Criterion 1.7 "Do the findings and conclusions in the safety report demonstrate that the measures adopted to prevent and mitigate major accidents make the risk: ALARP?"
This criterion requires the Safety Report Assessment team to take a view on the suitability and sufficiency of the Operator’s risk assessment that underpins the demonstration that all measures necessary have been taken to prevent and limit the consequences of major accidents. This means that the Operator must demonstrate compliance with Sections 2 and 3 of the HSW Act, i.e. show that the risks to people on and off site from the Operator’s activities are ALARP.
The predictive assessors need to form their own view on how the safety report meets this criterion. Further guidance on this matter is provided in SRAM Part 2 Chapter 1. The assessment guidance is repeated here and expanded upon where relevant for explosives installations.
Most safety reports will present uncertain estimates for both accident probabilities and consequence predictions. This uncertainty should be offset by conservatism in the analysis. The Operator should aim to identify all assumptions that could have a significant effect on the results of the assessment, and, if necessary, carry out sensitivity tests to determine the effects of changes in input data to the various models used. For example, if the fatality estimates are sensitive to assumptions regarding population density at a particular exposed site, then the effect of varying the population density at that site should be explored - the population density at a particular spot may vary with time of day and day of the week.
The Operator is only required to provide numerical risk estimates in cases where there is non-compliance with either QD prescriptions or normally accepted standards; otherwise semi-quantitative assessments of risk will suffice. In the latter case, the Operator should categorise the likelihood of each identified major accident scenario using semi-quantitative terms such as "occasional", "unlikely", "remote", "incredible", etc. Any terms used should be clearly defined and the likelihood analysis should be based on the safeguarding and mitigating measures that singly or in combination form Lines of Defence against major accidents (see assessment against criterion 3.4). The Operator should also provide estimates for:
To this end freely available explosion effects and consequence models are available to help the Operator (see assessment against Criterion 3.5.4).
In cases where quantified risk estimates (full QRA) are required, the Operator should provide numerical estimates of individual risk for all locations on and off site where persons may be exposed to harmful effects in the event of an accident. The Operator should also provide FN curves (i.e. curves showing the frequency of events resulting in N or more fatalities) to show the group risk arising from operations on the installation.
Irrespective of the mix of argument, semi-quantitative evidence and quantitative analysis used to determine risk, Assessors should have confidence in the results and concur with the conclusions presented in the safety report. The Assessors should treat with great caution any risk calculations based on optimistic assumptions and highly uncertain data.
In addition to evaluating the sufficiency and suitability of the risk assessment presented in the safety report, the Assessors needs to take a view on whether the Operator has taken all measures necessary to prevent and limit the consequences of major accidents. The following set of questions may aid this process.
The Assessors should check that the accumulated probability of death of the off-site individual most at risk from all accident sequences is less than 10-4. If it is not, it is probable that either the safety measures on the installation are deficient (i.e. risks are not ALARP), or that the accident analysis is overly conservative. In either case the Assessors should reflect their concerns in their assessment report.
It is possible that a situation may arise where the risk to any one person is sufficiently low, but where nevertheless the risk of a multiple-fatality accident is uncomfortably high. In such cases, the safety report should not be deemed deficient, but the Assessors should convey their feelings to the Assessment Manager for the safety report.
The Operator should systematically examine the risk dominant accident sequences and identify additional measure that would reduce the residual risk. For example, it may be possible to automate certain processes; or replace certain types of sensitive explosives with less sensitive explosives; or if there is a hospital or an environmentally sensitive area in the vicinity of the installation, then it may be reasonably practicable to take preventative or mitigation measures over and above recognized standards. The safety report should explain why any additional measures so identified have not been taken. Such arguments remove the grounds for rejecting the safety report and open up the possibility of a dialogue about which improvements would be cost effective.
The level of quantification expected for the various types of risk assessment is dealt with by other criteria. Where a full QRA has been undertaken, the presentation of the quantitative arguments may need to be coupled with cost benefit analysis in order to provide the justification that all measures necessary have been taken.
If quantitative arguments are used, the methods, assumptions and the criteria adopted for decision making should be explained. For example in the case of fatality risks to people off site it is common practice [HSE, 1992] for the maximum tolerable level of individual fatality risk to be set at 10-4 per year and for the broadly acceptable level to be set at 10-6 per year. The corresponding figures for workers are 10-3 and 10-6. There are no commonly agreed criteria for lower severity levels. However, HSE has published harm criteria for land use planning purposes for a variety of substances, i.e. the "dangerous dose" level, which is equivalent to a 1% chance of fatality when a healthy person receives the dose.
The safety report should demonstrate that a systematic and sufficiently comprehensive approach to the identification of risk reduction measures has been adopted.
Where proportionality indicates that a site could rely on qualitative ALARP demonstration, operators may refer to relevant standards or guidance on good practice to support their demonstration that adequate safety and reliability have been incorporated and that by the measures provided they have reduced the risks to ALARP (much guidance is given in the consultative document issued by HSE for the proposed new regulations on the ‘Manufacture and Storage of Explosives’). However, in making this demonstration, Operators need to consider the particular circumstances of their installations and the consequences of identified major accidents both on and off site and decide whether there are any further reasonably practicable risk-reduction measures that could be taken. Attention should be focused both on measures to prevent major accidents and to mitigate the consequences of any accidents that might occur. This is a step which Operators must take before they can demonstrate that risks are ALARP.
Where proportionality indicates that full QRA is required, the safety report should show that a systematic assessment of additional risk-reduction measures has been carried out. In some circumstances there may be risk-reduction measures that are reasonably practicable in addition to existing published industry good practice.
Determination of whether risks have been reduced ALARP involves an assessment of the benefits arising from the reduction in risk achieved by particular measures, an assessment of the cost in time, money or trouble of implementing those measures and a comparison of the two. Where there is deemed to be a "gross disproportion" between the two, i.e. the risk reduction being insignificant in relation to the cost then such measures can be ruled out as not reasonably practicable.
Operators often refer to standards and published papers in their risk assessment. These may be HSE guidance documents, or plant design and operating standards, or papers containing information on historical accident rates, etc. In each case, the Assessors should consider whether the standard is applicable to the Operator's plant and if it is appropriate, given that HSE guidance and standards are updated from time to time. British Standards are revised at regular intervals and while not all the data in the standard may change, a major accident somewhere in the world can lead to a revision of failure frequencies of certain plant items.
At five-year updates HSE expects Operators to carry out a reappraisal of the risks from their operations and to determine whether recent technological advances offer opportunities for risk reduction.
The main conclusions on the measures necessary to control risks should adequately take account of the sensitivity of the results of the analysis to the critical assumptions and data uncertainties.
One of the purposes of the risk assessment in a COMAH safety report is to demonstrate that sufficient control measures are in place to reduce the risks from the installation to a tolerable level. This is possible if the Operator has accounted for uncertainty in both the frequency and consequences of accidents. Considerable uncertainty is tolerable in the frequency and consequences of accidents that are, beyond a shadow of doubt, not risk dominating, but Operators should present sensitivity studies that show their predictions for safety critical events are not seriously in error. Assessors can ask the following questions to test compliance with this criterion:
It is unlikely that any model can be relied upon to give exact predictions for the outcomes of explosives events at all the ranges of practical interest. These outcomes will be dependent on numerous factors, such as the stacking arrangements within the danger building, the type of construction and state of repair of the danger building, the topography surrounding the danger building, the type of construction and state of repair of the exposed buildings, climatic conditions and the state of health of the exposed population. Not all of these factors are amenable to modelling. Predictions for the numbers of fatalities/injuries to be expected in the event of an accident will thus inevitably subject to uncertainty. In view of this uncertainty, it is important that the underlying assumptions built into the models used by the Operator should err on the side of caution. The models should likely produce a slight overestimate of risk for the typical situation but not produce results which are patently exaggerated - in other words the models should give "conservative best estimates" for accident outcomes. The models discussed under Criterion 3.5.4 are considered to give such predictions. Further advice on suitable models is given in the HSE publication ‘Selection and use of explosion effects and consequence models for explosives’.
As well as uncertainties in the consequence analysis, it should be clear that the Operator has addressed possible uncertainty in the following areas: mishap frequencies; conditional probabilities of initiation; reliability of safeguarding measures, time-variable population data; efficacy of emergency plans and evacuation procedures. Where there is any doubt as to the exact value of any of these parameters, then the Operator should err on the side of caution and the Assessors should expect to see conservative values adopted. Any assumptions made by the Operator should be based on sound engineering judgement and backed up by strong qualitative arguments.
The conclusions drawn from the risk analysis with respect to emergency planning should be soundly based.
A safety report does not need to describe the off-site emergency plan, but it should provide guidance for the Local Authority on the severity of the risk dominant accidents. This information should be presented in an easy to assimilate form such as a table that summarizes accident probability and likely numbers of casualties in three severity groups (superficial injuries, hospitalisation and fatalities). It should also indicate the number of people likely to be made homeless by the effects of explosions.
In the event of a major accident the emergency services will want to know where to deploy their staff in order to bring relief to the maximum number of people in the shortest time. The Operator should consider the worst possible major accident scenarios when drawing up emergency plans. It should be clear that the Operator has considered the consequences of accidents involving the full licence limits for the potential explosives sites. It should be clear that the Operator has determined the areas where people may be seriously injured and require hospitalisation. The maximum distance out to which people are likely to be injured is of vital importance.
EU 1998. G A Papadakis and A Amendola (Editors) Guidance on the Preparation of a Safety Report to meet the requirements of Council Directive 96/82/EC (Seveso II). Report EUR 17690 EN.
HSE 1978. CANVEY: An investigation of the potential hazards from operations in the Canvey Island/Thurrock area. HMSO
HSE 1981. CANVEY: A second report. HMSO
HSE 1992. The tolerability of risk from nuclear power stations. HMSO
HSE 1999a. A guide to the COMAH Regulations 1999.L111, HSE Books 1999.
HSE 1999b. HSG190 Preparing Safety Reports: COMAH 1999. HSE Books 1999.
HSE 2002. Reducing Risks Protecting People:. HSE Books
Middleton M. & Franks A. "Using Risk Matrices", The Chemical Engineer, September 2001, pp 34 – 37
Public Register of COMAH Establishments
