controls rel02

7/29/2019 Controls Rel02

1/77

Major Hazard Facilities

Control Measures and Adequacy


2/77

2

Overview

The seminar has been developed to provide:

Context with MHF Regulations An overview of what is required An overview of the steps required

Examples of control measures and their adequacy


3/77

3

Some Abbreviations and Terms

AFAP - As far as (reasonably) practicable DG - Dangerous goods Employer - Employer who has management control of the

facility ER or ERP - Emergency response or Emergency response plan Facility - any building or structure at which Schedule 9

materials are present or likely to be present for any purpose HAZID - Hazard identification HAZOP - Hazard and operability study HSR - Health and safety representative LOC - Loss of containment

LOPA - Layers of protection analysis


4/77

4

Some Abbreviations and Terms

MHF - Major hazard facility MA - Major accident OHS - Occupational health & safety PFD - Probability of failure on demand PSV Pressure safety valve

SMS - Safety management system


5/77

5

Topics Covered In This Presentation

Regulations Introduction Regulatory requirements What does this mean? Identify all control measures

Development of assessment Control category and examples Hierarchy of controls AFAP


6/77

6

Topics Covered In This Presentation

Effectiveness of control measures Control types Opportunities available to reduce risk Assessment and adequacy Sources of additional information

Review and revision


7/777

Hazard identification (R9.43) Risk assessment (R9.44) Risk control (i.e. control measures) (R9.45, S9A 210) Safety Management System (R9.46) Safety report (R9.47, S9A 212, 213) Emergency plan (R9.53) Consultation

Basic outline

Regulations


8/778

Hazards causingan MA

The controls preventing or mitigating consequences of

an MA

The controls in place andassess their effectiveness

and adequacy

In order to deliver safe operation the

Employer needs to understand therelationship between

Introduction


9/779

Controls DO fail and the consequences can be devastating(Skikda, Algiers, 20 January, 2004)

At least 23 workerswere killed

74 were injured $800,000,000 (U.S.)

estimated propertydamage

Introduction


10/7710

Control measures are the features of a facility that:- Eliminate- Prevent- Reduce

- Mitigate . . . the risks associated with potential MAs

They are the means by which the Employer ensures theoperation satisfies the Regulations and the AFAP requirement

A number of control options maybe considered and appliedindividually or in combination

Introduction


11/7711

In undertaking control measure identification and assessment,the Employer should seek to attain an understanding of:

- The processes involved in control measureidentification/selection and assessment

- The control measures used to reduce the risk of potential majoraccidents to AFAP

Introduction


12/7712

At the end of the controls and adequacy evaluation process, theEmployer should know:- The identity of all existing and potential control measures- The relationships between the hazards, control measures, MAs and

outcomes- The effectiveness of control measures in managing risk

- The opportunities that are available to reduce risk- The monitoring regime necessary to ensure the ongoing

effectiveness of the control measures

Introduction


13/7713

After the HAZID and Risk Assessment evaluations, theEmployer will have identified all of the hazards that can leadto MAs and the controls in place, including independence,reliability, effectiveness, robustness and applicability

A determination of the adequacy of the controls in managingthe hazards then needs to be undertaken

Regulation Requirements


14/7714

The opportunities present that are available to reduce riskneed to be assessed, including additional or alternativecontrols

The monitoring regime necessary to ensure the ongoingeffectiveness of the control measures for managing thehazards need to be assessed

Control measures and adequacy assessment will need to berevised as necessary, using performance monitoring resultsand other relevant new information

What Does This Mean?


15/7715

0

5

10

15

20

25

30

35

40

45

50

ChemicalExposure

EnvironRelease

Explosion Fire LOC First AidOffsite

First AidOnsite

N o o

f I n c

i d e n

t s

PetroleumUtilitiesLogistics

Chemicals & Plastics

Reported incidents by results involving Schedule 9 materials in Victoria (from

VWA)



16/7716

This accident

happened duringthe filling of a2000 m 3 LPGsphere

Its legs collapsed. One person was

killed and oneseriously injured



17/7717

Identity of All Control Measures

All of the MAs should be documented in an appropriate formatthat clearly identifies:- The MA (the release modes and the consequences of the

release)- All hazards that, if realised, can cause an MA- The controls in place to manage the hazard and any

recommended controls as a result of the HAZID process


18/7718


Hazard: Release of chlorine from chlorine storage drum

Incident: Forklift tynes impact on chlorine storage drum

Consequence: Release of chlorine liquid into storage drumbund resulting in personnel exposure tochlorine liquid/vapour

Potential for serious injury/fatality

Example, consider a chlorine drum handling operation


19/7719


Preventative Controls (IncidentPrevention)

Mitigation Controls (IncidentMitigation)

Design of chlorine storage drum andfork lift lifting mechanisms preventtynes puncturing cylinder (in accordancewith an appropriate standard) and

inspected regularly

Spill containment bunds (reduces theconsequences)

Traffic management system/forklift orpedestrian exclusion zones

Spill containment procedure, chlorinegas detection & alarms (reduces timefor intervention thereby reducingconsequences) procedure inspectedand found to be satisfactory

Forklift driver training training is heldat the prescribed intervals and recordsinspected are satisfactory

PPE including breathing apparatus(reduces the likelihood of exposure tochlorine) PPE training is held atprescribed intervals and recordsvalidated


20/77

20

Control measures are not only physical equipment, but mayinclude:- Engineered devices (physical barriers such as impact protection

bollards) or systems (high integrity trip systems)- High-level procedures or detailed operating instructions- Information systems (incident reporting systems)

- Personnel training (i.e. the actions people should take in anemergency)



21/77

21

Development of Assessment

It is important to understand how controls are arranged in amanner that eliminate or minimise the hazards leading to anMA occurring, and any interdependence

Control measures may be pro-active, in that they eliminate,prevent or reduce the likelihood of incidents

They may be reactive, in that they reduce or mitigate theconsequences of an MA


22/77

22

Control measures may be considered as barriers and arelocated between the intrinsic hazards that could lead to an MA Control measures can also reduce the harm that may be

caused to people and property in the event of an MA Hazards can result in an MA harming people or property only if

controls have failed to function as intended, or have beenbypassed/defeated



23/77

23

Development of Assessment1st barrier

2nd barrier

3rd barrier


24/77

24

There are methods for the control assessment process The size, complexity and knowledge of the MHF could

determine which approach to use Several methods can be used, e.g.:

- LOPA- Fault tree and event tree- Risk matrix



25/77

25

Increasing Reliability

Decreasing Reliability

The hierarchy of controls & effectiveness guidelines

Control type

100%Eliminate Hazard

90%Minimize hazard

Physical controls

50%Procedures

30%Personnel Skills & Training

EffectivenessEffectiveness

Control Measure Hierarchy


26/77

26

Elimination/substitution controls Prevention controls Reduction controls Mitigation controls



27/77

27

Control Category Control Example

Elimination controls Equipment removal Physical barriers such as mounding of LPG

sphere

Decommissioning Facility layout increasing separation

distances Plant design procedures



28/77

28


Substitution controls Replacement of a hazardous material with anon-hazardous substitute (E.g. Replacechlorine with sodium hypochlorite)

Systems to prevent incompatible materialson the site at the same time



29/77

29


Prevention Process alarms and notification systems Independent flow/level/pressure/temperature

indicators with a defined response

Engineering standards Safety process systems (safety integrity

systems), pressure relief valves



30/77

30


Prevention Operating procedures and instructions Personnel skill, training and competency Plant inspection

Equipment testing and repair Change management process Maintenance procedures Quality specifications Permit to work



31/77

31


Reduction Separation distances Shutdown and isolation systems Gas detection with leak isolation action

Bunding and other containmentsystems

Drainage



32/77

32


Mitigation Fire fighting systems Emergency response plans Plant evacuation alarms

Passive fire protection (thermalinsulation on bullets, spheres)



33/77

33

It is the risk assessment that provides the information necessaryto test this requirement, and this information must be includedin the safety report

The risk assessment must address hazards and risk bothindividually and cumulatively

Consequently the demonstration that risks are eliminated orreduced to AFAP may need to be made for control measuresindividually, in groups and as a whole

AFAP


34/77

34

The AFAP approach is not simply about satisfying a singlecriterion of whether the risk of an MA is less than a specificnumber or position on a risk matrix

It is about evaluation of all controls, their proportionality forcontrolling the risk of an MA occurring and if additionalcontrols can reasonably have an effect on reducing the risk of

an MA further

AFAP


35/77

35

The likelihood of the hazard or risk actually occurring- That is, the probability that someone could be injured or harmedthrough the work being done

The degree of harm that would result if the hazard or riskoccurred

- For example fatality, multiple injuries, medical or first aidtreatment, long or short term health effects

The availability and suitability of ways to eliminate or reduce thehazard or risk

AFAP


36/77

36

What is known, or ought reasonably be known, about thehazard or risk and any ways of eliminating or reducing it

The cost of eliminating or reducing the hazard or risk- That is, control measures should be implemented unless the risk

is insignificant compared with the cost of implementing themeasures

AFAP


37/77

37

The balance between benefits in terms of reduced risk andthe costs of further control measures will play a part inachieving and demonstrating AFAP

Every safety report will need to develop an approach as tohow the AFAP argument is to be applied to the facility

The AFAP approach then needs to be applied consistently toevery MA in order for demonstration of adequacy to besatisfied

AFAP


38/77

38

AFAP Cost/Benefit & Rejecting Controls

Low

High

Benefit(Risk Reduction)

Low

Should be implemented.Little analysis required

unless rejected.

More detailed justification required to

reject

More detailed justification required to

reject (lower priority)

Simple justification toreject

HighSacrifice (cost, time, effort and

inconvenience)


39/77

39

There are controls and safeguards A control is considered to be a device, system, or actionthat is capable of preventing a cause from proceeding toits undesired consequence, independent of the initiatingevent or the action of any other layer of protectionassociated with the scenario

A safeguard is any device, system or action that wouldlikely interrupt the chain of events following an initiatingevent

Effectiveness of Control Measures


40/77

40

Effective For the initiating event

IndependentOf the components of any other controlalready claimed for the same scenario

ReliableThe reliability, effectiveness and independenceof a control must be auditable

ApplicablePreventing the consequenceswhen it functions as designed

To be considered a control, it must be:



41/77

41

As an example, consider an employee action to read a levelgauge and a pressure gauge - both taken off the sametapping point

Is a single tapping point for two different information streamsapplicable, independent and reliable?

Will the employee reliably report the correct information?



42/77

42

These have been built into a system - but are they:

Effective

Independent

Reliable

Applicable

The answer - NO



43/77

43

Every designer, Employer and manager desires to have controlsthat are:- Robust- Reliable- Can survive harsh environments- Not dependent upon rigorous inspection and testing regimes that

involve manpower and cost Unfortunately this is not reality



44/77

44

Controls do fail and accidents occur as a result

Result of a fireat a bulkstorage facility was there

adequateseparation andfire protection?



45/77

45

Impact on: Environment People Business

interruption Cost of

inventory Reputation Legal cost



46/77

46

A goodmanagementsystem



47/77

47

With adequaterisk controlmeasures



48/77

48

Reduces therisk of loss



49/77

49

These controls are important to analyse in a structuredmanner so that their effectiveness can be assessed

For this to occur the Employer needs to know:- What type- How many- How reliable are the controls

- Are there sufficient to reduce MA risk to AFAP? Each control needs to be fit for purpose and designed into the

system as independent



50/77

50

In each evaluation the type of service being evaluated needsto be taken into consideration critically to ensure the controltype is effective and will perform its intended duty

For example consider an instrumented level gauge with highlevel and high high level independent alarms for controlling thelevel in a process tower

The alarms are not tested and the high high level is known tobe in fault mode

- Is this control reliable, effective and applicable?

Control Types


51/77

51

For example, having a rupture disc in place where the inletcan foul in this circumstance the correct pressure will not beseen by the rupture disc

- Such a control would not be suitable for the service

Bund in service for flammable liquid storage tanks which hasmajor penetrations

- This control would not be suitable as it cannot satisfy AS1940

Control Types

Controls need to be service and situation dependent inorder to be suitable


52/77

52

The following is an animated description of the US ChemicalSafety Board, Animation of BP Texas City Refinery Accident,October 27, 2005

This can be found at the following websitewww.csb.gov

Control Types
http://www.csb.gov/http://www.csb.gov/


53/77

53

Such controls involve reliance on employees to take action toprevent an undesirable consequence in response to alarms orfollowing a routine check of the system

Human performance is usually considered less reliable thanengineering controls

Not crediting human actions under well defined conditions is

considered to be unduly penalising the Employer

Control Types Human Controls


54/77

54

Human controls should have the following requirements:

The indication for action required by an employee must bedetectable

The action must always be:- Available for the employee- Clear to the employee even under emergency conditions- Simple and straight forward to understand- Repeatable by any similarly trained/competent employee



55/77

55

The time available to take action must be adequate Employees should not be expected to perform other tasks at

the same time there needs to be clear priorities The employee is capable of taking the action required under all

conditions expected to be reasonably present Training for the required action is performed regularly and is

documented Indication and action should normally be independent of any

other system already accredited



56/77

56

Human Control Comments

Human action with 10 minutesresponse time

Simple well documented action withclear and reliable indications thataction is required

Human response to BPCSindication or alarm with 40minutes response time

Simple well documented action withclear and reliable indications thataction is required

Human action with 40 minutesresponse time

Simple well documented action withclear and reliable indications that the

action is required

Examples of reduction (human) controls

Taken from Layer of Protection Analysis, Simplified Process RiskAssessment, Centre for Chemical Process Safety, American Instituteof Chemical Engineers, 2001



57/77

57

Each control, to be classified as a legitimate control againstan MA (i.e. implemented, functional, independent, monitoredand audited) must be evaluated in a structured format

To ensure proper management of the MAs, each control mustbe fully independent of the other controls listed

- there must be no failure that can deactivate two or morecontrols (e.g. common cause failure)

The effectiveness of control measures in managing risk

Opportunities Available to Reduce Risk


58/77

58

The question people ask is, how many controls are required toreduce a MA to AFAP?

This will depend on:- The circumstances- The process being analysed together with the mix of

independent controls

One approach used is to have a qualitative evaluation thatrequires three independent controls to be in place beforeAFAP can be achieved



59/77

59

Risk is based on the following equation:

Risk = (F i x C i) =(F 1 x C 1 ) + (F 2 x C 2 ) +.....(F n x C n )

WhereFi is the Frequency or likelihood of event i, andCi is the consequence of event i

Risk reduction can be implemented by changing either thefrequency of the MA occurring or the magnitude of theconsequence of the MA



60/77

60

For evaluation of control measures, there are several issuesthat need to be considered

Existing MHF Facility During a risk evaluation process for an existing facility, it

would be very unusual to achieve a reduction in the worst caseconsequences of an MA

Reducing the frequency or likelihood of the event occurring isgenerally the only option available



61/77

61

New MHF Facility

For a new facility, both components of the risk equation can bereduced

Several issues can be explored when designing a new facility The first point of examination is to focus on the hierarchy of

controls- Can we eliminate the hazard so it is not a problem?

The second area to examine is substitution- Use of alternative non Schedule 9 or DG materials



62/77

62

The effectiveness of an elimination control is considered to be100%

The risk from an event occurring is reduced to zero This is the optimal type of control

If an Employer cannot reduce the risk to an acceptable level,the feasibility of shutting down plant equipment/processes,substituting non-hazardous substances for hazardoussubstances should be considered

Elimination Controls



63/77

63

The effectiveness of prevention controls is based on theirProbability to Fail on Demand (PFD)

PFDs can be determined from site specificmaintenance/inspection data and incident data

In the absence of site specific data, PFDs can be referencedfrom worldwide failure rate data publications such as OREDA,E&P Forum, etc

Prevention controls



64/77

64

Assessing the effectiveness of reduction controls is a lot moresubjective than assessing the effectiveness of elimination orprevention controls

There are many variables that affect the integrity/effectivenessof such controls

These cover- Reliability of instrumentation- Inspection and testing frequency requirements- Effectiveness of testing programs and feedback on opportunities for

improvement- Frequency of training employees

Reduction controls



65/77

65

For example, an operating procedure can be a highly effectivereduction control provided it is readily available, regularlyreferenced and frequently reviewed and there is independentverification of its output

The same argument holds for a change management process Human factors evaluations should be used to determine the

reliability of an operating procedure if it is critical to the activity

Reduction controls



66/77

66

Training/competency controls

The effectiveness of training controls is not easily assessed Training programs that are:

- Specific to the task at hand- Competency assessed

- Revisited via re-fresher training courses Are likely to be highly effective with confirmation being available

through human factors evaluations



67/77

67

Where elimination or substitution cannot be achieved then acombination of controls is preferred

- This provides a balance- The failure of a single control should not lead to the MA

occurring



68/77

68

There are a number of approaches that can be used toundertake an assessment of an MAs controls to determine if the AFAP argument is satisfied

These include- LOPA- Fault and event tree analysis

- Risk analysis using a matrix approach The approach to use will depend on the complexity of the MA

and the culture of the organisation

Assessment and Adequacy


69/77

69

Less complex and smaller operations could use a risk matrixtype approach

A more complex operation such as a refinery or gasprocessing plant could use all three approaches

When determining effectiveness of control measures, thefollowing issues will also need to be considered:

- Independence- Functionality- Survivability- Reliability- Availability



70/77

70

Cost benefit analyses can be undertaken to determine the

viability of each proposed recommendation for further riskreduction This is a valid approach and at some point, depending on the

circumstances involved, the cost of reducing risk furtherbecomes costly compared to the benefit gained

Controls that are rejected need to be documented including the

reason why The definition of a critical control is hard to define as various

interpretations can be provided This could, in some circumstances, skew thinking to the

detriment of other controls For the purpose of MA controls and adequacy evaluation, all

controls that prevent or minimise the potential for an MA tooccur should be appropriately evaluated



71/77

71

In essence there will have been a determination made onevery MA covering:

- What controls are in place?- What other controls are in place?- Is there only one control in place or is there a proportionality of

controls available to achieve AFAP?- Is the risk adequately controlled?- Are additional controls required?



72/77

72

Are they effective? Would alternative controls be more suitable and effective for

preventing or reducing the MA? What testing regime is required for maintaining the control

performance? Is the testing regime adequate for every control?

- For example, if some controls are tested every 12 months, whatimprovement would there be if testing was undertaken every 3months?



73/77

73

Are the controls audited and their performance evaluatedagainst appropriate criteria?

How are failures reported? What is the corrective action process in place? Is there verification of the entire process?



74/77

74

A safety management process will need to be developed forthe facility (i.e. SMS)

This will enable the performance of all control measures forevery MA to be evaluated for effectiveness and opportunitiesfor improvement identified



75/77

75

Major Hazard Facility Guidance Material Comcare website

www.comcare.gov.au WorkSafe Victoria Guidance Material WorkSafe website

www.workcover.vic.gov.au Layer of Protection Analysis , Simplified Process Risk

Assessment, Centre for Chemical Process Safety, American

Institute of Chemical Engineers, 2001 Hazard Identification and Risk Assessment , Geoff Wells,1996

Classification of Hazardous Locations , A.W. Cox, F.P. Leesand M.L. Ang, IChemE, 1993

Sources of Additional Information
http://www.comcare.gov.au/http://www.workcover.vic.gov.au/http://www.workcover.vic.gov.au/http://www.comcare.gov.au/


76/77

76

Guidelines for Process Equipment Reliability Data, Center for

Chemical Process Safety of the American Institute of ChemicalEngineers, 1989

Loss Prevention in the Process Industries , F. P. Lees,Appendix 14/5, 2nd Edition, Butterworth Heinemann

IEC 61511-3 Ed. 1.0 E - 2003 - Functional safety - Safety

instrumented systems for the process industry

Sources of Additional Information


77/77

Questions?

controls rel02

Documents