risk assessment friend or foe?

Risk Assessment – Friend or Foe?

LEARNING FROM 35 YEARS IN MAJOR HAZARD RISK CONTROL

IAN TRAVERS LTD. PROCESS SAFETY CONSULTANCY WWW.IANTRAVERS.CO.UK

Ian Travers Process Safety [email protected]

IOSH –Hazardous Industries Group

What is Risk Assessment ?


Purpose:

To determine the consequences of a adverse or harmful incident, what the initiating events for such an incident are and to then determine the control and mitigation measures required to reduce the likelihood of the event to an acceptable level.

So what’s the (my) problem?

•Risk assessment findings are used as if the conclusions are absolute, and a guarantee of absence of risk / harm

•Considerations and uncertainties are lost once a conclusion is reached –what’s not taken forward is as important as what is

•Risk matrices fix risk at a set point forever (or until it goes wrong)•Confusing terminology such as TIF ALARP and risk of 1 x 10-6/yr which

can’t be easily understood by non-specialists•What the risk value depends upon is soon forgotten•Many organisations need to hire in expert help on risk assessment so

may not own the conclusions or be able to challenge the findings


Why is it difficult?


Consider the ‘risk’ depicted in these two illustrations.What’s the difference in risk between the two?

Try to answer – is this situation safe?

When ‘is it safe?’ is not obvious we have to determine risk using agreed methods


• How could it go catastrophically wrong?• Where / when will most likely go wrong?• What controls or systems are needed to prevent a

major incident?• Which of these controls are most important? • Which are most vulnerable to failure?• Have we got sufficient controls in place?

Problem 1


Hazards are generic Controls have to be context based

Risks are context based

Many paths to harm

Loss of Control Outcome

Hazards/Threats

Preventive Barriers

Mitigation Barriers


Step by step assessment to ‘is it safe?’


Identify the consequences to be

avoided

Model the extent and severity

Identify the hazard(s) which can give rise to

harm

Identify the way each initiating event can lead to

a loss of control

Identify all the initiating events which can lead to a

loss of control

ImpactPotential

Harm

Decide if the risk is acceptable

How and where can things go wrong?


How and where can things go wrong?


Major Accident

Scenarios

1. Ship offloading &

Product Transfer to

Bulk Tanks

2. Static Storage (no

product movement)

3. Road Tanker

Filling

4. External Events

1a. Ship-shore

connection

1b. Pipelines to bulk

tanks (including

pumps, valves &

flanges)

1c. Storage Tanks

2a. At tank

2b. Within bund from

equipment

3a. At loading gantry

3b. Within tank

bund(s)

a. Fire / Explosion on vessel in

dock

c. Fire / Explosion in premises

adjacent to Depot

b. Aircraft Impact

d. Seismic event

e. Lightning

3c. Storage Tank

f. Flooding

h. High Winds

3a. Ship bunkering

Where can things go wrong?

How can things go wrong?


1. Loss of

Containment during

ship offloading into

storage tanks

1a. Ship-Shore

Connection

1b. Pipeline / equipment

failure between quay and

storage tanks

1c. LoC at Storage

Tanks

Hose Failure

Coupling Failure

OverpressureMechanical

Failure

ImpactWear / Tear /

Abrasion

OverpressureMechanical

Failure

Incorrect

Connection /

Torque

Pipeline failure Flange FailureValve / Pump

Failure

Overpressure

Mechanical

Failure

Impact

Corrosion

Erosion

Structural

support

failureOverpressure Impact

Incorrect

Connection /

Torque

Incorrect

Gasket

Overpressure ImpactOverpressure

Seal /

Gasket failure

Corrosion

Corrosion Impact OverpressureStructural

support

failure

Over Filling

Filling

Wrong

Tank

Failure in

Level

Control

Undersized

Vents

Excessive

filling rate

Valve /

Flange

accidentally

opened

Ship movement

Floating

roof

failure

How else could it go wrong?More of?

Less of?

None of?

Different type of?

Different temperature?

Different viscosity?

Different pH?

Different route?


Step by step assessment to ‘is it safe?’


Identify protective measures / barriers in place to prevent the loss of control

Layers of Protection Layers of Protection

Identify mitigation measures / barriers in place to prevent or limit the consequences

Control & Mitigation Measures

Physical barrier to

protect against

impact

High voltage cables

routed at height

Barrier Type: Attributes

1 Passive Hardware The barrier works by virtue of its presence Act2 Active Hardware All elements in the barrier are executed by

technology

Detect Decide Act

3 Active Hardware

& Human

(predominately

hardware)

The barrier is a combination of human behaviour and

technological execution

Techology

Detects &

Alarm

Human

decide

Human

Initiates

response

4 Active Human The barrier consists of human actions, often

interacting with technology

Human

observation

Human

evaluation

Human acts

(including

acting

through

techology)5 Continuous The barrier is always operating Continuous

FunctionPressure relief valve

Automatic high level

shut down system

High pressure alarm

and human response

to reduce operational

pressure

Earth bonding

Cooling systems

Visual inspection

and mechanical

calibration


How often & How Bad?

Identify protective measures / barriers in place to prevent the loss of control


Identify mitigation measures / barriers in place to prevent or limit the consequencesHow

often?

How bad?




Courtesy of HSE 1

How Reliable?


Barrier Type: Attributes

1 Passive Hardware The barrier works by virtue of its presence Act2 Active Hardware All elements in the barrier are executed by

technology

Detect Decide Act

3 Active Hardware

& Human

(predominately

hardware)

The barrier is a combination of human behaviour and

technological execution

Techology

Detects &

Alarm

Human

decide

Human

Initiates

response

4 Active Human The barrier consists of human actions, often

interacting with technology

Human

observation

Human

evaluation

Human acts

(including

acting

through

techology)5 Continuous The barrier is always operating Continuous

Function

How do things fail?


Nicely:• Predictably

• Steadily

• According to engineering calculations and design lives

• Provide early warning of failure

• Allow for recovery

Unhelpfully:• Erratically

• Without warning or previous mal-function

• Early

• Allowing for no recovery

How do things fail?


Nicely? Unhelpfully?


How Reliable?

Safety Critical guide questions:

Does the barrier lie on the critical path to a major accident e.g. is this a major hazard initiator should it fail?Does the control measure / barrier directly relate to controlling process conditions e.g. temperature, pressure, flow, level which could directly lead to a loss of containment? Does the control measure / barrier guard against another important loss of containment failure mechanism, e.g. corrosion, stress, impact?How essential is the control or mitigation measure in preventing a loss of containment e.g.o Essential?o Important?o Moderately relevant?o Marginal?o Supplementary / adjunct to a more important control measure?

Vulnerability guide questions:

Does the control measure / barrier fail in a predictable and well understood way and time in the plant lifecycle?

Does the control measure / barrier provide any early warning, of failure e.g. leak before fail, excess vibration to flag up a potential component failure?

Is there is opportunity to recover the loss of containment, e.g. limit the extent of release, rapidly shut down the system or to capture or contain the release through bunding or other secondary containment measures?

Does the correct functioning of the control measure rely partly or wholly on human intervention?

Is the barrier last in line in the hierarchy of control measures e.g. if it fails there will be a loss of containment?

Criticality & Vulnerability

How do control measures fail and how important are they?




Determine the reliability (performance) of each barrier


Determine the frequency of each

initiating event

Determine the frequency of loss

of control

Determine the frequency of the cedible outcomes

Is it safe – risk acceptability?




Expected

>10-2/y

Unexpected 10-2-10-3/y

Unlikely

10-3-10-4/y

Very Unlikely

10-4-10-5/y

Remote

10-5-10-6/y

Extremely Remote

10-6-10-7/y

Negligible

<10-7/y

Insignificant

No causalitiesMinor

Minor injury

SignificantOne serious

injury

Serious1 onsite

fatality or

several

serious

injuries

Severe2-10 onsite

fatalities or 1

offsite fatality

Major11-50

fatalities

Likeliho

od

Consequences

Broadly Acceptable

Intolerable

Tolerable if ALARP

(Big) Problem 2




Uncertainty Uncertainty Uncertainty Uncertainty UncertaintyX X X =X


Determine the frequency of each

initiating event

Determine the frequency of loss

of control

Determine the frequency of the cedible outcomes



Expected

>10-2/y


Unlikely

10-3-10-4/y

Very Unlikely

10-4-10-5/y

Remote

10-5-10-6/y

Extremely Remote

10-6-10-7/y

Negligible

<10-7/y

Insignificant

No causalitiesMinor

Minor injury


injury

Serious1 onsite

fatality or

several

serious

injuries

Severe2-10 onsite

fatalities or 1

offsite fatality

Major11-50

fatalities

Likeliho

od

Consequences

Broadly Acceptable

Intolerable

Tolerable if ALARP



Expected

>10-2/y


Unlikely

10-3-10-4/y

Very Unlikely

10-4-10-5/y

Remote

10-5-10-6/y

Extremely Remote

10-6-10-7/y

Negligible

<10-7/y

Insignificant

No causalitiesMinor

Minor injury


injury

Serious1 onsite

fatality or

several

serious

injuries

Severe2-10 onsite

fatalities or 1

offsite fatality

Major11-50

fatalities

Likeliho

od

Consequences

Broadly Acceptable

Intolerable

Tolerable if ALARP

The chance of a fatal accident during tank filling is between 1 in every 10000 and 1 in 100,000 years but only if the calculations on event frequencies and the reliability of the control measures is correct and proving that all this works as intended every day that hazard is present at the facility.

Friend or Foe?Definitely a friend

But a very dangerous friend if we forget what uncertainty lies within

And we must find better ways to communicate the outcomes of risk assessments and the uncertainties associated with ‘single point’ conclusions that are seen as fixed forever.



Thank youAny Questions?

For more information contact:[email protected]

www.iantravers.co.uk

risk assessment friend or foe?

Documents