The paper provides an illustration of how some control measures are identified as “critical control measures” and how examples of identifying “critical events” related to “critical control measures” from incidents, monitoring programs and annual reviews of performance measures lead to continuous improvement of safety and a high degree of assurance that Major Hazard Incidents can be prevented.

1. “Critical Events”
Applying Continuous Improvement to
Incident Reporting
Nigel Cann
General Manager
Australian Vinyls

2. Buncefield

3. Texas City

4. Flixborough
1 June 1974
•Modification Control
•Use suitably trained,
educated and
responsible people
•Know what you don’t
know

5. Seveso
July 1976
• Understanding safe
state to leave
reactions
• Multiple layers of
protection
• Automated Reaction
stop systems for
exothermic systems

6. Piper Alpha
6 July 1988
•Good functioning Permit to
Work System including
monitoring
•Never defeat Safety
Systems
•Understand the hazards,
their consequences and fit
appropriate control measures

7. Longford
25 September 1998
Sale
Barry Beach
Marine Terminal
Long Island Point
Fractionation Plant,
Crude Oil Tank Farm
and Liquids Jetty
Longford
Gas & Oil Processing
Port
Phillip
Bay
c
Melbourne
Altona
Monotower
Sub-sea Well Oil Platform
Gas Platform
Concrete Structure
Barracouta Marlin
Snapper
Gooding
Compression (GTC)
c
c
• “cold temperatures”
• Training needs to
impart and refresh
knowledge.
• Must identify other
hazards and provide
relevant training.
•Corporate
knowledge must be
captured and kept
alive

9. All of these introduced Major
Hazards Legislation
• In Victoria, Australia
– Occupational Health and Safety (Major
Hazard Facilities) Regulations 2000
– Victoria giving effect to the National Code
of Practice for Major Hazard Facilities

14. Occupational Health and Safety (Major Hazard
Facilities) Regulations 2000
• 302 Identification of major incidents and
hazards
• 303 (1) …must conduct a comprehensive and
systematic safety assessment…
• 304 (1) … must adopt control measures
which…
• 306 (1) … must review, and as necessary
revise…

15. The Deming PDCA Model
PlanAct
DoCheck
What Major Incidents
can occur?

16. What Major Incidents
can occur?
PlanAct
DoCheck
What Hazards exist that
can cause those Incidents?

17. What Major Incidents
can occur?
What Hazards exist that
can cause those Incidents?
PlanAct
DoCheck
What Control Measures
can be used to manage
and contain those
hazards?

18. What Major Incidents
can occur?
What Hazards exist that
can cause those Incidents?
What Control Measures
can be used to manage
and contain those
hazards?
PlanAct
DoCheck
What Safety
Management
System (SMS)
Maintains those
Control
measures?

19. What Major Incidents
can occur?
What Hazards exist that
can cause those Incidents?
What Control Measures
can be used to manage
and contain those
hazards?
What Safety
Management
System (SMS)
maintains those
control
measures?
The Deming PDCA Model
PlanAct
DoCheck
How does the
Operator maintain
SMS performance
by reviewing KPI’s
and SOP’s?

20. Australian Vinyls
STRIPPING
COLUMN
DEGASSER
AUTOCLAVES
STEAM
ADDITIVES
VCM TANKER
CHARGE WATER
VCM GAS
HOLDER
LIQUID VCM STORAGE
VCM RECOVERY
PLANT
BAGGING AND
PALLETIZING
BULK SUPPLY
SLURRY
TANK
STORAGE
SILO
FLUID BED DRYER
CENTRIFUGE
PACKAGED SUPPLY

21. Plan
Government
Level
Acts Regulations Codes of Practice and
other guidance
Commonwealth 7 7 20
Victorian State 18 29 28
Local Laws 2

22. Plan
• Safety Management Systems should
not exist!
• Identify a framework
– ISO 9000 & 14000 series
– API 9100
– AS/NZS 4801
– AS ISO/IEC 17025

23. Maintaining performance via a SMS
• Top Down
• Permit to Work System
• Induction procedures
• Control of Third Parties
• Auditing program
• Purchasing procedures
• Recruiting processes
• Personnel and
organisational change
processes
• Engineering
Modification controls
• Emergency Response
Procedures
• Incident Investigation
processes
• Bottom up
– Identified control
measures must be
managed
– Set Performance
Standards
– Put in place Monitoring
Systems
– AUDIT
– Draw conclusions and
take action to close the
loop.

24. • Need to develop robust system
– Eg HAZOP keywords
• Be systematic in identifying Incidents
– Recommend use of LOC
• Use of Databases and “Bow ties”
Hazard Identification and
Safety Assessment

25. The Laverton Resin Plant

26. Hole >
150mm
in Storage
Tank
HAZARD
S
• Working wrong
tank
•Corrosion
•Vehicle Hits it
•Flange breaks
•Overpressure
•Fire under tank
•Bullet Hole
•Overfilling
•Wrong Material
Tank
Design
Control
Measures
Control
Measures
Hazard & Control
Measure
Identification
•Permit to
Work
•Barriers
•Speed
Limit
•Signs
•Stand by
•Security
•Bunds

27. How does a Control Measure
become CRITICAL?

28. Control Measure CRITICALITY

29. Hole >
150mm
in Storage
Tank
HAZARD
S
• Working wrong
tank
•Corrosion
•Vehicle Hits it
•Flange breaks
•Overpressure
•Fire under tank
•Bullet Hole
•Overfilling
•Wrong Material
Tank
Design
Control
Measures
Control
Measures
Hazard & Control
Measure
Identification
•Permit to
Work
•Barriers
•Speed
Limit
•Signs
•Stand by
•Security
•Bunds

30. Hole >
150mm
in Storage
Tank
HAZARDS
• Working wrong
tank
•Corrosion
•Vehicle Hits it
•Flange breaks
•Overpressure
•Fire under tank
•Bullet Hole
•Overfilling
•Wrong Material
Tank
Design
•Relief
Valves
•Gasholder
Venting
Procedure
•High
Pressure
Alarms
•Return to
Service
Procedure
Control
Measures
Control
Measures
Hazard & Control
Measure
Identification

31. Draw a “Bow-Tie”
Hole > 150mm
in Storage
Tank
Tank
Design
Vessel
exceeds
pressure
Relief
Valves
Procedure
for venting
to
gasholder
High
Pressure
Alarms
Procedure
for Return
to Service
Vessel out
for
Maintenance
Air in
Vessel
Supports
Earthquake
designed
Vehicle
impacts
supports
Speed LimitRoad BarrierPTW
Vehicle
needs to
access
area

32. Draw a “Bow-Tie”

33. Derive Performance Measures
– No failure on demand
– No failure on testing.
– As received from duty, pop test to
be within 10% of setting
– Inspection and test to be no more
than 3 months overdue

34. Leading Indicator Monitoring

35. Latent Unsafe ConditionsDecision-
Makers
Latent Unsafe ConditionsLine
Management
Latent Unsafe ConditionsPre-
Conditions
Active FailuresProductive
Activities
Active Failures
and
Latent Unsafe Conditions
Defences
The Reason “Swiss Cheese” Model:
Stages to an Accident
Accident & InjuryAccident & Injury

36. Investigation of Critical Events

37. Operator failed to detect significant
Reaction Temperature Deviation

38. Operator failed to detect significant
Reaction Temperature Deviation
• 16 Actions that resulted
1. Resolve persistent Panel Alarms that should not be there
2. Generate list of Critical Alarms
1. Review list of Critical Alarms to see what is on DCS
2. Review list of Critical Alarms on DCS
3. Review High Pressure Alarm Recipe settings
1. Set appropriate High Pressure Limits for S1 A/C’s
2. Change High Pressure Limits for S1
4. Check S2 Agitator Motor Current settings in DCS
3. Review Trip 18 conditions on DCS
4. Reinforce the importance of the Panel with CRO’s

39. Operator failed to detect significant
Reaction Temperature Deviation
5. Specify Temperature Deviation alarm sensitivity at either
end of phase 6
1. Change Temperature Deviation Alarm Sensitivity at either end of
phase 6
6. Check DCS for S2 Temperature Deviation Alarms
1. Put Temperature Deviation Alarm on DCS
7. Alarm Controller Output of 09 Valves
8. Assess Effectiveness and Completeness of changes to
DCS alarms

41. Suggestions for other
Industries
• Flammable, Toxic or
Radioactive Materials
– LOC

42. Suggestions for other
Industries
• Complex Machinery
– Catchpoints
– Energy Sources
– Access Points
– Cleaning

43. Suggestions for other
Industries
• Electricity
– Distribution
– HV Switching
– Working at Heights

44. Suggestions for other
Industries
• Public Transport, Logistics,
Port Operations
– Third Party collisions
– Single vehicle collisions
– Derailing
– Lifting operations etc

45. SUMMARY