BOOKLET 4
page 1 of 46
TABLE OF CONTENTS
1 Who is this booklet for? (page 3)
2 What does the booklet aim to do? (page 3)
3 Hazard identification, risk assessment and control measures introduction (page 3)
4 Hazard identification (page 3)
  4.1
  4.2 Features of HAZID (page 5)
  4.3
  4.4
5 Risk assessment (page 16)
  5.1
  5.2
6 Control measures (page 32)
  6.1 Introduction (page 32)
  6.2
  6.3
  6.4
  6.5
  6.6
  6.7
  6.8
  6.9
  6.10
  6.11
Hazard identification
4.1
The Regulations require the employer, in consultation with employees, to
identify:
a)
b) the kinds of major accidents that may occur at the MHF, the
likelihood of a major accident occurring and the likely consequences of
a major accident.
Major accidents by their nature are rare events, which may be beyond the
experience of many employers. These accidents tend to be low frequency,
high consequence events as illustrated in Figure 1 below. However, the
circumstances or conditions that could lead to a major accident may already
be present, and the risks of such incidents should be proactively identified
and managed.
HAZID must address potentially rare events and situations to ensure that the full
range of major accidents and their causes is covered. To achieve this, employers
should:
4.2 Features of HAZID
Comcare's expectations and some important features of HAZID
Comcare will expect:
a)
b)
c) that the overall HAZID process did not rely solely on data
that was historical or reactive and that employers ensured that
predictive methods were also used.
The HAZID process must identify hazards that could cause a potential
major accident for the full range of operational modes, including normal
operations, start-up, shutdown, and also potential upset, emergency or
abnormal conditions. Employers should also reassess their HAZID
whenever a significant change in operations has occurred or a new
substance has been introduced. They should also consider incidents which
have occurred elsewhere at similar facilities, including within the same
industry and in other industries. Refer to the Safety Report and Report
Outline guidance material (booklet 4) for the definition of significant
change.
4.3
The flowchart below summarises all the steps needed in a HAZID process
and how those steps relate to one another.
Checklists
There are many established hazard checklists which can be used to guide the
identification of hazards. Checklists offer straightforward and effective ways
of ensuring that basic types of events are considered. Checklists may not be
sufficient on their own, as they may not cover all types of hazards,
particularly facility-specific hazards, and could also suppress lateral
thinking. Again, this technique should only be used in combination with
other techniques for MHF purposes.
What-If Techniques
This is typically a combination of the above techniques, often using a
prepared set of what-if questions on potential deviations and upsets in the
facility. This approach is broader but less detailed than HAZOP.
Brainstorming
Brainstorming is typically an unstructured or partially structured group
process, which can be effective at identifying obscure hazards that may be
overlooked by the more systematic methods.
Task Analysis
This is a technique developed to address human factors, procedural errors
and man-machine interface issues. This type of hazard identification is
useful for identifying potential problems relating to procedural failures,
human resources, human errors, fault recognition, alarm response, etc.
Task Analysis can be applied to specific jobs such as lifting operations,
moving equipment off-line or to specific working environments such as
control rooms. Task Analysis is particularly useful for looking at areas of a
facility where there is a low fault-tolerance, or where human error can easily
take a plant out of its safe operating envelope.
When considering the type and level of human factors input that is needed
in hazard identification, employers should consider their specific
circumstances, and in particular, the amount of reliance they place on human
actions and decisions in the prevention and control of major accidents.
Cases where detailed consideration of human factors might be appropriate
include a process plant that requires employee action to prevent or control
emergency situations or a dangerous goods warehouse that relies heavily on
procedural controls to ensure correct segregation of goods.
In addition to calling upon the necessary range of operations personnel to
take part in the hazard identification, it may also be appropriate to use
persons having specialist human factors knowledge. This specialist
knowledge may be essential if human factors hazards can influence critical
safety controls.
Human factor HAZID techniques are evolving and are based on methods
developed from engineering HAZID methods. They follow the same
principles and can be conducted in conjunction with an engineering HAZID.
Task analysis
An important set of human factors techniques, which can be used in all
areas of human factors consideration, is a set of methods collectively called
task analysis. Task analysis is not only used in HAZID but is also a tool
for risk assessment and development of control measures to accommodate
human factors.
Task analysis is used to study what a person, or team, is required to do, in
terms of actions and/or mental processes to achieve a system goal. The
information used in and derived from a task analysis will depend on the
technique used and the objective of the analysis.
Task simulation
Timeline analysis
HTA (hierarchical task analysis) is one of the most commonly used task analysis techniques. It is used
to systematically analyse a task or series of tasks. The outcomes of the HTA
will depend on the reasons for its use. For example, if a new control room
is being designed for a process facility, the design layout and equipment
available in the control room should be tested to ensure that it is appropriate
for handling all foreseeable operations (start-up, normal, abnormal). If HTA
is used to assess workload, the information, processing and time
requirements of the task, or tasks, should be tested.
4.4
why they resulted in such serious outcomes. Both the design events and
the true worst case events are required to be considered.
It should also be recognised that the worst case in terms of the distance of
impact might not be the worst case in terms of potential consequences. It
may be necessary to consider both these consequences. The worst-case
scenario for one area of a facility may not be the same as that for another
area of the same facility. This will depend on a large number of factors such
as materials normally or not normally present, extreme process conditions,
isolation systems that may fail, the proximity and the layout of vessels and
the presence of personnel. Employers should consider all available
information, including historical incident records, in deriving the worst-case
scenario.
proceeding with the study without first having developed, agreed and
planned the approach and the method of recording. A pilot study on a
Risk assessment
5.1
The "bow tie" diagram (Figure 7) is similar to a combined fault and event
tree that shows how a range of causes, controls and consequences can be
linked together and associated with each major accident scenario.
Cumulative consideration of the hazards can be seen as the overall
evaluation of interactions between different parts of a single bow tie or
consideration of a range of bow ties together.
Cumulative consideration of hazards enables the employer to assess the
overall risk picture for the facility and to understand how different causes
and events can combine to lead to an accident. It also enables the key causes
and controls for the risks to be identified and evaluated in more detail if
required.
5.2
Ranking methods
Most forms of preliminary risk assessment can be used as a basis for
ranking different incidents to establish their approximate order of
importance. In the risk matrix example, a simple scoring system can be
introduced to represent the combined effect of likelihood and consequence.
For example, the highest-ranking incident is m.a.7 (i.e. major accident
number 7) with a score or risk index of 16, closely followed by m.a.12 with
a risk index of 15. The sum of the risk indices for all incidents is 76;
therefore, the contribution of incident m.a.7 is 16/76 or about 21% of the
cumulative risk. Note that the risk index on the matrix is a multiplication of
the numbers assigned to the rows and columns NOT an addition.
An extension of the above scoring approach is to define a range of specific
factors that affect the likelihood or consequences of each incident. For each
factor, each incident may be given a score such as from 1 to 5 or a simple
rating such as low, medium or high based on specific, established criteria.
The scores for each incident are then added to give an overall likelihood,
consequence or risk score for each incident.
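The scoring described above, carried through as an added worked example (this code is not from the booklet): thirteen hypothetical major accidents are scored on a constructed 5 x 5 matrix, with scores chosen so the totals reproduce the figures quoted in the text (indices of 16 and 15 for m.a.7 and m.a.12, a sum of 76, and a share of about 21% for m.a.7). It also shows why the index must be a product rather than a sum: two scenarios with equal sums, such as likelihood 2 with consequence 4 and 3 with 3, get different products. The scales, the incident scores and the additive factor-score helper for the extension in the last paragraph are assumptions for illustration.

```python
"""Risk-matrix ranking of major accidents (added worked example, not from the booklet).

Constructed sample data: 13 hypothetical major accidents (m.a.1 .. m.a.13) scored
on a 5 x 5 likelihood/consequence matrix.  The scores were chosen so the totals
reproduce the booklet's worked figures: m.a.7 scores 16, m.a.12 scores 15, the
sum of all indices is 76, and m.a.7 contributes 16/76 (about 21%) of the total.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # constructed 5-level scales for likelihood and consequence


@dataclass(frozen=True)
class Incident:
    name: str
    likelihood: int   # 1 = remote .. 5 = frequent (constructed scale)
    consequence: int  # 1 = minor  .. 5 = catastrophic (constructed scale)

    def __post_init__(self) -> None:
        # Reject scores outside the matrix instead of silently ranking on bad data.
        for label, score in (("likelihood", self.likelihood), ("consequence", self.consequence)):
            if not SCALE_MIN <= score <= SCALE_MAX:
                raise ValueError(f"{self.name}: {label} score {score} outside {SCALE_MIN}..{SCALE_MAX}")

    def risk_index(self) -> int:
        """Matrix risk index: the PRODUCT of the row and column scores, not their sum."""
        return self.likelihood * self.consequence

    def additive_index(self) -> int:
        """The arithmetic the booklet warns against; kept only for comparison."""
        return self.likelihood + self.consequence


# Constructed scores (likelihood, consequence) for each hypothetical major accident.
INCIDENTS = [
    Incident("m.a.1", 1, 2),
    Incident("m.a.2", 2, 2),
    Incident("m.a.3", 1, 3),
    Incident("m.a.4", 2, 3),
    Incident("m.a.5", 3, 3),
    Incident("m.a.6", 1, 1),
    Incident("m.a.7", 4, 4),   # highest-ranking: index 16
    Incident("m.a.8", 2, 1),
    Incident("m.a.9", 2, 4),
    Incident("m.a.10", 1, 4),
    Incident("m.a.11", 2, 2),
    Incident("m.a.12", 3, 5),  # second: index 15
    Incident("m.a.13", 1, 2),
]


def rank_incidents(incidents) -> list:
    """Incidents in descending order of risk index (ties keep input order)."""
    return sorted(incidents, key=lambda i: i.risk_index(), reverse=True)


def total_risk_index(incidents) -> int:
    return sum(i.risk_index() for i in incidents)


def contributions(incidents) -> dict:
    """Share of the cumulative risk index attributable to each incident, in percent."""
    total = total_risk_index(incidents)
    return {i.name: 100.0 * i.risk_index() / total for i in incidents}


def factor_score(ratings: dict) -> int:
    """The booklet's extension: per-factor ratings (e.g. each 1..5) are ADDED into
    one likelihood, consequence or risk score.  Unlike the matrix index this is additive."""
    return sum(ratings.values())


if __name__ == "__main__":
    shares = contributions(INCIDENTS)
    for inc in rank_incidents(INCIDENTS):
        print(f"{inc.name:>7}  L={inc.likelihood} C={inc.consequence}  "
              f"index={inc.risk_index():>2}  share={shares[inc.name]:5.1f}%")
    print("sum of indices:", total_risk_index(INCIDENTS))
    # Addition scores m.a.9 (2 x 4) and m.a.5 (3 x 3) equally at 6; the product separates them (8 vs 9).
    print("additive:", INCIDENTS[8].additive_index(), INCIDENTS[4].additive_index())
```

The contribution figures are only meaningful relative to one another; a 21% share says where effort should go first, not that the absolute risk is acceptable.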
identification, the HAZOP process can also include assessment of the causes
of accidents, their likelihood and the consequences that may arise, so as to
decide if the risk is acceptable, unacceptable or requires further study.
However, within the scope of a combined HAZID and risk assessment
workshop, this assessment would necessarily be coarse, qualitative and
subjective and would in many cases need to be supplemented by more
detailed assessment outside the workshop.
A HAZOP would not necessarily be the appropriate technique for detailed
analysis of the causes of some other types of accidents (e.g. failures within
complex electrical or mechanical equipment). In such cases, a failure mode
effects and criticality analysis (FMECA) may be more useful and
supplemented by whatever mechanical integrity information already exists
for the systems within the facility's maintenance and breakdown records. [1]
Alternatively, a Fault Tree Analysis may provide the necessary
understanding of the nature and causes of different types of hazard. [2] In
many cases, an FMEA may be used to identify what can go wrong, and how
low-level failures may affect higher-level systems. [3] A Fault Tree may then
be used to show how low-level failures, combined with external aspects
such as loss of power supply or human error, may combine to cause overall
system failure. The Fault Tree can also be used, in principle, to estimate the
likelihood or frequency of the failure occurring.
[1] See under the heading Examples of HAZID techniques in section 6.6 of this booklet for a brief
explanation of an FMECA.
[2] Also see the reference above for a brief explanation of a fault tree and event tree analysis.
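A fault tree evaluated in code, as an added example that is not part of the booklet: a constructed tree for a hypothetical toxic gas release combines equipment failures, loss of power and human error through AND/OR gates, computes the top-event probability both exactly and with the rare-event approximation, and derives the minimal cut sets (the smallest combinations of low-level failures that are sufficient for the top event). The event names and probabilities are illustrative assumptions, and the exact calculation assumes independent basic events that each appear only once in the tree.

```python
"""Fault tree evaluation (added worked example, not from the booklet).

Constructed tree for a hypothetical toxic gas release: the top event needs BOTH
a loss of containment AND a failure of the isolation system, and each of those
is an OR over low-level failures (equipment faults, loss of power, human error).
All basic-event probabilities are illustrative values, not data from any facility.
"""
from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class BasicEvent:
    name: str
    probability: float  # probability of the low-level failure per demand (constructed)


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str     # "AND" or "OR"
    inputs: tuple # BasicEvent or Gate objects


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Exact probability of the event, assuming independent basic events that each
    appear once in the tree (a repeated event would need cut-set algebra instead)."""
    if isinstance(node, BasicEvent):
        return node.probability
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def rare_event_probability(node: Node) -> float:
    """Rare-event approximation: an OR gate simply adds its inputs.  It slightly
    over-estimates (conservative) and is the usual hand calculation when all inputs are small."""
    if isinstance(node, BasicEvent):
        return node.probability
    ps = [rare_event_probability(i) for i in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        return sum(ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> set:
    """Smallest combinations of basic events that are sufficient for the top event."""
    if isinstance(node, BasicEvent):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        cuts = set().union(*child_sets)  # any one child's cut set is enough
    else:
        cuts = {frozenset().union(*combo) for combo in product(*child_sets)}  # one from each child
    return {c for c in cuts if not any(other < c for other in cuts)}  # drop non-minimal supersets


# Constructed tree: names and probabilities are illustrative assumptions.
TOP = Gate("toxic gas release to atmosphere", "AND", (
    Gate("loss of containment", "OR", (
        BasicEvent("pipe_corrosion_leak", 1e-3),
        BasicEvent("flange_gasket_failure", 2e-3),
    )),
    Gate("isolation fails to stop the release", "OR", (
        BasicEvent("isolation_valve_fails_to_close", 1e-2),
        BasicEvent("operator_fails_to_initiate_isolation", 5e-2),
        BasicEvent("loss_of_power_to_valve_actuator", 1e-3),
    )),
))

if __name__ == "__main__":
    print(f"exact top-event probability: {probability(TOP):.3e}")
    print(f"rare-event approximation:    {rare_event_probability(TOP):.3e}")
    for cut in sorted(minimal_cut_sets(TOP), key=sorted):
        print("minimal cut set:", sorted(cut))
```

Every minimal cut set here has two members, one from each side of the AND gate; the operator action is the largest single contributor on the isolation side, which is the kind of finding that steers the later choice of control measures.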
same for all flammable materials. Employers should carefully define all
relevant consequence criteria based on their definition of a major accident.
Below is an example of one method for illustrating the consequences and
effects of a major accident. The example is a major accident involving a
pool fire. This method may prove helpful during the risk assessment
process and, if used, should be included in risk assessment documentation.
Hazard identification, risk assessment and control measures for Major Hazard Facilities, Booklet 4
The risk assessment is conducted for all hazards and potential major
accidents at a facility, ensuring that:
a) it is comprehensive, systematic, rigorous and transparent;
b) it generates all information required by the Regulations, and provides
employers with sufficient knowledge to operate safely;
c) the knowledge is kept up to date, through review and revision;
d) the information is provided to persons who require it to work safely;
e) an appropriate group of employees is actively involved;
f)
g) all methods, results, assumptions and data reflect the nature of the
hazards considered and are documented;
h) a range of control measures are considered and their effects on risk are
explicitly addressed;
i)
j)
Control measures
6.1
Introduction
The previous sections discussed key elements for the range of control
measures that should be in place at an MHF. This section provides more
detailed guidance on how to select and judge the effectiveness of specific
control measures. Choosing the best control measures and being able to
demonstrate their effectiveness is a critical feature of compliance with the
Regulations.
6.2
Control measures can be identified while identifying hazards and during the
risk assessment. Employers should be able to identify a range of control
measures immediately, both the existing measures and possible alternatives.
Checklists of "typical" control measures may be able to assist in the process,
but these should not be used in isolation. The specific nature of each hazard
and the associated part of the facility should be considered when identifying
control measures. The table below is an example of the consequences and
key control measures that might apply for a warehouse.
An example: Identification of scenarios and control measures,
dangerous goods warehouse

Scenarios                                    Key Controls
Flash or pool fires from puncturing drums    Drum inspection and handling procedures
containing flammable liquids.                Ignition source control
                                             Fire fighting equipment
Fires in packaged goods areas, in pallet     Housekeeping
storage stacks, or amongst general rubbish.  Ignition source control
                                             Smoke detection and automatic vents
Fire escalation.                             Separation and segregation rules
                                             Stacking restrictions
                                             Fire fighting equipment and emergency response

6.3
Engineering Controls
Administrative Controls
Elimination
Prevention
Feedstock quality specifications.
Mechanical ventilation systems.
Management of change.
Secondary containment of hazardous substances.
Ignition suppression equipment.
Process emergency controls and alarms.
Procedures.
Emergency alarms.
Employer-owned buffer zones.
Control measures may vary for different stages of the facility's life cycle.
For example, design and construction standards are important for new
facilities, but as the facility ages more emphasis may be required on asset
integrity management. Similarly, control measures may themselves have life
cycles that may need to be considered.
The balance and type of control measures are expected to be consistent with
the employer's overall safety philosophy. If the safety philosophy is based
primarily on engineering controls there is less need for other controls such
as administrative ones. On the other hand, if the safety philosophy is based
on personnel knowledge and skills, then procedural and competency
controls might be dominant, although there would need to be additional
hardware controls.
The assessment required to understand control measures, their function and
their effects on hazards and associated risks, is driven by three factors:
a) a highly complex reaction process, new technology, or complex process
equipment may require detailed assessment to understand the control
measures, whereas a simple system can be understood more rapidly and
without using sophisticated methods of assessment;
b) where there are numerous options available to control the associated
risk, more effort is likely to be required to reach an understanding of the
available controls, to differentiate the options in terms of their effects
on risk and to provide a basis for selecting or rejecting options
appropriately; and
c) a high level of uncertainty regarding the nature of the hazard or risk or
the behaviour of the control measures is likely to require greater effort
to reach an overall understanding; e.g. Class 6.1 liquids are more
straightforward to analyse than Class 2.3 toxic gases.
The above concepts illustrate the issues that need to be considered in
defining and understanding control measures. There may be many other
issues that need to be considered in developing an understanding of control
measures for a facility. For many facilities this may result in a significant
amount of information. Therefore a simple method of linking and
communicating the information together should be considered, for example
"bow tie" diagrams or registers of hazards and controls. Figure 16
provides examples of how to use bow tie diagrams or registers to link and
communicate control measure information. Alternatively, simple hazard
management tables or diagrams can be developed.
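An added example (not from the booklet) that serves both the bow tie discussion in section 5 and the register of hazards and controls mentioned here: the three warehouse scenarios from the table in section 6.2 are modelled as bow ties linking causes, preventive controls, the top event, consequences and mitigating controls; a flat hazard-and-control register is built from them; and the cumulative view identifies the controls that several scenarios rely on, as well as any path with no control at all. The causes, the consequences and the assignment of controls to paths are illustrative assumptions.

```python
"""Bow-tie scenarios and a hazard/control register (added example, not from the booklet).

A bow tie links the causes of a major accident, the preventive controls on each
cause path, the top event, and each consequence with its mitigating controls.
The three scenarios below are constructed from the booklet's dangerous goods
warehouse table; the causes and consequences are illustrative additions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    kind: str  # "preventive" (left of the top event) or "mitigating" (right of it)


@dataclass
class BowTie:
    top_event: str
    causes: dict        # cause -> tuple of preventive Controls on that path
    consequences: dict  # consequence -> tuple of mitigating Controls on that path

    def paths(self):
        """Yield (side, path, controls) for every left- and right-hand path."""
        for cause, ctrls in self.causes.items():
            yield "cause", cause, ctrls
        for cons, ctrls in self.consequences.items():
            yield "consequence", cons, ctrls

    def unguarded_paths(self) -> list:
        """Causes or consequences with no control at all: gaps to be addressed."""
        return [path for _, path, ctrls in self.paths() if not ctrls]


def build_register(bowties) -> list:
    """Flatten bow ties into register rows (top event, side, path, control name).
    A path without controls gets a '(none)' row so the gap stays visible."""
    rows = []
    for bt in bowties:
        for side, path, ctrls in bt.paths():
            for c in ctrls or (None,):
                rows.append((bt.top_event, side, path, c.name if c else "(none)"))
    return rows


def control_usage(bowties) -> dict:
    """Cumulative view across bow ties: the set of top events each control protects against."""
    usage = defaultdict(set)
    for bt in bowties:
        for _, _, ctrls in bt.paths():
            for c in ctrls:
                usage[c].add(bt.top_event)
    return dict(usage)


def key_controls(bowties, min_scenarios: int = 2) -> list:
    """Controls relied on by at least min_scenarios bow ties, most shared first; their
    failure affects several scenarios, so they warrant the most detailed evaluation."""
    shared = [(c, len(tops)) for c, tops in control_usage(bowties).items() if len(tops) >= min_scenarios]
    return [c for c, _ in sorted(shared, key=lambda item: (-item[1], item[0].name))]


# Controls taken from the booklet's warehouse table (emergency response split out as its own control).
DRUM_PROC = Control("Drum inspection and handling procedures", "preventive")
IGNITION = Control("Ignition source control", "preventive")
HOUSEKEEPING = Control("Housekeeping", "preventive")
SEGREGATION = Control("Separation and segregation rules", "preventive")
STACKING = Control("Stacking restrictions", "preventive")
SMOKE_VENTS = Control("Smoke detection and automatic vents", "mitigating")
FIRE_EQUIP = Control("Fire fighting equipment", "mitigating")
EMERGENCY = Control("Emergency response", "mitigating")

# Constructed scenarios: causes and consequences are illustrative, not from the booklet.
WAREHOUSE = [
    BowTie("Flash or pool fire from a punctured drum of flammable liquid",
           causes={"forklift tine punctures a drum": (DRUM_PROC, IGNITION),
                   "corroded drum leaks in storage": (DRUM_PROC, IGNITION)},
           consequences={"fire spreads to adjacent pallet stacks": (FIRE_EQUIP,),
                         "burns to warehouse staff": (FIRE_EQUIP, EMERGENCY)}),
    BowTie("Fire in a packaged goods area or pallet stack",
           causes={"discarded smoking materials": (IGNITION, HOUSEKEEPING),
                   "hot work next to storage": (IGNITION,),
                   "accumulated rubbish ignites": (HOUSEKEEPING,)},
           consequences={"smoke-logged warehouse": (SMOKE_VENTS,),
                         "fire spreads to adjacent pallet stacks": (FIRE_EQUIP,)}),
    BowTie("Fire escalation across the warehouse",
           causes={"fire reaches incompatible dangerous goods": (SEGREGATION,),
                   "collapsing stacks spread burning material": (STACKING,)},
           consequences={"loss of the whole facility": (FIRE_EQUIP, EMERGENCY),
                         "toxic smoke plume beyond the site boundary": (EMERGENCY,),
                         "contaminated firewater run-off": ()}),  # deliberate gap
]

if __name__ == "__main__":
    for row in build_register(WAREHOUSE):
        print(" | ".join(row))
    print("key controls:", [c.name for c in key_controls(WAREHOUSE)])
    for bt in WAREHOUSE:
        if bt.unguarded_paths():
            print("gap in", bt.top_event, "->", bt.unguarded_paths())
```

The register is the flat, auditable form of the same information; the bow ties are where the cumulative picture is read off, with a control such as fire fighting equipment appearing in every scenario standing out as one whose degradation would weaken the facility's whole risk position at once.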
6.4
6.5
d) control measures which were considered or used in the past and rejected
for some reason;
e) existing control measures which are to be replaced due to obsolescence
or old age;
f) new control measures which could replace or add to the existing range
of control measures; and
g) new control measures for modifications to the facility.
For many existing facilities, there may be control measures that were
adopted or rejected in the past without records to support those decisions.
Employers should identify past decisions and control measures that need to
be recorded and reviewed, to understand what was done in the past and why
it was done, and to maintain the integrity of existing control measures in the
future.
This relates to the need for a knowledge base of the control measures on the
facility and is an important part of justifying the adequacy of an existing
facility in the safety report. Given the potentially large number of decisions
and control measures for a typical MHF, which may have decades of
operating experience, the employer will need to identify the critical areas
that require review, and determine which areas need to be reviewed in brief
or in detail.
Circumstances where control measures would require review include:
a) new operating conditions have arisen;
b) knowledge of the basis for safe operation has been lost;
c) there may have been a degradation in effectiveness of existing controls;
d) the knowledge or technology employed is now outdated; and
e) an incident occurred.
The employer should identify both proven technology and newly developed
options, as appropriate, and not dismiss any option on the grounds that it is
"unproven". The process of risk assessment should include the evaluation
of new technologies and practices to determine if they are appropriate to the
facility.
A reasonable number of existing and alternative control measures should
therefore be considered, depending on:
a) the scale and complexity of the facility;
b) the nature of the risk profile; and
c) the rate of development of new technologies and practices.
6.6
6.7
6.8
6.9
This combination of key elements is mainly derived from the US Department of Labour's
Occupational Safety and Health Administration's (usually contracted to OSHA) guidelines for
process safety management (see reference in Appendix A under the topic heading Role and
development of an SMS).