Part 1 Major Incident Identification (PDF 3579kb) - WorkSafe Victoria

Seminar Two - Part 1
Major Incident Identification
26th April 2006
WorkSafe Victoria is a division of the Victorian WorkCover Authority


Session Objective
Part 1 Major Incident Identification
• To provide an overview of regulatory requirements for both Round 1 and Round 2 with practical guidance and experience from Round 1 assessment
- What the regulations require
- Major Incident identification process
- Round 1 Assessment experiences
- Round 2 Review and Revise Guidance
- Questions and Discussion


Regulations
Basic outline
• Safety Management System (R301)
• Hazard identification (R302)
• Safety assessment (R303)
• Control measures (R304)
• Emergency planning (R305)
• Review (R306)
• Role of employees (R307)
• Consultation - HSRs, employees, community (R501, R505, OHS Act)


Regulation
Background
• Reg 302 (1) (a) requires that ‘the operator of a MHF must identify all major incidents that could occur at the MHF’
Objective
• To Identify ALL POTENTIAL Major Incidents at Major Hazard Facilities
• Know what can go wrong and why before it happens


Regulation
Application
• Unless ALL possible MIs are identified, causal and contributory hazards may be overlooked and risks will not be able to be accurately identified. Likewise, the effectiveness of controls cannot be assessed
• Identification of MIs must therefore assume control measures are absent/unavailable/not functional. That is: WHAT COULD HAPPEN IF CONTROL MEASURES WERE NOT APPLIED AND MAINTAINED?


Major Incident Definition
Steps to MI Identification
• Determine the meaning/definition of “Major Incident” which is consistent with the Regulations and appropriate to the facility
• i.e.:
- Uncontrolled Incident
- Involving a Schedule 1 material
- Which poses a SERIOUS and IMMEDIATE risk to Health and Safety


Schedule 1 Material
• MHF Regs 2000 Tables 1, 2 & 3
• At commencement of Regulations
- Approx 200 facilities notified WorkSafe of >10% MHF threshold
- 47 above threshold and were registered MHF
• In 2001, 2 facilities below threshold were determined as MHF
• Today 42 Licensed MHF’s & 3 Registered MHF’s


Schedule 1 – Aggregate Quantity Example

Material               | Inventory A (te) | Inventory B (te) | Schedule 1 Threshold (te) | Inventory/Threshold
Acrolein               | Up to 2          | Up to 2          | 200                       | 0.02
Sodium chlorate        | Up to 8          | Up to 8          | 200                       | 0.08
Formaldehyde           | Up to 2          | Up to 10         | 50                        | 0.24
LPG                    | Up to 2          | Up to 2          | 200                       | 0.02
Methyl isocyanate      | Up to 0.1        | None             | 0.15                      | 0.67
Other (not Schedule 1) | Up to 20         | Up to 30         | N/a                       | 0.0
Total                  | -                | -                | -                         | 1.03


Uncontrolled Incident
Defined within the Regulations as:
• Loss of containment
• Emission
• Escape
• Fire
• Explosion
• Release of energy
Round 1 Experiences
• Majority loss of containment
• Explosion


Serious and Immediate Risk to Health & Safety
Definition
• Interpretation varied in Safety Cases such as:
- A major incident involving Schedule 1 materials that has potential to cause physical injuries or health effects that involve hospitalisation
- The potential to cause a fatality


Example MI
A catastrophic failure of the refrigeration unit that results in the release of the contents (1 tonne of ammonia) over a 30 minute period
• Schedule 1: Ammonia
• Uncontrolled event: Loss of Containment of Schedule 1
- Based on a release rather than consequence outcome as considered easier to structure the hazard register around a ‘loss of containment’


Example MI
• Serious and Immediate risk to health and safety
- A release of this scale could have significant health effects (e.g. hospitalise persons for 3 days or more), and particularly create offsite impacts


Major Incident
Major Incident is the central starting point of the safety case
[Diagram: Causes (Hazards) - Preventative Controls - MI - Mitigative Controls - Outcomes (Consequences)]


Examples of MI Events - Consequence
Albright and Wilson, Avonmouth 1996
A road tanker of sodium chlorite was off-loading to two tanks containing epichlorohydrin. Soon after, a series of explosions destroyed both the storage tank and the road tanker and started a fire, which persisted for an hour. The fire generated a 100m black plume of smoke containing hydrogen chloride, which drifted across the Severn estuary closing local motorways and rail services.


Examples of MI Events - Consequence
BP Texas City Explosion March 2005
Over-pressurisation and pressure relief of a refinery unit vented hydrocarbon to atmosphere forming a vapour cloud which was ignited. Fifteen people were killed and over 170 persons were injured.
Both these incidents are examples of an uncontrolled release of schedule 1 materials.


Major Incident Identification Steps
• Identify schedule 1 material on/or potentially onsite
- List location and maximum inventory potentials
• For each individual Schedule 1 location determine if there is the potential for an “Uncontrolled Event”
- Note: assume control measures are absent/unavailable/not functional
- List identified uncontrolled events


Major Incident Identification Steps
• For each “Uncontrolled Event” determine if consequences meet the site specific definition of “Serious and Immediate risk to health and safety”
- List Major Incidents
• Consultation requirements Reg 501


Major Incident Identification
MI Identification tools
• Examples of Tools which might be used include:
- Analysis of Schedule 1 materials e.g. reactivity, stability etc.
- Analysis of Major Incident history – local, industry & global
- Structured checklist
- Hazard based screening tools
- Safety Cases
- Fire safety studies
- Consequence modelling


Round One Experiences from Assessment
• Care must be taken by facilities to ensure all Schedule 1’s are considered regardless of quantity
• Inclusion of schedule one materials used in the main facility processes and not those of ancillary activities
• Events should not be screened out on the basis of likelihood or control measures being active
• Reactive chemistry


Round Two Overview – Practical Guidance
4.3 Hazard and Major Incident Identification Review
Introduction
It is important that all major incidents and hazards that could cause a major incident are identified and reviewed (Reg 306(1)(a)) to ensure completeness of the subsequent review to confirm effectiveness of control measures (Reg 306(1)). This does not necessarily mean repeating the complete hazard identification. The general process will include:
• Quality assurance of the risk register for comprehensiveness, including full incorporation of changes over the licence period.
• Review of site incident / near miss data for implications for hazards and major incident scenarios.
• Consideration of new knowledge from external sources on potentially applicable hazards and major incidents
• Application of new methodology to the analysis of hazards and major incidents, where the need for methodology change has been identified.
[Slide callouts: Regulation Driver; What compliance looks like]


Round Two Overview – Practical Guidance
Stages of Review & Revise: Review Hazard ID and Major Incidents [Regs 306, 302]
Inputs
- Safety Case (MI & Hazard Register)
- Incident and near miss reports
- Changes to facility (MOC records)
- Non-routine modes of operation
- New knowledge
Outputs
- Update Safety Case (Hazard Register)
- Train employees
- Input into Safety Assessment review

Review Hazard ID and Major Incidents
Input: Major incident, incident & near miss reports
Review & Revise Guidance:
• Review onsite and industry Incident and near miss reports to identify possible new hazards and consequences previously not identified.
Examples of information that may be available to MHF’s are:
- BP America Refinery explosion (Texas City, March 2005)
- Worksafe MHF Website
- Incident summaries and information via internal corporate networks.
- Liquid metal embrittlement in light ends processing (Santos incident)
- Industry associations e.g. APEA, PACIA, API etc
- World wide database e.g. MHIDAS etc
Output:
• Update Hazard Register where required.
[Slide callout: Practical Guidance - Range of potential information sources - Range of > Examples > Questions > Sources of information]


Major Incident Identification Session
Part 1 Major Incident Identification
• To provide an overview of regulatory requirements both round 1 and round 2 with practical guidance and experience from round 1 assessment


Questions & Discussion
• Questions?


Seminar Two - Part 2
Hazard Identification
26th April 2006
WorkSafe Victoria is a division of the Victorian WorkCover Authority


Session Objective
Part 2 Hazard Identification
• To provide an overview of regulatory requirements for both Round 1 and Round 2 with practical guidance and experience from Round 1 assessment
- What the regulations require
- Hazard Identification process
- Round 1 Assessment experiences
- Round 2 Review and Revise Guidance
- Analyst Assessment
- Questions and Discussion


Regulation Requirement
• Reg 302 (1) (b) requires that ‘the operator of a MHF must identify all hazards that could cause or contribute to causing’ the identified MIs
• Hazard in this context is defined as: “any activity, procedure, plant, process, substance, situation or any other circumstance that could cause, or contribute to causing, a major incident”


Hazard Identification Process
The Hazard Identification process sets the foundation for the remainder of the safety case process. The process should:
• Involve appropriate personnel & appropriate amount of time for hazard Identification
• Based on up-to-date and accurate information
• An appropriate range of techniques employed
• Foster creative thinking about possible hazards that have not previously been experienced


Hazard Identification Process
• Ensure benefits of hindsight have been fully exploited;
• A fresh view should be taken of any existing knowledge, and should not automatically assume that no new knowledge is required;
• Uncertainties are explicitly identified and recorded for later analysis;
• All methods, results, assumptions and data are documented; and
• It is regularly maintained and used as a live document.


Hazard Identification Process
Planning and preparation for Hazard Identification
[Diagram: three streams of activity laid out across Step 1, Step 2, Step 3 and Step 4]
Hazard Identification (refer to GN 13)
• Identify Major Incidents
• Identify hazards and causes
Safety Assessment (refer GN 14)
• Assess likely frequency and consequences of each hazard without controls in place
• Conduct the initial safety assessment to assess the level of risk posed by each MI, taking existing controls into account.
• Ensure all practicable steps to reduce risk for each MI have been considered
• Ensure all practicable steps to reduce risk associated with each MI have been considered
• Conduct the final Safety Assessment - Assess the level of risk posed by each hazard assuming improvement actions are in place
Control Measures
• Identifying existing Control Measures
• Identify Potential Additional Controls
• Adequacy assessments of controls for each MI
• Identify/Select Potential Additional Controls
• Prepare performance standards and ensure procedures/audits in place.


Hazard Identification Process
HAZID Team Selection
• The team selection for the area or plant is critical to the whole hazard identification process
• Personnel with suitable skills and experience should be available to cover all issues for discussion within the HAZID process
• Team selection and training in methodology used should be provided


Hazard Identification Process
HAZID Team Selection
• HAZID workshops are best conducted using a facilitated multi-disciplinary team based approach
• Facilitation by a suitably qualified and experienced independent person
• Sufficient involvement of suitably experienced and qualified personnel for the process, operations and equipment involved


Hazard Identification Process
Meeting Venue
• Hold on site if possible
• Avoid interruptions if possible
• Schedule within the normal work pattern, or within the safety case activities
• Meetings less than 3 hours are not effective
• Meetings that last all day are also not effective, however practicalities may require all day meetings
• Don’t underestimate the time required


Hazard Identification Process
Step 1
Divide the facility into manageable sections to provide sufficient focus to fully identify potential major incidents and hazards. The section could be defined according to:
• Similarity of hazard or activity
• The chemicals involved
• Geographical location
The complexity of the section should control the size of each section. You should take care to ensure there are no gaps between your sections


Hazard Identification Process
Step 2
The equipment, materials, human activities and process operations to be covered should be clearly defined and understood. For each section describe:
• The Schedule 1 materials involved
• The activities that are, or could be, conducted
• The design intent and any limitations to activities or operations
• Any changes that have occurred over time and the current condition of equipment


Hazard Identification Process
Step 3
Apply your selected Hazard Identification technique
You need to:
• Consider full range of factors that could result in or influence a MI
• Avoid inappropriate screening of hazards
• Provide adequate depth of analysis including sufficient detail to explain why, when and how
• Use lateral thinking and realism in Hazard Identification
• Fully document the Hazard Identification


Hazard Identification Process
[Flow diagram, in order:]
Define boundary
System description
Divide system into sections
Analyse each section
• asset or equipment failure
• external events
• process operational deviations
• hazards associated with all materials
• human activities which could contribute to incidents
• interactions with other sections of the facility
Existing studies
Selected methods
Systematically record all hazards
Hazard Register
Independent check
Revisit after safety assessment


Hazard Identification – Range of Factors
[Diagram: factors arranged around Major Incident Identification]
• People: Culture, skills, knowledge, training, attitude, interaction
• Operating modes: Normal operation, Start-up, Shutdown, Abnormal, Emergency
• External Factors (Extreme weather, lightning, earthquake, supplier quality)
• Tasks: Operations, Construction or maintenance activities, Work procedures
• Systems: Org chart, Supervision, management systems, communication, interfaces
• Technology: Equipment, tools, control systems, processes


Hazard Identification – Depth of Analysis
[Diagram labels: Corrosion; NDT inspection program; Equipment specification; Component failure; Incorrect operation; Tanker Unloading procedure; Overfill; Pressure relief valve; Overpressure; Loss of containment; Un-trained driver; Driver loss of attention; Approved driver access control; Dead man switch]
Corrosion was identified as being only very low for the materials used. The equipment specification (or design standard) is the primary control. There was no benefit in detailing underlying causes as no new controls would be justifiable.
Initially listed as ‘overfill’ only with procedure and relief valve as protection. However a more detailed task analysis suggested that there were underlying causes that could significantly influence the potential for overfill and for which control measures could be implemented (dead man switch, approved driver access control).


Examples of MI Events – Storage Tank

Causes                                                                 | Hazards                                | MI
Accounting error                                                       | Overfill tank                          | Liquid overflow
Vent blockage                                                          | Overpressure                           | Vapour and liquid release
Corrosion; Impact                                                      | Tank failure                           | Liquid release
Contamination; High temp; Air ingress; Ignition (hot work, static)     | Exothermic reaction; Internal Explosion | Vapour and liquid release; Release of energy

Consequences
1. Fire
2. Explosion
3. Exposure to smoke
4. Exposure to products of combustion


Examples of MI Events – Fractionation Unit
Causes
- Flow upsets
- Heating problems
- Cooling problems (too much or too little)
- Control problems
- Process monitoring (temp, pressure, level)
- Corrosion
- Impact
- Contamination
- High temp
Hazards
- High level
- Low level
- High temperature
- High pressure
- Thermal shock (high or low temp)
- Vessel failure
- Reaction
MI
- Uncontrolled release of flammable gas, liquid, vapour or toxic materials
- Release of energy
Consequences
1. Fire
2. Explosion
3. Toxic exposure
4. Exposure to smoke
5. Exposure to products of combustion


Hazard Identification – Lateral Thinking
• It is important to employ realism and lateral thinking
• Challenge assumptions and existing norms
• Think beyond the immediate experience
• Explore the effect of failure of management systems, controls and procedures
• Consider how relatively minor problems may grow into MI


Consider the Past, Present and Future
• Historical conditions: What has gone wrong in the past?
- Root Cause
- Historical Records
- Process Experience
- Near Misses
• Existing conditions: What could go wrong currently?
- HAZID Workshop
- HAZOP Study
- Scenario Definitions
- Checklists
• Future conditions: What could go wrong due to change?
- Change Management
- What-If Judgement
- Prediction
[Diagram labels: Identified Hazards; unforeseeable]


HAZID Techniques
• HAZOP - identifies “process plant” type incidents
• What If Analysis - possible outcomes of change
• FMEA/FMECA - equipment failure causes
• HAZAN - obtaining an understanding of hazards in terms of risk
• Brainstorming - whatever anyone can think of


HAZID Techniques
• Task Analysis - maintenance etc, incidents
• Fault Tree Analysis - combinations of failures
• Checklists - questions to assist in hazard identification


HAZOP
Example of a HAZOP report for a single assessed item


HAZOP
Advantages
• HAZOPs are effective for identifying hazards, and events leading to an accident, release or other undesired event
• The identification of these hazards is important in identifying measures to mitigate risk
• The HAZOP study is also a very systematic and rigorous process
• The systematic approach goes some way to ensuring all hazards are considered


HAZOP
Disadvantages
• HAZOPs are most effective when conducted using P&IDs, though they can be done with PFDs
• Most effective when detailed P&IDs are available
• Requires accurate P&IDs
• Requires significant resource commitment
• HAZOPs are time consuming
• The HAZOP process is quite monotonous and maintaining participant interest can be a challenge


HAZOP
Caution
• Relies on a suitable set of guidewords being applied which typically needs to be broader than the stock standard guideword set
• For instance, batch operations will need a specific set of guidewords developed
• Application of the tool in itself does not guarantee success - skilled facilitation and very good process knowledge are essential
• Best suited to chemical processing facilities


What-If
Features
• Multi-disciplined team exercise
• Examines complete systems or sub-systems
• Essentially a brainstorming process often supplemented / expanded by use of a structured guideword checklist e.g. SWIFT
• Examines deviations from normal “as intended” operation
• Provides advantage of a step back look at interactions within, between and beyond the boundaries of plants
• May provide broader perspective
• More thorough than brainstorming alone
Weaknesses
• Less rigorous than HAZOP
• Very high dependency of skills of facilitator
Caution
• Caution required to avoid overlooking the detail


What-If
SWIFT Structure
• Material Problems (MP)
• External Effects or Influences (EE/I)
• Operating Errors and other Human Factors (OE/HF)
• Analytical or sampling errors (A/SA)
• Equipment/instrument malfunction (E/IM)
• Process upsets of unspecified origin (PUUO)
• Utility Failures (UF)
• Integrity failure or LOC (IF/LOC)
• Emergency Operations (EO)
• Environmental Release (ER)
SWIFT Process
• Define Process Section or Node
• Discuss design intent, process conditions etc
• Summarise Process description
• Select Category
• Initially “brainstorm” each category
• Finally apply SWIFT checklist prompts to mop up


FMEA/FMECA
Failure Modes and Effects Analysis / Failure Modes and Effects Criticality Analysis
Features
• Highly structured technique which explores the effects of failures or malfunctions of individual components in a system
• Usually applied to a complex item of mechanical or electrical equipment
• Defines the system as a composite of sub-systems
• Individual system, sub-system and component failure individually analysed to identify failure modes and their causes
• Generally applied to solve a specific problem or set of problems
• Can be used for single point failures but can be extended to cover concurrent failure modes
• Valuable as a basis for FTA/ETA
Weaknesses
• Extremely time consuming - best used for complex items of equipment only
Caution
• Success relies on robust and detailed technical knowledge of system being studied


FMEA/FMECA
FMEA Process
• System under consideration is defined
• System is broken down into sub-systems
• Failure mode questions asked
> How can each component/part fail?
> What might cause these modes of failure?
> What could be the effects if these failures did occur?
> How serious are these failure modes?
> How is each failure mode detected?
• Level of risk is determined
• Risk priority codes assigned
• Corrective measures considered
• Summary prepared in order of risk ranking


Brainstorm
Features
• Team based exercise
• Based on the principle that several experts with different backgrounds can interact and identify more problems when working together
• Can be applied with many other techniques to vary the balance between free flowing thought and structure
• Can be effective at identifying obscure hazards which other techniques may miss
• Useful starting point for many HAZID techniques to focus group’s ideas and lubricate thought process
• Facilitates active participation and input
• Allows operator experience to surface readily
• Enables “thinking outside the square”
Weaknesses / Caution
• Less rigorous and systematic than other techniques
• High risk of missing hazards unless combined with other tools
• Caution required to avoid overlooking the detail


HAZAN
• Risk ranking tools are used
- Dow index identifies fire, explosion and chemical reactivity hazards in plant design and is used for existing plant. Is limited to process units rather than auxiliary plant such as power generators etc
- Mond index developed by ICI after the Flixborough incident and wider in scope than the Dow index. Includes wider consideration of continuous and batch processes, loading, unloading and storage etc
- HAZOP, FTA could form the basis of a HAZAN.


Task Analysis (JSA etc)
Features
• Technique which analyses human interactions with the tasks they perform, the tools they use and the plant, process or work environment.
• Tool breaks down a task into individual steps and analyses each step for the presence of potential hazards
• Several highly developed tools on market (LPS etc)
• Used widely to manage known injury related tasks in workplace
• Excellent tool for hazard identification related to human tasks
Weaknesses / Caution
• Relies on multi-disciplined input with specific input of person who normally carries out task
• Often assumed to be the only tool of hazard identification or risk assessment
• Does not address plant process deviations which are not related to human interaction


Fault Tree Analysis
Features
• Graphical technique
• Provides a systematic description of the combinations of possible occurrences in a system which can result in an undesirable outcome
• This method easily combines hardware failures and human failures
• Uses logic gates to define modes of interaction (ANDs/ORs)
• Semi-quantitative > defines probabilities to each event which can be used to calculate the probability of the top event.
• Easy to read and understand hazard profile
• Easily expanded to bow tie diagram by addition of event tree
• Allows controls to be clearly indicated alongside hazard
Weaknesses
• Need to have identified the incident first
• More difficult than other techniques to document
• Trees can become rather complex
• Time consuming approach
• More difficult to update
• Quantitative data needed to perform properly


Check-Lists
Features
• Simple set of prompts or checklist questions to assist in hazard identification
• Can be used in combination with any other technique
• Can be developed progressively to capture corporate learning of organisation
• Particularly useful in early analysis of change projects
• Highly valuable as a cross check review tool following application of other techniques
• Useful as a shop floor tool to review continued compliance with SMS
Weaknesses
• Tend to stifle creative juices
• Used alone high risk of limiting study to already known hazards - no new hazard types are identified
Caution
• Checklists on their own will rarely be able to satisfy regulatory requirements


Sources of Additional Information
• Loss Prevention In The Process Industries, Second Edition, Reed Educational and Professional Publishing, F. P Lees, 1996
• Guidelines for Hazard Analysis, Hazardous Industry Planning Advisory Paper No.6, NSW Department of Planning, June 1992
• HAZOP and HAZANs, Notes on the Identification and Assessment of Hazards, Second Edition, Trevor Kletz, The Institution of Chemical Engineers, 1986


Sources of Additional Information
• Guidelines for Hazard Evaluation Procedures, Second Edition, Centre for Chemical Process Safety, American Institute of Chemical Engineers, 1992
• Layer of Protection Analysis, Simplified Process Risk Assessment, Centre for Chemical Process Safety, American Institute of Chemical Engineers, 2001
• Hazard Identification and Risk Assessment, Geoff Wells, The Institution of Chemical Engineers, 19.
• MIL-STD-1629A, 1980
• Failure Modes and Effects Analysis, J. Moubray, RCM II, 2000


Round One Safety Gains
• Hazard (Inventory) reduction
- Reduction in buffer storage quantities
- Removal of surplus high-risk materials
- Removal of waste and contaminated materials


Round One Assessment Feedback
• Operators need to ensure that hazard identification, and hence the safety assessment, addresses all Schedule 1 materials used, all actual and proposed activities, all external hazards, and the human factor.
• Operators should consider applying a range of hazard identification techniques, to ensure complete coverage and produce the most effective outcome.
• Operators need to ensure that the results of the hazard identification are linked to the consequent safety assessment and its findings, and that the results of the safety assessment are linked to the adopted control measures.


Round Two Overview – Practical Guidance
4.3 Hazard and Major Incident Identification Review
Introduction
It is important that all major incidents and hazards that could cause a major incident are identified and reviewed (Reg 306(1)(a)) to ensure completeness of the subsequent review to confirm effectiveness of control measures (Reg 306(1)). This does not necessarily mean repeating the complete hazard identification. The general process will include:
• Quality assurance of the risk register for comprehensiveness, including full incorporation of changes over the licence period.
• Review of site incident / near miss data for implications for hazards and major incident scenarios.
• Consideration of new knowledge from external sources on potentially applicable hazards and major incidents
• Application of new methodology to the analysis of hazards and major incidents, where the need for methodology change has been identified.
[Slide callouts: Regulation Driver; What compliance looks like]


Safety Case – Analyst Assessment
Identification of Hazards must be comprehensive (Reg 302(1)), Licence Test(803(1)(b))
• Have all potential major incidents and hazards been identified for the Safety Case?
• Has the identification of hazards for the Safety Case addressed all areas of the facility, and all foreseeable activities, where there is a potential for a major incident?
• Has identification of hazards included the full range of potential major incidents, and the full range of hazards that may cause or contribute to potential major incidents?
• Has identification of hazards included consideration of factors external to the facility (or external to the specific section of the facility that is being studied)?
• Has the identification of hazards avoided “screening-out” of hazards and potential MIs?


Safety Case – Analyst Assessment
Identification of Hazards must be documented (Reg 302(2)) Licence Test(803(1)(b))
• Has the hazard identification been fully documented?
• Is the documentation suitably transparent and understandable?


Safety Case – Analyst Assessment
Methods and Criteria for Identification of Hazards should be Appropriate (Licence Test(803(1)(c))
• Does the operator’s hazard identification use suitable definitions of major incident etc?
• Was a suitable method specified for each area of the facility, and each operating mode?
• Was the identification of hazards based on a suitable scope, detail, etc?
• Did the identification of hazards take account of all relevant information?
• Did the identification of hazards consider possible limits or errors in design, or breakdowns in operations?


Safety Case – Analyst Assessment
Identification of Hazards must be Reviewed and Revised when Necessary (Reg 306, Licence Test(803(1)(b)&(803(1)(b))
• Has hazard identification actually taken place in the circumstances required by the Regulations?
• Has any such review and revision of hazard identification addressed all relevant aspects?
• Does the documentation of the hazard identification facilitate the review and revision process?


Major Incident Identification Session
Part 2 Hazard Incident Identification
• To provide an overview of regulatory requirements for both Round 1 and Round 2 with practical guidance and experience from Round 1 assessment.


Questions & Discussion
• Questions?


Seminar Two – Part 3
Safety Assessment (Part 1)
26th April 2006
WorkSafe Victoria is a division of the Victorian WorkCover Authority


Session Objective
Part 3 Safety Assessment
• To provide an overview of regulatory requirements for both Round 1 and Round 2 with practical guidance and experience from Round 1 assessment
- What the regulations require
- Safety Assessment process
- Round 1 Assessment experiences
- Round 2 Review and Revise Guidance
- Questions and Discussion


Regulations
Basic outline
• Safety Management System (R301)
• Hazard identification (R302)
• Safety assessment (R303)
• Control measures (R304)
• Emergency planning (R305)
• Review (R306)
• Role of employees (R307)
• Consultation - HSRs, employees, community (R501, R505, OHS Act)


Regulations
Regulation 303 (Safety Assessment) states:
1. The Operator of a major hazard facility must conduct a comprehensive and systematic Safety Assessment in relation to all potential major incidents and all hazards that could cause, or contribute to causing, those potential major incidents


Regulations
2. A safety assessment must involve an investigation and analysis of the hazards and major incidents that provide the Operator with a detailed understanding of all aspects of risk to health and safety associated with major incidents, including:
a) the nature of each hazard and major incident
b) the likelihood of each hazard causing a major incident
c) in the event of a major incident occurring, its magnitude and the severity of consequences to persons both on-site and off-site
d) the range of control measures considered


Regulations
3. In conducting a safety assessment, the Operator must:
a) consider hazards cumulatively and individually, and
b) use assessment methodologies (whether quantitative or qualitative, or both) that are appropriate to the hazards being considered


Regulations
4. The Operator must document all aspects of the safety assessment, and the documentation must:
a) describe the methodology used in the investigation and analysis
b) state all the matters specified in paragraphs (a) to (d) in sub-regulation (2)
c) contain judgments as to the matters specified in paragraphs (b) and (c) of sub-regulation (2), and reasons for those judgments


Regulations
d) contain, in relation to the range of control measures considered:
1) statements as to their viability and effectiveness, and
2) reasons for selecting certain control measures and rejecting others
e) be made available for inspection by the Authority or an inspector


Definition for Safety Assessment
• Any analysis or investigation that contributes to understanding of any or all aspects of the risk of major incidents, including their:
- causes
- likelihood
- consequences
- means of control
- risk evaluation


Approach
• An Operator must carry out safety assessments in order to have a comprehensive and detailed understanding of all these aspects for all major incidents and their causes
• The safety assessment must evaluate the effects of a range of control measures and provide a basis for selection/rejection of measures - i.e. safety assessment must be a component of the demonstration of adequacy required within the safety case


Approach
• The MHF Regulations respond to this by requiring comprehensive and systematic identification and assessment of hazards
• HAZID and Safety Assessment must have participation by employees, as they have important knowledge to contribute together with important learnings


Approach
Types of Safety Assessment
- Hazard Identification
- Qualitative Assessment
- Detailed Studies
- Quantitative Risk Analysis
- Likelihood Analysis
- Plant Condition Analysis
- Asset Integrity Studies
- Consequence Analysis
- Human Factors Studies
- Technology Studies


Safety Assessment Evaluation
Causes
• From the HAZID and MI evaluation process, pick an MI for evaluation
• From the hazard register, retrieve all of the hazards that lead to the MI being realised
• In a structured approach, list all of the controls currently in place to prevent each of the hazards that lead to the MI being realised
• Examine critically all of the controls currently in place designed to prevent the hazard being realised


Safety Assessment Evaluation - Causes
List all possible causes of the incident (identified during HAZID study)
[Diagram: Hazard Scenario 1, Hazard Scenario 2, Hazard Scenario 3, etc., each leading to the MI]


Safety Assessment Evaluation - Causes
List all prevention controls for the incident (identified during HAZID study)
[Diagram: Hazard Scenario 1 → Prevention control C1-1 → Prevention control C1-2 → MI; Hazard Scenario 2 → Prevention control C2-1 → MI; Hazard Scenario 3, etc. → Prevention control C3-1 → MI]


Likelihood Assessment
• Likelihood analysis can involve a range of approaches, depending on the organisation's knowledge, data recording systems and culture
• This knowledge can range from:
- In-house data - existing data recording systems and operational experience
- Reviewing external information from failure rate data sources
• Both are valid, however, the use of in-house data can provide added value as it is reflective of the management approaches and systems in place


Likelihood Assessment
Likelihood Analysis
• A “Likelihood” is an expression of the chance of something happening in the future - e.g. Catastrophic vessel failure, one chance in a million per year (1 x 10^-6 /year)
• “Frequency” is similar to likelihood, but refers to historical data on actual occurrences


Likelihood Assessment
Likelihood Analysis
Consider a pump failure scenario
• From the company’s historical records
- the type of pump with this operational duty (which incorporates the company’s maintenance and management systems approaches)
- has failed once in one hundred years of operational time (1 x 10^-2 /year)


Likelihood Assessment
Likelihood Analysis
• Likelihood Analysis can use:
- Historical
  ♦ Site historical data
  ♦ Generic failure rate data
- Assessment
  ♦ Workshops (operators and maintenance personnel)
  ♦ Fault trees
  ♦ Event trees
  ♦ Assessment of human error


Likelihood Assessment
Site Historical Data
• This is taken from
- site incident information
- external incident and frequency information
- maintenance records
- corporate history


Likelihood Assessment
Workshops
• Workshops are a very good basis for analysing information and determining likelihood of events occurring
• The structure of the workshops should be based upon subject matter experts together with appropriate representation (see HAZID seminar)
• The information derived should be documented for transparency and clarity purposes together with any further research or recommendations for additional investigations to be undertaken


Likelihood Assessment
External Incident Information
• Information from external sources can be very useful
• This would cover incident information and generic failure rate information from external sources
• Information can also be used in a qualitative manner
• Generic failure frequency data for piping, valves, vessels (process and storage) and other process items can be obtained from reviewing data banks and available public literature


Likelihood Assessment
Maintenance Records
• Properly kept maintenance records will provide excellent information on a range of equipment history
• This information can be used to determine how often equipment has failed and the cause of failure
• This information can support decision making processes
• For instance, justification for extension of relief valve testing time frame will be easier and more transparent if the actual history is available and complete, and if previous testing was undertaken in accordance with specific standards


Likelihood Assessment
Corporate History
• Corporate history is a valuable tool that can be used if the information is kept in a consistent and transparent format
• Any information must be in accordance with the company’s corporate culture, testing and inspection regimes
• Management systems need to be implemented and consistent with management requirements at site level so that the information can be effectively used


Likelihood Assessment
Qualitative Approach
• A qualitative approach can be used for assessment of likelihood
• This is based upon agreed scales for interpretation purposes and for ease of consistency
- For example, reducing orders of magnitude of occurrence
• It also avoids the sometimes more complicated issue of using frequency numbers, which can be difficult on occasions for people to interpret
• This approach is shown in the following slide


Likelihood Assessment
Qualitative Information

| Category | Likelihood |
|---|---|
| A | Possibility of repeated events (once in 10 years) |
| B | Possibility of isolated incidents (once in 100 years) |
| C | Possibility of occurring sometimes (once in 1,000 years) |
| D | Not likely to occur (once in 10,000 years) |
| E | Rare occurrence (once in 100,000 years) |


Likelihood Assessment
Generic Failure Rate Data
• This information can be obtained from:
- American Institute of Chemical Engineers Process Equipment Reliability Data
- Loss Prevention in the Process Industries
- E&P Forum
- UK Health and Safety Executive data
- and other published reports
(Refer to Sources of Additional Information slide for references)


Likelihood Assessment
Fault Trees
• A fault tree is a graphical representation of the logical relationship between a particular system, accident or other undesired event, typically called the top event, and the primary cause events
• A fault tree analysis examines the state of the system to find and evaluate the mechanisms influencing a particular failure scenario


Likelihood Assessment
Fault Trees
• A fault tree is constructed by defining a top event and then defining the cause events and the logical relations between these cause events
• This is based on:
- equipment failure rates
- design and operational error rates
- human errors
- analysis of design safety systems and their intended function
• An example is presented in the following slide


Likelihood Assessment
Fault Trees - Example
Process vessel overpressured (AND)
- Pressure rises (AND)
  ♦ Process pressure rises
  ♦ Control fails high
- PSV does not relieve (OR)
  ♦ PSV too small
  ♦ Fouling inlet or outlet
  ♦ PSV stuck closed
  ♦ Set point too high
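The fault tree on this slide can be quantified as follows. This is an added example, not part of the seminar material: the gate placement is this editor's reading of the slide, and every probability is a constructed value, since the slide gives none.

```python
"""Quantify the 'process vessel overpressured' fault tree (added example)."""
import math
from itertools import product

# Probability of each basic event over one year.
# CONSTRUCTED values for illustration only; the slide shows structure, not numbers.
BASIC = {
    "Process pressure rises": 0.1,
    "Control fails high": 0.05,
    "PSV too small": 0.001,
    "Fouling inlet or outlet": 0.01,
    "PSV stuck closed": 0.005,
    "Set point too high": 0.002,
}

# A node is a basic-event name or a tuple (label, gate, children).
# Gate placement is an assumption based on the slide's layout.
TREE = ("Process vessel overpressured", "AND", [
    ("Pressure rises", "AND",
     ["Process pressure rises", "Control fails high"]),
    ("PSV does not relieve", "OR",
     ["PSV too small", "Fouling inlet or outlet",
      "PSV stuck closed", "Set point too high"]),
])


def probability(node, basic=BASIC):
    """Gate-by-gate probability of a node.

    Exact only when basic events are independent and none appears twice
    in the tree, which holds for this tree.
    """
    if isinstance(node, str):
        return basic[node]
    _label, gate, children = node
    probs = [probability(child, basic) for child in children]
    if gate == "AND":
        return math.prod(probs)
    if gate == "OR":
        return 1.0 - math.prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Smallest sets of basic events that together cause the node."""
    if isinstance(node, str):
        return [frozenset([node])]
    _label, gate, children = node
    child_sets = [minimal_cut_sets(child) for child in children]
    if gate == "OR":      # any one child's cut set is enough
        candidates = {s for sets in child_sets for s in sets}
    elif gate == "AND":   # need one cut set from every child
        candidates = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    # Drop any set that strictly contains another: it is not minimal.
    minimal = [s for s in candidates if not any(o < s for o in candidates)]
    return sorted(minimal, key=sorted)


def ranked_cut_sets(tree=TREE, basic=BASIC):
    """Cut sets with their probabilities, largest contributor first."""
    scored = [(math.prod(basic[e] for e in cs), sorted(cs))
              for cs in minimal_cut_sets(tree)]
    return sorted(scored, reverse=True)


def rare_event_bound(tree=TREE, basic=BASIC):
    """Sum of cut-set probabilities: a conservative upper bound on the top event."""
    return sum(p for p, _events in ranked_cut_sets(tree, basic))


if __name__ == "__main__":
    print(f"Top event probability: {probability(TREE):.3e}")
    print(f"Rare-event upper bound: {rare_event_bound():.3e}")
    for p, events in ranked_cut_sets():
        print(f"  {p:.2e}  {' + '.join(events)}")
```

Ranking the cut sets shows which control failure dominates the top event, which is where further likelihood analysis is best directed.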


Likelihood Assessment
Assessment of Human Error
• Human error needs to be considered in any analysis of likelihood of failure scenarios
• The interaction between pending failure scenarios, actions to be taken by people and the success of those actions needs to be carefully evaluated in any safety assessment evaluation
• Some key issues of note include:
- Identifying particular issue
- Procedures developed for handling the issue
- Complexity of thought processing information required


Likelihood Assessment
Assessment of Human Error

| Type of Behaviour | Error Probability |
|---|---|
| Extraordinary errors: of the type difficult to conceive how they could occur: stress free, powerful cues initiating for success. | 10^-5 (1 in 100,000) |
| Error in regularly performed, commonplace, simple tasks with minimum stress (e.g. Selection of a key-operated switch rather than a non key-operated switch). | 10^-4 (1 in 10,000) |
| Errors of omission where dependence is placed on situation cues and memory. Complex, unfamiliar task with little feedback and some distractions (e.g. failure to return manually operated test valve to proper configuration after maintenance). | 10^-2 (1 in 100) |
| Highly complex task, considerable stress, little time to perform it e.g. during abnormal operating conditions, operator reaching for a switch to shut off an operating pump fails to realise from the indicator display that the switch is already in the desired state and merely changes the status of the switch. | 10^-1 (1 in 10) |


Event Trees
• An event tree is used to determine the likelihood of potential consequences after the hazard has been realised
• It starts with a particular event, such as failure of a pipe containing LPG, and then defines the possible consequences which could occur
• The main elements of the event tree are definitions and branch points or logic branching points


Event Trees
• Each branching point represents a controlling point, incorporating the likelihood of success or failure, leading to specific scenarios
• Such scenarios could be:
- Fire
- Explosion
- Toxic gas cloud
• Information can then be used to estimate the frequency of the outcome for each scenario
• An example is presented in the next slide


Event Trees
Event tree example – LPG Pipeline Release
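An event tree for an LPG pipe failure, walked branch by branch to give a frequency for each outcome. This is an added example, not part of the seminar material: the branch questions, branch probabilities, initiating frequency and the "Gas cloud disperses unignited" outcome are all constructed for illustration.

```python
"""Event tree walk for an LPG pipe failure (added example, constructed data)."""
import math

# Initiating event: failure of a pipe containing LPG, per year (constructed value).
INITIATING_FREQUENCY = 1e-4

# Each branching point asks a yes/no question with probability p_yes of "yes".
# A string is a final outcome. All questions and probabilities are constructed.
EVENT_TREE = {
    "question": "Immediate ignition?",
    "p_yes": 0.1,
    "yes": "Fire",
    "no": {
        "question": "Release isolated?",
        "p_yes": 0.8,
        "yes": {
            "question": "Delayed ignition?",
            "p_yes": 0.05,
            "yes": "Fire",
            "no": "Gas cloud disperses unignited",
        },
        "no": {
            "question": "Delayed ignition?",
            "p_yes": 0.3,
            "yes": "Explosion",
            "no": "Gas cloud disperses unignited",
        },
    },
}


def walk(node, frequency, path=()):
    """Return one (path, outcome, frequency) tuple per route through the tree."""
    if isinstance(node, str):
        return [(path, node, frequency)]
    p_yes = node["p_yes"]
    if not 0.0 <= p_yes <= 1.0:
        raise ValueError(f"{node['question']}: probability {p_yes} out of range")
    question = node["question"]
    return (walk(node["yes"], frequency * p_yes, path + ((question, "yes"),))
            + walk(node["no"], frequency * (1.0 - p_yes), path + ((question, "no"),)))


def outcome_frequencies(tree=EVENT_TREE, initiating=INITIATING_FREQUENCY):
    """Total frequency per outcome, summed over every route that reaches it."""
    totals = {}
    for _path, outcome, frequency in walk(tree, initiating):
        totals[outcome] = totals.get(outcome, 0.0) + frequency
    # Branch probabilities at each point sum to 1, so the outcome
    # frequencies must add back up to the initiating frequency.
    if not math.isclose(sum(totals.values()), initiating, rel_tol=1e-9):
        raise ArithmeticError("outcome frequencies do not sum to the initiating frequency")
    return totals


if __name__ == "__main__":
    for outcome, frequency in sorted(outcome_frequencies().items(),
                                     key=lambda item: item[1], reverse=True):
        print(f"{frequency:.2e} per year  {outcome}")
```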


Consequences
Approach
• Most scenarios will involve at least one of the following outcomes:
- loss of containment
- reactive chemistry
- injury/illness
- facility reliability
- community impacts
- moving vehicle incidents
- ineffective corrective action
- failure to share learnings


Consequences
Approach
• Consequence evaluation estimates the potential effects of hazard scenarios
• The consequences can be evaluated with specific consequence modelling approaches
• These approaches include:
- Physical events modelling (explosion, fire, toxic gas consequence modelling programs)
- Occupied building impact assessment


Consequences
Qualitative Evaluation
• A qualitative evaluation is based upon a descriptive representation of the likely outcome for each event
• This requires selecting a specific category rating system that is consistent with corporate culture


Consequences
Qualitative consequence descriptors - example

| Consequence descriptors | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Health and Safety Values | A near miss, first aid injury | One or more lost time injuries | One or more significant lost time injuries | One or more fatalities | Significant number of fatalities |
| Environmental Values | No impact | No or low impact | Medium impact. Release within facility boundary | Medium impact outside the facility boundary | Major impact event |
| Financial loss Exposures | Loss below $5,000 | Loss $5,000 to $50,000 | Loss from $50,000 to $1M | Loss from $1M to $10M | Loss above $10M |


Consequences
Quantitative Evaluation
• Consequence analysis estimates the potential effects of scenarios
• Tools include:
- Potential consequences (event tree)
- Physical events modelling (explosion, fire and/or gas dispersion consequence modelling programs)
- Load resistance factor design (building design)


Consequences
Quantitative Evaluation
- Scenario for evaluation
- Physical effects model evaluations
- Presentation of consequences


Consequences
Quantitative Evaluation – Impact of Fires

| Heat Flux (kW/m^2) | Effects |
|---|---|
| 4.7 | Will cause pain in approximately 30 seconds |
| 12.6 | Significant chance of fatality after long exposure. Thin steel away from fire may reach a thermal stress level high enough to cause structural failure. |
| 23 | Likely fatality for extended exposure. Unprotected steel will reach thermal stress temperatures that can cause failure. |
| 37.5 | Highly likely people will be killed in instantaneous exposure. Cellulosic material will ignite within 1 minute. |

Note: Calculations can be undertaken to determine probability of serious injury and fatality


Consequences
Quantitative Evaluation - Impact of Explosions

| Explosion Overpressure (kPa) | Effects |
|---|---|
| 7 (1 psi) | Results in damage to internal partitions and joinery but can be repaired. |
| 21 (3 psi) | Reinforced structures distort, storage tanks fail. |
| 35 (5 psi) | Wagons and plant items overturned, threshold of eardrum damage. |
| 70 (10 psi) | Complete demolition of houses, threshold of lung damage. |

Note: Calculations can be undertaken to determine probability of serious injury and fatality


Consequences
Example - Overpressure Contour - impact on facility buildings
[Figure: overpressure contours at 35 kPa, 21 kPa, 14 kPa and 7 kPa around the release scenario location]


Consequences
Quantitative Evaluation - Impact of Gas Clouds
• The impact of gas clouds requires greater analysis
• Every product released as a gas will have its own:
- Characteristics
- Probit values to be used if it is a toxic evaluation
- Concentration of interest if it is a flammable gas cloud


Safety Assessment
Risk Evaluation
• Risk evaluation can be undertaken using qualitative and/or quantitative approaches
• Qualitative methodologies that can be used are
- Risk matrix
- Risk nomograms
• Semi-Quantitative technique to be used is
- Layers of protection analysis
• Quantitative - quantitative risk assessment


Risk Evaluation
What Type of Assessment?
Qualitative Assessment → Semi-Quantitative Assessment → Quantitative Assessment
- Qualitative end: simple, subjective, low resolution, high uncertainty, low cost
- Quantitative end: detailed, objective, high resolution, low uncertainty, increasing cost


Risk Evaluation
Issues for consideration
• Greater assessment detail provides more quantitative information and supports decision-making
• Strike a balance between increasing cost of assessment and reducing uncertainty in understanding
• Pick methods that reflect the nature of the risk, and the decision options


Risk Evaluation
Issues for consideration
• Stop once all decision options are differentiated and the required information compiled
• Significant differences of opinion regarding the nature of the risk or the control regime indicate that further assessment is needed


Risk Evaluation
Qualitative Assessment
• Qualitative risk evaluation can be undertaken using the following
- risk nomogram
- risk matrix
• Both approaches are valid and the selection will depend upon the company and its culture


Risk Evaluation
Risk Nomogram
• A nomogram is a graphical device designed to allow the approximate graphical computation of a function
• Its accuracy is limited by the precision with which physical markings can be drawn, reproduced, viewed and aligned
• Nomograms are usually designed to perform a specific calculation, with tables of values effectively built into the construction of the scales


Risk Evaluation
Risk Nomogram
[Figure: risk nomogram with the following scales, joined through a TIE LINE]
LIKELIHOOD
- Might well be Expected at Some time
- Quite Possible, Could Happen
- Unusual but Possible
- Remotely Possible
- Conceivable but Very Unlikely
- Practically Impossible
EXPOSURE
- Very Rare, Yearly or Less
- Rare, Few per year
- Unusual, Once per Month
- Occasional, Once per Week
- Frequent, Daily
- Continuous
POSSIBLE CONSEQUENCES
- Catastrophe: Many Fatalities, >$100M Damage
- Disaster: Multiple Fatalities, >$10M Damage
- Very Serious: Fatality, >$1M Damage
- Serious: Serious Injury, >$100k Damage
- Important: Disability, >$10k Damage
- Noticeable: Minor Injury / First Aid, >$1k Damage
RISK SCORE SCALE (500, 400, 300, 200, 100, 80, 60, 40, 20, 10, 0)
- Very High Risk: Consider Discontinuing Operation
- High Risk: Immediate Correction Required
- Substantial Risk: Correction Required
- Risk must be Reduced SFARP
- Risk Acceptable if Reduced SFARP
Most nomograms are used in situations where an approximate answer is appropriate and useful


Risk Evaluation
Risk Matrix
• Hazards can be allocated a qualitative risk ranking in terms of estimated likelihood and consequence and then displayed on a risk matrix
• Consequence information has already been discussed, hence, information from this part of the safety assessment can be used effectively in a risk matrix
• Risk matrices can be constructed in a number of formats, such as 5x5, 7x7, 4x5, etc


Risk Evaluation
Risk Matrix
• Results can be easily presented
- in tabular format for all MIs
- within a risk matrix
• Such processes can illustrate major risk contributors, aid the safety assessment and demonstration of adequacy
• Care needs to be taken to ensure categories are consistently used and there are no anomalies
• Australian/New Zealand Standard, AS4360, Risk Management, 1999, provides additional information on risk matrices


Risk Evaluation
Risk matrix example (AS4360)

| Consequences | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Health and Safety Values | A near miss, First Aid Injury (FAI) or one or more Medical Treatment Injuries (MTI) | One or more Lost Time Injuries (LTI) | One or more significant Lost Time Injuries (LTI) | One or more fatalities | Significant number of fatalities |
| Environmental Values | No impact | No or low impact | Medium impact. Release within facility boundary | Medium impact outside the facility boundary | Major impact event |
| Financial Loss Exposures | Loss below $5,000 | Loss $5,000 to $50,000 | Loss from $50,000 to $1,000,000 | Loss from $1,000,000 to $10,000,000 | Loss of above $10,000,000 |

| Likelihood | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| A Possibility of repeated events (1 x 10^-1 per year) | Significant Risk | Significant Risk | High Risk | High Risk | High Risk |
| B Possibility of isolated incidents (1 x 10^-2 per year) | Moderate Risk | Significant Risk | Significant Risk | High Risk | High Risk |
| C Possibility of occurring sometimes (1 x 10^-3 per year) | Low Risk | Moderate Risk | Significant Risk | High Risk | High Risk |
| D Not likely to occur (1 x 10^-4 per year) | Low Risk | Low Risk | Moderate Risk | Significant Risk | High Risk |
| E Rare occurrence (1 x 10^-5 per year) | Low Risk | Low Risk | Moderate Risk | Significant Risk | Significant Risk |


Risk Evaluation
Risk Matrix
• If used well, a risk matrix will:
- Identify event outcomes that should be prioritised or grouped for further investigation
- Provide a good graphical portrayal of risks across a facility
- Help to identify areas for risk reduction
- Provide a quick and relatively inexpensive risk analysis
- Enable more detailed analysis to be focused on high risk areas (proportionate analysis)


Safety Assessment
Semi-Quantitative Approach
• A semi-quantitative tool that is used for analysing and evaluating risk issues is a layers of protection analysis approach (LOPA)
• It is a simplified form of risk evaluation
• The primary purpose of LOPA is to determine if there are sufficient layers of protection against a hazard scenario
• The approach used for a LOPA is diagrammatically presented in the next slide


Safety Assessment
Diagrammatic Representation - LOPA
• Analysing the safety measures and controls that are between an uncontrolled release and the worst potential consequence


Safety Assessment
Semi-Quantitative Approach
• The LOPA approach is very useful to represent hazards and their controls in a specific manner
• It can be used for representing an MI and how the influence of specific approaches can impact on:
- the likelihood of an MI occurring (prevention)
- the consequences of an MI occurring (mitigation)
• The interpretation of the approach into a useful tool needs to be developed


Safety Assessment
Semi-Quantitative Approach
• The tool needs to focus on:
- Causes of hazards occurring
- Controls needed to minimise the potential for hazards occurring
- If the hazards do occur, what mitigation is needed to minimise the consequences
• The risk evaluation is undertaken using a bow-tie approach
• This is presented in the following slide


Safety Assessment
The information for assessment can be presented as a bow-tie diagram.
[Bow-tie diagram: Causes (Hazards) → Preventative Controls → MI → Mitigative Controls → Outcomes (Consequences)]


LOPA and Bow Tie Evaluations
Items To Note
• Control measures can be quickly identified
• The approach identifies convergence of different hazards into a single 'causal path', and control measures that prevent multiple hazards
• Early warning signs of an MI are explained, by showing both basic hazards and resultant hazards, in a 'cause' and 'effect' representation - “preventative” and “mitigative”


LOPA and Bow Tie Evaluations
Items To Note
• The importance of mitigating controls to minimise the severity of an MI is highlighted and explained
• Linking consequences on the right hand side of one diagram to basic hazards on the left hand side of another diagram allows analysis of escalation events such as BLEVEs
• This is presented on the bow-tie diagram in the following slide


Safety Assessment
The information for assessment can be presented as a bow-tie diagram
[Bow-tie diagram: Causes (Hazards) → Preventative Controls (elimination measures, prevention measures) → MI → Mitigative Controls (reduction measures, mitigation measures, land-use planning, emergency response) → Outcomes (Consequences)]


Safety Assessment
Quantitative risk assessment
• Quantitative assessments can be undertaken for specific types of facilities
• This is a tool that requires expert knowledge on the technique and has the following aspects:
- It is very detailed
- High focus on objective
- Detailed process evaluations
- Requires a high level of information input
- Provides a high output resolution
- Reduces uncertainty


Safety Assessment
Quantitative risk assessment
- Frequency component can be questionable as generic failure rate data is generally used
- Requires expert usage
- Provides understanding on the high risk contributors from a facility being evaluated
- But is expensive to undertake


Safety Assessment
Quantitative risk assessment
Typical result output from such an assessment is individual risk contours.
Example shown is for LUP (Numbers shown are chances in a million per year)
[Figure: individual risk contours labelled 10^-5, 10^-6 and 10^-7 over a map showing School, School, Light Rail Reserve, Town Center, Sports Complex, Hospital, Residential and Racecourse]


Pitfalls
Nomograms
• Accuracy is limited
• Designed to perform a specific calculation
• Cannot easily denote different hazards leading to an MI


Pitfalls
Risk Matrix
• Risk comprises two categories - frequency and consequence
• Care needs to be exercised
• Unless the consequence changes (unlikely for an existing MHF unless the Schedule 1 material is eliminated), the only aspect to change on the risk matrix will be a reduction in frequency of the MI result – this is also true for other methods


Pitfalls
Risk Matrix
• Scale is always a limitation regarding frequency reduction - it does not provide an accurate reduction ranking
• A reduction may occur at the extremity of the likelihood scale but viewed as a perceived reduction and not a real reduction
• Cumulative issues are difficult to show in a transparent manner


Pitfalls
Risk Matrix
• Results can also be very poorly presented (and used):
- By not summarising the results in one place
- By using different definitions than those in the matrix
- It is subjective – depends on personnel frame of reference and experience


Pitfalls
Risk Matrix
• Cannot undertake cumulative risk evaluations transparently
• There can be a strong tendency to try and provide a greater level of accuracy than the method is capable of


Pitfalls
LOPA
• A procedural format needs to be developed by the company to ensure consistency of use across all evaluations.
• External review (to the SC team) should be considered for consistency and feedback
• Correct personnel are needed to ensure the most applicable information is applied to the evaluation approach


Pitfalls
Quantitative risk assessment
• It is time consuming
• It is expensive
• Expert knowledge is required
• Not suitable for every MHF site
• For instance, it is not suitable for a storage warehouse MHF but would be suitable for a refinery
• Process upsets (such as a runaway reaction) cannot be easily modeled as an initiating event using standard equipment part counts - incorporation of FTA required


Pitfalls
Quantitative risk assessment
• Generic failure rate data is a limitation and does not take into consideration a specific company’s equipment and management system strategies


Summary
• A safety assessment provides an understanding of the major hazards, and a basis for determining controls in place
• Safety assessments can involve significant time and effort
• Operations personnel and managers could cause, contribute to, control or be impacted by MIs
• Hence they should be involved in the safety assessment


Summary
• HSRs may or may not take part, but must be consulted in relation to the process of HAZID & Safety Assessment
• They should also be involved in resolution of any issues that arise during the studies, covering but not limited to:
- Improvement in methodology process


Sources of Additional Information
The following are a few sources of information covering safety assessment
• Hazard and Operability Studies (HAZOP Studies), IEC 61882, Edition 1.0, 2001-05
• Functional Safety – Safety Instrumented Systems for the Process Industry Sector, IEC 61511, 2004-11
• Fault Tree Analysis, IEC 61025, 1990-10
• Hydrocarbon Leak and Ignition Data Base, E&P Forum, February 1992 N658
• Guidelines for Process Equipment Reliability Data, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 1989


Sources of Additional Information
• Offshore Hydrocarbon Release Statistics, Offshore Technology Report – OTO 97 950, UK Health and Safety Executive, December 1997
• Loss Prevention in the Process Industries, Lees F. P., 2nd Edition, Butterworth Heinemann
• Layer of Protection Analysis, Simplified Process Risk Assessment, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 2001
• Nomogram, Wikipedia, the free encyclopaedia


Round One Safety Gains
• HAZID, Safety Assessment and Knowledge Management
- Improved understanding of the hazards, the risks, and the ways to control them
- Improved information, instruction and training to employees and others
- Improved management of knowledge gained


Round One Assessment Feedback
• Operators wishing to use consultants to assist in the formal risk assessment aspects of the Safety Case need to strike a balance between using the consultants’ specialist knowledge whilst also involving the workforce and retaining the generated knowledge in-house.
• Operators need to be realistic in their assumptions (or targets) for control measure reliability and effectiveness. Where little data exists to support an assumption, a cautious approach should be taken.


Round Two Overview – Practical Guidance
4.3 Hazard and Major Incident Identification Review
Introduction
It is important that all major incidents and hazards that could cause a major incident are identified and reviewed (Reg 306(1)(a)) to ensure completeness of the subsequent review to confirm effectiveness of control measures (Reg 306(1)). This does not necessarily mean repeating the complete hazard identification. The general process will include:
• Quality assurance of the risk register for comprehensiveness, including full incorporation of changes over the licence period.
• Review of site incident / near miss data for implications for hazards and major incident scenarios.
• Consideration of new knowledge from external sources on potentially applicable hazards and major incidents
• Application of new methodology to the analysis of hazards and major incidents, where the need for methodology change has been identified.
[Slide callouts: "Regulation Driver"; "What compliance looks like"]


Safety Case – Analyst Assessment
Safety Assessment must be Comprehensive and Systematic (Reg 303(1)(2)) Licence Test(803(1)(b))
• Has the safety assessment addressed all hazards and all potential major incidents?
• Has the safety assessment considered the nature of each hazard and major incident?
• Has the safety assessment considered the likelihood of each hazard causing a major incident?
• Has the safety assessment considered the magnitude and severity of consequences of major incidents?


Safety Case – Analyst Assessment
• Has the safety assessment considered all possible routes by which harm may be caused?
• Has the safety assessment clearly taken account of all relevant knowledge and data?
• Has the assessment been proportionate to the risk?


Safety Case – Analyst Assessment
The Safety Assessment must be Documented Reg(303(4)) (Licence Test(803(1)(b))
• Has the methodology for the safety assessment been documented?
• Does the documentation of the safety assessment state all the necessary matters?
• Is the documentation available?
• Have all critical assumptions and actions been documented and verified?
• Is the documentation suitably transparent and understandable?


Safety Case – Analyst Assessment
The Safety Assessment should indicate risk levels that are acceptable (Licence Test(803(1)(c))
• Are the results compatible with established risk criteria?


Safety Case – Analyst Assessment
The Safety Assessment results must be understood Reg(303(2)) (Licence Test(803(1)(b))
• Does the safety assessment provide a basis for the operator to understand the risk to health and safety?
• Does the operator understand the results of the safety assessment?


Safety Case – Analyst Assessment
Safety Assessment methods must be Appropriate (Reg303(3)) (Licence Test(803(1)(a)&(803(1)(c))
• Has an appropriate method been applied to safety assessment for each area of the facility, for each operating mode and activity?
• Has the safety assessment considered hazards cumulatively as well as individually?
• Has a suitable range and hierarchy of methods been applied?
• Are the methods compatible with the safety basis for the facility?
• Does the safety assessment suitably challenge the facility design and operations?


Safety Case – Analyst Assessment
• Has the safety assessment considered the causes and impacts of uncertainty?
• Are any quantitative frequency, likelihood and probability estimates reasonable?
• Are consequence effect distance estimates reasonable?
• Are any methods for calculating the level of harm valid?
• Is any method used for quantification of risk valid?


Safety Case – Analyst Assessment
Safety Assessment must be reviewed and revised when necessary Reg(306) Licence Test(803(1)(b)&Test(803(1)(c)
• Has safety assessment revision actually taken place in the circumstances required by the Regulations?
• Has any such review and revision of safety assessment addressed all relevant aspects?
• Does the documentation of the safety assessment facilitate the review and revision process?


Session Objective
Part 3 Safety Assessment
• To provide an overview of regulatory requirements for both Round 1 and Round 2 with practical guidance and experience from Round 1 assessment


Questions & Discussion
• Questions?


Background
Huntsman Chemical Company Aust. – West Footscray
1941 W. FOOTSCRAY PLANT ESTABLISHED BY MONSANTO.
1940’s→60’s PHENOLIC RESINS, FORMALDEHYDE, PHENOL/ACETONE, ASPIRIN, POLYESTERS, POLYSTYRENE, EPS, ABS, SB LATEX, HERBICIDES, RUBBER CHEMICALS
1977 NEW STYRENE MONOMER, POLYESTER AND POLYSTYRENE PLANTS BUILT
1988 MANUFACTURING OPERATIONS ACQUIRED BY CONSOLIDATED PRESS HOLDINGS (CPH). (CHEMPLEX)
1993 HCCA CREATED -- A 50/50 JV BETWEEN HUNTSMAN AND CPH.
GLOBALLY HUNTSMAN HAS EXPANDED PURCHASING MONSANTO, TEXACO & ICI PLANTS


West Footscray Process Flows
Plus Boilers, Effluent, Warehouse & other Services/Utilities




First MHF Safety Case
Before MHF Legislation
• Strong site culture of personal safety
• Key elements of process safety were Hazops, MOCs, plant design standards, incident investigation, equipment integrity
• No formal system for major hazard identification and risk management
Preparation for 1st Safety Case
• Engaged WorleyParsons as consultant
• Initially trialled QRA, changed to LOPA methodology for hazard assessment
• Relying heavily on the consultant, developed and implemented HazId, consequence modelling, PMI screening, LOPA methodologies to suit the site.
• Methodologies not well documented, different Hazid & LOPA workshop leaders, non-standardised LOPA inputs resulted in inconsistencies.


Hazard Assessment Model
Hazard Identification
- Workshop, Guidewords
- Incident/Near Miss Review
- Technical Integrity Audit
- Other plant experience
- Plant changes
- Hazops
Preliminary Bowties
- Cause Checklists
Consequence Analysis
- Modelling
- Calculations
PMI Screening
- PMI Definitions
Control Measure Management
- Inspections/Audits
- Performance Standards
- Performance Indicators
Expand PMI Bowties
- Initiating Causes
- Control Measures
- Incidents
- Mitigation/Emergency Response
Risk Assessments
- Layers Of Protection Analysis
- Generic
- COPs & DOLs
Hazard Training
- Traccess Modules
- Desktop Exercises
Risk Criteria Comparison
- On/Off Site
- Individual Cause
- Cumulative
Risk Reduction
- Risk Reduction Process
- RRAP Implementation


Second Round MHF Safety Case
Preparation
Review:
• SC Assessment Report issues & recommendations
• All correspondence from verification/clarification phases.
• Annual Inspections, PLOP reports
• MHF legislation, Guidance Notes, Assessment Focus Rules (MHF website)
Summarise and document how issues have or will be addressed
Treat as a project – scope, resources, schedule, detailed plan


Second Round MHF Safety Case
Areas for improvement identified from 1st SC
• Are all hazards/causes identified?
• More consistent application of LOPA inputs
• More ownership by operations
• Robustness of SMS inspection/audit programs
• Ongoing risk reduction program including hierarchy of controls
• Training system
• Technical Integrity Audits


Second Round MHF Safety Case
General Changes in SC Preparation
• All workshops led by HCCA personnel
• Consultants used for technical expertise rather than leading the whole process
• Detailed Procedures and Guidance Notes prepared to ensure consistent implementation of methodologies


Second Round MHF Safety Case
WorkSafe/HCCA Interaction Improvements
• SC assessors involved before SC submission
  - Common interpretation of legislation/focus rules
  - Discuss acceptability of methods before submission
• Model SC prepared/reviewed before formal submission
  - Feedback with time to resolve issues (pool fires)


Hazard Identification
HCCA Second Round HazId
• Build on 1st Round. Don’t start afresh
• Standardise causes for similar equipment e.g. gas fired appliances (heaters, boilers, incinerators)
  - purging/lighting sequence causes
  - flameout causes (f/g ratios, liquid carryover, instruments etc)
  - process side failures
• Compressors
  - startup, overspeed, backflow, interstage/intercompressor flows
  - effect on associated vessels


Hazard Identification (cont.)
HCCA Second Round HazId
• Ensure abnormal conditions considered
  - Startup/shutdown
  - trips
• Check human error causes always considered
  - manual operations
  - incorrect response/no response
• Generic Cause/Control Measure prompt sheets prepared from similar equipment in all plants
  - Exchangers, reactors, tanks, flares, compressors
  - Used to check on bowties that causes/CM not missed


Generic Cause/CM Prompt Sheet


Hazard Identification (cont.)
Other HazId Inputs
• Review since previous Safety case:
  - Incidents/Near Misses*
    Local/Huntsman sites/Global e.g. BP
  - MOCs*
  - Hazops*
• Technical Integrity Audit
  - Integrity issues
* potential MIs should be identified as part of procedures at the time, but review in case any missed


Consequence Analysis
2nd Round Activities
• Review Selection of modelling software
• Standardise model inputs and outputs
• Guidance Notes Prepared
HCCA modelled:
- Toxic releases
- Flash fires
- VCEs
- Jet fires
- Pool fires
- Vessel bursts


Major Incident Screening
Screen Hazards for Potential MIs
• 1st SC, some subjectivity involved in decisions
• Guidance Note prepared to define when a hazard is an MI
• Guidelines for each type of Major Incident
• Includes definitions for both off-site and on-site
• Pool fires included as MIs
  - previously screened out on-site pool fires based on CMs instead of consequences


Major Incident Screening
Example from PMI Screening Guidance Note


Risk Assessment
Hazard Assessment Model


Hazard Assessment
Hazard Assessment Methodology
• Qualitative vs Semi-quantitative?
• Benchmarking undertaken
  - Local MHFs
  - Overseas Huntsman plants (UK and USA)
• Risk Targets reassessed
  - Individual cause and cumulative
  - On-site and off-site


Hazard Assessment
Hazard Assessment Methodology
• Decision to stick with LOPA
  - Huntsman UK and USA moving from matrix to semi-quantitative (FTA and LOPA)
  - Easier evaluation of additional Risk Reduction
  - Demonstration of adequacy of CMs
  - Calculation of cumulative risk
  - Existing resource investment in LOPA
  - Consistent with SIL analysis


Hazard Assessment
Ensuring LOPA consistency
• Guidance Note prepared for Standard LOPA inputs:
  - Initiating Cause frequencies
  - Control Measure Protection Levels
  - Ignition probabilities
  - Occupancy
  - Exposure
• Guidance Note prepared for Human Error frequencies (Causes & CMs)
• Standard LOPA inputs applied to all LOPA sheets (over 1000)


Hazard Assessment
Generic Assessments
• Hazards applicable to all equipment
• Can’t separate frequencies from CMs
e.g.
- vehicle impacts
- dropping from cranes
- open to atmosphere
In 2nd SC we documented CMs for each cause, most of which are procedures.
Further improvement required for this methodology
