DNV-RP-A203 is the primary DNV recommended practice for risk management of offshore facilities. It provides a structured framework covering risk identification and assessment methodologies, risk tolerability criteria (the ALARP principle), barrier management, bow-tie analysis, and risk matrices. Edition 4 (2023) aligns with the ISO 31000 risk management vocabulary and extends coverage of barrier performance requirements.
The recommended practice is normatively referenced by DNV-OS-A101 (safety principles and arrangements for offshore facilities), which mandates that major accident risk be managed to ALARP and that barrier management plans be maintained throughout the facility lifetime. Together, they define the risk governance framework for FPSO, semi-submersible, jack-up, and fixed platform installations.
- The ALARP Principle and Risk Tolerability
- Risk Matrix Structure
- Hazard Identification: HAZID
- Operability Studies: HAZOP
- Quantitative Risk Assessment (QRA)
- Failure Mode and Effects Analysis (FMEA)
- Bow-Tie Analysis and Barrier Management
- Barrier Performance Requirements
- Risk Governance and Documentation
- Common Pitfalls
1. The ALARP Principle and Risk Tolerability
ALARP — As Low As Reasonably Practicable — is the cornerstone risk management principle in DNV-RP-A203. It defines three regions of risk tolerability for individual risk (IR), the probability of fatality per year for a person exposed to the hazard:
| Region | Individual Risk (IR) [per year] | Tolerability | Required Action |
|---|---|---|---|
| Intolerable | IR > 10⁻³ | Not tolerable except in extraordinary circumstances | Risk must be reduced regardless of cost; activity cannot proceed as-is |
| ALARP Region | 10⁻⁶ < IR ≤ 10⁻³ | Tolerable only if risk has been reduced to ALARP | Gross disproportion test: implement all risk-reduction measures unless cost is grossly disproportionate to benefit |
| Broadly Acceptable | IR ≤ 10⁻⁶ | Broadly acceptable — no further reduction required | Monitor; maintain; ensure risk does not drift upward |
Societal Risk
Beyond individual risk, DNV-RP-A203 addresses societal (or group) risk — the risk to multiple people simultaneously. This is typically expressed as an F-N curve (frequency of accidents causing N or more fatalities). Acceptance criteria for F-N curves are:
- No single accident scenario with N ≥ 10 fatalities should have a frequency exceeding 10⁻⁴ per year
- The F-N slope (on log-log axes) should be steeper than −1, so that large accidents are weighted more severely than multiple small accidents
- For a 100-person POB facility: total individual risk (IR) averaged across the workforce should not exceed 3 × 10⁻⁴ per year under normal operating conditions
2. Risk Matrix Structure
The DNV-RP-A203 risk matrix is a 5×5 grid combining likelihood (probability or frequency) against consequence severity. It is used throughout qualitative risk assessment (HAZID, HAZOP action prioritisation) to rank risks and drive mitigation decisions.
| Likelihood | Negligible | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Frequent (>10⁻¹/yr) | Medium | High | High | Very High | Very High |
| Probable (10⁻²–10⁻¹/yr) | Low | Medium | High | High | Very High |
| Occasional (10⁻³–10⁻²/yr) | Low | Medium | Medium | High | High |
| Remote (10⁻⁴–10⁻³/yr) | Low | Low | Medium | Medium | High |
| Improbable (<10⁻⁴/yr) | Low | Low | Low | Medium | Medium |
Consequence Severity Definitions
| Severity Level | People | Environment | Asset |
|---|---|---|---|
| Negligible | First-aid injury; no lost-time incident | Negligible / reversible | < USD 100k |
| Minor | Lost-time injury; no permanent disability | Minor, short-term, localised | USD 100k–1M |
| Moderate | Serious injury; partial disability | Moderate, limited spread | USD 1M–10M |
| Major | Single fatality or multiple serious injuries | Major, significant cleanup required | USD 10M–100M |
| Catastrophic | Multiple fatalities | Massive, long-term, widespread | > USD 100M |
3. Hazard Identification: HAZID
A HAZID (Hazard Identification study) is a structured, team-based qualitative review that identifies hazard sources, potential accidents, and their consequences before detailed design is finalised. DNV-RP-A203 recommends HAZID at concept selection stage and again at basic engineering.
HAZID Methodology
- Team composition: discipline leads (process, structural, electrical, safety, operations), a facilitator, and a scribe; typically 6–12 people
- Guide words: broader than HAZOP — "loss of containment", "energy release", "impact", "dropped object", "utility failure", "environmental release", etc.
- Scope nodes: the facility is divided into nodes by system or area (e.g. wellhead area, process deck, accommodation); each node reviewed systematically
- Output: register of identified hazards with initial likelihood/consequence rating, responsible party, and required follow-up study (HAZOP, QRA, structural review, etc.)
4. Operability Studies: HAZOP
A HAZOP (Hazard and Operability Study) is a systematic, clause-by-clause review of process systems and utilities at detailed design stage, using structured guide words applied to process parameters to identify deviations from design intent.
HAZOP Guide Words and Parameters
| Guide Word | Meaning | Applied to Parameter | Example Deviation |
|---|---|---|---|
| NO / NOT | Complete negation of intent | Flow, level, pressure | No flow in fuel gas header |
| MORE | Quantitative increase | Flow, temperature, pressure, concentration | High pressure in separator |
| LESS | Quantitative decrease | Flow, temperature, pressure | Low cooling water flow to HX |
| AS WELL AS | Qualitative increase / additional component | Phase, composition | Liquid carry-over to compressor suction |
| PART OF | Qualitative decrease | Composition, specification | Off-spec gas to flare |
| REVERSE | Opposite direction | Flow | Backflow through check valve |
| OTHER THAN | Complete substitution | Activity, material | Wrong chemical injected |
HAZOP vs. HAZID: When to Use Each
- HAZID: concept/FEED stage, before P&IDs are complete — captures facility-level hazards and major accident scenarios
- HAZOP: detailed design stage, requires complete P&IDs — captures process deviations and safeguarding gaps at system level
- Follow-on studies: HAZOP findings that require quantification are escalated to QRA; equipment-specific findings become FMEA inputs
5. Quantitative Risk Assessment (QRA)
A QRA quantifies the risk to personnel by combining accident frequencies with consequence models to produce individual risk and F-N curves. DNV-RP-A203 outlines the QRA process for offshore facilities:
QRA Process Steps
- Hazard identification: from HAZID/HAZOP registers; define accident scenarios (fire, explosion, toxic release, structural failure, dropped object)
- Frequency estimation: historical failure frequencies from databases (OREDA, PDS) combined with fault tree / event tree analysis
- Consequence modelling: dispersion (gas cloud), explosion overpressure (CFD or empirical), fire radiation (jet fire, pool fire, BLEVE), structural response
- Vulnerability assessment: probit functions relating exposure (radiation, overpressure, toxic dose) to probability of fatality
- Risk integration: combine frequency × probability of fatality across all scenarios and exposure zones to produce individual risk per year for representative personnel locations (control room, TR, open deck, wellhead area)
- ALARP demonstration: compare results against the 10⁻³ and 10⁻⁶ per year thresholds; document risk-reduction measures and residual risk
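The risk-integration and ALARP-demonstration steps above, together with the individual-risk regions and F-N criteria of section 1, carried through in code. This is an added example, not material from DNV-RP-A203: the scenario register, fatality probabilities per location and POB headcount are constructed for illustration, and each person is simplified as permanently at one location.

```python
"""Constructed QRA risk-integration example (not DNV-RP-A203's own material).
Carries the QRA steps through to individual risk per location, the ALARP
region, the workforce-averaged IR, and the F-N acceptance checks. Every
scenario frequency, fatality probability and headcount is invented."""
import math
from dataclasses import dataclass

# Individual-risk tolerability thresholds from the ALARP table (per year).
INTOLERABLE_IR = 1e-3
BROADLY_ACCEPTABLE_IR = 1e-6
# Societal-risk criteria from the F-N bullet list.
FN_N_THRESHOLD = 10        # "N >= 10 fatalities"
FN_FREQ_LIMIT = 1e-4       # frequency cap for such accidents, per year
FN_MAX_SLOPE = -1.0        # log-log slope must be steeper (more negative) than -1
GROUP_AVG_IR_LIMIT = 3e-4  # 100-person POB facility, normal operations


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float            # events per year, from the frequency-estimation step
    fatality_probability: dict  # location -> P(fatality | event), from the vulnerability step
    fatalities: int             # expected fatalities N, used for the F-N curve


# Constructed scenario register; numbers chosen only to exercise the checks.
SCENARIOS = [
    Scenario("Process gas release, jet fire", 2e-3,
             {"control_room": 0.01, "open_deck": 0.20, "wellhead_area": 0.50}, 2),
    Scenario("Riser rupture, explosion", 5e-5,
             {"control_room": 0.30, "open_deck": 0.80, "wellhead_area": 0.90}, 12),
    Scenario("Dropped object on process deck", 1e-2,
             {"control_room": 0.00, "open_deck": 0.05, "wellhead_area": 0.02}, 1),
    Scenario("Structural collapse in storm", 1e-5,
             {"control_room": 0.90, "open_deck": 0.90, "wellhead_area": 0.90}, 50),
]

# Constructed headcount per representative location (simplification: each
# person is treated as permanently at one location).
POB_BY_LOCATION = {"control_room": 10, "open_deck": 60, "wellhead_area": 30}


def individual_risk(scenarios, location):
    """Risk integration: sum of frequency x P(fatality) over all scenarios for one location."""
    return sum(s.frequency * s.fatality_probability.get(location, 0.0) for s in scenarios)


def alarp_region(ir):
    """Map an individual risk value to the three ALARP tolerability regions."""
    if ir > INTOLERABLE_IR:
        return "Intolerable"
    if ir > BROADLY_ACCEPTABLE_IR:
        return "ALARP"
    return "Broadly acceptable"


def workforce_average_ir(scenarios, pob_by_location):
    """Headcount-weighted mean IR, to be compared against the group criterion."""
    total = sum(pob_by_location.values())
    return sum(n * individual_risk(scenarios, loc) for loc, n in pob_by_location.items()) / total


def fn_curve(scenarios):
    """Cumulative F-N points: F(N) is the total frequency of scenarios with >= N fatalities."""
    ns = sorted({s.fatalities for s in scenarios if s.fatalities > 0})
    return [(n, sum(s.frequency for s in scenarios if s.fatalities >= n)) for n in ns]


def fn_criteria(scenarios):
    """Apply the two F-N acceptance criteria: the N >= 10 frequency cap and the slope test."""
    curve = fn_curve(scenarios)
    f_at_threshold = sum(s.frequency for s in scenarios if s.fatalities >= FN_N_THRESHOLD)
    slopes = [
        (math.log10(f2) - math.log10(f1)) / (math.log10(n2) - math.log10(n1))
        for (n1, f1), (n2, f2) in zip(curve, curve[1:])
    ]
    return {
        "curve": curve,
        "n10_frequency_ok": f_at_threshold <= FN_FREQ_LIMIT,
        "slope_ok": all(sl < FN_MAX_SLOPE for sl in slopes),
        "shallowest_slope": max(slopes) if slopes else None,
    }


def alarp_demonstration(scenarios=SCENARIOS, pob=POB_BY_LOCATION):
    """Per-location IR with its region, plus the societal checks, as one report dict."""
    locations = {}
    for loc in pob:
        ir = individual_risk(scenarios, loc)
        locations[loc] = (ir, alarp_region(ir))
    avg = workforce_average_ir(scenarios, pob)
    return {"locations": locations, "workforce_avg_ir": avg,
            "group_ok": avg <= GROUP_AVG_IR_LIMIT, "fn": fn_criteria(scenarios)}


if __name__ == "__main__":
    result = alarp_demonstration()
    for loc, (ir, region) in result["locations"].items():
        print(f"{loc:14s} IR = {ir:.2e}/yr -> {region}")
    print("workforce average IR within limit:", result["group_ok"])
    print("F-N criteria:", result["fn"])
```

With these constructed inputs the wellhead area comes out above 10⁻³ per year (intolerable) while the control room and open deck sit in the ALARP region, the F-N curve passes both societal checks, and the workforce average breaches the 3 × 10⁻⁴ group criterion; the point is that each criterion is checked separately, since a facility can pass the F-N tests and still fail on individual or group risk.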
Key QRA Outputs for Offshore Facilities
- Individual Risk contours: isopleth maps of the 10⁻⁴ and 10⁻⁵ per year risk levels on the facility layout
- Impairment frequencies: frequency of loss of main safety functions — temporary refuge (TR), evacuation, and escape — used to size TR and lifeboat placement
- Dimensioning accidental loads (DAL): the explosion overpressure and fire duration used as design basis for blast walls and passive fire protection (linked to DNV-OS-A101)
6. Failure Mode and Effects Analysis (FMEA)
An FMEA is an inductive, bottom-up technique that analyses individual equipment failure modes and their effects on system function and safety. DNV-RP-A203 recommends FMEA for safety-critical systems (emergency shutdown systems, fire and gas detection, blowdown).
FMEA Structure
| Column | Content |
|---|---|
| Item / function | Component identified (e.g. "ESDV-101 — well shut-in valve") and its design function |
| Failure mode | How the item can fail (fails to close on demand, spurious closure, external leakage, position indication failure) |
| Failure cause | Root cause (solenoid coil burnout, seal degradation, instrument air failure) |
| Local effect | Effect on the item itself (valve stuck open) |
| System effect | Effect on the system and mission (well not shut in on gas detector activation) |
| Severity (S) | Consequence rating 1–5 per DNV-RP-A203 risk matrix |
| Occurrence (O) | Failure rate from OREDA or PDS database |
| Detection (D) | Ability to detect the failure before it causes an accident (1 = easily detected; 5 = undetectable) |
| RPN | Risk Priority Number = S × O × D; used to prioritise corrective actions |
| Mitigation | Design change, redundancy, increased inspection, or operational procedure |
FMEA for Safety Instrumented Systems (SIS)
For SIS/SIL assessments, FMEA is linked to IEC 61511: the FMEA provides the failure mode data used in Safety Integrity Level (SIL) verification calculations. DNV-RP-A203 notes that FMEA is not a substitute for SIL quantification but provides the qualitative basis for identifying whether a SIF (Safety Instrumented Function) requires a SIL study.
7. Bow-Tie Analysis and Barrier Management
The bow-tie diagram is the central visual tool in DNV-RP-A203 for communicating risk and barriers. It maps the relationship between hazard sources, the top event (loss of control of a hazard), threats (causes), consequences, and the barriers that prevent or mitigate the accident.
Bow-Tie Structure
```
Threat 1 ──[Prevention Barrier]──┐
Threat 2 ──[Prevention Barrier]──┤
Threat 3 ──[Prevention Barrier]──┴──► TOP EVENT ──┬──[Mitigation Barrier]──► Consequence A
                                                  └──[Mitigation Barrier]──► Consequence B
```
- Top event: the loss of control event — loss of containment, structural failure, loss of position, uncontrolled ignition, etc.
- Threats (left side): causes or initiating events that can lead to the top event (corrosion, overpressure, human error, dropped object, etc.)
- Prevention barriers: controls that prevent a threat from reaching the top event (pressure relief, corrosion monitoring, permit-to-work, structural inspection)
- Consequences (right side): outcomes if the top event is not controlled (fire, explosion, structural failure, environmental release)
- Mitigation barriers: controls that reduce the severity of consequences (deluge, emergency shutdown, evacuation, temporary refuge integrity)
- Escalation factors: conditions that defeat a barrier (maintenance override, instrument failure, simultaneous operations)
Major Accident Hazards (MAH) and Critical Barriers
DNV-RP-A203 requires the operator to identify all Major Accident Hazards (MAH) for the facility — typically 5–15 bow-ties covering hydrocarbon release and ignition, structural/buoyancy failure, loss of position, dropped objects, and marine casualties. For each MAH, critical barriers are those whose failure alone can lead to a major accident; these barriers must be:
- Identified and documented in the barrier management plan
- Assigned a performance standard (what it must do, under what conditions, with what reliability)
- Monitored during operation — leading indicators (inspection results, test results) tracked against performance standard thresholds
- Reported to management when a critical barrier is impaired (degraded barrier management procedure)
8. Barrier Performance Requirements
Edition 4 (2023) significantly expanded the barrier performance standard framework. A performance standard defines the required performance of a barrier in terms of:
| Criterion | Description | Example (ESDV) |
|---|---|---|
| Functionality | What the barrier must do | Close to isolate wellhead on confirmed gas detection |
| Reliability | Probability of performing the function on demand | PFD ≤ 0.01 (SIL 2 equivalent) |
| Availability | Fraction of time the barrier is available (accounts for maintenance downtime) | ≥ 98% availability; maintenance requires isolation permit + concurrent monitoring |
| Capacity / robustness | The load or condition the barrier must withstand | Rated for full wellhead shut-in pressure; fire-safe valve body to API 607 |
| Response time | How quickly the barrier must activate | Valve to close within 30 seconds of ESD signal |
Degraded Barrier Management
When a critical barrier is impaired (e.g. ESDV under maintenance, gas detector offline, firewater pump out of service), the operator must:
- Assess whether the remaining barriers are sufficient to maintain overall risk within ALARP limits
- Implement compensatory measures (reduced inventory, increased fire watch, restricted hot work)
- Set a reinstatement deadline — the barrier must be restored within a defined window (typically 24–72 hours for primary barriers)
- Notify relevant personnel and record the impairment in the barrier management register
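The bow-tie structure of section 7 and the performance-standard and degraded-barrier procedure of section 8, as one worked model. This is an added example, not code or data from DNV-RP-A203 or DNV: the barrier tags, the PFD, availability and response-time limits, the 24-hour reinstatement window and the assumption that barriers on a threat path fail independently are all constructed for illustration.

```python
"""Constructed bow-tie and barrier-management example (not DNV-RP-A203's own
material). Models one MAH bow-tie whose barriers carry performance standards,
verifies measured performance against a standard, and runs the degraded-barrier
assessment when a critical barrier is impaired. Tags, limits and the
reinstatement window are invented for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PerformanceStandard:
    functionality: str
    pfd_max: float           # reliability: maximum probability of failure on demand
    availability_min: float  # minimum fraction of time the barrier is available
    capacity: str            # load or condition the barrier must withstand
    response_time_s: float   # maximum activation time, seconds


@dataclass
class Barrier:
    tag: str
    standard: PerformanceStandard
    critical: bool = True    # failure of this barrier alone can lead to a major accident
    impaired: bool = False


@dataclass
class Threat:
    name: str
    prevention: list         # prevention barriers (left side of the bow-tie)


@dataclass
class Consequence:
    name: str
    mitigation: list         # mitigation barriers (right side)


@dataclass
class BowTie:
    top_event: str
    threats: list
    consequences: list

    def barrier(self, tag):
        """Find a barrier by tag on either side of the bow-tie."""
        for t in self.threats:
            for b in t.prevention:
                if b.tag == tag:
                    return b
        for c in self.consequences:
            for b in c.mitigation:
                if b.tag == tag:
                    return b
        raise KeyError(f"no barrier {tag} on bow-tie '{self.top_event}'")


def verify_against_standard(barrier, measured_pfd, measured_availability, measured_response_s):
    """Return the performance-standard criteria the measured values fail (empty = compliant)."""
    std = barrier.standard
    failed = []
    if measured_pfd > std.pfd_max:
        failed.append("reliability")
    if measured_availability < std.availability_min:
        failed.append("availability")
    if measured_response_s > std.response_time_s:
        failed.append("response_time")
    return failed


def degraded_barrier_check(bowtie, tag, now, compensatory_measures=(), reinstatement_hours=24):
    """Mark a barrier impaired and assess what remains, per the degraded-barrier procedure."""
    barrier = bowtie.barrier(tag)
    barrier.impaired = True
    # Threat paths with no available prevention barrier lead straight to the top event.
    unprotected = [t.name for t in bowtie.threats if all(b.impaired for b in t.prevention)]
    unmitigated = [c.name for c in bowtie.consequences if all(b.impaired for b in c.mitigation)]
    # Residual PFD per threat path: product of the remaining barriers' PFD limits
    # (constructed assumption: independent barriers; 1.0 means the path is open).
    residual = {}
    for t in bowtie.threats:
        pfd = 1.0
        for b in t.prevention:
            if not b.impaired:
                pfd *= b.standard.pfd_max
        residual[t.name] = pfd
    return {
        "barrier": tag,
        "critical": barrier.critical,
        "unprotected_threats": unprotected,
        "unmitigated_consequences": unmitigated,
        "residual_path_pfd": residual,
        "compensatory_measures": list(compensatory_measures),
        "reinstatement_deadline": now + timedelta(hours=reinstatement_hours),
        "notify_management": barrier.critical,  # impaired critical barrier is reported upward
    }


def build_example_bowtie():
    """Constructed MAH bow-tie: loss of containment at the wellhead (invented tags)."""
    esdv = Barrier("ESDV-101", PerformanceStandard(
        "Close to isolate wellhead on confirmed gas detection", 0.01, 0.98,
        "Full wellhead shut-in pressure; fire-safe body", 30.0))
    psv = Barrier("PSV-201", PerformanceStandard(
        "Relieve separator overpressure", 0.01, 0.99, "Full relief load", 1.0))
    corrosion = Barrier("CM-301", PerformanceStandard(
        "Detect wall loss before minimum thickness", 0.10, 0.95, "All wellhead flowlines", 86400.0))
    deluge = Barrier("DEL-401", PerformanceStandard(
        "Cool process deck on confirmed fire", 0.05, 0.98, "Design firewater rate", 60.0))
    return BowTie(
        "Loss of containment at wellhead",
        threats=[Threat("Overpressure", [psv, esdv]), Threat("Corrosion", [corrosion])],
        consequences=[Consequence("Jet fire", [esdv, deluge])],
    )


if __name__ == "__main__":
    bt = build_example_bowtie()
    print(verify_against_standard(bt.barrier("ESDV-101"), 0.005, 0.99, 35.0))
    print(degraded_barrier_check(bt, "ESDV-101", datetime(2024, 1, 1, 8, 0),
                                 ["restricted hot work", "increased fire watch"]))
```

The same ESDV object sits on both sides of the bow-tie, so impairing it weakens the overpressure path (residual PFD rises from 10⁻⁴ to 10⁻²) and removes one of two jet-fire mitigations at once; the check flags a threat as unprotected only when its last available barrier is gone, which is what happens when the corrosion monitoring is taken offline.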
9. Risk Governance and Documentation
DNV-RP-A203 Ed.4 outlines the governance structure for risk management throughout the facility lifecycle:
Key Risk Documents
- Risk Management Plan (RMP): overall governance document; defines risk criteria, methodology selection, roles and responsibilities, and the review cycle
- Hazard Register: living document updated from HAZID, HAZOP, and incident investigations; each hazard tracked through to closure or acceptance
- QRA Report: quantified individual and societal risk results with ALARP demonstration; updated when facility changes trigger re-assessment thresholds
- Barrier Management Plan (BMP): documents all critical barriers, their performance standards, monitoring indicators, and the degraded barrier management procedure
- Risk Register: operational risk register maintained by operations team; captures current barrier status, outstanding actions from inspections, and near-miss learnings
Management of Change (MoC)
Any modification to the facility (equipment, process parameters, staffing, procedures) must be screened against the risk management framework:
- Modifications affecting MAH bow-ties require formal bow-tie update and barrier assessment before implementation
- Temporary deviations from design intent must follow the degraded barrier management procedure
- Simultaneous Operations (SIMOPS) — e.g. drilling while production is on-stream — require a dedicated SIMOPS risk assessment with explicit barrier identification
10. Common Pitfalls
- Applying ALARP only at the design stage and not revisiting it during operations — risk acceptance is a continuous obligation; barrier degradation during operations can push individual risk back above 10⁻³ per year
- Treating the risk matrix as a standalone decision tool without quantification — a 5×5 matrix has too much uncertainty for major accident risk acceptance; QRA is required for MAH scenarios
- Bow-tie with no escalation factors — real bow-ties almost always have escalation factors that defeat barriers (common-cause failures, maintenance windows, SIMOPS); omitting them gives false assurance
- Performance standards that are vague ("valve shall work") — a performance standard must specify functionality, reliability, availability, capacity, and response time; vague standards are unverifiable and unenforceable
- FMEA focused only on catastrophic failures — many major accidents involve chains of "moderate" failures. FMEA should cover all failure modes, not just those with obvious immediate catastrophic effects
- Using the same risk matrix thresholds for occupational safety (slip/trip/fall) and major accident risk — the criteria are different; mixing them produces false priorities in the hazard register
- Relying on a single HAZOP to cover both process safety and operability — HAZOP optimally covers process deviations; structural and marine hazards require HAZID and separate specialist assessments
- Keeping the barrier management plan separate from the computerised maintenance management system (CMMS) — when the two are integrated, barrier health indicators appear on operations dashboards alongside standard maintenance KPIs, making degraded barriers visible to management
- Running the HAZID only after layouts are frozen — at concept selection, risk-informed decisions about area separation, TR location, and escape route geometry have the most design freedom and lowest cost to implement
Query DNV-RP-A203 in Leide
Ask about ALARP thresholds, bow-tie methodology, barrier performance standards, or how risk management integrates with DNV-OS-A101 safety principles — Leide retrieves the exact clause from the ingested standard.