Major Hazard Facilities

Control Measures and Adequacy

Overview

The seminar has been developed to provide:

• Context with MHF Regulations

• An overview of what is required
• An overview of the steps required
• Examples of control measures and their adequacy

2
Some Abbreviations and Terms

• AFAP - As far as (reasonably) practicable

• DG - Dangerous goods
• Employer - Employer who has management control of the
facility
• ER or ERP - Emergency response or Emergency response plan
• Facility - any building or structure at which Schedule 9
materials are present or likely to be present for any purpose
• HAZID - Hazard identification
• HAZOP - Hazard and operability study
• HSR - Health and safety representative
• LOC - Loss of containment
• LOPA - Layers of protection analysis

3
Some Abbreviations and Terms

• MHF - Major hazard facility

• MA - Major accident
• OHS - Occupational health & safety
• PFD - Probability of failure on demand
• PSV – Pressure safety valve
• SMS - Safety management system

4
Topics Covered In This Presentation

• Regulations
• Introduction
• Regulatory requirements
• What does this mean?
• Identify all control measures
• Development of assessment
• Control category and examples
• Hierarchy of controls
• AFAP

5
Topics Covered In This Presentation

• Effectiveness of control measures

• Control types
• Opportunities available to reduce risk
• Assessment and adequacy
• Sources of additional information
• Review and revision

6
Regulations
Basic outline

• Hazard identification (R9.43)

• Risk assessment (R9.44)
• Risk control (i.e. control measures) (R9.45, S9A 210)
• Safety Management System (R9.46)
• Safety report (R9.47, S9A 212, 213)
• Emergency plan (R9.53)
• Consultation

7
Introduction

In order to deliver safe operation the Hazards causing

Employer needs to understand the
an MA
relationship between

The controls preventing or

mitigating consequences
of an MA

The controls in place and

assess their effectiveness
and adequacy

8
Introduction

• At least 23 workers
were killed
• 74 were injured
• $800,000,000 (U.S.)
estimated property
damage

Controls DO fail and the consequences can be devastating

(Skikda, Algiers, 20 January, 2004)

9
Introduction

• Control measures are the features of a facility that:

- Eliminate
- Prevent
- Reduce
- Mitigate
. . . the risks associated with potential MAs

• They are the means by which the Employer ensures the

operation satisfies the Regulations and the AFAP requirement
• A number of control options maybe considered and applied
individually or in combination

10
Introduction

• In undertaking control measure identification and assessment,

the Employer should seek to attain an understanding of:
- The processes involved in control measure
identification/selection and assessment
- The control measures used to reduce the risk of potential major
accidents to AFAP

11
Introduction

• At the end of the controls and adequacy evaluation process, the

Employer should know:
- The identity of all existing and potential control measures
- The relationships between the hazards, control measures, MAs and
outcomes
- The effectiveness of control measures in managing risk
- The opportunities that are available to reduce risk
- The monitoring regime necessary to ensure the ongoing
effectiveness of the control measures

12
Regulation Requirements

• After the HAZID and Risk Assessment evaluations, the

Employer will have identified all of the hazards that can lead
to MAs and the controls in place, including independence,
reliability, effectiveness, robustness and applicability
• A determination of the adequacy of the controls in managing
the hazards then needs to be undertaken

13
What Does This Mean?

• The opportunities present that are available to reduce risk

need to be assessed, including additional or alternative
controls
• The monitoring regime necessary to ensure the ongoing
effectiveness of the control measures for managing the
hazards need to be assessed
• Control measures and adequacy assessment will need to be
revised as necessary, using performance monitoring results
and other relevant new information

14
 What Does This Mean?
Reported incidents by results involving Schedule 9 materials in Victoria (from
VWA)

50 Petroleum
45 Utilities
40 Logistics
Chemicals & Plastics
35
No of Incidents
30
25
20
15
10
5

0
Chemical Environ Explosion Fire LOC First Aid First Aid
Exposure Release Offsite Onsite

15
What Does This Mean?
• This accident
happened during
the filling of a
2000 m3 LPG
sphere
• Its legs collapsed.
• One person was
killed and one
seriously injured

16
Identity of All Control Measures

• All of the MAs should be documented in an appropriate format

that clearly identifies:
- The MA (the release modes and the consequences of the
release)
- All hazards that, if realised, can cause an MA
- The controls in place to manage the hazard and any
recommended controls as a result of the HAZID process

17
Identity of All Control Measures

Example, consider a chlorine drum handling operation

Hazard: • Release of chlorine from chlorine storage drum

Incident: • Forklift tynes impact on chlorine storage drum

Consequence: • Release of chlorine liquid into storage drum

bund resulting in personnel exposure to
chlorine liquid/vapour
• Potential for serious injury/fatality

18
Identity of All Control Measures
Preventative Controls (Incident Mitigation Controls (Incident
Prevention) Mitigation)

Design of chlorine storage drum and fork Spill containment bunds (reduces the
lift lifting mechanisms prevent tynes consequences)
puncturing cylinder (in accordance with
an appropriate standard) and inspected
regularly
Traffic management system/forklift or Spill containment procedure, chlorine
pedestrian exclusion zones gas detection & alarms (reduces time
for intervention thereby reducing
consequences) – procedure inspected
and found to be satisfactory
Forklift driver training – training is held PPE including breathing apparatus
at the prescribed intervals and records (reduces the likelihood of exposure to
inspected are satisfactory chlorine) – PPE training is held at
prescribed intervals and records
validated

19
Identity of All Control Measures

• Control measures are not only physical equipment, but may

include:
- Engineered devices (physical barriers such as impact protection
bollards) or systems (high integrity trip systems)
- High-level procedures or detailed operating instructions
- Information systems (incident reporting systems)
- Personnel training (i.e. the actions people should take in an
emergency)

20
Development of Assessment

• It is important to understand how controls are arranged in a

manner that eliminate or minimise the hazards leading to an
MA occurring, and any interdependence
• Control measures may be pro-active, in that they eliminate,
prevent or reduce the likelihood of incidents
• They may be reactive, in that they reduce or mitigate the
consequences of an MA

21
Development of Assessment

• Control measures may be considered as “barriers” and are

located between the intrinsic hazards that could lead to an MA
• Control measures can also reduce the harm that may be
caused to people and property in the event of an MA
• Hazards can result in an MA harming people or property only if
controls have failed to function as intended, or have been
bypassed/defeated

22
Development of Assessment
1st barrier
2nd barrier

3rd barrier

23
Development of Assessment

• There are methods for the control assessment process

• The size, complexity and knowledge of the MHF could
determine which approach to use
• Several methods can be used, e.g.:
- LOPA
- Fault tree and event tree
- Risk matrix

24
Control Measure Hierarchy
The hierarchy of controls & effectiveness guidelines

Control type Effectiveness

Effectiveness

Eliminate Hazard 100% Increasing

Reliability
Minimize hazard
90%
Physical controls

Procedures 50%
Decreasing
Reliability
Personnel Skills &
30%
Training

25
Control Measure Hierarchy

• Elimination/substitution controls
• Prevention controls
• Reduction controls
• Mitigation controls

26
Control Measure Hierarchy

Control Category Control Example

Elimination controls • Equipment removal

• Physical barriers such as mounding of LPG
sphere
• Decommissioning
• Facility layout – increasing separation
distances
• Plant design procedures

27
Control Measure Hierarchy

Control Category Control Example

Substitution controls • Replacement of a hazardous material with a

non-hazardous substitute (E.g. Replace
chlorine with sodium hypochlorite)
• Systems to prevent incompatible materials
on the site at the same time

28
Control Measure Hierarchy

Control Category Control Example

Prevention • Process alarms and notification systems

• Independent flow/level/pressure/temperature
indicators with a defined response
• Engineering standards
• Safety process systems (safety integrity
systems), pressure relief valves

29
Control Measure Hierarchy

Control Category Control Example

Prevention • Operating procedures and instructions
• Personnel skill, training and competency
• Plant inspection
• Equipment testing and repair
• Change management process
• Maintenance procedures
• Quality specifications
• Permit to work

30
Control Measure Hierarchy

Control Category Control Example

Reduction • Separation distances
• Shutdown and isolation systems
• Gas detection with leak isolation action
• Bunding and other containment
systems
• Drainage

31
Control Measure Hierarchy

Control Category Control Example

Mitigation • Fire fighting systems

• Emergency response plans
• Plant evacuation alarms
• Passive fire protection (thermal
insulation on bullets, spheres)

32
AFAP

• It is the risk assessment that provides the information necessary

to test this requirement, and this information must be included in
the safety report
• The risk assessment must address hazards and risk both
individually and cumulatively
• Consequently the demonstration that risks are eliminated or
reduced to AFAP may need to be made for control measures
individually, in groups and as a whole

33
AFAP

• The AFAP approach is not simply about satisfying a single

criterion of whether the risk of an MA is less than a specific
number or position on a risk matrix
• It is about evaluation of all controls, their proportionality for
controlling the risk of an MA occurring and if additional
controls can reasonably have an effect on reducing the risk of
an MA further

34
AFAP

• The likelihood of the hazard or risk actually occurring

- That is, the probability that someone could be injured or harmed
through the work being done

• The degree of harm that would result if the hazard or risk

occurred
- For example fatality, multiple injuries, medical or first aid
treatment, long or short term health effects

• The availability and suitability of ways to eliminate or reduce the

hazard or risk

35
AFAP

• What is known, or ought reasonably be known, about the

hazard or risk and any ways of eliminating or reducing it

• The cost of eliminating or reducing the hazard or risk

- That is, control measures should be implemented unless the risk
is insignificant compared with the cost of implementing the
measures

36
AFAP

• The balance between benefits in terms of reduced risk and the

costs of further control measures will play a part in achieving
and demonstrating AFAP
• Every safety report will need to develop an approach as to
how the AFAP argument is to be applied to the facility
• The AFAP approach then needs to be applied consistently to
every MA in order for demonstration of adequacy to be
satisfied

37
AFAP – Cost/Benefit & Rejecting Controls

High
 
 
Should be implemented. More detailed
Little analysis required justification required to
unless rejected. reject
Benefit
(Risk Reduction)
 
 
 
 

More detailed
Simple justification to
justification required to
reject
  reject (lower priority)
Low

Low
High

  Sacrifice (cost, time, effort and

inconvenience)

38
Effectiveness of Control Measures

• There are controls and safeguards

• A control is considered to be a device, system, or action
that is capable of preventing a cause from proceeding to its
undesired consequence, independent of the initiating event
or the action of any other layer of protection associated
with the scenario
• A safeguard is any device, system or action that would
likely interrupt the chain of events following an initiating
event

39
Effectiveness of Control Measures

To be considered a control, it must be:

Of the components of any other control

Independent
already claimed for the same scenario

Reliable The reliability, effectiveness and independence

of a control must be auditable

Effective For the initiating event

Preventing the consequences

Applicable
when it functions as designed

40
Effectiveness of Control Measures

• As an example, consider an employee action to read a level

gauge and a pressure gauge - both taken off the same
tapping point
• Is a single tapping point for two different information streams
applicable, independent and reliable?
• Will the employee reliably report the correct information?

41
Effectiveness of Control Measures

These have been built into a system - but are they:

Independent

The answer - NO
Reliable

Effective

Applicable

42
Effectiveness of Control Measures

• Every designer, Employer and manager desires to have controls

that are:
- Robust
- Reliable
- Can survive harsh environments
- Not dependent upon rigorous inspection and testing regimes that
involve manpower and cost
• Unfortunately this is not reality

43
Effectiveness of Control Measures

Controls do fail and accidents occur as a result

Result of a fire
at a bulk
storage facility
– was there
adequate
separation and
fire protection?

44
Effectiveness of Control Measures

Impact on:
• Environment
• People
• Business
interruption
• Cost of
inventory
• Reputation
• Legal cost

45
Effectiveness of Control Measures

A good
management
system

46
Effectiveness of Control Measures

With adequate
risk control
measures

47
Effectiveness of Control Measures

Reduces the
risk of loss

48
Effectiveness of Control Measures

• These controls are important to analyse in a structured

manner so that their effectiveness can be assessed
• For this to occur the Employer needs to know:
- What type
- How many
- How reliable are the controls
- Are there sufficient to reduce MA risk to AFAP?
• Each control needs to be fit for purpose and designed into the
system as independent

49
Control Types

• In each evaluation the type of service being evaluated needs

to be taken into consideration critically to ensure the control
type is effective and will perform its intended duty
• For example consider an instrumented level gauge with high
level and high high level independent alarms for controlling the
level in a process tower
• The alarms are not tested and the high high level is known to
be in fault mode
- Is this control reliable, effective and applicable?

50
Control Types

Controls need to be service and situation dependent in

order to be suitable
• For example, having a rupture disc in place where the inlet
can foul – in this circumstance the correct pressure will not be
seen by the rupture disc
- Such a control would not be suitable for the service
• Bund in service for flammable liquid storage tanks which has
major penetrations
- This control would not be suitable as it cannot satisfy AS1940

51
Control Types

• The following is an animated description of the US Chemical

Safety Board, Animation of BP Texas City Refinery Accident,
October 27, 2005
• This can be found at the following website
www.csb.gov

52
Control Types – Human Controls

• Such controls involve reliance on employees to take action to

prevent an undesirable consequence in response to alarms or
following a routine check of the system
• Human performance is usually considered less reliable than
engineering controls
• Not crediting human actions under well defined conditions is
considered to be unduly penalising the Employer

53
Control Types – Human Controls

Human controls should have the following requirements:

• The indication for action required by an employee must be

detectable
• The action must always be:
- Available for the employee
- Clear to the employee even under emergency conditions
- Simple and straight forward to understand
- Repeatable by any similarly trained/competent employee

54
Control Types – Human Controls

• The time available to take action must be adequate

• Employees should not be expected to perform other tasks at
the same time – there needs to be clear priorities
• The employee is capable of taking the action required under all
conditions expected to be reasonably present
• Training for the required action is performed regularly and is
documented
• Indication and action should normally be independent of any
other system already accredited

55
Control Types – Human Controls
Examples of reduction (human) controls

Human Control Comments

Human action with 10 minutes
response time
Human response to BPCS
indication or alarm with 40
minutes response time
Simple well documented action with
clear and reliable indications that
action is required
Simple well documented action with
clear and reliable indications that
action is required

Human action with 40 minutes Simple well documented action with

response time clear and reliable indications that the
action is required

Taken from “Layer of Protection Analysis, Simplified Process Risk

Assessment, Centre for Chemical Process Safety, American Institute
of Chemical Engineers, 2001”

56
Opportunities Available to Reduce Risk

The effectiveness of control measures in managing risk

• Each control, to be classified as a legitimate control against

an MA (i.e. implemented, functional, independent, monitored
and audited) must be evaluated in a structured format
• To ensure proper management of the MAs, each control must
be fully independent of the other controls listed
- there must be no failure that can deactivate two or more
controls (e.g. common cause failure)

57
Opportunities Available to Reduce Risk

• The question people ask is, how many controls are required to
reduce a MA to AFAP?
• This will depend on:
- The circumstances
- The process being analysed together with the mix of
independent controls
• One approach used is to have a qualitative evaluation that
requires three independent controls to be in place before AFAP
can be achieved

58
Opportunities Available to Reduce Risk

Risk is based on the following equation:

Risk = ∑(Fi x Ci) =(F1 x C1) + (F2 x C2) +.....(Fn x Cn)

Where
Fi is the Frequency or likelihood of event i, and
Ci is the consequence of event i

• Risk reduction can be implemented by changing either the

frequency of the MA occurring or the magnitude of the
consequence of the MA

59
Opportunities Available to Reduce Risk

• For evaluation of control measures, there are several issues

that need to be considered

Existing MHF Facility

• During a risk evaluation process for an existing facility, it
would be very unusual to achieve a reduction in the worst case
consequences of an MA
• Reducing the frequency or likelihood of the event occurring is
generally the only option available

60
Opportunities Available to Reduce Risk

New MHF Facility

• For a new facility, both components of the risk equation can be

reduced
• Several issues can be explored when designing a new facility
• The first point of examination is to focus on the hierarchy of
controls
- Can we eliminate the hazard so it is not a problem?
• The second area to examine is substitution
- Use of alternative non Schedule 9 or DG materials

61
Opportunities Available to Reduce Risk

Elimination Controls

• The effectiveness of an elimination control is considered to be

100%
• The risk from an event occurring is reduced to zero
• This is the optimal type of control
• If an Employer cannot reduce the risk to an acceptable level,
the feasibility of shutting down plant equipment/processes,
substituting non-hazardous substances for hazardous
substances should be considered

62
Opportunities Available to Reduce Risk

Prevention controls

• The effectiveness of prevention controls is based on their

Probability to Fail on Demand (PFD)
• PFDs can be determined from site specific
maintenance/inspection data and incident data
• In the absence of site specific data, PFDs can be referenced
from worldwide failure rate data publications such as OREDA,
E&P Forum, etc

63
Opportunities Available to Reduce Risk

Reduction controls

• Assessing the effectiveness of reduction controls is a lot more

subjective than assessing the effectiveness of elimination or
prevention controls
• There are many variables that affect the integrity/effectiveness
of such controls
• These cover
- Reliability of instrumentation
- Inspection and testing frequency requirements
- Effectiveness of testing programs and feedback on opportunities for
improvement
- Frequency of training employees

64
Opportunities Available to Reduce Risk

Reduction controls

• For example, an operating procedure can be a highly effective

reduction control provided it is readily available, regularly
referenced and frequently reviewed and there is independent
verification of its output
• The same argument holds for a change management process
• Human factors evaluations should be used to determine the
reliability of an operating procedure if it is critical to the activity

65
Opportunities Available to Reduce Risk

Training/competency controls

• The effectiveness of training controls is not easily assessed

• Training programs that are:
- Specific to the task at hand
- Competency assessed
- Revisited via re-fresher training courses
• Are likely to be highly effective with confirmation being available
through human factors evaluations

66
Opportunities Available to Reduce Risk

• Where elimination or substitution cannot be achieved then a

combination of controls is preferred
- This provides a balance
- The failure of a single control should not lead to the MA
occurring

67
Assessment and Adequacy

• There are a number of approaches that can be used to

undertake an assessment of an MA’s controls to determine if
the AFAP argument is satisfied
• These include
- LOPA
- Fault and event tree analysis
- Risk analysis using a matrix approach
• The approach to use will depend on the complexity of the MA
and the culture of the organisation

68
Assessment and Adequacy

• Less complex and smaller operations could use a risk matrix

type approach
• A more complex operation such as a refinery or gas
processing plant could use all three approaches
• When determining effectiveness of control measures, the
following issues will also need to be considered:
- Independence
- Functionality
- Survivability
- Reliability
- Availability

69
Assessment and Adequacy

• Cost benefit analyses can be undertaken to determine the

viability of each proposed recommendation for further risk
reduction
• This is a valid approach and at some point, depending on the
circumstances involved, the cost of reducing risk further
becomes costly compared to the benefit gained
• Controls that are rejected need to be documented including the
reason why
• The definition of a “critical control” is hard to define as various
interpretations can be provided
• This could, in some circumstances, skew thinking to the
detriment of other controls
• For the purpose of MA controls and adequacy evaluation, all
controls that prevent or minimise the potential for an MA to
occur should be appropriately evaluated

70
Assessment and Adequacy

• In essence there will have been a determination made on

every MA covering:
- What controls are in place?
- What other controls are in place?
- Is there only one control in place or is there a proportionality of
controls available to achieve AFAP?
- Is the risk adequately controlled?
- Are additional controls required?

71
Assessment and Adequacy

• Are they effective?

• Would alternative controls be more suitable and effective for
preventing or reducing the MA?
• What testing regime is required for maintaining the control
performance?
• Is the testing regime adequate for every control?
- For example, if some controls are tested every 12 months, what
improvement would there be if testing was undertaken every 3
months?

72
Assessment and Adequacy

• Are the controls audited and their performance evaluated

against appropriate criteria?
• How are failures reported?
• What is the corrective action process in place?
• Is there verification of the entire process?

73
Assessment and Adequacy

• A safety management process will need to be developed for

the facility (i.e. SMS)
• This will enable the performance of all control measures for
every MA to be evaluated for effectiveness and opportunities
for improvement identified

74
Sources of Additional Information

• Major Hazard Facility Guidance Material – Comcare website

www.comcare.gov.au
• WorkSafe Victoria Guidance Material – WorkSafe website
www.workcover.vic.gov.au
• Layer of Protection Analysis, Simplified Process Risk
Assessment, Centre for Chemical Process Safety, American
Institute of Chemical Engineers, 2001
• Hazard Identification and Risk Assessment, Geoff Wells,
1996
• Classification of Hazardous Locations, A.W. Cox, F.P. Lees
and M.L. Ang, IChemE, 1993

75
Sources of Additional Information

• Guidelines for Process Equipment Reliability Data, Center for

Chemical Process Safety of the American Institute of Chemical
Engineers, 1989
• Loss Prevention in the Process Industries , F. P. Lees,
Appendix 14/5, 2nd Edition, Butterworth Heinemann
• IEC 61511-3 Ed. 1.0 E - 2003 - Functional safety - Safety
instrumented systems for the process industry

76
Questions?

77