"The safety report should demonstrate that the Operator has used information and data that are suitable and sufficient for risk analysis".
A key requirement of the regulations is that information provided about the site and its hazardous substances is suitable and sufficient for a risk assessment. Table 1 provides some examples of where such information may be found. When considering this part of the safety report the assessor should ask if it provides answers to the following questions:-
The site description must describe the location and type of each storage system and provide information on the maximum inventories of all distilled spirit and the conditions (temperature and pressure) under which it is stored. It is important that the report adequately addresses the requirements of Schedule 1 of COMAH and considers all substances qualifying under the aggregation rules. The hazard from each qualifying substance must be assessed.
The safety report should describe plant and plant operations so that failures and errors having severe consequences can be identified. The detail provided needs to be sufficient to enable Assessors to determine if the accident analysis is thorough and complete. In addition to a full description of the storage facility and any associated control and shutdown systems, the safety report should describe the associated equipment subject to the requirements of COMAH. This may include import and export lines, pressurising systems for vessels, failure modes of equipment such as transfer pumps, flow control valves, level control devices and venting systems.
The standard of maps and plans is likely to vary from one report to another, but all the information needed to determine risk should be present. Maps and plans should clearly show the location of all significant distilled spirit inventories and populated areas at risk from the installation. Particular attention should be given to elevated structures such as railway viaducts and high rise buildings that may be at risk from buoyant releases such as the smoke plume from a pool fires, or even the flames themselves when tilted by a strong wind.
Some accidents at the maturation warehouses have the potential to affect the natural environment, and in particular aquatic systems, SSSI's or SBI's that may lie some considerable distance from the site but are connected to it by a water course.
In addition to assessing the consequences of fire, the safety report should describe the potential effects of contaminated fire fighting water run-off. In this context the location of bulk storage tanks with respect to watercourses is particularly important.
Vapour cloud explosion hazards should not be discounted, particularly if the vapour from a spill can be confined by the nearby structures and plant. In addition to unexpected releases, inadequate purging prior to hot work which can result in an explosion with major accident consequences or the potential to initiate a major accident, may need to be addressed.
The information in a safety report must be sufficient to enable the Assessor to deduce the approximate source term for each major accident. In other words, sufficient information should be given to allow the Assessor to determine 'how much, for how long and from where?' Assessors should take the view that any containment system or item of plant can fail and release its contents, therefore the safety report should provide:-
A safety report that fails to supply all of this information, is unlikely to comply with the assessment criteria.
The assumptions referred to here do not relate to mathematical modelling of an accident, but are connected with the operation of a site. For example, if the Operator assumes that an alarm will be seen immediately, or that a hardware failure will be detected immediately, the control room must be permanently manned and the instruments that would detect the failure in question should have a status indicator. Even then, the possibility of a delay before remedial or emergency action is taken should be considered. Of particular concern are failures that would allow a large release of distilled spirit to go unnoticed.
Any reliability assumptions about the following should be justified:-
ROSOVs to terminate a release.Key documents that the safety report relies on should be available to the Assessor, ideally by being included as an annex to the main report. Fault tree analysis, for example, should not be based on failure probabilities given in a confidential report unless the company is prepared to provide HSE with a copy.
The minimum requirements in this respect is references to published work. An Operator's failure to provide any supporting evidence should be considered a failure to comply with the criteria.
Source documents are targets for the follow-up inspection to validate the report, but Assessors should bear in mind their right to request further information from an Operator to help them assess his safety report.
The safety report should provide information on the methods and models used to predict the consequences of major accidents. If a well known computer program such as PHAST has been used, then only details of the input data and the version number are required. If an in-house computer program is used to calculate the consequences of accidents, then the physics on which the predictions are based should be described or reference made to a published article.
A safety report should present wind rose data (wind speed, wind direction and atmospheric stability) for the site in order to establish the frequency and direction of adverse atmospheric conditions. This is particularly important for pool fire hazard.
Operators should demonstrate awareness of the changes in accident consequences with weather conditions by presenting results for different atmospheric stability and wind speed. They should recognise that the wind direction can vary over 360oC and that D5 and F2 do not necessarily encompass the full range of consequences of an accident.
High-pressure releases of distilled spirits should be considered where appropriate because spray jets can form significant vapour clouds capable of giving rise to a flash fire followed by a spray jet fire. The orientation of jets is often an important factor. Releases from evaporating pools tend to be passive and treating them as dense may be conservative. The rate of dispersion varies with wind speed and category. D5 is usually the most appropriate weather condition for daytime accidents involving dispersion. The consequences of pool fires should be evaluated for a variety of wind speeds.
Operators should not reduce the frequency of an event or the severity of the consequences of an accident on the grounds of the presence of a safety system. For example, the Operator should not claim that a release will be terminated early by a shutdown system that may fail on demand. Nor should he discount an initiating event on the grounds that a permit-to-work system precludes the necessary conditions.
Ideally, the safety report should quantify the consequences of events with an without safety features operating so that their 'value' can be assessed and balanced against their reliability.
A safety report should present the entire chemical, physical, toxicological and eco-toxicological information that is needed to calculate risk to people and the environment. Toxicity data should also be provided for any toxic substances produced by combustion if appropriate.
| Initiator | Method of model |
|---|---|
| Aircraft impact | AEA methodology |
| Seismic event | British geological survey data |
| Lightning strike | Electricity council data and methodology, BS 6651: 1999 |
| Severe environmental
conditions:-
Abnormal rainfall |
Historical data plus reasoned argument |
| Flooding | Site and met office data plus reasoned argument |
| Subsidence | Historical data plus reasoned argument |
| Land slip | Historical data plus reasoned argument |
| Fire or explosion at adjoining plant | Site environs information plus relevant data where relevant |
| Missile from off-site | Site environs information plus relevant data |
| Hazardous substance pipeline rupture | Site environs information plus relevant data |
| Collapse of high voltage cable | Site environs information plus relevant data |
| Impact by out of control road or rail vehicle | Site environs information plus relevant data |
| Other |
J.P. Byrne, "The calculation of aircraft risk in the UK", prepared by AEA Technology plc for the Health and Safety Executive 1997. Contact Research Report 150/1997
The method of measuring the frequency of accidents caused by off-site events should be fit for purpose. In other words it should be proportionate to the level of risk. Thus, if a site is located far away from any airport or flight path (military or civil), then it is acceptable for the safety report to refer to the background crash rate for the UK. On the other hand, if the site is located close to a busy airport then a much more detailed assessment of aircraft impact should be carried out.
Public Register of COMAH Establishments
