
Safety Report Assessment Guide: Chemical Warehouses - Criteria

Criterion 3.1    "The safety report should clearly describe how the Operator uses risk assessment to help make decisions about the measures necessary to prevent major accidents and to mitigate their consequences."

The purpose of this criterion is to help the Assessor determine if the Operator's approach to risk assessment is suitable and sufficient (i.e. proportionate and systematic). Since this can only be properly assessed after the safety report has been read, it is probable that Assessors will need to return to this criterion at the end of the assessment process. To this end the following questions and answers may prove useful:-

Q: Has the Operator a policy on risk assessment?

This is an important point because the Operator must demonstrate a risk-based approach to his activities and to the production of the safety report. Failure to provide adequate evidence on this point may be viewed as a failure to comply with both the Management and the COMAH Regulations. The section of the safety report dealing with the major accident prevention policy (MAPP) will inform the Assessor on this issue.

Companies that manage their business with the aid of risk assessment might refer to the use of risk assessment in areas of safety management such as COSHH, the identification of procedures for dealing with spills, the permit to work system, fork-lift truck operations and segregation of hazardous substances. In these cases there may be reference to one or more formalised methods of determining risks such as event tree, fault tree and FMEA, and the use of risk assessment will probably not be confined to major accident analysis, but be detectable throughout the report. Assessors should not forget that risk assessment does not necessarily involve quantification and that qualitative risk assessment has its place in the demonstration of safe operation.

Examples of non-quantified approaches that are acceptable include:-

Q: Does the safety report summarise the methods of risk assessment or quantified risk assessment that are used in the report?

The Operator should describe the extent to which the Company relies on recognised standards and good practices and demonstrate that the standards are appropriate. He should describe the methods used to determine risks and give details of the competence and expertise of the people carrying out the risk assessment. In addition he should describe how the significance of the results of risk assessment is determined and the basis on which they are implemented.

Since the regulations call for a risk assessment, the safety report should describe the approach adopted. If a QRA has been undertaken, the information that should be presented includes:-

If a non-quantified approach is adopted because the risks are low, the basis for demonstrating that the residual risks are both tolerable and ALARP should be given. One or more of the following is acceptable if supported by well reasoned argument:-

Q: Does the safety report summarise the criteria for use with the risk assessments or quantified risk assessments that are used in the report?

Operators should summarise the criteria used to judge when risks are tolerable. Ideally this should appear near the beginning of the report so that the Assessor can make the following judgements:-

Q: Does the safety report state the basis for judging whether all necessary measures have been taken to prevent major accidents and to limit their consequences?

The way Operators demonstrate that all necessary measures have been implemented is likely to depend on their approach to risk assessment. Most will not base their report on QRA and will be able to satisfy the requirements of the regulations by demonstrating compliance with good practice and adherence to standards and regulatory guidance. If a significant number of off-site casualties are predicted as a consequence of the worst accidents, other more quantitative approaches may be required.

For example:-

or

or

Assessors should not expect to see detailed cost benefit calculations in a COMAH safety report, but Operators should list possible practical improvements and justify why they are not implemented.

Q: Is the Operator aware of the ALARP principle and is he using it in conjunction with cost benefit analysis to ensure that all necessary measures are taken to reduce the probability of a major accident?

Fundamental to the demonstration that "all necessary measures" have been taken to reduce the risk from the site is evidence to show that risks are ALARP. An Operator who fails to provide this evidence fails to comply with the regulations.

Demonstrating that risks are ALARP is easier if operational risks are quantified in some way, but risk quantification is not an essential requirement of the COMAH regulations. Operators should describe how they decide when risks are ALARP and show that additional safety measures are not justified on cost grounds, but Assessors should not expect to see detailed cost benefit analysis arguments in a safety report. They should use their knowledge and expertise to make professional judgements about the adequacy of existing safety measures and the acceptability of the absence of additional safety systems that might be grossly disproportionate to implement.

Q: Has the Operator demonstrated a routine and general application of risk assessment in different aspects of operations, or has a limited amount of quantified analysis been carried out for the sole purpose of the safety report?

The safety report should convince the Assessor that the Operator understands risk assessment and routinely uses it to reduce risks at all levels and in all aspects of site operations. The complexity of such uses and level of detail given in the safety report should be proportionate to the risks involved.

The tone of the safety report and the way it is written will be a reliable indicator of the Operator's use and understanding of risk assessment. Assessors should look to the MAPP for evidence of a risk assessment culture rather than the accident analysis that may have been carried out by a consultant.

Criterion 3.1.1    "It should be clear that human factors have been taken into account in the risk analysis."

When making a judgement about compliance of the safety report with this criterion, Assessors should pose the following questions:-

Q: Has the Operator demonstrated that the risk assessment he has carried out to aid decision-making on the measures necessary to prevent major accidents and to mitigate their consequences includes allowance for human factors?

Risk assessment should consider all types of operator error that can result in a major accident (fire) or a dangerous situation. The Operator should describe the role operatives play in controlling hazard and show that their potential errors are identified. He should also describe measures that have been taken to reduce their probability and how they are accounted for in the major accident analysis. The safety report should demonstrate that his systems and procedures are fit for purpose and incorporate adequate attention to human factors. This may be described in the management section dealing with staff training, competence assessment, and the way incidents and near misses are dealt with.

Accounting for human error in risk assessment is not straightforward because some human reliability literature data are not universally applicable. Assessors should primarily be concerned with checking that human reliability is included in the analysis rather than with the accuracy of the data used.

Q: Does the safety report consider an adequate range of human failings?

Inclusion of human factors in risk assessment does not only mean identifying poor fork lift truck driving or poorly controlled hot work as potential fire initiators. Events such as corner cutting, unauthorised absence, and even sabotage may warrant consideration. Errors at the design and construction stage of storage vessels should not be overlooked.

Examples of the types of event which may warrant consideration are:-

In practice many safety reports will not address human factors as thoroughly or with as much rigour as engineering issues. This can be understood in the light of traditional approaches to safety and safety reports, but cannot be justified where human reliability plays a critical role.

The following are examples of common omissions in safety reports:-

The potential for an operator to override designed safety features has not been covered.

There should be some mention of 'violations' or 'breaking the rules' as well as 'human error'.

The hazard analysis process failed to identify anything more than errors of omission (the operator failing to act).

Most safety reports need to consider errors of commission (an operator making an action but the wrong one), or decision making errors.

The role of people other than as front-line operators (eg maintainers, supervisors) is not considered.

Many human failures are the result of actions, omissions and decisions taken by other people including designers and managers. For example, the potential for a maintenance error on a safety related system may not be addressed in the RA process.

There was no consideration of the possibility of a hardware failure with a simultaneous human error.

There should be some appreciation that when the hardware of a protective system fails the operator may also not respond in the intended manner.

The operator is being asked to do a critical task that would probably be more reliably done automatically.

There appears to be undue reliance on an operator to identify and respond rapidly to an alarm condition.

If so, the Assessor will need some justification of the human error probability included. This should be justified in relation to the specific design of the system interface in use on site rather than a generic value taken from a table.

There is reliance on 'heroic' acts by operatives to recover situations eg going back to the control room when suffering from effects of toxic gas.

Q: Does the safety report show how human factors are included in the risk assessment?

Data tells us that human failures contribute up to 80% of industrial accidents. Even in oil refineries, which are highly capitalised and automated, the figure is 50%. The implications of this run throughout the safety report and through many of the assessment criteria, so they will need to be considered by several members or all of the assessment team.

The safety report should consider in a rigorous and proportionate way how operators may contribute to the initiation of a major accident (see Criterion 3.4.4). It should also describe the part operators play in controlling hazards and risks. If an operative is required to take certain actions following an alarm, the risk analysis will need to make assumptions about the likelihood that the correct action is taken. For example, if the economic consequences of emergency shutdown are great, the operator may very well hesitate or fail completely to press the button.

If a task is critical to the prevention of a major hazard and an unrealistically high level of human reliability has to be assumed to make the risks ALARP, this may not be acceptable as it places an undue burden on the operator. Instead automatic control and protection systems can be used to reduce the reliance on the operator to intervene correctly. To achieve the required reliability it may be necessary to build redundancy and diversity into the control systems.

Not all safety reports will need to quantify human reliability. The focus should be on demonstrating the quality of the training and supervision. If a human reliability figure is used in a fault tree, the Assessor should check that the top event is not sensitive to the value adopted.
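The sensitivity check described above, as an added illustration that is not part of the HSE guide: a small fault tree with constructed event values, comparing a design that relies on the operator alone with one that has automatic suppression and the operator as a diverse back-up, to see how far the top event moves if the assumed human error probability (HEP) turns out to be optimistic.

```python
# Added illustration, not part of the HSE guide: a small fault tree for a
# warehouse fire scenario, used to check whether the top-event frequency is
# sensitive to the human error probability (HEP) assumed for the operator's
# response to a fire alarm. All event values below are constructed for the
# example and are not taken from any real site or data source.

def or_gate(*probs):
    """Probability that at least one input occurs (independent inputs)."""
    p_none = 1.0
    for p in probs:
        p_none *= 1.0 - p
    return 1.0 - p_none

def and_gate(*probs):
    """Probability that all inputs occur (independent inputs)."""
    p_all = 1.0
    for p in probs:
        p_all *= p
    return p_all

# Constructed basic-event values: per year for initiators, on demand for safeguards.
P_ELECTRICAL_FAULT = 1e-2
P_HOT_WORK_IGNITION = 5e-3
P_FLT_IMPACT_IGNITION = 2e-3
P_DETECTION_FAILS = 1e-3          # common to automatic and manual response
P_AUTO_SUPPRESSION_FAILS = 1e-2

def fire_initiated():
    """OR gate over the constructed ignition sources."""
    return or_gate(P_ELECTRICAL_FAULT, P_HOT_WORK_IGNITION, P_FLT_IMPACT_IGNITION)

def top_event_operator_only(hep):
    """Design relying solely on the operator to act on the alarm."""
    return and_gate(fire_initiated(), or_gate(P_DETECTION_FAILS, hep))

def top_event_auto_with_backup(hep):
    """Automatic suppression with the operator as a diverse back-up (redundancy)."""
    protection_fails = or_gate(P_DETECTION_FAILS,
                               and_gate(P_AUTO_SUPPRESSION_FAILS, hep))
    return and_gate(fire_initiated(), protection_fails)

def sensitivity_ratio(top_fn, hep_assumed, hep_pessimistic):
    """Factor by which the top event grows if the true HEP is hep_pessimistic."""
    return top_fn(hep_pessimistic) / top_fn(hep_assumed)

def is_sensitive(top_fn, hep_assumed, max_factor=2.0):
    """Flag the tree if a tenfold worse HEP more than doubles the top event."""
    hep_pessimistic = min(1.0, 10 * hep_assumed)
    return sensitivity_ratio(top_fn, hep_assumed, hep_pessimistic) > max_factor

if __name__ == "__main__":
    for name, fn in [("operator only", top_event_operator_only),
                     ("auto + backup", top_event_auto_with_backup)]:
        ratio = sensitivity_ratio(fn, 0.01, 0.1)
        print(f"{name}: top event x{ratio:.2f} at HEP 0.1 vs 0.01; "
              f"sensitive={is_sensitive(fn, 0.01)}")
```

An Assessor would expect a report whose tree behaves like the "operator only" case to justify the HEP against the site-specific interface, not a generic table value.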

Q: Does the safety report describe how the probability of operator error is reduced?

In the context of operator error and how the company ensures that it is minimised, the safety report should:-

Criterion 3.1.2     "Any criteria for eliminating possible hazardous events from further consideration should be clearly justified."

This criterion deals with the Operator's limitation of accident analysis in the safety report and can be judged by reference to the following:-

Q: Have any major accidents been discounted on probability grounds?

Operators are obliged to demonstrate that low frequency events with severe consequences are adequately controlled - that all necessary measures have been taken to prevent their occurrence. However, most safety reports are unlikely to determine the consequences and frequency of very improbable accident initiators such as a meteor strike, simultaneous multiple failures of reliable systems, and terrorist activity. It is essential that the risk-dominating accidents be dealt with comprehensively and that accidents such as lightning strike or aircraft impact should not be discounted.

In general an Operator will present consequence analysis for some but not all warehouses on his site. Provided the risks do not vary greatly, such an approach is acceptable, but the reasons for not considering fires in a particular warehouse should be given.

Q: Does the safety report unjustifiably eliminate 'small scale' releases?

It is reasonable for the Operator to reduce the number of release cases by defining a scale of event that will not lead to a MA. For example, the consequence assessment may show that any failure resulting in a release smaller than that equivalent to a 10 mm diameter hole does not produce a hazard to on-site or off-site populations. This provides a basis for defining major accident hazards. However, Operators may need to take account of smaller flammable releases into confined spaces, which might ignite and explode and trigger a more severe accident. The Operator should also consider any known or foreseeable changes to the sensitivity of the surrounding environment, eg future dwellings which may be built nearer to the site boundary, as these can affect the appropriate degree of proportionality. Such changes should also be considered whenever the risk assessment is reviewed.

In situations where this 'protection' based approach is not sufficiently limiting, ie the hazard ranges from very small releases extend into populated areas, a risk based approach may be needed. This requires the contribution to the residual risk of releases of different sizes to be considered so that a justifiable 'cut-off' can be decided. All contributions to release likelihood need to be taken into account; otherwise the 'cut-off' may be overly optimistic.

Q: Has the Operator determined the consequences of accidents in different warehouses at different times of year?

It is reasonable for Operators to describe in detail the consequences of only a relatively small number of warehouse fires/explosions, provided all significant accident initiators are identified and ranked according to the risk they pose. The consequences of fires in different warehouses and at different times of the year should be determined, particularly where inventories change significantly. The Operator should demonstrate that the risks are ALARP, but he has discretion on the way this is done subject only to the requirement that the results are convincing.

Q: Is adequate justification provided for dismissing major accidents on the grounds of low probability?

A safety report may describe the consequences of a representative set of accidents, provided account is taken of all major accidents. In particular it should describe the risk from all accidents that the Company has taken measures to prevent occurring. The frequency determinations do not necessarily have to involve the application of formalised methods such as fault tree analysis. Reference to appropriate source material/documents, industry standards etc. is likely to be the norm.

The safety report should also demonstrate that risks from accidents for which no preventative measures are taken are tolerable. In general these will be low probability events initiated by an off-site event such as aircraft impact or an earthquake.

Incredible accidents are not clearly defined in this context, and Assessors are expected to use common sense and professional judgement about events that can be neglected. Examples include meteor strike, terrorist activity and simultaneous failure of several diverse and redundant safety systems.

Q: Has the Operator determined or ranked the frequency of all major accidents?

Most warehouse safety reports are unlikely to present a detailed quantification of the probability of fire or explosion. It is acceptable for the accident analysis to quote historical data and the results of surveys of the causes and probability of fire in warehouses. Assessors should expect Operators to demonstrate that the risks at their sites are tolerable on account of adequate management systems and installed safeguards.

Assessors should recognise that the COMAH regulations do not call for a full QRA. Frequency evaluation for highly improbable accidents does not need to be as detailed as that for risk-dominating sequences and can be based on historical data, industry standards and regulatory guidance, etc. However, a statement such as 'the probability of this accident is judged to be less than 10^-6' is not acceptable if it is not backed with supporting evidence. A poorly documented or sparsely detailed frequency analysis that appears somewhat optimistic may be judged as failing to comply with the assessment criteria.

Operators are obliged to demonstrate that low frequency events with severe consequences are adequately controlled, ie that all measures necessary have been taken to prevent their occurrence. If precautions have been taken to reduce the probability of an accident, then the consequences of the event must be assessed so that they can be balanced against the precautions.

If the Operator has not attempted to quantify accident frequencies, but builds a case based on terms such as high, medium and low probability, he should rank the accidents according to their perceived severity. Without any quantification it is difficult to determine if an accident that kills a few people with "medium likelihood" is worse than one that kills many people with "very low likelihood". In such cases, the Operator should determine that both risks are tolerable.