BOOKLET 4
Hazard identification, risk assessment and control measures for Major Hazard Facilities Booklet 4
page 1 of 49
TABLE OF CONTENTS
1 Who is this booklet for? ... 3
2 What does the booklet aim to do? ... 3
3 Hazard identification, risk assessment and control measures introduction ... 3
4 Hazard identification ... 3
4.1 The importance of getting the hazard identification right ... 4
4.2 Features of HAZID ... 5
4.3 Hazard identification processes and techniques ... 8
4.4 Review, revision and typical problems ... 15
5 Risk assessment ... 17
5.1 Risk assessment aims ... 17
5.2 Examples of risk assessment methods ... 24
6 Control measures ... 33
6.1 Introduction ... 33
6.2 What is a control measure? ... 33
6.3 Understanding control measures ... 35
6.4 Selecting and rejecting control measures ... 39
6.5 Additional or alternative control measures ... 40
6.6 Defining performance indicators for control measures ... 42
6.7 Critical operating parameters ... 45
6.8 Involving employees in control measures ... 46
6.9 Control measures within the safety report and SMS ... 46
6.10 Reviewing and revising control measures ... 47
6.11 SMS - A suggested combination of key elements ... 48
Hazard identification
The Regulations require the employer, in consultation with employees, to identify:
a) all reasonably foreseeable hazards at the MHF that may cause a major accident; and
b) the kinds of major accidents that may occur at the MHF, the likelihood of a major accident occurring and the likely consequences of a major accident.
4.1 The importance of getting the hazard identification right
HAZID must address potentially rare events and situations so that the full range of major accidents and their causes is covered. To achieve this, employers should:
a) identify and challenge assumptions and existing norms of design and operation to test whether they may contain weaknesses;
b) think beyond the immediate experience at the specific MHF;
c) recognise that existing controls and procedures cannot always be guaranteed to work as expected; and
d) learn lessons from similar organisations and businesses.

a) substantial time is needed to identify all hazards and potential major accidents and to understand the complex circumstances that typify major accidents;
b) the need for a combination of expertise in HAZID techniques, knowledge of the facility and systematic tools;
c) the possibility that a combination of different HAZID techniques may be needed, depending on the nature of the facility, to ensure that the full range of factors (e.g. human and engineering) is properly considered;
d) obtaining information on HAZID from a range of sources and opinions; and
e) ensuring objectivity during the HAZID process.
Comcare must be satisfied that hazard identification has been comprehensive and the risks are eliminated or controlled before granting a licence or certificate of compliance to operate an MHF.
4.2 Features of HAZID
Comcare's expectations and some important features of HAZID
Comcare will expect:
a) a clear method statement or description of the HAZID process, defining when it was conducted, how it was planned and prepared, who was involved and what tools and resources were employed;
b) that the HAZID process was based on a comprehensive and accurate description of the facility, including all necessary diagrams, process information, existing conditions and modifications; and
c) that the overall HAZID process did not rely solely on data that was historical or reactive, and that employers ensured that predictive methods were also used.
The HAZID process must identify hazards that could cause a potential major accident for the full range of operational modes, including normal operations, start-up and shutdown, and also potential upset, emergency or abnormal conditions. Employers should also reassess their HAZID whenever a significant change in operations has occurred or a new substance has been introduced. They should also consider incidents that have occurred elsewhere at similar facilities, both within the same industry and in other industries. Refer to the Safety Report and Report Outline guidance material (booklet 4) for the definition of significant change.
so that they can fully participate in the process; and
d) be alert for hazards that can be revealed by the combination of knowledge from specialists in different work groups.
System description: At the commencement of the HAZID, the complete system of assets, materials, human activities and process operations within the boundaries of the study should be clearly defined and understood, taking account of the original design, subsequent changes and current conditions. Typically, the system should be divided into distinct separate components or sections to enable manageable quantities of information to be handled at each stage.

Systematic evaluation and recording: The HAZID should move progressively through the system, applying the HAZID tools to each component or section in turn. All identified hazards and incidents should be recorded in some way. (See Figure 16 in this booklet for some examples of how hazard registers may be configured.) A checklist of guidewords, questions or issues should be considered at each stage. Some key questions and issues could be:
a) What is the design intent, what are the broad ranges of activities to be conducted, what is the condition of equipment, and what limitations apply to activities and operations? What are the critical operating parameters?
b) What process operations occur, and how could they deviate from the design intent or critical operating parameters? This should consider routine and abnormal operations, start-up, shutdown and process upsets.
c) What materials are present? Are they a potential source of major accidents in their own right? Could they cause an accident involving another material? Could two or more materials interact with each other to create additional hazards?
d) What operations, construction or maintenance activities occur that could cause or contribute towards hazards or accidents? How could these activities go wrong?
e) Could other hazardous activities be introduced into this section by error or by work in neighbouring sections of the facility? Could other materials, not normally or not intended to be present, be introduced into the process?
f) What equipment within the section could fail or be impacted by internal or external hazardous events? What are the possible events?
g) What could happen in this section to create additional hazards, e.g. temporary storage or road tankers?
h) Could a particular section of the facility interact with other sections (e.g. adjacent equipment, an upstream or downstream process, or something sharing a service) in such a way as to cause an accident?
4.3 Hazard identification processes and techniques
for all equipment within the study boundary. Process flow and equipment diagrams are studied systematically, and all equipment is assigned appropriate loss of containment scenarios, such as pinhole leaks, according to design, construction and operation. This form of hazard identification may be necessary for many major hazard facilities, to avoid missing potential scenarios, but is not sufficient on its own because it does not consider specific causes or circumstances. Therefore, this technique should only be used in combination with other techniques for MHF purposes.
Checklists
There are many established hazard checklists which can be used to guide the identification of hazards. Checklists offer straightforward and effective ways of ensuring that basic types of events are considered. Checklists may not be sufficient on their own, as they may not cover all types of hazards, particularly facility-specific hazards, and could also suppress lateral thinking. Again, this technique should only be used in combination with other techniques for MHF purposes.
What-If Techniques
This is typically a combination of the above techniques, often using a prepared set of what-if questions on potential deviations and upsets in the facility. This approach is broader but less detailed than HAZOP.
Brainstorming
Brainstorming is typically an unstructured or partially structured group process, which can be effective at identifying obscure hazards that may be overlooked by the more systematic methods.
Task Analysis
This is a technique developed to address human factors, procedural errors and man-machine interface issues. This type of hazard identification is useful for identifying potential problems relating to procedural failures, human resources, human errors, fault recognition, alarm response, etc. Task Analysis can be applied to specific jobs such as lifting operations, moving equipment off-line or to specific working environments such as control rooms. Task Analysis is particularly useful for looking at areas of a facility where there is a low fault-tolerance, or where human error can easily take a plant out of its safe operating envelope.
down to component level. Individual system, sub-system and component failures are systematically analysed to identify their causes (which are failures at the next lower-level system), and to determine their possible outcomes, which are potential causes of failure in the next higher-level system. This technique is quite specialised and usually requires expert assistance.
Examples of major accidents and the role of multiple factors in those accidents
Texas City, USA, 2005. An explosion at a large refinery killed 15 workers and injured over 170 others. Equipment upgrades and SMS elements including process safety information, communications and training were targeted for improvements following the incident. The total cost of the plant upgrade was reported to be 1 billion dollars over 5 years.

Longford, Victoria, 1998. Two workers were killed and eight others injured in an explosion at a gas processing plant. As a result, many elements of the SMS were targeted for improvements, including process safety information and communication of critical safety information.

Pasadena, USA, 1989. A fire and a series of explosions at a refinery complex resulted in 23 fatalities. Inadequate and unofficial isolation procedures, together with human error induced by poor ergonomics, played a role in causing the accident. The loss of life and scale of damage were increased by poor plant layout and subsequent damage to fire-fighting systems.

Piper Alpha, UK, 1988. The accident was triggered by a small leak in a condensate pump system, which by itself would most likely have had only minor consequences. However, in combination with failures in management systems, design and equipment, the event resulted in the loss of 167 lives and destruction of the entire platform.

Bhopal, India, 1984. Half a million people were exposed and over 20,000 have died to date as a result of a release of methyl-isocyanate via a vent stack. A range of systems and equipment had been malfunctioning or were taken out of service over a period leading up to the disaster, including a safety system for scrubbing tank vent releases, which was disabled because the plant was shut down and not considered to be a risk. After the plant's construction, a large shanty town had grown up around it, but this had not led to any recognition of changes in risk.

Flixborough, UK, 1974. A modification was made to a bypass for one of a series of reactor vessels. Due to the urgency of the work, and the fact that there had been significant organisational change, the modification was designed and constructed inadequately. The bypass failed, releasing a large cloud of cyclohexane, which exploded and killed 28 persons. Not only was the new hazard not considered during the modification, it was not recognised during subsequent operations even though the bypass was seen to move as process pressure rose and fell.
necessary to involve first-line operations and maintenance personnel in the hazard identification, it is also necessary to consider wider issues than the day-to-day roles and activities of these persons. When considering the type and level of human factors input that is needed in hazard identification, employers should consider their specific circumstances, and in particular, the amount of reliance they place on human actions and decisions in the prevention and control of major accidents. Cases where detailed consideration of human factors might be appropriate include a process plant that requires employee action to prevent or control emergency situations or a dangerous goods warehouse that relies heavily on procedural controls to ensure correct segregation of goods. In addition to calling upon the necessary range of operations personnel to take part in the hazard identification, it may also be appropriate to use persons having specialist human factors knowledge. This specialist knowledge may be essential if human factors hazards can influence critical safety controls. Human factor HAZID techniques are evolving and are based on methods developed from engineering HAZID methods. They follow the same principles and can be conducted in conjunction with an engineering HAZID.
Task analysis
An important set of human factors techniques, which can be used in all areas of human factors consideration, is a set of methods collectively called task analysis. Task analysis is not only used in HAZID but is also a tool for risk assessment and development of control measures to accommodate human factors. Task analysis is used to study what a person, or team, is required to do, in terms of actions and/or mental processes to achieve a system goal. The information used in and derived from a task analysis will depend on the technique used and the objective of the analysis.
HTA (hierarchical task analysis) is one of the most commonly used task analysis techniques. It is used to systematically analyse a task or series of tasks. The outcomes of the HTA will depend on the reasons for its use. For example, if a new control room is being designed for a process facility, the design layout and equipment available in the control room should be tested to ensure that it is appropriate for handling all foreseeable operations (start-up, normal, abnormal). If HTA is used to assess workload, the information, processing
4.4 Review, revision and typical problems
assess. The worst-case scenario is sometimes incorrectly deemed to be the largest event within the capacity of the on-site protection systems, simply on the basis that any event worse than this cannot be planned for. However, such events are merely the worst that has been allowed for during design and are not necessarily the worst that can occur. Most examples of major accidents given above clearly exceeded the design basis, which is why they resulted in such serious outcomes. Both the design events and the true worst case events are required to be considered. It should also be recognised that the worst case in terms of the distance of impact might not be the worst case in terms of potential consequences. It may be necessary to consider both these consequences. The worst-case scenario for one area of a facility may not be the same as that for another area of the same facility. This will depend on a large number of factors such as materials normally or not normally present, extreme process conditions, isolation systems that may fail, the proximity and the layout of vessels and the presence of personnel. Employers should consider all available information, including historical incident records, in deriving the worst-case scenario.
d) widening the scope to include too great a range of incident types, such as all occupational health and safety issues. If these issues must be considered, they should only be the issues relevant to controlling the risk of a major accident;
e) carrying out the HAZID with incomplete or inaccurate facility descriptive information;
f) proceeding with the study without first having developed, agreed and planned the approach and the method of recording. A pilot study on a selected area of the facility may be beneficial in deciding on an effective HAZID approach;
g) failing to be comprehensive and systematic with respect to the activities, operations and possible different states of each part of the facility;
h) failing to record important information discussed during the HAZID, e.g. assumptions, uncertainties or debated issues and gaps in knowledge;
i) allowing the hazard identification workshops to be dominated by individual persons or groups within the organisation; and
j) where HAZIDs are conducted across several sessions, failing to review previous session findings or remind participants of the scope and objectives.
5 Risk assessment
5.1 Risk assessment aims
The aims of risk assessment are to:
a) provide a basis for identifying, evaluating, defining and justifying the selection of control measures for eliminating or reducing risk, and therefore lay the foundations for demonstrating the adequacy of the standards of safety proposed for the facility;
b) provide the employer and employees with sufficient objective knowledge, awareness and understanding of the risks of major accidents at the facility;
c) capture knowledge of the risk of a major accident at the facility so it can be managed, disseminated and maintained. The management of knowledge generated in the risk assessment will also greatly assist the efficient development of a safety report for the facility, for example by handling assumptions and actions arising; and
d) give practical effect to the employer's safety report philosophy. For example, if the employer intends to base the safety report largely on the facility's compliance with specific codes or standards, the risk assessment should address corresponding issues such as the basis of the codes and standards and their applicability to the facility.
of incidents being controlled; c) reliability, or number of control measures, reflecting the likelihood of the corresponding incidents.
The risk assessment should use assessment methods (quantitative or qualitative or both) that suit the hazards being considered. This means that the tools employed must be selected according to the nature of the risk. A tool that does not address any variability or uncertainty in the nature of the hazards and incidents identified can fail to generate the necessary understanding and provide no basis for differentiating between control measures. There is no single tool able to meet all the requirements for risk assessment, and all tools have limitations and weaknesses.

For example: if the dominant contributor to a major accident relates to aging of equipment and associated mechanical integrity problems, then an analysis of mechanical integrity, corrosion rates, breakdown data, reliability and inspection/testing/maintenance issues may be necessary to develop the required understanding. In such a case, a quantitative risk assessment (QRA), which is usually based on generic data, may not provide the necessary information or lead to effective solutions.
Similarly, if a facility employer has identified human error as a key risk driver, then a Task Analysis, Human Reliability Analysis, or detailed analysis of the operating procedures may be appropriate. Analysis of equipment condition and reliability in this case would probably not be effective.

For many facilities, several types of assessment may be required. In the interests of efficiency, it is desirable to clearly identify the types of detailed study required before following any particular route. Two basic tools can assist this process: preliminary/qualitative risk assessments, and hazard or risk ranking. There are plenty of examples of both types of tool, but they all have a common purpose: to determine the nature of the risk in terms of the basic causes, likelihood, consequences and controls. Where it is clear that the employer has insufficient knowledge of causes or likelihood, detailed studies may be needed. A preliminary evaluation should point towards the types of detailed study required. An appropriate ranking methodology allows the key areas to be identified and prioritised. It enables the employer to determine if the gaps in knowledge correspond to what may be major risk contributors. Priority should be given to those areas where it is obvious there is likely to be a high risk and there are also gaps in knowledge about the things giving rise to the risk. Some iteration may be required where the ranking of key areas is revisited following detailed assessment, to see if any hazards have increased in rank and now require more detailed study. Figure 5 illustrates the relationship between preliminary evaluation, ranking and detailed studies.

Figure 5: Relationship between preliminary evaluations, ranking and detailed studies
The above discussion introduces the concept of a "tiered approach" that is frequently used in risk assessment. If a simple technique generates the information required by the Regulations and also generates sufficient understanding of the risk and the options for its control, further risk assessment may not be necessary. However, if substantial uncertainty remains, or the employer wishes to look at a range of options in greater detail, then further effort is justified and more detailed tools may be desirable. In general, greater assessment effort should result in a more quantitative, accurate and robust understanding, thereby allowing a more transparent and rational basis for decision-making. The key to the tiered approach is that, at each stage, the employer should compare the potential cost of increasing the detail of the assessment against the benefit that further assessment may give. In this context, the benefit may be a higher level of knowledge of the hazards and the risk, or may be a better understanding of the optimum means of controlling the risk (described in Figure 6).
Some facilities may use a semi-quantitative risk assessment where qualitative brainstorming sessions of staff are combined with quantitative studies and information. If data and knowledge have been collected previously about the MHF and remain relevant to risk assessments under the MHF Regulations, it is acceptable to make use of that data and knowledge.
hazards or combinations of hazards, each of which could lead to that accident, and several control measures which may be particularly critical because they may influence one or more of those hazards. The risk assessment should give an understanding of the total likelihood of each accident and the relative importance of each separate hazard and control measure. The potential for escalation of major accidents, and the consequences of this which may be greater than an event in isolation, need to be considered along with the consequences and their effects (e.g. number of injuries, extent of property damage). A facility may have a range of major hazards that could lead to potential major accidents. Both the highest risk incidents and the overall profile of risks from all incidents must be determined, so that the risk can be shown to be adequately controlled. In cases where a large number of different hazards and potential accidents exist, the cumulative risk may be significant even if the risk arising from each event is low. The "bow tie" diagram (Figure 7) is similar to a combined fault and event tree that shows how a range of causes, controls and consequences can be linked together and associated with each major accident scenario. Cumulative consideration of the hazards can be seen as the overall evaluation of interactions between different parts of a single bow tie or consideration of a range of bow ties together. Cumulative consideration of hazards enables the employer to assess the overall risk picture for the facility and to understand how different causes and events can combine to lead to an accident. It also enables the key causes and controls for the risks to be identified and evaluated in more detail if required.
5.2 Examples of risk assessment methods
b) likelihood of each hazard causing a major accident;
c) magnitude of each major accident;
d) severity of consequences of each major accident to persons on-site and off-site;
e) range of control measures available to control each major accident;
f) effectiveness and viability of control measures for each major accident; and
g) individual and cumulative effects of hazards.

Each of these aspects is discussed below, with examples to illustrate the concepts, together with discussion of simplified, overall, preliminary qualitative methods of risk assessment that may be used to focus the detail of the assessment onto the high-risk cases. This section is not intended to be a detailed or comprehensive description of risk assessment methods. The methods and figures shown below are purely selective examples to illustrate the approaches and are not a recommendation for any specific application.
Ranking methods
Most forms of preliminary risk assessment can be used as a basis for ranking different incidents to establish their approximate order of importance. In the risk matrix example, a simple scoring system can be introduced to represent the combined effect of likelihood and consequence. For example, the highest-ranking incident is m.a.7 (i.e. major accident number 7) with a score or risk index of 16, closely followed by m.a.12 with a risk index of 15. The sum of the risk indices for all incidents is 76; therefore, the contribution of incident m.a.7 is 16/76 or about 21% of the cumulative risk. Note that the risk index on the matrix is a multiplication of the numbers assigned to the rows and columns, NOT an addition.

An extension of the above scoring approach is to define a range of specific factors that affect the likelihood or consequences of each incident. For each factor, each incident may be given a score such as from 1 to 5, or a simple rating such as low, medium or high, based on specific, established criteria. The scores for each incident are then added to give an overall likelihood, consequence or risk score for each incident.
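The matrix scoring and ranking just described, as an added worked example (not from the booklet). The incident list is constructed so that it reproduces the figures quoted in the text (m.a.7 = 16, m.a.12 = 15, total 76); the 1 to 5 likelihood and consequence scales, the factor names in the extension, and the choice to multiply the two factor totals are assumptions.

```python
"""Risk-matrix ranking: added illustration, not the booklet's own data."""

# Constructed sample: (major accident id, likelihood 1-5, consequence 1-5).
# Chosen so that m.a.7 scores 16, m.a.12 scores 15 and the total is 76,
# matching the worked figures in the text.
INCIDENTS = [
    ("m.a.1", 2, 3), ("m.a.2", 1, 5), ("m.a.3", 3, 2), ("m.a.4", 2, 2),
    ("m.a.5", 1, 1), ("m.a.6", 3, 3), ("m.a.7", 4, 4), ("m.a.8", 2, 1),
    ("m.a.9", 1, 2), ("m.a.10", 2, 2), ("m.a.11", 3, 2), ("m.a.12", 5, 3),
]


def risk_index(likelihood, consequence):
    """Risk index is the PRODUCT of the row and column numbers, not the sum."""
    for value in (likelihood, consequence):
        if not 1 <= value <= 5:
            raise ValueError("matrix scores must lie on the 1-5 scale")
    return likelihood * consequence


def rank_incidents(incidents):
    """Return ([(id, index, share of cumulative risk)] highest first, total)."""
    indices = {name: risk_index(l, c) for name, l, c in incidents}
    total = sum(indices.values())
    ranked = sorted(indices.items(), key=lambda kv: kv[1], reverse=True)
    return [(name, idx, idx / total) for name, idx in ranked], total


def low_risk_share(incidents, threshold):
    """Share of cumulative risk carried by incidents scoring below threshold.

    Illustrates the point made later in the booklet that many individually
    low-risk events can together form a significant part of the total."""
    indices = [risk_index(l, c) for _, l, c in incidents]
    return sum(i for i in indices if i < threshold) / sum(indices)


# Extension: several named factors (constructed names) are each scored 1-5,
# and the scores are ADDED within a dimension to give an overall likelihood
# and an overall consequence score for the incident.
LIKELIHOOD_FACTORS = ("equipment condition", "reliance on operator action",
                      "frequency of operation")
CONSEQUENCE_FACTORS = ("inventory", "population exposed",
                       "escalation potential")


def factor_score(scores, factors):
    """Sum of the 1-5 scores for every factor; every factor must be scored."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"unscored factors: {missing}")
    for f in factors:
        if not 1 <= scores[f] <= 5:
            raise ValueError(f"score for {f!r} outside 1-5")
    return sum(scores[f] for f in factors)


def factored_risk(likelihood_scores, consequence_scores):
    """(likelihood total, consequence total, risk). Multiplying the two
    totals is an assumption kept consistent with the matrix index above."""
    l = factor_score(likelihood_scores, LIKELIHOOD_FACTORS)
    c = factor_score(consequence_scores, CONSEQUENCE_FACTORS)
    return l, c, l * c


if __name__ == "__main__":
    ranked, total = rank_incidents(INCIDENTS)
    print(f"total risk index {total}")
    for name, idx, share in ranked:
        print(f"{name:7s} index {idx:2d}  {share:5.1%} of cumulative risk")
    print(f"incidents scoring below 9 carry {low_risk_share(INCIDENTS, 9):.0%}")
```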
See under the heading Examples of HAZID techniques in section 6.6 of this booklet for a brief explanation of an FMECA.
2 Also see the reference above for a brief explanation of a fault tree and event tree analysis.
low-level failures may affect higher-level systems.3 A Fault Tree may then be used to show how low-level failures, combined with external aspects such as loss of power supply or human error may combine to cause overall system failure. The Fault Tree can also be used, in principle, to estimate the likelihood or frequency of the failure occurring.
3 Also see the reference above for a brief explanation of an FMEA.
Event Trees may be used to determine what alternative outcomes may arise from an initial event, and the relative likelihood of each outcome. Again, it is possible to develop qualitative or quantitative event trees. Event trees also assist in defining the significant consequence scenarios, which need to be evaluated in detail. Both Event Trees and Fault Trees can be used to evaluate quantitatively or qualitatively what effect existing or potential control measures have on risk levels. The effects of control measures assumed in these assessments should be reflected in the performance indicators defined for the control measures.
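A quantified fault tree feeding an event tree, added here to illustrate the passage above; it is not from the booklet. The transfer-line system, the basic-event frequencies and probabilities, the ignition branch probabilities and the control measure (automatic isolation) are all constructed assumptions, chosen to show how the assumed effect of a control measure changes the top-event frequency and the outcome likelihoods.

```python
"""Fault tree + event tree quantification: added illustration, constructed data."""


def or_gate(*probs):
    """Probability that at least one of several independent events occurs."""
    p_none = 1.0
    for p in probs:
        p_none *= 1.0 - p
    return 1.0 - p_none


def and_gate(*probs):
    """Probability that all of several independent events occur."""
    result = 1.0
    for p in probs:
        result *= p
    return result


# Constructed basic-event data (assumptions, not from the booklet).
INITIATORS_PER_YEAR = {             # release initiators, events per year
    "pump seal failure": 0.10,
    "transfer hose rupture": 0.02,
    "overfill from operator error": 0.05,
}
BASIC_PROBS = {                     # probability of failure on demand
    "automatic isolation valve fails": 0.05,
    "loss of power supply to isolation": 0.01,
    "operator fails to isolate manually": 0.10,
}


def top_event_frequency(automatic_isolation_installed=True):
    """Fault tree: frequency per year of an unisolated release.

    TOP = (any initiator) AND (automatic isolation unavailable
                               AND manual isolation fails)
    automatic isolation unavailable = valve fails OR loss of power supply
    Initiator frequencies are summed (the OR of rare per-year events).
    Without the automatic isolation installed it is treated as always
    unavailable; that is the 'potential control measure absent' case."""
    initiating = sum(INITIATORS_PER_YEAR.values())
    if automatic_isolation_installed:
        auto_unavailable = or_gate(BASIC_PROBS["automatic isolation valve fails"],
                                   BASIC_PROBS["loss of power supply to isolation"])
    else:
        auto_unavailable = 1.0
    isolation_fails = and_gate(auto_unavailable,
                               BASIC_PROBS["operator fails to isolate manually"])
    return initiating * isolation_fails


# Event tree branch probabilities (constructed): immediate ignition gives a
# jet fire; otherwise delayed ignition of the developed cloud gives a flash
# fire, and no ignition gives safe dispersal.
P_IMMEDIATE_IGNITION = 0.10
P_DELAYED_IGNITION = 0.30


def outcome_frequencies(top_frequency):
    """Event tree: split the top-event frequency across outcome scenarios."""
    jet_fire = top_frequency * P_IMMEDIATE_IGNITION
    no_immediate = top_frequency * (1.0 - P_IMMEDIATE_IGNITION)
    return {
        "jet fire": jet_fire,
        "flash fire": no_immediate * P_DELAYED_IGNITION,
        "safe dispersal": no_immediate * (1.0 - P_DELAYED_IGNITION),
    }


def control_measure_effect():
    """Risk reduction factor credited to the automatic isolation: ratio of
    top-event frequencies without and with it. The assumptions behind it
    (valve failure on demand <= 0.05, power unavailability <= 0.01) are what
    the control measure's performance indicators would need to track."""
    return top_event_frequency(False) / top_event_frequency(True)


if __name__ == "__main__":
    for installed in (True, False):
        f = top_event_frequency(installed)
        print(f"auto isolation {'in' if installed else 'ex'}cluded: top event {f:.2e}/yr")
        for outcome, freq in outcome_frequencies(f).items():
            print(f"   {outcome:15s} {freq:.2e}/yr")
    print(f"risk reduction factor from automatic isolation: {control_measure_effect():.1f}")
```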
the radiation from pool fires or the toxic gas cloud formation from releases of chlorine. Typical consequences which need to be considered within a risk assessment are toxic exposure from gas clouds or smoke inside or outside buildings.

The selective use of worst-case consequence modelling can improve the efficiency of the process when it is necessary to identify which areas of the facility can cause offsite effects. It is also necessary to consider less than worst-case conditions to develop a comprehensive understanding of the risk. The Regulations apply equally to onsite and offsite populations, and the worst-case scenarios for onsite and offsite populations may be very different.

The worst-case approach involves defining the credible combination of conditions giving rise to the maximum consequence zone for the identified accident, in relation to the target population. This can include defining release quantity, duration, pressure, composition, location, wind speed and other atmospheric conditions, time of ignition and functioning of control measures. It is common to assume that the worst-case release quantity is the maximum vessel contents, released over a defined period of time. However, this cannot be taken as the correct assumption for all types of plant or storage area. Where there is a clear mechanism for releasing more than the maximum vessel inventory, this should be considered in the consequence analysis. Active control systems such as isolation valves and blowdown systems need to be assessed for the worst-case scenario. Passive control measures that are assured of functioning in the event of the worst-case accident may be included in the assessment. The impact distance in all directions from the release point should be determined, allowing for the fact that the wind can blow from any direction. The impact distance is usually determined to a predefined consequence criterion, which can be material and/or effect specific.
For example, LPG flash fires extend to a defined lower flammable limit, while LPG can also produce fireballs or jet fires that cause injury or damage through thermal radiation. Thermal radiation criteria are the same for all flammable materials. Employers should carefully define all relevant consequence criteria based on their definition of a major accident. Below is an example of one method for illustrating the consequences and effects of a major accident; the example is a major accident involving a pool fire. This method may prove helpful during the risk assessment process and, if used, should be included in the risk assessment documentation.
The employer should consider consequences under a range of meteorological conditions. Usually the worst-case meteorological condition for toxic or non-dense gas releases is high atmospheric stability and a low wind speed, typically experienced at night-time or in the very early morning. For dense gases, the worst-case condition is typically a high wind speed, which tends to occur at neutral atmospheric stability and during the day. Definitions of stability and other environmental conditions can be found in safety or meteorology literature. Ambient temperature and humidity may also affect the consequences of releases; in particular, high temperature can increase the flammable effect range of low-volatility materials. Surface type and topography can also affect the consequence, such as a spill into water or onto sloping areas. For flammable materials the consequences should be analysed both when ignition occurs immediately following the release, and when ignition occurs after sufficient delay for a flammable cloud to fully develop. Further factors to consider include day versus night conditions and extreme weather conditions such as flooding and storms, including cyclones for facilities located in cyclone-prone areas of Australia.

To evaluate the impacts of major accidents on people, it is necessary to consider the number and distribution of potentially exposed people, and their characteristics. Variations in these factors should also be considered, such as temporary populations, maintenance crews and on-site populations for specific operational modes. A further factor that should be considered is that people such as emergency services or investigators may be present specifically because there is a developing incident.
g) all methods, results, assumptions and data reflect the nature of the hazards considered and are documented;
h) a range of control measures are considered and their effects on risk are explicitly addressed;
i) it supports the development of the safety management system;
j) it is used as a basis for adoption of control measures, including emergency planning; and
k) it is used as a basis for the demonstrations in the safety report.
6 Control measures

6.1 Introduction
The previous sections discussed key elements for the range of control measures that should be in place at an MHF. This section provides more detailed guidance on how to select and judge the effectiveness of specific control measures. Choosing the best control measures and being able to demonstrate their effectiveness is a critical feature of compliance with the Regulations.
6.2 What is a control measure?

Control measures can be identified while identifying hazards and during the risk assessment. Employers should be able to identify a range of control measures immediately, both the existing measures and possible alternatives. Checklists of "typical" control measures may assist in the process, but these should not be used in isolation. The specific nature of each hazard and the associated part of the facility should be considered when identifying control measures. The table below is an example of the consequences and key control measures that might apply for a warehouse.

An example: identification of scenarios and control measures, dangerous goods warehouse

Scenario: Flash or pool fires from puncturing drums containing flammable liquids.
Key controls: Drum inspection and handling procedures; ignition source control; fire fighting equipment.

Scenario: Fires in packaged goods areas, in pallet storage stacks, or amongst general rubbish.
Key controls: Housekeeping; ignition source control; smoke detection and automatic vents.

Scenario: Fire escalation.
Key controls: Separation and segregation rules; stacking restrictions; fire fighting equipment and emergency response.
6.3 Understanding control measures
procedures). Controls may also be grouped into categories that define the nature and spread of the control such as engineering, organisational, procedural and administrative controls. Whatever method of categorisation is employed, safe operation will depend on an appropriate balance of different types of control measures. These categorisations can help in determining the most effective control measures for a facility and in ensuring a range of measures is chosen so that one failure does not remove many controls. A single category of control measure will rarely be enough for a risk to be controlled as far as is reasonably practicable unless the elimination of the hazard has occurred. Most commonly, layers of protection will be required to reduce a risk so far as is reasonably practicable. For most facilities or items of equipment, there are numerous layers acting as barriers to eliminate, prevent, reduce or mitigate incidents. This is illustrated in Figure 15. Equipment integrity, operating and maintenance procedures are the "inner layers", and are the barriers normally relied on to ensure incidents do not occur. Systems that reduce or mitigate incidents are the "outer layers" which are relied on in abnormal or emergency conditions. A robust risk control regime will feature a range of risk control layers; the number and integrity of which should reflect the inherent level of hazard and risk within the protected part of the facility.
Examples of control measures are shown below, using the above categorisation. The table is illustrative only, and is not intended to be a complete list of possible controls for any facility. The categorisation shown is not intended to be rigid, and many controls may apply in more than one category.
Some examples of control measures

Type: Elimination
Engineering controls: Mounding of LPG storage tanks. Substitution with non-hazardous materials. Inherent design features, layout.
Administrative controls: Inherently safe process concept. Feedstock quality specifications. Plant design procedures.

Type: Prevention
Engineering controls: Impact and dropped object barriers. Isolation valves to enable safe maintenance work. Mechanical ventilation systems. Process control systems. Corrosion and erosion probes. Materials specifications, corrosion allowance.
Administrative controls: Operating procedures and instructions. Maintenance and isolation procedures. Management of change.

Type: Reduction
Engineering controls: Physical barriers between incompatible materials. Secondary containment of hazardous substances. Process emergency controls and alarms. Shutdown, isolation and de-pressurisation systems. Bursting disks. Safety and relief valves. Bunds, other containment and drainage systems.

Type: Mitigation
Engineering controls: Fire detection systems. Fire suppression and cooling systems. Passive fire protection systems.
Control measures may vary for different stages of the facility's life cycle. For example, design and construction standards are important for new facilities, but as the facility ages more emphasis may be required on asset integrity management. Similarly, control measures may themselves have life cycles that need to be considered. The balance and type of control measures are expected to be consistent with the employer's overall safety philosophy. If the safety philosophy is based primarily on engineering controls there is less need for other controls such as administrative ones. On the other hand, if the safety philosophy is based on personnel knowledge and skills, then procedural and competency controls might be dominant, although additional hardware controls would still be needed.

The assessment required to understand control measures, their function and their effects on hazards and associated risks, is driven by three factors:
a) a highly complex reaction process, new technology, or complex process equipment may require detailed assessment to understand the control measures, whereas a simple system can be understood more rapidly and without using sophisticated methods of assessment;
b) where there are numerous options available to control the associated risk, more effort is likely to be required to reach an understanding of the available controls, to differentiate the options in terms of their effects on risk and to provide a basis for selecting or rejecting options appropriately; and
c) a high level of uncertainty regarding the nature of the hazard or risk, or the behaviour of the control measures, is likely to require greater effort to reach an overall understanding; e.g. Class 6.1 liquids are more straightforward to analyse than Class 2.3 toxic gases.

The above concepts illustrate the issues that need to be considered in defining and understanding control measures.
There may be many other issues that need to be considered in developing an understanding of control measures for a facility. For many facilities this may result in a significant amount of information. Therefore a simple method of linking and communicating the information together should be considered, for example "bow tie" diagrams or registers of hazards and controls. Figure 16 provides examples of how to use bow tie diagrams or registers to link and communicate control measure information. Alternatively, simple hazard management tables or diagrams can be developed.
Figure 16: Examples of presentation formats for hazard and control information a) "Bow Tie" diagram
6.4 Selecting and rejecting control measures
Core questions to ask when selecting or rejecting control measures

Are there controls clearly linked to each hazard, or are there some hazards having no (or insufficient) control measures?
Does the number of controls reflect the level of severity of the hazards? The extent of demonstration should be proportional to the level of risk.
What is the functionality of a control measure against the relevant hazards? Is it sufficient to control the hazard in the intended manner, i.e. is it fit for purpose: will it suppress the hazard completely, prevent escalation or simply mitigate effects?
What is the survivability of the control measure in an accident? Is the control measure able to function as intended during the types of accidents it is intended to reduce or mitigate?
Is the reliability of individual control measures, and of all control measures in combination, appropriate to the level of risk presented by the associated hazards?
Is function testing sufficiently frequent to detect failures, and will failures, once detected, be rectified sufficiently promptly?
Has the hierarchy of control measures been considered, with measures to eliminate the hazard adopted first if practicable, followed by measures to prevent, reduce and mitigate?
Is there a balance of different types of control measure for each hazard, i.e. is there a diversity of control measures?
Are the control measures associated with individual hazards independent of each other, or can they all be disabled by the same mechanism?
Are the control measures maintainable? For example, are they accessible, and can they be maintained (e.g. a safety valve that cannot be removed for maintenance because it is the only one and must remain in service)?
Are new control measures compatible with the facility, and with any other control measures already in use?
Can the control measures be implemented at the facility, considering their availability and cost?
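The coverage, proportionality, hierarchy, diversity and independence questions above are the ones a register of hazards and control measures (the linking format suggested in the previous section) can answer mechanically. The Python below is an added example, not from the booklet: a minimal register with an automated review that flags hazards with no linked control, too few controls for their severity, only mitigation-type controls, a single control category, or a support system every linked control depends on. The hazard names follow the warehouse example earlier in this section; the severity scale, the minimum-controls rule, the control categories and the support-system dependencies are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

HIERARCHY = ("elimination", "prevention", "reduction", "mitigation")

# Assumed rule of proportionality: minimum number of linked controls for a
# hazard of each severity (1 = minor ... 5 = potential major accident).
MIN_CONTROLS: Dict[int, int] = {1: 1, 2: 1, 3: 2, 4: 3, 5: 3}


@dataclass(frozen=True)
class Control:
    name: str
    level: str                  # position in the hierarchy of controls
    category: str               # engineering, procedural, organisational, administrative
    depends_on: FrozenSet[str]  # support systems whose loss disables the control


@dataclass
class Hazard:
    name: str
    severity: int
    controls: List[Control]


def review_register(hazards: List[Hazard]) -> List[Tuple[str, str]]:
    """Apply the core questions to each hazard; return (hazard, finding) pairs."""
    findings: List[Tuple[str, str]] = []
    for h in hazards:
        if not h.controls:
            findings.append((h.name, "no control measure linked to this hazard"))
            continue
        if len(h.controls) < MIN_CONTROLS[h.severity]:
            findings.append((h.name, f"{len(h.controls)} control(s) for severity {h.severity}; "
                                     f"expected at least {MIN_CONTROLS[h.severity]}"))
        levels = {c.level for c in h.controls}
        if levels <= {"mitigation"}:
            findings.append((h.name, "hierarchy: only mitigation, nothing eliminates, prevents or reduces"))
        categories = {c.category for c in h.controls}
        if len(categories) == 1:
            findings.append((h.name, f"diversity: every control is {categories.pop()}"))
        # Independence: a support system that every linked control relies on is
        # one mechanism that can disable all of them at once.
        common = frozenset.intersection(*(c.depends_on for c in h.controls))
        if common:
            findings.append((h.name, "common-mode dependency: " + ", ".join(sorted(common))))
    return findings


# Constructed register. The first two hazards mirror the warehouse example;
# the last two are deliberately weak to exercise the checks.
REGISTER: List[Hazard] = [
    Hazard("Flash or pool fire from punctured drums of flammable liquid", 4, [
        Control("Drum inspection and handling procedures", "prevention", "procedural",
                frozenset({"trained warehouse crew"})),
        Control("Ignition source control", "prevention", "procedural",
                frozenset({"trained warehouse crew"})),
        Control("Fire fighting equipment", "mitigation", "engineering",
                frozenset({"fire water supply"})),
    ]),
    Hazard("Fire in packaged goods area", 3, [
        Control("Housekeeping", "prevention", "procedural", frozenset()),
        Control("Ignition source control", "prevention", "procedural", frozenset()),
        Control("Smoke detection and automatic vents", "mitigation", "engineering",
                frozenset({"mains power"})),
    ]),
    Hazard("Fire escalation to adjacent storage", 5, [
        Control("Sprinkler system", "mitigation", "engineering",
                frozenset({"fire water supply", "mains power"})),
        Control("Smoke detection and automatic vents", "mitigation", "engineering",
                frozenset({"mains power"})),
    ]),
    Hazard("Rubbish fire near the receiving dock", 2, []),
]

if __name__ == "__main__":
    for hazard, finding in review_register(REGISTER):
        print(f"{hazard}: {finding}")
```

Run on the constructed register, the two warehouse hazards pass, the escalation hazard draws four findings (too few controls for its severity, mitigation only, no diversity, and loss of mains power disabling every control) and the rubbish fire is flagged as having nothing linked to it. Extending the register with the consequence and likelihood data, performance indicators and responsibilities mentioned later in the booklet is a matter of adding fields; the checks stay the same.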
6.5 Additional or alternative control measures
Longford Royal Commission and the Cullen Inquiry into Piper Alpha. Therefore the employer should typically consider the following circumstances:
a) existing control measures which are believed to be fully functional and appropriate;
b) existing control measures which may have become disabled, degraded or deficient;
c) existing control measures which function as intended but could be improved;
d) control measures which were considered or used in the past and rejected for some reason;
e) existing control measures which are to be replaced due to obsolescence or old age;
f) new control measures which could replace or add to the existing range of control measures; and
g) new control measures for modifications to the facility.

For many existing facilities, there may be control measures that were adopted or rejected in the past without records to support those decisions. Employers should identify past decisions and control measures that need to be recorded and reviewed, to understand what was done in the past and why it was done, and to maintain the integrity of existing control measures in the future. This relates to the need for a knowledge base of the control measures on the facility and is an important part of justifying the adequacy of an existing facility in the safety report. Given the potentially large number of decisions and control measures for a typical MHF, which may have decades of operating experience, the employer will need to identify the critical areas that require review, and determine which areas need to be reviewed in brief or in detail. Circumstances where control measures would require review include:
a) new operating conditions have arisen;
b) knowledge of the basis for safe operation has been lost;
c) there may have been a degradation in effectiveness of existing controls;
d) the knowledge or technology employed is now outdated; and
e) an incident occurred.
The employer should identify both proven technology and newly developed options, as appropriate, and not dismiss any option on the grounds that it is "unproven". The process of risk assessment should include the evaluation of new technologies and practices to determine if they are appropriate to the facility. A reasonable number of existing and alternative control measures should therefore be considered, depending on:
a) the scale and complexity of the facility;
b) the nature of the risk profile; and
c) the rate of development of new technologies and practices.
6.6 Defining performance indicators for control measures
An example of performance indicators for control measures:

A hardware control measure has performance standards relating to its capacity and reliability, plus management system standards for inspection, testing and maintenance, which aim to assure that the capacity and reliability of the control measure are maintained. Performance indicators need to be set that measure performance against these standards. For example, for a pressure relief valve the performance indicators and standards may relate to:
Min number on-line: x
Min relief rate: y kg/s
Max probability of failure: y%
Max interval between tests: z yrs

One example of a performance indicator that provides a range of acceptable performance is a pre-alarm limit that can be exceeded for a period of abnormal operations provided this is monitored. A performance indicator that does not allow a range of acceptable performance is set at the level of the critical operating parameter (see the section on critical operating parameters).

Performance indicators for control measures should include the following considerations:
a) failure of any control measure: what are the performance requirements for functionality, availability, reliability and survivability of control measures that indicate how, or how often, the control measures may fail to perform, and what performance standards are required for any activities necessary to achieve these standards?
b) reporting of control measure failures: what activities are necessary to confirm or assure performance, what degree of reporting of failures is required, how quickly will the reporting system identify a failure, and what level of independent verification is needed in addition to routine assurance?
c) corrective action in the event of such failures: what steps are to be taken and how quickly following detection, and what performance standards are required of the corrective process?

Performance indicators can be defined at various levels, e.g.
there may be high-level performance indicators as well as lower-level and detailed performance indicators. High-level indicators tend to address overall performance issues, for example:
a) employee perceptions, incident rates, improvement programs and availability of control measures, which may be taken as indicators of overall safety performance;
b) maintenance of operating conditions within a critical operating envelope, which may indicate overall integrity of the process control regime; and
c) total number of resources dedicated to testing, inspection and maintenance of critical control measures.

Detailed performance indicators tend to relate to individual measures that, when combined, contribute to achieving overall high-level performance. At a detailed level, there are many different types of performance indicators that can be defined for each control measure. When specifying performance indicators or standards, it may be necessary to provide detail on who, what, where and when for implementation of procedures and activities relating to these indicators and standards. The responsibility for implementation of performance indicators can be defined at a very specific level for each performance standard. For example, responsibility for operational parameters may lie with operations management teams.

Where performance standards relate to control measures, they should be assessed as part of the justification of adequacy. It is also necessary to show that the control measures achieve the standard that has been set. In the simplest cases, performance standards may be industry standards, codes or norms. However, these need to be shown to be appropriate to the specific facility, and this can be done by a combination of techniques such as:
a) risk assessment results;
b) qualitative argument or reference to the basis for the standard; and
c) cost-benefit or cost-effectiveness analysis of options.
In more complex cases, where there may be no appropriate existing standards, the employer may need to demonstrate the suitability of the performance standard based solely on the risk assessment.

Some examples of performance indicators for control measures:
Management system compliance levels as shown by audit.
Test frequency/interval for safety-critical equipment.
Average skill level of the operations shift personnel.
Compliance level with operating procedures as shown by monitoring.
Number of failures in specific safety devices.
Number of times staffing levels fall below target minimum numbers.
Number of times pressure, temperature etc. exceed particular levels.
Measured mechanical integrity (e.g. extent of corrosion).
Detection and response times for unintended material releases.
Sensitivity levels and response times for process alarms.
Compliance levels with manufacturer's or design standards.
Vibration levels in rotating equipment (e.g. compressors).
6.7
6.8
6.9
assessments, and the reasons for selection or rejection of control measures. It should also include the COPs and performance indicators for the adopted control measures and a justification of the adequacy of control measures, including the means by which performance is assured. The SMS must relate to each activity used in the selection and ongoing maintenance of control measures. Each element of the SMS should have performance standards to provide regular monitoring of the effectiveness of each element. Consultative methods used to involve the people working at the facility in identifying and developing control measures should be described. The employer's processes for adopting and managing control measures and their related information are illustrated in Figure 18. Examples of methods for recording information, such as a register of hazards and control measures, were discussed above. However, these can be expanded if necessary to include additional data on the control measures, for example consequence and likelihood information from the risk assessment, performance indicators, the responsibility for "who, what, when and how", and information to support the justification of adequacy.
about hazards, risks and control measure options. Reviews of control measures should be triggered whenever a situation arises that indicates control measures are no longer valid or effective, for example if there is a proposal to modify the facility, if there has been a major accident, or if a control measure fails to meet the set performance standard. In addition, reviews of the safety report, HAZID and risk assessment are required if requested by Comcare and at least every 5 years. It follows that an ongoing process of reviewing and revising control measures simplifies the 5-year requirement to review the safety report.
This combination of key elements is mainly derived from the US Department of Labor's Occupational Safety and Health Administration (usually abbreviated to OSHA) guidelines for process safety management (see reference in Appendix A under the topic heading "Role and development of an SMS").