Health and Safety Executive

Safety report assessment guide: Methane gas holders

Criterion 3.6 "Do the findings and conclusions in the safety report demonstrate that the measures adopted to prevent and mitigate major accidents make the risks ALARP?"

The findings and conclusions from the predictive risk analysis should summarise the relationship between hazards and risks and demonstrate that the measures adopted to prevent and mitigate major accidents make the risks ALARP.

The assessment team must come to an agreed view on whether the report meets the requirements of criterion 3.6. Guidance is provided in SRAM Part 2 Chapter 1 for this purpose. The predictive assessor needs to form their own view on how the report meets this criterion so as to contribute to the team's overall conclusions. The assessment guidance is repeated here and expanded upon where relevant for low pressure gas holder sites.

Most safety reports will not present particularly reliable accident probabilities and in many cases the degree of uncertainty attached to consequence predictions will be unknown. This is relatively unimportant if the scenario is not risk dominant, but when it is, or could be, uncertainties should be offset by extra conservatism. Risk calculations based on optimistic assumptions and highly uncertain data should be treated with great caution, but Assessors should bear in mind the following typical levels of uncertainty:-

Table 6: Typical uncertainties in consequence modelling

| Hazard | Parameter | Typical parameter value | Approximate level of uncertainties |
|---|---|---|---|
| Fireball | Mass | 100% of release | 0 - 50% |
| | Size | R = 29 m^(1/3) | 0 - 5% |
| | Surface emissive power | 270 kW/m^2 | 200 - 300 kW/m^2 |
| | Height of centre | R | 2R - R |
| | Duration | t = 4.5 m^(1/3) | 0 - 5% |
| | View factor | Sphere touching ground | +-25% |
| | Hazard range | | +-50% |
| Jet fire | Mass release rate | Supersonic jet calculation | +-30% |
| | Flame length | Chamberlain approach | +-50% |
| | Flame shape | Chamberlain model | +-50% |
| | Fraction of heat radiated | 0.2 | 0.1 - 0.3 |
| | Point radiators | Location and strength | +-50% |
| | Wind effect | Shortening of jet | +-50% |
| | Hazard range | | +-50% |
| Flash fire | Mass | 100% of release | 0 - 50% |
| | Buoyancy | Neglect | 0 - no hazard due to lift-off of gas |
| | Dispersion | Passive model | +-50% on length and width |
| | Hazard range | | +-50% |
| VCE | Volume of congested area | Actual volume | +-30% |
| | Stored energy | 3.5 x 10^6 J/m^3 | +-20% |
| | MEM line number | 7 and 2 | 9-5 - 3-1 |
| | Blast over pressure | MEM predictions | +-60% |
| | Hazard range (to x mbar) | | +-75% |

Irrespective of the mix of argument, semi-quantitative evidence and quantitative analysis used to determine risk, an Assessor should have confidence in the results and concur with the conclusions presented in the safety report.

While the probabilities of worst case scenarios that are not risk dominating do not need to be quantified precisely, the calculation of their consequences should be reasonably reliable so that the emergency services can plan an appropriate response. In this context overly pessimistic predictions are almost as bad as grossly optimistic predictions. The information that emergency planners may require for each accident scenario and for twelve different wind directions is:-

  • Probable number of casualties with mild burns or superficial injuries.
  • Probable number of people requiring hospitalisation.
  • Possible number of deaths.
  • The need to evacuate the area around the site.
  • Amount of property destruction.

This information should be supplemented with additional guidance on differences caused by time of year, time of day (night), day of the week and the presence of rain.

Assessors are required to judge if the risk quantification, risk reduction measures and residual risk meet all the assessment criteria. In effect, they need to take a view on the reliability/accuracy of the predicted hazard ranges and risks and hence upon the acceptability of the predictive analysis. The following set of questions may aid this process:-

Q: Does the safety report combine the magnitude of the various consequences assessed with event frequencies, or the likelihood of initiating conditions, to estimate the risk to the most exposed person or groups of persons, on-site and off-site?

There are several ways in which the results of a risk assessment can be presented, including:-

  • Contour plots of individual risk of death based on certain assumptions about the individual (i.e. he is out of doors and he remains out of doors for 30 minutes).
  • Risk of death of the individual who is most at risk by being in a certain location for long periods.
  • Dose versus distance for accidents with different probability.
  • An F/N plot where N is casualties or individuals receiving a dangerous dose.
  • A cumulative frequency/N plot.

In order to judge the acceptability of a safety report that presents the results of a QRA, the Assessor may have to make reference to HSE guidance on the tolerability of risk. Since this is expressed in terms of individual risk of death, risk of death is the most useful end point for a risk calculation. However, this does not imply that other representations of risk are unacceptable, merely that they are more difficult to interpret.

A safety report that presents only a table of hazard range and relative likelihood does not comply with the assessment criteria.

Q: Does the safety report show that these risks are negligible or, where not negligible, are ALARP?

It is a requirement of the regulations that Operators demonstrate that all necessary measures have been taken to make residual risks ALARP. The process of "demonstration" is not clearly defined in the regulations, but is interpreted to mean, "justify by well founded arguments or reference to reliable data". In this context Assessors should expect to see risk dominant sequences broken down into a series of events and failures with the probability of each one estimated (either qualitatively or quantitatively as appropriate) by reference to historical data, a respected authority, or by formalised methods such as fault tree analysis. The Operator should be able to show that there is redundancy and diversity in control systems, that operator error is fully accounted for and that the more common initiating events will not progress to a major accident. All of this should be supported by sound arguments about the absence of further measures that could be introduced to reduce the risks still further.

If the Operator presents a risk assessment based on good practice, industry standards and compliance with HSE recommendations, then it is still possible to show that the residual risks are ALARP by use of cost benefit analysis. In this case, the Operator should list additional safety features that could be incorporated and show that their cost far outweighs the reduction in risk.

Q: Are the risks broadly consistent with HSE guidance on the tolerability of risk?

The Assessor should check that the accumulated probability of death of the off-site individual most at risk from all accident sequences is less than 10^-4. If it is not, it is probable that either the safety systems on the plant are deficient (i.e. risks are not ALARP), or that the accident analysis is overly conservative. In either case the Assessor should reflect his concerns in his assessment report.

Situations may occasionally arise when the safety report fulfils the requirements of the regulations, but the Assessor feels that the societal risk from the installation is uncomfortably high. In such cases, the safety report should not be deemed deficient, but the Assessor should convey his/her feelings to the Assessment Manager for the safety report.

Q: Has the Operator demonstrated that additional safety measures cannot be justified on cost benefit grounds?

The Operator should systematically examine the risk dominant accident sequences and identify additional measures that would reduce the residual risk. He should also justify why none of them have been implemented. Such arguments remove the grounds for rejecting the safety report and open up the possibility of a dialogue about which improvements would be cost effective.

Q: Does the safety report use quantitative arguments for the ALARP demonstration - if so, are the risk criteria stated and justified?

The level of quantification expected for the various types of risk assessment is dealt with by other criteria. The number of failure cases and the depth of analysis increase with proportionality. For a QRA of a complex site a few hundred different MAs may need to be analysed. The presentation of the quantitative arguments may need to be coupled with cost benefit analysis in order to provide the justification that all measures necessary have been taken.

If quantitative arguments are used, the methods, assumptions and the criteria adopted for decision making should be explained. For example, in the case of fatality risks to people off-site it is common practice [HSE, 1992] for the maximum tolerable level of individual fatality risk to be set at 10^-4 per year and for the broadly acceptable level to be set at 10^-6 per year. The corresponding figures for workers are 10^-3 and 10^-6. There are no commonly agreed criteria for lower severity levels; however, HSE have published harm criteria for LUP purposes for a variety of substances, i.e. the 'dangerous dose' level, which is equivalent to a 1% chance of fatality when a healthy person receives the dose.

Risk reduction measures

The safety report should demonstrate that a systematic and sufficiently comprehensive approach to the identification of risk reduction measures has taken place.

Where proportionality indicates that a site could rely on qualitative ALARP demonstration, operators may refer to relevant standards or guidance on good practice to support their demonstration that adequate safety and reliability have been incorporated and that the measures provided have reduced the risks to as low as is reasonably practicable (ALARP). In making this demonstration operators need to consider the particular circumstances of their site and the consequences of identified major accidents both on and off site and decide whether there is anything further which is reasonably practicable before they can complete their demonstration of ALARP. Focus should be placed on preventing major accidents but the risks off-site in particular can be reduced by mitigation measures to reduce their consequences.

Where proportionality indicates that something more than a qualitative demonstration is required, the safety report should show that a systematic assessment of additional risk reduction measures has been carried out. In some circumstances there may be risk reduction measures that are reasonably practicable in addition to existing published industry good practice.

Determination of whether risks have been reduced to ALARP involves an assessment of the benefits arising from the reduction in risk achieved by particular measures, an assessment of the cost in time, money or trouble of implementing those measures and a comparison of the two. Where there is deemed to be a 'gross disproportion' between the two, i.e. the risk reduction being insignificant in relation to the cost, then such measures can be ruled out as not reasonably practicable.

Q: Are the standards employed in the risk assessment relevant and up-to-date?

Operators often refer to standards in their risk assessment. These may be a failure frequency, an HSE guidance document or a plant design and operating standard. In each case, the Assessor should consider if the standard is applicable to the Operator's plant and if it is appropriate, given that HSE guidance and standards are updated from time to time. British Standards are revised at regular intervals and while not all the data in the standard may change, a major accident somewhere in the world can lead to a revision of failure frequencies of certain plant items.

At five-year updates HSE expects Operators to carry out a reappraisal of the risks from their operations and to examine if recent technological advances offer opportunities for risk reduction.

Assumptions and uncertainties

The main conclusions on the measures necessary to control risks should adequately take account of the sensitivity of the results of the analysis to the critical assumptions and data uncertainties.

One of the purposes of the risk assessment in a COMAH safety report is to demonstrate that sufficient control measures are in place to reduce the risks from the installation to a tolerable level. This is possible if the Operator has accounted for uncertainty in both the frequency and consequences of accidents. Considerable uncertainty is tolerable in the frequency and consequences of accidents that are, beyond a shadow of doubt, not risk dominating, but Operators should present sensitivity studies that show their predictions for safety critical events are not seriously in error. Assessors can ask the following questions to test compliance with this criterion:-

Q: Has the uncertainty in consequences arising from different mathematical model input data been addressed?

The extent of a flash fire envelope and the volume of a congested plant enveloped by a cloud of methane depends on the weather conditions assumed for the dispersion process. Since the magnitude of the hazard is inversely proportional to wind speed under both D and F stability, it is important that the consequences are evaluated at typical low wind speeds (F2 and D5). Input data for most other accident scenarios are fairly well defined, with the exception of emissive power. Assessors should check that values used in the accident consequence analysis are close to those shown in Table 6 and applicable to the local weather conditions experienced at the site location.

Q: Have the uncertainties attached to the risk calculations been addressed and justified?

A safety report that fails to mention uncertainties in the risk estimates should be considered deficient. Individual uncertainties attached to calculated hazard ranges should be estimated by discussion of both model inadequacies and imprecise input data. The safety report should justify the results, if necessary by reference to confidence levels. Assessors can find uncertainty information in Table 6.

With regard to uncertainty in the reliability of containment and control systems, it is reasonable to assume that standards that have been developed over many years provide adequate protection. However, if a site makes use of new technology, for which an historical database is not available, then the safety report should discuss uncertainty attached to failure probabilities.

Operators who base their safety report on QRA should take account of the potential for protective devices not to function, e.g. remotely operated shut off valves and excess flow devices may fail to operate effectively when called upon. The Operator should recognise that other protective systems may also fail and should describe the measures in place to show that his ranking of risk is not seriously flawed.

One particular area of concern is seal failure and lift decouplement as a result of low temperature and general corrosion. Gas holders should be equipped with a reliable seal water temperature control system that prevents freezing in winter. Depending on the design (electrical heating or central heating system), the safety report should quantify uncertainties in the predicted failure frequency and factor these into the final risk assessment. Since seal failure is relatively common, it is essential that it is fully addressed in the safety report.

Most risk assessments, even those not based on quantification, make use of a variety of input data which have uncertainties attached to them. Operators should describe the effect uncertainties can have on their predictions and demonstrate, by reasoned arguments, or quantitatively, that even under worst case assumptions the risks are ALARP.

Links to emergency planning

The conclusions drawn from the risk analysis with respect to emergency planning should be soundly based.

A safety report does not need to describe the off-site emergency plan, but it should provide guidance for the Local Authority on the severity of the risk dominant accidents. This information should be presented in an easy to assimilate form such as a table that summarises accident probability and likely numbers of casualties in three severity groups (mild burns or superficial injuries, hospitalisation and fatalities) for at least two weather conditions. It should also indicate the number of people likely to be made homeless by the effects of explosions. The information should be tabulated for a representative range of weather conditions and for all wind directions.

The safety report should also indicate any significant differences in the numbers of casualties due to seasonal changes, the accident occurring at the weekend, at night or on function days. In addition to the consequence information, it should present probability data in order that emergency planners can tailor their resources around the accidents presenting the greatest risk.

Q: Does the safety report describe a practical and satisfactory on-site emergency plan?

The on-site emergency plan for an unmanned site is managed and operated remotely, but its important aspects include:-

  • Speed of getting someone to the site.
  • How long they stay for.
  • Their duties when they arrive.

Of particular concern is whether the Operator will detect the occurrence of a major escape of gas and be able to take appropriate steps remotely to minimise its consequences. Assessors should be convinced that remote monitoring of all safety related parameters is adequate and protected by redundant and diverse equipment.

Q: Does the safety report give the distances to a range of consequence levels of relevance to emergency planners?

In the event of a major accident the emergency services will want to know where to deploy their staff in order to bring relief to the maximum number of people in the shortest time. Depending on the accident, the consequences could be mainly down wind (flash fire) or isotropically distributed around the site (fireball). In each case the maximum distance out to which people are likely to be injured is of vital importance.



23.03.10