Presentation on theme: "Major Hazard Facilities Control Measures and Adequacy"— Presentation transcript:
1Major Hazard Facilities Control Measures and Adequacy All aspects of this training seminar are applicable to new facilities
2Overview The seminar has been developed to provide: Context with MHF RegulationsAn overview of what is requiredAn overview of the steps requiredExamples of control measures and their adequacy
3Some Abbreviations and Terms AFAP - As far as (reasonably) practicableDG - Dangerous goodsEmployer - Employer who has management control of the facilityER or ERP - Emergency response or Emergency response planFacility - any building or structure at which Schedule 9 materials are present or likely to be present for any purposeHAZID - Hazard identificationHAZOP - Hazard and operability studyHSR - Health and safety representativeLOC - Loss of containmentLOPA - Layers of protection analysis
4Some Abbreviations and Terms MHF - Major hazard facilityMA - Major accidentOHS - Occupational health & safetyPFD - Probability of failure on demandPSV – Pressure safety valveSMS - Safety management system
5Topics Covered In This Presentation RegulationsIntroductionRegulatory requirementsWhat does this mean?Identify all control measuresDevelopment of assessmentControl category and examplesHierarchy of controlsAFAP
6Topics Covered In This Presentation Effectiveness of control measuresControl typesOpportunities available to reduce riskAssessment and adequacySources of additional informationReview and revision
7Regulations Basic outline Hazard identification (R9.43) Risk assessment (R9.44)Risk control (i.e. control measures) (R9.45, S9A 210)Safety Management System (R9.46)Safety report (R9.47, S9A 212, 213)Emergency plan (R9.53)ConsultationThe approaches outlined in this seminar are appropriate and relevant for new facilities
8The controls preventing or mitigating consequences of an MA IntroductionHazards causing an MAIn order to deliver safe operation the Employer needs to understand the relationship betweenThe controls preventing or mitigating consequences of an MAThe controls in place and assess their effectiveness and adequacyLongford incident, 1998
9Introduction At least 23 workers were killed 74 were injured $800,000,000 (U.S.) estimated property damageA defective, high pressure, steam boiler rupturedHigh vibrations were heard just before the boiler rupturedThe resultant explosion on rupture damaged nearby vessels containing flammablesThe flammable loss of containment resulted in further fires and explosionsControls DO fail and the consequences can be devastating(Skikda, Algiers, 20 January, 2004)
10Introduction Control measures are the features of a facility that: EliminatePreventReduceMitigate. . . the risks associated with potential MAsThey are the means by which the Employer ensures the operation satisfies the Regulations and the AFAP requirementA number of control options maybe considered and applied individually or in combination
11IntroductionIn undertaking control measure identification and assessment, the Employer should seek to attain an understanding of:The processes involved in control measure identification/selection and assessmentThe control measures used to reduce the risk of potential major accidents to AFAPThe use of the control hierarchy suggests that a higher level of protection can be provided that will better ensure that the risk is reduced AFAP.
12IntroductionAt the end of the controls and adequacy evaluation process, the Employer should know:The identity of all existing and potential control measuresThe relationships between the hazards, control measures, MAs and outcomesThe effectiveness of control measures in managing riskThe opportunities that are available to reduce riskThe monitoring regime necessary to ensure the ongoing effectiveness of the control measures
13Regulation Requirements After the HAZID and Risk Assessment evaluations, the Employer will have identified all of the hazards that can lead to MAs and the controls in place, including independence, reliability, effectiveness, robustness and applicabilityA determination of the adequacy of the controls in managing the hazards then needs to be undertaken
14What Does This Mean?The opportunities present that are available to reduce risk need to be assessed, including additional or alternative controlsThe monitoring regime necessary to ensure the ongoing effectiveness of the control measures for managing the hazards need to be assessedControl measures and adequacy assessment will need to be revised as necessary, using performance monitoring results and other relevant new informationHave all control measures been identified and implemented where practicable?Are the control measures working effectively?What improvements are needed to make the control measures more effective?Other relevant new information would be a review of incidents at the site involving MAs, relevant information from other sites, locally or internationallyReview and revision is an ongoing big picture important component of the safety report and it is considered to be an important feedback loop into the safety report.
15What Does This Mean?Reported incidents by results involving Schedule 9 materials in Victoria (from VWA)5101520253035404550ChemicalExposureEnvironReleaseExplosionFireLOCFirst AidOffsiteOnsiteNo of IncidentsPetroleumUtilitiesLogisticsChemicals & PlasticsHistorical information provides insight into what has previously occurred (referred to as lag indicator).In what are should MHF controls focus most?
16What Does This Mean?This accident happened during the filling of a 2000 m3 LPG sphereIts legs collapsed.One person was killed and one seriously injuredFailure of maintenance and inspection control?Total Fina Elf, Safety Feedback NoticeAt the time of the accident, the sphere was approximately 80% full of fresh water.The vessels last hydro-test was 10 years ago and the last inspection of its legs was 5 years ago.Severe corrosion of the legs under the concrete fire protection was the main cause.The corrosion occurred due to water ingress between the concrete and the steel legs. The water protective cap located over the concrete was not sufficient to keep the water out. After the accident, it was verified that the steel legs had thickness reductions of up to 8mm, with pitting holes of up to 10cm2.After analysis and tests, it has been found that the following factors caused the collapse:Water caps over the fire-proofing concrete were of poor design thereby letting water penetrate between the steel beams and the concrete.Vertical cracks in the concrete let water in.Repairs had been done to the concrete, but with poor workmanship.The new concrete had not adhered to the old concrete, again letting water in.The deluge system had been tested with salt water, increasing the possibility of corrosion.
17Identity of All Control Measures All of the MAs should be documented in an appropriate format that clearly identifies:The MA (the release modes and the consequences of the release)All hazards that, if realised, can cause an MAThe controls in place to manage the hazard and any recommended controls as a result of the HAZID processIf the Employer is grouping MAs, then the consequences must be similar. Again, a well formatted hazard register can be used to document the controls for each MA.
18Identity of All Control Measures Example, consider a chlorine drum handling operationHazard:Release of chlorine from chlorine storage drumIncident:Forklift tynes impact on chlorine storage drumConsequence:Release of chlorine liquid into storage drum bund resulting in personnel exposure to chlorine liquid/vapourPotential for serious injury/fatality
19Identity of All Control Measures Preventative Controls (Incident Prevention)Mitigation Controls (Incident Mitigation)Design of chlorine storage drum and fork lift lifting mechanisms prevent tynes puncturing cylinder (in accordance with an appropriate standard) and inspected regularlySpill containment bunds (reduces the consequences)Traffic management system/forklift or pedestrian exclusion zonesSpill containment procedure, chlorine gas detection & alarms (reduces time for intervention thereby reducing consequences) – procedure inspected and found to be satisfactoryForklift driver training – training is held at the prescribed intervals and records inspected are satisfactoryPPE including breathing apparatus (reduces the likelihood of exposure to chlorine) – PPE training is held at prescribed intervals and records validated
20Identity of All Control Measures Control measures are not only physical equipment, but may include:Engineered devices (physical barriers such as impact protection bollards) or systems (high integrity trip systems)High-level procedures or detailed operating instructionsInformation systems (incident reporting systems)Personnel training (i.e. the actions people should take in an emergency)Note that in many cases training is not independent of procedures etc so is not a separate control (ie the training just reinforces what you do according to the procedure)
21Development of Assessment It is important to understand how controls are arranged in a manner that eliminate or minimise the hazards leading to an MA occurring, and any interdependenceControl measures may be pro-active, in that they eliminate, prevent or reduce the likelihood of incidentsThey may be reactive, in that they reduce or mitigate the consequences of an MA
22Development of Assessment Control measures may be considered as “barriers” and are located between the intrinsic hazards that could lead to an MAControl measures can also reduce the harm that may be caused to people and property in the event of an MAHazards can result in an MA harming people or property only if controls have failed to function as intended, or have been bypassed/defeated
23Development of Assessment 1st barrier2nd barrier3rd barrier
24Development of Assessment There are methods for the control assessment processThe size, complexity and knowledge of the MHF could determine which approach to useSeveral methods can be used, e.g.:LOPAFault tree and event treeRisk matrix
25Control Measure Hierarchy The hierarchy of controls & effectiveness guidelinesControl typeEffectivenessEffectiveness100%Eliminate HazardIncreasing ReliabilityDecreasing Reliability90%Minimize hazardPhysical controls50%ProceduresEffectiveness measure is an indication only. Actual effectiveness will depend on many factors.30%Personnel Skills & Training
26Control Measure Hierarchy Elimination/substitution controlsPrevention controlsReduction controlsMitigation controlsEliminate – Do we need to use a raw ingredient to the process that is toxicPrevention measures Standards such as Australian Standards are the starting point, not the end point. A corporate engineering standard may require two full size PSVs instead of a single one.Reduction measures – reducing time frame for shut down of a systems after a leak has been detected; improving early detection of a fire scenario and applying fire protection fasterMitigation measure – reduce the severity once the event has occurred. Fire fighting system.
27Control Measure Hierarchy Control CategoryControl ExampleElimination controlsEquipment removalPhysical barriers such as mounding of LPG sphereDecommissioningFacility layout – increasing separation distancesPlant design proceduresThey eliminate the underlying hazard and are therefore the most effective category of control measure.If practicable they should be selected in preference to any other type, as their existence removes the need for other controls.
28Control Measure Hierarchy Control CategoryControl ExampleSubstitution controlsReplacement of a hazardous material with a non-hazardous substitute (E.g. Replace chlorine with sodium hypochlorite)Systems to prevent incompatible materials on the site at the same time
29Control Measure Hierarchy Control CategoryControl ExamplePreventionProcess alarms and notification systemsIndependent flow/level/pressure/temperature indicators with a defined responseEngineering standardsSafety process systems (safety integrity systems), pressure relief valvesThese controls are intended to remove certain causes of incidents or reduce their likelihood. The corresponding hazard remains, but the frequency of incidents involving the hazard is lowered. For example the introduction of a regular maintenance programs can prevent the development of hazardsPrevention control (active)An active control is required to move from one state to another in response to a change in a measurable process property (for example, temperature or pressure) or a signal from another source (such as a push button or switch)These controls generally comprise:A sensor of some type (instrument, mechanical or human)A decision making process (logic solver, relay, spring)An action (automatic, mechanical or human)
30Control Measure Hierarchy Control CategoryControl ExamplePreventionOperating procedures and instructionsPersonnel skill, training and competencyPlant inspectionEquipment testing and repairChange management processMaintenance proceduresQuality specificationsPermit to work
31Control Measure Hierarchy Control CategoryControl ExampleReductionSeparation distancesShutdown and isolation systemsGas detection with leak isolation actionBunding and other containment systemsDrainageThese are intended to limit the scale and consequence of an incident.
32Control Measure Hierarchy Control CategoryControl ExampleMitigationFire fighting systemsEmergency response plansPlant evacuation alarmsPassive fire protection (thermal insulation on bullets, spheres)These controls take effect in response to an incident. They are the last line of defence but are very necessary
33AFAPIt is the risk assessment that provides the information necessary to test this requirement, and this information must be included in the safety reportThe risk assessment must address hazards and risk both individually and cumulativelyConsequently the demonstration that risks are eliminated or reduced to AFAP may need to be made for control measures individually, in groups and as a wholeAFAP is required by the OHS/MHF regulations.Individual control measures are effective in their own right.Sufficient control measures to reduce the risk of the scenario to AFAP.
34AFAPThe AFAP approach is not simply about satisfying a single criterion of whether the risk of an MA is less than a specific number or position on a risk matrixIt is about evaluation of all controls, their proportionality for controlling the risk of an MA occurring and if additional controls can reasonably have an effect on reducing the risk of an MA furtherIn AFAP think most about the controls rather than the risk (e.g. off the risk matrix). The reason the risk might look low on the risk matrix is that it assumes the controls are implemented and effective. What would the risk be if that was not the case?
35AFAP The likelihood of the hazard or risk actually occurring That is, the probability that someone could be injured or harmed through the work being doneThe degree of harm that would result if the hazard or risk occurredFor example fatality, multiple injuries, medical or first aid treatment, long or short term health effectsThe availability and suitability of ways to eliminate or reduce the hazard or riskThe risk assessment considers both likelihood and consequence – so by followng a good risk assessment process, you will automatically be making decisions based on both likelihood and consequences (risk) rather than either one alone.It is expected that all available and suitable controls are implemented where practicable.
36AFAPWhat is known, or ought reasonably be known, about the hazard or risk and any ways of eliminating or reducing itThe cost of eliminating or reducing the hazard or riskThat is, control measures should be implemented unless the risk is insignificant compared with the cost of implementing the measuresWorkshops help to ensure that appropriate knowledge and experience on ways to reduce the risk are considered (So long as the right people are in the workshop)Cost can be a significant factor in the practicability argument. Care should be taken on ruling out control measures on the basis of cost alone. Cost-benefit analysis can be used to help justify rejection of control measures.
37AFAPThe balance between benefits in terms of reduced risk and the costs of further control measures will play a part in achieving and demonstrating AFAPEvery safety report will need to develop an approach as to how the AFAP argument is to be applied to the facilityThe AFAP approach then needs to be applied consistently to every MA in order for demonstration of adequacy to be satisfied
38AFAP – Cost/Benefit & Rejecting Controls LowHighBenefit(Risk Reduction)Should be implemented. Little analysis required unless rejected.More detailed justification required to rejectMore detailed justification required to reject (lower priority)Simple justification to rejectSacrifice (cost, time, effort and inconvenience)
39Effectiveness of Control Measures There are controls and safeguardsA control is considered to be a device, system, or action that is capable of preventing a cause from proceeding to its undesired consequence, independent of the initiating event or the action of any other layer of protection associated with the scenarioA safeguard is any device, system or action that would likely interrupt the chain of events following an initiating eventIt is difficult to quantify the effectiveness of safeguards due to lack of data, uncertainty as to independence or effectiveness or other factors.The distinction between a control and a safeguard is important to understand.In this presentation we shall only be discussing controls.Examples of controls vs safeguards – discuss.
40Effectiveness of Control Measures To be considered a control, it must be:IndependentOf the components of any other control already claimed for the same scenarioReliableThe reliability, effectiveness and independence of a control must be auditableEffectiveFor the initiating eventApplicablePreventing the consequences when it functions as designed
41Effectiveness of Control Measures As an example, consider an employee action to read a level gauge and a pressure gauge - both taken off the same tapping pointIs a single tapping point for two different information streams applicable, independent and reliable?Will the employee reliably report the correct information?
42Effectiveness of Control Measures These have been built into a system - but are they:IndependentThe answer - NOReliableEffectiveThe controls provided are not independent as it is inappropriate to have a level reading taken off a pressure reading tapping point. They should be taken off two separate tapping points, one where the level can be correctly read and the pressure tapping point taken off at a point where it reads pressure onlyApplicable
43Effectiveness of Control Measures Every designer, Employer and manager desires to have controls that are:RobustReliableCan survive harsh environmentsNot dependent upon rigorous inspection and testing regimes that involve manpower and costUnfortunately this is not reality
44Effectiveness of Control Measures Controls do fail and accidents occur as a resultResult of a fire at a bulk storage facility – was there adequate separation and fire protection?Presenter to discuss separation distances between tanks. In this fire scenario from Guam, the fire pumps did not operate. Note the total destruction of 3 tanks and serious damage to at least another 2In an ideal world tanks could be spaced far enough apart so as a tank top fire in one tank will not spread or damage another tank – the escalation hazard could be eliminated from this scenario. In reality there needs to be a compromise as space can be at a premium. The quality, type and reliability of fire protection systems then become important. It is very important to get it right as when a hazard does occur, the results could be very expensive
45Effectiveness of Control Measures Impact on:EnvironmentPeopleBusiness interruptionCost of inventoryReputationLegal costThis is from the Orion refinery crude oil tank fire. The tank is approximately 75m in diameter and it was (at that time) the largest tank fire successfully extinguished. Not the red glow around the circumference on top of the tank shell. Large volume foam cannons were used to extinguish the fire.
46Effectiveness of Control Measures A good management system
47Effectiveness of Control Measures With adequate risk control measures
48Effectiveness of Control Measures Reduces the risk of loss
49Effectiveness of Control Measures These controls are important to analyse in a structured manner so that their effectiveness can be assessedFor this to occur the Employer needs to know:What typeHow manyHow reliable are the controlsAre there sufficient to reduce MA risk to AFAP?Each control needs to be fit for purpose and designed into the system as independent
50Control TypesIn each evaluation the type of service being evaluated needs to be taken into consideration critically to ensure the control type is effective and will perform its intended dutyFor example consider an instrumented level gauge with high level and high high level independent alarms for controlling the level in a process towerThe alarms are not tested and the high high level is known to be in fault modeIs this control reliable, effective and applicable?Speaker to discuss
51Control Types Controls need to be service and situation dependent in order to be suitableFor example, having a rupture disc in place where the inlet can foul – in this circumstance the correct pressure will not be seen by the rupture discSuch a control would not be suitable for the serviceBund in service for flammable liquid storage tanks which has major penetrationsThis control would not be suitable as it cannot satisfy AS1940
52Control TypesThe following is an animated description of the US Chemical Safety Board, Animation of BP Texas City Refinery Accident, October 27, 2005This can be found at the following websiteThis presentation last for approximately 7 minutesInvite the audience to comment and discuss the effectiveness of the controls in this situationEmphasise that do not place trust in systems that are not maintained. If it is not maintained then it may as well not be there
53Control Types – Human Controls Such controls involve reliance on employees to take action to prevent an undesirable consequence in response to alarms or following a routine check of the systemHuman performance is usually considered less reliable than engineering controlsNot crediting human actions under well defined conditions is considered to be unduly penalising the Employer
54Control Types – Human Controls Human controls should have the following requirements:The indication for action required by an employee must be detectableThe action must always be:Available for the employeeClear to the employee even under emergency conditionsSimple and straight forward to understandRepeatable by any similarly trained/competent employeeProcedures available and accessible, adequate time to complete the tasks, training and refresher training completed
55Control Types – Human Controls The time available to take action must be adequateEmployees should not be expected to perform other tasks at the same time – there needs to be clear prioritiesThe employee is capable of taking the action required under all conditions expected to be reasonably presentTraining for the required action is performed regularly and is documentedIndication and action should normally be independent of any other system already accredited
56Control Types – Human Controls Examples of reduction (human) controlsHuman ControlCommentsHuman action with 10 minutes response timeSimple well documented action with clear and reliable indications that action is requiredHuman response to BPCS indication or alarm with 40 minutes response timeHuman action with 40 minutes response timeSimple well documented action with clear and reliable indications that the action is requiredFor example, within 10 minutes of high pressure alarm, technician opens vent valve. Note the time frames quoted are similar. Human factors analysis methods can be used to refine these results furtherTaken from “Layer of Protection Analysis, Simplified Process Risk Assessment, Centre for Chemical Process Safety, American Institute of Chemical Engineers, 2001”
57Opportunities Available to Reduce Risk The effectiveness of control measures in managing riskEach control, to be classified as a legitimate control against an MA (i.e. implemented, functional, independent, monitored and audited) must be evaluated in a structured formatTo ensure proper management of the MAs, each control must be fully independent of the other controls listedthere must be no failure that can deactivate two or more controls (e.g. common cause failure)
58Opportunities Available to Reduce Risk The question people ask is, how many controls are required to reduce a MA to AFAP?This will depend on:The circumstancesThe process being analysed together with the mix of independent controlsOne approach used is to have a qualitative evaluation that requires three independent controls to be in place before AFAP can be achievedThe last comment is just an example of a criteria that may be applied. By no means should this be considered a requirement for every situation.
59Opportunities Available to Reduce Risk Risk is based on the following equation:Risk = ∑(Fi x Ci) =(F1 x C1) + (F2 x C2) (Fn x Cn)WhereFi is the Frequency or likelihood of event i, andCi is the consequence of event iRisk reduction can be implemented by changing either the frequency of the MA occurring or the magnitude of the consequence of the MAFor MA scenarios, reducing likelihood is often the only available means to reduce the risk.
60Opportunities Available to Reduce Risk For evaluation of control measures, there are several issues that need to be consideredExisting MHF FacilityDuring a risk evaluation process for an existing facility, it would be very unusual to achieve a reduction in the worst case consequences of an MAReducing the frequency or likelihood of the event occurring is generally the only option availableThe facility is designed to provide chlorine dosing to treat water supplies. Chlorine has been chosen by the water authority for a number of reasons. The chlorine will be a constant in the risk equation as it cannot be eliminated or substituted for an alternative. Thus to reduce the risk (Risk = F x C) the only component of the equation that can be altered is the frequency (F).
61Opportunities Available to Reduce Risk New MHF FacilityFor a new facility, both components of the risk equation can be reducedSeveral issues can be explored when designing a new facilityThe first point of examination is to focus on the hierarchy of controlsCan we eliminate the hazard so it is not a problem?The second area to examine is substitutionUse of alternative non Schedule 9 or DG materialsAs an example, cooling towers for a plant are being dosed with chlorine. The chlorine can be substituted for sodium hypochlorite, eliminating the chlorine storage and handling hazards. However, care needs to be taken to carefully evaluate the sodium hypochlorite hazards introduced through the substitution.As another example, consider a Greenfield site requiring large fire protection cooling water requirements. Can this need be reduced by looking at facility spacing and interspacing between storage tanks/systems?
62Opportunities Available to Reduce Risk Elimination ControlsThe effectiveness of an elimination control is considered to be 100%The risk from an event occurring is reduced to zeroThis is the optimal type of controlIf an Employer cannot reduce the risk to an acceptable level, the feasibility of shutting down plant equipment/processes, substituting non-hazardous substances for hazardous substances should be considered
63Opportunities Available to Reduce Risk Prevention controlsThe effectiveness of prevention controls is based on their Probability to Fail on Demand (PFD)PFDs can be determined from site specific maintenance/inspection data and incident dataIn the absence of site specific data, PFDs can be referenced from worldwide failure rate data publications such as OREDA, E&P Forum, etcFurther references are provided in the Sources of Additional Information section
64Opportunities Available to Reduce Risk Reduction controlsAssessing the effectiveness of reduction controls is a lot more subjective than assessing the effectiveness of elimination or prevention controlsThere are many variables that affect the integrity/effectiveness of such controlsThese coverReliability of instrumentationInspection and testing frequency requirementsEffectiveness of testing programs and feedback on opportunities for improvementFrequency of training employees
65Opportunities Available to Reduce Risk Reduction controlsFor example, an operating procedure can be a highly effective reduction control provided it is readily available, regularly referenced and frequently reviewed and there is independent verification of its outputThe same argument holds for a change management processHuman factors evaluations should be used to determine the reliability of an operating procedure if it is critical to the activityIn specific circumstances, operating procedures and training maybe the only controls which are feasible to satisfy AFAP. This is particularly relevant to operations which are batch activities and undertaken relatively infrequently such as ordnance manufacturing. Audience invited to provide further examples.Where procedures or human factors controls are the only type available, detailed human factors analysis should be seriously considered.
66Opportunities Available to Reduce Risk Training/competency controlsThe effectiveness of training controls is not easily assessedTraining programs that are:Specific to the task at handCompetency assessedRevisited via re-fresher training coursesAre likely to be highly effective with confirmation being available through human factors evaluationsTraining controls are based on a specific action being taken when it is supposed to be taken.Normally training is not considered as a control. It is a requirement to ensure the effectiveness of procedural or human factors controls is maintained.
67Opportunities Available to Reduce Risk Where elimination or substitution cannot be achieved then a combination of controls is preferredThis provides a balanceThe failure of a single control should not lead to the MA occurringDiversity. Not reliance on a single type of control.
68Assessment and Adequacy There are a number of approaches that can be used to undertake an assessment of an MA’s controls to determine if the AFAP argument is satisfiedThese includeLOPAFault and event tree analysisRisk analysis using a matrix approachThe approach to use will depend on the complexity of the MA and the culture of the organisation
69Assessment and Adequacy Less complex and smaller operations could use a risk matrix type approachA more complex operation such as a refinery or gas processing plant could use all three approachesWhen determining effectiveness of control measures, the following issues will also need to be considered:IndependenceFunctionalitySurvivabilityReliabilityAvailabilitySpeaker to emphasise this is not the only approach
70Assessment and Adequacy Cost benefit analyses can be undertaken to determine the viability of each proposed recommendation for further risk reductionThis is a valid approach and at some point, depending on the circumstances involved, the cost of reducing risk further becomes costly compared to the benefit gainedControls that are rejected need to be documented including the reason whyThe definition of a “critical control” is hard to define as various interpretations can be providedThis could, in some circumstances, skew thinking to the detriment of other controlsFor the purpose of MA controls and adequacy evaluation, all controls that prevent or minimise the potential for an MA to occur should be appropriately evaluatedIt is acknowledged that as a LOPA assessment, if a control is given a three orders of magnitude reduction, such a control will be perceived more important than a control which is only given one order of magnitude reduction. On balance this could be perceived as more important than others. However, all controls that maintain an MA to AFAP are all important and should be treated this way accordingly. The proportionality of controls is also to be kept in perspective.
71Assessment and Adequacy In essence there will have been a determination made on every MA covering:What controls are in place?What other controls are in place?Is there only one control in place or is there a proportionality of controls available to achieve AFAP?Is the risk adequately controlled?Are additional controls required?
72Assessment and Adequacy Are they effective?Would alternative controls be more suitable and effective for preventing or reducing the MA?What testing regime is required for maintaining the control performance?Is the testing regime adequate for every control?For example, if some controls are tested every 12 months, what improvement would there be if testing was undertaken every 3 months?It is acknowledged there will be a trade off between cost of testing and any benefit, together with any increase of risk due to human error whilst testing (revealed and unrevealed failure potential)
73Assessment and Adequacy Are the controls audited and their performance evaluated against appropriate criteria?How are failures reported?What is the corrective action process in place?Is there verification of the entire process?
74Assessment and Adequacy A safety management process will need to be developed for the facility (i.e. SMS)This will enable the performance of all control measures for every MA to be evaluated for effectiveness and opportunities for improvement identified
75Sources of Additional Information Major Hazard Facility Guidance Material – Comcare websiteWorkSafe Victoria Guidance Material – WorkSafe websiteLayer of Protection Analysis, Simplified Process Risk Assessment, Centre for Chemical Process Safety, American Institute of Chemical Engineers, 2001Hazard Identification and Risk Assessment, Geoff Wells, 1996Classification of Hazardous Locations, A.W. Cox, F.P. Lees and M.L. Ang, IChemE, 1993The information list is not exhaustive however it does contain the major references that an experienced person would use.
76Sources of Additional Information Guidelines for Process Equipment Reliability Data, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 1989Loss Prevention in the Process Industries , F. P. Lees, Appendix 14/5, 2nd Edition, Butterworth HeinemannIEC Ed. 1.0 E Functional safety - Safety instrumented systems for the process industry