Beruflich Dokumente
Kultur Dokumente
GRP 3.1-0001
Content Owner Steve Flynn, Head of Discipline HSSE, Group Safety &
Operations
Approver for Issue to BP Steve Flynn, Head of Discipline HSSE, Group Safety &
Operations
1
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
Contents
Summary................................................................................................................................................ 3
1. Introduction ................................................................................................................................... 5
1.1 INTENT AND PURPOSE .................................................................................................................. 5
1.2 SCOPE AND APPLICABILITY............................................................................................................ 6
1.3 AUDITING AND COMPLIANCE ......................................................................................................... 6
1.4 ADMINISTRATION AND AUTHORISATION .......................................................................................... 7
2. The Practice Structure .................................................................................................................. 8
2.1 RECOMMENDATIONS .................................................................................................................... 8
2.2 LANGUAGE .................................................................................................................................. 8
2.3 REFERENCES AND RESPONSIBILITIES .............................................................................................. 9
3. The Practice Elements, Recommendations, and References ................................................. 10
3.1 ELEMENT 1: ROLES AND ACCOUNTABILITIES ................................................................................10
3.2 ELEMENT 2: CHOOSING THE APPROPRIATE METHODOLOGY .........................................................13
3.3 ELEMENT 3: STUDY REQUIREMENTS – PLANNING & PREPARATION................................................16
3.4 ELEMENT 4: STUDY REQUIREMENTS - REPORTING & FOLLOW-UP ..................................................18
3.5 ELEMENT 5: STUDY REQUIREMENTS - HUMAN FACTORS ...............................................................21
3.6 ELEMENT 6: ADDITIONAL SPECIFICS FOR CERTAIN SITUATIONS ......................................................22
5. Appendices .................................................................................................................................. 24
Appendix 1 – The Overall Risk Management Framework .............................................................. 25
Appendix 2 – Factors Influencing Choice of Technique .................................................................. 29
Appendix 3 – Typical Uses of Hazard Evaluation and Risk Assessment Techniques .................. 31
Appendix 4 – Criteria for Selecting Hazard Evaluation and Risk Assessment Techniques ......... 32
Appendix 5 – Flowcharts for Selecting Hazard Evaluation & Risk Assessment Technique ........ 33
Figure A5.1 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique ....... 33
Appendix 6 – Fact sheets for Hazard Evaluation and Risk Assessment Techniques ................... 44
Appendix 7 – Documentation for Hazard Evaluation and Risk Assessment Studies .................. 70
Appendix 8 – Definitions .................................................................................................................... 71
2
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
Summary
This Group Recommended Operating Practice recommends a structured process for the consistent
selection of appropriate hazard evaluation and risk assessment methodologies to identify and analyze
Health, Safety, Security, Environment and Operating (HSSE&O) hazards and risks in support of safe,
reliable and available operations. This Practice also includes:
1. an explanation of the overall risk management process and how the individual phases relate
to one another;
2. essential requirements for effective hazard evaluation and risk assessment studies; and
3. a description of each technique indicating its purpose, application, strengths/weaknesses,
resources, and information requirements.
There are a variety of hazard evaluation and risk assessment methodologies. Each technique has its
own purpose, strengths and weaknesses, resource requirements, costs, and produces results in
different formats. Particular techniques are suited to particular applications. This Practice covers the
hazard evaluation and risk management tools already in use within BP (e.g., MAR, HAZOP, JHA,
Security risk assessments, Health map, etc.) to support inherently safer design, continuous risk
reduction, and operational integrity. Over twenty different techniques that are used within the BP
Group are listed below and described in detail in Appendix 6.
This Practice supports the evaluation and
management of HSSE & Operations risks in a Fig.1: Hazard Evaluation and Risk
consistent and holistic way across the BP Group. Assessment Methodologies
For further information on risk management please Control of Work
refer to the Group Defined Operating Practice – Task Risk Assessment
Assessment, Prioritization and Management of
Risk (GDP 31-00-01). Hazard Identification/Evaluation
HSSE Review
This Practice does not address non operational HAZID
risks within the organization such as commercial MAHID (see MAHA)
PHA
risks, risks to projects, or enterprise risks Checklist
associated with joint ventures. What If
Relative Ranking / Risk Ranking
This Practice is aligned with the risk management HAZOP
process depicted in Fig. 2, and specifically covers FMEA
techniques for hazard identification, scenario Consequence Analysis
Fault Tree*
development, consequence analysis, likelihood Event Tree*
analysis, and risk analysis that build to deliver risk Bow Tie Analysis
assessment. Human Reliability Analysis
Fault and event trees may be used qualitatively for hazard identification purposes, but may also be quantified as part of a risk
assessment.
3
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
HAZARD
IDENTIFICATION
SCENARIO DEVELOPMENT
Develop Risk
Reduction
Measures CONSEQUENCE LIKELIHOOD
ANALYSIS ANALYSIS
(Safety,
Environmental, (Probability,
Reputation, Financial
Impact) Frequency)
Key:
RESIDUAL RISK OTHER Hazard Identification
MANAGEMENT CONSIDERATIONS
YES (Business, Feasibility) Assessment
Prioritization
NO Is Further Risk RISK
Reduction ANALYSIS Management
Required?
Categories
Motivation for the Study
Type of Results Needed
Type of Information Available to Perform the Study
Characteristics of the Analysis Problem
Perceived Risk Associated with the Subject Process or Activity
Resource Availability and Analyst/Management Preference
Before selecting the most appropriate methodology for a study, a checklist in Appendix 4 should be
used to determine the influential factors and criteria under each of the categories in Fig.3.
Next, the steps in the first flowchart in Appendix 5 (Fig. A5.1 should be followed), which culminates
in a decision to choose one of six potential risk assessment paths.
A series of more detailed decision trees for each of these six paths (Figs. A5.2 through A5.11) should
then be followed to determine which specific technique(s) are appropriate for the particular
circumstances of the problem or issue to be resolved. Or in the alternative, an experienced hazard
analyst may stop at the end of the first flowchart (Fig. A5.1), and use the additional guidance provided
in the individual descriptions of each technique (see Appendix 6) to choose the most appropriate
technique.
This Operating Practice also makes recommendations on competency, planning, reporting and follow-
up for effective hazard evaluation and risk assessment studies.
4
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
1. Introduction
1.1 Intent and Purpose
a) Description Many techniques have been developed over the years to assist in the
of Purpose identification, analysis and assessment of risk, which may be expressed in terms
of human injury, environmental damage, damage to reputation, or economic loss
including property damage and business interruption. These techniques vary in
degree of complexity, require different levels of skill to utilize and have specific
areas of application.
Selection of inappropriate methodologies can result in less effective hazard
evaluation and risk assessment studies. Ineffective hazard identification and
assessment of risk can impact the health and safety of people, the environment,
and operating performance.
5
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
a) Scope This Practice represents BP's Recommended approach for Selection of Hazard
Evaluation & Risk Assessment Techniques. Subject to this Practice’s intent and
subject to existing contractual constraints (to the extent they cannot be
renegotiated) this Practice should be applied by people who perform work in the
BP Work Environment on behalf of BP.
b) Applicability This Practice is recommended for all BP Entities, projects, facilities, sites and
operations that are wholly owned and operated by BP.
This Practice is also recommended for BP joint ventures, whether or not BP is
the operator. In these cases, subject to an appropriate risk assessment, BP
should try to use its influence to secure that the operation of the joint venture is
consistent with the relevant recommendations contained in this Practice.
Where BP relies on a contractor to carry out work to which the recommendations
in this Practice would apply if the work was performed by BP employees, BP
should, after an appropriate risk assessment, try to have the work carried out in a
way which is consistent with the relevant recommendations in this Practice.
Where existing contractual constraints prevent BP from securing that such a
joint venture or contractor operates consistent with the recommendations in this
Practice, BP should consider the possibility of renegotiating the relevant contract
terms.
If following any of the recommendations in this Group Recommended Practice
would conflict with an applicable legal requirement, it is necessary to comply
with the applicable legal requirement. If following a recommendation would go
beyond any applicable legal requirements, this should be done as long as
compliance with those requirements is achieved.
6
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
c) Changes and Any suggested changes or amendments to this Practice should be forwarded to
Amendments the Content Owner along with the reasons for suggesting them. The Maintainer
should receive a copy of the suggested changes or amendments as submitted to
the Content Owner.
All suggestions will be acknowledged and, if rejected, the reasons given for their
rejection.
Accepted changes will be administered through the document change control
system employed by Group Safety & Operations.
d) Document This Practice should be held and controlled in the Safety & Operations website
Control and until the Group OMS Library is available.
Review
This Practice will be subject to periodic review. The Maintainer is responsible for
scheduling these reviews. The review will be led by the Content Owner, and
include input from each of the business segments and Group S&O.
F
7
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
2.2 Language
8
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
a) References References, where appropriate, are made to other relevant Group Standards,
Group Practices, operating standards, guidelines, procedures and documents
should be used in order to support the application of this Group
Recommended Practice. Examples and case studies may be provided to aid
clarity and understanding.
9
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
a) Intent To define roles and responsibilities for hazard evaluation and risk
assessment. Selection of a competent study team will directly impact the
quality of the study generated and its use by the client business unit or major
project.
10
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
b) Recommendations 1. For each Entity, authorities for the following roles associated with hazard
evaluation and risk assessment studies should be delegated,
documented, and agreed:
a. scope development for each study
b. choice of study methodology
c. choice of who is to perform the study (for some techniques this
should be a multi-disciplinary team)
d. quality evaluation of deliverables at the conclusion of the study
e. resolution of actions from the study
Competency for these roles should be defined and assessed.
2. The hazard analyst (study leader) should be experienced in the specific
study methodology employed.
3. The hazard analyst should liaise with operations and engineering
personnel knowledgeable in the facility and its technology.
4. For new projects, the study leader should be independent of the project
team and design contractor.
5. To support the hazard evaluation and risk assessment process, key staff
with the appropriate breadth and depth of expertise should be engaged.
This should include those with responsibility for day to day operations,
and those with technical competence in hazard evaluation and risk
assessment.
6. It is important that the person leading the analysis be equipped with the
proper skills and experience, as this can affect the quality of the results
obtained. The study should be facilitated by a hazard analyst experienced
in the specific methodology selected for the study.
7. Regardless of which technique is chosen, the quality of the data it
produces is ultimately dependent upon the knowledge and commitment
of those involved.
8. Some hazard evaluation and risk assessment studies may be conducted
by a multi-discipline team, e.g. HAZOP. Specialists should be selected as
study team members on an "as needed" basis. For example, process
chemistry, HSSE, process safety, operations, electrical, maintenance,
corrosion, process and mechanical design engineers should be selected
on the basis of their knowledge and experience of the process or system
under review. Sufficient participants from different delivery teams or
operating units are also recommended to address interfaces being
covered.
9. It may also be beneficial to have third party representatives involved in the
study. The study team should include a vendor representative familiar
with the engineering and operation of any vendor package that is studied,
and a contractor representative familiar with any new facilities or
modifications being designed by a contractor.
10. The individual proposed as study team leader should have adequate
training and experience in the study methodology to be used. On
occasion contractors may be used to lead hazard evaluation and risk
assessment studies, if they have the appropriate level of training and
experience. The study team leader should be a specialist with a
background in risk analysis. BP representatives having risk analysis
expertise should participate in planning and executing the study.
11
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
12
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
13
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
14
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
15
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
a) Intent Hazard evaluations and risk assessments are important studies that require
careful planning and preparation to deliver effective results.
16
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
17
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
a) Intent Hazard evaluations and risk assessments are important studies that should
comply with various formal criteria for reporting, resolution, document
retention and revalidation.
18
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
19
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
20
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
21
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
a) Intent The BP Group requires certain hazard evaluation and risk assessment
methodologies to be used in certain situations, including:
1. GP 48-01 - Project HSSE Review (PHSSER) is used at discrete
stages of Major Projects, and some smaller projects, to provide
independent assurance that appropriate engineering and
operating systems are being developed to manage identified
risks. Consult GP 48-01 for further information.
2. GP 48-02 - Hazard and Operability Study (HAZOP) is used to
identify hazards and evaluate the effectiveness of safeguards in
process system designs, and when significant changes to the
P&ID are proposed. Consult GP 48-02 for further information.
3. Any scenario that can result in single or multiple fatalities
requires a higher level of review than HAZOP to ensure that
adequate protection is in place. GP 48-03 - Layer of Protection
Analysis (LOPA) is used for risks at levels C through E on the
Risk and Manageability Matrix (GDP 31-00-01, App. 3) (the
Matrix). Methods such as Fault Tree Analysis (FTA), Failure
Modes and Effects Analysis (FMEA), or Quantitative Risk
Assessment (QRA) are used to evaluate risks at levels A or B on
the Matrix.
4. GP 48-04 - Hazard identification is key to achieving an Inherently
Safer Design (ISD). Initially a preliminary hazard identification
technique, such as HAZID, is used during the appraise stage of a
project. Later, during select and define stages, hazard
identification and risk assessment studies will build upon the
initial hazards identified using other more detailed techniques,
such as What If, HAZOP and MAR. Consult GP 48-04 for further
information.
5. GP 48-50 - Major Accident Risk (MAR) study is used by all BP
Operations and Major Projects with the potential for a major
incident.
22
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
BP Group Recommended Practice
b) Recommendations HAZOP
1. The HAZOP technique is used to identify hazards and operability
issues, and evaluate the effectiveness of safeguards, in the design of
process systems. Whenever a new P&ID is developed for a project,
or an existing P&ID is subject to significant modification for a MOC,
the process design is evaluated using the HAZOP technique.
2. Less rigorous techniques, such as What If and Checklists, should not
be used as a substitute for HAZOP for evaluating process designs,
where significant changes to the P&ID are proposed. HAZOP is the
preferred technique for hazard identification of modifications to
existing facilities where changes to the P&ID occur. However, if a
competent person determines that the changes to the P&ID are not
significant (i.e., they are minor and of sufficiently low hazard), then an
alternative technique such as What If or Checklist may be used.
Individual changes which are, by themselves, not significant may
become significant when combined with other such changes, so the
periodic revalidation of the baseline HAZOP should consider these
changes at the next scheduled revalidation.
LOPA
3. While HAZOP is used to evaluate process systems, a higher level of
review is should also be used if a scenario can result in single or
multiple fatalities. This ensures that adequate layers of protection
with sufficient availability are in place to reduce the risk. LOPA may
be used to fulfil this requirement for many risks, and is the preferred
technique for the evaluation of the effectiveness and independence
of safety measures, especially protective systems. However, LOPA
is not appropriate for risks with the most severe potential
consequences, including risks with the potential for 50 or more
fatalities. Methods such as FTA, FMEA, or QRA are used to
evaluate such risks.
4. Safety Integrity Levels (SIL) should be determined using the LOPA
technique.
MAR
5. The Group Major Accident Risk (MAR) Process is used to assess the
potential for a major incident in new projects and existing facilities.
23
Uncontrolled Document. Valid Only at Time of Printing: 5/27/2019
5. Appendices
Appendices 1- 8
upon persons, property or environment. Alternative scenarios could involve different failure
mechanisms, different hazardous material or energy releases, different escalation mechanisms,
Figure A1.1 illustrates a typical progression from mechanical failure to release, dispersion, consequence,
and ultimately impact.
Figure A1.1: Progression of a Scenario
Failure
Release
Dispersion
Consequence
Impact
For example, if the hazard is identified as the presence of water in a pipeline transporting hydrocarbons,
then the scenario might involve the collection of water at low points in the pipeline during periods of low
throughput/flow rate. This collection of water might then result in enhanced corrosion, which in turn
would result in pin-hole leaks, or perhaps even a split in the pipe wall giving rise to a large leak.
Alternatively the collection of water might freeze at low temperatures resulting in a major fracture of the
pipeline and subsequent full bore rupture. Scenario development involves identifying all of the potential
failure mechanisms, loss of containment, escalation, exposure, and impact possibilities.
Some analysis techniques consider a single scenario at a time, such as the risk matrix. Others combine
the risk of numerous scenarios. In all cases, it is important to identify scenarios that are credible and
within the scope of the study.
Phase 3: Consequence Analysis (How bad?)
Once the hazards are identified, the next step is to assess the potential impact or consequence of the
identified hazards or adverse events, which can include consideration of vulnerability and numbers of
exposed people. This is done by either qualitatively or quantitatively stating the hazards in terms of the
magnitude of negative impacts.
The tools for consequence analysis range from simple loss of containment calculations through release,
dispersion, thermal radiation and blast overpressure computer models to complex computational fluid
dynamics (CFD) models. These tools progressively involve co-relative degrees of accuracy and cost,
and require increasing degrees of experience and skill in the user.
As with Hazard Identification, no single consequence analysis tool is appropriate for every situation. The
tool selected should properly reflect the nature of the activity to be assessed, experience with that
activity, and the objectives of the analysis.
Phase 4: Likelihood Analysis (How often?)
Once the impacts of the hazards are understood, the next step is to assess the risk of the hazards being
realized so that they may be prioritized, which can often include consideration of time of occupancy as
well as the likelihood of occurrence. This is done by either qualitatively or quantitatively assessing the
likelihood of negative impacts and/or adverse events occurring. As with hazard identification and
consequence analysis, no single likelihood analysis tool is appropriate for every situation. The tool
selected should properly reflect the nature of the activity to be assessed, experience with that activity,
and the objectives of the assessment.
Elimination
Prevention
Control
Mitigation
Emergency Response
There is also a preferred hierarchy regarding the reliability of the controls selected for risk reduction, as
follows:
Passive measures are more reliable than
Active measures are more reliable than
Administrative or procedural controls
Phase 8: Decision-Making
Once the risk reduction measures have been developed, it is necessary to select which options will be
implemented. The risk level with an individual risk reduction measure may be compared with the
original risk without the measure, in which case the difference should indicate a worthwhile reduction to
justify implementation of the measure. Alternatively the risk levels of two or more options may be
compared with each other to indicate which measure offers the greater risk reduction.
Cost-Benefit Analysis (CBA) identifies the costs and benefits of each risk reduction measure and
expresses them in financial terms, establishing a consistent and systematic basis for evaluating and
choosing among such measures. This can result in decisions of improved quality, consistency and
defensibility, especially funding decisions that have impacts on health, safety and the environment.
Because BP operates in some locations that restrict or regulate the use of cost-benefit analysis, it is
important to consult local legal requirements to determine whether cost-benefit analysis is required,
prohibited, or otherwise regulated under the laws that apply to the study in question. Local political,
regulatory and other factors should also be considered before deciding whether to use CBA in making
risk reduction decisions. It is important to ensure that any cost-benefit analysis is written in a way which
makes clear that in fact BP does not view non-financial impacts such as HSE impacts as capable of being
equated to financial values.
In the absence of a cost-benefit analysis in the selection and scheduling of projects, it is difficult to
quantify the reduction in risk achieved with a given project in financial terms and to ensure that
resources are invested to gain the maximum potential benefit. Where the goal is to reduce risk, and
available resources are finite, those resources should be spent on the right projects. The selection of
the most appropriate tools as discussed in this practice can help BP Operation Leaders knowledgeably
make these decisions.
Specific Techniques
This practice provides information on the tools available to assist the BP Workforce in each of the
phases of the risk management process. It is intended to help the BP Entity (and the HSSE, engineering
and other professionals supporting it) to decide which hazard evaluation and risk assessment technique
is most appropriate for the given need. For each hazard evaluation and risk assessment technique
identified, a summary is provided showing the degree of skill needed to apply it, its relative cost, and
degree of sophistication and value (see Appendix 6). A detailed description of each tool is included,
followed by guidance as to how, when and where the tool is best applied and its relative strengths and
weaknesses.
It should be appreciated that the sophistication and cost of a selected technique should be appropriate to
the level of detail needed to answer the question the technique is being used to provide. The amount
and quality of data available will also impact which technique is appropriate. Use of the more extensive
and costly techniques is not necessarily the best use of resources.
Note: it is outside the scope of this document to provide user-instruction for specific tools. This
guidance may be found in other BP and industry documents. The appropriate references are provided
for each technique addressed in this document.
DEFINE MOVITATION
□ Legal requirement □ BP requirement
□ New Project □ Existing Facility
□ Acquisition □ Incident
□ Risk Register □ Continuous Risk Reduction
□ Recurrent Review □ Special Requirement
START
YES YES
Is study for regulatory or Is specific methodology Use required
BP purposes? required? methodology
NO
NO
YES
Is this a recurrent
review?
IF ANY ARE NO
is needed?
Qualitative Quantitative
HAZARD OPTIONS FOR RISK LIST OF SPECIFIC INCIDENT MEASURE OF LAYOUT / SOCIETAL /
SCREENING OR REDUCTION / SCENARIOS PLUS OPTIONS PROCESS UNIT, FACILITY INDIVIDUAL
HAZARD LIST HSSE FOR RISK REDUCTION / PLANT, SITE OR SITING RISK
IMPROVEMENT HSSE IMPROVEMENT SPU/BU RISK
A E F
B C D
Figure A5.2 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique for
Hazard Screening
HAZARD
SCREENING OR
HAZARD LIST
Is ranking of
hazardous areas
YES Use Risk Ranking
or processes
required?
NO
NO
NO
Use What If Use HSSE Review,
HAZID or What If
Figure A5.3 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique for
Options for Risk Reduction / HSSE Improvement
NO NO
Figure A5.4 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique for
Specific Incident Scenarios plus Options for Risk Reduction / HSSE Improvement
NO
Does the process
Is the process YES include human YES
Consider using What If, operating? Are actions? Are human
HAZOP, FMEA, FT, ET, or Use HRA
procedures errors the greatest
HRA available? concern?
G NO NO
YES
Is detailed design Use HAZOP, FMEA,
information FT or ET
available?
I
NO
STOP
Obtain adequate
information before
performing study
Figure A5.5 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique for a
Measure of Process Unit, Plant, Site or SPU/BU Risk
MEASURE OF PROCESS
UNIT, PLANT, SITE OR
SPU/BU RISK
NO NO
NO
Is a high level YES
STOP measure of site or Use MAR*
SPU/BU risk
Obtain adequate sufficient?
information before
performing study
NO
Use Risk Matrix or
QRA
Are equipment
Do you wish to YES failure and event YES Use Risk Matrix
evaluate individual frequency data or QRA
scenarios? available?
NO NO
* Note: MAR studies for Major Projects may be initiated during the Select stage using basic process information to demonstrate
that the selected project will not have issues above the Group Reporting Line (see GP 48-50). This may be confirmed as
increasing information becomes available during detailed design.
Figure A5.6 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique for
Facility Siting and Layout
LAYOUT
Use Consequence
Analysis to estimate
minimum spacing
NO YES
Implement risk reduction to
prevent hazard or control / Are results acceptable? Evaluate building siting
mitigate consequences?
* Note: Spacing tables are typically based upon fire hazards only
Figure A5.7 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique for
Societal / Individual Risk
SOCIETAL /
INDIVIDUAL RISK
Is specific YES
methodology Use prescribed method /
allowed / required look-up table
by regulation?
NO
NO
YES
Is a high level Use MAR*
STOP measure of risk
sufficient?
Obtain adequate
information before
performing study
NO
NO
Use MAR*
* Note: MAR studies for Major Projects may be initiated during the Select stage using basic process information to demonstrate
that the selected project will not have issues above the Group Reporting Line (see GP 48-50). This may be confirmed as
increasing information becomes available during detailed design.
Figure A5.8 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique for
Specific Incident Scenarios plus Options for Risk Reduction / Safety
Improvement (cont.)
NO
NO
NO H
NO
STOP
Obtain adequate
information before
performing study
Figure A5.9 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique for
Specific Incident Scenarios plus Options for Risk Reduction / HSSE Improvement
(cont.)
Are incidents
likely to be single
or multiple failure
events?
Single failure Multiple failure
events events
Is a
YES comprehensive YES Consider using
Is perceived risk Use HAZOP or FMEA list of failure
high? FT or ET
modes required?
NO
NO Is it a mechanical YES Use FT for
or electrical Use FMEA Consider using HAZOP, scenarios, ET for
system? FMEA, or HAZID escalation
Consider using What If,
HAZOP or FMEA
NO
Is it a mechanical YES
Use HAZOP or electrical Use FMEA
system?
Is it a mechanical YES NO
or electrical Use FMEA
system?
Is process YES
simple / small? Use HAZID
NO
Use What If
Figure A5.10 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique for
Specific Incident Scenarios plus Options for Risk Reduction / HSSE
Improvement (cont.)
Are incidents
likely to be single
or multiple failure
events?
NO
Use HAZOP
Figure A5.11 Flowchart for Selecting Hazard Evaluation & Risk Assessment Technique for
Facility Siting and Layout (cont.)
FACILITY /
BUILDING SITING
NO
Is the building YES Does the building YES
No further action occupied or provides comply with No further action
required essential function? design/spacing required
criteria?
NO NO
Note: Further guidance on methodologies for occupied buildings is available from the following ETPs GP 04-30/31/32.
Described in the following pages are techniques for (i) hazard identification to meet
different hazard evaluation objectives, and (ii) risk assessment to evaluate the likelihood
of occurrence, suitable for a range of project and operational environments.
Purpose/ Identification of plant conditions or operating practices that could lead to an incident and
Application result in injuries, property damage, or environmental impacts. HSSE Reviews can be used
at any stage of the life cycle of a facility. Projects and Operations may use HSSE Reviews
in combination with other hazard evaluation and risk assessment methodologies.
Strengths The HSSE Review technique is the simplest hazard evaluation methodology used.
Weaknesses Lack of structure can result in variable outcomes, and review results are highly dependent
upon the experience and objectivity of the personnel involved.
Resources HSSE reviews may be conducted by any number of team members, but in excess of six
members may become inefficient. The time needed is dependent on the process
complexity.
Information For facilities that are being designed, a project team might review a set of drawings looking
Requirements for potential HSSE and/or process safety issues. When performed on existing facilities, the
HSSE Review typically also involves a walk-through inspection that can vary from an
informal, routine visual examination to a more formal team inspection that takes several
days or weeks.
References CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 4, Non-
Scenario-Based Hazard Evaluation Procedures)
See (b) Project HSSE Review below for a more structured form of HSSE Review.
See (c) Pre-Start-up Safety Review below.
Best Practices: none identified
Description Project HSSE Review (PHSSER) is a more structured form of HSSE Review which is
required in certain situations under Group Defined Practice 48-01, and which may be used
to satisfy the requirements of Getting HSE Right and the IM Standard. PHSSERs are an
essential element of a major project’s HSSE Plan. PHSSER Reports are an important
element of the Decision Support Packages required at each gate of the Capital Value
Process. PHSSERs heighten the awareness of HSSE risks and help make HSSE an integral
part of the gated decision and approval processes for projects within CVP.
Purpose/ The overall objective of the PHSSER process is to assure the client BP Entity that HSSE-
Application sensitive areas have been identified and that the appropriate project, engineering and
operational systems have been or will be developed to manage the identified risks.
Assurance is provided by reviewing proposals at various key stages in their development.
Projects should embed HSSE principles of this GP throughout project design and execution
to enhance HSSE performance of the project and its subsequent operation and enable
HSSE risks to be resolved at the most effective point in a project’s lifecycle.
Strengths The PHSSER is a relatively simple review process that leverages the experience of the
team to provide guidance to the Capital Project team.
Weaknesses The review results are highly dependent upon the experience, objectivity and independence
of the personnel involved. The volume of project data for review may be large for the team
size and time available.
Resources PHSSER teams are comprised of personnel from the Segment, outside contractors, and
other persons identified in GP 48-01. PHSSER Team leaders must be on BP’s list of trained
and competent PHSSER Team Leaders. The time needed to complete a PHSSER is
dependent on the process complexity.
Information Project data as available for the CVP stage of the project. This may include design basis
Requirements memorandum, P&IDs, PFDs, process hazards analysis studies, and other HSSE and
process safety related information.
References GP 48-01 Group Practice for HSSE Review of Projects (Group Defined Engineering
Technical Practice)
Training: Project HSSE Review for Team Leaders (2 days)
Overview of Project HSSE Review (PHSSER) Process (½ day)
Best Practices: none identified
NOTE: There may be some overlap between the recommendations in this practice, and
requirements in the Group Defined Practice on PHSSER. The Group Defined practice
should be consulted whenever consideration is given to whether a PHSSER study is
needed.
Description A Pre-Start-up Safety Review is a special type of HSSE review conducted prior to start-up of
a facility. Most PSSRs are conducted by a team comprising operations and engineering
personnel, who use a checklist of issues to consider, including:
Design documentation is complete and up to date, e.g. as-built P&IDs
Safety, environmental, operating, maintenance, and emergency procedures are
complete
Safe work practices are in place
All MOC issues are addressed
All hazard analysis recommendations have been implemented.
Operators are trained on new procedures and equipment.
All work is completed according to specifications.
Mechanical completion review
Purpose/ To ensure that all design, construction, safety, documentation, and environmental issues
Application have been addressed and satisfactorily closed out prior to start-up. PSSR should be used
for start-up of existing facilities following shutdown as well as new facility designs or
modifications. Some PSSRs may be relatively simple depending on the scope of the facility
and/or change. Other PSSRs may be very complex and may take place in stages with
multiple teams.
Strengths Can reduce likelihood of costly accidents and delays that occur at start-up.
Weaknesses Highly dependent upon the experience of the team and the time available to conduct the
PSSR.
Resources Detailed written procedures which includes definition of scope, requirements of program,
descriptions of any changes, up to date P&IDs, equipment specifications and operating
procedures.
References CCPS, Guidelines for Performing Effective Pre-Start-up Safety Reviews, 2007
CCPS, Guidelines for Risk Based Process Safety, 2007 (Chapter 16, Operational Readiness)
Training:
Best Practices: none identified
Description Task Risk Assessment (a.k.a. Job Safety Analysis (JSA)), is an integral part of a ‚Control of
Work‛ process, which involves members of the BP Workforce, including contractors,
identifying possible hazards in work execution not associated with normal operations,
considering their potential risks (probability and severity), and stipulating the various control
measures that need to be implemented. This normally involves issuance of a Permit to
Work. In some cases, routine ‘low risk’ activities may be covered by a formal procedure
that has been previously subjected to a task risk assessment.
Purpose/ The purpose of a TRA is to identify hazards, likelihood of those hazards being realized and
Application the appropriate controls and mitigation needed to ensure that the work can be completed
safely.
Strengths TRA is a basic of hazard evaluation and risk assessment methodologies. The involvement
of every individual on the work crew builds ownership and makes this a powerful technique
for understanding the risks inherent in the task.
Weaknesses The technique relies upon the work crew having the requisite knowledge and hazard
identification skills.
Resources Operations and all personnel involved in performing the task should participate in the Task
Risk Assessment. Sometimes other maintenance and HSSE personnel may participate.
Description PHA is a generic title used by OSHA in the USA for various hazard evaluation
methodologies. These hazard evaluation methodologies range from simple checklists to
What-If and HAZOP. See the appropriate technique page for further information.
Purpose/ PHA’s are techniques used to identify potential hazards, their causes, and their
Application consequences and evaluate the effectiveness of safeguards in process plants.
Rating Skill – vary by the PHA technique used Cost – vary by the PHA technique used
Sophistication – vary by the PHA technique used Value – vary by the PHA technique used
Strengths The various PHA techniques provide a range of methodologies, one of which will be
suitable for most circumstances.
Weaknesses Some PHA techniques are relatively unstructured or rely upon previously compiled lists of
hazards, which are then dependent on past experience and can result in some hazards
being missed. PHA techniques are essentially qualitative, and do not provide a detailed
quantitative understanding of the hazards.
Resources PHA’s are carried out by a team of competent engineers from a mixture of disciplines,
including someone knowledgeable in the process being analysed, and are led by a person
who is experienced in the specific PHA technique used.
References CCPS, Guidelines for Risk Based Process Safety, 2007 (Chapter 8, Hazard Identification and
Risk Analysis)
CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 5, Scenario-
Based Hazard Evaluation Procedures)
Training:
Best Practices:
1.4 Checklists
Title Checklists
Description A Checklist Analysis uses a written list of items or procedural steps to identify potential
hazards or verify the status of a system. Traditional checklists vary widely in level of detail
and are frequently used to indicate compliance with standards and practices. The results
from checklist analysis are qualitative in nature, and invariably contain ‚yes‛, ‚no‛, ‚not
applicable‛, or ‚needs more information‛ answers to the items.
Human Factors Maturity Checklist is an example of a Checklist.
Purpose/ Checklists are used to identify hazards, plant conditions or operating practices that could
Application lead to an incident and result in injuries, environmental impacts, or property damage.
Checklists may also be used to identify hazards and evaluate the effectiveness of
safeguards in non-process designs. They may be applied at any stage of the life cycle of a
facility. Checklists may be used in combination with other hazard evaluation and risk
assessment methodologies.
Strengths Checklists are simple and easy to use. Detailed checklists provide a basis for consistent
evaluation of hazards.
Weaknesses Checklists are only as good as the original compilation of items on the list. Some hazards
may be missed based on the experience of the person(s) compiling the checklist.
Checklists should not be used as an alternative for techniques such as HAZOP.
References CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 4, Non-
Scenario-Based Hazard Evaluation Procedures)
‚PHAWorks‛ by Primatech
Training:
Best Practices:
1.5 HAZID
Description HAZID studies are very broad in their scope, addressing site selection, facility design,
infrastructure and logistical elements. Each area of the installation is considered against a
checklist of hazards. Where it is agreed that a hazard exists in a particular area, the risk
presented by the hazard is considered, and all possible means of either eliminating the
hazard or controlling the risk and/or the necessity for further study are noted on a HAZID
worksheet. Actions are assigned to either discipline groups or individuals to ensure the
mitigating control, or further study is completed. More hazards should be added at the
discretion of the Study Leader if the lists do not cover all the potential hazards on the
installation under review. The HAZID is sometimes called a Preliminary Hazard Analysis.
Health Risk Assessment (HRA), a.k.a. Chemicals Health Risk Assessment, is a form of
HAZID addressing chemicals and their properties, qualitative or quantitative assessment of
exposure, and comparison to exposure limits. An Environmental Aspects Analysis is also a
form of HAZID.
Purpose/ HAZID seeks to identify all reasonably possible sources of hazard to the facility by
Application examining each area / module / system in turn. They should initially be conducted during
the concept and front-end engineering stages, with the emphasis on the major hazards,
before detailed engineering design has begun. HAZID may be utilized in other phases of a
facility's operation to provide an initial screening of the hazards. The HAZID will support
pursuit of an inherently safer design.
Strengths HAZID is very flexible and allows analysis with incomplete or basic information. It provides
general, non-detailed recommendations. It is a valuable means to provide an overview of
hazards on which future HSSE plans may be based. It will aid in identifying hazards early
thus averting potential cost and schedule impacts from hazards discovered later in project
development.
Weaknesses The study success is highly dependent on the experience of the team members
Resources The HAZID study is carried out by a team of competent engineers from a mixture of
disciplines and is led by a person who is experienced in the HAZID technique. A HAZID
may take from 1 day to 1 week, typically, depending on the size of the facility.
Information Data requirements include project data available at the time which may include layout,
Requirements design criteria, equipment and material specifications, and other similar preliminary/basic
design information. The value of the HAZID is in very early identification of potential issues;
hence the study should be driven by timing and not by data availability. Some HAZIDs may
be performed with just one or two pieces of project data but provide great value in
identifying an inherently safer path forward.
References CCPS, Guidelines for Risk Based Process Safety, 2007 (Chapter 8, Hazard Identification
and Risk Analysis)
rd
CCPS, Guidelines for Hazard Evaluation Procedures, 3 Edition, 2008 (Chapter 4, Non-
Scenario-Based Hazard Evaluation Procedures)
Best Practice: DW GoM STP GP 48-0201, Guidance on Practice for Hazard Identification
(HAZID) Study
Training:
Software: Primatech PHAWorks or Dyadem PHAPro (both under BP corporate license.)
Description The What If technique is a brainstorming approach in which a small multi-disciplinary team
of experienced personnel familiar with the subject ask questions or voice concerns about
possible undesired events. The level of analysis depends on the detail of the design
documents and questions posed during the study. What If questions are applied to identify
potential hazards, their consequences, safeguards provided, and recommendations (if
necessary). These questions may be developed before or during the What If Analysis. The
results of the study are qualitative, varying from a simple list of questions and answers to
tables of hazards, consequences, safeguards, and potential options for risk reduction.
What If may be combined with checklists in a hybrid methodology that combines the
creative, brainstorming features of What If with the systematic features of checklists,
which may partially compensate for the individual shortcomings of the separate techniques.
Purpose/ What If analysis may be used to identify potential process, design or operational hazards in
Application a structured manner. What If studies may be used to identify hazards and evaluate the
effectiveness of safeguards in MOC and other ‘low risk’ activities, such as non-process
designs. The technique is particularly suited to addressing organisational MOC.
What If studies may be applied to any stage of the life cycle of a facility. For new projects,
What If is generally applied during the design engineering when the P&ID’s are in
development. For existing facilities, this analysis may be used to identify where further risk
analysis may be warranted. They may be used in a detailed, structured manner similar to a
HAZOP or an overview manner similar to a HAZID, depending on the objective.
Strengths What If is an excellent forum for operations personnel to have meaningful input, as the
process encourages much of the design intention to be revealed. Its greatest strength is
the flexibility to allow use mid-stream in a project detailed design when there is opportunity
to catch potential hazards and still time in the project to address them.
Weaknesses What If studies are not as structured as some other hazard evaluation methodologies, such
as HAZOP and FMEA and thus may not yield as thorough of a review. What if studies
should not be used as an alternative for the HAZOP technique.
The success of the technique depends upon the competency of the analyst, who adapts
the basic technique to the specific application.
Flexibility in detail and structure may lead to misunderstandings as to the level of detail
appropriate. Inexperienced and/or inappropriate selection of team members may result in
incomplete results, and more recommendations due to inability to understand the process
and/or make plant decisions.
Resources Three to five team members including process, operations, process safety, and a scribe.
The time needed is dependent on the process complexity but will generally take more time
than a HAZID and less time than a HAZOP of the same facility.
References CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 5, Scenario-
Based Hazard Evaluation Procedures)
Software: Primatech PHAWorks and Dyadem PHAPro (both are under BP corporate license)
Training:
1.7 HAZOP
For HAZOP studies, five to seven team members are generally required including process, operations,
Resources maintenance, instrumentation, process safety, and a scribe. The time needed is dependent on
complexity of the process. In general, a typical refinery process unit will require two to four weeks.
Ideally two sessions are held per day for no more than a total of 6 hours. Team members and their
supervisors must be aware of the commitment necessary for effectiveness. Team members must be
available for all sessions. Additional team leader time must be allowed for planning, team coordination,
and documentation.
1.8 MAHA
Description MAHA is the identification and assessment of material properties, system elements or
events that could lead to major accidents, i.e. the death of 3 or more people, long term or
widespread damage to the environment, and/or property damage or business interruption in
excess of US $10M. It may include a qualitative or semi-quantitative judgement of the
likelihood and consequences from the event or incident, expressed in terms of a Major
Hazard Risk Matrix. Individual hazards in the yellow and red boxes represent levels of risk
requiring actions to reduce the risks.
The identification step may be performed alone as a Major Accident Hazard Identification
(MAHID). The MAHID is similar in approach to a conventional HAZID, except that it
concentrates on major accidents hazards, considers all aspects of the business (not just
process operations), and adopts a ‚what if‛ approach to identify the major accident
hazards. The MAHA then assesses and assigns a qualitative risk ranking to each major
accident hazard cause identified or identifies the need for further study (such as
consequence analysis or QRA) needed to assign a risk ranking.
Purpose/ Major Accident Hazard Assessment (MAHA) is a technique for the evaluation of major
Application hazards. This methodology pre-dated the Major Accident Risk methodology within the IM
Standard, and is still used by some BU’s.
Strengths MAHA is a valuable means to provide an overview of major accident hazards on which
future HSSE plans for risk reduction may be based. It is particularly effective for existing
facilities where there is already a detailed wealth of knowledge about the facility, residing in
the minds of operations, maintenance and support personnel.
Weaknesses Because this is a ‚creative‛ exercise, the behaviour of team members and their ability or
inability to work together can have a significant impact on the quality of the study. Poor
commitment from the team may increase the time needed to complete the study.
Inappropriate selection of team members may result in a lower quality study, and more
recommendations due to inability to understand the process and/or make plant decisions.
Lack of experience may result in major accident hazards being overlooked.
Resources The MAHA (or MAHID) study is carried out by a team of competent engineers from a
mixture of disciplines and is led by a person who is experienced in the MAHA technique.
Information Initial data requirements rely on the knowledge of experienced operations, maintenance
Requirements and support personnel. Subsequently more specific layout, design criteria, equipment and
material specifications, and other basic design information may be needed.
References Training:
Best Practices: BPTT Major Accident Hazard Management System (MAHMS) Reference
Manual, rev2
Description Relative Ranking is an analysis strategy rather than a single, well-defined analysis method.
This strategy allows hazard analysts to compare the attributes of several processes or
activities to determine whether they possess hazardous characteristics that are significant
enough to warrant further study. Most relative ranking tools employ a checklist approach
where scores are attributed to the individual items on the list. Some items are weighted
more heavily than others with larger scores.
Purpose/ Relative Ranking can be used to compare several process designs, or equipment layout
Application options, and provide information concerning which alternative appears to be the ‚best‛, or
least hazardous, option. Relative Ranking may also be used to compare safety measures to
identify the most advantageous risk reduction option. Relative Ranking studies should
normally be performed early in the life of a project or MOC, before the detailed design is
completed. Several Relative Ranking methods are used within the industry, e.g. the Dow
Fire and Explosion Index (fire and explosion hazards), and ICI Mond Index (chemical and
toxic hazards as well as fire/explosion). Insurance companies also use tools, such as
Instantaneous Fractional Annual Loss (IFAL), to evaluate the effect of process changes on
predicted losses from an insured facility. Government agencies use ranking tools to
determine facilities and process substances worthy of special regulatory effort.
Strengths Simple straightforward tool that provides rapid ranking or screening of conceptual options
for a new facility.
Weaknesses The tools are not flexible, and rely heavily upon the appropriateness of the original
weighting of items on the checklist.
Resources Relative ranking tools may be used by a single person or team who understand the options
for the conceptual design or safety/risk reduction measures being considered.
Information A clear understanding of the options for the conceptual design or safety/risk reduction
Requirements measures being considered.
References CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 4, Non-
Scenario-Based Hazard Evaluation Procedures)
AIChE, Dow’s Fire and Explosion Index Hazard Classification Guide, 7th Edition, 1994
Training:
Best Practices:
1.10 FMEA
Description FMEA identifies single failure modes of equipment and their effects on a system or facility.
The failure mode describes how the equipment fails (open, closed, on, off, leaks, etc.). The
effect of the failure mode is determined by the system’s response to the equipment failure.
An FMEA identifies single failure modes that either directly result in or contribute
significantly to an accident. Human operator errors are usually not examined directly in an
FMEA; however, the effects of a mis-operation as a result of human error are usually
indicated by an equipment failure mode. The qualitative results are normally documented in
a table with columns for equipment, failure modes, and effects.
Purpose/ To identify equipment and system failure modes and the potential effects of each failure
Application mode on the system or facility.
This technique should be used to analyze equipment packages such as compressors,
generators, pumps, etc. and or simple systems, and may be applied at detailed design or
the operating stage of existing facilities.
Strengths FMEA employs a structured evaluation of individual components to assess the effects of
their failures on systems or sub-systems. The emphasis is on the hardware aspects of a
system, how it can fail, and the effects of each specific failure mode. It is a qualitative,
inductive approach that is easy to apply even to moderately complex systems, such as
electrical or hydraulic systems. This analysis typically generates recommendations for
increasing equipment reliability, thus improving process safety.
Weaknesses Not efficient for identifying an exhaustive list of combinations of equipment failures.
Not appropriate for analysis of multiple failures.
Not appropriate for analysis of highly complex systems.
Resources Can be conducted by one analyst or a team. Time and staff requirements depend on the
size and level of complexity of the equipment or system being analyzed.
References CCPS, Guidelines for Risk Based Process Safety, 2007 (Chapter 8, Hazard Identification and
Risk Analysis)
CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 5, Scenario-
Based Hazard Evaluation Procedures)
Training:
Best Practices:
Description Consequence analysis uses mathematical models of discharge, dispersion, fire and
explosion to predict toxic and flammable effects.
Chemicals modelled may be pure or a mixture of chemicals. Discharge models may be
from pipeline or vessel, leaks or ruptures. Weather parameters may be changed to affect
the dispersion. Fire effects modelled include fireball, BLEVE, pool fire, jet fire, and flash
fire. Explosions may be modelled using the, TNO or FLACs methods.
Weaknesses Software models for consequence analysis can be relatively easy to input data and get data
out and may offer a false sense of accuracy in results. Accurate use of the models is
dependent on user competency in the areas of scenario development, parameter settings,
and result interpretation.
Resources Technical expertise in the areas of release, vapour dispersion and fire/explosion modelling
Information The data is taken from plant PFD’s and P&ID’s including process composition, operating
Requirements temperature and pressure, unit layout, piping and vessel data, and process flow data. A site
visit provides layout data.
References CCPS, Guidelines for Evaluating the Characteristics of Vapour Cloud Explosions, Flash Fires,
and BLEVE’s, 1994
CCPS, Guidelines for Use of Vapour Cloud Dispersion Models, 2nd Edition, 1996
CCPS, Guidelines for Consequence Analysis of Chemical Releases, 1999
Software: BP Cirrus suite and manual
Training: Available from Process Safety Engineering, Group Safety & Operations
Best Practices:
Description Fault Tree Analysis is a deductive technique that focuses on one particular incident or
primary system failure as a top event. It then works backward to determine causes and
combinations of causes that lead to that event. The fault tree provides a graphical model
that displays the various combinations of equipment failures and human errors that can
result in the top event.
Cause and Consequence Analysis is a form of Fault Tree and Event Tree.
Purpose/ FTA identifies combinations of equipment failures and human errors that can lead to an
Application incident.
Fault trees are used when other types of hazard identification or analysis have identified a
potential incident or system failure scenario that requires a more detailed analysis. It can
be used to quantify the probabilities of an incident or primary system failure occurring. FTA
may be used in incident investigations to compliment BP’s Comprehensive List of Causes
(CLC) methodology. Fault Trees may also be used in combination with other hazard
evaluation and risk assessment methodologies.
Strengths The strength of FTA as a qualitative tool is the ability to identify combinations of potential
equipment failures and human errors that can lead to an incident. It provides a high degree
of detail and is well suited to the analysis of highly redundant systems with multiple trains
and controls.
FTA may also be used as a quantitative tool within risk assessment techniques, such as
QRA and Reliability Analysis, to identify risk reduction measures focused on causes with
the highest probabilities of occurrence.
Weaknesses Inexperienced analysts may struggle to develop the correct logic and may use data that is
not statistically significant.
For systems vulnerable to single point or common cause failures that can lead to incidents,
it is better to use single failure oriented techniques, such as FMEA and HAZOP.
Resources Time and staff requirements depend on the size and level of complexity of the top event
and the required level of detail and quantification. FTA requires a skilled analyst
experienced in the development of fault trees and participants who are very knowledgeable
in the subject systems.
Information If the fault tree is to be quantified, it will require the use of databases for failure rates and
Requirements incident probabilities.
References CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 5, Scenario-
Based Hazard Evaluation Procedures)
CCPS, Guidelines for Chemical Process Quantitative Risk Analysis, 2nd edition, 2000
Training:
Best Practices:
Description An event tree graphically shows the possible outcomes of one particular initiating event,
such as specific equipment failure, releases, or human error, and provides a method for
determining the possible outcomes of that event. ETA addresses the responses of safety
systems and operators to the initiating event when determining the accident’s potential
outcome. The qualitative results are incident scenario sequences or sets of failures or
errors that lead to an accident. Event tree models are presented with the safety system
successes and failures that lead to each defined outcome, and are used to identify design
and procedural weaknesses worthy of recommendations for reducing the likelihood and/or
consequences of the potential incidents.
Cause and Consequence Analysis is a form of Fault Tree and Event Tree.
Purpose/ To identify potential incident outcomes that can occur, typically as a result of a loss of
Application containment, in terms of the sequence of events (successes or failures of safety functions)
that follow an initiating event. Identify potential consequences of specific initiating events
in processes that have several layers of safety systems or emergency procedures.
ETA may be used for new or operating equipment, and may be used in incident
investigations to compliment BP’s Comprehensive List of Causes (CLC) methodology.
Event Trees may also be used in combination with other hazard evaluation and risk
assessment methodologies.
Strengths ETA is useful for analysing complex processes that have several layers of protection or
emergency procedures in place to respond to specific initiating events. It is relatively easy
to apply, especially through pre-defined scenarios. It may also be used as a quantitative
tool within risk assessment techniques, such as QRA.
ETA may be combined with FTA to display the relationships between incident outcomes
and their basic causes. This is sometimes known as Cause-Consequence Analysis.
Weaknesses A skilled analyst is needed to develop a good understanding of hazardous scenarios from
loss of containment through all possible consequences to impacts on people, property and
environment. An inexperienced analyst may include inappropriate outcomes.
Resources Knowledge of the site and subject matter under review; understanding of hazards and their
potential consequences.
Information If the event tree is to be quantified, failure rate and incident probability data will be needed.
Requirements
References CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 5, Scenario-
Based Hazard Evaluation Procedures)
CCPS, Guidelines for Chemical Process Quantitative Risk Analysis, 2nd edition, 2000
Training:
Best Practices:
Description Human Reliability Analysis (HRA) is a generic title for several hazard evaluation
methodologies that focus on the performance of personnel (operators, technicians,
supervisors, etc.). Most HRA techniques systematically document the errors likely to be
encountered during normal or emergency operation, factors contributing to these errors,
and proposed system modifications to reduce the likelihood of the errors. The results are
usually qualitative, but may be quantified.
Human Factors Expert Analysis is a form of HSSE Review/Brainstorming, and sometimes
Human Reliability Analysis.
Purpose/ HRA is used to identify potential human errors and their effects, or to identify the
Application underlying causes of human errors.
HRA methodologies may be used in incident investigations to compliment BP’s
Comprehensive List of Causes (CLC) methodology. HRA may be used in combination with
other hazard evaluation and risk assessment methodologies.
Strengths There are a variety of HRA methodologies for addressing human factors, and identifying
error-likely situations that can cause or lead to incidents.
Weaknesses HRA has been used extensively in the nuclear and aviation industries and to a lesser degree
in oil and gas. As a result there is limited experience and understanding in the selection
and application of the variety of methodologies.
Resources Requires a skilled human factors analyst experienced in the specific HRA methodology and
participants who are knowledgeable in the work practices. Analyst requires experience of
interviewing techniques.
Information Plant procedures, plant layout, task and work practices, control panel design, alarm system
Requirements design, employee interviews.
References CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 9,
Extensions and Special Applications)
Training:
Best Practices:
Description Bow Tie Analysis is a combination of two other techniques, fault tree analysis and event
tree analysis, with the fault tree on the left hand side, the hazard in the middle, and the
event tree on the right hand side. The Bow Tie diagram, comprised of the trees, can be
used to indicate preventive, controlling, and mitigating barriers that may impact the incident
and its consequences. From this point, means to ensure the integrity of each barrier can
be discussed along with the job role responsible for that barrier
Purpose/ Bow Tie is applicable to all potential hazards. It can be used to describe the means to
Application prevent a potential hazard and the controls and mitigation should it occur. This Bow Tie
diagram is particularly useful in communicating hazards and how they are managed.
Strengths The bowtie is a structured method to assess risk where a qualitative approach may not be
possible or desirable. It is a combination of two easily understood techniques and is
relatively simple for a diverse team to understand and support
It is a very effective tool for use in hazard and risk communication. The clear linkage
between barriers and job roles aids in the understanding of one’s role in hazard
management.
Weaknesses The analysis success is dependent on the experience of the team and the facilitator.
Inexperienced analysts may struggle to develop the correct logic and may use data that is
not statistically significant.
Resources A Bow Tie analysis is typically conducted by a multidisciplinary team. Bow Tie analyses are
typically conducted on the highest ranked risks from a HAZOP or a risk register. Time
requirements are typically 2 - 4 hours per hazard.
Information Data describing the process or installation. Previous process hazard analysis (PHA) studies
Requirements and LOPA will facilitate the Bow Tie development.
References CCPS, Guidelines for Hazard Evaluation Procedures, 3rd Edition, 2008 (Chapter 5, Scenario-
Based Hazard Evaluation Procedures)
Software: Risktec BowTie XP , and ABS Consulting THESIS BowTie
Training: Available from Risktec
Best Practices:
2. RISK ASSESSMENT
Description The combination of the potential consequences of a particular hazard and the likelihood that
those consequences will occur are presented in matrix format as an estimate of the risk
imposed by the hazard. The consequences may include any or all of potential property
damage, environmental impact, injury/health effects, downtime, and public concern.
The axes of the matrix are consequence and likelihood and may be numerical ranges
(orders of magnitude) or qualitative. The risk squares are frequently colour coded into
several levels of risk.
Purpose/ Risk matrices are often used as a semi-quantitative tool for risk ranking a range of potential
Application hazard scenarios from occupational to major accidents. They are used to rank potential
risks, qualitatively, for the purpose of prioritizing risk management activities.
The risk matrix may be used to prioritize PHA and other process safety recommendations.
It is a screening level tool. It is frequently incorporated in PHA sessions such that the
recommendations may be prioritized based on the risk of the hazard they address.
The risk matrix for use in BP is provided in the Group Defined Operating Practice on
Assessment and Prioritization and Management of Risk.
Strengths The risk matrix provides an efficient method to prioritize risk management activities and a
very effective tool to communicate relative risks of various scenarios.
Weaknesses Matrices can be misinterpreted and misused. They are a screening level tool that is
qualitative and subjective. The consequences are usually well-understood and predictable,
but the treatment of probabilities is often more subjective and open to interpretation.
Numerous matrices with different axes have been developed and used over the years,
creating confusion and making comparisons difficult.
Resources A cross-section of disciplines with a general understanding of hazards and their potential
consequences and likelihood.
References GDP 31-00-01 Group Defined Operating Practice Assessment and Prioritization and
Management of Risk
Training:
Best Practices:
NOTE: There may be some overlap between the recommendations in this practice, and
requirements in the Group Defined Practice on Assessment and Prioritization and
Management of Risk. The Group Defined practice should be consulted whenever
consideration is given to whether a risk matrix is needed.
2.2 LOPA
Description LOPA is a semi-quantitative risk assessment technique that uses order of magnitude
categories for initiating event frequency, consequence severity, and the likelihood of failure
of independent protection layers (IPL’s) to approximate the risk of an incident scenario. The
team identifies the independent protection layers and assigns risk reduction credits to each
layer, depending on different criteria.
Purpose/ LOPA is used to evaluate the effectiveness and independence of safety measures,
Application especially protective systems. Safety Integrity Levels (SIL) may be determined using the
LOPA technique.
Strengths LOPA is a powerful technique that may be used to provide a higher level of review than
HAZOP for potential scenarios that can result in single or multiple fatalities to ensure that
adequate protection with sufficient availability is in place to reduce the risk. The technique
provides a more quantitative review of the hazards and associated safeguards or layers of
protections. It can be used to assist the determination of SIL, and may also be combined
with HAZOP to evaluate the safeguards identified in the HAZOP.
Weaknesses If conducted with incomplete information or on a design that is not fixed, the study may
take longer and result in a greater number of recommendations. Poor team commitment
may increase the time needed to complete the study. Inexperienced or inappropriate
selection of team members may result in a lower quality study, and in incomplete or more
recommendations due to inability to understand the process and/or make plant decisions.
Resources Like HAZOP, LOPA is best performed by a team of five to seven members including
process, operations, maintenance, instrumentation, process safety, and a scribe. It is most
effective if the LOPA is conducted at the same time as the HAZOP, making use of the
team’s knowledge. The time needed is dependent on complexity of the process. In
general, a typical refinery process unit will require one to two weeks longer than the
HAZOP study. Team members and their supervisors must be aware of the commitment
necessary for effectiveness. Team members must be available for all sessions.
Information LOPA is often used in conjunction with, and builds upon the information generated by, a
Requirements HAZOP. This requires up-to-date P&ID's, detailed project design criteria, equipment
specifications, material specifications, and other similar engineering design information.
NOTE: There may be some overlap between the recommendations in this practice, and
requirements in the Group Defined Practice on LOPA. The Group Defined practice should
be consulted whenever consideration is given to whether a LOPA study is needed.
Description Facility siting studies are used to evaluate the layout and spacing of occupied buildings with
respect to potential hazards. These studies consider fires, explosions and toxics, as well as
the availability of shelter, muster points, and escape routes. The analysis generally follows
the procedure outlined in API RP 752 and API RP 753. The studies estimate potential
explosion, fire and toxic exposures based on existing operating conditions and screening of
selected buildings on these consequences, and identify those buildings where occupants may
be at greater risk.
Facility Siting is a term specifically used in the U.S. OSHA regulations.
Purpose/ Facility Siting Studies are intended to provide an approach to identify, evaluate, and manage
Application the process safety considerations associated with process plant building design and siting.
The facility siting analysis may be applied to buildings in existing facilities to analyze the risk
to occupants. It should be applied to proposed buildings in existing and new facilities to aid
in the siting of buildings.
Strengths This technique provides a rigorous method of analysis for siting of new buildings, and
determining occupant risk in existing buildings.
Weaknesses Models used are dependent on site specifics that may be subjective and can change,
thereby changing the analysis results. Modelling is dependent on user skill in the areas of
scenario development, parameter settings, and result analysis.
Resources Technical expertise in the areas of vapour dispersion and explosion modelling and risk
calculation
Information Building occupancy, function, and design details are needed. Analysis is based on scenarios
Requirements specific to the operations taken from PFD’s and P&ID’s including: process composition,
operating temperature, pressure and flow rate, unit layout, piping and vessel data. Potential
release scenarios are developed from hazard evaluations and risk assessments, and a
review of the operations. A site visit provides layout data.
References ETP GP 04-30 Design and Location of Occupied Permanent Buildings Subject to Blast, Fire,
and Gas Hazards on Onshore Facilities, plus related segment practices:
ETP GP 04-31 Design and Location of Occupied Portable Buildings for Onshore Locations
(to be based on existing RM-GP 04-30-1)
ETP GP 04-32 Design and Location of Occupied Portable Buildings for Offshore Locations
(to be based on existing EP-GP 04-30-1)
ETPs 24-20,21,22
API RP 752 Management of Hazards Associated with Location of Process Plant Buildings
(under review)
API RP 753 Management of Hazards Associated with the Location of Process Plant
Portable Buildings.
CCPS, Guidelines for Evaluating Process Plant Buildings for External Explosions and Fires,
1996
CCPS, Guidelines for Evaluating the Characteristics of Vapour Cloud Explosions, Flash Fires,
and BLEVEs, 1994
Baker Risk Building Evaluation and Screening Tool (BEAST)
Training:
Description MAR is a screening tool for the identification of major accident risks, and is a simplified
form of QRA, using a purpose-built tool (MAR Calculator) to streamline the analysis. It
involves (i) identifying a representative range of major accident events, (ii) quantifying the
likelihood of those events (influenced by the engineering design of the facilities), (iii)
quantifying the possible physical effects and assessing their consequences (influenced by
the location of the facilities and people), and (iv) presenting the results as Societal Risk (f-N
curve) for comparison against a BP Group Reporting Line.
Purpose/ The objective of the MAR process is to facilitate identification of major accident risks, and
Application provide a coarse assessment of risk, which is used to prioritize areas for remedial measures
and/or further assessment. It supports a program of continuous risk reduction within the
BU/SPU. It can be used to identify scenarios, where options to reduce the likelihood and/or
consequences of the events may be beneficial. The MAR Process is specifically focused at
major accidents which are defined as those involving 3 or more fatalities or environmental
impacts.
Strengths MAR is a simplified screening tool for the identification of major accident risks. It provides
a relatively rapid and approximate indication of risk associated with multiple fatality or gross
environmental damage events.
Weaknesses MAR is a coarse risk assessment and may not address all site risks. It is not a substitute
for other more detailed methodologies, such as QRA and Facility Siting. MAR studies may
identify areas for more focused QRA. MAR is not intended to predict incidents involving
less than 3 fatalities.
Resources MAR reduces the resources (skilled manpower, time, cost) required by QRA by using a
purpose-built tool, using a standard approach, and generic event frequency data. It requires
experienced risk analysts familiar with QRA and personnel with knowledge of the
operation.
Information PFD’s, P&ID’s, plot plans, on-site and off-site population densities and locations,
Requirements meteorological conditions, operating parameters, etc..
NOTE: There may be some overlap between the recommendations in this practice, and
requirements in the Group Defined Practice on the MAR Process. The Group Defined
practice should be consulted whenever consideration is given to whether a MAR study is
needed.
2.7 QRA
Description Quantified Risk Assessment (QRA) is the most complex and detailed form of risk
assessment. It is particularly beneficial in analyzing specific issues or answering specific
questions. QRA may also be required by regulation.
QRA involves the quantification of both likelihood of occurrence and the consequences of
certain hazardous or unwanted outcomes. The probability or likelihood is determined from
historical databases of equipment failure or synthesised from fault and event trees of
smaller, more common events that lead to the outcome. The impact or consequences are
determined by various modelling approaches, such as Consequence Analysis to calculate
the dispersion of flammable and toxic vapours, thermal radiation from fires, and blast
overpressure from explosions.
Results are integrated to calculate Individual Risk and/or Societal Risk. These results may
be represented as geographic risk contours or FN curves.
Security Vulnerability Assessment (SVA) is a form of QRA focused on security risks. CRAM
is a variation of QRA specifically aimed at the concept safety evaluation of new projects.
Purpose/ QRA is typically used to evaluate ‚higher risk‛ operations, and is very effective in
Application identifying individual component risk contributors to a facility’s risk profile to specifically
identify the equipment or activities that dominate the risk. This enables specific risk-
reduction techniques to be targeted to generate substantial risk reduction in the most cost-
effective manner. It may be applied to existing operations and to the design of new
projects.
Strengths QRA studies can be comprehensive and perhaps the most accurate estimation of risk. This
allows objective decision-making on risk reduction measures to allocate resources in the
most cost-effective manner. It is a technique that should be used selectively and with a
focused scope when reliable decisions cannot be made using other simpler risk
assessment techniques. Risk quantification is particularly useful in addressing major
accident risks where past experience by itself is inadequate to provide the appropriate level
of assurance. It also helps to identify priority areas for attention, and enables consistent
decisions to be taken on risk reduction across multiple assets.
Weaknesses QRA can be expensive, requiring extensive time, data and highly skilled resources. In many
instances, QRA is not warranted as other techniques can provide the necessary insight at
substantially less cost.
Resources QRA can require significant resources (skilled manpower, time, and cost) to analyse risks.
Experienced risk assessment professional familiar with the methodology. Personnel with
knowledge of the operation.
Information PFD’s, P&ID’s, plot plans, on-site and off-site population densities and locations,
Requirements meteorological conditions, operating parameters, asset valuations, etc..
References CCPS, Guidelines for Chemical Process Quantitative Risk Analysis, 2nd edition, 2000
Software: MAR Calculator tools; BP Cirrus suite
Training:
Best Practices:
3. ALERT
Title ALERT
Description ALERT is a holistic risk assessment process that addresses other risks besides HSSE risks.
The process is a facilitated workshop, similar to a Peer Assist, involving the development of
a spreadsheet populated with the key risk information, such as cause, event,
consequences, probability of the risk occurring (expressed as percentage), potential impact
on project/BU, and risk owner. The magnitude of the impact is described by 3 scenarios –
optimistic, most likely, and pessimistic.
Purpose/ ALERT is a structured process to determine risk and uncertainty to support projects/BU’s
Application make better risk informed investment decisions. At least one risk workshop should be held
during each stage of CVP.
Strengths ALERT is a valuable means to provide a focus on key project risks and uncertainties on
which future plans for risk reduction may be based.
Weaknesses Lack of experience may result in risks and uncertainties being overlooked.
Resources Personnel trained in risk workshop facilitation plus participants drawn from all key elements
of the Asset Development Team (commercial, reservoir, engineering, wells, marketing,
HSE, operations, etc.) and other BU’s/Support Teams to promote active challenge.
Workshops typically last one to two days.
Description CBA is a technique that involves assessing the costs (labour, materials, etc.) and effects
(positive and negative) of alternative risk reduction approaches, and applying benefit-to-cost
ratios (e.g. willingness to pay to avert a negative outcome) between the alternative options.
A sensitivity analysis is performed on key input data and assumptions. The scope should
be broad enough to incorporate all individuals/organizations affected by any alternative both
immediately and in the foreseeable future .
Cost benefit analysis is in common usage in some parts of the world to demonstrate that
risks are being adequately managed, whereas in other locations the technique is not
accepted. For example, in the UK, a cost benefit approach is well recognized in terms of
demonstrating the legal requirement to manage risks to As Low As Reasonably Practicable
(ALARP). In the US, other methods should be used to evaluate measures to reduce
occupational health and safety risks. Before conducting a cost benefit analysis, each BP
Entity should consult local legal requirements to determine whether they allow or restrict
the use of cost-benefit analysis.
Purpose/ CBA provides a monetized basis for making decisions on cost vs. benefit in selecting from
Application approaches which are only partially expressed in financial terms. It is most useful where
there is a societal aspect to the decision making, and where technical analysis may not
address all factors that should be considered in making a rational decision.
Strengths CBA provides a systematic method to characterise hazards and risks in a manner that is in
context with other business drivers. Its use will result in risk management decisions of
improved quality, consistency and defensibility of any decision, especially funding decisions
that have impacts on engineering, operations and HSSE risks.
Weaknesses Cost benefit analysis is not accepted in some jurisdictions. When used in an HSE context,
it may be misperceived as an effort to place a monetary value on human life or human
health, rather than as an effort to identify the true cost of protecting human life and health.
CBA requires dedicated effort and breadth of scope that is not always easy to achieve. The
scope needs to be wide enough to capture all significant indirect effects. While appearing
sophisticated, the results are only as valid as the quality of the input data.
Information Range of risk reduction alternatives, economic data, such as cost estimates for the
Requirements potential risk reduction alternatives.
NOTE: Before conducting a cost benefit analysis, each BP Entity should consult local legal
requirements to determine whether they allow or restrict the use of cost-benefit analysis.
There may be some overlap between the recommendations in this practice, and
requirements in the Group Defined Practice on the MAR Process. The Group Defined
practice should be consulted whenever consideration is given to whether a cost benefit
analysis is needed.
The following documentation may be available and needed for the study:
P & ID's
Previous Accident / Incident / Near Miss reports (for existing facilities)
Changes to the design since the last HAZOP or hazard review
Flow diagrams, heat and material balances
Operating procedures, if available (required for a procedural HAZOP)
Shutdown Matrices (Cause and Effect Diagrams)
Piping class specifications
Engineering design data sheets, especially relief device data sheets
Emergency shutdown (ESD) system functions
Emergency depressuring (EDP) system functions
Pump and compressor operating curves and dead head pressures
Valve capacities – particularly important for gas blow-by.
General arrangement and elevation drawings, including electrical area
classification and drainage
Building locations, occupancy and materials of construction
Location of 3rd party developments and sensitive environmental areas
Vessel inventories
Environmental impact assessment
Operations and Maintenance Philosophy document
Safety Philosophy document, especially relief/venting philosophy
Commissioning procedures
Start up procedures
Operating procedures
Shutdown procedures
Maintenance procedures
Relevant vendors' P & ID's
Previous safety review or HAZOP reports
Material Safety Data Sheets (MSDS)
Valve capacities – particularly important for gas blow-by
Previous Risk Assessment. In particular, any consequence modelling that has
been completed should be available to the team to assess the consequences of
identified scenarios.
Appendix 8 – Definitions
The following terms are used with the following meanings in this Practice. The principal focus
of this Practice is the management of threats to health, safety, environment and operations, in
the context of the Group’s HSSE goals. For this reason, the term ‚risk‛ as used in this Practice
is confined to threats rather than opportunities.
Barrier (a.k.a. Layer A safeguard comprising plant, process or people that is intended to
of Protection) reduce the probability or impact of an event.
Competent Person Someone who has the professional qualifications, technical skills,
knowledge, understanding, experience and personal qualities (attributes,
attitude and aptitude) which enable them to:
carry out to the required standard their assigned duties at the
level of responsibility allocated to them;
understand all foreseeable hazards related to the task(s) or
equipment under consideration;
detect and recognise any technical defects or omissions in that
task or equipment, and recognise any HSSE implications caused
by those defects or omissions;
specify remedial action(s) necessary to mitigate those HSSE
implications
Control The act of causing the effects of a consequence to be less severe or the
consequence to occur less often.
Failure Modes and A systematic, tabular method for evaluating and documenting the causes
Effects Analysis and effects of known types of component failures.
(FMEA)
Frequency The number of occurrences of an event per unit of time.
Hazard Analyst A competent person who leads and/or conducts hazard evaluations and
(a.k.a. Risk Analyst) risk assessments.
Hazard and The systematic, qualitative approach for hazard identification that uses a
Operability Study structured questioning method to identify hazards and operability
(HAZOP) problems.
Hazard Evaluation The analysis of the significance of hazardous situations associated with a
process or operation.
Individual Risk The frequency at which a specific individual (or group of individuals) may
be expected to sustain a given level of harm (typically, death or serious
injury) from the realization of specified hazards.
Mitigation The act of protecting people, the environment or property from the
consequences of an incident.
Occupancy The probability that an individual is present at the time that a hazardous
event occurs.
Process Hazard A hazard evaluation of identify and evaluate hazards associated with
Analysis (PHA) chemical processes and operations to enable their control.
Process Safety Information that might be used to aid in the understanding of the hazards
Information of a facility, including P&IDs, control information, equipment design data,
process limits, materials of construction, safety system design, MSDS,
relief design basis data.
Risk Assessment The process by which options for risk reduction measures are developed
based upon the results of a risk analysis.
Risk Management The process by which the results of a risk assessment are used to make
decisions regarding risk reduction strategies.
Residual Risk The level of risk that remains when risk reduction measures are taken
into account.
Societal Risk Societal risk describes how often accidents occur and how many people
are killed (or harmed) in such accidents. Unlike Individual Risk, in
Societal Risk there is no distinction between particular individuals. The
relationship between frequency and the number of people suffering a
specified level of harm may be expressed graphically, in what is
generally termed an 'F/N' curve, with the frequency of exceeding given
numbers of casualties plotted on a cumulative basis.