risk assessment friend or foe?
TRANSCRIPT
Risk Assessment – Friend or Foe?
LEARNING FROM 35 YEARS IN MAJOR HAZARD RISK CONTROL
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Ian Travers Process Safety [email protected]
IOSH –Hazardous Industries Group
What is Risk Assessment ?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Purpose:
To determine the consequences of a adverse or harmful incident, what the initiating events for such an incident are and to then determine the control and mitigation measures required to reduce the likelihood of the event to an acceptable level.
So what’s the (my) problem?
•Risk assessment findings are used as if the conclusions are absolute, and a guarantee of absence of risk / harm
•Considerations and uncertainties are lost once a conclusion is reached –what’s not taken forward is as important as what is
•Risk matrices fix risk at a set point forever (or until it goes wrong)•Confusing terminology such as TIF ALARP and risk of 1 x 10-6/yr which
can’t be easily understood by non-specialists•What the risk value depends upon is soon forgotten•Many organisations need to hire in expert help on risk assessment so
may not own the conclusions or be able to challenge the findings
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Why is it difficult?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Consider the ‘risk’ depicted in these two illustrations.What’s the difference in risk between the two?
Try to answer – is this situation safe?
When ‘is it safe?’ is not obvious we have to determine risk using agreed methods
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
• How could it go catastrophically wrong?• Where / when will most likely go wrong?• What controls or systems are needed to prevent a
major incident?• Which of these controls are most important? • Which are most vulnerable to failure?• Have we got sufficient controls in place?
Problem 1
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Hazards are generic Controls have to be context based
Risks are context based
Many paths to harm
Loss of Control Outcome
Hazards/Threats
Preventive Barriers
Mitigation Barriers
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Step by step assessment to ‘is it safe?’
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Identify the consequences to be
avoided
Model the extent and severity
Identify the hazard(s) which can give rise to
harm
Identify the way each initiating event can lead to
a loss of control
Identify all the initiating events which can lead to a
loss of control
ImpactPotential
Harm
Decide if the risk is acceptable
How and where can things go wrong?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Major Accident
Scenarios
1. Ship offloading &
Product Transfer to
Bulk Tanks
2. Static Storage (no
product movement)
3. Road Tanker
Filling
4. External Events
1a. Ship-shore
connection
1b. Pipelines to bulk
tanks (including
pumps, valves &
flanges)
1c. Storage Tanks
2a. At tank
2b. Within bund from
equipment
3a. At loading gantry
3b. Within tank
bund(s)
a. Fire / Explosion on vessel in
dock
c. Fire / Explosion in premises
adjacent to Depot
b. Aircraft Impact
d. Seismic event
e. Lightning
3c. Storage Tank
f. Flooding
h. High Winds
3a. Ship bunkering
Where can things go wrong?
How can things go wrong?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
1. Loss of
Containment during
ship offloading into
storage tanks
1a. Ship-Shore
Connection
1b. Pipeline / equipment
failure between quay and
storage tanks
1c. LoC at Storage
Tanks
Hose Failure
Coupling Failure
OverpressureMechanical
Failure
ImpactWear / Tear /
Abrasion
OverpressureMechanical
Failure
Incorrect
Connection /
Torque
Pipeline failure Flange FailureValve / Pump
Failure
Overpressure
Mechanical
Failure
Impact
Corrosion
Erosion
Structural
support
failureOverpressure Impact
Incorrect
Connection /
Torque
Incorrect
Gasket
Overpressure ImpactOverpressure
Seal /
Gasket failure
Corrosion
Corrosion Impact OverpressureStructural
support
failure
Over Filling
Filling
Wrong
Tank
Failure in
Level
Control
Undersized
Vents
Excessive
filling rate
Valve /
Flange
accidentally
opened
Ship movement
Floating
roof
failure
How else could it go wrong?More of?
Less of?
None of?
Different type of?
Different temperature?
Different viscosity?
Different pH?
Different route?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Step by step assessment to ‘is it safe?’
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Identify protective measures / barriers in place to prevent the loss of control
Layers of Protection Layers of Protection
Identify mitigation measures / barriers in place to prevent or limit the consequences
Control & Mitigation Measures
Physical barrier to
protect against
impact
High voltage cables
routed at height
Barrier Type: Attributes
1 Passive Hardware The barrier works by virtue of its presence Act2 Active Hardware All elements in the barrier are executed by
technology
Detect Decide Act
3 Active Hardware
& Human
(predominately
hardware)
The barrier is a combination of human behaviour and
technological execution
Techology
Detects &
Alarm
Human
decide
Human
Initiates
response
4 Active Human The barrier consists of human actions, often
interacting with technology
Human
observation
Human
evaluation
Human acts
(including
acting
through
techology)5 Continuous The barrier is always operating Continuous
FunctionPressure relief valve
Automatic high level
shut down system
High pressure alarm
and human response
to reduce operational
pressure
Earth bonding
Cooling systems
Visual inspection
and mechanical
calibration
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
How often & How Bad?
Identify protective measures / barriers in place to prevent the loss of control
Layers of Protection Layers of Protection
Identify mitigation measures / barriers in place to prevent or limit the consequencesHow
often?
How bad?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
How often & How Bad?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Courtesy of HSE 1
How Reliable?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Barrier Type: Attributes
1 Passive Hardware The barrier works by virtue of its presence Act2 Active Hardware All elements in the barrier are executed by
technology
Detect Decide Act
3 Active Hardware
& Human
(predominately
hardware)
The barrier is a combination of human behaviour and
technological execution
Techology
Detects &
Alarm
Human
decide
Human
Initiates
response
4 Active Human The barrier consists of human actions, often
interacting with technology
Human
observation
Human
evaluation
Human acts
(including
acting
through
techology)5 Continuous The barrier is always operating Continuous
Function
How do things fail?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Nicely:• Predictably
• Steadily
• According to engineering calculations and design lives
• Provide early warning of failure
• Allow for recovery
Unhelpfully:• Erratically
• Without warning or previous mal-function
• Early
• Allowing for no recovery
How do things fail?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Nicely? Unhelpfully?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
How Reliable?
Safety Critical guide questions:
Does the barrier lie on the critical path to a major accident e.g. is this a major hazard initiator should it fail?Does the control measure / barrier directly relate to controlling process conditions e.g. temperature, pressure, flow, level which could directly lead to a loss of containment? Does the control measure / barrier guard against another important loss of containment failure mechanism, e.g. corrosion, stress, impact?How essential is the control or mitigation measure in preventing a loss of containment e.g.o Essential?o Important?o Moderately relevant?o Marginal?o Supplementary / adjunct to a more important control measure?
Vulnerability guide questions:
Does the control measure / barrier fail in a predictable and well understood way and time in the plant lifecycle?
Does the control measure / barrier provide any early warning, of failure e.g. leak before fail, excess vibration to flag up a potential component failure?
Is there is opportunity to recover the loss of containment, e.g. limit the extent of release, rapidly shut down the system or to capture or contain the release through bunding or other secondary containment measures?
Does the correct functioning of the control measure rely partly or wholly on human intervention?
Is the barrier last in line in the hierarchy of control measures e.g. if it fails there will be a loss of containment?
Criticality & Vulnerability
How do control measures fail and how important are they?
How often & How Bad?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Layers of Protection Layers of Protection
Determine the reliability (performance) of each barrier
Determine the reliability (performance) of each barrier
Determine the frequency of each
initiating event
Determine the frequency of loss
of control
Determine the frequency of the cedible outcomes
Is it safe – risk acceptability?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Expected
>10-2/y
Unexpected 10-2-10-3/y
Unlikely
10-3-10-4/y
Very Unlikely
10-4-10-5/y
Remote
10-5-10-6/y
Extremely Remote
10-6-10-7/y
Negligible
<10-7/y
Insignificant
No causalitiesMinor
Minor injury
SignificantOne serious
injury
Serious1 onsite
fatality or
several
serious
injuries
Severe2-10 onsite
fatalities or 1
offsite fatality
Major11-50
fatalities
Likeliho
od
Consequences
Broadly Acceptable
Intolerable
Tolerable if ALARP
(Big) Problem 2
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Layers of Protection Layers of Protection
Determine the reliability (performance) of each barrier
Uncertainty Uncertainty Uncertainty Uncertainty UncertaintyX X X =X
Determine the reliability (performance) of each barrier
Determine the frequency of each
initiating event
Determine the frequency of loss
of control
Determine the frequency of the cedible outcomes
Is it safe – risk acceptability?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Expected
>10-2/y
Unexpected 10-2-10-3/y
Unlikely
10-3-10-4/y
Very Unlikely
10-4-10-5/y
Remote
10-5-10-6/y
Extremely Remote
10-6-10-7/y
Negligible
<10-7/y
Insignificant
No causalitiesMinor
Minor injury
SignificantOne serious
injury
Serious1 onsite
fatality or
several
serious
injuries
Severe2-10 onsite
fatalities or 1
offsite fatality
Major11-50
fatalities
Likeliho
od
Consequences
Broadly Acceptable
Intolerable
Tolerable if ALARP
Is it safe – risk acceptability?
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Expected
>10-2/y
Unexpected 10-2-10-3/y
Unlikely
10-3-10-4/y
Very Unlikely
10-4-10-5/y
Remote
10-5-10-6/y
Extremely Remote
10-6-10-7/y
Negligible
<10-7/y
Insignificant
No causalitiesMinor
Minor injury
SignificantOne serious
injury
Serious1 onsite
fatality or
several
serious
injuries
Severe2-10 onsite
fatalities or 1
offsite fatality
Major11-50
fatalities
Likeliho
od
Consequences
Broadly Acceptable
Intolerable
Tolerable if ALARP
The chance of a fatal accident during tank filling is between 1 in every 10000 and 1 in 100,000 years but only if the calculations on event frequencies and the reliability of the control measures is correct and proving that all this works as intended every day that hazard is present at the facility.
Friend or Foe?Definitely a friend
But a very dangerous friend if we forget what uncertainty lies within
And we must find better ways to communicate the outcomes of risk assessments and the uncertainties associated with ‘single point’ conclusions that are seen as fixed forever.
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK
Thank youAny Questions?
For more information contact:[email protected]
www.iantravers.co.uk