Major Hazard Facilities
Control Measures and Adequacy
Overview
The seminar has been developed to provide:
• Context with MHF Regulations
• An overview of what is required
• An overview of the steps required
• Examples of control measures and their adequacy
Some Abbreviations and Terms
• AFAP - As far as (reasonably) practicable
• DG - Dangerous goods
• Employer - Employer who has management control of the facility
• ER or ERP - Emergency response or Emergency response plan
• Facility - any building or structure at which Schedule 9 materials are present or likely to be present for any purpose
• HAZID - Hazard identification
• HAZOP - Hazard and operability study
• HSR - Health and safety representative
• LOC - Loss of containment
• LOPA - Layers of protection analysis
Some Abbreviations and Terms
• MHF - Major hazard facility
• MA - Major accident
• OHS - Occupational health & safety
• PFD - Probability of failure on demand
• PSV - Pressure safety valve
• SMS - Safety management system
Topics Covered In This Presentation
• Regulations
• Introduction
• Regulatory requirements
• What does this mean?
• Identify all control measures
• Development of assessment
• Control category and examples
• Hierarchy of controls
• AFAP
Topics Covered In This Presentation
• Effectiveness of control measures
• Control types
• Opportunities available to reduce risk
• Assessment and adequacy
• Sources of additional information
• Review and revision
Regulations
Basic outline
• Hazard identification (R9.43)
• Risk assessment (R9.44)
• Risk control (i.e. control measures) (R9.45, S9A 210)
• Safety Management System (R9.46)
• Safety report (R9.47, S9A 212, 213)
• Emergency plan (R9.53)
• Consultation
Introduction
In order to deliver safe operation the Employer needs to understand the relationship between:
• Hazards causing an MA
• The controls preventing or mitigating consequences of an MA
• The controls in place, and assess their effectiveness and adequacy
Introduction
• At least 23 workers were killed
• 74 were injured
• $800,000,000 (U.S.) estimated property damage
Controls DO fail and the consequences can be devastating (Skikda, Algiers, 20 January, 2004)
Introduction
• Control measures are the features of a facility that:
  - Eliminate
  - Prevent
  - Reduce
  - Mitigate
  . . . the risks associated with potential MAs
• They are the means by which the Employer ensures the operation satisfies the Regulations and the AFAP requirement
• A number of control options may be considered and applied individually or in combination
Introduction
• In undertaking control measure identification and assessment, the Employer should seek to attain an understanding of:
  - The processes involved in control measure identification/selection and assessment
  - The control measures used to reduce the risk of potential major accidents to AFAP
Introduction
• At the end of the controls and adequacy evaluation process, the Employer should know:
  - The identity of all existing and potential control measures
  - The relationships between the hazards, control measures, MAs and outcomes
  - The effectiveness of control measures in managing risk
  - The opportunities that are available to reduce risk
  - The monitoring regime necessary to ensure the ongoing effectiveness of the control measures
Regulation Requirements
• After the HAZID and Risk Assessment evaluations, the Employer will have identified all of the hazards that can lead to MAs and the controls in place, including independence, reliability, effectiveness, robustness and applicability
• A determination of the adequacy of the controls in managing the hazards then needs to be undertaken
What Does This Mean?
• The opportunities present that are available to reduce risk need to be assessed, including additional or alternative controls
• The monitoring regime necessary to ensure the ongoing effectiveness of the control measures for managing the hazards needs to be assessed
• Control measures and adequacy assessment will need to be revised as necessary, using performance monitoring results and other relevant new information
What Does This Mean?
[Figure: Reported incidents by results involving Schedule 9 materials in Victoria (from VWA). Vertical axis: No of Incidents. Series: Petroleum, Utilities, Logistics, Chemicals & Plastics. Categories: Chemical Exposure, Environ Release, Explosion, Fire, LOC, First Aid Offsite, First Aid Onsite.]
What Does This Mean?
• This accident happened during the filling of a 2000 m³ LPG sphere
• Its legs collapsed.
• One person was killed and one seriously injured
Identity of All Control Measures
• All of the MAs should be documented in an appropriate format that clearly identifies:
  - The MA (the release modes and the consequences of the release)
  - All hazards that, if realised, can cause an MA
  - The controls in place to manage the hazard and any recommended controls as a result of the HAZID process
Identity of All Control Measures
Example: consider a chlorine drum handling operation
Hazard:
• Release of chlorine from chlorine storage drum
Incident:
• Forklift tynes impact on chlorine storage drum
Consequence:
• Release of chlorine liquid into storage drum bund resulting in personnel exposure to chlorine liquid/vapour
• Potential for serious injury/fatality
Identity of All Control Measures
Preventative Controls (Incident Prevention):
• Design of chlorine storage drum and fork lift lifting mechanisms prevent tynes puncturing cylinder (in accordance with an appropriate standard) and inspected regularly
• Traffic management system/forklift or pedestrian exclusion zones
• Forklift driver training – training is held at the prescribed intervals and records inspected are satisfactory
Mitigation Controls (Incident Mitigation):
• Spill containment bunds (reduces the consequences)
• Spill containment procedure, chlorine gas detection & alarms (reduces time for intervention thereby reducing consequences) – procedure inspected and found to be satisfactory
• PPE including breathing apparatus (reduces the likelihood of exposure to chlorine) – PPE training is held at prescribed intervals and records validated
Identity of All Control Measures
• Control measures are not only physical equipment, but may include:
  - Engineered devices (physical barriers such as impact protection bollards) or systems (high integrity trip systems)
  - High-level procedures or detailed operating instructions
  - Information systems (incident reporting systems)
  - Personnel training (i.e. the actions people should take in an emergency)
Development of Assessment
• It is important to understand how controls are arranged in a manner that eliminates or minimises the hazards leading to an MA occurring, and any interdependence
• Control measures may be pro-active, in that they eliminate, prevent or reduce the likelihood of incidents
• They may be reactive, in that they reduce or mitigate the consequences of an MA
Development of Assessment
• Control measures may be considered as “barriers” and are located between the intrinsic hazards that could lead to an MA
• Control measures can also reduce the harm that may be caused to people and property in the event of an MA
• Hazards can result in an MA harming people or property only if controls have failed to function as intended, or have been bypassed/defeated
Development of Assessment
[Figure: 1st barrier, 2nd barrier, 3rd barrier]
Development of Assessment
• There are methods for the control assessment process
• The size, complexity and knowledge of the MHF could determine which approach to use
• Several methods can be used, e.g.:
  - LOPA
  - Fault tree and event tree
  - Risk matrix
Control Measure Hierarchy
The hierarchy of controls & effectiveness guidelines
Control type and effectiveness (listed from increasing reliability to decreasing reliability):
• Eliminate hazard: 100%
• Minimize hazard: 90%
• Physical controls
• Procedures: 50%
• Personnel skills & training: 30%
Control Measure Hierarchy
• Elimination/substitution controls
• Prevention controls
• Reduction controls
• Mitigation controls
Control Measure Hierarchy
Control Category: Elimination controls
Control Examples:
• Equipment removal
• Physical barriers such as mounding of LPG sphere
• Decommissioning
• Facility layout – increasing separation distances
• Plant design procedures
Control Measure Hierarchy
Control Category: Substitution controls
Control Examples:
• Replacement of a hazardous material with a non-hazardous substitute (e.g. replace chlorine with sodium hypochlorite)
• Systems to prevent incompatible materials on the site at the same time
Control Measure Hierarchy
Control Category: Prevention
Control Examples:
• Process alarms and notification systems
• Independent flow/level/pressure/temperature indicators with a defined response
• Engineering standards
• Safety process systems (safety integrity systems), pressure relief valves
Control Measure Hierarchy
Control Category: Prevention
Control Examples:
• Operating procedures and instructions
• Personnel skill, training and competency
• Plant inspection
• Equipment testing and repair
• Change management process
• Maintenance procedures
• Quality specifications
• Permit to work
Control Measure Hierarchy
Control Category: Reduction
Control Examples:
• Separation distances
• Shutdown and isolation systems
• Gas detection with leak isolation action
• Bunding and other containment systems
• Drainage
Control Measure Hierarchy
Control Category: Mitigation
Control Examples:
• Fire fighting systems
• Emergency response plans
• Plant evacuation alarms
• Passive fire protection (thermal insulation on bullets, spheres)
AFAP
• It is the risk assessment that provides the information necessary to test this requirement, and this information must be included in the safety report
• The risk assessment must address hazards and risk both individually and cumulatively
• Consequently the demonstration that risks are eliminated or reduced to AFAP may need to be made for control measures individually, in groups and as a whole
AFAP
• The AFAP approach is not simply about satisfying a single criterion of whether the risk of an MA is less than a specific number or position on a risk matrix
• It is about evaluation of all controls, their proportionality for controlling the risk of an MA occurring and if additional controls can reasonably have an effect on reducing the risk of an MA further
AFAP
• The likelihood of the hazard or risk actually occurring
  - That is, the probability that someone could be injured or harmed through the work being done
• The degree of harm that would result if the hazard or risk occurred
  - For example fatality, multiple injuries, medical or first aid treatment, long or short term health effects
• The availability and suitability of ways to eliminate or reduce the hazard or risk
AFAP
• What is known, or ought reasonably be known, about the hazard or risk and any ways of eliminating or reducing it
• The cost of eliminating or reducing the hazard or risk
  - That is, control measures should be implemented unless the risk is insignificant compared with the cost of implementing the measures
AFAP
• The balance between benefits in terms of reduced risk and the costs of further control measures will play a part in achieving and demonstrating AFAP
• Every safety report will need to develop an approach as to how the AFAP argument is to be applied to the facility
• The AFAP approach then needs to be applied consistently to every MA in order for demonstration of adequacy to be satisfied
AFAP – Cost/Benefit & Rejecting Controls
[Figure: cost/benefit matrix. Vertical axis: Benefit (Risk Reduction), Low to High. Horizontal axis: Sacrifice (cost, time, effort and inconvenience), Low to High. Cell texts:
• Should be implemented. Little analysis required unless rejected.
• More detailed justification required to reject
• More detailed justification required to reject (lower priority)
• Simple justification to reject]
Effectiveness of Control Measures
• There are controls and safeguards
• A control is considered to be a device, system, or action that is capable of preventing a cause from proceeding to its undesired consequence, independent of the initiating event or the action of any other layer of protection associated with the scenario
• A safeguard is any device, system or action that would likely interrupt the chain of events following an initiating event
Effectiveness of Control Measures
To be considered a control, it must be:
Independent
Of the components of any other control already claimed for the same scenario
Reliable
The reliability, effectiveness and independence of a control must be auditable
Effective
For the initiating event
Applicable
Preventing the consequences when it functions as designed
Effectiveness of Control Measures
• As an example, consider an employee action to read a level gauge and a pressure gauge - both taken off the same tapping point
• Is a single tapping point for two different information streams applicable, independent and reliable?
• Will the employee reliably report the correct information?
Effectiveness of Control Measures
These have been built into a system - but are they:
• Independent
• Reliable
• Effective
• Applicable
The answer - NO
Effectiveness of Control Measures
• Every designer, Employer and manager desires to have controls that are:
  - Robust
  - Reliable
  - Can survive harsh environments
  - Not dependent upon rigorous inspection and testing regimes that involve manpower and cost
• Unfortunately this is not reality
Effectiveness of Control Measures
Controls do fail and accidents occur as a result
Result of a fire at a bulk storage facility – was there adequate separation and fire protection?
Effectiveness of Control Measures
Impact on:
• Environment
• People
• Business interruption
• Cost of inventory
• Reputation
• Legal cost
Effectiveness of Control Measures
A good management system with adequate risk control measures reduces the risk of loss
Effectiveness of Control Measures
• These controls are important to analyse in a structured manner so that their effectiveness can be assessed
• For this to occur the Employer needs to know:
  - What type
  - How many
  - How reliable are the controls
  - Are there sufficient to reduce MA risk to AFAP?
• Each control needs to be fit for purpose and designed into the system as independent
Control Types
• In each evaluation the type of service being evaluated needs to be taken into consideration critically to ensure the control type is effective and will perform its intended duty
• For example consider an instrumented level gauge with high level and high high level independent alarms for controlling the level in a process tower
• The alarms are not tested and the high high level is known to be in fault mode
  - Is this control reliable, effective and applicable?
Control Types
Controls need to be service and situation dependent in order to be suitable
• For example, having a rupture disc in place where the inlet can foul – in this circumstance the correct pressure will not be seen by the rupture disc
  - Such a control would not be suitable for the service
• Bund in service for flammable liquid storage tanks which has major penetrations
  - This control would not be suitable as it cannot satisfy AS1940
Control Types
• The following is an animated description of the US Chemical Safety Board, Animation of BP Texas City Refinery Accident, October 27, 2005
• This can be found at the following website: www.csb.gov
Control Types – Human Controls
• Such controls involve reliance on employees to take action to prevent an undesirable consequence in response to alarms or following a routine check of the system
• Human performance is usually considered less reliable than engineering controls
• Not crediting human actions under well defined conditions is considered to be unduly penalising the Employer
Control Types – Human Controls
Human controls should have the following requirements:
• The indication for action required by an employee must be detectable
• The action must always be:
  - Available for the employee
  - Clear to the employee even under emergency conditions
  - Simple and straightforward to understand
  - Repeatable by any similarly trained/competent employee
Control Types – Human Controls
• The time available to take action must be adequate
• Employees should not be expected to perform other tasks at the same time – there needs to be clear priorities
• The employee is capable of taking the action required under all conditions expected to be reasonably present
• Training for the required action is performed regularly and is documented
• Indication and action should normally be independent of any other system already accredited
Control Types – Human Controls
Examples of reduction (human) controls
• Human Control: Human action with 10 minutes response time
  - Comments: Simple well documented action with clear and reliable indications that action is required
• Human Control: Human response to BPCS indication or alarm with 40 minutes response time
  - Comments: Simple well documented action with clear and reliable indications that action is required
• Human Control: Human action with 40 minutes response time
  - Comments: Simple well documented action with clear and reliable indications that the action is required
Taken from “Layer of Protection Analysis, Simplified Process Risk Assessment, Center for Chemical Process Safety, American Institute of Chemical Engineers, 2001”
Opportunities Available to Reduce Risk
The effectiveness of control measures in managing risk
• Each control, to be classified as a legitimate control against an MA (i.e. implemented, functional, independent, monitored and audited) must be evaluated in a structured format
• To ensure proper management of the MAs, each control must be fully independent of the other controls listed
  - There must be no failure that can deactivate two or more controls (e.g. common cause failure)
Opportunities Available to Reduce Risk
• The question people ask is, how many controls are required to reduce an MA to AFAP?
• This will depend on:
  - The circumstances
  - The process being analysed together with the mix of independent controls
• One approach used is to have a qualitative evaluation that requires three independent controls to be in place before AFAP can be achieved
Opportunities Available to Reduce Risk
Risk is based on the following equation:
Risk = Σ(Fi × Ci) = (F1 × C1) + (F2 × C2) + ... + (Fn × Cn)
Where
Fi is the frequency or likelihood of event i, and
Ci is the consequence of event i
• Risk reduction can be implemented by changing either the frequency of the MA occurring or the magnitude of the consequence of the MA
Opportunities Available to Reduce Risk
• For evaluation of control measures, there are several issues that need to be considered
Existing MHF Facility
• During a risk evaluation process for an existing facility, it would be very unusual to achieve a reduction in the worst case consequences of an MA
• Reducing the frequency or likelihood of the event occurring is generally the only option available
Opportunities Available to Reduce Risk
New MHF Facility
• For a new facility, both components of the risk equation can be reduced
• Several issues can be explored when designing a new facility
• The first point of examination is to focus on the hierarchy of controls
  - Can we eliminate the hazard so it is not a problem?
• The second area to examine is substitution
  - Use of alternative non Schedule 9 or DG materials
Opportunities Available to Reduce Risk
Elimination Controls
• The effectiveness of an elimination control is considered to be 100%
• The risk from an event occurring is reduced to zero
• This is the optimal type of control
• If an Employer cannot reduce the risk to an acceptable level, the feasibility of shutting down plant equipment/processes, substituting non-hazardous substances for hazardous substances should be considered
Opportunities Available to Reduce Risk
Prevention controls
• The effectiveness of prevention controls is based on their Probability to Fail on Demand (PFD)
• PFDs can be determined from site specific maintenance/inspection data and incident data
• In the absence of site specific data, PFDs can be referenced from worldwide failure rate data publications such as OREDA, E&P Forum, etc
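Added example (not part of the original presentation): a minimal LOPA-style calculation in Python that combines the risk equation Risk = Σ(Fi × Ci) with the PFD and independence requirements described above. It generalises the level gauge/pressure gauge case by refusing credit to any control that shares a component with one already credited. All frequencies, PFDs, consequence units and component names are constructed for illustration.

```python
from dataclasses import dataclass, field
from math import prod


@dataclass(frozen=True)
class Control:
    name: str
    pfd: float              # probability of failure on demand, 0 < PFD <= 1
    components: frozenset   # equipment/people the control relies on


@dataclass
class Scenario:
    name: str
    initiating_freq: float  # Fi before controls, events per year
    consequence: float      # Ci, in any consistent unit
    controls: list = field(default_factory=list)


def credit_independent(controls):
    """Return (credited, rejected) for one scenario.

    A control is rejected when it shares any component with a control
    already credited (a common cause failure could defeat both).
    The most reliable candidates (lowest PFD) are considered first.
    """
    credited, rejected, used = [], [], set()
    for c in sorted(controls, key=lambda c: c.pfd):
        if not 0.0 < c.pfd <= 1.0:
            raise ValueError(f"{c.name}: PFD must be in (0, 1]")
        shared = used & c.components
        if shared:
            rejected.append((c, sorted(shared)))
        else:
            credited.append(c)
            used |= c.components
    return credited, rejected


def mitigated_frequency(scenario, enforce_independence=True):
    """Fi after controls = initiating frequency x product of credited PFDs."""
    if enforce_independence:
        credited, _ = credit_independent(scenario.controls)
    else:
        credited = scenario.controls  # naive: every listed control is credited
    return scenario.initiating_freq * prod(c.pfd for c in credited)


def site_risk(scenarios, enforce_independence=True):
    """Risk = sum(Fi x Ci) over all scenarios."""
    return sum(mitigated_frequency(s, enforce_independence) * s.consequence
               for s in scenarios)


# Constructed sample data: two gauges read by one operator off one tapping point.
OVERFILL = Scenario("Process tower overfill", 0.1, 1000.0, [
    Control("Operator reads level gauge", 0.1, frozenset({"tapping point", "operator"})),
    Control("Operator reads pressure gauge", 0.1, frozenset({"tapping point", "operator"})),
    Control("Pressure safety valve", 0.01, frozenset({"PSV"})),
])
CHLORINE = Scenario("Forklift impact on chlorine drum", 0.05, 5000.0, [
    Control("Forklift exclusion zone", 0.1, frozenset({"traffic management system"})),
    Control("Forklift driver training", 0.5, frozenset({"forklift driver"})),
])

if __name__ == "__main__":
    for s in (OVERFILL, CHLORINE):
        _, rejected = credit_independent(s.controls)
        print(s.name, mitigated_frequency(s), [c.name for c, _ in rejected])
    print("Site risk:", site_risk([OVERFILL, CHLORINE]))
```

Crediting both gauge readings would understate the overfill frequency by a factor of ten in this constructed case.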
Opportunities Available to Reduce Risk
Reduction controls
• Assessing the effectiveness of reduction controls is a lot more subjective than assessing the effectiveness of elimination or prevention controls
• There are many variables that affect the integrity/effectiveness of such controls
• These cover
  - Reliability of instrumentation
  - Inspection and testing frequency requirements
  - Effectiveness of testing programs and feedback on opportunities for improvement
  - Frequency of training employees
Opportunities Available to Reduce Risk
Reduction controls
• For example, an operating procedure can be a highly effective reduction control provided it is readily available, regularly referenced and frequently reviewed and there is independent verification of its output
• The same argument holds for a change management process
• Human factors evaluations should be used to determine the reliability of an operating procedure if it is critical to the activity
Opportunities Available to Reduce Risk
Training/competency controls
• The effectiveness of training controls is not easily assessed
• Training programs that are:
  - Specific to the task at hand
  - Competency assessed
  - Revisited via refresher training courses
  are likely to be highly effective, with confirmation being available through human factors evaluations
Opportunities Available to Reduce Risk
• Where elimination or substitution cannot be achieved then a combination of controls is preferred
  - This provides a balance
  - The failure of a single control should not lead to the MA occurring
Assessment and Adequacy
• There are a number of approaches that can be used to undertake an assessment of an MA’s controls to determine if the AFAP argument is satisfied
• These include
  - LOPA
  - Fault and event tree analysis
  - Risk analysis using a matrix approach
• The approach to use will depend on the complexity of the MA and the culture of the organisation
Assessment and Adequacy
• Less complex and smaller operations could use a risk matrix type approach
• A more complex operation such as a refinery or gas processing plant could use all three approaches
• When determining effectiveness of control measures, the following issues will also need to be considered:
  - Independence
  - Functionality
  - Survivability
  - Reliability
  - Availability
Assessment and Adequacy
• Cost benefit analyses can be undertaken to determine the viability of each proposed recommendation for further risk reduction
• This is a valid approach and at some point, depending on the circumstances involved, reducing risk further becomes costly compared to the benefit gained
• Controls that are rejected need to be documented including the reason why
• A “critical control” is hard to define as various interpretations can be provided
• This could, in some circumstances, skew thinking to the detriment of other controls
• For the purpose of MA controls and adequacy evaluation, all controls that prevent or minimise the potential for an MA to occur should be appropriately evaluated
Assessment and Adequacy
• In essence there will have been a determination made on every MA covering:
  - What controls are in place?
  - What other controls are in place?
  - Is there only one control in place or is there a proportionality of controls available to achieve AFAP?
  - Is the risk adequately controlled?
  - Are additional controls required?
Assessment and Adequacy
• Are they effective?
• Would alternative controls be more suitable and effective for preventing or reducing the MA?
• What testing regime is required for maintaining the control performance?
• Is the testing regime adequate for every control?
  - For example, if some controls are tested every 12 months, what improvement would there be if testing was undertaken every 3 months?
Assessment and Adequacy
• Are the controls audited and their performance evaluated against appropriate criteria?
• How are failures reported?
• What is the corrective action process in place?
• Is there verification of the entire process?
Assessment and Adequacy
• A safety management process will need to be developed for the facility (i.e. SMS)
• This will enable the performance of all control measures for every MA to be evaluated for effectiveness and opportunities for improvement identified
Sources of Additional Information
• Major Hazard Facility Guidance Material – Comcare website www.comcare.gov.au
• WorkSafe Victoria Guidance Material – WorkSafe website www.workcover.vic.gov.au
• Layer of Protection Analysis, Simplified Process Risk Assessment, Center for Chemical Process Safety, American Institute of Chemical Engineers, 2001
• Hazard Identification and Risk Assessment, Geoff Wells, 1996
• Classification of Hazardous Locations, A.W. Cox, F.P. Lees and M.L. Ang, IChemE, 1993
Sources of Additional Information
• Guidelines for Process Equipment Reliability Data, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 1989
• Loss Prevention in the Process Industries, F. P. Lees, Appendix 14/5, 2nd Edition, Butterworth Heinemann
• IEC 61511-3 Ed. 1.0 E - 2003 - Functional safety - Safety instrumented systems for the process industry
Questions?