
Technical Standard - TS

Title: Engineering Risk Management Philosophy
Reference: GTL-04-03
Revision: 5
Effective date: 01/12/2019
Total pages: 35
Revision date: 01/12/2022
Classification: Public

Custodian | Signature | Date
Projects Services Manager - Hussain Abdulla H A Al-Sada | Digital signature verified | 01/12/2019

Approved by:
Chief Engineering and Projects Officer - Ali Abdulrahman A A Al-Mohannadi | Digital signature verified | 01/12/2019

Endorsed By

Sr. No. | Endorsed By | Endorsed Date
1 | Integrated Management Specialist - Lakhdar Barka | 01/12/2019
2 | Head of Quality - Mooza Abdulla Mubarak A Ali | 01/12/2019

When downloaded from the ORYX GTL Document Center, this document is uncontrolled but remains subject to ORYX GTL
Information Security requirements

Reviewed By

Sr. No. | Reviewed By | Position | Reviewed Date | Comments
1 | Melvin Bryan Arellano Ebreo | Chief Secretary | 30/09/2019 | [Action Taken - Review Started] This Technical Standard has been updated as per the new template only. No revision to its content. Please note that currently, the CDMS document Viewer is not working properly. Kindly just download the softcopy if you want to view it on its original format.
2 | Hussain Abdulla H A Al-Sada | Projects Services Manager | 01/10/2019 | [Action Taken - Approved]
3 | Ali Khedher | Projects Manager | 01/10/2019 | [Action Taken - Approved]
4 | Khemais Besbes | Lead Discipline Engineering | 01/10/2019 | [Action Taken - Approved]
5 | Ismail Saleh M A Al-Khabani | Chief QHSE Officer | 03/10/2019 | [Action Taken - Approved]
6 | Barend Johannes De Klerk | Maintenance Manager | 09/10/2019 | [Action Taken - Approved] Approved
7 | Marcel Juergen Krause | Technical Manager | 14/10/2019 | [Action Taken - Approved]
8 | Paul Dennis Vardanega | Production Manager | 22/10/2019 | [Action Taken - Approved]
9 | Paul Mathew Gaius | Technical Assistant | 27/10/2019 | [Action Taken - Review Completed] Approved as there are no comments from the previous approvers/reviewers. For IMS further action and approvals.

Technical Standard

Title: Engineering Risk Management Philosophy
Reference: GTL-04-03
Revision: 05
Effective date: October 2019
Total pages: 1 of 35
Revision date: September 2022
Classification: Public

Custodian:
Projects Services Manager - Hussain A. Al Sada

Approved by:
Chief Engineering & Projects Officer - Ali A. Al Mohannadi

Engineering Risk Management Philosophy Reference: GTL-04-03
Classification: Public
Revision: 05
Page: 2 of 35

Content
1 Supporting Clauses
2 Introduction
3 Risk Management Philosophy
4 Roles and Responsibilities
5 Authorisation
6 Revisions
7 Endorsed by Quality Section
8 Development Team


1 Supporting Clauses

1.1 Scope

1.1.1 Purpose

This Engineering risk management philosophy is to serve as a fundamental guide for decisions made
during the Conceptualization, Development and Execution stages of Engineering projects within ORYX
GTL. It is based on internationally accepted practices as well as ORYX GTL experience. This
philosophy defines a broad approach to risk, and is supported by standards and specifications, which
may be referred to for further details.

1.1.2 Applicability

This document shall apply throughout ORYX GTL.


1.2 Normative/Informative Codes
Parties using this document shall apply the most recent edition of the documents listed herein.

International Codes:

Code/Standard No/Rev/Date | Title of Document
3rd Edition | Lees - Loss Prevention in the Process Industries
AICHE Guidelines 1993 | Engineering Design for Process Safety
Sastech Engineering QMS 909 (A), Rev.2, 1998 | Project Risk Management Studies, Philosophies, Reviews and Reports Applicable to the Feasibility Stage
Sastech Engineering QMS 909 (A), Rev.1, 1998 | Sastech Engineering QMS 918(A) - Scoping Environmental Impact Assessments
ICI | Design for Process Safety Manual
ICI-Volume 10 | ICI Process Safety Guide Volume 10 - Risk Assessment Methodology
ICI-Volume 1-1974 | ICI Process Safety Guide Volume 1 - Emergency Isolation of Chemical Plant - T Kletz
ICI-Volume 16, 1994 | ICI Process SHE Guide Volume 16 - Inherent SHE in Process Selection and Development
AICHE | Guidelines for Mitigation of Vapour Release - R. Prugh, R Johnson
Conseil European des Federations de l’Industrie Chimique - 1987 | Principles and Guidelines for the Safe Transfer of Technology
ICheme-1993-Warwickshire | Chemical Reaction Hazards - J Barton, R Rogers

Reference Standard
PLAN-ST-0009 | Enterprise Risk Management Standard
PLAN-ST-0001 | Corporate Risk Matrix Standard


GTL-01-02 | Environmental Design Basis
GTL-04-06 | Plant Layout Basis
GTL-04-04 | Noise Control Philosophy
GTL-04-05 | Relief and Venting Philosophy
GTL-05-03 | Classification of Hazardous Chemicals
EBDS-ST-0005 Rev.1 Sept.2015 | Capital Project Evaluation & Governance (PEG) Model Standard

1.2.1 Order of Precedence

The Order of Precedence shall be as follows:

• This Technical Standard
• Enterprise Risk Management Standard
• Qatar statutory law and regulations
• RLIC Regulations
• ORYX GTL HSE Regulations
• OHSA United States Occupational Health & Safety Administration Regulations
• Approved technical exception / deviation list (as applicable)
• Amendments to National/International codes and standards
• National/International codes and standards
• Qatar Construction Specifications 2014

Should there be any conflict between this Technical Standard and the above
codes/standards/regulations/specifications and requirements, the more stringent shall apply. The User
shall inform ORYX GTL of any conflict.

1.3 Definitions

Item | Definition
CONTRACTOR | Shall mean any person or persons, firm, partnership, corporation or combination thereof (including its Subcontractors) employed for the performance of services by ORYX GTL.
VENDOR | Shall mean any person, firm or company having a purchase order with the Contractor for the performance of any item of work.
OWNER | Shall mean the responsible ORYX GTL representative for which services are being rendered by the CONTRACTOR.
Plant | Shall mean ORYX Gas to Liquids Facility.
Shall | Refers to a requirement.
Should | Refers to a recommendation.
May | Refers to one acceptable course of action.


1.4 Abbreviations and Acronyms

Abbreviation/Acronym Expanded Name


DAF Dissolved Air Flotation
ESD Emergency Safety Valve
GTL Gas to Liquid
HAZOP Hazard and operability studies
ICI Imperial Chemical Industries
NFPA National Fire Protection Association
QCS Qatar Construction Standards
RLIC Ras Laffan Industrial City
TLV Threshold limit value
TWA Time Weighted Average
UEL Upper Explosive Limit
LEL Lower Explosive Limit
IDLH Immediately Dangerous to Life and Health
VOC Volatile Organic Compounds
PSV Pressure Safety Valve
ALARP As Low as Reasonably Practicable

1.5 Implementation Date


The implementation date is 13th October 2016.

1.6 Process for Monitoring


The custodian of the document along with other users within ORYX GTL shall monitor compliance with
the requirements of this Standard. Any revision to the standard shall be processed in accordance with
ORYX GTL- IMS Procedure for “Update Engineering Technical Standards”.

1.7 Related/Supporting Documents


The following are particularly important documents which have been referred to whilst preparing this
document.

1. Lees - Loss Prevention in the Process Industries (3rd-Edition)

2. Inherently Safer Chemical Processes by Trevor Kletz

The other documents which have been referred to are listed in section 1.2.

1.8 Key Words


Risk, Hazard, Process, Inherent, Substance, Environment


2 Introduction
This Engineering risk management philosophy is to serve as a guide for decisions made during the
Conceptualization, Development and Execution Stages of an Engineering project within ORYX GTL.
The Technical Standard shall be applied as a subset of the Enterprise Risk Management Standard.
The ORYX GTL Corporate Risk Matrix shall be used in assessment of all Engineering (& Project)
risks.

3 Risk Management Philosophy

3.1 Definition of Risk Management


The term “risk management” is generally used to cover the whole process of identifying risk, selecting
goals and creating and operating systems for their control.
The hazards with which risk management is concerned include in general those from events and
manmade systems that give rise to a range of physical, financial, legal and social risks.

3.2 Scope of This Document


This Technical Standard addresses Engineering risk management by first considering the impacts of
the installation on the surroundings and then the impacts of the surroundings on the installation. The
Technical Standard then focuses on specific aspects of risk management to be considered during
Engineering design phases.
The Technical Standard handles any technical risk factors that are not normally fully addressed in other
design requirements and may therefore overlap with other design guides and philosophies. This
guideline is not intended to handle the detail of every conceivable situation but rather to entrench the
approach and highlight typical risks that may occur. Sound judgement by skilled and experienced
people, within the parameters of this philosophy, and support from risk assessment studies, are
essential to the optimum solution under specific local conditions.
In order to have the widest scope to affect alternative responses, it is essential that the risk
management process begins as early as possible in the life cycle of a project, even if sufficient
information is not available. The risks can be monitored and information updated as the project
progresses. The Capital Project Evaluation & Governance (PEG) Model Standard allows for decision
gates where the risks will be evaluated before approval is granted to proceed with the project.

3.3 General Principles


The foremost requirement of any development is that it must comply with the legislation of the host
country and the requirements of the local authorities. Secondly, the development must comply with
internationally accepted standards, codes and practices. If there is a dispute concerning the standards
and requirements, the owner will decide which route is appropriate. The transfer of technology must
always consider the capacity of the host country to operate, manage and maintain the facilities and all
responsibilities must be very clearly defined and allocated early in the project. International treaties,
conventions and agreements must also be respected.
Any design matters related to environmental risks must be addressed as early as possible in the
development of a project. The design will comply with the environmental legislation of the host country
and local authorities and the principle of sustainable improvement will be respected. Where local
legislation or regulation is limited the owner will ensure a responsible approach.
The risk management for the ORYX GTL plant shall be as per the RLIC document, HSE Management
system (QPR-RHT-003). RLIC has established and maintains a system for systematic identification,
assessment and control of potential risks that may arise from its activities or material in use. RLIC shall
ensure that the results of assessments and the effects of controls are considered when setting its HSE
management objectives. RLIC shall document and keep this information up to date.


Engineering Risk management is to consider various actions in descending hierarchical order. The
inherently safe design consideration should be first in the hierarchy, followed by prevention systems,
mitigation and response.
The risk assessment for the ORYX GTL facility shall be in compliance with the QCS document,
“Section 11: Health and Safety, Part 2.4.01: Risk Assessment Guides and Method Statement”.

3.4 Risk Management Scope Related to the Work Environment


The inherently safe design principle is the base tool of risk management philosophy related to the work
environment. Safety begins with the process design; an inherently safer process
design is the objective of any modern plant design. When this cannot be achieved, process hazards of
varying severity will exist.
A chemical manufacturing process is inherently safer if it reduces or eliminates the hazards associated
with materials or substances (type, inventories) and operations (equipment type, human factors) used
in the process, and if this reduction or elimination is permanent and inseparable. To appreciate this
definition fully, it is essential to understand the precise meaning of the word "hazard." A hazard is
defined as a physical or chemical characteristic that has the potential for causing harm to people, the
environment, or property.
It is always preferable to design an inherently safe plant which can withstand human error and
equipment failure (with serious effect on safety, the environment or output and efficiency). This is
desired over adding equipment to control hazards or protect people from their consequences.
Approaches to the design of inherently safer processes and plants have been grouped into four major
strategies as follows.

a. Minimise:
Use smaller quantities of hazardous substances (also called Intensification).

b. Substitute:
Replace a material with a less hazardous substance.

c. Moderate:
Use less hazardous conditions, a less hazardous form of a material, or facilities which minimise the
impact of a release of hazardous material or energy (also called Attenuation and Limitation of Effects).

d. Simplify:
Design facilities which eliminate unnecessary complexity, make operating errors less likely, and which
are forgiving of errors (also called Error Tolerance).

Within the proposed installation there are sub-systems that contribute to the impacts on the
surroundings and on each other. The risk management philosophy shall adopt the inherently safe
design principle by applying the above-mentioned strategies to these sub-systems within the work
environment. These sub-systems must be considered and include but are not limited to:
• The material or substances in use,
• The inventories of these substances,
• The type of processing of the substances,
• The type of equipment used to process,
• The persons operating and controlling all of the above (human factor),
• The direct work environment.


3.5 Material or Substances


The materials or substances used in the chemical process are the raw materials or feedstocks, the
intermediates, the products and also any catalysts, additives etc. In inherently safe design the material
or substance used in chemical processing plays a fundamental role as the hazard is either intrinsic to
the material, or depends on its conditions of storage or use and its processing.
The inherently safe approach is to reduce the hazard by reducing the quantity of hazardous material or
energy, or by completely eliminating the hazardous agent.
This phase of the technical risk management program must be done as thoroughly as possible, and as
early as possible in the life cycle of a project.
In line with the fundamental philosophy of risk management as outlined in the foreword to this
document, the first step is to identify the risk factors. Within this sub-system this means identifying all
the materials or substances involved in the proposed process, such as:
• Raw materials,
• Process chemicals,
• Solvents,
• Catalysts,
• Impurities,
• Intermediate products,
• Final products,
• By-products,
• Waste products,
• Others.
As described above, the materials or substances also present inherent hazards, which if not properly
managed can lead to injury, damage or loss. For each of the substances, obtain or compile hazardous
substance data-sheets (also referred to as Material Safety Data-Sheets, MSDS). The following
minimum information should be established to allow for adequate risk assessment and management.

• The type of chemical e.g. aliphatic organic, metal oxide, acid etc.
• The chemical composition of the substance e.g. C25H44O2, H2O2, TiCl4.
• The physical properties e.g. boiling point, flash point, vapour pressure etc.
• The health hazards e.g. carcinogen, narcotic, asphyxiant.
• The biological hazards e.g. TWA TLV, odor threshold, IDLH etc.
• The environmental hazards e.g. toxic to crayfish.
• The fire / explosion hazards e.g. highly flammable, explosive limits in air, auto-ignition
temperature, detonable.
• Reactivity hazards e.g. polymerisation, rapid evolution of gas, and auto-explosive.
• Compatibility with materials of construction, other substances and likely impurities.
• Special handling and storage requirements.
• Unusual properties e.g. lower ignition temperature when thinly distributed in tower packing
internals.
• First aid and medical treatment to be undertaken in an emergency.
During the life cycle of the project this information must be updated.
It is important that potential impurities be considered, as they have a tendency to accumulate and may
jeopardise the quality of the product. They may also react uncontrollably, jeopardising the integrity of
the materials of construction and therefore the containment of substances.
Using the data or methodology in codes such as the NFPA HAZ10 or NFPA 704, the health,
flammability and reactivity hazard ratings for each substance must be determined. The design must
always take this hazard rating into account and any measures taken to contain the hazards must
be in relation to the rating.


By reviewing the international major hazardous incident databases e.g. the British IChemE database,
determine if there have been any previous major hazardous events related to using or producing
similar substances.
Having determined the risks associated with the substances it is now necessary to formulate suitable
responses to unacceptable risks. The risk response hierarchy outlined in the foreword to this
document must be considered. For example:
• For substances with high hazardous ratings (health, flammability or reactivity) the use of
alternative less hazardous substances must be thoroughly investigated.
• For medium to low hazard materials, alternative substances or use of the material in a different
physical form (e.g. pellets instead of powder or liquids in premixed form) should be considered.
• For low risk materials the risks may be acceptable, however they must be monitored and kept up
to date with possible new research findings that increase the hazardous ratings of these
substances.
In terms of the impact on the environment the necessary assessments must be conducted (Refer to
GTL-01-02 Environmental Design Basis).
Refer to Classification of Hazardous Chemicals (GTL-05-03) for details of hazardous chemicals.

3.6 Inventories
Minimising the inventory of material or substance is part of the inherently safer design. The
inventory of material or substance will be reduced by adopting the following philosophy.
• Minimize material inventory.
• Reduce number of storage tanks.
• Reduce vapour volume in vessels.
• Minimize generation of hazardous material.
• Deliver hazardous material or substance through pipeline instead of rail or truck.
• Reduce piping length.
• Provide isolation valves between the fire risk areas.
Fundamental to managing risk is the concept that as long as the hazardous substances remain within
containment, i.e. they are controlled, hazardous events should not occur. Should there be a loss of
containment of hazardous substances the extent of the impact is dependent on the quantities of
materials released. In order to select a site, the impact on the surroundings of the single largest
credible loss of containment hazard needs to be understood and analysed in detail. It is therefore
necessary to establish the inventories of hazardous substances required on the site.
For each substance, identify the total maximum inventory that is expected to be on site. In addition to
the total inventories, identify the distribution of these inventories within the processing units, as well as
those quantities in bulk storage in tank farms.
If there is no information concerning the processing inventories, then the following assumptions should
be made.
For petrochemical substances assume that the single largest inventory, and therefore the single
largest loss of containment scenario, will be 10 tonnes for both flammable and/or toxic material. For
fine chemical, biological or pharmaceutical substances, assume smaller quantities.
If information is not available for inventories in bulk storage, consider production rates, logistics and
market requirements to estimate the quantities. The maximum loss of containment scenario would
depend on the largest single storage vessel.
Using these potential loss of containment scenarios, conduct a preliminary evaluation of the
magnitude of possible fires, explosions, toxic releases and other effects. Fire radiation levels,
explosive overpressures and toxic substance dispersion concentrations need to be modelled to
determine the severity of the incidents at various distances from the source. If assumptions have been
made in terms of the quantities of materials, then the analysis should include a sensitivity analysis to
indicate the relative impact of half and/or double the quantities of substances.


This analysis will indicate the impacts on the surroundings beyond the boundary of the installation, as
well as the impacts within the installation itself. Suitable risk management responses must be
formulated to minimise these impacts.
Inventories of hazardous substances with potential significant impacts extending beyond the site
boundary must be eliminated. This can be achieved by:
• Reducing or splitting inventories to levels at which particular consequences are highly unlikely;
• Relocating storage vessels so that consequences do not extend beyond the boundary;
• Introducing design preventative and protective measures to significantly reduce the likelihood of
the event;
• Using an alternative site location;
• Termination of the project.
Impacts within the site must also be minimised by:
• Reducing inventories,
• Splitting inventories,
• Relocating storage vessels,
• Aligning the equipment design to the possible hazards, including preventative, mitigating and
emergency operational systems.

3.7 Type of Process


A process goes through various stages of evolution; research, process development design and
construction. Progression through these stages is typically referred to as the process life cycle.
Throughout a process's life cycle the opportunity to apply the philosophies and practices of inherently
safer technologies and strategies must be recognised and cultivated.
Selection of the type of process is the key factor for applying inherently safer strategies, and Process
Engineers have essential roles to play. The chemistry has already been established, thus defining the
hazards of the materials. Process development personnel need to focus primarily on process
synthesis, unit operations, and the type of equipment required for an inherently safer process. A
thorough understanding of the necessary operational steps and alternative operational steps is
essential to develop an efficient and safe process.
The starting point for inherently safe design is the selection of the process, with a view to eliminating
particularly hazardous chemicals and/or operating under less hazardous conditions.
Each type of process presents certain inherent risks of loss of containment resulting from the manner
in which it handles the materials, the particular process conditions and the reactions/interactions
occurring within the process. For example:
• Outdoor plants are inherently unable to contain materials as well as indoor plants;
• Processes with many steps or activities present more opportunities for loss of containment during
transfer between steps;
• Processes with reactions that have the potential to become out of control, both in terms of energy
generation (e.g. exothermic), consumption or in terms of production of unwanted products;
• Processes using/producing highly unstable products such as peroxides or ethylene oxide which
can explode, rupturing containment;
• Processes with extreme temperatures and pressures, which stress materials of construction, and
which also have inherently high rates at which materials are expelled from leaks etc.;
• High energy processes that stress containment e.g. compression, pumping;
• The start-up and shutdown of processes present interfaces where loss of containment is more
likely. Batch processes inherently have more starts and stops than continuous processes;
• The liquid phase of any material contains more mass per unit volume than the vapour phase. All
other things being equal, processes containing liquid risk larger initial loss of containment;


• With respect to liquids that are normally in the vapour phase at atmospheric pressure, the storage
of the material at ambient temperatures in pressurised bullets increases the magnitude of loss of
containment risk when compared to refrigerated storage at atmospheric pressure;
• The continuous or intermittent planned production of unwanted waste is inherently an inability to
contain the process within acceptable parameters;
• A complex and extensive man-machine interface increases the chance of operator error leading to
possible loss of containment;
• Interfaces between different processes such as highly automated continuous production, moving
to manually intensive packaging plants, present risks of loss of containment at process
boundaries. Similarly for high pressure processes connected to low pressure processes;
• Interfaces to other installations also present risks;
• Some processes require extensive frequent maintenance. Each additional “break-in” presents a
potential loss of containment situation.
Different tools are available to assist in comparing the risk associated with two or more different
processes. These tools are the Dow Fire and Explosion Index and ICI's Mond Index.
The proposed processes should be evaluated to understand the risk levels, and how the risks develop.
The mechanisms of the risk in terms of the frequency of possible loss of containment and the resultant
magnitude of the loss should also be evaluated. Consider also the relative robustness of the process,
i.e. how sensitive it is to gross operational errors.
Where feasible, processes that have a high risk of loss of containment should be eliminated and
substituted with processes that are inherently safer.
The loss of containment possibilities in each remaining process should be reduced through design
measures and management systems to control those remaining risks.

3.8 Type of Equipment


Each specific type of equipment presents certain inherent risks of loss of containment. For example,
rotary equipment presents risks due to interface sealing arrangements or due to the possibility of
rotation being reversed leading to failures. Vessels also pose a risk of failure and loss of containment
due to the fact that they can be overpressurised or subject to vacuum.
Different types of process equipment have different inherently safer characteristics, such as inventory,
operating conditions, operating techniques, mechanical complexity, and forgiveness (i.e. the process/
unit operation is inclined to move itself toward a safe region, rather than unsafe). To assess/manage
the level of risk:
1. Identify the functional steps in the process and the equipment selected to handle these functions.
2. Identify the mechanisms that could lead to a loss of containment via the specific item of
equipment.
3. Consider normal operation, start-up, shutdown and expected upset conditions. For further typical
risks related to specific items of equipment refer to section 3.2 of this document.
4. Consider the particular role or function of each item of equipment and possible alternative means
of fulfilling that process function.
5. Try to eliminate the high potential leak sources such as moving parts. Reduce the number of
items of equipment by integrating processing steps without reducing the required redundancy.
6. Ensure that reliability and integrity of the equipment are monitored once equipment is selected. To
facilitate this, design to make provision for fulfilment of maintenance requirements.

3.9 Human Factors


The human factors associated with the installation of equipment (operator, manager etc.) present
certain inherent risks that can lead to loss of containment of hazardous substances. For example,
humans have limited attention spans, limited reaction times and limited decision-making abilities under
stressful conditions etc.


The activities and the role of human factors on the installation should be identified, and the following
aspects considered:
• Human abilities, both physical and mental;
• The time delay from detecting a process deviation, to deciding what to do, and to finally acting to
rectify the situation;
• The probability that the human will make an error;
• The decreasing effectiveness of successive human checking steps;
• The reliability of the human factors (number of actions, frequency of actions etc.).
Consider the requirements of the process in terms of error tolerance, time lags etc., and compare the
performance of human factors with the requirements of the process. If the human factor risks are high,
then consider automating or mechanising the activities.
Well-designed human systems can produce inherently safer plant designs and operating procedures.
If we understand how humans work and how human errors occur, we can design better systems for
managing, supervising, designing, reviewing, training, auditing, and monitoring.
The human systems include:
• Appropriate training,
• Reviews,
• Audits,
• Error correction cycles.
From a human factors perspective, the chemistry of the process can be made inherently safer by
selecting materials that can better tolerate human error in handling, mixing, and charging.
Similarly, the equipment can be made inherently safer from the influence of human factors by:
• Making it easier to understand,
• Making it easier to do what is intended,
• Limiting what can be done to the desired actions.
The facilities will be inherently safer when designed considering operability and personnel safety. Note
that inherently safer human factor features can reduce risk of injury to employees (improved personnel
safety) and can reduce risk to the process from the worker (improved process safety).
Ergonomics should be applied in the layout of equipment, valves, controls, and anything else that the
operating and maintenance personnel need to access. Designs that avoid bending, climbing, and
stretching are inherently safer.

3.10 Exothermic Runaway Reaction


Exothermic runaway reactions can be eliminated by adopting the inherently safe design principle in the
plant facility:
• Replace hazardous materials with safer materials;
• Have lower raw material inventories in the reactor, e.g. use a continuous process instead of a
batch reactor;
• Use a semi-batch method (in which one of the raw materials is added over time) instead of a batch
process;
• Use a heating medium which has a maximum temperature that is too low for the reaction mixture
to decompose.

3.11 Direct Work Environment


The direct work environment where the substances, equipment, human factors etc. are located,
presents certain inherent risks of loss of containment. The slope of the site, the type of ground, the
degree of congestion on the site etc. can all contribute to increasing the risk of loss of containment and
must be considered.

3.12 Risk Management Scope Related to the External Environment


Risk management must always consider the risk related to the external environment of the project.
Elements within the surroundings present certain inherent risks, which could impact upon the
installation. These sub-systems include but are not limited to:
a. Physical or Environmental Systems
• Air
• Land
• Water
b. Biological Systems
• Plants
• Animals
• Humans
c. Human Social Systems
• Economics
• Education and skills
• Cultural development
• Infrastructure
d. Political Systems
Generally, the risk presented by the surroundings cannot be eliminated and responses are limited to
aligning the design to reduce the impacts of the risk factors, for example earthquake protection. Only
with the social impacts can efforts be made towards preventing risk factors from escalating in the
future.

3.13 Physical or Environmental Systems


Identify any geographical, meteorological, or topographical hazards of the location or the anticipated
transportation routes. This should include earthquakes, subsidence, floods, strong winds, temperature
extremes and unusual landscape features. Then determine the possible severity of the impacts.
These risks are generally beyond the control of the project and therefore cannot be eliminated or
reduced. Hence, the appropriate response is to align the design and site to consider these hazards
and minimise the overall risk.
Also consider the impact on the human sub-element of the installation, and not only the more physical
aspects such as equipment design.
All aspects of this analysis must be forwarded to the environment impact assessment.
In addition to this, environmental risk management shall be in accordance with the QCS document
(Section 11: Health and Safety, Part 2.1.01: Safety, Health and Environment Management System and
Section 11: Health and Safety, Part 2.3.15: Environmental Protection).

3.14 Biological System


Identify any impacts of biological systems in the area on the technical design of the project. The impact
is more likely to be upon the human element of the installation and possibly the substances e.g.
diseases, biological product contaminants etc. Determine if the impact is significant.
Align the design to cater for the possible impacts, as it is unlikely that it will be possible to change the
local biological conditions.
All aspects of this analysis must be forwarded to the environment impact assessment.

3.15 Human Social Systems - Markets and Economics


Identify any impacts of the market and economic dynamics in the area, and in the world on the
technical design of the project e.g. product quality, anticipated market growth rate etc.
Conduct a sensitivity analysis relating throughput, quality, sales etc. to profitability.
In areas where the project profitability is very sensitive to deviations, the risk management response
principles must be applied to optimise the project objectives. Where necessary, align the technical
design to allow for possible increases in production rates or for sustained operation at turndown rates.
Also consider possible changes in product quality specifications.

3.16 Human Social Systems - Education and Skills


Consider the human resources at the proposed location and identify the following:
• Availability of resources,
• Level of skills of available resources.
Consider the level of technical sophistication and complexity of the proposed installation. Evaluate the
skills, experience and abilities of the human resources available to manage, operate and maintain the
plant. Compare these with the requirements of the installation.
Ensure the level of process automation is commensurate with the level of human resources available.
Eliminate any inconsistency between skills available and skills required by adjusting the technical
design, importing the skills or reducing the skills gap through training and development of personnel.
Keep process design as simple as possible.

3.17 Human Social Systems - Cultural Development


Identify the social circumstances and trends of the surrounding location that could impact the technical
design of the installation by considering as a minimum:
• Informal urbanization trends,
• Development strategies for the area, e.g. industrial, commercial etc.,
• Specific cultural requirements e.g. siesta, attitude toward risk, language etc.,
• Regulatory trends e.g. possible restriction on sources of supply, impending environmental
legislation etc.,
• The environment in the very long term, in which de-commissioning of the installation may occur.
Consider the longer-term risk exposure of the installation in terms of potential increase in population
exposed to hazards due to encroachment of residential areas around the facility, and the possible
changing levels of skills available in the area.
It is generally not possible to eliminate risky trends; therefore the design must be aligned to reduce
their impact as much as practicable. Management efforts should be directed toward influencing trends
to reduce risk exposure.

3.18 Human Social Systems - Infrastructure


With regard to the possible impact on the proposed installation, identify the present and planned
future availability, reliability and quality of infrastructure such as transport links (road, rail, air and
water), power supply, water supply, communication networks, and emergency response services etc.
Identify possible neighbouring hazardous installations and potential hazards that could impact beyond
their boundary.
Consider the availability of supporting industries e.g. competent licensed waste disposal contractors,
engineering contractors for extended intense shutdown/turnaround periods.
Determine the possible impact of hazardous incidents at neighbouring installations on the proposed
project. Consider the impact of possible future infrastructure changes, or lack thereof, e.g. decreasing
availability of water.
Consider methods to eliminate high risk factors e.g. on site power generation if deterioration in quality
of supply is expected, reduce water consumption, recycle effluents etc.

3.19 Specific Prevention, Mitigation and Responses for Risk Management within the Work Environment


The elements of the installation defined earlier with their inherently safer design, will now be
considered in more detail. Specific responses based on lessons learnt will be presented.
In terms of responding to risk factors, the focus of section 1 was to eliminate the high risk factors and
reduce the risk to acceptable levels.
The focus of this section is on the tactical responses to managing the remaining tolerable risk.
To maintain the risk at a tolerable level, the risk assessment shall be carried out and the results used
to make decisions, either through a relative ranking of risk reduction strategies or through comparison
with risk targets.
The standard for risk analysis (OHSE-ST-0701) shall be referred to, which clearly defines the guidance
to the company for assessment of the risks arising from ORYX GTL facilities and for implementation of
appropriate control measures to minimise the corresponding incidents arising from these risks.
Also refer to the RLIC Risk Assessment Procedure (QPR-RHT-007) and QCS document (Section 11:
Health and Safety, Part 2.4.01: Risk Assessment Guides and Method Statement).
A risk assessment procedure that determines probabilities is frequently called a probabilistic risk
assessment (PRA), whereas a procedure that determines probability and consequences is called
quantitative risk analysis (QRA). Similarly, a risk assessment that involves identifying hazards, assessing
the risks and identifying measures which could reduce the risks, without the use of detailed numerical
calculations and data, is called a Qualitative Risk Assessment.
Within the installation, there are elements which exist purely for managing the remaining tolerable
risk. For example, instrumentation is installed to identify process deviations that have the potential to
lead to loss of control. Further instrumentation is installed to respond rapidly to bring the deviations
under control, and other equipment and instrumentation, such as ESD systems, are installed to
prevent escalation of events. Finally, certain features such as fire deluge systems, blast walls etc. are
installed to limit the severity of the consequences.
Figure 3 illustrates the progression of deviations through to a disaster, and where the various
preventative and mitigating elements become effective in the process.
The elements that are considered in this section are:
a. Substances and inventories,
b. Process and equipment,
• Equipment,
• Electrical systems,
• Monitoring and control systems,
• Protection systems,
• Emergency systems (ESD),
• Inventory dumping,
• Fire prevention and protection,
• Explosion prevention and protection,
• Toxic release prevention and protection,
c. Human Factors,
• Personnel,
• Operational and emergency procedures,
• Documentation,
d. Internal micro environment.

[Figure 3: diagram titled "Sequence of Events and Response Systems". Event sequence: Normal Operation, Abnormal Operation, Out of Control, Accident, Disaster, with Deviations and Loss of Containment marked along the sequence. Response systems: Automatic Control Instrumentation Systems, Protective Instrumentation Systems, Safe Shutdown (ESD system), Emergency Response, Secondary Containment. Response functions: Control, Prevent, Reduce, Mitigate, Protect.]

Figure 3 - Sequence Of Events And Control / Mitigation Response Measures

3.20 Substances and Inventories


Identify all toxic, eco-toxic, unstable, combustible, flammable, explosive and reactive materials in the
processes. Identify all items of process equipment that contain these materials. Determine the
quantities of materials in each item of equipment, in each processing unit and in each section of plant.
Minimise the inventories within the processing units without jeopardising the process stability. Allow
sufficient buffer capacity for operators and/or control instrumentation to bring deviations back within
tolerable limits or to effect normal controlled shutdowns. Also allow for start-up conditions.
The inventories of substances must be located around the site in accordance with the Plant Layout
Standard (GTL-05-2) and the Plant Layout Basis (GTL-04-6). Segregate the inventories so as to limit
the possible magnitude of events and possible “domino” effects. However, avoid unnecessary
scattering of inventories around the entire site; group inventories with natural similarities, such as
pressure.
Consider internal over-pressurisation of major equipment items and identify the possible weak points
that would be likely to fail first, such as welded dished ends on vessels etc. Orientate the equipment so
that failure of the weak point is directed away from other activities happening in the area e.g. sampling,
emergency escape routes etc.
Give attention to the design of warehouses for the storage of materials. The necessary codes and
standards must be respected, e.g. flammable stores, or peroxide stores, as well as general building
regulations.

The process of transferring materials to and from road or rail tankers requires specific attention.
These processes have many separate activities and require the involvement of human operators to
connect temporary transfer lines and initiate other transfer activities. Due to the number and nature of
the activities there is a relatively high potential for error leading to loss of containment; as such, all
loading facilities must have a manually activated emergency shut-off valve.
The properties of the material being loaded and the location must be considered when choosing
between open versus enclosed loading facilities.

3.20.1 Preventing uncontrolled release of Material or substances

The three hazards, namely fire, explosion and toxic release, will be the result of uncontrolled release of
material followed by vaporisation and dispersion of materials.
The uncontrolled material releases are either gases, mists or liquids and are either atmospheric
releases or pressurised. Gas and mist releases are considered more significant since they are readily
ignitable and, if ignited, are instantly destructive in a widespread manner due to the generation of
vapour clouds. Liquid fires are generally less prone to ignition, localised and relatively controllable.
The cause of a release can be external or internal corrosion, internal erosion, equipment wear,
metallurgical defects, operator errors, third party damage or operational requirements.
Generally releases are categorised as:

3.20.1.1 Catastrophic Failure:


A vessel or tank opens completely, immediately releasing its contents. The amount of release is
dependent on the size of the container.

3.20.1.2 Long Rupture:


A section of pipe is removed, leading to two sources of gas, each section being vented through an opening
whose cross sectional area is equal to the cross sectional area of the pipe (e.g. external pipeline
impact where a section of the pipe is dismantled).

3.20.1.3 Open Pipe:


The end of a pipe is fully opened exposing the cross sectional area of the pipe (e.g. drilling blowouts).

3.20.1.4 Short Rupture:


A split occurs on the side of the pipe or hose. The cross sectional area of the opening will typically be
equal to the cross sectional area of the pipe or hose (e.g. pipe seam split).

3.20.1.5 Leak:
Leaks typically develop from valve or pump seal packing failures, localised corrosion or erosion
effects and are typically "small" to "pin-hole" sized.

3.20.1.6 Vents, Drains, Sample Ports Failures:


Small diameter piping or valves may be opened or fail, releasing vapours or liquids to the
environment unexpectedly.

3.20.1.7 Normal Operational Releases:


Process storage or sewer vents, relief valve outlets, tank seals, are considered normal and acceptable
practices that release to the atmosphere.

The uncontrolled release of material and its effects after release shall be minimised by the following
means, which will be strictly adopted at the time of design.
• Segregation, separation and arrangement of different process facilities and equipment.
• Proper design of grading, containment and drainage systems.
• Proper implementation of process control systems.
• Proper isolation of inventories based on different risk areas resulting emergency shutdown.
• Proper design of depressurisation, blow down and venting.
• Proper design of overpressure and thermal relief valves.
• Minimisation or control of ignition sources.
• Proper design of active fire protection (spray or monitor etc.).
• Proper passive fire design.
• Proper fire and gas detection system design.
• Implementing proper evacuation procedure for alarming and providing notification in case of
emergency.
• Adopting proper human factor and ergonomic considerations in plant facility layout.

3.20.2 Preventing formation of hydrocarbon mixture (within LEL and UEL limit)

The hydrocarbon material will only ignite when the concentration of flammable mixture within the air is
between the lower explosive limit (LEL) and upper explosive limit (UEL).
The most important thing is that flammability limits are not an inherent property of a material but are
dependent on the surface to volume ratio and velocity or direction of air flow under the test.
Due to this characteristic, the formation of ignitable mixtures can be reduced by applying the following
measures.
1. All hydrocarbon areas should be provided with maximum ventilation capability. Specific
examinations should be undertaken at all areas where the hazardous area classification is defined
as Class 1 Division 1 or Class 1 Division 2. These are areas where hydrocarbon vapours are
expected to be present, so adequate ventilation is provided.
2. Area congestion should be kept to a minimum such that vessels should be orientated to allow
maximum ventilation or explosion venting, and bulky equipment should not block air circulation or
dispersion capability.
3. Release or exposure of flammable vapours to the atmosphere should be avoided.
4. Gas detection is provided, particularly to areas handling low flash point materials with a negative
or neutral buoyancy (i.e. vapour density is 1.0 or less), since these have the highest probability to
collect or resist dispersion.
5. Air or oxygen is eliminated from the interior of process systems.

3.21 Equipment - Processing Units


Having minimised the inventories that could be released from equipment, identify, eliminate and
reduce the mechanisms that may lead to such a loss of containment.
Some hazards, such as internal fires, internal explosions and decompositions require the ingress of
oxidants or excessive reactants into the equipment. The mechanisms that lead to ingress also need to
be understood.
1. Identify the specific type of equipment used for each unit operation, e.g. centrifugal pump with
double mechanical seals, as opposed to rotating lobe pump with flushed gland seals. It may be
possible to further reduce internal inventories by choosing a specific type of processing equipment
e.g. falling / rising film exchangers vs. kettle type reboilers.
2. Identify the normal, start-up, shutdown and expected upset operating conditions of all items of
equipment.
3. For each item of equipment identify possible routes for loss of containment. (Drains, vents, seals,
sample points, and small piping systems are typical ingress or loss of containment points.)
4. Failure of materials of construction, although usually infrequent, can be extremely severe, leading
to catastrophic accidents. Conduct a study to determine the materials of construction and the
product compatibility under normal and expected upset conditions and compile a metallurgical flow
diagram. Materials can fail due to mechanical, structural or corrosion inadequacies. Mechanical
failures include fatigue, creep etc. Corrosion is the chemical degradation of the material and can
be uniform and predictable or localized and erratic. Consider, in particular, corrosion at points
where there are changes either in material of construction, the condition of process fluids or
changes in flow rates or phases etc.
5. Equipment design, manufacture and testing must be in accordance with internationally accepted
mechanical design codes and practices such as ASME, DIN and ANSI.
6. The integrity of the equipment must support the philosophy of containment of materials, e.g.
design to contain the maximum foreseeable pressure, consider installing overhead condensers
inside distillation columns to limit the number of leak sources.
7. Consider alternative processing methods and/or equipment that will eliminate or reduce the
possible routes for loss of containment e.g. gravity flow eliminates the need for a pump with seals
that could possibly leak.
8. Process functional steps must be reduced to eliminate excessive equipment; for example,
integration of different steps such as cooling one stream and heating and pumping another, into
one item of equipment. In this regard the design must facilitate minimisation of items of equipment
without reducing the redundancy requirements.
9. The process design must include manufacturer’s requirements on the equipment such as
minimum flow protection systems, internal pressure relief etc.

3.21.1 Furnaces
There are two primary risk issues to consider when specifying furnaces:
• Internal explosions of the combustion materials in the fireside.
• Loss of containment of process materials into the fire side of the furnace, and resultant explosion,
fires or toxic releases.
Furnace design must comply with the NFPA burner management, safe start-up, operation, shutdown
and fuel systems codes / standards. The furnaces shall be located at least 50 ft (15 m) horizontally
from all vents.

3.21.2 Heat Transfer Fluid Systems


If possible, use hot water or steam instead of flammable oils for heat transfer fluids.
Certain fluids degrade and de-compose at high temperatures.
Consider the possible periodic need to de-inventory the system and how to dispose of or contain the
fluid.

3.21.3 Heat Exchangers


Combine heating and cooling services into one exchanger.
Consider intermediate cooling/ heating circuits to contain extremely hazardous materials.
Consider the effects of treatment chemicals added to the cooling or heating medium, e.g. corrosion.

3.21.4 Standby Equipment


Standby equipment must be protected against sudden starts if conditions of extreme temperature
difference exist, e.g. with pumps and heat exchangers.

3.21.5 Filters
Design for self-cleaning filters to reduce the potential of loss of containment.

3.21.6 Vessels / Tanks


Remember draining, venting, steaming out, hydro-testing and purging requirements.

Ensure a vacuum is not drawn during draining and that over-pressurisation does not occur during
filling or purging.
Consider vessel exposure to an external fire.
Design for over- or under-pressure relief considering API 2000 (2014) requirements.
Consider possible temperature changes due to residual process materials flashing during
depressurisation or venting.
Consider rollover of tank contents.
Avoid allowing liquids to free-fall into vessels in order to avoid / reduce static generation, frothing and
erosion.

3.21.7 Piping and Valve Systems


Use spiral wound gaskets as they reduce the chance of cracks leading to blowout of sections of
gasket.
Orientate potential weak points in piping away from plant escape routes.
Minimise valves in vertical lines, unless specified to operate in a vertical position.
Consider restriction orifices to contain flow in the event of control valve failure.
Consider check valves on all utility lines entering the process.
Expansion bellows should be avoided. Bellows are designed to sustain a certain force under a certain
movement. Consider the operational movement cycle to which they will be exposed and the related
lifetime. Generally the materials specified for bellows must be superior to those of the line in which
they are located, and pressure thrusts and stress calculations are a must for the whole piping system
into which the bellow is inserted. For toxic materials, use double-walled expansion joints.
Ensure adequate facilities for venting high points and draining low points.
Avoid dead ends on pipes, as materials tend to accumulate, jeopardising pipe integrity.
When selecting valves, carefully consider the degree to which they ensure containment, the speed
with which they react to achieve this and the overall reliability of the valve system.
Consider hydro testing piping and the loads that this may produce in the systems in terms of support
and flexibility.
Consider vibration and resonance induced by fluid movement in the system.
Consider thermal stresses during steam purging.
Seals on valves are potential loss of containment routes.

3.21.8 Reactors (High Temperature)


All reactors must be protected against over-pressure.
Design to contain the over-pressures resulting from a deflagration explosion.
Channelling within reactors can lead to formation of hot spots.
Consider heat sensitive paint to indicate possible weak spots in refractory lining.
Limit the size of charging vessels to limit the quantities of reagents that can be added at any one time,
and/or use gravity flow and/or restriction orifices.
Consider rapid quenching, dumping and heat removal for run-away reactions.

3.21.9 Columns
As for vessels, consider vacuum and over-pressurisation.
Consider bed collapse in towers. Internal supports must be able to handle flooding, pressure surges
etc.

Special care should be taken when opening columns containing flammable materials and high surface
area internals. Design for sufficient purging to prevent fires.

3.21.10 Air Coolers


Do not locate air coolers above areas where there is a possibility of a pool fire.

3.21.11 Dryers
The primary hazards are possible overheating, fires and explosions.

3.21.12 Rotary Equipment (Pumps, compressors, centrifuges etc.)


Seals are weak points for loss of containment.
Rotary equipment rotated in the wrong direction could disintegrate, fracture and lead to loss of
containment.
Consider the maximum process temperatures and possible contact with combustible lubricants as per
GTL-36-01 and GTL-36-02 and API 614 (2008).

3.21.13 Lagging / cladding


Lagging inhibits the detection of gas leaks, and prevents easy dispersion of the gas.
Spontaneous ignition of insulation saturated with flammable materials is possible.
Corrosion under wet lagging leads to failure of materials of construction.

3.21.14 Container or Drum Storage


Segregate incompatible materials.
Safe, easy access for inspection, transport etc. is imperative.
Consider secondary containment requirements.

3.22 Equipment - Electrical Systems and Electricity

3.22.1 Minimizing or Control of Ignition Sources

Any leakages or spillages may give rise to flammable and explosive atmospheres as mentioned
above. To protect both personnel and the plant, precautions must be taken to ensure that the
atmosphere cannot be ignited. It is generally recognised that there are three main categories of
ignition sources in a hydrocarbon facility: open flames, hot surfaces and sparks. The overall objective
for protection is to remove these ignition sources from, or provide a barrier between them and, materials
that can readily ignite if contact is made. The ability of these sources to ignite a material depends on their
available energy and configuration.

Following are the typical sources of ignition that may be found in process areas:
• Flares
• Boilers
• Fired heaters
• Static electricity
• Vehicle traffic
• Electrical motors
• Hot work: welding and cutting
• Hot surfaces
• Lighting
• Overhead high voltage lines
• Mechanical: sparks, friction, impact, vibration, etc.
• Chemical reactions
All areas of the plant must be classified according to the presence of different categories of flammable
materials and the manner in which these are processed. All electrical equipment must be specified
according to the classification of the area in which it is located (Electrical Area Classification).
Ensure that the classification of areas is completed according to local as well as internationally
accepted standards (The Institute of Petroleum Model Code of Safe Practice, Part 15, and Area
Classification Code for Petroleum Installations).
Two other sources of electrical sparks are lightning and the build-up of static electricity on equipment.
Identify circumstances that can lead to the accumulation of static, e.g. two phase flow, pouring solids,
connecting road tankers to off-loading systems, splash filling, belt drives, personnel, overhead power
transmission cables etc., and particular situations where static electricity can lead to a hazardous event.
First seek to eliminate the presence of flammable materials and then consider eliminating the possible
causes of static. Ensure adequate preventative and protective measures are in place to deal with
remaining possible sources of static electricity. The basic philosophy for static electricity protection is
to provide a means of harmlessly discharging (e.g. earthing) the potential before it reaches sparking
levels.
Where necessary, lightning protection must be installed according to accepted codes and standards.
Refer to the standard for ignition source control (OHSE-ST-0315) for more details regarding the control
of sources of ignition.
A second risk management issue related to electrical systems is the use of power for safe shutdown of
the plant and the implication of power failures.
Identify all electrical equipment connected to processing equipment containing hazardous materials.
Identify the source of power in terms of distribution systems.
Determine the impact of failure of the electrical supply during normal and anticipated upset operating
conditions in terms of possible escalation of events and ultimate loss of containment of hazardous
materials.
For applications where containment can be jeopardised by failure of electrical equipment, eliminate the
dependency on power, consider redundancy of electrical equipment, or supply back-up power.
Ensure adequate clean ventilation of cable ducts to reduce corrosion etc.
Electrocution of personnel must be prevented.

3.23 Equipment – Process Monitoring and Control Instrumentation


Process monitoring and control plays an important role in how a plant process upset can be controlled
and subsequent emergency actions executed. Without adequate and reliable process controls, an
unexpected process occurrence cannot be monitored, controlled and eliminated. Process controls can
range from simple manual actions to computer logic controllers, remote from the required action point,
with supplemental instrumentation feedback systems. These systems should be designed to minimise
the need to activate secondary safety devices. The process principles, margins allowed, reliability and
the means of process control are mechanisms of inherent safety that will influence the risk level at a
facility. Refer to GTL-61-3 and API 670 (2014).
Equipment and instrumentation are installed to monitor operating parameters, to act to control the
parameters within set limits and to return the process to within the limits should any deviation occur.
For each item of equipment or process section discussed in the previous section, identify the
parameters that need to be monitored to indicate that the process is moving towards a hazardous
regime e.g. pressure, oxygen content etc. Determine the parameters that need to be manipulated to
prevent the system from moving to this regime. Determine the normal and expected abnormal
operating ranges for the monitored and manipulated parameters.
Determine the relative risk of possible loss of containment or explosion hazards in the equipment and
rank the risks from high to low risk.

Determine the level of reliability, accuracy and availability that is required of monitoring and control
instrumentation in view of the relative hazards. The systems must be able to prevent hazardous events
from developing.
The level of reliability required of the monitoring systems must be supported by sufficient instrument
redundancy and/or diversity. The entire instrument system, from detection through transmission to
actuation, must be put together to ensure the highest availability. Consider also the possibility of
common mode failures such as instrument air failures and the effects on containing hazards.
The level of reliability of the monitoring systems must also be supported by sufficient computational
back up, fault revealing systems and systems to ensure safe shut down mode (i.e. watch dog system,
failure mode to safe). UPS supply from battery shall be used.
Ensure that the normal control and monitoring instrumentation is completely separated from the
emergency protection systems, i.e. the entire system from measurement, through transmission to
activation must be segregated.
Any over-pressure monitoring and control system for process purposes must not be considered as
over-pressure protection to maintain equipment integrity (see following section). These systems must
fail to the closed position to protect the downstream dumping facilities such as flares or effluent
systems from unnecessary overload. Over-pressure control systems will only be allowed to fail open
where a risk assessment or process condition necessitates such an action, i.e. not the normal case.

3.23.1 Plant Safe Operations

To ensure plant safety and operability, qualitative risk assessment shall be carried out.

Qualitative reviews are studies based on the generic experience of personnel and do not involve
mathematical estimations. These reviews are essentially checklist reviews in which questions or
process parameters are used to prompt discussions of the process design and operations and
possible accident scenarios.

3.23.1.1 Checklist or Worksheet:


A standardised list which identifies common protection features required for typical facilities is
compared against the facility design and operation. Risks are expressed by the omission of safety
systems or system features.

3.23.1.2 Preliminary Hazard Analysis (PHA):


Each hazard is identified with potential causes and effects. Recommendations or known protective
measures are listed.

3.23.1.3 What-If Reviews:


A safety study in which “What-If” investigative questions (brainstorming approach) are asked by
an experienced team about the hydrocarbon system or components under examination. Risks are normally
expressed in a quantitative numerical series (e.g. 1 to 5).

3.23.1.4 HAZOP
A formal, systematic critical safety study where deviations of design intent of each component are
formulated and analysed from a standardised list. Risks are typically expressed in a quantitative
numerical series (e.g. 1 to 5) relative to one another.

3.23.1.5 Relative Ranking Techniques (DOW and MOND Hazard Indices)


This method assigns relative penalties and awards points for hazards and protection measures
respectively in a checklist accounting form. The penalties and award points are combined into an index
which is an indication of the relative ranking of the plant risk.

3.24 Equipment - Protective Equipment


If a process deviation cannot be brought within acceptable limits, then the protective equipment must
prevent uncontrolled loss of containment and ensure equipment integrity is maintained.
Based on the hazardous regimes that could develop, and the parameters identified in the previous
section, identify equipment or sections of the process that will need emergency protection e.g.
pressure safety relieving devices, explosion suppression systems. Identify possible secondary hazards
or domino effects from the development of the initial hazard. For example, a pool fire from an initial
loss of flammable material may jeopardise the integrity of vessels above the fire leading to further loss
of material, or an initial small dust explosion may create large dust clouds which lead to a larger
secondary dust explosion. In this regard, other equipment in the vicinity, the plant layout, the draining
and the venting requirements on all equipment in the area etc. must be considered.
Determine the extent of the hazards. Determine the type and extent of emergency protection
equipment that could be installed.
Over-pressure protection must comply with international standards such as API 520, API RP 521, and
NFPA 30 etc.
Equipment will be protected against over-pressure primarily by a mechanical pressure safety valve.
Each item of equipment that can be isolated from other equipment by a valve must be provided with
protection. The sizing of this valve will consider the worst of the following cases:
• Blocked in process case (e.g. runaway reaction, thermal expansion, others)
• Fire case.
In sizing the PSV, credit may be taken to reduce the size/number of PSVs by considering the
following:
• Passive fire protection that reduces the extent of the fire case.
• An energy curtailment system that reduces the blocked in process case.
Where there is a possibility of a blockage on the inlet or outlet of the PSV, the cause of the problem
must be analysed to obtain the optimum solution e.g. continuous purging, upstream bursting disk etc.
Retention of documentation pertaining to relief valves is extremely important.
Sufficient redundancy and/or diversity must be provided, as well as a means to ensure that over-pressure
protection systems are never closed such that the equipment is not protected while in operation.
Protection on electrical equipment includes overload trips, which aim to prevent electrical fires.

3.25 Equipment - Emergency Shutdown Systems - ESD


An emergency shutdown system comes into effect once an abnormal operating situation has already
deteriorated into being out of control. Generally, the shutdown philosophy assumes that the plant is to
remain “hot”, i.e. ready to restart, unless a specific decision is taken to totally shut down the plant after
the initial event.
Identify all large inventories of hazardous materials (flammable, toxic etc.). Identify sections of the
plant operating at drastically different conditions such as high pressure versus low pressure or utility
versus process sections. Identify operating regimes that would indicate that a hazardous situation has
already developed and cannot be prevented, so that mitigation of effects and secondary hazards will be
required.
Analyse possible likely routes for loss of containment of these inventories, e.g. water drain points,
pump or compressor seals, nozzle failure etc. Determine the expected magnitude of the release, the
likelihood that it will occur and the relative significance thereof.
The underlying philosophy of an emergency shutdown system is to contain the situation, as opposed
to preventing it; the philosophy of partitioning of the plant and/or inventories is appropriate. Only loss
of containment hazards that are of large magnitude and/or high frequency should be isolated.
ESD isolation valves are required at any point where there is a possible loss of containment of
inventories of the following:
• Extremely toxic material (classified according to NFPA HAZ10)
• 1 (one) ton or more of highly toxic material (NFPA health hazard rating 4). Smaller inventories
  must be subject to a risk assessment to confirm that rapid emergency isolation is unnecessary.
• 20 m³ or more of toxic material (NFPA health hazard rating 3). Again, inventories of less than
  20 m³ must be subject to a risk assessment to confirm that rapid emergency isolation is unnecessary.
• 20 m³ or more of flammable liquids.
• 10 m³ or more of highly volatile flammable liquids, i.e. where the liquid temperature is above the
  flash point of the material.
• 10 m³ or more of flammable material operated at above 250 °C.
• Flammable liquid stored above its atmospheric boiling point e.g. pressurised LPG.
• Flammable gas in gasholders or pressurised gas bullets.
The exact location of the ESD isolation valve will be upstream of the most likely and/or most
significant possible route of loss of containment e.g. drains, flexible hoses, pumps etc.
An ESD system is only of use if there is some form of early indication of loss of containment, e.g. gas
detectors, operators inspecting the plant etc.
Flammable gas detectors must be installed in all places where a risk assessment indicates a high risk
of loss of containment. Similarly for toxic material, gas detectors can serve as early warning systems
to either sound alarms, activate emergency shut-off valves, or activate emergency response systems
such as water sprays, scrubbers etc. The location of gas analysers must consider the prevailing
environmental conditions, the dispersion characteristics of the gas, the location of the equipment
indoors or outside, ventilation systems, and the required reaction time for emergency response
systems.
On road/rail tankers/storage transfer systems for highly flammable or toxic materials, quick acting
emergency isolation valves are preferable to (or should be installed in addition to) excess flow valves,
as the latter require high flows prior to closing.
All ESD and excess flow valves are to fail to the closed position.
Suitable instrument redundancy/diversity must be installed to prevent nuisance trips/shutdowns.
Some ESD valves may need powered actuators and/or emergency blow-off systems in order to seal
tightly. If an ESD valve is installed upstream of a pump or compressor, the machine should be tripped
at the same time as the ESD valve is closed to prevent dry running.
Although not specified as ESD valves, the location and orientation of battery limit isolation valves
should take account of possible plant emergency scenarios and the need for manual isolation.

3.26 Equipment - Emergency Systems - Inventory Dumping


Any release of material from the over-pressure protection relief and other emergency release systems
must still be managed to prevent deterioration of the emergency into a disaster. For this purpose,
managed inventory dumping systems are required. These consist of combustion (either in a flare or
incinerator) for toxic or flammable gases and controlled draining of similar liquids.
Identify all equipment with over-pressure relief, purging, venting, draining or other connections to
dumping systems such as flares, stacks or sewers. Identify all possible sources of flared / drained
materials. Consider normal and anticipated abnormal operating conditions.
Determine the expected quantities of materials that will be released, the temperature and pressure
properties, the combustion and decomposition properties, and the toxicity characteristics of these
materials.
Determine the possible loss of containment scenarios and effects on the flaring or draining systems
e.g. flameout, freezing blockages, overload etc. Determine the relative risk thereof.
Where possible, eliminate the need for, and reduce the quantities of dump inventory.

3.26.1 Flaring

A flare provides a means of disposing of gaseous effluents by burning them under controlled
conditions and converting them to less objectionable compounds. Flares may be elevated or located at
ground level and are either open or enclosed. Elimination of VOC emissions may necessitate small
“stick flares” for low-pressure releases from tanks, DAF units, and wastewater treatment plants etc.
Ensure that all over-pressure control systems failing open into the flare system have been subject to a
risk assessment indicating process conditions that necessitate such an action, i.e. not the normal
case.
Ensure that only pressure safety devices are relieving into flare systems.
Flare design must comply with API 521. Issues requiring attention include radiation exposure levels,
stack height, header sizing, tip design, noise, smokeless burning, continuous purging, pilot flame etc.
Avoid guyed stacks.
Consider purging, and pilot gas requirements individually in view of aspects such as lightning strikes,
static etc.

3.26.2 Liquid Drainage

There are generally five types of liquid draining systems, which must be kept separate:
• Clean storm water sewers;
• Oily water sewers;
• Chemical sewers;
• Special closed conservation sewers for recovery of chemicals;
• Sanitation sewers.
Rainwater collection and catchment must be of such a nature that clear rainwater will not be
contaminated with process material or allowed to run off with the normal process run-off system.
When sizing sewers, accommodate the typical storm intensity cycle and related run-off quantities for
the area.

Rainwater will be allowed to flow freely to a safe location if contaminated with flammable materials. If
contaminated with process materials it will be allowed to flow under controlled conditions to the effluent
handling facilities.
All process inventories of products, feedstock materials etc. must be drained to closed systems. The
area under vessels must be bunded to contain at least the full volume of the largest vessel in the area.
Drainage areas should be paved for protection of the underlying ground and ground water. Drainage
areas must also be paved; not covered with gravel, as the latter tends to increase the vapourisation
rate of volatile materials.
Process chemicals must be contained in conservation sewers within the plant boundaries for recovery
purposes, or only be allowed to drain outside the plant into chemical sewers under controlled approved
conditions.
Flammable material, if spilled, must drain to a safe location. Combustible materials must not be
allowed to collect within the processing unit or under equipment, but must drain away.
Draining must be rapid and natural; within bunded areas, consider curbing to direct flows, minimise fire
intensity and aid with foam dispersion. The intensity of radiation from a fire is directly related to the
surface area of the fire, thus, minimising areas where materials can accumulate is an important
abatement measure. Consider firewalls between drain-off catchment pits and vessels to protect
vessels from possible fires in the catchment pits. Catchment pits should normally be kept empty.
Care must be taken to provide some form of isolation on sewers connecting plants of differing
electrical classifications. This will prevent flammable materials being distributed through the sewer
system to non-flammable areas etc.

Draining of toxic materials must be avoided at all times. Under extreme emergency conditions, ensure
that the area is bunded to contain the full volume of the spill. Consider rapid drainage to secondary
containment, vapourisation suppression, emergency scrubbers etc.
Forced drainage should be provided in basements and low-lying areas.
Drainage in road and rail loading areas should ensure that a spill at one point does not drain
underneath other vehicles.

3.27 Equipment - Emergency Systems - Fire Prevention and Protection


Four elements must be present in order for fire to exist. These elements are heat, fuel, oxygen and
chain reaction. To prevent fires, first avoid the use of flammable/combustible materials, secondly
eliminate heat sources and finally eliminate the presence of any oxidants.
Identify likely sources of ignition within an installation where combustible/flammable materials are
present e.g.
• Naked flames,
• Electrical sparks,
• Static sparks,
• Chemical reactions e.g. rust,
• Auto-ignition,
• Metal on metal impact sparks,
• Pyrophoric materials,
• Lightning,
• Hot surfaces or smouldering dust layers,
• Mechanical shock in the case of unstable materials such as peroxides, NCl3 etc.
If feasible, provide secondary containment of the flammable/combustible materials e.g. drain to
adjacent catchment pit.

For releases of highly flammable gaseous materials, it is generally best to design for rapid dispersion
in open, well ventilated structures rather than secondary containment. For heavier flammable
materials, secondary containment is desirable, as described above.
Finally, reduce the impact of a fire using passive or active fire protection systems.

3.27.1 Passive Protection

The passive fire protection design shall consider the following methods to achieve protection for any
plant facilities:
• Spacing and layout
• Fireproofing
• Containment and drainage
• Diking
• Fire walls
• Electrical area classification
Basic equipment protection systems and integrity must support containment of materials under fire
conditions.
Spillage control must support rapid drainage away from equipment and minimum pool area formation
by sloping and curbing.
Fire proofing must be applied to avoid collapse of structures supporting equipment or piping and to
vessel or column supporting skirts in fire hazardous areas.
Electrical and instrument cables will only be fireproofed if required to be operable for up to a maximum
of 30 minutes for safe shutdown of the plant. Sufficient redundancy of cabling must be provided prior
to fire proofing. The plant must be designed to automatically go to safe mode during any sudden
stoppage.
On flammable gas systems, flame arrestors are sometimes considered as a last line of defence; these
devices are permeable to gas but not to flames. By providing a large, relatively cool surface area
through which the burning gas must move, the device quenches the flame and cools the products
sufficiently to prevent re-ignition at the arrestor outlet. Installation and location of the arrestor must
consider the flame characteristic of the material, the equipment configuration, process conditions,
possible fouling and plugging etc.

3.27.2 Active Protection

Active fire protection systems shall be designed to accomplish a combination of the following
objectives:

3.27.2.1 Extinguishment of fire

Fire protection systems achieve extinguishment of fire through a number of methods, principally:
• Reducing the heat release rate of a fire and preventing flashback by cooling. This reduction of the
  heat release rate and cooling usually occurs by direct and sufficient application of cooling medium
  through or into the fire plume and onto the burning fuel surface.
• Separating fuel vapours from oxygen (smothering), thereby inhibiting the chemical chain reaction.
For example, extinguishment of fire by water is accomplished by any or a combination of cooling,
smothering from produced steam, emulsification of some liquids, and dilution.

3.27.2.2 Control of burning

Fire protection systems achieve control by limiting the size of a fire through:
• Distribution of extinguishing agent to absorb heat released
• Providing exposure protection to adjacent combustibles
• Containment
Control of burning systems operate until one of the following occurs:
• Agent supply is exhausted
• Burning fuel is consumed
• Flow of fuel is stopped
• Leaking fuel is extinguished

3.27.2.3 Exposure protection

Fire protection systems achieve exposure protection by absorbing heat through the application of
extinguishing agents to structures or equipment exposed to a fire. The application of some
extinguishing agents removes or reduces the heat transferred to the structures or equipment from the
exposing fire, as well as limits the surface temperature of exposed structures and equipment to a level
that will minimise damage and prevent failure.
Exposure protection systems provide protection by applying water to structures and equipment
for the anticipated duration of the exposure fire. Water spray curtains are generally less effective than
direct application due to unfavourable conditions such as wind, thermal updrafts, and inadequate
drainage. Extinguishing agents such as CO2 or dry chemical agents are not able to provide this type of
cooling.

3.27.2.4 Prevention of fire

Fire protection systems prevent fires by operating until flammable vapour, gases, or hazardous
materials dissolve, dilute, disperse, or cool. The following firefighting agents are normally used to
achieve the above purpose:
• Water
• Foam
• Carbon Dioxide
• Dry chemical
• Clean Agents
Fire water systems comprised of hydrants, fire equipment boxes and fixed monitors are common
features installed in larger facilities. Fixed water spray systems are proven to be effective for certain
applications, such as removing heat from a hot-oil pump fire, thus protecting nearby equipment. Dry
chemical extinguishers are used for quick extinguishment of small fires. Other agents such as foam,
steam and carbon dioxide are also used to provide extinguishment capability. The most commonly
used firefighting agent in the plant facilities is water. A fire water distribution system shall be designed
according to NFPA and owner standards.
The level of automation of fire detection, automatic handling and immediate automatic isolation
protections will depend on:
• The type of plant,
• Potential fire hazards,
• Human resources to operate fire systems,
• Value of the installation,
• Human resources to take part in fire handling.
With the height of pool fires and associated fire proofing, the surface to be considered is the possible
pool fire surface, not necessarily only grade level, i.e. there could be a fire on the second floor of a
concrete structure.
Refer to the engineering standard, GTL-55-1 Fire and Gas Detection.

3.28 Equipment - Emergency Systems - Explosion Prevention and Protection


An explosion is a sudden and rapid over-pressurisation, which is usually the result of combustion or
exothermic run-away chemical reactions. The pressure increase is due to the generation and
expansion of gaseous materials generated by the reaction. The reactants can be in either the vapour
phase, the liquid phase, the semi-liquid condensed phase or finely distributed combustible mists or
dusts. Certain materials have very high heats of formation or contain both fuel and oxidants. These are
therefore highly unstable and can support flames by undergoing exothermic decomposition.
For any fire or explosion, three components are needed:
• A fuel
• An oxidant
• A source of heat / ignition
Without one of these elements there will be no fire or explosion. Therefore, prevention and control of
explosions revolves around eliminating the possibility of all three elements being present
simultaneously.
Identify all items of equipment containing flammable/explosive materials.
Determine the possible causes for loss of containment of explosive materials and possible
mechanisms for the explosion thereof. Also consider possible explosions inside equipment e.g.
runaway reactions, decomposition, pyrophoric materials, ignition of flammable mixtures etc.
Determine the extent of the potential explosion damage and the relative significance of the risk.
Eliminate possible explosive releases and reduce the quantities of explosive materials involved.
Thereafter, consider mitigation of the effects through:
• Rapid dilution of flammable mixtures to below the flammable limits,
• Explosion/deflagration venting,
• Explosion suppression systems,
• Open structures to aid the dispersion of gases,
• Avoid cladding or lagging which encourages pockets of gas and aids combustion,
• Inerting philosophies,
• Explosion inhibiting materials can be added,
• Rapid reaction quenching,
• Prevention of explosion propagation through use of critical diameters etc.

3.28.1 Location of Buildings in Plant facilities

Buildings whether manned or unmanned shall take into account prevailing wind direction and should
be orientated with their long axis north-south where practicable. This will reduce the extent of solar
heat gain.
Buildings, especially control and technical rooms, shall be positioned in non-hazardous areas.
Where manned buildings or buildings containing safety critical equipment cannot be separated from
plant hazards, the buildings in question must be designed to sustain the design accidental loads (fire
and explosion). Blast resistant / resilient design shall be determined by the risk analysis such as fire
and explosion hazards analysis, QRA (blast contours).

3.29 Equipment - Emergency Systems - Toxic Release Prevention and Protection

Using the information in the previous section, identify all the possible loss of containment of toxic
material scenarios in each section of plant.
Determine the consequences of loss of containment and the relative risk of the various scenarios.
For highly toxic materials with extremely severe consequences, the risk of loss of containment can be
reduced by:
• Double equipment containment,
• Containment within buildings.
Should containment be lost, the following mitigating factors could be considered:
• Bursting disks and PSVs can relieve into secondary containment vessels with intermediate
  pressure indicator alarms,
• Draining into a contained area/building,
• Emergency stand-by scrubber,
• Water or steam curtains, vapour knockout systems, or spray systems,
• Foam generation for vaporisation suppression,
• Escape havens for personnel,
• Evacuation procedures.

3.30 Human Systems - Personnel


Human factors and ergonomics play a key role in the prevention of accidents. Some theories attribute
up to 90% of all accidents to human factor features. It is therefore imperative that an examination of
human factors and ergonomics be undertaken to prevent fire and explosions at petroleum facilities,
since historical experience has also shown it is a major contributor, either as a primary or underlying
cause.
Human factors and ergonomics concern the ability of personnel to perform their job functions within
the physical and mental capabilities, or limitations, of a human being. Human beings have certain
tolerances and personal attitudes. Tolerances can be related to the ability to accept information, how
quickly the information can be understood and the ability and speed to perform manual activities.
When information is confusing, lacking or overtaxing, the ability to understand and act upon it quickly
or effectively is absent. It is therefore imperative to provide concise, adequate and only pertinent
information to complete all the tasks associated with petroleum activities. This includes activities
associated with emergency fire and explosion protection measures.
Identify the man/machine interface, the number of controls, alarms, read-outs, activities etc. that have
to be undertaken by each operator under normal, expected abnormal, and emergency conditions.
Identify high-risk activities where operator input is important. Determine the probability of operator
error in each of the high-risk tasks.
Eliminate the need for critical operator intervention in numerous high-risk tasks, or reduce the number
of tasks per operator.
Also consider how the following aspects impact on reducing operator error:
• Audible vs. flashing alarms are more effective in gaining operator attention,
• Human error variation under normal routine tasks versus high-stress emergency scenarios,
• Human performance tends to deteriorate over time in routine tasks,
• Generally uncomfortable and stressful surroundings, e.g. noise, heat, and bad ergonomics.
To reduce the potential for accidents from human error, the design shall incorporate all of the following
human error considerations as a minimum. The following guidelines shall also be incorporated into
vendor specifications for packaged equipment. Floors in work areas and walkways shall be designed
in accordance with the following:
• Walkways for access to permanently and intermittently manned work places shall be provided; these shall be shown on relevant drawings.
• Slippery liquid on floors shall be avoided (e.g. by using drip trays).
• Protruding objects shall be avoided in walkways.
• The need for anti-skid surfaces shall be evaluated in all work areas where spill of slippery liquid, dusts etc. may occur.
• Storage and lay down areas should be located in the vicinity of each other and on the same level.
• Stairs for platforms.
• Workplaces shall be arranged to provide contact with others; solitary work shall be avoided in permanently and intermittently manned areas.

3.31 Prevention of Exothermic Runaway Reaction


An exothermic reaction can lead to thermal runaway, which begins when the heat produced by the
reaction exceeds the heat removed. The surplus heat raises the temperature of the reaction mass,
which causes the rate of reaction to increase. This in turn accelerates the rate of heat production.
The following prevention or protective measures shall be adopted to avoid an exothermic runaway
reaction.
Protective measures do not prevent a runaway but reduce the consequences should one occur. They
are rarely used on their own as a number of preventive measures are normally required to reduce the
demand upon each individual measure. As they operate once a runaway has started, a detailed
knowledge of the reaction under runaway conditions is needed for their effective specification. You
can:
• Design the plant to contain the maximum pressure.
• Fit emergency relief vents and ensure vented material goes to a safe place.
• Crash cool the reaction mixture if it moves outside set limits.
• Add a reaction inhibitor to kill the reaction and prevent runaway.
• Dump the reaction into a quenching fluid.
• Process control includes the use of sensors, alarms, trips and other control systems that either take automatic action or allow for manual intervention to prevent the conditions for uncontrolled reaction occurring. Specifying such measures requires a thorough understanding of the chemical process involved, especially the limits of safe operation.

3.32 Management Systems


The primary responsibility of any management system is to minimise the risks in the plant facilities.
The following elements are listed for effective management systems:
• Competent people
• Systems and procedures
• Project safety reviews
• Management of change
• Standards and codes of practice
• Documentation
• Audit systems
Primarily, the hazards and the associated risks can be reduced or eliminated by adopting the proper
procedures.

• Identify the possible release of toxic materials, fires, explosion and other hazards on the plant.
• Determine the frequency and consequences of these events and compile a short list of credible high-risk emergency scenarios.
• Develop emergency procedures, systems and infrastructure to cater for the above emergency scenarios.

Ensure the following aspects are addressed:

• At least two independent emergency escape routes to be provided,
• Emergency escape routes should not be difficult to negotiate,
• Location of control rooms and other buildings,
• Emergency early warning systems,
• Evacuation procedures.
All emergency plans internal to the plant and dealing with the public must be in place prior to the
arrival of the first hazardous materials on site.
Ensure procedures are in place to address the safe execution of normal operation, maintenance,
inspections, auditing, access control, traffic control and any other aspect of normal operation.

3.33 Human Systems - Documentation


Documentation forms part of the long-term management of the risks of the process. The
documentation that must be retained for the management of risk throughout the life cycle of a plant
should be identified and systems put in place to maintain it. This should include documentation related
to all the impacts and aspects discussed thus far in this document, including any additional aspects
not considered herein.
Critical aspects include but are not limited to:
• Accountabilities and responsibilities of all parties involved,
• Design calculations, data and reviews,
• Hazard, risk, process safety, economic, labour, and utilities studies/reviews,
• Plot and plant layout studies,
• Drawings, data sheets, vendor information,
• Operating and maintenance procedures, instructions etc.,
• Proof of training,
• Operating data/logs,
• Management of change, justification, hazard assessment etc.,
• Equipment and process integrity checks,
• Audit schedules and results,

• Inspection schedules and results,
• Quality control of materials,
• Incident investigation.

3.34 Internal Micro Environment


Identify the impacts of the substances on the health of employees. A complete health risk assessment
must be conducted and from this, the need for biological monitoring, etc. will be determined.
Assess all aspects of the direct site environment, such as sloping, congestion, access for
maintenance, access for emergencies, traffic control, flooding and draining problems, low points where
vapours could collect, etc.

4 Roles and Responsibilities

4.1 Implementation of the Document


The custodian has the responsibility to manage and implement the requirements of this Technical
Standard.
Document Custodian
The Document Custodian must:
• Ensure that only the latest approved documents are filed
• Work with the Quality Section to ensure that the IMS Document and IMS Record Center are maintained according to the requirements of the Document Management Standard
• Review all the comments of the Development Team and make the final decision on which comments to include
• Ensure that approved copies are available in the IMS Document and IMS Record Center
• Communicate the Operational Policies, Standards and Technical Standards
• Ensure the requirements in the documents are implemented
• Be in compliance with the requirements of the documents
• Identify Development Team Members
• Resolve any dispute raised with Development Team Members

4.2 Content of the Document

Development Team Members


The Development Team Members must:
• Develop the documents only on approved templates
• Ensure that the latest approved documents are uploaded and filed
• Log an IMS issue and distribute a copy of the draft document to the Quality Section for checking the format and document number
• Partake in meetings to discuss and review the relevant draft document in a timely manner
• Suggest essential changes, including deletions and additions, to the document
Head of Quality
Does a final review before signoff of Policies, Standards and Technical Standards to ensure that:
• The development team is aligned with the requirements of the Standards and Technical Standards
• The roles and responsibility clause in the Standards and Technical Standards is complete
• The Standards and Technical Standards are complete (all required clauses are completed)
• The requirements in the Standards and Technical Standards are reviewed for completeness
• The appropriate references to procedures and supporting documentation are made
• There is no duplication of information
• The document content meets the requirements of the Document and Record Management Standards
• Possible gaps in the information are identified in liaison with the Development Team
Information Management Specialist
Does a final review of Procedures and Supporting Documentation to ensure:
• The structure, template, format, correctness and completeness of the documents
• Proper filing of the approved hard copy of IMS documents and maintenance of the electronic version of the documents
• All the document templates are kept updated and made available to the users
• The content of the document is aligned with the document type

5 Authorisation
The Projects Services Manager and Chief Engineering & Projects Officer have seen and approved this
document as per the sign-off page.

6 Revisions

Date            Rev.  Remarks
08-Aug-01       01
29-Nov-01       02
May 2012        03    Template Correction, No revision to contents
October 2016    04    Section 3 has been comprehensively revised in-line with latest applicable codes and best industry practices & compliance with ORYX GTL CPE&G Model Standard Rev.1 Sept. 2015
September 2019  05    Template update, No revision to contents.

7 Endorsed by Quality Section

Head of Quality

8 Development Team

Designation                Name                          Reviewed Date   Signature
Projects Services Manager  Hussain A. Al Sada
Projects Manager           Ali Khedher
HSE Manager                Ismail Saleh M A Al-Khabani
Technical Manager          Marcel Krause
Production Manager         Paul Vardanega
Maintenance Manager        Barend Johannes De Klerk
