"The safety report should identify all potential major accidents and define a representative and sufficient set for the purpose of risk assessment."
This criterion reminds Assessors that they need to check that:-
Ideally, the Operator should summarise, in a proportionate way, the results of hazard studies, the methods used and the expertise of the team involved. The scope of the studies and the HAZID process used should also be described. To provide a convincing demonstration that the list of MAs is complete, the process needs to be systematic, i.e. each plant and its operational sequences should be considered in turn, including the possibility of interactions. Assessors should judge the completeness and adequacy of the way these issues are dealt with by asking the following questions:-
The report should explain how major accidents have been identified and demonstrate that no important scenarios have been overlooked. When the method of identifying accidents is not systematic or transparent it will be much more difficult to convince the assessor of its completeness. Simple lists of accidents without evidence to show they are comprehensive may be appropriate in some cases, depending on the scale of the risk to off-site populations, but generally Operators will need to demonstrate that no major accident has been overlooked. Assessors should take into account the scale of the hazards when making a decision on this issue (proportionality).
The accident analysis should identify all potential off-site initiators of major accidents and give an indication of their likelihood (see Table 1). On-site accident initiators such as hose coupling failures, overfilling of bulk storage tanks, lifting or movement operations may require a more detailed frequency assessment in order to demonstrate the adequacy of installed safeguard systems.
Some incidents are characterised by an insignificant failure that, if not quickly attended to, escalates to an event of major proportion. Thus the accident identification process should not be restricted to vessel and pipeline failures, but should address all plant items on which failures have the potential to initiate a major accident. Ground inclination and common drainage systems that can convey a spill a considerable distance and/or result in running pool fires or drain fire/explosions should not be forgotten.
There is no requirement to repeatedly describe the consequences of accidents that have a similar impact on employees, local populations and the environment. The safety report does not have to describe the consequences of all the major accident hazards, but just to identify them. Instead it may define a representative set of accidents that includes the most severe plant failures and consider all possible consequences (e.g. fireball, jet fire, flash fire, etc). In other words, the consequence analysis can be based on a reduced set of accidents that are representative of the hazards from the site.
The Assessor must be satisfied that the accidents considered dominate the risk and encompass the complete spectrum of severity. Table 2 identifies plant items that contain, or are connected to, large inventories of distilled spirit and lists the most obvious potential accidents or failure modes. While it may not be completely exhaustive for all installations, it can be used as a check list to assess the completeness of the accident analysis. If there are any unexplained omissions that would significantly change the predicted risks posed by the site, it may be deemed to fail to comply with the assessment criteria.
The safety report should determine the consequences of essentially identical accidents in very similar plant if the consequences are likely to be different. For example, a transfer pipe failure can release distilled spirit at, say, 20 kg/s in one area of the site, while a hose rupture on a road tanker can result in a similar release in a different location. Both failures should be considered in the safety report because they may have different consequences. The safety report should also consider failures occurring at the 'worst locations', which may be on pipelines through a congested area where the possibility of a VCE cannot be ruled out. A safety report that fails to address the 'worst case' consequences of representative accidents does not meet the assessment criteria.
Failures of transfer systems can give rise to a variety of thermal radiation/explosion hazards that must be addressed in the safety report. For example, the consequences of failure of a large storage vessel that should be considered are pool fire, jet fire, flash fire and possibly a VCE. Some of these events are more probable than others, but those contributing little to the total risk should not be ignored.
The toxic effects of the combustion products arising from wooden casks must be included in the report. Large pools of alcohol can give rise to high concentrations some considerable distance away.
Some accidents at an installation can cause other failures that may have consequences as severe, or even more severe. The safety report must recognise this possibility and address it by postulating accidents in 'worst case' locations. Of particular concern are:-
The site description should be detailed enough to enable the Assessor to identify the most hazardous locations for component failures and hence determine if the accidents considered are 'worst case'.
Although Operators need to demonstrate the use of a systematic approach to accident identification, Assessors are likely to find that few safety reports present the results of formalised methods such as cause-consequence diagrams or failure modes and effects analysis. An alternative approach that some Operators may adopt involves listing each item of plant and identifying all its failure modes that would give rise to a major accident hazard. Individual thermal radiation or explosion hazards are then identified by reference to the following list:-
The accidents that distilled alcohol storage facilities can suffer fall into seven main categories:-
The different consequences of loss of containment accidents depend on the sequence of events leading to the fire, explosion or toxic cloud release. A fireball will only result from a massive and rapid release of alcohol vapour and immediate ignition of the release. A BLEVE will only occur where flame impingement occurs on a storage vessel or road tanker. A tank fire typically occurs as a result of an internal ignition or burn back and subsequent roof failure, while a flash fire may follow a large release of vapour that disperses and then encounters a source of ignition. Releases into confined spaces with ignition sources may result in an explosion.
The stabilised flow rate out of a pipeline is a function of the pump characteristics associated with the transport activity. If the whisky is vaporising, the time sequence of the release should be used to determine the most appropriate dispersion analysis (quasi-instantaneous or continuous release). Delayed ignition of a vaporising release into a congested volume may result in an explosion that produces a dangerous side-on pressure at some distance. Either calculations or reference to an authoritative source should be presented if the possibility of a VCE is discounted.
"The safety report should demonstrate that a systematic process has been used to identify all foreseeable major accidents."
In order to judge compliance with this requirement of the regulations, Assessors can ask the following questions:-
Identification of all major accident scenarios is a very important requirement of the regulations and a safety report that fails in this respect may be considered deficient. Systematic approaches to accident identification include HAZOP, event tree analysis and failure modes and effects analysis. However, the regulations do not specifically require their application. An Operator may be able to demonstrate that all major accidents have been identified without resort to formalised methods by providing a detailed description of the plant and by systematically addressing the hazards from each part in turn.
Operators that have not used a formalised structured method to identify major accidents should provide evidence that no sequence has been overlooked. For example, if overfill is identified as a major accident scenario, there may be half a dozen ways in which this can occur as a result of equipment failures and human error. The safety report should address each one and show that all necessary measures have been taken to prevent the accident occurring. If sequences are overlooked, the report must be deemed to fail to comply with the regulations; however, the depth of the accident analysis need only be proportionate to the scale and nature of the hazards and associated risks.
"The hazard identification methods used should be appropriate for the scale and nature of the hazards."
Hazard studies employing HAZID techniques are widely used in the chemical industry and can be carried out at various stages during the lifecycle of a plant. They are a systematic way of managing hazards over time, from the business requirement stage through to demolition and disposal. HAZID techniques seek to identify hazards in an absolute or relative way. Relative methods use checklists or hazard indices based on experience and lessons from incidents. Absolute methods are based on deviations from design intent, e.g. HAZOP. Details can be found in Lees (1996), Kletz (1999) and CCPS (1989).
Methods (listed in increasing proportionality) that might be used include:-
Whatever approach is used, it must be documented as part of the safety report, or separately, in which case the main findings should be summarised in the report. As proportionality increases, and particularly in the case of new novel plant, some use of absolute methods is normally required. Both types of method need to consider 'common cause/mode' failures such as loss of power, or other services.
In order to test compliance with this criterion the Assessor can ask the following questions:-
The safety report should describe and justify the method used to identify major accident hazards. Assessors who are not convinced that all accident scenarios have been identified may deem the report 'non compliant'. However, use of a formalised accident identification process is not essential and an approach that is not completely systematic, but is seen as 'fit for purpose' is acceptable.
In the main, accidental releases of distilled spirit give rise to fires and possibly explosions, but the hazard ranges associated with them do not always extend off-site. The minimum level of detail in the risk assessment depends on the scale of the risks. In general, the safety report for a site near to a busy shopping centre will need to contain more information than one in an isolated location.
| Plant item failure | Accident scenarios | | | |
|---|---|---|---|---|
| Storage Tank | Cold catastrophic failure: Pool fire | Hot catastrophic failure: BLEVE | Hole in vessel wall: Spigot flow | Flammable head space: Internal explosion |
| Transfer Pipework/ Road Tanker Loading and Unloading | Rupture: Pool fire | Puncture: Pool fire | Small hole: Flash fire | |
| Maturation Warehouse | Leaking casks: Pool fire | | | |
| Casks/ Cask Storage Area | Flammable head space: Internal explosion | | | |