ISO 17776:2000

INTERNATIONAL ISO
STANDARD 17776
First edition
2000-10-15
Petroleum and natural gas industries —
Offshore production installations —
Guidelines on tools and techniques for
hazard identification and risk assessment
Industries du pétrole et du gaz naturel — Installations des plates-formes en
mer — Lignes directrices relatives aux outils et techniques pour
l'identification et l'évaluation des risques
Reference number
©
ISO 2000
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not
be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this
file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this
area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters
were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event
that a problem relating to it is found, please inform the Central Secretariat at the address given below.
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic
or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body
in the country of the requester.
ISO copyright office
Case postale 56 � CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.ch
Web www.iso.ch
Printed in Switzerland
ii © ISO 2000 – All rights reserved

Contents Page
Foreword.iv
Introduction.v
1 Scope .1
2 Terms, definitions and abbreviated terms .1
2.1 Terms and definitions .1
2.2 Abbreviated terms .3
3 Hazards and risk assessment concepts .4
4 Methods for hazard identification and risk assessment .6
4.1 Selection of methods .6
4.2 Role of experience/judgement.7
4.3 Checklists.7
4.4 Codes and standards .7
4.5 Selection of structured review techniques .8
5 Risk management .8
5.1 General.8
5.2 Identification.10
5.3 Assessment.10
5.4 Risk reduction.11
6 Guidelines for use in specific activities .13
Annex A (informative) Hazard identification and risk assessment concepts .14
Annex B (informative) Structured review techniques.20
Annex C (informative) Hazards identification and risk assessment considerations for offshore E&P
activities.31
Annex D (informative) Hazards checklist.46
Bibliography.58
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO
member bodies). The work of preparing International Standards is normally carried out through ISO technical
committees. Each member body interested in a subject for which a technical committee has been established has
the right to be represented on that committee. International organizations, governmental and non-governmental, in
liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical
Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.
Draft International Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this International Standard may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
International Standard ISO 17776 was prepared by Technical Committee ISO/TC 67, Materials, equipment and
offshore structures for petroleum and natural gas industries, Subcommittee SC 6, Processing equipment and
systems.
Annexes A, B, C and D of this International Standard are for information only.
iv © ISO 2000 – All rights reserved

Introduction
Oil and gas exploration and production activities have many hazards and hazardous events associated with them.
Different tools and techniques can be used to identify and assess hazards and risks, and it is important that the
approach selected is appropriate to the particular circumstances.
This International Standard identifies some of the tools and techniques that may be used for this purpose in the
offshore exploration and production industry and gives guidance on how they may be applied to particular activities.
This International Standard incorporates advice and guidance given in other documents used in the industry, some
of which are cited in the Bibliography.
This International Standard does not provide a detailed description of the practical application of the various tools
and techniques, as this will need to be specifically developed to deal with particular circumstances. In many cases
expert advice from competent practitioners will be required to effectively apply the tools and techniques described
in this International Standard.
INTERNATIONAL STANDARD ISO 17776:2000(E)
Petroleum and natural gas industries — Offshore production
installations — Guidelines on tools and techniques for hazard
identification and risk assessment
1 Scope
This International Standard describes some of the principal tools and techniques that are commonly used for the
identification and assessment of hazards associated with offshore oil and gas exploration and production activities,
including seismic and topographical surveys, drilling and well operations, field development, operations,
decommissioning and disposal together with the necessary logistical support of each of these activities. It provides
guidance on how these tools and techniques can be used to assist in development of strategies both to prevent
hazardous events and to control and mitigate any events that may arise.
This International Standard is applicable to:
� fixed offshore structures;
� floating production, storage and off-take systems;
for the petroleum and natural gas industries.
This International Standard is not applicable to design and construction aspects of mobile offshore units that fall
under the jurisdiction of the International Maritime Organization.
This International Standard is not intended to be used as part of certification criteria, and no defect in the
management of risks should be inferred if any of the tools and techniques covered by this International Standard
are not applied to an installation.
2 Terms, definitions and abbreviated terms
For the purpose of this International Standard, the following terms, definitions and abbreviated terms apply.
2.1 Terms and definitions
2.1.1
barrier
measure which reduces the probability of realizing a hazard’s potential for harm and which reduces its
consequence
NOTE Barriers may be physical (materials, protective devices, shields, segregation, etc.) or non-physical (procedures,
inspection, training, drills, etc.).
2.1.2
control
�of hazards� limiting the extent and/or duration of a hazardous event to prevent escalation
2.1.3
environment
surroundings in which an organization operates, including air, water, land, natural resources, flora, fauna, humans
and their interrelation
2.1.4
environmental impact
any change to the environment, whether adverse or beneficial, wholly or partially resulting from an organization’s
activities, products or services
2.1.5
escalation
spread of the impact of a hazardous event to equipment or other areas, thereby causing an increase in the
consequences of the event
2.1.6
event tree
event tree analysis
ETA
tree-like diagram used to determine alternative potential scenarios arising from a particular hazardous event
NOTE It can be used quantitatively to determine the probability or frequency of different consequences arising from the
hazardous event.
2.1.7
fault tree
fault tree analysis
FTA
tree-like diagram based upon the application of “and/or” logic used to identify alternative sequences of hardware
faults and human errors that result in system failures or hazardous events
NOTE When quantified, fault trees allow system-failure probability or frequency to be calculated.
2.1.8
functional requirements
minimum criteria which should be satisfied to meet the stated health, safety and environmental objectives
NOTE See 5.4.2 for further information.
2.1.9
hazard
potential source of harm
NOTE In the context of this International Standard, the potential harm may relate to human injury, damage to the
environment, damage to property, or a combination of these.
2.1.10
hazards register
document providing a brief, but complete, overview of the identified hazards and the measures necessary to
manage them
NOTE The hazards register also provides references to more detailed information relevant to a particular hazard.
2.1.11
hazardous event
incident which occurs when a hazard is realized
EXAMPLES Release of gas, fire, loss of buoyancy.
2 © ISO 2000 – All rights reserved

2.1.12
incident
accident
event or chain of events which cause, or could have caused, injury, illness and/or damage (loss) to assets, the
environment or third parties
2.1.13
mitigation
limitation of the undesirable effects of a particular event
2.1.14
procedure
series of steps to be carried out in a logical order for a defined operation or in a given situation
2.1.15
risk
combination of the probability of an event and the consequences of the event
2.1.16
risk analysis
use of available information to identify hazards and to estimate risk
2.1.17
risk assessment
overall process of risk analysis and risk evaluation
2.1.18
risk evaluation
judgement, on the basis of risk analysis, of whether a risk is tolerable
2.1.19
screening criterion
target or standard used to judge the tolerability of an identified hazard or effect
NOTE See 5.3.2 for further information.
2.1.20
tolerable risk
risk which is accepted in a given context based on the current values of society
2.1.21
top event
particular hazardous event considered in the development of fault and event trees
2.2 Abbreviated terms
CBA cost-benefit analysis
CFD computational fluid dynamics
EERA escape, evacuation and rescue analysis
ESD emergency shutdown
ETA event tree analysis
FMEA failure modes and effects analysis
FTA fault tree analysis
HAZAN hazard analysis
HAZID hazard identification
HAZOP hazard and operability study
HEMP hazard effect and management process
HRA health risk assessment
HSE health, safety and environment
JHA job hazard analysis
LNG liquefied natural gas
LPG liquefied petroleum gas
P&ID process and instrument diagram
PHA preliminary hazard analysis
PEM physical effects modelling
QRA quantitative risk assessment
SAR search and rescue
SIL safety integrity level
3 Hazards and risk assessment concepts
Effective management systems are required to address the health and safety aspects of the activities undertaken
1)
by all companies associated with the offshore recovery of hydrocarbons . These management systems should be
applied to all stages in the life cycle of an installation and to all related activities. Such a management system,
which has been developed for environmental issues, is described in ISO 14001 [3] and the principles contained in
this International Standard can also be applied to issues relating to health and safety.
One key element of effective management systems is a systematic approach to the identification of hazards and
the assessment of the associated risk in order to provide information to aid decision-making on the need to
introduce risk-reduction measures.
Risk-reduction measures should include those to prevent incidents (i.e. reduce the probability of occurrence), to
control incidents (i.e. limit the extent and duration of a hazardous event) and to mitigate the effects (i.e. reduce the
consequences). Preventive measures, such as using inherently safer designs and ensuring asset integrity, should
be emphasized wherever practicable. Measures to recover from incidents should be provided based on risk
assessment and should be developed taking into account possible failures of the control and mitigation measures.
Based on the results of the evaluation, detailed health, safety and environmental objectives and functional
requirements should be set at appropriate levels.
1) For example, operators should have an effective management system. Contractors should have either their own
management system or conduct their activities consistently with the operator's management system.
4 © ISO 2000 – All rights reserved

ISO 13702 [2] introduced the concept of strategies, but stated that such strategies do not have to be separately
documented as the relevant information may be included with other HSE information for an installation or may be
contained in recognized codes and standards that are relevant to the operating location. Indeed there can be
significant overlap between strategies and other HSE information, so that combining this information into one
source is likely to assist the understanding by the people on the installation of how the various measures are
integrated.
The results of the hazard identification and risk assessment activities and the decisions taken with respect to the
need for, and role of, any measures required for risk reduction should be recorded in strategies.
Hazards identification and risk assessment involves a series of steps as described below.
a) Step 1: Identification of the hazard, based upon consideration of factors such as the physical and chemical
properties of the fluids being handled, the arrangement of equipment, operating and maintenance procedures
and processing conditions. External hazards such as ship collision, extreme environmental conditions,
helicopter crash, etc. also need to be considered at this stage.
b) Step 2: Assessment of the risk arising from the hazards and consideration of its tolerability to personnel, the
facility and the environment. This normally involves the identification of initiating events, identification of
possible accident sequences, estimation of the probability of occurrence of accident sequences and
assessment of the consequences. The acceptability of the estimated risk must then be judged based upon
criteria appropriate to the particular situation.
c) Step 3: Elimination or reduction of the risk where this is deemed to be necessary. This involves identifying
opportunities to reduce the probability and/or consequence of an accident.
These three generic steps are inherent in all the methods which are described in this International Standard.
In selecting the appropriate hazard identification and risk assessment tools and techniques, the nature and scale of
the installation, the stage in the life cycle and experience of similar installations should all be considered. The level
of effort devoted to hazard identification and risk assessment should be based on the anticipated level of risk, the
novelty of the undertaking and any limitations in knowledge.
Where the more complex, structured review techniques are used, the uncertainties in the assumptions used must
be appreciated and considered when assessing necessary risk-reduction measures. It is important that
uncertainties in the assumptions are well documented and communicated to the personnel who are using the
results of the hazards and risk assessment to assist in decision-making.
For new installations or activities it is important to identify hazards as early as possible, in order that sufficient time
can be given to the study and evaluation of the hazard before determining the most appropriate solution to manage
it. It is always easier to make modifications early in the design stage of a project, when changes can be made with
minimal effect on cost and schedule.
Hazards and risk assessment can also be applied to existing facilities, but in some cases changes that would be
justified during design may not be practicable for an existing facility. As an example, improvements in layout
concepts may not be practicable for existing facilities. The work necessary in undertaking modifications to an
existing facility in itself introduces an additional risk of an accident which needs to be considered.
Figure 1 shows approaches with differing levels of complexity that may be used for hazards and risk assessment.
Figure 1 — Approaches to hazards and risk assessment
In many circumstances, the knowledge and expertise of experienced staff using a structured approach may be
sufficient to manage risk.
Checklists are quick and easy to use, and can help determine whether design standards and practices are met and
whether previously recognized hazards are properly addressed.
Where the experience gained by industry has been incorporated into codes and standards, a high level of safety
can be achieved by checking for compliance with these standard practices in design, construction, operation and
maintenance.
Structured review techniques can be used to identify and evaluate previously unforeseen hazards and unintended
events that are not adequately addressed by the previous methods.
Further details are given in annex A.
4 Methods for hazard identification and risk assessment
4.1 Selection of methods
The level and extent of hazard identification and risk assessment activities vary depending on the scale of the
installation and the stage in the installation life cycle when the identification and assessment process is undertaken.
For example:
� complex installations, e.g. large production platforms incorporating complex facilities, drilling modules and
large accommodation modules, are likely to require detailed studies to address hazardous events such as
fires, explosions, ship collisions, structural damage, etc.;
� for simpler installations, e.g. wellhead platforms with limited process facilities, it may be possible to rely on
application of recognized codes and standards as a suitable base which reflects industry experience for this
type of facility;
� for installations which are a repeat of earlier designs, evaluations undertaken for the original design may be
deemed sufficient to determine the measures needed to manage hazardous events;
6 © ISO 2000 – All rights reserved

� for installations in the early design phases, evaluations will necessarily be less detailed than those undertaken
during later design phases, and will focus on design issues rather than management and procedural aspects.
Any design criteria developed during these early stages need to be verified once the installation is operational.
Hazard identification and risk assessment activities may need to be reviewed and updated if significant new issues
are identified or if there is significant change to the installation.
4.2 Role of experience/judgement
An often adequate approach is one in which the knowledge and expertise of staff, having appropriate experience,
is used for hazard identification and assessment. This is particularly useful where the activity under consideration is
similar to activities undertaken previously at the same or different locations. Practical staff experience gained in the
field and feedback from hazardous events and near misses that have occurred is essential in this respect.
This approach on its own, however, is unlikely to be sufficient when dealing with novel or innovative systems and
facilities, or where local conditions render previous experience invalid. For example, operating experience gained in
benign tropical waters should not generally be used as the basis for evaluations of arctic installations.
4.3 Checklists
These are a useful way of ensuring that known hazards and threats have all been identified and assessed,
although the use of checklists shall not be allowed to limit the scope of any review. Checklists are normally drawn
up from standards and operational experience, and therefore focus on areas where the potential for mistakes is
high or where problems have occurred in the past. Checklists are easy to apply and can be used at any stage in
the project life cycle.
The checklist should be prepared by experienced personnel familiar with the design and operation of the facilities
and with the company and industry standards and procedures. Checklists may be applied by less experienced
personnel, although the effectiveness of the checklist technique is limited by the experience of the authors and the
diligence of the users. However, they do not provide a creative format for the identification and evaluation of new
hazards where experience is lacking.
Checklists should be reviewed and updated regularly to incorporate new experience by the company and industry,
including the results from any accident or incident investigations.
Hazard registers from previous similar developments, which contain a record of hazards identified for that
installation, are useful as a basis for checklists.
A checklist may be as detailed or as general as necessary, depending upon the specific application. It should be
conscientiously applied, in order to evaluate whether standard procedures are being followed and to identify
aspects that requires further attention. A checklist is generally the quickest and easiest method of hazards and risk
assessment, and is very effective in the control of risk arising from standard, well understood hazards.
4.4 Codes and standards
Codes and standards reflect collective knowledge and experience, accumulated on the basis of company, national
or international operations. These documents incorporate the lessons learned from previous designs, from hazards
and risk assessment and from accident and incident investigations. They thus contain an inherent hazards and risk
assessment, since the hazards have already been identified and the standard methods for their control and
mitigation defined.
Information on hazards that may be contained in codes and standards is usually applicable to a particular type of
operation. For example, the designer of a pressure vessel relief system can use a standard to find detailed
guidance on the relief cases that should be considered. In some cases, compliance with prescriptive standards
alone will reduce risks to a tolerable level. Similarly, the acceptability of emissions or discharges to the
environment, or release of agents harmful to health, can be assessed by reference to environmental quality
standards and occupational health exposure limits.
The use of checklists based upon the requirements laid out in codes and standards is a frequently used technique
which is very effective in identifying compliance with industry standard practice and highlighting aspects which
require further investigation.
4.5 Selection of structured review techniques
Where it is considered necessary to use hazards and risk assessment based upon structured review techniques,
as described in annex B, the following guidelines may be used to select the appropriate method.
Identification of the main hazards is important in the early stages of a design, in order to allow design decisions to
be made which reduce risk. HAZID and PHA may be useful to achieve this objective. If suitable information is
available, preliminary QRA may be used at this stage and can make a contribution towards optimizing the platform
layout. Sensitivity analyses, allowing the identification of parameters which have a significant effect on risk, often
form a part of such assessments.
At later stages in a design, evaluation techniques, such as FMEA, FTA (2.1.7) and ETA (2.1.6), QRA and HAZOP
may be found useful. Annex B presents information to input data for these techniques.
Evaluation of hazards and risks associated with construction tasks and operations, including inspection, testing and
maintenance are effectively undertaken using techniques such as JHA and HAZOP, whilst FTA can sometimes be
useful in identifying sequences or events which could give rise to a hazardous situation.
QRA should only be used when the input data are adequate to ensure that valid and robust results will be obtained.
In most practical applications, there will be uncertainties in both the key parameters used and the QRA model itself.
The effect of these uncertainties should be evaluated to confirm that they would not change the conclusion.
Limitations in input data are likely to be less significant when QRA is being used to evaluate options, such as during
concept selection.
QRA should only be undertaken by personnel with adequate skills and competencies. It is most important that the
QRA model effectively reflects reality and thus those familiar with the facilities and their operation need to be
involved in the evaluation. This is particularly true in relation to the preparation of input data and assumptions and
the review of results from the evaluation.
All evaluation techniques provide results which are themselves subject to a range of uncertainty and consequently,
the results should be compared with the judgement of experienced personnel.
Where there is felt to be potentially significant uncertainty in a key element of the evaluation, the use of alternative
techniques should be investigated to validate results.
Usually the identification of hazards and the evaluation of risks are undertaken to reflect the situation at a particular
point in time (e.g. construction activities, start-up of production, abandonment). Conditions on offshore installations
are however dynamic, with changes in operating parameters such as pressure, temperature and produced fluids
often being reflected in changed operating procedures and facilities. It is important therefore that the range of
conditions for which the hazard identification and risk assessment are valid are clearly stated, and that the criteria
triggering the need for re-evaluation are defined.
5 Risk management
5.1 General
5.1.1 Overview of risk management process
The process of identification of hazards and the assessment and control of risk is shown diagrammatically in
Figure 2, which also illustrates the three steps described in clause 3.
8 © ISO 2000 – All rights reserved

After the relevant hazards have been identified, the risks arising from them are evaluated either qualitatively or, if
appropriate, quantitatively. Risk-reducing measures should be introduced if the risks exceed any screening criteria,
or if there are other reasonable measures that can be justified. Once the measures required to achieve a tolerable
level of risk have been identified, the functional requirements of these measures should be defined.
The remainder of clause 5 provides more guidance on some of the important features of the risk management
process.
Figure 2 — The process of risk management
5.1.2 Organization and personnel
Hazards and risk assessment is normally performed by a team, but for some facilities or operations it may be
undertaken by an individual. The effectiveness of a hazards and risk assessment depends on the skills, knowledge
and efforts of the personnel undertaking the work.
The number of people involved and their range of experience should be determined by the size and complexity of
the facility or operation being analysed. The identification of hazards and the subsequent evaluation of risk should
be undertaken by personnel, or groups of personnel, who are both skilled in the techniques involved and
knowledgeable about the design, operation and maintenance of the facilities under consideration.
The involvement, from an early stage, of work force representatives with “hands-on” experience has been shown to
be particularly beneficial.
The effectiveness of any hazards and risk assessment is dependent upon careful planning and execution of the
various tasks. Hazards and risk assessment should be started as early as possible, subject to the availability of the
necessary information, in order that it may be a positive influence rather than a restrictive constraint on progress,
requiring rework and additional cost.
5.1.3 Documentation
The key information and the decisions made in the identification and assessment of hazardous events should be
documented in an ordered and comprehensive manner, for the benefit of both those that operate the installation
and those who may be involved in subsequent changes.
The documentation should not only record the various decisions made during the assessment process, but should
also detail the basis for the decisions.
The base data and assumptions used during the evaluations should be clearly stated and references provided
where appropriate.
NOTE The use of tables or forms for recording information in a structured manner is often useful when using many of the
evaluation techniques.
5.2 Identification
Before the risks associated with a particular activity can be assessed, it is first necessary to systematically identify
the hazards which may affect, or arise from, the particular operation under consideration. The likely effect of each
hazard being realized is also assessed, to determine whether the hazard is significant or not and whether it should
be taken forward for further investigation.
Various systematic approaches are outlined in clause 4. A hazard checklist to assist in the identification of hazards
is provided in annex D.
5.3 Assessment
5.3.1 Hazards and risk assessment
Once the hazards have been identified, the risks they present to personnel, environment and the facilities are
evaluated.
For a new development project, the hazards and risk assessment normally involves some iteration, beginning with
the evaluation of overall concepts and methods and then becoming more precise and focused as the necessary
detail becomes available in the field development lifecycle. For simple installations, the same techniques may be
used although the validity of the data used in the analysis will be better at a later stage in the project. For more
complex installations, simple analytical methods may be used at an early stage, to be followed by more
sophisticated methods when more data are available.
For an existing installation a similar step-by-step approach may be adopted, starting with a relatively wide-ranging
consideration of the general issues and then converging on areas of specific concern, using more detailed
evaluation techniques if necessary.
In evaluating risk, due consideration is given to both the likelihood (or frequency) of occurrence and the severity of
consequences arising from the initiating hazardous event.
Based upon the hazards and risk assessment, recommendations should be made to management for risk
reduction, where needed in order to achieve a tolerable level of risk. Recommendations may be based upon the
judgement of the analyst or may use criteria adopted by the company to guide decision-making on risk reduction.
5.3.2 Screening criteria
Screening criteria are the targets or standards used to judge the tolerability of an identified hazard or effect. They
are used to judge the significance of the hazards and effects and together with the results from the risk assessment
provide the basis for risk management decision-making. Screening criteria may include adoption of parameters
contained in codes and standards.
Screening criteria are normally framed in terms of parameter levels which define the tolerable threshold, based
upon the current state of science and technology and the general views of society. Criteria developed by a
company to define maximum tolerable risk levels are also screening criteria.
Appropriate screening criteria should be selected when hazards have been identified and should subsequently be
used for comparison with the results of the hazards and risk assessment. Failure to achieve a screening criterion
identifies an unacceptable condition unless it can be shown that the particular screening criterion is inappropriate in
10 © ISO 2000 – All rights reserved

the particular situation. Parameters outside the tolerable range defined in the screening criteria should only be
accepted after the consideration and agreement of senior management.
5.4 Risk reduction
5.4.1 Evaluation of risk-reducing measures
In many cases, the measures to control and mitigate hazards and risks are simple and obvious and involve
modifications to conform to standard practice. In other cases, alternative measures to reduce risk need to be
considered to achieve the best solution. It is important to consider a wide range of possible solutions to the defined
hazards, and not to assume that modification of physical facilities is the most appropriate method to control and
mitigate risk, e.g. by reducing the frequency and duration of exposure of personnel to risk.
The general hierarchy of risk-reducing measures is
a) prevention,
b) detection,
c) control,
d) mitigation,
e) emergency response.
Particular attention should always first be given to risk-reducing measures which have the effect of eliminating or
reducing the probability of hazardous events occurring. The use of inherently safer design principles to manage
risks is preferred. In inherently safer design, the following concepts are used to reduce risk:
� reduction, e.g. reducing the hazardous inventories or the frequency or duration of exposure;
� substitution, e.g. substituting hazardous materials with less hazardous ones (but recognizing that there could
be some trade-offs here between plant safety and the wider product and lifecycle issues);
� attenuation, e.g. using the hazardous materials or processes in a way that limits their hazard potential, such
as segregating the process plant into smaller sections using ESD valves, processing at lower temperature or
pressure;
� simplification, e.g. making the plant and process simpler to design, build and operate, hence less prone to
equipment, control and human failure.
Protective measures should be considered after the assessment of possible preventive measures, and should be
aimed at mitigating the effects of a hazardous event once it has occurred. Measures to restrict escalation of a
hazardous event, together with measures to protect personnel and measures to normalize the situation, may all be
considered. Fire and gas detection systems, fire-water systems, active and passive fire protection, temporary
refuge, evacuation systems, oil clean-up and recovery equipment and procedures, protective clothing, etc. are all
examples of protective measures.
Factors that will influence the selection of measures to reduce the risk include
� the technical feasibility of the risk-reducing measure,
� the contribution of the risk-reducing measure,
� the costs and risks associated with implementing the measure,
� the degree of uncertainty associated with the risk, or the risk-reduction technique, including human factors.
A progressive approach to risk reduction should be adopted, giving attention first to those measures which have
greatest effect in risk reduction for least effort. Successive evaluations of risk-reducing measures are undertaken
until a point is reached where all the screening criteria have been satisfied (or dispensation has been given by
senior management) and no further risk-reducing measures are reasonable.
Risk-reducing measures should be assessed to determine whether they are technically viable and have significant
effect. In many situations such assessments can be left to the judgement of the person undertaking the risk
management decision-making, who will decide what is satisfactory based upon experience and normal good
practice.
In other situations, the effort required to implement a risk-reducing measure in terms of cost, time, difficulty,
necessary resources, etc. needs to be considered against the benefit likely to be achieved.
An approach widely used is to evaluate the effort and cost involved in a number of different risk-reducing measures
and to estimate the risk-reducing effect of each. By evaluating the cost or effort necessary to arrive at a common
level of risk reduction it is often possible to identify those measures which are clearly more effective in risk
reduction. In addition, sensitivity analyses should be included as part of a cost-benefit analysis in order to highlight
the effect of uncertainties.
The uncertainties associated with cost-benefit analysis are such that the results of such analysis should only be
used in conjunction with good engineering judgement when deciding whether or not to implement a risk-reducing
measure.
Evaluation of risk-reducing measures should always be based on sound engineering principles and common
sense. The following aspects should also be observed: local conditions and circumstances, the state of scientific
and technical knowledge relating to the particular situation, and the estimated costs and benefits.
5.4.2 Strategies and functional requirements
The results of the hazards and risk assessment and the decisions taken in respect to the need for, and role of, any
risk-reducing measures should be recorded so that they are available to those who operate the installation and for
those involved in any subsequent change to the installation. In ISO 13702 [2], the term used to refer to this record
is “strategy”. The level of detail in a strategy needs to be consistent with the stage of the project. In the initial stages
it is of necessity relatively brief, setting out general principles and overall requirements, but as the project proceeds
it will become more specific.
For a particular installation a number of such strategies may be required. The level of detail in a strategy depends
upon the scale of the installation and the stage in the installation life cycle at which the risk management process is
undertaken. The strategies should describe the role, and any functional requirements, of each of the systems
required to manage possible hazardous events on the installation. ISO 13702 [2] provides guidance on appropriate
levels of detail in the strategies.
A focused approach should be used to the specification of functional requirements, with greater attention given to
the definition and monitoring of critical equipment, systems and procedures than to less critical elements.
Functional requirements should be verifiable, realistic and achievable, and should be reviewed at specified intervals
to ensure their continuing relevance and suitability.
An important principle to be adopted in the setting of functional requirements is that their number and level of detail
should be commensurate with the magnitude of the risk to be managed. Thus caution should be exercised to avoid
setting functional requirements at a level of detail that makes little contribution to the management of the risks on
an installation.
In identifying the systems for which functional requirements are developed, the following factors should be
considered:
� the systems selected should make a significant contribution in controlling risk;
� the parameters selected should be directly relevant to the achievement of the system goals;
12 © ISO 2000 – All rights reserved

� the parameters selected should be capable of verification.
Functional requirements for risk-reducing measures should include
� those parameters which are are clearly identifiable and important to fulfil a role in risk reduction;
� procedural or operational criteria, where essential in the control of risk;
� directly verifiable criteria which do not require extensive computational effort;
� recording of data to confirm compliance with functional requirements.
This should, wherever possible, be part of the normal operational and recording tasks associated with the particular
activity. This reduces the possibility of duplication of effort and increases the probability that the task will be
undertaken in a conscientious and efficient manner.
6 Guidelines for use in specific activities
The methods used in the identification of hazards and the evaluation of risk as described in clause 4 may be
applied to any exploration and production activity. Although the general approach is the same for all activities, the
techniques and detailed approach used will vary depending upon the particular activity under consideration.
Although different types of evaluation may be carried out for different exploration
...