced to ALARP. A QRA study would assist in the
identification of high risk areas, the ranking of risk reduction measures and identify
the need for modifying the operating philosophy, e.g. Manual of Permitted
Operations (MOPO).
Sometimes attempts are made to evaluate whether an existing situation, which is not
fully in line with standards and sound practices, is 'acceptably safe'. This (mis)use of
QRA to justify deviations from effective and applicable standards and sound
practices should be avoided. If the cost of compliance with standards and sound
practices is prohibitive whilst the standards are not really applicable for the case
considered, QRA could be used to assess the risks of a deviation and help decide
whether or not such a deviation is ALARP (see also 2.2).
A QRA study should be carried out when plant modifications are planned which will
result in significant risks during construction and/or which are expected to
significantly increase the risk level during operations. The need for an additional or
revalidated risk assessment at the time of proposed upgrades or refurbishments has to
be considered. In cases where the proposals are viewed as having a minimal impact
on safety, no additional work will be necessary, but for some modifications the
earlier risk assessment will require reviewing and additional risk assessment may be
required.
QRA would not usually be used for Not Normally Manned offshore installations and
onshore facilities, except in connection with the determination of the operating
philosophy unless:
• there are serious concerns regarding company image, licence to operate or that
the public is in permanently occupied areas within the maximum effect radius.
• it is a legal requirement
Engineers and decision makers like to use risk assessment to make the decision for
them. For this purpose they would like to see well defined acceptance criteria for risk
and a calculation resulting in one number to tell them whether their design is right or
wrong.
Several regulatory bodies also promote the use of QRA for establishing that
acceptance criteria are met. However, in general they also promote the use of QRA to
identify improvements and as a means of communication between professionals.
Although a QRA will almost always result in meaningful recommendations the use
of QRA in an absolute sense is not promoted by PETRONAS for a number of
reasons.
Firstly, the accuracy of QRA work makes the comparison of calculated numbers with
specified criteria rather meaningless. The inaccuracies are less important in
comparisons between various options analysed in a consistent manner.
Secondly, the risk of industry operations calculated in a QRA is usually in the 'too
high' area and nowhere near the 'negligible' area (see 5.1). This means that regardless
of acceptance criteria set by authorities or others, there is a need to identify further
improvements and to implement them if their cost is not prohibitive.
Expressions like 'acceptably safe' or 'an acceptable risk' are to be avoided in QRA
work scopes. Risks are never acceptable when the benefits of an activity are not
perceived to be larger than the risks. Also, a risk is never considered acceptable while
there are effective alternatives to lower the risk. If there are no further effective
alternatives it may be necessary 'to live' with the risk (see also 2.2).
• always specify the dual objective of QRA, i.e. to identify improvements and
compare alternatives
• do not use QRA to justify deviations from applicable standards and sound
practices.
The scope for a QRA should contain the steps discussed in Chapters 3 and 4. It is
suggested to address the following points in the scope of work for a QRA:
Always mention dual objective of identification of main risk contributors and the
comparison of options.
• definition of the boundaries of the development to be analysed
Ensure that comparisons are made on plans that have an equal achievement. This
usually means that a time frame has to be considered in which equal achievement
is obtained, and that within this time frame all hazards that are different for the
options to be compared will have to be evaluated.
A full list of all hazards and top events should first be made and screened by
relevant personnel to ensure that it is complete. The less significant can be
screened out on the basis of experience or a cursory analysis. HAZID and
HAZOP studies may assist this process.
This will usually be done on the basis of statistical information or by Fault Tree
Analyses. Many assumptions on the performance of people and equipment may
have to be made. All these assumptions have to be listed so that it is possible to
verify them. Ensure also that the change of physical effects over time is
considered; very often a small release of toxic or flammable fluids over a long
period of time is more hazardous than an instantaneous release of larger
quantities. Therefore the maximum assumed incident does not always result in
the worst consequences (see Appendix IV - Appropriate level of detail)
• identification of the means by which the likelihood of the top events can be
reduced or eliminated.
• careful assurance that the appropriate level of detail is used to achieve the
objectives of the study.
• development of the top events into incidents by using Event Trees (also by
simulation studies such as PLATO).
• presentation of results
Formats are specified in Chapter 4, e.g. overall potential for loss of life, individual
risk for highly exposed groups of personnel, potential for loss of assets and
production, potential for damage to the environment, cost to avert one fatality, and a
description of intangibles. Event Trees, Fault Trees and bar charts of results should
be included in the report. The bar chart should highlight the most significant risk
contributors.
These should not necessarily be limited to design changes but should also review
the possibility for changes in procedures and operational practices. Likelihood
reduction measures for the top event as well as mitigation measures should be
identified.
• sensitivity analysis
• compilation of a draft report giving full traceability of all data and assumptions
used in the assessment.
• completion of final report including all comments made by the reviewers of the
draft report.
Points to note:
• stress the need for a factual interpretation and treat consultant's conclusions and
recommendations with care.
The duration of a QRA can vary from one day involving two to three people to
several months with a team of five to ten personnel.
Although the studies with more man-hours create more paper, they do not always
increase the understanding of the main risk contributors or identify effective ways to
reduce risks. It may therefore be advantageous to start with a more cursory analysis
of a short duration and to extend the scope in width or level of detail if this does not
yield the required insights. It is most effective to perform a QRA with a small team
of say one to two men permanently with part-time assistance on specialists’ topics
such as physical effects calculations.
the design and operation of the facility or of similar facilities are indispensable in the
QRA process.
Only with their experience is it possible to identify all foreseeable hazardous events,
all relevant possibilities for the development into an incident, and develop sensible
risk-reducing alternatives. For this reason an in-house QRA is often far more
effective than one performed by an outside consultant.
The following are some indications for man-hours to perform a QRA and to report it:
• consultant studies with a similar scope as above but extended in detail: 300 to
600 man-hours
NB The 'Concept Risk Assessment Methodology' (see also 8.3.3), for which there is
a licence for Group-wide use, allows rapid coarse comparison of platform options at
the concept stage: 20 man-hours per option run (this does not include data
preparation, etc). (Further information from PETRONAS)
Note that the minimum QRA performed by a consultant is in the order of some 300
man-hours. A large portion of this will be used for familiarisation with the facilities
and their operation.
The man-hour rates for QRA consultants are considerably higher (40 to 80 percent in
1989) than for normal engineering consultants.
There is a clear need to ensure that company or contractor staff involved in the
execution of QRA studies are sufficiently competent to carry out their assigned tasks.
The degree of competency needed will depend on the nature of the study
(complexity, scale, etc) and the make-up of the study team. In this document issue no
attempt is made to establish definitively standards of competence, this will be
considered for the future. As a first step seek advice from the QRA specialists within
the OPU. Where no such QRA specialist is established PETRONAS CHSE can
provide advice. In either case PETRONAS CHSE, in consultation with other OPUs,
can obtain and provide supplementary information concerning the performance of
contractors and, if the information is available, the competence of individuals within
contracting organisations.
7.4.3 Training
Attendees of the PETRONAS Group QRA Training Course will achieve a high level
of QRA knowledge. They will gain skills sufficient to carry out a simple study and to
supervise a QRA study contract. Beyond this, skill development will be on the job
and this will be essential if larger studies are to be carried out competently.
The quantification of risks to people, assets and production makes use of information
on historical performance of equipment and systems, techniques for calculation of
physical effects from releases of dangerous substances, and methods to facilitate the
evaluation and calculation of Fault Trees, Event Trees, etc.
PETRONAS closely follows the development of such databases and tools and
evaluates their suitability. PETRONAS organises workshops, and information will be
given on the available tools and their features. The same applies to incident and
component reliability databases. Apart from monitoring developments in this field
PETRONAS has developed a data sheet system for use in QRA (Ref. 11). Appendix
III provides information on the objectives of this system, the subjects addressed in it
and the format of the data sheets.
Several databases and tools in which PETRONAS has an interest are discussed
below.
8.1 DATABASES
WOAD is a dBase III data bank containing offshore accidents that have been
published or reported. Also contains US Coast Guard data, Lloyd's, Mineral Mining
Services data bank, etc. The data bank is regularly updated (2 x per year) and
presently contains data and a short description on 1706 incidents.
A dBase III data bank and data book on reliability of offshore components and
systems. Extensions of the database and a more user-friendly access to the data are
being implemented.
For those facilities for which the hydrocarbons are the dominant source of risk, good
quality leak and ignition frequency data is essential. Without it, there is the risk of
making inappropriate investments in risk reduction measures. The E&P Forum has
taken on the task of co-ordinating a world-wide project to improve the quality of
these data. For further details of the E&P Forum Hydrocarbon Leak and Ignition
Database Project, see Ref. 15. Data collection guidelines have been distributed to
E&P Forum work group members. The software for the database was completed
in 1995 and is comparative with the UK Health and Safety Executive, Offshore
Safety Division (UK HSE-OSD) scheme.
Currently, the blowout frequencies used in QRA studies are obtained from historic
world-wide databases. These data take little account of the type of well, the way it
was drilled or the specific problems associated with the geology of the area.
Consequently, the applicability of the blowout frequencies to a specific well is
questionable. (Is this true – to be deleted)
International Tanker Owners Oil Pollution Federation maintains an oil spill database
on spills at sea which includes major facilities as well as tanker spills. Further
information via PETRONAS Marine.
FRED is a computer package for PC (XT or AT) developed by the SHELL Group
containing models for calculation of physical effects from releases of hydrocarbons
and toxic materials. The package contains the well known 'Yellow-Book' models but
also more accurate models based on research by Thornton Research Centre (TRC).
FRED is extended and updated regularly to incorporate latest research developments.
It is now available commercially.
8.2.2 HGSYSTEMS
8.2.3 SCOPE
BHEPPC is a program for PC (XT or AT) for calculation of dispersion, heat radiation
and noise level from a well blowout or breakage of a pipeline. The program has been
developed by TRC and provides extensive graphical output of dispersion, heat and
noise contours. It is planned to include BHEPPC within FRED.
The main suite of Group recommended fire, gas and explosion physical effect models
(PEMs) are contained in the computer packages FRED, HGSYSTEMS and SCOPE.
However, there are many third party PEMs on the market which are used by various
QRA consultants. A research programme has been set up to evaluate a short list of
these models in order to be able to advise on their suitability for use by OPUs. Gaps
in our knowledge regarding fire, gas and explosion physical effects processes have
been identified, ranked and a research programme firmed up. Some of the work is
carried out internally by TRC, with the remainder by JIPs (e.g. JIP Fire and
Explosion project led by the Steel Construction Industry).
8.2.6 General
Some time ago, it was recognised that the quality assurance, efficiency, consistency,
auditability, ease of updating/carrying out sensitivity studies and general user
friendliness of the computer tools needs enhancement. In view of the increasing
requirement for QRA studies to become more detailed, this need for improvement
has become even more necessary. Experiences with the use of OHRAT to date are
mixed. It is hoped that the current version (1.3) will meet the original aims. OPUs
are encouraged to use OHRAT for their QRA studies.
8.3.2 PLATO
There are several computer packages for the estimation and presentation by means of
risk contours of off-site risk or risk to the public. PETRONAS has a licence for the
SAFETI package and should be consulted on its use. (Is this true?)
8.3.5 CARA
8.3.6 ASPIN
ASPIN is a tool that offers the possibility for pipeline engineers and risk analysts to
adopt a more structured approach towards managing pipeline failure risks. ASPIN's
main objective is to assess failure risks of pipes to enable option comparisons.
In order to meet the above challenges the following tasks can be identified:
1. Develop and apply QRA as a technique for identification of cost effective safety
measures and as an aid in decision making by, for instance participating in and
steering joint industry projects for the improvement of data, physical effects
modelling and risk estimation tools.
2. Promote the use of QRA in OPUs and enhance the understanding of its merits
and shortcomings. Train PETRONAS staff in the appropriate use of QRA
through courses and workshops. One of the objectives of the training is that
major OPUs become largely self-supporting for their QRA work.
4. Ensure that insights and data obtained by one OPU are shared, as appropriate,
with the other OPUs in order to avoid duplication of work.
6. Provide ad-hoc advice to OPUs and review QRA studies on their behalf.
APPENDIX I
The history of probability shows a stimulating interplay of theory and applications. This
appendix contains the definitions of the various types of probabilities and provides a brief
description of some basic calculation rules. The following is intended only as an introduction
to key points; for further information specialist advice should be sought.
2. The probability of the 'certain' event equals 1. The probability of the 'impossible' event
equals 0.
3. The following applies for the 'NOT' relation (i.e. an event A will not occur)
* P(NOT A) = 1 - P(A)
4. For two independent events A and B the probability of combined events is obtained by
the following rules:
* P( A OR B ) = P(A) + P(B) - P(A) x P(B)
* P( A AND B) = P(A) x P(B)
5. For three independent events A, B and C the probability of combined events is obtained
by:
* P(A AND B AND C) = P(A) x P(B) x P(C)
Where, for example, the number of observations is the number of platform years or
the number of wells drilled.
The accuracy of the estimation improves with the number of observations. A measure
for the accuracy is provided by a so-called confidence interval. For example a 95 per
cent confidence interval with respect to a probability means roughly that there is 95
per cent confidence that the probability belongs to the interval. This interval can be
constructed by the following simple procedure:
• Define Q = R/N
• Define A = 2 x [Q x (1 - Q)/N]^(1/2)
• The 95 per cent confidence interval for the probability P(E) is given by:
[Q - A, Q + A]
If probabilities are assessed as long term frequencies, the use of the above type of
confidence intervals is strongly recommended as a measure of accuracy.
Subjective probability
The constant failure rate is a simple but fundamental concept in probabilistic risk
assessment studies. The formal (difficult) definition is as follows:
Failure rate is the conditional probability that a failure occurs per time unit at time t
given that no failure occurred before time t.
If it is assumed that the frequency of failures does not change with time or
equivalently that the probability of future failures is independent of the past then the
following simple definition applies:
Note that the above simple definition implies that the failure rate is a constant
indicating the number of failures per unit time. Although often used as such the
failure rate is NOT a probability.
Assuming a MTTF of 3 years the probability that a sub-surface safety valve fails
within a specified time period can be calculated. The table below shows an example:
Time (years)    P(T<t)
0               0.00
1               0.28
2               0.49
3               0.63
4               0.74
5               0.81
10              0.96
20              0.99
Note that although the MTTF is 3 years the valve may not have failed after 20 years.
There are systems which are not operating continuously but are to operate for a short
duration when required. Examples are starting up a pump, opening a safety valve,
detecting a gas cloud, etc. These systems function 'per demand'. The probability of
failure of the functional performance is called 'probability of failure on demand'.
The probability of failure on demand for a system with a failure rate f which is tested
at intervals T can be calculated by:
For the above example of a sub-surface safety valve with a MTTF of 3 years
and a test interval of three months the probability of failure on demand is:
• availability A(t) is the probability of the component or system being in its normal
state at time t
• unavailability Q(t) is the probability that the component or system is in its failed
state at time t
For components or systems which are repaired upon failure, the availability or
unavailability can be calculated as follows:
Fault Tree analysis is a common probabilistic technique applied in reliability analysis and, to
a lesser extent, risk assessment. It allows the user to concentrate on a particular system
failure, which usually gives rise to the 'top event' or 'branch event' of an Event Tree. The
Fault Tree approach, introduced in this appendix, traces back the possible causes of an
identified 'top event' or 'branch event'. This analysis is characterised by the question:
The forward analysis is the Event Tree analysis; it starts with an initiating event ('top event')
and projects possible consequences from that event. This analysis concentrates on the
question:
In general the construction of Fault Trees and Event Trees can only be achieved by relying
on the experience of those persons who are familiar with the real system under
consideration.
Fault Trees cannot take account of sequential failures or time dependency. This limits their
usefulness in risk analysis where the development of scenarios with time is important.
A Fault Tree consists of two types of building blocks: GATE symbols and EVENT symbols.
Events are represented by rectangles.
GATE symbols connect events according to their causal relations. GATES may have two or
more input events but only one output event. In this manual only two types of GATES, the
OR GATE and the AND GATE will be used. Other gates, such as the NOT gate and the
INVERSE gate are not considered.
All possible combinations of gates and events are allowed, provided the following
two conditions are satisfied:
1. The Fault Tree must have a typical tree structure, i.e. all events and gates should
converge into a single event: the top event.
2. Events are connected by gate symbols, i.e. an event is never directly connected to
another event.
Note: The text in the circles and gate symbols is used to provide a convenient label in probability calculation formulae.
Often the construction of Fault Trees is a useful exercise in itself, for it provides an insight
into the possible failure modes of sometimes rather complex systems. However, the success
of Fault Trees is mainly due to the quantitative aspects. The probability calculus associated
with AND and OR gates is a direct result of the standard ways in which probabilities can be
combined (see Appendix I). It can be used to calculate the probability of an event occurring
within a certain time interval (alternatively the frequency of such an event) or the probability
of failure on demand (unavailability).
The definition of the top event is important both for deriving the appropriate logic and the
calculus of probabilities. Care should be taken to be very precise in defining the top event,
e.g. probability of a gas detection system to fail on demand, failure of deluge system in case
of a major fire, occurrence of a fire during a one year period, etc.
The following example deals with the probability of failure on demand of a fire protection
system. The system consists of two fire water pumps, each of which could supply 100 per
cent of the required capacity, and a single deluge valve. The Top Event of interest is: 'Failure
on demand of deluge system'. It is obvious in this example that the top event occurs when
either the deluge valve fails to open or when there is no water delivered to the valve. A
further breakdown shows that pump failure, pipe rupture or pipe blockage are possible
causes for not delivering water. Failure of the deluge valve to open can be caused by failure
of the valve itself or failure to activate the valve. The Fault Tree for the above sequences of
events is shown below:
The rules for calculating the probabilities are given in Appendix I. For example, assuming
that the pumps are independent of each other and have a probability of failure on demand of
0.02, the probability of the event 'failure to pump water' is calculated as 0.0004.
P{PU1} = 0.02
P{PU2} = 0.02     --- AND ---> P{FTPW} = 0.0004
The assumption on independence of the events is essential. Very often the assumption is
incorrect. Possible links between the failures of the two pumps are:
• both pumps switched to local start because of a human failure to set switches on
automatic/remote after maintenance
If such links can be identified it is recommended to restructure the Fault Tree. An example is
given below.
The calculation can now be performed using the rules from Appendix I:
P{LOW} = 0.005
P{FUEL} = 0.004   --- OR ---> P{CMF} = 0.01

P{PU1} = 0.01
P{PU2} = 0.01     --- AND ---> P{PUMP} = 0.0001
The probability of 'failure to pump water' is now calculated as 0.0101 rather than 0.0004, i.e.
a factor 25 difference. Note that the probability of failure to pump water by switching on one
pump is still 0.02 as used in the simple tree (Figure II.3).
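The two pump trees above, evaluated with the Appendix I gate rules, as an added example that is not part of the PTS. The Event and Gate classes and the function names are assumptions made for illustration, and P{CMF} = 0.01 is used as the page gives it. The example goes one step beyond the text by flagging a basic event that reaches the top event through more than one branch, the situation in which the gate rules stop being valid.

```python
# Added example (not from the PTS): AND/OR gate calculus from Appendix I,
# applied to the fire-water pump trees discussed above.
from collections import Counter
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Event:
    """Basic event with a probability of failure on demand."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """AND/OR gate; inputs may be events or other gates."""
    name: str
    kind: str
    inputs: tuple


def probability(node):
    """Gate calculus for independent inputs (Appendix I rules)."""
    if isinstance(node, Event):
        if not 0.0 <= node.p <= 1.0:
            raise ValueError(f"{node.name}: probability out of range")
        return node.p
    values = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(values)
    if node.kind == "OR":
        # Complement of "no input occurs"; for two inputs this equals
        # P(A) + P(B) - P(A) x P(B).
        return 1.0 - prod(1.0 - v for v in values)
    raise ValueError(f"{node.name}: unsupported gate {node.kind!r}")


def repeated_events(node):
    """Names of basic events that feed the tree through more than one path."""
    counts = Counter()

    def walk(n):
        if isinstance(n, Event):
            counts[n.name] += 1
        else:
            for child in n.inputs:
                walk(child)

    walk(node)
    return sorted(name for name, c in counts.items() if c > 1)


def evaluate(top):
    """Refuse trees whose branches share a basic event, then apply the calculus."""
    shared = repeated_events(top)
    if shared:
        raise ValueError(f"branches are not independent, shared events: {shared}")
    return probability(top)


# Simple tree: two pumps assumed independent, 0.02 each.
simple = Gate("FTPW", "AND", (Event("PU1", 0.02), Event("PU2", 0.02)))

# Restructured tree: common mode failure pulled out as its own event.
# P{CMF} = 0.01 is taken as the page's figure, not recomputed from its causes.
cmf = Event("CMF", 0.01)
pump = Gate("PUMP", "AND", (Event("PU1", 0.01), Event("PU2", 0.01)))
restructured = Gate("FTPW", "OR", (cmf, pump))

# Mis-structured tree (constructed here): the common cause is hidden inside each
# pump train, so the AND gate multiplies two inputs that both contain CMF.
hidden = Gate("FTPW", "AND", (
    Gate("TRAIN1", "OR", (cmf, Event("PU1", 0.01))),
    Gate("TRAIN2", "OR", (cmf, Event("PU2", 0.01))),
))

if __name__ == "__main__":
    print(f"simple tree          {evaluate(simple):.6f}")
    print(f"restructured tree    {evaluate(restructured):.6f}")
    print(f"one pump train       {probability(hidden.inputs[0]):.4f}")
    print(f"hidden, unchecked    {probability(hidden):.6f}")
    print(f"shared basic events  {repeated_events(hidden)}")
```

Applying the gate rules blindly to the mis-structured tree gives about 0.0004 again, even though each train is correctly modelled at about 0.02; only the shared-event check shows that the AND gate's inputs are not independent.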
It will be clear from the above example that major errors can be made by ignoring
dependence of events and the so-called common mode failures. Usually the risk analyst
cannot identify all failure causes and dependencies himself. Only the experienced
operator/design engineer has knowledge of all the details and circumstances that can lead to
system failure. An experienced risk analyst can ask the right questions, develop the logical
structure and calculate results. The combination of these persons is required to perform
successfully a Fault Tree analysis.
Another example is given below with scope for even larger errors by ignoring dependencies
between events. The example concerns the calculation of dispersion of a toxic gas.
Calculations show that lethal concentrations can reach a housing area under specific weather
conditions:
The combined probability using AND gate calculus yields P = 0.0001. However, the events
are not independent: very stable weather at that location only occurs at low wind speeds
from a certain direction. Although the probabilities of the events were taken correctly from
the weather data the calculation was incorrect. The correct data can be obtained from
combined weather statistics and can be found to be in the order of 0.01, i.e. a factor 100
difference.
It will be clear from the above examples that it is essential to check on dependencies
between events in the Fault Trees. The results should especially be treated as suspect when
very low probabilities or event frequencies are calculated, e.g. of less than 1 in a million per
annum. It is very likely that events that will impact on all systems simultaneously have been
overlooked (e.g. floods, earthquakes, high winds, etc).
More information on Fault Tree analysis and tools to draw and evaluate Fault Trees can be
found in the references (see Refs. 5, 6, 7).
In QRA Fault Trees are mostly used to assess the branch probabilities in Event Trees. In
such trees all basic events shall be probabilities or unavailability.
Fault Trees are sometimes used to estimate the frequency of the top event of an Event Tree.
In such trees the basic events will be a mixture of frequencies, probabilities and
unavailability. An example of such a Fault Tree is given in Figure II.5.
GEN1 and GEN2 fail once per year and require on average 12 days repair. This information
shall be used to derive the unavailability of each of the generators:
The probability of the electrical power being unavailable can now be calculated by:
P(ELEC) = P(GEN1) x P(GEN2) = 0.001
Further:
P(PUMP) = P(DIES) x P(ELEC) = 0.0005
P(FTC) = P(DEL) + P(PUMP) - P(DEL) x P(PUMP) = 0.1
F(FIRE) = 1/year
F(SFE) = F(FIRE) x P(FTC) = 0.1/year
F(FEX) = 0.05/year
F(MF) = F(FEX) + F(SFE) = 0.15/year.
Data sheets will have a consistent content and style to help the user locate information
quickly with the least chance of misinterpretation. The data sheets have been structured as
follows:
- scope
- key data
- further data
Table III.1 Index of data sheets, QRA data (May 1992) (Ref. 11)

Index                                              01    A Formal
Introduction                                       02    A Formal

FARS - work related accident
Small work related accidents                       11    A Formal
Major accident severity                            13    A Formal

Top events
Blowout and ignition                               21    A Formal
Riser and pipeline leak and ignition               22    A Formal
Process releases and ignition                      23    A Formal
Vessel collision                                   24    A Formal
Natural hazards                                    25    Not started
Massive structural failure                         26    Not started
Accidental failures of major equipment and
secondary structures                               28    A Formal
Crane failures                                     29    A Formal

Safety systems and components
Fire and gas detection                             31    A Formal
Blow out prevention                                32    A Formal
ESD and blowdown systems                           33    A Formal
Fire protection systems                            34A   A Formal

Transport risk
Accidents on roads                                 61    A Formal
Accidents involving aircraft and helicopters       62    A Formal
Casualties to vessels and men                      63    A Formal
APPENDIX IV
Two examples are given to illustrate the principles and application of the approach outlined in
this report. A first simple example is related to helicopter operations for jungle seismic
surveys. A second example deals with offshore oil and gas operations.
To lay seismic lines in the jungle it is necessary to cut a narrow track through the jungle. In
areas of limited access it is sometimes unavoidable to use helicopters as a means of
transportation for people and supplies when carrying out seismic operations.
The helicopters are essentially used to move people and associated seismic equipment along
the line of seismic traverse. In general this requires that helipads (dimension 23 x 170 m) be
cut every 4-6 km along the line. These helipads will subsequently be used for a maximum of
forty take-offs and landings during acquisition of seismic data. The normal flight path in
such conditions is shown in Figure IV.1. The helicopter has sufficient clearance to miss the
top of the trees. However, if a twin-engined helicopter (normal practice in PETRONAS
jungle operations) loses the power of one of its engines during part of this flight path it is
possible that the climbing power is not sufficient to miss the trees while it is also impossible
to land safely. A crash into the trees is likely in such conditions.
To avoid a crash from loss of one engine during take off the Civil Aviation Authorities
require for civil operations a longer airstrip. Application of these rules for jungle seismic
would yield an airstrip with a length of 300 m. The question was therefore naturally raised
whether the size of the jungle seismic airstrips should be increased to improve the safety of
operations.
Drawing on statistics on the likelihood of failure of one engine during 4 critical seconds of
the flight path, the safety improvement per flight from a longer landing area can indeed be
demonstrated. However, the reduction in overall risk of a helicopter flight is small, of the
order of only a few percent. Considering other risks involved, the risk per kilometre of
seismic track shows the 'safety improvement' in a different light.
Figure IV.2 Potential loss of life related to helicopter operations for 100 km seismic line
in the jungle
Figure IV.2 shows the overall potential loss of life from such helicopter operation related
activities, including clearing the helicopter landing area. It can now be seen that a longer
landing area would actually increase the risk. This is partly caused by the increased potential
for accidents from clearing an additional 130 m of jungle and partly by the additional flights
that would have to be made to supply the crews clearing the next airstrip. Consideration of
all effects of a decision to change the airstrip size leads to a conclusion that differs from the
simple analysis concentrating on helicopter accidents during take-off.
The overall potential loss of life and the individual risk of death of personnel regularly
working on the platform are shown in Figures IV.3 and IV.4. ('Conventional' and 'Minimum'
respectively for the two cases described above).
Figure IV.3 Overall potential loss of life for several development options
Figure IV.4 Individual risk to regular platform personnel for several development options
The risk of a fatal accident whilst working on the platform would probably be somewhat
higher on the smaller platform as it has slightly less active safety provisions. The overall
potential loss of life for the project, from construction to abandonment, is lower because both
the number of people exposed to the hazards and their exposure time is much lower. The
individual risk for personnel, shuttling frequently to the offshore platform, is however much
higher for the smaller platform as a result of the relatively high risk associated with
helicopter flying.
The significant risk contribution from helicopter flying makes it clear that development
options involving less flying should also be considered. These options are also shown in
Figures IV.3 and IV.4. The second option from the top (Temporary Living Quarters) allows
maintenance personnel to stay on board overnight for jobs that last longer than, say, 10 hours.
The third option (Permanent Living Quarters), where a minimum crew stays on the platform
for longer periods, reduces the risk to the individual to a level that is comparable to that of
offshore workers on larger platforms. This solution leads to a lower risk to life without
putting personnel at greater individual risk than on other small platforms, i.e. it satisfies
society's and individuals' interests. Further reductions of individual risk from helicopter
flying are possible by concentrating maintenance in planned campaigns, shuttling personnel
from nearby platforms and less frequent crew changes.
The example shows that a reduction of overall risk to life does not necessarily reduce the risk
to an individual. Also in the helicopter example the risk to the individual pilot is higher for
the smaller landing area while the overall loss of life is lower. Similarly, it is found in many
cases that the number of additional accidents that may occur during fabrication, installation
and maintenance of safety devices is greater than their envisaged effect.
Erroneous conclusions can be drawn by concentrating on the overall potential loss of life as
this averages the risk over all personnel and all project phases. The example demonstrates
that individual risk provides additional insights. In the calculation of individual risk it is
important to differentiate between individuals that are most exposed to the hazards and
groups of people that are less exposed. Averaging over groups with widely differing
exposures to risks is misleading.
Significant errors can be made in QRA by simplifying assumptions such as considering the
maximum credible accident, excluding infrequent accidents from an analysis or ignoring the
effects of time during the development of accident scenarios. The following two examples
illustrate this point. However, they have a much wider bearing than this particular example.
The first example deals with a floating production development in the North Sea, producing
oil from various subsea wells and re-injecting compressed gas into other wells. The flow
lines between the floating platform and the seabed are made of flexible pipe (Figure IV.5). A
Quantitative Risk Assessment was performed to assess the risk from a leak in one of the gas
re-injection lines. To this aim the lines were divided in sections with different failure modes
or consequences, i.e. a subsea section remote from the platform, a subsea section near the
platform, a section from the connection at the pontoon to the splash zone, a splash zone
section and a deck section.
Figure IV.5 Offshore floating platform producing from subsea wells through flexible pipes
For each of these sections certain types of potential failure were identified and the likelihood
of certain hole sizes established either directly from statistical data or by using Fault Trees.
The physical effects of such releases and the possible consequences for people, assets and
production were estimated by the development of Event Trees. By multiplication of
probabilities and consequences, and summation over all Event Trees the overall potential
loss from a riser failure was established (Figure IV.6).
From this analysis it was found that one specific scenario, out of the many scenarios
developed from the Event Trees, contributed more than 90 percent to the overall risk from
riser failure. This was the scenario in which the gas jet from a medium-sized hole in the
splash zone ignited and impinged on one of the structural members of the platform. A larger
hole size would make a smaller contribution to the overall risk because the rapid
depressurisation of the line would result in such a short duration of the release that it could
not damage the structure. A smaller release hole, although 10 times more likely, could not
cause a flame of sufficient intensity to heat the structure.
Figure IV.6 Calculation of overall potential loss from a riser accident. Shading shows path
contributing 90 percent to overall potential loss
The identification of the main contributor to the overall risk, and the understanding of the
phenomena behind it, is a very important feature of QRA enabling effective safety
improvements to be developed. In this particular example safety improvements are possible
by reducing the duration of a potential release by, e.g., a blowdown valve on the platform to
rapidly depressurise the entire line or an isolation valve below the splashzone to shorten the
line section fuelling the fire. Consideration of a reasonable range of hole sizes was necessary
to identify the main risk contributor and recognise the accident scenario that could cause
disaster.
The second example illustrating the need for an appropriate level of detail is a QRA on an
installation with natural gas containing hydrogen sulphide. Calculations were performed to
establish the likelihood of a hazardous dose of hydrogen sulphide reaching outside the fence.
Detailed investigation of possible release scenarios showed that a pitting corrosion hole was
the only realistic scenario that could cause a significant release of gas. Corrosion experts
assessed a range of pitting corrosion hole sizes and estimated their likelihood.
Meteorological data for use in gas dispersion calculations were obtained from a local airport.
An initial calculation based on the most likely hole size and prevailing weather conditions
showed that a hazardous dose of hydrogen sulphide could not reach outside the fence. After a
more detailed analysis, however, it became clear that a slightly larger, but less likely, release
hole, combined with a less likely weather type could present a hazard outside the fence.
From the above examples it is concluded that the level of detail should be selected such that
it is possible to identify which combination of event size and probability contributes most to
the risk of a particular operation. This can be illustrated by a diagram in which the
probability of an event, possible consequences and potential loss are plotted as a function of
the size of an event.
Postulating a specific frequency distribution for the event size, and a curve describing the
consequences as a function of the event size the potential loss can be found by multiplication
of the values of the two curves (Figure IV.7). The potential loss curve now indicates the area
in which effective safety measures can be taken. On the left side of the curve the
consequences are too small to cause concern, regardless of the frequency. On the right side
the consequences can be dramatic but the chances are so low that it may be better to invest
elsewhere in safety improvements. Safety improvements that concentrate on the events
contributing to the peak of the expected loss curve are the most effective.
GLOSSARY
A glossary of commonly used terms in HSE is given in PTS 60.0101 HSE Management
Systems Manual.
REFERENCES
2. G.C. van der Graaf and J.P. Visser, Risk Assessment in Exploration and Production,
SIPM, Paper presented at the 6th International Symposium on Loss Prevention and
Safety Promotion in the Process Industries, Oslo, June 1989.
3. Risk Assessment, A Study Group Report, The Royal Society, ISBN 0 85403 208 8,
1983.
Methods for Determining and Processing Probabilities (The Red Book), Committee for
the Prevention of Disasters caused by dangerous substances, Edition 1, 1988.
8. Committee for the Prevention of Disasters caused by Dangerous Substances, The 'Green
Book' or 'Damage Book', Methods for the determination of possible damage to people
and objects resulting from releases of hazardous materials, First Edition 1992 CPR 16E.
10. Health and Safety Executive, The tolerability of risk from nuclear power stations,
HMSO, London, December 1987 and 1992.
11. Guidelines for Risk Assessment Data: Data Sheets, SIPM EPO/63.
12. A.B. Fleishman, M.S. Hogh, BP, The use of cost benefit analysis in evaluating the
acceptability of industrial risks - an illustrative case study, Paper presented at the 6th
International Symposium on Loss Prevention and Safety Promotion in the Process
Industries, Oslo, June 1989.
13. Paper to Offshore Safety Conference, ALARP in Practice, Shell Expro, Aberdeen, 1-2
April 1993.
14. (EA/099) Rev.2, Code of Practice Use of QRA in Shell Expro, Shell Expro, Aberdeen,
UESE/1, 1993.
15. SPE Paper 27234, Hydrocarbon Leak and Ignition Database Project, E&P Forum.