GUIDE FOR MAJOR HAZARD FACILITIES SAFETY CASE: DEMONSTRATING THE ADEQUACY OF SAFETY MANAGEMENT AND CONTROL MEASURES MARCH 2012 Safe Work Australia is an Australian Government statutory agency established in 2009. Safe Work Australia consists of representatives of the Commonwealth, state and territory governments, the Australian Council of Trade Unions, the Australian Chamber of Commerce and Industry and the Australian Industry Group. Safe Work Australia works with the Commonwealth, state and territory governments to improve work health and safety and workers’ compensation arrangements. Safe Work Australia is a national policy body, not a regulator of work health and safety. The Commonwealth, states and territories have responsibility for regulating and enforcing work health and safety laws in their jurisdiction. ISBN 978-0-642-33388-9 [PDF] ISBN 978-0-642-33389-6 [RTF] Creative Commons Except for the logos of Safe Work Australia, SafeWork SA, WorkCover Tas, WorkSafe WA, Workplace Health and Safety QLD, NT WorkSafe, Work Cover NSW, Comcare and WorkSafe ACT, this copyright work is licensed under a Creative Commons Attribution-Noncommercial 3.0 Australia licence. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc/3.0/au/ In essence, you are free to copy, communicate and adapt the work for non commercial purposes, as long as you attribute the work to Safe Work Australia and abide by the other licence terms. Contact information Safe Work Australia Phone: +61 2 6121 5317 Email: [email protected] Website: www.safeworkaustralia.gov.au WORKSAFE Western Australia TTAABBLLEE OOFF CCOONNTTEENNTTSS 1. INTRODUCTION 2 2. DEMONSTRATIONS OF ADEQUACY 3 2.1 Features of successful demonstrations 3 2.2 Core concepts 3 3. PLANNING AND PREPARATION 5 3.1 What demonstrations are required? 5 3.2 Workforce requirements 5 3.3 Health and Safety Representatives 6 3.4 Project and technical issues 6 4. THE DEMONSTRATION PROCESS 7 5. DEMONSTRATION OF CONTROL MEASURE ADEQUACY 8 5.1 What is reasonably practicable? 8 5.2 Do controls minimise risk so far as is reasonably practicable? 9 5.3 Could more or better controls be used? 12 5.4 Use of examples in demonstration 13 5.5 Use of industry codes and standards 14 5.6 Are control measures adequate? 15 6. DEMONSTRATION OF COMPREHENSIVE AND INTEGRATED SMS 16 6.1 Does the SMS support control measures? 16 6.2 Demonstrating that the SMS supports control measures 17 7. OUTPUTS 18 8. REVIEW AND REVISION 18 APPENDIX A – WHS REGULATIONS 19 APPENDIX B – DEFINITIONS 22 APPENDIX C – RISK CRITERIA 24 APPENDIX D – FURTHER INFORMATION 29 GUIDE | SAFETY CASE: DEMONSTRATING THE ADEQUACY OF SAFETY MANAGEMENT AND CONTROL MEASURES 1 1. INTRODUCTION To obtain a licence to operate a major hazard facility (MHF), operators are required to submit a safety case which demonstrates how the facility will be operated safely. The purpose of this guidance material is to assist operators of MHFs to demonstrate that the content of their safety case will achieve the safe operation of the MHF through a satisfactory safety management system and adequate control measures. Use of this guidance material will enable MHF operators to submit a safety case to the regulator that satisfactorily demonstrates: that the facility’s safety management system (SMS) will control risks arising from major incidents and major incident hazards the adequacy of the measures to be implemented by the operator to control risks associated with the occurrence and potential occurrence of major incidents. This Guide forms part of a set of guidance material for MHFs that includes information on: Notification and Determination Safety Assessment Safety Management Systems Developing a Safety Case Outline Preparation of a Safety Case Information, Training and Instruction for Workers and Others at the Facility Providing Information to the Community Emergency Plans. WHAT DO THE REGULATIONS REQUIRE? The operator of a determined MHF must establish a safety management system for the operation of the major hazard facility and provide the regulator with a completed safety case for the MHF within two years after determination of the MHF. The safety case must include a summary of the safety management system for the MHF. Further details of the requirements under the WHS regulations are set out in Appendix A. Relevant definitions are set out in Appendix B. 2 GUIDE | SAFETY CASE: DEMONSTRATING THE ADEQUACY OF SAFETY MANAGEMENT AND CONTROL MEASURES 2. DEMONSTRATIONS OF ADEQUACY Demonstrations in a safety case provide all stakeholders with assurance that the operator is achieving safe operation of the facility by using adequate control measures and satisfactory management systems. In particular, they provide regulators with some of the evidence necessary to support the issuing of a licence to operate the MHF. The regulator will usually verify some of the data provided in the safety case demonstrations to confirm the validity of the arguments made by the operator. Periodically, and following major changes to the facility or its operations, the demonstrations must be reviewed to ensure safe operation is being maintained. Such a review may also be triggered by a new state of knowledge e.g. following incidents. There are two sets of circumstances in which safety cases, and the demonstrations they contain, need to be prepared. These are: when the safety case is being prepared for a new MHF, for example: a ‘green field’ facility that will be a MHF an existing facility that will become a MHF after modifications that will increase the quantity of Schedule 15 materials on site to above threshold quantities a facility that has been determined to be a MHF by the regulator under regulation 541 when a safety case is reviewed and revised as part of an application for licence renewal. Features of successful demonstrations 2.1 The following factors are critical for successful demonstrations in a safety case: a clear understanding of the means and criteria the operator uses to decide when risk has been reduced so far as is reasonably practicable, or alternatively, how the operator decides that it is not practicable to carry out further risk reduction steps access to information about, or people with knowledge of, hazards and effective control measures that are available to deal with them historical data and records that show how well specific control measures function understanding of the specific safety management system (SMS) elements needed to ensure ongoing effectiveness and reliability of each specific control measure historical performance data and records that show how well the supporting SMS elements function. Core concepts 2.2 The safety case must include information sufficient for the purpose of demonstrating that the control measures adopted at the facility are adequate, and that the SMS is comprehensive and integrated for all aspects of the adopted control measures. The information needs to be transparent and detailed for it to be understood by others, and for the regulator to decide whether it is satisfied with the adequacy of the control measures and the effectiveness of the SMS. A convincing case could include detailed examples, as well as describe the approach taken and the overall results. Adopted control measures must be shown to eliminate or reduce, so far as is reasonably practicable, the risk to health and safety, and be effective and reliable across the range of circumstances and conditions likely to be encountered at the facility. This will demonstrate that the control measures are adequate. GUIDE | SAFETY CASE: DEMONSTRATING THE ADEQUACY OF SAFETY MANAGEMENT AND CONTROL MEASURES 3 2. DEMONSTRATIONS OF ADEQUACY To demonstrate that the SMS is comprehensive and integrated for all aspects of the control measures, it needs to be shown to fully support and maintain the performance of the control measures within an integrated management framework. The effort to make the demonstrations should be proportionate to the risk, with the majority of the analysis and assessment on hazards that contribute most to the risks of a major incident and the potential major incidents which have the highest consequences. In deciding to issue a MHF licence, the regulator must be satisfied that: the application has been made in accordance with the Regulations the safety case for the facility has been prepared in accordance with Division 3 of Part 9.3 of the Regulations the operator is able to operate the major hazard facility safely and competently the operator is able to comply with any conditions that will apply to the licence. The approach that each operator employs in making the required demonstrations should reflect the nature of the facility, its culture and its risks. Depending on the circumstances, it may include: comparison with standards, codes and industry practices (see Section 6.5 of this guidance) analysis of the risks, benefits and costs of alternative control measures assessment of the adequacy of control measures and their performance indicators comparison with benchmarks for risk and for management performance comparison with best practice management system frameworks judgement by affected groups such as workers and stakeholders demonstration of past and planned improvements. A combination of approaches to demonstration is likely to be necessary. 4 GUIDE | SAFETY CASE: DEMONSTRATING THE ADEQUACY OF SAFETY MANAGEMENT AND CONTROL MEASURES 3. PLANNING AND PREPARATION What demonstrations are required? 3.1 The safety case must demonstrate: that the major hazard facility’s safety management system will, once implemented, control risks arising from major incidents and major incident hazards the adequacy of the measures to be implemented by the operator to control risks associated with the occurrence and potential occurrence of major incidents. These two demonstrations are separate. However, common to both demonstrations is the need to make sure that all aspects are covered and that there are no gaps. For demonstrations to be convincing they need to show that control measures and the SMS function well i.e. can be relied on to consistently do the job they are meant to do. Control measures are usually selected and adopted at the end of a hazard identification, safety assessment and control measure selection process. This demonstration addresses two aspects of control measures, which are: showing that control measures in place at the site were selected correctly to address all the hazards identified showing that control measures can be relied upon to do the job for which they were selected. A facility’s SMS is usually developed in parallel with the hazard identification, safety assessment and control measure selection process. The SMS is intended to manage the safety of all aspects of operation at the facility, not just major incident prevention. However, the SMS demonstration is limited to showing that all aspects that need to be managed to ensure ongoing effectiveness and reliability of control measures are covered. There is no prescribed form for these demonstrations. Operators should use a means that is appropriate and meaningful to the facility and to the operator’s safety culture. In addition, the demonstrations need to be conveyed in a way that the regulator can understand from an external perspective. Workforce requirements 3.2 Key persons in the workplace must be consulted before this component of the safety case can be written. This is to ensure that a clear picture of the actual performance of the SMS and control measures elements is obtained. Operators may choose to gain this by conducting formal workshop sessions. Better results will be obtained from these workshops if persons with a broad range of functions and skills (e.g. plant operators, maintenance, technical and safety specialists) are all involved and participants understand the methodology and process to be followed before the workshops are held. The Regulations require the operator of a MHF to consult with workers in relation to the preparation of the safety case outline, the establishment and implementation of the SMS, and the preparation and review of the safety case. Health and safety representatives should also be consulted as they are entitled to represent workers in matters relating to work health and safety. GUIDE | SAFETY CASE: DEMONSTRATING THE ADEQUACY OF SAFETY MANAGEMENT AND CONTROL MEASURES 5 3. PLANNING AND PREPARATION Health and Safety Representatives 3.3 Health and Safety Representatives (HSRs) do not need to be involved in writing the demonstrations or participating in any workshops that contribute to them. They should, however, be consulted about the process that is to be followed and who will be involved in any workshops that are to be held. Project and technical issues 3.4 Control measure selection and SMS review and/or revision need to be settled before the demonstration can be completed. The methodology to be used for the two demonstrations should be determined early in the process. Newly determined MHFs (i.e. those preparing the first safety case for the facility) are required under regulation 551 to prepare a safety case outline and submit it to the regulator for review within three months of the facility being determined to be a MHF (refer to the Guide for Major Hazard Facilities: Safety Case Outline). The general method used to demonstrate how the objectives specified in regulation 561(4)(a) and (b) will be met is to be outlined in the safety case outline. The project planning for safety case preparation at a new MHF should allow sufficient time for any workshops and the subsequent review and write-up of the outcomes. Generally, the write-up will often involve detailed and significant discussion of a number of representative examples and may take more time than initially expected. Facilities reviewing and revising their safety case for licence renewal purposes may choose to submit a reviewed and revised outline to the regulator. Any change to the demonstration process should be noted and appropriate time should be allowed for reviewing and strengthening the demonstrations. 6 GUIDE | SAFETY CASE: DEMONSTRATING THE ADEQUACY OF SAFETY MANAGEMENT AND CONTROL MEASURES 4. THE DEMONSTRATION PROCESS Demonstrations are connected to control measures and the operator needs to show the following: the control measures in place at the facility are capable of reducing the risk posed by each hazard so far as is reasonably practicable it is not reasonably practicable to use more or better control measures to reduce risk further the control measures in place perform their intended function effectively and reliably the operator has a SMS in place that works to ensure that all control measures will continue to perform effectively whenever needed. To address the first component, the operator needs to show that it is using a valid and appropriate means of evaluating risk and whether risk reduction is achieved so far as is reasonably practicable. The Guide for Major Hazard Facilities: Safety Assessment discusses a number of different approaches operators can take for estimating risk and the extent of risk reduction achieved by selected and possible alternative control measures. The first demonstration in the safety case should show that the approach taken by the operator (qualitative or quantitative) to assess risk is appropriate and robust. The demonstration should then show that the risk, with controls in place, has been reduced so far as is reasonably practicable. An approach often used for this is to compare the controlled risk with recognised risk criteria. The demonstration also needs to show, by example at least, that it is not reasonably practicable to use more or better alternative control measures. An approach used by some is to compare the control measures in place with those required by industry codes or corporate standards. However, this assumes that the decision as to reasonable practicability reflects control measures applying when the code or standard was developed and does not take into consideration new or facility-specific knowledge. Once it has been demonstrated that the controls are capable of reducing risk so far as is reasonably practicable, historical performance data is usually needed to show individual control measures at a facility consistently do what they are supposed to do. This forms the basis of the second demonstration, as consistent good performance of control measures does not happen by accident. A number of elements of the SMS need to be functioning effectively to maintain the controls’ performance. For example, instrumented and mechanical control systems need to be regularly inspected and tested, while training is needed to ensure procedural control measures are always carried out correctly. The second demonstration needs to show that the necessary SMS components are in place for every risk control measure and that these systems are also consistently effective and reliable. GUIDE | SAFETY CASE: DEMONSTRATING THE ADEQUACY OF SAFETY MANAGEMENT AND CONTROL MEASURES 7 5. DEMONSTRATION OF CONTROL MEASURE ADEQUACY What is reasonably practicable? 5.1 Regulation 556 specifies that the operator of a MHF must implement control measures to eliminate, so far as is reasonably practicable, the risk of a major incident occurring or, if that is not reasonably practicable, minimise that risk so far as is reasonably practicable. In determining what is “reasonably practicable” the operator is expected to exercise judgement, taking into account the five factors specified in Section 18 of the Work Health and Safety Act, namely: the likelihood of the hazard or risk concerned occurring the degree of harm that might result from the hazard or the risk e.g. fatality, multiple injuries, medical or first aid treatment, long- or short-term health effects what the person concerned knows, or ought reasonably to know, about the hazard or risk and any ways of eliminating or minimising the risk the availability and suitability of ways to eliminate or minimise the risk the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk (in other words, control measures should be implemented unless the risk is insignificant compared with the cost of implementing the measures). Using an ammonia plant as an example, the identification and assessment steps may have identified that the area with the highest probability (likelihood) of a loss of containment is the tanker loading area. It is reasonable to expect that the operator of this facility would have thought about the controls needed for this area and that the safety case should be able to explain this. The operator and facility designers may also have concluded that the worst case scenario (i.e. major incident with the highest consequence) is catastrophic failure of the large ammonia storage tank. Therefore it is reasonable to expect that more effort is put into the design and controls for this part of the facility because of the high consequence should this failure occur. The information in the safety case should demonstrate that this worst case scenario has been addressed. The massive explosion that occurred at the Buncefield Fuels Terminal in the UK in December 2005 significantly changed what that industry sector ‘knows, or ought reasonably to know’ about the hazards or risks at this type of facility. As a result, it is now reasonable to expect that control measures to prevent similar tank overflows would be more robust than before, and it is notable that many similar facilities, both overseas and in Australia, have responded accordingly. The final consideration—weighing up the cost of additional controls against the extent of risk reduction that could actually be obtained—is similar to the process many operators go through each year when deciding which improvement projects to add to next year’s investment plan and which to defer. For many possible projects/improvements, qualitative comparisons are sufficient. However, more detailed quantitative comparisons are often undertaken for more important or high-cost projects. Safety cases submitted by operators may contain examples where operators have made similar comparisons of alternative control measures before deciding on which to adopt for specific risk scenarios. The safety assessment should provide the information needed to make these judgements, and therefore much of the reasoning behind the operator’s selection of control measures may already be presented in the safety case i.e. in the summary of the safety assessment documentation required under regulation 561(2)(b). The extra information required to make a convincing demonstration will depend on the amount of detail included in the summary. 8 GUIDE | SAFETY CASE: DEMONSTRATING THE ADEQUACY OF SAFETY MANAGEMENT AND CONTROL MEASURES
Description: