M

CIVL4170 Risk Analysis Lecture 7&8 Notes

Lecture Overview

  • Steps in Risk Management (ISO31000 Framework):
    • Step 1: Establish the Context
    • Step 2: Risk Identification
    • Step 3: Risk Analysis
    • Step 4: Risk Evaluation
    • Step 5: Risk Treatment
  • Focus: Risk Identification, Analysis, and Treatment (building upon Week 3's content).

Example Risk Assessment: Road Tanker Filling at a Depot

  • Scenario: Assessing risks associated with filling a road tanker at a tanker depot.
  • Depot Details:
    • Receives petrol and diesel via underground pipeline from a local refinery.
    • Pumps fuel from underground tanks into road tankers.
    • Employs 20 workers in an office building.
    • Has four truck loading bays, allowing simultaneous loading of four trucks.
    • Equipped with spill kits at each loading bay.
    • Utilizes mobile plant on-site.
  • Safety Features:
    • Operators present.
    • Manual emergency stop button to halt flow to the loading bay.
    • Overflow bunds to divert fuel into safe storage.
    • Emergency clean-up equipment available.

Product Information

  • Unleaded Petrol:
    • Solubility in Water: Nil
    • Specific Gravity: 0.73-0.75
    • Relative Vapour Density (air = 1): 3.5
    • Vapour Pressure: 67 kPa at 37.8^\circ C
    • Flash Point: -40^\circ C
    • Flammability Limits: 1.4 - 7.4%
  • Diesel:
    • Solubility in Water: Nil
    • Specific Gravity: 0.82-0.85
    • Relative Vapour Density (air = 1): >1
    • Vapour Pressure: <0.1 kPa at 20^\circ C
    • Flash Point: >61.5^\circ C

Risk Assessment Scope Definition

  • Project Name: Fuel transfer from bulk storage tank in tank farm to road tanker for transport to customer.
  • Category:
    • In Scope: As described above
    • Out of Scope: Activities carried out on tank when out-of-service (e.g. cleaning, major refurbishment work etc). The process of loading the tanks from the ships
  • People:
    • Involved: Operators, maintenance teams, tanker drivers, potentially impacted on- and off-site personnel.
    • Excluded: Unauthorized persons/trespassers, ship personnel.
  • Locations:
    • Included: Tank farm (Brisbane, Australia), plant tank bund areas, gas dispersion and blast zones, control room.
    • Excluded: Areas outside bund and gas dispersion/blast zones.
  • Equipment:
    • Included: Tanks, piping, valves, instruments, control systems, bunds, road tankers.
    • Excluded: Equipment used for tank/tanker maintenance or cleaning.
  • Activities:
    • Included: Filling, emptying, maintaining tanks/piping/instrumentation, on-site driving, connecting and filling road tankers.
    • Excluded: Activities carried out on tank when out-of-service (e.g. cleaning, major refurbishment work etc). The process of loading the tanks from the ships
  • Timeframes:
    • Continuous: 24/7, 365 days/year, including shift handover considerations (typical tanker filling ~1 hour).
    • Excluded: Potential major upgrades to tank, control system or site infrastructure in the future. Excludes decommissioning
  • Environmental Considerations:
    • Included: Brisbane climatic and environmental conditions (cyclones, heavy rain, strong winds, lightning, floods).
    • Excluded: Extreme cold/snow/icing events, bushfires, earthquakes, tsunamis.
  • Scenarios:
    • Included: Loss of containment of liquid leading to fire/explosion, causing fatalities, environmental contamination, and asset losses.
    • Excluded: Sabotage, minor injury or asset damage scenarios.
  • Other Assumptions:
    • Road tankers are in roadworthy condition, all people able to communicate in English, only petrol and diesel pumped into tankers.

Step 2: Risk Identification (HAZID)

  • Hazard: Potential source of harm, often an energy source that, if uncontrolled, causes damage.
  • Description of Hazard: Detailed information about the hazard (drop-down list).
  • Description of Unwanted Event Scenario: Describes the initial loss of control or containment (the "knot" or "top event").
  • Description of Causes: Details about the threats that could release the hazard.
  • Description of the Consequence: The outcome or impact of an unwanted event.

Step 2: Risk Identification - Example Solutions

  • Hazard Ref: Mechanical - moving vehicles or parts
    • Description of Hazard: Large road tankers maneuvering onsite.
    • Description of Unwanted Event Scenario: Unwanted contact between vehicle and operator.
    • Causes: Driver error, driver illness, poor visibility, poor directions.
    • Consequences: Operator/worker hit resulting in severe injury/fatality.
  • Hazard Ref: Mechanical - moving vehicles or parts
    • Description of Hazard: Large road tankers maneuvering onsite.
    • Description of Unwanted Event Scenario: Uncontrolled contact between vehicle and pipework/storage tanks (major loss of containment).
    • Causes: Driver error, driver illness, poor visibility, poor directions.
    • Consequences: Major loss of containment of fuel.
  • Hazard Ref: Mechanical - moving vehicles or parts
    • Description of Hazard: Mobile road tankers connected to fixed plant.
    • Description of Unwanted Event Scenario: Uncontrolled movement of vehicle during filling, disconnecting pipes (major loss of containment).
    • Causes: Handbrake not applied/faulty, driver error.
    • Consequences: Major loss of containment of fuel.
  • Hazard Ref: Chemical - toxic, flammable/explosive
    • Description of Hazard: Petrol which is flammable and explosive.
    • Description of Unwanted Event Scenario: Overfilling tanker causing a major loss in containment.
    • Causes: Inlet/outlet valve failure, blocked outlet pipe, faulty level sensors.
  • Hazard Ref: Chemical - toxic, flammable/explosive
    • Description of Hazard: Petrol which is flammable and explosive.
    • Description of Unwanted Event Scenario: Leak in feed/outlet line or tank causing major loss in containment.
    • Causes: Corrosion, fracking, external damage, loosened flange.
  • Hazard Ref: Pressure - air, spring, liquid
    • Description of Hazard: External fire or extreme temperatures.
    • Description of Unwanted Event Scenario: Overpressurizing tank.
    • Causes: Excessive external heat, failed pressure relief/vent equipment.
    • Consequences: Vapour releases resulting in a vapour cloud explosion causing multiple fatalities/injuries, severe equipment damage and onsite environmental damage.
  • Hazard Ref: Electrical - contact or arcing
    • Description of Hazard: Static electricity.
    • Description of Unwanted Event Scenario: Uncontrolled build-up of static electricity contacts petrol vapour.
    • Causes: Incorrect material selection, poor grounding/earthing.
    • Consequences: Static electricity contacts fuel vapour in top of tanker tanks causing it to explode.
  • Hazard Ref: Environmental conditions – weather/climate
    • Description of Hazard: Lightning Strikes.
    • Description of Unwanted Event Scenario: Ignition of vapour during filling.
    • Causes: Lightning strike on filling facility.
    • Consequences: Explosion in tank farm, destroying tank causing potential multiple fatalities/injuries, severe equipment damage and onsite environmental damage.
  • Hazard Ref: Gravity - falling or things falling
    • Description of Hazard: Falling objects.
    • Description of Unwanted Event Scenario: Overhead piping, fittings etc fall.
    • Causes: Corrosion, wear and tear, damage, incorrect fitment.
    • Consequences: Person injured when struck by objects falling from height.
  • Hazard Ref: Human capability – slips, lapses, errors
    • Description of Hazard: Mixing of incompatible liquids.
    • Description of Unwanted Event Scenario: Petrol pumped into diesel tanker.
    • Causes: Connection error, misidentification of liquid/tank.
    • Consequences: Contaminated inventory that if undetected could be sold to customers causing damage to vehicles.
  • Hazard Ref: N/A
    • Description of Hazard: Liquid spills into bund.
    • Description of Unwanted Event Scenario: Liquid Spills into bund and ignites causing a pool fire OR vaporizes to form a vapour cloud that explodes.
    • Causes: n/a
    • Consequences: Multiple fatalities/serious injuries, equipment damage and onsite environmental damage.

Recap Week 3

  • A failed preventative (arresting) control CAN be a cause of an unwanted event, but a mitigating control CANNOT.
  • A mitigating control mitigates the potential consequence AFTER the unwanted event. It does not impact the occurrence of the unwanted event.
  • Example:
    • Unwanted event: Person is exposed to rain
    • Preventative Control: Towel
    • Mitigating control: Raincoat
  • Hazard descriptions should be specific, e.g., "Electrical equipment" is good but not 100% perfect and better than "Electrical energy" or "Use of equipment requiring 240V electricity"
  • Unwanted event descriptions should also be specific, e.g., "Arc flash from electrical equipment or pump in confined space" is good. Could also be argued it's a consequence
  • Multiple unwanted events are possible related to the use of equipment requiring 240V.
  • Some hazards and unwanted event scenarios are less easy to describe.
  • Brainstorming, open communication, revision, and quality checks are crucial.
  • Focus is on the overall quality and spread of hazards/unwanted events, not whether one or two could have been described a bit better.

Step 3: Risk Analysis

  • Determining impact and estimating likelihood gives an overall risk ranking.

Risk Ranking Matrix

  • Likelihood: Rare, Unlikely, Moderate, Likely, Almost Certain
  • Impact (Reputation/OH&S/Asset Damage/Environment/Legal): Minor, Moderate, Serious, Major, Catastrophic
  • Matrix Example: (simplified, see slide 14 for full matrix)
    • Catastrophic & Almost Certain = 50 (Unacceptable Risk)
    • Minor & Rare = 2 (Broadly Acceptable)
  • Risk Rating Categories:
    • 15-50: High
    • 10-14: Significant
    • 4-9: Medium
    • 1-3: Low
  • Risk Acceptance Criteria:
    • Unacceptable: Operations do not continue until risk is reduced.
    • ALARP Band 1: Action as a high priority to reduce risk. Assign senior manager responsible.
    • ALARP Band 2: Action to reduce risk where possible. Assign manager responsible to monitor and review.
    • Generally Acceptable: Manage with regular monitoring and review.
    • Tolerable Risk (only if risk reduction is impracticable or it's cost is grossly disproportionate to improvement gained).

Step 3: Risk Analysis - Example Solutions

  • Builds upon the hazards and unwanted events identified earlier.
  • Each scenario is assessed for potential impact across various categories (People, Assets, Environment, Reputation).
  • An estimated likelihood is assigned to each scenario.
  • The overall risk rank is then determined based on the impact and likelihood.
  • Examples: (abbreviated, see slide 17/18 for full examples)
    • Mechanical - moving vehicles or parts: Potential for fatality (Major Impact), Moderate Likelihood = Significant Overall Risk
    • Chemical - toxic, flammable/explosive: Overfilling tanker (Catastrophic Impact), Likely Likelihood = Very High Overall Risk
    • Pressure - air, spring, liquid: Overpressurising tank (Catastrophic Impact), Unlikely Likelihood = Very High Overall Risk

Step 4: Risk Evaluation

  • Informed by the advice at the bottom of the Risk Ranking Matrix.
  • May involve additional risk assessment tools (LOPA, Bowtie analysis).
  • Evaluate your risks and consider controls required to effectively manage the risk
  • Consider monitoring and review to ensure effectiveness.

Step 4: Risk Evaluation - Example Solutions

  • Builds upon the risk analysis conducted in Step 3.
  • Each risk is evaluated based on its overall risk rank.
  • A determination is made as to whether the risk is acceptable, tolerable, or unacceptable.
  • Examples: (abbreviated, see slide 20/21 for full examples)
    • Mechanical - moving vehicles or parts (Significant Risk): Tolerable if actioned as a high priority and industry-recognized risk controls measures are implemented.
    • Chemical - toxic, flammable/explosive (Very High Risk): Unacceptable – Operations do not to continue until risk is reduced. Risk treatment considerations should include inherently safe design and defense in depth analyses.

Step 5: Risk Treatment

  • Critical step where the level of risk treatment is determined and how risks will be addressed.
  • Consider inherently safer design options first.
  • Specify what controls are needed.
  • Ensure specified controls are actual controls (measuring something is NOT controlling it).

Step 5: Risk Treatment - Inherently Safe Design

  • Requires engineers to adopt a critical thinking approach to challenging design assumptions using questions such as:
    *Why are we doing this?
    *Do we really have to perform this activity? If so, in this way?
    *What is the aim?
    *Can we eliminate, minimise, or substitute the hazardous material/activity?
    *Can we moderate or simplify the process to reduce severity and improve detection and management of unwanted deviations?

Step 5: Risk Treatment - Hierarchy of Controls

  • Elimination (most effective)
  • Substitution
  • Engineering Controls
  • Administrative Controls
  • PPE (least effective)

Step 5: Risk Treatment - Control Options

  • Aim is to stay within safe operating/working conditions.
  • Layers of Protection/Defense in Depth:
    • Automated control systems that respond to unsafe situations (independent from worker).
    • Activated to mitigate the consequences of unwanted event scenarios.
    • Fast response of trained/skilled people to mitigate accident consequences.
    • External public emergency personnel.

Step 5: Risk Treatment - What is a Control?

  • A control is an object and/or human action that, of itself, will arrest or mitigate an unwanted event sequence.
  • Sensors, training, alarms, and signage ALONE are generally not complete controls.
  • A sensor, combined with an alarm AND an automated action OR an operator action IS a control.
  • A traffic light combined with an operator response (i.e. driver stopping at a red light) IS A CONTROL
  • A boom gate at a rail crossing is a control because: There is a measurement (oncoming trains) AND a decision (to halt road traffic) AND an action (lowering a physical barrier to block road traffic)

Step 5: Risk Treatment - Example Solutions

  • Follow a systematic approach: first ISD followed by HOC.
  • Sometimes there is a bit of overlap between ISD and controls
  • Various ways to write it down clear/concise.
  • Examples:
    • Mechanical - moving vehicles or parts (Significant Risk):
      • ISD: Front and rear cameras in trucks that cover blinds spots
      • DID:
        • Engineering controls: Design in walkways to separate human and vehicle traffic, Install bollards/barriers to protect walkways, Restrict Vehicle Speeds, Traffic light system to direct vehicle movements
        • Administrative controls: (To be determined, could be driver training or route planning)
        • PPE: (To be determined, could be high-vis clothing)
    • Mechanical - moving vehicles or parts (Very High Risk):
      • ISD: Spark free electronics/intrinsitically safe wiring, Front and rear cameras in trucks that cover blinds spots
      • DID: (elimination, substitution, engineering, administrative, PPE) - Install bollards/barriers to protect walkways, Restrict Vehicle Speeds, Bund to capture and redirect spill to safe storage, LEL detection and shutdown system, Fire detection and mitigation system
    • Mechanical - moving vehicles or parts (Very High Risk):
      • ISD: Minimise slope of fill area, Engagement/tension sensor on coupling with interlock, Spark free electronics/intrinsitically safe wiring
      • DID: (elimination, substitution, engineering, administrative, PPE) - Bund to capture and redirect spill to safe storage, Lower Expolosion Limit (LEL) dectection and shutdown system, Fire detection and mitigation system, Regular inspections of vehicles, Pre-start-up checks of flanges, joints, valves, connections to tanker, Pre-start check of condition of tanker, verification of alarms
    • Petrol which is flammable and explosive:
      • ISD: Consider minimising tank volume, Spark free electronics/intrinsically safe wiring
      • DID: (add sub-headings were possible: elimination, substitution, engineering, administrative, PPE) - High level alarms and operator action, High level Safety Instrument System (SIS), LEL dectection and shutdown system Fire detection and mitigation system, Regular inspections of pipe work, Pre-start-up checks of flanges, joints, valves, connections to tanker , Pre-start check of condition of tanker, verification of alarms
    • Petrol which is flammable and explosive:
      • ISD: select non-corrosive pipe material, minimise joints in pipe work, use secure couplings
      • DID: (add sub-headings were possible: elimination, substitution, engineering, administrative, PPE) - Phsyical barriers to protect pipework ,LEL dectection and shutdown system ,Fire detection and mitigation system, Regular inspections of pipe work, Pre-start-up checks of flanges, joints, valves, connections to tanker