Criterion 3.1 "The safety report should clearly describe how the Operator uses risk assessment to help make decisions about the measures necessary to prevent major accidents and to mitigate their consequences."
The hazards arising from explosives installations have for many years been limited by formal licensing procedures based on quantity-distance (QD) principles. These principles limit the quantities of explosives that can be present in workshops, magazines, etc. according to the proximity of nearby buildings and certain other facilities both on and off site. Explosives limits for these buildings might be further constrained following consideration of such factors as remote vs non-remote manufacture and minimal quantities for highly sensitive explosives. The aim of QD-licensing is to provide an acceptable degree of protection for the workforce and a high level of protection for the public, though it should be noted that the QD prescriptions have never at any stage guaranteed workers and members of the public complete immunity against the effects of explosives events - for which aim impracticably large separation distances would be required. Rather these prescriptions have been formulated on the understanding that the likelihood of a major accident is low and that a limited amount of damage can be tolerated in the unlikely event that an accident should occur. The conditions of the licence thus provide important measures for mitigating the effects of a major accident but have limited impact on preventing major accidents arising or for dealing with the safety of people who would be immediately affected. These issues need to be covered elsewhere in the safety report.
Under COMAH, a site Operator may choose not to comply with the QD prescriptions, but in which case the Operator must carry out a full quantitative risk assessment (QRA) - i.e. the Operator must quantify the individual and societal risk for persons on and off site and show that these risks are not intolerable and have been reduced as low as is reasonably practicable (ALARP). If, on the other hand, the Operator chooses to comply with the QD prescriptions, then a full QRA is not required in respect of offsite population but rather only a semi-quantitative risk assessment to demonstrate ALARP (see Criterion 3.4) - though a QD-compliant Operator may still choose to carry out a full QRA. Full QRA is also required in cases where there is non-conformity to normally accepted control measures (i.e. non-compliance with industry standards, HSE guidance and approved codes of practice) and where the risks to process workers approach the intolerable level.
Whether an installation is QD-compliant or not, the safety report should clearly state the Operator’s policy on the use of risk assessment, and the HSE should expect to see a policy statement confirming a commitment to risk minimization on the ALARP principle. The type of risk-assessment information that should appear in the safety report will depend on whether the Operator has undertaken a semi-quantitative risk assessment or a full QRA. In broad outline, the information requirement for these two cases is summarised in the table below:
| Qualitative/Semi-quantitative risk assessment | Full QRA |
|---|---|
The Operator must demonstrate a systematic approach to risk minimization. Failure to address the issues summarised in the above table should be viewed as a major shortcoming.
Criterion 3.1.1
"It should be clear that human factors have been taken into account in the risk analysis."
The safety report should describe the procedure used to identify potential errors by operatives that might result in dangerous occurrences and ultimately major accidents. The report should state what measures have been taken to reduce the likelihood of human error. The Assessors should look for evidence to show that process instructions have been clearly written and operatives have been properly trained and are adequately supervised. A failure to address human factors constitutes a serious omission.
Quantification of the likelihood of human error is not straightforward, however, and some of the human reliability data found in the general literature are not universally applicable. Assessors should be concerned primarily with checking that human reliability is included in the analysis rather than with the accuracy of the data used.
The safety report should include consideration of:
In practice many safety reports do not address human factors as thoroughly or with as much rigour as engineering issues. This can be understood in the light of traditional approaches to safety and safety reports, but cannot be justified when human reliability plays a critical role.
The following are examples of common omissions in safety reports:
- The potential for an operative to override designed safety features has not been covered. There should be some mention of "violations" or "breaking the rules" as well as "human error".
- The hazard analysis process failed to identify anything more than errors of omission (the operative failing to act). Most safety reports need to consider errors of commission (an operative taking an action, but the wrong one) or decision-making errors.
- The role of people other than front-line operatives (e.g. maintainers, supervisors) is not considered. Many human failures are the result of actions, omissions and decisions taken by other people, including designers and managers. For example, the potential for a maintenance error on a safety-related system might not be addressed in the risk assessment process.
- There was no consideration of the possibility of a hardware failure with a simultaneous human error. There should be some appreciation that when the hardware of a protective system fails, the operative may also not respond in the intended manner.
- The operative is being asked to do a critical task that would probably be more reliably done automatically.
- There appears to be undue reliance on an operative identifying and responding rapidly to an alarm condition. If so, there should be some justification for the human error probability included. This should be justified in relation to the specific design of the system interface on site rather than a generic value taken from a table.
- There is reliance on 'heroic' acts by operatives to recover situations, e.g. going back to the control room when suffering from the effects of shock, smoke inhalation, etc.
Historical data suggests that human failures contribute up to 80% of industrial accidents. The implications of this run throughout the safety report and through many of the assessment criteria, so they will need to be considered by several members or all of the assessment team.
The safety report should consider in a rigorous and proportionate way how human error might initiate a major accident (see Criterion 3.4.4). It should also describe the part personnel play in controlling hazards and risks. If an operative is required to take certain actions following an alarm, the risk analysis will need to make assumptions about the likelihood that the correct action will be taken.
If a task is critical to the prevention of a major hazard and an unrealistically high level of human reliability has to be assumed to make the risks ALARP, this may not be acceptable as it places an undue burden on the operative. Instead automatic control and protection systems can be used to reduce the reliance on the operative to intervene correctly. To achieve the required reliability it may be necessary to build redundancy and diversity into the control systems.
Not all safety reports will need to quantify human reliability. The focus should be on demonstrating the quality of the training and supervision. If a human reliability figure is used in a fault tree, the Assessors should check that the top event is not sensitive to the value adopted.
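As an added illustration of the sensitivity check (this is not part of the HSE guidance and uses constructed basic-event values): a small fault-tree quantification by minimal cut sets, comparing a tree that relies on the operative alone with one where a redundant, diverse automatic trip has been added, and flagging whether the top event moves materially when the human error probability (HEP) is made an order of magnitude worse.

```python
import math
from typing import Dict, List

# Constructed basic-event data (not from the HSE text). Initiating events
# are frequencies per year; the other events are probabilities on demand.
EVENTS: Dict[str, float] = {
    "overheat_demand": 0.2,    # process upset raising an alarm, per year
    "operative_fails": 0.1,    # assumed HEP for the alarm response
    "trip_fails": 1e-3,        # redundant, diverse automatic trip fails on demand
    "static_discharge": 1e-3,  # hardware-only ignition sequence, per year
}

# Minimal cut sets: every event in a set must occur for the top event.
# Tree A relies on the operative alone; Tree B adds the automatic trip.
TREE_A: List[List[str]] = [["overheat_demand", "operative_fails"], ["static_discharge"]]
TREE_B: List[List[str]] = [["overheat_demand", "trip_fails", "operative_fails"],
                           ["static_discharge"]]


def top_event_frequency(events: Dict[str, float], cut_sets: List[List[str]]) -> float:
    """Rare-event approximation: sum over cut sets of the product of their events."""
    return sum(math.prod(events[e] for e in cs) for cs in cut_sets)


def hep_sensitivity(events: Dict[str, float], cut_sets: List[List[str]],
                    hep_event: str = "operative_fails", factor: float = 10.0) -> float:
    """Ratio of top-event frequency when the HEP is made `factor` times worse (capped at 1)."""
    pessimised = dict(events)
    pessimised[hep_event] = min(1.0, events[hep_event] * factor)
    return top_event_frequency(pessimised, cut_sets) / top_event_frequency(events, cut_sets)


def is_sensitive(events: Dict[str, float], cut_sets: List[List[str]],
                 threshold: float = 2.0) -> bool:
    """Flag a tree whose top event grows more than `threshold`x under the HEP pessimism."""
    return hep_sensitivity(events, cut_sets) > threshold


if __name__ == "__main__":
    for name, tree in (("A: operative only", TREE_A), ("B: trip + operative", TREE_B)):
        print(f"{name}: top event {top_event_frequency(EVENTS, tree):.2e}/yr, "
              f"x{hep_sensitivity(EVENTS, tree):.1f} if HEP is 10x worse, "
              f"sensitive={is_sensitive(EVENTS, tree)}")
```

Tree A's top event is driven almost entirely by the assumed HEP, which is the situation the text says places an undue burden on the operative; in Tree B the hardware-only sequence dominates and a poor HEP value no longer changes the conclusion.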
In the context of human error and how the company ensures that it is minimized, the safety report should:
Criterion 3.1.2
"Any criteria for eliminating possible hazardous events from further consideration should be clearly justified."
This criterion deals with the Operator's limitation of accident analysis in the safety report and can be judged by reference to the following questions:
Operators are obliged to demonstrate that low frequency events with severe consequences are adequately controlled and that all necessary measures have been taken to prevent their occurrence. However, very improbable accident initiators, such as aircraft crashes (for installations which are not on major flight paths or within the vicinity of any type of airport), meteorite strikes and earthquakes may be discounted.
Assessors should recognize that the COMAH regulations do not necessarily call for QRA. Frequency evaluation for highly improbable accidents does not need to be as detailed as that for risk dominating sequences and can be based on historical data, industry standards and regulatory guidance, etc.
The safety report should address all major accident hazards. The term "major accident" is fundamental to the provisions in the regulations and the duties placed upon operators. All incidents involving the unintentional initiation or ignition of a quantity of explosives must be considered an uncontrolled development and outside the operating conditions normally experienced. Even small quantities of explosives can cause significant injury and death. All incidents which have the potential to cause injury to people or damage to the environment should be considered in the safety report.
Many processes are operated remotely or are arranged so that only the minimum of explosive is present but these should still be identified in the report as potential major accident hazards. This would include "covenanted" ignitions if there is any possibility that such ignitions could, in the most adverse circumstances, result in injury. The arrangements for remote operation or minimizing the quantity of explosives form part of the control measures for the prevention of injury to people and damage to the environment and should be included in the demonstration that all the measures necessary are being taken. The Operator should describe how decisions are made on which processes are to be undertaken remotely.
It is permissible for an Operator to describe in detail the consequences of only a relatively small number of representative types of event, provided all significant potential accidents are identified and ranked according to risk. For example, if six different sequences of event are identified with the potential to initiate the same type and quantity of explosives, then the consequences of only one of them need be described, provided the likelihood of the others is addressed. However, the Operator must demonstrate that the risk from every accident scenario is ALARP.
As noted previously, an Operator who is fully compliant with the QD rules and normally accepted control measures (i.e. industry standards, HSE guidance and approved codes of practice) need not undertake a full QRA. In such cases semi-quantitative estimates of accident likelihood will suffice. One such scheme is illustrated below.
Table 2: Definition of accident likelihood
| Likelihood | Definition | Expected frequency band (per year) |
|---|---|---|
| Frequent | Likely to occur a number of times in a year | F > 10 |
The Operator is not obliged to use the scheme outlined in this table, but what is important is that any qualitative terms used by an Operator should be clearly defined.
Where accident likelihood is quantified, this need not be based on formalised methods such as fault and event tree analysis. Historical data, industry standards, regulatory guidance, etc. can all be used to determine failure rates of individual components and whole accident sequences. However, statements of the kind "the probability of this accident occurring is judged to be less than 10^-6 per year" are not acceptable if not backed by supporting evidence. A poorly documented or sparsely detailed frequency analysis that appears somewhat optimistic may be judged as failing to comply with the assessment criteria.