Major hazard facilities control measures and adequacy
Major Hazard Facilities Control Measures and Adequacy

Overview

The seminar has been developed to provide:

  • Context with MHF Regulations

  • An overview of what is required

  • An overview of the steps required

  • Examples of control measures and their adequacy

Some Abbreviations and Terms

  • AFAP - As far as (reasonably) practicable

  • DG - Dangerous goods

  • Employer - Employer who has management control of the facility

  • ER or ERP - Emergency response or Emergency response plan

  • Facility - any building or structure at which Schedule 9 materials are present or likely to be present for any purpose

  • HAZID - Hazard identification

  • HAZOP - Hazard and operability study

  • HSR - Health and safety representative

  • LOC - Loss of containment

  • LOPA - Layers of protection analysis

Some Abbreviations and Terms

  • MHF - Major hazard facility

  • MA - Major accident

  • OHS - Occupational health & safety

  • PFD - Probability of failure on demand

  • PSV – Pressure safety valve

  • SMS - Safety management system

Topics Covered In This Presentation

  • Regulations

  • Introduction

  • Regulatory requirements

  • What does this mean?

  • Identify all control measures

  • Development of assessment

  • Control category and examples

  • Hierarchy of controls

  • AFAP

Topics Covered In This Presentation

  • Effectiveness of control measures

  • Control types

  • Opportunities available to reduce risk

  • Assessment and adequacy

  • Sources of additional information

  • Review and revision

Regulations

Basic outline

  • Hazard identification (R9.43)

  • Risk assessment (R9.44)

  • Risk control (i.e. control measures) (R9.45, S9A 210)

  • Safety Management System (R9.46)

  • Safety report (R9.47, S9A 212, 213)

  • Emergency plan (R9.53)

  • Consultation

Introduction

In order to deliver safe operation the Employer needs to understand the relationship between:

  • Hazards causing an MA

  • The controls preventing or mitigating consequences of an MA

  • The controls in place and assess their effectiveness and adequacy

Introduction

  • At least 23 workers were killed

  • 74 were injured

  • $800,000,000 (U.S.) estimated property damage

Controls DO fail and the consequences can be devastating

(Skikda, Algiers, 20 January, 2004)

Introduction

  • Control measures are the features of a facility that:

    • Eliminate

    • Prevent

    • Reduce

    • Mitigate

      . . . the risks associated with potential MAs

  • They are the means by which the Employer ensures the operation satisfies the Regulations and the AFAP requirement

  • A number of control options may be considered and applied individually or in combination

Introduction

  • In undertaking control measure identification and assessment, the Employer should seek to attain an understanding of:

    • The processes involved in control measure identification/selection and assessment

    • The control measures used to reduce the risk of potential major accidents to AFAP

Introduction

  • At the end of the controls and adequacy evaluation process, the Employer should know:

    • The identity of all existing and potential control measures

    • The relationships between the hazards, control measures, MAs and outcomes

    • The effectiveness of control measures in managing risk

    • The opportunities that are available to reduce risk

    • The monitoring regime necessary to ensure the ongoing effectiveness of the control measures

Regulation Requirements

  • After the HAZID and Risk Assessment evaluations, the Employer will have identified all of the hazards that can lead to MAs and the controls in place, including independence, reliability, effectiveness, robustness and applicability

  • A determination of the adequacy of the controls in managing the hazards then needs to be undertaken

What Does This Mean?

  • The opportunities present that are available to reduce risk need to be assessed, including additional or alternative controls

  • The monitoring regime necessary to ensure the ongoing effectiveness of the control measures for managing the hazards needs to be assessed

  • Control measures and adequacy assessment will need to be revised as necessary, using performance monitoring results and other relevant new information

What Does This Mean?

Reported incidents by results involving Schedule 9 materials in Victoria (from VWA)

[Chart: No of Incidents; labels: Chemicals & Plastics, First Aid]

What Does This Mean?

  • This accident happened during the filling of a 2000 m3 LPG sphere

  • Its legs collapsed.

  • One person was killed and one seriously injured

Identity of All Control Measures

  • All of the MAs should be documented in an appropriate format that clearly identifies:

    • The MA (the release modes and the consequences of the release)

    • All hazards that, if realised, can cause an MA

    • The controls in place to manage the hazard and any recommended controls as a result of the HAZID process

Identity of All Control Measures

For example, consider a chlorine drum handling operation

Identity of All Control Measures

  • Control measures are not only physical equipment, but may include:

    • Engineered devices (physical barriers such as impact protection bollards) or systems (high integrity trip systems)

    • High-level procedures or detailed operating instructions

    • Information systems (incident reporting systems)

    • Personnel training (i.e. the actions people should take in an emergency)

Development of Assessment

  • It is important to understand how controls are arranged in a manner that eliminates or minimises the hazards leading to an MA occurring, and any interdependence

  • Control measures may be pro-active, in that they eliminate, prevent or reduce the likelihood of incidents

  • They may be reactive, in that they reduce or mitigate the consequences of an MA

Development of Assessment

  • Control measures may be considered as “barriers” and are located between the intrinsic hazards that could lead to an MA

  • Control measures can also reduce the harm that may be caused to people and property in the event of an MA

  • Hazards can result in an MA harming people or property only if controls have failed to function as intended, or have been bypassed/defeated

Development of Assessment

1st barrier

2nd barrier

3rd barrier

Development of Assessment

  • There are methods for the control assessment process

  • The size, complexity and knowledge of the MHF could determine which approach to use

  • Several methods can be used, e.g.:

    • LOPA

    • Fault tree and event tree

    • Risk matrix

Control Measure Hierarchy

The hierarchy of controls & effectiveness guidelines

[Figure: hierarchy running from increasing reliability to decreasing reliability: Eliminate Hazard; Minimize Hazard; Physical Controls; Personnel Skills & Training]

Control Measure Hierarchy

  • Elimination/substitution controls

  • Prevention controls

  • Reduction controls

  • Mitigation controls


  • It is the risk assessment that provides the information necessary to test this requirement, and this information must be included in the safety report

  • The risk assessment must address hazards and risk both individually and cumulatively

  • Consequently the demonstration that risks are eliminated or reduced to AFAP may need to be made for control measures individually, in groups and as a whole


  • The AFAP approach is not simply about satisfying a single criterion of whether the risk of an MA is less than a specific number or position on a risk matrix

  • It is about evaluation of all controls, their proportionality for controlling the risk of an MA occurring and if additional controls can reasonably have an effect on reducing the risk of an MA further


  • The likelihood of the hazard or risk actually occurring

    • That is, the probability that someone could be injured or harmed through the work being done

  • The degree of harm that would result if the hazard or risk occurred

    • For example fatality, multiple injuries, medical or first aid treatment, long or short term health effects

  • The availability and suitability of ways to eliminate or reduce the hazard or risk


  • What is known, or ought reasonably be known, about the hazard or risk and any ways of eliminating or reducing it

  • The cost of eliminating or reducing the hazard or risk

    • That is, control measures should be implemented unless the risk is insignificant compared with the cost of implementing the measures


  • The balance between benefits in terms of reduced risk and the costs of further control measures will play a part in achieving and demonstrating AFAP

  • Every safety report will need to develop an approach as to how the AFAP argument is to be applied to the facility

  • The AFAP approach then needs to be applied consistently to every MA in order for demonstration of adequacy to be satisfied

AFAP – Cost/Benefit & Rejecting Controls

[Figure: chart of risk reduction against sacrifice (cost, time, effort and inconvenience), with regions labelled:]

  • Should be implemented. Little analysis required unless rejected.

  • More detailed justification required to reject

  • More detailed justification required to reject (lower priority)

  • Simple justification to reject

Effectiveness of Control Measures

  • There are controls and safeguards

  • A control is considered to be a device, system, or action that is capable of preventing a cause from proceeding to its undesired consequence, independent of the initiating event or the action of any other layer of protection associated with the scenario

  • A safeguard is any device, system or action that would likely interrupt the chain of events following an initiating event

Effectiveness of Control Measures

To be considered a control, it must be:

Preventing the consequences when it functions as designed

For the initiating event

Of the components of any other control already claimed for the same scenario

The reliability, effectiveness and independence of a control must be auditable

Effectiveness of Control Measures

  • As an example, consider an employee action to read a level gauge and a pressure gauge - both taken off the same tapping point

  • Is a single tapping point for two different information streams applicable, independent and reliable?

  • Will the employee reliably report the correct information?






Effectiveness of Control Measures

These have been built into a system - but are they:

The answer - NO

Effectiveness of Control Measures

  • Every designer, Employer and manager desires to have controls that are:

    • Robust

    • Reliable

    • Can survive harsh environments

    • Not dependent upon rigorous inspection and testing regimes that involve manpower and cost

  • Unfortunately this is not reality

Effectiveness of Control Measures

Controls do fail and accidents occur as a result

Result of a fire at a bulk storage facility – was there adequate separation and fire protection?

Effectiveness of Control Measures

  • Impact on:

  • Environment

  • People

  • Business interruption

  • Cost of inventory

  • Reputation

  • Legal cost

Effectiveness of Control Measures

A good management system

Effectiveness of Control Measures

With adequate risk control measures

Effectiveness of Control Measures

Reduces the risk of loss

Effectiveness of Control Measures

  • These controls are important to analyse in a structured manner so that their effectiveness can be assessed

  • For this to occur the Employer needs to know:

    • What type

    • How many

    • How reliable are the controls

    • Are there sufficient to reduce MA risk to AFAP?

  • Each control needs to be fit for purpose and designed into the system as independent

Control Types

  • In each evaluation the type of service being evaluated needs to be taken into consideration critically to ensure the control type is effective and will perform its intended duty

  • For example consider an instrumented level gauge with high level and high high level independent alarms for controlling the level in a process tower

  • The alarms are not tested and the high high level is known to be in fault mode

    • Is this control reliable, effective and applicable?

Control Types

Controls need to be service and situation dependent in order to be suitable

  • For example, having a rupture disc in place where the inlet can foul – in this circumstance the correct pressure will not be seen by the rupture disc

    • Such a control would not be suitable for the service

  • Bund in service for flammable liquid storage tanks which has major penetrations

    • This control would not be suitable as it cannot satisfy AS1940

Control Types

  • The following is an animated description of the US Chemical Safety Board, Animation of BP Texas City Refinery Accident, October 27, 2005

  • This can be found at the following website

Control Types – Human Controls

  • Such controls involve reliance on employees to take action to prevent an undesirable consequence in response to alarms or following a routine check of the system

  • Human performance is usually considered less reliable than engineering controls

  • Not crediting human actions under well defined conditions is considered to be unduly penalising the Employer

Control Types – Human Controls

Human controls should have the following requirements:

  • The indication for action required by an employee must be detectable

  • The action must always be:

    • Available for the employee

    • Clear to the employee even under emergency conditions

    • Simple and straightforward to understand

    • Repeatable by any similarly trained/competent employee

Control Types – Human Controls

  • The time available to take action must be adequate

  • Employees should not be expected to perform other tasks at the same time – there needs to be clear priorities

  • The employee is capable of taking the action required under all conditions expected to be reasonably present

  • Training for the required action is performed regularly and is documented

  • Indication and action should normally be independent of any other system already accredited

Control Types – Human Controls

Examples of reduction (human) controls

Taken from “Layer of Protection Analysis, Simplified Process Risk Assessment, Centre for Chemical Process Safety, American Institute of Chemical Engineers, 2001”

Opportunities Available to Reduce Risk

The effectiveness of control measures in managing risk

  • Each control, to be classified as a legitimate control against an MA (i.e. implemented, functional, independent, monitored and audited) must be evaluated in a structured format

  • To ensure proper management of the MAs, each control must be fully independent of the other controls listed

    • there must be no failure that can deactivate two or more controls (e.g. common cause failure)

Opportunities Available to Reduce Risk

  • The question people ask is, how many controls are required to reduce an MA to AFAP?

  • This will depend on:

    • The circumstances

    • The process being analysed together with the mix of independent controls

  • One approach used is to have a qualitative evaluation that requires three independent controls to be in place before AFAP can be achieved

Opportunities Available to Reduce Risk

  • Risk is based on the following equation:

  • Risk = Σ(Fi × Ci) = (F1 × C1) + (F2 × C2) + ... + (Fn × Cn)

  • Where

  • Fi is the Frequency or likelihood of event i, and

  • Ci is the consequence of event i

  • Risk reduction can be implemented by changing either the frequency of the MA occurring or the magnitude of the consequence of the MA

Opportunities Available to Reduce Risk

  • For evaluation of control measures, there are several issues that need to be considered

    Existing MHF Facility

  • During a risk evaluation process for an existing facility, it would be very unusual to achieve a reduction in the worst case consequences of an MA

  • Reducing the frequency or likelihood of the event occurring is generally the only option available

Opportunities Available to Reduce Risk

New MHF Facility

  • For a new facility, both components of the risk equation can be reduced

  • Several issues can be explored when designing a new facility

  • The first point of examination is to focus on the hierarchy of controls

    • Can we eliminate the hazard so it is not a problem?

  • The second area to examine is substitution

    • Use of alternative non Schedule 9 or DG materials

Opportunities Available to Reduce Risk

Elimination Controls

  • The effectiveness of an elimination control is considered to be 100%

  • The risk from an event occurring is reduced to zero

  • This is the optimal type of control

  • If an Employer cannot reduce the risk to an acceptable level, the feasibility of shutting down plant equipment/processes, substituting non-hazardous substances for hazardous substances should be considered

Opportunities Available to Reduce Risk

Prevention controls

  • The effectiveness of prevention controls is based on their Probability to Fail on Demand (PFD)

  • PFDs can be determined from site specific maintenance/inspection data and incident data

  • In the absence of site specific data, PFDs can be referenced from worldwide failure rate data publications such as OREDA, E&P Forum, etc
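The risk equation, the PFD basis for prevention controls and the independence requirement on these slides can be combined in a LOPA-style calculation; the Python below is an added example, not part of the presentation. The PFD values, frequency, consequence units and the rule of crediting only the weakest control in any group that shares a component are assumptions made for illustration.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Control:
    name: str
    pfd: float                            # probability of failure on demand
    depends_on: frozenset = frozenset()   # shared components (assumed labels)

    def __post_init__(self):
        if not 0.0 <= self.pfd <= 1.0:
            raise ValueError(f"{self.name}: PFD must lie in [0, 1]")


@dataclass(frozen=True)
class MajorAccident:
    name: str
    frequency: float      # Fi before controls, initiating events per year
    consequence: float    # Ci, in whatever unit the assessment uses
    controls: tuple = ()


def independent_groups(controls):
    """Group controls that share any component, directly or transitively.

    A control with no listed dependency forms a group of its own.
    """
    groups = []  # list of (components, members)
    for c in controls:
        comps, members, rest = set(c.depends_on), [c], []
        for g_comps, g_members in groups:
            if comps & g_comps:           # common cause: merge the groups
                comps |= g_comps
                members = g_members + members
            else:
                rest.append((g_comps, g_members))
        groups = rest + [(comps, members)]
    return [members for _, members in groups]


def mitigated_frequency(ma, check_independence=True):
    """Fi after controls: initiating frequency times the credited PFDs."""
    if not check_independence:
        # Naive view: every listed control is credited as if independent.
        return ma.frequency * prod(c.pfd for c in ma.controls)
    # Assumed conservative rule: one credit per group, using its worst PFD.
    credited = (max(c.pfd for c in g) for g in independent_groups(ma.controls))
    return ma.frequency * prod(credited)


def risk(accidents, check_independence=True):
    """Risk = sum over events of Fi x Ci, the equation from the slides."""
    return sum(mitigated_frequency(a, check_independence) * a.consequence
               for a in accidents)


# Constructed sample: the two gauge readings share one tapping point,
# as in the slide example; the PSV has no shared component.
TAP = frozenset({"tapping point"})
SAMPLE_MA = MajorAccident(
    name="Vessel overfill (constructed)",
    frequency=0.1,
    consequence=10.0,
    controls=(
        Control("Operator reads level gauge", 0.1, TAP),
        Control("Operator reads pressure gauge", 0.1, TAP),
        Control("PSV", 0.01),
    ),
)

if __name__ == "__main__":
    print("naive   :", mitigated_frequency(SAMPLE_MA, check_independence=False))
    print("credited:", mitigated_frequency(SAMPLE_MA))
    print("risk    :", risk([SAMPLE_MA]))
```

Treating the two gauge readings as independent understates the event frequency by a factor of ten in this constructed case, which is the gap the independence check is meant to expose.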

Opportunities Available to Reduce Risk

Reduction controls

  • Assessing the effectiveness of reduction controls is a lot more subjective than assessing the effectiveness of elimination or prevention controls

  • There are many variables that affect the integrity/effectiveness of such controls

  • These cover

    • Reliability of instrumentation

    • Inspection and testing frequency requirements

    • Effectiveness of testing programs and feedback on opportunities for improvement

    • Frequency of training employees

Opportunities Available to Reduce Risk

Reduction controls

  • For example, an operating procedure can be a highly effective reduction control provided it is readily available, regularly referenced and frequently reviewed and there is independent verification of its output

  • The same argument holds for a change management process

  • Human factors evaluations should be used to determine the reliability of an operating procedure if it is critical to the activity

Opportunities Available to Reduce Risk

Training/competency controls

  • The effectiveness of training controls is not easily assessed

  • Training programs that are:

    • Specific to the task at hand

    • Competency assessed

    • Revisited via refresher training courses

  • Are likely to be highly effective with confirmation being available through human factors evaluations

Opportunities Available to Reduce Risk

  • Where elimination or substitution cannot be achieved then a combination of controls is preferred

    • This provides a balance

    • The failure of a single control should not lead to the MA occurring

Assessment and Adequacy

  • There are a number of approaches that can be used to undertake an assessment of an MA’s controls to determine if the AFAP argument is satisfied

  • These include

    • LOPA

    • Fault and event tree analysis

    • Risk analysis using a matrix approach

  • The approach to use will depend on the complexity of the MA and the culture of the organisation

Assessment and Adequacy

  • Less complex and smaller operations could use a risk matrix type approach

  • A more complex operation such as a refinery or gas processing plant could use all three approaches

  • When determining effectiveness of control measures, the following issues will also need to be considered:

    • Independence

    • Functionality

    • Survivability

    • Reliability

    • Availability

Assessment and Adequacy

  • Cost benefit analyses can be undertaken to determine the viability of each proposed recommendation for further risk reduction

  • This is a valid approach and at some point, depending on the circumstances involved, the cost of reducing risk further becomes costly compared to the benefit gained

  • Controls that are rejected need to be documented including the reason why

  • A “critical control” is hard to define, as various interpretations can be provided

  • This could, in some circumstances, skew thinking to the detriment of other controls

  • For the purpose of MA controls and adequacy evaluation, all controls that prevent or minimise the potential for an MA to occur should be appropriately evaluated

Assessment and Adequacy

  • In essence there will have been a determination made on every MA covering:

    • What controls are in place?

    • What other controls are in place?

    • Is there only one control in place or is there a proportionality of controls available to achieve AFAP?

    • Is the risk adequately controlled?

    • Are additional controls required?

Assessment and Adequacy

  • Are they effective?

  • Would alternative controls be more suitable and effective for preventing or reducing the MA?

  • What testing regime is required for maintaining the control performance?

  • Is the testing regime adequate for every control?

    • For example, if some controls are tested every 12 months, what improvement would there be if testing was undertaken every 3 months?

Assessment and Adequacy

  • Are the controls audited and their performance evaluated against appropriate criteria?

  • How are failures reported?

  • What is the corrective action process in place?

  • Is there verification of the entire process?

Assessment and Adequacy

  • A safety management process will need to be developed for the facility (i.e. SMS)

  • This will enable the performance of all control measures for every MA to be evaluated for effectiveness and opportunities for improvement identified

Sources of Additional Information

  • Major Hazard Facility Guidance Material – Comcare website

  • WorkSafe Victoria Guidance Material – WorkSafe website

  • Layer of Protection Analysis, Simplified Process Risk Assessment, Centre for Chemical Process Safety, American Institute of Chemical Engineers, 2001

  • Hazard Identification and Risk Assessment, Geoff Wells, 1996

  • Classification of Hazardous Locations, A.W. Cox, F.P. Lees and M.L. Ang, IChemE, 1993

Sources of Additional Information

  • Guidelines for Process Equipment Reliability Data, Center for Chemical Process Safety of the American Institute of Chemical Engineers, 1989

  • Loss Prevention in the Process Industries, F. P. Lees, Appendix 14/5, 2nd Edition, Butterworth Heinemann

  • IEC 61511-3 Ed. 1.0 E - 2003 - Functional safety - Safety instrumented systems for the process industry