2. Overview
• This seminar has been developed in the context of the MHF regulations to provide:
– An overview of MA identification and risk assessment
– The steps required for MA recording
– Examples of major accidents identified
– The steps required for a risk assessment
– Examples of risk assessment formats
3. Some Abbreviations and Terms
• AFAP - As far as (reasonably) practicable
• BLEVE – Boiling liquid expanding vapour explosion
• BPCS – Basic process control system
• DG - Dangerous goods
• Employer - Employer who has management control of the facility
• Facility - any building or structure which is classified as an
MHF under the regulations
• HAZID - Hazard identification
• HSR - Health and safety representative
• LOC - Loss of containment
• LOPA – Layers of protection analysis
• MHF - Major hazard facility
• MA - Major accident
• SIS – Safety instrumented system
4. Topics Covered In This Presentation
• Regulations
• Definition - Major accident (MA)
• MA identification issues
• Approaches to MA identification
• MA recording
• Pitfalls
5. Topics Covered In This Presentation
• Definition of a risk assessment
• Approaches
• Risk assessment
• Likelihood assessment
• Consequences
• Risk evaluation and assessment
• Summary
• Sources of additional information
• Review and revision
6. Regulations
Occupational Health and Safety (Safety Standards) Regulations 1994
• Hazard identification (R9.43)
• Risk assessment (R9.44)
• Risk control (i.e. control measures) (R9.45, S9A 210)
• Safety Management System (R9.46)
• Safety report (R9.47, S9A 212, 213)
• Emergency plan (R9.53)
• Consultation
7. Regulations
Occupational Health and Safety (Safety Standards) Regulations 1994
Regulation 9.43 (Hazard identification) states:
The employer must identify, in consultation with employees,
contractors (as far as is practicable) and HSRs:
a) All reasonably foreseeable hazards at the MHF that may cause a major accident; and
b) The kinds of major accidents that may occur at the MHF,
the likelihood of a major accident occurring and the likely
consequences of a major accident.
8. Regulations
Occupational Health and Safety (Safety Standards) Regulations 1994
Regulation 9.44 (Risk assessment) states:
If a hazard or kind of major accident at the MHF is identified
under regulation 9.43, the employer must ensure that any
risks associated with the hazard or major accident are
assessed, in consultation with employees, contractors (as far
as is practicable) and HSRs.
The employer must ensure that the risk assessment is reviewed:
a) Within 5 years after the assessment is carried out, and afterwards at intervals of not more than 5 years; and
b) Before a modification is made to the MHF that may
significantly change a risk identified under regulation 9.43;
and
c) When developments in technical knowledge or the
assessment of hazards and risks may affect the method at
the MHF for assessing hazards and risks; and
d) If a major accident occurs at the MHF.
9. Regulations
Occupational Health and Safety (Safety Standards) Regulations 1994
Regulation 9.45 (Risk control) states:
The employer must, in consultation with employees, contractors
(as far as is practicable) and HSRs, ensure that any risk
associated with a hazard at the MHF is:
a) eliminated; or
b) If it is not practicable to eliminate the risk – reduced as far as practicable.
The employer must:
a) Implement measures at the MHF to minimise the likelihood of
a major accident occurring; and
b) Implement measures to limit the consequences of a major
accident if it occurs; and
c) Protect relevant persons, an at-risk community, and the built
and natural environment surrounding the MHF, by
establishing an emergency plan and procedures in
accordance with regulation 9.53.
10. Major Accident - Definition
A major accident is defined in the Regulations as:
A sudden occurrence at the facility causing serious danger or
harm to:
– A relevant person or
– An at-risk community or
– Property or
– The environment
whether the danger or harm occurs immediately or
at a later time
11. MA Identification Issues
• Unless ALL possible MAs are identified then causal and
contributory hazards may be overlooked and risks will not be
accurately assessed
• Likewise, controls cannot be identified and assessed
• Identification of MAs must assume control measures are
absent/unavailable/not functional
That is:
WHAT COULD HAPPEN IF CONTROL MEASURES WERE
NOT APPLIED AND MAINTAINED ?
12. MA Identification Issues
MAs can be identified in three different areas
These are:
• Process MAs
• MAs arising from concurrent activities
• Non-process MAs
13. MA Identification Issues
Process MAs
• These are MAs caused by hazards which are associated with
upsets in the process, or failure of equipment in the process,
etc
MAs arising from concurrent activities
• Typical concurrent operations which must be considered are:
- Major shutdowns/start ups
- Other activity on site
- Activities adjacent to the facility
14. MA Identification Issues
Non-Process MAs
• MAs created by non-process hazards that could cause release
of Schedule 9 materials
• Non-process hazards may typically include the following:
aircraft crashing; dropped objects; extreme environmental
conditions (earthquake, cyclone, high winds, lightning); non-process
fires (e.g. bush fire); vehicles and road transport;
heat stress
15. MA Identification Issues
• Collate appropriate
– Facility information
– Incident data/histories
• To ensure a thorough understanding of :
– The nature of the facility
– Its environment
– Its materials
– Its processes
16. MA Identification Issues
• Develop/select a structured method for determining what types of MA can occur:
– Loss of containment
– Fire
– Explosion
– Release of stored energy
– Where they can occur
– Under what circumstances
• Define and document any restrictions applied to the above
17. MA Identification – Tools Usage
Examples of tools which might be used include:
• Analysis of Schedule 9 materials and DG properties
• Use of HAZID techniques
• Review of existing hazard identification or risk assessment
studies
• Analysis of incident history – local, industry, company and
applicable global experience
18. Approach to MA Identification
• It may be efficient to treat similar equipment items handling the
same Schedule 9 materials together - as often they have
similar hazards and controls
• Further, to ensure correct mitigation analysis, the equipment
grouped together should contain similar materials at similar
process conditions, resulting in similar consequences on release
19. Approach to MA Identification
• For consistency of analysis, all MAs should be defined in terms of an initial energy release event
• This can be characterised as a loss of control of the Schedule 9
material
• As an example, in the case of a hydrocarbon release from one
vessel leading to a jet fire that subsequently causes a BLEVE in
a second vessel, the MA should be defined in terms of the initial
hydrocarbon release from the first vessel
20. Approach to MA Identification
• Review HAZID studies to identify initiating events for each MA
• Review to ensure all hazards have been identified
• Special checklists should be developed to assist with this process
• Further hazards may be identified from:
- Discussions with appropriate subject experts
- Review of incident data
- Review of the records from a similar system
21. MA Recording
• A structured approach is important
• It can then link equipment management strategies and systems
• Record the key outputs in a register
For each MA, the register should record the following information:
• Equipment that comprises the MA
• Group similar items into one MA
• Description
• Consequences
22. MA Recording
• Consider all Schedule 9 materials - regardless of quantity
• Screen out incidents that do not pose a serious danger or harm to personnel, the community, the environment or property
• Screening should only be on the basis of consequence not
likelihood
– i.e. Events should not be screened out on the basis of
likelihood or control measures being active
– Consequence modelling should be used as justification for
screening decisions
• External influences need to be considered, for example,
potential for a power failure to cause a plant upset leading to
an MA
23. Example – MA Recording
The following are examples of MA recording details:

MA Reference No. | MA Description | Equipment Included
LPG-PU23-00110 | LOC - pumps | LPG transfer pumps (P254/A)
TKF-SA10 | LOC – finished flammable product release from tank farm | Flammable storage tanks A202, A205, A206, B21, C55
A26 | Ignition of material | Extruders E21/E22/D54
25. What is Risk?
• Regulatory definition (per Part 20 of the Occupational
Health and Safety (Safety Standards) Regulations 1994) :
“Risk means the probability and consequences of occurrence
of injury or illness”
• AS/NZS 4360 (Risk Management Standard)
“the chance of something happening that will have an impact
on objectives”
• Risk combines the consequence and the likelihood
RISK = CONSEQUENCE x LIKELIHOOD
27. Risk Assessment Definition
• Any analysis or investigation that contributes to
understanding of any or all aspects of the risk of major
accidents, including their:
– Causes
– Likelihood
– Consequences
– Means of control
– Risk evaluation
28. The Risk Assessment Should…
• Ensure a comprehensive and detailed understanding of all
aspects for all major accidents and their causes
• Be a component of the demonstration of adequacy required in
the safety report - e.g. by evaluating the effects of a range
of control measures and provide a basis for
selection/rejection of measures
29. Approach
• The MHF Regulations respond to this by requiring
comprehensive and systematic identification and assessment of
hazards
• HAZID and Risk Assessment must have participation by
employees, as they have important knowledge to contribute
together with important learnings
• These employees MAY BE the HSRs, but DO NOT HAVE TO BE
• However, the HSRs should be consulted in selection of
appropriate participants in the process
31. Causes
• From the HAZID and MA evaluation process, pick an MA for
evaluation
• From the hazard register, retrieve all the hazards that can lead
to the MA being realised
• In a structured approach, list all of the controls currently in
place to prevent each of the hazards that lead to the MA being
realised
• Examine critically all of the controls currently in place designed
to prevent the hazard being realised
32. Causes
• As an example, from the hazard register, MA - A26: Ignition of materials
Figure: the MA node "Ignition of materials (MA - A26)" shown on its own.
33. Causes
List all possible causes of the accident (identified during HAZID study)
Figure: "Ignition of materials (MA - A26)" linked to its causes: Hazard Scenario 1, Hazard Scenario 2, Hazard Scenario 3, etc.
34. Causes
List all prevention controls for the accident (identified during HAZID study)
Figure: each hazard scenario linked to its prevention controls: Hazard Scenario 1 - prevention controls C1-1 and C1-2; Hazard Scenario 2 - prevention control C2-1; Hazard Scenario 3 - prevention control C3-1; etc.
35. Likelihood Assessment
• Likelihood analysis can involve a range of approaches,
depending on the organisation’s knowledge, data recording
systems and culture
• This knowledge can range from:
- In-house data - existing data recording systems and operational
experience
- Reviewing external information from failure rate data sources
• Both are valid, however, the use of in-house data can provide
added value as it is reflective of the management approaches
and systems in place
36. Likelihood Assessment
• A “Likelihood” is an expression of the chance of something
happening in the future - e.g. Catastrophic vessel failure, one
chance in a million per year (1 x 10^-6/year)
• “Frequency” is similar to likelihood, but refers to historical data on actual occurrences
37. Likelihood Assessment
Likelihood Analysis can use:
• Historical
– Site historical data
– Generic failure rate data
• Assessment
– Workshops (operators and maintenance personnel)
– Fault trees
– Event trees
– Assessment of human error
38. Likelihood Assessment – Qualitative Approach
• A qualitative approach can be used for assessment of
likelihood
• This is based upon agreed scales for interpretation purposes
and for ease of consistency
– For example, reducing orders of magnitude of occurrence
• It also avoids the sometimes more complicated issue of
using frequency numbers, which can be difficult on
occasions for people to interpret
39. Likelihood Assessment – Qualitative Approach
Category | Likelihood
A | Possibility of repeated events (once in 10 years)
B | Possibility of isolated incidents (once in 100 years)
C | Possibility of occurring sometimes (once in 1,000 years)
D | Not likely to occur (once in 10,000 years)
E | Rare occurrence (once in 100,000 years)
40. Likelihood Assessment – Fault Trees
• A fault tree is a graphical representation of the logical
relationship between a particular system, accident or other
undesired event, typically called the top event, and the
primary cause events
• The aim of a fault tree analysis is to find and evaluate the mechanisms that lead to a particular failure scenario
41. Likelihood Assessment – Fault Trees
• A fault tree is constructed by defining a top event and then
defining the cause events and the logical relations between
these cause events
• This is based on:
- Equipment failure rates
- Design and operational error rates
- Human errors
- Analysis of design safety systems and their intended function
42. Likelihood Assessment – Fault Trees Example
Figure: fault tree. The top event "Process vessel over pressured" sits under an AND gate combining "Pressure rises" (an AND gate over "Process pressure rises" and "Control fails high") and "PSV does not relieve" (an OR gate over "PSV too small", "Set point too high", "PSV stuck closed" and "Fouling inlet or outlet").
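The fault tree on this slide evaluated as code, as an added example that is not part of the seminar: the gate structure is read from the figure, while the basic-event probabilities and the A-E band edges are constructed assumptions. It also lists the minimal cut sets, i.e. the combinations of basic events that are each sufficient to over-pressure the vessel.

```python
# Added example (not from the seminar). Tree structure read from the slide's
# figure; basic-event probabilities are constructed illustrative values.
from __future__ import annotations
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Event:
    """A fault tree node: a basic event (prob set) or a gate (gate set)."""
    name: str
    prob: float | None = None            # probability of a basic event
    gate: str | None = None              # "AND" or "OR" for intermediate events
    inputs: list["Event"] = field(default_factory=list)


def probability(ev: Event) -> float:
    """Exact probability of the event, assuming independent basic events."""
    if ev.gate is None:
        if ev.prob is None:
            raise ValueError(f"basic event {ev.name!r} has no probability")
        return ev.prob
    ps = [probability(i) for i in ev.inputs]
    if ev.gate == "AND":                 # every input must occur
        p = 1.0
        for x in ps:
            p *= x
        return p
    if ev.gate == "OR":                  # at least one input occurs
        q = 1.0
        for x in ps:
            q *= 1.0 - x
        return 1.0 - q
    raise ValueError(f"unknown gate {ev.gate!r}")


def cut_sets(ev: Event) -> list[frozenset[str]]:
    """Minimal cut sets: sets of basic events that together cause the event."""
    if ev.gate is None:
        return [frozenset([ev.name])]
    child_sets = [cut_sets(i) for i in ev.inputs]
    if ev.gate == "OR":                  # any child's cut set suffices
        sets = [s for cs in child_sets for s in cs]
    else:                                # AND: one cut set from each child, combined
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    # drop any set that contains another set (keeps only the minimal ones)
    return [s for s in sets if not any(o < s for o in sets)]


def vessel_overpressure_tree() -> Event:
    """The slide's tree: over-pressure needs a pressure rise AND a PSV that does not relieve."""
    pressure_rises = Event("Pressure rises", gate="AND", inputs=[
        Event("Process pressure rises", 0.5),   # constructed: upsets per year
        Event("Control fails high", 0.1),       # constructed: control fails to arrest it
    ])
    psv_fails = Event("PSV does not relieve", gate="OR", inputs=[
        Event("PSV too small", 0.001),          # constructed on-demand failure probabilities
        Event("Set point too high", 0.002),
        Event("PSV stuck closed", 0.010),
        Event("Fouling inlet or outlet", 0.005),
    ])
    return Event("Process vessel over pressured", gate="AND",
                 inputs=[pressure_rises, psv_fails])


def likelihood_category(p_per_year: float) -> str:
    """Map a per-year probability onto the seminar's A-E categories
    (A = 1 x 10^-1 ... E = 1 x 10^-5). Band edges at the slide's centre
    values are an assumption; the slide gives only the centre values."""
    for cat, edge in (("A", 1e-1), ("B", 1e-2), ("C", 1e-3), ("D", 1e-4)):
        if p_per_year >= edge:
            return cat
    return "E"


if __name__ == "__main__":
    top = vessel_overpressure_tree()
    p = probability(top)
    print(f"P(top event) = {p:.3e} per year -> category {likelihood_category(p)}")
    for cs in cut_sets(top):
        print("cut set:", " AND ".join(sorted(cs)))
```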
43. Likelihood Assessment – Generic Failure Rate Data
• This information can be obtained from:
- American Institute of Chemical Engineers Process Equipment
Reliability Data
- Loss Prevention in the Process Industries
- E&P Forum
- UK Health and Safety Executive data
- and other published reports
(Refer to Sources of Additional Information slides for references)
44. Likelihood Assessment – Human Error
• Human error needs to be considered in any analysis of
likelihood of failure scenarios
• The interaction between pending failure scenarios, actions to
be taken by people and the success of those actions needs to
be carefully evaluated in any safety assessment evaluation
• Some key issues of note include:
– Identifying the particular issue
– Procedures developed for handling the issue
– Complexity of the information processing required
45. Likelihood Assessment – Human Error
Type of Behaviour | Error Probability
Error probability 10^-5 (1 in 100,000): Extraordinary errors, of the type difficult to conceive how they could occur; stress free, powerful cues initiating for success.
Error probability 10^-4 (1 in 10,000): Error in regularly performed, commonplace, simple tasks with minimum stress (e.g. selection of a key-operated switch rather than a non-key-operated switch).
Error probability 10^-2 (1 in 100): Errors of omission where dependence is placed on situation cues and memory. Complex, unfamiliar task with little feedback and some distractions (e.g. failure to return a manually operated test valve to the proper configuration after maintenance).
Error probability 10^-1 (1 in 10): Highly complex task, considerable stress, little time to perform it, e.g. during abnormal operating conditions, an operator reaching for a switch to shut off an operating pump fails to realise from the indicator display that the switch is already in the desired state and merely changes the status of the switch.
46. Likelihood Assessment – Event Trees
• Used to determine the likelihood of potential consequences after the hazard has been realised
• It starts with a particular event and then defines the possible
consequences which could occur
• Each branching point on the tree represents a controlling
point, incorporating the likelihood of success or failure, leading
to specific scenarios
• Such scenarios could be:
– Fire
– Explosion
– Toxic gas cloud
• This information can then be used to estimate the frequency of the outcome for each scenario
48. Consequences
• Most scenarios will involve at
least one of the following
outcomes:
– Loss of containment
– Reactive chemistry
– Injury/illness
– Facility reliability
– Community impacts
– Moving vehicle incidents
– Ineffective corrective action
– Failure to share learnings
49. Consequences
• Consequence evaluation estimates the potential effects of hazard scenarios
• The consequences can be evaluated with specific consequence
modelling approaches
• These approaches include:
- Physical events modelling (explosion, fire, toxic gas consequence
modelling programs)
- Occupied building impact assessment
50. Consequences - Qualitative Evaluation
• A qualitative evaluation is based upon a descriptive
representation of the likely outcome for each event
• This requires selecting a specific category rating system that is
consistent with corporate culture
51. Consequences - Qualitative Descriptors Example
Consequence descriptors: Insignificant / Minor / Moderate / Major / Catastrophic
Health and Safety Values:
- Insignificant: A near miss, first aid injury
- Minor: One or more lost time injuries
- Moderate: One or more significant lost time injuries
- Major: One or more fatalities
- Catastrophic: Significant number of fatalities
Environmental Values:
- Insignificant: No impact
- Minor: No or low impact
- Moderate: Medium impact; release within facility boundary
- Major: Medium impact outside the facility boundary
- Catastrophic: Major impact event
Financial Loss Exposures:
- Insignificant: Loss below $5,000
- Minor: Loss $5,000 to $50,000
- Moderate: Loss from $50,000 to $1M
- Major: Loss from $1M to $10M
- Catastrophic: Loss above $10M
53. Consequences - Qualitative Evaluation Example
Example: Impact of Explosions
Explosion Overpressure (kPa) | Effects
7 (1 psi) | Results in damage to internal partitions and joinery but can be repaired.
21 (3 psi) | Reinforced structures distort, storage tanks fail.
35 (5 psi) | Wagons and plant items overturned, threshold of eardrum damage.
70 (10 psi) | Complete demolition of houses, threshold of lung damage.
Note: Calculations can be undertaken to determine probability of serious injury and fatality
54. Consequences - Qualitative Evaluation Example
Example - Overpressure Contour - impact on facility buildings
Figure: overpressure contours (35 kPa, 21 kPa, 14 kPa, 7 kPa) drawn around the release scenario location and overlaid on the facility buildings.
55. Risk Evaluation
• Risk evaluation can be undertaken using qualitative and/or quantitative approaches
• Risk comprises two categories - frequency and consequence
• Qualitative methodologies that can be used are
- Risk matrix
- Risk nomograms
• Semi – quantitative techniques
- Layers of protection analysis
- Risk matrix
• Quantitative techniques
56. Risk Assessment - What Type?
Figure: a spectrum running from Qualitative Assessment through Semi-Quantitative Assessment to Quantitative Assessment. The qualitative end is simple, subjective, low resolution, high uncertainty, low cost; the quantitative end is detailed, objective, high resolution, low uncertainty, increasing cost.
57. Risk Assessment – Issues For Consideration
• Greater assessment detail provides more quantitative information and supports decision-making
• Strike a balance between increasing cost of assessment and
reducing uncertainty in understanding
• Pick methods that reflect the nature of the risk, and the decision
options
58. Risk Assessment – Issues For Consideration
• Stop once all decision options are differentiated and the
required information compiled
• Significant differences of opinion regarding the nature of the
risk or the control regime indicate that further assessment is
needed
59. Risk Assessment - Qualitative
• Qualitative risk assessment can be undertaken using the following
- Risk nomogram
- Risk matrix
• Both approaches are valid and the selection will depend upon
the company and its culture
60. Risk Assessment - Risk Nomogram
• A nomogram is a graphical device designed to allow
approximate calculation
• Its accuracy is limited by the precision with which physical
markings can be drawn, reproduced, viewed and aligned
• Nomograms are usually designed to perform a specific
calculation, with tables of values effectively built into the
construction of the scales
61. Risk Assessment - Risk Nomogram
Most nomograms are used in situations where an approximate answer is appropriate and useful
Figure: risk nomogram, in which a tie line joins the three scales below to a risk score.
LIKELIHOOD: Might well be expected at sometime; Quite possible; Could happen; Unusual but possible; Remotely possible; Conceivable but very unlikely; Practically impossible
EXPOSURE: Very rare, yearly or less; Rare, few per year; Unusual, once per month; Occasional, once per week; Frequent, daily; Continuous
POSSIBLE CONSEQUENCES: Catastrophe (many fatalities, >$100M damage); Disaster (multiple fatalities, >$10M damage); Very serious (fatality, >$1M damage); Serious (serious injury, >$100k damage); Important (disability, >$10k damage); Noticeable (minor injury / first aid, >$1k damage)
RISK SCORE (scale 0 to 500): Very high risk - consider discontinuing operation; High risk - immediate correction required; Substantial risk - correction required; Risk must be reduced SFARP; Risk acceptable if reduced SFARP
62. Risk Assessment - Risk Nomogram
Advantages and Disadvantages
• Accuracy is limited
• Designed to perform a specific calculation
• Cannot easily denote different hazards leading to an MA
• Typically not used by MHFs
63. Risk Assessment - Risk Matrix
• Hazards can be allocated a qualitative risk ranking in terms of
estimated likelihood and consequence and then displayed on a
risk matrix
• Consequence information has already been discussed, hence,
information from this part of the assessment can be used
effectively in a risk matrix
• Risk matrices can be constructed in a number of formats, such as 5x5, 7x7, 4x5, etc
• Often facilities may have a risk matrix for other risk
assessments (eg Task analysis, JSA)
64. Risk Assessment - Risk Matrix
• Results can be easily presented
- In tabular format for all MAs
- Within a risk matrix
• Such processes can illustrate major risk contributors, aid the
risk assessment and demonstration of adequacy
• Care needs to be taken to ensure categories are consistently
used and there are no anomalies
• Australian/New Zealand Standard, AS4360, Risk Management
1999, provides additional information on risk matrices
65. Risk Assessment - Risk Matrix
Risk matrix example (AS4360)

Consequences (Health and Safety Values; Environmental Values; Financial Loss Exposures):
1 Insignificant: A near miss, First Aid Injury (FAI) or one or more Medical Treatment Injuries (MTI); No impact; Loss below $5,000
2 Minor: One or more Lost Time Injuries (LTI); No or low impact; Loss $5,000 to $50,000
3 Moderate: One or more significant Lost Time Injuries (LTI); Medium impact, release within facility boundary; Loss from $50,000 to $1,000,000
4 Major: One or more fatalities; Medium impact outside the facility boundary; Loss from $1,000,000 to $10,000,000
5 Catastrophic: Significant number of fatalities; Major impact event; Loss of above $10,000,000

Likelihood:
A Possibility of repeated events (1 x 10^-1 per year)
B Possibility of isolated incidents (1 x 10^-2 per year)
C Possibility of occurring sometimes (1 x 10^-3 per year)
D Not likely to occur (1 x 10^-4 per year)
E Rare occurrence (1 x 10^-5 per year)

Risk matrix (likelihood rows A-E, consequence columns 1-5):
Likelihood | 1 | 2 | 3 | 4 | 5
A | Significant Risk | Significant Risk | High Risk | High Risk | High Risk
B | Moderate Risk | Significant Risk | Significant Risk | High Risk | High Risk
C | Low Risk | Moderate Risk | Significant Risk | High Risk | High Risk
D | Low Risk | Low Risk | Moderate Risk | Significant Risk | High Risk
E | Low Risk | Low Risk | Moderate Risk | Significant Risk | Significant Risk
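The risk matrix and descriptors on this slide applied as code, as an added example that is not part of the seminar; it also implements the consistency check the next slide calls for (no anomalies when categories are combined). The matrix cells and descriptor thresholds are taken from the slide; the A-E band edges, the environmental category input and the number of fatalities counted as "significant" are assumptions.

```python
# Added example (not from the seminar). Matrix and descriptors from the slide;
# band edges, env_impact handling and the "significant fatalities" count are assumed.
from __future__ import annotations
from dataclasses import dataclass

CONSEQUENCE_NAMES = {1: "Insignificant", 2: "Minor", 3: "Moderate",
                     4: "Major", 5: "Catastrophic"}

# Rows A..E (likelihood), columns 1..5 (consequence), as shown on the slide
RISK_MATRIX: dict[str, list[str]] = {
    "A": ["Significant", "Significant", "High", "High", "High"],
    "B": ["Moderate", "Significant", "Significant", "High", "High"],
    "C": ["Low", "Moderate", "Significant", "High", "High"],
    "D": ["Low", "Low", "Moderate", "Significant", "High"],
    "E": ["Low", "Low", "Moderate", "Significant", "Significant"],
}
RANK = {"Low": 0, "Moderate": 1, "Significant": 2, "High": 3}
SIGNIFICANT_FATALITIES = 3     # assumed threshold for "significant number of fatalities"


@dataclass
class Outcome:
    """Worst credible outcome of one MA scenario, in the slide's three value sets."""
    fatalities: int = 0
    significant_ltis: int = 0      # significant lost time injuries
    ltis: int = 0                  # lost time injuries
    env_impact: int = 1            # environmental category 1..5, already judged
    financial_loss: float = 0.0    # dollars


def consequence_category(o: Outcome) -> int:
    """Highest category (1..5) triggered by any of the three value sets."""
    if o.fatalities >= SIGNIFICANT_FATALITIES:
        hs = 5
    elif o.fatalities >= 1:
        hs = 4
    elif o.significant_ltis:
        hs = 3
    elif o.ltis:
        hs = 2
    else:
        hs = 1
    loss = o.financial_loss
    fin = 5 if loss > 10e6 else 4 if loss > 1e6 else 3 if loss > 50e3 else 2 if loss > 5e3 else 1
    if not 1 <= o.env_impact <= 5:
        raise ValueError("env_impact must be a category 1..5")
    return max(hs, o.env_impact, fin)


def likelihood_category(freq_per_year: float) -> str:
    """A = 1e-1/yr ... E = 1e-5/yr; band edges assumed at the slide's centre values."""
    for cat, edge in (("A", 1e-1), ("B", 1e-2), ("C", 1e-3), ("D", 1e-4)):
        if freq_per_year >= edge:
            return cat
    return "E"


def risk_rating(o: Outcome, freq_per_year: float) -> tuple[str, int, str]:
    """Return (likelihood category, consequence category, risk rating from the matrix)."""
    like = likelihood_category(freq_per_year)
    cons = consequence_category(o)
    return like, cons, RISK_MATRIX[like][cons - 1]


def matrix_is_consistent(matrix: dict[str, list[str]] = RISK_MATRIX) -> bool:
    """The 'no anomalies' check: every row has five cells, and the rating never
    falls as consequence increases along a row or as likelihood increases up a column."""
    rows = [matrix[k] for k in "ABCDE"]
    if any(len(r) != 5 for r in rows):
        return False
    for r in rows:                                       # along consequence
        if any(RANK[r[i]] > RANK[r[i + 1]] for i in range(4)):
            return False
    for higher, lower in zip(rows, rows[1:]):            # A sits above B, B above C ...
        if any(RANK[lower[i]] > RANK[higher[i]] for i in range(5)):
            return False
    return True


if __name__ == "__main__":
    print("matrix consistent:", matrix_is_consistent())
    like, cons, rating = risk_rating(Outcome(ltis=1, financial_loss=30_000), 1e-2)
    print(f"{like}{cons} ({CONSEQUENCE_NAMES[cons]}) -> {rating} Risk")
```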
66. Risk Assessment - Risk Matrix
Advantages
If used well, a risk matrix will:
• Identify event outcomes that should be prioritised or grouped
for further investigation
• Provide a good graphical portrayal of risks across a facility
• Help to identify areas for risk reduction
• Provide a quick and relatively inexpensive risk analysis
• Enable more detailed analysis to be focused on high risk
areas (proportionate analysis)
67. Risk Assessment - Risk Matrix
Disadvantages
• Scale is always a limitation regarding frequency reduction - it
does not provide an accurate reduction ranking
• Cumulative issues and evaluations are difficult to show in a
transparent manner
• There can be a strong tendency to try to claim a greater level of accuracy than the method is capable of
68. Risk Assessment - Semi-Quantitative Approach
• One tool is a layer of protection analysis approach (LOPA)
• It is a simplified form of risk evaluation
• The primary purpose of LOPA is to determine if there are sufficient layers of protection against a hazard scenario
• It needs to focus on:
– Causes of hazards occurring
– Controls needed to minimise the potential for hazards occurring
– If the hazards do occur, what mitigation is needed to minimise
the consequences
69. Risk Assessment - Semi-Quantitative Approach (LOPA)
Diagrammatic Representation - LOPA
• Analysing the safety measures and controls that are between an uncontrolled release and the worst potential consequence
70. Risk Assessment - Semi-Quantitative Approach (LOPA)
The information for assessment can be presented as a bow-tie diagram
Figure: bow-tie diagram. On the left, hazards and causes pass through the preventative controls to the MA at the centre; on the right, mitigative controls sit between the MA and its outcomes and consequences.
71. Risk Assessment - Semi-Quantitative Approach (LOPA)
Advantages and Disadvantages
• Risk evaluation can be undertaken using a bow-tie approach
• A procedural format needs to be developed by the company to
ensure consistency of use across all evaluations
• External review (to the safety report team) should be
considered for consistency and feedback
• Correct personnel are needed to ensure the most applicable
information is applied to the evaluation approach
72. Risk Assessment - Quantitative
• Quantitative assessments can be undertaken for specific types of facilities
• This is a tool that requires expert knowledge on the technique
and has the following aspects:
– It is very detailed
– High focus on objective
– Detailed process evaluations
– Requires a high level of information input
– Provides a high output resolution
– Reduces uncertainty
• Frequency component can be questionable as generic failure
rate data is generally used
• Provides understanding on the high risk contributors from a
facility being evaluated
73. Risk Assessment - Quantitative
Typical result output from such an assessment is individual risk contours
Figure 13: Sample Risk Plot - VRJ QRA (VRJ Risk Engineers Pty Ltd). The example shown is for land use planning: individual risk contours at 10^-5, 10^-6 and 10^-7 per year are drawn over a map showing a town centre, hospital, racecourse, light rail reserve, residential areas, schools and a sports complex. Risks are in chances per million per year.
74. Risk Assessment - Quantitative
• Time consuming
• Expensive
• Expert knowledge is required
• Not suitable for every MHF site
• Process upsets (such as a runaway reaction) cannot be easily
modelled as an initiating event using standard equipment part
counts - incorporation of fault tree analysis required
• Use of generic failure rate data has limitations and does not take
into consideration a specific company’s equipment and
management system strategies
75. Summary
• A risk assessment provides an understanding of the major hazards and a basis for determining controls in place
• Risk assessments can involve significant time and effort
• Operations personnel and managers could cause, contribute
to, control or be impacted by MAs
• Hence they should be involved in the risk assessment
• HSRs may or may not take part, but must be consulted in
relation to the process of HAZID & Risk Assessment
• They should also be involved in resolution of any issues that
arise during the studies, including improvements to methods
and processes
76. Review and Revision
• Employer must review (and revise) Hazard Identifications,
Risk Assessments and Control Measures to ensure risks
remain reduced to AFAP:
– At the direction of the Commission
– Prior to modification
– After a major accident
– When a control measure is found to be deficient
– At least every 5 years
– Upon licence renewal conditions
77. Sources of Additional Information
The following are a few sources of information covering risk assessment
• Hazard and Operability Studies (HAZOP Studies), IEC
61882, Edition 1.0, 2001-05
• Functional Safety – Safety Instrumented Systems for the
Process Industry Sector, IEC 61511, 2004-11
• Fault Tree Analysis, IEC 61025, 1990-10
• Hydrocarbon Leak and Ignition Data Base, E&P Forum,
February 1992 N658
• Guidelines for Process Equipment Reliability Data, Center for
Chemical Process Safety of the American Institute of
Chemical Engineers, 1989
78. Sources of Additional Information
• Offshore Hydrocarbon Release Statistics, Offshore Technology
Report – OTO 97 950, UK Health and Safety Executive,
December 1997
• Loss Prevention in the Process Industries , Lees F. P., 2nd
Edition, Butterworth Heinemann
• Layer of Protection Analysis, Simplified Process Risk
Assessment, Center for Chemical Process Safety of the
American Institute of Chemical Engineers, 2001
• Nomogram, Wikipedia, the free encyclopaedia
80. Example LOPA Assessment – Spreadsheet Format
Cause: Loss of cooling tower water to condenser, once every 10 years
Hazard: Catastrophic rupture of distillation column with shrapnel, toxic release
Independent Preventative Protection Layers:
- Column, condenser, reboiler and piping maximum allowable working pressures are greater than maximum possible pressure from steam reboiler
- Logic in BPCS trips steam flow valve and steam RCV on high pressure or high temperature. No credit since not independent of SIS.
- High column pressure and temperature alarms can alert operator to shut off the steam to the reboiler (manual valve)
- Logic in BPCS trips steam flow valve and steam RCV on high pressure or high temperature (dual sensors separate from DCS).
Mitigative Protection Layers:
- Pressure safety valve opens on high pressure
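The LOPA row on this slide worked through as a calculation, as an added example that is not part of the seminar: the initiating frequency (once every 10 years) and the layer descriptions are from the slide, while every PFD value and the tolerable-frequency target are constructed assumptions. The point it demonstrates is the "no credit" rule: a layer that is not independent of another is carried in the record but excluded from the frequency reduction.

```python
# Added example (not from the seminar). Layer descriptions and the 1-in-10-year
# initiating event are from the slide; all PFDs and the target are assumed values.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    description: str
    pfd: float                    # probability of failure on demand (assumed)
    independent: bool = True      # LOPA credits only layers independent of the others
    kind: str = "preventative"    # or "mitigative"


@dataclass(frozen=True)
class LopaResult:
    initiating_freq: float        # events per year
    credited: tuple[str, ...]
    not_credited: tuple[str, ...]
    mitigated_freq: float         # events per year after the credited layers
    target_freq: float

    @property
    def meets_target(self) -> bool:
        return self.mitigated_freq <= self.target_freq

    @property
    def extra_rrf_needed(self) -> float:
        """Risk reduction factor still required; 1.0 when the target is already met."""
        return max(1.0, self.mitigated_freq / self.target_freq)


def lopa(initiating_freq: float, layers: list[Layer], target_freq: float) -> LopaResult:
    """Mitigated frequency = initiating frequency x product of the credited layers' PFDs."""
    if initiating_freq <= 0 or target_freq <= 0:
        raise ValueError("frequencies must be positive")
    credited, skipped, freq = [], [], initiating_freq
    for layer in layers:
        if not layer.independent:             # e.g. BPCS logic that shares its sensors with the SIS
            skipped.append(layer.description)
            continue
        if not 0.0 < layer.pfd <= 1.0:
            raise ValueError(f"PFD out of range for {layer.description!r}")
        credited.append(layer.description)
        freq *= layer.pfd
    return LopaResult(initiating_freq, tuple(credited), tuple(skipped), freq, target_freq)


# The slide's row. PFD values are constructed for illustration only.
COLUMN_RUPTURE_LAYERS = [
    Layer("MAWP of column, condenser, reboiler and piping exceeds max steam reboiler pressure", 0.01),
    Layer("BPCS trips steam flow valve and steam RCV on high P/T (not independent of SIS)",
          0.1, independent=False),
    Layer("High pressure/temperature alarms; operator shuts manual steam valve", 0.1),
    Layer("Trip of steam flow valve and RCV on high P/T, dual sensors separate from DCS", 0.01),
    Layer("Pressure safety valve opens on high pressure", 0.01, kind="mitigative"),
]


def column_rupture_assessment() -> LopaResult:
    # once every 10 years = 0.1 per year; 1e-5 per year is an assumed tolerable frequency
    return lopa(0.1, COLUMN_RUPTURE_LAYERS, target_freq=1e-5)


if __name__ == "__main__":
    r = column_rupture_assessment()
    print(f"mitigated frequency: {r.mitigated_freq:.1e}/yr, target {r.target_freq:.0e}/yr")
    print("not credited:", *r.not_credited, sep="\n  ")
    print("meets target:", r.meets_target, "extra RRF needed:", r.extra_rrf_needed)
```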
The approaches outlined in this seminar are required for new facilities (as well as existing)
The approaches outlined in this seminar are appropriate and relevant for new facilities
Historically there has been a focus on risk from hazardous facilities to neighboring land users. Under the OH&S Act an Employer is required to provide a safe place of work. The MHF regulations focus on both on-site and off-site risk exposures
It is important that the focus of MHF is on Schedule 9 materials, DGs etc and large consequences not on identifying natural disasters.
“Sudden Occurrence” – implies release of “energy”. In many cases this will mean material, although an explosion is a direct release of stored energy.
We are not considering OH&S type incidents – slips, trips, falls, traffic accidents etc. Although these can have serious consequences, they are not the focus of the MHF regulations.
Hazards are there all the time. The controls are what prevent the hazards from becoming major accidents.
Process MAs: Overpressure of the vessel, overfill of the storage tank
Concurrent activities MAs: Construction activities, new projects
Non-Process MAs: External events
All aspects need to be considered
A good HAZID would form the basis for selection of potential MAs for further analysis. This screening would be done based on consequence only and not consider any prior screening of the hazard register based on likelihood or risk.
As an example, LPG storage vessels will be different to ammonia storage vessels and should not be grouped together as the same MA, but a group of storage tanks all used for the same material could be grouped together.
Define for an explosion. – Loss of controls preventing the initial detonation of explosives and mitigating controls preventing escalation.
Subject matter experts can provide valuable experience and input into specific situations and provide direction for the group to be investigating for the later controls and adequacy demonstration
A structured approach is important as it enables the identification of common issues and system problems and the development of strategies.
The central hazard register may be used if well structured and managed.
A degree of practical evaluation is also required, and this should be backed up with consequence modelling/analysis. For example, a release rate of 0.1 kg/sec of crude oil would be unlikely to expose personnel to harm if it caught fire.
Unless MA recording is managed (documented and communicated), it will lead to a significant additional workload during safety report preparation, will not add value to the safety report process, and will increase costs unnecessarily.
It helps to use a standardised reference numbering system for each MA. This makes it easy to link HAZID, MA and risk assessments and controls.
The approaches outlined in this seminar are required for new facilities (as well as existing ones).
For MHF, the application is wider than that defined in Part 20 – it also includes ‘risk’ to the environment and property.
It can be easy to confuse ‘hazard’ and ‘risk’.
‘Hazard’ is the source of potential harm.
‘Risk’ includes the likelihood of that hazard occurring and the consequences that may result if it did occur.
Hazards are present in almost everything we do. E.g. Cars driving on the road.
There are very high consequences of that hazard (e.g. our death), yet we accept that risk every day in walking across the road because we perceive the likelihood to be low due to the good controls in place (traffic rules, crossing signs). We also have a higher tolerance for risks that we choose to take than for risks imposed on us (e.g. from a neighbouring MHF).
Review if needed.
Is that a hazardous task?
Is it high risk?
What is the damaging energy?
Gravity (electricity too)
What is the hazard?
Falling
What are some controls that could be used? Cherry picker, extended pole, fold light pole to ground
How would these affect the hazard? The risk?
These are the main factors included in a risk assessment.
Demonstration of adequacy will be covered later.
Involvement of employees in both hazard identification and risk assessment is essential.
The information from the more detailed analysis can be presented in a qualitative manner, enabling a method to be used that provides clear understanding of the risk for every MA.
This might be an example of a major accident identified in the hazard register.
In-house information is a very good source as it represents the company’s actual management strategies.
Note that probability is something different – it does not have a time scale so does not tell you how often something may occur!
Operators and maintenance personnel are very valuable sources of information to verify or validate based on their specific experience for issues of interest. Need to ensure the Facilitator provides suitable examples to expand participants’ horizons beyond “not in my experience”
Site historical data covers site incident information, external incident and frequency information, maintenance records and corporate history.
Near miss information from the site should also be used. For example, if a compressor has activated a vibration sensor: how many times has this gone off, is it indicative of an underlying fault, and how has management dealt with the issue?
External information – can be very useful: incident information and generic failure rates/data, sometimes qualitative; it may also avoid finger pointing on known issues.
Maintenance records – if well kept, an excellent source of information; can be used for both the causes of failure and how often they occur, can support decision making and can identify system problems.
As an example, the testing of PSVs. If a PSV is within its test period, conforms to a known suitable testing standard and is appropriately documented, then very good information will be collected on the service of that PSV in its known duty. Should an argument be raised to vary the testing period, the data can be used for this purpose. If the PSV is not tested in accordance with the stated requirements, and it is found to be severely deficient, then its suitability as an independent layer of protection within an assessment could be questionable.
Corporate history – useful if the information is available and transparent; relates to corporate culture and testing and inspection regimes. Management systems need to be consistent with management requirements so that the records are useful.
Workshops – good for analysis of hazards and likelihoods, usefulness depends on getting right mix of attendants, recommendations/further work need to be recorded. Subject experts within a company (if they have them) can be very valuable sources of information and should be used when possible for checking and validating issues. Ensure any assumptions are documented and validated, where possible, with hard site data on operational experience.
The approach is shown in the following slide.
Qualitative terms for likelihood help people to assign a likelihood for the risk assessment. Frequencies are not a requirement.
A fault tree is used to calculate frequencies for a ‘top event’ based on the underlying failure rates of components. It is used for complex or multiple causes, and requires quantitative failure rate data.
Estimates of failure rates would be needed for each of the basic failures. Generic or specific ‘random’ failure rate data is available for equipment and instrumentation (engineering controls) but would be harder to develop for human factor or systematic causes.
Note that these relate to ‘random’ failures only. Systematic failures (e.g. environmental conditions, operator errors etc) would need to be determined for the specific facility/process/procedure under study.
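The fault tree calculation described above, and the frequency-versus-probability distinction noted earlier, as an added worked example (this is not code from the seminar or from any cited standard). The tree shape and every numeric value are constructed for illustration: initiating events carry a frequency per year, protection layers carry a probability of failure on demand (PFD, no time scale), and the evaluator tracks which of the two it is propagating. A systematic cause that has not been quantified for the specific facility is left as `None` so that the calculation stops explicitly rather than silently assuming a generic number.

```python
"""Fault tree frequency for a 'top event' from basic failure data.

Added worked example; tree structure and all values are constructed.
Frequencies (per year) and probabilities (PFD, dimensionless) are kept
apart: OR gates add like with like, an AND gate multiplies one frequency
by the PFDs of the protection layers that must also fail.
"""
from dataclasses import dataclass
from typing import List, Optional, Union


@dataclass
class BasicEvent:
    name: str
    rate_per_year: Optional[float] = None  # frequency: has a time scale
    pfd: Optional[float] = None            # probability: no time scale


@dataclass
class Gate:
    kind: str                              # "AND" or "OR"
    name: str
    inputs: List[Union["BasicEvent", "Gate"]]


@dataclass
class Quantity:
    value: float
    unit: str                              # "per_year" or "prob"


class Unquantified(ValueError):
    """Raised when a basic event has no failure data (e.g. a systematic cause)."""


def evaluate(node) -> Quantity:
    """Propagate frequencies/probabilities up the tree (rare-event approximation)."""
    if isinstance(node, BasicEvent):
        if node.rate_per_year is not None:
            return Quantity(node.rate_per_year, "per_year")
        if node.pfd is not None:
            return Quantity(node.pfd, "prob")
        raise Unquantified(f"{node.name}: no failure data for this facility")
    values = [evaluate(child) for child in node.inputs]
    if node.kind == "OR":
        units = {v.unit for v in values}
        if len(units) != 1:
            raise ValueError(f"{node.name}: OR gate mixes per-year and probability inputs")
        # rare-event approximation: P(A or B) ~ P(A) + P(B); frequencies simply add
        return Quantity(sum(v.value for v in values), units.pop())
    if node.kind == "AND":
        freqs = [v for v in values if v.unit == "per_year"]
        if len(freqs) > 1:
            raise ValueError(f"{node.name}: AND of two frequencies needs a time window")
        product = 1.0
        for v in values:
            product *= v.value
        # frequency x PFD(s) -> frequency; PFD x PFD -> probability
        return Quantity(product, "per_year" if freqs else "prob")
    raise ValueError(f"{node.name}: unknown gate kind {node.kind!r}")


def overfill_tree(operator_error_rate: Optional[float]) -> Gate:
    """Constructed tree: storage tank overfilled, loss of containment."""
    initiators = Gate("OR", "Transfer not stopped at target level", [
        BasicEvent("BPCS level control loop fails", rate_per_year=0.1),
        # systematic cause: pass None if the site has no estimate for it
        BasicEvent("Operator starts transfer with wrong target", rate_per_year=operator_error_rate),
    ])
    protection_fails = Gate("AND", "All independent protection layers fail", [
        BasicEvent("High level alarm + operator response fails", pfd=0.1),
        BasicEvent("Independent high-high level trip (SIS) fails", pfd=0.01),
    ])
    return Gate("AND", "Tank overfilled, loss of containment", [initiators, protection_fails])


def top_event_frequency(tree: Gate) -> float:
    """Top-event frequency in events per year; refuses a bare probability."""
    result = evaluate(tree)
    if result.unit != "per_year":
        raise ValueError("top event evaluated to a probability, not a frequency")
    return result.value


if __name__ == "__main__":
    # 0.5/yr stands in for a site-specific estimate from transfer records (constructed)
    print(f"{top_event_frequency(overfill_tree(0.5)):.2e} per year")
    try:
        top_event_frequency(overfill_tree(None))
    except Unquantified as exc:
        print("stopped:", exc)
```

With the constructed values the initiating frequency is (0.1 + 0.5) per year and the two protection layers together fail with probability 0.1 × 0.01, giving a top-event frequency of 6 × 10⁻⁴ per year; the same tree with the operator error left unquantified stops with `Unquantified`, which is the behaviour wanted when systematic causes have not yet been assessed for the facility.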
Humans can be unreliable, especially in emergency situations. With modern day controls it is very easy to add alarms to ease operational interaction with the plant and to aid the diagnosis of faults. This is fine while the plant is not in an emergency operational situation. A control room operator can be faced with many alarms coming up in an emergency and must sift through all of them, determine which are the important ones to act upon, and take the correct action to minimise the consequences of the plant upset, including mitigation of potential MAs. Abnormal situation management approaches have been developed to handle this. Human factors evaluations have an important contribution to make, especially when many of the controls in place are procedural and their effectiveness needs to be critically evaluated.
Table 5: Example Human Error Potential Values (based on Hunns and Daniels 1980 and Kletz 1991)
Occupied building assessments are undertaken to determine whether any impacts from explosions or fires will exceed the building design criteria. For instance, administration buildings located within the plant, or temporary huts located for projects – the BP Texas City incident.
Purely an example; each company will have its own approach to these.
This is an example of criteria that would be used for building overpressure design.
Ref: NSW Department of Urban Affairs and Planning, “Risk Criteria for Land Use Planning”, Hazardous Industry Planning Advisory Paper No. 4, 2nd Edition, Sydney 1992, pp. 5-14.
The overpressure contours are developed from explosion modelling software and can be plotted onto the site plan to determine buildings that would be impacted.
Risk evaluation considers both the likelihood and the consequence to determine the risk.
Choose the appropriate method to suit the facility and the type of analysis needed.
Simpler methods are easier for employees to understand but may not provide the information required – e.g. it is difficult to assess off-site risk using a risk matrix.
The frequencies used for these methods can be purely qualitative or semi-quantitative (i.e. numbers are assigned to the frequency categories).
NOTE: have never seen this used by MHFs for safety report work; actually never seen it used by industry for any risk assessment work, although academics and risk assessment teachers do like it!
Very commonly used – both purely qualitatively and semi-quantitatively.
NOTE: a risk matrix cannot be used additively to present cumulative risk.
Unless the consequence changes (unlikely for an existing MHF unless the Schedule 9 material is eliminated), the only aspect that can change on the risk matrix is a reduction in the frequency of the MA. This is also true for the other methods.
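The semi-quantitative risk matrix, the note that matrix cells cannot be added to show cumulative risk, and the point that frequency is the only lever for an existing MHF, as one added example (not from the seminar; the likelihood bands, consequence categories, scoring rule and the small MA register are constructed values, and every company will have its own):

```python
"""Semi-quantitative risk matrix and why its cells cannot be summed.

Added example with constructed bands, scoring and MA frequencies.
"""
from typing import Dict, List, Optional, Tuple

# (likelihood category, lower bound of frequency in events per year), most likely first
LIKELIHOOD_BANDS: List[Tuple[str, float]] = [
    ("Frequent", 1e-1),
    ("Occasional", 1e-2),
    ("Remote", 1e-3),
    ("Improbable", 1e-4),
    ("Incredible", 0.0),
]
LIKELIHOOD_RANK = {name: 5 - i for i, (name, _) in enumerate(LIKELIHOOD_BANDS)}
CONSEQUENCE_RANK = {"Minor": 1, "Moderate": 2, "Major": 3, "Catastrophic": 4}
RATING_ORDER = ["Low", "Medium", "High"]


def likelihood_category(frequency_per_year: float) -> str:
    """Map a semi-quantitative frequency onto the qualitative likelihood term."""
    if frequency_per_year < 0:
        raise ValueError("negative frequency")
    for name, lower in LIKELIHOOD_BANDS:
        if frequency_per_year >= lower:
            return name
    return LIKELIHOOD_BANDS[-1][0]


def rating(likelihood: str, consequence: str) -> str:
    """Constructed matrix: the rating depends on the sum of the two ranks."""
    score = LIKELIHOOD_RANK[likelihood] + CONSEQUENCE_RANK[consequence]
    if score >= 7:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def rate_ma(frequency_per_year: float, consequence: str) -> str:
    return rating(likelihood_category(frequency_per_year), consequence)


def cumulative_rating(register: Dict[str, Tuple[float, str]], consequence: str) -> str:
    """Cumulative risk of all MAs sharing one consequence level.

    Matrix cells are categories; 'three Mediums' has no meaning and cannot be
    added. The frequencies behind the cells can be summed (independent MAs),
    and the total then placed back on the matrix.
    """
    total = sum(freq for freq, cons in register.values() if cons == consequence)
    return rate_ma(total, consequence)


def max_frequency_for(consequence: str, target: str) -> Optional[float]:
    """Frequency an MA must stay below to reach `target` when its consequence is fixed.

    For an existing MHF the consequence is fixed, so frequency reduction is the
    only lever. Returns inf if every band already meets the target and None if
    no likelihood band can reach it.
    """
    upper = float("inf")
    for name, lower in LIKELIHOOD_BANDS:
        if RATING_ORDER.index(rating(name, consequence)) <= RATING_ORDER.index(target):
            return upper
        upper = lower
    return None


# constructed register: three independent LPG-related MAs, all Catastrophic
REGISTER: Dict[str, Tuple[float, str]] = {
    "MA-01 BLEVE of bullet 1": (4e-4, "Catastrophic"),
    "MA-02 BLEVE of bullet 2": (4e-4, "Catastrophic"),
    "MA-03 Vapour cloud explosion at loading bay": (4e-4, "Catastrophic"),
}

if __name__ == "__main__":
    for ma_id, (freq, cons) in REGISTER.items():
        print(f"{ma_id}: {likelihood_category(freq)} / {cons} -> {rate_ma(freq, cons)}")
    print("cumulative Catastrophic:", cumulative_rating(REGISTER, "Catastrophic"))
    print("Catastrophic MA must be below", max_frequency_for("Catastrophic", "Medium"),
          "per year to rate Medium")
```

Each MA on its own sits in the Improbable row and rates Medium, but the three frequencies sum to 1.2 × 10⁻³ per year, which is Remote and rates High; reading three Medium cells off the matrix would never have revealed that. The last function gives the other half of the picture for an existing facility: a Catastrophic MA can only be moved to Medium by bringing its frequency below 10⁻³ per year, and no achievable likelihood band takes it to Low.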
Explain briefly each layer.
Control measures can be quickly identified.
The approach identifies convergence of different hazards into a single 'causal path', and control measures that prevent multiple hazards
Early warning signs of an MA are explained, by showing both basic hazards and resultant hazards, in a 'cause' and 'effect' representation - “preventative” and “mitigative”
The importance of mitigating controls to minimise the severity of an MA is highlighted and explained
Linking consequences on the right hand side of one diagram to basic hazards on the left hand side of another diagram allows analysis of escalation events such as BLEVEs
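The representation described in the points above, as an added example that is not part of the seminar material: a small bow-tie register with preventative controls on the left (basic hazards) and mitigative controls on the right (consequences), a check for controls that sit on more than one causal path, and an escalation trace that follows a consequence of one diagram into a basic hazard of another. The MA identifiers, hazards and control names are constructed for illustration, not a real site's register.

```python
"""Bow-tie register with preventative/mitigative controls and escalation linking.

Added example; hazards, controls and MA ids are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class BowTie:
    ma_id: str
    top_event: str
    # basic hazard (left side) -> preventative controls on that causal path
    threats: Dict[str, List[str]]
    # consequence (right side) -> mitigative controls limiting it
    consequences: Dict[str, List[str]]


def convergent_controls(bt: BowTie) -> Dict[str, List[str]]:
    """Controls that sit on more than one causal path, i.e. prevent multiple hazards."""
    seen: Dict[str, List[str]] = {}
    for threat, controls in bt.threats.items():
        for control in controls:
            seen.setdefault(control, []).append(threat)
    return {c: threats for c, threats in seen.items() if len(threats) > 1}


def escalation_paths(register: List[BowTie], start_id: str) -> List[List[str]]:
    """Chains of MA ids reachable from start_id by consequence -> basic hazard links."""
    by_id = {bt.ma_id: bt for bt in register}

    def walk(ma_id: str, path: List[str]) -> List[List[str]]:
        path = path + [ma_id]
        downstream = [bt.ma_id for bt in register
                      if bt.ma_id not in path            # cut cycles
                      and any(c in bt.threats for c in by_id[ma_id].consequences)]
        if not downstream:
            return [path]
        chains: List[List[str]] = []
        for nxt in downstream:
            chains.extend(walk(nxt, path))
        return chains

    return walk(start_id, [])


def controls_on_path(register: List[BowTie], chain: List[str]) -> List[Tuple[str, List[str], List[str]]]:
    """For each escalation link: (linking event, upstream mitigative, downstream preventative).

    These are the controls whose adequacy must be demonstrated together to
    show the escalation is prevented.
    """
    by_id = {bt.ma_id: bt for bt in register}
    links = []
    for here, there in zip(chain, chain[1:]):
        for event, mitigative in by_id[here].consequences.items():
            if event in by_id[there].threats:
                links.append((event, mitigative, by_id[there].threats[event]))
    return links


# constructed register of two linked MAs
REGISTER: List[BowTie] = [
    BowTie("MA-01", "LPG release from transfer pipework",
           threats={
               "External corrosion": ["Coating inspection", "Wall thickness survey"],
               "Vehicle impact": ["Bollards", "Traffic management procedure"],
               "Hose failure during tanker transfer": ["Hose inspection/replacement",
                                                       "Traffic management procedure"],
           },
           consequences={
               "Jet fire impinging on LPG bullet": ["Gas detection and isolation", "Deluge on bullet"],
               "Flash fire in loading bay": ["Gas detection and isolation",
                                             "Hazardous area classification"],
           }),
    BowTie("MA-02", "BLEVE of LPG bullet",
           threats={
               "Jet fire impinging on LPG bullet": ["Deluge on bullet", "PSV sized for fire case",
                                                    "Fire brigade cooling"],
               "Vessel overpressure from overfill": ["Level control", "High-high level trip"],
           },
           consequences={
               "Fireball and missiles": ["Separation distances", "Emergency evacuation"],
           }),
]

if __name__ == "__main__":
    for chain in escalation_paths(REGISTER, "MA-01"):
        print(" -> ".join(chain))
        for event, mitigative, preventative in controls_on_path(REGISTER, chain):
            print(f"  via {event!r}: mitigative {mitigative}; preventative {preventative}")
    print("convergent controls on MA-01:", convergent_controls(REGISTER[0]))
```

The trace shows the pipework release escalating into the BLEVE through the jet fire, and lists the controls on both sides of that link in one place; the convergence check picks out the traffic management procedure as a single control that sits on two separate causal paths of MA-01, which is exactly the kind of common dependency the bow-tie view is meant to expose.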
Consistent procedures are required.
Use only to determine off-site risks. Commonly used for land use planning issues. Published criteria are available.
Ensure the analysis is transparent and well documented, and that all controls, as far as practicable, are appropriately reflected in the analysis.
For instance, it is not suitable for a storage warehouse MHF but would be suitable for a refinery