Presentation is loading. Please wait.

Presentation is loading. Please wait.

Major Hazard Facilities Control Measures and Adequacy.

Similar presentations

Presentation on theme: "Major Hazard Facilities Control Measures and Adequacy."— Presentation transcript:

1 Major Hazard Facilities Control Measures and Adequacy

2 2 Overview The seminar has been developed to provide: Context with MHF Regulations An overview of what is required An overview of the steps required Examples of control measures and their adequacy

3 3 Some Abbreviations and Terms AFAP - As far as (reasonably) practicable DG - Dangerous goods Employer - Employer who has management control of the facility ER or ERP - Emergency response or Emergency response plan Facility - any building or structure at which Schedule 9 materials are present or likely to be present for any purpose HAZID - Hazard identification HAZOP - Hazard and operability study HSR - Health and safety representative LOC - Loss of containment LOPA - Layers of protection analysis

4 4 Some Abbreviations and Terms MHF - Major hazard facility MA - Major accident OHS - Occupational health & safety PFD - Probability of failure on demand PSV – Pressure safety valve SMS - Safety management system

5 5 Topics Covered In This Presentation Regulations Introduction Regulatory requirements What does this mean? Identify all control measures Development of assessment Control category and examples Hierarchy of controls AFAP

6 6 Topics Covered In This Presentation Effectiveness of control measures Control types Opportunities available to reduce risk Assessment and adequacy Sources of additional information Review and revision

7 7 Hazard identification (R9.43) Risk assessment (R9.44) Risk control (i.e. control measures) (R9.45, S9A 210) Safety Management System (R9.46) Safety report (R9.47, S9A 212, 213) Emergency plan (R9.53) Consultation Basic outline Regulations

8 8 Hazards causing an MA The controls preventing or mitigating consequences of an MA The controls in place and assess their effectiveness and adequacy In order to deliver safe operation the Employer needs to understand the relationship between Introduction

9 9 Controls DO fail and the consequences can be devastating (Skikda, Algiers, 20 January, 2004) At least 23 workers were killed 74 were injured $800,000,000 (U.S.) estimated property damage Introduction

10 10 Control measures are the features of a facility that: -Eliminate -Prevent -Reduce -Mitigate... the risks associated with potential MAs They are the means by which the Employer ensures the operation satisfies the Regulations and the AFAP requirement A number of control options maybe considered and applied individually or in combination Introduction

11 11 In undertaking control measure identification and assessment, the Employer should seek to attain an understanding of: -The processes involved in control measure identification/selection and assessment -The control measures used to reduce the risk of potential major accidents to AFAP Introduction

12 12 At the end of the controls and adequacy evaluation process, the Employer should know: -The identity of all existing and potential control measures -The relationships between the hazards, control measures, MAs and outcomes -The effectiveness of control measures in managing risk -The opportunities that are available to reduce risk -The monitoring regime necessary to ensure the ongoing effectiveness of the control measures Introduction

13 13 After the HAZID and Risk Assessment evaluations, the Employer will have identified all of the hazards that can lead to MAs and the controls in place, including independence, reliability, effectiveness, robustness and applicability A determination of the adequacy of the controls in managing the hazards then needs to be undertaken Regulation Requirements

14 14 The opportunities present that are available to reduce risk need to be assessed, including additional or alternative controls The monitoring regime necessary to ensure the ongoing effectiveness of the control measures for managing the hazards need to be assessed Control measures and adequacy assessment will need to be revised as necessary, using performance monitoring results and other relevant new information What Does This Mean?

15 15 0 5 10 15 20 25 30 35 40 45 50 Chemical Exposure Environ Release ExplosionFire LOCFirst Aid Offsite First Aid Onsite No of Incidents Petroleum Utilities Logistics Chemicals & Plastics Reported incidents by results involving Schedule 9 materials in Victoria (from VWA) What Does This Mean?

16 16 This accident happened during the filling of a 2000 m 3 LPG sphere Its legs collapsed. One person was killed and one seriously injured What Does This Mean?

17 17 Identity of All Control Measures All of the MAs should be documented in an appropriate format that clearly identifies: -The MA (the release modes and the consequences of the release) -All hazards that, if realised, can cause an MA -The controls in place to manage the hazard and any recommended controls as a result of the HAZID process

18 18 Identity of All Control Measures Hazard:Release of chlorine from chlorine storage drum Incident:Forklift tynes impact on chlorine storage drum Consequence:Release of chlorine liquid into storage drum bund resulting in personnel exposure to chlorine liquid/vapour Potential for serious injury/fatality Example, consider a chlorine drum handling operation

19 19 Identity of All Control Measures Preventative Controls (Incident Prevention) Mitigation Controls (Incident Mitigation) Design of chlorine storage drum and fork lift lifting mechanisms prevent tynes puncturing cylinder (in accordance with an appropriate standard) and inspected regularly Spill containment bunds (reduces the consequences) Traffic management system/forklift or pedestrian exclusion zones Spill containment procedure, chlorine gas detection & alarms (reduces time for intervention thereby reducing consequences) – procedure inspected and found to be satisfactory Forklift driver training – training is held at the prescribed intervals and records inspected are satisfactory PPE including breathing apparatus (reduces the likelihood of exposure to chlorine) – PPE training is held at prescribed intervals and records validated

20 20 Control measures are not only physical equipment, but may include: -Engineered devices (physical barriers such as impact protection bollards) or systems (high integrity trip systems) -High-level procedures or detailed operating instructions -Information systems (incident reporting systems) -Personnel training (i.e. the actions people should take in an emergency) Identity of All Control Measures

21 21 Development of Assessment It is important to understand how controls are arranged in a manner that eliminate or minimise the hazards leading to an MA occurring, and any interdependence Control measures may be pro-active, in that they eliminate, prevent or reduce the likelihood of incidents They may be reactive, in that they reduce or mitigate the consequences of an MA

22 22 Control measures may be considered as “barriers” and are located between the intrinsic hazards that could lead to an MA Control measures can also reduce the harm that may be caused to people and property in the event of an MA Hazards can result in an MA harming people or property only if controls have failed to function as intended, or have been bypassed/defeated Development of Assessment

23 23 Development of Assessment 1st barrier 2nd barrier 3rd barrier

24 24 There are methods for the control assessment process The size, complexity and knowledge of the MHF could determine which approach to use Several methods can be used, e.g.: -LOPA -Fault tree and event tree -Risk matrix Development of Assessment

25 25 Increasing Reliability Decreasing Reliability The hierarchy of controls & effectiveness guidelines Control type 100% Eliminate Hazard 90% Minimize hazard Physical controls 50% Procedures 30% Personnel Skills & Training Effectiveness Control Measure Hierarchy

26 26 Elimination/substitution controls Prevention controls Reduction controls Mitigation controls Control Measure Hierarchy

27 27 Control CategoryControl Example Elimination controlsEquipment removal Physical barriers such as mounding of LPG sphere Decommissioning Facility layout – increasing separation distances Plant design procedures Control Measure Hierarchy

28 28 Control CategoryControl Example Substitution controlsReplacement of a hazardous material with a non-hazardous substitute (E.g. Replace chlorine with sodium hypochlorite) Systems to prevent incompatible materials on the site at the same time Control Measure Hierarchy

29 29 Control CategoryControl Example PreventionProcess alarms and notification systems Independent flow/level/pressure/temperature indicators with a defined response Engineering standards Safety process systems (safety integrity systems), pressure relief valves Control Measure Hierarchy

30 30 Control CategoryControl Example PreventionOperating procedures and instructions Personnel skill, training and competency Plant inspection Equipment testing and repair Change management process Maintenance procedures Quality specifications Permit to work Control Measure Hierarchy

31 31 Control CategoryControl Example ReductionSeparation distances Shutdown and isolation systems Gas detection with leak isolation action Bunding and other containment systems Drainage Control Measure Hierarchy

32 32 Control CategoryControl Example MitigationFire fighting systems Emergency response plans Plant evacuation alarms Passive fire protection (thermal insulation on bullets, spheres) Control Measure Hierarchy

33 33 It is the risk assessment that provides the information necessary to test this requirement, and this information must be included in the safety report The risk assessment must address hazards and risk both individually and cumulatively Consequently the demonstration that risks are eliminated or reduced to AFAP may need to be made for control measures individually, in groups and as a whole AFAP

34 34 The AFAP approach is not simply about satisfying a single criterion of whether the risk of an MA is less than a specific number or position on a risk matrix It is about evaluation of all controls, their proportionality for controlling the risk of an MA occurring and if additional controls can reasonably have an effect on reducing the risk of an MA further AFAP

35 35 The likelihood of the hazard or risk actually occurring -That is, the probability that someone could be injured or harmed through the work being done The degree of harm that would result if the hazard or risk occurred -For example fatality, multiple injuries, medical or first aid treatment, long or short term health effects The availability and suitability of ways to eliminate or reduce the hazard or risk AFAP

36 36 What is known, or ought reasonably be known, about the hazard or risk and any ways of eliminating or reducing it The cost of eliminating or reducing the hazard or risk -That is, control measures should be implemented unless the risk is insignificant compared with the cost of implementing the measures AFAP

37 37 The balance between benefits in terms of reduced risk and the costs of further control measures will play a part in achieving and demonstrating AFAP Every safety report will need to develop an approach as to how the AFAP argument is to be applied to the facility The AFAP approach then needs to be applied consistently to every MA in order for demonstration of adequacy to be satisfied AFAP

38 38 AFAP – Cost/Benefit & Rejecting Controls Low High Benefit (Risk Reduction) Low Should be implemented. Little analysis required unless rejected. More detailed justification required to reject More detailed justification required to reject (lower priority) Simple justification to reject High Sacrifice (cost, time, effort and inconvenience)

39 39 There are controls and safeguards A control is considered to be a device, system, or action that is capable of preventing a cause from proceeding to its undesired consequence, independent of the initiating event or the action of any other layer of protection associated with the scenario A safeguard is any device, system or action that would likely interrupt the chain of events following an initiating event Effectiveness of Control Measures

40 40 EffectiveFor the initiating eventIndependent Of the components of any other control already claimed for the same scenario Reliable The reliability, effectiveness and independence of a control must be auditable Applicable Preventing the consequences when it functions as designed To be considered a control, it must be: Effectiveness of Control Measures

41 41 As an example, consider an employee action to read a level gauge and a pressure gauge - both taken off the same tapping point Is a single tapping point for two different information streams applicable, independent and reliable? Will the employee reliably report the correct information? Effectiveness of Control Measures

42 42 These have been built into a system - but are they: EffectiveIndependent Reliable Applicable The answer - NO Effectiveness of Control Measures

43 43 Every designer, Employer and manager desires to have controls that are: - Robust - Reliable - Can survive harsh environments - Not dependent upon rigorous inspection and testing regimes that involve manpower and cost Unfortunately this is not reality Effectiveness of Control Measures

44 44 Controls do fail and accidents occur as a result Result of a fire at a bulk storage facility – was there adequate separation and fire protection? Effectiveness of Control Measures

45 45 Impact on: Environment People Business interruption Cost of inventory Reputation Legal cost Effectiveness of Control Measures

46 46 A good management system Effectiveness of Control Measures

47 47 With adequate risk control measures Effectiveness of Control Measures

48 48 Reduces the risk of loss Effectiveness of Control Measures

49 49 These controls are important to analyse in a structured manner so that their effectiveness can be assessed For this to occur the Employer needs to know: - What type - How many - How reliable are the controls - Are there sufficient to reduce MA risk to AFAP? Each control needs to be fit for purpose and designed into the system as independent Effectiveness of Control Measures

50 50 In each evaluation the type of service being evaluated needs to be taken into consideration critically to ensure the control type is effective and will perform its intended duty For example consider an instrumented level gauge with high level and high high level independent alarms for controlling the level in a process tower The alarms are not tested and the high high level is known to be in fault mode -Is this control reliable, effective and applicable? Control Types

51 51 For example, having a rupture disc in place where the inlet can foul – in this circumstance the correct pressure will not be seen by the rupture disc -Such a control would not be suitable for the service Bund in service for flammable liquid storage tanks which has major penetrations -This control would not be suitable as it cannot satisfy AS1940 Control Types Controls need to be service and situation dependent in order to be suitable

52 52 The following is an animated description of the US Chemical Safety Board, Animation of BP Texas City Refinery Accident, October 27, 2005 This can be found at the following website Control Types

53 53 Such controls involve reliance on employees to take action to prevent an undesirable consequence in response to alarms or following a routine check of the system Human performance is usually considered less reliable than engineering controls Not crediting human actions under well defined conditions is considered to be unduly penalising the Employer Control Types – Human Controls

54 54 Human controls should have the following requirements: The indication for action required by an employee must be detectable The action must always be: - Available for the employee - Clear to the employee even under emergency conditions - Simple and straight forward to understand - Repeatable by any similarly trained/competent employee Control Types – Human Controls

55 55 The time available to take action must be adequate Employees should not be expected to perform other tasks at the same time – there needs to be clear priorities The employee is capable of taking the action required under all conditions expected to be reasonably present Training for the required action is performed regularly and is documented Indication and action should normally be independent of any other system already accredited Control Types – Human Controls

56 56 Human ControlComments Human action with 10 minutes response time Simple well documented action with clear and reliable indications that action is required Human response to BPCS indication or alarm with 40 minutes response time Simple well documented action with clear and reliable indications that action is required Human action with 40 minutes response time Simple well documented action with clear and reliable indications that the action is required Examples of reduction (human) controls Taken from “Layer of Protection Analysis, Simplified Process Risk Assessment, Centre for Chemical Process Safety, American Institute of Chemical Engineers, 2001” Control Types – Human Controls

57 57 Each control, to be classified as a legitimate control against an MA (i.e. implemented, functional, independent, monitored and audited) must be evaluated in a structured format To ensure proper management of the MAs, each control must be fully independent of the other controls listed -there must be no failure that can deactivate two or more controls (e.g. common cause failure) The effectiveness of control measures in managing risk Opportunities Available to Reduce Risk

58 58 The question people ask is, how many controls are required to reduce a MA to AFAP? This will depend on: -The circumstances -The process being analysed together with the mix of independent controls One approach used is to have a qualitative evaluation that requires three independent controls to be in place before AFAP can be achieved Opportunities Available to Reduce Risk

59 59 Risk is based on the following equation: Risk = ∑(F i x C i )=(F 1 x C 1 ) + (F 2 x C 2 ) +.....(F n x C n ) Where F i is the Frequency or likelihood of event i, and C i is the consequence of event i Risk reduction can be implemented by changing either the frequency of the MA occurring or the magnitude of the consequence of the MA Opportunities Available to Reduce Risk

60 60 For evaluation of control measures, there are several issues that need to be considered Existing MHF Facility During a risk evaluation process for an existing facility, it would be very unusual to achieve a reduction in the worst case consequences of an MA Reducing the frequency or likelihood of the event occurring is generally the only option available Opportunities Available to Reduce Risk

61 61 New MHF Facility For a new facility, both components of the risk equation can be reduced Several issues can be explored when designing a new facility The first point of examination is to focus on the hierarchy of controls -Can we eliminate the hazard so it is not a problem? The second area to examine is substitution -Use of alternative non Schedule 9 or DG materials Opportunities Available to Reduce Risk

62 62 The effectiveness of an elimination control is considered to be 100% The risk from an event occurring is reduced to zero This is the optimal type of control If an Employer cannot reduce the risk to an acceptable level, the feasibility of shutting down plant equipment/processes, substituting non-hazardous substances for hazardous substances should be considered Elimination Controls Opportunities Available to Reduce Risk

63 63 The effectiveness of prevention controls is based on their Probability to Fail on Demand (PFD) PFDs can be determined from site specific maintenance/inspection data and incident data In the absence of site specific data, PFDs can be referenced from worldwide failure rate data publications such as OREDA, E&P Forum, etc Prevention controls Opportunities Available to Reduce Risk

64 64 Assessing the effectiveness of reduction controls is a lot more subjective than assessing the effectiveness of elimination or prevention controls There are many variables that affect the integrity/effectiveness of such controls These cover -Reliability of instrumentation -Inspection and testing frequency requirements -Effectiveness of testing programs and feedback on opportunities for improvement -Frequency of training employees Reduction controls Opportunities Available to Reduce Risk

65 65 For example, an operating procedure can be a highly effective reduction control provided it is readily available, regularly referenced and frequently reviewed and there is independent verification of its output The same argument holds for a change management process Human factors evaluations should be used to determine the reliability of an operating procedure if it is critical to the activity Reduction controls Opportunities Available to Reduce Risk

66 66 Training/competency controls The effectiveness of training controls is not easily assessed Training programs that are: -Specific to the task at hand -Competency assessed -Revisited via re-fresher training courses Are likely to be highly effective with confirmation being available through human factors evaluations Opportunities Available to Reduce Risk

67 67 Where elimination or substitution cannot be achieved then a combination of controls is preferred -This provides a balance -The failure of a single control should not lead to the MA occurring Opportunities Available to Reduce Risk

68 68 There are a number of approaches that can be used to undertake an assessment of an MA’s controls to determine if the AFAP argument is satisfied These include -LOPA -Fault and event tree analysis -Risk analysis using a matrix approach The approach to use will depend on the complexity of the MA and the culture of the organisation Assessment and Adequacy

69 69 Less complex and smaller operations could use a risk matrix type approach A more complex operation such as a refinery or gas processing plant could use all three approaches When determining effectiveness of control measures, the following issues will also need to be considered: - Independence - Functionality - Survivability - Reliability - Availability Assessment and Adequacy

70 70 Cost benefit analyses can be undertaken to determine the viability of each proposed recommendation for further risk reduction This is a valid approach and at some point, depending on the circumstances involved, the cost of reducing risk further becomes costly compared to the benefit gained Controls that are rejected need to be documented including the reason why The definition of a “critical control” is hard to define as various interpretations can be provided This could, in some circumstances, skew thinking to the detriment of other controls For the purpose of MA controls and adequacy evaluation, all controls that prevent or minimise the potential for an MA to occur should be appropriately evaluated Assessment and Adequacy

71 71 In essence there will have been a determination made on every MA covering: -What controls are in place? -What other controls are in place? -Is there only one control in place or is there a proportionality of controls available to achieve AFAP? -Is the risk adequately controlled? -Are additional controls required? Assessment and Adequacy

72 72 Are they effective? Would alternative controls be more suitable and effective for preventing or reducing the MA? What testing regime is required for maintaining the control performance? Is the testing regime adequate for every control? -For example, if some controls are tested every 12 months, what improvement would there be if testing was undertaken every 3 months? Assessment and Adequacy

73 73 Are the controls audited and their performance evaluated against appropriate criteria? How are failures reported? What is the corrective action process in place? Is there verification of the entire process? Assessment and Adequacy

74 74 A safety management process will need to be developed for the facility (i.e. SMS) This will enable the performance of all control measures for every MA to be evaluated for effectiveness and opportunities for improvement identified Assessment and Adequacy

75 75 Major Hazard Facility Guidance Material – Comcare website WorkSafe Victoria Guidance Material – WorkSafe website Layer of Protection Analysis, Simplified Process Risk Assessment, Centre for Chemical Process Safety, American Institute of Chemical Engineers, 2001 Hazard Identification and Risk Assessment, Geoff Wells, 1996 Classification of Hazardous Locations, A.W. Cox, F.P. Lees and M.L. Ang, IChemE, 1993 Sources of Additional Information

76 76 Guidelines for Process Equipment Reliability Data, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 1989 Loss Prevention in the Process Industries, F. P. Lees, Appendix 14/5, 2nd Edition, Butterworth Heinemann IEC 61511-3 Ed. 1.0 E - 2003 - Functional safety - Safety instrumented systems for the process industry Sources of Additional Information

77 77 Questions?

Download ppt "Major Hazard Facilities Control Measures and Adequacy."

Similar presentations

Ads by Google