The paper illustrates how some control measures are identified as “critical control measures”, and gives examples of how identifying “critical events” related to those measures from incidents, monitoring programs and annual reviews of performance measures leads to continuous improvement of safety and a high degree of assurance that Major Hazard Incidents can be prevented.
5. Seveso
July 1976
• Understanding safe state to leave reactions
• Multiple layers of protection
• Automated Reaction stop systems for exothermic systems
6. Piper Alpha
6 July 1988
• Good functioning Permit to Work System including monitoring
• Never defeat Safety Systems
• Understand the hazards, their consequences and fit appropriate control measures
7. Longford
25 September 1998
[Map: Longford Gas & Oil Processing and connected facilities: Sale, Barry Beach Marine Terminal, Long Island Point Fractionation Plant, Crude Oil Tank Farm and Liquids Jetty, Altona, Melbourne, Port Phillip Bay; offshore fields include Barracouta, Marlin and Snapper; Gooding Compression (GTC). Legend: Monotower, Sub-sea Well, Oil Platform, Gas Platform, Concrete Structure.]
• “cold temperatures”
• Training needs to impart and refresh knowledge.
• Must identify other hazards and provide relevant training.
• Corporate knowledge must be captured and kept alive
9. All of these introduced Major Hazards Legislation
• In Victoria, Australia
– Occupational Health and Safety (Major Hazard Facilities) Regulations 2000
– Victoria giving effect to the National Code of Practice for Major Hazard Facilities
14. Occupational Health and Safety (Major Hazard Facilities) Regulations 2000
• 302 Identification of major incidents and hazards
• 303 (1) …must conduct a comprehensive and systematic safety assessment…
• 304 (1) … must adopt control measures which…
• 306 (1) … must review, and as necessary revise…
15. The Deming PDCA Model
[Diagram: Plan, Do, Check, Act cycle]
• What Major Incidents can occur?
16. What Hazards exist that can cause those Incidents?
17. What Control Measures can be used to manage and contain those hazards?
18. What Safety Management System (SMS) maintains those Control measures?
19. How does the Operator maintain SMS performance by reviewing KPIs and SOPs?
22. Plan
• Safety Management Systems should not exist!
• Identify a framework
– ISO 9000 & 14000 series
– API 9100
– AS/NZS 4801
– AS ISO/IEC 17025
23. Maintaining performance via a SMS
• Top Down
– Permit to Work System
– Induction procedures
– Control of Third Parties
– Auditing program
– Purchasing procedures
– Recruiting processes
– Personnel and organisational change processes
– Engineering Modification controls
– Emergency Response Procedures
– Incident Investigation processes
• Bottom up
– Identified control measures must be managed
– Set Performance Standards
– Put in place Monitoring Systems
– AUDIT
– Draw conclusions and take action to close the loop.
24. Hazard Identification and Safety Assessment
• Need to develop robust system
– e.g. HAZOP keywords
• Be systematic in identifying Incidents
– Recommend use of LOC
• Use of Databases and “Bow ties”
26. Hazard & Control Measure Identification
Incident: Hole > 150mm in Storage Tank
HAZARDS
• Working wrong tank
• Corrosion
• Vehicle Hits it
• Flange breaks
• Overpressure
• Fire under tank
• Bullet Hole
• Overfilling
• Wrong Material
Control Measures
• Tank Design
• Permit to Work
• Barriers
• Speed Limit
• Signs
• Stand by
• Security
• Bunds
30. Hazard & Control Measure Identification
Incident: Hole > 150mm in Storage Tank
HAZARDS
• Working wrong tank
• Corrosion
• Vehicle Hits it
• Flange breaks
• Overpressure
• Fire under tank
• Bullet Hole
• Overfilling
• Wrong Material
Control Measures
• Tank Design
• Relief Valves
• Gasholder Venting Procedure
• High Pressure Alarms
• Return to Service Procedure
31. Draw a “Bow-Tie”
[Bow-tie diagram. Central event: Hole > 150mm in Storage Tank.]
• Causes shown: Vessel exceeds pressure; Vessel out for Maintenance; Air in Vessel; Vehicle needs to access area; Vehicle impacts supports
• Control measures shown: Tank Design; Relief Valves; Procedure for venting to gasholder; High Pressure Alarms; Procedure for Return to Service; Supports Earthquake designed; Speed Limit; Road Barrier; PTW
33. Derive Performance Measures
– No failure on demand
– No failure on testing.
– As received from duty, pop test to be within 10% of setting
– Inspection and test to be no more than 3 months overdue
38. Operator failed to detect significant Reaction Temperature Deviation
• 16 Actions that resulted
1. Resolve persistent Panel Alarms that should not be there
2. Generate list of Critical Alarms
   1. Review list of Critical Alarms to see what is on DCS
   2. Review list of Critical Alarms on DCS
   3. Review High Pressure Alarm Recipe settings
      1. Set appropriate High Pressure Limits for S1 A/C’s
      2. Change High Pressure Limits for S1
   4. Check S2 Agitator Motor Current settings in DCS
3. Review Trip 18 conditions on DCS
4. Reinforce the importance of the Panel with CRO’s
39. Operator failed to detect significant Reaction Temperature Deviation
5. Specify Temperature Deviation alarm sensitivity at either end of phase 6
   1. Change Temperature Deviation Alarm Sensitivity at either end of phase 6
6. Check DCS for S2 Temperature Deviation Alarms
   1. Put Temperature Deviation Alarm on DCS
7. Alarm Controller Output of 09 Valves
8. Assess Effectiveness and Completeness of changes to DCS alarms
44. Suggestions for other Industries
• Public Transport, Logistics, Port Operations
– Third Party collisions
– Single vehicle collisions
– Derailing
– Lifting operations etc
Hierarchy of Controls:
Eliminate
Prevent
Reduce
Mitigate
Reliance is a combination of how good the Control measure is at reducing the risk and how much confidence operators/maintainers have in its ability.
Inherent Risk is a relative term assuming no controls! A pool of liquefied flammable gas is more inherently dangerous than a pool of 25% caustic Soda.
MIC – how big is the bang, what damage can it do, how many people will be affected directly, indirectly.
We can describe an incident or an accident as involving latent unsafe conditions that are waiting for the influence of an active failure.
At the top end, Decision Makers drive for performance over safety – Longford – or fail to act to put in appropriate rules (NSW currently?)
Line Managers don’t apply Management Systems on site at a working level, and fail to monitor and correct. Focus on Slips, Trips and falls rather than MHI precursors.
The Active failures play a part. A worker makes a mistake, an unexpected deviation from raw material input, maintenance done on the wrong piece of equipment, no systems to check for corrosion etc.
Finally defences are weakened – alarm overload, untrained emergency response, trip fails due to poor maintenance, fire system leaks or valve left closed…
All these precursors can prevent MHIs.
Andrew Hopkins – “if only for…”