Doc. Title: Procedure for Hazard and Operability Analysis Management Doc.

Type: Procedure Custodian: Corporate Engineering & Construction Department

Doc. No.: CNPCI Corp HSE 4.10 Revision: 1.0 Issue Date: February 2013

Appendix D Risk Matrix

Figure D.1: Risk matrix
Probability of occurrence of an undesired accident Risk matrix Severity of consequence of an undesired accident Risk level Level risk IV Score 15-25 Level risk III 10-14 Level risk II 5-9 Level I risk 1-5 5 I 5 I 4 I 3 I 2 I 1 1 III 10 II 8 II 6 I 4 I 2 2 IV 15 III 12 II 9 II 6 I 3 3 IV 20 IV 16 III 12 II 8 I 4 4 IV 25 IV 20 IV 15 III 10 II 5 5

4 3 2

Table D.1 Criteria for defining risk level

Description Severe risk (Absolutely intolerable) Action needed Engineering and/or administrative measures are required to reduce the risk to level II or below within 6 months. Engineering and/or administrative measures are required to reduce the risk to level II or below within 12 months. Measures are taken based on cost analysis. Make sure the procedures and control measures have been implemented and maintained. PHA improvement suggestions A specific management plan is needed to reduce the risk.

High risk (intolerable) Medium risk (tolerable when control actions are implemented)

A specific management plan is needed to reduce the risk.

A case by case assessment is needed to address if the existing control measures are effective. No risk management plan needed, but the opportunities improve the safety level can considered. (beyond the scope PHA) is to be of

Acceptable risk

No additional measure is needed to further reduce the risk.

12

Doc. Title: Procedure for Hazard and Operability Analysis Management Doc. Type: Procedure Custodian: Corporate Engineering & Construction Department

Doc. No.: CNPCI Corp HSE 4.10 Revision: 1.0 Issue Date: February 2013

Table D.2: Level of probability of risks

Level (L) Hardware control measures
1. There are two or more layers of passive safety protection systems which are mutually independent and highly reliable; 2. Comprehensive written inspection and testing procedures are available, comprehensive functional tests have been conducted, and the facility functions well with few failures; 3. Staffs are familiar with the technical processes and the process of the operation is always under control; 4. The technical processes maintain stable, potential hazard sources are understood, and comprehensive technical process and safe operation procedures are in place. 1. There are two or more layers of safety protection systems and at least one of them is passive and reliable; 2. Regular inspections and testing are conducted, but functional tests may not be comprehensive and failures occur occasionally; 3. Process abnormalities occur occasionally, the causes of most abnormalities have been identified and effective measures have been taken to eliminate the causes; 4. Changes are made in a rational way, new technology may be associated with certain uncertainties, and PHA is of high quality. 1. There are one or two complicated and active safety protection systems which have a certain level of reliability, but may suffer from common cause failures;2. No frequent inspections and tests are conducted, failures occurred frequently in the past, and inspections and testing havent been effectively implemented; 3. Small abnormalities occur constantly in the process, the causes have not been completely identified or eliminate, and major process (technical process, facility and operation process) abnormalities have been identified and finally eliminated;4. Changes or new technologies are frequently introduced, PHA is not deep-going and of ordinary quality, and operation limits are not certain. 1. There is only one simple active safety protective system with low reliability; 2. The requirements for inspection and testing are unclear and no inspection or no proper inspection has been conducted; 3. Procss abnormalities occur constantly and many of them have never been explained; 4. Changes or new technologies are frequently introduced, PHA has not been completely conducted and is of poor quality, and relevant information has to be gathered from operations.

Software control measures

1. There are clear and definite operation guides and established, disciplines, errors are pointed out and corrected immediately, and regular trainings are conducted to address normal, special and emergency operation procedures and, cover all undesired events; 2. For each shift there are multiple experienced operators, the work stress is not high and all staffs are qualified, take their work seriously and understand and keep alert to hazard sources.

Frequency of Occurrence (F) /year

Not expected to occur in reality (no precedence in the industry in the country) <10-4

1. Key operation guides are correct and clear, but other guides may have non-critical errors or defects; inspections and reviews are conducted regularly and staffs are familiar with the procedures; 2. Some employees are inexperienced, but they do not work at the same shift. Staffs suffer from occasional and temporary fatigue and kind of boredom and they know what they are qualified to do and their deficiencies and have enough knowledge about hazard sources.

Not expected to occur, but may occur in special circumstances (with precedence in the industry in the country) -3 -4 10 to 10

1. Operation guides are available but not timely updated or reviewed; and emergency operation procedure training is of poor quality; 2. More than half of the staff in a shift may be inexperienced, but this does not occur frequently; staffs sometimes suffer from shortterm mass fatigue and strong boredom, they do not think proactively, some of them are complacent, and not everyone has enough knowledge of hazard sources.

No likely to occur in the lifecycle of a specific facility, but may occur in one of several similar facilities (with precedence in CNPC Group) 10-2 to 10-3

1. Staffs have no knowledge of operation guides, trainings are only through oral instructions, there is no formal operation procedure and only excessive oral instructions, which has caused the operations being flexible,, and no emergency operation procedure training has been provided; 2. Staff turnover rate is high and more than half staffs in some shifts are inexperienced. Excessive overtime work makes staffs to suffer from, constant fatigue. The work plan has often been overset and staffs are suffering from low morale. Work is done by unskilled staff; job responsibilities are not clear; and staffs only have some knowledge of hazard sources. 1. Staffs have no knowledge of operation guides, no operation procedures are in place and operations are conducted without approval. 2. Staff turnover rate is high and more than half of the staffs working for the facility are inexperienced. There is no work plan. The work is done by non-professionals. Staffs generally have no knowledge of hazard sources.

May occur at least once in the lifecycle of the facility (expected to occur) 10-1 to 10-2

1. No relevant inspections and testing have been conducted; 2. Process abnormalities occur constantly and no measures have been taken; 3. No PHA is made for the changes or new technologies frequently introduced.

Often occur in the lifecycle of the facility > 10-1

13

Doc. Title: Procedure for Hazard and Operability Analysis Management Doc. Type: Procedure Custodian: Corporate Engineering & Construction Department

Doc. No.: CNPCI Corp HSE 4.10 Revision: 1.0 Issue Date: February 2013

Table D.3: Level of severity of consequences of undesired events

Level Personal injury No personal injury or o nly minor injury, and wi th no severe injury or fa tality. Severe injuries or acute industrial poisoning but no fatality. 1 or 2 fatalities or 3 to 9 people being poisoned o r severely injured in one accident 3 to 9 fatalities or 10 to 49 people being poisone d or severely injured in one accident Property loss Direct economic loss below RMB 500,00 0 in one accident. Direct economic loss above RMB 500,00 0 and below RMB 1 million in one accide nt. Direct economic loss above RMB 1 millio n and below RMB 5 million in one accide nt. Direct economic loss above RMB 5 millio n and below RMB 1 0 million in one accid ent. Environment impact The impact is only within the operation area and there is no i mpact to the surrounding environment.

Minor pollution to the surrounding environment, but no mass disturbance. 1. Across-county dispute and ordinary mass disturbance has b een caused. 2. Less than one ton of oil was spilled in sensitive environme nt or less than 10 tons of oil was spilled in non-sensitive envir onment, which caused moderate pollution. 1. Across-province dispute was caused, which leads to negati ve impact on local economy and social activities. 2. 1 to 10 tons of oil was spilled in sensitive environment or 1 0 to 100 tons of oil was spilled in non-sensitive environment, which caused major pollution. 1. The accident resulted in partial loss of ecologic function of the region or pollution of the inhibits of endangered species. 2. The accident had severe impact on local economy and soci al activities and more than 10,000 people were evacuated. 3. The accident caused widespead pollution of critical rivers, lakes, reservoirs or sea waters or the interruption of water int aking from water sources by towns above county-level. 4. More than 10 tons of oil was spilled in sensitive environme nt or more than 100 tons of oil was spilled in non-sensitive en vironment, which caused significant pollution.

10 or more fatalities or 50 or more people being poisoned or severely in jured in one accident

Direct economic loss above RMB 10 milli on.

14