CIVL4170 Risk Analysis Lecture 7&8 Notes

Lecture Overview

  • Steps in Risk Management (ISO31000 Framework):
    • Step 1: Establish the Context
    • Step 2: Risk Identification
    • Step 3: Risk Analysis
    • Step 4: Risk Evaluation
    • Step 5: Risk Treatment
  • Focus: Risk Identification, Analysis, and Treatment (building upon Week 3's content).

Example Risk Assessment: Road Tanker Filling at a Depot

  • Scenario: Assessing risks associated with filling a road tanker at a tanker depot.
  • Depot Details:
    • Receives petrol and diesel via underground pipeline from a local refinery.
    • Pumps fuel from underground tanks into road tankers.
    • Employs 20 workers in an office building.
    • Has four truck loading bays, allowing simultaneous loading of four trucks.
    • Equipped with spill kits at each loading bay.
    • Utilizes mobile plant on-site.
  • Safety Features:
    • Operators present.
    • Manual emergency stop button to halt flow to the loading bay.
    • Overflow bunds to divert fuel into safe storage.
    • Emergency clean-up equipment available.

Product Information

  • Unleaded Petrol:
    • Solubility in Water: Nil
    • Specific Gravity: 0.73-0.75
    • Relative Vapour Density (air = 1): 3.5
    • Vapour Pressure: 67 kPa at 37.8 °C
    • Flash Point: -40 °C
    • Flammability Limits: 1.4 - 7.4%
  • Diesel:
    • Solubility in Water: Nil
    • Specific Gravity: 0.82-0.85
    • Relative Vapour Density (air = 1): >1
    • Vapour Pressure: <0.1 kPa at 20 °C
    • Flash Point: >61.5 °C

Risk Assessment Scope Definition

  • Project Name: Fuel transfer from bulk storage tank in tank farm to road tanker for transport to customer.
  • Category:
    • In Scope: As described above
    • Out of Scope: Activities carried out on the tank when it is out of service (e.g. cleaning, major refurbishment work, etc.); the process of loading the tanks from the ships.
  • People:
    • Involved: Operators, maintenance teams, tanker drivers, potentially impacted on- and off-site personnel.
    • Excluded: Unauthorized persons/trespassers, ship personnel.
  • Locations:
    • Included: Tank farm (Brisbane, Australia), plant tank bund areas, gas dispersion and blast zones, control room.
    • Excluded: Areas outside bund and gas dispersion/blast zones.
  • Equipment:
    • Included: Tanks, piping, valves, instruments, control systems, bunds, road tankers.
    • Excluded: Equipment used for tank/tanker maintenance or cleaning.
  • Activities:
    • Included: Filling, emptying, maintaining tanks/piping/instrumentation, on-site driving, connecting and filling road tankers.
    • Excluded: Activities carried out on the tank when it is out of service (e.g. cleaning, major refurbishment work, etc.); the process of loading the tanks from the ships.
  • Timeframes:
    • Continuous: 24/7, 365 days/year, including shift handover considerations (typical tanker filling ~1 hour).
    • Excluded: Potential major upgrades to the tank, control system or site infrastructure in the future; decommissioning.
  • Environmental Considerations:
    • Included: Brisbane climatic and environmental conditions (cyclones, heavy rain, strong winds, lightning, floods).
    • Excluded: Extreme cold/snow/icing events, bushfires, earthquakes, tsunamis.
  • Scenarios:
    • Included: Loss of containment of liquid leading to fire/explosion, causing fatalities, environmental contamination, and asset losses.
    • Excluded: Sabotage, minor injury or asset damage scenarios.
  • Other Assumptions:
    • Road tankers are in roadworthy condition, all people able to communicate in English, only petrol and diesel pumped into tankers.

Step 2: Risk Identification (HAZID)

  • Hazard: Potential source of harm, often an energy source that, if uncontrolled, causes damage.
  • Description of Hazard: Detailed information about the hazard (drop-down list).
  • Description of Unwanted Event Scenario: Describes the initial loss of control or containment (the "knot" or "top event").
  • Description of Causes: Details about the threats that could release the hazard.
  • Description of the Consequence: The outcome or impact of an unwanted event.

Step 2: Risk Identification - Example Solutions

  • Hazard Ref: Mechanical - moving vehicles or parts
    • Description of Hazard: Large road tankers maneuvering onsite.
    • Description of Unwanted Event Scenario: Unwanted contact between vehicle and operator.
    • Causes: Driver error, driver illness, poor visibility, poor directions.
    • Consequences: Operator/worker hit resulting in severe injury/fatality.
  • Hazard Ref: Mechanical - moving vehicles or parts
    • Description of Hazard: Large road tankers maneuvering onsite.
    • Description of Unwanted Event Scenario: Uncontrolled contact between vehicle and pipework/storage tanks (major loss of containment).
    • Causes: Driver error, driver illness, poor visibility, poor directions.
    • Consequences: Major loss of containment of fuel.
  • Hazard Ref: Mechanical - moving vehicles or parts
    • Description of Hazard: Mobile road tankers connected to fixed plant.
    • Description of Unwanted Event Scenario: Uncontrolled movement of vehicle during filling, disconnecting pipes (major loss of containment).
    • Causes: Handbrake not applied/faulty, driver error.
    • Consequences: Major loss of containment of fuel.
  • Hazard Ref: Chemical - toxic, flammable/explosive
    • Description of Hazard: Petrol which is flammable and explosive.
    • Description of Unwanted Event Scenario: Overfilling tanker causing a major loss in containment.
    • Causes: Inlet/outlet valve failure, blocked outlet pipe, faulty level sensors.
  • Hazard Ref: Chemical - toxic, flammable/explosive
    • Description of Hazard: Petrol which is flammable and explosive.
    • Description of Unwanted Event Scenario: Leak in feed/outlet line or tank causing major loss in containment.
    • Causes: Corrosion, cracking, external damage, loosened flange.
  • Hazard Ref: Pressure - air, spring, liquid
    • Description of Hazard: External fire or extreme temperatures.
    • Description of Unwanted Event Scenario: Overpressurizing tank.
    • Causes: Excessive external heat, failed pressure relief/vent equipment.
    • Consequences: Vapour releases resulting in a vapour cloud explosion causing multiple fatalities/injuries, severe equipment damage and onsite environmental damage.
  • Hazard Ref: Electrical - contact or arcing
    • Description of Hazard: Static electricity.
    • Description of Unwanted Event Scenario: Uncontrolled build-up of static electricity contacts petrol vapour.
    • Causes: Incorrect material selection, poor grounding/earthing.
    • Consequences: Static electricity contacts fuel vapour in top of tanker tanks causing it to explode.
  • Hazard Ref: Environmental conditions – weather/climate
    • Description of Hazard: Lightning Strikes.
    • Description of Unwanted Event Scenario: Ignition of vapour during filling.
    • Causes: Lightning strike on filling facility.
    • Consequences: Explosion in tank farm, destroying tank causing potential multiple fatalities/injuries, severe equipment damage and onsite environmental damage.
  • Hazard Ref: Gravity - falling or things falling
    • Description of Hazard: Falling objects.
    • Description of Unwanted Event Scenario: Overhead piping, fittings etc fall.
    • Causes: Corrosion, wear and tear, damage, incorrect fitment.
    • Consequences: Person injured when struck by objects falling from height.
  • Hazard Ref: Human capability – slips, lapses, errors
    • Description of Hazard: Mixing of incompatible liquids.
    • Description of Unwanted Event Scenario: Petrol pumped into diesel tanker.
    • Causes: Connection error, misidentification of liquid/tank.
    • Consequences: Contaminated inventory that if undetected could be sold to customers causing damage to vehicles.
  • Hazard Ref: N/A
    • Description of Hazard: Liquid spills into bund.
    • Description of Unwanted Event Scenario: Liquid Spills into bund and ignites causing a pool fire OR vaporizes to form a vapour cloud that explodes.
    • Causes: n/a
    • Consequences: Multiple fatalities/serious injuries, equipment damage and onsite environmental damage.

Recap Week 3

  • A failed preventative (arresting) control CAN be a cause of an unwanted event, but a mitigating control CANNOT.
  • A mitigating control mitigates the potential consequence AFTER the unwanted event. It does not impact the occurrence of the unwanted event.
  • Example:
    • Unwanted event: Person is exposed to rain
    • Preventative Control: Towel
    • Mitigating control: Raincoat
  • Hazard descriptions should be specific, e.g. "Electrical equipment" is good (though not 100% perfect) and better than "Electrical energy" or "Use of equipment requiring 240V electricity".
  • Unwanted event descriptions should also be specific, e.g. "Arc flash from electrical equipment or pump in confined space" is good. It could also be argued that this is a consequence.
  • Multiple unwanted events are possible related to the use of equipment requiring 240V.
  • Some hazards and unwanted event scenarios are less easy to describe.
  • Brainstorming, open communication, revision, and quality checks are crucial.
  • Focus is on the overall quality and spread of hazards/unwanted events, not whether one or two could have been described a bit better.

Step 3: Risk Analysis

  • Determining impact and estimating likelihood gives an overall risk ranking.

Risk Ranking Matrix

  • Likelihood: Rare, Unlikely, Moderate, Likely, Almost Certain
  • Impact (Reputation/OH&S/Asset Damage/Environment/Legal): Minor, Moderate, Serious, Major, Catastrophic
  • Matrix Example: (simplified, see slide 14 for full matrix)
    • Catastrophic & Almost Certain = 50 (Unacceptable Risk)
    • Minor & Rare = 2 (Broadly Acceptable)
  • Risk Rating Categories:
    • 15-50: High
    • 10-14: Significant
    • 4-9: Medium
    • 1-3: Low
  • Risk Acceptance Criteria:
    • Unacceptable: Operations do not continue until risk is reduced.
    • ALARP Band 1: Action as a high priority to reduce risk. Assign senior manager responsible.
    • ALARP Band 2: Action to reduce risk where possible. Assign manager responsible to monitor and review.
    • Generally Acceptable: Manage with regular monitoring and review.
    • Tolerable Risk: accepted only if further risk reduction is impracticable or its cost is grossly disproportionate to the improvement gained.

Step 3: Risk Analysis - Example Solutions

  • Builds upon the hazards and unwanted events identified earlier.
  • Each scenario is assessed for potential impact across various categories (People, Assets, Environment, Reputation).
  • An estimated likelihood is assigned to each scenario.
  • The overall risk rank is then determined based on the impact and likelihood.
  • Examples: (abbreviated, see slide 17/18 for full examples)
    • Mechanical - moving vehicles or parts: Potential for fatality (Impact: Major; Likelihood: Moderate) = Significant Overall Risk
    • Chemical - toxic, flammable/explosive: Overfilling tanker (Impact: Catastrophic; Likelihood: Likely) = Very High Overall Risk
    • Pressure - air, spring, liquid: Overpressurising tank (Impact: Catastrophic; Likelihood: Unlikely) = Very High Overall Risk
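The ranking step above (impact term × likelihood term → score → rating band → ordered register) as an added Python example; this is not code from the lecture. The rating bands (15-50 High, 10-14 Significant, 4-9 Medium, 1-3 Low) are the ones stated in the notes. The per-cell scores are not: only two cells are quoted (Minor & Rare = 2, Catastrophic & Almost Certain = 50), so `ASSUMED_MATRIX` uses an assumed weighting (likelihood 2, 4, 6, 8, 10 times impact 1 to 5) that reproduces those two cells and is meant to be replaced by the 25 cells of slide 14. With that assumption the vehicle-contact scenario comes out High rather than the Significant quoted in the notes, which shows the weighting is a stand-in rather than the slide's matrix. The `Scenario` class and `SAMPLE_REGISTER` are constructed here from HAZID lines in these notes.

```python
"""Risk ranking for Step 3 of the worked example (added example, not lecture code).

Rating bands are the ones stated in the notes. ASSUMED_MATRIX is an assumption:
only Minor & Rare = 2 and Catastrophic & Almost Certain = 50 are given on the page,
and the weights below reproduce those two cells. Replace it with slide 14's cells.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LIKELIHOOD = ["Rare", "Unlikely", "Moderate", "Likely", "Almost Certain"]
IMPACT = ["Minor", "Moderate", "Serious", "Major", "Catastrophic"]

# (likelihood, impact) -> score. Assumed weighting: likelihood 2..10 times impact 1..5.
ASSUMED_MATRIX: Dict[Tuple[str, str], int] = {
    (lik, imp): (2 * (li + 1)) * (ii + 1)
    for li, lik in enumerate(LIKELIHOOD)
    for ii, imp in enumerate(IMPACT)
}

# Rating bands from the notes: (low, high, label).
RATING_BANDS = [(15, 50, "High"), (10, 14, "Significant"), (4, 9, "Medium"), (1, 3, "Low")]


def risk_score(likelihood: str, impact: str, matrix=ASSUMED_MATRIX) -> int:
    """Look up the matrix cell; unknown terms are rejected rather than silently scored."""
    try:
        return matrix[(likelihood, impact)]
    except KeyError:
        raise ValueError(f"no matrix cell for ({likelihood!r}, {impact!r})") from None


def risk_rating(score: int) -> str:
    """Map a score onto the rating bands stated in the notes."""
    for lo, hi, label in RATING_BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} is outside the 1-50 range of the matrix")


@dataclass(frozen=True)
class Scenario:
    hazard_ref: str
    unwanted_event: str
    impact: str
    likelihood: str


def rank_register(scenarios: List[Scenario], matrix=ASSUMED_MATRIX) -> List[Tuple[Scenario, int, str]]:
    """Score every HAZID line and order the register highest risk first."""
    scored = [(s, risk_score(s.likelihood, s.impact, matrix)) for s in scenarios]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [(s, score, risk_rating(score)) for s, score in scored]


# Constructed register: the impact/likelihood terms the notes assign in Step 3,
# plus one lower-ranked line for contrast.
SAMPLE_REGISTER = [
    Scenario("Mechanical - moving vehicles or parts",
             "Unwanted contact between vehicle and operator", "Major", "Moderate"),
    Scenario("Chemical - toxic, flammable/explosive",
             "Overfilling tanker (major loss of containment)", "Catastrophic", "Likely"),
    Scenario("Pressure - air, spring, liquid", "Overpressurising tank", "Catastrophic", "Unlikely"),
    Scenario("Gravity - falling or things falling", "Overhead piping, fittings etc fall", "Serious", "Rare"),
]

if __name__ == "__main__":
    for s, score, rating in rank_register(SAMPLE_REGISTER):
        print(f"{score:>3}  {rating:<12} {s.hazard_ref}: {s.unwanted_event}")
```

Keeping the matrix as a dictionary keyed by the two terms, rather than a formula, is deliberate: a real matrix is rarely a clean product, and the dictionary can be filled cell by cell from the slide without touching the ranking logic.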

Step 4: Risk Evaluation

  • Informed by the advice at the bottom of the Risk Ranking Matrix.
  • May involve additional risk assessment tools (LOPA, Bowtie analysis).
  • Evaluate your risks and consider controls required to effectively manage the risk
  • Consider monitoring and review to ensure effectiveness.

Step 4: Risk Evaluation - Example Solutions

  • Builds upon the risk analysis conducted in Step 3.
  • Each risk is evaluated based on its overall risk rank.
  • A determination is made as to whether the risk is acceptable, tolerable, or unacceptable.
  • Examples: (abbreviated, see slide 20/21 for full examples)
    • Mechanical - moving vehicles or parts (Significant Risk): Tolerable if actioned as a high priority and industry-recognized risk control measures are implemented.
    • Chemical - toxic, flammable/explosive (Very High Risk): Unacceptable – operations do not continue until the risk is reduced. Risk treatment considerations should include inherently safe design and defense-in-depth analyses.

Step 5: Risk Treatment

  • Critical step where the level of risk treatment is determined and how risks will be addressed.
  • Consider inherently safer design options first.
  • Specify what controls are needed.
  • Ensure specified controls are actual controls (measuring something is NOT controlling it).

Step 5: Risk Treatment - Inherently Safe Design

  • Requires engineers to adopt a critical thinking approach to challenging design assumptions, using questions such as:
    • Why are we doing this?
    • Do we really have to perform this activity? If so, in this way?
    • What is the aim?
    • Can we eliminate, minimise, or substitute the hazardous material/activity?
    • Can we moderate or simplify the process to reduce severity and improve detection and management of unwanted deviations?

Step 5: Risk Treatment - Hierarchy of Controls

  • Elimination (most effective)
  • Substitution
  • Engineering Controls
  • Administrative Controls
  • PPE (least effective)

Step 5: Risk Treatment - Control Options

  • Aim is to stay within safe operating/working conditions.
  • Layers of Protection/Defense in Depth:
    • Automated control systems that respond to unsafe situations (independent from worker).
    • Activated to mitigate the consequences of unwanted event scenarios.
    • Fast response of trained/skilled people to mitigate accident consequences.
    • External public emergency personnel.

Step 5: Risk Treatment - What is a Control?

  • A control is an object and/or human action that, of itself, will arrest or mitigate an unwanted event sequence.
  • Sensors, training, alarms, and signage ALONE are generally not complete controls.
  • A sensor, combined with an alarm AND an automated action OR an operator action IS a control.
  • A traffic light combined with an operator response (i.e. driver stopping at a red light) IS A CONTROL.
  • A boom gate at a rail crossing is a control because: There is a measurement (oncoming trains) AND a decision (to halt road traffic) AND an action (lowering a physical barrier to block road traffic)
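The two control rules on this page, the measurement AND decision AND action test from this section and the Week 3 recap's rule that a failed preventative control can be a cause but a mitigating control cannot, written out as a small bowtie model. This is an added Python example, not lecture material: the `Control` and `Bowtie` classes are constructed here, and the sample controls (coupling interlock, handbrake warning light, signage, bund, fire system) are illustrative entries built from items listed elsewhere in these notes, with their measurement/decision/action fields assumed for the example. A passive object such as a bund is treated as complete on its own, following the definition above of a control as an object that of itself arrests or mitigates the event sequence.

```python
"""Bowtie skeleton enforcing two rules from the notes (added example, not lecture code):
(1) a control must, of itself, arrest or mitigate the event sequence: an active control
    needs a measurement AND a decision AND an action, a passive object (bund, bollard)
    counts on its own, and a sensor, alarm, signage or training alone does not;
(2) a failed preventative control may be a cause of the unwanted event; a mitigating
    control acts after the event and may not.
"""
from dataclasses import dataclass, field
from typing import List, Optional

PREVENTATIVE = "preventative"  # acts before the unwanted event (left of the knot)
MITIGATING = "mitigating"      # acts after the unwanted event (right of the knot)


@dataclass(frozen=True)
class Control:
    name: str
    kind: str                          # PREVENTATIVE or MITIGATING
    action: Optional[str] = None       # what physically arrests or mitigates
    measurement: Optional[str] = None  # what is sensed (active controls only)
    decision: Optional[str] = None     # who/what decides to act (active controls only)
    passive: bool = False              # an object that works of itself, e.g. a bund

    def __post_init__(self) -> None:
        if self.kind not in (PREVENTATIVE, MITIGATING):
            raise ValueError(f"unknown control kind {self.kind!r}")

    def is_complete(self) -> bool:
        """Rule (1): an effect is always required; active controls also need sensing and deciding."""
        if not self.action:
            return False
        return self.passive or bool(self.measurement and self.decision)


@dataclass
class Bowtie:
    unwanted_event: str
    causes: List[str] = field(default_factory=list)
    consequences: List[str] = field(default_factory=list)
    controls: List[Control] = field(default_factory=list)

    def add_failed_control_as_cause(self, control: Control) -> None:
        """Rule (2): only the failure of a preventative control may appear as a cause."""
        if control.kind != PREVENTATIVE:
            raise ValueError(f"{control.name!r} is a mitigating control; it cannot cause the event")
        self.causes.append(f"Failure of {control.name}")

    def incomplete_controls(self) -> List[str]:
        """Proposed 'controls' that are really just sensors, alarms or signage."""
        return [c.name for c in self.controls if not c.is_complete()]

    def controls_of_kind(self, kind: str) -> List[str]:
        return [c.name for c in self.controls if c.kind == kind]


# Constructed sample entries for the vehicle-movement-during-filling scenario in the notes.
COUPLING_INTERLOCK = Control("Coupling tension sensor with interlock", PREVENTATIVE,
                             action="halt flow to the loading bay",
                             measurement="coupling tension", decision="interlock logic")
HANDBRAKE_LIGHT = Control("Handbrake status warning light", PREVENTATIVE,
                          measurement="handbrake applied")               # alarm only
SIGNAGE = Control("Signage: apply handbrake before connecting", PREVENTATIVE)  # signage only
BUND = Control("Bund to capture and redirect spill to safe storage", MITIGATING,
               action="contain and divert spilled fuel", passive=True)
FIRE_SYSTEM = Control("Fire detection and mitigation system", MITIGATING,
                      action="activate fire suppression",
                      measurement="flame/heat detection", decision="fire panel logic")


def build_sample_bowtie() -> Bowtie:
    bt = Bowtie(
        unwanted_event="Uncontrolled movement of vehicle during filling, disconnecting pipes",
        causes=["Handbrake not applied/faulty", "Driver error"],
        consequences=["Major loss of containment of fuel", "Pool fire / vapour cloud explosion"],
        controls=[COUPLING_INTERLOCK, HANDBRAKE_LIGHT, SIGNAGE, BUND, FIRE_SYSTEM],
    )
    bt.add_failed_control_as_cause(COUPLING_INTERLOCK)  # allowed: preventative
    return bt


if __name__ == "__main__":
    bt = build_sample_bowtie()
    print("Causes:", bt.causes)
    print("Not yet a control:", bt.incomplete_controls())
    try:
        bt.add_failed_control_as_cause(BUND)  # rejected: mitigating
    except ValueError as err:
        print("Rejected:", err)
```

Running it lists the warning light and the signage as incomplete, which is the practical point of the section: they become controls only once an operator or automated action is attached to them in the register.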

Step 5: Risk Treatment - Example Solutions

  • Follow a systematic approach: first Inherently Safe Design (ISD), followed by the Hierarchy of Controls (HOC).
  • Sometimes there is a bit of overlap between ISD and controls.
  • There are various ways to write it down clearly and concisely.
  • Examples:
    • Mechanical - moving vehicles or parts (Significant Risk):
      • ISD: Front and rear cameras in trucks that cover blind spots
      • DID (Defense in Depth):
        • Engineering controls: Design in walkways to separate human and vehicle traffic, Install bollards/barriers to protect walkways, Restrict Vehicle Speeds, Traffic light system to direct vehicle movements
        • Administrative controls: (To be determined, could be driver training or route planning)
        • PPE: (To be determined, could be high-vis clothing)
    • Mechanical - moving vehicles or parts (Very High Risk):
      • ISD: Spark free electronics/intrinsically safe wiring, Front and rear cameras in trucks that cover blind spots
      • DID: (elimination, substitution, engineering, administrative, PPE) - Install bollards/barriers to protect walkways, Restrict Vehicle Speeds, Bund to capture and redirect spill to safe storage, LEL detection and shutdown system, Fire detection and mitigation system
    • Mechanical - moving vehicles or parts (Very High Risk):
      • ISD: Minimise slope of fill area, Engagement/tension sensor on coupling with interlock, Spark free electronics/intrinsically safe wiring
      • DID: (elimination, substitution, engineering, administrative, PPE) - Bund to capture and redirect spill to safe storage, Lower Explosion Limit (LEL) detection and shutdown system, Fire detection and mitigation system, Regular inspections of vehicles, Pre-start-up checks of flanges, joints, valves, connections to tanker, Pre-start check of condition of tanker, verification of alarms
    • Petrol which is flammable and explosive:
      • ISD: Consider minimising tank volume, Spark free electronics/intrinsically safe wiring
      • DID: (add sub-headings where possible: elimination, substitution, engineering, administrative, PPE) - High level alarms and operator action, High level Safety Instrumented System (SIS), LEL detection and shutdown system, Fire detection and mitigation system, Regular inspections of pipe work, Pre-start-up checks of flanges, joints, valves, connections to tanker, Pre-start check of condition of tanker, verification of alarms
    • Petrol which is flammable and explosive:
      • ISD: Select non-corrosive pipe material, minimise joints in pipe work, use secure couplings
      • DID: (add sub-headings where possible: elimination, substitution, engineering, administrative, PPE) - Physical barriers to protect pipework, LEL detection and shutdown system, Fire detection and mitigation system, Regular inspections of pipe work, Pre-start-up checks of flanges, joints, valves, connections to tanker