Major Industrial Hazards

Advisory Paper No. 3

Hazard Identification, Risk Assessment and Risk Control

May 2003 Consultation Draft Version A

Hazard Identification, Risk Assessment and Risk Control MIHAP No.3 May 2003

i PlanningNSW

Acknowledgments

The Major Hazards Unit gratefully acknowledges the substantial assistance of the relevant documentation published by the following organisations:

- The Major Hazards Division of the Victorian WorkCover Authority;
- The Chemical Hazards Emergency Management Unit of the Queensland Department of Emergency Services;
- The Major Accident Hazards Bureau; and
- The UK Health and Safety Executive.


Crown copyright 2003

Department of Urban and Transport Planning
Henry Deane Building
20 Lee Street
Sydney, NSW, Australia 2000
www.planning.nsw.gov.au

Printed May 2003
ISBN 0 7347 0426 7
02-093C

Disclaimer. Any representation, statement, opinion or advice, expressed or implied in this publication is made in good faith but on the basis that the State of New South Wales, its agents and employees are not liable (whether by reason of negligence, lack of care or otherwise) to any person for any damage or loss whatsoever which has occurred or may occur in relation to that person taking or not taking (as the case may be) action in respect of any representation, statement, or advice referred to above.


Contents

Summary vii
1 Introduction 1
1.1 Background 1
1.2 Purpose and Scope of this Advisory Paper 1
1.3 Process Overview 2
1.4 Communications with the Major Hazards Unit 4
2 Relevant Regulatory Instruments 5
2.1 Introduction 5
2.2 Summary of Relevant Sections of the Control of Major Hazard Facilities Act 200X 5
2.3 Summary of Relevant Sections of the Control of Major Hazard Facilities Regulation 200X 5
3 Planning and Preparation 6
3.1 Scope and Purpose of Hazard Identification and Risk Assessment 6
3.2 Information Requirements 6
3.3 Demonstration Requirements 7
3.4 Team Based Approaches 8
3.5 Choice of Methodologies 10
3.6 An Appropriate Level of Detail 11
3.7 Management of Information 14
4 Hazard Identification 16
4.1 Terminology 16
4.2 Major Accidents 17
4.3 Hazard Types 17
4.4 Hazard Identification Techniques 18
4.5 Demonstration Requirements for Hazard Identification 22
4.6 Aggregation of Hazardous Scenarios 24
4.7 Worst Case Scenario 24
5 Risk Analysis 25
5.1 Uncertainty in Risk Assessment 25
5.2 Multi-Level Risk Assessment 26
5.3 Screening Tools 26
5.4 Risk Ranking Tools 27
5.5 Qualitative Methodologies 28
5.6 Semi-Quantitative Methodologies 29
5.7 Quantitative Methodologies 30
5.8 Consequence Analysis 31
5.9 Likelihood Analysis 57
5.10 Sensitivity Analysis 65
5.11 Risk Estimation and Presentation of Results 65
6 Control Measures 69
6.1 Identifying and Understanding Controls 69
6.2 Criticality of Controls 74
6.3 Investigation of Alternative Control Measures 75
6.4 Reviewing Alternative Control Measures 76
6.5 Linking Control Measures to the Safety Management System 77
7 Risk Assessment and Communication 82
7.1 Summary of Criteria for Risk Assessment 83
7.2 Risk Communication 86
8 Review and Revision 87
Example Form/s 89
Hazard Identification Word Diagram 90
Hazard and Risk Register 91
Example of a Partially Completed Hazard and Risk Register 92
Appendix 1 Example Major Accidents 93
Appendix 2 Example Risk Matrix Consequence and Likelihood Categories 95
Appendix 3 Models for Consequence Analysis 99
Appendix 4 Methods for Estimating Likelihood 103
Appendix 5 Sample Hazard Identification Word Diagram 104
Glossary and Acronyms 105
References and Bibliography 107
Additional Information 111


Table of Figures

1 Process Overview 3
2 Example Flowchart for Risk Screening and Risk Management at Major Hazard Facilities 13
3 Example Hazard Register Database 14
4 Comprehensive Hazard Identification 23
5 Calculation of Risk 25
6 Example Risk Matrix (Refer to MIHAP No. 2) 28
7 Consequence Analysis 31
8 Example Flowchart for Management of Risk to the Biophysical Environment 49
9 Example Event Tree 58
10 Example Fault Tree [HIPAP No. 6] 60
11 Reliability Bath Tub Curve 62
12 Examples of Iso-Risk Contours 67
13 Example F-N Curve 68
14 Structuring Hazard Identification Findings 71
15 Illustration of Critical Operating Parameters (CCPS 1992) 80
16 Applying ALARP 82

Table of Tables

1 Possible Applications of Safety in the Process Lifecycle 11
2 Hazard Types 17
3 Guidance Table on Implementation of Hazard Identification Techniques 19
4 Example Hazard Identification Techniques 20
5 Example Human Error Potential Values (based on Hunns and Daniels 1980 and Kletz 1991) 64
6 Examples of Risk Presentation Tools 66
7 Example Hierarchy of Control Measures 70
8 Example Control Measures 72
9 UK HSE Example Control Measures 73
10 Factors in Selecting or Rejecting Control Measures 77
11 Example Control Measure Performance Indicators and Standards 79
12 NSW Individual Fatality Risk Criteria for Existing Facilities 84
13 Consequence Categories: Injury and Fatality 96
14 Consequence Categories: Environment 97
15 Likelihood Categories 98
16 Effects of Heat Radiation 102
17 Effects of Explosion Overpressure 102


Summary

Overview

Failures at Major Hazard Facilities (MHFs) have the potential to cause major accidents arising from the storage, handling or processing of significant quantities of dangerous chemicals. Typically, MHFs include large-scale operations such as refineries, chemical complexes, LPG depots and chemical factories.

The overall framework for control of MHFs in NSW is consistent with the provisions of the National Standard for the Control of Major Hazard Facilities (National Standard) and with approaches adopted in other jurisdictions. The objective of this framework is to protect people, property and the environment. The Operator is expected to take all measures necessary to prevent major accidents and minimise their effects on people and the environment.

The NSW framework is administered by the Major Hazards Unit (MHU) of PlanningNSW. For a number of years, PlanningNSW has taken an active role in ensuring that planning aspects of risks to people, property and the environment from potentially hazardous industrial developments are taken into account in development assessment and approval.

Scope

This paper is one in a series of several Major Industrial Hazards Advisory Papers (MIHAPs) developed by the MHU. It has been developed to assist Operators of MHFs in meeting their obligations with respect to hazard identification, risk assessment and risk control.

Key Messages

The key messages for Operators with respect to hazard identification, risk assessment and risk control described in this paper are:

- Hazard identification, risk assessment and risk control are fundamental to the prevention of major accidents. If they are seriously deficient, then subsequent stages (e.g. safety reporting, safety management, etc.) will be deficient.
- Hazard identification is the basis for understanding what can go wrong at a major hazard facility and for controlling risks.
- Risk control measures critical to safe operation are only understood if there is a clear link between identified hazards, accident scenarios and the risk assessment.
- Analysis of risk requires an understanding of the consequences and likelihood of major accidents.
- There is a range of systematic and structured techniques that can assist Operators in hazard identification and risk assessment. The techniques selected by the Operator must be fit-for-purpose and based on the nature of the activities and materials handled.
- Risk assessment is the basis for prioritisation and management of risks, and focuses Operator effort on major risk contributors and critical risk control measures.
- Critical risk control measures must be managed through a safety management system (SMS).
- Effective hazard identification, risk assessment and risk control processes must be implemented. These must be documented, integrated, systematic, comprehensive and routinely reviewed.
- Consultation at all stages of the process is vital to the successful prevention of major accidents.

Demonstration Requirements

The key messages are complemented by the following specific requirements, which are critical for ensuring the success of each stage in the process.

Hazard Identification

For the hazard identification stage, the Operator should be able to demonstrate that:

- Appropriate hazard identification techniques have been used to comprehensively identify the hazards at the facility, and the related potential major accidents, for the complete range of normal and abnormal operating modes. Comprehensive and systematic hazard identification is the first and most important step in any hazard analysis. The Operator must be able to show that: appropriate personnel were involved; up-to-date and accurate information was used; an appropriate range of techniques was employed; human factors were considered; the findings of previous studies were reviewed; and the lessons learned from previous accidents and near misses were considered.

Risk Analysis and Assessment

For the risk analysis (including consequence and likelihood analysis) and risk assessment stages, the Operator should be able to demonstrate that:

- Appropriately validated methods have been used for the analysis and assessment of consequences, likelihood and risks, with comprehensive documentation of the results (including assumptions). This technical advisory paper presents examples of current best practice approaches (cross-referenced to more detailed explanations) and provides guidance on which are the more appropriate to use in different circumstances. Techniques appropriate to the nature of the facility and the identified hazards are to be used.
- Locational and land use factors, including the potential for knock-on effects, have been considered during the consequence analysis.
- Human factors have been systematically considered. Human factors are relevant to all stages.
- The likelihood of each step in the cause-consequence chain is understood.
- The risk assessment has been made against all relevant criteria, in particular identifying areas in which further risk reduction is essential or desirable.

Risk Control Measures

In evaluating the existing (and proposed) risk control measures (particularly those critical to safe operation), the Operator should be able to demonstrate that:

- The hierarchy of controls has been considered, with measures to eliminate hazards given the highest priority, and that the way in which other control measures impact on risk levels is understood. A range of control measures should be considered, and a clear rationale developed as to why control measures have been selected. Control measures must be related to specific hazardous events, not only to generic hazards.
- Appropriate performance standards and indicators, and appropriate procedures for review and revision of control measures, have been established to ensure their adequacy, reliability and availability. Existing (and proposed) critical control measures (including relevant safety performance standards and indicators and critical operating parameters) must be clearly linked to hazards. The findings are a key input to the Operator's Safety Improvement Program (SIP), which is described in MIHAP No. 5.

The Operator must develop, implement and maintain a comprehensive and integrated SMS (Refer to MIHAP No. 4 Safety Management Systems), and critical control measures should receive the highest level of ongoing management commitment and effort to ensure they are maintained.

Review and Revision

The Operator should be able to demonstrate that:

- The hazard identification and risk assessment (including documentation) is kept up-to-date, for example through updating and re-submission of the Safety Report, which is to occur at intervals of not more than 5 years (Refer to MIHAP No. 5 Safety Reporting). A review and update may also be initiated by significant modifications to plant, procedures, etc. (Refer to MIHAP No. 4 Safety Management Systems) or following a significant accident or near miss (Refer to MIHAP No. 9 Accident Reporting and Investigation).

Other Important Links

The hazard identification, risk assessment and risk control processes are central to the overall framework (Refer to Figure 1) and the Operator should be able to demonstrate that:

- Fully documented, systematic and structured processes have been developed and are being maintained. The policies, procedures, responsibilities, etc. for hazard identification, risk assessment and risk controls are an important aspect of the SMS for an MHF (Refer to MIHAP No. 4 Safety Management Systems), and should be routinely reviewed (Refer to MIHAP No. 11 Safety Auditing). Although information management methods (such as hazard and risk registers), options for presenting risk results and example forms are included in this paper, MIHAP No. 5 Safety Reporting includes greater detail on the documentation that must be submitted to the MHU as part of the Safety Report.
- The risk assessment findings have been integrated into training programs (Refer to MIHAP No. 6 Training and Education). The findings of the risk assessment should be used to enhance the understanding of hazards, risks (particularly major risk contributors) and control measures (particularly critical control measures) throughout the organisation.
- The risk assessment findings have been integrated into emergency planning and response procedures (Refer to MIHAP No. 7 Emergency Planning). The findings of the risk assessment should be used to ensure site specific events are considered during exercises and to ensure that emergency response (including evacuation) procedures are appropriate and effective.
- The risk assessment findings have been used to develop information for community consultation purposes (Refer to MIHAP No. 10 Stakeholder Consultation).


1 Introduction

[Note: This draft is based on preliminary proposals for a NSW regulatory framework. These have no statutory force and may change significantly before finalisation. This should be carefully borne in mind when reviewing the regulatory and administrative sections]

1.1 Background

The National Occupational Health and Safety Commission (NOHSC) declared a National Standard for the Control of Major Hazard Facilities (National Standard) in 1996, the objective of which is to prevent major accidents and near misses, and to minimise the effects of any major accidents and near misses (National Standard Section 2.1) at major hazard facilities (MHFs).

Meeting the objective of accident prevention starts with the facility Operator identifying and assessing hazards and implementing control measures to reduce the likelihood and effects of a major accident (National Standard Section 2.1 (a)). To identify, assess and control major accident hazards, the Operator must consider the protection of people (both on- and off-site), property and the environment.

In NSW, the objectives and relevant requirements of the National Standard, and other equivalent international best practice systems developed for the control of MHFs, have been introduced under the Control of Major Hazard Facilities Act 200X and the Control of Major Hazard Facilities Regulation 200X. The regulatory framework for control of MHFs in NSW is administered by the Major Hazards Unit (MHU) of PlanningNSW (formerly the Department of Urban Affairs and Planning).

Major Industrial Hazards Advisory Paper (MIHAP) No. 1 Overview and Definitions provides additional background on the National Standard and the relevant NSW legislation. It is recommended that this document be read in conjunction with MIHAP No. 1. [To be prepared]

1.2 Purpose and Scope of this Advisory Paper

The purpose of this advisory paper is to provide practical implementation advice (i.e. an explanation of what to do and how to do it) on the hazard identification, risk assessment and risk control processes for MHFs. This MIHAP is primarily intended for Operators of MHFs.

Meeting the objective of accident prevention starts with the facility Operator identifying and assessing hazards and implementing control measures to reduce the likelihood and effects of a major accident. The hazard identification, risk assessment and risk control processes, which are included under Section/s [To be Inserted] of the Control of Major Hazard Facilities Act 200X and clause/s [To be Inserted] of the Control of Major Hazard Facilities Regulation 200X (Refer to Section 2), build upon the requirements proposed by the NOHSC in Section 6 of the National Standard.


The scope of this document is limited to the provision of practical technical guidance on the expectations of the MHU with respect to:

- Identification of hazards and initiating events that could lead to a major accident;
- Identification of the type, likelihood and consequences of major accidents;
- Analysis and assessment of major accident risks;
- Identification of measures to control major accident risks (consistent with the hierarchy of controls); and
- Risk communication.

Hazard identification, risk assessment and risk control identification are central to the process for control of MHFs (Refer to Figure 1). Several additional MIHAPs may need to be consulted to address related issues that are outside the scope of this MIHAP. In particular, both MIHAP No. 4 and MIHAP No. 5 should be consulted at an early stage.

The findings of the hazard identification, risk assessment and risk control process are a key input to the Operator's Safety Improvement Program (SIP), which is described in MIHAP No. 5 Safety Reporting. Other documentation relating to the hazard identification, risk assessment and risk control process that must be submitted to the MHU as part of the Safety Report is also outlined in MIHAP No. 5, together with the relevant assessment criteria.

Guidance on Safety Management Systems (SMS) for MHFs (which are important for ensuring implementation and ongoing management of the identified control measures) is provided in MIHAP No. 4.

1.3 Process Overview

Figure 1 provides a simplified overview of the process for control of MHFs in NSW and identifies each of the relevant MIHAPs. The elements most relevant to MIHAP No. 3 are enclosed by the dark shaded box.

The terms used in Figure 1, and elsewhere in the document, are defined in the Glossary at the end of this document.


Figure 1: Process Overview

[Flowchart image not reproduced. Elements shown in the figure, each labelled with the number of the relevant MIHAP (No. 1 to No. 11): Notification; Definitions; Classification & Prioritisation; Regulatory Framework; MHF; Land Use Safety Planning; Risk Criteria; Consultation with Community; Consultation with Employees & Reps; Hazard Identification; Risk Assessment; Risk Reduction and Control; Safety Reporting; Safety Management Systems; Training and Education; Emergency Planning; Site Security; Safety Auditing; Accident Reporting and Investigation; Change to Facility or Systems; Review; and a "Significant Risk Increase?" decision with Yes/No branches.]


1.4 Communications with the Major Hazards Unit

[To be Inserted]


2 Relevant Regulatory Instruments

2.1 Introduction

[This will be finalised, once the regulatory framework has been determined]

A summary description of other regulatory instruments relevant to the control of MHFs is included in Major Industrial Hazards Advisory Paper No. 1 Overview and Definitions. [To be prepared]

2.2 Summary of Relevant Sections of the Control of Major Hazard Facilities Act 200X

Section X (y) [To be Inserted]
Section X (y) [To be Inserted]
Section X (y) [To be Inserted]
Section X (y) [To be Inserted]
Section X (y) [To be Inserted]

2.3 Summary of Relevant Sections of the Control of Major Hazard Facilities Regulation 200X

clause X (y) [To be Inserted]
clause X (y) [To be Inserted]
clause X (y) [To be Inserted]
clause X (y) [To be Inserted]
Schedule X [To be Inserted]


3 Planning and Preparation

3.1 Scope and Purpose of Hazard Identification and Risk Assessment

The first stage of any project is to decide the scope and purpose of the study. The boundary of the study must be determined at the commencement of the study, as this affects the information collection exercise and the team requirements. The particular boundaries to be determined include the physical limits of the study: the extent of the site and the processes included in the study. How far does the study extend along the transportation routes for the goods inwards, the goods outwards and any waste streams from the facility?

The purpose of the study must also be determined at the outset to give assistance in determining the level of detail and documentation required for the study. A study undertaken by site management to develop their safety management system may not have the same documentation requirements as a study undertaken to assist in obtaining approval for a new development.

3.2 Information Requirements

Preparation for undertaking a Hazard Identification study, and for assessing and controlling risks associated with a facility, requires identification of the documents and information required and definition of the method of managing the information, particularly as the quantity of information can be considerable.

MIHAP No. 5 Safety Reporting contains guidance on the requirements for safety reports of major hazard facilities. This advisory paper should be consulted at an early stage of the assessment process to ensure that the information required for production of the safety report is obtained. The information required will vary depending on the stage of the hazard identification and risk assessment process and the particular tools used to identify hazards and assess risks.

It is important that Hazard Identification and Risk Assessment be based upon a comprehensive and accurate understanding of operations. To achieve this, up-to-date information must be readily available to the study team and documented throughout the process, regardless of the type of facility, stage of the facility's lifecycle or the reasons for undertaking the study. MIHAP No. 5 - Safety Reporting includes a description of the process safety information that should be up-to-date and accurate prior to commencing Hazard Identification and Risk Assessment.

The information required usually includes:

- Site map and facility description. This will need to be included in the study report to define the bounds of the study and to give the reader a good understanding of the site and processes without excessive technical details.
- Surrounding land uses and environmental attributes and data, including meteorological data, geological data, as well as any relevant location issues, such as environmentally sensitive areas and current plans for development of the surrounding area.


- Material and process information, including the physical, chemical and toxicological nature of all hazardous materials at the site, descriptions of the processes undertaken at the site, inventory of the process plant, and process conditions through each part of the process.
- Accurate and up-to-date engineering information, including the engineering details of plant items and safety systems, e.g. equipment design specifications, process flow diagrams, piping and instrumentation diagrams, site/plant layout drawings, etc.
- Site management details, e.g. safety management system information, equipment condition, incident records, etc.

Previous safety and risk studies can be used where they are relevant to the facilities on the site. There is no need to reproduce existing analyses, but it is necessary to ensure that they are relevant to the specific facility, up-to-date and appropriate for this study.

Note 1: Sample Information Requirements for a Water Treatment Facility

- MSDS for chlorine, sodium hypochlorite and ferric chloride.
- Process flow diagrams for the facility.
- Site plan showing the location of the chlorination facility in relation to the office block and other site facilities.
- Area map (or possibly an up-to-date aerial photograph) showing the surrounding land uses.
- Meteorological data for the site including wind rose, wind strengths and atmospheric stability.
- Location and details of nearby environmentally sensitive areas (e.g. natural watercourses, bush land, etc.).

3.3 Demonstration Requirements

MIHAP No. 5 - Safety Reporting describes in detail the objectives and outcomes that the documentation generated by these processes must demonstrate. The documents and information obtained must be able to support the demonstration. This requirement includes demonstration that:

- Appropriate people have been used, and employee participation was appropriate during all stages.
- Systematic and structured processes have been followed and assumptions have been fully documented.
- The balance between qualitative, semi-quantitative and quantitative techniques is appropriate to the nature of the facility and its hazards.
- Appropriate hazard identification techniques have been used to comprehensively identify the hazards at the facility, and the related potential major accidents, for the complete range of normal and abnormal operating modes.
- There is a clear and understood link between identified hazards, accident scenarios, and control measures, and control measures have been related to specific hazardous events, not only to generic hazards.
- All identified representative scenarios have been assessed using methods that are appropriately validated, and the results are comprehensively documented, including all assumptions.


- The consequence analysis has taken into account locational and land use factors and the potential for knock-on effects.
- Human factors have been systematically considered.
- An assessment has been made against all relevant criteria, in particular identifying areas in which further risk reduction is essential or desirable.
- A hierarchy of controls has been considered, with measures to eliminate hazards given the highest priority, and there is an understanding of how other control measures impact on risk levels.
- A range of control measures has been considered, and there is a clear rationale as to why control measures have been selected. This will require a balanced assessment of potential alternative control measures.
- There is a valid demonstration of the overall adequacy and reliability of the control measures.
- Appropriate performance standards and indicators have been established for control measures and there are appropriate procedures for review and revision of control measures.

The demonstration requirements are to be undertaken to a level that is fit for the purpose of the demonstration. Extensive detail is not required on very low risk processes but is required for high risk processes.

3.4 Team Based Approaches

There are a number of considerations in planning for the hazard identification, risk assessment and risk control processes. To be successful, it is essential that the right people are involved at all stages of the process. Amongst these people are plant operators, plant supervisors, maintenance personnel, process engineers, design engineers and line management. These stakeholders should be consulted and involved during:

- Development of methodologies for hazard identification and risk assessment.
- Implementation of hazard identification and risk assessment methodologies.
- Consideration of alternative or additional risk controls.

Before starting the hazard identification, risk assessment and risk control process, all personnel involved must be suitably trained in the methodologies that they will be using (see MIHAP No. 6 Training and Education). It is likely that different teams and individuals will be used at different stages of the analysis, and each person's training must be appropriate to the needs of the study in which they are involved.

During the hazard identification process, a team approach is often used. Appropriate team leadership is critical to ensuring that the study team contributes effectively to the process. The role of the leader is to facilitate the process being undertaken and to harness the expert knowledge of the team members. The leader should ensure that the team comprehensively examines each hazard or scenario, without skipping over important facts or dwelling too long on irrelevant issues. The specific role of the study leader will vary, depending on the type of study being undertaken, but often will involve preparation tasks, definition of the scope of the study, and documenting findings. The study leader must be trained and experienced in the specific type of study being undertaken, and experience in workshop facilitation is also valuable. Lees (1996a) presents an extensive discussion of the role of the team leader in HAZOP studies, although the points made are relevant to other team based hazard identification and risk assessment processes.


Team based approaches are likely to be required during other phases of the risk
assessment and risk control process, e.g. identification of control measures and
determination of adequacy. A core team of one or two persons may drive the overall
process, drawing on the expertise and knowledge of others as required and acting as
focal points for the study. The skills of this core team will need to include the ability
to write technical prose, to effectively consult with other people within and outside
the organisation, and an understanding of the requirements of the study.
The importance of consultation and involvement at all stages of the study cannot be
overstated. Potential consequences of inadequate consultation or involvement include:
Incomplete hazard identification, due to incomplete appreciation of operations.
Each work group will have a different perspective on operations, and as such, will
tend to identify somewhat different sets of hazards.
Misleading study results, due to incorrect assumptions regarding the
effectiveness of control measures, the process conditions during accident
scenarios, etc.
Adoption of inappropriate or sub-optimal control measures, due to a lack of
understanding of all facets of their impact on operations.
Involvement and consultation with plant operators and maintenance personnel are
especially important, since these employees are most directly involved in operations,
the hazards that may arise and the use of controls to prevent or mitigate these
hazards. Furthermore, involvement and consultation of these employees enhances
their understanding of hazards and control measures.
While it may not always be necessary to involve senior management in the conduct
of the hazard identification and risk assessment process, it is important that they take
responsibility for the processes that are to be used. This will help ensure that
sufficient and appropriate resources are made available at all stages of the process.
Management should also sign off on the findings of the process, to help ensure that
recommendations, corrective actions and any further studies that are required are
completed in a timely manner.
The specific personnel utilised during the study are likely to change, as people with
different experience or skills are required at different stages. Depending on the
choice of methodology used for hazard identification and risk assessment, the study
team may require people with technical expertise, meeting facilitation skills,
management of the process and knowledge of the site and operations at various times.

Note 2: Example Study Team Members for Various Tasks

Planning: a series of meetings with the Site Manager, Plant Supervisor, Personnel
Representative, Safety Advisor, Regulatory Affairs Manager and Minute Secretary.

Hazard Identification: workshops involving the Plant Supervisor, Plant Operators,
Process Engineer, Maintenance Engineer and Facilitator.

Risk Assessment: documents prepared by a Risk Engineer with input from the
Maintenance Engineer, Plant Supervisor, Site Manager, Plant Operators and Process
Engineer.


3.5 Choice of Methodologies

There is a wide range of techniques available for performing Hazard Identification
and Risk Assessment, each with strengths and weaknesses. Further details of
some of these methods are presented later in this document. The methods used
will differ between Operators, with the basis for selection influenced by a number
of factors, including:
The type and complexity of the processes being studied
For simple processes, relatively coarse Hazard Identification tools such as What-If
Studies, process checklists or brainstorming may be appropriate. For more
complex processes with a large number of interacting subsystems, more
systematic and comprehensive tools such as HAZOP or FMECA may be required.
The types of hazards that are to be identified
Different techniques are better at identifying different types of hazard.
Techniques such as HAZOP and FMECA are best at identifying process hazards
such as process upsets and equipment failures, but may be weak in identifying
other types of hazards such as human errors or external effects and influences.
Techniques such as What-If tend to be broader, and are useful for identifying
hazards associated with natural and man-made external effects and influences.
Task Analysis is a Human Factors Hazard Identification tool that is focussed on
identifying hazards that result from human errors.
The level of risk associated with the hazards being assessed
Generally, coarse and conservative Risk Assessment techniques should be
applied initially, and more complex and detailed techniques used to analyse
those hazards identified as having high risk. Hazards identified to be a low risk
generally do not warrant detailed Risk Assessment. This approach is consistent
with the Multilevel Risk Review Process presented in the National Code of
Practice for the Control of Major Hazards Facilities (NOHSC 1996), where
detailed studies are only required after coarse studies find that the level of risk
exceeds defined criteria.
The types of hazards that need to be assessed
Specific Risk Assessment techniques have been developed for assessing the
likelihood of failure in specific types of systems. Some are useful when analysing
systems consisting of mechanical equipment, others are suited to electrical
equipment and others can be used to analyse systems that rely on human
intervention. The appropriate technique depends on the type of system failures
being studied. Similarly, specific techniques have been developed for analysing
the consequences of specific types of incident, and therefore should be chosen
carefully to ensure that they are fit for purpose.
The stage of the project lifecycle
As shown in Table 1, as a facility moves through the project lifecycle, there will
be different stimuli for performing Hazard Identification and Risk Assessment.
This will be based on an ever increasing amount of information and knowledge
on which to base such studies, and changing uses for the findings. For example,
during the initial design of a facility, decisions about the siting and layout of a facility
can be changed relatively easily, hence specific studies of the available options
should be performed at this point in the lifecycle. Later in the lifecycle, once the
plant is operating, insight into new hazards will be gained through operator feedback,
incident and near miss investigations, and plant monitoring. The techniques best
suited to assessing these hazards may differ from those used during design.


Table 1: Possible Applications of Safety in the Process Lifecycle

Design:
Concept Safety Evaluation
Preliminary Hazard Analysis
Hazard and Operability Study (HAZOP)
Quantitative Risk Analysis (QRA)
Fire Safety Study
Inherent Safety Analysis

Commissioning:
Construction Safety Studies
Pre-Startup Safety Reviews

Operation:
Troubleshooting
Site Observation
Operator Feedback
Plant and Process condition monitoring
Levels of Protection Analysis
Incident Root Cause Analysis
Periodic/Retrospective HAZOP

Modification:
Management of Change
HAZOP
What-If Study
Design Review Studies
Levels of Protection Analysis

Decommissioning:
Decommissioning Plan

Although each of the techniques listed in the above table may be valuable, there is no
need to apply all techniques to each analysis. Those techniques which are most
applicable to meet the needs of the analysis should be used. Other techniques that
are not listed in the table may be used where they meet the needs of the analysis.

3.6 An Appropriate Level of Detail

The depth, and level of detail, of the hazard identification, risk assessment and risk
control identification processes must be appropriate to the facility being considered.
The basic principle is that the level of detail should be sufficient to address the
complexities of the facility and to assess whether the controls and safeguards are
adequate to manage the risks to people (both on- and off-site), property and the
environment. Various hazard/risk screening and management methods exist to ensure
an appropriate level of detail is applied at each stage. An example model, developed
specifically for this MIHAP, is provided below.

3.6.1 Example Risk Screening and Risk Management Methodology

An example flowchart of the risk screening and risk management process for Major
Hazard Facilities is provided as Figure 2. There are two main parts to this process: (i)
Assessment and management of off-site fatality risk using land use safety criteria for
existing industrial developments (Refer to Section 7.1.1); and (ii) Assessment and
management of major accident risks to people (on- and off-site), property and the
environment using site specific criteria (Refer to Section 7.1.2).


Assessment of Off-Site Fatality Risk

To assess the off-site fatality risk against the relevant land use safety criteria for
existing industrial developments, the overall screening and assessment process in
Figure 2 is based on determining worst case accident scenarios for each of the facility
sections (see Sections 5.2 and 5.3 for screening scenarios). Each of these worst case
scenarios is first assessed for potential off-site consequences. If significant
consequences would not occur off-site, then quantitative analysis of the risk is not
required for those sections of the facility.
However, if the off-site consequences of the worst case scenario for a section of the
facility are significant, an assessment must be undertaken of the likelihood of each of
the scenarios in that section that could pose an off-site risk. This initial likelihood
analysis does not need to be extremely accurate. For example, if an analysis revealed
that the likelihood of each of the 10 scenarios identified at a particular facility is more
than an order of magnitude below the likelihood criterion, then the cumulative risk
criteria will clearly not be exceeded.
If the initial likelihood analysis shows that the scenario likelihood is significant relative
to the PlanningNSW criteria level, the scenario frequency must be fully analysed. All
the scenarios can be summed to produce location specific risk contours. These
contours can be used to demonstrate that the relevant PlanningNSW criteria are met.

Assessment and Management of Major Accident Risks

For assessment and management of major accident risks at the major hazard facility,
it is proposed that a risk matrix (see Figure 6) be used in the hazard identification
sessions to initially categorise the consequences, likelihood and risk in a qualitative
fashion.
If the risk of a scenario is categorised as Low, a simple Hazard Register (such as a
hazard identification word diagram; refer to Appendix 6) may be used to list the
initiating events, scenarios, consequences, and prevention and mitigation controls.
If the risk of a scenario is categorised as Intolerable, actions must be undertaken to
eliminate or reduce the risk of the scenario to within the ALARP region. Risks in the
ALARP region are to be recorded in a more detailed Hazard Register (and may need
to be supported with a semi-quantitative analysis of the consequences and/or
likelihood). This detailed Hazard Register should identify the controls used to prevent
each of the initiating events and the controls used to prevent each of the potential
consequences of the scenarios. It should also identify the link/s to the relevant
sections of the safety management system (including performance standards for
critical control measures).
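As an added example (not part of this MIHAP), the following Python script walks constructed scenarios through both parts of the Section 3.6.1 process: the off-site fatality likelihood screen against the 0.5 x 10^-6 p.a. decision point shown in Figure 2, generalised from the text's 10-scenario case to any number of scenarios, and a constructed site risk matrix that places each scenario in the Low, ALARP or Intolerable band with the action the text requires. The matrix thresholds, scenario names and frequencies are assumptions, not values from the paper.

```python
"""Risk screening for a major hazard facility along the lines of
Section 3.6.1 / Figure 2.  Added example, not part of the MIHAP; all
scenario data and matrix thresholds are constructed."""
from dataclasses import dataclass

# Figure 2 decision point for cumulative off-site fatality likelihood.
CUMULATIVE_CRITERION = 0.5e-6  # per annum


@dataclass(frozen=True)
class Scenario:
    section: str            # facility section (e.g. warehouse)
    name: str
    likelihood: float       # estimated frequency, per annum (constructed)
    offsite_fatality: bool  # worst case could cause a fatality off site
    consequence: int        # 1 (minor) .. 5 (catastrophic), site matrix axis
    likelihood_cat: int     # 1 (remote) .. 5 (frequent), site matrix axis


def sections_needing_likelihood_analysis(scenarios):
    """First gate of the off-site branch: only sections whose worst case
    reaches people off site need a likelihood analysis."""
    return sorted({s.section for s in scenarios if s.offsite_fatality})


def screen_offsite_fatality_risk(scenarios, criterion=CUMULATIVE_CRITERION):
    """Off-site fatality branch.  Returns (outcome, bounding likelihood).

    Coarse screen generalised from the text's 10-scenario example: with n
    scenarios the cumulative likelihood is at most n times the largest
    single likelihood, so if n * max < criterion the cumulative criterion
    cannot be exceeded and no detailed frequency analysis is needed.  For
    n = 10 this is exactly "each scenario more than an order of magnitude
    below the criterion".  Otherwise the scenarios are summed and compared.
    """
    relevant = [s for s in scenarios if s.offsite_fatality]
    if not relevant:
        return "not_required", 0.0
    bound = len(relevant) * max(s.likelihood for s in relevant)
    if bound < criterion:
        return "screened_out", bound
    cumulative = sum(s.likelihood for s in relevant)
    if cumulative < criterion:
        return "complies", cumulative
    # Likelihood must be refined and the total assessed against the
    # land use safety planning criteria (risk contours).
    return "refine_and_assess", cumulative


def risk_category(consequence, likelihood_cat):
    """Major accident branch: a constructed 5x5 site risk matrix.  The
    band boundaries are an assumption; a real site sets its own."""
    score = consequence * likelihood_cat
    if score >= 15:
        return "Intolerable"
    if score >= 5:
        return "ALARP"
    return "Low"


# Action required for each band, as described in Section 3.6.1.
ACTIONS = {
    "Intolerable": "eliminate or reduce the risk into the ALARP region; "
                   "re-assess after the controls are implemented",
    "ALARP": "detailed Hazard Register linking initiating events, controls "
             "and SMS elements; consider further risk reduction",
    "Low": "simple Hazard Register (e.g. word diagram); "
           "identify critical control measures",
}


def assess_major_accident_risks(scenarios):
    """Map every scenario to its risk band and the required action."""
    result = {}
    for s in scenarios:
        band = risk_category(s.consequence, s.likelihood_cat)
        result[s.name] = (band, ACTIONS[band])
    return result


# Constructed scenarios for a fictitious facility.
SCENARIOS = [
    Scenario("warehouse", "pallet fire", 1e-3, False, 2, 3),
    Scenario("production plant", "reactor runaway", 1e-7, True, 5, 2),
    Scenario("production plant", "chlorine drum rupture", 2e-8, True, 4, 1),
    Scenario("water treatment", "ammonia release", 3e-7, True, 3, 5),
]

if __name__ == "__main__":
    print(sections_needing_likelihood_analysis(SCENARIOS))
    print(screen_offsite_fatality_risk(SCENARIOS))
    for name, (band, action) in assess_major_accident_risks(SCENARIOS).items():
        print(f"{name}: {band} -> {action}")
```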

Figure 2: Example Flowchart for Risk Screening and Risk Management at Major
Hazard Facilities

(Flowchart rendered as a text outline.)

Common steps:
1. Define the scope of the hazard identification process.
2. Divide facility into sections (eg. water treatment, warehouse, production plant).
3. Identify and list representative scenarios of potentially hazardous incidents for each facility section.

ASSESSMENT OF OFF-SITE FATALITY RISK USING LAND USE SAFETY PLANNING CRITERIA FOR EXISTING FACILITIES
4. Identify representative worst case accident scenario for each facility section.
5. Determine consequences to people off site from worst case accident (including potential for propagation).
6. Potential for off-site fatalities? If No: is this the last section of plant? If No, return to step 4 for the next section; if Yes, continue.
7. Identify all scenarios, within all plant sections, with potential to cause fatality off site.
8. Estimate consequences and likelihood for each relevant scenario.
9. Estimate cumulative likelihood for all scenarios with the potential to cause off-site fatality.
10. Is the maximum cumulative likelihood less than 0.5 x 10^-6 p.a.? If Yes: cumulative off-site fatality risk complies with land use safety planning criteria for existing industrial facilities; identify critical control measures and proceed to the closing steps. If No: refine likelihood analysis and assess total off-site fatality risk against land use safety planning criteria for existing industrial facilities.
11. Are criteria exceeded? If No: identify critical control measures and proceed to the closing steps. If Yes: develop action plan to mitigate risk and re-assess risk after implementation of risk control measures.

ASSESSMENT AND MANAGEMENT OF MAJOR ACCIDENT RISKS
4. Develop site risk matrix and criteria (eg. 'Intolerable', 'ALARP' and 'Low' risk).
5. (Re-) Estimate likelihood and consequences of all accident scenarios and record information on site hazard/risk register.
6. (Re-) Assess risk using site risk matrix.
7. Is risk in the 'intolerable' region? If Yes: develop action plan to mitigate risk and re-assess risk after implementation of risk control measure/s (return to step 5).
8. If No: is scenario risk in the 'ALARP' region? If Yes: identify critical control measures*, then consider further risk reduction measures and implement where justified. If No: scenario is in the 'Low' region; identify critical control measures*.
9. Ensure all critical control measures are integrated into the Safety Management System.
* Including performance indicators/standards and critical operating parameters.

Closing steps (both branches):
Document entire process and outcomes. Maintain control measures through safety management system (Refer to MIHAP No. 4) and monitor performance (Refer to MIHAP No. 11). Repeat assessment process at appropriate intervals.


3.7 Management of Information

The Hazard Identification, Risk Assessment and Risk Control processes can generate
large amounts of information, both quantitative and qualitative, that must be
systematically recorded. With the advent of relatively inexpensive data management
tools such as databases (LotusNotes, Microsoft Access, Crystal Reports Generator),
an electronic database is most likely to be appropriate for recording the information.
A Hazard Register (also called a Safeguards Register or Accident Register) is one tool
that can be used to assist with managing and presenting this information. The Hazard
Register can record information in a linked and structured manner, and can assist with
meeting many of the demonstration requirements outlined below. It also can serve as
a useful internal communication and management tool. A simple example of a Hazard
Register is a Hazard Identification Word Diagram, an example of which is included in
Appendix 6. This type of Hazard Register may be sufficient for a small, simple facility
with relatively few hazards; however, for larger, more complex facilities, a spreadsheet
or relational database based tool may be required. Figure 3 shows an example of
such a tool.

Figure 3: Example Hazard Register Database



One of the most important structural features of an MHF hazard register is the
demonstration of a clear linkage between each identified initiating event, control
measure (including the associated performance indicator/s and standards and critical
operating parameters; refer to Section 6.5) and specific elements of the SMS (refer
to Section 3.3). Any hazardous scenarios that are aggregated for screening purposes
(refer to Section 4.6) and subsequently identified as presenting a potentially
significant major accident risk should be disaggregated to ensure that the individual
controls relating to each initiating event can be clearly identified (and tracked through
to the SMS). MIHAP No. 4 provides additional information on the ongoing
management of control measures through the SMS.
The example hazard register provided above is structured by location, with the various
scenarios grouped according to their location. Hazard registers can be structured in
any fashion that meets the specific needs of the Operator. For example, the Hazard
Register might be grouped by hazardous material or to match the management
structure of the facility. The advantage of using such a database is that the data can be
searched or reported using any of the fields. Hazard registers are also useful for
training and education of operators, engineers and maintenance personnel.
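As an added example, not the MIHAP's own tool or the database shown in Figure 3, the following Python script builds an in-memory sqlite3 Hazard Register with the linkage just described (initiating event to control measure, performance standard, critical operating parameter and SMS element) and runs the consistency checks a reviewer would want: critical controls with no SMS link or performance standard, scenarios with no prevention control, and the reverse trace from an SMS element back to the initiating events it supports. All locations, scenarios, controls and SMS element names are constructed.

```python
"""Minimal relational Hazard Register of the kind Section 3.7 describes.
Added example, not the MIHAP's or any vendor's tool; all data constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE location (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE sms_element (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE scenario (
    id INTEGER PRIMARY KEY,
    location_id INTEGER NOT NULL REFERENCES location(id),
    initiating_event TEXT NOT NULL,
    consequence TEXT NOT NULL,
    risk_band TEXT NOT NULL CHECK (risk_band IN ('Low', 'ALARP', 'Intolerable'))
);
-- Each control belongs to one initiating event / scenario.  A critical
-- control should carry a performance standard and an SMS element link so
-- it can be tracked through to the safety management system.
CREATE TABLE control_measure (
    id INTEGER PRIMARY KEY,
    scenario_id INTEGER NOT NULL REFERENCES scenario(id),
    name TEXT NOT NULL,
    kind TEXT NOT NULL CHECK (kind IN ('prevention', 'mitigation')),
    critical INTEGER NOT NULL DEFAULT 0,
    performance_standard TEXT,
    critical_operating_parameter TEXT,
    sms_element_id INTEGER REFERENCES sms_element(id)
);
"""


def build_register():
    """Create the register and load constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO location VALUES (?, ?)",
                     [(1, "Warehouse"), (2, "Production plant")])
    conn.executemany("INSERT INTO sms_element VALUES (?, ?)",
                     [(1, "Permit to work"), (2, "Inspection and maintenance"),
                      (3, "Training and competence"), (4, "Alarm management")])
    conn.executemany("INSERT INTO scenario VALUES (?, ?, ?, ?, ?)", [
        (1, 1, "forklift impact on drum stack", "chlorine release", "ALARP"),
        (2, 2, "cooling water failure", "reactor runaway", "Intolerable"),
        (3, 2, "tank overfill during transfer", "flammable spill", "Low"),
    ])
    conn.executemany("INSERT INTO control_measure VALUES (?, ?, ?, ?, ?, ?, ?, ?)", [
        (1, 1, "Drum stack protection barriers", "prevention", 1,
         "inspected quarterly", None, 2),
        (2, 1, "Emergency chlorine scrubber", "mitigation", 1,
         "available on demand, tested monthly", None, 2),
        (3, 2, "High temperature trip", "prevention", 1,
         "trips at 95 C, proof tested 6-monthly", "reactor temperature < 95 C", 2),
        # Deliberately incomplete entries for the checks below:
        (4, 2, "Operator response to high temperature alarm", "prevention", 1,
         None, None, 4),                       # no performance standard
        (5, 2, "Relief valve to flare", "mitigation", 1,
         "proof tested annually", None, None),  # no SMS link
        (6, 3, "Bund around tank", "mitigation", 0, None, None, None),
    ])
    conn.commit()
    return conn


def unlinked_critical_controls(conn):
    """Critical controls missing a performance standard or an SMS element:
    these break the initiating event -> control -> SMS traceability."""
    rows = conn.execute("""
        SELECT name FROM control_measure
        WHERE critical = 1
          AND (performance_standard IS NULL OR sms_element_id IS NULL)
        ORDER BY name""").fetchall()
    return [r[0] for r in rows]


def scenarios_without_prevention(conn):
    """Initiating events that have mitigation only and no prevention control."""
    rows = conn.execute("""
        SELECT s.initiating_event FROM scenario s
        WHERE NOT EXISTS (SELECT 1 FROM control_measure c
                          WHERE c.scenario_id = s.id AND c.kind = 'prevention')
        ORDER BY s.initiating_event""").fetchall()
    return [r[0] for r in rows]


def controls_for_sms_element(conn, element):
    """Reverse trace: which initiating events depend on a given SMS element."""
    return conn.execute("""
        SELECT s.initiating_event, c.name
        FROM control_measure c
        JOIN scenario s ON s.id = c.scenario_id
        JOIN sms_element e ON e.id = c.sms_element_id
        WHERE e.name = ?
        ORDER BY s.initiating_event, c.name""", (element,)).fetchall()


def register_by_location(conn, location):
    """Report the register grouped by location, as in the Figure 3 layout."""
    return conn.execute("""
        SELECT s.initiating_event, s.consequence, s.risk_band, c.kind, c.name
        FROM scenario s
        JOIN location l ON l.id = s.location_id
        LEFT JOIN control_measure c ON c.scenario_id = s.id
        WHERE l.name = ?
        ORDER BY s.id, c.id""", (location,)).fetchall()
```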

ft
ra
D
n
tio
lta
n su
Co

15 PlanningNSW
Hazard Identification, Risk Assessment and Risk Control: MIHAP No. 3 May 2003

4 Hazard Identification
Hazard Identification is the first step in the analysis. Hazard Identification provides the
scenarios that can be assessed for consequences and for likelihood. The list of
scenarios must cover all of the potential hazards and initiating events on the site.
Hazard Identification is often described as the most important step in a risk
assessment, since what has not been identified will not be evaluated and cannot be
managed (CCPS 2000). From Hazard Identification, an Operator should gain a
comprehensive understanding of what hazards exist, the range of accidents that these
hazards could lead to and what outcomes these accidents have the potential of
causing (see case example below from USEPA).

Note 3: USEPA Prevention of Reactive Chemical Explosions Case Study:
Waste Fuel/Oxidiser Reaction Hazards

The accident at Chief Supply Corporation in Oklahoma, 1997, shows that
inappropriate mixing of organic fuels and oxidisers can lead to fire or explosion
events. One worker was killed and two injured when an explosion occurred in a
mixing vessel following introduction of oxidising materials before the vessel had
been sufficiently filled with fuels (www.epa.gov/ceppo/pubs/accsumma.html). The
site and surrounding areas were evacuated as the subsequent fire escalated to
other stored materials on the site. The factors contributing to the incident included
a failure to fully evaluate and control hazards from mixing inappropriate materials,
failures in operating procedures and other controls for filling the vessel, and a failure
to train operators in correct use of operating procedures. Through not appreciating
the potential hazard associated with mixing of incompatible materials, the hazard
was not managed.

In many cases, particularly for existing facilities, an Operator may also gain additional
understanding of the control measures already in place to manage hazards.

4.1 Terminology

There are a number of different terms used when describing the purpose and findings
of Hazard Identification and Risk Assessment. Different organisations, and sometimes
even different people within an organisation, use these terms differently. To
effectively communicate the purpose and findings of the process, an Operator must
define and adopt consistent terminology. While this need not be the same as the
terminology adopted in this advisory paper (see Glossary and Acronyms), in
communication with the regulator, Operators should use terminology consistent with
this advisory paper to facilitate communication that is more effective and less prone
to misunderstanding.


4.2 Major Accidents


There have been a number of major accidents around the world, some of which are
summarised in Appendix 2. Lees (1996b) contains detailed summaries of these and
other major accidents. While the immediate causes of major accidents are rarely the
same, a contributory factor in nearly all is poor Hazard Identification, Risk Assessment
or Risk Control processes. It is therefore important that Operators learn both the
specific technical lessons as well as the systemic lessons from these events, in
particular, the importance of comprehensive Hazard Identification, Risk Assessment
and Risk Control. A number of major accidents have shown that double jeopardy,
where two or more protection systems fail, cannot be used as a basis for rejecting
hazards as non-credible events. In many major accidents, seemingly unrelated
systems suffered a common mode failure, or control measures that had been assumed
to be highly effective were either malfunctioning or had been deliberately disabled.

4.3 Hazard Types


While the specific hazards present at a facility vary between facilities, it is likely that
most hazards will fit into the following categories. Furthermore, most Operators will
need to manage hazards corresponding to each category, although the risk associated
with each category may differ significantly.

Table 2: Hazard Types

Process hazards: Hazards associated with the physical and chemical nature of
the manufacturing process. Examples include pressure and temperature excursions
caused by reaction kinetics, level excursions caused by the movement of fluids, and
the effects of process chemistry on plant equipment. All modes of operation need to
be considered when identifying process hazards, including start-up, routine and
emergency shutdown, normal operations, and foreseeable abnormal operations. For
batch and semi-batch plants, each stage of batch operation must be addressed
separately since the process hazards are likely to change from stage to stage.

Biological and radiological: Hazards associated with the use of biologically active
material such as infectious material or medical waste, and radioactive materials.

External hazards: Hazards associated with the environment that surrounds the
manufacturing process. Examples include both persistent and extreme weather
conditions (e.g. flooding or bushfire), unstable geological conditions, and hazards
originating from adjoining hazardous facilities, roadways or railways.

Height hazards, mechanical hazards and transportation hazards: Hazards
associated with working at heights and with equipment and materials used at
heights. Mechanical hazards are associated with the use of machinery, including
rotating and moving machinery. Transportation hazards are associated with the
movement of equipment and people. Examples include the use of forklift trucks,
conveyor systems and truck loading and unloading.


Radiological hazards could pose risks to off-site personnel but such risks are regulated
by ARPANSA for Commonwealth facilities and the EPA for NSW state facilities such
as hospitals, universities and sterilisation facilities. Similarly, biological hazards are
under the jurisdiction of the Health Department of NSW.
Although some of the general principles included in this paper may be appropriate for
the assessment of transport risks, the estimation and assessment of risk for
off-site pipelines, road, rail and sea transport requires a slightly different approach
to the one used for fixed major hazard facilities. The estimation and assessment of
off-site transport risk is outside the scope of this paper.

4.4 Hazard Identification Techniques

Factors which the Hazard Identification should take into consideration include:
Chemical, physical and hazardous properties of dangerous goods and combustible
liquids
Manufacturing and transport processes, structures, plant, systems of work and
activities involving these materials
Physical location and arrangement of areas, structures and health and safety
systems
Any other structures, plant, systems of work and activities that could interact with
those goods or liquids
Reactions between the goods/liquids and other substances or articles they may
come into contact with
Previous incidents involving those goods and liquids.
To achieve this, a number of different Hazard Identification techniques may be
required. There are a large number of Hazard Identification Techniques, some suited
to specific types of operations, and others used to identify specific types of hazard.
Lees (1996a) contains a comprehensive overview of many of these techniques,
and a summary of the usefulness of some of these techniques is provided in Table 3,
which can assist in initial choice of hazard identification and risk assessment
techniques for a facility.

Table 3: Guidance Table on Implementation of Hazard Identification Techniques

Columns: Site selection/early design stage; Design stage of new plants;
Operational stage of new and existing plants; Modifications to existing plants.

Techniques (rows):
Process System Checklist
Safety Audit/Review
Process Hazard Analysis (PHA) (2)
Hazard Operability Studies
What If Checklist
Failure Mode and Effects Analysis
Fault Tree Analysis
Event Tree Analysis
Cause Consequence Analysis
Human Reliability Analysis

Legend: Best suited; Could be used; Least suited (not advised).
(The per-cell suitability ratings of the original table are not reproduced in this
text version.)

(2) The definition of PHA differs in various locations. In the USA, and in this table, a PHA is a high level
examination of the hazards of a facility and the associated controls. In NSW, a PHA is a Preliminary Hazard
Analysis, which is a more detailed document which quantifies the off-site risk of a facility and assesses the
compliance with specific


Table 4: Example Hazard Identification Techniques

Technique Summary Skills and Information Required

HAZOP A Hazard and Operability Study was developed primarily Skills in meeting facilitation, and
for application to chemical process systems. It is a highly training and experience in HAZOP
structured technique that delivers a detailed understanding study facilitation for the meeting
of the possible deviations from design intent, particularly leader. The information includes
those associated with process upsets and the operation of P&IDs, flowsheets, site layouts
the process. HAZOP is less suitable for identification of and details flowsheets, site
hazardous scenarios associated with external events. layouts and details on packaged
Also, since HAZOP analyses a process using a section by items.
section approach, it may not identify hazards associated
with the interactions between different nodes.
HIPAP No. 8 (DUAP 1995) describes the HAZOP
methodology in greater detail.

Checklists There are many hazard checklists available, covering a Skills are required in attention
widw range of types of operation. These can be an effective to detail and perseverance in
way of capturing and passing on the experience of others, obtaining information. The
and therefore are a valuable Hazard Identification tool. information varies depending on

ft
However, as discussed in Lees (1996a), checklists the checklist chosen for use.
should only be used as a final check that nothing has

ra
been neglected or missed by other studies. They should not
be used as the sole tool in a Hazard Identification process,
since they may not cover all types of hazard, particularly
D
facility-specific hazards, and they tend to suppress any
lateral thinking.
n

Historical There are a number of publicly accessible databases that Skill in literature searching
tio

records of contain summaries of accidents and near misses that have and in analysis of accident records
incidents occurred in hazardous processes around the world. for relevance to the facility. The
These provide valuable information since they provide information required is a good
insight into how incidents can actually arise. searching facility, both internet
lta

The information in these sources should be considered and library based and access
during Hazard Identification, in addition to the Operators to the various databases.
own site, company and industry history. However,
su

historical data alone cannot be relied on, since the range


of incidents that has actually occurred may not be the
entire range of possible incidents, particularly when
considering major incidents.
n
Co

What-If and Similar to HAZOP, this structured technique identifies Skills in meeting facilitation and
Structured potential deviations, upsets and external hazards general knowledge of the site
What-If at the facility using a set of pre-prepared and operation. The information
(SWIFT) customised what-if questions. The questions are includes site layouts, equipment
often based on the experience of others, hence this drawings, procedures and control
technique has some of the same benefits as a checklist system details.
approach. An advantage of this approach over HAZOP
is that hazards associated with interactions between
sections of the plant may be more readily identified,
however in general this tool delivers results that are
less detailed than HAZOP.

20 PlanningNSW
Hazard Identification, Risk Assessment and Risk Control: MIHAP No. 3 May 2003

Technique Summary Skills and Information Required

Task This technique was developed specifically to identify Skills include experience
Analysis hazards associated with human factors, procedural errors interviewing people, training and
and the man-machine interface. The technique can be experience in task analysis.
applied to working environments such as control rooms, or Information required includes
to specific jobs such as start-up of shutdown processes. detailed layouts of controls and
Types of hazard identified may include procedure failures, equipment, detailed descriptions
human resources issues, hazardous human errors and of tasks to be undertaken and
incorrect responses to alarms. Task Analysis is therefore other operational factors.
of particular benefit when areas of a facility have a low
fault-tolerance, and human error can easily take a plant out
of its safe operating envelope.

FMECA Failure Modes, Effects and Criticality Analysis (FMECA) Skills include training and
and FMEA and Failure Modes and Effects Analysis (FMEA) are experience in FMEA or FMECA.
highly structured techniques. They are most often applied Workshop facilitation is also
to a complex item of mechanical or electrical equipment, useful. The information required
which contains a number of sub-systems and components. includes detailed drawings
The overall system is broken down into a set of related of the equipment being studied
sub-systems, and each of these as a set of smaller including layouts, mechanical
sub-systems, and so on down to component level. Failures assembly and electrical wiring.
of individual systems, sub-systems and components are

ft
then systematically analysed to identify potential causes
(which stem from failures at the next lower-level system),
and to determine their possible effects (which are potential
causes of failure in the next higher-level system). The
technique is most often used to analyse the level of safety ra
D
achievable by safety critical mechanical or electrical plant
items such as firewater pumps, gas detection devices or
trip systems.
n
tio

Fault Tree and Event Tree Analysis
Description: Fault tree analysis is useful in identifying combinations of equipment failures and human failures that can lead to an accident. It uses a logic diagram to work systematically from an accident back to the range of initiating events that have the potential to lead to the accident. As well as being a useful Hazard Identification tool, a fault tree can be used to estimate the likelihood or probability of an accident event occurring. The method is further described in Rasmussen (1975) and CCPS (1992).
Event tree analysis is primarily a tool used in consequence analysis, frequency analysis and risk summation, but it can also be valuable in the Hazard Identification process. The technique works systematically from an accident forward to the range of consequences that may result, the end result being a logic diagram showing the potential consequences of an accident and the event sequences required to produce them.
Skills and information: Skills include analytical thinking ability, and training and experience in fault tree and event tree analysis. The information required includes a detailed description of the operation of the equipment or process, including fault diagnosis and repair.

Brainstorming
Description: Typically a relatively unstructured group process, brainstorming can be effective at identifying obscure hazards of a type that may be overlooked by the more systematic methods. It can be used to complement other techniques, but should not be used as a replacement.
Skills and information: Skills include workshop facilitation and training in the technique of brainstorming. Information needs vary depending on the process.


4.5 Demonstration Requirements for Hazard Identification

The objective of Hazard Identification is to ensure that, so far as is reasonably practicable, the Operator is aware of all hazards and initiating events that could lead to an accident. Identification of ALL hazards and initiating events is difficult to achieve, and the Operator must recognise that no single HAZID technique can be relied upon to identify all of them.
Hazard Identification is the first and most important step in any hazard analysis and involves the comprehensive identification of possible conditions that could lead to a hazardous incident. This comprehensive and systematic process is critical to the success of the hazard analysis, as any hazard not identified at this stage is excluded from further analysis.
To demonstrate that an appropriate degree of Hazard Identification has been undertaken, an Operator must be able to show that:
- Appropriate personnel were involved in the Hazard Identification process, and an appropriate amount of time was allowed for the imaginative anticipation of hazardous scenarios.
- The Hazard Identification process was based on up-to-date and accurate information.
- The strengths and weaknesses of the techniques used are understood, and therefore that an appropriate range of techniques has been employed. As shown in Figure 4, a single technique may not identify all hazards and initiating events in all facilities. Some may be identified by a number of Hazard Identification techniques, while others may only be identified through the use of one specific technique. More details on a number of different techniques are provided in Section 4.4.
- Human factors have been considered. Examples of relevant human factors include: memory limitations, visual acuity limitations, information processing problems (leading to misunderstood instructions), distraction, fatigue, decision-making biased by experience and knowledge, rigid problem solving, susceptibility to following group behaviour, etc. These can all adversely influence human actions and decisions, leading to the possible creation of hazards.
- The findings of previous Hazard Identification studies have been reviewed and, where necessary, additional hazards documented to reflect the hazards captured in those studies.
- The benefits of hindsight have been fully exploited. This includes learning from both near misses and accidents within the direct experience of the Operator, as well as those from the wider spectrum of relevant operations. Hazards and initiating events cannot be dismissed as non-credible simply because they have not yet occurred, nor because the control measures are so effective that it seems inconceivable that the hazard could ever be realised.


Figure 4: Comprehensive Hazard Identification

As highlighted in Section 4.2, hazards and initiating events cannot be dismissed due to the perceived effectiveness of control measures, or due to the belief that a double jeopardy scenario (i.e. a scenario arising from the failure of two or more control measures) would be required for a hazard to be realised. A key purpose of Hazard Identification is to help identify critical control measures, which an Operator can then ensure remain effective. History has shown that many accidents have resulted from Operators incorrectly assuming that control measures are always available.

Note 4: A Cautionary Example
[Wong W., 2002, How Did That Happen? Engineering Safety and Reliability]

The effectiveness of any hazard analysis depends entirely on the experience and creative imagination of the team doing the investigation. The procedures only impose a disciplined structure on the work.

The Concorde supersonic airliner that crashed at Paris in 2000 is a good example of this. During take-off a fuel tank in the wing was ruptured. The escaping fuel was ignited, the plane caught fire and crashed. The engineers had considered all failure modes in the design and the fuel tank should not have ruptured. The event that was not foreseen was the possibility that an object could strike the underside of the fuel tank and cause a hydraulic wave to be transmitted to the upper side of the fuel tank. It was the reflected hydraulic wave that then caused the underside of the fuel tank to rupture. If the fuel tank had not been completely full there would not have been a reflected hydraulic wave. For take-off on a long journey the tanks were of course full. No one had thought of this possibility; it demonstrates how much imagination is needed to ensure that all failure modes are identified.

Making provision to avoid the hazard by design solved the problem. The tyres were redesigned to avoid bursting and shedding debris large enough to damage the fuel tanks. The fuel tanks were lined with a material that could absorb hydraulic shock waves and self-seal if punctured.


4.6 Aggregation of Hazardous Scenarios


In order to limit the effort spent in assessing hazardous scenarios, it may be
beneficial to initially perform a relatively coarse Hazard Identification. Such an
approach will tend to aggregate hazardous scenarios together into clusters. These
clusters can then be screened on a risk basis, and more detailed Hazard
Identification can then be undertaken for those clusters of hazardous scenarios
assessed to represent a high or uncertain level of risk. Screening could be based on
the worst case consequences of accidents, or by using a risk matrix, such as that
discussed in Section 5.3.
Where the Operator is confident that the risk is low, the cluster representation may be sufficient to demonstrate the adequacy of the control measures. For example, for a small inventory, low pressure drainage vessel, it may be adequate to cluster together all possible corrosion mechanisms within a single initiating event of 'internal corrosion', based on an understanding that the consequences of a leak are likely to be low, and the fact that the vessel is rarely in service. Conversely, corrosion mechanisms in a high pressure reactor may need to be broken down in more detail, since the consequences of a release are likely to be severe, and the likelihood may be higher due to elevated temperatures and aggressive process chemistry. Taking this type of approach will help Operators allocate resources to the Hazard Identification process appropriately, directing more resource towards high risk hazards while still ensuring that low risk hazards are adequately identified.
As with all types of Risk Assessment, Operators should use conservative best estimates when screening hazard clusters, to ensure that uncertainty does not result in an inadequate identification of high-risk hazardous scenarios.

4.7 Worst Case Scenario

The worst case scenario (also termed the bounding case scenario) defines the upper boundary for the range of credible hazardous scenarios that must be identified. It must not be defined simply as the largest event within the capacity of existing protection systems, on the basis that events worse than this cannot be managed. It must also be recognised that the consequences that extend furthest from the facility may not be the worst case, once the effect of these consequences on people, plant and the environment is considered. Furthermore, although local communities and other stakeholders may be very sensitive to information regarding high severity, low likelihood accidents, this is not a valid argument for failing to consider such accidents. The Operator should consider all available information, including historical incident records, in deriving the worst case scenario. The worst case scenario should reflect any foreseeable factors that could exacerbate the severity of an accident, including abnormal process conditions, out of hours manning levels, and the potential for control measures to be disabled or rendered inoperable by the accident.


5 Risk Analysis
Whereas Hazard Identification obtains information about what can happen, the purpose of Risk Analysis is to determine how likely accidents are to occur and to determine the magnitude and effects of these accidents on people, plant and the environment. The objectives of the Risk Analysis are to:
- Enhance site personnel's understanding of hazards and risks;
- Identify major risk contributors;
- Enable decisions on risk reduction measures to be made using appropriate criteria and justification;
- Identify areas of concern for community consultation, critical safety management system controls and emergency plans; and
- Achieve an acceptable level of on-site and off-site risk (e.g. ALARP or better).
As shown in Figure 5, risk represents a combination of likelihood and consequence, although the rules used to combine them may vary from hazard to hazard, and between Operators. In most quantitative risk assessments, risk is calculated as the product of likelihood and consequence severity. However, this is not necessarily the case in qualitative assessments.
Figure 5: Calculation of Risk
[Diagram: Likelihood Analysis and Consequence Analysis combine to give Risk.]

Risk Analysis is generally undertaken after Hazard Identification has been completed, although some iteration between the two processes may be required. For example, the screening process used to assess the consequences of the worst case scenario for comparison with off-site criteria will require consequence assessment before all the hazardous scenarios are fully recorded. It is necessary to assess the risk of the scenario to determine the degree of detail required for recording of the scenario.

5.1 Uncertainty in Risk Assessment


All Risk Assessments require assumptions, and thus the results will contain uncertainty. Wherever possible, assumptions should reflect reality as closely as possible. However, where uncertainty remains, assumptions should be made that err on the side of conservatism. Such assumptions are known as conservative best estimates, and ensure that assumptions do not result in the underestimation of risk. Such underestimation of risk could result in inadequate risk management.


5.2 Multi-Level Risk Assessment


The Risk Assessment process should employ methodologies that are appropriate to the nature and extent of hazards and risks. This means that the tools used must be selected according to the Operator's current understanding of the level of risk and the nature of the hazards. It is unlikely that an Operator will be able to rely on a single tool to meet all of the Risk Assessment requirements. Instead, a variety of tools will most likely be required.
To make optimum use of available resources, Operators should identify the types of study that will be required before following any particular route. Operators may use a Risk Ranking tool to perform a preliminary evaluation of risk, and to screen hazards.
The results of Risk Ranking will indicate where risks are high, and greater attention should be given to these areas during the risk assessment process. Where there is insufficient knowledge to perform this evaluation accurately, conservative best estimates should be used. More detailed studies may be needed to reduce the uncertainty, and the results of the Risk Ranking should point towards the types of study required. Some iteration between Risk Ranking and detailed Risk Assessment may be required, whereby the ranking is reviewed to see if any hazards have increased in rank following additional study and thus warrant more detailed study.
Using the multi-level approach, where simpler and more conservative techniques deliver the Operator sufficient understanding of the risk and the options for its control, further detailed Risk Assessment may be limited to testing and confirming the assumptions. However, where substantial uncertainty remains, the risk is high, or the Operator wishes to review a range of options in greater detail, further effort is justified and more detailed assessments may be desirable. At each level, the Operator should compare the potential cost of performing more detailed Risk Assessment against the increased understanding of risk. Generally, greater assessment effort will result in a more detailed, quantitative, accurate and robust understanding of risk, thereby allowing a more justifiable and rational basis for decision-making. At the lowest level of risk, qualitative analysis tools can be used, while as the level of risk increases, semi-quantitative and ultimately fully quantitative tools must be used.

5.3 Screening Tools


Further examples of processes for determining the level of detail required in the analysis (see Section 3.6) are provided below. Screening tools can be based on consequences, likelihood or risk.
An example of a consequence-based screening tool is the preliminary screening tool presented in Multi-Level Risk Assessment (DUAP 1997). This may be a suitable tool to sort hazardous scenarios into those requiring more detailed Hazard Identification and those with consequences sufficiently minor not to warrant further risk assessment. The technique can therefore be used to screen out, from more detailed study, those hazardous scenarios that do not pose significant risk. The underlying assumptions employed are conservative, and primarily consider the consequences of accidents in the absence of control measures. As such, the screening is based on the consequences of accidents, not the risk of accidents.


An example of a hazard-based screening tool can be found in Applying SEPP 33 (DUAP 1997). Its screening thresholds are based on the potential for incidents involving the materials to have significant consequences off site. Likelihood screening tools include fault trees, which are described in Section 5.9.
Other techniques that may be useful as screening tools are hazard indices. A number of such tools exist, including the Dow Fire and Explosion Index, ICI's Mond Index, the Substance Hazard Index, the Material Hazard Index, Dow's Chemical Exposure Index and the SARA Title III Threshold Planning Quantity Index. Further information on these techniques can be found in CCPS (1992). More recently, Khan et al. (2001) developed a more comprehensive screening and ranking tool, the Safety Weighted Hazard Index, which gives greater consideration to control measures when determining the hazard index.
The Purple Book procedure (CPR18E 1999) for determining which plant sections require quantified risk assessment uses a number of factors to produce a numerical value. When the value is above a threshold, quantified risk assessment is required. The factors included in the assessment are the quantity of a material present, a limit value for each material based on its intrinsic hazard, factors for the process conditions, the likelihood of release and the distances from the facility to the site boundary. This procedure is a risk-based methodology, as it uses factors related both to the material properties and to the likelihood of release.

5.4 Risk Ranking Tools
Risk Ranking tools can be used to develop a better understanding of the risks, and of the level of Risk Assessment warranted. One such tool that may be useful for Risk Ranking is a risk matrix. Figure 6 presents an example of a Risk Matrix, based on the Tertiary Classification method presented in MIHAP No. 2. Some Operators may already have their own Risk Matrices, and these may be suitable for use in Risk Ranking, provided the consequence and likelihood ranges adequately span the full range of scenarios to be ranked. AS/NZS 4360:1999 (Standards Australia 1999) also presents a Risk Matrix that may assist Operators with Risk Ranking, although effects on the environment and property are not explicitly addressed in that standard.
Risk Matrices are able to provide a relatively rapid understanding of the risk profile of the facility, and can be used on the basis of qualitative judgement alone, or can be refined using more detailed quantitative information, such as consequence results generated by screening tools. By allowing direct comparison of risks to people, environment, property and economic impact, Risk Matrices can be a very effective tool for comparing a wide range of different types of accidents. However, Risk Matrices have limitations. It is not easy to incorporate the effects of risk reduction measures. For example, using the matrix in Figure 6, a change of two orders of magnitude in the frequency of a Remote accident scenario may not change its rating at all. Nor is it easy to use a matrix to assess cumulative risk, particularly where a large number of accident scenarios exist. For example, the cumulative risk of ten separate scenarios that each fall into the Remote/Severe category may be considered Moderate or High risk. Middleton and Franks (2001) present some approaches that can help manage these issues. However, in many cases, to adequately address these limitations, more detailed methods are likely to be required.


Figure 6: Example Risk Matrix (Refer to MIHAP No. 2)

Likelihood Category                 Consequence Category
(frequency per year)                Insignificant  Minor     Severe    Major     Catastrophic
Almost Certain (> 1.0)              Moderate       High      Extreme   Extreme   Extreme
Occasional (> 0.1 to < 1.0)         Moderate       High      Extreme   Extreme   Extreme
Possible (> 0.01 to < 0.1)          Low            Moderate  High      Extreme   Extreme
Unlikely (> 10^-4 to < 0.01)        Low            Moderate  High      Extreme   Extreme
Remote (> 10^-7 to < 10^-4)         Low            Low       Moderate  High      Extreme
Extremely Unlikely (< 10^-7)        Low            Low       Low       High      High

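The following added example (not part of the advisory paper, and not any Operator's tool) encodes the Figure 6 bands and cell ratings and exercises the two limitations described in Section 5.4: a hundred-fold change in frequency inside the Remote band leaves the rating unchanged, and ten individually Moderate Remote/Severe scenarios rank High once their frequencies are summed. The treatment of a frequency that falls exactly on a band boundary (assigned to the higher, more conservative band) and the summation of frequencies that share a consequence category are this example's assumptions; neither Figure 6 nor the text defines them.

```python
"""Risk-matrix ranking with the Figure 6 bands.

Added example; not from the advisory paper. Band edges and cell ratings
are transcribed from Figure 6. Boundary handling (a frequency exactly on
a band edge goes to the higher, more conservative band) and the
aggregation rule (summing annual frequencies of scenarios that share a
consequence category) are this example's assumptions.
"""
from dataclasses import dataclass

CONSEQUENCES = ("Insignificant", "Minor", "Severe", "Major", "Catastrophic")

# (lower edge of band in events per year, band name), most to least likely.
LIKELIHOOD_BANDS = (
    (1.0, "Almost Certain"),
    (0.1, "Occasional"),
    (0.01, "Possible"),
    (1e-4, "Unlikely"),
    (1e-7, "Remote"),
    (0.0, "Extremely Unlikely"),
)

# Cell ratings, one row per likelihood band, columns in CONSEQUENCES order.
MATRIX = {
    "Almost Certain":     ("Moderate", "High",     "Extreme",  "Extreme", "Extreme"),
    "Occasional":         ("Moderate", "High",     "Extreme",  "Extreme", "Extreme"),
    "Possible":           ("Low",      "Moderate", "High",     "Extreme", "Extreme"),
    "Unlikely":           ("Low",      "Moderate", "High",     "Extreme", "Extreme"),
    "Remote":             ("Low",      "Low",      "Moderate", "High",    "Extreme"),
    "Extremely Unlikely": ("Low",      "Low",      "Low",      "High",    "High"),
}


def likelihood_category(freq_per_year: float) -> str:
    """Map an annual frequency to its Figure 6 band (edge values go to the higher band)."""
    if freq_per_year < 0:
        raise ValueError("frequency must be non-negative")
    for lower_edge, name in LIKELIHOOD_BANDS:
        if freq_per_year >= lower_edge:
            return name
    return "Extremely Unlikely"  # not reached: the 0.0 band catches everything


def rank(freq_per_year: float, consequence: str) -> str:
    """Look up the matrix cell for one scenario."""
    if consequence not in CONSEQUENCES:
        raise ValueError(f"unknown consequence category: {consequence!r}")
    row = MATRIX[likelihood_category(freq_per_year)]
    return row[CONSEQUENCES.index(consequence)]


@dataclass(frozen=True)
class Scenario:
    name: str
    freq_per_year: float
    consequence: str


def rank_each(scenarios) -> dict:
    """Rate every scenario on its own, as a matrix is normally used."""
    return {s.name: rank(s.freq_per_year, s.consequence) for s in scenarios}


def rank_aggregated(scenarios) -> dict:
    """Sum frequencies per consequence category, then rate the sum (assumed rule)."""
    totals = {}
    for s in scenarios:
        totals[s.consequence] = totals.get(s.consequence, 0.0) + s.freq_per_year
    return {c: rank(f, c) for c, f in totals.items()}


# Constructed sample: ten separate Remote/Severe leak scenarios at one facility.
TEN_REMOTE_SEVERE = tuple(
    Scenario(f"flange leak {i}", 5e-5, "Severe") for i in range(10)
)

if __name__ == "__main__":
    # Limitation 1: a hundred-fold reduction inside the Remote band does not move the cell.
    print(rank(5e-5, "Severe"), rank(5e-7, "Severe"))
    # Limitation 2: each scenario is Moderate, but the sum (5e-4/yr, Unlikely/Severe) is High.
    print(rank_each(TEN_REMOTE_SEVERE)["flange leak 0"],
          rank_aggregated(TEN_REMOTE_SEVERE)["Severe"])
```

Run as a script it prints "Moderate Moderate" and then "Moderate High". The second line is the point of the 5.4 caveat: a matrix applied scenario by scenario never sees the cumulative frequency, so a facility with many low-frequency scenarios of the same severity can look uniformly Moderate while the summed risk sits a band higher.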
Another tool for determining the level of risk assessment required is the Approximate Risk Integral. Developed by Hirst and Carter (2000), this technique uses the worst case scenario to characterise the entire societal risk profile of a facility. The characterisation is based upon the societal risk profile of accidents at similar types of facility, and can be used to determine whether the societal risk from a facility is broadly negligible, potentially tolerable, or most likely intolerable. These findings can then be used as a basis for deciding whether qualitative, semi-quantitative or quantitative methodologies should be used for further Risk Assessment.

5.5 Qualitative Methodologies

Qualitative methodologies should incorporate:
- Formalised hazard identification, using tools as listed in Section 4.4, such as Hazard Identification Checklists and Hazard Identification Word Diagrams.
- Generalised consequence analysis of the key risk contributors, to demonstrate that such consequences are kept within site boundaries. This analysis could use the results of the Screening and Risk Ranking process.
- Evaluation of the risks against the relevant qualitative criteria. This could use a Risk Matrix as shown in Figure 6.
- Demonstration of the adequacy of the technical and management controls to ensure the ongoing safety of the facility.


Risk Matrices, such as that shown in Figure 6, are one of the more common
qualitative Risk Assessment tools. Risk Nomograms, discussed in WorkSafe MHD
(2002b), are another tool that can be used. One advantage of this technique over
Risk Matrices is that risk reductions delivered by additional control measures can be
more accurately measured, since risk is presented as a continuous scale, rather than
in discrete cells of a matrix. However, the development of Risk Nomograms is not a
straightforward matter, and Operators should ensure they clearly understand the
principles involved before considering such an approach.

5.6 Semi-Quantitative Methodologies


Semi-quantitative methodologies would be applied where preliminary risk estimates (such as those obtained using a Risk Matrix) fall within the middle (ALARP) zones and one or more risk contributors have been identified that have consequences beyond the site boundaries, but with a low frequency of occurrence. Semi-quantitative methodologies, in addition to containing all the elements of qualitative methodologies, should include sufficient quantification of risk contributors to demonstrate that all relevant risk criteria will be met. In particular:
- Appropriate modelling tools should be used to calculate the consequences of all events with the potential for harmful off-site effects or serious danger or harm to people, property or the environment.
- There should be an estimate of likelihood for each event confirmed by the consequence modelling to have significant off-site effects, using appropriate failure data and techniques, such as fault and event trees or workshop discussions.
- Where no fully quantified risk assessment is required for the facility, there should be an indicative estimate of the off-site risk, taking into account the cumulative impact of all hazardous scenarios for the facility.
The study must demonstrate that, in principle, all relevant risk criteria will be met. This includes the PlanningNSW criteria for off-site risk and the facility's criteria for on-site risk. Where this cannot be demonstrated by semi-quantitative methodologies, fully quantitative methodologies may be required.
Semi-quantitative methodologies would normally be applied to relatively low risk facilities where Hazard Identification, Screening and Risk Ranking have identified one or more events with off-site consequences, but where both their consequences and their likelihood are low. For higher risk facilities, or when the likelihood of such events is not low, fully quantitative methodologies should be used.
To determine what should be quantified when using a semi-quantitative methodology, a conservative approach needs to be adopted. For a first estimate, quantification could be carried out on any component that has off-site consequences at a frequency that may contribute to exceeding risk criteria.
Semi-quantitative assessments tend to use the same techniques for estimating the consequences of accidents as would be used in a quantitative assessment. However, the likelihood assessment is often qualitative, and risk contours are not produced. The analysis only needs to be sufficiently detailed to demonstrate conservatively that there is no combination of likelihood and consequence that could lead to any relevant risk criterion being exceeded. For example, the analysis could show that there are no events with significant off-site consequences, or that any off-site consequences occur at such a low frequency that the risk could be regarded as negligible.


5.7 Quantitative Methodologies


Full Quantitative Risk Analysis (QRA) is advisable whenever the nature of an activity creates a significant potential for major accidents. Examples of such activities include large-scale manufacture of chemicals, petroleum refining, and storage and distribution terminals involving large quantities of dangerous goods. Fully quantitative methodologies should also be used where less detailed methodologies cannot sufficiently demonstrate that all relevant criteria can be met.
The QRA should provide numerical estimates of the severity of the consequences of accidents, and of the likelihood of these consequences occurring. The specific methodologies for calculating these estimates will vary, depending on the types of hazard being assessed. A range of potential methodologies for making these estimates is discussed in Sections 3.5 and 5.9. The QRA methodology should then integrate these estimates to provide a quantified estimate of risk, possibly in the form of indices, tables, graphs or risk contour plots. It is important that the study also includes a sensitivity analysis covering those assumptions and data which, if varied, could significantly affect the results.
Fully quantitative methodologies tend to be quite complex, since they take account of a large number of variables, including changing meteorological conditions and non-uniform population distributions. They also potentially include a large number of accident scenarios, each with many potential consequences. A number of software tools are available to assist with some or all of the calculations that may be required. The Purple Book (1999) has been published by the Dutch regulatory authorities as a guide to performing QRA, and contains an extensive list of such tools. While these tools can help reduce the time required for QRA, as well as improve the accuracy of the results, it is important for Operators to understand that the accuracy and usefulness of such tools depends heavily on the knowledge and skill of the user and the accuracy of the input data. These tools should not be used as a black box. The user must understand the intended purpose, suitability and limitations of any tools being used. PlanningNSW makes no warranty as to the suitability of any of these tools for any study that may be undertaken. Each Operator must rely on their own judgement.
The continual upgrading of software tools for QRA can result in some apparent contradictions. If a QRA is updated to account for improved controls and mitigation measures, and is run on a newer version of the software, it is possible for the calculated risk levels to increase. As recommended in the TNO Purple Book, the existing and new risk levels should be compared using the same version of the software, which will give an improved understanding of the reasons for the changes in risk levels.
QRA has the potential to be misused through misunderstanding of the limitations of the process. It is important that QRA is not used by itself to justify a relaxation of safety practices. In common with any other type of study, the QRA analysis process can be manipulated. Where this happens, management is given a false sense of security, poor decisions may be made and risk reduction opportunities missed. The best use of QRA is as an objective tool to study risks and contribute to reducing risks to ALARP.


5.8 Consequence Analysis


Consequence analysis involves the analysis and quantification of the potential of
accidents to cause injury or fatalities, damage to property or damage to the
biophysical environment. The consequence of an incident is estimated independently
of its likelihood.
It is important to draw a distinction between the physical consequences of accidents
and their effects on people, property and the environment. Consequences are the
physical phenomena associated with the incident, for example thermal radiation
intensity, explosion overpressure or concentration of a toxic substance. Effects
describe the consequences upon people, property and the biophysical environment.
Event trees (see section 5.9) are one of the ways for enumerating the range of
possible consequences following release of a dangerous material. An example is
where a release of LPG may result in a jet fire, flash fire, pool fire or BLEVE depending
on the circumstances of the release. As well as listing the possible consequences,
event trees enable identification of the control measures that act to prevent the
consequences and can be used to estimate the likelihood of the scenarios.
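The following added example (not from the advisory paper, Rasmussen (1975) or CCPS (1992)) joins the two techniques described in the Section 4.4 table entry for Fault Tree and Event Tree Analysis and in the paragraph above: a fault tree evaluated backwards from an LPG release to its causes, and an event tree evaluated forwards from that release to jet fire, BLEVE, vapour cloud explosion, flash fire or dispersal without ignition. The gate structure, every basic-event frequency and every branch probability are constructed for illustration only, and the unit rules in the docstring (which inputs an AND or OR gate may combine) are this example's convention.

```python
"""Fault tree (backwards to causes) and event tree (forwards to outcomes).

Added example, not from the advisory paper, Rasmussen (1975) or CCPS
(1992). Gates, basic events, frequencies and branch probabilities are
constructed for illustration and are not data for any real plant.

Unit rules (this example's convention): a leaf carries either a
frequency (per year) or a probability (e.g. failure on demand); an AND
gate multiplies its inputs and may contain at most one frequency; an OR
gate adds frequencies (rare-event approximation) or combines
probabilities as 1 - prod(1 - p).
"""
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Leaf:
    name: str
    value: float
    kind: str                   # "freq" (per year) or "prob" (dimensionless)


@dataclass(frozen=True)
class Gate:
    name: str
    op: str                     # "AND" or "OR"
    inputs: tuple


def evaluate(node):
    """Return (value, kind) for a fault-tree node, enforcing the unit rules."""
    if isinstance(node, Leaf):
        if node.kind not in ("freq", "prob") or node.value < 0:
            raise ValueError(f"bad leaf {node.name!r}")
        if node.kind == "prob" and node.value > 1:
            raise ValueError(f"probability > 1 in {node.name!r}")
        return node.value, node.kind
    results = [evaluate(child) for child in node.inputs]
    kinds = [k for _, k in results]
    if node.op == "AND":
        if kinds.count("freq") > 1:
            raise ValueError(f"{node.name!r}: AND of two frequencies has no meaning")
        value = 1.0
        for v, _ in results:
            value *= v
        return value, ("freq" if "freq" in kinds else "prob")
    if node.op == "OR":
        if len(set(kinds)) != 1:
            raise ValueError(f"{node.name!r}: OR inputs must share a unit")
        if kinds[0] == "freq":
            return sum(v for v, _ in results), "freq"
        survive = 1.0
        for v, _ in results:
            survive *= 1.0 - v
        return 1.0 - survive, "prob"
    raise ValueError(f"unknown gate op {node.op!r}")


@dataclass(frozen=True)
class Branch:
    question: str
    p_yes: float
    yes: Union["Branch", str]   # sub-branch or final outcome name
    no: Union["Branch", str]


def event_tree_outcomes(initiating_freq, node, _path_p=1.0, _acc=None):
    """Walk the event tree; return {outcome name: frequency per year}."""
    acc = {} if _acc is None else _acc
    if isinstance(node, str):
        acc[node] = acc.get(node, 0.0) + initiating_freq * _path_p
        return acc
    if not 0.0 <= node.p_yes <= 1.0:
        raise ValueError(f"branch probability out of range at {node.question!r}")
    event_tree_outcomes(initiating_freq, node.yes, _path_p * node.p_yes, acc)
    event_tree_outcomes(initiating_freq, node.no, _path_p * (1.0 - node.p_yes), acc)
    return acc


# Constructed fault tree: LPG release from a transfer pump seal.
RELEASE_TREE = Gate("LPG release at pump seal", "OR", (
    Leaf("seal fails through wear", 1e-3, "freq"),
    Gate("seal destroyed by dry running", "AND", (
        Gate("pump runs dry", "OR", (
            Leaf("operator starts pump against closed suction valve", 3e-2, "freq"),
            Leaf("suction drum level control fails low", 2e-2, "freq"),
        )),
        Leaf("low-flow trip fails on demand", 0.1, "prob"),
    )),
))

# Constructed event tree from that release to its outcomes.
LPG_EVENT_TREE = Branch("immediate ignition?", 0.1,
    yes=Branch("jet fire impinges on vessel?", 0.05, yes="BLEVE", no="jet fire"),
    no=Branch("delayed ignition?", 0.3,
        yes=Branch("cloud confined or congested?", 0.4,
            yes="vapour cloud explosion", no="flash fire"),
        no="dispersal without ignition"))


def lpg_outcome_frequencies():
    """Release frequency from the fault tree, then outcome frequencies from the event tree."""
    release_freq, kind = evaluate(RELEASE_TREE)
    if kind != "freq":
        raise ValueError("top event must be a frequency")
    return release_freq, event_tree_outcomes(release_freq, LPG_EVENT_TREE)


if __name__ == "__main__":
    release_freq, outcomes = lpg_outcome_frequencies()
    print(f"release frequency {release_freq:.2e} /yr")
    for outcome, freq in sorted(outcomes.items(), key=lambda kv: -kv[1]):
        print(f"  {outcome:28s} {freq:.2e} /yr")
```

The unit checks matter more than the arithmetic: a fault tree that silently ANDs two per-year frequencies, or ORs a frequency with a probability, produces a number with no physical meaning, and that error is easy to make once a tree has several levels. The event tree's branch questions are the control measures and circumstances the paragraph above refers to; each branch probability is where a control measure's effectiveness enters the likelihood estimate.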
Consequence analysis should be undertaken separately for each accident scenario to estimate the effects of each outcome on people, property and the biophysical environment. However, resource limitations may not permit detailed analysis of all possible cases. Judgement is required to select those cases that would provide a satisfactory indication of the consequences of the incident. The analysis should attempt to be as accurate and realistic as possible; however, simplifying assumptions will have to be made. Where this is the case, it is usually appropriate to employ a degree of conservatism.

Figure 7: Consequence Analysis
[Flow chart: representative scenarios of potentially hazardous incidents feed physical models (discharge models, dispersion models, fire and explosion models) and effect models (effects of exposure to heat radiation, explosion overpressure and toxic materials), leading to presentation of consequence results (including magnitude and effects).]


The types of accidents most commonly contributing to a QRA are fires, explosions
and toxic releases. The consequences of these can be estimated quantitatively in
terms of thermal effects, explosion overpressure effects and toxic effects. In some
cases, the dispersion and effects of hazardous materials of other types such as
polluting substances, radioactive materials and infectious materials will also need to
be considered.
Since, in general, consequences become less severe with increasing distance from
the source, it is usual to express consequences as the distance to a specified
consequence level. For example, the results of a consequence calculation might be
the distance to the thermal radiation intensity likely to cause fatality, or the distance
to the level of explosion overpressure that would produce building damage.
A large number of mathematical models have been developed to estimate the consequences of various types of incident. These models require inputs describing the conditions preceding the release, such as:
- physical and chemical properties of the released material;
- storage or operating conditions prior to the release;
- size and orientation of the release orifice; and
- assumptions regarding factors such as meteorological conditions and ignition sources.
Some of the major types of model are discussed in the following sections. Depending on the type of incident to be modelled, the analyst would need to use a selection of the types of model described. A more detailed discussion, with references to provide further information, is presented in Appendix 4: Models for Consequence Analysis.

5.8.1 Discharge Models


Most hazardous incidents of concern are the result of hazardous material escaping from containment. This may, for example, be from a crack or hole in a vessel or pipework, or it may be due to complete failure of a vessel. It may also be from a relief valve, or from a valve which has failed or been left open. There are a large number of mathematical discharge models that can be used to estimate the rate of release of hazardous gases, liquids or a mixture of both, and the amount released. For a pure substance leaking from a pipe or vessel, it is often assumed that the hole in the pipe or vessel is similar to a circular orifice. This enables standard flow equations to be used to estimate the total flow rate of material from the pipe or vessel.


Note 5: Example Discharge Calculation

Natural gas at 2 bar and 20°C is modelled as escaping from a vessel through a 25-mm diameter orifice. The release
rate from the vessel can be estimated by the following calculation, provided the release is assumed to be the
isothermal flow of an ideal gas with no losses due to friction:

Where G = mass flow rate
CD = coefficient of discharge
A0 = orifice cross section area
A1 = cross section area upstream of orifice
v1 = volume per mass of fluid upstream of orifice
v2 = volume per mass of fluid in the orifice vena contracta
P1 = pressure in the vessel
P2 = pressure in the vena contracta
Using this equation, the flow rate of natural gas can be calculated to be approximately 0.21 kg/s.
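The following Python is an added worked example and is not part of the advisory paper or its cited sources. It implements the standard adiabatic (isentropic) ideal-gas orifice equations, with the choked-flow check that any discharge estimate needs, rather than the isothermal form that Note 5 names (the note's own equation is not reproduced above). The methane properties, the coefficient of discharge CD = 0.85 and the reading of "2 bar" as gauge pressure are assumptions of this example.

```python
import math

R_GAS = 8.314      # universal gas constant, J/(mol K)
P_ATM = 101325.0   # atmospheric pressure, Pa


def critical_pressure_ratio(gamma):
    """Downstream/upstream pressure ratio at which orifice flow becomes sonic (choked)."""
    return (2.0 / (gamma + 1.0)) ** (gamma / (gamma - 1.0))


def gas_discharge_rate(p1, t1, p2, d_orifice, molar_mass, gamma, cd):
    """Mass flow (kg/s) of an ideal gas through a sharp-edged orifice.

    Adiabatic (isentropic) orifice equations from standard loss-of-containment
    texts; the note names an isothermal form, which gives results of the same order.
    p1, p2: upstream and downstream absolute pressures, Pa
    t1: upstream temperature, K;  d_orifice: m;  molar_mass: kg/mol
    cd: coefficient of discharge (CD in the note)
    """
    if p1 <= p2:
        return 0.0  # no driving pressure difference, nothing escapes
    area = math.pi * (d_orifice / 2.0) ** 2  # A0 in the note
    ratio = p2 / p1
    if ratio <= critical_pressure_ratio(gamma):
        # Choked: the rate no longer depends on the downstream pressure.
        term = (gamma * molar_mass / (R_GAS * t1)) * (2.0 / (gamma + 1.0)) ** ((gamma + 1.0) / (gamma - 1.0))
    else:
        # Subsonic: the rate depends on the actual pressure ratio.
        term = (2.0 * molar_mass / (R_GAS * t1)) * (gamma / (gamma - 1.0)) * (
            ratio ** (2.0 / gamma) - ratio ** ((gamma + 1.0) / gamma))
    return cd * area * p1 * math.sqrt(term)


def note5_release_rate(gauge_pressure_bar=2.0, temp_c=20.0, d_orifice=0.025, cd=0.85):
    """Note 5 scenario: natural gas (taken as methane) at 2 bar gauge, 20 C, 25 mm hole.
    Methane molar mass and ratio of specific heats are assumed values."""
    methane_m = 0.016       # kg/mol, assumed
    methane_gamma = 1.31    # ratio of specific heats, assumed
    p1 = gauge_pressure_bar * 1.0e5 + P_ATM
    return gas_discharge_rate(p1, temp_c + 273.15, P_ATM, d_orifice, methane_m, methane_gamma, cd)


if __name__ == "__main__":
    print(f"flow is choked below p2/p1 = {critical_pressure_ratio(1.31):.3f}")
    print(f"Note 5 release rate (2 bar gauge): {note5_release_rate():.3f} kg/s")
    # Treating 2 bar as absolute instead of gauge removes a third of the driving pressure:
    print(f"same hole at 2 bar absolute:       "
          f"{gas_discharge_rate(2.0e5, 293.15, P_ATM, 0.025, 0.016, 1.31, 0.85):.3f} kg/s")
```

Under those assumptions the Note 5 scenario gives about 0.22 kg/s, in line with the note's 0.21 kg/s; reading 2 bar as absolute pressure drops the rate by roughly a third, which is why the pressure basis and the value of CD should be recorded with every discharge estimate.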


5.8.2 Dispersion Models

Dispersion models are used to estimate concentration/time profiles of flammable or
toxic gases at various distances downwind from the point of release. In some
instances, it may also be necessary to model the dispersion of particulates (e.g.
smoke). The calculation of dispersion is complicated by a number of factors
including the potential for rainout or entrainment of liquid droplets and the potential
for a boiling pool of liquid to form on the ground. For such cases, specialised
modelling software should be used.
Once material has escaped from containment, the extent of a vapour cloud of the
material needs to be estimated. Vapour cloud behaviour is determined by a variety
of factors including:
the density of the gas relative to air;
the rate of release over time;
the orientation of the release (vertical, down, horizontal, etc.);
the amount of air entrainment at the point of release;
wind speed; and
weather stability.
Clouds that are less dense than air tend to rise, limiting the harm they can inflict.
Dense clouds stay at low levels for a considerable distance downwind and may
pose a much greater hazard. Many hazardous substances are either denser than air
(e.g. LPG or chlorine) or behave as if they are much denser due to their low
temperature on release (e.g. LNG or ammonia).
It is also necessary to consider whether the release will be an instantaneous puff, a
continuous plume or a time-varying release, as this will have a significant effect on
the concentration profile over time. Weather conditions such as wind velocity and
stability affect the extent of dilution with air, and the cloud velocity.
5.8.2.1 Toxic Releases
The greatest potential for far field effects on people is generally associated with the
release and dispersion of toxic gas or vapour. However, toxic concentrations in the
air can also result from:
vapours from toxic liquids;
reactions of materials giving off toxic vapours or gases;
the evolution of toxic combustion products or toxic products of thermal
decomposition;
liquid spills entering watercourses or contaminating land and ground water; or
spills of solids (particularly powders and dusts) being blown or washed into
water or onto land.
Complex dispersion models are available to estimate the concentration/time profiles
of airborne toxic material, as discussed in Section 5.8.2.

Note 6: Example Toxic Release Calculation

A vessel containing 5 tonnes of ammonia leaks through a 25 mm valve.
Assumptions:
The ammonia does not ignite. In some concentrations, it is possible for
ammonia to burn.
The wind blows in a constant direction.
The area can be modelled as a flat plain with a constant surface roughness.
This is obviously not correct as the equipment and plant will not be evenly
distributed over the site and off the site upwind. However, to relax this
assumption requires computational fluid modelling which is usually not
warranted for general risk assessments.
Data requirements:
Wind speed and stability (5 m/s and Stability Class C for this example)
Release orientation (horizontal for this example)
Temperature of released ammonia
Release rate of ammonia, based on a 25 mm diameter hole, assumed to
be sharp edged and round
Surface temperature (20°C)
Air temperature (25°C)
The result of this calculation will be a chart showing the maximum concentration
of ammonia as a function of distance downwind. When calculating toxic effects
on people, probits are often used, which calculate the toxic dose, rather than use
concentrations as a surrogate for dose. (See Section 5.8.4.4 for discussion of
probits)
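An added example, not from the advisory paper: a ground-reflected Gaussian plume with the Briggs open-country dispersion coefficients, producing the concentration-versus-distance result that Section 5.8.2 and Note 6 describe, and then the distance to a concentration threshold. The release rate, release height, ammonia molar mass and the 300 ppm threshold are constructed values for illustration only, not published criteria. The model treats the cloud as neutrally buoyant, which is exactly the condition the text says does not hold for cold ammonia; the text warns that dense clouds stay at ground level and can pose a much greater hazard, so a dense-gas model, not this one, is needed for that case.

```python
import math

R_GAS = 8.314  # J/(mol K)

# Briggs open-country (rural) dispersion coefficients, metres, for downwind distance x in metres.
# Assumed from the standard Pasquill-Gifford/Briggs tabulation (roughly valid for 100 m < x < 10 km).
SIGMA_Y_COEFF = {"A": 0.22, "B": 0.16, "C": 0.11, "D": 0.08, "E": 0.06, "F": 0.04}


def sigma_y(x, stability):
    return SIGMA_Y_COEFF[stability] * x / math.sqrt(1.0 + 0.0001 * x)


def sigma_z(x, stability):
    if stability == "A":
        return 0.20 * x
    if stability == "B":
        return 0.12 * x
    if stability == "C":
        return 0.08 * x / math.sqrt(1.0 + 0.0002 * x)
    if stability == "D":
        return 0.06 * x / math.sqrt(1.0 + 0.0015 * x)
    if stability == "E":
        return 0.03 * x / (1.0 + 0.0003 * x)
    if stability == "F":
        return 0.016 * x / (1.0 + 0.0003 * x)
    raise ValueError(f"unknown stability class {stability!r}")


def plume_concentration(q, u, x, y, z, h, stability):
    """Gaussian plume with ground reflection: continuous, neutrally buoyant release.

    q: release rate, kg/s; u: wind speed, m/s; x, y, z: downwind, crosswind, height (m);
    h: release height (m). Returns concentration in kg/m3.
    Not valid for dense clouds (cold ammonia, LPG): see the text above.
    """
    sy, sz = sigma_y(x, stability), sigma_z(x, stability)
    lateral = math.exp(-y * y / (2.0 * sy * sy))
    vertical = math.exp(-(z - h) ** 2 / (2.0 * sz * sz)) + math.exp(-(z + h) ** 2 / (2.0 * sz * sz))
    return q / (2.0 * math.pi * u * sy * sz) * lateral * vertical


def kg_m3_to_ppm(c, molar_mass, t_air=298.15, p=101325.0):
    """Mass concentration (kg/m3) to volume ppm for an ideal gas at the given air temperature."""
    molar_volume = R_GAS * t_air / p  # m3/mol
    return c / molar_mass * molar_volume * 1.0e6


def distance_to_threshold(q, u, h, stability, molar_mass, threshold_ppm, x_max=20000.0, step=1.0):
    """Largest downwind distance (m) at which the ground-level centreline concentration still
    reaches threshold_ppm, or None if it never does. Scans outward rather than bisecting
    because an elevated plume's ground-level concentration rises before it falls."""
    last = None
    x = step
    while x <= x_max:
        if kg_m3_to_ppm(plume_concentration(q, u, x, 0.0, 0.0, h, stability), molar_mass) >= threshold_ppm:
            last = x
        x += step
    return last


if __name__ == "__main__":
    # Constructed scenario loosely following Note 6: ammonia, 5 m/s wind, stability class C.
    q, u, h, m_nh3 = 0.2, 5.0, 1.0, 0.017   # kg/s, m/s, release height m, kg/mol (all assumed)
    for x in (50, 100, 200, 500, 1000):
        ppm = kg_m3_to_ppm(plume_concentration(q, u, x, 0.0, 0.0, h, "C"), m_nh3)
        print(f"{x:5d} m downwind: {ppm:8.1f} ppm")
    # 300 ppm is a constructed illustration threshold; use the published criteria of Note 15 in practice.
    print("distance to 300 ppm:", distance_to_threshold(q, u, h, "C", m_nh3, 300.0), "m")
```

The same functions give the crosswind profile (vary y) and the effect of stability class (compare "C" with "F" at the same distance), which is the sensitivity the Note 6 data list is asking the analyst to record.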

5.8.2.2 Deposition of Particulates

The dispersion of particulate material such as smoke or a powder in an air stream is
difficult to predict. The particulates, if extremely fine, act similarly to a gas or vapour.
Heavier or larger particles will tend to be deposited closer to the source, whereas
very large or heavy particulates will not be entrained into an air stream.


Due to the uncertainty that usually exists about the particle sizes present in accident
situations, the assessment of deposition of particulate materials is usually
undertaken in a qualitative fashion.
If dioxins are produced in specific scenarios, deposition analysis is required in more
detail as the dioxins can deposit on other particulates in the gas stream and thus be
deposited with the other particulates. Ausplume, developed by the Victorian EPA,
does deposition calculations using the dry deposition algorithm adopted by the US
EPA model ISC3 (USEPA, 2002). The US EPA model allows the user to specify
settling velocity categories, mass fractions, and reflection coefficients for sources of
large particulates that experience settling and removal of the pollutant as it is
dispersed and transported downwind. Release of radionuclides into the air can also
require analysis of deposition. There are specific models that have been developed
to estimate the behaviour of radionuclides in air streams, such as PC-Cosyma.

5.8.3 Fire and Explosion Models

Modelling of the consequences of releases of flammable material will require
modelling of both potential fires and explosions.
5.8.3.1 Fires
Industrial facilities may contain a number of sources of ignition such as:
hot surfaces of pipelines or vessels;
electrical equipment;
welding activities;
naked flames; and
static electricity.
If a release of flammable or combustible material is ignited, a fire and/or explosion
will result.
Depending on the physical properties of the hazardous material, the mode of
release and the time of ignition, the types of fires of greatest concern are pool fires,
jet fires, flash fires, fireballs and warehouse fires. These can give rise to high levels
of thermal radiation. In addition, the potential for the evolution of toxic combustion
products or toxic fumes due to thermal decomposition may need to be addressed.
Thermal radiation intensity is determined by factors such as:
the rate and efficiency of burning;
the heat of combustion;
the size and orientation of the flame; and
the fraction of radiation transmitted through the atmosphere.
There are a number of different types of fire that may result from accidents. Brief
descriptions of some of these follow, while Appendix 4 (Appendix 4: Models for
Consequence Analysis) contains references to further information regarding the
nature and effects of various types of fire.

Pool Fires
A pool fire occurs if a flammable or combustible liquid accumulates in a pool on the
ground and vapours caused by evaporation are subsequently ignited. The resultant
fire covers the whole pool area.
The thermal radiation from pool fires tends to attenuate rapidly with distance from
the flame surface, and so thermal effects are relatively localised. There is often
significant potential, however, for escalation to incidents with more severe
consequences, since pool fires can cover large areas and engulf adjoining plant and
equipment. Combustion products from pool fires may be toxic and their dispersion
from the fire may need to be considered.


A variation on pool fires which may need to be considered is fires involving flowing
flammable liquids. In such cases, both thermal radiation and direct involvement in
the fire may result.

Note 7: Example Pool Fire Calculation

Hexane leaking from a tank in a bunded area (7 m x 6 m) is ignited. Pool fire
calculations can be used to estimate the distance from the fire at which conditions are dangerous.
Assumptions:
The entire area of the bund can be modelled as a circular bund with
an area of 42 m².
The pool fire covers the entire bund area.
The quantity of the hexane spilt into the bund is sufficient to cover the
entire bund surface.
The shape of the fire is a tilted cylinder. This is one of the most common
model assumptions.
Data requirements:
Wind speed (5 m/s for this example)
Heat of combustion of hexane
Surface emissivity of hexane fires
Surface temperature (20°C)
Air temperature (25°C)
Air humidity (70%); this affects the heat transmission through the air
Of this data, the heat of combustion, the surface emissivity and the wind strength
are the primary determinants of the result, with the other parameters affecting
the result only slightly.
The result of the pool fire calculation is a chart of heat radiation intensity vs.
distance from the fire. For conservative results, the chart is given for distances
directly downwind.
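An added example, not the paper's own: the simplest fire consequence model, a point source radiating a fixed fraction of the total heat release, applied to the Note 7 hexane bund and then inverted to give the "distance to a specified consequence level" form of result that the introduction to Section 5.8 describes. The burning rate, net heat of combustion and radiative fraction are assumed values; the atmospheric transmissivity defaults to 1, which is the conservative choice. The tilted-cylinder (solid flame) model the note uses handles flame tilt in wind and the near field better; the point-source form is unreliable within a couple of pool radii, which the script flags.

```python
import math


def pool_fire_heat_release(area_m2, burning_rate, heat_of_combustion):
    """Total heat release rate (W) of a pool fire covering area_m2.
    burning_rate: mass burning rate per unit area, kg/(m2 s); heat_of_combustion: J/kg."""
    return area_m2 * burning_rate * heat_of_combustion


def point_source_intensity(q_total, r, radiative_fraction, transmissivity=1.0):
    """Thermal radiation intensity (W/m2) at distance r (m) from a point source that
    radiates radiative_fraction of q_total, attenuated by the atmospheric transmissivity."""
    return transmissivity * radiative_fraction * q_total / (4.0 * math.pi * r * r)


def distance_to_intensity(q_total, level, radiative_fraction, transmissivity=1.0):
    """Distance (m) at which the intensity has fallen to `level` (W/m2): the point-source
    equation inverted, i.e. the 'distance to a specified consequence level' of Section 5.8."""
    return math.sqrt(transmissivity * radiative_fraction * q_total / (4.0 * math.pi * level))


def note7_consequence_distances(levels=(4.5e3, 12.5e3, 37.5e3)):
    """Note 7 scenario: hexane pool fire over a 42 m2 bund. Property values are assumptions."""
    area = 42.0              # m2, from Note 7
    burning_rate = 0.074     # kg/(m2 s), assumed mass burning rate for hexane
    dhc = 44.7e6             # J/kg, assumed net heat of combustion of hexane
    eta = 0.3                # fraction of heat released as radiation, assumed
    q = pool_fire_heat_release(area, burning_rate, dhc)
    return {level: distance_to_intensity(q, level, eta) for level in levels}


if __name__ == "__main__":
    pool_radius = math.sqrt(42.0 / math.pi)  # equivalent circular bund, as Note 7 assumes
    for level, r in note7_consequence_distances().items():
        caveat = "" if r > 2 * pool_radius else "  (within ~2 pool radii: point-source model unreliable)"
        print(f"{level / 1000:5.1f} kW/m2 reached at {r:5.1f} m from the pool centre{caveat}")
```

The intensity levels chosen (4.5, 12.5 and 37.5 kW/m²) are the ones the paper's own fireball chart in Note 10 is drawn for, so the output is directly comparable with the charts the notes describe.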


Jet Fires
A jet fire occurs when a flammable liquid or gas, under some degree of pressure, is
ignited after release, resulting in the formation of a long stable flame. Jet flames can
be very intense and can impose high heat loads on nearby plant and equipment.
Consideration of the potential for jet fires often leads to recommendations regarding
spacing to limit heat radiation incident on critical plant and equipment. Where appropriate
separation is not possible, special protection systems, such as mounding, may be
required.

Note 8: Example Jet Fire Calculation

Natural gas leaking from a vessel is ignited. Jet fire calculations can be used to estimate the
distance from the fire at which conditions are dangerous.
Assumptions:
The shape of the fire is a circular truncated cone. Other models may assume
that the jet fire is ellipsoidal.
Data requirements:
Release rate of methane, as calculated in the example discharge calculation (Note 5)
Wind speed (5 m/s for this example)
Direction of jet (raised at an angle of 45° for this example)
Heat of combustion of methane
Surface emissivity of methane fires
Surface temperature (20°C)
Air temperature (25°C)
Air humidity (70%); this affects the heat transmission through the air
Of this data, the jet orientation, the heat of combustion, the surface emissivity
and the wind speed are the primary determinants of the result, with the other
parameters affecting the result only slightly.
The result of the jet fire calculation is a chart of heat radiation intensity vs. distance
from the fire. For this example, the chart is given for distances directly downwind.

Flash Fires
A flash fire occurs when a cloud of flammable gas mixed with air is ignited. If the
cloud is sufficiently large and sufficiently constrained, it is also possible that the
flame may accelerate to a sufficiently high velocity for a vapour cloud explosion
(VCE) to occur. Though very brief, a flash fire can seriously injure or kill anyone in the
burning cloud. Its effects are confined almost entirely to the area covered by the
burning cloud. Incident propagation, sometimes called domino effects, can occur
through ignition of materials or structures within the cloud, although this is less
likely than from a fire with a longer duration, such as a pool or jet fire.

Note 9: Example Flash Fire Calculation

Natural gas leaking from a vessel is ignited after the gas cloud has fully formed.
Flash fire calculations can be used to estimate the distance from the fire at which conditions are dangerous.
Assumptions:
The wind does not change direction during the scenario
The area can be modelled as a flat plain with a constant surface roughness.
This is obviously not correct as the equipment and plant will not be evenly
distributed over the site and off the site upwind. However, to relax this
assumption requires computational fluid modelling which is usually not
warranted for general risk assessments.
The extent of the flammable gas cloud will be the extent of the flash fire.
In some assessments, conservatism requires that the gas cloud be
considered to extend to half the Lower Flammable Limit to account for
local fluctuations in concentrations.
Data requirements:
Wind speed and stability (5 m/s and Stability Class C for this example)
Release orientation (horizontal for this example)
Flammability limits of methane
Temperature of released methane
Release rate of methane, based on a 150 mm diameter hole, assumed to
be sharp edged and round
Surface temperature (20°C)
Air temperature (25°C)
Of this data, the release rate, release orientation, flammability limits, wind speed
and wind stability are the primary determinants of the result, with the other
parameters affecting the result only slightly.
The result of the flash fire calculation is a plot of the site area that would be
covered by the flash fire.


Note 9: Example Flash Fire Calculation continued

[Figure: plan of the site area covered by the flash fire, showing the cloud extents to the LFL and to 50% LFL.]

Fireballs
Fireballs can occur when large quantities of flammable gases are released suddenly
and ignited, resulting in a rising ball of flame. The thermal radiation intensity at the
surface tends to be very high, and although the duration is short (of the order of
seconds), injurious levels of thermal radiation can be experienced at considerable
distances from the fire. When modelling fireballs, consideration of both the thermal
radiation and the duration is required.

Note 10: Example Fireball Calculation

A vessel containing 5 tonnes of propane suddenly fails with immediate ignition of
the released material.
Assumptions:
The release energy results in very good mixing of the propane with the
surrounding air
The material is not sufficiently constrained to explode rather than burn
Data requirements:
Mass of propane (5 tonnes)
Initial phase and pressure of material (saturated liquid at 10 bar gauge for
this example)
Flame emissivity of propane in a fireball. This is different to the surface
emissivity in a pool fire due to the very high turbulence generated in the
fireball.
Air temperature (25°C)
Air humidity (70%)
The results of the calculation are the maximum extent of heat radiation intensities
from the fireball. However, due to the short lifetime of fireballs (a number of
seconds), a probit analysis is often used to estimate the effects on people (see
Section 5.8.4.1 for discussion of probit analysis).

[Figure: maximum extent of the 4.5 kW/m², 12.5 kW/m² and 37.5 kW/m² heat radiation intensity contours from the fireball.]


BLEVE
Many fireballs are due to the phenomenon known as a boiling liquid expanding vapour
explosion or BLEVE. These mostly involve liquefied flammable gases stored under
pressure.
Most BLEVEs occur due to a storage vessel being subjected to flame impingement
above the liquid level. Hot spots can develop resulting in substantial weakening of the
metal to such an extent that it is no longer capable of containing the internal pressure.
Internal pressures would also typically be higher than usual during such events due to
the high temperatures. The inventory of the vessel when it BLEVEs may be reduced
due to operation of pressure relief valves prior to the vessel rupture.
If the vessel fails, the pressurised contents escape rapidly and expand forming a large
cloud of vapour and entrained liquid. If ignited, a large fireball may result. Casualties can
be due to thermal radiation, blast effects and projectiles. As with modelling of fireballs,
BLEVE modelling requires consideration of both the thermal radiation and the duration.
Warehouse Fires
The possibility of fires in stores containing dangerous goods may need to be considered.
The consequences of such fires are often complex due to the variety of goods that
may be stored in the same building. Of particular concern is the possibility of the
evolution of toxic fumes, although explosions, fire and pollution of the biophysical
environment may also be important. The potential for contaminated firewater runoff
from the site should also be considered. (Such an incident occurred in the Rhine River
following a fire in a pesticide warehouse. The contaminated firewater caused fish kills
and rendered the water unusable for many kilometres downstream.)
The nature of possible consequences needs to be considered carefully with particular
regard given to interactions between the various substances present. Such analysis
will often lead to recommendations for the segregation of incompatible materials.
5.8.3.2 Explosions
The three types of explosions are physical energy, chemical energy and nuclear
energy (not discussed here). Physical energy includes pressurised gases, strain
energy in metals and electrical energy. Chemical energy includes combustion of a
flammable material, detonation of explosives and a runaway chemical reaction.
Explosions cause damage or injury by a pressure wave that is created by rapid
expansion of gases or by projectiles that are thrown from the explosion (see Section
5.8.4.3). The magnitude of the pressure wave is usually expressed in terms of blast
overpressure. However, in order to predict accurately the destructive capacity, it is
necessary to consider the rate of increase/decrease in pressure as the wave passes.
Explosions involving flammable gases are often of particular concern in industrial
facilities. These can occur if a mixture of flammable gas and air within the flammable
range is ignited. The magnitude of overpressure developed from VCEs is strongly
influenced by factors such as:
degree of confinement;
elevation of cloud;
the size of the cloud;
degree of turbulence;
the combustion properties of the gas; and
the location of the ignition source relative to the cloud.
Explosions may also occur as a result of catastrophic rupture of a pressurised vessel.
If a mild steel vessel is pressurised to bursting, the burst pressure will be typically 4
times the design pressure of the vessel. This is the worst case and vessels can
rupture at lower pressures if the temperature is higher, particularly in fire conditions.


Explosions resulting from ignition of dust clouds can cause major damage to
equipment. Detonation of explosive materials such as TNT or ANFO can result in both
overpressure and projectiles. The extent of the damage from such explosions
depends on the type of explosive, the degree of confinement, the mass of explosive
and the elevation.

Note 11: Example Explosion Calculation

A vapour cloud containing 10 tonnes of propane ignites and explodes due to the
degree of confinement in that section of the plant.
Possible models for estimating the consequences:
TNT equivalence model
The explosion of the propane is likened to an explosion of an equivalent quantity of
TNT. For this model the TNT equivalence of the material is required along with the
location of the explosion either on the ground or elevated.
The equation used is:

where HTNT = 4.7 × 10^6 J kg^-1 is the heat of combustion of TNT without air, m is the
mass in the cloud at the time of the explosion, X is the explosion efficiency, and the
ground reflection factor is set to 1 for an air burst and 2 for a ground burst.
Data requirements for TNT model:
Mass of propane (10 tonnes)
TNT equivalent of propane (30% (Lees 1996, p17/145))
Location of explosion at ground level
The output of the calculations is a chart of overpressure as a function of distance
from the centre of the explosion.

3 A mixture of Ammonium Nitrate and Fuel Oil, typically diesel fuel.

Note 12: Other Explosion Models

TNO multi-energy model
This models a vapour cloud explosion using the TNO multi-energy method. There
are four sections to the calculation:
1. Total volume of the cloud. This is calculated by:

where the properties of the fuel are as follows: m is the total mass of
flammable material, Vspecific is the specific volume, and cStoichiometric is the
stoichiometric concentration.
2. The mass of fuel in a given confined volume i is calculated by:

where fconf,i is the fractional confined volume.
The mass of fuel in the remaining unconfined cloud is calculated as:

3. The distance scaling factor is calculated for each volume (confined or
unconfined) using:

where Pa = atmospheric pressure.
4. For each volume (either confined or unconfined) a set of equally spaced
locations are considered, and the overpressure calculated using a look up
table based on the scaled distance to a given point.
The overpressure at any point is then calculated using the sum of the contributions
to the overpressure at that point.

Baker-Strehlow Explosion Modelling
This method uses graphs of:

and as a function of

for nine possible flame speeds, where R is the distance of interest, Timpulse is the
impulse, vsound is the speed of sound, and E is the explosion energy.
To obtain the overpressure and impulse at a given distance, it is necessary to
calculate the value of x for that distance, then use lookup tables (that correspond
to the graphs) to derive an estimate of the value of y and y for each flame speed.
The values of y and y for the actual flame speed are obtained by interpolation,
and then y is converted to an overpressure and y to an impulse.


5.8.4 Effects of Hazardous Incidents

In order to quantify risk, it is necessary to convert the physical consequences of a
hazardous incident into information relating to what effects those consequences
have upon people, property and the environment. This is termed the effect of the
hazardous incident and can be done in a number of ways.
The most easily understood method involves the selection of a particular
consequence level to represent an adverse outcome. For instance, it may be
proposed that a specific thermal radiation level or toxic concentration represents
fatality, in which case any person receiving the specified quantity or greater is
assumed to be killed, whilst those receiving a smaller quantity are assumed to
survive.
However, this method is somewhat limited in that it does not take into account the
varying susceptibility of people. Also, the technique is not applicable in certain
circumstances, especially if one is considering either very long or very short periods
of exposure.
To overcome this, a more sophisticated approach can be adopted, such as a Probit
method which allows the prediction of the probability of an adverse outcome
(usually fatality or injury) given a knowledge of exposure conditions including the
time varying heat radiation level or toxic vapour concentrations. This approach takes
account of the variations in human susceptibility, but also has some limitations and
is more difficult to use. In particular, the data used to derive probit equations is
subject to a degree of uncertainty. Reliable data on the effects on humans is rarely
available, and so data based on experiments on animals is often used, especially for
toxic exposures.

Note 13: Probit Analysis
The range of susceptibility in a population to a harmful consequence can be
expressed mathematically using a criterion in the form of an equation which
expresses the percentage of a defined population which will suffer a defined
level of harm (e.g. fatality) when it is exposed to a specified dangerous load. This
is a Probit equation which has the form:

Where: Y is the probit (or probability measure); a, b and n are constants; C is the
concentration; and T is the exposure time.
A probit of 5 corresponds to a 0.5 probability. A probit of 2.67 corresponds to a
probability of 0.01. A table, as presented in Lees (1996), is used to convert probit
values to probability values.

In making a decision on the most appropriate method, it is essential that the analyst
has a good understanding of the relationships between dose and effects, and that
the limitations are also recognised.


5.8.4.1 Heat Radiation Effects

A large amount of information exists and a number of charts and tables are available
to provide an estimate of the effects of exposure to thermal radiation. Most of these
charts and models refer to exposure of bare skin. The effects can be modified for
the presence of clothing and the benefits of sheltering or evacuation. However, for
most risk assessments, the conservative assumption that people are not at all
protected is made, as it is difficult to justify assumed levels of protection to all
people.
Fire damage estimates for the various types of fires are based upon correlations
with recorded incident radiation flux and damage levels. A table of radiation effects
is included in Appendix 4. For heat radiation effects with a relatively short duration,
such as those associated with fireballs and BLEVEs, thermal radiation Probits, such
as that developed by Eisenberg (1975) may be a more appropriate tool.
5.8.4.2 Explosion Overpressure Effects
Explosion effect models predict the effects of blast overpressure on people and
structures. Explosions are hazardous to people due to blast overpressure, collapsing
buildings and projectiles.
Explosion effects are determined by correlating damage produced with the
overpressure resulting from the explosion. A table of the effects of overpressure
resulting from explosions is also included in Appendix 4.

The effects on people will depend on whether people are located inside or outside
buildings. Generally, people are more susceptible to injury when located inside, as
the buildings can collapse or the windows can be blown in.
5.8.4.3 Projectiles
In addition to overpressure, explosion incidents can also produce a significant hazard
in the form of high momentum projectiles. Their consideration is particularly
important with regard to the potential for incident propagation, and in the prediction
of maximum effect distances, since fragments are often projected well beyond the
thermal radiation or blast overpressure effect zones.
Holden & Reeves (1985) developed estimates of projectile distances from
examining the results of BLEVEs. It is a probabilistic technique for assessing the spread
of fragments, useful for discounting fragment knock-on events during the QRA
process. It provides a guide to types of failure (how many fragments), trajectories,
what differs between bullets and spheres, etc.
However, the analysis is dated and subject to significant uncertainties. In most
instances, the discussion of projectiles ejected from explosions is undertaken in a
qualitative fashion. This would need to be expanded for assessment of an
explosive manufacturing facility or other high explosion potential facilities.
In some facilities, the potential for knock-on or domino incidents following an
explosion could require additional quantitative analysis of the possibility of
projectiles causing an accident to escalate.

5.8.4.4 Toxic Effects
Analysis of the effects of exposure to toxic substances is an extremely complex
science. Toxic substances can affect people in many different ways and the
seriousness of the exposure will be highly dependent on the sensitivity of the
individual and on the duration of the exposure. The analysis of effects on other
species and on ecosystems is even more complex than for humans, and knowledge
is often even more limited.


Effects can range from fatality or injury (e.g. damage to respiratory or nervous system,
emphysema, initiation of a cancer, etc.) to irritation of eyes, throat or skin, through to a
nuisance effect. Effects can also be classified as acute, chronic or delayed. The toxic
effects are frequently specific to conditions at the time of release.
The estimated dose to which an organism is exposed must be translated into an effect.
This should be done using quantitative dose-effect functions relating the level of
exposure to probability of fatality, injury etc. However, these functions are only available
for relatively few chemicals and usually relate to short-term effects of acute exposures.
Detailed information on the long-term effects of acute exposures is very limited.
For non-carcinogenic chemicals, it is generally accepted that adverse effects will arise
only when a threshold value or level of concern is exceeded. However, very little
information on dose-effect relationships is available. Consequence analysis, even in
the absence of detailed dose-effect information for these chemicals, can provide
insight into whether particular threshold values may be exceeded.
There are a number of comprehensive sources of toxicological data that cover a large
range of chemicals. Information on the concentrations of hazardous substances that
can cause serious injury or death has been published in sources such as AIChE
(1988) and Sax and Lewis (1989). Electronic databases are also available, and include:
Immediately Dangerous to Life and Health Documentation: http://www.cdc.gov/niosh/idlh/idlhview.html
International Chemical Safety Cards: http://www.cdc.gov/niosh/ipcsneng/nengsyn.html
Emergency Response Planning Guidelines: http://www.bnl.gov/scapa/.htm

ra
The analysis of toxic material effects is particularly difficult in the case of smoke from
fires, which may involve multiple and uncertain components. It is difficult to assess
what effects such combinations of toxins might have. In such cases, conservative
assumptions about the toxins involved and their concentrations may be appropriate.
A probit approach may be used where information exists for specific substances.
Such an approach enables the number of fatalities/injuries to be estimated through the
consideration of both toxic gas concentration and the duration of exposure. However,
the results need to be used with caution, as probit equations are largely based on data
derived from animal population responses and the extrapolation to human response is
not straightforward (refer to the TNO Green Book for a discussion of this process).

For both human and other species exposures, where data are limited, dose-effect
relationships may be difficult to estimate with any degree of confidence. In such cases,
estimation of the duration of exposure to defined levels of concern, such as the time-weighted
average (TWA), short term exposure limit (STEL), immediately dangerous to life and health
(IDLH) and Emergency Response Planning Guideline (ERPG) values, may be appropriate.

Note 14: Example Probit Equation for Ammonia

There are a number of probit equations that have been developed for estimating
the probability of fatality from exposure to ammonia. For example (DCMR Steering
Committee 1984):
Y = -9.82 + 0.71 ln(C² t)    where C is in ppm and t is in minutes
Using this equation, for a person exposed to 5,000 ppm for 46 minutes, the
probability of fatality is 0.5 (i.e. a probit value of 5). Similarly, if a person is exposed
to 10,000 ppm, the period for a 0.5 probability of fatality drops to 11 minutes.
The probit equation can also be used to estimate the probability of fatality for a person
who is exposed to a changing concentration of a toxic material, such as could
occur if a vessel bursts and a cloud of vapour drifts with the wind.
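The following is an added worked example (not part of the Advisory Paper) that evaluates the ammonia probit equation quoted in Note 14, converts the probit value to a probability of fatality, and inverts it to recover the exposure durations the note gives. It also folds a changing concentration into the same equation by summing the toxic load C² Δt over a piecewise-constant profile; the drifting-cloud profile used at the end is constructed for illustration and is an assumption, not data from the paper.

```python
import math

# Probit equation for ammonia quoted in Note 14 (DCMR Steering Committee 1984):
# Y = -9.82 + 0.71 ln(C^2 t), with C in ppm and t in minutes.
PROBIT_A = -9.82
PROBIT_B = 0.71
PROBIT_N = 2          # exponent on concentration in the toxic load C^n t


def toxic_load(profile):
    """Toxic load sum(C_i^n * dt_i) for a piecewise-constant concentration
    profile given as (ppm, minutes) pairs. A single (C, t) pair reduces to
    C^n t as used in Note 14; the summation is how a changing concentration
    (a drifting cloud) is folded into the same equation (assumed approach)."""
    return sum(c ** PROBIT_N * dt for c, dt in profile)


def probit(profile):
    """Probit value Y for a concentration profile."""
    load = toxic_load(profile)
    if load <= 0:
        return float("-inf")          # no exposure: probability 0 below
    return PROBIT_A + PROBIT_B * math.log(load)


def probability_of_fatality(profile):
    """Convert probit Y to probability: P = Phi(Y - 5), where Phi is the
    standard normal CDF, so Y = 5 corresponds to P = 0.5."""
    y = probit(profile)
    return 0.5 * (1.0 + math.erf((y - 5.0) / math.sqrt(2.0)))


def minutes_for_probability(conc_ppm, p):
    """Exposure duration at a constant concentration that gives probability p
    (inverse of the calculation above)."""
    # Phi^{-1}(p) by bisection on erf, keeping the block dependency-free.
    lo, hi = -10.0, 10.0
    for _ in range(200):
        mid = (lo + hi) / 2
        if 0.5 * (1.0 + math.erf(mid / math.sqrt(2.0))) < p:
            lo = mid
        else:
            hi = mid
    y = 5.0 + (lo + hi) / 2
    load = math.exp((y - PROBIT_A) / PROBIT_B)
    return load / conc_ppm ** PROBIT_N


if __name__ == "__main__":
    print(f"5,000 ppm for 46 min: P = {probability_of_fatality([(5000, 46)]):.3f}")
    print(f"5,000 ppm, P = 0.5 after {minutes_for_probability(5000, 0.5):.1f} min")
    print(f"10,000 ppm, P = 0.5 after {minutes_for_probability(10000, 0.5):.1f} min")
    # Constructed drifting-cloud profile (ppm, minutes): rises, then decays.
    cloud = [(1000, 5), (8000, 10), (3000, 10), (500, 20)]
    print(f"drifting cloud: P = {probability_of_fatality(cloud):.3f}")
```

Because the equation is in C² t, doubling the concentration shortens the time to the same probit by a factor of four, which is why the note's 46 minutes at 5,000 ppm becomes roughly 11 minutes at 10,000 ppm.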


Note 15: Concentration Criteria

TWA (Time-Weighted Average) exposure limits are published by NOHSC (1995).
The values given are normally 8-hour time-weighted averages for a working lifetime.
Shorter exposure period limits are also specified: Short Term Exposure Limit (STEL).
IDLH (Immediately Dangerous to Life and Health) are concentration values published
by NIOSH. They are the maximum airborne concentration of a substance to which
a healthy male worker can be exposed for as long as 30 minutes and still be able to
escape without loss of life or irreversible organ system damage.
ERPGs (Emergency Response Planning Guidelines) are guidance concentrations
determined by the American Industrial Hygiene Association based on the following
descriptors:
ERPG-3 is the maximum airborne concentration below which, it is believed, nearly
all individuals can be exposed for up to 1 hour without experiencing or
developing life threatening health effects.
ERPG-2 is the maximum airborne concentration below which, it is believed, nearly
all individuals can be exposed for up to 1 hour without experiencing or
developing irreversible adverse health effects or symptoms which could
impair an individual's ability to take protective action.
ERPG-1 is the maximum airborne concentration to which nearly all individuals
could be exposed for up to 1 hour without experiencing other than mild
transient health effects or perceiving a clearly defined objectionable
odour.

The analysis of such information will necessarily be qualitative due to the lack of
knowledge. Such assessments must provide details of the consequence estimation
process and the description of the response of the environment to the estimated
consequences. In many cases it will be possible to use very conservative data to
show that the consequences of an accident are minor. Where the consequences are
not obviously minor, sufficient details must be provided to enable the reader to follow
all the reasoning of the assessment.

5.8.5 Consequences and Effects of Releases to the Biophysical Environment

Risk to the biophysical environment includes damage to flora and fauna, as well as
indirect risks to humans, for example through materials entering the human food chain
(e.g. deposition onto home grown crops) or contaminating soil, groundwater or
surface waters used for drinking or swimming. The overall approach to estimating risk
to the biophysical environment is the same as that for estimating risk to human safety
and, as far as possible, an analysis of the consequences (including magnitude and
effects) of hazardous material releases to the biophysical environment should be
included. However, both in terms of material concentrations (Refer to Section 5.8.5.1)
and the effects on particular species and ecosystems (Refer to Section 5.8.5.2), full
quantification may not be possible or warranted in all cases. It is recognised that in-depth
or quantitative approaches are not always possible with environmental risks due
to the limited availability of environmental data.
It is important to recognise that the types of environmental accidents that need to be
considered are those that have the potential to cause severe, widespread, long-term
or even permanent damage to ecosystems. An occurrence is interpreted by
PlanningNSW to have constituted serious danger or harm to the environment if it
results in one or more of the effects listed below:


permanent or long-term damage to terrestrial habitats:
  0.5 ha or more of a habitat of environmental or conservation importance
  protected by legislation;
  10 or more hectares of more widespread habitat, including agricultural land.
significant or long-term damage to fresh water and marine habitats:
  10 km or more of river or canal;
  1 ha or more of lake or pond;
  2 ha or more of delta; and/or,
  2 ha or more of a coastline or open sea.
significant damage to aquifer or underground water:
  1 ha or more.
Typical accident scenarios that may potentially lead to serious damage or harm to the
environment include:
Fires that lead to effects from smoke plumes and/or fire fighting water run-off;
Off-site releases of liquid or entrained solid materials from spills or discharges; and
Release of toxic gases or dust clouds that extend off site.
Predicting an ecosystem's response to a toxic material is difficult because of the large
number of dependent and independent variables constituting and inherent to a natural
ecosystem. These include population-level factors such as density, immigration,
growth and mortality, and community-level factors such as diversity, relative
dominance and distribution. There are ways, however, to simplify the complex
structure of an ecosystem. For example, determination and analysis of key species
may facilitate prediction of the effect of the toxic material/s on dependent species
(Refer to Section 5.8.5.2). In addition, knowledge of the physico-chemical parameters of
the toxic material/s may make an analysis of fate and transport possible.
Nevertheless, ecosystem-level analysis is an inherently complex undertaking.
Various models can be used to evaluate ecosystem risk. These include models of fate,
transport, exposure and effects, as well as integrative models. However, the
applicability of the models is usually restricted to specific conditions and, in many
cases, the quantification by models of the transport and fate of some contaminants in
the environment is not yet possible. A review of available models is given in Pastorok
et al. (2001). The understanding of these matters is, however, developing rapidly and
reference should be made to the relevant scientific literature when undertaking an
analysis of risk to the biophysical environment.
Other ecosystem models focus on population density, food chains, bioenergetics and
toxico-kinetics. The diverse models for both individual species and population groups
have advantages and disadvantages that must be defined and tailored to meet specific
circumstances. It is essential to use an orderly and justifiable approach in developing
and selecting an appropriate ecosystem model. Refining and improving available
models are critical aspects of developing precise models for each particular situation
in nature. Models should not be used for situations where they have questionable
validity, or to predict effects for conditions appreciably different from those for which
the models were originally developed.
The example approach described below in Sections 5.8.5.1-5.8.5.2 (and Figure 8) has
been adapted from PlanningNSW's Best Practice Guidelines for Contaminated Water
Retention and Treatment Systems, and the UK HSE's Guidance on the Environmental
Risk Assessment Aspects of COMAH Safety (1999a) and Guidance on Interpretation
of Major Accident to the Environment (MATTE) for the Purposes of the COMAH
Regulations (1999b).


Figure 8: Example Flowchart for Management of Risk to the Biophysical Environment
[Flowchart; only the box titles survive extraction. The boxes, in order, are:]
Identify material/s and representative accident scenarios.
(Re-)estimate concentration/s of material/s released to the biophysical environment:
  quantity of material/s released at source; pathway analysis; physical and chemical
  properties of released materials; physical and chemical characteristics of the
  receiving environment; estimate representative concentration profile/s.
Analyse effects upon all relevant receptor/s: identify relevant receptors; determine
  criteria concentration/s for all relevant receptor/s; do concentrations exceed the
  criteria? (No / Yes). If yes: assess attributes of the receiving environment and analyse
  effects (e.g. area affected and recovery time), including indirect effects upon humans.
(Re-)estimate likelihood: likelihood of leak/spill/fire; system availability/reliability;
  intensity-frequency-duration of rain; etc.
Estimate risk/s. Determine acceptable risk criteria. Risk/s acceptable? (No / Yes).
  If no: develop an action plan to mitigate risk and reassess risk after implementation
  of the risk control measure/s.
  If yes: identify critical control measures (including performance indicators/standards
  and critical operating parameters) and ensure all critical control measures are
  integrated into the Safety Management System.
Document the entire process and outcomes. Maintain control measures through safety
  management systems (Refer to MIHAP No. 4) and monitor performance (Refer to
  MIHAP No. 11). Repeat the assessment process at appropriate intervals.


Note 16: Other Screening Techniques: Two Examples of Hazard Index Approaches
Hazard indices are commonly used as screening tools to assist with determining the level and extent of a risk
assessment (Refer to Section 5.3). Two examples of hazard indices specifically developed for screening releases
to the aquatic environment are provided below.
Where an Operator intends to use these, or other hazard index, approaches as screening techniques, it must be
demonstrated that they are consistent with the definition of a major accident (i.e. including the interpretation of
serious danger or harm) to the biophysical environment.
Example 1: The Ecological Harm Measure (EHM) [Haddad, Mullins, Maltz, Ecological Risk Assessment and the
Planning Process].
(EHM)i = [((PEL)i x (XOI)i) / ((EQL)i x (XOI)i(ref))] x [(EFV)i / (EEV)] x 100
Where:
(EHM)i = Ecological Harm Measure for chemical (i). The EHM is a derived measure of
ecological harm analogous to the consequence magnitude derived in a QRA. In its
simplest form, this quotient includes components to represent the predicted
ecological level of the contaminant (e.g. concentration) and the ecological quality
level for that contaminant (e.g. regulatory or other acceptable levels), the magnitude
of the impact, and socio-economic factors such as values and foregone values of
the ecosystem.
(PEL)i = Predicted ecological level for chemical (i).
(XOI)i = Extent of impact for chemical (i).
(EQL)i = Ecological quality level for chemical (i).
(XOI)i(ref) = Extent of impact used as a reference.
(EFV)i = Ecosystem foregone value for chemical (i).
(EEV) = Ecosystem existing value.
A factor of 100 is applied to normalise the EHM value and bring it close to 1 for major environmental accidents
(assuming foregone benefits of 10%, extent of impact of 10% and PEL = EQL).
Example 2: The Environmental Hazard Index (HI) [Suarez, Kirchsteiger, 1998, A Qualitative Model to Evaluate the
Risk Potential of Major Hazardous Industrial Plants].
HI = Am x Tox x (Sol/Vol + Con + BD + BA)
Where:
HI = Hazard Index
Am = Amount stored or transported (tonnes)
Tox = Acute toxicity score:
  Acute toxicity    LC50                    Score
  High              Less than 100 mg/kg     1
  Low               More than 100 mg/kg     0
Sol = Water solubility score:
  Water solubility (ppm)      Score
  More than 10,000            3
  Between 100 and 10,000      2
  Less than 100               1
Vol = Volatility (vapour pressure) score:
  Volatility (mm Hg)          Score
  More than 78                3
  Between 25 and 78           2
  Less than 25                1
Con = Consistency (or viscosity) score
BD = Biodegradation score:
  Persistence in the environment    Score
  Very persistent                   4
  Persistent                        3
  Slowly persistent                 2
  Moderately persistent             1
  Readily persistent                1
BA = Bioaccumulation score:
  BCF              Log Pow            Score
  >4000            <6                 7
  1000-3999        5 to 5.9           3
  700-3999         4.5 to 4.99        2
  300-699          4 to 4.99          1
  Less than 300    Less than 4.00     0
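The two indices in Note 16 are straightforward to evaluate once the scoring tables are encoded, which is what this added example does (it is not code from the Advisory Paper or from the cited authors). The EHM function reproduces the note's normalisation check (PEL = EQL, 10% extent of impact, 10% foregone value gives EHM = 1). For the HI, the toxicity, solubility, volatility and biodegradation tables are taken from the note; the consistency (Con) and bioaccumulation (BA) scores are passed in by the caller, because the note gives no table for Con and its BA bands as printed overlap. Band edges (e.g. exactly 100 ppm) fall in the "between" band by assumption.

```python
def ecological_harm_measure(pel, eql, xoi, xoi_ref, efv, eev):
    """(EHM)i = [(PEL x XOI) / (EQL x XOI_ref)] x (EFV / EEV) x 100.

    pel, eql      predicted and acceptable ecological level (same units, e.g. mg/L)
    xoi, xoi_ref  extent of impact and the reference extent (same units, e.g. km)
    efv, eev      ecosystem foregone value and existing value (same units)
    """
    if eql <= 0 or xoi_ref <= 0 or eev <= 0:
        raise ValueError("reference quantities must be positive")
    return (pel * xoi) / (eql * xoi_ref) * (efv / eev) * 100.0


def toxicity_score(lc50_mg_per_kg):
    # High acute toxicity (LC50 below 100 mg/kg) scores 1, otherwise 0,
    # so a low-toxicity substance gives HI = 0 regardless of the other terms.
    return 1 if lc50_mg_per_kg < 100 else 0


def solubility_score(solubility_ppm):
    if solubility_ppm > 10_000:
        return 3
    if solubility_ppm >= 100:      # "between 100 and 10,000" (edge assumed inclusive)
        return 2
    return 1


def volatility_score(vapour_pressure_mmhg):
    if vapour_pressure_mmhg > 78:
        return 3
    if vapour_pressure_mmhg >= 25:  # "between 25 and 78" (edge assumed inclusive)
        return 2
    return 1


# Persistence descriptors and scores exactly as printed in the note.
BIODEGRADATION_SCORE = {
    "very persistent": 4,
    "persistent": 3,
    "slowly persistent": 2,
    "moderately persistent": 1,
    "readily persistent": 1,
}


def hazard_index(amount_tonnes, lc50_mg_per_kg, solubility_ppm,
                 vapour_pressure_mmhg, persistence, con_score, ba_score):
    """HI = Am x Tox x (Sol/Vol + Con + BD + BA), Con and BA supplied by caller."""
    tox = toxicity_score(lc50_mg_per_kg)
    sol = solubility_score(solubility_ppm)
    vol = volatility_score(vapour_pressure_mmhg)
    bd = BIODEGRADATION_SCORE[persistence.lower()]
    return amount_tonnes * tox * (sol / vol + con_score + bd + ba_score)


if __name__ == "__main__":
    # The note's normalisation case: PEL = EQL, 10% extent, 10% foregone value.
    print("EHM normalisation case:",
          ecological_harm_measure(pel=1.0, eql=1.0, xoi=1.0, xoi_ref=10.0,
                                  efv=10.0, eev=100.0))
    # Constructed substance: 50 t stored, LC50 50 mg/kg, highly soluble and
    # volatile, persistent, with assumed Con = 1 and BA = 2.
    print("HI:", hazard_index(50, 50, 20_000, 100, "persistent", 1, 2))
```

Note that both indices are screening measures only: as the note says, an Operator using them must still show that the screening outcome is consistent with the definition of serious danger or harm to the biophysical environment.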

5.8.5.1 Concentration/s of Toxic Material/s in the Biophysical Environment

The effects on the biophysical environment (Refer to Section 5.8.5.2), as well as the
indirect effects on people, are directly related to the resulting concentration profile of
toxic material/s in each environmental compartment (i.e. air, water and/or soil). These
concentration profiles depend on the:
Quantity (and possibly the rate) of material/s released at the source;
Pathways by which the material/s may travel from the source of release to each
relevant receptor;
Physical and chemical properties of the material/s released (e.g. density, solubility,
degradation rate); and
Physical and chemical properties of the receiving environment (e.g. volume of
water body, soil permeability).
lta

Quantity of Material/s Released at the Source

For each representative accident scenario identified with the potential to cause
serious danger or harm to the biophysical environment, the quantity of toxic material
that may be released at the source (and possibly the rate of release) should be
estimated. This may require the use of discharge models (Refer to Section 5.8.1) for a
discrete set of representative release cases (for example, pipework failures could
occur with leak sizes varying from pin-hole leaks to full bore ruptures; it is usual to
select a limited number of hole sizes to represent the full range).
In some cases, a mixture of chemicals may be released. Such a situation might arise
as the result of an uncontrolled reaction (as occurred at Seveso in 1976; refer to
Appendix 2), or a fire (e.g. as fumes/particulates and/or in contaminated fire fighting
water). In these cases, there may be a need to select a representative mixture (or
mixtures) for further analysis. Such an approach should consider the presence of
combustion or reaction products, including those not normally present in the process,
and any other materials mobilised during the accident (e.g. non-combustible materials
present in a fire that subsequently contaminate fire fighting water). Although the
materials produced in a fire or reaction should be readily identifiable, it is recognised
that there will generally be some uncertainty concerning the quantities produced (and
estimates should err on the side of conservatism).


Note 17: Example Approaches for Chemical Mixtures

Two relatively simple approaches are proposed in Guidance on the Environmental
Risk Assessment Aspects of COMAH Safety (1999a) for chemical mixtures:
Instead of trying to consider the full mixture of chemicals, choose a suitable
representative marker as an indicator of environmental effects. The
precautionary principle should govern the selection of the marker.
Review information on accidents to see what the effects have been and
where they occurred. Use this information to identify any similarities with
the situation of concern which may enable a judgement to be made on its
likely effects.
The results from adopting either of the above approaches will be subject to
uncertainty and the assessor should ensure that this is properly recognised in making
any decisions concerning the predicted risks.
There will be some circumstances in which the use of a marker as a surrogate for
the full suite of chemicals is not suitable. For example, judging the effect of particular
isomers on the basis of information on effects from that species of compounds is
unlikely to be justifiable. Interactions between chemicals may also result in markedly
different overall environmental effects from those associated with single chemical
releases. It is therefore important explicitly to consider possible antagonistic or
synergistic effects of mixtures of chemicals on the environment.

Pathway Analysis

For each representative accident scenario identified with the potential to cause
serious danger or harm to the biophysical environment, the pathway/s (both on- and
off-site) whereby the toxic material/s can travel from the source of release to each
relevant receptor (e.g. humans, fauna, flora) should be identified. The pathway
analysis is an input to both the consequence analysis (i.e. in estimating the quantity of
material that is released via each pathway) and the likelihood analysis (i.e. in
estimating the likelihood of release via each pathway).
For airborne materials (gases/vapours and particulates), a discussion of dispersion and
deposition modelling is included in Section 5.8.2.1 and Section 5.8.2.2, respectively.
For waterborne materials (e.g. contaminated fire fighting water, spillages of solids and
liquids with subsequent wash-down by rain, releases due to inundation of the site
from local or broad area flooding, etc.) and liquid spillages, an estimate of the
concentration profile in the receiving waters will need to consider issues such as
physical dispersion (e.g. dilution at the source and/or receptor), physical losses (to
other environmental compartments) and degradation of the material/s (see Physical
and Chemical Properties of Released Material/s below). In this case, the pathway
analysis should consider (HSE, 1999a and PlanningNSW, 1994):
Secondary containment design, position, capacity, condition;
Procedures and equipment for removing spillages, storm water or fire
fighting water from bunds, sumps, etc.;
Flow of spilled material across surfaces (e.g. sealed roads, etc.) and their condition;
Distances between sources and pathways;
Site layout and drainage, capacity and condition of drains, etc.;
Barriers, e.g. interceptors and sumps;
Geographical/geological/hydro-geological features that may impede/facilitate
material escape;
Effects of varying weather conditions (e.g. intensity, frequency and duration of
rain);
Rate of application, and total volume, of fire fighting water;
Locations of pumps, valves, pipework, etc.;
Availability of treatment plants (on- and/or off-site) and their suitability and
treatment capacity; and
Volumes of process and waste waters handled and stored on site.

Note 18: Pathway Analysis: A Simplified Example

A 20 m³ tank is located in a bunded area with a retention capacity of 22 m³. Two
representative credible release scenarios have been identified: (i) a minor leak/
overflow of up to 2 m³; and, (ii) loss of the entire tank contents. Rainfall data and
procedures for removal of storm water from the bund indicate that 5 m³ of storm
water is present 20% of the time and that there is a 0.01 probability of the operator
leaving the bund drain valve open. Any material that escapes the bund is assumed
to be discharged directly into a nearby river via a concrete lined channel (i.e. in this
simplified example, none of the released material is assumed to enter other
environmental compartments such as the air, soil or groundwater).
In determining the concentrations of materials in the nearby river, a range of
scenarios might be considered. Initially, the concentration profile and effects might
be evaluated for the worst case scenario (viz. loss of the entire tank contents via
the open bund drain valve and concrete channel). If this is found to have the potential
to cause serious danger or harm, then other combinations of spill/leak scenario
and pathway should be evaluated, such as:
Overflow of bund due to presence of storm water and loss of entire tank
contents (3 m³ release of aqueous mixture).
Minor leak/overflow and release to river via open bund drain valve (2 m³
release).
Even in this simplified example, it is clear that probabilistic techniques, such as
event tree analysis, can be extremely useful for determining the potential
combinations of spill/leak scenario and pathway. Refer to PlanningNSW's Best
Practice Guidelines for Contaminated Water Retention and Treatment Systems for
further information. Example event trees for an on-site, and off-site, pathway analysis
are also included in the UK HSE's Guidance on the Environmental Risk Assessment
Aspects of COMAH Safety (1999a).
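The event tree that Note 18 alludes to can be enumerated directly. The following is an added example (not part of the Advisory Paper or of the referenced HSE or PlanningNSW guidance) that takes the note's figures (22 m³ bund, 5 m³ of storm water present 20% of the time, 0.01 probability of an open drain valve) and, for each release scenario, lists the four storm-water/valve-state branches with their conditional probability and the volume reaching the river. The two per-year scenario frequencies in the usage section are placeholders, since the note gives none.

```python
# Bund and pathway parameters from Note 18.
BUND_CAPACITY_M3 = 22.0
STORM_WATER_M3 = 5.0
P_STORM_WATER_PRESENT = 0.20
P_DRAIN_VALVE_OPEN = 0.01


def volume_to_river(released_m3, storm_water_present, valve_open):
    """Volume (m3) reaching the river for one branch of the tree.

    With the drain valve open, everything in the bund (spill plus any storm
    water) drains to the river via the concrete channel. With it closed, only
    the volume in excess of the bund capacity escapes as overflow.
    """
    in_bund = released_m3 + (STORM_WATER_M3 if storm_water_present else 0.0)
    if valve_open:
        return in_bund
    return max(0.0, in_bund - BUND_CAPACITY_M3)


def event_tree(released_m3):
    """Enumerate the four branches (storm water x valve state) for a spill of
    released_m3, as (description, conditional probability, m3 to river)."""
    branches = []
    for storm in (True, False):
        p_storm = P_STORM_WATER_PRESENT if storm else 1.0 - P_STORM_WATER_PRESENT
        for valve_open in (True, False):
            p_valve = P_DRAIN_VALVE_OPEN if valve_open else 1.0 - P_DRAIN_VALVE_OPEN
            desc = (f"{'storm water present' if storm else 'bund dry'}, "
                    f"{'drain valve open' if valve_open else 'drain valve closed'}")
            branches.append((desc, p_storm * p_valve,
                             volume_to_river(released_m3, storm, valve_open)))
    return branches


def probability_of_river_release(released_m3):
    """Conditional probability, given the spill, that any material reaches the river."""
    return sum(p for _, p, v in event_tree(released_m3) if v > 0)


if __name__ == "__main__":
    # Placeholder scenario frequencies per year (constructed, not from the note).
    scenarios = {"minor leak/overflow (2 m3)": (2.0, 1e-1),
                 "loss of entire tank contents (20 m3)": (20.0, 1e-3)}
    for name, (vol, freq_per_year) in scenarios.items():
        print(name)
        for desc, p, to_river in event_tree(vol):
            print(f"  {desc:42s} P={p:.4f}  to river: {to_river:5.1f} m3  "
                  f"freq={freq_per_year * p:.2e}/yr")
        print(f"  P(any release to river | spill) = "
              f"{probability_of_river_release(vol):.3f}")
```

The tree reproduces the note's two secondary cases: the 3 m³ overflow when the full contents meet 5 m³ of storm water with the valve closed, and the 2 m³ release when the minor leak coincides with an open valve. It also shows why the drain valve procedure is a critical control measure: for the minor leak, every branch that reaches the river passes through the open-valve state.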

Physical and Chemical Properties of Released Material/s

Physical and chemical properties of the toxic material/s, such as solubility in water and
density, may be important for the pathway analysis and estimation of the
concentration profiles. The degradation of the toxic material/s through exposure to
light, oxidation, reduction or biochemical processes may also be important when
considering the ecosystem's recovery time (Refer to Section 5.8.5.2).

Physical and Chemical Characteristics of the Receiving Environment

The potential for serious danger or harm from releases to the biophysical
environment is dependent on the physical and chemical characteristics of the
receiving environment (e.g. surface waters, groundwater, soil, etc.), as much as the
nature and quantity of the materials received.
For a release into a water body, the capacity to absorb and dilute the toxic material
load is an important factor. The relevant physical and chemical characteristics include:
the volume of the water body; rates of flow in streams and currents (which may vary
depending on weather conditions); extent of mixing and of tidal flushing (if relevant);
the buffering capacity of the water; and, absorptive/adsorptive capacities
(groundwater). The depth of the waters and seasonal weather patterns (e.g. drought)
may be significant in some cases. These characteristics will influence the
concentrations of the toxic material/s in the receiving waters and the durations over
which such concentrations, and hence exposure of organisms to the material/s, are
maintained.
For a release into the soil, physical properties such as soil permeability, organic carbon
content and depth of the groundwater table are important.
5.8.5.2 Effects on the Biophysical Environment
Understanding the effects on the environment of a major accident requires
consideration of the:
range of species present and their vulnerability/sensitivity to the toxic material/s;
extent of the area affected; and
resilience and resistance of the ecosystem. Factors that affect the recovery of an
ecosystem from environmental stress include:
  the severity of the stress;
  reversibility of effects;
  rate of effectiveness of stress removal;
  frequency and duration of ecosystem disturbance;
  resilience of the ecosystem's structure and function;
  extent of alteration;
  compensatory interaction of multiple species;
  kinetic balance of the system;
  complexity of the system;
  temporal and spatial variability;
  availability of regenerating units; and
  rate of re-establishment of the biological and physical habitat.
Each of these factors (viz. sensitivity/area/duration) is evident in PlanningNSW's
definition of serious danger or harm to the environment. These factors are also
evident in the consequence categories commonly used in risk matrices. For example,
the following consequence categories were developed for the example risk matrix in
Section 5.4 (Refer to MIHAP No. 2):

Consequence Category    Description
Catastrophic            Extensive, persistent or irreversible damage to ecosystem function.
Major                   Widespread moderate-long term ecosystem damage.
Severe                  Short term damage impairing local ecosystem.
Minor                   Minor biological effects across limited area on site.
Insignificant           On-site release immediately contained and readily cleaned up
                        with on-site or locally available technology.


Similarly, Wright (1993) has proposed the following consequence categories (Refer to
Appendix 3 for additional examples):

Consequence Category    Description
Catastrophic            Irreversible alteration to one or more eco-systems or several
                        component levels. Effects can be transmitted, can accumulate.
                        Loss of sustainability of most resources. Life cycle of species
                        impaired. No recovery. Area affected 100 km².
Very Serious            Alteration to one or more eco-systems or component levels, but
                        not irreversible. Effects can be transmitted, can accumulate.
                        Loss of sustainability of selected resources. Recovery in 50
                        years. Area affected 50 km².
Serious                 Alteration/disturbance of a component of an ecosystem. Effects
                        not transmitted, not accumulating or impairment. Loss of
                        resources but sustainability unaffected. Recovery in 10 years.
Moderate                Temporary alteration or disturbance beyond natural viability.
                        Effects confined < 5000 m², not accumulating or impairment.
                        Loss of resources but sustainability unaffected. Recovery
                        temporarily affected. Recovery < 5 years.
Not Detectable          Alteration or disturbance within natural viability. Effects not
                        transmitted, not accumulating. Resources not impaired.

As with human toxins, the analysis of effects may be appropriately focused on a
comparison of the estimated concentration-time profile in the air, water or soil (Refer
to Section 5.8.5.1) against threshold or criteria values (e.g. LC50 data, critical loads,
dose-response relationships, no observable effect levels, etc.) that are applicable to
the range of species present. Previous accidents might also provide some insight into
the effects of a release to the biophysical environment.
Species and ecosystems have different susceptibilities to different chemicals. When
judging the importance of a particular chemical concentration in the environment it is
necessary to consider more than one species to obtain an appreciation of the overall
environmental impact. The data used, including the species chosen, should be
justified.
In many situations it will be possible to eliminate some scenarios of release incidents
because the concentrations in the environment can be shown to be too low to cause
serious danger or harm. This may be done by comparing predicted environmental
concentrations with concentrations associated with particular effects. For example, if
the predicted environmental concentrations are found to be less than concentration
criteria which are based on continuous exposures to pollutants over long time periods,
then the postulated accident scenario is probably not a major accident.
Typically, reference values of contaminant concentrations, such as LC50, the Lethal
Concentration to 50% of the target population of the specific organism, are used to
determine the area of effect when estimating environmental risks. However, it is also
important to evaluate other potentially damaging effects such as the effect of
changing Biological Oxygen Demand (BOD), increasing/decreasing pH, etc.


Cumulative and synergistic effects of toxic material/s from various sources may
need to be considered when analysing the potential effects. The existing condition
of the receiving environment may also be a relevant consideration. Existing
degradation may make the system more vulnerable to impact (i.e. effects may be
observed at lower concentrations), whilst on the other hand, the immediate effects
may not be as severe if extensive damage has already occurred in the past.
The Australian and New Zealand Environment and Conservation Council (ANZECC)
has published Australian and New Zealand Guidelines for Fresh and Marine Water
Quality (2000). The primary objective of these guidelines is: To provide an
authoritative guide for setting water quality objectives required to sustain current, or
likely future, environmental values [uses] for natural and semi-natural water
resources in Australia and New Zealand. These guidelines, which provide an
understanding of effects, offer guidance on sediment quality, and contain detailed
advice on water monitoring and assessment, also include trigger values:
If concentrations of contaminants are below the specified trigger values: there is
unlikely to be any concern;
If the concentrations are above the trigger values: the guidelines show how site-specific
criteria can be developed; and
If the concentrations are above the site-specific criteria: the guidelines
recommend that alternative management options be considered.
Although these guidelines are aimed at ensuring that water quality is maintained for
fishery and agricultural purposes, rather than avoiding significant harm from a major
accident, the provision of concentrations for various contaminants provides some
data on levels of concern.
Other sources of threshold or criteria values include, for example, material safety
data sheets, reference books on dangerous substances (e.g. Sax, 1989), and
databases such as IRIS (Integrated Risk Information System), CHRIS (Chemical
Hazard Response Information System), HSDB (Hazardous Substances Data Bank), etc.
When factoring the recovery rate into the analysis, a distinction should be drawn
between natural unassisted recovery and assisted recovery (e.g. if response plans
include clean-up and restoration procedures).

5.8.6 Results of Consequence Analysis

Consequence analysis results can be used in a number of ways. Firstly, they provide
an extension of the Hazard Identification process, in that they lead to a better
understanding of the potential hazards at the facility.
Secondly, consequence analysis may lead to recommendations for the elimination
of hazards or the reduction of consequences. It may also lead to the conclusion that
the likelihood of particular events should be minimised due to their severity.
Opportunities should always be taken where there are technically feasible
alternatives that will not adversely affect the economic viability of the project. This is
the basis of reducing risk to As Low As Reasonably Practicable (ALARP).
Depending on the purpose of the Risk Assessment, these recommendations may
cover issues such as:
the choice of the location of the facility;
the technology in use;
plant layout;
vessel design and operating conditions;
the use of alternative, less hazardous materials; and
reduction of inventories.


Consequence analysis should provide an indication of the potential for accident
propagation following an accident, and should indicate whether there is adequate
separation between major vessels and critical plant areas. The capacity and adequacy
of mitigating control measures may also be addressed. The consequence analysis may
then be repeated to estimate the effect of the implementation of the
recommendations.
The results of the consequence analysis should also be used as inputs into other
safety studies being prepared for the site. For instance, the consequence analysis
should identify incident scenarios where an emergency response is required and
consider whether emergency plans provide protection to people both off-site and on-site,
and to the biophysical environment. Fire system design should also draw on the
consequence analysis, including analysis of contaminated fire fighting water run-off
and containment.
Any event trees developed as part of the hazard identification and consequence
analysis processes may also be used for subsequent parts of the study. They form an
essential basis for the analysis of likelihood and estimation of risk.

5.9 Likelihood Analysis

Likelihood analysis complements the consequence analysis and both are used in the estimation of risk levels for any facility. Likelihood analysis can use site historical data, generic failure rate data, fault trees, event trees, workshops, Delphi techniques, assessment of human failures, and reliability and availability estimates. These techniques are discussed in this section, along with their advantages and disadvantages.
A prerequisite for the analysis of the likelihood of hazardous incidents and their effects is a proper understanding of the terms probability, likelihood and frequency.
Definitions
A probability is dimensionless and represents the chance of something occurring. No time period is specified. For example, given that a flammable release has occurred, one may be interested in the probability of ignition. Wherever a number of mutually exclusive outcomes are possible, the sum of the probabilities of those outcomes must equal one.
A likelihood is an expression of the chance of something occurring in the future. It must be expressed in terms of a specific time period. For example, it might be estimated that the likelihood of catastrophic vessel failure is one chance in a million per year (or 1 x 10^-6 per year). The selection of the time period is arbitrary, but likelihoods are most often expressed per year or per hour of operation.
Frequency is similar to likelihood, but refers to historical data on actual occurrences. For instance, incident records may indicate that the frequency of failure of a particular item of equipment was twice per year. Failure frequency data are often used as the basis for predicting the likelihood of similar occurrences in the future.

Logic Models
The likelihood of particular outcomes of hazardous incidents can be estimated using
specific experience of the hazardous incident frequency. However, as the frequency of
many high consequence accidents is very low, the historical data is unreliable or
sparse. In this situation, logic models are required to estimate the likelihood of specific
incidents. The most well known logic models are fault trees and event trees.
Logic models have some advantages over the use of historical data as they allow for the consideration of:
specific operating conditions
organisational factors
maintenance programs
operator capabilities
manual/automatic intervention systems
other technical, organisational and operational safety controls
Event Trees
An event tree starts with a single incident (e.g. release of LPG from a pipe) and the
subsequent event sequence possibilities are represented by branching of the tree, leading
to a number of possible final outcomes (e.g. pool fire, jet fire, flash fire, BLEVE, etc).
Any point in the event tree can be characterised by a particular consequence and an
associated likelihood. Hence, event trees are important for both consequence and
frequency analysis. To obtain likelihoods within the tree, conditional probabilities need
to be determined wherever branching occurs. These probabilities may be available
directly, or they may need to be estimated using an analytical method such as a fault
tree.
As an example, to estimate the likelihood of a release of LPG leading to a flash fire, the analyst may have to estimate:
the frequency or likelihood of a pipe containing LPG failing,
the probability of protection systems failing and thus allowing a sizeable quantity of LPG to be released,
the probability of an ignition source being present in the vapour cloud.

Subsequent to the release, other factors that may need to be determined in order to estimate the likelihood of the various outcomes are meteorological condition probabilities, ignition probabilities for releases in various directions, and the probability of explosion upon ignition, rather than a flash fire.
Figure 9: Example Event Tree

Branching questions, left to right: Gas detectors trigger automatic isolation? / Operator isolates manually? / Early ignition? / Delayed ignition? (Note: for simplicity, probabilities are not shown.)

Release of flammable gas
  Gas detectors trigger automatic isolation: Yes
    Delayed ignition: Yes -> Flash fire
    Delayed ignition: No  -> Safe dispersal
  Gas detectors trigger automatic isolation: No
    Operator isolates manually: Yes
      Delayed ignition: Yes -> Flash fire
      Delayed ignition: No  -> Safe dispersal
    Operator isolates manually: No
      Early ignition: Yes -> Jet fire
      Early ignition: No
        Delayed ignition: Yes -> Flash & jet fire
        Delayed ignition: No  -> Safe dispersal

Fault Trees
One of the most commonly used logic models for the estimation of the likelihood of
a hazardous incident is fault tree analysis.
Fault trees use logic similar to that of event tree analysis. However, the starting
point is the top event of interest and the analyst works down in order to identify the
sequences of events required to produce that final event. The technique is useful
both for the quantification of particular likelihoods or probabilities, and as a method
for identifying which event sequences and causal factors could lead to a hazardous
incident. It is also useful for identifying the major contributors to the likelihood of the
top event.
A completed fault tree, such as that shown in Figure 10, should consist of a series
of basic events connected through intermediate events to the top event. Below the
top event, and below every intermediate event, a gate is shown which explains
how the lower events can lead to the higher event. The most important types of
logic gates are OR and AND gates. An OR gate indicates that any one of the
lower events is sufficient to lead to the higher event. An AND gate indicates that
all of the lower events are required to lead to the higher event. The rules for gate-by-
gate fault tree calculation are as follows:

Gate   Input pairing*   Calculation for output                                   Units
OR     PA OR PB         P(A OR B) = 1 - (1 - PA)(1 - PB)                         dimensionless
                                  = PA + PB - PA.PB
                                  ~ PA + PB (when PA and PB are small)
       FA OR FB         F(A OR B) = FA + FB                                      per unit time
       PA OR FB         Not permitted                                            NA
AND    PA AND PB        P(A AND B) = PA.PB                                       dimensionless
       FA AND FB        Unusual pairing; reform one input so that it is FA AND PB    NA
       FA AND PB        F(A AND B) = FA.PB                                       per unit time

* PX = probability of event X (dimensionless).
  FX = frequency of event X (per unit time, usually per hour or per year).
Figure 10: Example Fault Tree [HIPAP No. 6]

Top event: VESSEL FAILURE DUE TO OVERPRESSURE
  [AND]
  Failure of pressure relief system
    [OR]
    Relief valve capacity inadequate
    Relief valve fails closed
  High pressure in vessel
    [AND]
    Pressure rises
      [OR]
      Automatic pressure control system fails
        [OR]
        Controller fails
        Control valve fails
      Manual outlet valve closed whilst vessel on-line
    Failure of operator to respond to high pressure alarm

Common errors in fault tree construction and presentation include:
Incorrect selection of the top event (a potentially critical error, given that fault trees are normally constructed from the top event down);
Insufficient discrimination between intermediate events and/or inconsistent or ambiguous intermediate event titles (causing potential difficulties in interpretation and verification);
Use of incorrect logic gates (i.e. using an OR gate instead of an AND gate, and vice versa);
Omission of human factors (refer to Section 5.9.4);
Dimensional inconsistencies (see rules above);
Failure to consider alternative operating modes; and
Failure to record assumptions and data sources.
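As an added worked example (not code from this paper or from any of the organisations it cites), the gate rules and the two figures above can be coded so that the dimensional checks in the rules table are enforced mechanically rather than by inspection: a probability and a frequency cannot be OR-ed, two frequencies cannot be AND-ed, and every outcome of the event tree carries the units of its initiating event. The tree shapes follow Figures 9 and 10 as reconstructed here; every failure rate, branch probability and the per-year time basis are constructed placeholders, not figures from the paper or from any failure-rate database.

```python
"""Gate-by-gate fault tree evaluation with unit checks, then an event tree.
Added worked example; not code from MIHAP No. 3. The tree shapes follow
Figures 9 and 10; all numerical inputs are constructed placeholders."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class P:
    """Dimensionless probability of an event (P_X in the gate rules)."""
    value: float


@dataclass(frozen=True)
class F:
    """Frequency of an event per year (F_X in the gate rules)."""
    value: float


def or_gate(*inputs):
    """OR gate: any one input is sufficient for the output.
    P OR P -> 1 - prod(1 - P_i); F OR F -> sum of F_i. Mixing a probability
    with a frequency is not permitted, so it is rejected, not silently added."""
    if all(isinstance(x, P) for x in inputs):
        return P(1.0 - prod(1.0 - x.value for x in inputs))
    if all(isinstance(x, F) for x in inputs):
        return F(sum(x.value for x in inputs))
    raise ValueError("OR gate cannot combine a probability with a frequency")


def and_gate(*inputs):
    """AND gate: all inputs are required for the output.
    P AND P -> product (dimensionless); F AND P -> F * product of P (per year).
    F AND F would have units of 1/year^2, so the analyst must reform one input
    as a probability (e.g. the fraction of time the condition exists)."""
    freqs = [x for x in inputs if isinstance(x, F)]
    probs = [x for x in inputs if isinstance(x, P)]
    p_product = prod(x.value for x in probs)  # prod() of nothing is 1.0
    if not freqs:
        return P(p_product)
    if len(freqs) == 1:
        return F(freqs[0].value * p_product)
    raise ValueError("AND of two frequencies: reform one input as a probability")


def pairing_permitted(gate, *inputs) -> bool:
    """True if the gate accepts these input units (the 'NA' rows return False)."""
    try:
        gate(*inputs)
        return True
    except ValueError:
        return False


def vessel_overpressure_frequency() -> F:
    """Evaluate the Figure 10 tree bottom-up (constructed input data)."""
    relief_fails = or_gate(P(0.01), P(0.02))        # capacity inadequate OR fails closed
    auto_control_fails = or_gate(F(0.1), F(0.2))    # controller OR control valve, per year
    pressure_rises = or_gate(auto_control_fails, F(0.05))  # OR manual outlet valve closed on-line
    high_pressure = and_gate(pressure_rises, P(0.1))       # AND operator misses the alarm
    return and_gate(relief_fails, high_pressure)           # top event, per year


def figure9_event_tree(p_detect=0.9, p_manual=0.5, p_early=0.1, p_delayed=0.2):
    """Figure 9 as nested (question, P(yes), yes_branch, no_branch) tuples; a
    string is a final outcome. Branch probabilities are constructed; a
    probability produced by a fault tree (a P above) can be used the same way."""
    after_isolation = ("Delayed ignition", p_delayed, "Flash fire", "Safe dispersal")
    no_isolation = ("Early ignition", p_early, "Jet fire",
                    ("Delayed ignition", p_delayed, "Flash & jet fire", "Safe dispersal"))
    return ("Gas detectors trigger automatic isolation", p_detect, after_isolation,
            ("Operator isolates manually", p_manual, after_isolation, no_isolation))


def evaluate_event_tree(node, initiator: F, totals=None) -> dict:
    """Multiply the initiating frequency along each path; outcomes reached by
    more than one path have their frequencies summed."""
    if totals is None:
        totals = {}
    if isinstance(node, str):
        totals[node] = F(totals.get(node, F(0.0)).value + initiator.value)
        return totals
    _, p_yes, yes_branch, no_branch = node
    if not 0.0 <= p_yes <= 1.0:
        raise ValueError("branch probability must lie in [0, 1]")
    evaluate_event_tree(yes_branch, F(initiator.value * p_yes), totals)
    evaluate_event_tree(no_branch, F(initiator.value * (1.0 - p_yes)), totals)
    return totals


if __name__ == "__main__":
    top = vessel_overpressure_frequency()
    print(f"Vessel failure due to overpressure: {top.value:.2e} per year")
    outcomes = evaluate_event_tree(figure9_event_tree(), F(1e-3))
    for name, freq in sorted(outcomes.items()):
        print(f"{name:<18} {freq.value:.2e} per year")
    # Outcome frequencies must sum back to the initiating release frequency.
    assert abs(sum(f.value for f in outcomes.values()) - 1e-3) < 1e-12
```

The check at the end of the script is the one worth keeping in any spreadsheet or tool that quantifies an event tree: the outcome frequencies must add back to the initiating frequency, otherwise a branch probability and its complement have been entered inconsistently. Replacing a constructed branch probability with the output of a fault tree is a one-line change, which is the point of the rules table: the units travel with the number.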
Other Logic Models
There are a number of different techniques that can be used to estimate the
likelihood of accidents and their consequences. Brief descriptions of some of these
follow, while Appendix 5 (Appendix 5: Methods for Estimating Likelihood) contains
references to further information regarding the estimation of the likelihood of
accidents and their consequences.

5.9.1 Sources of Failure Data


The likelihood of potentially hazardous incidents arising out of hazards previously
identified may be determined either from generic or specific historical plant failure
data. The use of actual historical data is preferred in most instances as it is seen to
be true. However, there are difficulties in demonstrating that the chosen historical
data was correctly recorded and that it is relevant to the situation being assessed.
There is no simple way of specifying which sources of failure data are the most
appropriate for a given hazard analysis. However, the quality of the data, the
statistical significance of errors in the data used and the appropriateness of the
circumstances to which the data are applied is crucial to the validity of the
conclusions of the Risk Assessment. These aspects in particular should be well
understood and should be clearly documented.
Failure data are usually presented in one of two forms, depending on the nature of
the equipment and the way it is used. For equipment in continuous use, it is usually
expressed as failures per unit time (e.g. failures per million hours, failures per year).
Systems or components which are not normally in use, but which are called upon to
act infrequently (e.g. protective systems) may have their failure rates expressed as
probability of failure upon demand.
Generic failure data are those which have been collected from a wide range of
sources representing many item-years of operation. Most generic failure data are
available at the component level (transistor, flange, electric motor winding, etc).

However, data may be available for subsystems such as pump-motor combinations, closed control loops, gas detection systems, refrigeration systems, etc.
Because of the large population of items of any particular type included, generic data can give a good first estimate of the likelihood of failure of similar items. However, generic data may not provide enough information for a complete analysis of a specific plant operating under specific circumstances.
The use of specific plant failure data derived from an organisation's own records would usually be preferable to generic data, provided that the item population and time period of data collection are sufficiently large. If applied to other plant within the organisation or extrapolated to other similar plants, these may still be better than generic data because specific plant data may reflect more relevant design, construction, operation, maintenance and other management practices. Unfortunately, such data are rarely available, except in very large organisations. Section 5.9.2 discusses other factors that should be considered when using plant specific failure data.
In cases where plant specific data are not available, it may be appropriate to modify the best data available in order to reflect the operational and organisational practices of the company concerned. This will always involve some degree of judgement, although more formal techniques are available to assess an Operator's overall safety performance, which may help with making such modifications. It is essential to document the base data as well as the modification factor and the reasons for the modification.

5.9.2 Reliability and Availability

These characteristics of engineered plant equipment can have a significant effect on the likelihood of accidents. The use of generic failure data implies that the reliability and availability of the system being studied are comparable to those of the population used to develop the data.
Therefore, as part of a QRA, it may be necessary to review past and predict future values of these properties, particularly when logic models such as fault trees are being used to determine accident likelihood based on initiating event frequency and the effectiveness of critical control measures. Lees (1996a) contains a comprehensive summary of techniques that can be used to analyse and quantify these characteristics.

Reliability can be considered to be the ability of an item to perform a required function under stated conditions for a stated period of time. Traditionally, the failure behaviour of an equipment item or system containing a series of components has been described as exhibiting three stages:
Early failures, due to factors such as defective equipment, incorrect installation, uninformed users, etc.
Random failures, occurring during the useful life of equipment. These failures are often caused by random fluctuations of load that exceed the design strength of the equipment, and tend to occur at a lower overall rate than early or wear-out failures.
Wear-out failures, which occur as the equipment reaches the end of its lifecycle.
This behaviour is often referred to as a bath-tub curve (see Figure 11).

Figure 11: Reliability Bath Tub Curve

The understanding of equipment reliability developed since the mid 1970s has revealed this to be a somewhat limited appreciation of the wider spectrum of possible lifecycle models, but it is introduced here for the purposes of illustration. What is important is that Operators understand that equipment reliability is unlikely to be constant through its lifecycle, and that historical measurements of reliability may not be representative of future reliability. Any assumptions made about equipment reliability must therefore be clearly documented.
Availability is a measure of the fraction of time that an item is in service (uptime) compared with the total time that the item is required to be in service. That is:

It provides a measure of the fraction of plant operating time that an item can be expected to be in service. Reliability, by contrast, concerns whether the item functions correctly during the time it is in service. Factors that can influence availability include testing and calibration tasks that require plant to be taken offline and expected repair times for known failure modes. Therefore, the performance of a control measure will depend upon both its reliability and its availability. For example, a gas detection system may be considered highly reliable if it has never required breakdown repairs, but if it spends a significant amount of time performing internal calibrations that prevent it from monitoring ambient conditions, then its availability will be reduced, and its overall performance compromised.

5.9.3 Other Data Requirements


Other frequency and likelihood data that may be required to perform a Risk
Assessment include:
meteorological data, such as the probabilities of the occurrence of particular wind
and weather conditions;
natural event data, such as the likelihood of flooding, earthquakes, cyclones, etc.;
external events data, such as the likelihood of aircraft impact or events on
neighbouring sites; and
population presence data, if societal risk calculations are to be undertaken.
Much of this data is specific to the location of the facility and can be obtained from local sources.

5.9.4 Human Factors
The Operator of a MHF must ensure that human factors that have been identified in the Hazard Identification are adequately considered in the likelihood analysis. The depth of assessment that is required may vary according to the hazard's complexity, uncertainty and level of contribution to risk, and in some cases may necessitate that the Operator use personnel with specific human factors knowledge.
The potential for people to make errors that lead to an accident, or to make less than optimal decisions in an accident scenario, is well known. In some facilities, the potential for human factors to affect the overall level of safety is significant and thus explicit consideration of the potential for human errors may be required.
Whilst traditional engineering safety assessment techniques, such as FMEA and FMECA, generally focus on engineering systems, it is possible to extend these techniques to look at human systems. When doing so, the Operator should identify and evaluate each human factor that has been identified and the likelihood of it occurring. For example, how likely is it that a person would fail to notice a low-flow alarm? What effect could this have, and how critical is this effect?
In this way, failures in human performance are analysed for effects on the system in much the same way as failures of physical components. It is important to include human errors (e.g. arising from poor design, or overload, etc.) as well as deliberate (rule violation) behaviour in this analysis, and to integrate the analysis into the related engineering safety assessment.
There are a number of techniques that have been developed specifically to estimate
the likelihood of human error occurring. These include:
Human Error Assessment and Reduction Technique (HEART): Williams (1988)
Techniques for Human Error Rate Prediction (THERP): Swain and Guttman (1983)
Systematic Human Error Reduction and Prediction Approach (SHERPA):
Embrey (1986)
Generic Error Modelling System (GEMS): Reason (1987)

These techniques are based on the assumption that the probability of a human error occurring under a particular set of circumstances can be estimated and applied to calculate risk. It is important to recognise that past experience in their use is greatly beneficial, as expert judgement is required to implement the methodologies.
Simplified Human Error Probabilities (HEPs), based on generic situations, may be used in QRA. Table 5 contains some examples of HEP values:

Table 5: Example Human Error Probability Values
(based on Hunns and Daniels 1980 and Kletz 1991)

Type of behaviour | Human error probability
Extraordinary errors, of the type where it is difficult to conceive how they could occur; stress free, powerful cues initiating for success. | 10^-5 (1 in 100,000)
Error in regularly performed, commonplace, simple tasks with minimum stress (e.g. selection of a key-operated switch rather than a non key-operated switch). | 10^-4 (1 in 10,000)
Errors of commission (1), such as operating the wrong button or reading the wrong display. More complex task, less time available, some cues necessary (e.g. selection of a large-handled switch rather than a small switch). | 10^-3 (1 in 1,000)
Errors of omission (2), where dependence is placed on situation cues and memory. Complex, unfamiliar task with little feedback and some distractions (e.g. failure to return a manually operated test valve to its proper configuration after maintenance). | 10^-2 (1 in 100)
Highly complex task, considerable stress, little time to perform it (e.g. during abnormal operating conditions, the operator reaching for a switch to shut off an operating pump fails to realise from the indicator display that the switch is already in the desired state and merely changes the status of the switch). | 10^-1 (1 in 10)
Process involving creative thinking; unfamiliar complex operation where time is short and stress is high. | Greater than 10^-1

(1) Errors of commission are errors in which the person performs extra steps that are incorrect or performs a step incorrectly. They also include errors where a person performs a sequence of steps in the wrong order or performs a step too quickly or too slowly. Errors of commission often reflect inadequate training and/or procedures, poor instruction or job aids, or a person being unaware of the risks/hazards associated with equipment or the environment.
(2) Errors of omission are instances where a person fails to perform one or more steps in a procedure. They can be caused by people being confused or having communication problems. Distraction or diversion of attention is also often the source of these errors. An inadequate mental model of a complex system can lead to errors of omission when the system experiences a malfunction. They are particularly prevalent in maintenance tasks.

It is important that the generic nature of these values is recognised. As with all
assumptions made during Risk Assessment, HEP values should be chosen
conservatively, and where risk levels exceed relevant criteria, more detailed methods
of analysis may be required.

5.10 Sensitivity Analysis


The Operator should be aware of the uncertainties involved in Risk Assessment,
particularly those introduced through assumptions that have been made. It should be
possible to estimate the uncertainty in the final results and to understand the
sensitivity of the results to various critical assumptions. It is important that the study
also includes a sensitivity analysis covering assumptions and data used which, if
varied, could significantly affect the results. Areas where sensitivity analysis may be
required include:
The reliability and availability of protective devices such as trips and shutdown
systems, and their effect upon accident likelihood.
Process conditions, and the effect increases beyond nominal or typical levels have
upon the consequences of accidents.
Gas detection system effectiveness and the impact of less reliable detection upon
the likelihood of more severe consequences.
Transient offsite population densities and the changes this causes in societal
risk estimates.
The results of sensitivity analyses may indicate that more detailed investigation is required to reduce the level of uncertainty associated with assumptions that have been made. For example, to reflect the continuous variations in vessel inventory, it may be assumed that storage vessel inventories are 50% of the maximum allowable inventory. However, should the likelihood of escalation be significantly higher when vessel inventories are above 50%, then it may be necessary to determine the fraction of time inventories are above 50%, and the effect that this has on the overall risk.

5.11 Risk Estimation and Presentation of Results
Accidents can have a wide range of outcomes. The outcomes can take many forms, particularly in the case of effects on the biophysical environment. Consequently, the risks associated with accidents can be expressed in a number of different ways.
In some cases, such as human fatality risk from fire and explosion, the risk from each event can be identified at any point in the affected area. For each point in the area affected, the risk from each final outcome (e.g. fatality, injury, irritation) can be calculated and, by summation, the total risk at each point can be determined. Hence, the distribution of risk around the facility can be calculated.
Similarly, the total risk at a particular location due to a number of facilities can be calculated by the summation of the risks from each individual facility. If the population in the affected areas is combined with the likelihood and consequence information for particular points, estimates of societal risk can be made.
Where the risk is calculated by the summation of risk from multiple sources (or facilities), it is still important to identify the major risk contributors. Identification and ranking of major risk contributors assists with demonstrating the relevance of existing, or proposed, control measures (refer to Section 6). Ideally, major risk contributors should be ranked and presented in a tabular format.
For other cases, the defined adverse outcome could be a toxic concentration, a
system failure or an effect on an ecosystem or species. Where a number of events
contribute to the same outcome, summation is possible. For any facility or activity,
however, there may be a number of risks which need to be analysed, understood and
managed. It is not always possible or appropriate to try to reduce all risks to simplified
comparable measures.

The large amount of information on the likelihood and consequences of various
hazardous events must be integrated into a presentation that reflects the goal of the
hazard analysis and the measures of risk that are of interest. Risk measures may be
presented as quantitative measures such as indices, tables, graphs or risk contour
plots, or as qualitative indicators such as risk matrices or nomograms. They may also
be representative of discrete risk contributors at a facility, such as the failure of a
specific piece of plant or equipment, or of the cumulative risk from all comparable risk
contributors at a facility. Additionally, they may provide a measure of the individual risk
or societal risk; that is, the risk at a specific location, or the risk to a defined
population. Different presentation tools are better suited for different purposes, and
the Operator should ensure that appropriate tools are used. Table 6 lists some
examples of qualitative and quantitative tools that can assist with presenting different
types of risk. Some of these tools have been presented earlier in this document, while
others are discussed further below.

Table 6: Examples of Risk Presentation Tools

                        Individual risk                 Societal risk
Discrete contributors   Risk matrices                   Risk matrices
                        Risk nomograms                  Risk nomograms
                        Effect vs. distance plots
                        Individual risk values
Cumulative risk         Risk iso-contours               Histograms
                                                        F-N curves
                                                        Risk integrals
                                                        Potential Loss of Life

Individual fatality or injury risk measures represent the likelihood of a specified level of harm at a specified location. No account is taken of whether or not anyone is actually present at that location. The measure includes the likelihood of the injury or fatality occurring in a specified time period and the type of injury likely to occur; for example, the individual fatality risk at a certain location might be one chance in a million per year.
Quantitative measures of individual risk are commonly presented as iso-contours that connect points of equal individual risk around the facility (see Figure 12). Using this presentation, areas of high exposure can be readily identified. Individual risk levels should, as far as possible, include all contributors to injury and fatality from fires, explosion and toxicity, even where there are uncertainties in correlating some consequences, such as exposure to toxic concentrations.


Figure 12: Examples of Iso-Risk Contours

Superimposed on an aerial photo Superimposed on a topographic map

In many instances, it is appropriate in the analysis to account for variations in the duration of exposure to that risk. It may also be appropriate to account for variations in people's vulnerability to the hazard and their ability to take evasive action when exposed to the hazard. By convention, and as a conservative measure, risk contours are usually plotted on the basis that the individual is exposed for the full duration of the hazardous incident and no account is taken of evasive action or protection by clothing, buildings, etc. It is essential that the analyst understands the basis of the risk calculations and that the assumptions used are internally consistent. It is also essential that these assumptions be clearly documented.
Societal risk is a measure of risk to a defined population that could be affected, usually in terms of injury or fatality. It takes account of the number of people in the affected area, the nature and scale of incidents that contribute to particular risk levels at particular points, and the outcomes of these incidents in terms of injury and fatality. It is often expressed as the likelihood of a specified number of fatalities, or as the expected number of fatalities per unit of time (e.g. the Potential Loss of Life (PLL) associated with a facility could be 3 x 10^-3 per annum. This corresponds to roughly one fatality every 330 years, but does not provide information on the number of people that could be killed in a single event).
Quantitative measures of societal risk can be presented as a graph, called an F-N curve (see Figure 13), which is a plot of cumulative frequency (F) versus number of fatalities (N). This curve shows graphically the potential for accidents at the facility to kill a large number of people in a single incident. F-N curves have the potential for a lack of clarity of meaning, and Operators must ensure that the indicator used is meaningful to the audience and that assumptions are documented.
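As an added worked example (not code from this paper), the following carries out the summation described in Section 5.11: it sums frequency times conditional fatality probability over every outcome reaching a point, ranks the contributors for the tabular presentation the paper asks for, derives a Potential Loss of Life and the cumulative F-N points from a set of population points, and finishes with the transient off-site population check that Section 5.10 lists among the sensitivity cases. Outcome names, frequencies, footprints, vulnerability values and population counts are all constructed placeholders; the circular "fatal radius" footprint stands in for the consequence-model output (heat flux, overpressure or concentration contours) that a real study would supply, and the conservative convention of the text is used: the person is present for the whole event and takes no evasive action.

```python
"""Individual risk at a location, ranked contributors, PLL and an F-N table.
Added worked example; not code from MIHAP No. 3. The outcomes, frequencies,
fatality footprints, vulnerabilities and population points are constructed
placeholders. Distances are in metres, frequencies per year."""
from dataclasses import dataclass
from math import hypot


@dataclass(frozen=True)
class Outcome:
    name: str
    frequency: float     # per year, e.g. from an event tree
    x: float             # source location
    y: float
    fatal_radius: float  # distance within which the effect is taken as lethal-level
    p_fatal: float       # probability of fatality for a person inside that radius


def _affects(o: Outcome, x: float, y: float) -> bool:
    """Stand-in for a consequence model: a circular footprint around the source."""
    return hypot(x - o.x, y - o.y) <= o.fatal_radius


def risk_contributors(x, y, outcomes):
    """Each outcome's contribution at (x, y), frequency * P(fatality | outcome),
    ranked largest first, so major contributors can be tabulated."""
    contrib = [(o.name, o.frequency * o.p_fatal) for o in outcomes if _affects(o, x, y)]
    return sorted(contrib, key=lambda item: item[1], reverse=True)


def individual_risk(x, y, outcomes) -> float:
    """Individual fatality risk at (x, y): the sum over contributing outcomes."""
    return sum(r for _, r in risk_contributors(x, y, outcomes))


def potential_loss_of_life(outcomes, population) -> float:
    """PLL per year: sum over population points of IR at the point times the
    number of people there. population is a list of (x, y, people)."""
    return sum(individual_risk(x, y, outcomes) * n for x, y, n in population)


def expected_fatalities(o: Outcome, population) -> float:
    """Expected fatalities from one outcome: p_fatal summed over exposed people."""
    return sum(n * o.p_fatal for x, y, n in population if _affects(o, x, y))


def fn_table(outcomes, population):
    """Cumulative F-N points: for each N (whole persons, rounded), the total
    frequency of outcomes expected to kill N or more people."""
    per_outcome = [(round(expected_fatalities(o, population)), o.frequency) for o in outcomes]
    levels = sorted({n for n, _ in per_outcome if n > 0})
    return [(n, sum(f for m, f in per_outcome if m >= n)) for n in levels]


def pll_sensitivity(outcomes, population, factors):
    """Sensitivity of PLL to a transient off-site population: scale every
    population count by each factor and return (factor, PLL) pairs."""
    return [(k, potential_loss_of_life(outcomes, [(x, y, n * k) for x, y, n in population]))
            for k in factors]


# Constructed outcomes: a pipe release (Figure 9 style) and a vessel event.
OUTCOMES = [
    Outcome("Pipe release: jet fire",   5.0e-6,  0.0, 0.0,  30.0, 1.0),
    Outcome("Pipe release: flash fire", 1.9e-4,  0.0, 0.0,  80.0, 1.0),
    Outcome("Vessel failure: BLEVE",    1.0e-6, 50.0, 0.0, 300.0, 0.5),
]
# Constructed population points: (x, y, people normally present).
POPULATION = [(20.0, 0.0, 2), (250.0, 0.0, 40), (400.0, 0.0, 200)]


if __name__ == "__main__":
    for x, y, n in POPULATION:
        print(f"IR at ({x:.0f}, {y:.0f}) = {individual_risk(x, y, OUTCOMES):.2e} per year")
    for name, r in risk_contributors(20.0, 0.0, OUTCOMES):
        print(f"  contributor at (20, 0): {name:<26} {r:.2e}")
    print(f"PLL = {potential_loss_of_life(OUTCOMES, POPULATION):.2e} per year")
    for n, f in fn_table(OUTCOMES, POPULATION):
        print(f"F(N >= {n:>2}) = {f:.2e} per year")
    for k, pll in pll_sensitivity(OUTCOMES, POPULATION, [0.5, 1.0, 2.0]):
        print(f"population x{k}: PLL = {pll:.2e} per year")
```

Two things the numbers make visible that the prose only states: the individual risk at the residential point is zero even though the PLL is dominated elsewhere by people who spend time close to the plant, which is why a PLL alone says nothing about who carries the risk; and the F-N table shows the rare vessel event is the only one capable of a multi-fatality outcome, which an individual risk contour would not reveal.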

Property damage risk indicators show the potential of incidents to cause damage to
buildings and structures on-site and off-site, usually as a result of fire, explosions and
missiles. This is usually expressed as the likelihood and intensity of heat flux or
explosion overpressure incident at various points around the facility, and may be
presented as tables or risk contours of heat radiation or explosion overpressure. Table
13 and Table 14 in Appendix 4 (Appendix 4: Models for Consequence Analysis) list
threshold quantities for different levels of property damage as a result of heat
radiation and explosion overpressure.

Figure 13: Example F-N Curve

In some cases, simpler plots of consequence versus distance, or consequence footprints superimposed on facility layout drawings, may be sufficient. This type of approach is particularly useful for demonstrating that consequences cannot reach certain receptors, regardless of the estimated likelihood of their occurrence.
The assessment of the ultimate effects from toxic releases into natural ecosystems is difficult, particularly for atypical accidental releases. In many cases it may not be possible to establish the final effects. For risk to the biophysical environment, the focus is generally on toxicity effects on whole systems or populations rather than on individual plants and animals. Data are often limited, and the factors affecting the outcome are variable and complex. There may be no immediate loss of plants or animals or other observable effects from a single release, but there may be cumulative and synergistic effects. The form of presentation of risk to the biophysical environment must necessarily be selected on a case-specific basis. In many cases, the likelihood of identified concentrations occurring in the air, water or soil may be the appropriate risk indicator. Qualitative indicators may also be appropriate in certain circumstances.

6 Control Measures
Control measures are the systems that reduce the risk associated with accidents by
eliminating, preventing, reducing or mitigating the associated hazards and
consequences. They are the means by which the Operator ensures safe operation.

6.1 Identifying and Understanding Controls

The Hazard Identification process will assist with the identification of control measures. Control measures may also be identified during the risk estimation and assessment processes; this is particularly relevant for individual high risk scenarios or scenarios that are major contributors to cumulative risk. For high risk scenarios, alternative or additional control measures may also be identified. Operators should also review control measures following completion of the Risk Assessment, in order to determine if further potential control measures need to be identified. Checklists of typical control measures may assist with this, but should not be relied on solely. The specific nature of each hazard must be considered when identifying control measures.
Once identified, control measures must be understood. There must be a clear link between control measures and the initiating events, accidents and consequences which they are intended to manage. Generalised risk controls (e.g. training) may be necessary, but on their own are insufficient to adequately control accident scenarios. Tools that can assist with documenting these linkages include Hazard Registers, Bow Tie diagrams, fault trees and event trees.
n

To adequately understand a control measure, the Operator must also have a


comprehensive understanding of the nature and scale of the initiating events,
tio

accidents and consequences that the control measure is intended to manage, and
the effect that the control measure will have on these factors. This understanding
provides the basis for defining performance indicators and standards for control
lta

measures, and for defining those control measures that are critical to safe operation.
Control measures can be categorised according to a hierarchy of controls. Various
hierarchies of control have been developed (e.g. HSE, NOHSC, and WorkCover).
su

Operators may also benefit by categorising control measures as either hardware


controls (engineered systems) or software controls (management systems, people or
procedures).

Table 7: Example Hierarchy of Control Measures (based on the HSE Hierarchy of Control)

Elimination: Something that removes a hazard completely. While this is clearly the
most effective type of control measure, it is often not practicable to eliminate
hazards. For example, if a toxic material is an essential raw material, then removal
is most likely not possible.

Substitution: Using a less hazardous material to meet the same need as a highly
hazardous material.

Intensification: Reducing the total inventory of a hazardous material.

Prevention: Something that prevents accident scenarios from occurring or
significantly reduces their likelihood.

Reduction: Control measures that reduce the magnitude of the consequences, usually
by detecting an unwanted condition and acting to stop the scenario. They do not
directly combat the consequences of an accident.

Mitigation: Control measures that directly combat the consequences of an accident
by reducing their effects on people, plant and the environment. While the least
preferred type of control measure, well designed mitigation control measures are
essential for safe operation, since they provide the absolute last line of defence.

It is important that the human component is sufficiently considered when designing
and implementing control measures. Errors made in the design and implementation of
control measures, whether engineered safety devices, individual procedures and
tasks, or the overall SMS, can result in control measures being unable to fulfil their
intended role or to achieve the level of performance required for full effectiveness.
In addition, such errors may introduce further hazards that may cause or contribute
to major accidents.

It is important that people designing or implementing control measures look beyond
behavioural response issues and also consider modifying possible problem areas at
their source (for example, by creating less error prone environments and less error
prone activities).

Where control measures involve people, human capacity and limitations must be
carefully and demonstrably considered. For example, if an employee is required to
perform a task that constitutes a control measure (such as isolating a piece of
equipment within a specified time during an emergency), it must be clear that the
employee would be able and willing to do this under the conditions that may prevail.

6.1.1 Identification of Control Measures


As well as identifying hazards, the Hazard Identification process can also assist with
the identification of control measures. This is particularly the case when studying an
existing facility, and the people involved in the process have a comprehensive
understanding of the systems in place to manage risk. These links between hazards
and control measures are valuable to understanding risk, and to demonstrating the
adequacy of control measures. It is therefore important to document these links, and


not simply record hazards and controls in an unstructured manner. A Hazard Register,
as discussed in Section 3.7, is a tool that can help record this information in a
systematic and structured manner.
The type of structure used to record control measures may vary between Operators,
and possibly from plant to plant for a single Operator. More rigorous structures may
be required for high-risk accident scenarios, to facilitate the detailed Risk Assessment
such scenarios warrant, while simple structures may be suitable for low risk hazards.
Figure 14 shows examples of different structures that can be used. In the
unstructured case, hazardous scenarios, controls and consequences are listed,
however the sequence in which control measures function is not documented. In a
highly structured case, such as a Bow Tie diagram (see footnote 4), this sequence is recorded, and the
reliance upon some control measures for managing multiple hazards can be more
clearly determined.

Figure 14: Structuring Hazard Identification Findings (diagram not reproduced; the
items legible from it are listed below)

Unstructured: hazards, controls and outcomes are listed without linkage
  Hazards: Internal corrosion; Maintenance work; Nearby fire; Overpressure
  Controls: Permit to Work; Vessel inspection; High pressure trip; Relief valves;
  Electrical classification; Gas detection & isolation; Deluge; Vessel design standard
  Outcomes: Unignited gas cloud; Localised fire; Explosion

Highly structured (Bow Tie), top event: Large scale release from reactor
  Left-hand side, threats with the controls shown between them and the top event:
  Overpressure (High pressure trip, Relief valves); Internal corrosion (Vessel
  inspection, Vessel design standard); Maintenance work (Permit to Work); Nearby
  fire (Electrical classification)
  Right-hand side, controls between the top event and the outcomes: Gas detection &
  isolation; Deluge
  Outcomes: Unignited gas cloud; Localised fire; Explosion

4 The bow tie diagram, initially developed by Shell, can be thought of as a linked fault tree (the left-hand side) and
an event tree (the right-hand side) based on a specific scenario. The two sides of the bow tie have different
features, which need to be recognised if they are used. The left-hand side does not contain a sequence; e.g.
the control feature could fail before or after the initiating event. In more complex bow tie diagrams, there is
the possibility for branches to be linked using AND or OR gates. By comparison, the right-hand side is simpler.
It is sequential and the scenario develops along only one of the routes. The control measures are listed in the
bow tie diagram, but it is failure of the control measure that allows the sequence to develop.


In terms of a bow-tie diagram, prevention controls are located to the left of the initiating
event, and can be considered to be proactively managing risk. Elimination, substitution
and intensification controls are not explicitly included in the Bow Tie Diagrams but
affect the possible initiating events and the potential accidents. Controls of type
reduction and mitigation are located to the right of the initiating event, and can be
considered to be reactively managing risk. Adopting a hierarchy of controls can
improve the understanding of control measures by helping an Operator analyse, and if
necessary, adjust, the balance between proactive and reactive control measures.

Table 8: Example Control Measures

Elimination
  Technical controls: Physical barriers between incompatible materials, such as
  mounding of LPG bullets; Removal of hazardous materials; Inherent design features,
  layout.
  Operational controls: Inherently safe process concept; Plant design procedures.

Substitution
  Technical controls: Substitution by less hazardous materials.
  Operational controls: Systems to prevent incompatible materials being on the site
  at the same time.

Intensification
  Technical controls: Smaller process and storage vessels.
  Operational controls: Improved logistics and stocks management.

Prevention
  Technical controls: Process control systems; Instrumented protective isolation;
  Interlocking devices; Condition monitoring; Impact barriers and crane safety
  devices; Pressure relief valves and bursting disks; Materials specifications,
  corrosion allowance; Secondary containment of hazardous substances.
  Operational controls: Operating procedures and instructions; Maintenance and
  systems procedures; Personnel skills and training; Plant inspection, equipment
  test, maintenance, repair; Design procedures; Management of Change; Permit to
  Work; Raw material quality specifications.

Reduction
  Technical controls: Gas detection systems; Shutdown, isolation, depressurisation
  systems; Bunding, drainage and other containment systems.
  Operational controls: Plant surveillance; Spill containment and clean-up
  procedures; Electrical area classifications.

Mitigation
  Technical controls: Plant evacuation alarms; Fire suppression and cooling systems;
  Passive fire protection systems.
  Operational controls: Emergency communications; Land-use planning and buffer
  zones; Emergency planning and procedures.


The Health and Safety Executive of the United Kingdom publishes a list of types of
controls, with extensive descriptions of the factors relevant to those controls for Major
Hazard Facilities (http://www.hse.gov.uk/hid/land/comah/level3/). The list of controls is
given in Table 9.

Table 9: UK HSE Example Control Measures

Controls
- Active / Passive Fire Protection
- Alarms / Trips / Interlocks
- Control Room Design
- Control Systems
- Corrosion / Selection of Materials
- Design Codes - Buildings / Structures
- Design Codes - Jetties
- Design Codes - Pipework
- Design Codes - Plant
- Drum / Cylinder Handling
- Earthing
- Emergency Isolation
- Emergency Response / Spill Control
- Explosion Relief
- Hazardous Area Classification / Flame proofing
- Inerting
- Inspection / Non-Destructive Testing (NDT)
- Leak / Gas Detection
- Lifting Procedures
- Maintenance Procedures
- Operating Procedures
- Permit to Work Systems
- Plant Layout
- Plant Modification / Change Procedures
- Quench Systems
- Raw Materials Control / Sampling
- Reaction / Product Testing
- Reliability of Utilities
- Relief Systems / Vent Systems
- Roadways / Site Traffic Control / Immobilisation of Vehicles
- Secondary Containment
- Segregation of Hazardous Materials
- Site Security
- Training
- Warning Signs


Layer of Protection Analysis


Layer of Protection Analysis (LOPA) is a semi-quantitative Risk Assessment
methodology that combines the efficiency of qualitative techniques with the
objectivity of quantitative techniques, and can give an Operator a valuable
understanding of the effectiveness of control measures. It is relatively quick to
implement and simple to understand, yet provides objective measurements of the
level of residual risk and of the need for additional control measures. The Centre for
Chemical Process Safety (CCPS) has published a comprehensive book (CCPS 2001) on
the application of LOPA, and only a brief summary of the technique is provided here.
The technique uses simplifying rules to evaluate initiating event frequency,
independent layers of protection, and the magnitude of the consequences, to provide
order-of-magnitude estimates of residual risk. Where unacceptable residual risk is
found, the technique helps define the level of performance required from additional or
alternative control measures to meet all relevant criteria. These requirements can then
be used as performance specifications when designing or purchasing new control
measures.
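The arithmetic behind that summary, as an added example that is not part of this paper or of the CCPS book: the mitigated frequency of a consequence is the initiating event frequency multiplied by the probability of failure on demand (PFD) of each independent protection layer, and any shortfall against the tolerable frequency is the risk reduction factor an added control must provide. The scenario names, frequencies, PFDs and tolerable frequency below are constructed for illustration, and `lopa` and `order_of_magnitude_rrf` are names chosen here, not terms from any standard.

```python
"""Added example (not from the MIHAP paper or the CCPS book): a minimal
Layer of Protection Analysis over two constructed scenarios.

LOPA convention (CCPS 2001): the mitigated frequency of a consequence is
    f_mit = f_IE * PFD_1 * PFD_2 * ... * PFD_n
where f_IE is the initiating event frequency (per year) and each PFD is the
probability of failure on demand of an Independent Protection Layer (IPL).
Layers that are not independent of the initiating event or of each other
take no credit.  If f_mit exceeds the tolerable frequency, the shortfall is
the risk reduction factor (RRF) that an additional or alternative control
measure must deliver; that RRF becomes its performance specification.
All frequencies, PFDs and the tolerable frequency below are constructed
illustrative values, not data from any facility, standard or criterion.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionLayer:
    name: str
    pfd: float            # probability of failure on demand, 0 < pfd <= 1
    independent: bool     # only IPLs are credited in the calculation


@dataclass(frozen=True)
class Scenario:
    description: str
    initiating_event_frequency: float   # events per year
    layers: tuple                       # ProtectionLayer instances, in order
    tolerable_frequency: float          # per year, from the Operator's criteria


@dataclass(frozen=True)
class LopaResult:
    credited_layers: tuple      # names of the layers that took credit
    mitigated_frequency: float
    meets_target: bool
    required_rrf: float         # 1.0 when no further risk reduction is needed


def lopa(scenario: Scenario) -> LopaResult:
    """Multiply the initiating event frequency by the PFD of each IPL."""
    if scenario.initiating_event_frequency <= 0 or scenario.tolerable_frequency <= 0:
        raise ValueError("frequencies must be positive")
    credited = []
    f_mit = scenario.initiating_event_frequency
    for layer in scenario.layers:
        if not 0.0 < layer.pfd <= 1.0:
            raise ValueError(f"{layer.name}: PFD must be in (0, 1]")
        if not layer.independent:
            continue    # a dependent layer (e.g. an alarm on the failed BPCS) gets no credit
        f_mit *= layer.pfd
        credited.append(layer.name)
    gap = f_mit / scenario.tolerable_frequency
    return LopaResult(
        credited_layers=tuple(credited),
        mitigated_frequency=f_mit,
        meets_target=gap <= 1.0,
        required_rrf=gap if gap > 1.0 else 1.0,
    )


def order_of_magnitude_rrf(rrf: float) -> int:
    """Round a required RRF up to the next power of ten, matching the
    order-of-magnitude resolution LOPA works at (an RRF of 150 is specified
    as 1000, i.e. a layer with PFD 1e-3)."""
    if rrf <= 1.0:
        return 1
    return 10 ** math.ceil(math.log10(rrf) - 1e-9)   # tolerance absorbs float noise


# Constructed scenarios loosely following the reactor bow tie in Figure 14.
OVERPRESSURE_WELL_PROTECTED = Scenario(
    description="Loss of pressure control leading to large scale release from reactor",
    initiating_event_frequency=0.1,          # BPCS loop failure, per year (constructed)
    layers=(
        ProtectionLayer("BPCS high pressure alarm", 0.1, independent=False),  # same BPCS: no credit
        ProtectionLayer("Operator response to independent alarm", 0.1, independent=True),
        ProtectionLayer("High pressure trip (SIS)", 0.01, independent=True),
        ProtectionLayer("Relief valve", 0.01, independent=True),
    ),
    tolerable_frequency=1e-5,                # per year (constructed criterion)
)

OVERPRESSURE_OPERATOR_ONLY = Scenario(
    description="Same initiating event, operator response is the only layer",
    initiating_event_frequency=0.1,
    layers=(ProtectionLayer("Operator response to independent alarm", 0.1, independent=True),),
    tolerable_frequency=1e-5,
)


if __name__ == "__main__":
    for sc in (OVERPRESSURE_WELL_PROTECTED, OVERPRESSURE_OPERATOR_ONLY):
        r = lopa(sc)
        print(f"{sc.description}: f_mit={r.mitigated_frequency:.1e}/yr, "
              f"meets target={r.meets_target}, "
              f"required RRF={order_of_magnitude_rrf(r.required_rrf)}")
```

The second scenario is the case the paper describes: the residual frequency is three orders of magnitude above the constructed criterion, so the RRF of 1000 is the performance specification for whatever additional layer is procured. Note that the alarm on the same control system as the initiating failure is listed but not credited; counting it would understate the residual risk.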

6.2 Criticality of Controls


While multiple layers of defence are the preferred approach to managing hazards, it is
important that Operators recognise that some layers are more important than others.
A key output from the Risk Assessment process should be the identification of those
control measures that are critical to safe operation. These critical control measures
should receive the highest level of ongoing management attention to ensure that they
are not degraded.

There is a range of methods available for identifying critical control measures.
These include:
- Team judgement of criticality. While the objectivity of this approach can be
  improved by using rule sets, it tends to be divorced from the other parts of the
  Risk Assessment process. Unless teams are well facilitated, key contributory
  factors to criticality may be overlooked. It may also be difficult to demonstrate
  objectivity in the selection process, unless extensive notes are made of the
  discussion leading to each decision.
- Last lines of defence / first lines of attack philosophy. In terms of a bow tie
  diagram, this approach defines critical control measures as the right-most proactive
  control measures and the left-most reactive control measures. Provided accurate
  bow tie diagrams are prepared for each incident scenario, this approach should
  ensure that all hazards have at least one critical control measure. However, in
  some cases the last line of defence may not be the most effective layer, and
  focussing management attention on these controls would not be the most
  effective way of managing risk.
- LOPA risk reduction factors. As part of LOPA, each control measure is credited
  with a certain level of risk reduction. Those credited with the largest reductions are
  most likely to be critical.


Operators may already have their own methodologies for identifying critical control
measures, or may develop techniques that build upon Risk Assessment results.
Whatever technique is adopted, some of the factors that should be considered when
determining control measure criticality are:
- The hierarchy of controls. Prevention is better than mitigation, hence critical control
  measures will tend to be biased towards prevention.
- The number of layers of protection. Where there are few control measures, one or
  more of those controls is likely to be critical; in the extreme, if there is only one
  control it will almost certainly be critical.
- If a control measure is highly effective, it is more likely to be a critical control.
- Control measures for the most likely causes of accidents are more likely to be
  critical than those for less likely causes.
- Control measures that prevent a number of causes of accidents are more likely to
  be critical than those for single causes.
- The more severe the potential consequences of an accident, the more likely that
  associated control measures will be critical.

At a minimum, documentation on each critical control measure should cover:
- The purpose of the control (clearly linked to the identified hazard/s, initiating event/
  s and possible consequences);
- How the reliability and availability of the control measure will be maintained and
  monitored through the SMS (refer to Section 6.5.1 Performance Indicators),
  including actions to be taken in the event of a non-compliance;
- Responsibilities for maintenance and monitoring of the control measure; and
- The minimum performance requirements for the control measure (refer to Section
  6.5.2 Performance Standards).

6.3 Investigation of Alternative Control Measures


n
tio

There are a number of reasons for an Operator to search for alternative control
measures. One of the more compelling and straightforward of these is when Risk
Assessment has shown that risk levels exceed some relevant criteria. Other relatively
straightforward reasons to look for alternative control measures include:
- Where there is evidence that an existing control is not performing as well as
  required, possibly due to deficiencies in design, degradation of performance, or
  deliberate disablement.
- When a modification is proposed for the facility.
- Where existing control measures are to be replaced due to old age.
- Where an Operator becomes aware of improved technology for managing pre-
  existing hazards.

Somewhat less obvious reasons to look for alternative control measures include:
- Where new operating conditions have arisen without any modification to plant
  being made.
- Where Risk Assessment has shown that while risk levels do not exceed any
  relevant criteria, they are not negligible and can therefore potentially be further
  reduced.

One often overlooked reason for Operators to look for alternative control measures is
where the knowledge of the basis for safe operation has been lost, and the reasons
why existing control measures were adopted are no longer part of corporate memory.
For Operators of existing facilities, there may be control measures that were reviewed
in the past without full records of the decisions that were made. Some of these
decisions may even have been made before the Operator was responsible for the
facility. For existing control measures, an Operator should determine those past
decisions that need to be recorded and reviewed, in order to maintain the integrity of
the control measures into the future. Given the large number of decisions and control
measures for some facilities, it may not be practicable to revise all past decisions.
However, understanding the basis of existing control measures, even those that
cannot practicably be revised (e.g. site location and layout), is still important for
maintaining safe operation. The Operator should identify the critical areas that require
detailed review and those areas where less detailed review may suffice.

6.4 Reviewing Alternative Control Measures

A number of factors contribute to determining the reasonable number of existing and
alternative control measures for an Operator to review, including:
- The nature of the risk profile. As discussed previously, the review of alternative
  control measures should be focussed on those areas with the highest level of risk.
  Those hazards that dominate the risk profile of the facility may warrant the review
  of a greater number of alternatives than those that contribute relatively little to the
  overall risk profile.
- The scale and complexity of the facility. For larger and more complex facilities,
  there are likely to be more hazards and, therefore, more control measures
  required. It would therefore be appropriate for the Operator of such a facility to
  review a wider range of options than the Operator of a small and simple facility with
  relatively few hazards.
- The rate of development of new control measures. Hazards for which new and
  potentially improved control measures are rapidly being developed may require
  more thorough review than those areas where fewer potential advances have
  been made.

Alternatives should include both proven technology and newly developed techniques.
The Operator should not dismiss an alternative without consideration on the grounds
that it is unproven. Rather, they should evaluate new technologies and practices to
determine if they are suitable.

The following table, based on material developed by WorkSafe MHD (2002c), lists
some factors and issues that should be considered when reviewing alternative control
measures. WorkSafe MHD (2002c) provides further discussion on each of these
factors.


Table 10: Factors in Selecting or Rejecting Control Measures

Existing controls
- Are there controls clearly linked to each hazard, or are there some hazards having
  no (or insufficient) control measures?
- Does the number of controls reflect the level of severity of the hazards?

Effectiveness of alternative
  Functionality
  - Is it sufficient to control the hazard in the intended manner?
  - Does it suppress the hazard completely, prevent escalation or simply mitigate
    effects?
  Reliability
  - Is the reliability of the alternative, and of all control measures in combination,
    appropriate to the level of risk presented by the associated hazards?
  - Can function testing detect failures, and will failures once detected be able to be
    rectified sufficiently promptly?
  Availability
  - Is the control system off-line for testing, calibration or maintenance for an
    unacceptable fraction of the time?
  Survivability
  - Is the control measure able to function as intended during the types of accidents
    it is intended to reduce or mitigate?

Hierarchy of control measures
- Have control measures that eliminate the hazard been adopted first if practicable,
  followed by measures to substitute, intensify, prevent, reduce, then mitigate?

Balance of control measures
- Does the hazard have an appropriate balance of different types of control measure
  (i.e. hardware and software controls)?
- Are the control measures associated with individual causes independent of each
  other, or can some or all be disabled by the same mechanism?
6.5 Linking Control Measures to the Safety Management System

If control measures are to reduce risks to As Low As Reasonably Practicable (ALARP),
the Operator must establish, implement and maintain a comprehensive and integrated
Safety Management System for those control measures. To achieve this, the Safety
Management System must define:
- Performance indicators for measuring the effectiveness of control measures, and
  the means by which performance indicators will be measured;
- The standards or levels that these performance indicators must attain to ensure
  safe operation, and the systems through which adherence to performance
  standards is to be maintained; and
- Critical Operating Parameters that define the safe operating envelope for the facility.


These concepts are central to maintaining safe operation, and are discussed in further
detail below. Other aspects of control measures that the Safety Management System
must manage include:
Assigning responsibility for maintaining the effectiveness of control measures;
Specifying the correct use of control measures, and ensuring the competency of
employees responsible for working with them;
Safely controlling all work (including maintenance) upon control measures;
Managing proposed changes to control measures;
Maintaining the corporate knowledge of the reasons for adopting or rejecting
control measures, and the design basis for adopted control measures;
Safely handling any identified failure of control measures; and
Identification of those control measures critical to safe operation of the facility.
These and other key concepts are discussed further in MIHAP No. 4 - Safety
Management Systems.

6.5.1 Performance Indicators


Control measure performance indicators enable the Operator to measure, monitor and
test the effectiveness of the adopted control measures. They help identify, and
therefore prevent, potential future failures in control measures. They also provide
insight into how well the Safety Management System is monitoring and maintaining
control measures, and therefore provide an indication of the performance of the Safety
Management System as well as of the control measures themselves.

Performance indicators may be expressed in quantitative or qualitative terms, and can
be defined for various levels. High-level indicators tend to address overall performance
issues, whereas low-level performance indicators tend to relate to specific control
measures or even sub-elements of control measures. There are many different types
of performance indicator that can be defined for each control measure. Table 11 gives
some examples of both high-level and low-level control measure performance
indicators that may be relevant to a facility. In some cases it may be possible to
combine low-level indicators to produce higher-level indicators.

Performance indicators, particularly lower level ones, may vary over the lifecycle of
the facility. For example, a particular control measure may have different performance
indicators for its procurement, installation, commissioning, operation and
decommissioning. Performance indicators should be specified with a clear definition of
who is responsible for ensuring they are measured, how, where and when they are to be
measured, and how often they must be measured. Any failure to measure a
performance indicator on schedule can itself be used as a higher-level performance
indicator for the effectiveness of part of the Safety Management System.

6.5.2 Performance Standards


Control measure performance indicators should generally include a target
performance level that the Operator either aims to achieve in order to ensure
safe operation, or in some cases, must achieve to avoid unsafe operation.
These can be considered as performance standards for the control measures, against
which measurements of the performance indicator can be compared.
Table 11 provides some examples of high and low level performance standards.


Table 11: Example Control Measure Performance Indicators and Standards

Level      | System                      | Performance Indicator              | Performance Standard
High level | Incident & Near Miss        | Reporting rates                    | > 10 near misses reported per year
           |   Reporting                 |                                    |
High level | Preventative Maintenance    | Number of overdue maintenance      | < 1 % of total tasks
           |                             |   tasks                            |
High level | Emergency Planning          | Number of drills                   | > 2 per year
Low level  | High pressure trip system   | Pressure at which system acts      | Within 10 kPa of set point
Low level  | Diesel fire pump            | Voltage of starter battery         | 13.2 ± 0.2 V
Low level  | Plant shutdown procedure    | Time for operator to complete      | < 3 minutes

The derivation of performance standards for control measures should be described
and justified. In the simplest cases, performance standards may be taken from
relevant industry standards, practices, or codes. In such cases, the Operator must
show that these are appropriate to the specific facility and the specific application of
the control measure. Alternatively, performance standards may be adopted from
manufacturers' recommended standards for supplied components. Again, in these
cases, the Operator must demonstrate that these standards are appropriate to the
specific case. In more complex cases, the Operator may need to derive the
performance standard for a control measure from assumptions regarding control
measure performance that have been made in the Risk Assessment. For example, if a
fault tree used in the Risk Assessment assumed that a particular system would
operate 99.9% of the time, then the performance standard for that system must
reflect this, and ongoing measurement of the performance indicator should support it.

Control measure performance standards may be either soft or hard targets. A soft
target is a desirable long-term goal, the breaching of which can be tolerated to a certain
extent or under certain conditions. A hard target, on the other hand, is one that must be
achieved within a prescribed timeframe, or where there is zero tolerance for any
breaches. For example, the performance standard for a preventative maintenance
system shown in Table 11 would most likely be a soft target. If it were exceeded,
operations would most likely not need to stop; however, it would indicate that
additional resources may be required to push performance back to acceptable
levels. Conversely, the performance standard for a diesel fire pump would most likely
be a hard target, which if violated would mean that operations must not continue until
performance was restored or equivalent, alternative control measures instated. Soft
targets can generally be exceeded for a defined period, provided potentially affected
areas are monitored. Hard targets will generally relate to critical control measures
that must be fully functional to maintain safe operation.

Regardless of the type of control measure, performance indicators and standards
should consider the following:
- They should measure the features of the control measure that define its
  functionality, availability, reliability and survivability.
- There should be comprehensive reporting of findings, particularly the reporting
  of failures.
- They should clearly define the steps that should be taken in the event of a
  detected failure in a control measure.


6.5.3 Critical Operating Parameters


Critical operating parameters are process or other variables that can be measured near
instantaneously, as opposed to performance indicators, which are usually tracked over a
period of time. Critical operating parameters define the safe operating envelope for the
facility, and breaches of this envelope should be immediately apparent to the Operator
through violation of target levels of one or more of these parameters.

Note 19: USEPA How to Prevent Runaway Reactions Case Study:


Phenol-Formaldehyde Reaction Hazards
An explosion occurred in a phenolic resins production unit in Ohio in 1997. One
worker was killed and four others injured. The explosion was caused by a runaway
reaction, which generated excessive pressure and temperature in a reactor that
had been charged with raw materials and catalyst and then heated too quickly,
against standard operating procedures.

As with performance indicators, critical operating parameters have target values that
should not be violated. A single critical operating parameter may have both soft and
hard target values. Soft targets should define the normal operating envelope (see
Figure 15). Violation of a soft target should provide warning that one or more control
measures have failed to maintain operations within that envelope. Targets must only
be considered as soft when there are additional control measures in place that will
restore safe operation, and the process is still in a known safe, albeit abnormal and
undesirable, operating zone. For example, the set points for high and low level alarms
may be soft target levels if trip systems or other protective devices are in place to
restore safe plant condition from beyond these points, and the process can safely
operate with somewhat higher or lower than normal levels. Hard targets should be
defined beyond the level of soft targets, but they must still be below the level of any
known unsafe or uncertain operating zone. Hard targets should never be exceeded,
even where there are additional control measures in place that can restore safe
operation from levels beyond these targets. For example, the set point for a high
pressure trip may be set as a hard target, even though a pressure relief valve is
installed that should protect the plant should the trip fail.
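The ordering rules in the paragraph above (soft targets inside hard targets, hard targets inside the known-unsafe zone, and soft targets permitted only where a restoring control exists) can be checked mechanically. The following is an added example, not part of this paper: one critical operating parameter with both target types, a validator for its definition, and a classifier for readings. The pressure values and the named restoring controls are constructed, not set points from any facility.

```python
"""Added example (not from the MIHAP paper): one critical operating parameter
with soft and hard targets, checked against the rules of Section 6.5.3.
Pressure values and control names are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CriticalOperatingParameter:
    name: str
    unit: str
    soft_low: float
    soft_high: float      # soft targets bound the normal operating envelope
    hard_low: float
    hard_high: float      # hard targets: never to be exceeded
    unsafe_low: float
    unsafe_high: float    # edge of the known unsafe or uncertain operating zone
    restoring_controls: tuple = ()   # controls that act beyond the soft targets


def validate(p):
    """Return a list of problem codes; an empty list means the definition
    follows Section 6.5.3."""
    problems = []
    # Hard targets sit outside the soft targets but inside the unsafe zone.
    if not (p.unsafe_low < p.hard_low < p.soft_low < p.soft_high < p.hard_high < p.unsafe_high):
        problems.append("ORDERING")
    # A target may only be treated as soft when additional control measures
    # will restore safe operation from beyond it.
    if (p.soft_low, p.soft_high) != (p.hard_low, p.hard_high) and not p.restoring_controls:
        problems.append("NO_RESTORING_CONTROL")
    return problems


def classify(p, value):
    """'normal', 'soft_breach' (known safe but abnormal zone: a control measure
    has failed to hold the normal envelope) or 'hard_breach'."""
    if p.soft_low <= value <= p.soft_high:
        return "normal"
    if p.hard_low <= value <= p.hard_high:
        return "soft_breach"
    return "hard_breach"


def required_action(p, value):
    state = classify(p, value)
    if state == "normal":
        return "continue"
    if state == "soft_breach":
        # Operations may continue while the restoring controls act and the
        # parameter is monitored.
        return "warn: confirm " + ", ".join(p.restoring_controls) + " acting; monitor"
    # Hard target breached: stop, even though a further control (e.g. a relief
    # valve beyond the trip) may still exist.
    return "stop: operations must not continue until safe operation is restored"


def first_breach(p, readings):
    """Index and state of the first reading outside the normal envelope, or None."""
    for i, value in enumerate(readings):
        state = classify(p, value)
        if state != "normal":
            return i, state
    return None


REACTOR_PRESSURE = CriticalOperatingParameter(
    name="Reactor pressure", unit="kPa",
    soft_low=100.0, soft_high=800.0,       # low/high alarm set points (constructed)
    hard_low=50.0, hard_high=950.0,        # low/high trip set points (constructed)
    unsafe_low=20.0, unsafe_high=1100.0,   # beyond this the plant state is unknown
    restoring_controls=("High pressure trip", "Low pressure trip"),
)

if __name__ == "__main__":
    print("definition problems:", validate(REACTOR_PRESSURE))
    for reading in (500.0, 850.0, 960.0, 30.0):   # constructed readings
        print(f"{reading:7.1f} {REACTOR_PRESSURE.unit}: "
              f"{classify(REACTOR_PRESSURE, reading):12s} {required_action(REACTOR_PRESSURE, reading)}")
```

The `validate` check is the part worth automating in a real register: a hard target accidentally set beyond the unsafe zone, or a soft target with no restoring control behind it, is a definition error that no amount of monitoring will catch at run time.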

Figure 15: Illustration of Critical Operating Parameters (CCPS 1992) (figure not reproduced)


By ensuring that the Safety Management System continuously monitors the critical
operating parameters for the facility, the Operator should be able to detect control
measure failures and implement corrective actions before these failures lead to
accidents. Performance indicators and standards can provide lead indication of control
measure failure. Critical operating parameters tend to provide lag indication of control
measure failures, but still provide lead indication of the potential for accidents.

Note 20: Example Control: Isolation Systems

Isolation systems are one of the important controls to prevent accidents. Many
major accidents have occurred through failure of the isolation system.
Process and storage equipment or pipework containing large quantities of hazardous
material require protective systems for isolation and shutdown in the event of a
loss of containment, in order to limit the quantity of material that might be released.
Isolation and shutdown systems are designed to prevent potentially dangerous
conditions from escalating to a release, or to mitigate releases. They form only one
part of the hierarchy of measures, and should not be used to mitigate poorly designed
or operated equipment, or as a substitute for control measures higher in the
hierarchy. Isolation and shutdown systems may include systems that:
Close valves, thereby limiting available inventory for release;
Shut down power to motors, compressors, pumps etc.;
Blowdown or vent material safely in order to relieve pressure;
Cool the contents of equipment; and
Purge material.

The number, type, response speed and effectiveness of isolation and shutdown
systems depends upon the scale of the hazard posed by the material and the
potential for dangerous conditions to arise. The procedures for using these systems
are just as important as the hardware and should form part of the emergency
response plan for a facility. Isolation valves and trips may be manual, remote operated
or automatic devices. Common features of isolation and shutdown systems include:
Classification as safety critical with corresponding testing, inspection
and maintenance requirements.
Normally single function, i.e. purely for emergency purposes.
Fail-safe design, e.g. fail closed, back-up power/air supplies.
Remain closed once operated until manually reset.
Effective leak tightness.
Designed with consideration of survivability, and protection against external
hazards such as fire and explosion.



7 Risk Assessment and Communication

When assessing risks, particularly risks associated with major accidents, it is unlikely
that an Operator will be able to demonstrate that risk has been eliminated or reduced
to negligible levels. Instead, the Operator will have to demonstrate that the risks are
tolerable, on the basis that they are acceptably low, and cannot be cost effectively
further reduced. Risks that meet these criteria are often considered to be As Low As
Reasonably Practicable, or ALARP.
ALARP is a principle that may be applied in relation to the degree of risk reduction that
may be sought from a particular activity. For example, this principle is a basic
requirement of the UK Health and Safety at Work Act, 1974. It has been described by
the UK Health and Safety Executive (HSE) in the following terms: "In weighing the
costs of extra safety measures the principle of reasonable practicability (ALARP)
applies in such a way that the higher or more unacceptable a risk is, the more,
proportionately, an employer is expected to spend to reduce it."

Risk levels and the concept of ALARP (see Figure 16) were developed by the HSE
(1992 & 2001). Above a certain level, a risk is regarded as intolerable and is forbidden
whatever might be the benefit. Below such levels, an activity is allowed to take place
and in pursuing any further safety improvement account can be taken of the cost. The
HSE suggests the limit of tolerable risk to a worker is 10^-3/year, and the limit of
tolerable risk to a member of the public is 10^-4/year. The risk to a member of the
public that might be regarded as acceptable, as opposed to tolerable, is taken to be
10^-6 per year.
n

Figure 16: Applying ALARP



In a NSW Occupational Health and Safety context, the Courts have given
consideration to the term "reasonably practicable" when used as part of a legal
defence. Comment has been made that "reasonably practicable" is a narrower term
than "physically possible", implying that a computation must be made in which the
quantum of risk is placed on one scale and the sacrifice involved in the measures
necessary for averting the risk (whether in money, time or trouble) is placed on the
other; and that if it be shown that there is a gross disproportion between them (the
risk being insignificant in relation to the sacrifice) the defendants discharge the onus
on them.
The Courts have noted that the greater the magnitude of the risk and the greater the
gravity of the harm, should the event occur, the higher is the duty to take precautions,
even if these are expensive or difficult to adopt.
Without necessarily endorsing the HSE criteria or attempting to establish specific
criteria for MHFs, the broad ALARP principle is endorsed in these guidelines. It should
be noted that, irrespective of numerical risk criteria, the broad aim should be to avoid
avoidable risk.

7.1 Summary of Criteria for Risk Assessment

There are essentially two sets of complementary criteria for assessment of existing
MHFs. Firstly, the individual fatality risk should be assessed against the land use
safety planning criteria established by PlanningNSW (Refer to Section 7.1.1).
Secondly, the risks to people (on- and off-site), property and the environment should
be assessed against site specific criteria (Refer to Section 7.1.2).

7.1.1 Risk Criteria for Land Use Safety Planning

PlanningNSW has established land use safety planning criteria that are applicable to
proposed and existing facilities in NSW. The criteria that are applicable to proposed
facilities are described in detail in MIHAP No. 8. The land use safety planning criteria
applicable to existing MHFs are included in Table 12 below.

Risk Assessment relying solely upon fatality risk criteria may not accurately represent
the risk associated with a facility. Reasons for this include:
Society is concerned about risk of injury as well as risk of death.
Fatality risk levels may not entirely reflect variations in people's vulnerability
to risk. Some people may be affected at a lower level of hazard exposure
than others.
Some accidents may only have the potential to cause property or environmental
damage, and not represent a risk to people.
Therefore, for new facilities, PlanningNSW has established additional land use safety
planning risk criteria for injury, property damage and environmental damage. These are
summarised in MIHAP No. 8.


Table 12: NSW Individual Fatality Risk Criteria for Existing Facilities

Principle 1: The 1 x 10^-6 individual fatality risk level is an appropriate criterion
within which no intensification of residential development should occur.
Interpretation: An existing facility that imposes an individual fatality risk greater
than 1 x 10^-6 on any residences (or greater than 0.5 x 10^-6 on any sensitive
developments) would not be permitted to modify the process without specific
case-by-case consideration by PlanningNSW.

Principle 2: Safety updates/reviews and risk reduction at facilities where resultant
levels are in excess of the 10 x 10^-6 individual fatality risk level should be
implemented to ensure that operational and organisational safety measures are in
place to reduce the likelihood of major hazardous events to low levels. A target level
is to be established on an area basis.
Interpretation: An existing facility that imposes an individual fatality risk greater
than 10 x 10^-6 on any residences (or greater than 5 x 10^-6 on any sensitive
developments) would be required to undertake safety updates and reviews with the
aim to reduce the risk levels below this value.

Principle 3: Intensification of hazardous activities in an existing complex
accommodating a number of industries of a hazardous nature should only be allowed if
the resultant 1 x 10^-6 individual fatality risk level is not exceeded by the proposed
facility and subject to cumulative risk threshold considerations.
Interpretation: An existing facility that is in a complex of hazardous industries would
not be able to increase its risks if the individual fatality risk on any residences is
greater than 1 x 10^-6 (or is greater than 0.5 x 10^-6 on any sensitive developments).

Principle 4: Mitigating the impact on existing residential areas from existing
hazardous activities (in addition to safety review/updates) should essentially include
specific area-based emergency plans. Emergency planning should be on the basis of
consequences for credible scenarios with emphasis on areas within the 1 x 10^-6 risk
contour.
Interpretation: An existing facility that imposes an individual fatality risk greater
than 1 x 10^-6 on any residences (or greater than 0.5 x 10^-6 on any sensitive
developments) would be required to ensure that appropriately detailed emergency plans
are developed for all credible accident scenarios.
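The HSE tolerability limits quoted in Section 7 and the Table 12 criteria above, applied together as an added example that is not part of MIHAP No. 3: a screening routine that bands an individual fatality risk in the Figure 16 framework and lists which Table 12 interpretations a facility triggers. The threshold values are the ones the paper quotes; the facility figures in the usage block are constructed.

```python
"""Screening individual fatality risk against the criteria quoted in Section 7.

Added example, not part of MIHAP No. 3.  The thresholds are those the paper
quotes (HSE tolerability limits in Section 7; Table 12 criteria for existing
NSW facilities).  The facility figures at the bottom are constructed.
All risks are individual fatality risks per year.
"""
from typing import List

# HSE limits as quoted in Section 7 (per year).
HSE_INTOLERABLE = {"worker": 1e-3, "public": 1e-4}
HSE_BROADLY_ACCEPTABLE = 1e-6


def hse_band(risk: float, receptor: str) -> str:
    """Place an individual risk in the three-band framework of Figure 16."""
    if risk >= HSE_INTOLERABLE[receptor]:
        return "intolerable"
    if risk < HSE_BROADLY_ACCEPTABLE:
        return "broadly acceptable"
    return "ALARP region"


# Table 12 thresholds on residences; sensitive developments use half the value.
CASE_BY_CASE = 1e-6     # 1 x 10^-6
SAFETY_REVIEW = 10e-6   # 10 x 10^-6


def table12_requirements(risk_residence: float, risk_sensitive: float,
                         in_hazardous_complex: bool = False) -> List[str]:
    """Return the Table 12 interpretations triggered by the highest individual
    fatality risk a facility imposes on any residence and on any sensitive
    development.  An empty list means no Table 12 requirement is triggered."""
    above_1 = risk_residence > CASE_BY_CASE or risk_sensitive > CASE_BY_CASE / 2
    above_10 = risk_residence > SAFETY_REVIEW or risk_sensitive > SAFETY_REVIEW / 2
    reqs: List[str] = []
    if above_1:
        reqs.append("process modification only with case-by-case consideration by PlanningNSW")
        reqs.append("appropriately detailed emergency plans for all credible accident scenarios")
        if in_hazardous_complex:
            reqs.append("no increase in risk from the facility within the hazardous-industry complex")
    if above_10:
        reqs.append("safety updates and reviews aimed at reducing risk below 10 x 10^-6")
    return reqs


if __name__ == "__main__":
    # Constructed facility: 2 x 10^-5 on the nearest residence, 1 x 10^-6 on a
    # nearby school, sited in a complex of hazardous industries.
    for requirement in table12_requirements(2e-5, 1e-6, in_hazardous_complex=True):
        print("-", requirement)
    print("HSE band for the residence:", hse_band(2e-5, "public"))
```

Note that the sensitive-development test uses the halved threshold, so a facility can be clear on residences yet still trigger a requirement through a school or hospital.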

7.1.2 Example Site Specific Criteria

In assessing the acceptability of risks posed by a facility on people (on- and off-site),
property and the environment, quantitative and qualitative criteria can be used.
The use of quantitative risk criteria has both strengths and weaknesses. It allows a
more precise and consistent approach to defining the acceptability of risk; however, it
tends to require resource-intensive Risk Assessment tools which may be difficult for a
non-specialist to understand. These arcane techniques can thus generate suspicion in
the public or nearby residents, who will most likely be unaware of the details of the
techniques. Furthermore, the use of quantitative risk criteria may give a misleading
sense of accuracy of the Risk Assessment tools employed.
Qualitative risk assessment tools, such as risk matrices, can also be used. In risk
matrices, the risk level is determined based on the cell into which the risk is allocated
(see Figure 6 for an example risk matrix). Since risk increases diagonally across the
matrix, bands of broad risk levels can generally be established on the matrix,
perpendicular to the direction of risk increase. These bands broadly correlate to the
risk bands in Figure 16, with Low risk levels in the broadly acceptable region, both
Moderate and High risk levels within the ALARP band, and Extreme risk levels in the
intolerable region.
However, Operators should note that the risk matrix approach, whilst it may be useful
in ranking risks and in support of the demonstration of adequacy, is unlikely to be
sufficient on its own for many facilities. Generally, risk matrices are too coarse a tool
to distinguish the benefits when reviewing alternative controls, and are not well suited
to fully addressing cumulative risk. Operators who use risk matrices should give clear
definitions for the indices on the matrix and show what action or significance is
attributed to each position on the matrix. Operators should also check that any risk
criteria superimposed on a risk matrix are broadly consistent with the land use safety
planning risk criteria presented in Section 7.1.1 and in MIHAP No. 8.
It is important for Operators to note that while assessment against quantitative or
qualitative risk criteria may support the demonstration that risks are reduced to
ALARP, it is unlikely that a full demonstration can be made solely on the basis of risk
assessment and comparison with risk criteria. However, they can assist with this
demonstration, as well as help to determine the urgency of actions required and the
criticality of control measures.

Another method of estimating risk is the Potential Loss of Life (PLL). This is an
estimate of risk to society rather than individuals, as it represents the number of
fatalities expected to occur each year, averaged over a long period. The PLL is a useful
basis for cost-benefit analyses of risk reduction measures, via another measure
known as the Implied Cost of Averting Fatality:

ICAF = cost of measure / (initial PLL - reduced PLL)

Such calculations are often controversial, as they can be seen to place a monetary
value on human life. However, the ICAF is not a value of a life, as no-one can be
compensated for the loss of their life, but is an estimate of the value placed on slightly
changing the risk levels to a large number of people. The use of ICAF values is
common in many areas of industry and government, and may be suitable for
application to decision-making in regard to optional control measures for major
hazards. For example, a low ICAF for a proposed risk reduction measure implies that
the measure is highly effective, because the cost is low compared to the risk
reduction achieved. Conversely, a high ICAF implies an ineffective risk reduction
measure, where the cost may be better diverted elsewhere.
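The PLL and ICAF definitions above carried through on constructed data, as an added example that is not part of MIHAP No. 3: a PLL is summed over exposed groups, each candidate measure is scored by ICAF, and measures are ranked so that the lowest ICAF (most cost-effective) comes first. The exposed groups, costs, risk values and measure names are all constructed; a measure that does not change the PLL is reported as having no ICAF rather than dividing by zero.

```python
"""Potential Loss of Life (PLL) and Implied Cost of Averting Fatality (ICAF).

Added example, not part of MIHAP No. 3.  It applies the Section 7.1.2
definitions (PLL = expected fatalities per year summed over everyone
exposed; ICAF = cost of measure / (initial PLL - reduced PLL)) to a
constructed set of exposed groups and candidate risk reduction measures.
Costs and risks are illustrative values, not data from the paper.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ExposedGroup:
    name: str
    persons: int
    individual_risk: float   # fatality risk per person per year


@dataclass(frozen=True)
class Measure:
    name: str
    cost: float                      # whole-of-life cost, one currency unit throughout
    risk_factor: Dict[str, float]    # group name -> multiplier on individual risk after the measure


def pll(groups: List[ExposedGroup]) -> float:
    """Expected fatalities per year across all exposed groups."""
    return sum(g.persons * g.individual_risk for g in groups)


def apply_measure(groups: List[ExposedGroup], measure: Measure) -> List[ExposedGroup]:
    """Risk profile after the measure; groups it does not touch keep factor 1.0."""
    return [ExposedGroup(g.name, g.persons,
                         g.individual_risk * measure.risk_factor.get(g.name, 1.0))
            for g in groups]


def icaf(groups: List[ExposedGroup], measure: Measure) -> Optional[float]:
    """Cost per statistical fatality averted.  Returns None when the measure
    gives no PLL reduction: the ICAF formula would divide by zero, and such a
    measure cannot be justified on fatality-risk grounds at all."""
    reduction = pll(groups) - pll(apply_measure(groups, measure))
    if reduction <= 0.0:
        return None
    return measure.cost / reduction


def rank_measures(groups: List[ExposedGroup],
                  measures: List[Measure]) -> List[Tuple[str, Optional[float]]]:
    """Lowest ICAF (most cost-effective) first; measures with no benefit last."""
    scored = [(m.name, icaf(groups, m)) for m in measures]
    return sorted(scored, key=lambda t: (t[1] is None, t[1] or 0.0))


# Constructed population and candidate measures.
GROUPS = [
    ExposedGroup("production office", 20, 2e-5),
    ExposedGroup("control room", 5, 1e-4),
    ExposedGroup("nearest residents", 100, 8e-7),
]
MEASURES = [
    Measure("Relocate production office", 500_000.0, {"production office": 0.1}),
    Measure("Additional gas detection", 80_000.0,
            {"production office": 0.5, "control room": 0.5, "nearest residents": 0.5}),
    Measure("Repaint pipework", 20_000.0, {}),   # no effect on fatality risk
]

if __name__ == "__main__":
    print(f"initial PLL = {pll(GROUPS):.2e} fatalities/yr")
    for name, value in rank_measures(GROUPS, MEASURES):
        shown = "n/a" if value is None else f"{value:.3g}"
        print(f"{name:30s} ICAF = {shown}")
```

The ranking shows the point the paragraph makes: the cheaper, broader measure has the lower ICAF even though the expensive relocation removes more risk from one group, and the measure with no effect on fatality risk cannot be compared on this basis at all.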


7.2 Risk Communication

The ongoing management and use of the information developed during Hazard
Identification and Risk Assessment is of fundamental importance to ongoing safe
operation. All key findings should be disseminated throughout the workforce, to
ensure that all employees understand the hazards and risks associated with the
facility, the control measures in place to manage these risks, and their roles in the
event of an accident.
Within the workforce of a facility, the focus should be on the control measures that
prevent or mitigate accidents. The workforce has the ability to affect the
effectiveness of the control measures and, through understanding the potential for
accidents to occur if the control measures are degraded, an appropriate focus on
maintaining the control measures can be held.
For neighbouring workplaces, the focus of risk communication can be on the
emergency plan and the actions that could be required by the personnel on the
neighbouring sites. This will provide the neighbouring workplaces with an
understanding of their interaction with the facility in the event of a major incident.
Local residents will have concerns regarding any routine emissions from the site as
well as the potential for catastrophes. Their concerns will be related to their on-going
health and enjoyment of their homes. The level of understanding of the technical
issues that may exist at the facility will vary enormously and will require various levels
of information. Communication that addresses these issues may require expertise
from public relations experts.
Government agencies require communication in accordance with the appropriate
regulations. MIHAP No. 5 contains a description of the Safety Report that is required
of Major Hazard Facilities. Regular communication with the regulator during the
process of developing the Safety Report is recommended to enable specific guidance
to be provided on the level of detail that may be required.

8 Review and Revision

Despite the significant investment in undertaking a Hazard Identification and Risk
Assessment process, it will be necessary to keep the documentation up to date. The
Safety Report required for submission to the regulator must be updated and
re-submitted (also termed revalidation) at intervals of not more than 5 years.
Other triggers for a facility to update the hazard assessment include:
A change to the plant, processes, operating procedures or quantities of hazardous
materials,
Introduction of new plant, processes or operating procedures,
A change to the Safety Management System,
Following a significant incident at the facility.
The advantages in keeping the assessment up to date are many. The understanding
by personnel of the hazards of the facility and their associated controls is maintained.
Enquiries from local residents, emergency services or nearby workplaces can be
handled expediently and using up-to-date information.

When reviewing a Risk Assessment, the following issues should be considered:
New technology for reducing or eliminating risk;
New lessons from incidents on site or elsewhere;
Changes to the Safety Management System;
Changes to data (e.g. toxicity, failure rates etc.);
Updated computer software;
Changes in perception of particular risks; and
Changes in neighbouring land-use and in local populations.

When preparing for revalidation of a hazard analysis and risk assessment, the prior
study must be critically examined to assess its ability to be updated. Where a previous
study was inadequate in its methodology, it will be necessary to redo the study.
Where a previous study did not consider some sections of plant, the study will be able
to be extended, rather than repeated. One set of criteria for assessing a previous
study included an assessment of the completeness of the following (Frank & Whittle
2001):
(i) Identification of the hazards of the process;
(ii) The identification of any previous incident which had a likely potential for
catastrophic consequences in the workplace;
(iii) Engineering and administrative controls applicable to the hazards and their
interrelationships such as appropriate application of detection methodologies to
provide early warning of releases; and
(iv) Consequences of failure of engineering and administrative controls.


Some of the aspects of a deficient study are the following (taken from a more
complete list in Frank & Whittle 2001):
Inadequate team and/or facilitator expertise;
Failure to identify or document all credible hazards associated with the process;
Important initiating events not captured;
Failure to address all operating modes (e.g. start-up, shut-down); and
Claiming ineffective safeguards when evaluating likelihoods (e.g. claiming operator
intervention when, in reality, the scenario would develop too quickly for effective
intervention).
When undertaking a review and update of a study it is essential to identify all the
changes to the facility since the last study. Such changes can include changes that
have been made to P&IDs, changes to operating instructions, changes to control
philosophies, changes in raw materials, changes in staffing levels or training
programs, changes to adjacent land uses and changes to the maximum achievable
throughput. Compiling a list of the changes since the previous study was completed
requires the knowledge of numerous people in the facility as well as detailed records.
Auditing of the process and outcomes of the risk assessment is also required to
provide the Operator with assurance that the information contained in the risk
assessment has been implemented. Auditing can provide assurance that the
information used in the risk assessment is accurate and can provide early warning that
systems are less effective than anticipated or are falling into disrepair. As with all
audits, a balance must be sought between internal audits using people familiar with
the processes and the operating history and external audits using fresh eyes and
independent views. (See MIHAP No. 11 for more details on Safety Auditing).

Example Form/s

Hazard Identification Word Diagram

Column headings: Functional / Operational Area | Initiating Event/s | Consequence/s |
Prevention / Protection Measure/s

Example of a Partially Completed Hazard and Risk Register

Facility Section or Operation: Plant A
Scenario Description: Loss of Containment from Pump P101
Reference No.: PA-LOC1
Material/s (Max. Quantities): Material A (X kg in pump and connecting pipework)

Ref. No.: PA-LOC1-1
Initiating Event: Seal leak (without ignition)
Type and Magnitude: Unignited release of Material A to atmosphere. Max. downwind
distance to ground level conc. of 100 ppm = 25 m. Max. downwind distance to ground
level conc. of 10 ppm = 250 m.
Potential Effects, People: Injury to (and hospitalisation) of up to 5 on-site personnel
at production office [MINOR]. Detectable odour at nearest residence [NA].
Potential Effects, Biophysical Environment: None identified [INSIGNIFICANT].
Potential Effects, Property: None identified [INSIGNIFICANT].
Potential Effects, Economic Impact: Minor disruption to operations until stand-by pump
is brought on-line [INSIGNIFICANT].
Existing Control Measures: Automatic gas detection and isolation system in Plant A.
Etc.
Critical Control Measure (Yes/No): No
SMS Ref.: S. 3-3, S. 5-1
Perf. Std No.: -
COP Data Sheet No.: -
Description of Likelihood of Potential Effects: Seal leak = 1 x 10^-3 per yr. Frequency
of release (without ignition) with existing control measures = 1 x 10^-4 per yr (see
attached event tree). Probability of wind direction (towards production office) = 0.2.
Total (approx.) likelihood ~ 2 x 10^-5 per yr [REMOTE].
Risk Rating: LOW (refer to Figure 6)
Action/s: Etc.

Initiating Event: Seal leak (with immediate ignition)
Remaining columns: Etc.

Note: Critical control measures are only associated with major accident hazards.
Although the gas detection and isolation system is not a critical control measure in
this case, it may be critical for a different scenario or initiating event.
Note: The Perf. Std No. and COP Data Sheet No. columns cross-reference
documentation on specific critical control measure performance standards and
critical operating parameters.
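The likelihood arithmetic in register row PA-LOC1-1 above, carried through as an added example that is not part of MIHAP No. 3 or of its example form: the seal-leak frequency is multiplied along one event-tree path (control failure, then wind direction), the result is placed in a likelihood category, and a consequence rating of MINOR is combined with it on a risk matrix to give LOW. The control-failure probability of 0.1 is implied by the register's 1 x 10^-4 per year with controls; the likelihood band boundaries and the matrix are constructed assumptions, since the paper's own matrix (Figure 6) is not on this page.

```python
"""Likelihood estimate and risk rating for a Hazard and Risk Register entry.

Added example, not part of MIHAP No. 3 or of its example register.  The
frequencies reproduce the worked row PA-LOC1-1: seal leak 1 x 10^-3 per
year, release frequency with existing controls 1 x 10^-4 per year (which
implies the detection and isolation system fails to limit the release with
probability 0.1), and wind towards the production office 0.2.  The
likelihood bands and the risk matrix are constructed assumptions; the
paper's own matrix (Figure 6) is not on this page and is not reproduced.
"""
from typing import List, Tuple

Branch = Tuple[str, float]   # (event-tree branch label, conditional probability)


def outcome_frequency(initiating_freq: float, branches: List[Branch]) -> float:
    """Initiating-event frequency multiplied along one event-tree path."""
    if initiating_freq < 0.0:
        raise ValueError("frequency must be non-negative")
    freq = initiating_freq
    for label, p in branches:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"branch '{label}': probability {p} not in [0, 1]")
        freq *= p
    return freq


# Constructed likelihood bands (per year), checked from the highest down.
LIKELIHOOD_BANDS = [
    ("FREQUENT", 1e-1),
    ("PROBABLE", 1e-2),
    ("OCCASIONAL", 1e-3),
    ("UNLIKELY", 1e-4),
    ("REMOTE", 1e-6),
]
LIKELIHOODS = ["IMPROBABLE"] + [name for name, _ in reversed(LIKELIHOOD_BANDS)]
CONSEQUENCES = ["INSIGNIFICANT", "MINOR", "MODERATE", "MAJOR", "CATASTROPHIC"]


def likelihood_category(freq: float) -> str:
    """Lowest band whose lower bound the frequency reaches; below all bands
    the event is IMPROBABLE."""
    for name, lower_bound in LIKELIHOOD_BANDS:
        if freq >= lower_bound:
            return name
    return "IMPROBABLE"


def risk_rating(likelihood: str, consequence: str) -> str:
    """Constructed risk matrix.  Risk increases diagonally, so the bands are
    drawn on the sum of the two ranks, as Section 7.1.2 describes."""
    score = LIKELIHOODS.index(likelihood) + CONSEQUENCES.index(consequence)
    if score <= 2:
        return "LOW"
    if score <= 4:
        return "MODERATE"
    if score <= 6:
        return "HIGH"
    return "EXTREME"


def assess(initiating_freq: float, branches: List[Branch],
           consequence: str) -> Tuple[float, str, str]:
    """Frequency per year, likelihood category and risk rating for one row."""
    freq = outcome_frequency(initiating_freq, branches)
    likelihood = likelihood_category(freq)
    return freq, likelihood, risk_rating(likelihood, consequence)


# Register row PA-LOC1-1: seal leak without ignition, MINOR consequence to people.
PA_LOC1_1 = (
    1e-3,
    [("detection/isolation fails to limit release (implied by 1e-4 with controls)", 0.1),
     ("wind towards production office", 0.2)],
    "MINOR",
)

if __name__ == "__main__":
    freq, likelihood, rating = assess(*PA_LOC1_1)
    print(f"{freq:.1e} per yr -> {likelihood} x MINOR -> {rating}")
```

Keeping the branch probabilities explicit, rather than writing the 2 x 10^-5 result straight into the register, is what lets a reviewer see which control measure the likelihood claim depends on; that is the same information the "Critical Control Measure" and SMS reference columns are there to record.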

Hazard and Risk Register

Facility Section or Operation:
Scenario Description:
Reference No.:
Material/s (Max. Quantities):

Column headings: Ref. No. | Initiating Event | Description of Potential Consequences
(Including Magnitude and Effects): Type and Magnitude; Desc. of Potential Effects
(On-Site and Off-Site) and Consequence Rating for People, Biophysical Environment,
Property and Economic Impact | Existing Control Measures: Description; Critical
Control Measure (Yes/No); SMS Ref.; Perf. Std No.; COP Data Sheet No. | Description of
Likelihood of Potential Effects (On-Site and Off-Site) and Likelihood Rating | Risk
Rating | Action/s


Appendix 1: Example Major Accidents

Longford (Australia), 1998
The low temperature brittle failure of a heat exchanger in a gas separation plant led to
a fire and several explosions that killed 2 and injured another 8 people. The immediate
cause of the incident was the loss of flow of the heating medium in the heat exchanger,
when the pumps that circulated this fluid stopped. Plant operators were not aware of
the hazard this represented, nor did they react correctly to warning signs. An operating
instruction highlighting this hazard was no longer available and HAZOPs on the plant
had been deferred. A near miss occurred 1 month prior to the accident and had very
similar causes.

Pasadena (USA), 1989
A major fire and series of explosions occurred within a polyethylene plant at a chemical
complex, and resulted in 23 fatalities. The release was caused through the use of
inappropriate isolation procedures and human factors (ergonomics). The consequences
of the release were a large vapour cloud explosion and fire, which later escalated to
two other explosions in separate parts of the plant. The severity of the consequences
and the escalations were exacerbated by the plant layout and the vulnerability of
fire-fighting systems to fire and blast damage.

Piper Alpha, 1988
This accident resulted in the loss of 167 lives and destruction of an entire offshore
platform. It began with a small leak in a condensate pump system. A combination of
operational, design and equipment failures enabled this release to escalate into a
major fire and a series of explosions. Many of the underlying causes that led to the
disaster had been present (and in some cases evident) for many months prior.

Bhopal (India), 1984
Following a release of highly toxic methyl-isocyanate via a vent stack, over 2000
people were killed at a large shanty town adjoining a chemical plant. The release was
caused by water ingress to the system, which caused a reaction that generated
sufficient pressure to lift a relief valve. Leading up to the accident, a range of systems
and equipment that could have prevented the accident had either been malfunctioning,
or were taken out of service, including a system for scrubbing the release. These
factors were disregarded because the plant was shut down. In the years leading up to
the accident, there had been significant reductions in the workforce, and the shanty
town was not present when the plant was built. However, there had been no
significant change to site control measures despite these changes. The local
community was not adequately informed about the potential hazards of the facility and
the emergency response procedures.


Three Mile Island (USA), 1979
An operational upset at a nuclear power station threatened to release radioactive
material into the local community. The accident was caused by control system design
faults, human factors and incomplete investigations of previous near misses.

Seveso (Italy), 1976
A bursting disc on a chemical reactor ruptured, releasing a cloud containing, among
other things, TCDD. The cloud settled out downwind, and in the coming days farm
animals died and people became ill. It took over 2 weeks before the health risk caused
by the release was recognised by officials; over 700 people were evacuated. The
release was caused by a runaway reaction. Operational errors and inadequate design
of protective systems were identified as contributory factors; however, probably the
most important lesson from this accident was the way in which the emergency
situation was managed.

Flixborough (UK), 1974
A pipe installed as a temporary bypass failed, releasing a large cloud of cyclohexane
that exploded and killed 28 persons. Due to the perceived urgency of the need to
bypass a reactor, and the fact that there had been significant organisational change,
the modification was not adequately designed and constructed. Not only was the
hazard not identified during the modification, it was not recognised during subsequent
operations despite warning signs.

Sandoz (Germany), 1986
Water used to extinguish a major fire at a Sandoz warehouse in Basel carried
approximately 30 tonnes of a fungicide (containing mercury) into the Upper Rhine.
Fish were killed over a stretch of 100 km.

Appendix 2: Example Risk Matrix Consequence and Likelihood Categories

The following tables summarise a number of different approaches that have been taken to define the consequence and likelihood categories for risk matrices.

Table 13: Consequence Categories: Injury and Fatality

AS/NZS 4360: 1999
Insignificant: No injuries
Minor: First aid treatment
Moderate: Medical treatment required
Major: Extensive injuries
Catastrophic: Death

AS/NZS 3931:1998
Minor: Minor injury; Minor occupational illness
Severe: Severe injury; Severe occupational illness
Major: Few fatalities
Catastrophic: Many fatalities

AS2885.1:1997
Minor: No injuries
Severe: Hospitalising injuries
Major: Few fatalities
Catastrophic: Many fatalities

UNEP IE/PAC Tech. Report No. 12
Unimportant: Temporary slight discomfort
Limited: A few injuries; Long-lasting discomfort
Serious: A few serious injuries; Serious discomfort
Very Serious: A few (>5) deaths; Several (20) serious injuries
Catastrophic: Several deaths (>20); Hundreds of serious injuries

Sandia National Laboratories
Negligible: None to minor injuries requiring none or only little immediate medical
attention; Less than 2 lost worker days; No off-site effect
Marginal: Mendable injury that may require surgery, hospitalisation, outpatient
treatment, moderate or less rehabilitation; Injury resulting in two or more worker days
lost
Critical: One employee death; Permanent worker disability including irreversible
injuries; Severed limb, permanent paralysis or hospitalisation; Minor injuries off site
Catastrophic: More than one employee death; Significant public injuries

Industry Example 1
Low: Low level short-term subjective inconvenience or symptoms; No measurable
physical effects; No medical treatment
Minor: Objective but reversible disability/impairment; Medical treatment injuries
requiring hospitalisation
Moderate: Moderate irreversible disability; Impairment (<30%) to one or more persons
Major: Single fatality; Severe irreversible disability or impairment (>30%) to one or
more persons
Critical: Short or long term health effects leading to multiple fatalities; Significant
irreversible human health effects to >50 persons

Industry Example 2
Limited: First aid treatment
Minor: Casualty treatment
Severe: Serious injury
Major: Fatality
Disaster: Multiple fatalities (internal)
Catastrophe: Multiple fatalities (internal and external)

Industry Example 3
Notable Event: 1 Minor injury; First aid
Significant Event: Recordable or single MTC; 1 LWC
Highly Significant: Multiple MTC; Multiple LWC
Serious Event: Disability casualty
Extremely Serious: 1 Fatality
Catastrophic: Multiple fatalities

Industry Example 4
Minor: Localised first aid treatment
Moderate: Medical treatment required
Major: Extensive injuries; Permanent part disability
Catastrophic: Fatality(s) or permanent serious disability(s)

Industry Example 5
Level 0: No health effect/injury
Level 1: Slight health effect/injury
Level 2: Minor health effect/injury
Level 3: Major health effect/injury
Level 4: Single fatality
Level 5: Multiple fatalities

Table 14: Consequence Categories: Environment

AS/NZS 4360: 1999
Minor: On-site release immediately contained
Moderate: On-site release contained with outside assistance
Major: Off site release with no detrimental effects
Catastrophic: Toxic release off site with detrimental effect

AS/NZS 3931:1998

AS2885.1:1997
Minor: No loss of containment
Major: Major enviro. damage

UNEP IE/PAC Tech. Report No. 12
Unimportant: No contamination; Localised effects
Limited: Simple contamination; Localised effects
Serious: Simple contamination; Widespread effects
Very Serious: Heavy contamination; Localised effects
Catastrophic: Very heavy contamination; Widespread effects

Sandia National Laboratories
Negligible: Clean up = <US$50,000; Small spills or spills that do not immediately enter
into the soil; Contamination that is quickly and readily cleaned up with on-site or
locally available tech.
Marginal: Clean up = US$50k-1M; Minor soil contamination with nearly no potential for
contaminant migration
Critical: Clean up = US$1M-10M; Sig. soil contamination; Likely long term migration of
contamination off site or to water source (Does not pose short term threat to off-site
or endangered animals/fauna)
Catastrophic: Clean up = >US$10M; Ground water or surface water in immediate danger
of contamination

Industry Example 1
Low: No lasting effect; Low level impacts on biological or physical environment; Limited
damage to minimal area of low significance
Minor: Minor effects on biological or physical environment; Minor short term damage to
small area of limited significance
Moderate: Moderate effects on biological or physical enviro. but not affecting
ecosystem function; Moderate short-medium term widespread impacts (e.g. oil spill
causing impacts on shoreline)
Major: Serious effects with some impairment of ecosystem function (e.g. displacement
of a species); Relatively widespread medium-long term impacts
Critical: Very serious environmental effects with impairment of ecosystem function;
Long term widespread effects on significant environment (e.g. unique habitat, National
Park)

Industry Example 2
Limited: Limited environmental damage; Tier 3 penalty AUS$1500
Minor: Environmental licence breach; Minor marine oil spill and/or media
Severe: Minor Tier 2, AUS$250,000; Tier 2 and/or third party claim
Major: Tier 2 penalty or marine oil spill; Tier 1 penalty, AUS$1,000,000; Large 3rd party
claim
Disaster: Significant persistent environmental damage; Large marine oil spill
Catastrophe: Gross persistent environmental damage

Industry Example 3
Notable Event: Very minor pollution; Local concern
Significant Event: Minor local pollution
Highly Significant: Evident pollution
Serious Event: Significant local pollution
Extremely Serious: Major local pollution
Catastrophic: Extremely severe pollution

Industry Example 4
Minor: Event with no adverse effects
Moderate: Some (temporary) adverse effects; Exceed licence levels
Major: Long term effects; Provokes actions from authorities
Catastrophic: Event with major impact on environment; (Potential) revoking of licence

Industry Example 5
Level 0: No effect
Level 1: Slight effect
Level 2: Minor effect
Level 3: Localised effect
Level 4: Major effect
Level 5: Massive effect

Table 15: Likelihood Categories

AS/NZS 4360:1999
- Rare: May occur in exceptional circumstances
- Unlikely: Consequence could occur at some time
- Possible: Consequence might occur at some time
- Likely: Consequence will probably occur in most circumstances
- Almost Certain: Consequence expected to occur in most circumstances

AS/NZS 3931:1998
- Incredible: < 0.000001 per year
- Improbable: 0.000001-0.0001 per year
- Remote: 0.0001-0.01 per year
- Occasional: 0.01-0.1 per year
- Probable: 0.1-1.0 per year
- Frequent: > 1.0 per year

AS2885.1:1997
- Hypothetical to Improbable: 'Theoretically possible' (but has never occurred on a similar pipeline) to 'examples of this type of event have historically occurred' (but not anticipated for the pipeline in this location)
- Remote: Very unlikely to occur within the life of the pipeline
- Unlikely: Not likely to occur in the life of the pipeline, but possible
- Occasional: Expected to occur several times in the life of the pipeline
- Frequent: Expected to occur typically once per year or more

UNEP IE/PAC Technical Report No. 12
- Improbable: Less than once per 1,000 years (< 0.001 per year)
- (no label given): Once per 100-1,000 years (0.001-0.01 per year)
- Quite Probable: Once per 10-100 years (0.01-0.1 per year)
- (no label given): Once per 1-10 years (0.1-1.0 per year)
- Catastrophic: More than once per year (> 1.0 per year)

Sandia National Laboratories
- Incredible: < 0.000001 per year
- Extremely Unlikely: 0.000001-0.0001 per year
- Unlikely: 0.0001-0.01 per year
- Likely: > 0.01 per year

Industry Example 1
- Rare: Consequence may occur under exceptional circumstances; 0.00001-0.001 per year
- Unlikely: Consequence could occur at some time; 0.001-0.01 per year
- Possible: Consequence should occur at some time; possible history of near miss; 0.01-0.1 per year
- Likely: Consequence will probably occur in most circumstances; history of near miss; 0.1-1.0 per year
- Almost Certain: Consequence expected to occur in most circumstances; 1.0-10 per year

Industry Example 2
Frequency of initial condition:
- Very Rare: Roughly 1 in every 100 years (0.01 per year)
- Rare: 1 every 10 years (0.1 per year)
- Infrequent to Frequent: 1 per year to 1 per day (1.0-365 per year)
Probability of identified consequence:
- Conceivable: 1 in 10,000 chance (0.0001)
- Remotely Possible: 1 in 1,000 chance (0.001)
- Unusual: 1 in 100 chance (0.01)
- Almost Certain: 1 in 10 chance (0.1)

Industry Example 3
- Extremely Unlikely: < 0.000001 per year
- Very Unlikely: 0.000001-0.0001 per year
- Unlikely: 0.0001-0.01 per year
- Likely: 0.01-1.0 per year
- Almost Certain: 1.0-10 per year

Industry Example 4
- Rare: Practically impossible
- Unlikely: Not likely to occur
- Likely: Known to occur; 'It has happened before'
- Almost Certain: Common repeating occurrence

Industry Example 5
- Levels A-B: Never heard of in industry; has occurred in the industry
- Level B: Has occurred in the industry
- Level C: Has occurred within Company facilities
- Levels D-E: Occurs > once a year in Company facilities; occurs > once per year at Company facility


Appendix 3: Models for Consequence Analysis
The modelling of the consequences of hazardous incidents is a complex field requiring
a substantial degree of expertise. The intention of this appendix is to provide a basic
understanding of the range of issues involved and to direct those interested towards
more detailed reference material. The references included have been selected because
they are authoritative and widely available. They do not necessarily cover specialised
detail nor do they necessarily represent the latest developments or techniques.
AIChE (2000) provides a good overview of the range of consequence models available.
The TNO Yellow Book (1997) provides more detailed descriptions of some of the
models.

Discharge Models
Discharge models are often the first stage in developing consequence estimates. Their
purpose is to allow the rate of release and the amount released to be estimated.

ft
It is important to correctly determine the phase of the discharge as this affects the
flow rate. The release could be in the form of a gas, liquid or two-phase mixture. The
behaviour of the contents of the vessel and the discharge rate depend on a number of
factors such as the properties of the material and the temperature and pressure within
the vessel immediately before release.
Some examples of discharge phenomena are as follows:
a) vapour discharges may result from:
- a hole in equipment containing gas under pressure;
- a valve discharge of vapour only;
- evaporation or boil-off from a liquid pool.
b) liquid discharges may result from:
- holes in atmospheric storage tanks or other atmospheric storage vessels or pipes under liquid head;
- holes in process equipment containing pressurised liquids below their normal boiling point.
c) two-phase discharges may result from:
- a hole in equipment in the region of a gas/liquid interface;
- a hole in pressurised process equipment containing a liquid above its normal boiling point;
- a relief valve discharge under certain conditions (possibly a foaming liquid, a runaway reaction or because the vessel it relieves has been moved and the valve is no longer at the top of the vessel).
Gas and liquid discharge calculations are well understood and are readily available from
standard references such as Perry et al. (1997) and Coulson et al. (1999). Further
information is available from TNO (1997), Cremer and Warner (1982), and AIChE
(1996).


The total amount of material released is usually determined by the amount of material
stored in any single vessel or interconnected vessels plus the net ingress of material
into the system, for instance, due to fluids being pumped from elsewhere.
In many situations, it is necessary to estimate the flash fraction of an initial liquid
discharge, and the extent of entrainment of liquid droplets, for instance from
pressurised liquefied gases. Methods for estimating flash fractions are presented in
the TNO Yellow Book (1997), Lees (1996) and AIChE (1996).
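A worked example of the discharge estimate described above, added here and not taken from the advisory paper or its references: it uses the standard sharp-edged orifice relation for a liquid release, an adiabatic flash fraction for a pressurised liquefied gas, and the appendix's rule that the amount released is bounded by the vessel inventory plus net ingress. Every vessel, hole, fluid and isolation value is a constructed assumption; the hole is assumed at the base of the vessel and Cd = 0.61 is the usual sharp-orifice coefficient.

```python
"""Liquid discharge from a holed vessel (added example, not from the advisory paper).

Uses the standard sharp-edged orifice relation found in the references the appendix
cites (Perry, Lees, TNO):
    m_dot = Cd * A_hole * rho * sqrt(2 * (P_gauge / rho + g * h))
and applies the appendix's rule that the amount released is bounded by the vessel
inventory plus net ingress (a feed pump that keeps running until isolated).
All vessel, hole and fluid values below are constructed for illustration.
"""
import math

G = 9.81  # gravitational acceleration, m/s^2


def orifice_mass_rate(hole_diam_m, p_gauge_pa, head_m, rho_kg_m3, cd=0.61):
    """Liquid mass flow (kg/s) through a hole; 0.61 is the usual sharp-orifice Cd."""
    area = math.pi * (hole_diam_m / 2.0) ** 2
    velocity = math.sqrt(2.0 * (p_gauge_pa / rho_kg_m3 + G * head_m))
    return cd * area * rho_kg_m3 * velocity


def flash_fraction(cp_j_kg_k, t_storage_k, t_boil_k, h_vap_j_kg):
    """Adiabatic flash fraction when a pressurised liquid is let down to atmospheric
    pressure: sensible heat above the normal boiling point supplies the latent heat.
    Zero for a sub-cooled liquid (no flash); the rest leaves as liquid and spray."""
    fraction = cp_j_kg_k * (t_storage_k - t_boil_k) / h_vap_j_kg
    return min(max(fraction, 0.0), 1.0)


def simulate_release(inventory_kg, tank_area_m2, rho_kg_m3, hole_diam_m,
                     p_gauge_pa=0.0, ingress_kg_s=0.0, isolation_s=None,
                     dt=1.0, t_max=1e5):
    """March the vessel contents forward in time. Liquid head falls as the vessel
    drains, so the rate declines; ingress adds mass until remote isolation at
    isolation_s, which also stops the leak (None = never isolated).
    Hole assumed at the base, so head = liquid level.
    Returns (total released kg, release duration s, peak rate kg/s)."""
    mass, t, released, peak = inventory_kg, 0.0, 0.0, 0.0
    while mass > 0.0 and t < t_max:
        if isolation_s is not None and t >= isolation_s:
            break                                  # leak and feed both stopped
        head = mass / (rho_kg_m3 * tank_area_m2)   # liquid level above the hole
        rate = orifice_mass_rate(hole_diam_m, p_gauge_pa, head, rho_kg_m3)
        peak = max(peak, rate)
        out = min(rate * dt, mass)                 # cannot release more than is present
        mass += ingress_kg_s * dt - out
        released += out
        t += dt
    return released, t, peak


if __name__ == "__main__":
    # Constructed case: 50 t of a water-like liquid in a 10 m2 tank, 50 mm hole at the base.
    total, duration, peak = simulate_release(50_000, 10.0, 1000.0, 0.05)
    print(f"full drain: {total:.0f} kg over {duration:.0f} s, peak {peak:.1f} kg/s")
    total, duration, peak = simulate_release(50_000, 10.0, 1000.0, 0.05,
                                             ingress_kg_s=5.0, isolation_s=600)
    print(f"isolated at 600 s: {total:.0f} kg released")
    # Approximate propane values (constructed): cp 2.5 kJ/kg.K, stored at 293 K,
    # normal boiling point 231 K, latent heat 425 kJ/kg.
    print(f"propane flash fraction: {flash_fraction(2500, 293, 231, 425_000):.2f}")
```

With no isolation the whole inventory is released and the drain time matches the analytic Torricelli result; with ingress and remote isolation the release is capped at what escapes before the valve closes.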

Dispersion Models
The analysis of the dispersion of gases and particulates in air and contaminants in
water bodies often plays a central role in consequence calculations. Because the
effects of hazardous materials on people and the environment are dependent upon the
concentration/time exposure profiles, these profiles must be considered in order to
properly estimate effects.
In order to make the calculations manageable, however, rather than calculating the
exact concentration/time profiles, it is often appropriate to make simplifying
assumptions. For instance, the maximum ground level concentration of a toxic gas
might be assumed to exist throughout the duration of the event instead of more
rigorously analysing the time varying concentration. For flammable clouds, it may be
sufficient to estimate the maximum dimensions of the cloud which is within
flammability limits.
The exact methodology adopted will depend upon the needs of the particular
circumstances and judgement will have to be exercised by the analyst in order to
decide upon the appropriate degree of detail.
Vapour cloud behaviour is determined predominantly by the density of the gas relative
to air, the rate of release over time and weather conditions. It is convenient to classify
the clouds according to whether they are heavier than, the same density as or lighter
than air (negative, neutral or positive buoyancy).
Clouds with positive buoyancy tend to rise. In most circumstances, this tends to limit
the harm they can inflict.
Dense clouds stay at low levels for a considerable distance downwind and pose a
much greater hazard. In some instances, dense clouds can travel upwind because of a
combination of topographical features and gravitational forces.

Gases with Neutral or Positive Buoyancy
Gases of neutral or positive buoyancy may be assumed for dispersion calculations
under a number of circumstances:
- for gases with density similar to that of air;
- for small puffs of dense gas that dilute rapidly at the point of release to a neutral buoyancy; and
- in a dense gas dispersion model after neutral buoyancy of the dispersing cloud has been achieved.
The Pasquill-Gifford model is the commonly used model for dispersion estimates. The
model is described in Pasquill and Smith (1983), TNO (1997) and Lees (1996).
In cases where the release is a high velocity turbulent jet rather than a plume, more
sophisticated analysis is required. The dispersion of a neutral, buoyant or dense jet is
discussed in AIChE (2000).


Dense Gases
Substances included in the dense gas category include those with molecular weight
heavier than air, liquefied gases at cryogenic temperatures and liquefied gases stored
under pressure and which become more dense than air due to a fall in temperature
upon release.
The behaviour of dense gas clouds is characterised by an initial slumping and horizontal
spreading due to the force of gravity.
A number of models have been developed for consequence modelling of dense gas
dispersion. The mathematics which describe the dispersion process is complex and
hence the models are usually incorporated into computer programs. Reviews of some
models for dense gas dispersion are provided in AIChE (1996) and Daish et al. (1998).

Particulates
The dispersion characteristics of particulates such as toxic dusts or smoke may also
need to be analysed. Lees (1996) provides a list of further references on the dispersion
of particulates in air.

Fires
The thermal radiation incident at various points away from the fire is governed by the
heat flux at the flame surface and the flame geometry. The surface heat flux is in turn
governed by the burning characteristics of the particular material under the particular
physical conditions. The heat flux at any particular point can be estimated using the
'view factor method' which is described in TNO (1997). The various types of fires are
described briefly in Section 5.8.3.1 with further information available in TNO (1997).
Fire damage estimates are based upon correlations with recorded incident radiation
flux and damage levels. A table of radiation effects is included in Table 16.

Explosions
The modelling of explosions is a complex and rapidly developing science. In terms of
calculating risk, blast overpressures are the most important consequences, although
projected fragments should also be considered.
The simplest and most often used technique of calculating overpressures is the well
documented TNT Equivalence Model, described in Lees (1996). However, more
sophisticated models are available, some of which are detailed in AIChE (2000).
Information on explosion fragments is presented in TNO (1997) and Holden (1988).
More detailed information on explosion characteristics and modelling is contained in
Lewis and von Elbe (1987) and Vinnem (1999).


Table 16: Effects of Heat Radiation

Heat radiation [kW/m2] and effect:

1.2
- Received from the sun at noon in summer
2.1
- Minimum to cause pain after 1 minute
4.7
- Will cause pain in 15-20 seconds and injury after 30 seconds exposure (at least second degree burns will result)
12.6
- Significant chance of fatality for extended exposure. High chance of injury
- After long exposure, causes the temperature of wood to rise to a point where it can be readily ignited by a naked flame
- Thin steel with insulation on the side away from the fire may reach a thermal stress level high enough to cause structural failure
23
- Likely fatality for extended exposure and chance of fatality for instantaneous exposure
- Spontaneous ignition of wood after long exposure
- Unprotected steel will reach thermal stress temperatures which can cause failures
- Pressure vessel needs to be relieved or failure will occur
35
- Cellulosic material will pilot ignite within one minute's exposure
- Significant chance of fatality for people exposed instantaneously
D
Table 17: Effects of Explosion Overpressure

Explosion overpressure and effect:

3.5 kPa (0.5 psi)
- 90% glass breakage
- No fatality and very low probability of injury from overpressure
7 kPa (1 psi)
- Damage to internal partitions and joinery, but can be repaired
- Probability of injury is 10%. No fatality
14 kPa (2 psi)
- House uninhabitable and badly cracked
21 kPa (3 psi)
- Reinforced structures distort
- Storage tanks fail
- 20% chance of fatality to a person in a building
35 kPa (5 psi)
- House damaged beyond repair
- Wagons and plant items overturned
- Threshold of eardrum damage
- 50% chance of fatality for a person in a building and 15% chance of fatality for a person in the open
70 kPa (10 psi)
- Threshold of lung damage
- 100% chance of fatality for a person in a building or in the open
- Complete demolition of houses


Appendix 4: Methods for Estimating Likelihood
The likelihood of accidents and their consequences can be estimated using generic or
specific failure data, either directly, or as input into logic sequence models.
Open literature is the most common source of generic failure data. However, detail is
often lacking: important information such as failure mode and process conditions is
often missing, and for this reason published values for nominally the same failure can
vary widely. Much of the data have been generated in the nuclear and aerospace
industries and the conditions of operation may be different from, for example, process
industries. Examples of failure data sources are Lees (1996), CCPS (1989), Committee
for the Prevention of Disasters (1999) and IAEA (1988a).
Data are also available from published Risk Assessments of Major Hazard Facilities,
such as sections of Environmental Impact Statements and Land Use Safety Studies.
Where specific failure data are not available, the likelihood of particular equipment
failures or hazardous incidents may be estimated using logical sequence models.
These techniques analyse the modes of failure and sequence of events that lead to
hazardous incidents. The most commonly used methods are fault tree analysis and
event tree analysis.
Random number techniques, such as Monte Carlo simulation, use a fault tree or similar
logic model as a basis. The probability of each contributing failure is expressed as a
range of probabilities. The severity of the 'top event' is expressed as a function of the
probability of various events. In this way it is possible to differentiate the effect of each
contributing factor to the top event.
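An added example (not from the advisory paper) of the fault tree and Monte Carlo approach just described: a constructed three-event fault tree is evaluated once at the midpoint of each range and then with every basic-event probability sampled from its range, giving a distribution for the top event and a ranking of how strongly each contributor moves it. The tree, event names and ranges are assumptions made for illustration, not failure data from any cited source.

```python
"""Monte Carlo evaluation of a small fault tree (added example, not from the advisory paper).

The tree and every probability range below are constructed for illustration and are not
failure data from any source the paper cites. Top event: 'Toxic release from storage
tank', reached either by an overfill demand that the high-level trip fails to stop, or by
a pipe rupture. Basic-event values are sampled log-uniformly from their range because
failure-rate uncertainty typically spans decades.
"""
import math
import random

# Gate nodes are ("AND", [children]) or ("OR", [children]); leaves are basic-event names.
FAULT_TREE = ("OR", [
    ("AND", ["overfill_demand", "high_level_trip_fails"]),
    "pipe_rupture",
])

# Constructed (low, high) ranges: demands/ruptures per year, or probability of failure on demand.
RANGES = {
    "overfill_demand": (0.05, 0.5),
    "high_level_trip_fails": (0.01, 0.1),
    "pipe_rupture": (1e-5, 1e-4),
}


def evaluate(node, probs):
    """Probability of a node given basic-event probabilities (events assumed independent).
    AND gate: product of the children. OR gate: 1 - product of (1 - child)."""
    if isinstance(node, str):
        return probs[node]
    gate, children = node
    values = [evaluate(child, probs) for child in children]
    if gate == "AND":
        return math.prod(values)
    if gate == "OR":
        return 1.0 - math.prod(1.0 - v for v in values)
    raise ValueError(f"unknown gate {gate!r}")


def point_estimate(tree=FAULT_TREE, ranges=RANGES):
    """Single-value evaluation using the geometric midpoint of each range."""
    mid = {name: math.sqrt(lo * hi) for name, (lo, hi) in ranges.items()}
    return evaluate(tree, mid)


def monte_carlo(tree=FAULT_TREE, ranges=RANGES, n=20000, seed=1):
    """Return (list of top-event samples, dict of per-event sampled values)."""
    rng = random.Random(seed)
    tops, draws = [], {name: [] for name in ranges}
    for _ in range(n):
        probs = {}
        for name, (lo, hi) in ranges.items():
            probs[name] = math.exp(rng.uniform(math.log(lo), math.log(hi)))
            draws[name].append(probs[name])
        tops.append(evaluate(tree, probs))
    return tops, draws


def summarise(tops):
    """Mean and 5th/50th/95th percentiles of the top-event probability."""
    s = sorted(tops)

    def pick(q):
        return s[min(int(q * len(s)), len(s) - 1)]

    return {"mean": sum(s) / len(s), "p5": pick(0.05), "p50": pick(0.50), "p95": pick(0.95)}


def _pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)


def sensitivity(tops, draws):
    """Rank contributors by correlation of log(event value) with log(top event):
    a contributor near zero does not move the top event over its whole range."""
    log_top = [math.log(t) for t in tops]
    ranked = {name: _pearson([math.log(v) for v in vals], log_top)
              for name, vals in draws.items()}
    return dict(sorted(ranked.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    tops, draws = monte_carlo()
    print("point estimate:", point_estimate())
    print("distribution:", summarise(tops))
    print("sensitivity:", sensitivity(tops, draws))
```

In this constructed tree the overfill branch dominates, so the two events on that branch rank highest while the pipe rupture barely moves the top event, which is the kind of differentiation the paragraph above refers to.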
Common cause failure (CCF) analysis is particularly useful in assessing the causes of
dependent failures in plants where system redundancy has been increased to improve
reliability. CCF investigates the factors that create dependencies among components
and identifies those most likely to lead to a CCF. A quantitative CCF evaluates the
probability of occurrence of each postulated CCF event. The method has been
described in Mosleh (1988) and AIChE (1992).
External events analysis estimates the frequency of external events that can trigger a
major incident. In evaluating external initiating events, the likelihood of the triggering
event must be combined with the probability of failure associated with that event.
Flood zone maps, earthquake zones,
The likelihood of people making mistakes is referred to as Human Error. Some
examples are provided in Table 5. For more details see Kletz (1991) and CCPS (1994).
Co


Appendix 5: Sample Hazard Identification Word Diagram
Functional/Operational Area: Rail or road tanker loading bays for flammable liquids

Possible Initiating Events:
- Tanker overfill
- Flexible hose failure
- Driver uncouples hose before isolating
- Driver fails to disconnect before driving off
- Collision

Possible Consequences:
- Spillage of fuel with pool fire if ignited
- Possible propagation to involve entire tanker contents or other tankers
- Ground contamination
- Water course pollution via drainage system
- Pollution via fire fighting water

Prevention/Protection Measures:
- Tanker overfill protection
- Regular inspection/maintenance of hoses
- Drive-away protection through brake interlocks or boom gates
- Control of ignition sources
- Remote isolation systems
- Adequate bunding/drainage systems
- Foam monitors/deluges
- Adequate emergency egress routes


Glossary and Acronyms


ALARP As Low As Reasonably Practicable.
BLEVE Boiling Liquid Expanding Vapour Explosion.
Concept Safety Evaluation An overall assessment of the inherent safety
levels of a facility at the early stages of design. The
assessment typically considers the basic features of the
proposed facility (including layout, process design, etc.) and
considers a range of alternatives.
Consequence The direct outcome of an accident. Usually, accidents will have
a number of potential consequences, only some of which will
actually occur following an accident. The magnitude of the
consequence in a modelled scenario is usually expressed as
the distance to a particular gas concentration, heat radiation
flux, overpressure, etc.
Construction Safety Studies A risk assessment approach, discussed further in HIPAP No. 7,
used to identify and manage potentially hazardous incidents
during demolition, construction, and commissioning.
COP Critical Operating Parameter.
Design Review Studies A design review study is used to compare the current condition
of the facility against the original design intention and any
subsequent changes in knowledge, codes or standards. This
may be undertaken as part of a proposed modification or in
light of changes at the facility.
Effect The effect of an incident on people, property or the environment.
Environment Components of the earth, including:
a. land, air and water, and
b. any layer of the atmosphere, and
c. any organic or inorganic matter and any living organism, and
d. human-made or modified structures and areas,
and includes interacting natural ecosystems that include
components referred to in paragraphs (a) to (c).
ERPG Emergency Response Planning Guideline.
Escalation An indirect outcome of an accident. Escalations can be
considered as separate accidents that are initiated by the
consequences of other accidents.
FMEA Failure Modes Effect Analysis.
FMECA Failure Modes, Effect and Criticality Analysis.
GEMS Generic Error Modelling System.
Hazard An intrinsic property of a material or a physical situation with
the potential to cause harm to people or the environment.
HAZOP Hazard and Operability Study.
HEART Human Error Assessment and Reduction Technique.


HEP Human Error Potential.


HSE Health and Safety Executive (UK).
ICAF Implied Cost of Averting Fatality.
IDLH Immediately Dangerous to Life and Health.
Incident All undesired events, including major accidents and near misses.
Initiating Event A specific postulated occurrence capable of leading to the
realisation of a hazard.
LOPA Layer of Protection Analysis.
Major Accident An occurrence (including a major emission, loss of containment,
fire, explosion or release of energy or projectiles) resulting from
uncontrolled developments in the course of the operation of a
major hazard facility and leading to serious danger or harm,
whether immediate or delayed, to people or the environment.
MHF Major Hazard Facility.
MHU Major Hazards Unit of PlanningNSW.
MIHAP Major Industrial Hazards Advisory Paper.
MSDS Material Safety Data Sheet.

Near Miss Any occurrence which, but for mitigation effects, actions or
systems, could have escalated to a major accident.
NOHSC National Occupational Health and Safety Commission.
Operator An employer, occupier or person who has management or
control of a facility.
PLL Potential Loss of Life.
Pre Startup Safety Reviews A review of the status of all previous
safety assessments prior to startup of a plant or a modified
section of plant. Often checklist based, the review ensures that
all safety assessments have been completed and the actions
resulting from them have been closed out. The review
generally also includes a site inspection, to provide an
additional independent check that startup can occur.
QRA Quantified Risk Assessment.
Risk The likelihood of an undesired event with specified
consequences occurring within a specified period or in
specified circumstances.
Serious Danger or Harm Refer to MIHAP No. 1 Overview and Definitions.
SHERPA Systematic Human Error Reduction and Prediction Approach.
SIP Safety Improvement Program.
SMS Safety Management System.
STEL Short-Term Exposure Limit.
THERP Techniques for Human Error Rate Prediction.
TWA Time-Weighted Average.
VCE Vapour Cloud Explosion.


References and Bibliography


1. American Institute of Chemical Engineers /CCPS 1988, Guidelines for Safe
Storage and Handling of High Toxic Hazard Materials, Centre for Chemical Process
Safety, AIChE, New York.
2. American Institute of Chemical Engineers 1996, Guidelines for Use of Vapour
Cloud Dispersion Models, 2nd edn, Center for Chemical Process Safety AIChE,
New York.
3. Australian and New Zealand Environment and Conservation Council 2000,
Australian and New Zealand Guidelines for Fresh and Marine Water Quality,
Australian and New Zealand Environment and Conservation Council.
4. Center for Chemical Process Safety (CCPS) 1989, Process Equipment Reliability
Data, AIChE, New York.
5. Center for Chemical Process Safety (CCPS) 1992, Guidelines for Hazard Evaluation
Procedures, 2nd edn, AIChE, New York.
6. Center for Chemical Process Safety (CCPS) 1992, Plant Guidelines for Technical
Management of Chemical Process Safety, AIChE, New York.
7. Center for Chemical Process Safety (CCPS) 1994, Guidelines for Preventing
Human Error in Process Safety, AIChE, New York.
8. Center for Chemical Process Safety (CCPS) 2000, Chemical Process Quantitative
Risk Analysis, 2nd edn, AIChE, New York.
9. Center for Chemical Process Safety (CCPS) 2001, Layers of Protection Analysis:
Simplified Process Risk Assessment, AIChE, New York.
10. Committee for the Prevention of Disasters 1999, Guidelines for Quantitative Risk
Assessment (Purple Book), CPR 18E, Sdu Uitgevers, Den Haag.
11. CONCAWE Ad-Hoc Risk Assessment Group 1984, Methodologies for Hazard
Analysis and Risk Assessment in the Petroleum Refining and Storage Industry,
Fire Technology, vol. 20, no. 3.
12. Coulson and Richardson's Chemical Engineering 1999, 6th edn, Butterworth
Heinemann, Oxford.
13. Cremer & Warner 1979, Risk Analysis of Six Potentially Hazardous Objects in the
Rijnmond Area: A Pilot Study, report to Rijnmond Public Authority.
14. Daish, N.C., Carissimo, B., Jagger, S.F., Linden, P.F., Britter, R.E. 1998, SMEDIS:
Scientific model evaluation of dense gas dispersion models, Proceedings of the
5th International Conference on Harmonisation within Atmospheric Dispersion
Modelling for Regulatory Purposes, Rhodes, May 1998, pp. 54-61.
15. DCMR Steering Committee 1984, Study into the Risks from the Transportation of
Liquid Chlorine and Ammonia in the Rijnmond Area. Selection of Probit Equations
for Acute Toxic Gas Exposure, memo to DNV Technica F291.
16. Dutch Directorate of Labour 1997, Methods for the Calculation of the Physical
Effects of the Escape of Dangerous Liquids and Gases (TNO Yellow Book), 3rd
edn, Dutch Directorate of Labour, Ministry of Social Affairs.
17. Eisenberg N.A., Lynch C.J. and Breeding R.J. 1975, Vulnerability Model: A
Simulation System for Assessing Damage Resulting from Marine Spills, Enviro
Control Inc., US Coast Guard Report CG-D-B5-75.


18. Embrey, D.E. 1986, SHERPA: A Systematic Human Error Reduction and
Prediction Approach, International Topical Meeting on Advances in Human
Factors in Nuclear Power Systems, USA.
19. Frank, W.L. & Whittle, D.K. 2001, Revalidating Process Hazard Analyses, CCPS,
AIChE, New York.
20. Green, A.E. & Bourne, A.J. 1972, Reliability Technology, Wiley, Chichester.
21. Haddad S., Mullins D., Maltz A., Ecological Risk Assessment and the Planning
Process.
22. Health and Safety Executive 1978, Canvey: An Investigation of Potential Hazards
from Operations in the Canvey Island/Thurrock Area, HSE, HMSO, UK.
23. Health and Safety Executive 1981, Canvey: A Second Report: A Review of
Hazards from Operations in the Canvey Island/Thurrock Area Three Years after,
HSE, HMSO, UK.
24. Health and Safety Executive 1999a, Guidance on the Environmental Risk
Assessment Aspects of COMAH Safety Reports, COMAH Competent Authority,
December.
25. Health and Safety Executive 1999b, Guidance on Interpretation of Major Accident
To The Environment (MATTE) for the Purposes of the COMAH Regulations, UK
Dept of Environment, Transport and Regions.

26. Hirst, I.L. and Carter, D.A. 2000, A Worst Case Methodology for Risk
Assessment of Major Accident Installations, Process Safety Progress, 19 (2).
27. Holden, P.L. 1988, Assessment of Missile Hazards: Review of Incident Experience
Relevant to Major Hazard Plant, SRD R477.
28. Holden, P.L. and Reeves, K.L. 1985, Fragment Hazards from Failures of
Pressurised Liquefied Gas Vessels, The Assessment and Control of Major
Hazards, IChemE.
29. Health and Safety Executive 1992, The Tolerability of Risk from Nuclear Power
Stations, HSE Books.
30. Health and Safety Executive 2001, Reducing Risks, Protecting People, HSE
Books.
31. Hunns, D.M. and Daniels, B.K. 1980, The Method of Paired Comparisons,
Proceedings 6th Symposium on Advances in Reliability Technology, Report NCSR
R23 and R24, Atomic Energy Authority.
32. Institute of Electrical and Electronics Engineers 1975, IEEE Guide for General
Principles of Reliability Analysis of Nuclear Power Generating Station Protective
Systems (ANSI), IEEE, 345 East 47th Street, New York, NY 10017.
33. International Atomic Energy Agency 1988a, Component Reliability Data for Use in
Probabilistic Safety Assessment, IAEA, Vienna.
34. International Atomic Energy Agency 1988b, Guidelines for Integrated Risk
Assessment and Management in Large Industrial Areas, IAEA-TECDOC-994, IAEA,
Vienna.
35. International Atomic Energy Agency December 1993 and December 1996 (Rev.1),
Manual for the Classification and Prioritisation of Risks Due to Major Accidents in
Process and Related Industries, International Atomic Energy Agency, Inter-Agency
Program on the Assessment and Management of Health and Environmental Risks
from Energy and Other Complex Industrial Systems, IAEA-TECDOC-727 and IAEA-
TECDOC-727 (Rev.1), Vienna.


36. Khan, F.I., Husain, T. & Abbasi, S.A. 2001, Safety Weighted Hazard Index
(SWeHI): A New, User-friendly Tool for Swift yet Comprehensive Hazard
Identification and Safety Evaluation in Chemical Process Industries, Process
Safety and Environmental Protection, 79 (B2).
37. Kletz, T. 1991, An Engineer's View of Human Error, 2nd edn, IChemE.
38. Lees, F.P. 1996, Loss Prevention in the Process Industries, 2nd edn, Butterworth-
Heinemann.
39. Lewis, B. & von Elbe, G. 1987, Combustion, flames and explosions of gases,
Academic Press.
40. Mackay, D., Paterson, S. & Joy, M 1983, Application of Fugacity models to the
Estimation of Chemical Distribution and Persistence in the Environment, Fate of
Chemicals in the Environment, Swann, R.L. & Eschenroeder, A. (eds), ACS
Symposium Series No. 225.
41. Middleton, M. and Franks, A. 2001, Using Risk Matrices, The Chemical Engineer.
42. Mosleh, A. 1988, Procedures for Treating Common Cause Failures in Safety and
Reliability Studies, US Nuclear Regulatory Commission, NUREG/CR-4780,
Washington DC.
43. National Occupational Health and Safety Commission 1995, Exposure Standards
for Atmospheric Contaminants in the Occupational Environment, 1003(1995).
44. National Occupational Health and Safety Commission 1996, National Code of
Practice for the Control of Major Hazards Facilities, [NOHSC:2016(1996)], AGPS
[AusInfo Cat. No. 96 0172 4], ISBN 0 644 45926 3.
45. New South Wales Department of Urban Affairs and Planning 1994, Best Practice
Guidelines for Contaminated Water Retention and Treatment Systems, Sydney.
46. New South Wales Department of Urban Affairs and Planning 1995, Hazard and
Operability Studies, Hazardous Industry Planning Advisory Paper No. 8 (HIPAP No.
8), Sydney.
47. New South Wales Department of Urban Affairs and Planning 1997, Applying SEPP
33: Hazardous and Offensive Development Application Guidelines.
48. New South Wales Department of Urban Affairs and Planning 1997, Multi-Level
Risk Assessment, Sydney.
49. NUREG 1983, PRA Procedures Guide: A Guide to the Performance of Probabilistic
Risk Assessment for Nuclear Power Plants, 2 vols, NUREG/CR-2300, US Nuclear
Regulatory Commission, Washington DC.
50. Pasquill, F. & Smith, F.B. 1983, Atmospheric Diffusion, Ellis Horwood, London.
51. Pastorok, R.A., Bartell, S.M., Ferson, S. & Ginzburg, L.R. 2001, Ecological
Modelling in Risk Assessment: Chemical Effects on Populations, Ecosystems, and
Landscapes, Lewis Publishers.
52. Perry, R.H., Green, D.W. & Maloney, J.O. (eds) c1997, Perry's Chemical
Engineers' Handbook, 7th edn, McGraw-Hill, New York.
53. Rasmussen, N.C. 1975, Reactor Safety Study Report, WASH 1400, U.S.
Department of Commerce.
54. Reason, J.T. 1987, Generic Error-Modelling System (GEMS), A Cognitive
Framework for Locating Common Human Error Forms, New Technology and
Human Error (eds J. Rasmussen, K. Duncan & J. Leplat).
55. Sax, N.I. and Lewis, D.J. 1989, Dangerous Properties of Materials, 7th edn, Van
Nostrand Reinhold.


56. Schüller, J.C.H., Brinkman, J.L., van Gestel, P.J. and van Otterloo, R.W. 1997,
Methods for Determining and Processing Probabilities, CPR12E, 2nd edn.
57. Standards Australia 1999, Risk Management, AS/NZS 4360:1999, ISBN 0 7337
2647 X.
58. Suarez A., Kirchsteiger C., 1998, A Qualitative Model to Evaluate the Risk
Potential of Major Hazardous Industrial Plants, European Commission Joint
Research Centre, EUR 18128 EN.
59. Swain A.D., Guttman H.E. 1983, Handbook of Human Reliability Analysis with
Emphasis on Nuclear Power Plant Application, NUREG/CR-1278.
60. USEPA 2002, information on Industrial Source Complex Models, on website
http://www.epa.gov/scram001/userg/regmod/isc3v1.pdf.
61. van den Bosch, C.J.H. and Weterings, R.A.P.M. 1997, Methods for the Calculation
of Physical Effects, CPR14E (parts 1 and 2), 3rd edition.
62. Vinnem, J.E. 1999, Offshore Risk Assessment: Principles, Modelling and
Applications of QRA Studies, Dordrecht; Boston: Kluwer Academic Publishers.
63. Williams, J.C. 1988, A Data-Based Method for Assessing and Reducing Human
Error to Improve Operational Performance, Proceedings of the IEEE 4th
Conference on Human Factors and Power Plants, pp. 436-450.
64. WorkSafe MHD 2002a, Human Factors Under the Occupational Health and Safety
(Major Hazards Facilities) Regulations, Melbourne.
65. WorkSafe MHD 2002b, Safety Assessment under the Occupational Health and
Safety (Major Hazards Facilities) Regulations, Melbourne.
66. WorkSafe MHD 2002c, Control Measures and Performance Indicators under the
Occupational Health and Safety (Major Hazards Facilities) Regulations, Melbourne.
67. Wong W. 2002, How Did That Happen? Engineering Safety and Reliability,
Professional Engineering Publishing, UK.
68. Wright N.H., 1993, Development of Environmental Risk Assessment (ERA) in
Norway, Norske Shell Exploration and Production.


Additional Information
Other Publications
Major Industrial Hazards Advisory Papers (MIHAPs):
No. 1 - Overview and Definitions
No. 2 - Notification, Classification and Prioritisation
No. 3 - Hazard Identification, Risk Assessment and Risk Control
No. 4 - Safety Management Systems
No. 5 - Safety Reporting
No. 6 - Training and Education
No. 7 - Emergency Planning
No. 8 - Land Use Safety
No. 9 - Accident Reporting and Investigation

No. 10 - Stakeholder Consultation
No. 11 - Safety Auditing

Electronic copies are available at: www.planning.nsw.gov.au

