Approved by:
Chief Engineering and Projects Officer- Ali Abdulrahman Digital signature 01/12/2019
A A Al-Mohannadi verified
Endorsed By
When downloaded from the ORYX GTL Document Center, this document is uncontrolled but remains subject to ORYX GTL
Information Security requirements
Reviewed By
Technical Standard
Approved by:
Content
1 Supporting Clauses
2 Introduction
3 Risk Management Philosophy
4 Roles and Responsibilities
5 Authorisation
6 Revisions
7 Endorsed by Quality Section
8 Development Team
Engineering Risk Management Philosophy Reference: GTL-04-03
Classification: Public
Revision: 05
Page: 3 of 35
1 Supporting Clauses
1.1 Scope
1.1.1 Purpose
This Engineering risk management philosophy is to serve as a fundamental guide for decisions made
during the Conceptualization, Development and Execution stages of Engineering projects within ORYX
GTL. It is based on internationally accepted practices as well as ORYX GTL experience. This
philosophy defines a broad approach to risk, and is supported by standards and specifications, which
may be referred to for further details.
1.1.2 Applicability
International Codes:
Sastech Engineering QMS 909 (A), Rev.2, 1998: Project Risk Management Studies, Philosophies, Reviews and Reports Applicable to the Feasibility Stage
Sastech Engineering QMS 909 (A), Rev.1, 1998: Sastech Engineering QMS 918(A) - Scoping Environmental Impact Assessments
ICI Design for Process Safety Manual
ICI-Volume 10: ICI Process Safety Guide Volume 10 - Risk Assessment Methodology
ICI-Volume 1-1974: ICI Process Safety Guide Volume 1 - Emergency Isolation of Chemical Plant - T Kletz
ICI-Volume 16, 1994: ICI Process SHE Guide Volume 16 - Inherent SHE in Process Selection and Development
AICHE: Guidelines for Mitigation of Vapour Release - R. Prugh, R Johnson
Conseil European des Federations de l’Industrie Chimique - 1987: Principles and Guidelines for the Safe Transfer of Technology
ICheme-1993-Warwickshire: Chemical Reaction Hazards - J Barton, R Rogers
Reference Standard
PLAN-ST-0009: Enterprise Risk Management Standard
EBDS-ST-0005 Rev.1, Sept.2015: Capital Project Evaluation & Governance (PEG) Model Standard
Should there be any conflict between this Technical Standard and the above
codes/standards/regulations/specifications and requirements, the more stringent shall apply. The User
shall inform ORYX GTL of any conflict.
1.3 Definitions
Item Definition
VENDOR Shall mean any person, firm or company having a purchase order with
the Contractor for the performance of any item of work.
OWNER Shall mean the responsible ORYX GTL representative for which
services are being rendered by the CONTRACTOR.
The other documents which have been referred to are listed in section 1.2.
2 Introduction
This Engineering risk management philosophy is to serve as a guide for decisions made during the
Conceptualization, Development and Execution Stages of an Engineering project within ORYX GTL.
The Technical Standard shall be applied as a subset of the Enterprise Risk Management Standard.
The ORYX GTL Corporate Risk Matrix shall be used in assessment of all Engineering (& Project)
risks.
Engineering Risk management is to consider various actions in descending hierarchical order. The
inherently safe design consideration should be first in the hierarchy, followed by prevention systems,
mitigation and response.
The risk assessment for the ORYX GTL facility shall be in compliance with the QCS document
“Section 11: Health and Safety, Part 2.4.01: Risk Assessment Guides and Method Statement”.
a. Minimise:
Use smaller quantities of hazardous substances (also called Intensification).
b. Substitute:
Replace a material with a less hazardous substance.
c. Moderate:
Use less hazardous conditions, a less hazardous form of a material, or facilities which minimise the
impact of a release of hazardous material or energy (also called Attenuation and Limitation of Effects).
d. Simplify:
Design facilities which eliminate unnecessary complexity, make operating errors less likely, and which
are forgiving of errors (also called Error Tolerance).
Within the proposed installation there are sub-systems that contribute to the impacts on the
surroundings and on each other. The risk management philosophy shall adopt the inherently safe
design principle by applying the above-mentioned strategies to these sub-systems within the work
environment. These sub-systems must be considered and include, but are not limited to:
The material or substances in use,
The inventories of these substances,
The type of processing of the substances,
The type of equipment used to process,
The persons operating and controlling all of the above (human factor),
The direct work environment.
The type of chemical e.g. aliphatic organic, metal oxide, acid etc.
The chemical composition of the substance e.g. C25H44O2, H2O2, TiCl4
The physical properties e.g. boiling point, flash point, vapour pressure etc.
The health hazards e.g. carcinogen, narcotic, asphyxiant.
The biological hazards e.g. TWA TLV, odor threshold, IDLH etc.
The environmental hazards e.g. toxic to crayfish.
The fire / explosion hazards e.g. highly flammable, explosive limits in air, auto-ignition
temperature, detonable.
Reactivity hazards e.g. polymerisation, rapid evolution of gas, and auto-explosive.
Compatibility with materials of construction, other substances and likely impurities.
Special handling and storage requirements.
Unusual properties e.g. lower ignition temperature when thinly distributed in tower packing
internals.
First aid and medical treatment to be undertaken in an emergency.
During the life cycle of the project this information must be updated.
It is important that potential impurities be considered, as they have a tendency to accumulate and may
jeopardise the quality of the product. They may also react uncontrollably, jeopardising the integrity of
the materials of construction and therefore the containment of substances.
Using the data or methodology in codes such as the NFPA HAZ10 or NFPA 704, the health,
flammability and reactivity hazard ratings for each substance must be determined. The design must
always take this hazardous rating into account and any measures taken to contain the hazards must
be in relation to the rating.
By reviewing the international major hazardous incident databases, e.g. the British IChemE database,
determine if there have been any previous major hazardous events related to using or producing
similar substances.
Having determined the risks associated with the substances, it is now necessary to formulate suitable
responses to unacceptable risks. The risk response hierarchy outlined in the foreword to this
document must be considered. For example:
For substances with high hazardous ratings (health, flammability or reactivity) the use of
alternative less hazardous substances must be thoroughly investigated.
For medium to low hazard materials, alternative substances or use of the material in a different
physical form (e.g. pellets instead of powder or liquids in premixed form) should be considered.
For low risk materials the risks may be acceptable, however they must be monitored and kept up
to date with possible new research findings that increase the hazardous ratings of these
substances.
In terms of the impact on the environment the necessary assessments must be conducted (Refer to
GTL-01-2 Environmental Design Basis).
Refer to Classification of Hazardous Chemicals (GTL-05-03) for details of hazardous chemicals.
3.6 Inventories
Minimising the inventory of material or substance will be part of the inherently safer design. The
inventory of material or substance will be reduced by adopting the following philosophy.
Minimize material inventory.
Reduce the number of storage tanks.
Reduce vapour volume in vessels.
Minimize generation of hazardous material.
Deliver hazardous material or substance through pipeline instead of rail or truck.
Reduce piping length.
Provide isolation valves between the fire risk areas.
Fundamental to managing risk, is the concept that as long as the hazardous substances remain within
containment, i.e. they are controlled, hazardous events should not occur. Should there be a loss of
containment of hazardous substances the extent of the impact is dependent on the quantities of
materials released. In order to select a site, the impact on the surroundings of the single largest
credible loss of containment hazard needs to be understood and analysed in detail. It is therefore
necessary to establish the inventories of hazardous substances required on the site.
For each substance, identify the total maximum inventory that is expected to be on site. In addition to
the total inventories, identify the distribution of these inventories within the processing units, as well as
those quantities in bulk storage in tank farms.
If there is no information concerning the processing inventories, then the following assumptions should
be made.
For petrochemical substances assume that the single largest inventory, and therefore the single
largest loss of containment scenario, will be 10 tonnes for both flammable and/or toxic material. For
fine chemical, biological or pharmaceutical substances, assume smaller quantities.
If information is not available for inventories in bulk storage, consider production rates, logistics and
market requirements to estimate the quantities. The maximum loss of containment scenario would
depend on the largest single storage vessel.
Using these potential losses of containment scenarios, conduct a preliminary evaluation of the
magnitude of possible fires, explosions, toxic releases and other effects. Fire radiation levels,
explosive over pressures and toxic substance dispersion concentrations need to be modelled to
determine the severity of the incidents at various distances from the source. If assumptions have been
made in terms of the quantities of materials, then the analysis should include a sensitivity analysis to
indicate the relative impact of half and/or double the quantities of substances.
This analysis will indicate the impacts on the surroundings beyond the boundary of the installation, as
well as the impacts within the installation itself. Suitable risk management responses must be
formulated to minimise these impacts.
Inventories of hazardous substances with potential significant impacts extending beyond the site
boundary must be eliminated. This can be achieved by:
Reducing or splitting inventories to levels at which particular consequences are highly unlikely;
Relocating storage vessels so that consequences do not extend beyond the boundary;
Introducing design preventative and protective measures to significantly reduce the likelihood of
the event;
Using an alternative site location;
Termination of the project.
Impacts within the site must also be minimised by:
Reducing inventories,
Splitting inventories,
Relocating storage vessels,
Aligning the equipment design to the possible hazards, including preventative, mitigating and
emergency operational systems.
With respect to liquids that are normally in the vapour phase at atmospheric pressure, the storage
of the material at ambient temperatures in pressurised bullets increases the magnitude of loss of
containment risk when compared to refrigerated storage at atmospheric pressure;
The continuous or intermittent planned production of unwanted waste is inherently an inability to
contain the process within acceptable parameters;
A complex and extensive man-machine interface increases the chance of operator error leading to
possible loss of containment;
Interfaces between different processes such as highly automated continuous production, moving
to manually intensive packaging plants, present risks of loss of containment at process
boundaries. Similarly for high pressure processes connected to low pressure processes;
Interfaces to other installations also present risks;
Some processes require extensive frequent maintenance. Each additional “break-in” presents a
potential loss of containment situation;
Different tools are available to assist in comparing the risk associated with two or more different
processes. These tools are the Dow Fire and Explosion Index and ICI's Mond Index.
The proposed processes should be evaluated to understand the risk levels, and how the risks develop.
The mechanisms of the risk in terms of the frequency of possible loss of containment and the resultant
magnitude of the loss should also be evaluated. Consider also the relative robustness of the process,
i.e. how sensitive is it to gross operational errors.
Where feasible, processes that have a high risk of loss of containment should be eliminated and
substituted with processes that are inherently safer.
The loss of containment possibilities in each remaining process should be reduced through design
measures and management systems to control those remaining risks.
The activities and the role of human factors on the installation should be identified, and the following
aspects considered:
Human abilities both physical and mental;
The time delay from detecting a process deviation, to deciding what to do, and to finally acting to
rectify the situation;
The probability that the human will make an error;
The decreasing effectiveness of successive human checking steps;
The reliability of the human factors (number of actions, frequency of actions etc.);
Consider the requirements of the process in terms of error tolerance, time lags etc., and compare the
performance of human factors with the requirements of the process. If the human factor risks are high,
then consider automating or mechanising the activities.
Well-designed human systems can produce inherently safer plant designs and operating procedures.
If we understand how humans work and how human errors occur, we can design better systems for
managing, supervising, designing, reviewing, training, auditing, and monitoring.
The human systems include:
Appropriate training,
Reviews,
Audits,
Error correction cycles.
From a human factors perspective, the chemistry of the process can be made inherently safer by
selecting materials that can better tolerate human error in handling, mixing, and charging.
Similarly, the equipment can be made inherently safer from the influence of human factors by:
Making it easier to understand,
Making it easier to do what is intended,
Limiting what can be done to the desired actions.
The facilities will be inherently safer when designed considering operability and personnel safety. Note
that inherently safer human factor features can reduce risk of injury to employees (improved personnel
safety) and can reduce risk to the process from the worker (improved process safety).
Ergonomics should be applied in the layout of equipment, valves, controls, and anything else that the
operating and maintenance personnel need to access. Designs that avoid bending, climbing, and
stretching are inherently safer.
Determine the possible impact of hazardous incidents at neighbouring installations on the proposed
project. Consider the impact of possible future infrastructure changes, or lack thereof, e.g. decreasing
availability of water.
Consider methods to eliminate high risk factors e.g. on site power generation if deterioration in quality
of supply is expected, reduce water consumption, recycle effluents etc.
[Figure labels: Deviations; Loss of Containment; Disaster]
The process of transferring materials to and from road or rail tankers requires specific attention.
These processes have many separate activities and require the involvement of human operators to
connect temporary transfer lines and initiate other transfer activities. Due to the number and nature of
the activities there is a relatively high potential for error leading to loss of containment; as such, all
loading facilities must have a manually activated emergency shut-off valve.
The properties of the material being loaded and the location must be considered when choosing
between open versus enclosed loading facilities.
The three hazards, namely fire, explosion and toxic release, will be the result of uncontrolled release of
material followed by vapourisation and dispersion of materials.
The uncontrolled material releases are either gases, mists or liquids and are either atmospheric
releases or pressurised. Gas and mist releases are considered more significant since they are readily
ignitable and, if ignited, are instantly and widely destructive due to the generation of
vapour clouds. Liquid fires are generally less prone to ignition, localised and relatively controllable.
The cause of a release can be external or internal corrosion, internal erosion, equipment wear,
metallurgical defects, operator errors, third party damage or operational requirements.
Generally releases are categorised as:
3.20.1.5 Leak:
Leaks are typically developed from valve or pump seal packing failures, localised corrosion or erosion
effects and are typically "small" to "pin-hole" sized.
The uncontrolled release of material and its effects after release shall be minimised by the following
means, which will be strictly adopted at the time of design.
Segregation, separation and arrangement of different process facilities and equipment.
Proper design of grading, containment and drainage systems.
3.20.2 Preventing formation of hydrocarbon mixture (within LEL and UEL limit)
The hydrocarbon material will only ignite when the concentration of flammable mixture within the air is
between the lower explosive limit (LEL) and upper explosive limit (UEL).
The most important thing is that flammability limits are not an inherent property of a material but are
dependent on the surface to volume ratio and velocity or direction of air flow under the test.
Due to this characteristic, the formation of ignitable mixtures can be reduced by applying the following
measures.
1. All hydrocarbon areas should be provided with maximum ventilation capability. Specific
examinations should be undertaken at all areas where the hazardous area classification is defined
as Class 1 Division 1 or Class 1 Division 2. These are areas where hydrocarbon vapours are
expected to be present, so adequate ventilation is provided.
2. Area congestion should be kept to a minimum such that vessels should be orientated to allow
maximum ventilation or explosion venting, and bulky equipment should not block air circulation or
dispersion capability.
3. Release or exposure of flammable vapours to the atmosphere should be avoided.
4. Gas detection is provided, particularly to areas handling low flash point materials with a negative
or neutral buoyancy (i.e. vapour density is 1.0 or less), since these have the highest probability to
collect or resist dispersion.
5. Air or oxygen is eliminated from the interior of process systems.
diagram. Materials can fail due to mechanical, structural or corrosion inadequacies. Mechanical
failures include fatigue, creep etc. Corrosion is the chemical degradation of the material and can
be uniform and predictable or localized and erratic. Consider, in particular, corrosion at points
where there are changes either in material of construction, the condition of process fluids or
changes in flow rates or phases etc.
5. Equipment design, manufacture and testing must be in accordance with internationally accepted
mechanical design codes and practices such as ASME, DIN and ANSI.
6. The integrity of the equipment must support the philosophy of containment of materials, e.g.
design to contain the maximum foreseeable pressure, consider installing overhead condensers
inside distillation columns to limit the number of leak sources.
7. Consider alternative processing methods and/or equipment that will eliminate or reduce the
possible routes for loss of containment e.g. gravity flow eliminates the need for a pump with seals
that could possibly leak.
8. Process functional steps must be reduced to eliminate excessive equipment; for example,
integration of different steps such as cooling one stream and heating and pumping another, into
one item of equipment. In this regard the design must facilitate minimisation of items of equipment
without reducing the redundancy requirements.
9. The process design must include manufacturer’s requirements on the equipment such as
minimum flow protection systems, internal pressure relief etc.
3.21.1 Furnaces
There are two primary risk issues to consider when specifying furnaces:
Internal explosions of the combustion materials in the fireside.
Loss of containment of process materials into the fire side of the furnace, and resultant explosion,
fires or toxic releases.
Furnace design must comply with the NFPA burner management, safe start-up, operation, shutdown
and fuel systems codes / standards. The furnaces shall be located at least 50 ft (15 m) horizontally
from all vents.
3.21.5 Filters
Design for self-cleaning filters to reduce the potential of loss of containment.
Ensure a vacuum is not drawn during draining and that over-pressurisation does not occur during
filling or purging.
Consider vessel exposure to an external fire.
Design for over- or under-pressure relief considering API 2000 (2014) requirements.
Consider possible temperature changes due to residual process materials flashing during de-
pressurisation or venting.
Consider rollover of tank contents.
Avoid allowing liquids to free-fall into vessels in order to avoid / reduce static generation, frothing and
erosion.
3.21.9 Columns
As for vessels, consider vacuum and over-pressurisation.
Consider bed collapse in towers. Internal supports must be able to handle flooding, pressure surges
etc.
Special care should be taken when opening columns containing flammable materials and high surface
area internals. Design for sufficient purging to prevent fires.
3.21.11 Dryers
The primary hazards are possible overheating, fires and explosions.
Any leakages or spillages may give rise to flammable and explosive atmospheres as mentioned
above. To protect both personnel and the plant, precautions must be taken to ensure that the
atmosphere cannot be ignited. It is generally recognised that there are three main categories of
ignition sources in a hydrocarbon facility – open flames, hot surfaces and sparks. The overall objective
for protection is to remove these ignition sources from, or provide a barrier between them and, materials
that can readily ignite if contact is made. The ability of these sources to ignite a material depends on their
available energy and configuration.
Following are the typical sources of ignition that may be found in process areas:
Flares
Boilers
Fired heaters
Static electricity
Vehicle traffic
Electrical motors
Hot work—welding and cutting
Hot surfaces
Lighting
Overhead high voltage lines
Mechanical—sparks friction, impact, vibration, etc.
Chemical reactions
All areas of the plant must be classified according to the presence of different categories of flammable
materials and the manner in which these are processed. All electrical equipment must be specified
according to the classification of the area in which it is located (Electrical Area Classification).
Ensure that the classification of areas is completed according to local as well as internationally
accepted standards (The Institute of Petroleum Model Code of Safe Practice, Part 15, and Area
Classification Code for Petroleum Installations).
Two other sources of electrical sparks are lightning and the build-up of static electricity on equipment.
Identify circumstances that can lead to the accumulation of static, e.g. two phase flow, pouring solids,
connecting road tankers to off-loading systems, splash filling, belt drives, personnel, overhead power
transmission cables etc., and particular situations where static electricity can lead to a hazardous event.
First seek to eliminate the presence of flammable materials and then consider eliminating the possible
causes of static. Ensure adequate preventative and protective measures are in place to deal with
remaining possible sources of static electricity. The basic philosophy for static electricity protection is
to provide a means of harmlessly discharging (e.g. earthing) the potential before it reaches sparking
levels.
Where necessary, lightning protection must be installed according to accepted codes and standards.
Refer to the standard for ignition control source (OHSE-ST-0315) for more details regarding the control
of sources of ignition.
A second risk management issue related to electrical systems is the use of power for safe shutdown of
the plant and the implication of power failures.
Identify all electrical equipment connected to processing equipment containing hazardous materials.
Identify the source of power in terms of distribution systems.
Determine the impact of failure of the electrical supply during normal and anticipated upset operating
conditions in terms of possible escalation of events and ultimate loss of containment of hazardous
materials.
For applications where containment can be jeopardised by failure of electrical equipment, eliminate the
dependency on power, consider redundancy of electrical equipment, or supply back-up power.
Ensure adequate clean ventilation of cable ducts to reduce corrosion etc.
Electrocution of personnel must be prevented.
Determine the level of reliability, accuracy and availability that is required of monitoring and control
instrumentation in view of the relative hazards. The systems must be able to prevent hazardous events
from developing.
The level of reliability required of the monitoring systems must be supported by sufficient instrument
redundancy and/or diversity. The entire instrument system, from detection through transmission to
actuation, must be put together to ensure the highest availability. Consider also the possibility of
common mode failures such as instrument air failures and the effects on containing hazards.
The level of reliability of the monitoring systems must also be supported by sufficient computational
back-up, fault-revealing systems and systems to ensure safe shutdown mode (i.e. watchdog system,
failure mode to safe). UPS supply from battery shall be used.
Ensure that the normal control and monitoring instrumentation is completely separated from the
emergency protection systems i.e. the entire system from measurement, through transmission to
activation must be segregated.
Any over pressure monitoring and control system for process purposes, must not be considered as
over-pressure protection to maintain equipment integrity (see following section). These systems must
fail to the closed position to protect the downstream dumping facilities such as flares or effluent
systems from unnecessary overload. Over-pressure control systems will only be allowed to fail open
where a risk assessment or process condition necessitates such an action, i.e. not the normal case.
To ensure plant safety and operability, qualitative risk assessment shall be carried out.
Qualitative reviews are studies based on the generic experience of personnel and do not involve
mathematical estimations. These reviews are essentially checklist reviews in which questions or
process parameters are used to prompt discussions of the process design and operations and
possible accident scenarios.
3.23.1.4 HAZOP
A formal, systematic critical safety study where deviations of design intent of each component are
formulated and analysed from a standardised list. Risks are typically expressed in a quantitative
numerical series (e.g. 1 to 5) relative to one another.
3.26.1 Flaring
A flare provides a means of disposing of gaseous effluents by burning them under controlled
conditions and converting them to less objectionable compounds. Flares may be elevated or located at
ground level and are either open or enclosed. Elimination of VOC emissions may necessitate small
“stick flares” for low-pressure releases from tanks, DAF units, and wastewater treatment plants etc.
Ensure that all over-pressure control systems failing open into the flare system have been subject to a
risk assessment indicating process conditions that necessitate such an action, i.e. not the normal
case.
Ensure that only pressure safety devices are relieving into flare systems.
Flare design must comply with API 521. Issues requiring attention include radiation exposure levels,
stack height, header sizing, tip design, noise, smokeless burning, continuous purging, pilot flame etc.
Avoid guyed stacks.
Consider purging, and pilot gas requirements individually in view of aspects such as lightning strikes,
static etc.
There are generally five types of liquid draining systems, which must be kept separate:
Clean storm water sewers;
Oily water sewers;
Chemical sewers;
Special closed conservation sewers for recovery of chemicals;
Sanitation sewers.
Rainwater collection and catchment must be of such a nature that clear rainwater will not be
contaminated with process material or allowed to run off with the normal process run-off system.
When sizing sewers, accommodate the typical storm intensity cycle and related run-off quantities for
the area.
Rainwater will be allowed to flow freely to a safe location if contaminated with flammable materials. If
contaminated with process materials it will be allowed to flow under controlled conditions to the effluent
handling facilities.
All process inventories of products, feedstock materials etc. must be drained to closed systems. The
area under vessels must be bunded to contain at least the full volume of the largest vessel in the area.
Drainage areas should be paved for protection of the underlying ground and ground water. Drainage
areas must also be paved; not covered with gravel, as the latter tends to increase the vapourisation
rate of volatile materials.
Process chemicals must be contained in conservation sewers within the plant boundaries for recovery
purposes, or only be allowed to drain outside the plant into chemical sewers under controlled approved
conditions.
Flammable material, if spilled, must drain to a safe location. Combustible materials must not be
allowed to collect within the processing unit or under equipment, but must drain away.
Draining must be rapid and natural; within bunded areas, consider curbing to direct flows, minimise fire
intensity and aid with foam dispersion. The intensity of radiation from a fire is directly related to the
surface area of the fire, thus, minimising areas where materials can accumulate is an important
abatement measure. Consider firewalls between drain-off catchment pits and vessels to protect
vessels from possible fires in the catchment pits. Catchment pits should normally be kept empty.
Care must be taken to provide some form of isolation on sewers connecting plants of differing
electrical classifications. This will prevent flammable materials being distributed through the sewer
system to non-flammable areas etc.
Draining of toxic materials must be avoided at all times. Under extreme emergency conditions, ensure
that the area is bunded to contain the full volume of the spill. Consider rapid drainage to secondary
containment, vapourisation suppression, emergency scrubbers etc.
Forced drainage should be provided in basements and low-lying areas.
Drainage in road and rail loading areas should ensure that a spill at one point does not drain
underneath other vehicles.
For releases of highly flammable gaseous materials, it is generally best to design for rapid dispersion
in open, well ventilated structures rather than secondary containment. For heavier flammable
materials, secondary containment is desirable, as described above.
Finally reduce the impact of a fire using passive or active fire protection systems.
3.27.1 Passive Protection
The passive fire protection design shall consider the following methods to achieve protection for any
plant facilities:
Spacing and layout
Fireproofing
Containment and drainage
Diking
Fire walls
Electrical area classification
Basic equipment protection systems and integrity must support containment of materials under fire
conditions.
Spillage control must support rapid drainage away from equipment and minimum pool area formation
by sloping and curbing.
Fire proofing must be applied to avoid collapse of structures supporting equipment or piping and to
vessel or column supporting skirts in fire hazardous areas.
Electrical and instrument cables will only be fireproofed if required to be operable for up to a maximum
of 30 minutes for safe shutdown of the plant. Sufficient redundancy of cabling must be provided prior
to fire proofing. The plant must be designed to automatically go to safe mode during any sudden
stoppage.
On flammable gas systems, flame arrestors are sometimes considered as a last line of defence; these
devices are permeable to gas but not to flames. By providing a large, relatively cool surface area
through which the burning gas must move, the device quenches the flame and cools the products
sufficiently to prevent re-ignition at the arrestor outlet. Installation and location of the arrestor must
consider the flame characteristic of the material, the equipment configuration, process conditions,
possible fouling and plugging etc.
Active fire protection systems shall be designed to accomplish a combination of the following
objectives:
Fire protection systems achieve extinguishment of fire through a number of methods, principally:
Reducing the heat release rate of a fire and preventing flashback by cooling—this reduction of the
heat release rate and cooling usually occurs by direct and sufficient application of cooling medium
through or into the fire plume and onto the burning fuel surface.
Separating fuel vapours from oxygen (smothering) thereby inhibiting the chemical chain reaction.
For example, extinguishment of fire by water is accomplished by any or a combination of cooling,
smothering from produced steam, emulsification of some liquids, and dilution.
3.27.2.2 Control of burning
Fire protection systems achieve control by limiting the size of a fire through:
Distribution of extinguishing agent to absorb heat released
Providing exposure protection to adjacent combustibles
Containment
Control of burning systems operates until one of the following occurs:
Agent supply is exhausted
Burning fuel is consumed
Flow of fuel is stopped
Leaking fuel is extinguished
3.27.2.3 Exposure protection
Fire protection systems achieve exposure protection by absorbing heat through the application of
extinguishing agents to structures or equipment exposed to a fire. The application of some
extinguishing agents removes or reduces the heat transferred to the structures or equipment from the
exposing fire, as well as limits the surface temperature of exposed structures and equipment to a level
that will minimise damage and prevent failure.
Exposure protection systems provide protection by applying water to structures and equipment
for the anticipated duration of the exposure fire. Water spray curtains are generally less effective than
direct application due to unfavourable conditions such as wind, thermal updrafts, and inadequate
drainage. Extinguishing agents such as CO2 or dry chemical agents are not able to provide this type of
cooling.
Fire protection systems prevent fires by operating until flammable vapour, gases, or hazardous
materials dissolve, dilute, disperse, or cool. The following firefighting agents are normally used to
achieve the above purpose:
Water
Foam
Carbon Dioxide
Dry chemical
Clean Agents
Fire water systems comprised of hydrants, fire equipment boxes and fixed monitors are common
features installed in larger facilities. Fixed water spray systems are proven to be effective for certain
applications, such as removing heat from a hot-oil pump fire, thus protecting nearby equipment. Dry
chemical extinguishers are used for quick extinguishment of small fires. Other agents such as foam,
steam and carbon dioxide are also used to provide extinguishment capability. The most commonly
used firefighting agent in the plant facilities is water. A fire water distribution system shall be designed
according to NFPA and owner standards.
The level of automation of fire detection, automatic handling and immediate automatic isolation
protections will depend on:
The type of plant,
Potential fire hazards,
Human resources to operate fire systems,
Value of the installation,
Human resources to take part in fire handling.
With the height of pool fires and associated fire proofing, the surface to be considered is the possible
pool fire surface, not necessarily only grade level, i.e. there could be a fire on the second floor of a
concrete structure.
Refer to the engineering standard, GTL-55-1 Fire and Gas Detection.
Avoid cladding or lagging which encourages pockets of gas and aids combustion,
Inerting philosophies,
Explosion inhibiting materials can be added,
Rapid reaction quenching,
Prevention of explosion propagation through use of critical diameters etc.
Buildings whether manned or unmanned shall take into account prevailing wind direction and should
be orientated with their long axis north-south where practicable. This will reduce the extent of solar
heat gain.
Buildings, especially control and technical rooms, shall be positioned in non-hazardous areas.
Where manned buildings or buildings containing safety critical equipment cannot be separated from
plant hazards the buildings in question must be designed to sustain the design accidental loads (fire
and explosion). Blast resistance / resilient design shall be determined by the risk analysis such as fire
and explosion hazards analysis, QRA (blast contours).
information to complete all the tasks associated with petroleum activities. This includes activities
associated with emergency fire and explosion protection measures.
Identify the man/machine interface, the number of controls, alarms, read-out, activities etc. that have
to be undertaken by each operator under normal, expected abnormal, and emergency conditions.
Identify high-risk activities where operator input is important. Determine the probability of operator
error in each of the high-risk tasks.
Eliminate the need for critical operator intervention in numerous high-risk tasks, or reduce the number
of tasks per operator.
Also consider how the following aspects impact on reducing operator error:
Audible vs. flashing alarms are more effective in gaining operator attention,
Human error variation under normal routine tasks versus high stress emergency scenarios,
Human performance tends to deteriorate over time in routine tasks,
Generally uncomfortable and stressful surroundings, e.g. noise, heat, and bad ergonomics.
To reduce the potential for accidents from human error, the design shall incorporate all of the following
human error considerations as a minimum. The following guidelines shall also be incorporated into
vendor specifications for packaged equipment. Floors in work areas and walkways shall be designed
in accordance with the following:
Walkways for access to permanently and intermittently manned work places shall be provided;
these shall be shown on relevant drawings.
Slippery liquid on floors shall be avoided, (e.g. by using drip trays).
Protruding objects shall be avoided in walkways.
The need for anti-skid surfaces shall be evaluated in all work areas where spill of slippery liquid,
dusts etc. may occur.
Storage and lay down areas should be located in the vicinity of each other and on the same level.
Stairs for platforms.
Workplaces shall be arranged to provide contact with others; solitary work shall be avoided in
permanently and intermittently manned areas.
Identify the possible release of toxic materials, fires, explosion and other hazards on the plant.
Determine the frequency and consequences of these events and compile a short list of credible
high-risk emergency scenarios.
Develop emergency procedures, systems and infrastructure to cater for the above emergency
scenarios.
5 Authorisation
The Projects Services Manager and Chief Engineering & Projects Officer have seen and approved this
document as per the sign-off page.
6 Revisions
Head of Quality
8 Development Team