Criterion 3.3 "The safety report should identify all potential major accidents and define a representative and sufficient set for the purpose of risk assessment."
This criterion reminds Assessors that they need to check that:-
Ideally, the Operator should summarise, in a proportionate way, the results of hazard studies, the methods used and the expertise of the team involved. The scope of the studies and the HAZID process used should also be described. To provide a convincing demonstration that the list of MAs is complete, the process needs to be systematic, ie each plant and its operational sequences should be considered in turn, including the possibility of interactions. Assessors should judge the completeness and adequacy of the way these issues are dealt with by asking the following questions:-
Q: Is the approach the Operator has adopted to identify all major accidents suitable and fit for purpose?
The report should explain how major accidents have been identified and demonstrate that no important scenarios have been overlooked. When the method of identifying accidents is not systematic or transparent it will be much more difficult to convince the assessor of its completeness. Simple lists of accidents without evidence to show they are comprehensive may be appropriate in some cases, depending of the scale of the risk to off-site populations, but generally Operators will need to demonstrate that no major accident has been overlooked. Assessors should take into account the scale of the hazards when making a decision on this issue (proportionality).
Q: The accidents considered should include those initiated by off-site events.
The accident analysis should identify all potential off-site initiators of major accidents and an indication of their likelihood (see Table 2). On-site accident initiators such as hose coupling failures, overfilling, lifting or movement operations may require a more detailed frequency assessment in order to demonstrate the adequacy of installed safeguard systems.
Q: Have all possible sources of major accident hazard been identified?
Many HFL sites store a range of hazardous substances and most will have pipe work and equipment containing materials with the potential to produce a minor hazard that is capable escalation. Some HFL incidents are characterised by an insignificant failure that, if not quickly attended to, escalates to an event of major proportion. Thus the accident identification process should not be restricted to vessel and pipeline failures, but should address all plant items on which failures have the potential to initiate a major accident. Ground inclination and common drainage systems that can convey a spills considerable distance and /or result in a running pool fire or drain fire/explosion should not be forgotten.
Q: Are the accidents addressed in the safety report representative of the full spectrum of major hazards presented by the installation?
There is no requirement to repeatedly describe the consequences of accidents that have a similar impact on employees, local populations and the environment. The safety report does not have to describe the consequences of all the major accident hazards, but just to identify them. Instead it may define a representative set of accidents that includes the most severe plant failures and consider all possible consequence (eg pool fire, jet fire, flash fire, etc). In other words, the consequence analysis can be based on a reduced set of accidents that are representative of the hazards from the site.
Q: Does the 'representative sample' of major accidents include the risk dominating accidents?
The Assessor must be satisfied that the accidents considered dominate the risk and encompass the complete spectrum of severity. Table 2 identifies plant items that contain, or are connected to, a large inventory of HFLs and lists the most obvious potential accidents or failure modes. While it may not be completely exhaustive for all installations, it can be used as a check list to assess the completeness of the accident analysis. If there are any unexplained omissions that would significantly change the predicted risks posed by the site, it may be deemed to fail to comply with the assessment criteria.
Q: Are the descriptions of accidents in the safety report sufficiently comprehensive to allow the adequacy of the methods for preventing major accidents and for limiting their consequences to people and the environment to be assessed?
The safety report should determine the consequences of essentially identical accidents in very similar plant if the consequences are likely to be different. For example, if a transfer pipe failure can release HFL at say 20 kg/s in one area of the site while a hose rupture on a road tanker can result in a similar release in a different location, the safety report should consider both failures because they may have different consequences. The safety report should also consider failures occurring at the 'worse locations' which may be on a major transfer pipe through a congested area where the possibility of a VCE can not be ruled out. A safety report that fails to address the 'worst case' consequences of representative accidents does not meet the assessment criteria.
Q: Have all the potential consequences of each of the reduced accident set been considered?
Failures of HFL systems can give rise to thermal radiation, explosion, and in certain cases, toxic hazards, that must be addressed in the safety report. For example, the consequences of failure of a large HFL storage vessel that should be considered are pool fire, jet fire, flash fire, and possibly a VCE. Some of these events may be more probable than others, but those contributing little to the total risk should not be ignored.
The toxic effects of certain HFL's and the combustion products from fires must be included in the report. Large pools of low boiling point toxic liquids can give rise to dangerous concentrations some considerable distance away and combustion of any flammable liquid containing, nitrogen, chlorine or sulphur will produce a hazardous smoke plume. In general such plumes are highly buoyant and have little impact off site, but in a high wind, people in high rise buildings close to the site can be exposed to dangerous concentrations of HCl, NO2, HCN or SO2.
Q: Has the potential for escalation been properly addressed?
Some accidents at an installation can cause other failures in that they may have as severe or even more severe consequences. The safety report must recognise this possibility and address it by postulating accidents in 'worst case' locations. Of particular concern are:-
The site description should be detailed enough to enable the Assessor to identify the most hazardous locations for component failures and hence determine if the accidents considered are 'worst case'.
Types of Accident suffered by HFL Storage sites
Although Operators need to demonstrate the use of a systematic approach to accident identification, Assessors are likely to find that few safety reports present the results of formalised methods such as cause-consequence diagrams or failure modes and effects analysis. An alternative approach that some Operators may adopt involves listing each item of plant and identifying all its failure modes that would give rise to a major accident hazard. Individual thermal radiation, explosion or toxic hazards are then identified by reference to the following list:-
The accidents that HFL storage facilities can suffer fall into eight main categories:-
The different consequences of loss of containment accidents depend on the sequence of events leading to the fire, explosion or toxic cloud release. A fireball will only result from a massive and rapid release of HFL vapour and immediate ignition of the release. BLEVE will only occur where flame impingement occurs on pressurised plant such as storage vessels and certain types of tankerage. A tank fire typically occurs as a result of an internal ignition or burn back and subsequent roof failure, while a flash fire may follow a large release of vapour that disperses and then encounters a source of ignition. Releases into confined spaces with ignition sources may result in explosion.
Failures of large diameter transfer pipe work or large high pressure import or export lines can result in releases of liquid with varying severity depending on the time to isolation, the nature of surface at the failure location, the degree of containment available and the presence of ignition sources. Guillotine failure of a pressurised pipeline will result in an initially high flow rate as the pressurised pipeline relaxes. Depending on the vapour pressure of the fluid a large flammable cloud may be produced, which if ignited, behaves like a fireball. Burn back then results in a pool fire or jet fire.
The stabilised flow rate out of a long pipeline is function of the pump characteristics associated with the transport activity. If the liquid is toxic and vaporising, the time sequence of the release should be used to determine the most appropriate dispersion analysis (quasi-instantaneous or continuous release). Delayed ignition of a vaporising release into a congested volume may result in an explosion that produces a dangerous side-on pressure at some distance. Either calculations or reference to an authoritative source should be presented if the possibility of a VCE is discounted. A safety report should not overlook the possibility of jet flame impingement on a storage vessel and subsequent escalation of the accident.
Criterion 3.3.1 "The safety report should demonstrate that a systematic process has been used to identify all foreseeable major accidents."
In order to judge compliance with this requirement of the regulations, Assessors can ask the following questions:-
Q: Is it obvious that all major accident scenarios have been identified?
Identification of all major accident scenarios is a very important requirement of the regulations and a safety report that fails in this respect may be considered deficient. Systematic approaches to accident identification include HAZOP, event tree analysis and failure modes and effects analysis. However, the regulations do not specifically require their application. An Operator may be able to demonstrate that all major accidents have been identified without resort to formalised methods by providing a detailed description of the plant and by systematically addressing the hazards from each part in turn.
Q: Does the Operator provide evidence that all major accident hazards have been addressed.?
Operators that have not used a formalised structured method to identify major accidents should provide evidence that no sequence has been overlooked. For example if overfill is identified as a major accident scenario, there may be half a dozen ways in which this can occur as result of equipment failures and human error. The safety report should address each one and show that all necessary measures have been taken to prevent the accident occurring. If sequences are overlooked, the report must be deemed to fail to comply with the regulations, however, the depth of the accident analysis need only be proportionate to the scale and nature of the hazards and associated risks.
Criterion 3.3.2 "The hazard identification methods used should be appropriate for the scale and nature of the hazards."
Hazard studies employing HAZID techniques are widely used in the chemical industry and can be carried out at various stages during the lifecycle of a plant. They are systematic way of managing hazard over time, from the business requirement stage through to demolition and disposal. HAZID techniques seek to identify hazards in an absolute or relative way. Relative methods use checklists or hazard indices based on experience and lessons from incidents. Absolute methods are based on deviations from design intent eg HAZOP. Details can be found in Lees (1996), Kletz (1999) and CCPS (1989).
Methods (listed in increasing proportionality) that might be used include:-
Whatever approach is used, it must be documented as part of the safety report, or separately - in which case the main findings should be summarised in the report. As proportionality increases, and particularly in the case of new novel plant, some use of absolute methods is normally required. Both type of method need to consider 'common cause/mode' failures such as loss of power, or other services.
In order to test compliance with this criterion the Assessor can ask the following questions:-
Q: Does the safety report describe a hazard identification process that instils confidence in its completeness?
The safety report should describe and justify the method used to identify major accident hazards. Assessors who are not convinced that all accident scenarios have been identified may deem the report 'non compliant'. However, use of a formalised accident identification process is not essential and an approach that is not completely systematic, but is seen as 'fit for purpose' is acceptable.
Q: Is the depth and detail of the accident analysis commensurate with the scale of the hazard?
The safety report should consider the potential for domino effects, but Assessors should recognise that many accidents do not give rise to a hazard range that extends off-site. In such cases the risk to the public can be quite low and the risk assessment need not be as detailed as that for a site with much more severe accident potential.
If an uncontained vaporising pool resulting from a release of the whole contents of a HFL storage vessel gives rise to a pool fire that does not produce any fatalities off-site, irrespective of weather conditions, the safety report need not evaluate the consequences of smaller pool fires.
Table 2: HFL Storage Facility Major Accident Scenarios.
| Plant item failure | Accident scenarios | |||||
|---|---|---|---|---|---|---|
| Storage tank | Cold
Catastrophic Failure
Pool fire |
Hot
Catastrophic failure (pressure vessel)
BLEVE |
Polymerisation
reaction
(pressure vessel) Internal explosion |
Hole in
Vessel wall
Spigot flow Pool fire |
Flammable
head space
Internal explosion |
Overfilling
or Over extraction
Pool fire |
| Transfer pipe work | Rupture
fireball |
Puncture
jet fire |
Small hole
jet fire |
|||
| Export/ Import line | Rupture
fireball |
Puncture
fireball |
Small hole
jet fire |
|||
| Inventory management , level control and tank venting systems | Overfill
flash fire |
Wrong
product delivery
exothermic reaction |
Loss of
pressure conservation
Tank over pressure failure |
|||
| Pumps | Disintegration
fireball |
Leak
jet fire |
Loss of
control
Overheat on dry running |
|||
