"The safety report should identify all potential major accidents and define a representative and sufficient set for the purpose of risk assessment."
This criterion reminds Assessors that they need to check that:-
Ideally, the Operator should summarise, in a proportionate way, the results of hazard studies, the methods used and the expertise of the team involved. The scope of the studies and the HAZID process used should also be described. To provide a convincing demonstration that the list of MAs is complete, the process needs to be systematic, ie each plant and its operational sequences should be considered in turn, including the possibility of interactions. Assessors should judge the completeness and adequacy of the way these issues are dealt with by asking the following questions:-
The report should explain how major accidents have been identified and demonstrate that no important scenarios have been overlooked. When the method of identifying accidents is not systematic or transparent it will be much more difficult to convince the assessor of its completeness. Simple lists of accidents without evidence to show they are comprehensive may be appropriate in some cases, depending of the scale of the risk to off-site populations, but generally Operators will need to demonstrate that no major accident has been overlooked. Assessors should take into account the scale of the hazards when making a decision on this issue (proportionality).
The accident analysis should identify all potential off-site initiators of major accidents and an indication of their likelihood (see Table 1). On-site accident initiators such as overfill of a storage vessel or a pipe break require a more detailed frequency assessment in order to demonstrate the adequacy of installed safeguard systems.
The majority of LPG sites are unlikely to store other hazard substances, but the accident analysis should not be restricted to the bulk storage vessels. It should include tanker transfers, vaporisers, cylinder filling plant and stacks of cylinders. Leaks, Operator error and fire engulfment should all be addressed.
There is no requirement to repeatedly describe the consequences of accidents that have a similar impact on employees, local populations and the environment. The safety report does not have to describe the consequences of all the major accident hazards, but just to identify them. Instead it may define a representative set of accidents that includes the most severe plant failures and consider all possible consequence (eg fireball, jet fire, flash fire, etc). In other words, the consequence analysis can be based on a reduced set of accidents that are representative of the hazards from the site.
The Assessor must be satisfied that the accidents considered dominate the risk and encompass the complete spectrum of severity. Table 2 identifies plant items that contain, or are connected to, a large inventory of LPG and lists the most obvious potential accidents or failure modes. While it may not be completely exhaustive for all installations, it can be used as a check list to assess the completeness of the accident analysis. If there are any unexplained omissions that would significantly change the predicted risks posed by the site, it may be deemed to fail to comply with the assessment criteria.
The safety report should determine the consequences of essentially identical accidents in very similar plant if the consequences are likely to be different. For example, if a pipe failure can release gas at say 20 kg/s and failure of a cylinder filling machine can also give rise to a 20 kg/s release, the safety report should consider both failures because they may have different consequences. The safety report should also consider failures occurring at the 'worse locations' which may be on pipelines through a congested area where the possibility of a VCE can not be ruled out. A safety report that fails to address the 'worst case' consequences of representative accidents does not meet the assessment criteria.
Failures of LPG storage systems can give rise to a variety of thermal radiation/explosion hazards that must be addressed in the safety report. For example, the consequences of failure of a large storage tank that should be considered are fireball, jet fire, flash fire and VCE (if possible). Some of these events are more probable than others, but those contributing little to the total risk should not be ignored.
Some accidents at an installation can cause other failures in that they may have as severe or even more severe consequences. The safety report must recognise this possibility and address it by postulating accidents in 'worst case' locations. Of particular concern are:-
The site description should be detailed enough to enable the Assessor to identify the most hazardous locations for component failures and hence determine if the accidents considered are 'worst case'.
"The safety report should demonstrate that a systematic process has been used to identify all foreseeable major accidents."
In order to judge compliance with this requirement of the regulations, Assessors can ask the following questions:-
Identification of all major accident scenarios is a very important requirement of the regulations and a safety report that fails in this respect may be considered deficient. Systematic approaches to accident identification include HAZOP, event tree analysis and failure modes and effects analysis. However, the regulations do not specifically require their application. An Operator may be able to demonstrate that all major accidents have been identified without resort to formalised methods by providing a detailed description of the plant and by systematically addressing the hazards from each part in turn.
A major release of a flammable gas can result in different types of fire depending on the source and time to ignition. A safety report must consider all possible types of fire (fireball, jet fire, flash fire, etc) and the potential for an explosion. If failure of pipework is identified as a major accident and the report only considers a fireball and jet fire event, the Assessor would be justified in requesting further information on flash fires and explosion potential.
"The hazard identification methods used should be appropriate for the scale and nature of the hazards."
Hazard studies employing HAZID techniques are widely used in the chemical industry and can be carried out at various stages during the lifecycle of a plant. They are systematic way of managing hazard over time, from the business requirement stage through to demolition and disposal. HAZID techniques seek to identify hazards in an absolute or relative way. Relative methods use checklists or hazard indices based on experience and lessons from incidents. Absolute methods are based on deviations from design intent eg HAZOP. Details can be found in Lees (1996), Kletz (1999) and CCPS (1989).
Methods (listed in increasing proportionality) that might be used include:-
Whatever approach is used, it must be documented as part of the safety report, or separately - in which case the main findings should be summarised in the report. As proportionality increases, and particularly in the case of new novel plant, some use of absolute methods is normally required. Both type of method need to consider 'common cause/mode' failures such as loss of power, or other services.
In order to test compliance with this criterion the Assessor can ask the following questions:-
The safety report should describe and justify the method used to identify major accident hazards. Assessors who are not convinced that all accident scenarios have been identified may deem the report 'non compliant'. However, use of a formalised accident identification process is not essential and an approach that is not completely systematic, but is seen as 'fit for purpose' is acceptable.
In the main, accidental releases of LPG from high pressure storage systems give rise to fires and possibly explosions, but the hazard ranges associated with them do not always extend off-site. The minimum level of detail in the risk assessment depends on the scale of the risks. In general, the safety report for a site near to a busy shopping centre will need to contain more information than one in an isolated location.
| Plant items | Comment |
|---|---|
|
Completeness of Hazard identification Vessel failure Spill of liquid LPG Pipe failures Vaporiser failure Failures on cylinder filling plant Road tanker/filling operation Cylinder stack |
|
|
Comprehensiveness of accidents Vessel failure Catastrophic failure Localised failure above liquid level Localised failure below liquid level Overfilling Pressure relief valve discharge BLEVE Pipeline Rupture of high pressure line Puncture of high pressure line Leaks on high pressure line Vaporiser Rupture of pipe work Cylinder filling station Leaks cylinder stack Fire engulfment - BLEVE Road Tanker
|
|
|
Potential for escalation Jetflame impingementConfined explosion overpressure (VCE) Missiles from explosions Thermal radiation flux Spreading pool fire Missiles from cylinder stack fire |
Public Register of COMAH Establishments
