ABU DHABI NATIONAL OIL COMPANY
HEALTH SAFETY AND ENVIRONMENTAL MANAGEMENT MANUAL OF CODES OF PRACTICE VOLUME 5 : RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS
CODE OF PRACTICE ON CONTROL OF MAJOR ACCIDENT HAZARDS (COMAH) ADNOC-COPV5-01
HSE MANAGEMENT MANUAL OF CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS COP ON CONTROL OF MAJOR ACCIDENT HAZARDS (COMAH) Document No: ADNOC-COPV5-01
Version 1 April, 2004 Page 2 of 48
RECORD OF REVISION
Revision No. | Date | Section/Page | Reason
Copyright

The copyright and all other rights of a like nature in this document are vested in Abu Dhabi National Oil Company (ADNOC), Abu Dhabi, United Arab Emirates. This document is issued as part of the Manual of HSE Codes of Practice (the “Manual”) and as guidance to ADNOC, ADNOC Group Companies and independent operators engaged in the Abu Dhabi oil & gas industries. Any of these parties may give copies of the entire Manual or selected parts thereof to their contractors implementing HSE standards in order to qualify for award of contracts or for the execution of awarded contracts. Such copies should carry a statement that they are reproduced by permission of ADNOC, and an explanatory note on the manner in which the Manual is to be used.

Disclaimer

No liability whatsoever in contract, tort or otherwise is accepted by ADNOC or any of its Group Companies, their respective shareholders, directors, officers and employees whether or not involved in the preparation of the Manual for any consequences whatsoever resulting directly or indirectly from reliance on or from the use of the Manual or for any error or omission therein even if such error or omission is caused by a failure to exercise reasonable care.
All administrative queries should be directed to the Manual of HSE Codes of Practice Administrator in:

Environment Health & Safety Division,
Exploration & Production Directorate,
Abu Dhabi National Oil Company,
P.O.Box: 898, Abu Dhabi, United Arab Emirates.
Telephone: (9712) 6023782
Fax: (9712) 6668089
Internet site: www.adnoc.com
E-mail: [email protected]
CONTENTS

I. PURPOSE
II. DEFINITIONS
III. EXISTING LAWS
1. INTRODUCTION - NATURE OF A COMAH REPORT
2. KEY REQUIREMENTS OF COMAH PROCESS
   2.1 Main Objectives
   2.2 Key Requirements, Features and Contents
   2.3 When is a COMAH Report required
   2.4 Responsibilities for preparing the COMAH Report
   2.5 Project life cycle phases
   2.6 Verification of COMAH reports
3. DESCRIPTIVE INFORMATION
   3.1 Local Environment
   3.2 Site Description
4. MANAGEMENT MEASURES TO PREVENT MAJOR ACCIDENTS
   4.1 HSE Management Systems (HSEMS)
   4.2 Screening of Hazards and Effects
   4.3 Identification and Management of HSE Critical Activities/Tasks and HSE Critical Equipment and Systems (HSECES)
5. IDENTIFICATION OF MAJOR ACCIDENT SCENARIOS
   5.1 Processes, Areas on Site and Scenarios that could lead to a Major Accident
   5.2 Prevention, Detection, Control, Mitigation and Recovery Systems
6. ON-SITE AND OFF-SITE EMERGENCY PLANS
   6.1 General Responsibilities
   6.2 Objectives Of Emergency Plans
   6.3 On-site Emergency Plans
   6.4 Off-site Emergency Plan
   6.5 Co-ordination of Off-Site Emergency Plans
7. CONSULTATION AND PROVISION OF INFORMATION
   7.1 Consultation With The Work Force (Employees & Contractors)
   7.2 Provision Of Information To ADNOC
   7.3 Provision Of Information To External Authorities
   7.4 Provision Of Information To Neighbouring Facilities
   7.5 Provision Of Information To The Public
8. REVIEW REQUIREMENTS
   8.1 Periodic Review
   8.2 Review Due To Changes
   8.3 Guidance On Levels Of Review
REFERENCES
Appendix 1 Use of QRA in COMAH Reports
Appendix 2 Guidance for preparing a Hazards and Effects Register
Appendix 3 The Hazard Bow-tie Model
I. PURPOSE

The objective of this Code of Practice is to define the approach to the control of Major Accident Hazards (COMAH) on offshore and onshore Major Hazard Sites in the ADNOC Group. COMAH requires ADNOC Group Companies to demonstrate that:

• Major Accident Hazards in the operation of Group Company sites are identified and managed to risk levels which are either acceptable or are as low as reasonably practicable (ALARP) as defined in the document ADNOC Group Guideline ‘HSE Risk Management’ [1]. This includes hazards with ‘Major Accident Potential’ which may be introduced within the Major Hazard Site boundary e.g. from marine, road transport and air transport operations or third parties.

Note: Guidelines for the control of Major Accident Hazards from road, marine and air transport and operations outside Major Hazard Site boundaries are provided in separate HSE Codes of Practice i.e.:
- Road Transport Operations, Risk Assessment and Control [12]
- Marine Transport Operations, Risk Assessment and Control [13]
- Air Transport Operations, Risk Assessment and Control [14]

• Major Accident Hazards that result from the operation of Group Company sites but whose effects may extend beyond the site boundary are identified and managed to risk levels that are either acceptable or are as low as reasonably practicable (ALARP). This includes emergency response planning.
II. DEFINITIONS

Accident
See incident. Within the ADNOC Group it has been agreed that terms accident and incident are synonymous.

ALARP
See "As Low As Reasonably Practicable".

As Low As Reasonably Practicable (ALARP)
Means to reduce a risk to a level which is as low as reasonably practicable and involves balancing reduction in risk against the time, trouble, difficulty and cost of achieving it. This level represents the point, objectively assessed, at which the time, trouble, difficulty and cost of further reduction measures becomes unreasonably disproportionate to the additional risk reduction obtained.
[1] ADNOC Group Guideline ‘HSE Risk Management’, March 2000. [12] ADNOC Manual of Codes of Practice: ‘Code of Practice on Essential Features of Road Transport Operations, Risk Assessment and Control’, ADNOC-COPV4-06. [13] ADNOC Manual of Codes of Practice: ‘Code of Practice on Essential Features of Marine Transport Operations, Risk Assessment and Control’, ADNOC-COPV4-08. [14] ADNOC Manual of Codes of Practice: ‘Code of Practice on Essential Features of Air Transport Operations, Risk Assessment and Control’, ADNOC-COPV4-07.
BAT
Best Available Techniques. These are defined as the most effective and advanced stage in the development of activities and their methods of operation which indicates the practical suitability of particular techniques for providing in principle the basis for emission limit values designed to prevent, and where that is not practicable, generally to reduce emissions and the impact on the environment as a whole.

COMAH Report
The Control Of Major Accident Hazards Report is a report compiled by a Major Hazard Site Operator and submitted to ADNOC, as part of the HSEIA process, that demonstrates that the site operator has taken all steps necessary to prevent Major Accidents and to reduce their consequences. It is a facility or operation-specific demonstration of the HSE Management System in action, documenting that risks have been, or will be, reduced to ‘acceptable’ or ‘as low as reasonably practicable’ (ALARP) as defined in the ADNOC Group Guideline ‘HSE Risk Management’ [1].

HAZID - Hazard Identification
A study in the context of hazards and effects management.

HAZOP - Hazard and Operability
A study in the context of hazards and effects management.

Health Risk Assessment (HRA)
The systematic identification of health hazards in the workplace and subsequent evaluation of health risks. This process takes existing control measures into account and identifies and recommends further preventive or control actions where appropriate.

HSE Case
Similar to a COMAH Report.

HSE Critical
Of particular importance to preventing, controlling or mitigating the risks from Major Accident Hazards or occupational hazards with the potential for severe or catastrophic consequences (as defined in ADNOC Risk Management Guideline). It can apply to equipment, management systems, procedures, records, activities and tasks (and the competencies required for these tasks).

HSE-Critical activities
Activities that are important in preventing events with potential to cause serious harm to people, the environment or property or which can reduce the impact of such an event.
Note: The definition of serious harm includes the critical, severe and catastrophic categories shown in the risk potential matrix in the ADNOC Risk Management Guidelines.
HSE Critical Equipment and Systems (HSECES)
Parts of an installation and such of its structures, plant equipment and systems (including computer programmes) or any part thereof, the failure of which could cause or contribute substantially to; or a purpose of which is to prevent or limit the effect of a Major Accident or any accident with the potential for severe or catastrophic consequences (as defined in ADNOC Group Guideline ‘HSE Risk Management’ [1]).

HSE Critical Integrity Task or Activity
Activities such as design, construction, installation, commissioning, operation, modification, repair, inspection, testing or examination associated with assuring the integrity of a HSECES.

HSEIA - Health, Safety and Environmental Impact Assessment
Systematic process of identifying HSE impacts of existing, new or substantially altered projects, and establishing mitigation requirements. This Code of Practice forms a component of the ADNOC Code of Practice on HSEIA and places requirements on new and existing operational sites with Major Accident Potential.

HSEMS – Health Safety and Environment Management System
The company structure, responsibilities, practices, procedures, processes and resources for implementing health, safety and environmental management.

Incident
An event or chain of events which has caused or could have caused fatality, injury, illness, and/or damage (loss) to assets, the environment, company reputation or third parties.

Major Accident
A Major Accident is an ‘Uncontrolled Occurrence’ in the operation of a site which leads to severe or catastrophic consequences to people, assets, the environment and/or company reputation (as defined in the ADNOC Group Guideline ‘HSE Risk Management’ [1]). The consequences may be immediate or delayed and may occur outside as well as inside the site. There will generally be a high potential for escalation.

Note: Examples of ‘Major Accidents’ would include, but are not limited to:
• loss of containment of flammable and/or toxic fluids leading to fire, explosion and/or toxic injury
• events resulting in structural failure which could lead to further progressive collapse
• loss of stability of mobile offshore installation
• well blowouts
• ships colliding with offshore installations or onshore jetties used for bulk loading explosive, flammable or toxic substances
• service vessel colliding with or otherwise affecting offshore installations
• other external hazards affecting offshore and onshore sites e.g. accommodation/work barges alongside fixed installations, helicopters and aircraft, road/marine product tankers

The definition of ‘Major Accident’ specifically excludes ‘Occupational Accidents’ which have bounded, albeit possibly severe or catastrophic consequences. This means that one or more pedestrian fatalities resulting from a road accident on a site (however regrettable and tragic) would not be defined as a ‘Major Accident’. Similarly, one or more fatalities resulting from a fall from a scaffolding platform (again regrettable and tragic) would not be defined as a ‘Major Accident’.

The purpose of this definition of ‘Major Accident’ is to identify ‘Major Hazard Sites’ for the purposes of this Code of Practice. ‘Major Hazard Site Operators’ will be required to prepare a COMAH Report and submit it to ADNOC.

Major Accident Hazard
A hazard that has the potential to result in a ‘Major Accident’.

Major Accident Potential
Where the conditions, substances and materials on a site, and the location of the site, are such that a ‘Major Accident Hazard’ is present and there is therefore the possibility of a ‘Major Accident’.

Major Hazard Site
Any process plant, storage facility, terminal, pipeline, offshore installation, drilling rig or any other facility handling or storing hazardous materials that has ‘Major Accident Potential’ at any time in the course of routine and/or non-routine operations.

Major Hazard Site Operator
The Group Company responsible for operating the ‘Major Hazard Site’.
Note: Where the Group Company is a service contractor (Contracting Company) to an Operating Company e.g. NDC or NPCC working for ADMA-OPCO or ADCO, the Operating Company shall be defined as the ‘Major Hazard Site Operator’. Refer to Section 2.4.

Occupational Accident
An occupational accident arises from an ‘Occupational Hazard’. It may result in personal injury(s), illness(s) and/or fatality(s).
Occupational Hazard
A hazard with the potential for causing ‘Occupational Accidents’ through slips, trips, falls, crushing, drowning, electrocution etc. Unlike a ‘Major Accident Hazard’, an Occupational Hazard does not have the potential for the loss of control and escalation that could lead to further major consequences. Occupational Hazards are identified and either eliminated, controlled or mitigated by the use of best practice HSE Management Systems, procedures, methods and techniques.

QRA
Quantitative Risk Assessment - see Appendix 1.

Safety Management System
An outline of the safety goals for a site and a description of how the site is managed to reach those goals. In ADNOC Group the SMS is incorporated within Group Company HSEMS.

Substances Which Constitute a Major Accident Hazard
A substance constitutes a hazard by virtue of its intrinsic chemical properties or of its temperature and pressure or some combination of these. A substance is a ‘Major Accident Hazard’ if, because of its intrinsic chemical properties, temperature, pressure and inventory, it has the potential to result in a ‘Major Accident’.

Uncontrolled Occurrence
An event that escalates, or has the potential to escalate, so that it is beyond the normal span of operations over which control can be exercised.
III. EXISTING LAWS

There are currently no specific UAE laws applicable to the control of Major Accident Hazards. However, laws on protection of the environment and people are relevant in that the consequences of a Major Accident Hazard may result in either adverse environmental impacts or effects on people. Relevant legislation includes:

• Federal Law No 24 of 1999 for the Protection and Development of the Environment.
• Federal Law No 8 of 1980 re Regulation of Labour Relations.

A list of UAE Laws & Regulations is provided in Appendix 4 of ADNOC Manual Codes of Practice: ‘Codes of Practice on HSE Administration Systems’ [15].
[15] ADNOC Manual of Codes of Practice: ‘HSE Administration Systems’, ADNOC-COPV1-01
1. INTRODUCTION - NATURE OF A COMAH REPORT

The nature of the oil, gas and petrochemical industry means there is the potential for Major Accidents to occur. On a worldwide basis, there have been instances where Major Accidents have occurred, leading to substantial loss of life. The risks of such events happening within the ADNOC Group therefore need to be properly assessed and, where necessary, controlled.

All ADNOC Group Companies must take all measures necessary to identify and prevent Major Accidents and limit their potential consequences to people, assets, environment or reputation at sites which they operate. Prevention and mitigation must be based on reducing risks to acceptable levels or to as low as reasonably practicable (ALARP).

Internationally, process industry operators have adopted ‘HSE Cases’ as the documents which provide the details of major hazards and risk levels, and their prevention, control and mitigation measures. Preparation of an HSE Case is often a statutory requirement for large projects, and the resulting reports are used by external regulatory bodies to decide on consent and/or approval for a particular project.

An ADNOC COMAH Report is essentially the same as an HSE Case, with slight differences in contents to fit the ADNOC integrated HSEIA approach. Refer to ADNOC ‘Code of Practice on HSEIA Requirements’ [2]. Under the self-regulatory regime for the oil industry in Abu Dhabi, ADNOC assumes the role of regulator and uses ‘COMAH Reports’ (through the HSEIA process) to evaluate the acceptability, or otherwise, of proposed projects and existing Major Hazard Sites. In this context:

• A Major Hazard Site is any process plant, storage facility, terminal, pipeline, offshore installation, drilling rig or any other facility with Major Accident Potential.
• A Major Accident Hazard is defined as a hazard that has the potential to result in Major Accidents.

From 1998 onwards, ADNOC required its Group Companies to conduct risk studies, as part of the HSEIA requirements, for new projects above a project value of US$ 27 million. The 1998 guidelines provided have now been superseded by new ADNOC requirements for HSEIA as detailed in the ADNOC ‘Code of Practice on HSEIA Requirements’ [2]. The changes include previous requirements but with improved structure and definition of individual HSEIA components. These include a COMAH Report as an integral component.
[2] ADNOC Manual of Codes of Practice: ‘Code of Practice on HSEIA Requirements’, ADNOC-COPV1-02.
The COMAH approach is a systematic procedure for the identification and documentation of Major Accident Hazards and the risk levels of new projects and existing facilities and operations. It facilitates a preventative approach to risk management as appropriate risk control and mitigation measures can then be incorporated at an early stage in the design process. The main value of the COMAH approach for existing facilities and operations lies in the documentation of Major Accident Hazards with subsequent focus on control procedures, critical equipment and required competencies.

The COMAH requirements are summarised as follows:

1. From 2004 onwards, ADNOC requires its Group Companies to assess all new projects or substantial modifications to existing operations for Major Accident Potential. A COMAH Report must be prepared for all projects/substantial modifications with Major Accident Potential. The COMAH Report must provide details of how Major Accident Hazards will be managed throughout the project/operation lifecycle. If no Major Accident Potential is identified then the Group Company must provide the rationale for arriving at this conclusion.

2. From January 2005 onwards ADNOC will extend the above approach to include all existing operational sites with Major Accident Potential i.e. not only new and substantial modification projects. Group Companies must review the sites that they operate and identify those sites with Major Accident Potential. A list of sites and a proposed schedule for production of COMAH Reports must be submitted to ADNOC.

Each Major Hazard Site Operator will agree a program for the production and submission of COMAH reports with ADNOC EH&S Division. Agreed schedules may vary per Group Company, depending on risk profiles, complexity of issues, resources available and total workload to be undertaken. Companies with multiple sites must schedule their submissions of COMAH Reports to allow ADNOC sufficient time to review.
Figure 1: Relationship between COMAH, EIA and HSEIA Process

[Flowchart; box text as recovered from the figure]

1. Is the project, facility or operation on list (see HSEIA Section 2)?
   - No: No further action required.
   - Yes: Identify HSE Hazards & Effects (from EIA process: include accidental significant environmental impacts). Screen Hazards & Effects Register for hazards with Major Accident Potential.

2. Are there hazards with Major Accident Potential?
   - No: No COMAH Report required. Demonstrate rationale for no Major Hazards. Demonstrate how Medium/Low Hazards are controlled via HSEMS. Incorporate in HSEIA Report.
   - Yes: Prepare COMAH Report. This is an iterative process for each of the four project phases.

   Provide general information:
   • Project, facility or operation description and background information
   • Summary of Group Company (or site) HSE Policy and HSEMS
   • Summary of Legal and Regulatory requirements
   • Objectives & scope of COMAH Report

   Provide information on Major Accident Hazards:
   • Hazard identification methodology used
   • Hazard release scenarios
   • Analysis (likelihood and consequences) and assessment of risk
   • Demonstration of sufficiency of control, mitigation and recovery methods
   • Demonstration that risk is acceptable or ALARP
   • Demonstration that all HSE Critical Equipment and Systems are identified and that adequate management systems, procedures, competencies are in place to manage these
   • On- & off-site emergency response plans
   • Demonstration of controls for all hazards (Major, Medium and Low) via HSEMS

   Provide a plan how actions are to be carried forward to next project phase(s).
   Provide plan how COMAH Report will be kept up to date.
   Incorporate COMAH Report in HSEIA Report.

3. Is independent Verification required?
   - No: Present HSEIA to ADNOC for approval.
   - Yes: Provide IVR. Present HSEIA to ADNOC for approval.
2. KEY REQUIREMENTS OF COMAH PROCESS

2.1 Main Objectives

The production of a COMAH Report will assist Group Companies to identify any areas where action must be taken to reduce HSE risks and will be essential for training and familiarisation purposes. The COMAH Report will also provide ADNOC with a mechanism for ensuring best practice management of Major Accident Hazards across the Group:

2.2 Key Requirements, Features and Contents

With reference to Figure 1, the COMAH Report has been fully integrated within and must be submitted through the HSEIA process. Refer to ADNOC ‘Code of Practice on HSEIA Requirements’ [2]. The COMAH Report must be prepared by suitably qualified, experienced and demonstrably competent persons.

The COMAH Report must contain:

a) A summary of the Group Company or site HSE Policy and HSEMS requirements.
b) A summary of Legal and Regulatory requirements (Federal and National Law and ADNOC requirements).
c) Objectives and scope of the COMAH Report.
d) Project/site description (see Section 3).
e) Description of the Hazard identification methodology used and link to the Hazard Register (see Section 4).
f) An analysis (likelihood and potential consequences) of Major Accident Hazard releases and assessment of Major Accident scenarios (see Section 5).
g) A demonstration that all foreseeable and credible Major Accident Hazards and effects have been identified and that sufficient control, mitigation and recovery measures are in place (or will be in place for new projects) such that risks to people, assets, environment and company reputation are either acceptable or as low as reasonably practicable (ALARP). This demonstration to be made using the criteria in the document ADNOC Group Guideline ‘HSE Risk Management’ [1] (see Section 5).
h) A demonstration that all HSE Critical Activities/Tasks and HSE Critical Equipment and Systems (HSECES) have been identified. That the written management systems, procedures, competencies and training required to manage these are in place (see Section 4).
i) A demonstration that there is adequate provision for full and safe escape of all personnel from the facility in the event of a Major Accident. That On-site and Off-site (where necessary) emergency response plans have been prepared, that they have been communicated to all stakeholders, that they have been tested and will continue to be tested periodically and that the necessary training/exercising has and will continue to be provided (see Section 6). Refer to ADNOC ‘Code of Practice on Crisis and Emergency Management’ [3].
j) A demonstration of how all hazards – occupational safety and health as well as Major Accident Hazards – are managed (or will be managed for new projects) under the site HSEMS including demonstration of a process to achieve continuous improvement (see Section 4). Refer to ADNOC Group Guideline ‘HSE Management Systems’ [4].
k) For projects - a plan for actioning/carrying forward recommendations to the next project phase and ultimately to the operations phase and HSEMS controls.
l) An explanation of how the COMAH Report is to be kept up to date, including a definition of how the term “substantive change” (as used in Section 7.2 for when a revision of the COMAH Report is required) will be interpreted (see Section 8).

The following requirements must be addressed when preparing a COMAH Report:

• Set conditions for Major Hazard Sites that require a COMAH Report. See Section 2.3. Major Accident Hazards include those that may cause accidental significant environment impacts. Refer to ADNOC ‘Code of Practice on Environmental Impact Assessment’ [5].
• Distinction between Major Hazard Site Operator and Contracting Company when defining responsibilities for preparing a COMAH Report. See Section 2.4.
• Recognition of the lifecycle process in which the COMAH report must cover each of the typical lifecycle stages. See Section 2.5.
• Major Hazard Site Operators must consult with engineering and operational specialists, the workforce, HSE personnel and other stakeholders during production of the COMAH report. Where predicted Major Accident effects extend beyond the site boundary, the Major Hazard Site Operator will need to consider the provision of Major Accident Hazards information to all people who are potentially affected, including both neighbouring facilities and members of the public, as well as relevant government departments and agencies, including the Police and Civil Defence Authority. Consultation is described in more detail in Section 7.
[3] ADNOC Manual of Codes of Practice: ‘Code of Practice on Crisis and Emergency Management’, ADNOC-COPV5-02 [4] ADNOC Group Guideline ‘HSE Management Systems’, January 2002. [5] ADNOC Manual of Codes of Practice: ‘Code of Practice on Environmental Impact Assessment’, ADNOC-COPV2-01
• Submission of the COMAH Report (as part of the HSEIA Report [2]) for approval by ADNOC, being the HSE regulator for the Abu Dhabi Oil & Gas industry. See Section 7.2.
• The COMAH Report is a living document. It is the Major Hazard Site Operator's responsibility to ensure it is kept up to date. The site COMAH report must be submitted to ADNOC (as part of the HSEIA process) for independent review and approval at three stages during the design/construction, pre-operation process for new sites and also before de-commissioning/disposal. For operational sites, the COMAH Report must be submitted for initial approval and for review at 5 yearly intervals, or whenever there are substantive changes to the site design or operation that affect Major Accident Hazards. These review aspects are dealt with in Section 8.
• Independent verification of the COMAH Report under certain conditions. See Section 2.6.

2.3 When is a COMAH Report required

All ADNOC Group Companies that are defined as Major Hazard Site Operators must prepare COMAH Reports for relevant Major Hazard Sites. Also refer to the list in Section 2 of the ADNOC ‘Code of Practice on HSEIA requirements’ [2].

It is acknowledged that it may not always be easy to precisely define a "site", especially if there is no physical boundary segregating the installations. For the purposes of this Code of Practice, a single site is a site under the control of a single person who takes responsibility for the site, including HSE issues. Typically this individual will be the Site Manager or Plant Manager.

Some sites, such as normally unattended offshore production facilities, may only have the potential for Major Accidents for brief periods. Nevertheless a COMAH Report must be prepared either for each of these sites, or they must be included within the COMAH Report for the complex.

For mobile installations, there will be a section that refers to the installation and a section which is site location specific. The COMAH Report will address Major Accident Hazards which arise as a result of the installation/site location interface. It may be possible for Operating Companies and Contracting Companies to develop a template to assist in the preparation of COMAH Reports for similar classes of mobile installations, e.g. drilling rigs.
[2] ADNOC Manual of Codes of Practice: ‘Code of Practice on HSEIA Requirements’, ADNOC-COPV1-02.
2.4 Responsibilities for preparing the COMAH Report
Group Companies are responsible for the preparation of COMAH Reports – which should consider all activities at the selected site – including contractor work. Some of these contractor activities may be executed by ADNOC Group Companies that provide services. The site COMAH Report should consider all contractor work – irrespective of whether this is performed by ADNOC or other service companies.
To illustrate this: It is the responsibility of the Operating Company to prepare and submit COMAH Reports for drilling operations. The Operating Company and ADNOC will agree how this is to be done on a case by case basis.
Where the Group Company is a service contractor (Contracting Company) to an Operating Company e.g. NDC or NPCC working for ADMA OPCO or ADCO, the Operating Company shall be defined as the ‘Major Hazard Site Operator’ and:
• The Operating Company shall be responsible for the preparation of the COMAH Report and its submission, as part of the HSEIA Report, to ADNOC.
• The Contracting Company shall be responsible for assisting the Operating Company in the preparation of the COMAH Report. This applies to issues concerning the provision, operation and integrity assurance of drilling rigs, construction barges and all other equipment supplied by the Contracting Company. It also applies to the competence assurance of the Contracting Company’s personnel and HSE Management issues relating in particular to roles and responsibilities, alignment of procedures, the management of interfaces and the emergency support provided by the Contracting Company to the Operating Company.
Further detail is provided in Section 5 of ADNOC ‘Code of Practice on HSEIA Requirements’ [2].
2.5 Project life cycle phases
A COMAH Report for Major Hazard Sites must address the Major Accident Hazards in each of the life cycle phases. ADNOC identifies the following four project lifecycle phases and a COMAH submission is required for each of these:
• Phase 1: Conceptual design and Front End Engineering.
• Phase 2: Engineering, Procurement and Construction (EPC).
• Phase 3: Operation.
• Phase 4: Decommissioning/disposal.
Further detail on these phases is provided in Section 3 of ADNOC ‘Code of Practice on HSEIA requirements’ [2]. The review requirements of the COMAH reports for each of the phases are addressed in Section 8.2 of this document.
2.6 Verification of COMAH reports
Each COMAH Report must be subject to thorough quality assurance by suitably experienced and competent person(s) for correctness and full coverage. This must be completed prior to submitting the COMAH Report to ADNOC as part of the HSEIA Report.
Depending on the HSEIA subject and the parties involved in preparing the report, there are conditions in which this verification must be carried out by an independent party, who must produce an Independent Verification Report (IVR). Refer to Section 4.4 of ADNOC ‘Code of Practice on HSEIA Requirements’ [2] for further detail.
3. DESCRIPTIVE INFORMATION
3.1 Local Environment
The COMAH Report must contain details of the surrounding land covering the area that could be affected by an incident on the site. Land use (e.g. industry, agriculture, urban development, environmentally sensitive locations) must be identified together with the most significant features (e.g. hospitals, schools, mosques) especially those where high concentrations of people may be found. An appropriately scaled and annotated area map must be included. Reference may be made to relevant parts of the general description as provided in the HSEIA Report [2].
3.2 Site Description
The COMAH Report must contain details of the site as a whole and its installations, particularly those of relevance to Major Accidents such as:
• Main storage facilities
• Process installations
• Inventory of hazardous substances including quantities, location and pressure/temperature conditions
• Key equipment (including vessels, pipes, loading/unloading facilities)
• Utilities and services
• Means of access and egress from the site for both normal and emergency purposes
• Areas where people may congregate such as control rooms, offices, workshops, canteens, contractor facilities and other occupied buildings.
An appropriately scaled and annotated site map must be included. The site must be described in sufficient detail to provide a clear picture of its purpose, location, activities, intrinsic hazards, services, technical equipment and methods for ensuring safe operation. On sites where hazardous material inventories change significantly over time, this must be noted and operating ranges given. The inventory of hazardous materials must include data on the hazardous properties of the materials such as flash points, auto-ignition temperatures, explosive and/or flammability limits, toxicity data, reaction and decomposition data relevant to assessing Major Accident Potential. Toxicity data must include persistence, acute and long-term effects, synergistic effects, ecotoxicity and bioaccumulation data where relevant. Reference may be made to relevant parts of the general description as provided in the HSEIA Report [2].
4. MANAGEMENT MEASURES TO PREVENT MAJOR ACCIDENTS
4.1 HSE Management Systems (HSEMS)
The COMAH Report is a document which primarily demonstrates how the HSEMS applies to a specific Major Hazard Site. It demonstrates how the Group Company’s HSEMS objectives are implemented in practice and how local risk management objectives are set and achieved.
As the COMAH Report is a local demonstration of the Group Company HSEMS in action, it must therefore demonstrate that all HSE risks will be managed and controlled. This is achieved by including a summary of the site HSEMS in the COMAH Report as this defines or references the management controls for all HSE risks.
However, the level of application of the hazards and effects management process in the COMAH report will be different according to the risk of each hazard, so that the document remains manageable and focused. Those hazards and effects which present lower level risks are not analysed in the report, but the controls are described or referenced in the site HSEMS (often referencing standard company procedures for control).
4.2 Screening of Hazards and Effects
For COMAH Reports, it is important to ensure that all hazards and effects associated with the Major Hazard Site are identified and assessed. The process of identifying and assessing hazards and effects is progressed at different levels of detail throughout the development of a facility. The details of the findings of Hazard Identification studies (HAZIDs), Hazard and Operability studies (HAZOPs), Health Risk Assessments (HRAs), Environmental Impact Assessments (EIAs), Quantitative Risk Assessment (QRA), etc. are retained in the project Hazard and Effects Register which is maintained up to date as the development progresses. When the COMAH Report is prepared this Register provides the information of what must be managed.
For an existing facility or operation, it is necessary to create a Hazard and Effects Register (see Appendix 2) if it does not already exist. In doing this it is important to gain operational input from key staff in the identification of all hazards and effects. Checklists are available in the public domain to assist this process.
When this has been done, the associated worst case consequences of the identified hazards and effects need to be assessed and ranked, using, for example, the Risk Matrix in the document ADNOC Group Guideline ‘HSE Risk Management’ [1]. In carrying out this ‘screening’ assessment, it is preferable to over-estimate potential consequences. This can be corrected later in more rigorous assessments.
In terms of using a level of analysis commensurate with the associated consequence or risk, hazards and effects can be categorized as follows:
[1] ADNOC Group Guideline ‘HSE Risk Management’, March 2000.
High Risk
Those hazards and effects which could result in major consequences are typically associated with scenarios involving failure of process integrity or operational failures resulting, for example, in loss of life or extensive asset damage. In terms of the ADNOC Qualitative Risk Potential Matrix, these Major Accident Hazards and effects have the potential for level 4 or 5 consequences (Severe or Catastrophic) usually with a high potential for escalation. Major Accident Hazards must be subject to comprehensive analysis such as the hazard ‘bow-tie’ approach (see Appendix 3) and quantitative analysis where necessary (see Section 5 and Appendix 1). By definition, in a COMAH Report, there would be a number of consequences in the High Risk category since this is the reason why a COMAH Report is required.
Medium Risk
In the screening assessment, another group of hazards and effects can be identified which require defined procedures or controls because they could be associated with consequences which, although not major, are nevertheless significant. Such hazards require less formal analysis and use may be made of simple Hazard and Effects Register Sheets which make reference to the existing hazard management systems and generic procedures defined in the Group Company or site HSEMS.
Low Risk
The remaining hazards and effects have less serious consequences, and are also less complex and are typically managed through good work practices and competence.
4.3 Identification and Management of HSE Critical Activities/Tasks and HSE Critical Equipment and Systems (HSECES)
HSE Critical Activities are those which when performed satisfactorily contribute to control of hazards with severe or catastrophic consequences (as defined in the ADNOC Risk Management Guidelines). These HSE Critical Activities can be at all levels within the company as described below:
• HSE Critical Activities for which senior management is responsible relate to such things as establishing the HSE policy, strategy and objectives, external relations and reviewing the HSEMS.
• At a process or technical support level, the activities will relate to such things as design and technical integrity assurance, setting procedures and structures in place to manage risks.
• At a supervisory level, the responsibilities will relate more to planning, execution and monitoring of work.
• Finally, at a task level, the responsibility for direct management of the control, mitigation or recovery measures will be HSE Critical.
All these HSE Critical Activities contain some element of the four steps of the Hazard and Effects Management Process, viz.:
1. Identify hazards and effects
2. Assess their significance
3. Provide Control for hazards and effects
4. Provide Recovery preparedness in the event that control is lost
HSE Critical Equipment and Systems (HSECES) are those whose failure could cause or contribute to an accident with severe or catastrophic consequences or whose purpose it is to prevent or limit the effect of such an accident. The document ADNOC ‘Code of Practice on Identification and Integrity Assurance of HSE Critical Equipment and Systems’ [6] provides guidance on how HSECES must be managed. The HSECES identified in the COMAH Report will become the list of HSECESs required by the ADNOC ‘Code of Practice on Identification and Integrity Assurance of HSE Critical Equipment and Systems’ [6].
When building the COMAH Report there are no firm rules as to the order in which the identification of HSECES, HSE Critical activities and tasks or the assessment of Major Accident Hazards is undertaken. In practice, an iterative process between the two as the report is being built is the most efficient means. Identifying the barriers, controls and recovery preparedness measures using the hazard ‘bow-tie’ analysis (see Appendix 3) for the Major Accident Hazards helps clarify which activities, tasks, equipment and systems will be HSE Critical.
Care must be taken not to break down HSE Critical Activities or sub-activities (tasks) to such a level that it becomes unmanageable. There is little to be gained in doing this unless the activities/tasks, equipment and systems relate to the control of Major Accident Hazards or occupational hazards with the potential for severe or catastrophic consequences.
[6] ADNOC Manual of Codes of Practice: ‘Code of Practice on Identification and Integrity Assurance of HSE Critical Equipment and Systems’, ADNOC-COPV6-01.
5. IDENTIFICATION OF MAJOR ACCIDENT SCENARIOS
5.1 Processes, Areas on Site and Scenarios that could lead to a Major Accident
The COMAH Report must describe the methods used and steps taken to identify and assess Major Accident Hazards. It must also include a detailed description of possible Major Accident scenarios, including the initiating causes, both internal and external to the site. The potential likelihood, extent and severity of each identified scenario must be determined at an appropriate level of detail to facilitate emergency response planning, and to allow the suitability of prevention and risk reducing measures to be judged.
This Code of Practice does not prescribe a particular approach to hazard analysis and risk assessment. The degree of effort that is required from the site operator must be proportionate to the hazard and risk present. Quantified arguments might be a good way of limiting the scope of the COMAH Report by demonstrating that a particular event has an extremely low probability of occurrence, or that a particular consequence is relatively minor. Guidelines on the use of quantified risk assessment (QRA) in COMAH Reports are given in Appendix 1.
Whatever approach is adopted, the process of analysis and assessment of Major Accident Hazards must achieve five objectives:
a) Identification of installations, or parts thereof, which are particularly relevant to Major Accidents.
b) Identification of hazard sources, i.e. the conditions and events which threaten the safe operation of the establishment, installation or plant in all phases of operation (start-up, normal operation, shut-down, loading/unloading etc.) for the entire life cycle of the site. This includes Major Accident Hazards in adjacent facilities (i.e. on sites not operated by the Group Company) but which have the potential to escalate and threaten the Group Company site.
c) Assessment of the potential consequences and likelihood of a major accident.
d) Assessment of the adequacy of prevention, control and mitigation measures.
e) Demonstration of acceptability of risk or ALARP in accordance with ADNOC Group Guideline ‘HSE Risk Management’ [1].
The COMAH Report must present the main results of the assessment and main conclusions. The detailed source documents on which the Report is based must be retained as part of the site records and must be made available to ADNOC on request. The COMAH Report must make reference to these supporting documents, especially those that contain information on the assumptions made and the judgement criteria used.
The accident scenarios identified, their potential consequences and their expected likelihood must be clearly documented, since they will be used as the basis for inputs to on-site and off-site emergency plans and potentially for decisions regarding development of neighbouring sites. The need for both escape of personnel from affected areas and for evacuation of the site must be clearly documented for each scenario.
In addition to the direct consequences of Major Accidents, there may be knock-on effects, such as secondary events involving substances that are not hazardous under normal conditions, but which can become harmful to people or the environment during an incident. The COMAH Report must include such possibilities.
5.2 Prevention, Detection, Control, Mitigation and Recovery Systems
The COMAH Report must identify those systems, both procedural and equipment, that are in place to prevent, detect, control, or mitigate Major Accident Hazards or which otherwise protect people or aid their escape during a Major Accident. An assessment of the effectiveness of each system must be made, including its ability to continue functioning under foreseeable major accident conditions.
Examples of hazard prevention, detection, control and mitigation systems that may need to be considered for inclusion in COMAH Reports are:
• Plant layout and separation distances.
• Protection of pipe-racks, instrument cable trays, supports.
• Protection of fired equipment against accidental explosion.
• Vulnerability of control rooms etc. during credible Major Accident scenarios.
• Corrosion protection allowances for HSE critical equipment.
• Protection against dropped objects for HSE critical equipment.
• Integrity of containment including structural support for HSE critical process systems.
• Insulation of hot surfaces.
• Classification of hazardous areas and electrical equipment for use in flammable or explosive atmospheres.
• Electrical earthing/grounding.
• Emergency shut-down systems.
• Safety integrity levels (SIL) for HSE critical instrumentation.
• Fail safe design (process plant and protective systems).
• Provision of accessible block valves at battery limits.
• Interlocks for HSE critical equipment.
• Well control equipment.
• Overpressure protection and blowdown.
• Emergency relief and venting, including explosion panels.
• Inerting and suppression systems.
• Devices to limit the scale or consequences of accidental releases; for example: scrubbing systems, water-spray vapour screens, secondary containment systems including bunds (dykes).
• Drainage to handle spills/fire-fighting water.
• Emergency utility provision (electrical power, instrument air).
• Fire detection systems and alarms.
• Fire and explosion protection (active and passive) including fire water supply, mains, pumps, sprinklers, deluge, foam, gaseous fire extinguishing systems, portable appliances.
• Flammable and toxic gas detection and alarms (fixed systems and portable appliances).
• Pipeline leak detection.
• Emergency communication systems.
• Emergency lighting systems.
• Emergency equipment including breathing apparatus, and resuscitation and other emergency medical equipment.
• Access for emergencies, emergency vehicles, vessels and helicopter/aircraft.
• Integrity of evacuation and escape routes.
• Evacuation and escape equipment including lifeboats, life rafts, lifebuoys, lifejackets.
• Determination, location and integrity of ‘Place of Safety’ (a safe onshore or safe offshore location or vessel where medical treatment and other facilities for the care of survivors are available).
The Major Accident Hazard prevention, detection, control and mitigation systems identified will be listed as HSECESs as required by the document ADNOC ‘Code of Practice on Identification and Integrity Assurance of HSE Critical Equipment and Systems’ [6] (see Section 4.3).
6. ON-SITE AND OFF-SITE EMERGENCY PLANS
6.1 General Responsibilities
Operators of sites with Major Accident Potential must develop, test and implement emergency plans for the site, in accordance with the document ADNOC ‘Code of Practice on Crisis and Emergency Management’ [3]. All such sites require an On-site Emergency Plan. If potential Major Accident Hazard effects extend beyond the site boundary, then an Off-site Emergency Plan must also be prepared. A summary of the Emergency Plans must form part of the site COMAH Report for submission purposes, but must be prepared as a separate document to facilitate use.
The Emergency Plans must cover the full range of possible Major Accidents identified in the COMAH Report, including reasonably foreseeable low-probability, high-consequence events such as catastrophic vessel failure. Where relevant, the plans must also address long-term effects such as environmental damage and clean-up. The degree of planning must be proportional to the probability and potential severity of the accident occurring.
It is the site operator's responsibility to ensure that the Off-site Emergency Plan includes adequate response to incidents that originate on its own site and reference any third party procedures e.g. adjacent operators, which may affect the site.
The Emergency Plans must be kept up to date and a summary must be submitted for independent review and approval with the rest of the COMAH Report. They must be reviewed whenever there is a substantive change on the site (see Section 8). Note that a substantive change to the site includes anything that changes the predicted Major Accident scenarios or arrangements for emergency response, including availability of personnel or other resources.
6.2 Objectives Of Emergency Plans
The objectives of the on-site and off-site emergency plans must be to:
• Contain and control incidents so as to minimise the effects and to limit damage to persons, the environment and property.
• Detail the emergency response measures necessary to protect persons, the environment and Company reputation from the effects of Major Accidents.
• Communicate the necessary information to employees, contractors, the public, police, civil defence, other relevant government departments and agencies and ADNOC.
• Provide for the restoration and clean-up of the environment following a major accident.
6.3 On-site Emergency Plans
The On-site Emergency Plan must contain:
1. The organisation for emergency response including positions and contact details of persons authorised to set emergency procedures in motion and the person in charge of and co-ordinating the on-site mitigatory action.
2. Position of the person with responsibility for liaison with external agencies, including ADNOC, police, civil defence authority and other relevant government authorities or agencies.
3. For foreseeable conditions or events which could be significant in bringing about a major accident, a description of the actions that must be taken to control the conditions or events and to limit their consequences, including a description of safety/emergency equipment and the resources available. This includes foreseeable escalation from Major Accidents on adjacent facilities (i.e. on sites not operated by the Group Company) but which could threaten and require an emergency response from the site.
4. Arrangements for limiting the risk to persons on site, including how alarms are to be given and the actions persons are expected to take on receipt of an alarm.
5. Arrangements for training of personnel in the duties they will be expected to perform, and where necessary co-ordinating this with external agencies including other site operators.
6. Arrangements and a schedule for testing of all aspects of the emergency plan including, where relevant, links to Plans of other Group Company sites.
6.4 Off-site Emergency Plan
The Off-site Emergency Plan must contain:
1. The organisation for emergency response including the positions and contact details of persons authorised to set emergency procedures in motion and of persons approved to take charge of and co-ordinate off-site actions.
2. Position and contact details of the person with responsibility for liaison with external agencies regarding the off-site emergency plan.
3. Arrangements for receiving early warning of incidents, and alert and callout procedures.
4. Arrangements for co-ordinating resources necessary to implement the plan.
5. Arrangements for providing assistance with on-site mitigatory action.
6. Arrangements for off-site mitigatory action.
7. Arrangements for providing third parties, including members of the public, with specific information relating to an incident including alarms and warnings and the behaviour that must be adopted.
8. Arrangements for provision of information to external agencies outside the United Arab Emirates in the event of a Major Accident with transboundary consequences.
6.5 Co-ordination of Off-Site Emergency Plans
Where the COMAH Report identifies the potential for an incident to affect a neighbouring facility, the relevant Emergency Plans will incorporate the following:
• Notification procedures.
• A co-ordinated response between the relevant facilities.
Additionally, the ADNOC Group Company that has identified the potential impact on a neighbouring facility is obliged to provide the relevant parts of their COMAH Report to the neighbouring facility, so that they may plan accordingly. Further details are given in the document ADNOC ‘CoP on Crisis and Emergency Management’ [3].
7. CONSULTATION AND PROVISION OF INFORMATION
7.1 Consultation With The Work Force (Employees & Contractors)
The document ADNOC ‘Code of Practice on Framework of Occupational and Operational Safety Risk Management’ [7] outlines requirements for work force involvement, consultation and provision of information regarding safety matters. To fulfil these requirements, an appointed representative (or representatives if this is more appropriate) of the work force must be involved in development of the COMAH report, both initially and in subsequent revisions.
The extent and type of work force involvement will depend on the particular circumstances of the site and the experience and training of site personnel. Representatives will generally be expected to provide input to the process through:
• Commentary on accuracy of the report.
• Highlighting where protective systems or procedures do not have the effects claimed.
• Identification of unnecessarily technical language so it can be eliminated.
In order to do this they must:
• Have access to a copy of the full COMAH Report.
• Be supplied with a summary of the key features of the COMAH Report, including a Remedial Action Plan with timescales for completion.
7.2 Provision Of Information To ADNOC
Each site operator must submit a copy of the COMAH Report to ADNOC EH&S Division for approval via the HSEIA process [2] at least three months prior to the date by which approval is required. Refer to ADNOC ‘CoP on HSEIA Requirements’ [2]. The approval period will be five years, unless there is a requirement for review following substantive changes on the site.
The level of detail in the COMAH Report must be sufficient for ADNOC, or an independent assessor(s), to assess the site with respect to Major Accident Hazards. This review will focus on how the site operator identifies and manages hazards on their site, so that risks to people are acceptable or ALARP and risks to the environment are controlled through use of the Best Available Techniques (BAT).
The site operator must also supply ADNOC with copies of supporting documentation or other information related to the assessment of Major Accident Hazards on request.
[7] ADNOC Manual of Codes of Practice: ‘Code of Practice on Framework of Occupational and Operational Safety Risk Management’, ADNOC-COPV4-01.
HSE MANAGEMENT MANUAL OF CODES OF PRACTICE Volume 5: RISK ASSESSMENT AND CONTROL OF MAJOR ACCIDENT HAZARDS
Version 1 April, 2004
COP ON CONTROL OF MAJOR ACCIDENT HAZARDS (COMAH) Document No: ADNOC-COPV5-01
7.3 Provision Of Information To External Authorities
Once the COMAH Report is approved by ADNOC via the HSEIA process, the site operator must provide a copy of any Off-site Emergency Plan to the police, Civil Defence Authority and other relevant government authorities and agencies. The site operator must supply the police, Civil Defence Authority and other relevant government departments and agencies with all information necessary for them to carry out their duties with respect to the Off-site Emergency Plan.
7.4 Provision Of Information To Neighbouring Facilities
Where there is the potential for an incident on one site to initiate a Major Accident on another, the first site operator must supply all necessary information to the second to allow such possibilities to be included in the second site's COMAH Report. Both companies must include the event in their COMAH Reports and must demonstrate that all necessary measures have been taken to prevent such an event and to limit its consequences.
7.5 Provision Of Information To The Public
It is the site operator's responsibility to ensure that people outside the site boundary, who could be affected by an incident originating on the site, are informed of the appropriate actions they must take according to the Emergency Response Plan. People potentially impacted by an incident on a site must be informed, even if they are only present in the vicinity of the site on a short-term or temporary basis. Such information must be supplied in clear, simple terms and in an appropriate language(s).
8. REVIEW REQUIREMENTS
8.1 Periodic Review
Site operators must review and update the COMAH Report at least once every five years. This update must include all minor changes to plant design or operation or to the HSE management system or emergency plans over the five year period. The updated document must be submitted to ADNOC EH&S Division with the changes highlighted for approval via the HSEIA process [2]. There is no requirement to resubmit the COMAH report for minor (non substantive) updates between the five yearly approval submissions.
8.2 Review Due To Changes
For new sites and modifications to existing sites that involve substantive changes relevant to Major Accident Hazards, the operator must consult with ADNOC EH&S Division at an early stage to determine a schedule for submission of COMAH report information at key project phases. The objective is to avoid design or construction progressing too far, so that necessary changes become expensive or difficult.
With reference to Section 2.5 and the document ADNOC ‘CoP on HSEIA Requirements’ [2], COMAH reports must be approved at four project phases which can be summarised as follows:
(1) Conceptual design and FEED stage - included is all work up to the decision to go to final design and / or tender.
(2) At EPC - prior to construction.
(3) Operational phase of a project - must be approved before normal operations begin.
(4) Prior to decommissioning, deconstruction and disposal. Abandonment of wells will generally be covered by the COMAH report for a Major Hazard Site. The COMAH report must be reviewed and updated to take into account changed risk levels as a result of the abandonment.
It is expected that the COMAH report will develop through each of the project phases. The third submission (pre-operations) must be complete and address all issues raised in earlier reports. Prior submissions may have less detail and must focus on the specific activities of the project at each stage with respect to Major Accident Hazards. The earlier stage submissions must cover such aspects as:
• Hazard identification
• Elimination of hazards by design
• Avoidance of hazardous materials
• Minimisation of hazardous inventories
• Separation of plant
• Segregation of people from hazards
• Design standards
Further guidance can be found in the document ADNOC CoP ‘Best Practice Note on Outline HSE Design Philosophy for Major Hazard Plant and Equipment’ [8].
Submissions at phases 1 and 2 above, as a result of substantive changes to a site with an existing COMAH report, can either be in the form of the full COMAH report with highlighted changes or in the form of a separate document.
The site COMAH Report must also be reviewed and updated as necessary when new facts or new technical knowledge invalidates any part of the current approved COMAH Report. For modifications at existing sites, these requirements should be included, as necessary, in Management of Change procedures.
8.3 Guidance On Levels Of Review
The Group Company and site HSEMS Report must document how the Major Hazard Site Operator identifies a "substantive change" when the COMAH Report will require review and update. The definition of "substantive change" must include:
• Changes to the HSE management system that affect Major Accident Hazards.
• Changes to the types or quantities of hazardous materials.
• Process changes, in particular changes to HSE Critical Equipment and Systems (HSECES).
• Changes to the nature of hazards and threats that could initiate a major accident.
• Changes that would result in additions to or subtractions from the list of identified major accident scenarios.
Figure 2 outlines the review process and triggers in diagrammatic form.
Figure 2: COMAH Report submission
[Flowchart. Column headings: Responsibility of Group Company that initiates the project or operates the site; Submit to ADNOC for approval; Timing.]
Starting points shown:
• New site with Major Accident Potential
• Substantive change to Major Accident Potential of existing site (with existing COMAH Report)
• Substantive change of existing site that introduces Major Accident Potential
• Existing site (without previous COMAH Report) with Major Accident Potential
• Existing site (with previous COMAH Report) – Five years since last submission
• Decommissioning, deconstruction, removal and disposal
Actions shown:
• Inform ADNOC EH&S Division and develop schedule for submission of COMAH Report(s)
• Update existing Phase 3 COMAH Report
Reports submitted to ADNOC for approval, with timing:
• Conceptual Design & FEED COMAH Report (Phase 1): must be authorised via the HSEIA process before EPC contract award
• EPC COMAH Report (Phase 2): must be authorised via the HSEIA process before construction begins
• Operational COMAH Report (Phase 3): must be authorised via the HSEIA process before hazardous materials are introduced
• Updated Operational COMAH Report (Phase 3): must be authorised via the HSEIA process by the update due date
• Decommissioning & disposal COMAH Report (Phase 4): must be authorised via the HSEIA process prior to decommissioning, deconstruction and disposal
REFERENCES
1. ADNOC Group Guideline ‘HSE Risk Management’, March 2000.
2. ADNOC Manual of Codes of Practice: ‘Code of Practice on HSEIA Requirements’, ADNOC-COPV1-02.
3. ADNOC Manual of Codes of Practice: ‘Code of Practice on Crisis and Emergency Management’, ADNOC-COPV5-02.
4. ADNOC Group Guideline ‘HSE Management Systems’, January 2002.
5. ADNOC Manual of Codes of Practice: ‘Code of Practice on Environmental Impact Assessment’, ADNOC-COPV2-01.
6. ADNOC Manual of Codes of Practice: ‘Code of Practice on Identification and Integrity Assurance of HSE Critical Equipment and Systems’, ADNOC-COPV601.
7. ADNOC Manual of Codes of Practice: ‘Code of Practice on Framework of Occupational and Operational Safety Risk Management’, ADNOC-COPV4-01.
8. ADNOC Manual of Codes of Practice: ‘Best Practice Note on Outline HSE Design Philosophy for Major Hazard Plant and Equipment’, ADNOC-COPV5-04.
9. ADNOC Manual of Codes of Practice: ‘Guideline on Risk Assessment and Quantitative Risk Assessment’, ADNOC-COPV5-03.
10. A Guide To The Control Of Major Accident Hazard Regulations, 1999 - HSE Books, ISBN 0 7176 1604 5.
11. A Guide to the Offshore Installations (Safety Case) Regulations, 1992 (revised 1998) - HSE Books, ISBN 0717611655.
12. ADNOC Manual of Codes of Practice: ‘Code of Practice on Essential Features of Road Transport Operations, Risk Assessment and Control’, ADNOC-COPV4-06.
13. ADNOC Manual of Codes of Practice: ‘Code of Practice on Essential Features of Marine Transport Operations, Risk Assessment and Control’, ADNOC-COPV408.
14. ADNOC Manual of Codes of Practice: ‘Code of Practice on Essential Features of Air Transport Operations, Risk Assessment and Control’, ADNOC-COPV4-07.
15. ADNOC Manual of Codes of Practice: ‘Code of Practice on HSE Administration Systems’, ADNOC-COPV1-01.
APPENDIX 1 USE OF QUANTITATIVE RISK ASSESSMENT (QRA) IN COMAH REPORTS
Use Of QRA In COMAH Reports
Once hazards and hazardous events have been identified, their causes, consequences and probability can be estimated and the risk determined. Risk assessment may be on a qualitative or quantitative basis. Both involve the same steps. Qualitative methods may be adequate for risk assessments of simple facilities or operations where exposure of the workforce, public, environment or the asset is low. However, the application of quantitative methods is considered to be desirable when:
• Several risk reduction options have been identified whose relative effectiveness is not obvious.
• The exposure of the workforce, public, environment or the strategic value of the asset is high, and reduction measures are to be evaluated.
• Equipment spacing allows significant risk of escalation.
• Novel technology is involved resulting in a perceived high level of risk for which no historical data is available.
• Demonstration of relative risk levels and their causes to the workforce is needed to make them more conscious of the risks.
• Demonstration within the Group Company and to ADNOC that risks are acceptable or as low as reasonably practicable is required (in accordance with the numeric criteria in the ADNOC Group Guideline ‘HSE Risk Management’ [1]).
The application of QRA must not be limited to large complex expensive studies. It is a technique which can be used quickly and cheaply to help structure the solution to problems for which the solution is not intuitively obvious. Reference is also made to the ADNOC Manual of Codes of Practice: ‘Guideline on Risk Assessment & Quantitative Risk Assessment (QRA)’ [9].
Quantitative Risk Assessment (QRA) may be defined as ‘The quantitative evaluation of the likelihood of undesired events and the likelihood of harm or damage being caused, together with the value judgements made concerning the significance of the results’. This procedure involves a series of specific stages, as follows:
1. Identification of undesired events.
2. Analysis of the mechanisms by which undesired events could occur.
3. Consideration of the extent of any harmful effects.
4. Consideration of the likelihood of the undesired events and the likelihood of specific detrimental outcomes.
5. Judgements on significance of the identified hazards and estimated risks.
APPENDIX 2 GUIDANCE FOR PREPARING A HAZARDS AND EFFECTS REGISTER
Guidance for Preparing a Hazards and Effects Register
1. INTRODUCTION
This appendix provides guidance on recording the results of the analysis made of each hazard or effect present in a facility or operation in a Hazards and Effects Register.
2. WHAT IS A HAZARDS AND EFFECTS REGISTER?
A Hazards and Effects Register is a quality record which demonstrates that all the hazards and effects (in terms of the objectives established for COMAH Report) have been identified, are understood, and are being properly controlled. It demonstrates that the facility, 'as built' and 'as will be operated', or the operation 'as planned', is adequately controlled and that preparations are in place to handle any consequence that could result, if control is ever lost. It is kept current throughout the life-cycle of a project, eg from design, through operations to decommissioning.
The purpose of the Hazards and Effects Register is to present in a clear and concise form, the results of the analysis made of each hazard or effect present in, or resulting from, the facility or operation.
3. WHO SHOULD PREPARE THE HAZARDS AND EFFECTS REGISTER?
Hazards and Effects can be identified and assessed by multi-disciplinary Working Groups with numbers drawn from relevant disciplines. Each group should meet as needed to assess one or more hazards or effects. Facilitation during the process of building the Hazards and Effects record is usually needed. The meetings should therefore be facilitated by a member of an HSE Management System team, or line person familiar with the Hazards and Effects Management Process (HEMP), and should be attended by personnel who are knowledgeable of the location, area or operation in which the hazards and effects are to be addressed (eg drilling rig, gas plant operations, maintenance, seismic survey, etc). The identification and analysis of some hazards and effects may require specialist input.
Ideally Major Accident Hazards and effects for which control is largely provided by location, layout, design and provision of hardware should be identified and analysed and properly recorded during the design and construction stages of a project. For existing facilities, the current situation and condition may need to be re-assessed and recorded.
Some hazards and effects, or event scenarios, may be such that risks can only be reliably evaluated by specialist structured analysis techniques. Appropriate specialists, in-house or contracted, may be needed to apply these techniques properly and cost effectively. A summary of the results of these analyses should be recorded in the Hazards and Effects Register in the same way as for other analysis results.
No hazard analysis process can guarantee the identification and control of all hazards and effects, but a multi-discipline team has the potential to provide the best possible results. Additionally, when teams are actively involved in analysing their activities and tasks the improvement initiatives that result are much more likely to be ‘owned’ by them.
The quality of the output from a team exercise comes not only from the experience and expertise of the team members but also from the association of ideas triggered by personal interactions. The role of the team leader is critical in facilitating this process.
4. WHAT NEEDS TO BE RECORDED FOR EACH HAZARD OR EFFECT?
Each hazard or effect identified as being encountered or involved with a facility or operation (subject to the scope and objectives established for the COMAH Report) should be recorded together with the associated assessments, control and recovery measures in place or required to be in place and an evaluation of risks. The form of recording is not as important as the need for completeness of the information recorded. Group Companies may choose to use a format that is compatible with their other management systems. Figure A2.1 below shows how the information for each hazard or effect may be presented.
FIGURE A2.1 - AN EXAMPLE OF A HAZARD REGISTER SHEET
4.1 Hazard description
Describe the hazard (agent or effect) identified for which information is to be recorded by broad groupings (e.g. hydrocarbons, elevated objects, high pressure fluids, extreme temperatures, biological hazards, toxic substances, land take) and sub-groups, (e.g. high pressure gas, oil, LPGs, hot surfaces, specific bacteria or parasites). This information would be printed in boxes 1 and 2 of the report sheet shown in Figure A2.1.
4.2 Assessment of hazard
This describes where and when the hazard is most likely to be encountered and the possible hazardous events that could result from loss of control (in terms of the specific hazard's potential to cause harm, including ill health and injury, damage to property, plant or the environment, production losses, increased liabilities, or damage to reputation). This information would be printed in box 3 of the report sheet in Figure A2.1.
4.3 Top event
Describe here the event or situation that represents the release of the hazard or deviation from defined control limits (continuous exposures or continuous discharges). If this event or situation can be prevented by active controls (see 4.5 - threat controls) no scenario can develop which could lead to a consequence or effect as defined by COMAH Report objectives. This information would be printed in box 4 of the report sheet in Figure A2.1.
4.4 Locations associated with hazard and acceptance criteria
List the locations where the hazard (or effect) is present. For each location, define the acceptance criteria. Criteria may include a range of considerations or values that may be defined in both qualitative or quantitative terms. Acceptance Criteria also define what is deemed suitable and sufficient control of threats and suitable and sufficient recovery preparedness. For example in drilling operations a stipulated number of barriers or controls (usually 2 or 3) are required to be in place before an operation may proceed. This specified number of controls is the acceptance criterion for the particular hazard and location under review. To illustrate this point, an example set of acceptance criteria is provided in Table 1 below. This information would be printed in box 5 of the report sheet in Figure A2.1.
TABLE 1 - AN EXAMPLE SET OF ACCEPTANCE CRITERIA
| Controls | Incorporate risk reduction measures zone hazards | Intolerable risk hazards | Low risk hazards |
|---|---|---|---|
| Threat Barriers | Minimum of 3 independent effective barriers to be in place for each identified threat | Minimum of 2 independent effective barriers to be in place for each identified threat | Minimum of 1 independent effective barrier to be in place for each identified threat |
| Recovery Preparedness Measures | Minimum of 3 independent effective recovery preparedness measures required for each identified consequence (including one to detect automatically occurrence of top event, and one other to prevent automatically further escalation) | Minimum of 2 independent effective recovery preparedness measures required for each identified consequence (one to detect occurrence of top event and other to prevent further escalation) | Minimum of 1 independent effective recovery preparedness measure required for each identified consequence |
| Escalation Factor Controls | Minimum of 2 independent effective controls for each identified escalation factor | Minimum of 1 independent effective control for each identified escalation factor | Minimum of 1 procedure for each identified escalation factor |
4.5 Threats and threat controls
Identify and describe the possible causes of release of the hazard or deviation from control limits, resulting in the top event defined in 4.3. These are threats. Hazards, threats and top events are logically related. For example:
| Hazard | Threat | Top event |
|---|---|---|
| ‘oil under pressure’ (in piping) | ‘corrosion’ | ‘loss of containment’ |
| ‘elevated load’ | ‘inadequate sling strength’ | ‘fall to lower level’ |
| ‘oil in effluent water’ | ‘instrument failure’ | ‘exceeded control limits’ |
Describe the likelihood or frequency that the threats release the hazard. This may be done either quantitatively if sufficient data is available, by reference to incidents in similar facilities or operations or based on the judgement of experienced personnel. These likelihood(s) or frequencies should be expressed in terms which can be related to the acceptance criteria described in 4.4.
For each threat describe the threat controls, commonly referred to as barriers. These are pro-active and prevent threats from releasing the hazard or causing deviation from control limits. Barriers include guards or shields, separation, energy reduction or administrative controls, and specific controls, procedures, work instructions, design, competence, standards, control systems, etc. Any shortfalls in meeting acceptance criteria should be highlighted and recorded, see 4.10. A cross reference should be provided to the HSE-critical activities or tasks providing or maintaining these threat controls. This information would be printed in box 6 of the report sheet in Figure A2.1.
4.6 Consequences and risk assessment
Describe the possible consequences or potential effects that could result if the hazard is released or control limits are exceeded. Consequences or effects are logical and credible outcomes of scenarios starting with the top event which follow different escalation sequences according to the availability and (in)effectiveness of recovery measures. Loss of containment (Top Event) of hydrocarbon gas could result in, for example, rapid detection, shutdown, limitation of volume, no ignition and consequently a minor release to the atmosphere. Alternatively it could result in, for example, failure or delay in detection, continued release, ignition, explosion and consequently major damage, injuries or fatalities, etc. This information would be printed in box 7 of the report sheet in Figure A2.1.
Assess the risks associated with each of the possible consequences. As a minimum the worst case, most severe consequences should be determined both with all available recovery measures in place and working, and with all possible recovery measures not available or not working. The likelihood (probability or frequency) element of risk should also be assessed. Some risks or complex scenarios may require the application of structured review techniques by specialists, for example, health risk assessments, quantitative (safety) risk assessments or environmental assessments. However, many hazards can be adequately assessed by appropriately experienced staff by comparisons, reference to statistics or judgement.
Risks may be expressed quantitatively, if the assessment method is quantitative, but for most hazards a qualitative risk assessment may be adequate. The ADNOC risk matrix is considered a useful way of presenting the risks for most hazards. Risks to people, assets, the environment and company reputation should be assessed separately. A leak or spill may be of little direct consequence for people, but may be of greater consequence for the environment.
This information would be printed in box 7 of the report sheet in Figure A2.1.
4.7 Recovery preparedness measures
Describe the recovery preparedness measures that are required to meet the acceptance criteria. These are the technical, operational and organisational measures which are needed to prevent a top event from developing further, hence mitigating the consequences or effects and recovering a degree of control. These recovery preparedness measures are essentially reactive as they respond to a situation which has occurred and are intended to block further development of the accident scenario and to provide for emergency management.
Recovery preparedness measures include active systems which detect and abate incidents (for example, gas and fire detection, shutdowns, sprinkler systems, etc); passive systems which contain (or restrict) an incident and provide protection for people and essential equipment (for example, fire and blast walls, protective coatings, drain systems, tank bunds, catchment basins, etc); and operational and organisational systems for emergency management (for example, contingency planning, training, drills, Medevac, firefighting, oil spill response, etc).
Any shortfalls in meeting acceptance criteria should be highlighted and recorded, see 4.10. A cross reference should be provided to the HSE-critical activities or tasks providing or maintaining these recovery measures. This information would be printed in box 8 of the report sheet in Figure A2.1.
4.8 Escalation factors and controls
Describe the factors or conditions which could lead to loss of barriers or loss of recovery preparedness measures. These factors escalate the probability of a top event and/or escalate the likelihood or severity of consequences or effects if the top event occurs. Escalation factors include:
• abnormal operating conditions, for example, concurrent construction or maintenance, operating outside the design envelope, etc;
• environmental variations, for example, high winds, waves, tides or rainfall;
• failure of controls, for example, improper maintenance, damage as a result of another event (fire, explosion, etc) introduction of an ignition source, etc;
• human error, for example, lapses, rule violations, etc; or
• absence of controls (threat controls and recovery measures) due to technical feasibility, policy (burn-down philosophy) or excessive cost.
• health and human factor aspects e.g. alcohol, drugs and inappropriate working schedules.
Describe for each escalation factor the controls that should be in place to 'stand-in' for the defeated barrier or recovery preparedness measure. Many escalation factor controls will be similar to threat controls, see 4.5. Other significant controls on escalation factors such as concurrent activities (production/drilling operations/construction/maintenance), operations outside the design envelope, severe weather, etc are limitation of activities in accordance with the Manual of Permitted Operations (MOPO) and issue of permits to work (PTW), which are a means of implementing the MOPO. Escalation controls which are dependent on the MOPO should be highlighted for later verification of MOPO coverage. See note on MOPO – Section 4.11.
Any shortfalls in escalation controls should be highlighted and recorded, see 4.10. A cross reference should be provided to the HSE-critical activities or tasks providing or maintaining the escalation controls. This information would be printed in box 9 of the report sheet in Figure A2.1.
4.9 Reference documents
List and number all the documents, procedures, standards, specifications, studies, assessments, etc used or referred to in developing the information entered for the hazard or effect being recorded. Barriers, recovery preparedness measures and escalation controls should be cross-referenced to these references. This information would be printed in box 10 of the report sheet in Figure A2.1.
4.10 Deficiencies
Record all the shortfalls or deficiencies identified with respect to management of the hazard or effect being recorded as noted in 4.5, 4.7 and 4.8. These shortfalls should later be collated in the COMAH Report summary of shortfalls and remedial actions and an action plan, priority rating, action party and timing assigned and agreed. Typical types of shortfalls are summarised in Table 2.
4.11 Manual of Permitted Operations (MOPO)
Having identified and evaluated hazards, and put in place controls and recovery measures to maintain risk levels to acceptable or ALARP, it is vital to understand the limits of safe operation, i.e. where the ‘operating envelope’ is. When should the decision be made to stop? It is crucial that an operation be stopped in time to avoid all types of losses whether human, environmental or asset related. This understanding of where the ‘operating envelope’ is can be greatly assisted if we consider the effect that threats and escalation factors have upon the risk of the operation. Threats and escalation factors include:
• Multiple activities such as any combination of maintenance, production, construction, production, drilling, well work-over or other operations taking place concurrently
• External influences such as inclement weather
• Inactive safeguards such as the testing of an emergency system or the bypassing of a control system
In all such cases we wish to understand how the risk of the operation is increased and what additional measures are needed to manage the increased risk such that it still remains acceptable or ALARP. The MOPO is aimed at doing just this; at showing where the boundary of the ‘operating envelope’ is. It is imperative that the MOPO be a permitted operations manual and not a prohibited operations manual since the latter leads to the possible interpretation that anything not specifically prohibited is allowed. This is certainly not the intention
TABLE 2 - TYPICAL SHORTFALL TYPES
| Shortfall Type | Comments |
|---|---|
| Shortfall in meeting external standards | Includes codes, legislation, industry standards |
| Shortfall in meeting current company standards | Includes procedures, guidelines, company standards, specifications, work instructions |
| Area for improvement in the medium to long term | Often related to controls assessed as ineffective |
| Implementation shortfall | Often related to controls assessed as ineffective |
| Consider for lateral application in the company | An area for improvement that the review team thinks would benefit other activities |
| Also applies to the corporate HSE MS | A hazard shortfall that may have resulted due to a shortfall in the corporate management system |
| Failure to meet threat control or consequence recovery acceptance criteria | Any time there is a failure to meet acceptance criteria |
| Failure to meet risk tolerability criteria | Any consequence that plots in the intolerable area on the risk matrix |
| Area requiring further and / or more rigorous analysis | The review team cannot properly assess the hazard; for example, effect of H2S release on nearby village. |
This information would be printed in box 11 of the report sheet shown in Figure A2.1.
APPENDIX 3 THE HAZARD BOW-TIE MODEL
The Hazard ‘Bow-Tie’ Model
1 INTRODUCTION
The Hazard 'Bow-tie' Model describes the basic Hazard - Top Event Consequence sequence and is shown in Figure A3.1 below. This highlights the point that it is the hazard that can have undesirable consequences and must be managed. This involves understanding both causation, i.e. how the hazard may be released, as well as consequence, i.e. what could possibly result if the hazard is in fact released.
[Figure A3.1: Hazard Analysis - The ‘Bow-Tie’. Diagram elements: threats, barriers to prevent threat, hazard, top event, recovery preparedness measures, consequences, escalation factors, and control of escalation factors.]
The model states that for a hazard at a location there are a number of causes (threats) that will release the hazard (top event) and that, if a hazard is released, there are a number of possible outcomes (consequences). To manage the hazard fully requires that all threats are suitably and sufficiently controlled (barriers) and that suitable and sufficient measures are in place for all consequences possible and foreseeable (recovery preparedness measures).
2 THE TERMS USED IN THE ‘BOW-TIE’ MODEL
The starting point of the Hazard ‘Bow-Tie’ Model is the hazard; where the term hazard is used it also includes environmental effects and agents affecting health. This generally involves identifying the potential for harm (some form of energy) to people, assets, the environment and reputation. Once the hazard has been identified its significance in terms of risk must be assessed and reviewed. Is the operation necessary? Can the hazard be eliminated?
Assuming that there is no alternative and that the hazard is an intrinsic part of the operation, then the hazard must be managed. Firstly, by considering the causation path to the point where the hazard could first be released, and then by consideration of the range of possible consequences through to the worst case scenario. The causation path relates to release mechanisms, or threats, such as erosion, corrosion, human error (competence), physical causes, etc. The first consequence of a released hazard is termed the 'top event' from reference to Quantitative Risk Assessment techniques. For example, for a hydrocarbon hazard the top event is often loss of containment. To reduce the probability of this top event occurring each and every 'threat' should be controlled by putting into place effective and appropriate 'threat barriers' or 'controls', as shown in Figure A3.2.
[Figure A3.2 - Control of a threat. Threat: Excessive Pressure. Barriers: System Strength Tested; Automatic High Pressure Shutdown; Pressure Relief Valve. Top Event: Loss of Containment.]
Many environmental effects and health hazards can be considered in the same way. In this case, the top event is often a deviation from defined control limits, for example, exceeding environmental discharge limits, or exceeding occupational health exposure limits. Environmental effect can be seen as a 'top event', often the result of an activity whose significance (in terms of potential harm to the environment) was not properly considered or controlled at the outset. Example - deforestation leads to erosion, which in turn leads to silting of streams and damage to aquatic life. What was the root cause of the impact or effect? How can the lessons from this causation sequence be used to prevent a recurrence? Potential damage to the company's reputation can be addressed in the same way.
On the consequence side of the 'Bow-tie', i.e. once the hazard has been released, what are the potential consequences or effects? These can be seen as a series of possible outcomes or events of increasingly lower probability of occurrence. Such consequences will include at one end a top event and at the other a disastrous event in terms of human and/or environmental loss or damage, asset loss, damage to the corporate reputation or some combination.
In considering this chain of events, measures aimed at reducing the probability and mitigating each consequence should be considered. These are termed 'recovery preparedness measures' or more simply 'Recovery Measures', as shown in Figure A3.3.
[Figure A3.3 - Recovery preparedness for a possible consequence. Top Event: Loss of Containment. Recovery Preparedness Measures: Leak Detection and Alarm; Blowdown Facilities; Ignition Sources Control; Ventilation. Consequence: Explosion.]
It is then important to consider those conditions that can prevent barriers or recovery preparedness measures from being effective, ‘escalation factors’, e.g. safeguard systems being out of action. Controls, or ‘escalation factor controls’, can be put in place to ensure that the probability of the escalation factor affecting the barrier or recovery preparedness measure is minimised, as shown in Figures A3.4 and A3.5.
[Figure A3.4 - Escalation factors in causation and their control. Threat: Excessive Pressure. Barriers: System Strength Tested; Automatic High Pressure Shutdown; Pressure Relief Valve. Escalation Factors: Down for Maintenance; Root Valve Closed. Controls: Procedure; Administration. Top Event: Loss of Containment.]
[Figure A3.5 - Escalation factors in recovery preparedness and their control. Top Event: Loss of Containment. Recovery measures: Leak Detection and Alarm; Blowdown Facilities; Ignition Sources Control; Ventilation. Escalation Factors: Sensor Failure; Down for Maintenance. Controls: Preventive Maintenance; Procedural. Consequence: Explosion.]