controls rel02
TRANSCRIPT
-
7/29/2019 Controls Rel02
1/77
Major Hazard Facilities
Control Measures and Adequacy
-
7/29/2019 Controls Rel02
2/77
2
Overview
The seminar has been developed to provide:
Context with MHF Regulations An overview of what is required An overview of the steps required
Examples of control measures and their adequacy
-
7/29/2019 Controls Rel02
3/77
3
Some Abbreviations and Terms
AFAP - As far as (reasonably) practicable DG - Dangerous goods Employer - Employer who has management control of the
facility ER or ERP - Emergency response or Emergency response plan Facility - any building or structure at which Schedule 9
materials are present or likely to be present for any purpose HAZID - Hazard identification HAZOP - Hazard and operability study HSR - Health and safety representative LOC - Loss of containment
LOPA - Layers of protection analysis
-
7/29/2019 Controls Rel02
4/77
4
Some Abbreviations and Terms
MHF - Major hazard facility MA - Major accident OHS - Occupational health & safety PFD - Probability of failure on demand PSV Pressure safety valve
SMS - Safety management system
-
7/29/2019 Controls Rel02
5/77
5
Topics Covered In This Presentation
Regulations Introduction Regulatory requirements What does this mean? Identify all control measures
Development of assessment Control category and examples Hierarchy of controls AFAP
-
7/29/2019 Controls Rel02
6/77
6
Topics Covered In This Presentation
Effectiveness of control measures Control types Opportunities available to reduce risk Assessment and adequacy Sources of additional information
Review and revision
-
7/29/2019 Controls Rel02
7/777
Hazard identification (R9.43) Risk assessment (R9.44) Risk control (i.e. control measures) (R9.45, S9A 210) Safety Management System (R9.46) Safety report (R9.47, S9A 212, 213) Emergency plan (R9.53) Consultation
Basic outline
Regulations
-
7/29/2019 Controls Rel02
8/778
Hazards causingan MA
The controls preventing or mitigating consequences of
an MA
The controls in place andassess their effectiveness
and adequacy
In order to deliver safe operation the
Employer needs to understand therelationship between
Introduction
-
7/29/2019 Controls Rel02
9/779
Controls DO fail and the consequences can be devastating(Skikda, Algiers, 20 January, 2004)
At least 23 workerswere killed
74 were injured $800,000,000 (U.S.)
estimated propertydamage
Introduction
-
7/29/2019 Controls Rel02
10/7710
Control measures are the features of a facility that:- Eliminate- Prevent- Reduce
- Mitigate . . . the risks associated with potential MAs
They are the means by which the Employer ensures theoperation satisfies the Regulations and the AFAP requirement
A number of control options maybe considered and appliedindividually or in combination
Introduction
-
7/29/2019 Controls Rel02
11/7711
In undertaking control measure identification and assessment,the Employer should seek to attain an understanding of:
- The processes involved in control measureidentification/selection and assessment
- The control measures used to reduce the risk of potential majoraccidents to AFAP
Introduction
-
7/29/2019 Controls Rel02
12/7712
At the end of the controls and adequacy evaluation process, theEmployer should know:- The identity of all existing and potential control measures- The relationships between the hazards, control measures, MAs and
outcomes- The effectiveness of control measures in managing risk
- The opportunities that are available to reduce risk- The monitoring regime necessary to ensure the ongoing
effectiveness of the control measures
Introduction
-
7/29/2019 Controls Rel02
13/7713
After the HAZID and Risk Assessment evaluations, theEmployer will have identified all of the hazards that can leadto MAs and the controls in place, including independence,reliability, effectiveness, robustness and applicability
A determination of the adequacy of the controls in managingthe hazards then needs to be undertaken
Regulation Requirements
-
7/29/2019 Controls Rel02
14/7714
The opportunities present that are available to reduce riskneed to be assessed, including additional or alternativecontrols
The monitoring regime necessary to ensure the ongoingeffectiveness of the control measures for managing thehazards need to be assessed
Control measures and adequacy assessment will need to berevised as necessary, using performance monitoring resultsand other relevant new information
What Does This Mean?
-
7/29/2019 Controls Rel02
15/7715
0
5
10
15
20
25
30
35
40
45
50
ChemicalExposure
EnvironRelease
Explosion Fire LOC First AidOffsite
First AidOnsite
N o o
f I n c
i d e n
t s
PetroleumUtilitiesLogistics
Chemicals & Plastics
Reported incidents by results involving Schedule 9 materials in Victoria (from
VWA)
What Does This Mean?
-
7/29/2019 Controls Rel02
16/7716
This accident
happened duringthe filling of a2000 m 3 LPGsphere
Its legs collapsed. One person was
killed and oneseriously injured
What Does This Mean?
-
7/29/2019 Controls Rel02
17/7717
Identity of All Control Measures
All of the MAs should be documented in an appropriate formatthat clearly identifies:- The MA (the release modes and the consequences of the
release)- All hazards that, if realised, can cause an MA- The controls in place to manage the hazard and any
recommended controls as a result of the HAZID process
-
7/29/2019 Controls Rel02
18/7718
Identity of All Control Measures
Hazard: Release of chlorine from chlorine storage drum
Incident: Forklift tynes impact on chlorine storage drum
Consequence: Release of chlorine liquid into storage drumbund resulting in personnel exposure tochlorine liquid/vapour
Potential for serious injury/fatality
Example, consider a chlorine drum handling operation
-
7/29/2019 Controls Rel02
19/7719
Identity of All Control Measures
Preventative Controls (IncidentPrevention)
Mitigation Controls (IncidentMitigation)
Design of chlorine storage drum andfork lift lifting mechanisms preventtynes puncturing cylinder (in accordancewith an appropriate standard) and
inspected regularly
Spill containment bunds (reduces theconsequences)
Traffic management system/forklift orpedestrian exclusion zones
Spill containment procedure, chlorinegas detection & alarms (reduces timefor intervention thereby reducingconsequences) procedure inspectedand found to be satisfactory
Forklift driver training training is heldat the prescribed intervals and recordsinspected are satisfactory
PPE including breathing apparatus(reduces the likelihood of exposure tochlorine) PPE training is held atprescribed intervals and recordsvalidated
-
7/29/2019 Controls Rel02
20/77
20
Control measures are not only physical equipment, but mayinclude:- Engineered devices (physical barriers such as impact protection
bollards) or systems (high integrity trip systems)- High-level procedures or detailed operating instructions- Information systems (incident reporting systems)
- Personnel training (i.e. the actions people should take in anemergency)
Identity of All Control Measures
-
7/29/2019 Controls Rel02
21/77
21
Development of Assessment
It is important to understand how controls are arranged in amanner that eliminate or minimise the hazards leading to anMA occurring, and any interdependence
Control measures may be pro-active, in that they eliminate,prevent or reduce the likelihood of incidents
They may be reactive, in that they reduce or mitigate theconsequences of an MA
-
7/29/2019 Controls Rel02
22/77
22
Control measures may be considered as barriers and arelocated between the intrinsic hazards that could lead to an MA Control measures can also reduce the harm that may be
caused to people and property in the event of an MA Hazards can result in an MA harming people or property only if
controls have failed to function as intended, or have beenbypassed/defeated
Development of Assessment
-
7/29/2019 Controls Rel02
23/77
23
Development of Assessment1st barrier
2nd barrier
3rd barrier
-
7/29/2019 Controls Rel02
24/77
24
There are methods for the control assessment process The size, complexity and knowledge of the MHF could
determine which approach to use Several methods can be used, e.g.:
- LOPA- Fault tree and event tree- Risk matrix
Development of Assessment
-
7/29/2019 Controls Rel02
25/77
25
Increasing Reliability
Decreasing Reliability
The hierarchy of controls & effectiveness guidelines
Control type
100%Eliminate Hazard
90%Minimize hazard
Physical controls
50%Procedures
30%Personnel Skills & Training
EffectivenessEffectiveness
Control Measure Hierarchy
-
7/29/2019 Controls Rel02
26/77
26
Elimination/substitution controls Prevention controls Reduction controls Mitigation controls
Control Measure Hierarchy
-
7/29/2019 Controls Rel02
27/77
27
Control Category Control Example
Elimination controls Equipment removal Physical barriers such as mounding of LPG
sphere
Decommissioning Facility layout increasing separation
distances Plant design procedures
Control Measure Hierarchy
-
7/29/2019 Controls Rel02
28/77
28
Control Category Control Example
Substitution controls Replacement of a hazardous material with anon-hazardous substitute (E.g. Replacechlorine with sodium hypochlorite)
Systems to prevent incompatible materialson the site at the same time
Control Measure Hierarchy
-
7/29/2019 Controls Rel02
29/77
29
Control Category Control Example
Prevention Process alarms and notification systems Independent flow/level/pressure/temperature
indicators with a defined response
Engineering standards Safety process systems (safety integrity
systems), pressure relief valves
Control Measure Hierarchy
-
7/29/2019 Controls Rel02
30/77
30
Control Category Control Example
Prevention Operating procedures and instructions Personnel skill, training and competency Plant inspection
Equipment testing and repair Change management process Maintenance procedures Quality specifications Permit to work
Control Measure Hierarchy
-
7/29/2019 Controls Rel02
31/77
31
Control Category Control Example
Reduction Separation distances Shutdown and isolation systems Gas detection with leak isolation action
Bunding and other containmentsystems
Drainage
Control Measure Hierarchy
-
7/29/2019 Controls Rel02
32/77
32
Control Category Control Example
Mitigation Fire fighting systems Emergency response plans Plant evacuation alarms
Passive fire protection (thermalinsulation on bullets, spheres)
Control Measure Hierarchy
-
7/29/2019 Controls Rel02
33/77
33
It is the risk assessment that provides the information necessaryto test this requirement, and this information must be includedin the safety report
The risk assessment must address hazards and risk bothindividually and cumulatively
Consequently the demonstration that risks are eliminated orreduced to AFAP may need to be made for control measuresindividually, in groups and as a whole
AFAP
-
7/29/2019 Controls Rel02
34/77
34
The AFAP approach is not simply about satisfying a singlecriterion of whether the risk of an MA is less than a specificnumber or position on a risk matrix
It is about evaluation of all controls, their proportionality forcontrolling the risk of an MA occurring and if additionalcontrols can reasonably have an effect on reducing the risk of
an MA further
AFAP
-
7/29/2019 Controls Rel02
35/77
35
The likelihood of the hazard or risk actually occurring- That is, the probability that someone could be injured or harmedthrough the work being done
The degree of harm that would result if the hazard or riskoccurred
- For example fatality, multiple injuries, medical or first aidtreatment, long or short term health effects
The availability and suitability of ways to eliminate or reduce thehazard or risk
AFAP
-
7/29/2019 Controls Rel02
36/77
36
What is known, or ought reasonably be known, about thehazard or risk and any ways of eliminating or reducing it
The cost of eliminating or reducing the hazard or risk- That is, control measures should be implemented unless the risk
is insignificant compared with the cost of implementing themeasures
AFAP
-
7/29/2019 Controls Rel02
37/77
37
The balance between benefits in terms of reduced risk andthe costs of further control measures will play a part inachieving and demonstrating AFAP
Every safety report will need to develop an approach as tohow the AFAP argument is to be applied to the facility
The AFAP approach then needs to be applied consistently toevery MA in order for demonstration of adequacy to besatisfied
AFAP
-
7/29/2019 Controls Rel02
38/77
38
AFAP Cost/Benefit & Rejecting Controls
Low
High
Benefit(Risk Reduction)
Low
Should be implemented.Little analysis required
unless rejected.
More detailed justification required to
reject
More detailed justification required to
reject (lower priority)
Simple justification toreject
HighSacrifice (cost, time, effort and
inconvenience)
-
7/29/2019 Controls Rel02
39/77
39
There are controls and safeguards A control is considered to be a device, system, or actionthat is capable of preventing a cause from proceeding toits undesired consequence, independent of the initiatingevent or the action of any other layer of protectionassociated with the scenario
A safeguard is any device, system or action that wouldlikely interrupt the chain of events following an initiatingevent
Effectiveness of Control Measures
-
7/29/2019 Controls Rel02
40/77
40
Effective For the initiating event
IndependentOf the components of any other controlalready claimed for the same scenario
ReliableThe reliability, effectiveness and independenceof a control must be auditable
ApplicablePreventing the consequenceswhen it functions as designed
To be considered a control, it must be:
Effectiveness of Control Measures
-
7/29/2019 Controls Rel02
41/77
41
As an example, consider an employee action to read a levelgauge and a pressure gauge - both taken off the sametapping point
Is a single tapping point for two different information streamsapplicable, independent and reliable?
Will the employee reliably report the correct information?
Effectiveness of Control Measures
-
7/29/2019 Controls Rel02
42/77
42
These have been built into a system - but are they:
Effective
Independent
Reliable
Applicable
The answer - NO
Effectiveness of Control Measures
-
7/29/2019 Controls Rel02
43/77
43
Every designer, Employer and manager desires to have controlsthat are:- Robust- Reliable- Can survive harsh environments- Not dependent upon rigorous inspection and testing regimes that
involve manpower and cost Unfortunately this is not reality
Effectiveness of Control Measures
-
7/29/2019 Controls Rel02
44/77
44
Controls do fail and accidents occur as a result
Result of a fireat a bulkstorage facility was there
adequateseparation andfire protection?
Effectiveness of Control Measures
-
7/29/2019 Controls Rel02
45/77
45
Impact on: Environment People Business
interruption Cost of
inventory Reputation Legal cost
Effectiveness of Control Measures
-
7/29/2019 Controls Rel02
46/77
46
A goodmanagementsystem
Effectiveness of Control Measures
-
7/29/2019 Controls Rel02
47/77
47
With adequaterisk controlmeasures
Effectiveness of Control Measures
-
7/29/2019 Controls Rel02
48/77
48
Reduces therisk of loss
Effectiveness of Control Measures
-
7/29/2019 Controls Rel02
49/77
49
These controls are important to analyse in a structuredmanner so that their effectiveness can be assessed
For this to occur the Employer needs to know:- What type- How many- How reliable are the controls
- Are there sufficient to reduce MA risk to AFAP? Each control needs to be fit for purpose and designed into the
system as independent
Effectiveness of Control Measures
-
7/29/2019 Controls Rel02
50/77
50
In each evaluation the type of service being evaluated needsto be taken into consideration critically to ensure the controltype is effective and will perform its intended duty
For example consider an instrumented level gauge with highlevel and high high level independent alarms for controlling thelevel in a process tower
The alarms are not tested and the high high level is known tobe in fault mode
- Is this control reliable, effective and applicable?
Control Types
-
7/29/2019 Controls Rel02
51/77
51
For example, having a rupture disc in place where the inletcan foul in this circumstance the correct pressure will not beseen by the rupture disc
- Such a control would not be suitable for the service
Bund in service for flammable liquid storage tanks which hasmajor penetrations
- This control would not be suitable as it cannot satisfy AS1940
Control Types
Controls need to be service and situation dependent inorder to be suitable
-
7/29/2019 Controls Rel02
52/77
52
The following is an animated description of the US ChemicalSafety Board, Animation of BP Texas City Refinery Accident,October 27, 2005
This can be found at the following websitewww.csb.gov
Control Types
http://www.csb.gov/http://www.csb.gov/ -
7/29/2019 Controls Rel02
53/77
53
Such controls involve reliance on employees to take action toprevent an undesirable consequence in response to alarms orfollowing a routine check of the system
Human performance is usually considered less reliable thanengineering controls
Not crediting human actions under well defined conditions is
considered to be unduly penalising the Employer
Control Types Human Controls
-
7/29/2019 Controls Rel02
54/77
54
Human controls should have the following requirements:
The indication for action required by an employee must bedetectable
The action must always be:- Available for the employee- Clear to the employee even under emergency conditions- Simple and straight forward to understand- Repeatable by any similarly trained/competent employee
Control Types Human Controls
-
7/29/2019 Controls Rel02
55/77
55
The time available to take action must be adequate Employees should not be expected to perform other tasks at
the same time there needs to be clear priorities The employee is capable of taking the action required under all
conditions expected to be reasonably present Training for the required action is performed regularly and is
documented Indication and action should normally be independent of any
other system already accredited
Control Types Human Controls
-
7/29/2019 Controls Rel02
56/77
56
Human Control Comments
Human action with 10 minutesresponse time
Simple well documented action withclear and reliable indications thataction is required
Human response to BPCSindication or alarm with 40minutes response time
Simple well documented action withclear and reliable indications thataction is required
Human action with 40 minutesresponse time
Simple well documented action withclear and reliable indications that the
action is required
Examples of reduction (human) controls
Taken from Layer of Protection Analysis, Simplified Process RiskAssessment, Centre for Chemical Process Safety, American Instituteof Chemical Engineers, 2001
Control Types Human Controls
-
7/29/2019 Controls Rel02
57/77
57
Each control, to be classified as a legitimate control againstan MA (i.e. implemented, functional, independent, monitoredand audited) must be evaluated in a structured format
To ensure proper management of the MAs, each control mustbe fully independent of the other controls listed
- there must be no failure that can deactivate two or morecontrols (e.g. common cause failure)
The effectiveness of control measures in managing risk
Opportunities Available to Reduce Risk
-
7/29/2019 Controls Rel02
58/77
58
The question people ask is, how many controls are required toreduce a MA to AFAP?
This will depend on:- The circumstances- The process being analysed together with the mix of
independent controls
One approach used is to have a qualitative evaluation thatrequires three independent controls to be in place beforeAFAP can be achieved
Opportunities Available to Reduce Risk
-
7/29/2019 Controls Rel02
59/77
59
Risk is based on the following equation:
Risk = (F i x C i) =(F 1 x C 1 ) + (F 2 x C 2 ) +.....(F n x C n )
WhereFi is the Frequency or likelihood of event i, andCi is the consequence of event i
Risk reduction can be implemented by changing either thefrequency of the MA occurring or the magnitude of theconsequence of the MA
Opportunities Available to Reduce Risk
-
7/29/2019 Controls Rel02
60/77
60
For evaluation of control measures, there are several issuesthat need to be considered
Existing MHF Facility During a risk evaluation process for an existing facility, it
would be very unusual to achieve a reduction in the worst caseconsequences of an MA
Reducing the frequency or likelihood of the event occurring isgenerally the only option available
Opportunities Available to Reduce Risk
-
7/29/2019 Controls Rel02
61/77
61
New MHF Facility
For a new facility, both components of the risk equation can bereduced
Several issues can be explored when designing a new facility The first point of examination is to focus on the hierarchy of
controls- Can we eliminate the hazard so it is not a problem?
The second area to examine is substitution- Use of alternative non Schedule 9 or DG materials
Opportunities Available to Reduce Risk
-
7/29/2019 Controls Rel02
62/77
62
The effectiveness of an elimination control is considered to be100%
The risk from an event occurring is reduced to zero This is the optimal type of control
If an Employer cannot reduce the risk to an acceptable level,the feasibility of shutting down plant equipment/processes,substituting non-hazardous substances for hazardoussubstances should be considered
Elimination Controls
Opportunities Available to Reduce Risk
-
7/29/2019 Controls Rel02
63/77
63
The effectiveness of prevention controls is based on theirProbability to Fail on Demand (PFD)
PFDs can be determined from site specificmaintenance/inspection data and incident data
In the absence of site specific data, PFDs can be referencedfrom worldwide failure rate data publications such as OREDA,E&P Forum, etc
Prevention controls
Opportunities Available to Reduce Risk
-
7/29/2019 Controls Rel02
64/77
64
Assessing the effectiveness of reduction controls is a lot moresubjective than assessing the effectiveness of elimination orprevention controls
There are many variables that affect the integrity/effectivenessof such controls
These cover- Reliability of instrumentation- Inspection and testing frequency requirements- Effectiveness of testing programs and feedback on opportunities for
improvement- Frequency of training employees
Reduction controls
Opportunities Available to Reduce Risk
-
7/29/2019 Controls Rel02
65/77
65
For example, an operating procedure can be a highly effectivereduction control provided it is readily available, regularlyreferenced and frequently reviewed and there is independentverification of its output
The same argument holds for a change management process Human factors evaluations should be used to determine the
reliability of an operating procedure if it is critical to the activity
Reduction controls
Opportunities Available to Reduce Risk
-
7/29/2019 Controls Rel02
66/77
66
Training/competency controls
The effectiveness of training controls is not easily assessed Training programs that are:
- Specific to the task at hand- Competency assessed
- Revisited via re-fresher training courses Are likely to be highly effective with confirmation being available
through human factors evaluations
Opportunities Available to Reduce Risk
-
7/29/2019 Controls Rel02
67/77
67
Where elimination or substitution cannot be achieved then acombination of controls is preferred
- This provides a balance- The failure of a single control should not lead to the MA
occurring
Opportunities Available to Reduce Risk
-
7/29/2019 Controls Rel02
68/77
68
There are a number of approaches that can be used toundertake an assessment of an MAs controls to determine if the AFAP argument is satisfied
These include- LOPA- Fault and event tree analysis
- Risk analysis using a matrix approach The approach to use will depend on the complexity of the MA
and the culture of the organisation
Assessment and Adequacy
-
7/29/2019 Controls Rel02
69/77
69
Less complex and smaller operations could use a risk matrixtype approach
A more complex operation such as a refinery or gasprocessing plant could use all three approaches
When determining effectiveness of control measures, thefollowing issues will also need to be considered:
- Independence- Functionality- Survivability- Reliability- Availability
Assessment and Adequacy
-
7/29/2019 Controls Rel02
70/77
70
Cost benefit analyses can be undertaken to determine the
viability of each proposed recommendation for further riskreduction This is a valid approach and at some point, depending on the
circumstances involved, the cost of reducing risk furtherbecomes costly compared to the benefit gained
Controls that are rejected need to be documented including the
reason why The definition of a critical control is hard to define as various
interpretations can be provided This could, in some circumstances, skew thinking to the
detriment of other controls For the purpose of MA controls and adequacy evaluation, all
controls that prevent or minimise the potential for an MA tooccur should be appropriately evaluated
Assessment and Adequacy
-
7/29/2019 Controls Rel02
71/77
71
In essence there will have been a determination made onevery MA covering:
- What controls are in place?- What other controls are in place?- Is there only one control in place or is there a proportionality of
controls available to achieve AFAP?- Is the risk adequately controlled?- Are additional controls required?
Assessment and Adequacy
-
7/29/2019 Controls Rel02
72/77
72
Are they effective? Would alternative controls be more suitable and effective for
preventing or reducing the MA? What testing regime is required for maintaining the control
performance? Is the testing regime adequate for every control?
- For example, if some controls are tested every 12 months, whatimprovement would there be if testing was undertaken every 3months?
Assessment and Adequacy
-
7/29/2019 Controls Rel02
73/77
73
Are the controls audited and their performance evaluatedagainst appropriate criteria?
How are failures reported? What is the corrective action process in place? Is there verification of the entire process?
Assessment and Adequacy
-
7/29/2019 Controls Rel02
74/77
74
A safety management process will need to be developed forthe facility (i.e. SMS)
This will enable the performance of all control measures forevery MA to be evaluated for effectiveness and opportunitiesfor improvement identified
Assessment and Adequacy
-
7/29/2019 Controls Rel02
75/77
75
Major Hazard Facility Guidance Material Comcare website
www.comcare.gov.au WorkSafe Victoria Guidance Material WorkSafe website
www.workcover.vic.gov.au Layer of Protection Analysis , Simplified Process Risk
Assessment, Centre for Chemical Process Safety, American
Institute of Chemical Engineers, 2001 Hazard Identification and Risk Assessment , Geoff Wells,1996
Classification of Hazardous Locations , A.W. Cox, F.P. Leesand M.L. Ang, IChemE, 1993
Sources of Additional Information
http://www.comcare.gov.au/http://www.workcover.vic.gov.au/http://www.workcover.vic.gov.au/http://www.comcare.gov.au/ -
7/29/2019 Controls Rel02
76/77
76
Guidelines for Process Equipment Reliability Data, Center for
Chemical Process Safety of the American Institute of ChemicalEngineers, 1989
Loss Prevention in the Process Industries , F. P. Lees,Appendix 14/5, 2nd Edition, Butterworth Heinemann
IEC 61511-3 Ed. 1.0 E - 2003 - Functional safety - Safety
instrumented systems for the process industry
Sources of Additional Information
-
7/29/2019 Controls Rel02
77/77
Questions?