Overview
This seminar has been developed in the context of the MHF regulations to provide:
- An overview of MA identification and risk assessment
- The steps required for MA recording
- Examples of major accidents identified
- The steps required for a risk assessment
- Examples of risk assessment formats
Regulations
Occupational Health and Safety (Safety Standards) Regulations 1994
- Hazard identification (R9.43)
- Risk assessment (R9.44)
- Risk control (i.e. control measures) (R9.45, S9A 210)
- Safety Management System (R9.46)
- Safety report (R9.47, S9A 212, 213)
- Emergency plan (R9.53)
- Consultation
Regulation 9.43 (Hazard identification) states:
The employer must identify, in consultation with employees, contractors (as far as is practicable) and HSRs:
a) All reasonably foreseeable hazards at the MHF that may cause a major accident; and
b) The kinds of major accidents that may occur at the MHF, the likelihood of a major accident occurring and the likely consequences of a major accident.
Regulation 9.44 (Risk assessment) states:
If a hazard or kind of major accident at the MHF is identified under regulation 9.43, the employer must ensure that any risks associated with the hazard or major accident are assessed, in consultation with employees, contractors (as far as is practicable) and HSRs.
The employer must ensure that the risk assessment is reviewed:
a) Within 5 years after the assessment is carried out, and afterwards at intervals of not more than 5 years; and
b) Before a modification is made to the MHF that may significantly change a risk identified under regulation 9.43; and
c) When developments in technical knowledge or the assessment of hazards and risks may affect the method at the MHF for assessing hazards and risks; and
d) If a major accident occurs at the MHF.
Regulation 9.45 (Risk control) states:
The employer must, in consultation with employees, contractors (as far as is practicable) and HSRs, ensure that any risk associated with a hazard at the MHF is:
a) eliminated; or
b) if it is not practicable to eliminate the risk, reduced as far as practicable.
The employer must:
a) Implement measures at the MHF to minimise the likelihood of a major accident occurring; and
b) Implement measures to limit the consequences of a major accident if it occurs; and
c) Protect relevant persons, an at-risk community, and the built and natural environment surrounding the MHF, by establishing an emergency plan and procedures in accordance with regulation 9.53.
Definition
Major Accident
A major accident is defined in the Regulations as: A sudden occurrence at the facility causing serious danger or harm to:
- A relevant person or
- An at-risk community or
- Property or
- The environment
MA Identification Issues
- Unless ALL possible MAs are identified, causal and contributory hazards may be overlooked and risks will not be accurately assessed
- Likewise, controls cannot be identified and assessed
- Identification of MAs must assume control measures are absent/unavailable/not functional

That is: WHAT COULD HAPPEN IF CONTROL MEASURES WERE NOT APPLIED AND MAINTAINED?
MAs can be identified in three different areas
These are:
- Process MAs
- MAs arising from concurrent activities
- Non-process MAs
Process MAs
These are MAs caused by hazards which are associated with upsets in the process, or failure of equipment in the process, etc.

MAs arising from concurrent activities
Typical concurrent operations which must be considered are:
- Major shutdowns/start ups
- Other activity on site
- Activities adjacent to the facility
Non-Process MAs
MAs created by non-process hazards that could cause release of Schedule 9 materials. Non-process hazards may typically include the following:
- aircraft crashing
- dropped objects
- extreme environmental conditions (earthquake, cyclone, high winds, lightning)
- non-process fires (e.g. bush fire)
- vehicles and road transport
- heat stress
Collate appropriate:
- Facility information
- Incident data/histories
Develop/select a structured method for determining what types of MA can occur:
- Loss of containment
- Fire
- Explosion
- Release of stored energy
- Where they can occur
- Under what circumstances
Approach to MA Identification
It may be efficient to treat similar equipment items handling the same Schedule 9 materials together, as often they have similar hazards and controls. Further, to ensure correct mitigation analysis, the equipment grouped together should contain similar materials at similar process conditions, resulting in similar consequences on release.
For consistency of analysis, all MAs should be defined in terms of an initial energy release event. This can be characterised as a loss of control of the Schedule 9 material. As an example, in the case of a hydrocarbon release from one vessel leading to a jet fire that subsequently causes a BLEVE in a second vessel, the MA should be defined in terms of the initial hydrocarbon release from the first vessel.
- Review HAZID studies to identify initiating events for each MA
- Review to ensure all hazards have been identified
- Special checklists should be developed to assist with this process

Further hazards may be identified from:
- Discussions with appropriate subject experts
- Review of incident data
- Review of the records from a similar system
MA Recording
A structured approach is important. It can then link equipment management strategies and systems. Record the key outputs in a register.

For each MA, the register should record the following information:
- Equipment that comprises the MA (group similar items into one MA)
- Description
- Consequences
- Consider all Schedule 9 materials, regardless of quantity
- Screen out incidents that do not pose a serious danger or harm to personnel, the community, the environment or property
- Screening should only be on the basis of consequence, not likelihood, i.e. events should not be screened out on the basis of likelihood or control measures being active
- Consequence modelling should be used as justification for screening decisions
- External influences need to be considered, for example, potential for a power failure to cause a plant upset leading to an MA
Example MA Recording
The following are examples of MA recording details:
- MA description: LOC - pumps. Equipment included: LPG transfer pumps (P254/A)
- MA description: LOC finished flammable product release from tank farm. Equipment included: Flammable storage tanks A202, A205, A206, B21, C55
- MA description: Ignition of material. Equipment included: Extruders E21/E22/D54
A26
What is Risk?
- Regulatory definition (per Part 20 of the Occupational Health and Safety (Safety Standards) Regulations 1994): Risk means the probability and consequences of occurrence of injury or illness
- AS/NZS 4360 (Risk Management Standard): the chance of something happening that will have an impact on objectives
- Risk combines the consequence and the likelihood

RISK = CONSEQUENCE x LIKELIHOOD
Approach
The MHF Regulations respond to this by requiring comprehensive and systematic identification and assessment of hazards
HAZID and Risk Assessment must have participation by employees, as they have important knowledge to contribute together with important learnings. These employees MAY BE the HSRs, but DO NOT HAVE TO BE. However, the HSRs should be consulted in selection of appropriate participants in the process.
Types of Risk Assessment:
- Hazard Identification
- Qualitative Assessment
- Detailed Studies
- Technology Studies
Causes
- From the HAZID and MA evaluation process, pick an MA for evaluation
- From the hazard register, retrieve all the hazards that can lead to the MA being realised
- In a structured approach, list all of the controls currently in place to prevent each of the hazards that lead to the MA being realised
- Examine critically all of the controls currently in place designed to prevent the hazard being realised
List all possible causes of the accident (identified during HAZID study)
Hazard Scenario 1
Hazard Scenario 2
List all prevention controls for the accident (identified during HAZID study)
Hazard Scenario 1
Hazard Scenario 2
Likelihood Assessment
Likelihood analysis can involve a range of approaches, depending on the organisation's knowledge, data recording systems and culture. This knowledge can range from:
- In-house data: existing data recording systems and operational experience
- Reviewing external information from failure rate data sources

Both are valid; however, the use of in-house data can provide added value as it is reflective of the management approaches and systems in place.
- Likelihood is an expression of the chance of something happening in the future, e.g. catastrophic vessel failure, one chance in a million per year ($1 \times 10^{-6}$/year)
- Frequency is similar to likelihood, but refers to historical data on actual occurrences
Likelihood Analysis can use:

Historical
- Site historical data
- Generic failure rate data

Assessment
- Workshops (operators and maintenance personnel)
- Fault trees
- Event trees
- Assessment of human error
A qualitative approach can be used for assessment of likelihood. This is based upon agreed scales for interpretation purposes and for ease of consistency, for example, reducing orders of magnitude of occurrence. It also avoids the sometimes more complicated issue of using frequency numbers, which can be difficult on occasions for people to interpret.
[Figure: logic diagram; surviving labels: "Pressure rises", "AND"]
Human error needs to be considered in any analysis of likelihood of failure scenarios. The interaction between pending failure scenarios, actions to be taken by people and the success of those actions needs to be carefully evaluated in any safety assessment evaluation. Some key issues of note include:
- Identifying particular issue
- Procedures developed for handling the issue
- Complexity of thought processing information required
- $10^{-2}$ (1 in 100): Errors of omission where dependence is placed on situation cues and memory. Complex, unfamiliar task with little feedback and some distractions (e.g. failure to return manually operated test valve to proper configuration after maintenance).
- $10^{-1}$ (1 in 10): Highly complex task, considerable stress, little time to perform it, e.g. during abnormal operating conditions, operator reaching for a switch to shut off an operating pump fails to realise from the indicator display that the switch is already in the desired state and merely changes the status of the switch.
Used to determine the likelihood of potential consequences after the hazard has been realised. It starts with a particular event and then defines the possible consequences which could occur. Each branching point on the tree represents a controlling point, incorporating the likelihood of success or failure, leading to specific scenarios. Such scenarios could be:
- Fire
- Explosion
- Toxic gas cloud

Information can then be used to estimate the frequency of the outcome for each scenario.
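The branch-by-branch calculation described above, as an added example that is not part of the original seminar. The tree shape, the branch questions, the probabilities and the initiating frequency are all constructed for illustration.

```python
def outcome_frequencies(initiating_per_year, tree):
    """Walk an event tree and return {outcome: frequency per year}.

    A node is either an outcome name (str) or a tuple
    (branch question, probability of "yes", yes subtree, no subtree).
    """
    totals = {}

    def walk(node, frequency):
        if isinstance(node, str):
            # Leaf: several paths may end in the same outcome, so accumulate.
            totals[node] = totals.get(node, 0.0) + frequency
            return
        question, p_yes, yes_branch, no_branch = node
        if not 0.0 <= p_yes <= 1.0:
            raise ValueError(f"probability out of range at {question!r}")
        walk(yes_branch, frequency * p_yes)
        walk(no_branch, frequency * (1.0 - p_yes))

    walk(tree, initiating_per_year)
    return totals


# Constructed tree for a release of a flammable, toxic material.
RELEASE_TREE = (
    "Immediate ignition?", 0.1, "Fire",
    ("Delayed ignition?", 0.2,
     ("Vapour cloud confined?", 0.5, "Explosion", "Fire"),
     ("Release isolated in time?", 0.9, "No major outcome", "Toxic gas cloud")),
)
RELEASE_PER_YEAR = 1e-3  # constructed initiating event frequency

if __name__ == "__main__":
    for outcome, freq in outcome_frequencies(RELEASE_PER_YEAR, RELEASE_TREE).items():
        print(f"{outcome}: {freq:.2e} per year")
```

The outcome frequencies always sum back to the initiating frequency, which is a useful check that no branch has been dropped from the tree.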
Consequences
Most scenarios will involve at least one of the following outcomes:
- Loss of containment
- Reactive chemistry
- Injury/illness
- Facility reliability
- Community impacts
- Moving vehicle incidents
- Ineffective corrective action
- Failure to share learnings
Consequence evaluation estimates the potential effects of hazard scenarios. The consequences can be evaluated with specific consequence modelling approaches. These approaches include:
- Physical events modelling (explosion, fire, toxic gas consequence modelling programs)
- Occupied building impact assessment
Moderate: One or more significant lost time injuries. Medium impact. Release within facility boundary. Loss from $50,000 to $1M
Major: One or more fatalities. Medium impact outside the facility boundary. Loss from $1M to $10M
Environmental Values
No impact
Effects
Results in damage to internal partitions and joinery but can be repaired. Reinforced structures distort, storage tanks fail. Wagons and plant items overturned, threshold of eardrum damage. Complete demolition of houses, threshold of lung damage.
Note: Calculations can be undertaken to determine probability of serious injury and fatality
Risk Evaluation
Risk evaluation can be undertaken using qualitative and/or quantitative approaches. Risk comprises two categories: frequency and consequence. Qualitative methodologies that can be used are:
- Risk matrix
- Risk nomograms
- Layers of protection analysis
[Figure: Qualitative Assessment, Semi-Quantitative Assessment, Quantitative Assessment; annotation: detailed, objective, high resolution, low uncertainty, increasing cost]
- Greater assessment detail provides more quantitative information and supports decision-making
- Strike a balance between increasing cost of assessment and reducing uncertainty in understanding
- Pick methods that reflect the nature of the risk, and the decision options
- Stop once all decision options are differentiated and the required information compiled
- Significant differences of opinion regarding the nature of the risk or the control regime indicate that further assessment is needed
Both approaches are valid and the selection will depend upon the company and its culture
A nomogram is a graphical device designed to allow approximate calculation. Its accuracy is limited by the precision with which physical markings can be drawn, reproduced, viewed and aligned. Nomograms are usually designed to perform a specific calculation, with tables of values effectively built into the construction of the scales.
Most nomograms are used in situations where an approximate answer is appropriate and useful.

[Figure: risk nomogram. Scales: LIKELIHOOD, EXPOSURE and POSSIBLE CONSEQUENCES, joined through a TIE LINE to a risk scale marked 0 to 100 with the bands "High Risk: Immediate Correction Required", "Substantial Risk: Correction Required", "Risk must be Reduced SFARP" and "Risk Acceptable if Reduced SFARP".]
- Hazards can be allocated a qualitative risk ranking in terms of estimated likelihood and consequence and then displayed on a risk matrix
- Consequence information has already been discussed; hence, information from this part of the assessment can be used effectively in a risk matrix
- Risk matrices can be constructed in a number of formats, such as 5x5, 7x7, 4x5, etc.
- Often facilities may have a risk matrix for other risk assessments (e.g. Task analysis, JSA)
- Such processes can illustrate major risk contributors, aid the risk assessment and demonstration of adequacy
- Care needs to be taken to ensure categories are consistently used and there are no anomalies
- Australian/New Zealand Standard, AS4360, Risk Management 1999, provides additional information on risk matrices
Consequences
- 1 Insignificant: A near miss, First Aid Injury (FAI) or one or more Medical Treatment Injuries (MTI)
- 2 Minor: One or more Lost Time Injuries (LTI)
- 3 Moderate: One or more significant Lost Time Injuries (LTI). Medium impact. Release within facility boundary. Loss from $50,000 to $1,000,000
- 4 Major: One or more fatalities
- 5 Catastrophic: Significant number of fatalities
No impact
Medium impact Major impact outside the facility event boundary Loss from $1,000,000 to $10,000,000 Loss of above $10,000,000
Significant Risk Moderate Risk Low Risk Low Risk Low Risk
Significant Risk Significant Risk Moderate Risk Low Risk Low Risk
High Risk Significant Risk Significant Risk Moderate Risk Moderate Risk
High Risk High Risk High Risk Significant Risk Significant Risk
High Risk High Risk High Risk High Risk Significant Risk
Likelihood
- B: Possibility of isolated incidents ($1 \times 10^{-2}$ per year)
- C: Possibility of occurring sometimes ($1 \times 10^{-3}$ per year)
- D: Not likely to occur ($1 \times 10^{-4}$ per year)
- E: Rare occurrence ($1 \times 10^{-5}$ per year)
- Identify event outcomes that should be prioritised or grouped for further investigation
- Provides a good graphical portrayal of risks across a facility
- Help to identify areas for risk reduction
- Provide a quick and relatively inexpensive risk analysis
- Enable more detailed analysis to be focused on high risk areas (proportionate analysis)
One tool is a layer of protection analysis approach (LOPA). It is a simplified form of risk evaluation. The primary purpose of LOPA is to determine if there are sufficient layers of protection against a hazard scenario. It needs to focus on:
- Causes of hazards occurring
- Controls needed to minimise the potential for hazards occurring
- If the hazards do occur, what mitigation is needed to minimise the consequences
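How the "sufficient layers" question turns into a number, as an added example that is not part of the original seminar: layers that share equipment are not both credited, which is the reason the seminar's column example gives the BPCS trip no credit alongside the SIS. The component names, PFD values and initiating frequency are constructed, and the rule of crediting the lower-PFD layer first and the banding against the B to E likelihood scale are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float             # probability of failure on demand (constructed)
    components: frozenset  # sensors, logic and final elements the layer relies on

def credit_layers(layers, cause_components=frozenset()):
    """Split layers into credited and rejected. Assumed rule: a layer earns
    credit only if it shares no component with the initiating cause or with a
    layer already credited; lower-PFD layers are considered first."""
    used = set(cause_components)
    credited, rejected = [], []
    for layer in sorted(layers, key=lambda item: item.pfd):
        shared = sorted(used & layer.components)
        if shared:
            rejected.append((layer, shared))
        else:
            credited.append(layer)
            used |= layer.components
    return credited, rejected

def mitigated_frequency(initiating_per_year, layers, cause_components=frozenset()):
    """Initiating frequency multiplied by the PFD of each credited layer."""
    credited, _ = credit_layers(layers, cause_components)
    frequency = initiating_per_year
    for layer in credited:
        frequency *= layer.pfd
    return frequency

def likelihood_band(per_year):
    """Assumed banding: a frequency at or below a band's value on the B-E
    likelihood scale falls in that band."""
    for label, upper in (("E", 1e-5), ("D", 1e-4), ("C", 1e-3), ("B", 1e-2)):
        if per_year <= upper:
            return label
    return "more frequent than B"

# Constructed scenario modelled on the column overpressure case: every number
# and component name below is illustrative, not taken from the seminar.
VALVES = {"steam flow valve", "steam RCV"}
LAYERS = [
    Layer("BPCS trip", 0.1, frozenset({"BPCS logic"} | VALVES)),
    Layer("Operator response to alarm", 0.1,
          frozenset({"pressure alarm", "operator", "manual steam valve"})),
    Layer("SIS trip", 0.01, frozenset({"SIS sensors", "SIS logic"} | VALVES)),
]
INITIATING_PER_YEAR = 0.05

if __name__ == "__main__":
    for layer, shared in credit_layers(LAYERS)[1]:
        print(f"no credit: {layer.name} (shares {', '.join(shared)})")
    freq = mitigated_frequency(INITIATING_PER_YEAR, LAYERS)
    print(f"mitigated frequency {freq:.1e}/year, band {likelihood_band(freq)}")
```

Crediting the BPCS trip as well would move the result one band lower on the likelihood scale without any real additional protection, because both trips act through the same valves.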
[Figure: diagram with the labels Causes, Hazards, Controls, MA, Controls, Consequences and Outcomes]
Quantitative assessments can be undertaken for specific types of facilities. This is a tool that requires expert knowledge on the technique and has the following aspects:
- It is very detailed
- High focus on objective
- Detailed process evaluations
- Requires a high level of information input
- Provides a high output resolution
- Reduces uncertainty
- Frequency component can be questionable as generic failure rate data is generally used
- Provides understanding on the high risk contributors from a facility being evaluated
[Figure: labels Hospital and School; marked values include $10^{-5}$ and $10^{-6}$]
Summary
A risk assessment provides an understanding of the major hazards and a basis for determining controls in place
- Risk assessments can involve significant time and effort
- Operations personnel and managers could cause, contribute to, control or be impacted by MAs; hence they should be involved in the risk assessment
- HSRs may or may not take part, but must be consulted in relation to the process of HAZID & Risk Assessment
- They should also be involved in resolution of any issues that arise during the studies, including improvements to methods and processes
Questions?
Cause
Hazard
Columns condenser, reboiler and piping maximum allowable working pressures are greater than maximum possible pressure from steam reboiler
Logic in BPCS trips steam flow valve and steam RCV on high pressure or high temperature. No credit since not independent of SIS.
High column pressure and temperature alarms can alert operator to shut off the steam to the reboiler (manual valve)
Logic in BPCS trips steam flow valve and steam RCV on high pressure or high temperature (dual sensors separate from DCS).
MA-1
MA-2