Table of Contents

• 1. Executive Summary and Asset Risk Profile3
• 2. Introduction, Scope and Methodology4
• 3. Facility Description5
• 4. Major Accident Hazard Register6
• 5. System-Level Bowtie Assessments7
• 5.1 Node 17
• 6. Asset Barrier Register60
• 7. SCE/SCA Register70
• 8. Risk Assessment and ALARP Demonstration80
• 9. Findings, Gap Analysis and Improvement Plan85
• 10. Assessment Confidence and Verification Requirements95
• 11. Conclusions and Forward Look100

1. Executive Summary and Asset Risk Profile

Scope: This assessment converts the submitted HAZOP study (200 rows, 1 nodes) into bowtie format. The submitted study covers 0 of 32 mandatory systems for a complete CCGT asset-level scope (0% mandatory coverage; classification LIMITED). The remaining 32 mandatory systems (of 32 in total) are outside the submitted scope and are not represented in this bowtie package; see §2.3 for the full scope coverage table. Conclusions in this report relate only to the packages studied; a complete asset-level risk picture requires extension of the HAZOP to the excluded scope before operational decisions, lender engagement, or regulatory submission.

Scope Coverage: 0 of 32 mandatory systems -- LIMITED

1.1 Risk Landscape Overview

This Bowtie Risk Assessment evaluated 1 Major Accident Hazard scenarios across qassim_sample.xlsx (CCGT), developing 1 bowtie diagrams encompassing 1 threat pathways and 1 consequence pathways. A total of 1 prevention barriers and 0 mitigation barriers were identified and assessed against CCPS / EI barrier validity criteria (Effective, Independent, Auditable). The assessment is based on desk review of the source HAZOP (200 rows, 120 scenarios at S>=3) and carries an evidence confidence cap of 40/100. All outputs require validation by the Process Safety Team.

1.2 Barrier Adequacy Summary

System-level adequacy ratings combining prevention coverage and mitigation specificity. Priority is set by the worse of the two ratings combined with the system's maximum consequence severity.

1.3 Key Findings

1. 0 of 1 threat pathways (0%) currently have zero prevention barriers. If any of these threats materialises, there is no engineered defence between the initiating event and loss of containment.
2. 0% of mitigation barriers are generic shared trunk controls (detection, ESD, access restriction, emergency response) rather than consequence-specific protection. The plant's post-release defence posture is weighted toward reactive response rather than targeted consequence reduction.
3. 0 barriers each appear across 3 or more systems, creating a systemic dependency where degradation of one shared barrier weakens protection across multiple MAH scenarios. The most widely shared barrier is psv: psv set (safeguard 3: relief valve sized for fire case), present in 1 of 1 systems (100%).
4. The HAZOP safeguard set is dominated by instrumented hardware: 0% Hardware-Active. Only 0 of 1 barriers (0%) are human, procedural or organizational. This reflects HAZOP-methodology bias rather than necessarily inadequate plant protection.
5. 100% of barriers are assessed as Partially Effective from desk review -- the barrier exists but its reliability or completeness cannot be fully confirmed without site evidence. Lowest-effectiveness system: Node 1 at 0% Effective.

1.4 Priority Recommendations

1.5 ALARP Position Statement

Based on this desk-review assessment, risks from 1 of 1 MAH scenarios cannot be confirmed as ALARP until the priority recommendations are addressed. The principal concerns are Node 1 where barrier coverage falls below industry good practice for CCGT facilities. The 3 Critical and 5 Major findings identified in Section 9 represent the minimum actions required before an ALARP demonstration can be completed. A formal ALARP assessment requires site-validated PFD data and operational performance evidence, which are outside the scope of this desk review.

2. Introduction, Scope and Methodology

2.1 Purpose and Objectives

This report converts the HAZOP study for qassim_sample.xlsx into structured bowtie risk assessment diagrams per CCPS / EI "Bow Ties in Risk Management" (2018). Objectives: (a) classify HAZOP safeguards as prevention or mitigation barriers, (b) identify gaps where barriers are missing or weakened, (c) derive the SCE/SCA register with FARSI performance standards, and (d) produce a Synergi-compatible barrier register for downstream import.

2.2 Scope and Battery Limits

HAZOP source: 200 rows analysed, 120 scenarios with severity S>=3 (SPEC-XL §5 step 1 filter). Out of scope: electrical protection systems (covered in a separate E-HAZOP study), and equipment with no S>=3 scenarios.

2.3 Scope Completeness Check

The submitted HAZOP is benchmarked against the Ascendera Reference Scope v1.0 for CCGT (40 reference systems, 32 mandatory). Scope Coverage: 0 of 32 mandatory systems -- LIMITED

Submitted HAZOP covers 0 of 32 mandatory systems for CCGT scope (0% mandatory coverage). Classification: LIMITED. Missing mandatory: Fuel Gas Receiving Station, Fuel Gas Heating, Filtration and Let-down, Gas Turbine and Enclosure, Gas Turbine Fuel Manifold, Nozzles, Purge, Gas Turbine Lubrication System, GT Enclosure Ventilation and Fire Suppression, HRSG Drums (HP/IP/LP) and Downcomer System, Superheater and Reheater, Economiser, Steam Turbine, Steam Turbine Lube, Seal, and Control Oil, Condenser (Surface or Air-Cooled), Condensate Polishing, Feedwater System (HP / IP / LP), Demineralisation Water Treatment, Boiler Water Chemical Dosing, Auxiliary (Closed-Loop) Cooling Water System, Generator, Exciter, Cooling, Seal Oil, Generator Step-Up Transformer, Unit Auxiliary and Station Service Transformers, HV / EHV Switchyard (AIS or GIS), Medium Voltage Switchgear, Emergency Diesel Generator, Distributed Control System and SCADA, Safety Instrumented System / Emergency Shutdown, Fire and Gas Detection, Plant Fire Water System, Special Hazard Fire Suppression, Instrument Air Compression, Drying, Distribution, Plant Service Air, Nitrogen Generation and Distribution, HVAC for MCC, Chemical Buildings, Control Room. Conclusions in this report relate only to the packages studied; a complete asset-level risk picture requires extension of the HAZOP to the excluded scope.

2.4 Methodology

2.5 Confidence Doctrine

Evidence confidence is capped at 65/100 for any desk-review run. Site verification is a separate, paid activity that is not covered by this report. Every page footer carries the FOR REVIEW -- REQUIRES PROCESS SAFETY TEAM VALIDATION notice.

3. Facility Description

Facility name: qassim_sample.xlsx
Technology: CCGT
HAZOP source file: /data/output/4d9cf73c-9686-4497-96ab-51c8bc4485e4/input.xlsx
HAZOP rows ingested: 200

3.1 Asset Boundaries

Asset boundaries follow the systems defined in the source HAZOP. See Section 5 for system-by-system breakdown including hazardous inventory, operating envelope, threat pathways, and barrier coverage. Section 4 lists the Major Accident Hazards this assessment addresses.

4. Major Accident Hazard Register

The following MAH register summarises every Major Accident Hazard scenario identified at this facility. Each MAH maps to one bowtie diagram in Section 5.

5. System-Level Bowtie Assessments

One sub-section per system. Each contains the system description, the hazard, the bowtie SVG, the barrier register, and the gap findings specific to that system.

5.1 Node 1

Catalogue ref: BT-N-001
Hazard: Fluid in Node 1
Top Event: Loss of containment of fluid from Node 1
Max severity: S=5 | Prev barriers: 1 | Mit barriers: 0 | Gaps: 2

Node 1 has 1 prevention and 0 mitigation barriers. Of these, 1 were traced to HAZOP safeguards while 0 were identified from domain knowledge or engineering standards and require site verification. Defence-in-depth includes 1 barrier type (Hardware - Passive). Barrier effectiveness from desk review: 0% Effective; the remainder are Partially Effective and need site validation.

6. Asset Barrier Register

Every barrier identified across the assessment, with side, category, condition, PFD/SIL where known, and provenance tier. Three quality columns help reviewers scope their verification: Independence flags barriers that depend on another (e.g. operator response to an alarm); Shared Count shows how many systems carry the same barrier title (a high count signals systemic dependency); EIA Status is the desk-review Effective / Independent / Auditable validity bucket (Valid / Conditional / Verify / Concern). Cross-references the WORLD_CLASS.xlsx Bowtie Elements sheet.

7. SCE/SCA Register

Safety Critical Elements (SCE, hardware) and Safety Critical Activities (SCA, human / procedural). Performance standards follow the Energy Institute FARSI model (Functionality, Availability, Reliability, Survivability, plus Test Interval). Cross-references WORLD_CLASS.xlsx SCE Register.

8. Risk Assessment and ALARP Demonstration

This section follows the four-step qualitative ALARP demonstration structure from HSE UK SPC / Permissioning / 37 -- codes-and-standards compliance, good-practice comparison, risk-reduction measures register, and an explicit ALARP conclusion statement.

8.1 Codes and Standards Compliance

8.2 Good Practice Comparison

8.3 Risk Reduction Measures

Generated from the CRITICAL and MAJOR gap findings. All measures are standard industry practice (workshop, verification, walkdown) so feasibility is High and cost is Low to Medium.

8.4 ALARP Conclusion

Based on this desk-review assessment, the residual risk from 1 of 1 MAH scenarios cannot be confirmed as ALARP until the 3 Critical findings are addressed. The principal barriers to an ALARP demonstration are: (a) unconfirmed SIL ratings on safety-instrumented functions; (b) suggested mitigation barriers requiring site verification; and (c) unprotected threat pathways where HAZOP safeguards could not be matched to specific initiating events. A formal ALARP assessment requires site-validated PFD / SIL data, operational performance records, and a reasonably-practicable cost / benefit analysis, which are outside the scope of this desk review.

9. Findings, Gap Analysis and Improvement Plan

9.1 Cross-Cutting Systemic Findings

These findings frame the assessment as a whole. They surface HAZOP methodology gaps and defence-in-depth diversity gaps that affect every system rather than any single MAH scenario.

9.2 System-Specific Findings by Priority

System-specific findings are listed below in priority order. Standard closure timelines are CRITICAL within 60 days, MAJOR within 90 days, MINOR within 180 days.

Systems carrying CRITICAL findings: Node 1.

9.3 Common Themes

Cross-finding analysis -- the recurring patterns that emerge when the per-bowtie findings are read together.

10. Assessment Confidence and Verification Requirements

10.1 Five-Factor Confidence Framework

Confidence in this assessment is decomposed into five weighted factors. Each factor is rated Low (30 points), Medium (55 points) or High (80 points). The weighted overall rolls up to the evidence confidence number reported on the cover.

Weighted overall confidence: 46/100 · Structural confidence: 85% · Evidence confidence cap: 40/100 (non-negotiable for desk reviews per SPEC-XL §19).

Dual confidence cap: confidence is capped at min(desk-review cap 65/100, scope-coverage cap 40/100) = 40/100. Scope cap reflects 0% coverage of mandatory reference systems for CCGT.

10.2 Provenance Breakdown

10.3 Post-Report Verification Plan

Phase 1 (60 days): Process Safety Team validates bowtie groupings, top events and barrier classifications. Phase 2 (90 days): Mechanical Integrity Engineer validates PFD / SIL on all hardware barriers. Phase 3 (120 days): Site walkdown confirms presence and condition of suggested barriers (gap-fill). Phase 4 (180 days): Improvement plan (Section 9) implemented and closed.

11. Conclusions and Forward Look

11.1 Overall Risk Posture

qassim_sample.xlsx's barrier framework provides a foundation of instrumented hardware protection across 1 MAH scenarios. 0 systems are assessed as Adequate or Adequate with Concerns; 0 Require Improvement; 1 Inadequate. The barrier set is strong in prevention (alarm and trip-based protection from HAZOP) but weak in post-release mitigation, non-hardware defence layers, and barrier-independence assurance.

11.2 Hierarchy of Concerns

Recommended actions sorted by timeframe. Immediate items unblock the ALARP demonstration; systemic items improve future HAZOP and barrier management processes.

11.3 Confidence and Limitations

This assessment carries an evidence confidence of 65/100 reflecting its desk-review basis. The three principal limitations are: (a) barrier condition has not been verified by site observation or maintenance records; (b) PFD / SIL data is from design basis, not operational performance; (c) human / procedural barriers were predominantly added from domain knowledge rather than extracted from the HAZOP. These limitations are inherent to desk-review methodology and are addressed in the four-phase verification plan (Section 10.3).

11.4 Forward Look

Integrate the SCE / SCA register (Section 7) into the asset's barrier management system (DNV Synergi Life or equivalent) using the WORLD_CLASS.xlsx output. Establish recurring barrier-health reporting against the FARSI performance standards. Re-run this assessment whenever the underlying HAZOP is revised, the process design changes, or following any process safety event at the facility.

Prepared by Ascendera Group (for ACWA Power). FOR REVIEW -- REQUIRES PROCESS SAFETY TEAM VALIDATION.