Presentation on theme: "Major Hazard Facilities Major Accident Identification and Risk Assessment The approaches outlined in this seminar are required for new facilities (as."— Presentation transcript:
1 Major Hazard Facilities Major Accident Identification and Risk Assessment The approaches outlined in this seminar are required for new facilities (as well as existing)
2 Overview
This seminar has been developed in the context of the MHF regulations to provide:
- An overview of MA identification and risk assessment
- The steps required for MA recording
- Examples of major accidents identified
- The steps required for a risk assessment
- Examples of risk assessment formats
3 Some Abbreviations and Terms
AFAP - As far as (reasonably) practicable
BLEVE - Boiling liquid expanding vapour explosion
BPCS - Basic process control system
DG - Dangerous goods
Employer - Employer who has management control of the facility
Facility - Any building or structure which is classified as an MHF under the regulations
HAZID - Hazard identification
HSR - Health and safety representative
LOC - Loss of containment
LOPA - Layers of protection analysis
MHF - Major hazard facility
MA - Major accident
SIS - Safety instrumented system
4 Topics Covered In This Presentation
- Regulations
- Definition - Major accident (MA)
- MA identification issues
- Approaches to MA identification
- MA recording
- Pitfalls
5 Topics Covered In This Presentation
- Definition of a risk assessment
- Approaches
- Risk assessment
- Likelihood assessment
- Consequences
- Risk evaluation and assessment
- Summary
- Sources of additional information
- Review and revision
6 Regulations
Occupational Health and Safety (Safety Standards) Regulations 1994
- Hazard identification (R9.43)
- Risk assessment (R9.44)
- Risk control (i.e. control measures) (R9.45, S9A 210)
- Safety Management System (R9.46)
- Safety report (R9.47, S9A 212, 213)
- Emergency plan (R9.53)
- Consultation
The approaches outlined in this seminar are appropriate and relevant for new facilities
7 Regulations
Occupational Health and Safety (Safety Standards) Regulations 1994
Regulation 9.43 (Hazard identification) states:
The employer must identify, in consultation with employees, contractors (as far as is practicable) and HSRs:
- All reasonably foreseeable hazards at the MHF that may cause a major accident; and
- The kinds of major accidents that may occur at the MHF, the likelihood of a major accident occurring and the likely consequences of a major accident.
8 Regulations
Occupational Health and Safety (Safety Standards) Regulations 1994
Regulation 9.44 (Risk assessment) states:
If a hazard or kind of major accident at the MHF is identified under regulation 9.43, the employer must ensure that any risks associated with the hazard or major accident are assessed, in consultation with employees, contractors (as far as is practicable) and HSRs.
The employer must ensure that the risk assessment is reviewed:
- Within 5 years after the assessment is carried out, and afterwards at intervals of not more than 5 years; and
- Before a modification is made to the MHF that may significantly change a risk identified under regulation 9.43; and
- When developments in technical knowledge or the assessment of hazards and risks may affect the method at the MHF for assessing hazards and risks; and
- If a major accident occurs at the MHF.
Historically there has been a focus on risk from hazardous facilities to neighbouring land users. Under the OH&S Act an Employer is required to provide a safe place of work. The MHF regulations focus on both on-site and off-site risk exposures.
9 Regulations
Occupational Health and Safety (Safety Standards) Regulations 1994
Regulation 9.45 (Risk control) states:
The employer must, in consultation with employees, contractors (as far as is practicable) and HSRs, ensure that any risk associated with a hazard at the MHF is:
- Eliminated; or
- If it is not practicable to eliminate the risk - reduced as far as practicable.
The employer must:
- Implement measures at the MHF to minimise the likelihood of a major accident occurring; and
- Implement measures to limit the consequences of a major accident if it occurs; and
- Protect relevant persons, an at-risk community, and the built and natural environment surrounding the MHF, by establishing an emergency plan and procedures in accordance with regulation 9.53.
10 Definition - Major Accident
A major accident is defined in the Regulations as:
A sudden occurrence at the facility causing serious danger or harm to:
- A relevant person or
- An at-risk community or
- Property or
- The environment
whether the danger or harm occurs immediately or at a later time
It is important that the focus of MHF is on Schedule 9 materials, DGs etc. and large consequences, not on identifying natural disasters.
“Sudden occurrence” implies a release of “energy”. In many cases this will mean material, although an explosion is a direct release of stored energy.
We are not considering OH&S type incidents - slips, trips, falls, traffic accidents etc. Although these can have serious consequences, they are not the focus of the MHF regulations.
11 MA Identification Issues
- Unless ALL possible MAs are identified, causal and contributory hazards may be overlooked and risks will not be accurately assessed
- Likewise, controls cannot be identified and assessed
- Identification of MAs must assume control measures are absent/unavailable/not functional
That is: WHAT COULD HAPPEN IF CONTROL MEASURES WERE NOT APPLIED AND MAINTAINED?
Hazards are there all the time. The controls are what prevent the hazards from becoming major accidents.
12 MA Identification Issues
MAs can be identified in three different areas. These are:
- Process MAs
- MAs arising from concurrent activities
- Non-process MAs
13 MA Identification Issues
Process MAs
- These are MAs caused by hazards which are associated with upsets in the process, or failure of equipment in the process, etc.
MAs arising from concurrent activities
Typical concurrent operations which must be considered are:
- Major shutdowns/start ups
- Other activity on site
- Activities adjacent to the facility
Process MAs: Overpressure of the vessel, overfill of the storage tank
Concurrent activities MAs: Construction activities, new projects
14 MA Identification Issues
Non-Process MAs
- MAs created by non-process hazards that could cause release of Schedule 9 materials
- Non-process hazards may typically include the following: aircraft crashing; dropped objects; extreme environmental conditions (earthquake, cyclone, high winds, lightning); non-process fires (e.g. bush fire); vehicles and road transport; heat stress
Non-Process MAs: External events
15 MA Identification Issues
Collate appropriate:
- Facility information
- Incident data/histories
To ensure a thorough understanding of:
- The nature of the facility
- Its environment
- Its materials
- Its processes
All aspects need to be considered
16 MA Identification Issues
Develop/select a structured method for determining:
- What types of MA can occur: loss of containment, fire, explosion, release of stored energy
- Where they can occur
- Under what circumstances
Define and document any restrictions applied to the above
17 MA Identification - Tools Usage
Examples of tools which might be used include:
- Analysis of Schedule 9 materials and DG properties
- Use of HAZID techniques
- Review of existing hazard identification or risk assessment studies
- Analysis of incident history - local, industry, company and applicable global experience
A good HAZID would form the basis for selection of potential MAs for further analysis. This screening would be done based on consequence only and not consider any prior screening of the hazard register based on likelihood or risk.
18 Approach to MA Identification
- It may be efficient to treat similar equipment items handling the same Schedule 9 materials together, as often they have similar hazards and controls
- Further, to ensure correct mitigation analysis, the equipment grouped together should contain similar materials at similar process conditions, resulting in similar consequences on release
As an example, LPG storage vessels will be different to ammonia storage vessels and should not be grouped together as the same MA, but a group of storage tanks all used for the same material could be grouped together.
19 Approach to MA Identification
- For consistency of analysis, all MAs should be defined in terms of an initial energy release event
- This can be characterised as a loss of control of the Schedule 9 material
- As an example, in the case of a hydrocarbon release from one vessel leading to a jet fire that subsequently causes a BLEVE in a second vessel, the MA should be defined in terms of the initial hydrocarbon release from the first vessel
Define for an explosion - Loss of controls preventing the initial detonation of explosives and mitigating controls preventing escalation.
20 Approach to MA Identification
- Review HAZID studies to identify initiating events for each MA
- Review to ensure all hazards have been identified
- Special checklists should be developed to assist with this process
Further hazards may be identified from:
- Discussions with appropriate subject experts
- Review of incident data
- Review of the records from a similar system
Subject matter experts can provide valuable experience and input into specific situations and provide direction for the group to be investigating for the later controls and adequacy demonstration
21 MA Recording
- A structured approach is important
- It can then link equipment management strategies and systems
- Record the key outputs in a register
For each MA, the register should record the following information:
- Equipment that comprises the MA
- Group similar items into one MA
- Description
- Consequences
A structured approach is important as it enables the identification of common issues and system problems and the development of strategies.
The central hazard register may be used if well structured and managed.
22 MA Recording
- Consider all Schedule 9 materials, regardless of quantity
- Screen out incidents that do not pose a serious danger or harm to personnel, the community, the environment or property
- Screening should only be on the basis of consequence, not likelihood, i.e. events should not be screened out on the basis of likelihood or control measures being active
- Consequence modelling should be used as justification for screening decisions
- External influences need to be considered, for example, potential for a power failure to cause a plant upset leading to an MA
A degree of practical evaluation is also required and this should be backed up with consequence modelling/analysis. For example, a release rate of 0.1 kg/sec of crude oil will be unlikely to cause an exposure to personnel if it caught fire.
Unless MA recording is managed (documented and communicated), it will lead to a significant additional workload during the safety report preparation, will not add value to the safety report process and will increase costs unnecessarily
23 Example - MA Recording
The following are examples of MA recording details
MA Reference No. | MA Description | Equipment Included
LPG-PU | LOC - pumps | LPG transfer pumps (P254/A)
TKF-SA10 | LOC - finished flammable product release from tank farm | Flammable storage tanks A202, A205, A206, B21, C55
A26 | Ignition of material | Extruders E21/E22/D54
It helps to use a standardised reference numbering system for each MA. This will make it easy to link HAZID, MA and risk assessments and controls.
24 Major Hazard Facilities Risk Assessment The approaches outlined in this seminar are required for new facilities (as well as existing)
25 What is Risk?
- Regulatory definition (per Part 20 of the Occupational Health and Safety (Safety Standards) Regulations 1994): “Risk means the probability and consequences of occurrence of injury or illness”
- AS/NZS 4360 (Risk Management Standard): “the chance of something happening that will have an impact on objectives”
- Risk combines the consequence and the likelihood
RISK = CONSEQUENCE x LIKELIHOOD
For MHF, the application is wider than that defined in Part 20 - it also includes ‘risk’ to environment and property.
It can be easy to confuse ‘hazard’ and ‘risk’. ‘Hazard’ is the source of potential harm. ‘Risk’ includes the likelihood of that hazard occurring and the consequences that may result if it did occur.
Hazards are present in almost everything we do, e.g. cars driving on the road. There are very high consequences of that hazard (e.g. our death) yet we accept that risk every day in walking across the road because we perceive the likelihood to be low due to good controls in place (traffic rules, crossing signs). We also have a higher tolerance for risk that we choose to take versus those risks imposed on us (e.g. from a neighbouring MHF).
Review if needed.
26 Hazard versus Risk
Is that a hazardous task? Is it high risk?
- What is the damaging energy? Gravity (electricity too)
- What is the hazard? Falling
- What are some controls that could be used? Cherry picker, extended pole, fold light pole to ground
- How would these affect the hazard? The risk?
27 Risk Assessment Definition
Any analysis or investigation that contributes to understanding of any or all aspects of the risk of major accidents, including their:
- Causes
- Likelihood
- Consequences
- Means of control
- Risk evaluation
These are the main factors included in a risk assessment.
28 The Risk Assessment Should…
- Ensure a comprehensive and detailed understanding of all aspects for all major accidents and their causes
- Be a component of the demonstration of adequacy required in the safety report, e.g. by evaluating the effects of a range of control measures and providing a basis for selection/rejection of measures
Demonstration of adequacy will be covered later.
29 Approach
- The MHF Regulations respond to this by requiring comprehensive and systematic identification and assessment of hazards
- HAZID and Risk Assessment must have participation by employees, as they have important knowledge to contribute together with important learnings
- These employees MAY BE the HSRs, but DO NOT HAVE TO BE
- However, the HSRs should be consulted in selection of appropriate participants in the process
Involvement of employees in both hazard identification and risk assessment is essential.
30 Approach - Types of Risk Assessment
[Figure: types of risk assessment. Labels: Hazard Identification; Qualitative Assessment; Quantitative Risk Assessment; Detailed Studies (Asset Integrity Studies, Plant Condition Analysis, Human Factors Studies, Consequence Analysis, Likelihood Analysis, Technology Studies)]
The information from the more detailed analysis can be presented in a qualitative manner, enabling a method to be used that provides clear understanding of the risk for every MA.
31 Causes
- From the HAZID and MA evaluation process, pick an MA for evaluation
- From the hazard register, retrieve all the hazards that can lead to the MA being realised
- In a structured approach, list all of the controls currently in place to prevent each of the hazards that lead to the MA being realised
- Examine critically all of the controls currently in place designed to prevent the hazard being realised
32 Causes
As an example, from hazard register, MA - A26
[Figure: Ignition of materials (MA - A26)]
This might be an example of a major accident identified in the hazard register.
33 Causes
List all possible causes of the accident (identified during HAZID study)
[Figure: Hazard Scenario 1, Hazard Scenario 2, Hazard Scenario 3, etc. leading to Ignition of materials (MA - A26)]
34 Causes
List all prevention controls for the accident (identified during HAZID study)
[Figure: Hazard Scenario 1, Hazard Scenario 2, Hazard Scenario 3, etc. leading to Ignition of materials (MA - A26), with prevention controls C1-1, C1-2, C2-1, C3-1]
35 Likelihood Assessment
Likelihood analysis can involve a range of approaches, depending on the organisation’s knowledge, data recording systems and culture
This knowledge can range from:
- In-house data - existing data recording systems and operational experience
- Reviewing external information from failure rate data sources
Both are valid, however, the use of in-house data can provide added value as it is reflective of the management approaches and systems in place
In-house information is a very good source as it represents the company’s actual management strategies
36 Likelihood Assessment
- A “Likelihood” is an expression of the chance of something happening in the future, e.g. catastrophic vessel failure, one chance in a million per year (1 x 10^-6/year)
- “Frequency” is similar to likelihood, but refers to historical data on actual occurrences
Note that probability is something different - it does not have a time scale so does not tell you how often something may occur!
37 Likelihood Assessment
Likelihood Analysis can use:
- Historical: site historical data; generic failure rate data
- Assessment: workshops (operators and maintenance personnel); fault trees; event trees; assessment of human error
Operators and maintenance personnel are very valuable sources of information to verify or validate based on their specific experience for issues of interest. Need to ensure the Facilitator provides suitable examples to expand participants’ horizons beyond “not in my experience”.
Site historical data covers site incident information, external incident and frequency information, maintenance records, corporate history.
Near miss information from the site should also be used. For example, if a compressor has activated a vibration sensor, how many times has this gone off, is it indicative of an underlying fault and how have management dealt with the issue?
External information - can be very useful, incident information, generic failure rates/data, sometimes qualitative, also may avoid finger pointing on known issues.
Maintenance records - if well kept excellent source of information, can be used for both causes of failure and how often, can support decision making and identify system problems.
As an example, testing of PSVs. If a PSV is within test period and conforms to a known suitable testing standard and it is appropriately documented then very good information will be collected on the service of that PSV with the known duty. Should there be an argument raised to vary the testing period, then the data can be used for this purpose. If the PSV is not tested in accordance with the stated requirements, and it is found to be severely deficient, then it could be questionable as to its suitability for an independent layer of protection within an assessment.
Corporate history - useful if information is available and transparent, relates to corporate culture, testing and inspection regimes, management systems need to be consistent with management requirements so that they are useful.
Workshops - good for analysis of hazards and likelihoods, usefulness depends on getting right mix of attendants, recommendations/further work need to be recorded. Subject experts within a company (if they have them) can be very valuable sources of information and should be used when possible for checking and validating issues. Ensure any assumptions are documented and validated, where possible, with hard site data on operational experience.
38 Likelihood Assessment - Qualitative Approach
- A qualitative approach can be used for assessment of likelihood
- This is based upon agreed scales for interpretation purposes and for ease of consistency
- For example, reducing orders of magnitude of occurrence
- It also avoids the sometimes more complicated issue of using frequency numbers, which can be difficult on occasions for people to interpret
The approach is shown in the following slide.
39 Likelihood Assessment - Qualitative Approach
Category | Likelihood
A | Possibility of repeated events (once in 10 years)
B | Possibility of isolated incidents (once in 100 years)
C | Possibility of occurring sometimes (once in 1,000 years)
D | Not likely to occur (once in 10,000 years)
E | Rare occurrence (once in 100,000 years)
Qualitative terms for likelihood help people to assign a likelihood for the risk assessment. Frequencies are not a requirement.
40 Likelihood Assessment - Fault Trees
- A fault tree is a graphical representation of the logical relationship between a particular system, accident or other undesired event, typically called the top event, and the primary cause events
- The aim of a fault tree analysis is to find and evaluate the mechanisms influencing a particular failure scenario
41 Likelihood Assessment - Fault Trees
A fault tree is constructed by defining a top event and then defining the cause events and the logical relations between these cause events
This is based on:
- Equipment failure rates
- Design and operational error rates
- Human errors
- Analysis of design safety systems and their intended function
A fault tree is used to calculate frequencies for a ‘top event’ based on the underlying failure rates of components. Used for complex or multiple causes. Requires quantitative failure rate data.
42 Likelihood Assessment - Fault Trees Example
[Figure: fault tree with AND and OR gates. Event labels: Process vessel over pressured; Pressure rises; PSV does not relieve; Process pressure rises; Control fails high; PSV too small; Set point too high; PSV stuck closed; Fouling inlet or outlet]
Estimates of failure rates would be needed for each of the basic failures. Generic or specific ‘random’ failure rate data is available for equipment and instrumentation (engineering controls) but would be harder to develop for human factor or systematic causes.
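The calculation this slide describes, as an added example that is not part of the original presentation: it quantifies the overpressure fault tree and places the result on the A to E likelihood scale from slide 39. The gate layout (top event = AND of "Pressure rises" and "PSV does not relieve", each fed by an OR gate), every failure rate, and the round-up rule in classify() are assumptions made for illustration.

```python
from dataclasses import dataclass
from math import prod

# Likelihood anchors from the presentation's qualitative scale, in events per year.
CATEGORIES = [("A", 1e-1), ("B", 1e-2), ("C", 1e-3), ("D", 1e-4), ("E", 1e-5)]


@dataclass(frozen=True)
class Basic:
    name: str
    value: float
    kind: str  # "freq" = events per year, "prob" = probability of failure on demand


@dataclass(frozen=True)
class Gate:
    name: str
    op: str  # "AND" or "OR"
    inputs: tuple


def evaluate(node):
    """Return (value, kind) for a basic event or gate, assuming independent inputs."""
    if isinstance(node, Basic):
        if node.kind not in ("freq", "prob"):
            raise ValueError(f"{node.name}: unknown kind {node.kind!r}")
        if node.value < 0 or (node.kind == "prob" and node.value > 1):
            raise ValueError(f"{node.name}: value {node.value} out of range")
        return node.value, node.kind
    values, kinds = zip(*(evaluate(child) for child in node.inputs))
    if node.op == "OR":
        if len(set(kinds)) != 1:
            raise ValueError(f"{node.name}: OR gate mixes frequencies and probabilities")
        if kinds[0] == "freq":
            return sum(values), "freq"  # rare-event sum of initiating frequencies
        return 1 - prod(1 - v for v in values), "prob"  # at least one input fails
    if node.op == "AND":
        if kinds.count("freq") > 1:
            raise ValueError(f"{node.name}: AND gate may take at most one frequency")
        # A demand frequency multiplied by probabilities stays a frequency.
        return prod(values), "freq" if "freq" in kinds else "prob"
    raise ValueError(f"{node.name}: unknown gate {node.op!r}")


def classify(freq_per_year):
    """Assumed conservative rule: round up to the next more frequent category."""
    for label, anchor in reversed(CATEGORIES):  # E (rarest) first
        if freq_per_year <= anchor:
            return label
    return "A"


# Constructed failure data for illustration only; not from the presentation.
PRESSURE_RISES = Gate("Pressure rises", "OR", (
    Basic("Process pressure rises", 0.10, "freq"),
    Basic("Control fails high", 0.05, "freq"),
))
PSV_FAILS = Gate("PSV does not relieve", "OR", (
    Basic("PSV too small", 1e-3, "prob"),
    Basic("Set point too high", 2e-3, "prob"),
    Basic("PSV stuck closed", 5e-3, "prob"),
    Basic("Fouling inlet or outlet", 2e-3, "prob"),
))
TOP = Gate("Process vessel over pressured", "AND", (PRESSURE_RISES, PSV_FAILS))

if __name__ == "__main__":
    for gate in (PRESSURE_RISES, PSV_FAILS, TOP):
        value, kind = evaluate(gate)
        unit = "per year" if kind == "freq" else "per demand"
        print(f"{gate.name}: {value:.3e} {unit}")
    print("Likelihood category:", classify(evaluate(TOP)[0]))
```

The kind check matters in practice: multiplying two frequencies, or adding a frequency to a probability, gives a number with no meaningful unit, which is a common error when basic-event data come from mixed sources.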
43 Likelihood Assessment - Generic Failure Rate Data
This information can be obtained from:
- American Institute of Chemical Engineers Process Equipment Reliability Data
- Loss Prevention in the Process Industries
- E&P Forum
- UK Health and Safety Executive data
- and other published reports
(Refer to Sources of Additional Information slides for references)
Note that these relate to ‘random’ failures only. Systematic failures (e.g. environmental conditions, operator errors etc.) would need to be determined for the specific facility/process/procedure under study.
44 Likelihood Assessment - Human Error
- Human error needs to be considered in any analysis of likelihood of failure scenarios
- The interaction between pending failure scenarios, actions to be taken by people and the success of those actions needs to be carefully evaluated in any safety assessment evaluation
Some key issues of note include:
- Identifying particular issue
- Procedures developed for handling the issue
- Complexity of thought processing information required
Humans can be unreliable, especially in emergency situations. With modern day controls it is very easy to add on alarms to ease the operational interaction of the plant and to aid diagnosing of faults. This is alright if the plant is not in an emergency operational situation. A control room operator can be faced with lots of alarms coming up in an emergency and is required to sift through all of the alarms, determine which are the important ones to act upon and take the correct action to minimise the consequences of the plant upset, including mitigation of potential MAs. Abnormal situation management approaches have been developed to handle this. Human factors evaluations have an important contribution to provide, especially when there are many controls in place that are procedural and their effectiveness needs to be critically evaluated.
45 Likelihood Assessment - Human Error
Type of Behaviour | Error Probability
Extraordinary errors: of the type difficult to conceive how they could occur: stress free, powerful cues initiating for success. | 10^-5 (1 in 100,000)
Error in regularly performed, commonplace, simple tasks with minimum stress (e.g. selection of a key-operated switch rather than a non key-operated switch). | 10^-4 (1 in 10,000)
Errors of omission where dependence is placed on situation cues and memory. Complex, unfamiliar task with little feedback and some distractions (e.g. failure to return manually operated test valve to proper configuration after maintenance). | 10^-2 (1 in 100)
Highly complex task, considerable stress, little time to perform it, e.g. during abnormal operating conditions, operator reaching for a switch to shut off an operating pump fails to realise from the indicator display that the switch is already in the desired state and merely changes the status of the switch. | 10^-1 (1 in 10)
Table 5: Example Human Error Potential Values (based on Hunns and Daniels 1980 and Kletz 1991)
46 Likelihood Assessment - Event Trees
- Used to determine the likelihood of potential consequences after the hazard has been realised
- It starts with a particular event and then defines the possible consequences which could occur
- Each branching point on the tree represents a controlling point, incorporating the likelihood of success or failure, leading to specific scenarios
Such scenarios could be:
- Fire
- Explosion
- Toxic gas cloud
Information can then be used to estimate the frequency of the outcome for each scenario
47 Likelihood Assessment – Event Trees Event tree example – LPG Pipeline Release
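An event tree calculation for a release of this kind, as an added example that is not part of the original presentation (the slide's figure did not survive in this transcript). The initiating frequency, the branch questions, their probabilities and the outcome names are all constructed for illustration.

```python
from collections import defaultdict
from math import isclose

# Constructed illustration values; not data from the presentation.
RELEASE_FREQ = 1e-4  # assumed LPG pipeline release frequency, events per year

# A branch is (question, P(yes), subtree_if_yes, subtree_if_no); a leaf is an outcome name.
TREE = (
    "Immediate ignition?", 0.10,
    "Fire",
    ("Delayed ignition?", 0.20,
     ("Vapour cloud confined enough to explode?", 0.30, "Explosion", "Fire"),
     "Unignited release"),
)


def walk(node, freq, path=()):
    """Yield (path, outcome, frequency) for every route through the tree."""
    if isinstance(node, str):
        yield path, node, freq
        return
    question, p_yes, if_yes, if_no = node
    if not 0.0 <= p_yes <= 1.0:
        raise ValueError(f"{question}: branch probability {p_yes} is not in [0, 1]")
    # Each branching point splits the incoming frequency between its two arms.
    yield from walk(if_yes, freq * p_yes, path + ((question, "yes"),))
    yield from walk(if_no, freq * (1.0 - p_yes), path + ((question, "no"),))


def outcome_frequencies(tree, initiating_freq):
    """Sum the path frequencies per outcome and check nothing was lost or double counted."""
    totals = defaultdict(float)
    for _path, outcome, freq in walk(tree, initiating_freq):
        totals[outcome] += freq  # several paths may end in the same outcome
    if not isclose(sum(totals.values()), initiating_freq, rel_tol=1e-9):
        raise ValueError("outcome frequencies do not sum to the initiating frequency")
    return dict(totals)


if __name__ == "__main__":
    for path, outcome, freq in walk(TREE, RELEASE_FREQ):
        route = " / ".join(f"{q} {a}" for q, a in path)
        print(f"{freq:.2e} per year  {outcome:<18} {route}")
    print(outcome_frequencies(TREE, RELEASE_FREQ))
```

The conservation check is the useful discipline here: because every branch point is a yes/no split, the outcome frequencies must add back up to the release frequency, and a mismatch means a branch was omitted or counted twice.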
48 Consequences
Most scenarios will involve at least one of the following outcomes:
- Loss of containment
- Reactive chemistry
- Injury/illness
- Facility reliability
- Community impacts
- Moving vehicle incidents
- Ineffective corrective action
- Failure to share learnings
49 Consequences
- Consequence evaluation estimates the potential effects of hazard scenarios
- The consequences can be evaluated with specific consequence modelling approaches
These approaches include:
- Physical events modelling (explosion, fire, toxic gas consequence modelling programs)
- Occupied building impact assessment
Occupied building assessments are undertaken to determine whether any impacts from explosions or fires will exceed the building design criteria. For instance administration buildings located within the plant, or temporary huts located for projects - BP Texas City incident.
50 Consequences - Qualitative Evaluation
- A qualitative evaluation is based upon a descriptive representation of the likely outcome for each event
- This requires selecting a specific category rating system that is consistent with corporate culture
51 Consequences - Qualitative Descriptors Example
Consequence descriptors | Insignificant | Minor | Moderate | Major | Catastrophic
Health and Safety Values | A near miss, first aid injury | One or more lost time injuries | One or more significant lost time injuries | One or more fatalities | Significant number of fatalities
Environmental Values | No impact | No or low impact | Medium impact. Release within facility boundary | Medium impact outside the facility boundary | Major impact event
Financial Loss Exposures | Loss below $5,000 | Loss $5,000 to $50,000 | Loss from $50,000 to $1M | Loss from $1M to $10M | Loss above $10M
Purely an example and each company will have their own approach to these
52 Consequences - Quantitative Evaluation
Consequence analysis estimates the potential effects of scenarios
Tools include:
- Potential consequences (event tree)
- Physical events modelling (explosion, fire and/or gas dispersion consequence modelling programs)
- Load resistance factor design (building design)
53 Consequences - Qualitative Evaluation Example
Example: Impact of Explosions
Explosion Overpressure (kPa) | Effects
7 (1 psi) | Results in damage to internal partitions and joinery but can be repaired.
21 (3 psi) | Reinforced structures distort, storage tanks fail.
35 (5 psi) | Wagons and plant items overturned, threshold of eardrum damage.
70 (10 psi) | Complete demolition of houses, threshold of lung damage.
This is an example of criteria that would be used for building overpressure design.
Ref: NSW Department of Urban Affairs and Planning, “Risk Criteria for Land Use Planning”, Hazardous Industry Planning Advisory Paper No. 4, 2nd Edition, Sydney 1992, p
Note: Calculations can be undertaken to determine probability of serious injury and fatality
54 Consequences - Qualitative Evaluation Example
Example - Overpressure Contour - impact on facility buildings
[Figure: site plan showing the release scenario location with overpressure contours at 35 kPa, 21 kPa, 14 kPa and 7 kPa]
The overpressure contours are developed from explosion modelling software and can be plotted onto the site plan to determine buildings that would be impacted.
55 Risk Evaluation
- Risk evaluation can be undertaken using qualitative and/or quantitative approaches
- Risk comprises two categories - frequency and consequence
- Qualitative methodologies that can be used are:
  - Risk matrix
  - Risk nomograms
- Semi-quantitative techniques
  - Layers of protection analysis
- Quantitative - quantitative techniques
Risk evaluation considers both the likelihood and the consequence to determine the risk.
56 Risk Assessment - What Type?
[Figure: spectrum from Qualitative Assessment (simple, subjective, low resolution, high uncertainty, low cost) through Semi-Quantitative Assessment to Quantitative Assessment (detailed, objective, high resolution, low uncertainty, increasing cost)]
Choose the appropriate method to suit the facility and the type of analysis needed.
57 Risk Assessment - Issues For Consideration
- Greater assessment detail provides more quantitative information and supports decision-making
- Strike a balance between increasing cost of assessment and reducing uncertainty in understanding
- Pick methods that reflect the nature of the risk, and the decision options
Simpler methods are easier to understand for employees but may not provide the information required, e.g. it is difficult to assess off-site risk using a risk matrix.
58 Risk Assessment - Issues For Consideration
- Stop once all decision options are differentiated and the required information compiled
- Significant differences of opinion regarding the nature of the risk or the control regime indicate that further assessment is needed
59 Risk Assessment - Qualitative
Qualitative risk assessment can be undertaken using the following:
- Risk nomogram
- Risk matrix
Both approaches are valid and the selection will depend upon the company and its culture
The frequencies used for these methods can be purely qualitative or semi-quantitative (i.e. assign numbers to the frequency categories).
60 Risk Assessment - Risk Nomogram
- A nomogram is a graphical device designed to allow approximate calculation
- Its accuracy is limited by the precision with which physical markings can be drawn, reproduced, viewed and aligned
- Nomograms are usually designed to perform a specific calculation, with tables of values effectively built into the construction of the scales
NOTE: HAVE NEVER SEEN THIS USED BY MHFS FOR SAFETY REPORT WORK, actually never seen it used by industry for any risk assessment work - although academics and risk assessment teachers do like it!!
61 Risk Assessment - Risk Nomogram
[Figure: risk nomogram. Scales: LIKELIHOOD (Practically Impossible; Conceivable but Very Unlikely; Remotely Possible; Unusual but Quite Possible; Could Happen; Might well be Expected at Sometime); EXPOSURE (Continuous; Frequent, Daily; Occasional, Once per Week; Unusual, Once per Month; Rare, Few per year; Very Rare, Yearly or Less); TIE LINE; POSSIBLE CONSEQUENCES (Noticeable, Minor Injury / First Aid, >$1k Damage; Important, Disability, >$10k Damage; Serious, Serious Injury, >$100k Damage; Very Serious, Fatality, >$1M Damage; Disaster, Multiple Fatalities, >$10M Damage; Catastrophe, Many Fatalities, >$100M Damage); risk score scale from 500 down to 10 with bands: Very High Risk, Consider Discontinuing Operation; High Risk, Immediate Correction Required; Substantial Risk; Risk must be Reduced SFARP; Acceptable if Reduced SFARP]
Most nomograms are used in situations where an approximate answer is appropriate and useful
62 Risk Assessment - Risk Nomogram
Advantages and Disadvantages
- Accuracy is limited
- Designed to perform a specific calculation
- Cannot easily denote different hazards leading to an MA
- Typically not used by MHFs
63 Risk Assessment - Risk Matrix
- Hazards can be allocated a qualitative risk ranking in terms of estimated likelihood and consequence and then displayed on a risk matrix
- Consequence information has already been discussed, hence, information from this part of the assessment can be used effectively in a risk matrix
- Risk matrices can be constructed in a number of formats, such as 5x5, 7x7, 4x5, etc.
- Often facilities may have a risk matrix for other risk assessments (e.g. task analysis, JSA)
Very commonly used - both purely qualitatively and semi-quantitatively
64 Risk Assessment - Risk Matrix
- Results can be easily presented:
  - In tabular format for all MAs
  - Within a risk matrix
- Such processes can illustrate major risk contributors, aid the risk assessment and demonstration of adequacy
- Care needs to be taken to ensure categories are consistently used and there are no anomalies
- Australian/New Zealand Standard, AS4360, Risk Management 1999, provides additional information on risk matrices
65 Risk Assessment - Risk Matrix
Risk matrix example (AS4360)

Likelihood:
E - Rare occurrence (1 x 10^-5 per year)
D - Not likely to occur (1 x 10^-4 per year)
C - Possibility of occurring sometimes (1 x 10^-3 per year)
B - Possibility of isolated incidents (1 x 10^-2 per year)
A - Possibility of repeated events (1 x 10^-1 per year)

Consequences:
| Level | Financial Loss Exposures | Environmental Values | Health and Safety Values |
| 5 Catastrophic | Loss of above $10,000,000 | Major impact event | Significant number of fatalities |
| 4 Major | Loss from $1,000,000 to $10,000,000 | Medium impact outside the facility boundary | One or more fatalities |
| 3 Moderate | Loss from $50,000 to $1,000,000 | Medium impact. Release within facility boundary | One or more significant Lost Time Injuries (LTI) |
| 2 Minor | Loss $5,000 to $50,000 | No or low impact | One or more Lost Time Injuries (LTI) |
| 1 Insignificant | Loss below $5,000 | No impact | A near miss, First Aid Injury (FAI) or one or more Medical Treatment Injuries (MTI) |

Risk levels used in the matrix cells: Significant Risk, Moderate Risk, Low Risk, High Risk

NOTE: risk matrix cannot be used additively to present cumulative risk
66 Risk Assessment - Risk Matrix
Advantages
If used well, a risk matrix will:
- Identify event outcomes that should be prioritised or grouped for further investigation
- Provide a good graphical portrayal of risks across a facility
- Help to identify areas for risk reduction
- Provide a quick and relatively inexpensive risk analysis
- Enable more detailed analysis to be focused on high risk areas (proportionate analysis)
67 Risk Assessment - Risk Matrix
Disadvantages
- Scale is always a limitation regarding frequency reduction - it does not provide an accurate reduction ranking
- Cumulative issues and evaluations are difficult to show in a transparent manner
- There can be a strong tendency to try to provide a greater level of accuracy than the method is capable of
- Unless the consequence changes (unlikely for an existing MHF unless the Schedule 9 material is eliminated), the only aspect to change on the risk matrix will be a reduction in frequency of the MA result – this is also true for other methods
68 Risk Assessment - Semi-Quantitative Approach
- One tool is a layer of protection analysis approach (LOPA)
- It is a simplified form of risk evaluation
- The primary purpose of LOPA is to determine if there are sufficient layers of protection against a hazard scenario
- It needs to focus on:
  - Causes of hazards occurring
  - Controls needed to minimise the potential for hazards occurring
  - If the hazards do occur, what mitigation is needed to minimise the consequences
69 Risk Assessment - Semi-Quantitative Approach (LOPA)
Diagrammatic Representation - LOPA
- Analysing the safety measures and controls that are between an uncontrolled release and the worst potential consequence
- Explain briefly each layer.
70 Risk Assessment - Semi-Quantitative Approach (LOPA)
- The information for assessment can be presented as a bow-tie diagram
[Figure: bow-tie diagram. Causes (Hazards) - Preventative Controls - MA - Mitigative Controls - Outcomes (Consequences)]
- Control measures can be quickly identified
- The approach identifies convergence of different hazards into a single 'causal path', and control measures that prevent multiple hazards
- Early warning signs of an MA are explained, by showing both basic hazards and resultant hazards, in a 'cause' and 'effect' representation - "preventative" and "mitigative"
- The importance of mitigating controls to minimise the severity of an MA is highlighted and explained
- Linking consequences on the right hand side of one diagram to basic hazards on the left hand side of another diagram allows analysis of escalation events such as BLEVEs
71 Risk Assessment - Semi-Quantitative Approach (LOPA)
Advantages and Disadvantages
- Risk evaluation can be undertaken using a bow-tie approach
- A procedural format needs to be developed by the company to ensure consistency of use across all evaluations
- External review (to the safety report team) should be considered for consistency and feedback
- Correct personnel are needed to ensure the most applicable information is applied to the evaluation approach
- Consistent procedures are required.
72 Risk Assessment - Quantitative
- Quantitative assessments can be undertaken for specific types of facilities
- This is a tool that requires expert knowledge on the technique and has the following aspects:
  - It is very detailed
  - High focus on objective
  - Detailed process evaluations
  - Requires a high level of information input
  - Provides a high output resolution
  - Reduces uncertainty
  - Frequency component can be questionable as generic failure rate data is generally used
  - Provides understanding on the high risk contributors from a facility being evaluated
73 Risk Assessment - Quantitative
- Typical result output from such an assessment is individual risk contours
- Example shown is for land use planning
- Use only to determine off-site risks. Commonly used for land use planning issues. Published criteria are available.
74 Risk Assessment - Quantitative
- Time consuming
- Expensive
- Expert knowledge is required
- Not suitable for every MHF site
- Process upsets (such as a runaway reaction) cannot be easily modelled as an initiating event using standard equipment part counts - incorporation of fault tree analysis required
- Use of generic failure rate data has limitations and does not take into consideration a specific company's equipment and management system strategies
- Ensure analysis is transparent and well documented and that all controls, as far as practicable, are appropriately reflected in the analysis
- For instance, it is not suitable for a storage warehouse MHF but would be suitable for a refinery
75 Summary
- A risk assessment provides an understanding of the major hazards and a basis for determining controls in place
- Risk assessments can involve significant time and effort
- Operations personnel and managers could cause, contribute to, control or be impacted by MAs
  - Hence they should be involved in the risk assessment
- HSRs may or may not take part, but must be consulted in relation to the process of HAZID & Risk Assessment
- They should also be involved in resolution of any issues that arise during the studies, including improvements to methods and processes
76 Review and Revision
Employer must review (and revise) Hazard Identifications, Risk Assessments and Control Measures to ensure risks remain reduced to AFAP:
- At the direction of the Commission
- Prior to modification
- After a major accident
- When a control measure is found to be deficient
- At least every 5 years
- Upon licence renewal conditions
77 Sources of Additional Information
The following are a few sources of information covering risk assessment:
- Hazard and Operability Studies (HAZOP Studies), IEC 61882, Edition 1.0,
- Functional Safety – Safety Instrumented Systems for the Process Industry Sector, IEC 61511,
- Fault Tree Analysis, IEC 61025,
- Hydrocarbon Leak and Ignition Data Base, E&P Forum, February 1992 N658
- Guidelines for Process Equipment Reliability Data, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 1989
78 Sources of Additional Information
- Offshore Hydrocarbon Release Statistics, Offshore Technology Report – OTO, UK Health and Safety Executive, December 1997
- Loss Prevention in the Process Industries, Lees F. P., 2nd Edition, Butterworth Heinemann
- Layer of Protection Analysis, Simplified Process Risk Assessment, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 2001
- Nomogram, Wikipedia, the free encyclopaedia
80 Example LOPA Assessment – Spreadsheet Format
Columns: Cause; Hazard; Independent Preventative Protection Layers; Mitigative Protection Layers
- Cause: Loss of cooling tower water to condenser once every 10 years
- Hazard: Catastrophic rupture of distillation column with shrapnel, toxic release
- Protection layers:
  - Columns condenser, reboiler and piping maximum allowable working pressures are greater than maximum possible pressure from steam reboiler
  - Logic in BPCS trips steam flow valve and steam RCV on high pressure or high temperature. No credit since not independent of SIS.
  - High column pressure and temperature alarms can alert operator to shut off the steam to the reboiler (manual valve)
  - Logic in BPCS trips steam flow valve and steam RCV on high pressure or high temperature (dual sensors separate from DCS).
  - Pressure safety valve opens on high pressure
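The LOPA arithmetic behind the spreadsheet above, as an added example that is not part of the original presentation: the initiating frequency and the likelihood bands come from the slides, while every probability of failure on demand (PFD), the hardware tags and the "credit the strongest layer first" independence rule are assumptions made for illustration.

```python
import math

# Likelihood bands from the AS4360 risk matrix slide (events per year).
BANDS = [("A", 1e-1), ("B", 1e-2), ("C", 1e-3), ("D", 1e-4), ("E", 1e-5)]

INITIATING_FREQ = 0.1  # loss of cooling tower water once every 10 years (slide)

# (layer, PFD, hardware the layer relies on). PFDs and hardware tags are
# constructed for illustration; the slide gives no numbers.
LAYERS = [
    ("Design: MAWP above maximum reboiler pressure", 0.01, {"vessel design"}),
    ("BPCS trip of steam flow valve and steam RCV", 0.1, {"steam valves"}),
    ("Operator responds to high P/T alarm", 0.1, {"alarm", "manual valve"}),
    ("Trip logic with dual sensors separate from DCS", 0.01,
     {"steam valves", "dual sensors"}),
    ("Pressure safety valve", 0.01, {"PSV"}),
]

def credited_layers(layers):
    """Credit the strongest layers first and skip any layer that shares
    hardware with one already credited (assumed independence rule)."""
    used, credited = set(), []
    for name, pfd, hardware in sorted(layers, key=lambda layer: layer[1]):
        if hardware & used:
            continue  # not independent of a credited layer: no credit
        used |= hardware
        credited.append((name, pfd))
    return credited

def mitigated_frequency(init_freq, layers):
    """Initiating frequency multiplied by the PFD of each credited layer."""
    return init_freq * math.prod(pfd for _, pfd in credited_layers(layers))

def likelihood_band(freq):
    """Round up to the nearest matrix band at or above freq (conservative)."""
    for letter, per_year in reversed(BANDS):
        if freq <= per_year:
            return letter
    return "A"

if __name__ == "__main__":
    for name, pfd in credited_layers(LAYERS):
        print(f"credited  PFD={pfd:<5} {name}")
    freq = mitigated_frequency(INITIATING_FREQ, LAYERS)
    print(f"mitigated frequency {freq:.1e}/yr -> band {likelihood_band(freq)}")
```

With these assumed values the BPCS trip earns no credit because it acts on the same steam valves as the credited trip, and the result falls below band E, the point at which the matrix can no longer show further frequency reduction.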
81 Example Bowtie Assessment – System Format