GRP3.10001 Selection of Hazard Evaluation and Risk Assessment Techniques

BP Group Recommended Practice
Group Recommended Practice
Selection of Hazard Evaluation & Risk

Assessment Techniques.
GRP 3.1-0001
This Practice will be subject to periodic review.
Issue Date July 7, 2008
Revision Date To be determined by Approver for Issue to BP
Author Mike Broadribb, Distinguished Advisor - Process Safety,

Group Safety & Operations
Content Owner Steve Flynn, Head of Discipline HSSE, Group Safety &
Operations
Maintainer Tim Kozina Director, OMS Knowledge Management
Issued By Gareth James, Head of Technical Management Systems
Approver for Issue to BP Steve Flynn, Head of Discipline HSSE, Group Safety &
Operations
1
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
Contents
Summary................................................................................................................................................ 3
1. Introduction ................................................................................................................................... 5
1.1 INTENT AND PURPOSE .................................................................................................................. 5
1.2 SCOPE AND APPLICABILITY............................................................................................................ 6
1.3 AUDITING AND COMPLIANCE ......................................................................................................... 6
1.4 ADMINISTRATION AND AUTHORISATION .......................................................................................... 7
2. The Practice Structure .................................................................................................................. 8
2.1 RECOMMENDATIONS .................................................................................................................... 8
2.2 LANGUAGE .................................................................................................................................. 8
2.3 REFERENCES AND RESPONSIBILITIES .............................................................................................. 9
3. The Practice Elements, Recommendations, and References ................................................. 10
3.1 ELEMENT 1: ROLES AND ACCOUNTABILITIES ................................................................................10
3.2 ELEMENT 2: CHOOSING THE APPROPRIATE METHODOLOGY .........................................................13
3.3 ELEMENT 3: STUDY REQUIREMENTS – PLANNING & PREPARATION................................................16
3.4 ELEMENT 4: STUDY REQUIREMENTS - REPORTING & FOLLOW-UP ..................................................18
3.5 ELEMENT 5: STUDY REQUIREMENTS - HUMAN FACTORS ...............................................................21
3.6 ELEMENT 6: ADDITIONAL SPECIFICS FOR CERTAIN SITUATIONS ......................................................22
5. Appendices .................................................................................................................................. 24
Appendix 1 – The Overall Risk Management Framework .............................................................. 25
Appendix 2 – Factors Influencing Choice of Technique .................................................................. 29
Appendix 3 – Typical Uses of Hazard Evaluation and Risk Assessment Techniques .................. 31
Appendix 4 – Criteria for Selecting Hazard Evaluation and Risk Assessment Techniques ......... 32
Appendix 5 – Flowcharts for Selecting Hazard Evaluation & Risk Assessment Technique ........ 33
Figure A5.1 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique ....... 33
Appendix 6 – Fact sheets for Hazard Evaluation and Risk Assessment Techniques ................... 44
Appendix 7 – Documentation for Hazard Evaluation and Risk Assessment Studies .................. 70
Appendix 8 – Definitions .................................................................................................................... 71
2
Summary
This Group Recommended Operating Practice recommends a structured process for the consistent
selection of appropriate hazard evaluation and risk assessment methodologies to identify and analyze
Health, Safety, Security, Environment and Operating (HSSE&O) hazards and risks in support of safe,
reliable and available operations. This Practice also includes:
1. an explanation of the overall risk management process and how the individual phases relate
to one another;
2. essential requirements for effective hazard evaluation and risk assessment studies; and
3. a description of each technique indicating its purpose, application, strengths/weaknesses,
resources, and information requirements.
There are a variety of hazard evaluation and risk assessment methodologies. Each technique has its
own purpose, strengths and weaknesses, resource requirements, costs, and produces results in
different formats. Particular techniques are suited to particular applications. This Practice covers the
hazard evaluation and risk management tools already in use within BP (e.g., MAR, HAZOP, JHA,
Security risk assessments, Health map, etc.) to support inherently safer design, continuous risk
reduction, and operational integrity. Over twenty different techniques that are used within the BP
Group are listed below and described in detail in Appendix 6.
This Practice supports the evaluation and
management of HSSE & Operations risks in a Fig.1: Hazard Evaluation and Risk
consistent and holistic way across the BP Group. Assessment Methodologies
For further information on risk management please Control of Work
refer to the Group Defined Operating Practice – Task Risk Assessment
Assessment, Prioritization and Management of
Risk (GDP 31-00-01). Hazard Identification/Evaluation
HSSE Review
This Practice does not address non operational HAZID
risks within the organization such as commercial MAHID (see MAHA)
PHA
risks, risks to projects, or enterprise risks Checklist
associated with joint ventures. What If
Relative Ranking / Risk Ranking
This Practice is aligned with the risk management HAZOP
process depicted in Fig. 2, and specifically covers FMEA
techniques for hazard identification, scenario Consequence Analysis
Fault Tree*
development, consequence analysis, likelihood Event Tree*
analysis, and risk analysis that build to deliver risk Bow Tie Analysis
assessment. Human Reliability Analysis
Who is it for? Risk Assessment

Risk Matrix
Management and other members of the BP LOPA
Workforce who need to understand the risk Facility Siting
management process and their role in it. This Fault Tree*
Event Tree*
Practice is for anyone who is involved in selecting, MAHA
conducting, reviewing, approving or implementing MAR
hazard evaluations and risk assessments of HSSE QRA
& Operations risks at BP Entities worldwide. This ALERT
Cost Benefit Analysis
Recommended Practice is also applicable to Joint
Ventures and Contractors to the extent described
in Section 1.2.
Fault and event trees may be used qualitatively for hazard identification purposes, but may also be quantified as part of a risk
assessment.
3
HAZARD
IDENTIFICATION
GENERIC EXTERNAL NATURAL HUMAN ERROR OTHER

HAZARDS HAZARDS HAZARDS HAZARDS HAZARDS?
SCENARIO DEVELOPMENT
(Release, Incident, Impact)
Develop Risk
Reduction
Measures CONSEQUENCE LIKELIHOOD
ANALYSIS ANALYSIS
(Safety,
Environmental, (Probability,
Reputation, Financial
Impact) Frequency)
Key:
RESIDUAL RISK OTHER Hazard Identification
MANAGEMENT CONSIDERATIONS
YES (Business, Feasibility) Assessment
Prioritization
NO Is Further Risk RISK
Reduction ANALYSIS Management
Required?
Fig 2: Risk management process
What is the process?

This Operating Practice identifies the individual circumstances and factors that can influence the
selection of a hazard evaluation and risk assessment technique for a specific application. These
factors are based upon the categories in Fig. 3.
Categories
Motivation for the Study
Type of Results Needed
Type of Information Available to Perform the Study
Characteristics of the Analysis Problem
Perceived Risk Associated with the Subject Process or Activity
Resource Availability and Analyst/Management Preference
Fig. 3: Categories of Factors That Influence the Selection of Technique
Before selecting the most appropriate methodology for a study, a checklist in Appendix 4 should be
used to determine the influential factors and criteria under each of the categories in Fig.3.
Next, the steps in the first flowchart in Appendix 5 (Fig. A5.1 should be followed), which culminates
in a decision to choose one of six potential risk assessment paths.
A series of more detailed decision trees for each of these six paths (Figs. A5.2 through A5.11) should
then be followed to determine which specific technique(s) are appropriate for the particular
circumstances of the problem or issue to be resolved. Or in the alternative, an experienced hazard
analyst may stop at the end of the first flowchart (Fig. A5.1), and use the additional guidance provided
in the individual descriptions of each technique (see Appendix 6) to choose the most appropriate
technique.
This Operating Practice also makes recommendations on competency, planning, reporting and follow-
up for effective hazard evaluation and risk assessment studies.
4
1. Introduction
1.1 Intent and Purpose
a) Description Many techniques have been developed over the years to assist in the
of Purpose identification, analysis and assessment of risk, which may be expressed in terms
of human injury, environmental damage, damage to reputation, or economic loss
including property damage and business interruption. These techniques vary in
degree of complexity, require different levels of skill to utilize and have specific
areas of application.
Selection of inappropriate methodologies can result in less effective hazard
evaluation and risk assessment studies. Ineffective hazard identification and
assessment of risk can impact the health and safety of people, the environment,
and operating performance.
b) Intent To provide a structured process for the selection of appropriate hazard

evaluation and risk assessment methodologies to identify and analyze HSSE &
Operations hazards and risks. This Practice aims to facilitate effective hazard
evaluation and risk assessment studies through more consistent selection of
appropriate techniques across the Group.
For Sites approved to Implement OMS, this Practice describes BP's
recommended approach for satisfying the following OMS Group Essentials:
1. Group Essential 3.1.3

2. Group Essential 3.3.2
For Entities currently operating on the Getting HSE Right (gHSEr) management
system, this Practice describes BP's recommended approach for satisfying
gHSEr Elements 2_(Risk Assessment and Management), 5.5 (Facilities Design
and Construction), 6.7 and 6.10 (Operations and Maintenance) and 7.1, 7.3 and
7.4 (Management of Change).
5
1.2 Scope and Applicability
a) Scope This Practice represents BP's Recommended approach for Selection of Hazard
Evaluation & Risk Assessment Techniques. Subject to this Practice’s intent and
subject to existing contractual constraints (to the extent they cannot be
renegotiated) this Practice should be applied by people who perform work in the
BP Work Environment on behalf of BP.
b) Applicability This Practice is recommended for all BP Entities, projects, facilities, sites and
operations that are wholly owned and operated by BP.
This Practice is also recommended for BP joint ventures, whether or not BP is
the operator. In these cases, subject to an appropriate risk assessment, BP
should try to use its influence to secure that the operation of the joint venture is
consistent with the relevant recommendations contained in this Practice.
Where BP relies on a contractor to carry out work to which the recommendations
in this Practice would apply if the work was performed by BP employees, BP
should, after an appropriate risk assessment, try to have the work carried out in a
way which is consistent with the relevant recommendations in this Practice.
Where existing contractual constraints prevent BP from securing that such a
joint venture or contractor operates consistent with the recommendations in this
Practice, BP should consider the possibility of renegotiating the relevant contract
terms.
If following any of the recommendations in this Group Recommended Practice
would conflict with an applicable legal requirement, it is necessary to comply
with the applicable legal requirement. If following a recommendation would go
beyond any applicable legal requirements, this should be done as long as
compliance with those requirements is achieved.
1.3 Auditing and Compliance
a) Auditing Not Applicable.

and
Compliance
6
1.4 Administration and Authorisation
a) Administration Administration and authorization responsibilities for this Group Recommended

and Practice are:
Authorisation
Content Owner: Group Head of HSSE
Maintainer: Director OMS Knowledge Management
Approver: Group Head of HSSE
The Content Owner is responsible for confirming the accuracy and integrity of
content and proposed changes to the Practice.
The Maintainer is responsible for the upkeep and continued integrity of the
Practice, including regular reviews and audits.
The Approver is responsible for authorizing and approving changes to the
Practice, and in the case of a Group Recommended Practice, is also the
‘Approver for Issue to BP’.
b) Interpretation Questions of interpretation should be directed in writing to the Content Owner

of this Practice for the purpose of clarification. The Maintainer should receive a
copy of the written questions as submitted to the Content Owner..
c) Changes and Any suggested changes or amendments to this Practice should be forwarded to
Amendments the Content Owner along with the reasons for suggesting them. The Maintainer
should receive a copy of the suggested changes or amendments as submitted to
the Content Owner.
All suggestions will be acknowledged and, if rejected, the reasons given for their
rejection.
Accepted changes will be administered through the document change control
system employed by Group Safety & Operations.
d) Document This Practice should be held and controlled in the Safety & Operations website
Control and until the Group OMS Library is available.
Review
This Practice will be subject to periodic review. The Maintainer is responsible for
scheduling these reviews. The review will be led by the Content Owner, and
include input from each of the business segments and Group S&O.
F
7
2. The Practice Structure

2.1 Recommendations
Recommendations contained within this Group recommended practice are

a) Recommendations
not Group requirements, but they do form a set of high quality, tried and
tested recommendations that entities are encouraged to use to deliver the
relevant Group Essentails. It is for each BP Entity to determine whether or
not to adopt this particular Group Recommended Practice (whole or in part)
under guidance from the BP Segment to which it belongs.
If any recommendations in a Group Recommended Practice overlap with
Group requirements in other documents, the Group requirements are to be
met. The recommendations are intended to support conformance with
relevant Group requirements, not as alternatives to conforming with Group
requirements.
In particular, there are situations where the BP Group requires the use of
certain hazard assessment methodologies described in this practice. Please
consult the following Group Defined Engineering Technical Practices for
further information:
GP 48-01 - HSSE Review of Projects (PHSSER)
GP 48-02 - Hazard and Operability Study (HAZOP)
GP 48-03 - Layer of Protection Analysis (LOPA)
GP 48-04 - Inherently Safer Design (ISD)
GP 48-50 - Major Accident Risk (MAR)
Each person who applies this practice is advised to consult Group Defined
Engineering Technical Practice GP 01-01 for a current list of the hazard
assessments that the BP Group requires in certain situations. GP 01-01 can
be found in the Engineering Technical Practices library at
http://etplib.bpweb.bp.com/home.jsp
Each person who applies this practice is also advised to consult local legal
requirements to determine whether a particular type of study methodology is
required under local law. In some countries, statutes or regulations may
dictate the frequency and type of methodology required.
2.2 Language
Throughout the Group Defined and Recommended Practices, when used in

a) Shall, Should and
the context of actions by BP or others, the following words have specific
May
meanings:
'Shall' is used where a provision is mandatory. (note: ‘Shall’ is not
used in Group Recommended Practices such as this)
'Should' is used where a provision is preferred.
'May' is used where alternatives are equally acceptable.
8
2.3 References and Responsibilities
a) References References, where appropriate, are made to other relevant Group Standards,
Group Practices, operating standards, guidelines, procedures and documents
should be used in order to support the application of this Group
Recommended Practice. Examples and case studies may be provided to aid
clarity and understanding.
b) Responsibilities Where appropriate, roles and responsibilities to deliver any process/activities

recommended within this Practice are clearly defined. Delivery of these
responsibilities should be locally assigned.
9
3. The Practice Elements, Recommendations, and References

3.1 Element 1: Roles and Accountabilities
a) Intent To define roles and responsibilities for hazard evaluation and risk
assessment. Selection of a competent study team will directly impact the
quality of the study generated and its use by the client business unit or major
project.
10
b) Recommendations 1. For each Entity, authorities for the following roles associated with hazard
evaluation and risk assessment studies should be delegated,
documented, and agreed:
a. scope development for each study
b. choice of study methodology
c. choice of who is to perform the study (for some techniques this
should be a multi-disciplinary team)
d. quality evaluation of deliverables at the conclusion of the study
e. resolution of actions from the study
Competency for these roles should be defined and assessed.
2. The hazard analyst (study leader) should be experienced in the specific
study methodology employed.
3. The hazard analyst should liaise with operations and engineering
personnel knowledgeable in the facility and its technology.
4. For new projects, the study leader should be independent of the project
team and design contractor.
5. To support the hazard evaluation and risk assessment process, key staff
with the appropriate breadth and depth of expertise should be engaged.
This should include those with responsibility for day to day operations,
and those with technical competence in hazard evaluation and risk
assessment.
6. It is important that the person leading the analysis be equipped with the
proper skills and experience, as this can affect the quality of the results
obtained. The study should be facilitated by a hazard analyst experienced
in the specific methodology selected for the study.
7. Regardless of which technique is chosen, the quality of the data it
produces is ultimately dependent upon the knowledge and commitment
of those involved.
8. Some hazard evaluation and risk assessment studies may be conducted
by a multi-discipline team, e.g. HAZOP. Specialists should be selected as
study team members on an "as needed" basis. For example, process
chemistry, HSSE, process safety, operations, electrical, maintenance,
corrosion, process and mechanical design engineers should be selected
on the basis of their knowledge and experience of the process or system
under review. Sufficient participants from different delivery teams or
operating units are also recommended to address interfaces being
covered.
9. It may also be beneficial to have third party representatives involved in the
study. The study team should include a vendor representative familiar
with the engineering and operation of any vendor package that is studied,
and a contractor representative familiar with any new facilities or
modifications being designed by a contractor.
10. The individual proposed as study team leader should have adequate
training and experience in the study methodology to be used. On
occasion contractors may be used to lead hazard evaluation and risk
assessment studies, if they have the appropriate level of training and
experience. The study team leader should be a specialist with a
background in risk analysis. BP representatives having risk analysis
expertise should participate in planning and executing the study.
11
c) References 1. Integrity Management (IM) Functional Standard

2. GP 48-01 Group Practice for Projects HSSE Review (PHSSER)
3. GP 48-02 Group Practice for Hazard and Operability Study (HAZOP)
4. GP 48-50 Group Practice for Major Accident Risk Process
12
3.2 Element 2: Choosing the Appropriate Methodology
a) Intent To choose a hazard evaluation and risk assessment methodology that is

appropriate to the individual circumstances of the activity or problem being
analysed.
13
b) Recommendations 1. Each Entity should have a process in place to consistently select

appropriate hazard evaluation and risk assessment methodologies. This
process should include consideration of the following influential factors,
which are detailed in the checklist in Appendix 4:
a. Motivation for the Study
b. Type of Results Needed
c. Type of Information Available to Perform the Study
d. Characteristics of the Analysis Problem
e. Perceived Risk Associated with the Subject Process or Activity
f. Resource Availability and Analyst/Management Preference
2. This process should consider the following logic, which is detailed in the
decision tree in Appendix 5, Fig. A5.1:
a. Any regulatory or BP policy requirement for a specific methodology
b. Whether there is a pre-existing study that addresses the problem to
sufficient depth and detail, but that may require updating or revising
c. If not, a new study should be performed
d. Type of results that are needed - whether qualitative or quantitative in
one of six groups:
d.1.1. Hazard Screening or Hazard List
d.1.2. Options for Risk Reduction / Safety Improvement
d.1.3. List of Specific Incident scenarios plus Options for Risk
Reduction / Safety Improvement
d.1.4. Measure of Process Unit, Plant, Site or SPU/BU Risk
d.1.5. Facility Siting and Layout
d.1.6. Societal / Individual Risk
3. This process should then either:
a. Consider the logic detailed in the decision trees for the six groups of
results in Appendix 5, Figs. A5.2 to A5.11 to determine a specific
technique appropriate to the particular circumstances of the problem
or issue to be resolved.
b. Or alternatively, an experienced hazard analyst may stop at the foot of
Appendix 5, Fig. A5.1, and choose the most appropriate technique
based upon the content of the detailed one-page fact sheets on each
methodology in Appendix 6.
4. Each hazard evaluation and risk assessment methodology has its unique
strengths and weaknesses. Appendix 6 describes many of the attributes
of the over 20 techniques covered in this Operating Practice.
Understanding these attributes is prerequisite to selecting an appropriate
methodology.
5. In general, one should consider the six categories of factors (listed in
subsection (b)(1) above) when selecting a technique for a specific
application. Appendix 3 describes these factors in more detail. The first
two categories are the most important factors to consider, and the
chosen methodology should be the most effective means of delivering
the required information. Other factors should not be allowed to
overshadow the first two factors.
14
c) References 1. CCPS, Guidelines for Chemical Process Quantified Risk

Assessment, 2nd Edition, 1999
2. CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008
3. CCPS, Guidelines for Risk Based Process Safety, 2007 (Chapter 9)
15
3.3 Element 3: Study Requirements – Planning & Preparation
a) Intent Hazard evaluations and risk assessments are important studies that require
careful planning and preparation to deliver effective results.
b) Recommendations Scope Definition

1. Clear objectives and scope should be developed for each study and
formally agreed and documented before the study commences.
2. It should not be assumed that all stakeholders always know what a
hazard evaluation/risk assessment study is, what requirements are
necessary for a study to be effective, what the limitations of the
technique are and what should be the extent of the responsibilities
of the study team.
The study scope should clearly identify:
boundaries (site, facility, process and utility systems to be studied),
normal and abnormal operational modes to be studied, e.g. start-up,
shutdown, emergency shutdown, drilling, pigging, etc.
In the case of modifications to an existing plant, whether the study is
to be limited to the modifications only or applied to the whole plant.
Preparation and Planning
3. Prior to the study commencing, the Leader and other stakeholders
should discuss the way in which the study is to be run. Particular
points for discussion are availability and form of information, how the
study is to be recorded, timetable, venue, circulation of pre-study
reading material, and any accounting measures which need to be
taken.
4. A thorough briefing on the design and operation should be provided
to the study team by someone knowledgeable about the design in
the case of a new facility and by someone knowledgeable about the
design and operations in the case of an existing facility. If practical, a
site tour of the existing facility should be arranged.
5. If different operational modes are being covered, then the
corresponding operating procedures should be available and
referenced. In some cases, the different operational modes may be
defined in the design documentation, P&IDs or supplemented by
simplified process flow diagrams (PFDs).
Drawings and Information
6. All engineering and Process Safety Information (PSI) should be
accurate and up to date prior to starting the study. For existing
facilities that are not subject to modification, all documentation
should be signed off to "as-built" status. If, in unusual circumstances,
it is considered that a study is worthwhile on incomplete or informal
information, the full nature of the documentation should be recorded
together with appropriate qualifying comments.
7. A list of documentation that may be available and needed for hazard
evaluation and risk assessment studies is appended in Appendix 7.
16
c) References 1. CCPS, Guidelines for Chemical Process Quantified Risk Assessment,

2nd Edition, 1999
2. CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008
17
3.4 Element 4: Study Requirements - Reporting & Follow-up
a) Intent Hazard evaluations and risk assessments are important studies that should
comply with various formal criteria for reporting, resolution, document
retention and revalidation.
18
b) Recommendations Reporting the Study Results

a. At the conclusion of the study, a formal report (or permit pro-forma
for JSA) should be issued to a BP Leader.
Recommendations
b. If the study team judges that the engineering system design and
operating procedures are unlikely to adequately reduce the risk of an
unwanted scenario, then a recommendation should be made. These
recommendations should be selected according to the risk reduction
hierarchies in Appendix 1.
c. The recommendations should be written to identify the rationale for
the recommendation, so that the intentions of the study team will be
easily understood at a later date.
Action Resolution
d. The BP Leader who receives the study report should address all
recommendations in a timely manner based on their risk ranking.
The BP Group Defined Practice on Risk Assessment, Prioritization
and Management (GDP 31-00-01) contains more information about
how to rank, prioritize and manage HSE risks.
e. Decisions to accept, accept with modifications, or reject the
recommendations in the study report should be clearly documented,
along with any decision to refer the recommendations to others for
further action. The reasons for modifications, referral, or rejection
should be clearly stated in writing. A formal note should be kept of
all such decisions which can be accessed in the future if needed.
f. The BP Leader should ensure that any actions needed to implement
the above decisions are completed in a timely manner. The BP
Leader should appoint a person to ensure that such actions are
completed, and instruct that person to provide a progress report at
regular intervals, until the actions are complete.
g. All report recommendations, Project / Asset management responses
and supporting documentation should ideally be recorded in a
records system, which will permit ready retrieval, status reporting,
progress chasing and independent audit. The supporting
documentation should include appropriate reports, memos, drawings
and other communications demonstrating that the recommendations
arising from the hazard evaluation/risk assessment have been carried
out or otherwise resolved.
h. An effective means of tracking recommendations should:
a. Track the status of all open action items
b. Record the action item closure and approval
c. Include or reference all documentation requirements
d. Track the transfer of action items between delivery teams
Study Revalidation
i. Hazard evaluation and risk analysis studies should be revalidated or
updated periodically or as significant process/plant/procedural
changes occur. The frequency of a periodic update may depend on
BP or regulatory guidance.
19
j. Revalidation may involve review of the previous hazard evaluation /

risk assessment study or conduct of a new hazard evaluation / risk
assessment study, or a combination of the two approaches. If
significant changes have taken place since the previous hazard
evaluation / risk assessment study, it is preferred to complete a
thorough hazard evaluation / risk assessment of the process or
facility again. However, if there have not been significant changes or
there is confidence that the changes have been subject to a mini-
HAZOP or otherwise effective MOC process, it may be sufficient to
review the old study. Prior to commencing revalidation, the following
data should be available:
a. The previous hazard evaluation / risk assessment study (including
drawings used).
b. A record of MOCs (and associated PHA reviews) completed since
the previous hazard evaluation / risk assessment study.
c. A copy of current as-built P&IDs and Cause and Effect Diagrams.
d. A record of all incidents and near misses since the previous
hazard evaluation / risk assessment study and the actions taken
following the incident investigation.
k. In some BUs, a Safety Case may be a regulatory requirement, and
Major Projects should develop a ‚Case for Safety‛ for handover to
the future Operator in line with the BP MPcp. These Safety Cases
record an assessment of the hazards and the management systems
in place for their prevention, control and mitigation. These
documents should be periodically revalidated or when there is a
significant change to the facility.
Document Retention
l. Study documents (reports, responses, action resolution, revalidation)
should be archived for the life of the facility (or in line with local
document retention policy) to maintain an audit trail for future
reference.
Communication
m. Relevant recommendations and actions from the study report should
be communicated to members of the BP Workforce who may be
affected by the recommendations or actions. Local legal
requirements should be reviewed to determine if additional
communication requirements apply to the site (e.g., a requirement to
make the study report accessible to persons who work with or near
the studied risk).
Performance Management
n. BU’s should set appropriate performance indicators to provide
assurance that hazard evaluation and risk assessment activities are
being adequately managed. KPI’s should typically cover issues such
as the number of outstanding study action items, and significant
MOC’s since the last study revalidation or update of the hazard
register. The Engineering Authority should review and use the
Hazard and Risk Register to identify and annually notify the top five
IM-related risks in their Annual Engineering Plan.
20
c. References 1. Integrity Management (IM) Functional Standard

2. GDP 31-00-01 Group Defined Operating Practice, Assessment,
Prioritization and Management of Risk
3. Major Projects common process (MPcp)
4. Design Safety in Major Projects Common Process
5. CCPS, Revalidating Process Hazard Analyses, 2001
3.5 Element 5: Study Requirements - Human Factors
a) Intent A significant number of major incidents involve human factors. An

understanding of human factors can significantly improve human
performance and reduce the potential for error.
b) Recommendations Human factors should be addressed in a number of ways:

a. As potential for causing the hazard, i.e. human error
b. Studies should consider performance shaping factors, such as shift
work, fatigue, task complexity, number of tasks vs. time, and
working environment.
c. Limitations of operator response
d. Studies should normally give little credit for operator intervention
particularly when the hazard is significant and occurs rapidly. Alarms
are normally largely discounted on the understanding that they will
only provide an opportunity for the operator to avoid the subsequent
executive action shutdown or relief valve operation, etc.
e. Operability Issues (man-machine interface)
f. Studies should consider operability or maintenance issues associated
with issues such as access/egress, alarm handling, control room
ergonomics, manual handling/lifting, and instrument visibility.
Study teams should bear in mind that applicable regulations may specifically
require human factors to be addressed (e.g., in the US, this may include
OSHA process safety management requirements and EPA RMP). The study
team should identify any local laws that require human factors to be studied,
and the study team should also consider the potential for human error where
manual control is necessary to correct deviations, or to provide critical
information and alarms to operators if deviations occur, or to enable
operators to intervene if deviations occur. Consideration should also be
given to the potential for operability problems to become hazards if unsafe
practices are necessary to overcome the problems.
21
c. References 1. 29 CFR 1910.119, OSHA, Process Safety Management Of Highly

Hazardous Chemicals, 1992
2. 40 CFR Part 68, EPA, Accidental Release Prevention Requirements:
Risk Management Programs Under Clean Air Act Section 112(r)(7),
1996
3. CCPS, Guidelines for Preventing Human Error in Process Safety,
1994
4. CCPS, Human Factors Methods for Improving Performance in the
Process Industries, 2007
6. Checklist for Human Factors in the Workplace v2
3.6 Element 6: Additional Specifics for Certain Situations
a) Intent The BP Group requires certain hazard evaluation and risk assessment
methodologies to be used in certain situations, including:
1. GP 48-01 - Project HSSE Review (PHSSER) is used at discrete
stages of Major Projects, and some smaller projects, to provide
independent assurance that appropriate engineering and
operating systems are being developed to manage identified
risks. Consult GP 48-01 for further information.
2. GP 48-02 - Hazard and Operability Study (HAZOP) is used to
identify hazards and evaluate the effectiveness of safeguards in
process system designs, and when significant changes to the
P&ID are proposed. Consult GP 48-02 for further information.
3. Any scenario that can result in single or multiple fatalities
requires a higher level of review than HAZOP to ensure that
adequate protection is in place. GP 48-03 - Layer of Protection
Analysis (LOPA) is used for risks at levels C through E on the
Risk and Manageability Matrix (GDP 31-00-01, App. 3) (the
Matrix). Methods such as Fault Tree Analysis (FTA), Failure
Modes and Effects Analysis (FMEA), or Quantitative Risk
Assessment (QRA) are used to evaluate risks at levels A or B on
the Matrix.
4. GP 48-04 - Hazard identification is key to achieving an Inherently
Safer Design (ISD). Initially a preliminary hazard identification
technique, such as HAZID, is used during the appraise stage of a
project. Later, during select and define stages, hazard
identification and risk assessment studies will build upon the
initial hazards identified using other more detailed techniques,
such as What If, HAZOP and MAR. Consult GP 48-04 for further
information.
5. GP 48-50 - Major Accident Risk (MAR) study is used by all BP
Operations and Major Projects with the potential for a major
incident.
22
b) Recommendations HAZOP
1. The HAZOP technique is used to identify hazards and operability
issues, and evaluate the effectiveness of safeguards, in the design of
process systems. Whenever a new P&ID is developed for a project,
or an existing P&ID is subject to significant modification for a MOC,
the process design is evaluated using the HAZOP technique.
2. Less rigorous techniques, such as What If and Checklists, should not
be used as a substitute for HAZOP for evaluating process designs,
where significant changes to the P&ID are proposed. HAZOP is the
preferred technique for hazard identification of modifications to
existing facilities where changes to the P&ID occur. However, if a
competent person determines that the changes to the P&ID are not
significant (i.e., they are minor and of sufficiently low hazard), then an
alternative technique such as What If or Checklist may be used.
Individual changes which are, by themselves, not significant may
become significant when combined with other such changes, so the
periodic revalidation of the baseline HAZOP should consider these
changes at the next scheduled revalidation.
LOPA
3. While HAZOP is used to evaluate process systems, a higher level of
review is should also be used if a scenario can result in single or
multiple fatalities. This ensures that adequate layers of protection
with sufficient availability are in place to reduce the risk. LOPA may
be used to fulfil this requirement for many risks, and is the preferred
technique for the evaluation of the effectiveness and independence
of safety measures, especially protective systems. However, LOPA
is not appropriate for risks with the most severe potential
consequences, including risks with the potential for 50 or more
fatalities. Methods such as FTA, FMEA, or QRA are used to
evaluate such risks.
4. Safety Integrity Levels (SIL) should be determined using the LOPA
technique.
MAR
5. The Group Major Accident Risk (MAR) Process is used to assess the
potential for a major incident in new projects and existing facilities.
c) References 1. GP 30-76 Safety Instrumented Systems – Process Requirements

Specification
2. GP 48-02 Group Practice for Hazard and Operability Study (HAZOP)
3. GP 48-03 Group Practice for Layers of Protection Analysis
4. GP 48-50 Group Practice for Major Accident Risk Process
5. CCPS, Layer of Protection Analysis – Simplified Process Risk
Analysis, 2001
6. CCPS, Guidelines for Safe and Reliable Instrumented Protective
Systems, 2007
23
5. Appendices
Group Recommended Practice
Selection of Hazard Evaluation & Risk

Assessment Techniques.
Appendices 1- 8
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019 24

Appendix 1 – The Overall Risk Management Framework
Phases of Risk Management

Figure 2 illustrates the philosophy for conducting hazard evaluation and risk assessment studies, which
vary widely in their complexity and application (see Appendix 6). As a general rule, the study should
proceed in a step-wise manner until a reliable decision may be made regarding the issue of interest. For
example, if a reliable decision can be made based upon the results of the hazard identification step, then
the study should be concluded at this point. However, if additional analysis is needed before a reliable
decision may be made, then additional steps (consequence analysis, likelihood analysis, or risk analysis)
should be performed. At each successive step, consideration should be given as to whether a decision
may be made before commencing the next step.
It may be readily apparent that only the hazard identification step is needed, for example, if evaluating a
new P&ID for a new project or modified process. Some of the techniques, like HAZID or HAZOP, only
address this first step, whereas other techniques, such as QRA, cover the full range of steps from
hazard identification through consequence analysis and likelihood analysis to risk analysis.
The seven-phase risk assessment process is illustrated below. These phases are:
1) hazard identification,
2) scenario development,
3) consequence analysis,
4) likelihood analysis,
5) combining likelihood analysis with consequence analysis in a risk analysis,
6) determining risk significance and if risk reduction is appropriate, and
7) developing risk reduction options.
Risk management involves an eighth and final step; decision-making (and implementation) of the risk
reduction options developed in the risk assessment process.
Phase 1: Hazard Identification (What can go wrong?)
The first step in managing risk is to identify the potential risks, or hazards, which exist in a process or
operation. There are many methods that can be employed to achieve this aim. Whichever one is most
appropriate is dependent upon a number of factors (see Appendix 2).
No one method will be suitable for all cases. These methods range from a simple but unstructured
safety review to critical examination under a Hazard and Operability (HAZOP) Study. While the simpler
methods may yield insight to the larger and more general hazards, the more rigorous techniques like
HAZOP can force a depth of evaluation capable of uncovering even the subtle potential risks of complex
chemical processes.
For existing facilities, hazard identification is generally conducted to determine where risk analysis is
warranted. This activity can be initiated in response to an incident, the raising of concerns or as part of
the analysis conducted before installing new equipment and systems and in preparation for start-up.
The earlier the hazard identification process is initiated in the development of a capital project, the more
effective it will be. Typically it is much more economical to effect a design change earlier rather than
later, even though availability of information is limited. There are study methodologies, such as HAZID,
that provide a type and depth of analysis that is appropriate to the use of the sometimes sparse data
(simple layouts, process flow diagrams etc.) which may be all that exists at earlier stages of a project.
These are appropriate to identify the larger hazards, and may be used as the input into Inherently Safer
Design practices (see GP 48-04). More detailed analyses that require piping and instrument diagrams
(P&ID’s), materials and equipment specifications, etc. are better suited to the later stages of the project
where the hazards are potentially smaller, but more subtle.
Phase 2: Scenario Development
An important step in understanding the identified hazards is the Scenario Development. This involves
identifying how the hazard might be realized into an unwanted outcome. Normally this involves a series
of potential events, such as a mechanical failure of a piece of process equipment, followed by a release
of hazardous material or energy, followed in turn by progression towards some consequential outcome,
such as vapour dispersion and ignition, resulting in impact of blast overpressure or thermal radiation

upon persons, property or environment. Alternative scenarios could involve different failure
mechanisms, different hazardous material or energy releases, different escalation mechanisms,
Figure A1.1 illustrates a typical progression from mechanical failure to release, dispersion, consequence,
and ultimately impact.
Figure A1.1: Progression of a Scenario
Failure
Release
Dispersion
Consequence
Impact
For example, if the hazard is identified as the presence of water in a pipeline transporting hydrocarbons,
then the scenario might involve the collection of water at low points in the pipeline during periods of low
throughput/flow rate. This collection of water might then result in enhanced corrosion, which in turn
would result in pin-hole leaks, or perhaps even a split in the pipe wall giving rise to a large leak.
Alternatively the collection of water might freeze at low temperatures resulting in a major fracture of the
pipeline and subsequent full bore rupture. Scenario development involves identifying all of the potential
failure mechanisms, loss of containment, escalation, exposure, and impact possibilities.
Some analysis techniques consider a single scenario at a time, such as the risk matrix. Others combine
the risk of numerous scenarios. In all cases, it is important to identify scenarios that are credible and
within the scope of the study.
Phase 3: Consequence Analysis (How bad?)
Once the hazards are identified, the next step is to assess the potential impact or consequence of the
identified hazards or adverse events, which can include consideration of vulnerability and numbers of
exposed people. This is done by either qualitatively or quantitatively stating the hazards in terms of the
magnitude of negative impacts.
The tools for consequence analysis range from simple loss of containment calculations through release,
dispersion, thermal radiation and blast overpressure computer models to complex computational fluid
dynamics (CFD) models. These tools progressively involve co-relative degrees of accuracy and cost,
and require increasing degrees of experience and skill in the user.
As with Hazard Identification, no single consequence analysis tool is appropriate for every situation. The
tool selected should properly reflect the nature of the activity to be assessed, experience with that
activity, and the objectives of the analysis.
Phase 4: Likelihood Analysis (How often?)
Once the impacts of the hazards are understood, the next step is to assess the risk of the hazards being
realized so that they may be prioritized, which can often include consideration of time of occupancy as
well as the likelihood of occurrence. This is done by either qualitatively or quantitatively assessing the
likelihood of negative impacts and/or adverse events occurring. As with hazard identification and
consequence analysis, no single likelihood analysis tool is appropriate for every situation. The tool
selected should properly reflect the nature of the activity to be assessed, experience with that activity,
and the objectives of the assessment.

Phase 5: Risk Analysis

The combination of a likelihood analysis with a consequence analysis produces a risk analysis. The tools
for risk analysis range from simple qualitative risk screening methods to rigorous quantitative risk
analyses (QRA) with co-relative degrees of accuracy and cost and requiring varying degrees of
experience and skill in the user.
Phase 6: Risk Significance (How Serious?)
Having determined the risks, it is necessary to consider their significance, e.g. are the risks sufficiently
high to warrant the implementation of risk reduction measures, or sufficiently low that available
resources should be devoted to greater priority issues? There are several approaches that may be
employed to determine significance. One of the simpler approaches involves the relative ranking of the
risks in order to prioritize areas requiring risk reduction. Risk matrices may be used as a semi-
quantitative means of prioritization, and more complex approaches involve comparison of risks in
absolute terms against regulatory risk criteria.
The output from hazard evaluation and risk assessment studies may be used to identify major and less
serious hazards which should be assembled into a register for easy reference.
BP’s risk policy is based upon the concept of continuous risk reduction. No level of risk is deemed
sufficiently low that it may be ignored. However, when resources are available for risk reduction, priority
should be given to reducing the most significant risks first. Appendices 1 and 2 to the BP Group Defined
Operating Practice for Assessment, Prioritization and Management of Risk (GDP 31-00-01) show how to
prioritize risks by plotting HSE impact levels and Business impact levels separately on a matrix, as these
different types of impact cannot be directly compared. Safe and reliable operations are BP's first priority,
and in line with this, Appendix 1 to GDP31-00-01 states that BP's commitment to health, safety and the
environment is paramount, as reflected in BP's goal of "No Accidents, No Harm to People, and No
Damage to the Environment.‛ BP Entities should also consider other factors, such as political, financial
and regulatory factors, before making risk reduction decisions, based upon the use of tools described in
this practice. Further information on continuous risk reduction is available in the Group Defined
Operating Practice for Assessment, Prioritization and Management of Risk (GDP 31-00-01) and in the
Major Accident Risk process (GP 48-50).
Phase 7: Developing Options for Reducing Risk (What next?)
Once the significance of risks is determined, and the risks are prioritized, the next step is to address the
risks by developing options for risk reduction. These are projects that, if implemented, would reduce the
risk appropriately.
There is a natural hierarchy to the effectiveness of risk reduction measures (see Fig. A1.2). The most
effective measures are those that eliminate the hazard entirely, followed by those that prevent the
hazardous outcome from occurring. Next are measures that control the magnitude or frequency of the
hazardous outcome, followed by those that mitigate the impact on people or the environment. Lastly
emergency response measures are likely to be the least effective in reducing risk.
Figure A1.2 Hierarchy of Risk Reduction Measures
Risk Reduction Measures

Increasing Effectiveness
Elimination
Prevention
Control
Mitigation
Emergency Response

There is also a preferred hierarchy regarding the reliability of the controls selected for risk reduction, as
follows:
Passive measures are more reliable than
Active measures are more reliable than
Administrative or procedural controls
Phase 8: Decision-Making
Once the risk reduction measures have been developed, it is necessary to select which options will be
implemented. The risk level with an individual risk reduction measure may be compared with the
original risk without the measure, in which case the difference should indicate a worthwhile reduction to
justify implementation of the measure. Alternatively the risk levels of two or more options may be
compared with each other to indicate which measure offers the greater risk reduction.
Cost-Benefit Analysis (CBA) identifies the costs and benefits of each risk reduction measure and
expresses them in financial terms, establishing a consistent and systematic basis for evaluating and
choosing among such measures. This can result in decisions of improved quality, consistency and
defensibility, especially funding decisions that have impacts on health, safety and the environment.
Because BP operates in some locations that restrict or regulate the use of cost-benefit analysis, it is
important to consult local legal requirements to determine whether cost-benefit analysis is required,
prohibited, or otherwise regulated under the laws that apply to the study in question. Local political,
regulatory and other factors should also be considered before deciding whether to use CBA in making
risk reduction decisions. It is important to ensure that any cost-benefit analysis is written in a way which
makes clear that in fact BP does not view non-financial impacts such as HSE impacts as capable of being
equated to financial values.
In the absence of a cost-benefit analysis in the selection and scheduling of projects, it is difficult to
quantify the reduction in risk achieved with a given project in financial terms and to ensure that
resources are invested to gain the maximum potential benefit. Where the goal is to reduce risk, and
available resources are finite, those resources should be spent on the right projects. The selection of
the most appropriate tools as discussed in this practice can help BP Operation Leaders knowledgeably
make these decisions.
Specific Techniques
This practice provides information on the tools available to assist the BP Workforce in each of the
phases of the risk management process. It is intended to help the BP Entity (and the HSSE, engineering
and other professionals supporting it) to decide which hazard evaluation and risk assessment technique
is most appropriate for the given need. For each hazard evaluation and risk assessment technique
identified, a summary is provided showing the degree of skill needed to apply it, its relative cost, and
degree of sophistication and value (see Appendix 6). A detailed description of each tool is included,
followed by guidance as to how, when and where the tool is best applied and its relative strengths and
weaknesses.
It should be appreciated that the sophistication and cost of a selected technique should be appropriate to
the level of detail needed to answer the question the technique is being used to provide. The amount
and quality of data available will also impact which technique is appropriate. Use of the more extensive
and costly techniques is not necessarily the best use of resources.
Note: it is outside the scope of this document to provide user-instruction for specific tools. This
guidance may be found in other BP and industry documents. The appropriate references are provided
for each technique addressed in this document.

Appendix 2 – Factors Influencing Choice of Technique
The Motivation for the Study

This is probably the single most important factor in determining the most appropriate methodology.
The hazard analyst should be provided with a well-defined purpose so that he can choose the
technique that efficiently executes the study. The following sub-factors may describe the motivation
for the study: legal requirement (legislation/regulation), BP requirement (policy, standard,
practice/ETP), new project (is design safe to move forward?), incident investigation, continuous risk
reduction of an existing facility, risk register, acquisition (due diligence), or other special requirement.
The Type of Results Needed
Depending upon the motivation for the study, a variety of results could be needed to meet the study
purpose. Defining the specific type of information needed to satisfy the study objective is an
important step in selecting the most appropriate methodology. The following are 6 categories of
qualitative and quantitative information that can be generated from hazard evaluation and risk
assessment studies:
Qualitative
List of hazards/hazard screening
List of potential incident scenarios
Options for risk reduction/HSSE improvement
Quantitative
Input for QRA
Layout/facility siting
Major accident risk
Some techniques can be used solely to identify hazards associated with a process or activity. If that
is the purpose of the study, a technique that generates a list of hazards or screens areas of the
process or activity for a particular hazardous characteristic should be selected.
Nearly all hazard evaluation and risk assessment methodologies can generate a list of potential
incident scenarios and options for risk reduction or HSSE improvement (i.e. recommendations). A
few of the techniques can also be used to prioritize the recommendations.
Where a qualitative analysis would not provide the necessary risk management results, the hazard
analyst may select a quantitative methodology that provides a more definitive basis.
Other Factors
The other factors that should be considered when selecting the most appropriate technique are: the
type of information available to perform the study, the characteristics of the analysis problem, the
perceived risk associated with the subject process or activity, the resource availability, and the
analyst/management preference. These factors should not be allowed to overshadow the first two
factors: the motivation for the study, and the type of results that are needed.
Type of Information
Different methodologies are most appropriate for use at different stages of the life cycle of a facility.
The type of information available to perform the study is largely dictated by the stage of the life cycle
of the process or activity, and by the quality or accuracy of the needed data. Obviously at the
Appraise or Select stage of a project, the available information will be less detailed than that available
at later stages. Appendix 3 illustrates the typical uses of hazard evaluation and risk assessment
techniques at the various stages of CVP including MOC. Existing facilities may already have a study
that addresses the scope of the study, in which case it may be appropriate to merely update the pre-
existing study. Irrespective of the technique chosen, if the input data are not accurate and up-to-
date, the study may be a waste of time.

Characteristics of the Analysis Problem

The characteristics of the analysis problem may be divided into a number of sub-factors: the
complexity and size of the problem (level of resolution compatible with the number of
processes/systems/operating steps/hazards), the type of process (e.g. FMEA better suited to
mechanical/electrical processes), the type of operation (potential for single or multiple events,
permanency, continuous/batch), the nature of inherent hazards, and the incidents or situations of
concern (potential for single or multiple events, failure type, process upset).
Perceived Risk
The perceived risk associated with the subject process or activity should be considered in terms of
the amount of experience with the process, number of incidents, and continued relevance of the
experience. The populations and facilities likely to be exposed to the associated risk should also be
considered. More systematic techniques employing a team approach should be selected where the
perceived risk is high.
Resource Availability
Resource availability can influence the choice of methodology, and the hazard analyst should consider
issues associated with people, duration and cost. Generally two types of personnel are needed:
leaders and hazard analysts skilled in the particular methodology selected, and persons
knowledgeable in the process or activity being analyzed. Generally quantitative techniques are more
demanding in terms of time and cost than qualitative techniques.
When selecting a methodology, its cost should be considered against the objectives of the
evaluation. Consider the nature and complexity of the process or operation to be evaluated, the
comprehensiveness of the codes and standards according to which the process was designed or the
operation conforms, and the company’s experience with the process or operation. The cost of the
more extensive modes of hazard analysis is not always justified.
Analyst/Management Preference
Preference can also influence the choice of methodology. Ideally studies should be performed using
methodologies that are technically most appropriate and also familiar to the leader/hazard analyst, and
management preferences should not override technical reasons for selecting a particular technique.

Appendix 3 – Typical Uses of Hazard Evaluation and Risk

Assessment Techniques
Appraise Select Define Execute Operate Retire
Methodology Conceptual Detailed Construction Routine Management

Design Design Operations of Change
incl.
Maintenanc
e
HSSE Review X X X X X X X X
Task Risk X X
Assessment
HAZID X X X X X X
MAHA X X revalidate
PHA X X X X X X
Checklist X X X X X
Relative Ranking X X X X X
What If X X X X X X
Risk Matrix X X X X X X X
HAZOP X X revalidate X
LOPA X X X
FMEA X X X
Facility Siting X X X X X revise
Consequence X X X X X
Analysis
Fault Tree X X X
Event Tree X X X
MAR X X X X X revalidate
QRA X X X X
ALERT X X X X X

Appendix 4 – Criteria for Selecting Hazard Evaluation and Risk

DEFINE MOVITATION
□ Legal requirement □ BP requirement
□ New Project □ Existing Facility
□ Acquisition □ Incident
□ Risk Register □ Continuous Risk Reduction
□ Recurrent Review □ Special Requirement
DETERMINE TYPE OF RESULTS NEEDED

Qualitative Quantitative
□ List of Hazards □ List of Potential Incident □ Input for QRA
□ Hazard Screening Scenarios □ Layout / Facility Siting
□ Options for Risk Reduction / □ Prioritisation of Results □ Major Accident Risk
HSSE Improvement □ Societal / Individual Risk
IDENTIFY AVAILABLE PROCESS INFORMATION

□ Materials □ Similar Experience □ Existing Process
□ Chemistry □ PFD □ Procedures
□ Inventories □ P&ID □ Operating History
□ Recurrent Review □ Equipment Reliability □ Incident Frequency
EXAMINE CHARACTERISTICS OF THE PROBLEM

Complexity/Size Type of Process
□ Simple/Small □ Oil/Gas/Chemical □ Electrical
□ Complex/Large □ Physical □ Electronic
□ Mechanical □ Computer
□ Biological □ Human
Type of Nature of
Operation □ Transportation Hazard □ Reactivity
□ Fixed facility □ Temporary □ Toxicity □ Radioactivity
□ Permanent □ Batch/Semi-batch □ Flammability □ Other
□ Continuous □ Explosivity
Situation/Accident/Event of Concern
□ Single failure □ Loss of function □ Procedure
□ Multiple failure □ Process upset □ Software
□ Simple loss of containment □ Hardware □ Human
CONSIDER PERCEIVED RISK AND EXPERIENCE

Length of Experience Accident Experience Relevance of Experience Perceived Risk
□ Long □ Current □ No changes □ High
□ Short □ Many □ Few changes □ Medium
□ None □ Few □ Many changes □ Low
□ Only with □ None
similar process
CONSIDER RESOURCES AND PREFERENCES

□ Availability of Skilled Personnel
□ Time Requirements
□ Funding Necessary
□ Analyst/Management Preference
SELECT THE TECHNIQUE

Appendix 5 – Flowcharts for Selecting Hazard Evaluation & Risk

Assessment Technique
Figure A5.1 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique
START
Use Appendix 4 to collect information
YES YES
Is study for regulatory or Is specific methodology Use required
BP purposes? required? methodology
NO
NO
YES
Is this a recurrent
review?
Consider Using and Revalidating Previous Study

NO
Revalidation Requirements
• Is adequate documentation available from

previous study?
• Is it less than 5 years since last study?
IF ALL
• No major process, technology or knowledge
ARE YES
changes since previous study? Previous study may be
• Are hazards associated with the process revalidated
perceived to be low or medium?
• Has industry experience been devoid of
significant incidents?
• No changes that make consequences of
previously identified hazards more severe?
IF ANY ARE NO
Conduct New Study
What type of results
is needed?
Qualitative Quantitative
FOLLOW ONE PATH FOLLOW ONE PATH
HAZARD OPTIONS FOR RISK LIST OF SPECIFIC INCIDENT MEASURE OF LAYOUT / SOCIETAL /
SCREENING OR REDUCTION / SCENARIOS PLUS OPTIONS PROCESS UNIT, FACILITY INDIVIDUAL
HAZARD LIST HSSE FOR RISK REDUCTION / PLANT, SITE OR SITING RISK
IMPROVEMENT HSSE IMPROVEMENT SPU/BU RISK
A E F
B C D

Figure A5.2 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique for
Hazard Screening
HAZARD
SCREENING OR
HAZARD LIST
Consider using HSSE

Review, Checklist, What If,
Risk Ranking or HAZID
Is ranking of
hazardous areas
YES Use Risk Ranking
or processes
required?
NO
Is there a significant YES Is a checklist YES Use Checklist,

experience base available or can HAZID or What If
associated with the one be
process? developed?
NO
NO
Use What If Use HSSE Review,
HAZID or What If

Options for Risk Reduction / HSSE Improvement
OPTIONS FOR RISK

REDUCTION / HSSE
IMPROVEMENT
Consider using HSSE

Review, Checklist or
What If
Is there a significant Consider using What Is a checklist

experience base YES If, HSSE Review or available or can YES Use Checklist or
associated with the Checklist one be What If
process? developed?
NO NO
Use What If Use HSSE Review or

What If

Specific Incident Scenarios plus Options for Risk Reduction / HSSE Improvement
LIST OF SPECIFIC INCIDENT

SCENARIOS PLUS OPTIONS
FOR RISK REDUCTION /
HSSE IMPROVEMENTS
Will results be YES

used as input to Consider using HAZOP,
QRA? FMEA, FT, ET, or HRA
NO
Does the process
Is the process YES include human YES
Consider using What If, operating? Are actions? Are human
HAZOP, FMEA, FT, ET, or Use HRA
procedures errors the greatest
HRA available? concern?
G NO NO
YES
Is detailed design Use HAZOP, FMEA,
information FT or ET
available?
I
NO
STOP
Obtain adequate
information before
performing study

Figure A5.5 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique for a
Measure of Process Unit, Plant, Site or SPU/BU Risk
MEASURE OF PROCESS
UNIT, PLANT, SITE OR
SPU/BU RISK
Consider using HRA, Risk

Matrix, MAR or QRA
Is the process Does the process

operating? Are YES include human YES
procedures interactions? Are Use HRA
available? human errors the
greatest concern?
NO NO
Is detailed design YES Consider using Risk

information available? Matrix, MAR or QRA
NO
Is a high level YES
STOP measure of site or Use MAR*
SPU/BU risk
Obtain adequate sufficient?
information before
performing study
NO
Use Risk Matrix or
QRA
Are equipment
Do you wish to YES failure and event YES Use Risk Matrix
evaluate individual frequency data or QRA
scenarios? available?
NO NO
Use QRA Use Risk Matrix
* Note: MAR studies for Major Projects may be initiated during the Select stage using basic process information to demonstrate
that the selected project will not have issues above the Group Reporting Line (see GP 48-50). This may be confirmed as
increasing information becomes available during detailed design.

Facility Siting and Layout
LAYOUT
Set initial plant and

equipment spacing using
ETP guidance and spacing
tables*?
Use HAZID to identify

fire, explosion, and toxic
hazards
Use Consequence
Analysis to estimate
minimum spacing
NO YES
Implement risk reduction to
prevent hazard or control / Are results acceptable? Evaluate building siting
mitigate consequences?
* Note: Spacing tables are typically based upon fire hazards only

Societal / Individual Risk
SOCIETAL /
INDIVIDUAL RISK
Consider using MAR,

QRA or prescribed
method
Is specific YES
methodology Use prescribed method /
allowed / required look-up table
by regulation?
NO
Are detailed design / YES

operating information Consider using MAR
available? or QRA
NO
YES
Is a high level Use MAR*
STOP measure of risk
sufficient?
Obtain adequate
information before
performing study
NO
Are specific equipment YES

failure and event Use QRA
frequency data
available?
NO
Use MAR*
* Note: MAR studies for Major Projects may be initiated during the Select stage using basic process information to demonstrate
that the selected project will not have issues above the Group Reporting Line (see GP 48-50). This may be confirmed as
increasing information becomes available during detailed design.

Specific Incident Scenarios plus Options for Risk Reduction / Safety
Improvement (cont.)
Consider using What If,

HAZOP, FMEA, ET or HRA
Does the process

Is the process include human
operating? Are YES actions? Are YES
procedures human errors the Use HRA
available? greatest concern?
NO
NO
Is detailed design YES Consider using What If,

information HAZOP, FMEA, FT, or
available? ET
NO H
Is basic process YES

information Use What If
available?
NO
STOP
Obtain adequate
information before
performing study

Specific Incident Scenarios plus Options for Risk Reduction / HSSE Improvement
(cont.)

HAZOP, FMEA, FT or ET
Are incidents
likely to be single
or multiple failure
events?
Single failure Multiple failure
events events
Consider using What If, Consider using HAZID,

HAZOP, or FMEA HAZOP, FMEA, FT or
ET
Is a
YES comprehensive YES Consider using
Is perceived risk Use HAZOP or FMEA list of failure
high? FT or ET
modes required?
NO
NO Is it a mechanical YES Use FT for
or electrical Use FMEA Consider using HAZOP, scenarios, ET for
system? FMEA, or HAZID escalation
HAZOP or FMEA
NO
Is it a mechanical YES
Use HAZOP or electrical Use FMEA
system?
Is it a mechanical YES NO
or electrical Use FMEA
system?
Is process YES
simple / small? Use HAZID
NO
Does the process YES NO

involve a new or Use HAZOP
revised P&ID?
Use HAZOP
NO
Use What If

Specific Incident Scenarios plus Options for Risk Reduction / HSSE
Improvement (cont.)
Consider using HAZOP,

FMEA, FT or ET
Are incidents
likely to be single
or multiple failure
events?
Single Failure Events Multiple Failure Events
Consider using HAZOP

Consider using FT or ET
or FMEA
Is it a mechanical YES Use FT for

or electrical Use FMEA scenarios, ET for
system? escalation
NO
Use HAZOP

Facility Siting and Layout (cont.)
FACILITY /
BUILDING SITING
Consider using Screening,

Consequence Analysis
Could potential YES

explosions, fires and Use Screening or
toxic releases impact remove hazard
buildings?
NO
Is the building YES Does the building YES
No further action occupied or provides comply with No further action
required essential function? design/spacing required
criteria?
NO NO
No further action Use Consequence

required Analysis, remove hazard or
move occupants
Note: Further guidance on methodologies for occupied buildings is available from the following ETPs GP 04-30/31/32.

Appendix 6 – Fact sheets for Hazard Evaluation and Risk

Described in the following pages are techniques for (i) hazard identification to meet
different hazard evaluation objectives, and (ii) risk assessment to evaluate the likelihood
of occurrence, suitable for a range of project and operational environments.

1. HAZARD EVALUATION TECHNIQUES
1.1 (a) HSSE Review
Title HSSE Review
Description A HSSE review is generally an unstructured brainstorming approach in which a group of

personnel consider potential health, safety, security and/or environmental problems. HSSE
Reviews may be comprised of interviews, document reviews and/or site inspections. They
are generally reactive, similar to audits, rather than proactive. HSSE review results are
qualitative descriptions of potential HSSE problems and suggested corrective actions.
Health Map is a combination of HSSE review (brainstorming) with the facilitator using a
checklist. Human Factors Expert Analysis is a form of HSSE Review (brainstorming).
Purpose/ Identification of plant conditions or operating practices that could lead to an incident and
Application result in injuries, property damage, or environmental impacts. HSSE Reviews can be used
at any stage of the life cycle of a facility. Projects and Operations may use HSSE Reviews
in combination with other hazard evaluation and risk assessment methodologies.
Rating Skill – low Cost – low

Sophistication – low Value – medium
Strengths The HSSE Review technique is the simplest hazard evaluation methodology used.
Weaknesses Lack of structure can result in variable outcomes, and review results are highly dependent
upon the experience and objectivity of the personnel involved.
Resources HSSE reviews may be conducted by any number of team members, but in excess of six
members may become inefficient. The time needed is dependent on the process
complexity.
Information For facilities that are being designed, a project team might review a set of drawings looking
Requirements for potential HSSE and/or process safety issues. When performed on existing facilities, the
HSSE Review typically also involves a walk-through inspection that can vary from an
informal, routine visual examination to a more formal team inspection that takes several
days or weeks.
References CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 4, Non-
Scenario-Based Hazard Evaluation Procedures)
See (b) Project HSSE Review below for a more structured form of HSSE Review.
See (c) Pre-Start-up Safety Review below.
Best Practices: none identified

(b) Project HSSE Review
Title Project HSSE Review
Description Project HSSE Review (PHSSER) is a more structured form of HSSE Review which is
required in certain situations under Group Defined Practice 48-01, and which may be used
to satisfy the requirements of Getting HSE Right and the IM Standard. PHSSERs are an
essential element of a major project’s HSSE Plan. PHSSER Reports are an important
element of the Decision Support Packages required at each gate of the Capital Value
Process. PHSSERs heighten the awareness of HSSE risks and help make HSSE an integral
part of the gated decision and approval processes for projects within CVP.
Purpose/ The overall objective of the PHSSER process is to assure the client BP Entity that HSSE-
Application sensitive areas have been identified and that the appropriate project, engineering and
operational systems have been or will be developed to manage the identified risks.
Assurance is provided by reviewing proposals at various key stages in their development.
Projects should embed HSSE principles of this GP throughout project design and execution
to enhance HSSE performance of the project and its subsequent operation and enable
HSSE risks to be resolved at the most effective point in a project’s lifecycle.
Rating Skill – low Cost – medium

Sophistication – low Value – high
Strengths The PHSSER is a relatively simple review process that leverages the experience of the
team to provide guidance to the Capital Project team.
Weaknesses The review results are highly dependent upon the experience, objectivity and independence
of the personnel involved. The volume of project data for review may be large for the team
size and time available.
Resources PHSSER teams are comprised of personnel from the Segment, outside contractors, and
other persons identified in GP 48-01. PHSSER Team leaders must be on BP’s list of trained
and competent PHSSER Team Leaders. The time needed to complete a PHSSER is
dependent on the process complexity.
Information Project data as available for the CVP stage of the project. This may include design basis
Requirements memorandum, P&IDs, PFDs, process hazards analysis studies, and other HSSE and
process safety related information.
References GP 48-01 Group Practice for HSSE Review of Projects (Group Defined Engineering
Technical Practice)
Training: Project HSSE Review for Team Leaders (2 days)
Overview of Project HSSE Review (PHSSER) Process (½ day)
NOTE: There may be some overlap between the recommendations in this practice, and
requirements in the Group Defined Practice on PHSSER. The Group Defined practice
should be consulted whenever consideration is given to whether a PHSSER study is
needed.

(c) PreStart-up Safety Review
Title Pre-Start-up Safety Review (PSSR)
Description A Pre-Start-up Safety Review is a special type of HSSE review conducted prior to start-up of
a facility. Most PSSRs are conducted by a team comprising operations and engineering
personnel, who use a checklist of issues to consider, including:
Design documentation is complete and up to date, e.g. as-built P&IDs
Safety, environmental, operating, maintenance, and emergency procedures are
complete
Safe work practices are in place
All MOC issues are addressed
All hazard analysis recommendations have been implemented.
Operators are trained on new procedures and equipment.
All work is completed according to specifications.
Mechanical completion review
Purpose/ To ensure that all design, construction, safety, documentation, and environmental issues
Application have been addressed and satisfactorily closed out prior to start-up. PSSR should be used
for start-up of existing facilities following shutdown as well as new facility designs or
modifications. Some PSSRs may be relatively simple depending on the scope of the facility
and/or change. Other PSSRs may be very complex and may take place in stages with
multiple teams.

Strengths Can reduce likelihood of costly accidents and delays that occur at start-up.
Weaknesses Highly dependent upon the experience of the team and the time available to conduct the
PSSR.
Resources Detailed written procedures which includes definition of scope, requirements of program,
descriptions of any changes, up to date P&IDs, equipment specifications and operating
procedures.
Information Mechanical and process design information

Requirements PHA documentation
MOC documentation
References CCPS, Guidelines for Performing Effective Pre-Start-up Safety Reviews, 2007
CCPS, Guidelines for Risk Based Process Safety, 2007 (Chapter 16, Operational Readiness)
Training:

1.2 Task Risk Assessment
Title Task Risk Assessment (TRA)
Description Task Risk Assessment (a.k.a. Job Safety Analysis (JSA)), is an integral part of a ‚Control of
Work‛ process, which involves members of the BP Workforce, including contractors,
identifying possible hazards in work execution not associated with normal operations,
considering their potential risks (probability and severity), and stipulating the various control
measures that need to be implemented. This normally involves issuance of a Permit to
Work. In some cases, routine ‘low risk’ activities may be covered by a formal procedure
that has been previously subjected to a task risk assessment.
Purpose/ The purpose of a TRA is to identify hazards, likelihood of those hazards being realized and
Application the appropriate controls and mitigation needed to ensure that the work can be completed
safely.
Rating Skill - low Cost – low

Strengths TRA is a basic of hazard evaluation and risk assessment methodologies. The involvement
of every individual on the work crew builds ownership and makes this a powerful technique
for understanding the risks inherent in the task.
Weaknesses The technique relies upon the work crew having the requisite knowledge and hazard
identification skills.
Resources Operations and all personnel involved in performing the task should participate in the Task
Risk Assessment. Sometimes other maintenance and HSSE personnel may participate.
Information A good description of the task and the tools to be used.

Requirements
References Control of Work (CoW) Standard,

Operating Practice for Hazard Identification and Task Risk Assessment (draft)
Training:

1.3 Process Hazard Analysis (PHA)
Title Process Hazard Analysis (PHA)
Description PHA is a generic title used by OSHA in the USA for various hazard evaluation
methodologies. These hazard evaluation methodologies range from simple checklists to
What-If and HAZOP. See the appropriate technique page for further information.
Purpose/ PHA’s are techniques used to identify potential hazards, their causes, and their
Application consequences and evaluate the effectiveness of safeguards in process plants.
Rating Skill – vary by the PHA technique used Cost – vary by the PHA technique used
Sophistication – vary by the PHA technique used Value – vary by the PHA technique used
Strengths The various PHA techniques provide a range of methodologies, one of which will be
suitable for most circumstances.
Weaknesses Some PHA techniques are relatively unstructured or rely upon previously compiled lists of
hazards, which are then dependent on past experience and can result in some hazards
being missed. PHA techniques are essentially qualitative, and do not provide a detailed
quantitative understanding of the hazards.
Resources PHA’s are carried out by a team of competent engineers from a mixture of disciplines,
including someone knowledgeable in the process being analysed, and are led by a person
who is experienced in the specific PHA technique used.
Information Data requirement vary by the PHA technique used.

Requirements
References CCPS, Guidelines for Risk Based Process Safety, 2007 (Chapter 8, Hazard Identification and
Risk Analysis)
CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 5, Scenario-
Based Hazard Evaluation Procedures)
Training:
Best Practices:

1.4 Checklists
Title Checklists
Description A Checklist Analysis uses a written list of items or procedural steps to identify potential
hazards or verify the status of a system. Traditional checklists vary widely in level of detail
and are frequently used to indicate compliance with standards and practices. The results
from checklist analysis are qualitative in nature, and invariably contain ‚yes‛, ‚no‛, ‚not
applicable‛, or ‚needs more information‛ answers to the items.
Human Factors Maturity Checklist is an example of a Checklist.
Purpose/ Checklists are used to identify hazards, plant conditions or operating practices that could
Application lead to an incident and result in injuries, environmental impacts, or property damage.
Checklists may also be used to identify hazards and evaluate the effectiveness of
safeguards in non-process designs. They may be applied at any stage of the life cycle of a
facility. Checklists may be used in combination with other hazard evaluation and risk
assessment methodologies.

Sophistication – low Value – low/medium
Strengths Checklists are simple and easy to use. Detailed checklists provide a basis for consistent
evaluation of hazards.
Weaknesses Checklists are only as good as the original compilation of items on the list. Some hazards
may be missed based on the experience of the person(s) compiling the checklist.
Checklists should not be used as an alternative for techniques such as HAZOP.
Resources Primatech’s ‚PHAWorks‛ software contains example checklists.
Information As much detail as possible on the process to be evaluated.

Requirements
‚PHAWorks‛ by Primatech
Training:
Best Practices:

1.5 HAZID
Title Hazard Identification (HAZID)
Description HAZID studies are very broad in their scope, addressing site selection, facility design,
infrastructure and logistical elements. Each area of the installation is considered against a
checklist of hazards. Where it is agreed that a hazard exists in a particular area, the risk
presented by the hazard is considered, and all possible means of either eliminating the
hazard or controlling the risk and/or the necessity for further study are noted on a HAZID
worksheet. Actions are assigned to either discipline groups or individuals to ensure the
mitigating control, or further study is completed. More hazards should be added at the
discretion of the Study Leader if the lists do not cover all the potential hazards on the
installation under review. The HAZID is sometimes called a Preliminary Hazard Analysis.
Health Risk Assessment (HRA), a.k.a. Chemicals Health Risk Assessment, is a form of
HAZID addressing chemicals and their properties, qualitative or quantitative assessment of
exposure, and comparison to exposure limits. An Environmental Aspects Analysis is also a
form of HAZID.
Purpose/ HAZID seeks to identify all reasonably possible sources of hazard to the facility by
Application examining each area / module / system in turn. They should initially be conducted during
the concept and front-end engineering stages, with the emphasis on the major hazards,
before detailed engineering design has begun. HAZID may be utilized in other phases of a
facility's operation to provide an initial screening of the hazards. The HAZID will support
pursuit of an inherently safer design.
Rating Skill – medium Cost – low

Strengths HAZID is very flexible and allows analysis with incomplete or basic information. It provides
general, non-detailed recommendations. It is a valuable means to provide an overview of
hazards on which future HSSE plans may be based. It will aid in identifying hazards early
thus averting potential cost and schedule impacts from hazards discovered later in project
development.
Weaknesses The study success is highly dependent on the experience of the team members
Resources The HAZID study is carried out by a team of competent engineers from a mixture of
disciplines and is led by a person who is experienced in the HAZID technique. A HAZID
may take from 1 day to 1 week, typically, depending on the size of the facility.
Information Data requirements include project data available at the time which may include layout,
Requirements design criteria, equipment and material specifications, and other similar preliminary/basic
design information. The value of the HAZID is in very early identification of potential issues;
hence the study should be driven by timing and not by data availability. Some HAZIDs may
be performed with just one or two pieces of project data but provide great value in
identifying an inherently safer path forward.
References CCPS, Guidelines for Risk Based Process Safety, 2007 (Chapter 8, Hazard Identification
and Risk Analysis)
rd
CCPS, Guidelines for Hazard Evaluation Procedures, 3 Edition, 2008 (Chapter 4, Non-
Best Practice: DW GoM STP GP 48-0201, Guidance on Practice for Hazard Identification
(HAZID) Study
Training:
Software: Primatech PHAWorks or Dyadem PHAPro (both under BP corporate license.)

1.6 What If Study
Title What If Study
Description The What If technique is a brainstorming approach in which a small multi-disciplinary team
of experienced personnel familiar with the subject ask questions or voice concerns about
possible undesired events. The level of analysis depends on the detail of the design
documents and questions posed during the study. What If questions are applied to identify
potential hazards, their consequences, safeguards provided, and recommendations (if
necessary). These questions may be developed before or during the What If Analysis. The
results of the study are qualitative, varying from a simple list of questions and answers to
tables of hazards, consequences, safeguards, and potential options for risk reduction.
What If may be combined with checklists in a hybrid methodology that combines the
creative, brainstorming features of What If with the systematic features of checklists,
which may partially compensate for the individual shortcomings of the separate techniques.
Purpose/ What If analysis may be used to identify potential process, design or operational hazards in
Application a structured manner. What If studies may be used to identify hazards and evaluate the
effectiveness of safeguards in MOC and other ‘low risk’ activities, such as non-process
designs. The technique is particularly suited to addressing organisational MOC.
What If studies may be applied to any stage of the life cycle of a facility. For new projects,
What If is generally applied during the design engineering when the P&ID’s are in
development. For existing facilities, this analysis may be used to identify where further risk
analysis may be warranted. They may be used in a detailed, structured manner similar to a
HAZOP or an overview manner similar to a HAZID, depending on the objective.
Rating Skill – medium Cost – medium

Sophistication – medium Value – high
Strengths What If is an excellent forum for operations personnel to have meaningful input, as the
process encourages much of the design intention to be revealed. Its greatest strength is
the flexibility to allow use mid-stream in a project detailed design when there is opportunity
to catch potential hazards and still time in the project to address them.
Weaknesses What If studies are not as structured as some other hazard evaluation methodologies, such
as HAZOP and FMEA and thus may not yield as thorough of a review. What if studies
should not be used as an alternative for the HAZOP technique.
The success of the technique depends upon the competency of the analyst, who adapts
the basic technique to the specific application.
Flexibility in detail and structure may lead to misunderstandings as to the level of detail
appropriate. Inexperienced and/or inappropriate selection of team members may result in
incomplete results, and more recommendations due to inability to understand the process
and/or make plant decisions.
Resources Three to five team members including process, operations, process safety, and a scribe.
The time needed is dependent on the process complexity but will generally take more time
than a HAZID and less time than a HAZOP of the same facility.
Information Process/project design criteria, equipment specifications, material specifications, P&ID’s

Requirements and other similar engineering design information.
References CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 5, Scenario-
Software: Primatech PHAWorks and Dyadem PHAPro (both are under BP corporate license)
Training:

1.7 HAZOP
Title Hazard and Operability Study (HAZOP)
HAZOP is a formal, rigorous, systematic study that is guideword driven. An experienced

Description
team leader guides a multi-discipline team through the design using P&ID’s, vessel by
vessel, line by line, by reviewing process parameters (e.g. flow, temperature, pressure,
etc.) to identify a series of deviations from the design intent for normal operating
conditions, e.g. more flow, no flow, reverse flow, etc.. The possible causes of such
deviations are then listed together with the consequences. These are compared with
existing safeguards built into the design. Where these are found to be insufficient, a
recommendation is generated to modify the design or develop appropriate operating
procedures. The team agrees on possible causes of the deviations (e.g., an operator
erroneously shuts off a pump that is part of a vessel cooling circuit) and the consequences
(e.g., vessel overpressure). Meaningful causes and consequences are recorded, applicable
safeguards are noted and any appropriate recommendations made. The HAZOP technique
is often combined with a checklist to evaluate other considerations such as maintainability,
human factors, start-up, shutdown, etc.
Environmental Hazard Review is a form of HAZOP/Checklist with a special list of
guidewords for environmental issues, and recommendations are plotted on a Risk Matrix.
HAZOP is a technique used to identify hazards and their safeguards in process designs, and
Purpose/ to identify major operability problems which, although not hazardous, could compromise
Application the plant’s ability to achieve design productivity.
GP 48-02 identifies certain situations that require a HAZOP. In other situations, HAZOP
should be used to evaluate the risks of a new project, and the HAZOP technique is best
applied during detailed engineering after the P&ID’s have been developed and undergone a
formal review. For existing facilities, HAZOPs should be performed as required by the
Company or a regulatory authority. The technique may be applied to continuous and batch
processes, and can be adapted to evaluate written operating procedures.
Skill – medium Cost – high
Rating
The HAZOP technique is an extremely powerful technique leveraging the skills and
Strengths experience of a multi-disciplinary team. It is very structured, ensuring that the small but
important details are not missed. It is an excellent forum for the operations personnel to
have a meaningful input as the process encourages much of the design intention to be
revealed. It should be used as the preferred technique to identify hazards when new or
revised P&ID’s are produced.
If conducted with incomplete information or on a design that is not fixed, the study may take longer
Weaknesses and result in a greater number of recommendations. Poor commitment from the team may increase
the time needed to complete the study. Selection of inexperienced or inappropriate team members
may result in a lower quality study, and in incomplete or more recommendations due to inability to
understand the process and/or make plant decisions. The use of HAZOP is not appropriate to address
spatial characteristics of a facility such as plant layout and their resultant effects.
For HAZOP studies, five to seven team members are generally required including process, operations,
Resources maintenance, instrumentation, process safety, and a scribe. The time needed is dependent on
complexity of the process. In general, a typical refinery process unit will require two to four weeks.
Ideally two sessions are held per day for no more than a total of 6 hours. Team members and their
supervisors must be aware of the commitment necessary for effectiveness. Team members must be
available for all sessions. Additional team leader time must be allowed for planning, team coordination,
and documentation.
Up-to-date P&ID's, detailed project design criteria, equipment specifications, material

Information
specifications, and other similar engineering design information.
Requirements
ETP GP 48-02 Hazard and Operability (HAZOP) Study
References
CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 5)
CCPS, Guidelines for Risk Based Process Safety, 2007 (Chapter 8)
Training: HAZOP Team Leader Training offered by Primatech, ABB and others.
Best Practices:
Software Primatech PHAWorks or Dyadem PHAPro available under BP license.
NOTE: There may be some overlap between the recommendations in this practice, and requirements
in the Group Defined Practice on HAZOP. The Group Defined practice should be consulted whenever
consideration is given to whether a HAZOP study is needed.

1.8 MAHA
Title Major Accident Hazard Analysis (MAHA)
Description MAHA is the identification and assessment of material properties, system elements or
events that could lead to major accidents, i.e. the death of 3 or more people, long term or
widespread damage to the environment, and/or property damage or business interruption in
excess of US $10M. It may include a qualitative or semi-quantitative judgement of the
likelihood and consequences from the event or incident, expressed in terms of a Major
Hazard Risk Matrix. Individual hazards in the yellow and red boxes represent levels of risk
requiring actions to reduce the risks.
The identification step may be performed alone as a Major Accident Hazard Identification
(MAHID). The MAHID is similar in approach to a conventional HAZID, except that it
concentrates on major accidents hazards, considers all aspects of the business (not just
process operations), and adopts a ‚what if‛ approach to identify the major accident
hazards. The MAHA then assesses and assigns a qualitative risk ranking to each major
accident hazard cause identified or identifies the need for further study (such as
consequence analysis or QRA) needed to assign a risk ranking.
Purpose/ Major Accident Hazard Assessment (MAHA) is a technique for the evaluation of major
Application hazards. This methodology pre-dated the Major Accident Risk methodology within the IM
Standard, and is still used by some BU’s.

Strengths MAHA is a valuable means to provide an overview of major accident hazards on which
future HSSE plans for risk reduction may be based. It is particularly effective for existing
facilities where there is already a detailed wealth of knowledge about the facility, residing in
the minds of operations, maintenance and support personnel.
Weaknesses Because this is a ‚creative‛ exercise, the behaviour of team members and their ability or
inability to work together can have a significant impact on the quality of the study. Poor
commitment from the team may increase the time needed to complete the study.
Inappropriate selection of team members may result in a lower quality study, and more
recommendations due to inability to understand the process and/or make plant decisions.
Lack of experience may result in major accident hazards being overlooked.
Resources The MAHA (or MAHID) study is carried out by a team of competent engineers from a
mixture of disciplines and is led by a person who is experienced in the MAHA technique.
Information Initial data requirements rely on the knowledge of experienced operations, maintenance
Requirements and support personnel. Subsequently more specific layout, design criteria, equipment and
material specifications, and other basic design information may be needed.
References Training:
Best Practices: BPTT Major Accident Hazard Management System (MAHMS) Reference
Manual, rev2

1.9 Relative Ranking/Risk Ranking
Title Relative Ranking / Risk Ranking
Description Relative Ranking is an analysis strategy rather than a single, well-defined analysis method.
This strategy allows hazard analysts to compare the attributes of several processes or
activities to determine whether they possess hazardous characteristics that are significant
enough to warrant further study. Most relative ranking tools employ a checklist approach
where scores are attributed to the individual items on the list. Some items are weighted
more heavily than others with larger scores.
Purpose/ Relative Ranking can be used to compare several process designs, or equipment layout
Application options, and provide information concerning which alternative appears to be the ‚best‛, or
least hazardous, option. Relative Ranking may also be used to compare safety measures to
identify the most advantageous risk reduction option. Relative Ranking studies should
normally be performed early in the life of a project or MOC, before the detailed design is
completed. Several Relative Ranking methods are used within the industry, e.g. the Dow
Fire and Explosion Index (fire and explosion hazards), and ICI Mond Index (chemical and
toxic hazards as well as fire/explosion). Insurance companies also use tools, such as
Instantaneous Fractional Annual Loss (IFAL), to evaluate the effect of process changes on
predicted losses from an insured facility. Government agencies use ranking tools to
determine facilities and process substances worthy of special regulatory effort.

Strengths Simple straightforward tool that provides rapid ranking or screening of conceptual options
for a new facility.
Weaknesses The tools are not flexible, and rely heavily upon the appropriateness of the original
weighting of items on the checklist.
Resources Relative ranking tools may be used by a single person or team who understand the options
for the conceptual design or safety/risk reduction measures being considered.
Information A clear understanding of the options for the conceptual design or safety/risk reduction
Requirements measures being considered.
AIChE, Dow’s Fire and Explosion Index Hazard Classification Guide, 7th Edition, 1994
Training:
Best Practices:

1.10 FMEA
Title Failure Modes and Effects Analysis (FMEA)
Description FMEA identifies single failure modes of equipment and their effects on a system or facility.
The failure mode describes how the equipment fails (open, closed, on, off, leaks, etc.). The
effect of the failure mode is determined by the system’s response to the equipment failure.
An FMEA identifies single failure modes that either directly result in or contribute
significantly to an accident. Human operator errors are usually not examined directly in an
FMEA; however, the effects of a mis-operation as a result of human error are usually
indicated by an equipment failure mode. The qualitative results are normally documented in
a table with columns for equipment, failure modes, and effects.
Purpose/ To identify equipment and system failure modes and the potential effects of each failure
Application mode on the system or facility.
This technique should be used to analyze equipment packages such as compressors,
generators, pumps, etc. and or simple systems, and may be applied at detailed design or
the operating stage of existing facilities.

Strengths FMEA employs a structured evaluation of individual components to assess the effects of
their failures on systems or sub-systems. The emphasis is on the hardware aspects of a
system, how it can fail, and the effects of each specific failure mode. It is a qualitative,
inductive approach that is easy to apply even to moderately complex systems, such as
electrical or hydraulic systems. This analysis typically generates recommendations for
increasing equipment reliability, thus improving process safety.
Weaknesses Not efficient for identifying an exhaustive list of combinations of equipment failures.
Not appropriate for analysis of multiple failures.
Not appropriate for analysis of highly complex systems.
Resources Can be conducted by one analyst or a team. Time and staff requirements depend on the
size and level of complexity of the equipment or system being analyzed.
Information Requires up to date P&IDs, equipment specifications, knowledge of failure modes of

Requirements equipment and how these failure modes will impact the entire system.
References CCPS, Guidelines for Risk Based Process Safety, 2007 (Chapter 8, Hazard Identification and
Risk Analysis)
CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 5, Scenario-
Training:
Best Practices:

1.11 Consequence Analysis
Title Consequence Analysis
Description Consequence analysis uses mathematical models of discharge, dispersion, fire and
explosion to predict toxic and flammable effects.
Chemicals modelled may be pure or a mixture of chemicals. Discharge models may be
from pipeline or vessel, leaks or ruptures. Weather parameters may be changed to affect
the dispersion. Fire effects modelled include fireball, BLEVE, pool fire, jet fire, and flash
fire. Explosions may be modelled using the, TNO or FLACs methods.
Purpose/ Consequence analysis enables the calculation of an estimation of the consequences of an

Application accidental atmospheric release of toxic or flammable chemicals. It may be used at any
time during a plant design or operation to quantify the potential consequences of a
flammable or toxic release. This may be in support of hazard analysis, siting of new
equipment/buildings, as part of a quantitative risk assessment.
Rating Skill – High Cost – Medium

Sophistication – High Value – High
Strengths Consequence analysis models provide a quantitative analysis method.
Weaknesses Software models for consequence analysis can be relatively easy to input data and get data
out and may offer a false sense of accuracy in results. Accurate use of the models is
dependent on user competency in the areas of scenario development, parameter settings,
and result interpretation.
Resources Technical expertise in the areas of release, vapour dispersion and fire/explosion modelling
Information The data is taken from plant PFD’s and P&ID’s including process composition, operating
Requirements temperature and pressure, unit layout, piping and vessel data, and process flow data. A site
visit provides layout data.
References CCPS, Guidelines for Evaluating the Characteristics of Vapour Cloud Explosions, Flash Fires,
and BLEVE’s, 1994
CCPS, Guidelines for Use of Vapour Cloud Dispersion Models, 2nd Edition, 1996
CCPS, Guidelines for Consequence Analysis of Chemical Releases, 1999
Software: BP Cirrus suite and manual
Training: Available from Process Safety Engineering, Group Safety & Operations
Best Practices:

1.12 Fault Tree
Title Fault Tree Analysis (FTA)
Description Fault Tree Analysis is a deductive technique that focuses on one particular incident or
primary system failure as a top event. It then works backward to determine causes and
combinations of causes that lead to that event. The fault tree provides a graphical model
that displays the various combinations of equipment failures and human errors that can
result in the top event.
Cause and Consequence Analysis is a form of Fault Tree and Event Tree.
Purpose/ FTA identifies combinations of equipment failures and human errors that can lead to an
Application incident.
Fault trees are used when other types of hazard identification or analysis have identified a
potential incident or system failure scenario that requires a more detailed analysis. It can
be used to quantify the probabilities of an incident or primary system failure occurring. FTA
may be used in incident investigations to compliment BP’s Comprehensive List of Causes
(CLC) methodology. Fault Trees may also be used in combination with other hazard
evaluation and risk assessment methodologies.
Rating Skill – high Cost – medium

Sophistication – high Value – medium
Strengths The strength of FTA as a qualitative tool is the ability to identify combinations of potential
equipment failures and human errors that can lead to an incident. It provides a high degree
of detail and is well suited to the analysis of highly redundant systems with multiple trains
and controls.
FTA may also be used as a quantitative tool within risk assessment techniques, such as
QRA and Reliability Analysis, to identify risk reduction measures focused on causes with
the highest probabilities of occurrence.
Weaknesses Inexperienced analysts may struggle to develop the correct logic and may use data that is
not statistically significant.
For systems vulnerable to single point or common cause failures that can lead to incidents,
it is better to use single failure oriented techniques, such as FMEA and HAZOP.
Resources Time and staff requirements depend on the size and level of complexity of the top event
and the required level of detail and quantification. FTA requires a skilled analyst
experienced in the development of fault trees and participants who are very knowledgeable
in the subject systems.
Information If the fault tree is to be quantified, it will require the use of databases for failure rates and
Requirements incident probabilities.
CCPS, Guidelines for Chemical Process Quantitative Risk Analysis, 2nd edition, 2000
Training:
Best Practices:

1.13 Event Trees
Title Event Tree Analysis (ETA)
Description An event tree graphically shows the possible outcomes of one particular initiating event,
such as specific equipment failure, releases, or human error, and provides a method for
determining the possible outcomes of that event. ETA addresses the responses of safety
systems and operators to the initiating event when determining the accident’s potential
outcome. The qualitative results are incident scenario sequences or sets of failures or
errors that lead to an accident. Event tree models are presented with the safety system
successes and failures that lead to each defined outcome, and are used to identify design
and procedural weaknesses worthy of recommendations for reducing the likelihood and/or
consequences of the potential incidents.
Cause and Consequence Analysis is a form of Fault Tree and Event Tree.
Purpose/ To identify potential incident outcomes that can occur, typically as a result of a loss of
Application containment, in terms of the sequence of events (successes or failures of safety functions)
that follow an initiating event. Identify potential consequences of specific initiating events
in processes that have several layers of safety systems or emergency procedures.
ETA may be used for new or operating equipment, and may be used in incident
investigations to compliment BP’s Comprehensive List of Causes (CLC) methodology.
Event Trees may also be used in combination with other hazard evaluation and risk
assessment methodologies.

Strengths ETA is useful for analysing complex processes that have several layers of protection or
emergency procedures in place to respond to specific initiating events. It is relatively easy
to apply, especially through pre-defined scenarios. It may also be used as a quantitative
tool within risk assessment techniques, such as QRA.
ETA may be combined with FTA to display the relationships between incident outcomes
and their basic causes. This is sometimes known as Cause-Consequence Analysis.
Weaknesses A skilled analyst is needed to develop a good understanding of hazardous scenarios from
loss of containment through all possible consequences to impacts on people, property and
environment. An inexperienced analyst may include inappropriate outcomes.
Resources Knowledge of the site and subject matter under review; understanding of hazards and their
potential consequences.
Information If the event tree is to be quantified, failure rate and incident probability data will be needed.
Requirements
CCPS, Guidelines for Chemical Process Quantitative Risk Analysis, 2nd edition, 2000
Training:
Best Practices:

1.14 Human Reliability Analysis
Title Human Reliability Analysis (HRA)
Description Human Reliability Analysis (HRA) is a generic title for several hazard evaluation
methodologies that focus on the performance of personnel (operators, technicians,
supervisors, etc.). Most HRA techniques systematically document the errors likely to be
encountered during normal or emergency operation, factors contributing to these errors,
and proposed system modifications to reduce the likelihood of the errors. The results are
usually qualitative, but may be quantified.
Human Factors Expert Analysis is a form of HSSE Review/Brainstorming, and sometimes
Human Reliability Analysis.
Purpose/ HRA is used to identify potential human errors and their effects, or to identify the
Application underlying causes of human errors.
HRA methodologies may be used in incident investigations to compliment BP’s
Comprehensive List of Causes (CLC) methodology. HRA may be used in combination with
other hazard evaluation and risk assessment methodologies.

Sophistication – high Value – medium
Strengths There are a variety of HRA methodologies for addressing human factors, and identifying
error-likely situations that can cause or lead to incidents.
Weaknesses HRA has been used extensively in the nuclear and aviation industries and to a lesser degree
in oil and gas. As a result there is limited experience and understanding in the selection
and application of the variety of methodologies.
Resources Requires a skilled human factors analyst experienced in the specific HRA methodology and
participants who are knowledgeable in the work practices. Analyst requires experience of
interviewing techniques.
Information Plant procedures, plant layout, task and work practices, control panel design, alarm system
Requirements design, employee interviews.
References CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 9,
Extensions and Special Applications)
Training:
Best Practices:

1.15 Bow Tie Analysis
Title Bow Tie Analysis
Description Bow Tie Analysis is a combination of two other techniques, fault tree analysis and event
tree analysis, with the fault tree on the left hand side, the hazard in the middle, and the
event tree on the right hand side. The Bow Tie diagram, comprised of the trees, can be
used to indicate preventive, controlling, and mitigating barriers that may impact the incident
and its consequences. From this point, means to ensure the integrity of each barrier can
be discussed along with the job role responsible for that barrier
Purpose/ Bow Tie is applicable to all potential hazards. It can be used to describe the means to
Application prevent a potential hazard and the controls and mitigation should it occur. This Bow Tie
diagram is particularly useful in communicating hazards and how they are managed.

Strengths The bowtie is a structured method to assess risk where a qualitative approach may not be
possible or desirable. It is a combination of two easily understood techniques and is
relatively simple for a diverse team to understand and support
It is a very effective tool for use in hazard and risk communication. The clear linkage
between barriers and job roles aids in the understanding of one’s role in hazard
management.
Weaknesses The analysis success is dependent on the experience of the team and the facilitator.
Inexperienced analysts may struggle to develop the correct logic and may use data that is
not statistically significant.
Resources A Bow Tie analysis is typically conducted by a multidisciplinary team. Bow Tie analyses are
typically conducted on the highest ranked risks from a HAZOP or a risk register. Time
requirements are typically 2 - 4 hours per hazard.
Information Data describing the process or installation. Previous process hazard analysis (PHA) studies
Requirements and LOPA will facilitate the Bow Tie development.
Software: Risktec BowTie XP , and ABS Consulting THESIS BowTie
Training: Available from Risktec
Best Practices:

2. RISK ASSESSMENT
2.1 Risk Matrix
Title Risk Matrix
Description The combination of the potential consequences of a particular hazard and the likelihood that
those consequences will occur are presented in matrix format as an estimate of the risk
imposed by the hazard. The consequences may include any or all of potential property
damage, environmental impact, injury/health effects, downtime, and public concern.
The axes of the matrix are consequence and likelihood and may be numerical ranges
(orders of magnitude) or qualitative. The risk squares are frequently colour coded into
several levels of risk.
Purpose/ Risk matrices are often used as a semi-quantitative tool for risk ranking a range of potential
Application hazard scenarios from occupational to major accidents. They are used to rank potential
risks, qualitatively, for the purpose of prioritizing risk management activities.
The risk matrix may be used to prioritize PHA and other process safety recommendations.
It is a screening level tool. It is frequently incorporated in PHA sessions such that the
recommendations may be prioritized based on the risk of the hazard they address.
The risk matrix for use in BP is provided in the Group Defined Operating Practice on
Assessment and Prioritization and Management of Risk.

Strengths The risk matrix provides an efficient method to prioritize risk management activities and a
very effective tool to communicate relative risks of various scenarios.
Weaknesses Matrices can be misinterpreted and misused. They are a screening level tool that is
qualitative and subjective. The consequences are usually well-understood and predictable,
but the treatment of probabilities is often more subjective and open to interpretation.
Numerous matrices with different axes have been developed and used over the years,
creating confusion and making comparisons difficult.
Resources A cross-section of disciplines with a general understanding of hazards and their potential
consequences and likelihood.
Information A list of identified hazards.

Requirements
References GDP 31-00-01 Group Defined Operating Practice Assessment and Prioritization and
Management of Risk
Training:
Best Practices:
requirements in the Group Defined Practice on Assessment and Prioritization and
Management of Risk. The Group Defined practice should be consulted whenever
consideration is given to whether a risk matrix is needed.

2.2 LOPA
Title Layer of Protection Analysis (LOPA)
Description LOPA is a semi-quantitative risk assessment technique that uses order of magnitude
categories for initiating event frequency, consequence severity, and the likelihood of failure
of independent protection layers (IPL’s) to approximate the risk of an incident scenario. The
team identifies the independent protection layers and assigns risk reduction credits to each
layer, depending on different criteria.
Purpose/ LOPA is used to evaluate the effectiveness and independence of safety measures,
Application especially protective systems. Safety Integrity Levels (SIL) may be determined using the
LOPA technique.

Strengths LOPA is a powerful technique that may be used to provide a higher level of review than
HAZOP for potential scenarios that can result in single or multiple fatalities to ensure that
adequate protection with sufficient availability is in place to reduce the risk. The technique
provides a more quantitative review of the hazards and associated safeguards or layers of
protections. It can be used to assist the determination of SIL, and may also be combined
with HAZOP to evaluate the safeguards identified in the HAZOP.
Weaknesses If conducted with incomplete information or on a design that is not fixed, the study may
take longer and result in a greater number of recommendations. Poor team commitment
may increase the time needed to complete the study. Inexperienced or inappropriate
selection of team members may result in a lower quality study, and in incomplete or more
recommendations due to inability to understand the process and/or make plant decisions.
Resources Like HAZOP, LOPA is best performed by a team of five to seven members including
process, operations, maintenance, instrumentation, process safety, and a scribe. It is most
effective if the LOPA is conducted at the same time as the HAZOP, making use of the
team’s knowledge. The time needed is dependent on complexity of the process. In
general, a typical refinery process unit will require one to two weeks longer than the
HAZOP study. Team members and their supervisors must be aware of the commitment
necessary for effectiveness. Team members must be available for all sessions.
Information LOPA is often used in conjunction with, and builds upon the information generated by, a
Requirements HAZOP. This requires up-to-date P&ID's, detailed project design criteria, equipment
specifications, material specifications, and other similar engineering design information.
References ETP GP 48-03 Layer of Protection Analysis (LOPA)

ETP GP 30-76 Safety Instrumented Systems (SIS) - Development of the Process
Requirements Specification (provides more information on LOPA)
CCPS, Guidelines for Risk Based Process Safety, 2007 (Chapter 8, Hazard Identification and
Risk Analysis)
CCPS, Layer of Protection Analysis – Simplified Process Risk Analysis, 2001
Training:
Best Practices:
requirements in the Group Defined Practice on LOPA. The Group Defined practice should
be consulted whenever consideration is given to whether a LOPA study is needed.

2.3 Facility Siting
Title Facility Siting
Description Facility siting studies are used to evaluate the layout and spacing of occupied buildings with
respect to potential hazards. These studies consider fires, explosions and toxics, as well as
the availability of shelter, muster points, and escape routes. The analysis generally follows
the procedure outlined in API RP 752 and API RP 753. The studies estimate potential
explosion, fire and toxic exposures based on existing operating conditions and screening of
selected buildings on these consequences, and identify those buildings where occupants may
be at greater risk.
Facility Siting is a term specifically used in the U.S. OSHA regulations.
Purpose/ Facility Siting Studies are intended to provide an approach to identify, evaluate, and manage
Application the process safety considerations associated with process plant building design and siting.
The facility siting analysis may be applied to buildings in existing facilities to analyze the risk
to occupants. It should be applied to proposed buildings in existing and new facilities to aid
in the siting of buildings.
Rating Skill – High Cost – Medium

Strengths This technique provides a rigorous method of analysis for siting of new buildings, and
determining occupant risk in existing buildings.
Weaknesses Models used are dependent on site specifics that may be subjective and can change,
thereby changing the analysis results. Modelling is dependent on user skill in the areas of
scenario development, parameter settings, and result analysis.
Resources Technical expertise in the areas of vapour dispersion and explosion modelling and risk
calculation
Information Building occupancy, function, and design details are needed. Analysis is based on scenarios
Requirements specific to the operations taken from PFD’s and P&ID’s including: process composition,
operating temperature, pressure and flow rate, unit layout, piping and vessel data. Potential
release scenarios are developed from hazard evaluations and risk assessments, and a
review of the operations. A site visit provides layout data.
References ETP GP 04-30 Design and Location of Occupied Permanent Buildings Subject to Blast, Fire,
and Gas Hazards on Onshore Facilities, plus related segment practices:
ETP GP 04-31 Design and Location of Occupied Portable Buildings for Onshore Locations
(to be based on existing RM-GP 04-30-1)
ETP GP 04-32 Design and Location of Occupied Portable Buildings for Offshore Locations
(to be based on existing EP-GP 04-30-1)
ETPs 24-20,21,22
API RP 752 Management of Hazards Associated with Location of Process Plant Buildings
(under review)
API RP 753 Management of Hazards Associated with the Location of Process Plant
Portable Buildings.
CCPS, Guidelines for Evaluating Process Plant Buildings for External Explosions and Fires,
1996
CCPS, Guidelines for Evaluating the Characteristics of Vapour Cloud Explosions, Flash Fires,
and BLEVEs, 1994
Baker Risk Building Evaluation and Screening Tool (BEAST)
Training:

2.4 Fault Trees

Fault Tree Analysis (FTA) is a deductive technique that focuses on one particular
incident or system failure, and provides a method for determining causes of that
event. See Appendix 6, 1.12 above. FTA may be used as a quantitative tool to
identify the risk of potential equipment failures and human errors that can lead to an
incident.
2.5 Event Trees

Event Tree Analysis (ETA) is a deductive technique that focuses on the potential
escalation outcomes from a particular incident or system failure. See Appendix 6,
1.13 above. ETA may be used as a quantitative tool to identify the risk of potential
escalation outcomes by applying conditional probabilities (of safety system
success/failure, ignition, and wind direction) to an initiating release frequency to
determine the resultant event frequency.

2.6 Major Accident Risk
Title Major Accident Risk Process (MAR)
Description MAR is a screening tool for the identification of major accident risks, and is a simplified
form of QRA, using a purpose-built tool (MAR Calculator) to streamline the analysis. It
involves (i) identifying a representative range of major accident events, (ii) quantifying the
likelihood of those events (influenced by the engineering design of the facilities), (iii)
quantifying the possible physical effects and assessing their consequences (influenced by
the location of the facilities and people), and (iv) presenting the results as Societal Risk (f-N
curve) for comparison against a BP Group Reporting Line.
Purpose/ The objective of the MAR process is to facilitate identification of major accident risks, and
Application provide a coarse assessment of risk, which is used to prioritize areas for remedial measures
and/or further assessment. It supports a program of continuous risk reduction within the
BU/SPU. It can be used to identify scenarios, where options to reduce the likelihood and/or
consequences of the events may be beneficial. The MAR Process is specifically focused at
major accidents which are defined as those involving 3 or more fatalities or environmental
impacts.

Sophistication – medium Value – medium
Strengths MAR is a simplified screening tool for the identification of major accident risks. It provides
a relatively rapid and approximate indication of risk associated with multiple fatality or gross
environmental damage events.
Weaknesses MAR is a coarse risk assessment and may not address all site risks. It is not a substitute
for other more detailed methodologies, such as QRA and Facility Siting. MAR studies may
identify areas for more focused QRA. MAR is not intended to predict incidents involving
less than 3 fatalities.
Resources MAR reduces the resources (skilled manpower, time, cost) required by QRA by using a
purpose-built tool, using a standard approach, and generic event frequency data. It requires
experienced risk analysts familiar with QRA and personnel with knowledge of the
operation.
Information PFD’s, P&ID’s, plot plans, on-site and off-site population densities and locations,
Requirements meteorological conditions, operating parameters, etc..
References GP 48-50 Major Accident Risk Process

Training: Available from Process Safety Engineering, Group S&O
Best Practices:
Software: Cirrus, MAR Calculator – available from Process Safety Engineering, Group S&O
requirements in the Group Defined Practice on the MAR Process. The Group Defined
practice should be consulted whenever consideration is given to whether a MAR study is
needed.

2.7 QRA
Title Quantified Risk Assessment (QRA)
Description Quantified Risk Assessment (QRA) is the most complex and detailed form of risk
assessment. It is particularly beneficial in analyzing specific issues or answering specific
questions. QRA may also be required by regulation.
QRA involves the quantification of both likelihood of occurrence and the consequences of
certain hazardous or unwanted outcomes. The probability or likelihood is determined from
historical databases of equipment failure or synthesised from fault and event trees of
smaller, more common events that lead to the outcome. The impact or consequences are
determined by various modelling approaches, such as Consequence Analysis to calculate
the dispersion of flammable and toxic vapours, thermal radiation from fires, and blast
overpressure from explosions.
Results are integrated to calculate Individual Risk and/or Societal Risk. These results may
be represented as geographic risk contours or FN curves.
Security Vulnerability Assessment (SVA) is a form of QRA focused on security risks. CRAM
is a variation of QRA specifically aimed at the concept safety evaluation of new projects.
Purpose/ QRA is typically used to evaluate ‚higher risk‛ operations, and is very effective in
Application identifying individual component risk contributors to a facility’s risk profile to specifically
identify the equipment or activities that dominate the risk. This enables specific risk-
reduction techniques to be targeted to generate substantial risk reduction in the most cost-
effective manner. It may be applied to existing operations and to the design of new
projects.
Rating Skill – High Cost – High

Strengths QRA studies can be comprehensive and perhaps the most accurate estimation of risk. This
allows objective decision-making on risk reduction measures to allocate resources in the
most cost-effective manner. It is a technique that should be used selectively and with a
focused scope when reliable decisions cannot be made using other simpler risk
assessment techniques. Risk quantification is particularly useful in addressing major
accident risks where past experience by itself is inadequate to provide the appropriate level
of assurance. It also helps to identify priority areas for attention, and enables consistent
decisions to be taken on risk reduction across multiple assets.
Weaknesses QRA can be expensive, requiring extensive time, data and highly skilled resources. In many
instances, QRA is not warranted as other techniques can provide the necessary insight at
substantially less cost.
Resources QRA can require significant resources (skilled manpower, time, and cost) to analyse risks.
Experienced risk assessment professional familiar with the methodology. Personnel with
knowledge of the operation.
Information PFD’s, P&ID’s, plot plans, on-site and off-site population densities and locations,
Requirements meteorological conditions, operating parameters, asset valuations, etc..
References CCPS, Guidelines for Chemical Process Quantitative Risk Analysis, 2nd edition, 2000
Software: MAR Calculator tools; BP Cirrus suite
Training:
Best Practices:

3. ALERT
Title ALERT
Description ALERT is a holistic risk assessment process that addresses other risks besides HSSE risks.
The process is a facilitated workshop, similar to a Peer Assist, involving the development of
a spreadsheet populated with the key risk information, such as cause, event,
consequences, probability of the risk occurring (expressed as percentage), potential impact
on project/BU, and risk owner. The magnitude of the impact is described by 3 scenarios –
optimistic, most likely, and pessimistic.
Purpose/ ALERT is a structured process to determine risk and uncertainty to support projects/BU’s
Application make better risk informed investment decisions. At least one risk workshop should be held
during each stage of CVP.

Strengths ALERT is a valuable means to provide a focus on key project risks and uncertainties on
which future plans for risk reduction may be based.
Weaknesses Lack of experience may result in risks and uncertainties being overlooked.
Resources Personnel trained in risk workshop facilitation plus participants drawn from all key elements
of the Asset Development Team (commercial, reservoir, engineering, wells, marketing,
HSE, operations, etc.) and other BU’s/Support Teams to promote active challenge.
Workshops typically last one to two days.
Information Process/project design criteria, equipment specifications, material specifications, P&ID’s

Requirements and other similar engineering design information.
References Training: ALERT 2 for Facilitators (1½ days)

Best Practices:
Website: http://projects.bpweb.bp.com/alert/
Guidance materials

4. Cost Benefit Analysis
Title Cost Benefit Analysis (CBA)
Description CBA is a technique that involves assessing the costs (labour, materials, etc.) and effects
(positive and negative) of alternative risk reduction approaches, and applying benefit-to-cost
ratios (e.g. willingness to pay to avert a negative outcome) between the alternative options.
A sensitivity analysis is performed on key input data and assumptions. The scope should
be broad enough to incorporate all individuals/organizations affected by any alternative both
immediately and in the foreseeable future .
Cost benefit analysis is in common usage in some parts of the world to demonstrate that
risks are being adequately managed, whereas in other locations the technique is not
accepted. For example, in the UK, a cost benefit approach is well recognized in terms of
demonstrating the legal requirement to manage risks to As Low As Reasonably Practicable
(ALARP). In the US, other methods should be used to evaluate measures to reduce
occupational health and safety risks. Before conducting a cost benefit analysis, each BP
Entity should consult local legal requirements to determine whether they allow or restrict
the use of cost-benefit analysis.
Purpose/ CBA provides a monetized basis for making decisions on cost vs. benefit in selecting from
Application approaches which are only partially expressed in financial terms. It is most useful where
there is a societal aspect to the decision making, and where technical analysis may not
address all factors that should be considered in making a rational decision.

Strengths CBA provides a systematic method to characterise hazards and risks in a manner that is in
context with other business drivers. Its use will result in risk management decisions of
improved quality, consistency and defensibility of any decision, especially funding decisions
that have impacts on engineering, operations and HSSE risks.
Weaknesses Cost benefit analysis is not accepted in some jurisdictions. When used in an HSE context,
it may be misperceived as an effort to place a monetary value on human life or human
health, rather than as an effort to identify the true cost of protecting human life and health.
CBA requires dedicated effort and breadth of scope that is not always easy to achieve. The
scope needs to be wide enough to capture all significant indirect effects. While appearing
sophisticated, the results are only as valid as the quality of the input data.
Resources Knowledge of external influences
Information Range of risk reduction alternatives, economic data, such as cost estimates for the
Requirements potential risk reduction alternatives.
References ETP GP 48-50 Major Accident Risk Process

Training:
Best Practices:
NOTE: Before conducting a cost benefit analysis, each BP Entity should consult local legal
requirements to determine whether they allow or restrict the use of cost-benefit analysis.
There may be some overlap between the recommendations in this practice, and
requirements in the Group Defined Practice on the MAR Process. The Group Defined
practice should be consulted whenever consideration is given to whether a cost benefit
analysis is needed.

Appendix 7 – Documentation for Hazard Evaluation and Risk

Assessment Studies
The following documentation may be available and needed for the study:
P & ID's
Previous Accident / Incident / Near Miss reports (for existing facilities)
Changes to the design since the last HAZOP or hazard review
Flow diagrams, heat and material balances
Operating procedures, if available (required for a procedural HAZOP)
Shutdown Matrices (Cause and Effect Diagrams)
Piping class specifications
Engineering design data sheets, especially relief device data sheets
Emergency shutdown (ESD) system functions
Emergency depressuring (EDP) system functions
Pump and compressor operating curves and dead head pressures
Valve capacities – particularly important for gas blow-by.
General arrangement and elevation drawings, including electrical area
classification and drainage
Building locations, occupancy and materials of construction
Location of 3rd party developments and sensitive environmental areas
Vessel inventories
Environmental impact assessment
Operations and Maintenance Philosophy document
Safety Philosophy document, especially relief/venting philosophy
Commissioning procedures
Start up procedures
Operating procedures
Shutdown procedures
Maintenance procedures
Relevant vendors' P & ID's
Previous safety review or HAZOP reports
Material Safety Data Sheets (MSDS)
Valve capacities – particularly important for gas blow-by
Previous Risk Assessment. In particular, any consequence modelling that has
been completed should be available to the team to assess the consequences of
identified scenarios.

Appendix 8 – Definitions
The following terms are used with the following meanings in this Practice. The principal focus
of this Practice is the management of threats to health, safety, environment and operations, in
the context of the Group’s HSSE goals. For this reason, the term ‚risk‛ as used in this Practice
is confined to threats rather than opportunities.
Administrative A procedural requirement for directing and/or checking engineered

Control systems or human performance associated with plant operations.
Barrier (a.k.a. Layer A safeguard comprising plant, process or people that is intended to
of Protection) reduce the probability or impact of an event.
BP Leader A BP employee who is responsible (accountable?) for the management

of an entity.
Competent Person Someone who has the professional qualifications, technical skills,
knowledge, understanding, experience and personal qualities (attributes,
attitude and aptitude) which enable them to:
carry out to the required standard their assigned duties at the
level of responsibility allocated to them;
understand all foreseeable hazards related to the task(s) or
equipment under consideration;
detect and recognise any technical defects or omissions in that
task or equipment, and recognise any HSSE implications caused
by those defects or omissions;
specify remedial action(s) necessary to mitigate those HSSE
implications
Consequence A measure of the expected effects of an incident should it occur.
Consequence The analysis of the effects of incident outcome cases independent of

Analysis frequency or probability.
Control The act of causing the effects of a consequence to be less severe or the
consequence to occur less often.
Engineering Control A specific hardware or software system designed to maintain a process

within safe operating limits, to safely shut it down in the event of a
process upset, or to reduce human exposure to the effects of an upset.
Entity An organizational unit within BP which may be a project, site, facility,

Performance Unit, Business Unit, Strategic Performance Unit, Segment,
or some logical subgroup of these, defined by the Segment, Function or
Region.
Event Occurrence of a particular set of circumstances.
Escalation factor A factor that alters the impact or probability of a risk.
Facility A portion of or complete plant, unit, installation, site, complex, or any

combination thereof, for the purposes of exploration, drilling, production,
storage or transportation.

Failure Modes and A systematic, tabular method for evaluating and documenting the causes
Effects Analysis and effects of known types of component failures.
(FMEA)
Frequency The number of occurrences of an event per unit of time.
Hazard A chemical or physical condition with the potential to cause harm to

people, environment, property or business performance.
Hazard Analyst A competent person who leads and/or conducts hazard evaluations and
(a.k.a. Risk Analyst) risk assessments.
Hazard and The systematic, qualitative approach for hazard identification that uses a
Operability Study structured questioning method to identify hazards and operability
(HAZOP) problems.
Hazard Evaluation The analysis of the significance of hazardous situations associated with a
process or operation.
Impact The loss / harm to people, environment or business performance if a risk

event should occur.
Incident An unplanned event or sequence of events that results in undesirable

consequences, e.g. the loss of containment of material or energy.
Individual Risk The frequency at which a specific individual (or group of individuals) may
be expected to sustain a given level of harm (typically, death or serious
injury) from the realization of specified hazards.
Layer of Protection A safeguard comprising plant, process or people that is intended to

(a.k.a. Barrier) reduce the probability or impact of an event.
Layer of Protection A semi-quantitative method for evaluating the effectiveness of

Analysis (LOPA) independent protection layers in reducing the likelihood or severity of an
undesirable event.
Likelihood A measure of the expected probability or frequency of occurrence of an

event.
Mitigation The act of protecting people, the environment or property from the
consequences of an incident.
Occupancy The probability that an individual is present at the time that a hazardous
event occurs.
Prevention The act of causing an event not to happen.
Probability The expression for the likelihood of occurrence of an event during an

interval of time, or the likelihood of occurrence of the success or failure
of an event on test or demand.
Process Hazard A hazard evaluation of identify and evaluate hazards associated with
Analysis (PHA) chemical processes and operations to enable their control.
Process Safety Information that might be used to aid in the understanding of the hazards
Information of a facility, including P&IDs, control information, equipment design data,
process limits, materials of construction, safety system design, MSDS,
relief design basis data.

Risk A measure of human injury, environmental damage, damage to

reputation, or economic loss in terms of the product of the incident
likelihood and the magnitude of the loss or injury.
Risk Analysis The development of an estimate of risk based on engineering evaluation

and mathematical techniques for combining estimates of incident
consequences and frequencies.
Risk Assessment The process by which options for risk reduction measures are developed
based upon the results of a risk analysis.
Risk Management The process by which the results of a risk assessment are used to make
decisions regarding risk reduction strategies.
Residual Risk The level of risk that remains when risk reduction measures are taken
into account.
Societal Risk Societal risk describes how often accidents occur and how many people
are killed (or harmed) in such accidents. Unlike Individual Risk, in
Societal Risk there is no distinction between particular individuals. The
relationship between frequency and the number of people suffering a
specified level of harm may be expressed graphically, in what is
generally termed an 'F/N' curve, with the frequency of exceeding given
numbers of casualties plotted on a cumulative basis.
Vulnerability The probability of death or a specified severity of harm when an

individual is exposed to a hazard.

GRP3.10001 Selection of Hazard Evaluation and Risk Assessment Techniques

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

GRP3.10001 Selection of Hazard Evaluation and Risk Assessment Techniques

Hochgeladen von

Copyright:

Verfügbare Formate

BP Group Recommended Practice

Group Recommended Practice

Selection of Hazard Evaluation & Risk

This Practice will be subject to periodic review.

Issue Date July 7, 2008

Revision Date To be determined by Approver for Issue to BP

Author Mike Broadribb, Distinguished Advisor - Process Safety,

Maintainer Tim Kozina Director, OMS Knowledge Management

Issued By Gareth James, Head of Technical Management Systems

Who is it for? Risk Assessment

GENERIC EXTERNAL NATURAL HUMAN ERROR OTHER

(Release, Incident, Impact)

Fig 2: Risk management process

What is the process?

Fig. 3: Categories of Factors That Influence the Selection of Technique

b) Intent To provide a structured process for the selection of appropriate hazard

1. Group Essential 3.1.3

1.2 Scope and Applicability

1.3 Auditing and Compliance

a) Auditing Not Applicable.

1.4 Administration and Authorisation

a) Administration Administration and authorization responsibilities for this Group Recommended

b) Interpretation Questions of interpretation should be directed in writing to the Content Owner

2. The Practice Structure

Recommendations contained within this Group recommended practice are

Throughout the Group Defined and Recommended Practices, when used in

2.3 References and Responsibilities

b) Responsibilities Where appropriate, roles and responsibilities to deliver any process/activities

3. The Practice Elements, Recommendations, and References

c) References 1. Integrity Management (IM) Functional Standard

3.2 Element 2: Choosing the Appropriate Methodology

a) Intent To choose a hazard evaluation and risk assessment methodology that is

b) Recommendations 1. Each Entity should have a process in place to consistently select

c) References 1. CCPS, Guidelines for Chemical Process Quantified Risk

3.3 Element 3: Study Requirements – Planning & Preparation

b) Recommendations Scope Definition

c) References 1. CCPS, Guidelines for Chemical Process Quantified Risk Assessment,

3.4 Element 4: Study Requirements - Reporting & Follow-up

b) Recommendations Reporting the Study Results

j. Revalidation may involve review of the previous hazard evaluation /

c. References 1. Integrity Management (IM) Functional Standard

3.5 Element 5: Study Requirements - Human Factors

a) Intent A significant number of major incidents involve human factors. An

b) Recommendations Human factors should be addressed in a number of ways:

c. References 1. 29 CFR 1910.119, OSHA, Process Safety Management Of Highly

3.6 Element 6: Additional Specifics for Certain Situations

c) References 1. GP 30-76 Safety Instrumented Systems – Process Requirements

Group Recommended Practice

Selection of Hazard Evaluation & Risk

Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019 24

Appendix 1 – The Overall Risk Management Framework

Phases of Risk Management

Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019 25

Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019 26

Phase 5: Risk Analysis

Figure A1.2 Hierarchy of Risk Reduction Measures

Risk Reduction Measures

Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019 27

Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019 28

Appendix 2 – Factors Influencing Choice of Technique

The Motivation for the Study

Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019 29

Characteristics of the Analysis Problem

Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019 30