Appropriate Risk Assessment Methods for Major Accident Establishments


0957–5820/03/$23.50+0.00 © Crown Copyright. Trans IChemE, Vol 81, Part B, January 2003

www.ingentaselect.com/titles/09575820.htm

APPROPRIATE RISK ASSESSMENT METHODS FOR MAJOR ACCIDENT ESTABLISHMENTS†

D. A. CARTER, I. L. HIRST, T. E. MADDISON and S. R. PORTER
Hazardous Installations Directorate, Health and Safety Executive, Merseyside, UK

Risk assessment is a necessary step in the management of risk. In the UK the general legislation requires duty holders to reduce risks to as low as is reasonably practicable (ALARP) and to conduct a suitable and sufficient risk assessment for the purpose of identifying the measures to take to comply with the relevant statutory provisions. Risk assessment has a particularly important role where major accidents are possible and describing conformity with standards is not sufficient to demonstrate that all necessary measures have been taken. This paper is an attempt to clarify the important role of risk assessment and the various techniques available, particularly where the use of fully quantified risk assessment would not be proportionate to the scale of hazards and risks.

Keywords: risk assessment; methodology; major accidents; demonstration.

INTRODUCTION

The Control of Major Accident Hazards Regulations 1999 (COMAH) in the UK require operators of qualifying establishments to submit a safety report which demonstrates that all necessary measures have been taken to prevent major accidents, and to limit the consequences to people and the environment of any that do occur. The experience of the Health and Safety Executive (HSE) in assessing COMAH safety reports has shown that this aspect is not well understood: about 40% of reports have been returned for not demonstrating that risks have been reduced. Successful management of health and safety in industry requires a systematic approach. This must include a decision-making process which is appropriate, soundly based, open and transparent, so that all interested parties can participate and see that the objectives are achieved (HSE, 1997). For all installations with the potential to cause a major accident, a risk assessment is necessary in which all significant hazards are addressed and suitable controls provided (HSE, 1999). The outcome of the risk assessment must enable the decision-makers to identify any shortcomings in the existing or proposed preventive measures. The controls, as a minimum, must implement authoritative good practice irrespective of situation-based risk estimates.

Three regions of risk can be described, namely the unacceptable and the broadly acceptable regions, with the tolerable region in between. Risks in the tolerable region are typical of the risks from activities that people are prepared to tolerate in order to secure benefits, provided the risks are adequately assessed and the results used appropriately to determine control measures. The residual risks must be reasonable and kept as low as reasonably practicable (the ALARP principle). The meaning of this term has been further clarified in guidance (HSE, 2001). The risks need to be periodically reviewed to ensure that they still meet the ALARP criteria, and further or new controls need to be considered taking into account changes over time, such as new knowledge about the risk or the availability of new techniques for reducing or eliminating risks. Both the level of individual risk and societal concerns must be taken into account when deciding whether a risk is unacceptable, tolerable or broadly acceptable (HSE, 2001).

SCOPE

It is very important to define carefully the scope of the risk assessment at the outset. This can be done by answering some simple questions:

(1) Risk from what? The system under scrutiny must be defined, including the circumstances in which it operates. Any relevant factors which are being excluded from consideration must be clearly stated.
(2) Risks to what? The persons concerned need to be clearly specified. For the purposes of the assessment a hypothetical person may need to be postulated such that their location is consistent with a cautious approach. Transient populations need to be considered.
(3) Risks of what? What are the measures of exposure and harm that we wish to assess? In most cases this will include ‘fatality’, but lesser outcomes and consequences for the environment also need consideration.
(4) So what? The purpose of the assessment has to be clearly defined along with the criteria to be used in any subsequent decision-making. Are the results to be used to choose between alternatives or to compare against some absolute criteria?

† Crown Copyright 2003. Reproduced with the permission of the Controller of Her Majesty’s Stationery Office.


HAZARD ANALYSIS

This can be considered to be a two-stage process, but in all cases a hazard analysis needs to be carried out. Checklists, HAZOP (Institution of Chemical Engineers, 1999), fault trees and similar techniques are available. Firstly, the range of possible accidents must be identified with no allowance for mitigating measures. For example, although secondary containment measures may be present, it would be wrong to assume that they would be fully effective in all circumstances. Initially a ‘worst case’ may be identified to indicate the appropriate extent of the subsequent analysis. Secondly, measures to reduce the severity or frequency of accidents should be identified, and their operation and possible failure described. Appropriate standards should be identified, together with the extent to which they are relevant and have been followed. Proposers of new hazardous installations need to show that adequate consideration has been given to the adoption of inherently safe technology.

CONSEQUENCE AND FREQUENCY ANALYSIS

Where quantification of risk is required, a representative set of events needs to be established. The set needs to contain sufficient members to ensure that both the ‘worst case’ events are included and lesser, more frequent events are suitably represented. This will enable the effects of existing and postulated risk reduction measures to be considered. Separate events are generally necessary to incorporate the conditional probabilities of success and failure of protective systems. The consequences of the events are modelled and the frequencies and probabilities of all significant events allocated. Sensitivity analysis and further refinement of the representative set may be needed to ensure that the set is sufficiently descriptive, robust and fit for the purpose.

RISK CALCULATIONS

The set of consequences and frequencies (as modified by conditional probabilities) are combined to give the risk values (e.g. risk contours, F–N relationships). The selection of the type of output depends on the purpose of the risk assessment and should be established at the outset.

QUANTIFIED RISK ASSESSMENT

Quantified risk assessment (QRA) is only appropriate where it is both reasonable and practicable: reasonable in that the cost of doing it is not high compared with the value of solving the problem, and practicable in terms of the availability of information and data. Consistency in the application of QRA to major chemical hazards can be achieved by the strict application of standardized methodology; however, the significance of the results may be questionable in absolute terms. The methodologies are now well established and provide good insight into the relative merits of risk-reducing options (Center for Chemical Process Safety, 1989).

UNCERTAINTY

Uncertainty analysis is needed to aid decision-making. Uncertainties occur in the data used to set frequencies and probabilities, in the consequence models, and in the risk-assessment methodology, particularly where important aspects of a problem have not been identified during the hazard analysis (UK Offshore Operators Association, 2000). However, a ‘cautious’ or ‘conservative’ basis is sometimes used merely to establish that a criterion has not been breached, for example that the individual risk of death to a hypothetical person at a particular location does not exceed a threshold value.

COST–BENEFIT ANALYSIS

If the purpose of a risk assessment is to decide on expenditure on additional protective measures or to demonstrate that all necessary measures have been taken, then some form of cost–benefit analysis is required (French et al., 2001). For simple issues this need not be quantitative but can in many cases be based on performance standards, codes of practice etc., where all that is needed is to show ‘fitness for purpose’. Normally the underlying standard will have taken into account elements of cost and practicability, but not explicitly. These should be treated as minimum good practice. Where the possible consequences to persons are severe it will then be necessary to consider options for further risk reduction. The main questions are ‘What more can be done to reduce the risks?’ and ‘Why have I not done it?’. In most cases the frequency of events will not be more accurate than a factor of 10, and under such circumstances parameters such as ‘discount rates’ and ‘remaining life of the plant’ do not need to be known precisely. A simple method is based on an annual value for the costs and benefits. For example, if the annualized cost of a possible improvement is £10k per year and the expected reduction in fatalities is 0.01 per year, then the cost of preventing a fatality is the ratio of these values, that is £1 million. Given the base criterion for preventing a fatality of about £1 million, there is no ‘gross disproportion’ between the costs and benefits and therefore the proposed improvement is reasonably practicable.
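The annual-value screening described above, carried through as an added worked example (this is not code from the paper): a capital cost is annualized over the remaining plant life at a discount rate, the cost per fatality prevented is formed as in the paper's £10k/0.01 illustration, it is compared with the base criterion, and discount rate and plant life are swept to show that their effect on the answer is well inside the factor-of-10 uncertainty on event frequencies. The capital cost, running cost, rates and lives are constructed inputs; the base criterion of about £1 million comes from the paper; the disproportion factor is a parameter because the page gives no figure for it.

```python
"""Annual-value cost-benefit screening of a risk reduction measure.

Added example, not from the paper. The capital cost, running cost, discount
rates and plant lives are constructed; the base criterion of about 1e6 GBP
per fatality prevented is the paper's; the disproportion factor is a
parameter because the page gives no value for it."""

BASE_CRITERION_GBP = 1_000_000.0  # the paper's "about GBP 1 million" per fatality prevented


def capital_recovery_factor(rate, years):
    """Fraction of a capital sum repaid by equal annual payments over `years`
    at discount `rate`; simply 1/years when the rate is zero."""
    if years <= 0:
        raise ValueError("remaining plant life must be positive")
    if rate == 0:
        return 1.0 / years
    return rate / (1.0 - (1.0 + rate) ** (-years))


def annualized_cost(capital, annual_opex, rate, years):
    """Equivalent annual cost: capital spread over the remaining life, plus running cost."""
    return capital * capital_recovery_factor(rate, years) + annual_opex


def cost_per_fatality_prevented(annual_cost, fatalities_avoided_per_year):
    """The ratio the paper uses: annual cost / annual reduction in expected fatalities."""
    if fatalities_avoided_per_year <= 0:
        raise ValueError("the measure must reduce expected fatalities for this ratio to apply")
    return annual_cost / fatalities_avoided_per_year


def reasonably_practicable(cost_per_fatality, base_criterion=BASE_CRITERION_GBP,
                           disproportion_factor=1.0):
    """A measure is reasonably practicable unless its cost is grossly disproportionate
    to the benefit. How far above the base criterion counts as 'gross' is the factor
    argument (hypothetical default of 1; the page gives no figure)."""
    return cost_per_fatality <= base_criterion * disproportion_factor


def sensitivity(capital, annual_opex, fatalities_avoided, rates, lives):
    """(min, max, max/min) of the cost per fatality prevented over the given discount
    rates and plant lives: a check on the paper's point that these parameters need
    not be precise when event frequencies are only good to a factor of 10."""
    values = [cost_per_fatality_prevented(annualized_cost(capital, annual_opex, r, n),
                                          fatalities_avoided)
              for r in rates for n in lives]
    return min(values), max(values), max(values) / min(values)


if __name__ == "__main__":
    # The paper's figures: 10k GBP/yr against 0.01 fatalities/yr avoided -> 1e6 GBP per fatality.
    paper = cost_per_fatality_prevented(10_000.0, 0.01)
    print(paper, reasonably_practicable(paper))
    # Constructed measure: 100k GBP capital, 2k GBP/yr upkeep, 0.01 fatalities/yr avoided.
    low, high, spread = sensitivity(100_000.0, 2_000.0, 0.01,
                                    rates=(0.0, 0.035, 0.06, 0.10), lives=(10, 20, 30))
    print(f"cost per fatality prevented: {low:,.0f} to {high:,.0f} GBP (spread x{spread:.1f})")
```

For the constructed measure the sweep from a zero discount rate over 30 years to 10% over 10 years moves the cost per fatality prevented by a factor of about 3.4, which is the paper's point: a frequency estimate that is only good to a factor of 10 dominates, so the financial parameters need not be refined before deciding whether the measure is grossly disproportionate.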
SAFETY REPORTS

In all safety reports the scope of the assessment should be clearly stated. The criteria for making decisions based on the risk to people need to be clear. Relevant good practice needs to be described, including the identification of recognized codes, standards and guidance and any appropriate ‘in-house’ company standards. Detailed hazard studies carried out at the design stage provide a good basis for this. The methodology and process adopted for hazard identification needs to be described. An analysis of known incidents both within the company and beyond is usefully undertaken using collected data. A list of all major accidents with a summary of initiating events is produced. For each type of major accident the extent and severity is described. The effects of variations in ambient conditions are considered. The consequences in terms of the numbers of persons who may be affected both on and off site are needed both for subsequent decision-making and emergency planning. Control and mitigation systems are identified. The likelihoods of the consequences are described, taking into account the probability that protective systems will not function on demand.


The resulting consequence and likelihood pairs are ranked and used to identify safety-critical events. Human factors are considered, particularly in relation to the critical events. Practicable additional protective measures are considered to enable ‘all necessary measures’ to be demonstrated. When uncertainty is high the precautionary principle is used and practicable measures are judged prima facie to be reasonable. An implementation plan is formulated. The analysis is updated in the light of performance data.

PROPORTIONALITY

The type and extent of assessment needs to be no more than ‘fit for purpose’, that is, proportionate to the scale of the risks, with particular emphasis on the potential consequences. Likewise the measures taken to control a risk also need to be proportionate. Proportionality is a measure of the concern that is appropriate for an installation and the causes of risk within that installation. The individual risk of death to workers in the chemical and allied industries is generally low. For most persons on chemical manufacturing sites the risks from major accident hazards are assessed by an occupied buildings risk assessment (Chemical Industries Association, 1998), although persons in the open also need consideration. For hazardous installations subject to the COMAH Regulations, societal concerns, and specifically societal risk, are therefore the main determinants of proportionality. For this purpose the possible consequences of an incident are given more prominence than the likelihood.

RELEVANT GOOD PRACTICE

The options for reducing risk in most situations are limited, and the optimum option is likely to have been established as good practice and may be documented, for example in HSE Approved Codes of Practice and HSE Guidance. However, such documents may only address some of the risks that need consideration. A complete statement of good practice may not be available, particularly where major investment decisions are needed or hazards are regulated through safety case regimes. Current practice cannot be assumed to be sufficient for the control of major accidents.

QUALITATIVE RISK ASSESSMENT

Where the risks are small and well known, and the site is not located in the vicinity of possibly incompatible development, a simple description of the types of major accident, their consequences and their likelihoods (e.g. based on published information), and a review of compliance with standards is sufficient. Examples would include low-pressure gasholders, chlorine drum installations in rural areas, ambient storage facilities for low-volatility substances, and warehouses containing low-toxicity solid products.

SEMI-QUANTITATIVE RISK ASSESSMENT

More complex installations will need site-specific hazard analysis with estimates of the consequences and frequencies of a representative sample of events. The taking of all necessary measures may be generally demonstrated by comparison with standards, but site-specific features need to be considered as well (e.g. areas of semi-confinement for a possible VCE, proximity of off-site population). Accident pathways are often best represented by the ‘bow-tie’ diagram, where the initiating events, preventive measures, release, mitigating measures and consequences are described in a single diagram (Figure 1). In the example four initiating events are identified. Seven preventive measures are identified, but a maximum of three operate on any one initiating event. Mitigation measures in this case are common to all initiating events, but the consequences vary depending on whether any fail on demand. Such diagrams aid identification of safety-critical systems. Additional risk reduction measures should be identified and considered. Examples would include most pressurized flammable gas storage sites, bulk liquefied toxic gas user sites, and agricultural chemicals warehouses. As the complexity of the operations and the possible risk control methods increase, more quantified site-specific analysis is necessary.

RISK MATRICES

A risk matrix-based method can bridge the gap between purely qualitative and fully quantitative approaches. The risk matrix enables combinations of likelihood and consequences of major accidents to be combined in a single diagram (Figure 2). When all significant events are plotted on the same diagram, safety-critical events can be recognized and some indication of cumulative risks can be obtained (Middleton and Franks, 2001).
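The bow-tie and risk-matrix ideas above, and the Layers of Protection Analysis described in the following section, all rest on the same arithmetic: an initiating-event frequency is divided down by the protection layers on its path, split by whether the common mitigation works on demand, and the resulting event-sequence frequencies are placed on a likelihood/consequence matrix and summed per consequence class. The added example below does that end to end (it is not code from the paper, and its initiators, layers and targets are constructed; the paper's Figure 1 and Figure 3 data are not on the page). It uses the LOPA conventions stated later on this page: a full IPL credit is two orders of magnitude, a half credit (basic process control) is one, a layer counts only if it is independent, effective and auditable, and frequencies are in cpm (chances per million per year). The broadly-acceptable targets per consequence class are hypothetical.

```python
"""Bow-tie / LOPA roll-up of event-sequence frequencies onto a risk matrix.

Added example for the bow-tie, risk matrix and LOPA sections; the data are
constructed and are not the paper's Figure 1 or Figure 3. Frequencies are in
cpm (chances per million per year), the unit the paper uses for LOPA."""
from collections import defaultdict
from math import ceil, log10

CREDIT_FACTOR = 100.0  # one IPL credit = two orders of magnitude; a half credit = one

# Protection layer: (name, credit, independent, effective, auditable).
# A layer earns its credit only if it passes all three IPL tests.
BPCS = ("basic process control system", 0.5, True, True, True)
ALARM = ("operator response to high-level alarm", 1.0, True, True, True)
SIS = ("safety instrumented trip", 1.0, True, True, True)
RELIEF = ("relief valve to safe location", 1.0, True, True, True)
PROCEDURE = ("unaudited manual check", 1.0, True, True, False)  # not an IPL: ignored

# Left side of the bow-tie: initiating events with order-of-magnitude frequencies (constructed).
INITIATORS = [
    ("control loop failure", 50_000.0, [BPCS, ALARM]),
    ("overfill on import", 10_000.0, [ALARM, SIS]),
    ("corrosion leak", 1_000.0, [RELIEF, PROCEDURE]),
    ("vehicle impact", 500.0, []),
]
# Right side: a mitigation layer common to every initiator, with a probability
# of failure on demand; the consequence class depends on whether it works.
MITIGATION = {"works": "on-site injuries", "fails": "off-site fatalities", "pfd": 0.1}
# Hypothetical frequency at or below which each consequence class is broadly
# acceptable (the paper's Figure 3 values are not on the page).
TARGET_CPM = {"on-site injuries": 100.0, "off-site fatalities": 10.0}


def ipl_credits(layers):
    """Credits from layers that are independent, effective and auditable."""
    return sum(credit for _, credit, ind, eff, aud in layers if ind and eff and aud)


def release_frequency(freq_cpm, layers):
    """Initiator frequency after the preventive IPLs: each credit divides by 100."""
    return freq_cpm / CREDIT_FACTOR ** ipl_credits(layers)


def event_sequences(initiators=INITIATORS, mitigation=MITIGATION):
    """(initiator, consequence, frequency in cpm) for every path through the bow-tie."""
    rows = []
    for name, freq, layers in initiators:
        release = release_frequency(freq, layers)
        rows.append((name, mitigation["works"], release * (1.0 - mitigation["pfd"])))
        rows.append((name, mitigation["fails"], release * mitigation["pfd"]))
    return rows


def additional_ipls(freq_cpm, target_cpm):
    """Whole IPL credits needed to bring a frequency down to its target."""
    if freq_cpm <= target_cpm:
        return 0
    return ceil(log10(freq_cpm / target_cpm) / 2.0)


def matrix_cell(freq_cpm, consequence):
    """Likelihood band (decade ceiling) and consequence class: the matrix coordinates."""
    band = "below 1e-3 cpm" if freq_cpm < 1e-3 else f"1e{ceil(log10(freq_cpm))} cpm"
    return band, consequence


def safety_critical(rows, targets=TARGET_CPM):
    """Sequences above the target for their consequence, most IPLs needed first."""
    hits = [(additional_ipls(f, targets[c]), f, name, c)
            for name, c, f in rows if f > targets[c]]
    return sorted(hits, reverse=True)


def cumulative(rows, targets=TARGET_CPM):
    """Sum the sequence frequencies per consequence class and judge each total."""
    total = defaultdict(float)
    for _, consequence, freq in rows:
        total[consequence] += freq
    return {c: (f, additional_ipls(f, targets[c])) for c, f in total.items()}


if __name__ == "__main__":
    rows = event_sequences()
    for name, consequence, freq in rows:
        print(f"{name:22s} {consequence:20s} {freq:9.2f} cpm  {matrix_cell(freq, consequence)[0]}")
    print("safety-critical:", safety_critical(rows))
    print("cumulative:", cumulative(rows))
```

Two things this makes visible that the diagram alone does not: the unaudited procedure contributes nothing because it fails the auditability test, exactly as the paper says of measures that do not meet the IPL definition; and the per-consequence totals can call for another IPL even when only one initiator (here the unprotected vehicle impact) is individually above target, which is the "indication of cumulative risks" a matrix gives.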

Figure 1. ‘Bow-tie’ diagram.

Figure 2. Illustrative risk matrix.

LAYERS OF PROTECTION ANALYSIS

Layers of Protection Analysis (LOPA) (CCPS, 2001) is a semi-quantitative methodology that is based on ‘lines-of-defence’ concepts similar to TRAM (Naylor et al., 2000). Simple event sequences are described, starting with an initiator and resulting in a consequence. The consequence can be described in general terms, as is usual in ‘matrix’-type representation systems (e.g. serious injuries, on-site fatalities, off-site fatalities). Safety systems (including operator actions) are represented by IPLs (independent protection layers) that have to satisfy three tests: independence, effectiveness and auditability. An IPL credit is equivalent to two orders of magnitude reduction in event frequency. A half credit may be identified as appropriate (e.g. for the basic process control system). Initiating event frequency and conditional probabilities are given order-of-magnitude values. Caution is adopted for each input. The result is the frequency of an event sequence producing a certain level of consequence. These can be represented on the two axes of a matrix or graph. This can be used to determine the appropriate number of (additional) IPLs (Figure 3). Where a system has the appropriate number of IPLs the risk may be considered to be ‘broadly acceptable’ and no further action is required. Otherwise the urgency of the remedial action is proportionate to the number of additional IPLs required and the severity of the consequences. This is shown in Figure 3, where the events are plotted on a matrix, the number of IPLs required is shown, and the shading represents the urgency of remedial action. The frequencies are given in cpm (chances per million per year). Also the resulting frequencies may be summed to give the probability of certain consequences arising from certain activities (e.g. the frequency of off-site fatality incidents from over-pressurization of a reactor). There are no HSE published criteria for judging whether the ‘risk from’ something is considered to be as low as is reasonably practicable (ALARP) or broadly acceptable, and individual risk of fatality criteria cannot be directly compared with the result of the LOPA analysis. The methodology has some important limitations: very large consequences are not considered; there is no consideration of costs and benefits; it cannot consider complex event sequences; other than in a very simple way, human factors are not represented; and safety measures that do not meet the definition of an IPL are ignored. It is therefore concluded that for most MAH events at a COMAH installation LOPA presents a simple methodology with order-of-magnitude accuracy, which complements hazard identification studies and matrix representation schemes. The more severe or complex cases need more detailed methodology (e.g. QRA). When LOPA suggests more IPLs are necessary but expense is an important factor, the case would need to be referred for cost–benefit analysis. In all cases a clear and robust manual for implementation of the methodology is essential.

QRA

As a full QRA may not be practicable, this cannot be an automatic requirement, but where the potential consequences of events are greatest and there is a substantial population at risk it will be hard to demonstrate that all necessary measures have been taken without a QRA to show that the total risks are below published criteria. QRA is well suited to complex problems, particularly where high-consequence/low-frequency events are significant and there is a choice of remedial measures (e.g. alkylation units at refineries, bulk toxic gas production facilities), or situations where a standard methodology can be established and easily applied (e.g. assessments for land use planning) (Nussey et al., 1993).

SOCIETAL RISK ANALYSIS

Figure 3. LOPA matrix showing appropriate numbers of IPLs.


The perception of risk by individuals or groups that may be affected by the hazard can be influenced by many factors, mainly of a subjective nature. Objective measures of societal risk are not subject to transient concerns and form a consistent basis for decision-making. This is certainly the case in relation to decisions concerning land use planning involving major accident hazard installations in the UK. The likelihood and scale of any potential disaster is the main concern when considering the siting of new major accident installations and the development of land within the vicinity of existing establishments. The risk can only be completely defined by the identification of all possible events at the hazardous installation capable of affecting the population or area specified. Events with a very remote probability (e.g. the coincident catastrophic failure of more than one vessel where no common cause exists) can be excluded from further consideration. The rest are represented by a manageable number of specific events, and the total frequency of all events is apportioned between those in the representative sample. The result is a set of frequency and consequence (usually fatality) pairs plotted in the form of a log–log graph, also showing the cumulative frequency and numbers, or ‘F–N curve’ (Figure 4).

Figure 4. A set of frequency (f), numbers (n) data and the cumulative frequency (F) curve.

RISK INTEGRAL METHODS

The interpretation of an F–N curve requires a criterion. Some criteria are expressed in the form of a disutility function. The simplest is the ‘expectation value’ (EV) of the numbers of fatalities per annum. This is the same as the integral of the F–N curve.

$$\mathrm{EV} = \sum F = \sum (f \times n) \qquad (1)$$

In the example shown in Figure 4, the result is $4 \times 10^{-4}$ fatalities per year.

For land use planning in the UK a disutility function incorporating a high degree of scale aversion is used, called RILUP.

$$\mathrm{RILUP} = \sum (F \times N) = \sum \left[ f \times \frac{n + n^{2}}{2} \right] \qquad (2)$$

In the example shown in Figure 4, the result is 6000 (no units). A value of 10,000 is used for comparison purposes, below which the risks are considered to be broadly acceptable. In practice, the F–N curve is often difficult to calculate because of the need for off-site population data (Mooney and Walker, 2002) extending to the maximum extent of the hazard (possibly many kilometres for a liquefied toxic gas installation). Variations in population according to the time of day or day of the week can also be important. It is also difficult to include sufficient detail to determine the frequency of small numbers of fatalities.

APPROXIMATE SOCIETAL RISK CALCULATIONS

Risk assessments need only be fit for the purpose, and therefore complex societal risk calculations are often neither appropriate nor reasonably practicable. A proportionate methodology is necessary.

Figure 5. A set of frequency ( f ), numbers (n) data and the theoretical approximations.


Figure 6. Societal risk criteria and types of risk assessment.

So that an estimate of the potential for societal risk from an installation can be made for the purposes of determining the appropriate response, approximate methods based on a single ‘worst case’ event have been developed. This event usually corresponds to the event with the maximum consequences on the F–N curve. An assumption is made that for an omni-directional event the F–N curve has a slope of −1 truncated at $N_{\max}$, and for a uni-directional event that the f–n data (the individual frequency–number points) has a slope of −2. This latter assumption is compared with the data from the example (Figure 5). This is equivalent to assuming that the worst case represents the scale of the whole activity. For a liquefied toxic gas installation the worst case is likely to result from large or catastrophic failures of the storage vessels. Thus the risks from installations with relatively small vessels but a high throughput of substance will tend to be underestimated, and installations with indoor road tanker off-loading facilities will tend to be overestimated. The results should therefore only be used as a guide. For land use planning ARILUP has been developed (Hirst and Carter, 2000), using one of two formulae as appropriate. Where the consequences of the worst case event are omni-directional (e.g. a fireball or vapour cloud explosion):

$$\mathrm{ARILUP} = F_{N_{\max}} \times N_{\max}^{2} \qquad (3)$$

and for uni-directional events (e.g. a toxic gas cloud or flash fire):

$$\mathrm{ARILUP} = 0.5 \times F_{N_{\max}} \times N_{\max}^{3} \qquad (4)$$

In the example we have a uni-directional event with $N_{\max} = 109$ and $F_{N_{\max}} = 0.007$. This results in an ARILUP of 4500. This compares reasonably well with the exact value of RILUP of 6000. RILUP incorporates a high degree of scale aversion that is not considered appropriate for decisions on risk reduction measures, where some form of cost–benefit analysis is usually the final arbiter. The equations are altered to give a new measure, RICOMAH (Hirst and Carter, 2002).

$$\mathrm{RICOMAH} = \sum (f \times n^{a}) \quad \text{with } a = 1.4 \qquad (5)$$

Again approximations are possible based on the same worst case assumptions. However, the resulting equations contain expressions that need to be evaluated numerically. For omni-directional events:

$$\mathrm{ARICOMAH} = F_{N_{\max}} \times N_{\max} \times \left\{ \left[ \sum_{n=1}^{N_{\max}-1} \frac{n^{a-1}}{n+1} \right] + N_{\max}^{\,a-1} \right\} \qquad (6)$$

For uni-directional events:

$$\mathrm{ARICOMAH} = F_{N_{\max}} \times N_{\max}^{2} \times \left[ \sum_{n=1}^{N_{\max}} n^{a-2} \right] \qquad (7)$$
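Equations (1) to (7) carried through in code, as an added example that is not part of the paper. The (n, f) pairs are constructed (they are not the Figure 4 data), except that the worst-case values Nmax = 109 and FNmax = 0.007 are the paper's; the code computes EV, RILUP and RICOMAH from the set, the worst-case approximations ARILUP and ARICOMAH from (Nmax, FNmax), and compares each against the 10,000 and 2000 values the paper uses. Two assumptions are labelled in the code: f is treated as cpm (chances per million per year), because the paper's figures (EV of 4 × 10⁻⁴ per year beside an RILUP of 6000 and FNmax of 0.007) only fit together on that reading; and the uni-directional slope of −2 is applied to the per-event frequencies f(n), which is the reading under which equation (7) follows. The `implied_events` helper generates the f–n set behind each assumption so the closed forms can be checked against the definitions.

```python
"""Societal risk measures from an f-n set, with the worst-case approximations.

Added example, not the paper's own code. The (n, f) pairs are constructed; they
are not the Figure 4 data. f is taken in cpm (chances per million per year):
an assumption, made because the paper's example values (EV 4e-4/yr, RILUP 6000,
FNmax 0.007) only fit together on that reading."""

A = 1.4  # scale-aversion exponent of RICOMAH (eq. 5)

# Constructed f-n set for a uni-directional (toxic gas) installation:
# (n fatalities, frequency in cpm of events with exactly n fatalities).
# Nmax = 109 and f(Nmax) = 0.007 are the paper's worst-case values; the rest are invented.
EVENTS = [(1, 150.0), (3, 30.0), (10, 5.0), (30, 1.5),
          (50, 1.0), (70, 0.8), (90, 0.5), (109, 0.007)]


def fn_curve(events):
    """F(N) = frequency of N or more fatalities at each n in the set (the F-N curve points)."""
    return [(N, sum(f for n, f in events if n >= N)) for N in sorted({n for n, _ in events})]


def expectation_value(events):
    """EV = sum F = sum f*n (eq. 1)."""
    return sum(f * n for n, f in events)


def rilup(events):
    """RILUP = sum F*N = sum f*(n + n^2)/2 (eq. 2)."""
    return sum(f * (n + n * n) / 2.0 for n, f in events)


def ricomah(events, a=A):
    """RICOMAH = sum f*n^a (eq. 5)."""
    return sum(f * n ** a for n, f in events)


def worst_case(events):
    """(Nmax, FNmax): the largest n and the cumulative frequency at it."""
    nmax = max(n for n, _ in events)
    return nmax, sum(f for n, f in events if n >= nmax)


def arilup(fnmax, nmax, omni):
    """eq. 3 (omni-directional, F-N slope -1) or eq. 4 (uni-directional, slope -2)."""
    return fnmax * nmax ** 2 if omni else 0.5 * fnmax * nmax ** 3


def aricomah(fnmax, nmax, omni, a=A):
    """eq. 6 (omni) or eq. 7 (uni); the sums are evaluated numerically."""
    if omni:
        s = sum(n ** (a - 1) / (n + 1) for n in range(1, nmax)) + nmax ** (a - 1)
        return fnmax * nmax * s
    return fnmax * nmax ** 2 * sum(n ** (a - 2) for n in range(1, nmax + 1))


def implied_events(fnmax, nmax, omni):
    """The per-n frequencies behind each worst-case assumption, for checking the closed forms.

    omni: F(N) = FNmax*Nmax/N truncated at Nmax, so f(n) = F(n) - F(n+1).
    uni:  f(n) = FNmax*Nmax^2/n^2, i.e. the slope of -2 applied to the per-event
          frequencies (the reading under which eq. 7 follows; an assumption here).
    """
    if omni:
        return [(n, fnmax * nmax / (n * (n + 1))) for n in range(1, nmax)] + [(nmax, fnmax)]
    return [(n, fnmax * nmax ** 2 / n ** 2) for n in range(1, nmax + 1)]


def screen(events, omni, rilup_limit=10_000.0, ricomah_limit=2_000.0):
    """Exact and approximate measures beside the paper's comparison values."""
    nmax, fnmax = worst_case(events)
    out = {
        "EV": expectation_value(events),
        "RILUP": rilup(events),
        "ARILUP": arilup(fnmax, nmax, omni),
        "RICOMAH": ricomah(events),
        "ARICOMAH": aricomah(fnmax, nmax, omni),
    }
    out["broadly_acceptable_rilup"] = out["RILUP"] < rilup_limit
    out["broadly_acceptable_aricomah"] = out["ARICOMAH"] < ricomah_limit
    return out


if __name__ == "__main__":
    for key, value in screen(EVENTS, omni=False).items():
        print(f"{key:28s} {value}")
    # The closed forms reproduce the definitions applied to their implied f-n sets.
    for omni in (True, False):
        ev = implied_events(0.007, 109, omni)
        print(omni, ricomah(ev), aricomah(0.007, 109, omni), rilup(ev), arilup(0.007, 109, omni))
```

With the paper's worst-case values the script gives ARILUP ≈ 4533 and ARICOMAH ≈ 1198 for the uni-directional case, matching the 4500 and 1200 quoted in the text. The final loop shows that equations (6) and (7) equal RICOMAH evaluated on the implied f–n sets exactly, and that equation (3) equals RILUP exactly for the omni-directional set, whereas equation (4) is slightly low for the uni-directional set: RILUP on that set is 0.5 × FNmax × Nmax² × (Nmax + H(Nmax)), where H is the harmonic number, so the closed form drops a term worth about 5% at Nmax = 109, in keeping with the paper's advice to use these results only as a guide.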

The equivalent value to an RILUP of 10,000 is 2000. The Figure 4 example ($N_{\max} = 109$, $F_{N_{\max}} = 0.007$) gives an ARICOMAH of about 1200. This would indicate that a more accurate societal risk assessment method would not be appropriate and that options for further risk reduction should be low cost. Criteria for use with ARICOMAH by assessors have been developed, to judge the importance of societal risk at an installation and to give an indication of the general type of risk assessment methodology that would be appropriate [qualitative (Q), semi-quantitative (SQ), fully quantitative (QRA)] (Figure 6).

CONCLUSION

With the appropriate selection of qualitative, semi-quantitative and fully quantitative risk assessment methods and approximate societal risk methodologies, it is possible to be proportionate in the way that risk levels are determined, without the need for overly complex and expensive analyses. These methods are sufficiently useful to satisfy the requirements of the COMAH Regulations to describe the risks as part of the consideration and demonstration that all necessary measures are in place.

REFERENCES

CCPS, 2001, Layer Of Protection Analysis—Simplified Process Risk Assessment (AIChE, New York, USA).
Center for Chemical Process Safety, 1989, Guidelines for Chemical Process Quantitative Risk Analysis (AIChE, New York, USA).
Chemical Industries Association, 1998, Guidance for the Location and Design of Occupied Buildings on Chemical Manufacturing Sites.
French, S., Bedford, T. and Atherton, E., 2001, Supporting ALARP decision-making by cost benefit analysis and multi-attribute utility theory, Research Paper 2001/15, University of Strathclyde, Strathclyde Business School.
Health & Safety Executive, 1997, Successful Health & Safety Management, HSG65, 2nd edn (HSE Books, London, UK).
Health & Safety Executive, 1999, A Guide to the Control of Major Accident Hazards Regulations 1999 (HSE Books, London, UK).
Health & Safety Executive, 2001, Reducing Risks, Protecting People (HSE Books, London, UK).
Hirst, I.L. and Carter, D.A., 2000, A worst case methodology for risk assessment of major accident installations, Proc Safety Prog, 19(2).
Hirst, I.L. and Carter, D.A., 2002, A ‘worst case’ methodology for obtaining a rough but rapid indication of the societal risk from a major accident hazard installation, J Haz Mater, 92(3): 223–237.
Institution of Chemical Engineers, 1999, HAZOP: Guide to Best Practice (IChemE, Rugby, UK).
Middleton, M. and Franks, A., 2001, Using risk matrices, Chem Engnr.
Mooney, J. and Walker, G., 2002, The derivation and use of population data for major accident modelling, HSE Contract Research Report 410.
Naylor, P.J., Maddison, T. and Stansfield, R., 2000, TRAM: technical risk audit methodology for COMAH sites, in Hazards XV Symposium, Manchester (IChemE, Rugby, UK).
Nussey, C., Pantony, M. and Smallwood, R., 1993, Health & Safety Executive’s risk assessment tool RISKAT, Trans IChemE, 171B: 29–40.
UK Offshore Operators Association, 2000, Guidelines for Quantitative Risk Assessment Uncertainty.

ADDRESS

Correspondence concerning this paper should be addressed to Mr D. A. Carter, Hazardous Installations Directorate, Health and Safety Executive, Stanley Precinct, Bootle L20 3RA, UK. E-mail: [email protected]

The manuscript was received 10 July 2002 and accepted for publication 12 September 2002.
