Criterion 3.4 "The safety report should contain estimates of the probability (qualitative or quantitative), of each major accident scenario or the conditions under which they occur, including a summary of the initiating events and event sequences (internal or external), which may play a role in triggering each scenario."
Criterion 3.4 is about the completeness of the accident analysis and the quantification of probabilities. It focuses on whether the various sequences of events that may lead to an initiation of a major accident have been identified and the likelihood of those events quantified in an appropriate way.
There are many factors which could influence the likelihood of a major accident occurring on an explosives installation. These factors include: the inherent sensitivity of the explosives present; the types of processes undertaken (which will determine the types and amounts of energy to which the explosives may be potentially exposed); and the engineered, procedural and managerial safeguards in place, of which safety culture and training and supervision of staff are important aspects.
The depth of analysis needs to be proportionate. Those Operators who are compliant with the QD prescriptions and other normally accepted control measures (i.e. compliance with industry standards, HSE guidance and approved codes of practice), need only give semi-quantitative descriptors of likelihood for each of the identified major accident scenarios (such a scheme was previously shown in Table 2). Operators who are non-compliant should give quantitative estimates of risk.
Assessments of accident likelihood are notoriously difficult. Analysts commonly find that insufficient data are available to derive objective estimates of accident probabilities, and that these probabilities must to some degree be based on subjective judgement. Where subjective judgement is used, it is important that it is applied in a well-structured way, is technically informed and draws on all the available evidence.
In order to form a judgement on these issues, Assessors might ask the following questions:
Assessors should expect to see all events leading to a major accident identified and the likelihood of each event sequence determined. There is a requirement to demonstrate that the risks of the dominating sequences are ALARP. The greater the risks to people off-site, the more reliable must be the quantification.
In general, the likelihood of an explosives event arising within an explosives installation can be analysed as the product of three probabilities: the probability (frequency) of a mishap occurring on the installation; the conditional probability that explosives would be exposed to energetic stimuli given that mishap; and the conditional probability that the explosives would initiate given that exposure.
An explosives event may also occur as a result of auto-initiation. This type of incident results from a failure to stabilise or desensitise sensitive types of explosives, for example a failure to incorporate stabiliser into a nitrate-ester-based propellant, or a failure to ensure that sensitive compounds such as nitrocellulose have been sufficiently wetted.
The likelihood of dangerous occurrences is normally expressed as an annual probability or a yearly frequency, i.e. the chance per year of the occurrences arising, whereas conditional probabilities are dimensionless and simply express the chance that a specified outcome would occur given the occurrence of a mishap.
The Operator should address both the frequency of dangerous occurrences arising and the associated conditional probabilities of explosives involvement and initiation. However, only semi-quantitative estimates of likelihood need be considered for sites which are QD-compliant and conform to accepted standards. These semi-quantitative assessments may be expressed by words such as "incredible", "unlikely", "possible", etc. However, the Operator should broadly define any terms used (following a scheme similar to that shown in Table 2). The Assessors should expect to see a scheme such as that summarized in the following tables:
Table 8: Likelihood of a mishap arising (chance per year)

| Likelihood | Occurrence during operational life | Expected frequency band (per year) |
|---|---|---|
| Frequent | Likely to occur a number of times in a year | F > 10 |
Table 9: Explosion probability definitions 2

| Category | Likelihood of explosives involvement |
|---|---|
| Likely | Explosives more likely than not to be exposed to energetic stimuli given occurrence of incident |
| Unlikely | Explosives may exceptionally be exposed to energetic stimuli given occurrence of incident |
| Incredible | Extremely unlikely for explosives to be exposed to energetic stimuli given occurrence of incident |
Table 10: Explosion probability definitions 3

| Category | Likelihood of initiation |
|---|---|
| Likely | Explosives more likely than not to initiate given exposure to stimuli |
| Unlikely | Explosives may exceptionally initiate given exposure to stimuli |
| Incredible | Explosives extremely unlikely to initiate given exposure to stimuli |
Judgements on whether a particular event is likely, unlikely, incredible, etc., must be based on a consideration of the physical properties of the explosives, the safeguarding measures in place to prevent the event from occurring and the mitigating measures in place to minimize the consequences of any mishap or incident. The Operator may refer to historical accident data to support assessments of accident likelihood.
The number of categories should be sufficient to give the appropriate level of demonstration. Further details are available in a published paper by Middleton and Franks 2001.
In the case of a semi-quantitative assessment, the Operator could base estimates of accident likelihood on identified lines of defence (LOD), i.e. safeguarding and mitigating measures. The LOD concept is based on the observation that a defence can be expected to have a low failure probability, provided it satisfies three simple criteria:
- The LOD should be conservatively designed to possess a substantial capability margin over the maximum perceived demand.
- The design, manufacture and installation of the LOD must be to appropriate quality-assurance standards, and these processes should be subject to appropriate managerial controls.
- The LOD must be subject to regular and appropriate inspection, test and maintenance (or, for managerial controls, audit).
The LOD must not fail as a result of the failure of a single active component or a simple human error - this is referred to as the "single failure criterion" (SFC). However, the SFC need not be satisfied with regard to failure of passive components or wilful human actions such as gross rule violation.
If the safety function of the LOD depends on positive action within half an hour of the occurrence of the mishap, then this action must be initiated by automatic (and redundant) mechanisms. If the action can be delayed by half an hour without prejudice to the safety function, then human initiation is acceptable.
Any system which meets the above criteria can be designated a "strong" LOD. The failure probability of such a system would be expected to be below 10^-3 per year (i.e. less than a 1 in 1000 chance per year). Systems which do not satisfy these criteria might still be claimed as "weak" LODs, provided there is good evidence that they are effective.
A process may be made very robust against mishaps, and hence have a very low major accident potential, by implementing multiple LODs. However, the LODs must be diverse, so that a common mode failure cannot defeat all of the component safeguarding measures at once.
In general the Assessors should expect to see at least one strong LOD for every identified major accident scenario plus additional arguments to demonstrate that risks have been reduced ALARP. A simple list of LODs would not necessarily be sufficient to demonstrate ALARP.
Criterion 3.4.1
"The safety report should demonstrate that a systematic process has been used to identify events and event combinations, which could cause major accident hazards to be realised."
Here reference should be made to Criterion 3.3 and how it was met by the safety report. Essential for the identification of major accident hazards is a detailed description of the site and all of its operations.
The Operator should give due consideration to the following: the probability of mishaps occurring on the installation; the conditional probability that explosives would be exposed to energetic stimuli in the event of a mishap; and the conditional probability that explosives would initiate, given exposure to the energetic stimuli.
At this stage, the Operator should also consider the consequences of any explosives events that might occur. The aim should be to show that low consequence events, involving no more than a few grams of explosives, and which may occur from time to time, are unlikely to cause injury due to in situ measures, such as remote working or use of shields and personal protective equipment.
The Operator should then identify any systems which may be regarded as safety critical. A safety critical system comprises any item of equipment or procedure whose failure would immediately result in a major explosives event, posing a risk of serious injury, death or an unacceptable contamination of the environment.
Criterion 3.4.2
The safety report may not specifically use the term "safety critical events", but these events are those that dominate the risk at different distances from danger areas.
To identify the risk-dominating events, the Operator should first assess the likelihood and approximate consequences of all the potential major accidents identified. These may be grouped into consequence bands as indicated below.

The accident at the top of each band is the safety critical event for the consequences of that particular level of severity. The report should identify a set of representative accidents for more detailed consequence analysis.
A safety report need not necessarily identify accidents in this way, provided it ranks accidents appropriately.
Criterion 3.4.3
"Estimates of, or assumptions made about, the reliability of protective systems and the times for operators to respond and isolate loss-of-containment accidents, etc., need to be realistic and adequately justified."
Operators should not assume that all protective systems will unfailingly perform perfectly or that operatives will always be 100% reliable. For example, an Operator needs to consider what would happen if an automatic drowning system failed on demand, or if an operative failed to activate a manually-operated drowning system.
Criterion 3.4.4
"The methods used to generate event sequences and estimates of the probabilities of potential major accidents should be appropriate and have been correctly used."
In general, a major accident may arise in several different ways. In some cases a number of faults may need to occur simultaneously or in a particular sequence. A site Operator might thus choose to use a technique such as fault tree or event tree analysis to set out the various sequences of events, including those necessary for a minor incident to escalate into a major accident, in a logical framework. Each of the basic events in the tree will have an associated probability. An example fault tree is shown below which outlines some of the potential causes of fire-induced explosions on trucks transporting explosives on site.

In the above example, it is postulated that a fire could break out on a truck as a result of an electrical fault (e.g. an electrical short circuit), a mechanical fault (e.g. a binding brake) or the involvement of the truck in a road traffic accident. Fire might then spread to the explosives load if the passive fire protection on the vehicle were breached and fire-fighting action proved ineffective. Should the load ignite, then, depending on the types of explosives present, the load might detonate. In addition to these possibilities, there is also a chance that an explosion could occur as a result of a "spontaneous" ignition should the load contain explosives that have been badly designed, manufactured or unsafely packaged.
Logic tree analysis is labour intensive and requires reliable failure probability data and experience in their application. An Operator may adopt a much simpler approach. For example, accident sequences may be broken down into three components – a mishap, a control system failure and an operative failure, and the likelihood of the accident determined as the product of the probability of the three component failures. Whilst this approach may be acceptable, Assessors should be aware that it can potentially hide a number of failure events. There may be numerous ways that a control system can fail or an operative can respond incorrectly. Since the probabilities of these failures are usually additive, the Assessors need to be convinced that the analysis is complete and not unduly optimistic. The following questions may help the Assessors reach a conclusion on this issue.
If a dangerous situation can occur following a series of errors by operatives or control equipment failures, the Operator will need to identify each of these in order to satisfy the Assessors that the probability estimate for the event is reasonable. If a breakdown of the individual events and probabilities is not provided, the Assessors may be justified in requesting further information from the Operator.
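The truck-fire tree described above, worked through as an added example (this is not the original page's figure or any Operator's analysis; the gate structure follows the description in the text and every basic-event value is constructed for illustration). The code evaluates the tree, lists its minimal cut sets to show how many distinct failure routes a single lumped "control system failure" factor would hide, and shows that an initiating cause omitted from the analysis adds its full contribution to the top-event frequency rather than being averaged away:

```python
"""Point-estimate fault tree for the truck-fire explosion scenario outlined
above. Added example: the gate structure follows the description in the text,
but every basic-event value is constructed for illustration, not data.
Initiating events carry a per-year frequency; all other basic events are
conditional probabilities, so an AND gate yields a frequency whenever one of
its inputs is a frequency, and an OR gate of frequencies simply adds them."""
import math
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class Basic:
    name: str
    value: float
    per_year: bool = False      # True for initiating-event frequencies


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str                   # "AND" or "OR"
    inputs: Tuple["Node", ...]


Node = Union[Basic, Gate]


def is_frequency(node: Node) -> bool:
    """Unit check: a frequency must not be OR-ed with a probability, and two
    frequencies must not be AND-ed (the product would have no meaning)."""
    if isinstance(node, Basic):
        return node.per_year
    flags = [is_frequency(i) for i in node.inputs]
    if node.kind == "OR":
        if any(flags) != all(flags):
            raise ValueError(f"{node.name}: mixes a frequency with probabilities")
        return flags[0]
    if sum(flags) > 1:
        raise ValueError(f"{node.name}: AND of two frequencies")
    return any(flags)


def evaluate(node: Node) -> float:
    """AND multiplies; OR of frequencies adds; OR of independent
    probabilities is 1 - prod(1 - p). Independence is assumed throughout."""
    if isinstance(node, Basic):
        return node.value
    values = [evaluate(i) for i in node.inputs]
    if node.kind == "AND":
        return math.prod(values)
    if is_frequency(node):
        return sum(values)
    return 1.0 - math.prod(1.0 - v for v in values)


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Distinct combinations of basic events each sufficient for the top event:
    OR takes the union of its inputs' sets, AND combines one set from each input."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = set().union(*child_sets)
    else:
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    return {s for s in sets if not any(o < s for o in sets)}   # drop non-minimal sets


# Constructed values. Initiators are per truck-year; the rest are conditional.
ELECTRICAL = Basic("electrical fault (e.g. short circuit)", 2e-3, per_year=True)
MECHANICAL = Basic("mechanical fault (e.g. binding brake)", 1e-3, per_year=True)
RTA = Basic("road traffic accident on site", 5e-3, per_year=True)
HOT_EXHAUST = Basic("hot exhaust contact (cause omitted from first pass)", 2e-3, per_year=True)
PASSIVE_FAIL = Basic("passive fire protection breached", 0.2)
FIGHT_FAIL = Basic("fire-fighting action ineffective", 0.5)
DETONATES = Basic("load detonates given ignition", 0.3)
SPONTANEOUS = Basic("spontaneous ignition of defective load", 1e-5, per_year=True)


def build_tree(fire_causes: Tuple[Basic, ...]) -> Gate:
    """Fire on the truck, spreading to the load past two defences, then detonating;
    OR-ed with spontaneous ignition of a badly made or badly packaged load."""
    fire = Gate("fire breaks out on truck", "OR", fire_causes)
    reaches = Gate("fire reaches explosives load", "AND", (fire, PASSIVE_FAIL, FIGHT_FAIL))
    fire_explosion = Gate("fire-induced explosion", "AND", (reaches, DETONATES))
    return Gate("explosion of truck load", "OR", (fire_explosion, SPONTANEOUS))


TOP = build_tree((ELECTRICAL, MECHANICAL, RTA))


def omission_effect(extra_cause: Basic) -> Tuple[float, float]:
    """Top-event frequency without and with a fire cause the first pass missed.
    Because initiators are OR-ed, the omission removes its whole contribution."""
    return evaluate(TOP), evaluate(build_tree((ELECTRICAL, MECHANICAL, RTA, extra_cause)))


if __name__ == "__main__":
    print(f"top event: {evaluate(TOP):.2e} per truck-year")
    for cs in sorted(minimal_cut_sets(TOP), key=len):
        print("  cut set:", sorted(cs))
    before, after = omission_effect(HOT_EXHAUST)
    print(f"with omitted cause restored: {before:.2e} -> {after:.2e}")
```

With the constructed values the top event comes out at 2.5e-4 per truck-year and has four minimal cut sets; the three-component shortcut (mishap x control failure x operative failure) would present the same scenario as a single path, which is exactly where an omitted initiator or an extra way for the fire-fighting to fail disappears from view. Restoring the omitted cause raises the estimate to 3.1e-4, showing why the Assessors need the breakdown of individual events before accepting the headline figure.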
The fact that most failure probabilities are not single values but are distributed about a mean should be accounted for in the risk analysis. If there is no information on the probability distribution, it must be concluded that the upper figure is just as likely as the lower one.
Q35: Does the safety report show that site-specific factors have been taken into account in the methods used to generate event sequences and estimates of the probabilities of potential major accidents?
Assessors should be careful not to accept accident analysis from an Operator's core safety report if the report in question does not take account of site-specific information on accident initiators and their probability of occurrence.
Where the Operator employs fault tree, event tree or some other form of logic tree analysis to assess the probability of an event, the Assessors should expect to see numerical or qualitative (as appropriate) estimates for the likelihood of the basic events appearing in the logic tree. The values assigned should be justified by reference to historical data wherever possible. Where values are assigned on the basis of subjective judgement, the reasons for any assumptions made should be clearly explained.
Criterion 3.4.5
"The safety report should provide adequate justification for event probabilities that are not consistent with historical or relevant generic industry data."
Taking post-war historical experience in the UK explosives industry as a guide, the Assessors might expect to see values for major accident rates specified in the table below:
Table 11: Historical explosion frequency data

| Operation | Major accident rate |
|---|---|
| Manufacture or processing operations, except those involving modern blasting agents | Typically 10^-2 per process-building-year |
| Manufacture or processing of modern blasting agents | |
| Storage in non-alarmed stores on civil sites | 10^-3 per storage-building-year |
| Storage in alarmed stores on civil sites (1) | 10^-4 per storage-building-year |

(1) In recent years all security-attractive explosives have been held in secure stores, which are alarmed and linked to an effective response force.
Were an Operator to claim accident rates significantly better than those listed above, the Assessors should expect to see a detailed justification. Failure rate data from the Operator's own long-established database can usually be accepted.
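As an added example tying together the three-factor product (mishap frequency times the two conditional probabilities), the point made above about probability distributions (with no distribution known, the upper figure is as credible as the lower) and the Table 11 benchmarks, the screening calculation below carries each factor as a range and checks the credited result against history. This is not the page's own method: the Table 11 values are the only figures taken from the text, while the one-order-of-magnitude threshold for "significantly better than history" and all of the input ranges are assumptions constructed for illustration.

```python
"""Screening estimate of major-accident frequency for one scenario from the
three factors in the text: mishap frequency (per year) times the conditional
probabilities of explosives involvement and of initiation. Each factor is
carried as a [low, high] range so the effect of crediting the upper figure can
be seen directly. Added example: the Table 11 benchmarks are taken from the
text; every other number here is constructed."""
from dataclasses import dataclass

# Table 11 (from the text), per building-year. The rate for modern blasting
# agents is not recoverable from the page and is therefore not listed.
HISTORICAL_PER_BUILDING_YEAR = {
    "manufacture_or_processing": 1e-2,
    "storage_non_alarmed_civil": 1e-3,
    "storage_alarmed_civil": 1e-4,
}

# Assumption for this example: a claim more than one order of magnitude below
# the historical rate counts as "significantly better" and so needs the
# detailed justification the text calls for.
JUSTIFICATION_RATIO = 10.0


@dataclass(frozen=True)
class Bounds:
    """A non-negative quantity known only to lie in [low, high]."""
    low: float
    high: float

    def __post_init__(self):
        if not 0.0 <= self.low <= self.high:
            raise ValueError(f"invalid bounds [{self.low}, {self.high}]")

    def __mul__(self, other: "Bounds") -> "Bounds":
        # Exact for a product of non-negative, independently bounded factors.
        return Bounds(self.low * other.low, self.high * other.high)


def scenario_frequency(mishap_per_year: Bounds,
                       p_involvement: Bounds,
                       p_initiation: Bounds) -> Bounds:
    """F(accident) = F(mishap) x P(involvement | mishap) x P(initiation | involvement).
    The first factor is a frequency (per year); the other two are dimensionless."""
    for name, p in (("involvement", p_involvement), ("initiation", p_initiation)):
        if p.high > 1.0:
            raise ValueError(f"P({name}) is a conditional probability and cannot exceed 1")
    return mishap_per_year * p_involvement * p_initiation


def credited_value(estimate: Bounds) -> float:
    """With no information on the distribution the text treats the upper figure
    as just as likely as the lower, so the upper bound is the one credited."""
    return estimate.high


def history_check(claimed_per_building_year: float, category: str) -> dict:
    """Compare a claimed rate with the Table 11 benchmark for its category."""
    benchmark = HISTORICAL_PER_BUILDING_YEAR[category]
    ratio = benchmark / claimed_per_building_year
    return {
        "benchmark": benchmark,
        "times_better_than_history": ratio,
        "detailed_justification_required": ratio > JUSTIFICATION_RATIO,
    }


def worked_example() -> dict:
    """One processing building; all three ranges are constructed inputs."""
    estimate = scenario_frequency(
        mishap_per_year=Bounds(0.2, 1.0),   # small fires, spills, dropped items
        p_involvement=Bounds(0.01, 0.1),    # chance the mishap reaches explosives
        p_initiation=Bounds(0.05, 0.2),     # chance the material then initiates
    )
    return {
        "range_per_year": (estimate.low, estimate.high),
        "credited_per_year": credited_value(estimate),
        "if_lower_figure_were_claimed": history_check(estimate.low, "manufacture_or_processing"),
        "credited_vs_history": history_check(credited_value(estimate), "manufacture_or_processing"),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

For the constructed inputs the product spans 1e-4 to 2e-2 per year. Claiming the lower figure would put the building two orders of magnitude better than the Table 11 rate for manufacture and processing and would trigger the detailed justification; crediting the upper figure, as the text requires when the distribution is unknown, leaves the claim consistent with history and needing no special argument.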