Criterion 3.3 "The safety report should identify all potential major accidents and define a representative and sufficient set for the purpose of risk assessment."
All activities involving explosives pose a hazard. Looked at from first principles, an explosive will initiate when exposed to energetic stimuli such that the rate at which energy is transferred to the explosive material exceeds some critical value. However, this critical value varies considerably across the broad range of substances and articles classed as "explosives". The most sensitive explosives, i.e. primary explosives and certain pyrotechnic compositions, will detonate when exposed to levels of stimuli generated in many common place activities - for example, crystals of mercury fulminate will detonate if trampled underfoot. At the other end of the scale are certain insensitive secondary explosives, which will detonate only when exposed to very high levels of stimuli - an example is provided by certain types of modern blasting explosives which cannot be reliably initiated by a standard detonator but rather require an intermediate booster charge. Thus the risk of accidental initiation for any activity involving explosives will depend both on the "sensitiveness" of the explosives and the types and amounts of energy to which the explosives may be potentially exposed.
It follows that the measures taken by Operators to guard against explosives events will be determined by both the nature of the activities undertaken on site and the ease with which the explosives may be initiated by an accidental stimulus. In general, one could expect to see increasingly more stringent measures applied the greater the sensitiveness of the explosives handled and the more energetic the activities undertaken. For instance, machining and pressing are operations in which explosives are subjected to comparatively high levels of stimuli - and in which explosives may be exposed to large amounts of energy in the event of a mishap - and accordingly remote working with minimal quantities is often preferred for these types of operations: such a measure safeguards against injury in the event of an initiation. An Operator may also choose to install shields and barricades to protect workers against the effects of accidental initiations of explosives materials.
The Operator should summarize, in a proportionate way, the results of studies undertaken to identify the potential causes of major accidents. The methods of study used and the expertise of the team involved should also be mentioned. To provide a convincing demonstration that the study has been comprehensive, the Operator needs to have examined each danger building on the installation and the processes undertaken in those buildings. The possibility of interactions between different processes and between different items of plant also needs to be addressed. Assessors should judge the completeness and adequacy of the way these issues have been dealt with by asking the following questions:
The report should explain how the potential causes of major accidents have been identified and demonstrate that no important scenarios have been overlooked. When the method of identifying accident causes is not systematic or transparent it will be much more difficult to convince the Assessors of its completeness. Simple lists of accident scenarios may be appropriate in those cases where the risks to off-site population are negligible; but generally Operators will need to demonstrate that no potential causes of major accidents have been overlooked, by including within the safety report a full account of the hazard identification exercises undertaken.
Further guidance on the potential causes of accidents leading to ignitions of explosives material is given at the end of this section. While the examples given may not embrace the entire range of possible sources of ignition, they do form a checklist to help Assessors judge the completeness of the Operator’s accident analysis.
Further guidance on systematic techniques that may be used to identify causes of potential accidents is given in the discussion under Criterion 3.3.1. Further guidance is provided in Appendix 2, where some of the lessons drawn from past accidents are discussed.
The safety report should identify all potential causes of major accidents originating outside the installation, such as lightning strikes, vegetation fires and spread of fire from adjoining installations. However, very improbable causes of such accidents, such as aircraft crashes (for installations which are not on major flight paths or within the vicinity of any type of airport), meteorite strikes and earthquakes may be discounted.
The Operator should take account of any other types of hazardous materials, other than explosives, that might be on site. The report should recognize the presence of any such materials (e.g. pressurized gases) on the installation, and state whether the quantities of these materials are sufficient to constitute a major hazard in their own right. The report should state whether an explosives event could trigger a major accident involving these types of materials.
There is no requirement for the Operator to describe the consequences of every major accident if many of these would have a similar impact on employees, local populations and the environment. The safety report need only define a representative set of accidents for the purpose of consequence analysis. However, the consequence analysis must embrace the most severe accident that could potentially occur on the installation.
At the same time the Operator should separately determine the consequences of any accidents leading to the initiation of identical quantities of explosives if the circumstances of ignition could give rise to different effects. For example, an ignition of explosives in a confined area could result in much more severe consequences than an ignition of the same quantity of material in an open space.
The Assessors must be satisfied that the accident scenarios considered dominate the risk and encompass the complete spectrum of severity. The safety report must consider explosions and fires at the "worst locations", for example, the danger buildings nearest to office blocks or other populated buildings on and off site. The report should also consider the effects of an event involving the maximum quantity of explosives allowed to be present at the "worst locations". The safety report should also recognize that the number of people at risk from an event could vary with time. There may be occasions when personnel pass close to the danger building or when routine work is undertaken in the vicinity of the danger building – grass cutting, for example. It should be clear that the maximum possible exposure has been considered.
An accidental initiation of explosives (hereafter called an explosives event) may give rise to a number of harmful and damaging effects. The particular effects would depend on the types of explosives initiated while the magnitude of these effects would largely depend on the quantities of explosives initiated. The table below lists the different types of effects that could be expected from the four Hazard Types of explosives defined by the HSE.
Table 5: The potential hazards of different types of explosives
| Hazard type | Explosion effect |
|---|---|
|
1 (subs.) 1 (articles) 2 3 4 |
Blast, cratering, ground shock and secondary fragments. Blast, cratering, ground shock and primary & secondary fragments. Small blast effect plus primary fragments. Fire and thermal radiation effects. No significant effect. |
In general, the magnitude of the effects produced by an explosives event will increase with the quantities of explosives initiated. Explosives articles of Hazard Type 2 are an exception in that these articles, when exposed to fire, tend to explode in ones and twos over a period of time; and so the effects from an event involving a large number of such articles would be no more severe than those generated in an event involving a small number, rather the effects would continue over a longer period.
An explosives event may escalate in one of two ways: by a process of instantaneous communication, where a detonation of explosives in one location causes a virtually simultaneous detonation of explosives in another; and by delayed communication, where a fire started by the initial event spreads and eventually involves other explosives. Failure of the Operator to list any measures designed to prevent escalation - measures such as detonator traps, evacuation and fire-fighting procedures, etc. - would be indicative of a lack of thoroughness in the performance of the hazard identification exercise. A failure to list these measures would also subsequently hinder the Assessors in reaching judgements concerning accident consequences.
The safety report should also address any measures designed to unitise risk within a danger building. These measures might include engineered systems and/or procedures to limit the quantities of explosives present at any particular workbench or in any particular apparatus or item of equipment. Whilst such measures might protect against instantaneous communication, any potential for escalation by subsequent spread of fire, etc. should be addressed.
"The safety report should demonstrate that a systematic process has been used to identify all foreseeable major accidents."
In order to judge compliance with this requirement of the regulations, Assessors can ask the following questions:
The types of energetic stimuli that can, in principle, bring about initiations of explosives are as follows:
Thus the Operator should consider the ways in which explosives material might be exposed to these stimuli. There are a number of techniques, including Hazard and Operability Study (HAZOP) and Failure Modes and Effects Analysis (FMEA), which the Operator might use to help identify such incidents. However, the regulations do not require the application of any one particular technique. An Operator might be able to demonstrate that all potential major accidents have been identified without resort to formalized methods, such as HAZOP and FMEA, by providing a detailed description of the plant and processes and systematically addressing the hazards from each in turn.
Nor need an Operator necessarily undertake detailed exercises for every danger building on site, providing one particular building can be regarded as sufficiently representative of a group of buildings. For example, there may be a number of magazines on site, all built to the same design, all containing the same types of fixtures and fittings, and all containing the same types of explosives. Clearly there is no need to carry out separate exercises for each magazine; one such exercise performed on a representative magazine would suffice.
What is important is that the Operator should identify the hazards arising from each type of process carried out on site. The Operator should consider all the types of initiating stimuli listed above or provide good reasons for discounting these stimuli as potential causes of accidents. As already mentioned, an Operator is not obliged to use any one particular hazard identification technique: the requirement is that the Operator should endeavour to identify all potential causes of major accidents and employ a systematic technique to this end.
Criterion 3.3.2
"The hazard identification methods used should be appropriate for the scale and nature of the hazards."
The technique employed by the Operator to identify potential causes of accidents should be proportionate to the severity of the potential outcome of those accidents. Where an explosives event has the potential to cause significant off-site effects, i.e. damage to several properties and possible injury to members of the public, the use of a formalized technique, such as HAZOP, should be considered. For lesser events, the Operator might use some other technique, such as safety reviews and studies of the causes of past accidents and incidents, or standard or bespoke checklists drawn up from the results of previous hazard identification exercises. However, the Operator should clearly state the technique that has been used as well as the expertise of the personnel involved in the exercise.
As mentioned, the level of analysis employed by the Operator should be proportionate to the perceived risk. The greatest risks are likely to be posed by manual operations involving sensitive explosives, or in terms of consequence, operations involving quantities of explosives sufficiently large to cause an off-site effect should an initiation occur. In such cases the Operator may choose to undertake a HAZOP study.
HAZOP is essentially a brainstorming technique in which the members of a team are prompted by a series of parameters and guidewords to think laterally about possible causes of undesired events. The technique was first developed in the chemical industry, and for those process operations which involve chemical engineering plant, e.g. mixing of emulsions, use of the traditional HAZOP parameters and guidewords would be appropriate:
Table 6: Traditional HAZOP key words
| Parameters | Guideword |
|---|---|
|
Flow |
No |
|
Temperature |
More |
|
Pressure |
Less |
|
Composition |
As well as |
|
Phase |
Reverse |
|
Level |
Other than |
For other types of operations, the previously listed types of energetic stimuli provide a more suitable set of parameters, while a set of generic incident-type headings for each type of stimulus provides a suitable set of guidewords. An example set of guidewords is shown in the table below.
Table 7: HAZOP key words for explosives hazards
| Parameter | Guidewords |
|---|---|
|
Impact/friction |
Falling object |
|
Fire/thermal effects |
Fire inside building |
|
Electrical effects |
Static discharge |
|
Overpressure/fragment attack |
Communication |
|
Chemical attack |
Contamination |
|
Electromagnetic radiation |
RF radiation |
To take a concrete example: the members of a HAZOP team might start by taking the first parameter and guideword listed to prompt thought about how objects might potentially fall onto explosives material. For example, such an incident might occur if there were an overhead crane in the building and the crane failed for some reason - such as mechanical failure, human error, etc. Other types of overhead fixtures and fittings, such as light fittings, may also have the potential to collapse onto explosives material, though the energy imparted in such events may not inevitably initiate the explosives. These types of events can therefore be regarded as "dangerous occurrences", i.e. events in which explosives material is unintentionally exposed to energetic stimuli but the probability of initiation is less than unity. The Operator should aim to identify all potential incidents that could be classed as dangerous occurrences.
It is important that the Operator should consider human error as part of the hazard identification exercise. Here a series of "what if" type questions might be asked in regard to process instructions:
The potential for malicious action should also be considered, particularly at those sites where explosives buildings are not alarmed and linked to an effective response force.
The Operator should then list the measures in place to guard against the identified dangerous occurrences. These measures may be either engineered or procedural. For instance, to take the previous example of the falling crane, the engineered safeguards may consist of such measures as intrinsically safe design, fail-safe mechanisms, crash nets to catch falling objects. The procedural safeguards may comprise measures such as regular inspection and maintenance of equipment and training of staff in safe operating techniques, or procedures prohibiting the use of the crane while explosives are in the building.
Failure to list these safeguards would be indicative of a lack of thoroughness in the performance of the hazard identification exercise. A failure to list these safeguards would also hinder the Assessors in the further stages of the evaluation procedure when judgements concerning accident likelihood would need to be made.
The Operator should also list all measures designed to mitigate the consequences of any accidents that may occur. Again these measures may be either engineered or procedural. Examples of engineered measures include design features such as interlocks, frangible roofs and blast panels, protective earth mounds, etc.; while examples of procedural measures include quantity-distance prescriptions, man limits, minimal quantities for sensitive explosives, emergency plans and evacuation procedures, etc.
Public Register of COMAH Establishments
