.

.

Annex 2

National legislation for a major hazard control system must provide for:

• a clear statement that the employer will ensure the safety of the plant, workers, people in the vicinity of the plant, and the environment
• designation of a competent authority or competent authorities to implement the system
• establishment of criteria for identification of major hazard installations by the competent authorities
• obligation of the employer to identify such installations and notify the competent authorities
• obligation of the employer to set up and maintain a documented system of major hazard control and prepare a safety report
• obligation of the employer to make available to the competent authorities all information required to assess the safety of the installations
• obligation of the employer to carry out the technical and organizational measures required by the competent authorities to ensure safety of the installations
• obligation of the employer to report to the competent authorities all major accidents and investigate their causes
• rights and duties of workers and their representatives
• powers of the competent authorities to inspect major hazard installations
• obligation of the competent authorities to ensure that on-site and off-site emergency plans for protection of workers, the public, and the environment outside the installations have been established and are kept up-to-date
• obligation of the competent authorities to establish a siting policy.

Hazardous substances may present hazards of flammability, toxicity or explosivity.

Hazardous substances may be gases, liquids or solids.

Gases can spread easily and, if flammable, may mix with the surrounding air to become explosive. If heavier than ambient air, they form clouds that stay close to the ground; if lighter than ambient air, they lift off and disperse more rapidly. The most important physical property is their density relative to that of ambient air.

Liquids may evaporate and give off dangerous fumes. As long as a flammable or toxic substance is in liquid form it cannot explode or enter the human body by respiration. Non-vaporizing liquids are much less dangerous than gases or liquefied gases. The important physical properties are atmospheric boiling point, viscosity, specific weight (lighter or heavier than water), and vapour pressure. Generally, substances stored as liquids, which become gases when released under atmospheric conditions (liquefied gases), can be very dangerous when they mix with ambient air to form large clouds. Substances stored in gas form are seldom present in very large quantities.

Solids can be inhaled or react violently only if they are in finely powdered form and mix with air to form a dust cloud borne by the wind. Substances in the form of solid blocks or gravel seldom cause major accidents. The relevant physical properties are the size and shape of particles and specific weight.

The most important chemical properties of hazardous substances are flammability and reactivity. Once ignited, all flammable substances present similar hazards. For a specific study and analysis of the properties, further data would be required on the flashpoint, ignition temperature, explosion limit, ignition energy, and heat of combustion. Such data are not required for determining threshold quantities. The reactivity should be taken into account to avoid contact with reactive substances, including the selection of fire-fighting agents.

The toxicological properties of hazardous substances are difficult to quantify, determine, and take into account. Each toxic substance poses specific threats to the human body, but it is difficult to obtain accurate data on them. Data are usually ascertained from experiments on rats. The toxicological properties are characterized by the results of such experiments in the form of "LC 50 values" (Lethal Concentration 50 per cent). The LC 50 value of a gas is the concentration in mg/I which kills 50 per cent of a number of rats inhaling it for four hours.

The hazardous substances that have caused most of the major accidents are flammable substances (liquefied petroleum gas, liquefied natural gas, petroleum products) and toxic substances (chlorine, ammonia).

Liquefied petroleum gas (LPG) is a mixture consisting mainly of propane (C₃H₈) and butane (C₄H₁₀). It is stored and transported at ambient temperature in pressurized tanks ranging in size from 5 kg bottles for household use to spheres of up to 5,000 kilolitres at pressures between 8 and 17 bars, depending on the constitution of the mixture and temperature. When refrigerated, it can be kept at lower pressures. Large quantities may be stored under atmospheric pressure in tanks cooled to temperatures below -40 C.

Liquefied natural gas consists mainly of methane (CH₄). It is stored under atmospheric pressure in very large refrigerated tanks (100,000 kilolitres or more) at temperatures below -160 C.

Petroleum products include crude oil, naphtha, petrol, aviation turbine fuel, diesel oil, and fuel oil. In refineries and petrochemical factories, very large quantities of different petroleum products may be present, mostly in cylindrical tanks under atmospheric pressure at ambient temperature. The larger tanks are usually floating-roof tanks.

Chlorine (Cl₂) is a toxic gas produced in large quantities by electrolysis of sodium chloride (common salt). It is used for bleaching and production of plastics. It is heavier than air. It is stored and transported in liquefied form in pressurized tanks at ambient temperature or refrigerated at -30 C under atmospheric pressure. It is most commonly transported in one-ton, cylindrical containers. Pressures are similar to those of LPG.

Ammonia (NH₃) is a toxic gas that can be ignited under certain circumstances. It is used in very large quantities in fertilizer production and in smaller quantities for refrigeration purposes. As a gas at ambient temperature, it is lighter than air, but when released at low temperature or cooled down by evaporation it may form toxic clouds that are heavier than the surrounding air and cling to the ground. it is stored and transported in liquefied form either under atmospheric pressure at temperatures around - 40 C or under pressure at ambient temperature. Pressures are similar to those of LPG.

.

An important obligation placed on employers by the ILO Prevention of Major Industrial Accidents Convention, 1993 (No.174), is that they must establish and maintain a documented system of major hazard control for each major hazard installation. The documented system must contain information on:

The documented system requires that all important aspects of major hazard control, including the decision-making process, be recorded and documented. It consists of a large number of files containing records of past decisions and the reasons and arguments for the decisions, which can be retrieved, when needed (for instance, when installation modifications are discussed or accidents are investigated. The purpose is to increase management's awareness of the hazards involved in the processes and operations and ensure better supervision by it. All documents on safety management must be readily available for future reference to enable the company to follow a consistent safety policy.

Awareness raising

Managers have to verify all provisions in the plant before documenting them and making themselves responsible for their correctness. In the process, they become aware of the potential hazards in the plant processes and weaknesses and omissions in safety organization measures. This results in more attention being paid to safety by top management and better supervision of safety measures at all levels of the organization.

Supervision

Both the management and the competent authorities must supervise the safety of the operations. In the absence of detailed legal requirements and regulations, inspectors would need to refer to the safety report and the documented system. They do not need to have detailed, specialized knowledge of all aspects of the operations. They should limit themselves to checking whether the actual conditions and provisions in the plant correspond with what is noted in the safety report and the documented system.

- Confidentiality

Some of the information in the documented system may be of a confidential nature (details of process control, process conditions, work methods) which if disclosed to competitors might be detrimental to the company. Management cannot give this as a reason for refusing access to such essential information to the competent authorities. Inspectors of the competent authorities must have access to this information to enable them to check whether the employer has fully compiled with the obligation to set up the documented system. However, they must be placed under oath not to divulge the information to third parties.

.

The ILO Prevention of Major Industrial Accidents Convention, 1993 (No.174), requires that employers of major hazard installations draw up safety reports based on the documented system of major hazard control (Annex 4). The safety report must remain in the installation as a reference document of the company.

The purpose of the safety report is to provide information on the hazards associated with the installation and the measures taken to control them. Workers and their representatives must have access to it. It may be used to inform other concerned parties, such as the fire and rescue authorities, police, local government authorities, medical services, environmental protection authorities, and the public living or working near the plant site. It can also be used to inform customers and suppliers or for public information purposes. It must be submitted or made available to the competent authorities.

The safety report should contain the following information:

• an introduction to the company's activities, particularly regarding the specific site and installation, including a statement on management's commitment to safety
• the reasons for identifying the plant as a major hazard installation
• descriptions of the installations and processes, hazardous substances and their characteristics, and safety organization
• hazard identification, analysis, and assessment
• provisions for controlling the hazards and the measures taken
• emergency plans.

The top management of the company must express clearly and publicly its commitment to the safety of workers, the plant, and the environment. This statement must guide decision making at all levels.

Installations, processes, and hazardous substances

The safety report should describe the installations, processes, and hazardous substances in a clear and concise way so that technically trained inspectors without specialized knowledge can comprehend the processes and the potential hazards and methods of controlling them. Proper descriptions are also necessary for understanding hazard analysis and assessment and the adequacy of the measures taken to control the hazards. The safety report should not contain detailed technical information, such as process and instrumentation diagrams or reports of hazard and operability studies (HAZOP), which are included in the documented system of major hazard control.

Descriptions of the installations and processes may be written separately or combined. For batch processes, where a number of processes are carried out in the same installation, it is logical to describe the installation first and then the processes using hazardous substances. Where the installation is designed and built exclusively for one continuous process, the descriptions of the installation and processes should be combined.

Safety organization

The description of safety organization must include allocation of duties and responsibilities, place of the safety officer in the safety organization, training and instruction of personnel, consultations with and information to workers, safety committee, workers' council, updating of operating instructions and manuals, maintenance of installations, inspection and testing, emergency plans, and accident reporting and investigation.

The safety report must mention the methods employed in identifying, analysing, and assessing hazards, and the control measures taken based on hazard assessment. Often, it describes the measures taken to ensure plant safety, but not the hazards that exist. Employers are inclined to state that no hazards remain as adequate control measures have been taken. The competent authorities need to know what the hazards are in order to verify the, adequacy of control measures. The safety report must always indicate what could happen if the measures were not taken and everything went wrong.

Hazard assessment has been traditionally carried out based on the knowledge and experience gained with similar installations. The knowledge and experience are seldom recorded systematically, being obtained through trial and error and "sound engineering practice". These methods are no longer acceptable for major hazard installations.

Existing major hazard installation

When the major hazard installation was built, hazard assessments by the employers should have been included in the safety report. If there are no records of hazard assessments, management must carry out its own assessments based on its present knowledge and operating experience.

Where records of hazard assessments exist, they may be referred to in respect of operating experience: number of operating hours; criteria for events (personal injury, man-hours lost, property damage); description of accidents, their causes, and consequences; and measures taken to prevent a recurrence of the events.

Where the competent authorities find the hazard assessments insufficient to ensure safe operations, they may require new assessments to be made on the installation units (parts of the installation) considered to be most dangerous. Generally, the hazard and operability study (HAZOP) is the most suitable type of analysis as it gives insights into the nature, magnitude and causes of potential hazards and the measures necessary for their prevention or reduction.

New major hazard installation

For a new major hazard installation, more detailed and systematic studies are required since no operating experience is available. Any one of a number of ,procedures and methods may be used, provided it leads to a clear understanding of the nature and magnitude of the hazards, and the measures by which they can be controlled and the remaining risks rendered acceptable. Some of the more commonly used methods are given here:

Index systems, such as the Dow Fire and Explosion Index and the Mond Index, indicate the magnitude of the risks caused by different installation units. Taking into consideration the properties of the hazardous substances, the quantities of the substances that might cause an accident, and the operating conditions, the installation units can be classified into groups according to the increasing magnitude of the hazard. Preventive measures can then be directed towards the installation units presenting the greatest hazards.

Fault tree analysis can be used when it is known that one specific, unwanted occurrence - called top event - is the all-important risk and all other hazard can be disregarded. Going back in time from the top event, an analysis is made of all the conditions that can lead to the event. For each condition, the probability of occurrence is calculated or assumed. From this the probability of the top event can be calculated. Besides the top event probability, the analysis results also show which conditions contribute most to the risk. By taking measures to reduce the probabilities associated with these conditions, the total risk may be reduced to an acceptable level.

Event tree analysis is the opposite of fault tree analysis. Starting from one specific fault or failure - the initial event - and going forward in time, an analysis is made of the effects and consequences of the event under all conceivable conditions. Assigning probabilities to all conditions enables calculation of the probabilities of all possible final events. The final events may range from those having no influence on the plant processes to those leading to a major accident. Event tree analysis can be used to design measures for reducing the probabilities of an initial event or subsequent sequential events leading to a major accident.

The hazard and operability study (HAZOP) is a systematic and detailed study of an installation by a group of experts. Each element of the installation is scrutinized and all possible malfunctions of the elements and their causes and consequences are analysed using guide words. The study results in a report recommending specific improvements in the safety of the installation. It may be carried out for large or small installation units. It is usually conducted at the early stages of design of the installation and repeated during construction, after start-up of the plant, and at regular intervals during its operation. Details of HAZOP studies are given in the ILO publication, Major hazard control: A practical manual.

The adequacy and appropriateness of control measures can be assessed in relation to the hazards. The description of the hazards should therefore precede the description of the control measures.

Major hazards should be controlled through organizational and technical measures. As safety problems are often of an organizational nature, organizational measures must take priority. They include introduction of a work permit system, drills and exercises, instruction and training of operating personnel, inspection and maintenance procedures, recording and reporting procedures, and consultations with workers. Technical measures include detection and alarm systems, physical separation of installation units that might interact dangerously with each other, and automatic shutdown system, flare system, scrubber system, and fire-fighting system.

Emergency plans should be established to deal with the consequences of major accidents. It is often impossible to assess the magnitude of an accident at the moment it occurs. Besides, the emergency organization services for a major accident are also part of the normal plant organization services required to respond to smaller accidents.

Incidents

A chemical factory is operated according to standards prescribed in detail in its operating manuals. Any situation deviating from the standards is called an incident.

Small incidents like the malfunctioning of instruments, simple failure of apparatus, variations in process conditions beyond operational limits, errors or omissions of operators, and non-compliance with product standards can be corrected by operating staff. Such incidents should be recorded in the log book of the watch and investigated by the supervisor as part of normal operations.

For large incidents like machinery breakdowns, leaks and spillages, and accidental slips or falls of operators, the assistance of regular works services such as maintenance personnel or first-aid staff is required. These incidents may cause physical injury, property damage, and loss of working time and production. They must be registered more formally and investigated thoroughly.

Works emergency services

If the incident goes beyond the capacity of the regular production and maintenance services, the works emergency services (fire brigade, ambulance) are called in to assist. The operating manuals and general instructions indicate how these services can be called in. The works emergency services have their own instructions on how to proceed and whom to contact.

On-site emergency plan

The works emergency services should he able to deal with all local incidents, even quite serious ones. Standard operating procedures are no longer valid for major incidents such as large releases of hazardous substances, explosions or large fires, or if an incident started locally escalates. An on-site emergency plan must be prepared to deal with such situations. It will be activated when normal production routines are interrupted to such an extent that decisions beyond the scope of operating manuals must be taken. The normal plant organization then ceases to function and an emergency organization comes into action.

The emergency organization and its workings are described in the emergency plan. It should contain procedures for evacuating workers, including a system of accounting for them outside the endangered area, method of requesting outside assistance (medical, rescue, fire or environmental protection specialists), the role of selected plant officials and workers during an emergency, and the location, use, and maintenance of all emergency equipment.

.

A major hazard installation is generally a very complex installation where precisely controlled processes are carried out according to specific standards and procedures established by the management or designer of the installation and processes, which are recorded in operating manuals and company standards. These standards are usually not mentioned in national legislation or regulations. In the case of conventional industrial operations, the competent authorities usually provide precise guidelines and regulations on basic occupational safety and health standards.

The inspector must study all available information on the installation before the actual inspection visit. The safety report in which the management has laid down the standards to which the plant is built and operated is an essential part of such information. Additional information may be obtained from the operating licence, documented system of major hazard control, and preliminary discussions with the management.

Reference can also be made to previous inspection records, company correspondence on safety matters, and records of accidents and measures taken as a consequence.

The first important aspect to check is the extent of management's commitment to safety. Is there a written safety policy statement by top management and has it been made known to all employees? The inspector will check conditions in the installation against the policy statement.

As a rule, the inspector will inform the management of the plant in advance of a planned inspection visit. On arrival at the installation, the inspector may collect further information from the management, safety officer and workers' representatives. The inspector should take the initiative in deciding which parts of the installation will be visited and in what order. Whenever the inspector finds it necessary to alter the itinerary, changes must be made.

During the visit, the inspector will be accompanied by a company employee, usually the safety officer, who will explain the safety regulations. A representative of the workers' organization may also accompany the inspector. The inspector must comply with safety regulations, such as wearing a safety helmet, shoes, and other protective clothing. If access to parts of the operation is denied for safety reasons, the inspector must make sure that unsafe operations are not being carried out there.

On the first visit, the inspector will concentrate on the essential parts of the installation and the parts where major accidents are most likely to occur: control room, storage area, loading installation, fire station, emission prevention systems.

Housekeeping is an indicator of management's commitment to safety. The inspector will make a quick round of the central production area to check on housekeeping. A disorderly and poorly maintained installation can never be safe. The inspector will also inspect outlying parts of the plant site which the management and safety officers are apt to visit infrequently, particularly storage areas of hazardous substances and emission prevention systems.

At the end of the visit, the inspector will provide a summary of findings to company representatives. The inspector's recommendations will be confirmed later in writing. The inspection report will be written soon after the inspection visit. Any short-comings will be notified to the company for remedial action. Corrective action must be directed towards the basic causes of short-comings.

If just a few items in the installation are found to be not functioning properly, the safety officer or department supervisor should be informed. The safety officer or department supervisor will not only ensure that the deficiencies are rectified, but also check similar apparatus which were not inspected in order to take remedial measures. However, if several deficiencies are noticed, it would appear that the safety officer or the department supervisor is not serious about plant safety. The inspector's report should then be addressed directly to the management for action. But should the general standards of housekeeping and safety show that the management itself is not sufficiently committed to safety, the inspector will report this to a superior so that the Chief Inspector or the Director-General of Inspection can take up the matter with top management.

.

Few accidents are attributed to a single cause. Modern installations and processes are designed and built so that no single failure or operating error can cause an accident. The investigation must establish all the causes of the accident and its consequences.

For effective preventive measures to be taken, the investigators must establish the following:

• facts: what happened, when, where, in what sequence, and what actually the persons concerned did
• circumstances: weather, lighting, temperature, noise, dust
• conditions: operating pressures, organizational arrangements, maintenance, housekeeping.

The investigators should introduce themselves to the management, clarify their mandate, intentions, and method of working, and advise whom they wish to meet and the purpose of their report. They should find out whether other investigations are also being conducted. If possible, arrangements should be made for cooperation among all parties involved in the investigation. If a common report can be prepared with the consensus of all investigators, it will be much more valuable than several separate, possibly contradictory ones.

The investigators should reach the accident scene a!> quickly as possible and record all relevant facts and circumstances observed (position of equipment, materials, persons, physical objects; extent of damage; tracks, marks or other traces left by moving parts).

The investigators should make sketches 'and tables of dimensions and distances of the accident site, to be later worked out as technical drawings. They should note in the technical drawings all the safety measures needed. If possible, they should take photographs from all angles and ensure that the photographs show objects of known dimensions. Samples should be taken of the substances involved in the accident and evidence that may disappear should be impounded.

The investigators should interview the victims, eye witnesses, those who may have noticed something specific during the accident, and those who may have knowledge about the circumstances, operations, conditions, work methods or other relevant aspects. Six key questions should be asked: who, what, where, when, how, why. The investigators should try to put the interviewees at ease. The interviewees should be explained the purpose of the investigation and, if possible, reassured that their testimony will not be used against them or their colleagues. They should not be interrupted or influenced in their thinking. They should be allowed to express their feelings and ask for clarifications and further details. The investigators should make notes of the discussions. A tape recorder can be used, but never without their agreement. The tape recording cannot replace handwritten notes.

The report must contain:

• a short description of what happened (not the investigation or the conclusions drawn from it)
• a chronological account of the events leading up to the accident (not details of the investigation)
• a structured account of the investigation, collection of facts, and conclusions
• relevant facts and analyses
• a short, clear summary of the conclusions and recommendations
• sketches, charts, and diagrams to support and clarify the report
• supporting material (such as accident report forms) which clarify or illustrate important aspects of the accident (as annexes).

The report should be concise, well-written, and clear as it will provide the basis for future preventive measures.