Pan Asset Operations Guide To Risk Assessment

Sakhalin Energy Investment Company Ltd.
APPROVED BY
Position: Operations and Process Safety

Support Manager
Signature:
Name: Sergey Shishebarov
Date: 27.09.2021
PAN ASSET OPERATIONS: GUIDE TO RISK ASSESSMENT
ОПЕРАЦИИ НА ОБЪЕКТАХ КОМПАНИИ

РУКОВОДСТВО ПО ПРОВЕДЕНИЮ ОЦЕНКИ РИСКОВ
Document Number 1000-S-90-01-P-0631-00-E
Confidentiality Level Restricted
Information Custodian S.L. Shishebarov, Operations and Process Safety Support

Manager
Revision Number 03
Issue Purpose AFU – Approved for Use
Effective Date (corresponds to the issue

date unless specified otherwise)
ACAL ID NA
This document belongs to Sakhalin Energy Investment Company Ltd. (Sakhalin Energy) and is intended for use by Sakhalin Energy
personnel only. This document can be provided for use to third parties under the agreement with Sakhalin Energy only. Title and all
rights to this document and information contained in the document are vested in to Sakhalin Energy. All rights reserved.
Decision on changes of the contents of this document can be made by Information Custodian only. The document control process
is regulated by the Procedure No. 0000-S-90-01-P-0501-00-E.
Current revision of this document is located in the controlled area in UNICA. Before using the copy of this
document, it is the User’s responsibility to ensure that it is current.
REVIEW LIST
Visa Description Position Signature Name Date
Document Lead Technical

developed Safety Engineer
Maxim Nikitin 22.09.21
Lead Process 22-09-21

Document reviewed Samir Awad
Safety Engineer
1000-S-90-01-P-0631-00-E Rev. 03 AFU – Approved for Use Restricted Page 2 of 41

DOCUMENT REVISIONS HISTORY
Rev. Location of Change Brief Description of Change
Approved for Use

01 Complete Document
Previously entitled HAZOP terms of reference (TOR) guide.

Updated to include application of various types of
02 Throughout document
qualitative risk assessment in addition to HAZOP for use in
asset operations and engineering design
Key roles and responsibilities tables for risk assessment

processes added
Desktop Safety Review section 5 expanded with detailed
information, requirements for execution, pool of facilaitators
and the reposnibilities of participants.
03 Throughout document Cummulative risk assessment section removed.

Additional schematics added throughout the document
sections.
Templates of risk assessment worksheets added in
appendices
Examples of of RAM cases explanation added.
1000-S-90-01-P-0631-00 Rev. 03 AFU – Approved for Use Restricted Page 3 of 41

TABLE OF CONTENT:
1 INTRODUCTION............................................................................................................... 6
PURPOSE ........................................................................................................... 6
SCOPE ................................................................................................................ 6
TERMINOLOGY .................................................................................................. 8
2 TASK RISK ASSESSMENT ............................................................................................. 9
1.1 DEFINITION AND RESPONBILITIES .................................................................. 9
1.2 TRA REPORTING ............................................................................................. 10
1.3 DYNAMIC RISK ASSESSMENT ........................................................................ 10
3 HAZID ............................................................................................................................. 11
SCOPE .............................................................................................................. 11
HAZID METHODOLOGY ................................................................................... 11
HAZID RESPONSIBILITIES............................................................................... 14
HAZID TASKS ................................................................................................... 15
4 HAZOP ........................................................................................................................... 19
METHODOLOGY............................................................................................... 19
HAZOP REQUIREMENTS AND GUIDELINES .................................................. 20
COMPETENCE REQUIREMENTS .................................................................... 20
Approved Facilitator (CHAIRMAN) ................................................................................... 20
Scribe .............................................................................................................................. 20
NODE SELECTION ........................................................................................... 20
HAZOP REPORTS ............................................................................................ 22
RULES FOR HAZOP ......................................................................................... 22
HAZOP DEVIATIONS ........................................................................................ 23
HAZOP KEY PHASES AND RESPONSIBILITIES ............................................. 23
5 DESKTOP SAFETY REVIEW (DSR) .............................................................................. 24
METHODOLOGY............................................................................................... 24
TEAM COMPOSITION....................................................................................... 25
FACILITATOR (CHAIRMAN) REQUIREMENTS ................................................ 25
LIST OF COMMON DEVIATIONS AND CONSEQUENCES. ............................. 25
DSR KEY PHASES AND RESPONSIBILITIES .................................................. 26
6 ALARP WORKSHEET .................................................................................................... 27
7 REFERENCES................................................................................................................ 28
APPENDIX A – MANDATORY HSSE&SP DELIVERABLES THROUGH PROJECT PHASES
............................................................................................................................................... 29
APPENDIX B – EXAMPLE OF HAZARDS AND EFFECTS REGISTER................................ 30

APPENDIX C – HAZARDS INVENTORY............................................................................... 31

APPENDIX D – HAZOP REQUEST FORM EXAMPLE (HAZOP WAIVER) ........................... 32
APPENDIX E – TASK RISK ASSESSMENT EXAMPLE TEMPLATE ................................... 33
APPENDIX F – EXAMPLE OF DSR WORKSHEET ............................................................... 35
APPENDIX G – EXAMPLE OF ALARP WORKSHEET ......................................................... 36
APPENDIX H – PROCESS SAFETY EVENTS RAM CLASSIFICATION EXAMPLES .......... 38

1 INTRODUCTION
PURPOSE
The purpose of this document is to provide necessary advisory guidance to Asset operations and Project
personnel for organising and implementing a risk assessment for new and existing installations, as defined
in the Sakhalin Energy Management Risk Standard [Ref.11]. This guide seeks to clarify the purpose,
scope and application of each form of qualitative risk assessment and the controls of usage in Sakhalin
Energy of:
• Task Risk Assessment
• HAZID
• HAZOP
• Desktop Safety Review
• ALARP Worksheet
Contractors may have risk assessment procedures as part of their management systems. Should
contractors use their procedures for work on Sakhalin Energy assets and projects, they shall be aligned
with the contents of this guide.
It is recommended that staff, involved in the above-mentioned reviews, receive training with regard to risk
management aspects.
This guide does not represent all qualitative risk assessments available in the industry, hovewer it focuses
on mostly used within Sakhalin Energy.
Information about various methods of risk assessment can be found in different industry practices, for
example GOST 12.0.230.5-2018 [Ref. 21] and ISO 17776 [Ref. 14] (RF equivalent is GOST R ISO 17776-
2012).
The selection and application of different risk assessments is dependent on the complexity of the solution,
and Process Safety group could be contacted for further clarifications on suitable risk assessment
technique to use.
SCOPE
HSE risk in Sakhalin Energy is managed through Managing Risk Standard [Ref. 11], which set out to
achieve continuous improvement and to reduce HSE Risks in the red and yellow areas of the Risk
Assessment Matrix to levels As Low As Reasonably Practicable (ALARP) through application of the
Hazard and Effects Management Process (HEMP).
Process Safety risk assessment in Sakhalin Energy relates to Major Accident Hazard management and
is classified as either Quantitative Risk Assessment (QRA) or qualitative risk assessment. This guide
covers only application of qualitative risk assessment for projects and asset modifications.
Results of QRA for each asset may be found in the asset HSE Case and specialist quantitative studies
required for design HSE Cases for major projects. The HSE Case QRA is prepared as set out in the
Sakhalin Energy Managing Risk Standard [Ref. 11, Appendix 7].
Semi-quantitative risk assessment techniques used in Instrumented Protective Function assessments use
HEMP and Layers of Protection (LOPA) techniques which are covered by DEP 32.80.10.10 [Ref. 13].
Risk assessment is part of the HEMP process described as:

Figure 1. HEMP process (simplified)

The guidance on the classification of risk in accordance with the RAM is provided in Managing Risk
Standard – Appendix 5. Risk Assessment Matrix Specification [Ref. 11]. Typical examples of using RAM
for Process Safety events ranking is represented in Appendix H.
Risks associated with Major Accident Hazard for each asset are documented in the asset Hazard and
Effect Register as part of the asset HSE Case. The development of the HSE Case starts in the project
phase with the Design HSE Case with underpinning safety studies and culminating in the Operations HSE
Case when the project is handed over to asset operations. The risk assessments of supporting studies
are not covered in this guide but are included here for completeness.
Figure 2. Risk Assessment During Design and Operate Phases (HSE Case Development process)
Deliverables supporting HSE Case development including risk assessments at each phase of the project
are defined in Project Standard 1 – Capital Project HSSE & SP Management [Ref. 17] and represented
in Appendix A. The process is shown in Figure 2 and required by the HSSE & SP Control Framework,
which Sakhalin Energy adopted.
Risk assessment associated with well design are also not included in this document and the reader is
referred to Sakhalin Energy Technical Directorate Management System [Ref. 12, Section 4]. Risk
assessments associated with operating a well with a known defect / issue need to follow this risk
assessment guide.
The application of the requirements in Sakhalin Energy as related to Process Safety in facilities design
are further set out in the Application of ALARP Framework within Sakhalin Energy Risk Management
Standard [Ref. 1]. Scaling of the Process Safety deliverables to the risk of the project as measured by
project cost and complexity, are agreed with the Process Safety TA2.
All changes in Sakhalin Energy are governed by Management of Change (MoC) process [Ref. 9]. Each
MoC is classified for implementation either as a project or a plant change. For project, there are different
executing parties in design phase e.g., International Design and Engineering contractors, Russian Design
Institutes (RDIs), Technical Advisors and OEM etc. Sakhalin Energy implements Plant Changes via
Engineering and Maintenance discipline engineers. Irrespective of whether project or plant change, the

Process Safety deliverables assuring adequate assessment of risk must be agreed with the Process
Safety TA2.
This document provides guidance to risk assessment in both design and in operations.
TERMINOLOGY
ALARP As Low As Reasonably Practicable
DSR Desktop Safety Review
DAM Discipline Authority Matrix
DCAF Discipline Control and Assurance Framework
HAZID Hazard Identification
HAZOP Hazard and Operability
HSE Health Safety Environment
IA Impact Assessment
MOPO Manual of Permitted Operations
OEM Original Equipment Manufacturer
OR&A Operations Readiness and Assurance
PCAP Project Controls & Assurance Plan
PEFS Process Engineering Flow Scheme
SIMOPS Simultaneous Operations
SoF Statement of Fitness
TA Technical Authority
TA2 Technical Authority Level 2
TOR Terms of Reference
TRA Task Risk Assessment

2 TASK RISK ASSESSMENT
1.1 DEFINITION AND RESPONBILITIES

Task Risk Assessment (TRA) is defined in the PTW manual [Ref.15, Section 7]. TRA is a risk assessment
at a detailed level of an activity, which requires documented assessment of hazards and controls to be
approved at specific organizational levels. The TRA may be in support of:
• a permit to work (WCC) for a planned hazardous operation
• a FSR deviation such as for continued operation with an impaired Safety Critical Element
• a Management of Change request form
The TRA demonstrates that risks have been identified and reduced to ALARP through mitigating
measures which must be put in place before commencement or during work period. The risks may be
Process Safety (with major accident hazard potential) or personal safety related.
HAZOP, HAZID and DSR are predominantly aimed at identifying and mitigating design risks, for which
both technical and operational skills are required. TRA is aimed at operational activities and predominantly
requires asset operational skills in preparing the permit (WCC). Risk assessment associated with
Management of Change may also require technical competences.
Operational Risk Assessment (ORAs) are also defined in the PTW manual [Ref.15, Section 4]) and are
defined as risk assessments associated with equipment rather than a specific task. ORAs serve as
visualization of risk associated with equipment, such as out of service instrumentation where
controls/restrictions on work would be applied, and where work on the equipment, system or area is to be
undertaken.
Responsibilities for the TRA and ORA are defined in the PTW manual. The responsibilities of the initiator
of the TRA are to:
• Ensure that the assessment team includes personnel with all the necessary knowledge and
competences for the task involved
• Ensure the team understands the assessment process and what it is trying to achieve
• Lead the team in performing the TRA
• Ensure that the TRA includes a worksite visit where practicable
• Review each task step and identify what level of risk assessment is required
• Ensure the team is guided systematically through the assessment process and kept on track
• Take responsibility for the quality of the TRA
• Ensure that the detail of the assessment is adequately recorded.
• Lead the Toolbox Talk before work commences.
The initiator of the TRA can be the Performing Authority in the Permit To Work system.
TRA may require specialist technical skills to be part of the TRA team, where the nature of the task is of
a specialized or complex nature. The TRA can be prepared separately from the asset but the site
operations personnel need to be involved and agree to the hazards and controls as part of the permit
(WCC) preparation.
There is no restriction on who can initiate a TRA. The skills necessary to undertake the responsibilities
above need to be developed, in particular to ensure that adequate technical and operational skills and
experience have been part of the TRA process. There are no prescribed skills to facilitate a TRA beyond
having broad operational and technical experience and qualifications. The facilitator must be able to
assemble a team for the TRA with the appropriate operational technical skills to identify and address the
hazards. The skill of the facilitator is therefore in understanding the right skills to have in the TRA.
Accountability for completeness and accuracy of the TRA remain with the issuer and authorizer of the

permit (WCC), in accordance with the PTW manual.
1.2 TRA REPORTING

The TRA may be either Level 1 or level 2 in support of the Permit (WCC). The decision on Level 1 or
Level 2 RA is defined in the PTW manual [Ref. 15]. The reporting of the results of the TRA can be simply
hazards and controls documented in the WCC risk assessment section.
An example template of a separate L2 RA, which can be done externally and outside of ePTW system to
supplement a WCC, is shown in Appendix E. Sakhalin Energy RAM is used is used for L2 RA to define
the risk level associated with a task. Once it is defined, the team works on determining required controls
to the extent allowing to judge that the risks are at ALARP level to proceed with the task.
More complex Level 2 RAs may require procedures to mitigate risk. All such procedures, if not part of
asset approved procedures, must be approved by the appropriate technical authorities.
1.3 DYNAMIC RISK ASSESSMENT

Dynamic risk assessment is defined in the Hazardous Activities Standard - Tool Box Talk Procedure
[Ref. 18, Appendix 4] as part of the Worksite Hazard Management with more details included within Permit
to Work Manual [Ref. 15]. Should the conditions, hazards or controls change during the course of the
work since the TBT was held with the work party, the change should be reassessed for any new risks and
appropriate controls documented.

3 HAZID
SCOPE
HAZID is a technique for early identification of potential hazards, including Major Accident Hazards and
threats for greenfield project or brownfield modifications. The technique has two styles, Conceptual (Initial)
and Detailed (Main) and should be applied during the early stages of a project development / modification.
It is therefore likely to be the first formal HSE-related study for any new project, which provides essential
input to project development decisions.
The application of the hierarchy of risk controls, which starts with the controls perceived to be most
effective and moves down to those considered least effective (Figure 3), will lead to safer and more cost-
effective design options being adopted with a minimum cost of change penalty.
Figure 3. Risk control Hierarchy

Major Accident Hazards are those which are with RAM level 5 or RAM Red potential and have been
documented in the asset HSE Case (Hazards and Effect Register) or project design HSE Case.
HAZID can apply to a project, an activity such as construction or marine operation or SIMOPS.
HAZID Study is normally done prior to HAZOP Study.
It is used for structured identification of hazards by applying checklist to steps in a process/activity, entire
site/facility.
The result of HAZID is identification of causes and consequences of hazard scenarios (process releases
and external hazards), controls in place, risk associated with each scenario. In case of greenfield project
HAZID becomes the basis for the list of MAH.
HAZID METHODOLOGY
The study method is a combination of identification, analysis and brainstorming based on the hazards
identified on the checklist.

Most hazard identification techniques rely on some form of checklist. Frequently the term HAZID is used
interchangeably with a checklist approach.
The HAZID technique is:
• a means of identifying and describing occupational HSE hazards and threats at the earliest
practicable stage of a project or for plant modification
• a meeting employing a highly experienced multi-discipline team using a structured brainstorming
technique, based on a checklist of potential HSE issues, to assess the applicability of potential
hazards
• a rapid identification and description process only, not a forum for trying to solve potential
problems
• actions developed from a HAZID should be listed, action parties and completion dates assigned
and tracked to closure
The methodology has been based on the HAZID Manual EP 95-312 [Ref. 6] and ISO 17776 [Ref. 14] and
diagrammatically can be shown in Figure 4.
Figure 4. HAZID process

HAZID has been developed specifically to reflect the importance of HSE issues on the fundamental (and
often non-HSE-related) decisions that are made at the inception of all development projects (e.g., design
concept and location). HAZID is the first opportunity to collect experienced line and HSE staff together to
address, in a short timeframe, the issues surrounding a new project. For existing assets, the Hazards and
Effects Register documented in the asset HSE Case is used as the basis of a HAZID. The format of the
HSE Case Hazards and Effects register is shown in Appendix B.
Consequences of each hazard are those with the worst case credible outcome. It is essential that an
experienced and balanced team take part in the HAZID with HSE staff participating to remind participants
of major accidents in the oil and gas industry as well as near miss incidents in Sakhalin Energy. It is also

important that worst case credible outcomes are not discounted because other barriers prevent or mitigate
the outcome. Beware of multiple barrier failure or the Swiss Cheese model of James Reason.
It has been often said that “no that can’t happen here because of double jeopardy” when what is being
said is that other barriers will prevent the consequence from materialising. Major accidents in industry
have shown that their causes have been failures of multiple barriers. Relying on other barriers is not
sufficient justification for allowing a barrier to be impaired or unavailable.
If no new hazards to those in the asset HSE case are envisaged, then a HAZID is not required for each
project or modification. If in doubt, the initiator should convene the HAZID with the appropriate technical
and operational personnel and confirm that this is the case. Managing Risk Standard – Appendix 5. Risk
Assessment Matrix Specification [Ref. 11] explains how to classify risk.
The inventory of generic hazards which should be consulted to ensure all hazards have been covered in
the HAZID can be found in Appendix C [Ref. 19].
Reporting of the HAZID should use the same format as the asset or project hazard and effect register
(see example in Appendix B).

HAZID RESPONSIBILITIES
Figure 5. Activity Responsibility Matrix

The key roles and responsibilities are summarised below with more detail provided in the task descriptions

Task Role and Responsibility Position
1 Identification of need for HAZID and allocation of suitable Sponsor

resources
2 Allocation of adequate time and resources for the review Sponsor

and identification of Co-ordinator
3 Collation of drawings and procedures, selection, Co-ordinator

contracting and briefing Chairman and team members,
organisation of venue, provision of IT services. Quality of
the HAZID process.
4 Provision of suitable team members Sponsor
5 Competent Chairman appointment Coordinator in consultation with

Process Safety TA
6 Selection of suitable checklist, running of HAZID study, Chairman

preparation of session records and accountable for report
7 Recording team discussions Secretary
8 Confirmation that proposed action meets intent raised in Chairman and Co-ordinator
review
9 Entry of actions to action tracking system Co-ordinator
10 Implementation of actions Sponsor
HAZID TASKS
Task 1: Identify need for HAZID study and define scope
Accountability with Sponsor (Project Manager, Asset Leader or Activity Manager)
There are different justifications for HAZIDs. These include Project Gates, Management Of Change
procedures, HSE or Safety Case preparation or revisions, or any situation where there is concern over
controls and the level of risks in design, construct, operate or decommission phases. HSE critical activities
such as major construction, SIMOPS, marine operations and combined operations would generally
require a HAZID unless previous reviews were considered robust or standard controls, procedures and
safeguards are appropriate to the specific location and activities proposed.
A critical input to the Hazard Register is an Initial HAZID completed for the ORP Phase, Assess.
A Main HAZID may be completed for the ORP Phase, Select for a project but at any stage during the
Operate phase for a new activity.
Since HAZIDs are generally undertaken at the front end of projects the actions are expected to be closed
out during the project life. However, for projects or activities covered by generic HAZIDs it may be
appropriate to review the actions on a periodic basis.
The Sponsor should specify the scope of the HAZID in terms of facility or activity boundaries, workpacks,
activities, operating scenarios and the deliverables and timing.

Task 2: Select Chairman and Secretary

Accountability with HAZID Co-ordinator.
The HAZID Co-ordinator must be a senior project or discipline engineer with experience of the HAZID
process.
The Chairman shall be selected in consultation with the Technical Safety Engineering discipline (Process
Safety TA) on the basis of the list of approved Facilitators Competence Register.
Where the HAZID has been initiated during a design project managed by an engineering contractor the
Sakhalin Energy representative must satisfy himself of the competence of the Chairman proposed by the
contractor in consultation with the Safety Engineering function.
Depending on the complexity and duration of the HAZID the Chairman should then use his or her preferred
Secretary. This will enable the sessions to be summarised and recorded most efficiently. For small or low
risk HAZIDs the Chairman may record the output, but the workload should not be allowed to compromise
the quality of the deliverables.
The Co-ordinator and Chairman should discuss a preliminary estimate of the cost, time and resources for
the HAZID at this stage and agree full or exception reporting and the format of the final report and action
close-out process. Full reporting against the chosen checklist is the expected norm.
Task 3: Select Team Members

Accountability with HAZID Co-ordinator, Chairman to concur
The Co-ordinator should discuss the composition of the team with the Chairman. The involvement of an
experienced Operator is essential for any HAZID during the Operate phase. For Initial HAZIDs in new
locations knowledge of local regulations is also essential. Other expertises should be represented if the
scope requires e.g. representatives of operations, process, drilling, well services, subsea, vendor reps,
construction, logistics, contractors, or other specialist engineers. The Chairman should satisfy himself of
the role and experience of all personnel proposed for the team and confirm the HAZID is suitably staffed
for the study.
Task 4: Identify Drawings and Procedures

For an Initial HAZID information may be limited but might include basic information on the proposed
exploration and production facilities, locations of the development, the quality of the infrastructure and
details about the population and previous land use. For a proposed development, several options may
have been under consideration and some information on costing and project economics should be
available. Because of the immaturity of the information, it is particularly important to record the base
assumptions and revisit the findings if the scope subsequently changes.
For a Main HAZID design work would normally have progressed to the point where Process Flow
Schemes (PFS) have been developed and some thought has been given to plot layout, hazardous
inventories, utility requirements, etc.
Available information (discipline checked and frozen) should be discussed by the HAZID Co-ordinator and
Chairman and then issued to the Chairman. This will allow the Chairman to finalise the HAZID scope and
duration prior to the start of the work. An estimate should be prepared accordingly.
The drawings and critical procedures should then be copied to each team member. Additional sets in
electronic files or large scale paper copies may assist discussions in the HAZID session. Key personnel
may have specific procedures or philosophies for individual reference.
Task 5: Confirm location and arrangements

A room of sufficient size and arrangements to ensure smooth running of Team sessions is essential. The
necessary arrangements include tables and seating, lighting, PC, screen, HVAC, catering, printing,
photocopying, telecoms, IT support etc.
An off-site venue usually provides these arrangements and limits the opportunities for team members to
absent themselves.
Task 6: Prepare programme for HAZID

Accountability with Chairman
The Chairman should use his experience to divide the scope into logical and manageable sections to
conduct the review. A HAZID terms of reference should be developed and agreed with the Co-ordinator
so that the scope of work is clearly identified. Discussions may be required between the Chairman and
e.g. the project engineer to confirm understanding and approach.
HAZID scopes can be quite varied. It is not feasible to list all possible hazards for all possible scopes.
Worksheets for the full scope should be defined by the Chairman before the start of the HAZID.
Appendix B and Appendix C provide report template (Hazards and Effects Register) format and HAZID
checklist (inventory) respectively. These are not exhaustive and there are other examples in industry
guidance. It is the Chairman’s responsibility to ensure an appropriate structure is used and described in
the HAZID report. This is a critical success factor for any HAZID and a reason behind competence
assessment for HAZID leaders.
The Chairman must prepare an agenda and programme at start of session and must monitor progress
against it.
Task 7: Undertake and record HAZID

Accountability with Chairman
The Chairman should explain the HAZID process and then lead the session using the checklist and
reference to marked up drawings or key procedures. A PC based system in the form of spreadsheet (see
example in Appendix B) is strongly recommended for communication as it speeds up reporting and issuing
of actions and enables team members to see all worksheet entries.
A project engineer should introduce the scope of work and explain the key HSE features and design
thinking at the time.
During the session the Chairman is expected to moderate discussions and challenge the assembled
specialists on adoption of future standards and the suitability of generic procedures for project designs
and the robustness of controls and application of industry practices for activity HAZIDs.
For issues or concerns that raise actions it is only necessary to record the action, action party and closure
date. The actions raised may be categorised to assist management review or monitoring as follows:
• Assessment of the hazard Consequence and Frequency for risk indication,
• Assign potential criticality of action e.g. High, Medium, or Low,
• Hazard category e.g. Safety, Health, Environment, Asset, Operability,
• Milestone e.g. Detailed Design completion, first oil, first gas.
Irrespective of size, HAZID sessions should not exceed six hours. The Chairman should be alert to fatigue
causing a reduction in quality and be prepared to extend the overall time requirements.
Task 8: Prepare draft report, issue and incorporate comments

Accountability with Chairman for the report, and with HAZID Co-ordinator to circulate and collate
comments for Chairman.
On completion of the HAZID the Secretary should prepare the first draft of the HAZID report. The

Chairman is accountable for the contents and technical accuracy of the report. The minimum contents for
a report are;
• Scope
• Objectives
• Team, place, date
• Action Summary
• Method and Guidewords
• Worksheets
• Appendices should include essential drawings or procedures and a listing of all documents (and
their revision status) considered in the sessions.
The Co-ordinator is responsible for circulating the draft report for comment, collecting comments and
distribution to the Chairman to enable him to incorporate or reject.
Task 9: Track and close-out actions

Accountability with HAZID Close-out Co-ordinator.
The Close-out Co-ordinator should enter actions in an appropriate tracking system and regularly report
progress on close-out to the Co-ordinator and Sponsor. For example, Company recognized web-based
actions tracking system “iAcTra” may be used for this process. Actions should be sent to appropriate
parties for completion and should be sent on by the Close-out Co-ordinator if further review is required
e.g. by technical specialists or Technical Authorities. The most robust close-out involves the Chairman
confirming that individual responses fully address the concern raised in the original action. Where, for
reasons of availability, this cannot be done the Co-ordinator should approve the response. Alternatively,
a designated Asset or Project individual with suitable independence and experience may be used.
Where actions are not closed out before a contract milestone e.g. completion of conceptual design, a
suitable handover package relating to the outstanding actions must be prepared by the Close-out
Coordinator.
Task 10: Issue close-out report

Accountability with HAZID Close-out Co-ordinator.
Issue a brief summary report with signed, accepted action sheets included. Recipients of HAZID reports
may include safety specialists or compliance focal points.
The HAZID Co-ordinator is responsible for arranging that relevant correspondence up to the completion
of the HAZID report is archived for the duration of the project to provide an auditable trail behind ALARP
demonstrations, hazard registers and decision registers. The HAZID report is then part of project
documentation.
For activities during the Operate phase the HAZID report will provide the basis of an ALARP
demonstration. This includes the original study session notes, technical correspondence (including
comments on the draft report) and covering letter for issuing the report. The registration of HAZID report
is through the Sakhalin Energy document control procedure. Where the asset hazard and effect register
has been affected by the HAZID eg. where hazards or controls have been modified, the asset HSE Case
document should be updated.
The main objective of HAZID during Project phase is to identify a list of Major Accident Hazards (MAHs)
that will subsequently feed into a more detailed assessment of each MAH using the bowtie method, which
consequently lead to Safety Critical Elements identification for each MAH.
The Co-ordinator should provide feedback on performance to the Chairman and to the Technical Safety
Engineering function (Process Safety TA).

4 HAZOP
METHODOLOGY
HAZOP is a structured hazard identification and analysis tool in the design and operation of a facility. It is
the application of a formal, systematic examination of process and engineering intentions of new or
existing facilities to assess the potential of mal-operation or malfunction of individual items of equipment
and their consequential effects on the facility as a whole. HAZOPs are not design reviews and any design
issues raised are to be captured in close out and transferred back to design group.
The main difference between HAZID and HAZOP studies is that HAZID Study focuses on hazards outside
of pipes whereas HAZOP Study focuses on hazards inside the pipes. HAZID Study can be carried out
using PFS and without PEFS being available. However, HAZOP Study must be carried out using PEFS
being available.
Designers are expected to use this document as their base case Terms of Reference when developing
their own HAZOP TOR. This guide specifies requirements for Sakhalin Energy that are not addressed in
the Shell DEM1 DEP 80.00.00.15 HAZOP Study [Ref. 7] and sets the qualifications and approvals for
conducting a HAZOP as required by the DEM1 DEP. The custodian of this guide is the registrar of
competent HAZOP Facilitator qualified to chair HAZOPs in and/or for Sakhalin Energy.
This guide sets requirements for any deviation from the HAZOP as required by the HAZOP DEP. The
HAZOP waiver process must be followed as per the form attached in Appendix D of this guide.
Sakhalin Energy has modifications which are executed through Brownfield projects where for the
application of HAZOP workshops the external facilitation is required.
The aim of HAZOP is to review and verify approved Process Engineering Flow Schemes (PEFS) against
the standards adopted for the project in relation with Technical Safety issues as a whole, in particular
process safety and to identify any weaknesses in the safety features and safeguards.
The method is equally applicable to major Greenfield developments, Brownfield projects, small plant
modifications or operating procedures. The concept is to break the system selected for study into small
sections (‘nodes’) and then to identify hazards by examining each section and using a series of parameter
and guide word filters to structure the brainstorming process (Figure 6).
Figure 6. HAZOP Process

The TA for Process Engineering must endorse all PEFS for HAZOP and if applicable Control & Automation
TA must endorse instrument safeguards.

HAZOP REQUIREMENTS AND GUIDELINES

The details of HAZOP Process are provided in various international requirements including RF standards
(e.g. GOST 27.012-2019 “Dependability in technics. Hazard and operability studies (HAZOP studies)”).
Sakhalin Energy has adopted mandatory Shell DEM1 DEPs Specification and Informative for HAZOP -
DEP 80.00.00.15 [Ref. 7] for HAZOP process. DEP provides specific instructions on the HAZOP study
and identifies requirements beyond that covered by industry guidelines.
HAZOP is also further identified and described in the Discipline Controls Assurance Framework (DCAF,
[Ref. 4]) and close out of all actions derived from HAZOP are a requirement of the Statement of Fitness
(SoF) [Ref. 20].
HAZOP’s on Brownfield Projects are predominately facilitated by Sakhalin Energy design and engineering
contractors with 3rd party involvement and consideration of independency of Chairman. These HAZOP’s
are attended by discipline engineers and Technical Authorities from these design and engineering
contractors and Sakhalin Energy and are a project responsibility as part of the project PCAP identified in
DCAF.
HAZOP’s can also be facilitated by suitably qualified consultant companies approved by Sakhalin Energy.
HAZOP workshops are also carried out both in Yuzhno and remotely between design and engineering
contractor’s office and Sakhalin.
Existing Sakhalin Energy Guidelines for HAZOP doc. No 2000-M-99-N-S-0001 and 1000-S-00-N-S-0002
are superseded by this guide.
COMPETENCE REQUIREMENTS
HAZOP participants are encouraged to go through HAZOP Awareness course and will be formally
registered in write-protected HAZOP Competence Register and kept by the custodian of this document.
Competence training is made available to identified personnel and they will be the only signatories of
HAZOP close out report. Personnel such as TAs who have currently contributed to HAZOPs will be
included in the HAZOP Competence Register without the need for formal training.
Approved Facilitator (CHAIRMAN)
The HAZOP Chairman shall be independent of the project team organization (design contractor). In this
context, independent means a Chairperson has a reporting line separate from the project organisation.
External HAZOP facilitators will be in the register recognized by company name. The company shall
provide the proposed CVs to Process Safety TA2 for review and approval.
Internal facilitators will be required to go through HAZOP Leadership course with qualifications provided
in Shell DEM1 DEP 80.00.00.15 [Ref. 7] and verified competent by Process Safety TA2.
Scribe
The Scribe is the person who records the minutes of the HAZOP Study. The HAZOP Recorder/Scribe
should be an experienced disciplines or operations professional who has participated in HAZOP before
and is able to articulate participant's discussions in write-up.
NODE SELECTION
The selection of nodes is carried out by the facilitator and identified on the Process Engineering Flow
Scheme (PEFS) drawings and approved by Sakhalin Energy Process Engineer TA2.
An example is given in Figure 7 below where the node selected will be identified on each PEFS by number
and colour.
A node represents a section of a process in which conditions undergo a significant change. For example,
a pump system will be a node because liquid pressure is increased, a reactor is a node because chemical
composition changes, and a heat exchanger is a node because it causes changes in fluid temperatures.
In practice, a single node will frequently involve more than one process change. For example, the node
for a chemical reactor will include changes to pressure, temperature and composition.

Figure 6 shows how a PEFS can be divided into three nodes. Each node has been circled with a cloud
line.
• Node 1 (blue line) is the Tank, T-100, with its associated equipment and instrumentation (the
process change is level in the tank).
• Node 2 (red line) incorporates two pumps, P-101 A/B, and the flow control valve, FCV-101 (the
process changes are flow rate and liquid pressure).
• Node 3 (green line) includes the pressure vessel, V-101, with its associated relief valve, and other
instrumentation (the process changes are pressure, chemical composition and level).
Figure 7. Example of Node Selection (schematic only)

Figure 8. Example of Node Selection on PEFS
HAZOP REPORTS
The draft HAZOP Report should be issued within a week after the HAZOP session. The final HAZOP
Closed-Out Report should be issued after proper closure of all action items.
HAZOP’s on Brownfield projects including Wells and facilitated by the Designer, the final HAZOP Close-
Out will be tracked by HAZOP Co-ordinator using the agreed company’s or contractor’s assurance
system. The HAZOP Closed-Out Reports must be approved by the relevant Process Safety Discipline TA
or business equivalent competent person to ensure the intent of the original actions is fully satisfied.
HAZOP Close-out is a SoF requirement and could prevent handover and start-up.
If actions are not closed-out by a pre-determined date, all the outstanding actions will be included in the
Fountain Action. A Fountain Assurance Coordinator will be appointed by the Process Safety TA2. The
Fountain Assurance Coordinator will track all the open actions to closure and Process Safety TA2 will be
approving all these fountain actions.
RULES FOR HAZOP

PEFS to be marked up by number and colour by Facilitator and agreed by Sakhalin Energy Process
Engineering TA2.
Marked-up PEFS to be printed and individual participant copies available on the day of the workshop.
Remote facilitation (i.e., the HAZOP Facilitator/Chairman being in remote location to the participants of
the study) for HAZOP studies that are looking at hydrocarbon and utilities (system which is health and
safety critical) processes normally is not allowed by Sakhalin Energy as this could cause reduction in
quality due to lack of face to face direct communication. The deviation from this requirement on case by
case basis should be sought and approved by relevant Process Safety TA. Sakhalin Energy has already
had IT issues that prevented videoconferencing capability during process design reviews. Project team
on both Sakhalin Energy and engineering contractors are accountable for ensuring that IT and
videoconferencing capability is in good working order before requesting for deviation. Project team to
ensure proper arrangement is in place so that visas will be available in advance in anticipation of trips to
facilitate workshops.

If during discussion it is evident that the point raised is a design issue it is to be captured as action and
move on.
HAZOP review session should ideally not exceed six hours per day. This is particularly relevant for larger
studies which are run over several days or weeks where team fatigue and other work priorities may
accumulate. This could cause a reduction in quality and possibly extend the overall time requirements.
HAZOP Facilitator should use his/her discretion when planning the HAZOP Study.
Facilitators and attendees must be listed in competence register as highlighted in section 3.3 of this
document.
HAZOP DEVIATIONS
In some cases where there is no process engineering involved, deviation from HAZOP requirements can
be sought and approved by Process Safety TA2. HAZOP waiver is required (via HAZOP Request Form)
which is to be signed by engineering contractor’s Lead Technical Safety Engineer and Project Engineer.
A form (HAZOP Request Form) is attached in Appendix D as an example.
The HAZOP waiver process must be followed as per the form attached (as an example) in this guide.
HAZOP KEY PHASES AND RESPONSIBILITIES

Phase Task / Activity Responsibility
1: Definition Define Scope Authorised Person
Provide competent team members Sponsor
Identify HAZOP Facilitator Sponsor/Authorised Person
2: Preparation Prepare HAZOP agenda and logistics HAZOP Co-ordinator
Prepare Terms of Reference, Nodes, Chairman

Programme
Prepare documents for review HAZOP Co-ordinator
3: Examination Lead the Team through the HAZOP Process Chairman
Record the minutes of the Study Recorder/Scribe
4: Documentation Prepare and finalise draft report, and obtain Chairman

and follow-up management approval of the final report
Confirm that recommendations meet intent Technical Authority (TA2) or

raised in the review equivalent
Track and close recommendations HAZOP Close Out Coordinator
Issue Close-out report and audit HAZOP Close Out Coordinator
Sign off Close-out report Authorised Person

5 DESKTOP SAFETY REVIEW (DSR)
METHODOLOGY
Determining ALARP throughout the Management of Change (MoC) [Ref. 9] phase for Operating facilities
requires a different approach from that used in the project phase established in Sakhalin Energy, and
requires a documented review of the risk posed by the change (permanent, temporary and emergency).
This includes the following essential items:
• risks identified;
• auditable link to a documented risk assessment;
• actions required during implementation phase to mitigate risks of change itself or in physically
implementing the change;
• any additions checks/requirements to the implementation phase.
Desktop Safety Review (DSR) is one of the HEMP qualitative tools commonly used in Sakhalin Energy to
document risk assessments of minor plant modifications (i.e. plant changes through MoC process with
ample design and operating experience is available) or operating procedures. This guideline outlines the
process that need to be followed during the risk assessments including approved leader to facilitate the
DSR and relevant participants experience.
The decision to use the Desktop Safety Review process and any deviations from it requires the approval
of the Process Safety Team as identified in DAM.
Technical Desktop Safety Review is a line-by-line multiple-discipline review of the MoC initiated redline
marked-up Process Engineering Flow Schemes (PEFS) for the process, off-plot and utility under the lead
of an experienced facilitator.
The aim of this review is to verify the PEFS against the standards adopted in relation with Technical Safety
issues as a whole, in particular process safety and to identify any weaknesses in the safety features and
safeguards. This is to ensure that the plant will handle all foreseeable operating conditions, including
maintenance, start-up and shut-down (both normal and emergency), in a safe, healthy and reliable
manner, with minimum environmental impact. To facilitate progress, reviewed systems will be marked in
an easily identified color on the PEFS studied by the team leader.
DSR should only be carried out for those processes, which are well known in the Company. Where
insufficient design and operating experience is considered to be available, HAZOP studies are
recommended instead.
The Desktop Safety Review shall be performed in a similar manner as a HAZOP review by following the
guidance provided in DEM1 DEP 80.00.00.15 [Ref. 7], however the methodology does not rely on the
formal use of a list of guidewords - such as for the HAZOP review - to generate deviations from the design
intent, but relies on the experience of the review team to identify such deviations. This is considered
acceptable for those processes for which ample design and operating experience is available in the
Company and, more importantly, in the review team.
There two subtle differences between the DSR and HAZOP as follows:
• DSR takes advantage of the experience and technical safety expertise of the facilitator, and
allows the facilitator the flexibility to skip or minimize the discussion for the guideword-parameter
combinations that the facilitator doesn’t see significant safety implication. Operability issues those
do not have the potential to lead to safety concerns are also skipped. This allows much stronger
focus on safety related scenarios. The time saved is used for more in-depth discussion and
analysis of the major hazardous scenarios identified in the review to ensure there are sufficient
and robust safeguards present, and also used for coming up with robust recommendations.
• Unlike HAZOP that documents discussions for every Guideword-Parameter combination, DSR
mostly documents exceptions or gaps unless full documentation is specifically requested.
Documentation for only gaps works well for processes that Company has already had significant
operational experiences so that most of the hazards have been understood and operating
procedures and manuals have covered the hazards and precautions needed.

The review includes:

• Identification of possible deviations from the actual design intent
• Identification of possible causes for deviations and determination of the consequences
• Identification of deviations from design practices, guidelines and recommendations on technical
HSE, fire safety and operability issues.
Operability aspects in this context include those features of equipment, tanks, piping, valves,
spades, instruments, etc., that allow the installation to be operated in a safe and healthy way by
trained personnel, and that provide adaptability to the installation to different operating modes
(including start-up, shut-down, upsets, venting and draining of equipment, etc.) with minimum
impact on environment and on personnel and equipment safety. Not primarily related to reliability
and on-stream time.
• Evaluation of the impact of the consequences on the technical and fire safety and operability) of
the plant and its interconnected facilities2 and on the environment. Recommendations for design
changes are made by the team. The team leader is the catalyst for maintaining a structured
discussion, challenging existing practices or design parameters where considered necessary, to
ensure a thorough review of the facility.
Review of the interfaces with other installations, to ensure that the safety and environmental
integrity of both new and interconnected plants is not violated by the interconnections. This
includes Utility Systems, where impact on existing facilities must be assessed with respect to
capacity, reliability, safety and environment
The example of the DSR worksheet is attached in Appendix F.
TEAM COMPOSITION
To allow good focus and perform an effective DSR it is required from the team participants to be
knowledgeable in their field of expertise. The discussion will be led through the unit’s design, technology
and operability aspects.
The key team members involved in the review are:
• Team leader (Chairman)
• Process technologist / Process engineer
• Process automation and Control Engineer
• Process Safety engineer
• Operations representative
FACILITATOR (CHAIRMAN) REQUIREMENTS

Internal facilitators will be required to go through DSR / HAZOP Leadership course and verified competent
by Process Safety TA.
DSR / HAZOP Leadership course shall be provided externally via formal training with provided
certification. The training provider shall be approved by Process Safety TA before the course.
After formal training new facilitator requires to participate and lead at least one Desktop Safety Review
under the supervision of Process Safety TA in order to verify his/her competency.
The internal facilitator shall be from the list of qualified trained DSR leaders (Competence Register) and
shall be independent of the MoC team for which the risk assessment is conducted.
LIST OF COMMON DEVIATIONS AND CONSEQUENCES.

Unlike the HAZOP review, which encompasses a very structured use of a list of standard guidewords for
problem identification, the desk review relies more on experience and expertise in the review team. As
mentioned before, this is considered acceptable for those processes where ample design – and operating

experience is available. However, HAZOP guidewords might be applicable for DSR as well.
Notwithstanding this, it is helpful if an informal list with key words is available, related to the most frequently
found deviations from design intent and consequences. This will assist further in guiding the creative
thinking process in identifying deviations and consequences.
This list may be different for different systems and assets and could be developed prior to or during the
review, as appropriate.
Common examples are:
DSR KEY PHASES AND RESPONSIBILITIES

Phase Task / Activity Responsibility
1: Definition Identify the assessment scope MoC Coordinator

(DSR requirement shall be agreed with Process
Safety TA)
Provide competent team members Relevant discipline leads
Identify and agree independent DSR Facilitator MoC Coordinator
2: Preparation Prepare DSR agenda (arrange a suitable time MoC Initiator

schedule in accordance with the status of
documentation)
Prepare Terms of Reference, documents for MoC Initiator with consultation

review with Chairman
Prepare Nodes (mark-up) Chairman
3: Examination Lead the Team through the DSR Process Chairman
Record the minutes of the Study Chairman or Scribe
4: Documentation Prepare and finalise draft report (DSR Chairman

and follow-up worksheet)
Confirm that recommendations meet intent Technical Authority (TA2) or

raised in the review equivalent
Upload finilised DSR worksheet into e-MoC MoC Coordinator

tool
Track and close recommendations MoC Initiator
Upload evidence of recommendations Close- MoC Coordinator

outs into e-MoC tool

6 ALARP WORKSHEET
The ALARP determination process is defined in Application of ALARP Framework within Sakhalin Energy
Risk Management Standard [Ref. 1]. The purpose of the ALARP worksheet is document decisions made
where there are options in design or in asset operations and to demonstrate that the risk of the selected
option cannot be reduced further without grossly disproportionate effort or cost.
The example of ALARP worksheet template is shown in Appendix G. The team composition and
facilitation of the ALARP worksheet preparation follows the HAZID rules in section 3 of this guideline.
Figure 9. Screening and Concept Selection Process (ISO 17776 [Ref. 14])

7 REFERENCES
1. Application of ALARP Framework within Sakhalin Energy Risk Management Standard, 1000-S-
90-04-O-0009
2. Asset Integrity Process Safety Manual, 1000-S-90-01-P-1404
3. Cumulative Risk Guidelines, Oil and Gas UK, Issue 1, ISBN 1 903 004 76 7, October 2016
4. Discipline Controls and Assurance Framework Standard, July 2016
5. HAZID Procedure, EPE Safety Engineering PR01, EP200801248658, Chris Wilson, 2007
6. HAZID, Shell HSE Manual, EP 95-0312
7. HAZOP Study, Shell DEM 1 DEP 80.00.00.15
8. HSE Case Specification, Appendix 7, Sakhalin Energy Managing Risk Standard, 0000-S-90-04-
O-0006
9. Management of Change Procedure, 0000-S-90-01-P-0268
10. Pan-Asset Application of Matrix of Permitted Operations (MOPO) Guideline, 1000-S-90-01-T-
0525-00
11. Sakhalin Energy Managing Risk Standard, 0000-S-90-04-O-0006
12. Sakhalin Energy Technical Directorate Management System, 1000-S-90-01-M-0086-00
13. Safety Instrumented Systems, DEP 32.80.10.10
14. Petroleum and natural gas industries – offshore production installations – Major accident hazard
management during design of new installations, ISO 17776
15. Permit to Work Manual: Integrated Safe System of Work (ISSOW), 1000-S-90-04-P-0031
16. Process Safety Events/ Wells Process Safety Incident Management Procedure, 1000-S-90-04-
P-0202
17. Project Guide 1 Capital Projects HSSE & SP Management (Health, Safety, Security, Environment
& Social Performance), Shell P&T
18. Tool Box Talk Procedure, Appendix 4, Sakhalin Energy Hazardous Activities Standard, 0000-S-
90-04-O-0261
19. HSE Specification: Hazard Inventory, EP2005-0300-SP-01
20. Production Directorate Operations Pan-Asset Procedure - Statement of Fitness, 1000-S-90-01-
P-0435-00
21. Occupational safety standards system. Нealth management systems. Risk assessment methods
to ensure the safety of work, GOST 12.0.230.5-2018

APPENDIX A – MANDATORY HSSE&SP DELIVERABLES THROUGH PROJECT PHASES

APPENDIX B – EXAMPLE OF HAZARDS AND EFFECTS REGISTER

APPENDIX C – HAZARDS INVENTORY
Hazard
Inventory.xlsm
[open attachment to access full list of hazards]
Ref. No. Hazard Category Possible Source

H-01 Hydrocarbons (Unrefined)
H-01.001 Liquid Natural Gases (LNGs) Cryogenic plants, tankers.
H-01.002 Condensate Storage tanks, gas wells, gas pipelines, gas separation vessels.
H-01.003 Hydrocarbon gas Reservoirs, wells, oil/gas separators, gas processing plants, compressors, gas
pipelines.
H-01.004 Coal Mining activities, boiler fuel source.
H-01.005 Crude (oil) Reservoirs, wells, pipelines, pressure vessels, storage tanks.
H-01.006 Hydrocarbons from Shale Mining activities, extracted oil shale deposits.
H-01.007 Oil Sands Tar sands, bituminous sands (clay, sand, water, bitumen).
H-01.008 Other Hydrocarbon source Sub sea gas hydrates.
H-02 Hydrocarbons (Refined)
H-02.001 Liquefied Petroleum Gases (e.g., Propane) Process fractionating equipment, storage tanks, transport trucks and rail cars.
H-02.002 Gasoline's (Napthas) Vehicle fueling stations, vehicle maintenance.
H-02.003 Kerosene's / Jet Fuels Aircraft, portable stoves, portable lanterns, heating systems, storage tanks.
H-02.004 Gas Oils (Diesel Fuels / Heating Oils) Vehicle fueling stations, vehicle maintenance.
H-02.005 Heavy Fuel Oils Shipping fuel, bunkers, heating systems, storage tanks.
H-02.006 Lubricating Oil Base Stocks Engines and rotating equipment, hydraulic pistons, hydraulic reservoirs and pumps.
H-02.007 Aromatic Extracts Heavy fuels, petroleum pitches and resins, rubber and plastics, naphtha.
H-02.008 Waxes and Related Products Filter separators, well tubulars, pipelines.
H-02.009 Bitumen's and Bitumen Derivatives Road construction.
H-02.010 Petroleum Coke Furnaces, boilers
H-03 Explosives
H-03.001 Detonators Seismic operations, pipeline construction.
H-03.002 Commercial Explosive Material Seismic operations, blasting, construction, firework displays.
H-03.003 Shaped Charges Well completion activities, demolition.

APPENDIX D – HAZOP REQUEST FORM EXAMPLE (HAZOP WAIVER)

APPENDIX E – TASK RISK ASSESSMENT EXAMPLE TEMPLATE
Risk_Assessment_Te
mplate.docx
[open the attachment to access the template]
Activity Description: Assessment No:
Rev:
Date(s):
Background: Assessment Team:
References: (pre-reading) Company/ Department:
Frequency of Activity: Persons Affected: Location:
Severity / RAM rating RED and yellow 5A/5B excluding consequential business loss.
Likelihood of
Occurrence A B C D E
1 May be acceptable; however, review task to see if risk can be reduced further.
2
Task should only proceed with appropriate management authorization after consultation with specialist personnel and assessment team.
3 Where possible, the task should be redefined to take account of the hazards involved or the risk should be reduced further prior to
commencement
4
Task must not proceed. It should be redefined, or further control measures put in place to reduce the risk. The controls should be re-assessed
5
for adequacy prior to task commencement.
L=Likelihood, S=Severity, R=RAM Risk before mitigations

Event / Activity Identified Hazard Credible Consequence L S R Required Controls Action
Policy/ Guidance: Pan asset Operations: Guide to Risk Assessment. 1000-S-90-01-P-0631-00-E
Approved By:
Sign:
Date:

APPENDIX F – EXAMPLE OF DSR WORKSHEET
DSR TS assessment
Worksheet - template.xlsx
[open the attachment to access the template]
Site:
Project:
Unit / Equipment / Line:
Design intention:
Drawings:
Cause / Safeguards /
Item Deviation / Hazard Consequence Comments Recommendations Action party
Threat Barriers
1
2
4
5
6
7
8

APPENDIX G – EXAMPLE OF ALARP WORKSHEET
TITLE
PROBLEM DEFINITION
IDENTIFY
HSE ISSUES AND POTENTIAL RISK
HSE STANDARDS AND TOLERABILITY CRITERIA
HSSE & SP CONTROL FRAMEWORK

DEPS
GOOD ENGINEERING PRACTICES
OPTIONS CONSIDERED
Option 1
• HSE risk,
• Cost, Schedule,
• Production Impact,
• Resources required
Option 2
• HSE risk,
ASSESS
• Cost, Schedule,
Option 3
• HSE risk,
• Cost, Schedule,
BASIS FOR SELECTION AND UNCERTAINTIES

TITLE
JUSTIFICATION FOR CHOSEN OPTION
Option X is recommended because of ………

ALARP is demonstrated as risk reduction is only achieved through cost, time, effort which are grossly
disproportionate to the benefit achieved
RESIDUAL HSE RISKS

CONTROL & EVALUATION
RECOMMENDATIONS FOR NEXT PROJECT

PHASE
REQUIREMENTS FOR THE OPERATIONS HSE-

PLAN

APPENDIX H – PROCESS SAFETY EVENTS RAM CLASSIFICATION EXAMPLES
Example 1. LOPC.
Offshore platform. Crude Oil leak (100 kg) though a seal of a crude oil pump. This resulted in a spill around
the pump and all Oil was contained in hazardous drain system. (Note, see page 7 for guidance on People
Potential from LOPC)
Some of the potential Consequences could be:
a) Crude oil spill into the sea from the drain system damaging the environment and requiring oil spill
cleanup response with adverse impact on the Community;
b) Ignition of the crude oil resulting in a small fire around the pump;
c) Inadequate firefighting and escalation of the fire to the point where other process equipment fails
and a major fire and explosion occurs resulting in injuries or even fatalities.
Remember that in most cases Potential Consequences are higher than actual.
1. Think whether those Consequences are credible.
Always think "What if other Controls didn't work right or failed". At the same time avoid too many 'what if's'.
Let's try to consider credibility of Consequences listed above.
a) Crude oil spill into the sea. If leak would be much smaller and maximum possible quantity of a spill
would be relatively small and limited – possibility of oil getting into the sea from drain would probably
be not credible. Still a spill from a drain system to the sea, like in our example can be treated as a
credible scenario.
b) Ignition of crude can be treated as credible only if circumstances of incident could contribute to it.
Generally hazardous assets have multiple Controls over sources of ignition. Still if in the past you
heard of such Consequences or for example there were cases of permit to work incompliances
during hot work execution or there were incidents with sources of ignition in process areas or for
example ex integrity of equipment or seal failure in the past resulted in overheating of bearing –
such Consequence can be considered to be credible.
c) Inadequate firefighting and escalation. Consequence of major accident happening from described
above case can hardly be called credible unless you have objective reasons to call it so. Still always
remember that LOPC is a C5 risk for Offshore Installation. Remember in Risk Assessment the
causes of Major Industry incidents like "Piper Alpha". It was between 50 and 70 kg's of condensate
released which caused 167 fatalities and complete loss of Piper Alpha installation.
2. Estimate the severity

If during RAM rating you came to a conclusion that only consequences "a (Crude oil spill into the sea)" are
worst case credible - Potential Consequences of oil spill into the sea would probably have Severity up to
Environment 2, People 0, Asset 0. Still if for example only by a coincident spill was 100 kg, but could credibly
be of much higher quantity, then Potential Consequences could also be higher.
3. Estimate the Likelihood
Ask yourself a question - 'How often in the past has a pump seal leak resulted in similar Consequences'.
Not 'how often pump seal leaked?' Likelihood would probably be C – Has happened in the Organization or
>1 a year in industry, still this depends on history of incidents at your Asset and Company. Ask your HSE
advisor for history of incidents if required.
Notes:
For example, in the past you had a leak to the environment but from other equipment (e.g., Crane lube oil
leak). You never had a leak from crude oil pump with similar Consequences, neither you think it happened
> once a year in Industry. Should likelihood be 'B' instead of 'C'? If past leaks were from absolutely different
systems you shouldn't count them in likelihood estimation. Likelihood would be B in this case.

For example, if in the past you had a leak from oil pump, but from flexible hose body - not from a seal.
Should likelihood be B instead of C? This is a same system so likelihood would probably be C.
For example, in the past you had a leak from other rotating equipment and liquid was different, but
Consequences were similar – leak into the sea of hazardous substance. Should likelihood be 'B' instead of
'C'? It still should be 'C'. But if you have strong justification that circumstances were absolutely different it
can be B. Experience plays a part here. Group discussion is important.
4. Estimate Risk rating. 2C Environment (Blue).
Example 2. Ignition Incident. Active hydrocarbons area.

Electrical cable found melted in active hydrocarbons area of an onshore hazardous facility.
Some of the potential Consequences could be as follows:
a) Escalation of fire and damage to other equipment;
b) Escalation of fire and harm to people due to fire or smoke inhalation;
c) Escalation of fire to process area and ignition of flammable materials. Incident with major
Consequences to asset.
1. Think whether those Worst Case Consequences are credible

a) Escalation of fire and damage to other equipment may be credible depending on circumstances
of Incident. Electrical engineer can advise you on credibility of escalation and damage of other
equipment.
b) Escalation of fire and harm to people. In most cases temperature of cable melting is capable of
igniting gas. Potential of this incident should probably be equal to LSR 2 (ignition source in
active Hydrocarbons area). This is People 5 (>3 Fatalities). Always remember that Company
pays careful attention to control of ignition sources in active hydrocarbon areas!
c) Escalation of fire resulting in major Consequences to asset from described above case can be
called credible if you have objective reasons to say so.
Notes:
What consequences would be credible if cable was found in non-active hydrocarbons area? This would
depend on circumstances as potential of escalation, operability of firefighting and fire detection systems,
presence of hazardous / flammable materials near ignition source etc.

People 5 (Consequence b, Escalation of fire and harm to people).
Let's estimate the likelihood of Consequences for People. Fatalities from ignitions happened in the industry,
so likelihood will be 'B' – Has happened in the industry. If you know of other similar incidents in the past –
then likelihood may become C.
Notes:
What likelihood would it be if this incident was not with an ordinary wire melted but with some very specific
electrical equipment burnt and you never heard of such equipment causing Consequences of 5. Should it
be A5? - In our case this incident is equal to LSR#2 likelihood should be B by default (See C-HSE User

guide for LSR RAM assessment). If you know of such events happening in the Organization or > 1 year in
industry – likelihood may become C.
4. Estimate Risk. For Consequences (b) described above risk will be – 5B People (Yellow).
Example 3. HSE Case Barrier challenge.

Planned turnaround. Maintenance override switch (MOS) was inadvertently left 'on' in one F&G Zone. Gas
detectors were inoperable for 30 hours until it was discovered. In case of gas presence in the area - F&G
system automatic executive actions (e.g., EDP, Shutdown, GPA) wouldn't have been initiated automatically.
When assessing Consequences of Barrier failure you should always look at primary purpose of this Barrier.
1. A credible Consequence could be:
- Late response to a gas release.
- High gas concentration in an area.
- Gas finds ignition source.
- Explosion localized in one zone of the plant occurs.
This is a credible Consequence as Natural gas is a highly explosive material and gas detection system is
one of the last Barriers before major accident (Remember Deepwater Horizon Platform Explosion when gas
detection system override was one of the last failed barriers and resulted in multiple fatalities). Bowties in
HSE case may help illustrate the barriers.
Severity of gas explosion depends on circumstances of the incident (e.g. number of people that could work
in that area, possible quantity of gas). Severity could be up to People 4 (up to 3 fatalities or PTD), Asset 3.
Still rating depends on circumstances of each particular incident.
Likelihood of B or C would be credible – we know of such barriers failure causing similar consequences.
4. Estimate Risk. People 4B – Yellow. Asset 3B – Blue.
Notes:
Argumentation described in this Incident example above can be used for a Risk Assessment of a failed
assurance task (e.g., inability to perform functional test of Gas detectors)
Example 4. HSE Case Barrier challenge.

Helicopter hydraulic system failure.
During routine inspection it was found that the hydraulic system of the Helicopter which was supposed to
take 4 people to the platform was found faulty.
1. One of the possible Consequences could be:
- Helicopter crash and death of > 3 people.
2. Estimate the severity. Severity will be People 5
3. Likelihood here will be C because Helicopter crashes with fatalities has happened > once a year in
the industry (varies from year to year).
4. Risk will be People 5C – Red.
Notes:
For example, you heard of helicopter crashes with similar consequences happening > once a year in a
different industry, not oil and gas. Would likelihood be A instead of C. Probably not. When we are looking at
common industry-wide situations such as helicopter transfers, an incident in aviation is just as relevant as
an incident in our industry.

For example, you have heard of helicopter crashes, but not sure if Hydraulic system failure was the cause.
Should Likelihood be B instead of C. Probably a fair rating should still be C, unless you are sure that causes
of previous crashes were absolutely different.

Pan Asset Operations Guide To Risk Assessment

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Pan Asset Operations Guide To Risk Assessment

Uploaded by

Copyright:

Available Formats

Sakhalin Energy Investment Company Ltd.

Position: Operations and Process Safety

Name: Sergey Shishebarov

PAN ASSET OPERATIONS: GUIDE TO RISK ASSESSMENT

ОПЕРАЦИИ НА ОБЪЕКТАХ КОМПАНИИ

Document Number 1000-S-90-01-P-0631-00-E

Confidentiality Level Restricted

Information Custodian S.L. Shishebarov, Operations and Process Safety Support

Issue Purpose AFU – Approved for Use

Effective Date (corresponds to the issue

Visa Description Position Signature Name Date

Document Lead Technical

Lead Process 22-09-21

1000-S-90-01-P-0631-00-E Rev. 03 AFU – Approved for Use Restricted Page 2 of 41

DOCUMENT REVISIONS HISTORY

Rev. Location of Change Brief Description of Change

Approved for Use

Previously entitled HAZOP terms of reference (TOR) guide.

Key roles and responsibilities tables for risk assessment

03 Throughout document Cummulative risk assessment section removed.

1000-S-90-01-P-0631-00 Rev. 03 AFU – Approved for Use Restricted Page 3 of 41

1000-S-90-01-P-0631-00 Rev. 03 AFU – Approved for Use Restricted Page 4 of 41

APPENDIX C – HAZARDS INVENTORY............................................................................... 31

1000-S-90-01-P-0631-00 Rev. 03 AFU – Approved for Use Restricted Page 5 of 41

1000-S-90-01-P-0631-00 Rev. 03 AFU – Approved for Use Restricted Page 6 of 41

Figure 1. HEMP process (simplified)

1000-S-90-01-P-0631-00 Rev. 03 AFU – Approved for Use Restricted Page 7 of 41

DSR Desktop Safety Review

DAM Discipline Authority Matrix

DCAF Discipline Control and Assurance Framework

HAZID Hazard Identification

HAZOP Hazard and Operability

HSE Health Safety Environment

MOPO Manual of Permitted Operations

OEM Original Equipment Manufacturer

OR&A Operations Readiness and Assurance

PCAP Project Controls & Assurance Plan

PEFS Process Engineering Flow Scheme

SIMOPS Simultaneous Operations

SoF Statement of Fitness

TA2 Technical Authority Level 2

TOR Terms of Reference

TRA Task Risk Assessment

1000-S-90-01-P-0631-00 Rev. 03 AFU – Approved for Use Restricted Page 8 of 41

2 TASK RISK ASSESSMENT

1.1 DEFINITION AND RESPONBILITIES

1000-S-90-01-P-0631-00 Rev. 03 AFU – Approved for Use Restricted Page 9 of 41

permit (WCC), in accordance with the PTW manual.

1.2 TRA REPORTING

1.3 DYNAMIC RISK ASSESSMENT

1000-S-90-01-P-0631-00 Rev. 03 AFU – Approved for Use Restricted Page 10 of 41

Figure 3. Risk control Hierarchy

1000-S-90-01-P-0631-00 Rev. 03 AFU – Approved for Use Restricted Page 11 of 41

Figure 4. HAZID process

1000-S-90-01-P-0631-00 Rev. 03 AFU – Approved for Use Restricted Page 12 of 41

1000-S-90-01-P-0631-00 Rev. 03 AFU – Approved for Use Restricted Page 13 of 41

Figure 5. Activity Responsibility Matrix

1000-S-90-01-P-0631-00 Rev. 03 AFU – Approved for Use Restricted Page 14 of 41

Task Role and Responsibility Position

1 Identification of need for HAZID and allocation of suitable Sponsor

2 Allocation of adequate time and resources for the review Sponsor

3 Collation of drawings and procedures, selection, Co-ordinator

4 Provision of suitable team members Sponsor