Criterion 3.4 "The safety report should contain estimates of the probability (qualitative or quantitative), of each major accident scenario or the conditions under which they occur, including a summary of the initiating events and event sequences (internal and external), which may play a role in triggering each scenario."
Criterion 3.4 is about the completeness of the accident analysis and the quantification of probabilities. It focuses on initiators: whether all of them have been identified, and whether the methods used to determine accident sequence probabilities are appropriate.
The depth of analysis of the event sequences that determine the likelihood of realising each major accident scenario needs to be proportionate. At the lowest level of proportionality - provided it is demonstrated that a plant is designed, built and operated to current standards - it will usually suffice for qualitative descriptors of likelihood to be assigned to each MA. For example, the CIA's guidance on emergency planning for chlorine installations gives the following frequency categories:-
| Descriptor | Frequency (per year) |
|---|---|
| Extremely unlikely | < 10^-6 |
| Very unlikely | 10^-6 to 10^-5 |
| Unlikely | 10^-5 to 10^-4 |
| Quite unlikely | 10^-4 to 10^-3 |
| Somewhat unlikely | 10^-3 to 10^-2 |
| Fairly probable | 10^-2 to 10^-1 |
| Probable | > 10^-1 |
In more complex situations a satisfactory demonstration under Schedule 4 may require the consideration of the conditions under which events occur, their likelihood, and how the events interact so that the likelihood of certain major accidents can be estimated. This will require consideration of the whole causation/outcome sequence.
In order for Assessors to form a judgement on these issues, they should ask the following questions:-
Assessors should expect to see all events producing a major accident hazard identified and the frequency of each event sequence determined. There is a requirement to demonstrate that the risk from risk dominating sequences is ALARP. The greater the risk to people off-site, the more reliable must be the quantification.
For single event initiators such as aircraft impact and earthquake, probabilities based on historical data are acceptable. But it may not be sufficient for the Operator to use data from published sources for event sequences involving say component failure and Operator error, without justifying their suitability. The safety report should justify the absence of further redundancy and diversity and show that all necessary measures have been taken to minimise Operator error.
Fault tree analysis is not essential to determine accident probability and companies are much more likely to use argument based on the following:-
It is acceptable for the safety report to refer to world-wide failure data on methane storage vessels built and operated to equivalent standards, and deduce that the failure frequency of storage vessels on the Operator's site is similar. Failure rates/probabilities given in a British Gas safety report dealing with methane are therefore likely to be industry standards and as reliable as any other. However, the origin of all probabilities quoted in a safety report should be given so that, where necessary, Assessors can make judgement on their suitability.
All events/initiators identified in Table 3 should be considered even if some of them are not applicable to the plant in question.
Some events such as aircraft impact, earthquake, dropped load, etc are capable of damaging any item of plant, but a safety report need only consider the event once unless a different hazardous substance can be released, or the severity of the release varies significantly.
The types of fire that may follow a release of methane are usually obvious and the safety report should calculate the thermal radiation hazard range in each case. The only area of ambiguity concerns VCEs and whether there is sufficient containment or flame accelerating structures to give rise to an explosion. This is a difficult question for the Assessor, particularly as some safety reports may not adopt worst case assumptions. If gas can be released into a confined or congested area, the Assessor may need to consult the MSDU topic specialist about the likelihood and severity of an explosion.
The frequency of accidents that have severe consequences for local populations needs to be determined more precisely than that of accidents that have only on-site effects and at worst can impact a small number of plant Operators. This implies that the frequency of severe accidents resulting in a large release of gas should be determined more reliably than the frequency of flange leaks on low pressure pipework, which have less severe consequences. Coarse industry standard estimates are adequate for these.
If the safety report has not adopted a QRA approach, but has ranked accidents in terms of their severity and likelihood, the level of detail in the consequence analysis for accidents at the top of the list should be greater than that for accidents at the bottom of the severity list.
Accidents that are the result of multiple failures should not be assigned a frequency unless details of the analysis of the mode and probability of each of the failures that comprise the accident sequence are provided. For example, a safety report that simply states that the frequency of over filling of a methane bullet is 'f' on the basis of historical data should be judged as containing insufficient detail. However, it is acceptable for the frequency of single events such as rupture of a high pressure supply line to be based solely on historical data.
Since high pressure gas bullets are usually built in groups of six or more, a failure on one is likely to affect the others. For example, a jet fire may impinge on a neighbouring vessel and cause it to explode. The overpressure and missiles from the explosion are likely to damage other vessels and pipework and escalate the accident still further. A safety report should consider all possible consequences of an event, particularly those involving escalation, and determine the probability of each knock-on effect. It is acceptable for the frequency of the initiating event, such as rupture of a high pressure supply line, to be based on historical data.
If the site also has a low pressure gas holder, then the probability of failures of the high pressure storage system affecting it (e.g. missile) should be determined.
If a safety report does not predict the frequency of one or more major accidents, it must describe the conditions under which the accidents can occur. It must then show that the installed safeguards ensure that those conditions are very unlikely ever to arise. This demonstration is only possible for certain systems which have been designed to be intrinsically safe. A system that depends on operators and a mixture of active and passive control systems is always at risk from human and equipment failures.
Sites storing large quantities of methane in high pressure bullets can never be completely intrinsically safe because there is a whole range of events that can cause complete loss of containment. While a major accident would not necessarily follow such an event, the probability of ignition of the gas cannot be discounted. However, certain accident sequences may be very improbable on account of the design or location of the plant.
Criterion 3.4.1 "The report should demonstrate that a systematic process has been used to identify events and event combinations, which could cause MAHs to be realised."
Here reference should be made to Criterion 3.3 and how it was met by the safety report. Essential for the identification of major accident hazards is a detailed description of the site and all its components, with particular emphasis on those containing or connected to large volumes or high-pressure sources of methane. The safety report should consider each of these in turn, identifying release scenarios and potential consequences (fireball, jet fire, explosion). It should also provide an estimate of the frequency of each event. It is not necessary for the safety report to quantify the consequences of all of these, but a sufficient and representative set must be identified. Assessors may find the following questions useful when judging the completeness of the accident scenarios considered.
It is more important for the Assessor to be satisfied with the completeness of the accidents considered than for the report to use a formalised methodology to identify accident scenarios. If the accident analysis deals with each item of plant in turn and identifies all initiators and all types of fire/explosion, then it can be considered systematic. However, if by reference to Tables 2 and 3, the Assessor can identify scenarios that have been overlooked, the report is deficient. The seriousness of the omission depends on whether the consequences to the public are worse than those from other accidents that are dealt with and whether the risk from the event in question is ALARP.
If for example a safety report failed to examine the consequences of a leak on a pressure regulator resulting in a confined explosion that generated missiles capable of damaging a high pressure bullet, then the safety report should be considered as failing to meet the criteria.
The accident sequence identification and analysis in a safety report should consider the failure of all automatic and manually operated safety systems and evaluate the consequences in each case. For example it should consider sequences consisting of:-
It may use QRA to demonstrate that the probability of such accidents is very low, but their consequences must be determined.
Table 3: Accident initiators requiring consideration in a safety report

| Off-site events | Operator error | Abnormal load | Arson or sabotage | Inadequate management | Loss of service |
|---|---|---|---|---|---|
| Aircraft impact | system opened | impact by vehicle | fire | corrosion | loss of electricity |
| Seismic event | filled when not closed | impact by missile | explosion | erosion | loss of compressed air |
| Subsidence | system over pressurised | impact by dropped load | valve opened | vibration | loss of nitrogen |
| Extreme environmental conditions (abnormal rainfall, abnormal snowfall, very low temperature, high temperature, flooding, gale force winds, lightning strike) | containment degraded | internal temperature or pressure outside design limit | safety system degraded | cyclic load | |
| Vehicle/train impact | excess load | external temperature/pressure outside design limit | contamination | inadequate materials or specification | |
| Land slip | failure to respond correctly to an alarm | pressurisation | control system degraded | failure of process controls | |
| Explosion | incorrect valve action | under pressure | containment system degraded | hidden defect in containment system | |
| Fire | failure to detect dangerous situation | | | | |
| Missile | | | | | |
| Pipeline rupture | | | | | |
Criterion 3.4.2 "All safety critical events and associated initiators should be identified."
Safety critical events are those that dominate the risk at different distances from the plant. For high pressure gas storage systems, the event with the greatest hazard range is usually a fireball resulting from immediate ignition of an instantaneous release to atmosphere of the whole contents of the gas vessel(s). The safety critical events for shorter distances are those occurring most frequently and giving rise to that particular hazard range. The questions below will help Assessors determine if safety critical events are dealt with appropriately.
Some safety reports may not make use of the term 'safety critical event', but all safety reports will calculate the consequences of only a small fraction of the total accidents a site can suffer. These must be chosen carefully in order to ensure they dominate the risk at increasing distance from the site.
The first step in the identification of these risk-dominating events is the quantification of frequency and approximate consequences of all major accidents. These may be grouped into consequence bands as indicated below. The accident at the top of each band is the safety critical event for consequences of that particular level of severity. However, this method should be used with caution since the consequence categories may be quite broad. For example, if a consequence category is defined as one or more off-site fatalities, the most frequent event may cause 2 fatalities and would be classed as the SCE, whereas a less frequent event that could cause 200 fatalities would not be identified as an SCE but may be unacceptable and require further risk reduction. It is suggested that the events should also be reviewed qualitatively (i.e. by visual inspection) to identify unusual or high consequence events which should be added to the list of SCEs. In addition, events which in themselves might be low risk, but could escalate to give a more serious event, should be included. The non-QRA approach would group accidents according to likelihood and consequences.
The frequency of all accidents in a band can be added together to provide an estimate of the overall frequency of a particular level of consequences. The safety report should then identify a set of representative accidents and frequencies for more detailed consequence analysis.
A safety report that fails to analyse accidents in this way may not be complying with the assessment criteria. However, approaches that are not based on quantification, but nevertheless rank accidents appropriately, should not be rejected out of hand.
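The banding step described above, as an added worked example that is not part of this guidance: the accident list with its frequencies and fatality estimates is constructed, the band lower bounds are assumptions, and the frequency descriptors are the CIA categories quoted under Criterion 3.4. It shows why a coarse "one or more off-site fatalities" band picks the 2-fatality event as the SCE and hides the 200-fatality one until the qualitative review step.

```python
from collections import defaultdict

# Constructed sample accident list: (description, frequency per year, off-site fatalities).
ACCIDENTS = [
    ("flange leak on LP pipework, jet fire", 1e-2, 0),
    ("small bore pipework leak, flash fire", 3e-3, 0),
    ("HP line rupture, ROSOV fails, prolonged jet fire", 2e-5, 2),
    ("pressure regulator leak, confined explosion", 8e-6, 5),
    ("single bullet catastrophic failure, fireball", 3e-6, 200),
    ("escalation to neighbouring bullets, multiple fireballs", 5e-7, 600),
]

# CIA descriptors quoted under Criterion 3.4: (upper bound per year, label).
FREQUENCY_CATEGORIES = [
    (1e-6, "Extremely unlikely"), (1e-5, "Very unlikely"), (1e-4, "Unlikely"),
    (1e-3, "Quite unlikely"), (1e-2, "Somewhat unlikely"), (1e-1, "Fairly probable"),
]

def frequency_category(freq):
    for upper, label in FREQUENCY_CATEGORIES:
        if freq < upper:
            return label
    return "Probable"

def band_index(fatalities, lower_bounds):
    """Index of the consequence band with the largest lower bound not exceeding `fatalities`."""
    return max(i for i, lo in enumerate(lower_bounds) if fatalities >= lo)

def screen(accidents, lower_bounds):
    """Group accidents by consequence band, sum each band's frequency and take the
    most frequent member as that band's safety critical event (SCE)."""
    bands = defaultdict(list)
    for acc in accidents:
        bands[band_index(acc[2], lower_bounds)].append(acc)
    out = {}
    for b, members in bands.items():
        name, freq, fat = max(members, key=lambda a: a[1])
        out[b] = {
            "lower_bound": lower_bounds[b],
            "total_frequency": sum(a[1] for a in members),
            "sce": name, "sce_frequency": freq, "sce_fatalities": fat,
            "members": [a[0] for a in members],
        }
    return out

def overlooked_high_consequence(accidents, screening, lower_bounds, factor=10):
    """Qualitative review step: flag accidents whose consequences are at least `factor`
    times worse than their own band's SCE, which the frequency-only pick hides."""
    flagged = []
    for name, _freq, fat in accidents:
        sce_fat = screening[band_index(fat, lower_bounds)]["sce_fatalities"]
        if fat > sce_fat and fat >= factor * sce_fat:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for bounds in [(0, 1), (0, 1, 10, 100)]:  # coarse banding, then finer banding
        result = screen(ACCIDENTS, bounds)
        print(f"\nBands with lower bounds {bounds}:")
        for b in sorted(result):
            r = result[b]
            print(f"  >= {r['lower_bound']:>3} fatalities: total {r['total_frequency']:.2e}/yr "
                  f"({frequency_category(r['total_frequency'])}); SCE = {r['sce']}")
        print("  to add as SCEs after qualitative review:",
              overlooked_high_consequence(ACCIDENTS, result, bounds) or "none")
```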

The safety report should list the safety critical events for each group of accidents that have similar consequences. In general these will form the reduced set that are analysed in depth in the report as indicated above where 5 safety critical accidents are used to represent the risk from the site.
Since safety critical accidents dominate the risk from an establishment, the safety report should demonstrate that the risk they pose is ALARP, paying particular attention to control measures. The Assessor must be convinced that any failure probability used in the analysis is reliable, and that further control measures to reduce the probability of undesired events are not justified.
Plant controlled by systems that contain diversity and redundancy tend to have a low failure probability, but if a single failure can precipitate a major accident, it is reasonable to conclude that the risk may not be ALARP. This principle does not apply to containment systems where rupture of a pipe or vessel can result in a major accident. In this case the risk is likely to be ALARP if the containment is correctly designed, fit for purpose and operated within its design limits. The report should demonstrate that risks are ALARP by showing either that accident frequencies are tolerably low or that a further reduction in frequency would be exorbitantly expensive and not justified on cost-benefit grounds.
Criterion 3.4.3 "Estimates of, or assumptions made about, the reliability of protective systems and the time for operators to respond and isolate loss-of-containment accidents, etc need to be realistic and adequately justified."
Operators should not base their accident analysis on the assumption that all protective systems will perform perfectly and operators are 100% reliable. For example, if a high pressure feed pipe is fitted with a slam shut safety valve (ROSOV), the safety report should consider the consequences of it failing to isolate a failure on that line. Similarly, if a pipe is fitted with a manually operated shut-off valve, the safety report needs to consider what would happen if it was not closed in the event of a failure downstream. The following questions are designed to provide guidance on this criterion:-
Operators should not use failure probabilities taken from standard references in their accident analysis without showing that they are applicable to the plant and conditions in question. The Assessor should be particularly concerned about the data used in the determination of the frequency of safety critical accidents.
For example if the general rate of failure is f, an Operator can only claim a similar failure rate if equipment on his site is inspected and maintained to the same standard as the population to which the failure data applies.
If the Operator determines accident likelihood on the basis of historical data or some other method that does not involve a calculation of accident frequency, the Assessor should be convinced that the probabilities are applicable to the plant in question. This implies that good evidence should be presented to show that the plant is designed, operated and maintained to appropriate standards and that the operators controlling it are adequately trained.
A safety report that does not examine the consequences of prolonged releases (20 minutes or more), on the basis that a valve will be closed and the release terminated within a shorter period, should be deemed to contain an optimistic accident consequence analysis.
The safety report may claim that control room Operators will notice an illuminated alarm indicator immediately or will respond to an emergency perfectly and close valves in a matter of seconds. Such assumptions may be optimistic, but their presence does not necessarily signify that the safety report is deficient if the consequences of much longer response times are determined.
Since all safety/control systems can fail, Operators should take the view that methane can escape from its containment system and that releases of 100% of the inventory of storage vessels must be considered in a safety report irrespective of the complexity of the safeguards.
Criterion 3.4.4 "The methods used to generate event sequences and estimates of the probabilities of potential major accidents should be appropriate and have been used correctly."
The conventional methods of determining the frequencies of accidents involving multiple failures are fault tree and event tree analysis or a combination of the two. They are labour intensive and require reliable failure probabilities and experience in their application. Many safety reports adopt a much simpler approach. For example, accident sequences may be broken down into three components - an initiating event, a control system failure and an operator failure. The frequency of the accident is then determined by assigning probabilities to the components and multiplying them together. While this approach may be acceptable, Assessors should be aware that it can hide a large number of events/failures that are not being quantified. There may be a dozen ways the control system can fail and several ways in which the operator can respond incorrectly. Since the probabilities of these alternatives are usually additive, the Assessor needs to be convinced that the analysis is not optimistic. The following questions may help the Assessor to reach a conclusion on this issue:-
If a dangerous situation can occur following a series of operator and control equipment failures, the Operator will need to identify each of these in order to satisfy the Assessor that his calculated event probability is reasonable. If a breakdown of the individual events and probabilities is not provided, the Assessor is justified in requesting further information from the Operator.
Accident consequences should not be reduced on the grounds that the probability of the wind blowing in a particular direction is low if very similar consequences arise when the wind is blowing in any direction. Nor should risk be based on the probability of a failure in a particular location when failures over a whole range of other locations may have similar consequences. The Assessor must decide the weight attached to such omissions.
The fact that most failure probabilities are not single values, but are distributed about a mean, should be accounted for in risk analysis. If there is no information on the distribution of a failure probability, it must be concluded that the upper figure is just as likely as the lower figure.
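The three-component arithmetic described under Criterion 3.4.4, together with the point above about treating the upper figure as no less likely than the lower one, as an added worked example that is not taken from any safety report or from this guidance. The transmission line rupture rate and the ROSOV on-demand failure probability are the Table 4 values; the 0.4 km line length, the single-figure operator error and all the individual failure modes with their ranges are constructed assumptions.

```python
# Added worked example: 'initiator x control failure x operator failure', first with
# one number per component and then with the individual failure modes those single
# numbers hide. Table 4 values are marked; every other figure is a constructed assumption.

HP_LINE_RUPTURE_PER_KM_YR = 5e-4   # Table 4: HP gas transmission line rupture
ROSOV_FAILS_ON_DEMAND = 3e-2       # Table 4: failure of a ROSOV on demand
ON_SITE_HP_LINE_KM = 0.4           # constructed: length of HP line on the site
OPERATOR_FAILS_TO_ISOLATE = 1e-1   # constructed: single-figure operator error

# Alternative ways each component can fail: (description, lower, upper) per demand.
# Treated as mutually exclusive alternatives, so their probabilities add.
CONTROL_FAILURE_MODES = [
    ("ROSOV fails to close on demand", ROSOV_FAILS_ON_DEMAND, ROSOV_FAILS_ON_DEMAND),
    ("pressure/gas detection does not trigger the trip", 5e-3, 2e-2),       # constructed
    ("ROSOV inhibited or bypassed for maintenance", 2e-3, 1e-2),            # constructed
]
OPERATOR_FAILURE_MODES = [
    ("alarm not noticed within the assumed response time", 5e-2, 1.5e-1),  # constructed
    ("wrong manual isolation valve closed", 1e-2, 3e-2),                    # constructed
    ("isolation attempted but abandoned because of the jet fire", 2e-2, 5e-2),  # constructed
]

def initiator_frequency(rate_per_km_yr, length_km):
    """Site-specific initiating event frequency per year from a per-km rate."""
    return rate_per_km_yr * length_km

def sequence_frequency(initiator, control_p, operator_p):
    """Accident sequence frequency per year: initiator x P(control fails) x P(operator fails)."""
    return initiator * control_p * operator_p

def combined_probability(modes, bound):
    """Sum the alternative failure modes at the chosen bound ('lower' or 'upper'),
    capped at 1 because a probability cannot exceed certainty."""
    idx = {"lower": 1, "upper": 2}[bound]
    return min(1.0, sum(m[idx] for m in modes))

def compare_approaches():
    """Return the single-figure result and the enumerated lower/upper bound results."""
    initiator = initiator_frequency(HP_LINE_RUPTURE_PER_KM_YR, ON_SITE_HP_LINE_KM)
    naive = sequence_frequency(initiator, ROSOV_FAILS_ON_DEMAND, OPERATOR_FAILS_TO_ISOLATE)
    enumerated = {
        bound: sequence_frequency(initiator,
                                  combined_probability(CONTROL_FAILURE_MODES, bound),
                                  combined_probability(OPERATOR_FAILURE_MODES, bound))
        for bound in ("lower", "upper")
    }
    return naive, enumerated

def optimism_factor():
    """How far the single-figure estimate sits below the upper-bound enumerated estimate;
    with no distribution information the upper figure is as credible as the lower."""
    naive, enumerated = compare_approaches()
    return enumerated["upper"] / naive

if __name__ == "__main__":
    naive, enumerated = compare_approaches()
    print(f"single-figure estimate : {naive:.2e}/yr")
    print(f"enumerated, lower bound: {enumerated['lower']:.2e}/yr")
    print(f"enumerated, upper bound: {enumerated['upper']:.2e}/yr")
    print(f"single figure understates the upper bound by a factor of {optimism_factor():.1f}")
```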
An analogous situation that Assessors may encounter in safety reports that are not based on QRA is when the Operator justifies safe operation by reference to a standard. It is possible that different standards call for higher safety margins or are based on different assumptions. In such cases, in the absence of information to the contrary, the most demanding should be adopted or complied with.
Assessors should be careful not to accept accident analysis from an Operator's 'core safety report' if the safety report in question does not take account of site specific information on accident initiators and initiator probability. For example, a core safety report may give a frequency for aircraft impact based on a background crash rate for the whole of the UK. This would not be applicable to a site located close to a busy airport. Likewise the presence of a railway line running along a site boundary increases the probability of an accident caused by a derailment.
In general, off-site accident initiators tend to be site specific, but differences in site management, operation and competence (training) of the staff can also significantly affect accident frequency.
Criterion 3.4.5 "The safety report should provide adequate justification for event probabilities that are not consistent with historical or relevant generic industry data."
Many risk assessments in safety reports make use of industry standard probabilities for events such as pipe rupture, cold catastrophic failure of vessels, Operator response time etc. The Assessor should compare these data against those given in the table below and request the Operator to explain the reasons for any significant difference.
Table 4: Typical failure frequencies

| Event | Probability/Frequency |
|---|---|
| High pressure gas transmission line rupture | 5 x 10^-4/km.yr |
| Lightning strike | 1 x 10^-7/yr |
| Severe earthquake capable of rupturing pipework | 1 x 10^-6/yr to 1 x 10^-7/yr |
| Sudden catastrophic failure of vessels | 3 x 10^-6/yr |
| Failure of a ROSOV on demand | 3 x 10^-2 |
| Failure of an excess flow control valve on demand | 1.3 x 10^-2/yr |
| Failure of an automatic shutoff valve to close | 1 x 10^-2/demand |
| Failure rate of small bore gas pipework | 6 x 10^-5/m |
| Frequency of sparking of zone 1 equipment | 1 x 10^-4/item |
Generic or industry standard failure probabilities for valves, pumps, etc are based on appropriate operation under an industry standard maintenance regime, which may be different from that prevailing at a site. Use of such data in risk calculations in a safety report should therefore be justified. Assessment of the justification can be via the following questions:-
Failure rate data from the Operator's own long established database can usually be accepted, but if data are based on experience in another industry (e.g. nuclear), the Operator must justify their use in accident analysis by reference to operating conditions, maintenance regimes, etc. If this justification is not present, the Assessor may reach the conclusion that the risk assessment is optimistic. In practice most natural gas bullets are operated by British Gas, which has comprehensive failure rate data based on in-house experience.
The mean failure frequency of plant components should be increased when they are used under conditions that are different from their design operating conditions. Similarly, the mean failure rate of a component should be increased if it is assumed to apply to another similar, but not identical, component. The increase depends on whether the new conditions make more or less demands on performance. Failure to recognise such reliability changes can result in an optimistic risk assessment, particularly if the data is used to quantify the frequency of a safety critical sequence.
This problem is unlikely to arise because British Gas operates most high pressure bullet sites and it has developed equipment and systems for this purpose over many years, such that they are able to define appropriate standards.