Criterion 3.4 "The safety report should contain estimates of the probability (qualitative or quantitative), of each major accident scenario or the conditions under which they occur, including a summary of the initiating events and event sequences (internal and external), which may play a role in triggering each scenario."
Criterion 3.4 is about the completeness of the accident analysis and the quantification of probabilities. It focuses on initiators - have all of them been identified and whether the methods used to determine accident sequence probabilities are appropriate.
The depth of the analysis of the event sequences, which determine the likelihood of realising each major accident scenario needs to be proportionate. At the lowest level of proportionality - provided it is demonstrated that a plant is designed, built and operated to current standards - it will usually suffice for qualitative descriptors of likelihood to be assigned to each MA. For example, the CIA's guidance on emergency planning for chlorine installations gives the following frequency categories:-
Extremely <
Very unlikely
Unlikely
Quite unlikely
Somewhat unlikely
Fairly probable
Probable >
10-6/year
10-6 to 10-5
10-5 to 10-4
10-4 to 10-3
10-3 to 10-2
10-2 to 10-1
10-1
In more complex situations a satisfactory demonstration under Schedule 4 may require the consideration of the conditions under which events occur, their likelihood, and how the events interact so that the likelihood of certain major accidents can be estimated. This will require consideration of the whole causation/outcome sequence.
In order for Assessors to form a judgement on these issues, they should ask the following questions:-
Assessors should expect to see all events producing a major accident hazard identified and the frequency of each event sequence determined. There is a requirement to demonstrate that the risk from risk dominating sequences is ALARP. The greater the risk to people off-site, the more reliable must be the quantification.
For single event initiators such as aircraft impact and earthquake, probabilities based on historical data are acceptable. But it may not be sufficient for the Operator to use data from published sources for event sequences involving say hot work and operator error, without justifying their suitability. The safety report should justify the absence of further redundancy and diversity and show that all necessary measures have been taken to minimise operator error.
Fault tree analysis is not essential to determine accident probability and companies are much more likely to use argument based on the following:-
Approaches based on well founded argument are acceptable, but a safety report that:-
may be judged as failing to meet the assessment criteria.
Base event failure rate data are essential components of quantitative risk assessments, but they must be relevant and applicable to site circumstances. Simply taking a number from the literature without consideration of whether it applies to the site in question is unlikely to be acceptable. On the other hand, use of a failure rate that is not consistent with historical or relevant generic industry data must be justified.
All events/initiators identified in Table 1 should be considered, even if some of them are not applicable to the site. If the warehouse does not store explosive materials or peroxides, some accident scenarios listed in Table 3 may not relevant. In such cases the safety report should state that there is no intention to store these particular materials, therefore their associated hazards do not need to be considered.
Assessors should not expect quantitative analysis in respect of the probability of some on-site fire initiators such as employees smoking, arson, spillage of incompatible chemicals etc. because they are almost impossible to quantify.
The frequency of accidents that have severe consequences for local populations need to be determined more precisely than accidents that have only on-site effects. For most sites this implies that fires should be analysed in depth while thermal radiation hazards from the flame pillar can be treated simply. The radiation falling on targets more than about 30m from the warehouse can be calculated using a point source model approximation assuming 33% of the heat generated by combustion is radiated.
Accidents that are the result of multiple failures should not be assigned a frequency unless details of the analysis of the mode and probability of each of the failures that comprise the accident sequence are provided. For example, a safety report that simply states that the frequency of an event is 'f' on the basis of historical data should be judged as containing insufficient detail.
If a safety report does not predict the frequency of one or more major accidents, it must describe the conditions under which the accidents can occur. It must then show that the installed safeguards (see Table 2 for some examples) ensure that those conditions are very unlikely ever to arise. This demonstration is only possible for certain systems which have been designed to be intrinsically safe. A system that depends on operators and a mixture of active and passive control systems is always at risk from human and equipment failures.
Table 2: Measures to reduce risk and mitigate accident consequences
| Initiators and MAH control | Measure to reduce risk |
|---|---|
| Fire initiators | |
| Smoking | Clear no smoking signs, staff instructions/training and threat of loss of employment. |
| Vehicle fire | Vehicles not unloaded in warehouse, strictly enforced speed limit on site, fire extinguishers at main entrance. |
| Fork-lift truck fire | Scheduled maintenance programme, well trained drivers, use of electric vehicles, fire extinguisher on each vehicle. |
| Spill of flammable liquid | Staff training, spill cleanup kits available, use of non sparking tools in warehouse, oversized drums and trays available, regular inspections of warehouse stock. |
| Incompatible chemicals | Incompatible chemicals not kept in same warehouse, stock inspection before storing, operator training. |
| Overloaded electrical circuit | Absence of electrical circuits in warehouse. |
| Arson | Security fence, intruder alarms, CCTV, forecourt lighting. |
| Hot work | Permit to work system, work fully supervised, risk assessment prior to work starting. |
| Fire during fork lift truck charging | Fork lift trucks not charged in warehouse. |
| Diesel tank fire | Diesel tank sited well away from warehouse, ignition sources well controlled. |
| Other on-site fire | LPG tank sited well away from warehouse. |
| Fire Control | |
| Sprinkler system | in rack foam+water system, testing of diesel engines, back up , regular testing. |
| Fire fighting arrangements | Staff training, fire fighting facilities in warehouses, specially trained staff, good supply of fire fighting water, fire fighting plans drawn up in consultation in fire service. |
| Fire walls | Between warehouses and dividing warehouses, structural elements clad in fire resisting material, vents to reduce smoke logging. |
| Accident consequence mitigation | |
| Fire fighting strategy | Agree let-burn policy with fire service. |
| Site isolation | Single valve prevents water leaving site, instruction to isolate in emergency plan, hold up for several hundred cubic metres of water. |
| Clean up | Plans for dealing with large volume of contaminated water. |
Criterion 3.4.1 "The report should demonstrate that a systematic process has been used to identify events and event combinations, which could cause MAHs to be realised."
Most fire initiators are common to all warehouse sites and the severity of spills, for which accident scenarios are easily identified, depends on location. Highly reactive substances such as peroxides can be responsible for major accidents and several scenarios need to be identified, but again the number of scenarios leading to a dangerous situation are limited and tend not to be site specific. In order to test compliance with this criterion Assessors may find the following questions useful.
It is more important for the Assessor to be satisfied with the completeness of the accidents considered than for the report to use a formalised methodology to identify accident scenarios. If the accident analysis deals with each item of plant in turn and identifies all initiators and all types of fire/explosion, then it can be considered systematic. However, if by reference to Table 3, the Assessor can identify scenarios that have been overlooked, the report is deficient. The seriousness of the omission depends on whether the consequences to the public are worse than those from other accidents that are dealt with and whether the risk from the event in question is ALARP.
The risk to local populations and the environment from different warehouses on a large site is likely to vary depending on the inventory and location. A safety report should evaluate the consequences of fire/explosions in all warehouses that store significantly different substances, and/or are located such the fire is more probable, or fire fighting water run-off is more likely. The location factors that may be significant include:-
With respect to warehouse inventory, the differences that may be significant include:-
Table 3: Check list of accident initiators
| Accident | Comment |
| Off-site Accident initiation probability | |
| Aircraft impact | |
| Seismic event | |
| Subsidence | |
| Extreme
environmental conditions
abnormal rain fall |
|
| Vehicle impact | |
| Land slip | |
| Explosion | |
| Fire | |
| Missile | |
| Pipeline rupture | |
| On site accident initiator probability | |
| Overloaded electrical cable | |
| Malfunctioning fork lift truck | |
| Uncontrolled hot work | |
| Arson | |
| Spillage of incompatible chemicals | |
| Employee smoking | |
| Ignition of spill of HFL | |
| Diesel tank fire | |
| Lorry fire | |
| Fire during battery charging | |
| Other on-site fire |
Criterion 3.4.2 "All safety critical events and associated initiators should be identified."
Since the majority of hazards presented by chemical warehouses stem from fires and explosions (following a fire), the concept of safety critical events may not be strictly applicable.
Criterion 3.4.3 "Estimates of, or assumptions made about, the reliability of protective systems and the time for operators to respond and isolate loss-of-containment accidents, etc need to be realistic and adequately justified."
Dangerous materials tend to be stored in warehouses in small quantities ranging from 1kg to 1m3 IBC. In general the loss of containment in an accident results in a small spill that has little off-site safety implications for people but could have an impact on the local environment.
However, failures (or inappropriate use or omission) of protective systems such as sprinklers, fire doors, spill kits, respiratory protective equipment and protective clothing in general should be considered, together with issues covered by Criterion 3.1.1. This is particularly important when failure of such systems can lead to escalation of an event.
Criterion 3.4.4 "The methods used to generate event sequences and estimates of the probabilities of potential major accidents should be appropriate and have been used correctly."
The only event sequences that were related to warehouses are those that result in a major fire/explosion. In general, these consist of an initiating event and a failure to prevent the fire from spreading. Therefore, criteria 3.4.4 is not strictly relevant to warehouse safety reports.
Criterion 3.4.5 "The safety report should provide adequate justification for event probabilities that are not consistent with historical or relevant generic industry data."
It is acceptable for Operators to make use of historical data on the frequency of off-site and some on-site accident initiators. However, Assessors should be convinced that the measures and procedures to reduce the probability of fires/explosions are adequate. In order to test "adequacy" Assessors may find the following questions and answers useful.
Warehouses located several tens of miles from an airfield are unlikely to suffer aircraft impacts at a higher rate than the background rate for the area. This has one of three values depending on location: -
9.7x10-5km-2yr-1 if warehouse lies within one of three high crash concentration zones.
5x10-6km-2yr-1 if it lies more than 40km from one of these zones.
A value between these two figures, based on linear interpolation, if it lies within 40km of a high crash rate zone.
If the site is located with 15km of an airfields, regardless of size, then a methodology similar to that proposed by AEA should be used to determine impact frequency.
Although seismic activity varies slightly across the UK, Operators are justified in making use of average background data produced by the British Geological Survey. It is probable that modern warehouses will not suffer serious damage at seismic intensities of less than MSK VIII and these events occur at a frequency of 2x10-5 yr-1 The probability of an earthquake causing a major fire is not likely to be more than 0.1, hence 2x10-6 yr-1 is about the figure Assessors should expect to see in a COMAH safety report for a major fire initiated by a seismic.
The frequency of lightning strikes in the UK is between 0.1 and 0.6 flashes to the ground per km2 per year. Most modern warehouse, with the exception of high-bay warehouses, are not more than 15m to the ridge and the frequency of a lightning strike on the building can be determined by multiplying the appropriate location figure by the area of the warehouse in km2.
Essentially all scenarios resulting in a major fire can be split into an initiating event and a conditional probability of a fire in the warehouse. Operators should rank scenarios and show that none have an intolerable frequency, and that the risk from those with a frequency between about 10-6yr-1 and 10-4yr-1 is ALARP.
Most Operators will not calculate frequencies and probabilities, but may simply place points on a diagrammatic representation of the event risks. Assessors should expect to see some form of justification for the location of the points even if it is entirely qualitative. Operators who do not address fire or explosion probability fail to comply with the criteria.
In order to be satisfied about the level of safeguards, Assessors should ask themselves - could this Operator have done more to reduce the probability of fire at a cost that is in proportion to the decrease in risk that would be achieved, and using a system or procedure that would not unreasonably hinder normal day-to-day operations. The sort of measures falling into this category include:-