ISO/TS 16901:2015

TECHNICAL ISO/TS
SPECIFICATION 16901
First edition
2015-03-01
Guidance on performing risk
assessment in the design of onshore
LNG installations including the ship/
shore interface
Guide pour l’évaluation des risques dans la conception d’installations
terrestres pour le GNL en incluant l’interface terre/navire
Reference number
©
ISO 2015
© ISO 2015
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2015 – All rights reserved

Contents Page
Foreword .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviations. 6
5 Safety Risk Management . 7
5.1 Decision support framework for risk management . 7
5.2 Prescriptive safety or risk performance . 8
5.3 Risk assessment in relation to project development . 9
6 Risk .11
6.1 What is risk .11
6.2 Safety philosophy and risk criteria .11
6.3 Risk control strategy .11
6.4 ALARP .12
6.5 Ways to express risk to people .13
6.5.1 General.13
6.5.2 Risk contours (RC) .13
6.5.3 Risk transects (RT) . .14
6.5.4 Individual risk (IR) .14
6.5.5 Potential loss of life (PLL) .14
6.5.6 Fatal accident rate (FAR).14
6.5.7 Cost to avert a fatality (CAF) .14
6.5.8 F/N curves (FN) .14
6.6 Uncertainties in QRA.15
7 Methodologies .15
7.1 Main steps of risk assessment .15
7.2 Qualitative risk analysis .15
7.2.1 HAZID .15
7.2.2 Failure mode and effect analysis (FMEA) .17
7.2.3 Risk matrix .17
7.2.4 Bow-tie .18
7.2.5 HAZOP .19
7.2.6 SIL analysis .21
7.3 Quantitative analysis: consequence and impact assessment .21
7.3.1 Consequence assessment .21
7.3.2 Impact assessment .23
7.4 Quantitative analysis: frequency assessment .24
7.4.1 General.24
7.4.2 Failure data .24
7.4.3 Consensus data .25
7.4.4 FAULT tree .25
7.4.5 Event tree analysis (ETA) .25
7.4.6 Exceedance curves based on probabilistic simulations .25
7.5 Risk assessments (consequence*frequency) .26
7.5.1 Risk assessment tools .26
7.5.2 Ad hoc developed risk assessment tools .27
7.5.3 Proprietary risk assessment tools .27
8 Accident scenarios .28
8.1 Overview accident scenarios .28
8.2 LNG import facilities including SIMOPS .28
8.3 LNG export facilities .31
8.4 Chain of events following release scenarios .32
9 Standard presentation of risk .34
Annex A (informative) Impact criteria .36
Bibliography .57
iv © ISO 2015 – All rights reserved

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information.
The committee responsible for this document is ISO/TC 67, Materials, equipment and offshore structures
for petroleum, petrochemical and natural gas industries.
TECHNICAL SPECIFICATION ISO/TS 16901:2015(E)
Guidance on performing risk assessment in the design of
onshore LNG installations including the ship/shore interface
1 Scope
This Technical Specification provides a common approach and guidance to those undertaking assessment
of the major safety hazards as part of the planning, design, and operation of LNG facilities onshore and
at shoreline using risk-based methods and standards, to enable a safe design and operation of LNG
facilities. The environmental risks associated with an LNG release are not addressed in this Technical
Specification.
This Technical Specification is aimed to be applied both to export and import terminals, but can be
applicable to other facilities such as satellite and peak shaving plants.
It applies to all facilities inside the perimeter of the terminal and all hazardous materials including LNG
and associated products: LPG, pressurised natural gas, odorizers, and other flammable or hazardous
products handled within the terminal.
The navigation risks and LNG tanker intrinsic operation risks are recognised, but they are not in the
scope of this Technical Specification. Hazards arising from interfaces between port and facility and ship
are addressed and requirements are normally given by port authorities. It is assumed that LNG carriers
are designed according to the IGC code, and LNG fuelled vessels receiving bunker is designed according
to IMO’s regulations.
Border between port operation and LNG facility is when the ship/shore link (SSL) is established.
It is not intended to specify acceptable levels of risk; however, examples of tolerable levels of risk
are referenced.
This Technical Specification is not intended to be used retrospectively.
It is recognised that national and/or local laws, regulations, and guidelines take precedence where they
are in conflict with this Technical Specification.
Reference is made to ISO 31010 and ISO 17776 with regard to general risk assessment methods, while this
Technical Specification focuses on the specific needs scenarios and practices within the LNG industry.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies
ISO/IEC Guide 73:2009, Risk management — Vocabulary
ISO 17776:2000, Petroleum and natural gas industries — Offshore production installations — Guidelines on
tools and techniques for hazard identification and risk assessment.
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC Guide 73 and the
following apply.
3.1
as low as reasonably practical
ALARP
reducing a risk (3.26) to a level that represents the point, objectively assessed, at which the time,
trouble, difficulty, and cost of further reduction measures become unreasonably disproportionate to
the additional risk reduction obtained
3.2
boiling liquid expanding vapour explosion
BLEVE
sudden release of the content of a vessel containing a pressurised liquid and for flammables often
followed by a fireball
Note 1 to entry: This hazard is not applicable to atmospheric LNG tanks, but to pressurized forms of
hydrocarbon storage.
3.3
bow-tie
pictorial representation of how a hazard can be hypothetically released and further developed into a
number of consequences (3.6)
Note 1 to entry: The left-hand side of the diagram is constructed from the fault tree (causal) analysis and involves
those threats associated with the hazard, the controls associated with each threat, and any factors that escalate
likelihood. The right-hand side of the diagram is constructed from the hazard event tree (consequence) analysis
and involves escalation factors and recovery preparedness measures. The centre of the bow-tie is commonly
referred to as the “top event”.
3.4
cost to avert a fatality
CAF
value calculated by dividing the costs to install and operate the protection/mitigation (3.18) by the
reduction in potential loss (3.20) of life (PLL)
Note 1 to entry: It is a measure of effectiveness of the protection/mitigation.
3.5
computational fluid dynamics
CFD
numerical methods and algorithms to solve and analyse problems that involve fluid flows
3.6
consequence
outcome of an event
3.7
cost benefit analysis
CBA
means used to assess the relative cost and benefit of a number of risk (3.26) reduction alternatives
Note 1 to entry: The ranking of the risk reduction alternatives evaluated is usually shown graphically.
3.8
design accidental load
DAL
most severe accidental load that the function or system shall be able to withstand during a required
period of time, in order to meet the defined risk (3.26) acceptance criteria
3.9
explosion barrier
structural barrier installed to prevent explosion damage in adjacent areas
Note 1 to entry: A wall is an example of an explosion barrier.
2 © ISO 2015 – All rights reserved

3.10
F/N curve
FN
plot of cumulative frequency versus N or more persons that sustain a given level of harm from defined
sources of hazards
3.11
failure mode and effect analysis
FMEA
analytically derived identification of the conceivable equipment failure modes and the potential adverse
effects of those modes on the system and mission
Note 1 to entry: It is primarily used as a design tool for review of critical components.
3.12
fatal accident rate
FAR
number of fatalities per 100 million hours exposure for a certain activity
3.13
harm
physical injury or damage to the health of people or damage to property or the environment
3.14
hazard
potential source of harm (3.13)
3.15
hazard identification
HAZID
brainstorming exercise using checklists the hazards in a project are identified and gathered in a risk
register (3.37) for follow up in the project
3.16
hazard and operability study
HAZOP
systematic approach by an interdisciplinary team to identify hazards and operability problems occurring
as a result of deviations from the intended range of process conditions
Note 1 to entry: All four steps are in place and recorded to manage a hazard completely.
3.17
impact assessment
assessment of how consequences (3.6) (fires, explosions, etc.) do affect people, structures the
environment, etc.
3.18
mitigation
limitation of any negative consequence (3.6) of a particular event
3.19
Monte Carlo simulation
simulation having many repeats, each time with a different starting value, to obtain distribution function
3.20
potential loss
product of frequency and harm (3.13) summed over all the outcomes of a number of top events
3.21
probability
extent to which an event is likely to occur
3.22
probit
inverse cumulative distribution function associated with the standard normal distribution
Note 1 to entry: Probit is used in QRA to describe the relation between exposure, e.g. to radiation or toxics, and
fraction fatalities.
3.23
protective measure
means used to reduce risk
3.24
quantitative risk assessment
QRA
techniques which allow the risk (3.26) associated with a particular activity to be estimated in absolute
quantitative terms rather than in relative terms such as high or low
Note 1 to entry: QRA may be used to determine all risk dimensions, including risk to personnel, risk to the
environment, risk to the installation, and/or the assets and financial interests of the company. Reference is made
to ISO 17776:2000, B.12.
3.25
residual risk
risk (3.26) remaining after protective measures (3.23) have been taken
3.26
risk
combination of the probability (3.21) of occurrence of harm (3.13) and the severity of that harm
3.27
risk analysis
systematic use of information to identify sources and to estimate the risk (3.26)
3.28
risk assessment
overall process of risk analysis (3.27) and risk evaluation (3.31)
3.29
risk contour
RC
two dimensional representation of risk (3.26) on a map
Note 1 to entry: Also called individual risk contours (IRC) or location-specific risk (LSR).
3.30
risk criteria
terms of reference by which the significance of risk (3.26) is assessed
3.31
risk evaluation
procedure based on the risk analysis (3.27) to determine whether the tolerable risk (3.45) has been achieved
3.32
risk management
coordinated activities to direct and control an organization with regard to risk (3.26)
3.33
risk management system
set of elements of an organization’s management system concerned with managing risk (3.26)
4 © ISO 2015 – All rights reserved

3.34
risk matrix
matrix portraying risk (3.26) as the product of probability (3.21) and consequence (3.6), used as the basis
for risk determination
Note 1 to entry: Considerations for the assessment of probability are shown on the horizontal axis. Considerations
for the assessment of consequence are shown on the vertical axis. Multiple consequence categories are included:
impact on people, assets, environment and reputation. Plotting the intersection of the two considerations on the
matrix provides an estimate of the risk.
3.35
risk perception
way in which a stakeholder (3.44) views a risk (3.26) based on a set of values or concerns
3.36
risk ranking
outcome of a qualitative risk analysis (3.27) with a numerical annotation of risk (3.26)
Note 1 to entry: It allows accident scenarios and their risk to be ranked numerically so that the most severe risks
are evident and can be addressed.
3.37
risk register
hazard management communication document that demonstrates that hazards have been identified,
assessed, are being properly controlled, and that recovery preparedness measures are in place in the
event control is ever lost
3.38
risk transect
RT
representation of risk (3.26) as a function of distance from the hazard
3.39
rollover
sudden mixing of two layers in a tank resulting to a massive vapour generation
3.40
rapid phase transition
RPT
explosive change from liquid into vapour phase
Note 1 to entry: When two liquids at two different temperatures come into contact, explosive forces can occur, given
certain circumstances. This phenomenon, called rapid phase transition (RPT), can occur when LNG and water come
into contact. Although no combustion occurs, this phenomenon has all the other characteristics of an explosion.
RPTs resulting from an LNG spill on water have been both rare and with relatively limited consequences (3.6).
3.41
safety
freedom from unacceptable risk (3.26)
3.42
SIMOPS
concatenation of simultaneous operations
Note 1 to entry: SIMOPS often refers to events such as maintenance or construction work in an existing plant when
there are more personnel near a live operating plant and who are exposed to a higher level of risk (3.26) than normal.
3.43
showstopper
event or consequence (3.6) that produces an unacceptable level of risk (3.26) such that the project cannot
proceed and where the level of risk cannot be mitigated to an acceptable level
3.44
stakeholder
any individual, group, or organization that can affect, be affected by, or perceive itself to be affected by
a risk (3.26)
3.45
tolerable risk
risk (3.26) which is accepted in a given context based on the current values of society
4 Abbreviations
For the purposes of this Technical Specification, the following abbreviations apply:
ALARP as low as reasonably practical;
BLEVE boiling liquid expanding vapour explosion;
CAF cost to avert a fatality;
CFD computational fluid dynamics;
CBA cost benefit analysis;
DAL design accidental load;
EDP emergency depressuring;
ERC emergency release coupling;
ESD emergency shutdown;
ETA event tree analysis;
FAR fatal accident rate;
FEED front-end engineering design;
FEM finite element method;
FN frequency vs number (of affected individuals);
FMEA failure mode and effect analysis;
FMECA failure, modes, effects, and criticality analysis;
HAZID hazard identification;
HAZOP hazard and operability study;
HEMP hazards and effects management process;
IR individual risk contour;
LSR location-specific risk;
LOPA layers of protection analysis;
MTTF mean time to failure;
MTTR mean time to repair;
6 © ISO 2015 – All rights reserved

OBE operating basis earthquake;
PERC power emergency release coupler;
P&IDs process and instrument diagrams;
PIMS pipeline integrity management system;
PLL potential loss of life;
QRA quantitative risk assessment;
RC risk contour;
RPT rapid phase transition;
RT risk transect;
SIL safety integrity level;
SMS safety management system;
SSE safe shutdown earthquake;
SSL ship/shore link.
5 Safety Risk Management
5.1 Decision support framework for risk management
Safety risk management is integrated in the project development and decision making processes and
need as consistent support for decisions in all phases of an LNG development but does not include the
full operational lifecycle.
The approach to risk management should address the project-specific requirements as agreed between
the different parties and stakeholders and also establish an agreed format to communicate risk and
ensure that decisions are made in a consistent and agreed format through the life of the project.
The acceptance criteria including the format should be defined in compliance with regulations and company
standards. The format of the acceptance criteria prescribes thereby the approach as discussed below.
There is a wide range of tools and approaches that can be used to support decisions related to risk
management. UK Offshore Operators Association (UKOOA) presented a framework for decision support
reflecting the significance of the decision as well decision context. The framework as shown for
information in Figure 1 illustrates the balancing between use of codes and standards, QRA, and decision
processes reflecting company and societal values.
Signiicance to Decision
Making Progress
MEANS OF CALIBRATIONDECISION CONTEXT TYPE
Nothing new or unusual
Codes and Standards Well understood risks
A
Established practice
No major stakeholder implications
Veriication
Lifecycle implications
Peer Review
Some risk trade-offs/transfers
Some uncertainty or deviation from
B
standard or best practice
Benchmarking
Signiicant economic implications
Internal Stakeholder
Very novel or challenging
Consultation
Strong stakeholder views and perceptions
C Signiicant risk trade-offs or risk transfer
Large uncertainties
External Stakeholder
Perceived lowering of safety standards
Consultation
Figure 1 — Decision support framework for major accident risk management
5.2 Prescriptive safety or risk performance
Both prescriptive and risk-based approaches are used in the planning, design, and operation of LNG facilities.
Prescriptive approaches represent industry experience and practices.
The main advantages with prescriptive approaches are predictability and effective decision processes
in the design.
The main objections to the use of prescriptive approaches are that they do not accommodate new
solutions and thereby can limit novel development and improvement. Further, when the requirements
are met, the prescriptive approaches do not encourage a continued effort for further improvements.
Risk-based approaches have developed in the nuclear and offshore industries. Risk-based approaches
are used in many parts of the world and are gaining a wider usage.
In essence, risk-based approaches start from first principles aiming at demonstration that the risk
acceptance criteria are met with a proper selection of design and operational measures. In principle,
no “prescribed solutions” should be given as a starting point (but in reality, good industry experience,
practices, and standards are adopted as the starting point).
The main advantage of a risk-based approach is that it does stimulate new and improved solutions; it
encourages continuous focus on improved safety, and it focuses efforts on the key areas as formulated
in the risk acceptance criteria.
Normally, a risk-based approach starts early and focuses the attention on the key issues that should be
addressed in the different project phases. In most cases, a risk-based approach ensures that the correct
decisions are made at the right time and thereby avoids costly revisions and adjustments. Further, the
site specific conditions and particular stakeholder views are better reflected.
The main criticism to risk-based approaches focuses on the complexity of the process, and the line
of responsibility can become unclear. It is essential that risk acceptance criteria are established and
derived from national and international regulations and owner’s requirements.
It is often found that a risk-based design does not enable all engineering design disciplines to proceed on
a firm design basis until the results from the risk analysis is available. This can have a schedule impact.
8 © ISO 2015 – All rights reserved
Risk Based Analysis
e.g. QRA, CBA
Company Values
Engineering Judgement
Societal Values
Good Practice
Codes &
Standards
Further, the uncertainty involved due to e.g. lack of relevant failure data, model assumptions can make
it difficult to relate to the results. A situation where detailed results from sophisticated computational
models can generate false confidence in the results can lead to the wrong conclusion. The uncertainty is
a particular concern when a risk-based approach is used to demonstrate that sensible safety measures
are not needed.
Risk analyses shall not be used to deviate from good engineering practice.
Finally, it is often claimed that the lack of predictability leads to increased cost. But the savings earned
by adopting novel solutions can be significant but difficult to quantify.
Successful use of a risk-based approach normally requires an iterative process where the first layouts
and decision are based on experience and industry practice (i.e. prescriptive guidelines, standards for
process design, etc.) and that this first estimate is qualified and improved using risk-based techniques.
Risk analyses also enable areas and causes of higher risk to be identified so that mitigation measures
can be applied in a cost effective manner.
5.3 Risk assessment in relation to project development
Risk assessment is used for decision support.
The decisions being made in the different phases of a project development vary, and the need for decision
support accordingly.
The available information and level of detail as input to any risk assessment increase as the planning
progresses. As a result, the requirements to risk assessment techniques and results vary over the project
phases, and this can represent a challenge in the communication of the results.
In the early phase of the planning where the key issue is to select business model and technical concept,
the main risk activities are to establish risk criteria and safety targets, as well as to demonstrate absence
of showstoppers. This requires qualitative approaches.
At this stage of project development, quantitative risk analyses have limited value as no detailed
information to describe the facilities are available as input.
In the next phase, the risk assessment should provide quantitative risk information related to the land
planning in support of the permitting process.
In later project phases where key issues are the design of mitigation measures, more detailed analyses
are appropriate to provide a proper basis for project decisions.
In some jurisdictions, the planning process makes it difficult to modify proposals once they have been
submitted to the planning authorities. This makes it difficult to modify the design to reduce risk as
detailed engineering develops. This aspect should be considered in project planning.
The requirements, recommendations, and advice given in this Technical Specification reflect this need.
Risk assessment and risk results shall always reflect the following:
a) the type of decision that shall be made;
b) effective utilization of available information.
Actions arising from reviews such as HAZID, risk matrix, HAZOP, etc., which are not closed out after
the review, should be recorded in a tracking system (for example, a risk register). This should answer
that items requiring action at later project stages (i.e. items for operating manuals, etc.) should not be
overlooked or forgotten.
This varying level of details in the risk assessment process is illustrated in Table 1 which also is relevant
to a wide range of different types of industrial risk assessment
Table 1 should be used in preference to ISO 13010, Table A.1 to identify risk assessment methods. Further
description is given in Clause 7.
Table 1 — Typical requirements to risk-related information in different project phases
Project phase Needed risk related infor- Key decisions based on risk Method of risk assessment
mation assessment within this guideline
Pre-FEED — Identify stakeholders — Select site — HAZID
(i.e. Concept
— Input to the permitting — Select concept — Consequence analyses of
selection and
process (demonstrate major accident scenarios
business case — Identify and decide risk
absence of showstoppers)
development) criteria — Prepare risk criteria
— Risk criteria
— Select design criteria — Risk communication to
— First estimate of the risk legislation and stakeholders
— Select design options
level (when required by
regulators) — Approve continued devel-
opment
— Basic design options
— Go-ahead for the
development
FEED — Focus areas for the — Optimisation of the — Qualitative analysis (risk
Development of design process, i.e. results design in terms of safety by matrix)
basic design from HAZID and Consequence comparison of options
— HAZOPs and
analysis
— Select main technologies determination of SIL
— Estimate of the risk level requirements
— Performance standards for
of design options
safety system — QRA
— Basis for selection of an
— Confirm concept — Determine DALs
optimised basic design
selection
— Detailed consequence
— Authority permit assessment
— Decide to start detail — Fire/explosion analysis
design
— Risk communication to
legislation and stakeholders
Detail design — Performance standards — Selection of equipment, — Detailed QRA
for components and systems solutions and operational
— Detailed HAZOPs
procedures
— Issues to be addressed
— SIL assessment
in the design identified in — Detailed design
HAZOP findings incl. SIL
— Vendor HAZOPs
requirements
— Evacuation analysis
— Specifications for
buildings and equipment
Commissioning — Final results from risk — Approve the design — Completion of risk
and start-up assessment studies and verification
— Approve decision to
schemes
— Confirmation of start up
acceptance according to — Commissioning of safety
regulations systems
— Risk communication to
legislation and stakeholders
10 © ISO 2015 – All rights reserved

6 Risk
6.1 What is risk
Risk is defined in ISO 17776 as combination of the probability of an event and the consequences of the event.
To be able to express the risk, the consequences shall be defined and the associated probability determined.
Risk is also often referred to as potential loss. The loss or consequence can be loss of life, money,
production, or damage to the environment. The probability term is usually expressed as a frequency. In
QRAs, the potential loss in general is not calculated from the product of one event and one consequence,
but the sum of a large number of frequency and consequence probability combinations.
Risk or potential loss, combination of the probability of an event, and the consequences of the event
cannot be readily used as an indicator to decide the tolerability of the risk. It can be used to compare
options when all things different between the two options have been evaluated in terms of probability
and consequence and included in the assessment.
To be able to use risk in workable concepts, a number of risk indicators have been developed to express
risk. These risk indicators are discussed in 6.5.
6.2 Safety philosophy and risk criteria
LNG developments are often organized as project organizations (e.g. JV) with international participation.
It is therefore important for LNG projects to formulate a safety philosophy and risk criteria’s based
on recognized guidelines/standards in their risk management process, provided that they are not in
conflict with national statutory minimum requirements. This aids the project team in gaining a common
terminology, understanding of risk, risk philosophy, and ultimately a common risk management system.
The safety philosophy and risk criteria for the project can address the following categories:
— Risk to the population and third-party activities. This has significant impact on the land use and is
normally defined by national regulations;
— Risk to personnel in the plant. This is normally defined by the company philosophy but should also
be in agreement with national regulation;
— Risk with respect to material damage and loss of production. The criteria should be defined by the
company and are often based on a cost benefit assessment;
— Limitations on third-party activity due to hazards arising from the facility.
Examples of the risk criteria required by different authorities are discussed in A.7 and examples of
project-specific criteria in A.8.
6.3 Risk control strategy
A widely accepted risk control strategy is the following:
a) adopt inherently safe design;
b) prevent – consider measures that will avoid the hazard;
c) reduce probability of occurrence trough design, inspection, maintenance, and working practices;
d) mitigate consequences – minimise the outcome of an unwanted event;
e) emergency response – enable returning to a controlled situation.
This can be formalized in the bow-tie methodology as described in 7.2.4. The bow-tie is a model that
represents how a hazard can be released, escalate, and how it is controlled.
6.4 ALARP
A common approach is to divide risks into three bands:
a) an upper band where the level of risk is regarded as intolerable whatever benefits the activity can
bring, and risk treatment is essential whatever its cost;
b) a middle band (or “grey” area) where costs and benefits are taken into account and opportunities
balanced against potential consequences;
c) a lower band where the level of risk is regarded as negligible or so small that no risk treatment
measures are needed.
The “as low as reasonably practicable” or “ALARP” criteria system follows this approach and is
illustrated in Figure 2.
TOLERABILITYACTION
Intolerable Adopt alternative
Region lower risk solution
Decreasing
Risk & Societal
Tolerable Reduce risks to ALARP
Concerns
Region
Acceptable Region Manage for continuous
improvement
Figure 2 — Risk Reduction Triangle
ALARP is the process in which all identified options to reduce the risk have been evaluated. A major
part of the ALARP process is the documentation of which options have been evaluated and why they
have been included in the design or why they have been discarded. The documentation can be consulted
when the circumstances change or when the design is challenged in the future. In general, only full
documentation for high risks and complicated medium risk is required as it is not reasonable to insist
on full documentation for low risk.
The assessment of risk is not an exact science and the techniques used and the experience of the analyst
has been shown to produce widely varying result as discussed in studies on uncertainties in chemical
risk assessment using a benchmark exercise in 1992 and a 2002 Risø study about uncertainties in risk
analysis of chemical establishments.
The results are evaluated against company or regulatory criteria and there is often a tendency to stop
the improvement process when the criteria apparently are satisfied to minimise further capital and
manpower expenditure.
The ALARP approach is a conceptual model and there are no boundaries between the three regions. The
factors that ultimately decide how a risk is categorized (intolerable, tolerable, ALARP, or acceptable) are
dynamic in nature.
12 © ISO 2015 – All rights reserved

The addition/deletion or modification of mitigation features to just meet the acceptance criteria is
strongly discouraged due to the accuracy of the process.
The ALARP process should be continued until the optimum design without incurring excessive cost is
achieved. At the conceptual stage, it is often found that risk can be reduced at very low cost.
It is therefore important to start the risk assessment early in the project.
6.5 Ways to express risk to people
6.5.1 General
Risks should be expressed in understandable terms, and the units in which the level of risk is expressed
should be clear (see ISO 31010), and reflect the safety criteria as defined by legislation and operator. An
example of ways to express risk to people is given in A.8.
A number of risk indicators are used in the LNG industry for risk assessments when relating risk to
people. The more commonly used are discussed in detail in the next sub-clauses.
— risk contours (RC);
— risk transects (RT);
— individual risk (IR);
— potential loss of life (PLL);
— fatal accident rate (FAR);
— cost to avert a fatality (CAF);
— F/N curves (FN).
6.5.2 Risk contours (RC)
The risk contour is an iso-risk line overlaid on the site topography at which a hypothetical individual
staying there unprotected and for 24 hours per day 365 days per year is subject to a defined probability
of harm due to exposure to hazards induced by an activity.
Figure 3 — Examples of risk contours showing predicted risk levels
It is also called location risk and sometimes referred to as individual risk or individual risk contours. An
example of a set of risk contours is shown in Figure 3.
Although the hypothetical individual is exposed when the scenario occurs, escape and refuge can be
taken into account.
In general, risk contours are calculated by determining the consequences from a number of scenarios.
By adapting certain criteria
...