7/30/2019 Safety Assessment for MHF
1/48
GUIDE FOR MAJOR
HAZARD FACILITIES
SAFETY ASSESSMENT
MARCH 2012
7/30/2019 Safety Assessment for MHF
2/48
Safe Work Australia is an Australian Government statutory agency established in 2009. Safe Work
Australia consists of representatives of the Commonwealth, state and territory governments, the
Australian Council of Trade Unions, the Australian Chamber of Commerce and Industry and the
Australian Industry Group.
Safe Work Australia works with the Commonwealth, state and territory governments to improvework health and safety and workers compensation arrangements. Safe Work Australia is a national
policy body, not a regulator of work health and safety. The Commonwealth, states and territories
have responsibility for regulating and enforcing work health and safety laws in their jurisdiction.
ISBN 978-0-642-33374-2 [PDF]
ISBN 978-0-642-33375-9 [RTF]
Creative Commons
Except for the logos of Safe Work Australia, SafeWork SA, WorkCover Tas, WorkSafe WA, Workplace
Health and Safety QLD, NT WorkSafe, Work Cover NSW, Comcare and WorkSafe ACT, this copyright
work is licensed under a Creative Commons Attribution-Noncommercial 3.0 Australia licence. To
view a copy of this licence, visit
http://creativecommons.org/licenses/by-nc/3.0/au/
In essence, you are free to copy, communicate and adapt the work for non commercial purposes,
as long as you attribute the work to Safe Work Australia and abide by the other licence terms.
Contact information
Safe Work Australia
Phone: +61 2 6121 5317Email: [email protected]
Website: www.safeworkaustralia.gov.au
Western Australia
SAFEWORK
7/30/2019 Safety Assessment for MHF
3/48
1
TABLE OF CONTENTS
1. INTRODUCTION 2
2. RISK MANAGEMENT 4
3. ESTABLISHING THE CONTEXT 5
3.1 Establishing the Scope and Objectives 5
3.2 Key items or preparation 6
4. HAZARD IDENTIFICATION 12
4.1 Understand the defnitions 12
4.2 Understand the chemical properties and how
they could cause harm 13
4.3 Research previous major incidents and near
misses 15
5. SAFETY ASSESSMENT 20
5.1 Identifcation o controls 20
5.2 Consequence estimation 20
5.3 Likelihood estimation 26
5.4 Risk assessment 29
5.5 Demonstration o adequacy 34
6 CONTROL OF RISK 35
6.1 Perormance standards and indicators 35
6.2 Critical operating parameters 36
7. REVIEW OF RISK MANAGEMENT 37
APPENDIX A: WHS REGULATIONS 38
APPENDIX B: DEFINITIONS 42
APPENDIX C: REFERENCES 45
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT
TABLE OF CONTENTS
7/30/2019 Safety Assessment for MHF
4/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT2
The Work Health and Saety Regulations (the WHS Regulations) require operators o
determined major hazard acilities (MHFs) to conduct a saety assessment in order to
provide a detailed understanding o all health and saety risks associated with major
incidents.
The purpose o this Guide is to assist operators o MHFs to prepare and conduct a saety
assessment in accordance with the WHS Regulations.
The guidance has been prepared or operators o MHFs rom all sectorsprocessing, storage
and warehousingnotwithstanding the signicant dierences in complexity. Examples have
been given where possible to illustrate possible application to each sector. Applicability
will depend on the specic circumstances o the MHF. Operators are advised to reer to
reputable texts or engage suitable specialists when choosing to apply a specic technique.
The guidance will provide:
assurance to the operator that the potential risk o major incidents will be eliminated or
controlled
a detailed understanding o all aspects o risks to health and saety associated with
major incidents
the production o a documented saety assessment that meets the requirements o
the Regulations and which can be used to orm part o the saety case submitted or
licensing.
This Guide orms part o a set o guidance material or MHFs that includes inormation on:
Notication and Determination
Saety Management Systems
Developing a Saety Case Outline
Preparation o a Saety Case
Saety Case: Demonstrating the Adequacy o Saety Management and Control Measures
Inormation, Training and Instruction or Workers and Others at the Facility
Providing Inormation to the Community
Emergency Plans.
WHAT IS A SAFETY ASSESSMENT?
A saety assessment is a comprehensive and systematic investigation and analysis o all
aspects o risks to health and saety associated with major incidents that may potentially
occur in the course o operation o the major hazard acility, including:
the nature o each major incident and major incident hazard
the likelihood o each major incident hazard causing a major incident
in the event o a major incident occurring, its potential magnitude and the severity o its
potential health and saety consequences
the range o control measures considered
the control measures the operator decides to implement.
1. INTRODUCTION
7/30/2019 Safety Assessment for MHF
5/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 3
The ollowing are expected outcomes rom a saety assessment or a major hazard acility.
or each major incident:
the identication o all major incident hazards and the path by which the major
incident hazards could lead or have led to a major incident
the identication o consequences or each major incident without controls
an analysis o risk (likelihood and consequence) or each major incident (with current
controls and then with uture control measures)
the identication o all reasonably practicable control measures with a documented
justication o any potential control measure determined to not be reasonably
practicable
a description o how the identied risk control measures prevent or mitigate the
major incidents and major incident hazards
demonstration o adequacy o risk control measures or each major incident, so ar as
is reasonably practicable (see also demonstration o adequacy guidance)
or the acility:
the provision o a list o all potential major incidents
the provision o an assessment o the cumulative eects o the major incidents
(knock on eects, sum o all risks, common cause incidents, etc.)
a summary o the likelihood and consequences o the major incidents
the identication o the local community potentially aected by the consequences o
any major incident.
the identication o the maintenance and monitoring requirements and the critical
operating parameters identied or the selected control measures
a demonstration o the adequacy o control measures (so ar as is reasonably
practicable)
the preparation o an implementation plan or required risk control measures not yet
in place.
a description o how the risk assessment will be reviewed and updated to continuously
maintain its currency.
WHAT DO THE REGULATIONS REQUIRE?
Operators o determined MHFs must conduct a saety assessment in relation to the
operation o the MHF. The operator o a licensed major hazard acility must keep a copy o
the saety assessment at the acility and review and revise it as necessary. Further details o
the regulations are set out in Appendix A.
Relevant denitions are set out in Appendix B.
1. INTRODUCTION
7/30/2019 Safety Assessment for MHF
6/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT4
There are many authoritative texts on risk management that may be o use to an operator or
intending operator o a MHF. This Guide is not intended to be a risk management text. It is
designed to explain and describe how an operator may comply with the WHS legislation.
The hazard identication and saety assessment are components o the overall risk
management process (see Figure 1).
FIGURE 1: Risk management process
This Guide outlines the main components o risk management as ollows:
Establish the context:
Major incident and major incident hazard identication
Saety assessment:
control identication
consequence estimation
likelihood estimation
risk evaluation Control o risk
Monitoring and review.
2. RISK MANAGEMENT
7/30/2019 Safety Assessment for MHF
7/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 5
3.1 Establishing the Scope and Objectives
The scope should cover the whole o the acility, all activities on site, routine or abnormal
operations, and any o-site hazard that could impact on the site, leading to a major incident.
The objectives should include providing assurance that the risks have been eliminated, so ar
as is reasonably practicable, and i it is not reasonably practicable to eliminate a risk, ensure
it is minimised so ar as is reasonably practicable (see Example 1).
An operator may declare the achievement o a risk target or risk tolerance criteria as an
objective o the saety assessment (see Example 2). This is particularly appropriate or
operators o complex acilities, multiple acilities or where a quantitative risk assessment isproposed. Operators o simple acilities with the ability to personally supervise the saety
assessment process may nd it more appropriate to ocus on eliminating and systematically
controlling the risks rather than calculating a risk number or rating.
It should be noted that a risk that meets an operators risk tolerance criteria must still satisy
the regulatory obligation to eliminate or minimise risk so ar as is reasonably practicable (see
Regulation 556). Consultation with the regulator is advised i quantitative tolerance criteria
are to be used.
EXAMPLE 1 SCOPE AND OBJECTIVES
ABC Chemical Company is a new MHF. They established the objectives o the saety
assessment as ollows:
to eliminate or, where that is not reasonably practical, reduce risk o each major
incident so ar as is reasonably practical
to systematically identiy and assess all major incidents and major incident hazards in
accordance with the Regulations
to identiy and demonstrate the adequacy o controls or major incidents.
3. ESTABLISHING THE CONTEXT
7/30/2019 Safety Assessment for MHF
8/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT6
EXAMPLE 2 RISK TOLERANCE CRITERIA: COMPLEX PROCESSING PLANT
ABC Multinational Company has an internal saety policy which requires that new
acilities are built and operated such that the HIPAP 41 risk criteria are met. Additionally,
they have adopted target IRPA values. Existing acilities that do not meet the criteria
must submit a risk reduction program and continue to manage risk as low as is
reasonably practical.
Incident heat fux radiation at residential or sensitive use areas should not exceed 4.7
kW/m2 at a requency o more than 50x10-6 pa.
Incident explosion overpressure at residential and sensitive use areas should not
exceed 7kPa at requencies o more than 50x10-6 pa.
Toxic concentrations in residential and sensitive use areas which could cause acute
physiological consequences should not exceed 50x10-6 pa (ERPG, SLOD or SLOT
values chosen as appropriate).
IRPA must not exceed 10-4 at any occupied area e.g. control rooms, sae havens,
maintenance workshops and administrative areas.
1. NSW Department o Planning, Hazardous Industry Planning Advisory Paper (HIPAP) No. 4 Risk Criteria or
Land Use Saety Planning
3.2 Key items or preparation
PREPARATION
The ollowing items need to be considered in preparing or a saety assessment:
inormation required
resources: people and time
resources: tools/techniques
systematic approach
communication and consultation
documentation o process and results.
INFORMATION REQUIRED
The ollowing inormation may be required during the saety assessment process. The
operator should gather this inormation both beore and during the process, and commit to
ensuring this inormation is up-to-date to acilitate uture reviews and revisions o the saety
assessment.
data on the saety properties o the materials e.g. MSDS, explosivity data, reactivity,
degradation, any conditions under which materials become dangerous, etc.
incident history rom the acility, corporation, national, industry or global sources
existing studies e.g. HAZID, HAZOP, PHA, re saety studies, likelihood analysis, QRA,
hazardous substance risk assessment, SIL/SIF and hazardous area zoning studies. These
studies may need to be reviewed and re-validated to ensure that they are still current
previous studies e.g. re saety studies and mechanical integrity studies
3. ESTABLISHING THE CONTEXT
7/30/2019 Safety Assessment for MHF
9/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 7
design envelopes/criteria or plant and equipment, engineering saety margins, designed
operating conditions and design saety philosophy
any design standards (Australian, international or corporate) relevant to the operations at
the acility
critical operating parameters that have already been identied.
assessment o current plant condition e.g. integrity, reliability, equipment maintenance
history, etc.
description o operations or tasks undertaken at the acility, such as handling, storage
and processing
existing operational issues and problems
existing control perormance
maps or diagrams showing layout (e.g. storage or processing areas), process fows
(P&IDs etc), control strategies, etc.
surrounding population demographics and density
personnel experience
maintenance records, including breakdown data
equipment reliability/ailure rate data.
Sources o generic data and justication o its use, as well as any assumptions made, need to
be documented or the saety case. Weight should be given to data sources most relevant to
the acility, taking into account local conditions and equipment congurations.
EXAMPLE 3 AVAILABLE INFORMATION
ABC Chemical Company identies or their ammonia storage vessel and unloading
acility that the ollowing inormation will be necessary:
hazard identication records
vessel inspection records or the storage vessel
test records or the pressure relie valve and instrumentation
the tanker unloading procedure, as this is likely to be a key infuence on risk
incident history on site (requency and consequence)
incident history or industry (requency and consequence)
relevant Saety Data Sheets (SDSs)
exposure levels (e.g. Immediately Dangerous to Lie and Health (IDLH), Short Term
Exposure Limit (STEL), Emergency Response Planning Guidelines (ERPG))
any consequence inormation available (e.g. modelling).
RESOURCES: PEOPLE AND TIME
The process should involve personnel with a range o knowledge, skills and work experiences.
This should include personnel ranging rom those experienced in the chosen techniques,
those who carry out the tasks, supervisors, those with expertise in the design intent who canexplain why the plant design choices were made, and those with expertise in the hardware,
systems and materials. In some cases this may involve third parties such as consultants or
contractors (see Example 4).
3. ESTABLISHING THE CONTEXT
7/30/2019 Safety Assessment for MHF
10/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT8
Successul engagement o workers in the hazard identication and saety assessment tasks
improves outcome quality and complies with the worker consultation provisions o the WHS
Act (Sections 4749) and the WHS Regulations (574 and 575).
Even or a simple major hazard acility, the hazard identication and saety assessment may
be lengthy, involving many workshops over an extended time period.
Decisions on adequacy o controls and urther risk reduction will have to be made.
Improvements will need to be included in the relevant business and capital plans. Progress
will need to be monitored. Management should plan sucient time and resources or the
process to be done eectively.
EXAMPLE 4 RESOURCES
The workshop team or ABC Chemical Company ammonia hazard identication is:
acilitator
electrical maintenance worker
mechanical maintenance worker
two shit workers
area supervisor
ammonia truck driver (contractor).
Even though the ammonia truck driver is not an ABC Chemical Company employee, thedriver has been invited specically or hazard identication associated with ammonia
unloading. As the driver is the one doing this work, he/she may have an insight into
hazards and controls which the employees will not have.
RESOURCES: TOOLS/TECHNIQUES
The operator o the major hazard acility should apply hazard identication and saety
assessment tools and techniques that are suited to its objectives and capabilities, and to
major incidents and major incident hazards considered. Justication o the reasons or
technique selection should be included in the saety case and/or saety case outline.
A variety o hazard identication and assessment techniques exist that can be used
successully. Multiple techniques may be required to adequately identiy and assess themajor incident scenarios.
The acility should ensure the techniques:
are t or the complexity and scale o the acility
involve worker participation to a suitable extent
consider any external conditions or acility-specic attributes
clearly document the relationships between the major incidents, hazards and controls
reveal the rationale or the assessment, in particular the selection or rejection o control
measures
generate outputs that can be used in urther risk assessments and integrated in the
management systems o the acility.
Techniques may be qualitative or quantitative. The advantages o a qualitative process are
that it is simple, easy to use and understand, and low cost. The disadvantages may include
3. ESTABLISHING THE CONTEXT
7/30/2019 Safety Assessment for MHF
11/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 9
a lack o dierentiation between major incidents and diculty establishing meaningul
cumulative assessment. A quantitative technique has advantages in ability to compare major
incidents and easy cumulative assessment, but disadvantages in being complex, harder to
understand and use, and higher cost.
A qualitative process may be better suited to storage or simple process sites, while a
quantitative process may be better suited to a site with a high level o complexity or high
risks.
It is likely that a combination o techniques will need to be used to ully understand a
complex major incident scenario.
SYSTEMATIC APPROACH
It is important to design the saety assessment approach so that all the possible major
incidents at the acility are identied and assessed.
The ollowing are examples only and are not an exhaustive list.
EXAMPLE 5 THE LOCATION APPROACH
An operator o a warehouse and blending acility chose to divide the acility into sheds.
A workshop examined the processes and tasks in each shed, and then checked or
any cross-shed or system-wide interactions. The data was collated into a list o major
incidents and major incident hazards or the site.
I this method is chosen, it is important to record the identied hazards and incidents in
sucient detail that there can be a check on consistency between workgroups. I similarmajor incidents are grouped together, the operator must be watchul that a specic
incident initiator or escalating actor peculiar to a single shed is not dropped rom the
analysis.
EXAMPLE 7 THE CHEMICAL APPROACH
An operator o a small acility with ew Schedule 15 chemicals examined each chemical
in turn, identiying the conditions under which it was kept and handled, and what could
go wrong. They then examined system-wide challenges (or example, power ailure,
unauthorised access, etc.) and collated the results into a major incident list.
EXAMPLE 8 THE REVIEW APPROACH
It is tempting, particularly i the acility has a history o risk assessments in place,
to merely revisit the existing assessments using a modied version o the original
techniques. I this approach is chosen, the operator needs to assure themselves and the
regulator that the approach will uncover any new hazards rather than merely validating
the status quo, and that the original assumptions remain valid. The operator must ensure
they go looking or hazards.
3. ESTABLISHING THE CONTEXT
7/30/2019 Safety Assessment for MHF
12/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT10
EXAMPLE 9 THE TOP DOWN APPROACH
An operator o several simple storage acilities (e.g. LPG or ammonia), with each acility
built to similar standards and undertaking similar tasks, chose to dene a representative
set o major hazards and potential major incidents, to be validated by workshops at
each site. While this allows signicant technical input in constructing the representative
set, the operator must ensure that the process allows incorporation o site-specic
eatures and external conditions, such as the presence o threats rom outside the acility
boundary.
There is also the assumption that the tasks are perormed the way envisaged by
head oce, which may not be the case on the ground. I the workshop attendees do
not understand the assumptions behind the representative set, they may not detecthow what they do on-site may cause or contribute to the major incident. Thus the
composition o the workshop team is an important success actor or this approach.
EXAMPLE 10 THE ENGINEERING APPROACH
Processing acilities usually commission a number o hazard studies through the
various phases o design, construction, commissioning and operation. Some o these
assessments are task-based (or example, lighting burners); others are hazard-based (e.g.
hazardous area assessments); others are process-based (HAZOPs and SIL assessments);
and yet others are based on an assessment o conditions and known ailure mechanisms
(e.g. as part o a RBI program). The operators challenge is to assimilate all o thesestudies into a detailed understanding o all aspects o risks to health and saety.
A common approach is to divide the process into natural operating units (or
management units) and conduct a process hazard analysis, utilising the results o all
the abovementioned studies. The operator must have some method o checking or
consistency and or ensuring that areas at the interace are covered. Areas o lesser
apparent risk (or example, as dangerous goods management in the warehouse, or
service systems) are included, as they can oten potentially involve Schedule 15 chemicals
and develop into major incidents.
COMMUNICATION AND CONSULTATION
This should occur at all stages o the saety assessment process and is covered in urtherdetail in other guidance material. The Regulations require worker consultation and
participation in hazard identication, saety assessment and many aspects o risk control
(regulations 574 and 575).
Inormation acquired during consultation with the local emergency, security and local area
authorities, required under dierent sections o the Regulations, should be utilised in the
saety assessment process.
DOCUMENTATION OF THE PROCESS AND RESULTS
Under the WHS Regulations, the identication o major incidents and major incident hazards,
and the saety assessment, must be documented.
Adequate documentation ensures that the risk management activities and decisions are
traceable and reproducible. These records provide the basis or improvements to methodsand tools, as well as to the overall process. Decisions concerning the level o detail, methods
3. ESTABLISHING THE CONTEXT
7/30/2019 Safety Assessment for MHF
13/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 11
used or documentation and applicable records management should take into account:
the acility and organisations needs or continuous learning
benets o reusing inormation or management purposes
costs and eorts involved in creating and maintaining records
legal, regulatory and operational needs or records
method o access, ease o retrievability and storage media
ability to revisit and update inormation (or example, licence renewal)
retention period sensitivity o inormation.
3. ESTABLISHING THE CONTEXT
7/30/2019 Safety Assessment for MHF
14/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT12
4.1 Understand the defnitions
The hazard identication must identiy all major incidents and all major incident hazards that
could occur at the acility, including major incident hazards relating to the security o the
major hazard acility.
The meaning o a major incident is dened in regulation 531, and has the ollowing
qualities:
they result rom an uncontrolled event (i.e. unplanned and/or involving the ailure o one
or more controls)
they involve or potentially involve Schedule 15 chemicals (which include events initiatedby other circumstances that may knock-on to Schedule 15 chemical storage or handling
acilities)
they expose a person to serious risk to health and saety (at least one, and oten more
than one person, including those in the area surrounding the acility)
the risk emanates rom an immediate or imminent exposure to the incident (which
excludes long-term cumulative impacts such as some types o cancer).
Occurrences that may be classied as a major incident include:
re (loss o containment which could lead to re, jet re, reball, etc.)
explosion (BLEVE, vapour cloud explosion, dust explosion, etc.)
implosion (or example, vacuum rom steam condensation, etc.)
escape, spillage or leakage (damage, overll, decay. etc.).
The uncontrolled event which may lead to a major incident has a spectrum o possible
consequences. I any o the possible consequences o the event may lead to serious risk to
health and saety o one or more people, then the event leading to the serious risk must be
classed as a major incident. Serious risk includes risk leading to a single atality.
The intent o the saety assessment is to ocus on the high-consequence, low-probability
events.
There are incidents that do not involve or potentially involve Schedule 15 chemicals, but
that do potentially expose a person to serious risk to health or saety. These incidents do
not have to be included in the saety assessment and saety case as they do not meet the
denition o a major incident. Notwithstanding this, the operator still has the primary duty ocare to ensure the health and saety o other persons is not put at risk rom work carried out
at the acility. These risks should be adequately managed by the saety management system
and emergency plans prepared or the acility.
Major incident hazards are dened as those hazards that could cause or contribute
to causing a major incident or uncontrolled event. The intent is or the acility to ully
understand and control the chain o events (major incident pathways) that may lead to a
major incident.
IDENTIFY ALL SCHEDULE 15 CHEMICALS
It is important that all Schedule 15 chemicals, including products, by-products, intermediates,
raw materials and wasteswhether they are held in storage, or in process, or being
transerred or otherwise handledbe considered in the saety assessment. This includes
small quantities that may have been excluded rom the initial acility notication requirement.
4. HAZARD IDENTIFICATION
7/30/2019 Safety Assessment for MHF
15/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 13
EXAMPLE 11 INCLUSION OF SMALL QUANTITIES OF SCHEDULE 15 CHEMICALS
Examples o small quantities o Schedule 15 chemicals that have been considered in past
saety assessments are as ollows:
A acility had a large gas-red dryer inside a building where there were many
employees. Because there was no gas stored on the site, only what was in the
natural gas supply line, the natural gas did not have to be considered in the threshold
calculations. The acility was determined as a MHF because o the total quantity
o other Schedule 15 chemicals on site. Nevertheless there was clearly potential or
a major incident such as an explosion and re i a sizeable leak o natural gas (a
Schedule 15 chemical) occurred inside the building ollowed by delayed ignition. Theacility included this potential major incident in its saety case.
A small hydrogen cylinder serving an online process gas chromatograph is another
example o a small quantity that would have no infuence on threshold calculations
but, because o its location inside the plant, may need to be included in the saety
assessment i it could initiate an incident that could in turn escalate to a major
incident. Similar cylinders in an adequately ventilated laboratory area remote rom
the process areas o the acility may not need to be considered at all.
Suggested methods or identiying all Schedule 15 chemicals include a review o dangerous
goods maniests, storages, saety data sheets or materials on the site, other inormation
rom chemical suppliers, etc. Rerigerants (or example, anhydrous ammonia), by-products
and unintended products o reaction should also be considered and included.
4.2 Understand the chemical properties and how they
could cause harm
The properties o the chemicals should be identied and understood. These properties may
include:
toxicity
fammability
explosivity
degradation behaviour
chemical reactivity and interactions
incompatibilities
physical state
concentrations
solubility
properties at temperatures and pressures that may occur at the acility.
The properties need to be understood at the conditions encountered in the acility during
both normal and abnormal operations. These properties will have a signicant impact on
what, i and how a major incident will occur.
4. HAZARD IDENTIFICATION
7/30/2019 Safety Assessment for MHF
16/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT14
EXAMPLE 12 UNDERSTANDING OF PROPERTIES OF SCHEDULE 15 CHEMICALS
Personnel at MHFs should be aware o the properties o the Schedule 15 chemicals and
how those properties may lead to a major incident i not properly managed. Some o the
consequences are not obvious. For example:
I chlorpyrios is heated above 90C it decomposes. Above 130C there is an
exothermic decomposition (runaway reaction).
Sodium chlorate is stable as a solid and soluble in water. However, when mixed with
other materials such as organics (or example, pesticides and herbicides) or acids,
there is a risk o re and explosion.
Hydrogen peroxide is a strong oxidiser and can react violently with reducing agents.
It also decomposes to oxygen and water naturally (or promoted by conditions),
which can cause re on contact with a fammable material.
Storage o incompatible materials in proximity based on their Class and Division is
recognised, but incompatibilities o materials based on subsidiary Class may not be
recognised e.g. bromine chloride is Division 2.3 and subsidiary Classes 5.1 and 8 could
react with other Division 2.3 goods.
Material let in storage or prolonged periods or as intermediate products may
result in unwanted product ormation. Depending on the product, this could cause
instability, increased toxicity or increased internal pressure (i.e. the IBC bulges and
potentially ruptures).
Ammonia is a toxic material and also soluble in water to orm an alkaline solution.At high pressures and temperatures. ammonia is capable o orming an explosive
mixture with air.
It is important to understand what needs to happen or a person to be exposed to a serious
risk to their health and saety. This area o investigation also helps with exploring potential
knock-on type events.
EXAMPLE 13 UNDERSTANDING TOXICITY EXPOSURE MECHANISMS
The operator o a warehouse reviewed the toxicity o the chemicals stored and the
mechanisms by which an employee may be exposed. They discovered that:
paraquat, normally in liquid orm, is very toxic by inhalation. Inhalation o a liquid in
a warehouse setting is very dicult. It is not particularly uncommon, however, or
paraquat to weep at the lid. I let in quarantine or a while, crystals orm around the
lid. An employee may conceivably receive a toxic dose i they are not cautious in
opening an over-drum.
aldicarb is very toxic by dermal and oral criteria. I a drum spills, an employee may
receive a toxic dose either by skin contact or clothing to skin contact when cleaning
up, or involuntarily ingesting the chemical i the leak is as a spray (or example, when
a orklit spear is removed rom the drum).
4. HAZARD IDENTIFICATION
7/30/2019 Safety Assessment for MHF
17/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 15
EXAMPLE 14 UNDERSTANDING MINIMUM AMOUNT LIKELY TO CAUSE HARM
For an ammonia release to expose a person to serious risk to their health and saety, the
ammonia must be in a sucient concentration to cause harm. Lesser amounts cause
nuisance and irritation. While all releases are undesirable, it is necessary to ocus eorts
on preventing leaks/releases o sucient size to cause a major incident.
Consequence modelling o small releases ound that 50 kg was needed or the
immediate danger to lie and health threshold (IDLH) to be reached at distances over
2 m.
4.3 Research previous major incidents and near misses
Incidents rom industry and site are useul precedents, and graphically illustrate potential
consequences and particular incident pathways. Sources o incidents and ootage include:
site and industry history
site near miss incidents
Chemical Saety Board (CSB) www.csb.gov
Lees Loss Prevention in the Process Industries
Health and Saety Executive (HSE) www.hse.gov.uk.
IDENTIFY THE MAJOR INCIDENT AND MAJOR INCIDENT PATHWAYS
Identication o the major incident hazards and the potential major incidents they may lead
to requires some creativity, technical expertise, and amiliarity with the plant and equipment.
The major incident and major incident hazard identication is best perormed in teams. It is
important that the study teams:
understand what constitutes a major incident
are composed o an appropriate variety o people
are aware o the properties o the Schedule 15 chemicals
are aware o how the chemicals are used
are aware o plant and industry incident history
challenge assumptions and existing norms o design and operation
think beyond the immediate experience o the acility
look only at potential and ignore any consideration o likelihood or existing controls at
this stage.
Hazard identication techniques need to be systematically applied to each plant area and
each activity in order to generate a complete list or urther exploration. The operator should
be alert to common cause ailures, possible knock-on scenarios and any external conditions
which may aect the potential or a major incident to occur. The chosen technique needs to
be suited to the hazard and the acility (see discussion in 5.2 Resources: tools/techniques).
4. HAZARD IDENTIFICATION
7/30/2019 Safety Assessment for MHF
18/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT16
EXAMPLE 15 EXAMPLE MAJOR INCIDENTS: WAREHOUSE
Uncontrolled EventSchedule 15 Chemical
Involved
Potential Major Incident
Description
200 L drum alls and
splits, spilling into a
contained area
Flammable liquid, PG III Pool re o 200 L drum o
fammable liquid
Forklit damages 1,000 L
IBC o pesticide
Toxic solids and liquids Toxic exposure rom loss
o containment o IBC o
pesticide Lightning strike
Electric arc rom
distribution box
Arson attack
Incompatibles stored
in same bund leak and
react
All/part o warehouse
Schedule 15 chemicals
inventory
Warehouse re generating
heat and toxic smoke
EXAMPLE 16 EXAMPLE MAJOR INCIDENTS: STORAGE
Uncontrolled EventSchedule 15 Chemical
Involved
Potential Major Incident
Description
Hose leaks under
moderate pressure
Flammable liquid Flash re
Roo sinks due to ailure
to remove water
Lightning strike
Crude oil Crude oil tank top re
Feed valve ails, spillage
to bund
Crude oil Bund re in crude oil
storage
Hose ailure
Valve ailure
LPG Vapour cloud explosion o
LPG
Impact and guillotine
ailure o pipework
LPG Jet re rom bullet
Sustained re attack on
bullet
LPG BLEVE o bullet
4. HAZARD IDENTIFICATION
7/30/2019 Safety Assessment for MHF
19/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 17
EXAMPLE 17 EXAMPLE MAJOR INCIDENTS: PROCESSING
Uncontrolled EventSchedule 15 Chemical
Involved
Potential Major Incident
Description
Sabotage Hydrogen Terrorist attack on
signicant storage leads to
explosion
Operator mistakes
chemical identity and
loads wrong chemical
Sodium hydrosulde
(class 4.2 PGII)
Accidental mixing o
incompatible material
releasing heat and toxic gas Failure o cooling water Methylcyclopentadienyl
manganese tricarbonyl
(MCMT)
Class 6.1 PGI
Runaway exothermic
reaction leading to loss o
containment and explosion
REFINE THE MAJOR INCIDENT LIST
All identied major incident hazards with a scientically credible mechanism linking to the
major incident should be included. I the mechanism cannot be established then the incident
can saely be removed rom urther consideration. It should not be deleted entirely, as
inclusion demonstrates a comprehensive enquiry. This is not the same as establishing a very
low likelihood.
EXAMPLE 18 REJECTED POTENTIAL MAJOR INCIDENTS
Hydrogen sulphide is present in a waste gas stream at a acility, and or
environmental reasons the waste stream is sent to a thermal oxidiser. When
conducting its Saety Assessment, the acility investigated i a leak rom a hole
in the duct to the thermal oxidiser could lead to a major incident. Ater careully
considering the maximum possible concentration o hydrogen sulphide, pressure
in the duct and toxic exposure criteria, the acility concluded that people would not
be put at serious risk unless they put their head in the hole in the duct (which was
several metres above ground level). Hence this scenario was rejected as a potential
major incident.
Release o a very small quantity o a toxic material may only be sucient to cause
irritation rather than hospitalisation or atality (inventory/toxicity combination
insucient).
A tsunami impacting an aboveground tank located 100 km inland on a hill
(diminishingly small likelihood).
BLEVE o an underground LPG tank (burying the tank, however, introduces other
loss o containment mechanisms which must be proven to be under control).
A Schedule 15 chemical that is known to decompose exothermically at temperatures
over 200C is stored in ull sunlight, away rom re risk material. The team could not
establish a mechanism where the Schedule 15 chemical would approach 200C.
Opening a drain line on a vessel that could contain volatile components was
considered a possible cause o low temperature and thus brittle racture at one
acility. However, fash calculations showed that the temperature would not all lowenough, even with the most volatile composition and highest pressure conditions.
4. HAZARD IDENTIFICATION
7/30/2019 Safety Assessment for MHF
20/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT18
EXAMPLE 19 INCORRECTLY REJECTED MAJOR INCIDENTS
Catastrophic ailure o a storage tank was rejected because the tank was designed to
Australian Standards and had pressure saety valves, pressure alarms and high level
alarms and shutdowns. A mechanism to a major incident still exists.
Electrical ailure resulting in loss o control o reaction and hence potential runaway
reaction, release and explosion was rejected because o a back-up power supply. A
mechanism to a major incident still exists, even i it is a double-jeopardy situation.
Mixing o incompatible materials in a storage warehouse was rejected because
procedures state that they must not be stored together. Procedural controls do not
remove the potential major incident.
These major incidents have been incorrectly rejected on the basis o the implemented
controls. The major incidents can still occur.
VALIDATE THE MAJOR INCIDENT PATHWAYS
The objective is to gain a detailed understanding o what can go wrong in order to correctly
assess what controls are necessary, and what perormance standards are required. It is
important to pursue understanding to sucient depth that all avenues are uncovered
to allow eective controls to be put in place. Work done at this stage is used later in
consequence and likelihood analysis.
It is reasonable to ocus eort in understanding the major incidents o highest concern
(highest consequence and/or highest risk).
EXAMPLE 20 UNDERSTANDING CORROSION AS AN INITIATOR
A HAZOP team identied the potential or corrosion to cause a loss o containment.
It is necessary to urther understand this hazard as there are a variety o approaches
available to control it:
Corrosion rom erosion may be controlled by velocity.
Internal corrosion rom acid attack may be controlled by regulation o pH and
monitoring o coupons.
External under insulation corrosion occurs more oten in dead legs and cannot
occur above certain temperatures. Stress corrosion cracking prevention may require maintenance o water
concentration within a certain range.
4. HAZARD IDENTIFICATION
7/30/2019 Safety Assessment for MHF
21/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 19
EXAMPLE 21 UNDERSTANDING HOW THE EQUIPMENT IS DESIGNED TO FAIL
Engineers may design equipment with the intent that it shall leak beore break, giving
the operators time to either isolate or remove the items beore there is sucient quantity
to cause a major accident. The incident pathway is not eliminated, but the probability o
the major incident is reduced. Examples include the ollowing:
LPG hoses are designed to leak beore breaking. The hose can be saely taken out o
service without a major incident even i it does leak.
LPG hoses tend to creep as they deteriorate. Spraying the hose connection with
paint allows detection o this creep and removal beore any leak takes place.
Piping carrying coolant to a nuclear reactor is designed so that a crack will grow
through the wall, causing a leak that can be detected by leak detection systems
beore the crack would grow to a catastrophic guillotine ailure.
4. HAZARD IDENTIFICATION
7/30/2019 Safety Assessment for MHF
22/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT20
5.1 Identifcation o controls
A control measure, in relation to a risk to health and saety, means a measure to eliminate
or minimise the risk. Controls that eliminate or minimise the risk o a major incident
occurring (i.e. impact on either likelihood or consequence) are sometimes reerred to as
preventative or preventive controls, while those which minimise the magnitude and severity
o the consequences i a major incident occurs are reerred to as mitigative. Controls may
also be described by other terms, such as active or passive, engineering, organisational,
administrative or physical, and hardware or sotware.
There are usually a range o controls available to an operator. In selecting controls, the
hierarchy o controls must be considered in order as ollows:
substitution o a hazard by a hazard with a lesser risk
isolating the hazard rom the person at risk
minimising the risk by engineering means
minimising the risk by administrative means
using personal protective equipment.
Selection o controls should be based on what is reasonably practical to reduce the risk.
The saety assessment should identiy existing controls and potential controls. This includes
consideration o recognised and generally accepted good engineering practice (RAGAGEP),
best practice, emerging technologies, published codes o practice and industry standards, as
well as what is currently present.
When identiying controls it is important to understand what needs to happen or the control
to be eective and manage that control in its entirety (this is discussed urther in control o
risk). For example, an alarm without an operator able to notice it and respond has no saety
benet. A procedure only has a saety benet i it is technically adequate and personnel are
trained, equipped and expected to use it. Engineering standards are only o benet i they
deal with the issue at hand and are applied.
The saety assessment must include the range o control measures the operator has decided
to implement. The saety assessment should identiy those controls that are absolutely
necessary to avoid a major incident. They should be reliable and ail-sae. Some will already
be dened; some will be identied in the course o the saety assessment.
5.2 Consequence estimation
CONSEQUENCE MODELLING (NO CONTROLS)
Any major incident has a range o potential consequences. The operator must identiy the
worst consequence o a major incident where no controls are in place. The basis o this
calculation (inventory, external conditions, etc.) should be clearly documented and discussed.
The intent is to understand and be prepared or the worst major incident. Premature ocus
on the associated risk misses the opportunity to decide that the consequence is not to
be tolerated on any account (as has been decided by many oil companies about locating
temporary maintenance building near vents ater the Texas City incident, and why society
has deemed it inappropriate to have childcare centres adjacent to MHFs).
5. SAFETY ASSESSMENT
7/30/2019 Safety Assessment for MHF
23/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 21
EXAMPLE 22 CONSEQUENCE ANALYSIS OF A WAREHOUSE FIRE
ABC Warehousing was a MHF storing pesticides, fammable liquids, a small amount o
fammable gases and general merchandise. They concluded that a re at the warehouse
would:
generate a toxic plume, with possible rain-out o toxic material at the edges
generate signicant heat, potentially aecting neighbours
generate projectiles and possibly reballs
generate signicant quantities o contaminated re-water run-o that would need to
be contained.
They concluded that the near neighbours (up to 500 m) could be aected. The number
o people aected would depend on the time o day. The nearest sensitive receptor was
a residence 1 km away, unlikely to be aected by any event at the warehouse. A nearby
oce building, however, had signicant amounts o glass acing the acility that could be
particularly vulnerable to heat. The acility chose to commission modelling to establish
the potential and recommend options to minimise potential impact in the event o a re.
5. SAFETY ASSESSMENT
7/30/2019 Safety Assessment for MHF
24/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT22
EXAM
PLE23CONSEQUENCEANALY
SISFORLOSSOFCONTAINMEN
TOFFLAMMABLEGAS
Anop
eratoroaMHFstoringandhand
lingsignicantquantitiesoLPGusedtheaboveeventtreetoidentiythepossibilityoa
BLEV
E,ajetreandvapourcloudexplosionattheiracilities.Theymode
lledaBLEVEothebiggesttank
causedbyasustained
jetreromtheadjacenttank,ajetre
romtheadjacenttank(toconrmithesecondtankcouldbeae
cted),avapourcloud
explo
sionandaBLEVEoastandardd
eliverytanker(themorelikelyeve
nt).
Theselectedmodellingendpointswere
heatfuxandoverpressure.Theassumptionsandmethodsusedinthemodellingwereclearly
statedintherelevantsectionothesaetyassessment.
5. SAFETY ASSESSMENT
7/30/2019 Safety Assessment for MHF
25/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 23
EXAMPLE 24 POOL FIRE ASSESSMENT
ABC Chemical Company identied that a leak o fammable liquid may develop into a
pool re. They commissioned modelling to ully understand the potential consequence
o such a re.
The consultant delivered the ollowing table:
Pool Fire in Plant Area Pool Diameter (m)
Maximum distance rom
centre o the pool to heat
ux o concern (kW/m2)
4.7 12.6 23
Pump A 20 45 32 25
Tank B 50 90 70 57
Met 10 35 24 16
The model gives estimates o distance to specied end-points o concern. In this
example, the criteria and the predicted consequences are the same as in HIPAP 4.
A heat fux o 4.7kW/m2 is considered high enough to trigger injury to people ater 30
seconds exposure. This is particularly relevant to people who are unable to evacuate or
seek shelter.
A heat fux o 12.6 kW/m2 has a signicant chance o atality or extended exposure. Atthis level steel may reach a thermal stress level high enough to cause structural ailure.
A heat fux o 23 kW/m2 has a chance o atality or instant exposure. Pressure vessels
need to be relieved to avoid ailure.
These results were used to validate the potential or knock-on events and incorporated
into the quantitative risk assessment or the site.
SENSITIVITY ANALYSIS
The actual consequence o an event will be the result o a number o actors and is unlikely
to be the worst case. It is important to understand which actors are important and how the
consequence severity varies with variation in those actors (a sensitivity analysis). This allows
the operator to understand the perormance requirements or any emergency responsesystem.
5. SAFETY ASSESSMENT
7/30/2019 Safety Assessment for MHF
26/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT24
EXAMPLE 25 WAREHOUSE FIRES
ABC Warehousing understood that the erocity o the re depends upon:
the nature o the stored chemicals (or example, fammable liquids ignite easily)
how the chemicals are stored (combustible materials add to re load; high racking
may inhibit sprinkler systems; packages o fammable liquids may burst with heat,
ignite and spread re throughout the bund compound)
how long it takes to detect the re (automatic vs manual detection)
i the re is caught early enough (small res are easily extinguished).
The nature o the (toxic) smoke plume depends on:
wind speed and direction
re temperature (there are dierent stages o a re, with dierent temperature
proles)
the nature o the burning chemicals.
The operator realised that weather conditions and inventory had the greatest impact on
the consequence zone. The time o day also had a signicant infuence on how many
people were likely to be aected. As the operator cannot control the weather, it was
decided to ocus on preventing the incident, and ensuring ast communications and
response i an incident did occur.
CONSEQUENCE MODELLING WITH CONTROLS
The assessment o consequence with controls represents the most likely consequence.
All acilities benet rom being aware o the most likely consequence when determining
priorities. Management should control the most likely events and simultaneously avoid the
worst events. They can be dierent major incidents.
USING THE CONSEQUENCE MODELLING
A common mistake is to commission consequence and risk modelling rom a consultant, ail
to validate the results and ail to utilise the inormation in emergency response planning, in
both the location o equipment and oces and in the identication o potential knock-on
events.
When commissioning modelling, the acility operator should consider i it would be
advantageous to complement atality calculations with distances to injury or even distances
to irritation/nuisance to ully understand the potential consequences. This may improve the
understanding o the potential consequences, acilitate eective management o events and
potentially justiy additional protective measures.
KNOCK-ON EVENTS
An operator needs to ensure that they have addressed any potential events that may act as
a knock-on event. Modelling eect ranges allows the operator to determine i it is reasonably
oreseeable or one major incident to escalate and cause another.
Major incidents may also be triggered by signicant process saety events associated with
non-Schedule 15 chemicals that knock on or eect systems storing or handling Schedule 15chemicals.
5. SAFETY ASSESSMENT
7/30/2019 Safety Assessment for MHF
27/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 25
EXAMPLE 26 KNOCK-ON EVENTS
A small re in a drum decanting operation could spread to an adjacent large drum
store via a common drain system.
A boiler ruptures when the drum level reduces below the re line. Projectiles
damage the adjacent control room, leading to a loss o control o a production unit
processing Schedule 15 chemicals.
A rupture o a large nitrogen storage vessel causes local evacuation and prevents
operators rom responding to a dangerous process excursion.
The escalation potential may warrant specic analysis and control o the initiating event,rather than using the generic initiator o re, loss o control system and operator ails
to intervene (operator error).
CONSEQUENCE RANKING
The regulations do not strictly require the risks to be ranked or otherwise placed into a
category. It is, however, very common to do so. Ranking allows the operator to prioritise
resources in a coherent and traceable way. Many organisations have also set up governance
structures around what the organisation determines to be acceptable or unacceptable, and
specied required courses o action accordingly.
EXAMPLE 27 CONSEQUENCE RATING
The ollowing example is loosely based on Appendix C o the Code o Practice:
Managing Risks o Hazardous Chemicals.
Consequence Examples
Insignicant Minor loss o containment
Potential chemical exposure
No adverse eect on workers health and saety
No adverse eect on the workplace, other properties and
premises.
Minor Minor loss o containment
First aid treatment Small re.
Moderate Major loss o containment
Medical treatment injury.
Major Total loss o containment
Multiple MTI
Extensive damage to workplace.
Catastrophic Death or multiple deaths
Extensive damage to the workplace
Adverse impact on surrounding environment.
5. SAFETY ASSESSMENT
7/30/2019 Safety Assessment for MHF
28/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT26
5.3 Likelihood estimation
LIKELIHOOD ANALYSIS
The likelihood o each major incident hazard causing the major incident must be analysed.
The likelihood depends on the likelihood o the initiating event and the control eectiveness.
Eectiveness is a measure o how well the control measure perorms, or is likely to perorm,
i required. An assessment o eectiveness may include:
unctionality: ability o control to address a particular hazard
reliability: whether control will be unctional when/i required
independence: control is not dependent on other controls unctioning
maintenance: whether control unctionality can be maintained (e.g. availability o parts,
access, training and knowledge)
monitoring: whether it is possible to monitor that the control is ully unctional or
impaired, and how this could be done.
Other eectiveness criteria may include survivability; that is, that the control continues to
unction during a major incident, such as a re or during abnormal process conditions, and
cost.
Standard tools and techniques or the analysis include ault trees, event trees, LOPA and
bow-tie analysis. All have been used successully. Common mistakes are to misapply the
techniques, claim benet rom controls that are not truly independent, ailure to considerperormance under all operating conditions and ailing to validate the current perormance
o existing controls.
EXAMPLE 28 BOW-TIE
ABC Warehouse Company elected to graphically represent each major incident that
couldnt be eliminated using a bow-tie diagram. They then identied all existing controls
in place, what other controls could be in place, the quality and eectiveness o those
controls, and whether the controls were good enough. This was documented using a
likelihood table.
Likelihood What it means
Certain to occur Expected to occur in most circumstances
Very likely Will probably occur in most circumstances
Possible Might occur occasionally
Unlikely Could happen at some time.
Rare May happen only in exceptional circumstances
5. SAFETY ASSESSMENT
7/30/2019 Safety Assessment for MHF
29/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 27
EXA
MPLE29EVENTTREEANALYS
IS
ABC
WarehouseCompanyreliedona
sprinklersystemandrealarmworkingtominimisethelikelihoodo
areescalating.They
initiallythoughttheseaspectscombin
edgavethelikelihoodoareas
unlikely.
Disc
ussionswiththeoperatoroaneighbouringfammablegasstorage
acilityhighlightedthepossibility
oanexplosionaecting
thesite.Itwassuggestedthatthesprinklerandalarmsystemsshouldb
eupgradedtocopewiththiseventuality.Thecompany
decidedtoquantitativelyanalysetheimpactonlikelihoodothesprinklerandalarmsystemsbeoredecidingiitwasreasonably
prac
ticaltoupgradethesystems.
Thecurrentsprinklersystemwasjudgedlikelytoworkincontrollingare9timesouto10(probability0.9).Thenewsystem,with
enhancedreliabilityandunctionality,
wouldworkincontrollingthere99timesouto100(probability
0.99).
Thecurrentalarmsystemreliedonoperatorsinormingtherebrigade.Operatorswereonlypresentor8hours,5daysaweek,
and
socouldatbestbeeective40h
ours/168hours(probability0.24).
Itwasassumedthatthebrigadew
ouldalwaysrespond.In
contrast,theprobabilitythatanautom
atedalarmsystemwouldcallthe
brigadewas0.999.(Therewould
alsobeapossiblepenalty
oa
lsealarms,saytwoperyear,orw
hichtherebrigadewouldcharg
e).
Theeventtreeisshownbelow.Thecurrentdesignguresareshowninred.
5. SAFETY ASSESSMENT
7/30/2019 Safety Assessment for MHF
30/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT28
EXAMPLE 29 EVENT TREE ANALYSIS (CONTINUED)
ABC warehouse wanted to avoid an uncontrolled re with no alarm. This could result
in serious harm to employees and customers, and the potential loss o all the stock,
buildings, records, etc. and threaten the business. They took this as the worst possible
extent o harm. They noticed that upgrading the systems reduced the likelihood o this
worst case event by a actor o 7,600. The likelihood o better outcomes in all categories
increased.
The introduction o numbers meant that they were able to meaningully compare
other options. For example, they examined the possibility o only implementing the
improvement in the alarm system or implementing an improvement in the stand-alonesprinkler system. A stand-alone alarm improvement would be 50 per cent o the cost o
a sprinkler plus alarm package. A stand-alone sprinkler system would be 90 per cent o
the sprinkler plus alarm package cost. Armed with the estimates o likelihood, harm and
(last o all) cost, they compared all o the options and decided that implementing the
upgrade o the sprinkler and alarm system package was reasonably practical and the
best option in their circumstances.
This methodology is consistent with the denition o reasonably practical in the WHS Act.
Continued use o the qualitative assessment o unlikely would not have given the result
required to make this decision.
EXAMPLE 30 APPLICABLE FAILURE DATA AND USE IN A FAULT TREE
An operator o a chemical processing acility chose to use historical data on the
likelihood o equipment ailure using reputable sources such as Table A14.3 Appendix
14 o Lees Loss Prevention in the Process Industries, 3rd Edition (2005). Data or some
equipment is presented in orms such as:
Equipment Failure rate (ailures/106 h)
Pressure vessels (general)
(high standard)
Pipes
Bellows
Relie valves - LeakageBlockage
3
0.3
0.2
5
20.5
The data was checked to conrm correct values and limitations and or relevance to the
identied scenario. Where the conditions on site diered signicantly rom the source
database, the data was adjusted. The adjustment and rationale was highlighted to
management and the regulator.
The data was used in a ault tree analysis to estimate the requency o a loss o
containment.
It is also important to consider the infuence o human actors on likelihood and including
them in the saety assessment. This may be achieved by identiying the possible human
actors at play and managing those actors within the saety management system. The
infuence o human actors is then subjectively included in the demonstration o adequacy.Quantitative human actor assessment tools are available (or example, HEART) and can be
incorporated into the analysis o identied incident scenarios i appropriate or required.
5. SAFETY ASSESSMENT
7/30/2019 Safety Assessment for MHF
31/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 29
EXAMPLE 31 HUMAN FACTOR ANALYSIS
ABC Chemical Company recognised that the ability o the operators to respond
to alarms was potentially aected by actors such as atigue and workload. They
implemented the ollowing programs to promote perormance:
atigue management program
drug and alcohol policy
leadership/supervision training or supervisors.
They also examined the workload during critical periods and introduced:
additional resources or planned start-ups and shut-downs
an alarm reduction program ocused on removing alarm fooding.
LIKELIHOOD ASSESSMENT
Likelihood is either expressed qualitatively as a rating or given a numerical value as a
requency per annum. The operator must understand and document the basis o the
assessment (the assumptions and incident pathway).
5.4 Risk assessment
Following the determination o likelihood and consequence, risk can be assessed.
Depending on whether a qualitative or quantitative technique was chosen, risk assessments
may be expressed via a position on a risk matrix, a numerical value o individual risk per
annum or similar. The risk assessment may be used to justiy rankings and priorities or
urther work and the need or additional control measures.
EXAMPLE 32 RISK ASSESSMENT
QUANTITATIVE
ABC Company conducted a quantitative risk assessment (QRA), which considered an
ammonia release rom one o three identical tanks at their premises as well as releases
rom transer pumps, piping and other items o equipment. The analysis used industry
data on ailure rates or items o equipment to calculate likelihood and consequence
modelling o expected releases to determine the extent o the consequences. The results
were combined on a site map to show individual risk o atality at specic points by a risk
contour as in the ollowing diagram.
ABC Company used these results to satisy land use planning requirements and internal
risk tolerability targets. It does not, o itsel, establish that the risk has been reduced so
ar as is reasonably practical.
5. SAFETY ASSESSMENT
7/30/2019 Safety Assessment for MHF
32/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT30
EXAMPLE 33 RISK ASSESSMENT
Qualitative
ABC Company considered an ammonia release rom one o three identical tanks at their premises
(Incident 1). Based on incidents at similar acilities, they decided that the likelihood was not likely to occur
while the consequence was that a number o atalities were possible.
Consequence
Insignifcant
circumstances
Minor Moderate Major Catastrophic
1 2 3 4 5
Health and Saety Near miss,
First Aid Injury
(FAI) or one or
more Medical
Treatment
Injuries (MTI)
One or
more
Lost
Time
Injuries
(LTIs)
One or
more
signicant
Lost Time
Injuries
(LTIs)
One or
more
atalities
Signicant
number o
atalities
5
Possibility o
repeated events
(1 x 10-1 per year)
Signifcant risk
4
Possibility o
isolated incidents
(1 x 10-2 per year)
Moderate risk
3
Possibility
o occurring
sometimes
(1 x 10-3 per year)
Low risk
2Not likely to occur
(1 x 10-4 per year)Incident 1
1Rare occurrence
(1 x 10-5 per year)
The company used the relative placement on the matrix to prioritise risk reduction projects. Potential major
incidents in the signicant risk category had to be documented and their management explained to senior
ocers o the company.
High risk
Signifcant risk
Moderate risk
Low risk
5. SAFETY ASSESSMENT
LIKELIHOOD
7/30/2019 Safety Assessment for MHF
33/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 31
CONSIDER CUMULATIVE RISK
Regulation 555(3) requires the operator to consider all potential major incidents and major
incident hazards cumulatively, as well as individually, in the saety assessment.
Cumulative risk can be considered in a number o ways:
Consideration o risk in aggregate: I there are a large number o dierent hazards and
potential incidents at a acility, the total risk may be signicant even i the risk arising
rom each individual hazard or incident is low.
Consideration o risk in concert: the evaluation o the consequences o incidents
occurring in quick succession (or example, an earthquake ollowed by tsunami).
Consideration o risk by location: It may be useul or a acility to consider whether the
major incident risk is concentrated in specic locations or roles, and thereore whether
any additional controls may be prudent to reduce the likelihood or consequence, and
thus reduce the risk.
There is no specied quantitative risk level that is considered acceptable, so the above
should not be interpreted as a requirement to conduct a quantitative risk assessment (QRA).
It should also be recognised that meeting any o the quantitative risk criteria suggested
or recommended by dierent jurisdictions does not necessarily prove that a acility has
reduced risk to a level so ar as is reasonably practicable.
5. SAFETY ASSESSMENT
7/30/2019 Safety Assessment for MHF
34/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT32
EXAMPLE 34 ANALYSIS OF CUMULATIVE RISK
Hazard identication had identied that there were six possible mechanisms that could lead to a major
incident rom a batch polymerisation reactor at a acility:
reactor overll
high pressure
runaway reaction - excess reactant added
runaway reaction - excess catalyst
runaway reaction - agitator ailure
agitator seal ailure.
The saety assessment determined that each hazard individually was in the Medium Risk zone on a risk
matrix. However, the one operator responsible or this area is exposed to the risk presented by all o them
since he spends the shit close to the reactor. Thereore, cumulatively, the likelihood o the operator being
exposed to a major incident is sucient to increase the risk aced by that operator into the High Risk zone.
CONSEQUENCE
Ater reviewing this situation, the company decided to relocate the operators control console, etc. to a
central control room.
High risk
Signifcant risk
Moderate risk
5. SAFETY ASSESSMENT
LIKELIHOOD
7/30/2019 Safety Assessment for MHF
35/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 33
RISK EVALUATION
Risk evaluation is the decision that the risks have been reduced so ar as is reasonably
practical and is acceptable to all stakeholders. Comparison o the level o risk ound during
the analysis process with risk criteria or with the standards declared in the saety policy is
oten a good predictor o whether risk could practicably be reduced urther.
The risk evaluation has three possible outcomes:
well below criteria: urther risk reduction is probably impracticable
suciently close to or above criteria or urther risk reduction controls to be investigated
seriously
well above criteria: urther controls need to be ound or continued operation questioned.
It is very unusual or an operator to complete a saety assessment without a risk reduction
program and without a list o items that are on watch or changes in technology or other
means that may move risk reduction rom impractical to reasonably practical.
EXAMPLE 35 RISK EVALUATION
QUANTITATIVE
The results o the quantitative risk assessment (QRA) conducted by ABC Company were
compared with the NSW planning criteria. This states that individual risk should not
exceed 1 x 10-6 per year in residential areas2. This may eliminate some areas as possible
locations or the operation.
2. NSW Department o Planning, Hazardous Industry Planning Advisory Paper (HIPAP) No. 4 Risk Criteria or
Land Use Planning.
EXAMPLE 36 RISK EVALUATION
QUALITATIVE
The ranking on the risk matrix determined by ABC Company can be compared with their
internal risk criteria, which state that any risk classied as a high risk must be reviewed to
ensure that all potential control measures have been identied and implemented where
practicable. In addition, any high risk items must be approved by management or the
risk to remain without alteration.
5. SAFETY ASSESSMENT
7/30/2019 Safety Assessment for MHF
36/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT34
EXAMPLE 37 RISK EVALUATION: IMPLEMENTATION OF ADDITIONAL CONTROLS
ABC Chemical Company identied during the control measure assessment that an
additional control measure (high level trip) should be considered to protect against
overlling o the storage vessel. The risk o overlling was considered high during the risk
assessment. This additional control was selected on the basis that:
it was considered essential to provide protection given that manual control is
insucient
the control was judged to have a signicant risk reduction potential
the proposed solution is known and o reliable technology
it is higher on the hierarchy o controls than alternative controls.
An alternative control was a proposal to use a smaller tanker and have the supervisor
check that sucient volume was available in the vessel beore unloading. This was
rejected on the basis that:
it is lower on the hierarchy o controls than the high level trip
it was likely to be ineective and possibly subject to human error
even though lower cost, the cost-benet ratio was higher.
5.5 Demonstration o adequacy
The operator must demonstrate that the identied controls are adequate i.e. that the controls
eliminate or reduce the risk so ar as is reasonably practicable.
The ollowing actors should be considered:
The assessment includes both preventative and mitigative controls.
The ull range o operating and start-up/shutdown conditions has been considered.
All identied hazards that could lead to a major incident should have at least one reliable
control which acts to limit or prevent their occurrence. Deence in depth (multiple and a
variety o controls) has been implemented where necessary.
The hierarchy o controls has been applied in understanding eectiveness (the wearing
o personal protective equipment and application o administrative controls are less
eective than engineering solutions).
Control independence has been considered and correctly accounted or (particularly
important in quantitative assessments e.g. SIL studies).
Critical operating parameters have been identied or all controls, compliance with which
is necessary to avoid a major incident.
Existing perormance indicators or selected controls have been considered (or devised i
absent), and validated against required perormance standards.
The operator should be able to show that the adopted controls are capable o
maintaining operation within the identied critical operating parameters.
Controls that have been identied but rejected during the saety assessment are
recorded, together with the reason why they have not been adopted (i.e. the justication
o why they are not reasonably practicable).
This is discussed urther in the Major Hazards Facility Guide: Saety Case: Demonstrating the
Adequacy of Safety Management and Control Measures.
5. SAFETY ASSESSMENT
7/30/2019 Safety Assessment for MHF
37/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 35
Regulations 556 and 566 require the operator o determined or licensed MHFs to implement
risk control measures that eliminate or, i that is not reasonably practical, minimise the risk
o a major incident rom occurring, and to implement control measures that reduce the
magnitude and severity o the consequences. The saety assessment has identied what
could and should be done to minimise and control the risk; the onus is now to adopt and
implement those measures.
The means o implementing and maintaining the eectiveness o the selected control
measures is via the saety management system. Separate guidance is available on the
requirements o a saety management system at a MHF. The ollowing discussion emphasises
the elements o the saety management system that interact directly with the saety
assessment.
6.1 Perormance standards and indicators
Perormance standards and perormance indicators are required or each adopted control
to ensure the eectiveness o that control is tested and that a control ailure is detected and
remedied.
A perormance standard is the acceptable level o response, or the required perormance,
or a control to be considered eective in managing the risk. Standards may include both
the current required level o perormance and also a target level to be achieved within a
specied timerame.
A perormance indicator is an objective measure that shows current and/or pastperormance. The overall eectiveness o the control measure can then be judged by
comparing its perormance against the perormance standard.
EXAMPLE 38 PERFORMANCE INDICATORS AND STANDARDS FOR CONTROL
MEASURES
General standards may be set up or completion o testing, calibration or maintenance
within a xed timerame.
Control Measure Perormance Indicator Perormance Standards
PSV Pop test pressure Within + or - 2% o set
pressure
98% unction at set
pressure
Operating Procedure Compliance check 0 major deviations
1 minor deviation
For the pressure saety valve in the table above, the corrective action in the event
o ailure (i.e. not relieving at the set pressure) may be replacement, re-calibration
or a reduction in the test interval, depending on the valve and service. The second
perormance standard may be reported to management, while the rst is used primarily
as a guide or maintenance personnel to determine what their action should be in
response to ailure.
6. CONTROL OF RISK
7/30/2019 Safety Assessment for MHF
38/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT36
6.2 Critical operating parameters
Critical Operating Parameters (COPs) are the upper or lower perormance limits o any
equipment, process or procedure that, i not complied with, could result in a major incident.
COPs dene the sae operating envelope or a acility, where any exceedence could
undermine the sae operation o the acility.
Generally, the main dierence between a COP and a perormance standard is that COPs are
continuously monitored and managed, while perormance against a perormance standard
is generally periodically assessed (and included in the audit component o the saety
management system).
The operator should ensure that the critical operating parameters are monitored and
excursions outside the sae operating zone are minimised.
FIGURE 2: Sae operating zone and identication o critical operating parameters
Known unsae or uncertain
zone
Buer zone
COP neverexceed limit
Troubleshooting zone
Known sae zone
Normal operating zoneMaximum
normal
operating limit
EXAMPLE 39 CRITICAL OPERATING PARAMETERS
Typical COPs in use at some MHFs include:
acility minimum manning level
the number o re pumps available
maximum operating pressure o a pressure vessel
minimum operating temperature
maximum reactant addition rate or a reactor
minimum cooling water fow rate or a reactor
maximum running hours beore service o a orklit truck
maximum rpm o a high speed turbine
maximum number o pallets to be stored in a specic area
maximum height or number o vertically stacked pallets in a storage area.
6. CONTROL OF RISK
7/30/2019 Safety Assessment for MHF
39/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 37
Determined and licensed MHFs must review and, as necessary, revise the saety assessment:
i there is a modication
i a control measure does not minimise the risk so ar as is reasonably practicable (e.g. in
the event o an incident or near miss, or the perormance standard is not being met)
i new hazards are identied
i there is a reasonable belie that it needs review
at least every ve years.
The monitoring and review o control measure perormance is a core component o the
saety management system.
EXAMPLE 40 MONITORING AND REVIEW
ABC Company reviews the control measure perormance results at a monthly saety
meeting, which includes maintenance and operations personnel, a health and saety
representative and the site manager. Control measure perormance results are grouped
or presentation. The saety management system perormance is also reported at this
meeting.
ABC Company has also established linkages in its systems that require review o the
saety assessment i an incident occurs at the acility or at a similar operating acility.
Incident investigation triggers a review o the saety assessment, as does the reporting
o a near-miss event and activation o the site emergency plan. Change management is
another system that may also trigger a review o the saety assessment.
7. REVIEW OF RISK MANAGEMENT
7/30/2019 Safety Assessment for MHF
40/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT38
OPERATORS OF DETERMINED MAJOR HAZARD FACILITIES
Regulation Requirement
554 Identifcation o major incidents and major incident hazards
(1) The operator o a determined major hazard acility must identiy:
(a) all major incidents that could occur in the course o the operation o the
major hazard acility; and
(b) all major incident hazards or the major hazard acility, including major
incident hazards relating to the security o the major hazard acility.
(2) In complying with subregulation (1), the operator must have regard to any advice
and recommendations given by:
(a) the emergency service organisations with responsibility or the area in which the
major hazard acility is located; and
(b) any government department or agency with a regulatory role in relation to major
hazard acilities.
(3) The operator must document:
(a) all identied major incidents and major incident hazards; and
(b) the criteria and methods used in identiying the major incidents and majorincident hazards; and
(c) any external conditions under which the major incident hazards, including those
relating to the security o the major hazard acility, might give rise to the major
incidents.
555 Saety assessment
(1) The operator o a determined major hazard acility must conduct a saety
assessment in relation to the operation o the major hazard acility.
(2) In order to provide the operator with a detailed understanding o all aspects o
risks to health and saety associated with major incidents, a saety assessment must
involve a comprehensive and systematic investigation and analysis o all aspects
o risks to health and saety associated with all major incidents that could occur inthe course o the operation o the major hazard acility, including the ollowing:
(a) the nature o each major incident and major incident hazard;
(b) the likelihood o each major incident hazard causing a major incident;
(c) in the event o a major incident occurring, its potential magnitude and the
severity o its potential health and saety consequences;
(d) the range o control measures considered;
(e) the control measures the operator decides to implement.
APPENDIX A - REVIEW OF RISK MANAGEMENT
7/30/2019 Safety Assessment for MHF
41/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT 39
Regulation Requirement
555 (3) In conducting a saety assessment, the operator must:
(a) consider major incidents and major incident hazards cumulatively as well as
individually; and
(b) use assessment methods (whether quantitative or qualitative, or both), that are
suitable or the major incidents and major incident hazards being considered.
(4) The operator must document all aspects o the saety assessment, including:
(a) the methods used in the investigation and analysis; and
(b) the reasons or deciding which control measures to implement.
(5) The operator must keep a copy o the saety assessment at the major hazard acility.
559 Review o risk management
(1) The operator o a determined major hazard acility must review and as necessary
revise each o the ollowing, in accordance with this regulation:
(a) the saety assessment conducted under regulation 555 in order to ensure the
adequacy o the control measures to be implemented by the operator;
(b) the major hazard acilitys emergency plan;
(c) the major hazard acilitys saety management system.
(2) Without limiting subregulation (1), the operator must conduct a review and revision
in each o the ollowing circumstances:
(a) a modication to the major hazard acility is proposed;
(b) a control measure implemented under regulation 556 does not minimise the
relevant risk so ar as is reasonably practicable;
Example
An eectiveness test indicates a deciency in the control measure.
(c) a new major hazard risk is identied;
(d) the results o consultation by the operator under Part 9.5 indicate that a
review is necessary;
(e) a health and saety representative requests the review;
() the regulator requires the review.
APPENDIX A - REVIEW OF RISK MANAGEMENT
7/30/2019 Safety Assessment for MHF
42/48
GUIDE FOR MAJOR HAZARD FACILITIES | SAFETY ASSESSMENT40
Regulation Requirement
559 (3) In reviewing and revising the emergency plan, the operator must consult with the
emergency service organisations reerred to in Regulation 557(2).
(4) For the purposes o subregulation (2)(e), a health and saety representative at a
workplace may request a review i the representative reasonably believes that:
(a) a circumstance reerred to in subregulation (2)(a), (b), (c) or (d) aects or may
aect the health and saety o a member o the work group represented by the
health and saety representative; and
(b) the operator has not adequately conducted a review in response to the
circumstance.
564 Identifcation o major incidents and major incident hazards
(1) The operator o a licensed major hazard acility must identiy:
(a) all major incidents that could occur in the course o the operation o the major
hazard acility; and
(b) all major incident hazards or the major hazard acility, including major incident
hazards relating to the security o the major hazard acility.
(2) In complying with subregulation (1), the operator must have regard to any adviceand recommendations given by:
(a) the emergency service organisations with responsibility or the area in which
the major ha
Top Related