FEATURE

MANAGING MAJOR ACCIDENT HAZARDS

THROUGH SCE MANAGEMENT PROCESS

Syed Mohamed
Nasir Alhabshi

M
ost operating plants are classified as hazardous lead to a low probability and high consequence event
installations due to the handling of large quantities which requires a different approach from the occupational,
of flammable, explosive and toxic substances on or personal, safety management processes/programme.
site. The quantities are estimated to be above specified The basic reason for this is that while single failures can
threshold values as according to the Occupational Safety cause dangerous occurrences, major accidents do not
& Health Act 1994, Control of Industrial Major Accident generally happen as a result of failure of one piece of
Hazards (CIMAH) Regulations, 1996. equipment or one wrong action by an individual. Instead,
The safety report shall demonstrate to the Department they are epitomised by a series of failures of plant, personnel
of Occupational Safety & Health (DOSH) that, as an functions & processes as well as procedures.
operator of all hazardous facilities, operating units apply The key safety plant, systems and equipment required
strict measures to manage major accident hazards. to manage MAH are known collectively as SCEs. The
Process safety incident and other major accident concept of SCEs is perhaps easier to understand if they
hazard (MAH) prevention and mitigation require both are considered as barriers between the hazard and the
management and engineering approaches, right from consequence of the incident.
design to operations and maintenance throughout the
plant life-cycle. The two keys are managing soft and METHODS
hard barriers. Soft barriers are managing process safety MAHs are established from a Hazard Identification Study
information, engineering changes, permit to work and as well as Hazard and Operability Study (HAZOP). SCEs
safe operating while hard barriers are safety critical are identified by analysing these hazards and constitute
elements (SCEs). Here, we will discuss hard barrier or SCEs the means required to manage the associated risks. The
management process. concept of Safety Critical Elements is perhaps made easier
The initial processes are identification and establishment to understand if they are hard barriers between the hazard
of hazard via a Hazard Identification Study (HAZID) and and the consequence of the incident.
Hazard & Operability Study (HAZOP). SCEs are identified by In a major accident hazard, each barrier type is
analysing the hazards, and constitute the means required represented by one or more SCEs and is designed to
to manage the associated risks. stop and minimise the effects of a hazard. The concept of
The SCE management process has four main stages: barriers is widely recognised and applied for the MAH and
1. Identification of major accident hazards. SCE management process. The barrier types to be used are
2. Identification of safety critical elements involved in as follows:
managing major accident hazards. • Structural integrity
3. Identification of performance standards and assurance • Process containment
processes that ensure the continued suitability of the • Ignition control
safety critical elements. • Protection systems
4. Verification that all stages have been undertaken, non- • Detection systems
conformances have been identified, controlled and • Shutdown systems
closed-out and hence, major accident hazards are • Emergency response
being controlled. • Life saving
Through the diligent application of these stages, it is possible
to meet the requirements for MAH and SCE management Asset shall use these barrier types to indicate and group
process, offering a better way to control risk. together the SCEs identified for that particular asset.
For example, in the event of a hydrocarbon gas release
MAJOR ACCIDENT HAZARD (i.e. process containment barrier failing), the ignition control
Major Accident Hazard (MAH) is a typical hazard that can barrier should work to prevent a major accident. Even the

26 THE INSTITUTION OF ENGINEERS, MALAYSIA NOVEMBER 2019

 FEATURE

Figure 1: General overview of major accident hazard and safety critical element groups

occurrence of multiple barrier failures, such as process defined as any incident with a severity level of 5 as well as
containment and detection systems, will not necessarily scenarios considered to be more likely, but with a severity
lead to a major accident if subsequent barriers such as level 3 or 4, i.e. E4, D4 and E3 (see Figure 2, Typical Risk
mitigation (e.g. protection systems and shutdown systems) Matrix).
do not fail. However, a loss of process containment involving The above definition of MAH deliberately excludes
toxic gas can lead to a major accident event without other occupational hazards. MAH is identified through the use of
barrier fails should it is manned at that particular time. systematic identification processes, such as HAZID studies
Good barrier performance can be achieved through and quantified through techniques such as Quantitative
the adoption of well-written performance standards as well Risk Assessment (QRA). To follow best established industry
as assurance & verification procedures. These procedures practice, it is necessary to both identify and quantify MAH.
must be adhered to by personnel who are competent The MAH should be identified in a specific subsection of
in their defined roles in maintaining and assuring the the safety case together with the means used to prevent,
performance of SCEs for a specific asset. detect, control, mitigate, rescue or help recover from a
major accident (which effectively become the SCEs).
MAH IDENTIFICATION
This requirement for explicit identification of the MAH IDENTIFICATION OF SCE FOR GIVEN MAH
and SCEs as a separate sub-set of the asset risks is a Once the potential SCEs have been identified, the
characteristic of the MAH and SCEs management process, procedure starts at the top left-hand corner of the flowchart
as it deals specifically with the management of low (Figure 3). The flow process shown in the diagram relates to
frequency but high consequence hazards. both process as well as non-process systems.
Taking the framework of the safety case developed, the The rationale for excluding any SCE shall be properly
MAH (and subsequently, SCEs) are listed in the dedicated documented and approved at the appropriate level. All
subsection for an asset, called Hazard Effect Register. In SCEs are to be registered in the asset register system and
both cases, this dedicated subsection is required to identify shall be periodically reviewed to ensure completeness and
and quantify the MAH and the means of managing these adequacy.
hazards through the subsequent utilisation of SCEs. The petrochemical industry has had its fair share of
The severity of accidents is given in HSE Risk Ranking disasters. As a result, most countries require some form of
Matrix (RRM) as shown in Figure 3. Major accidents are safety management for their plants. The Bow-Tie Model or

NOVEMBER 2019 THE INSTITUTION OF ENGINEERS, MALAYSIA 27

 FEATURE
1 2 3 4 5
Severity Insignificant Minor Moderate Major Catastrophic
Minor Single Multiple
People Slight Injury
Injury
Major Injury
Fatality Fatalities
Minor Major Extensive
Asset Slight Damage Local Damage
IMPACT Damage Damage Damage
Minor Major
Environment Slight Impact Localised Impact
Impact
Massive Impact
Impact
Major Major
Limited Considerable
Reputation Slight Impact
Impact Impact
National International
Impact Impact

E Happens several
Almost times per year at E1 E2 E3 E4 E5
Certain location

Happens several
D
times per year in D1 D2 D3 D4 D5
Likely
LIKELIHOOD

company

C Incident has occurred

C1 C2 C3 C4 C5
Possible in our company

B Heard of incident in
B1 B2 B3 B4 B5
Unlikely industry

A
Remotely Never heard of in
A1 A2 A3 A4 A5
likely to industry
happen

Figure 2: Typical Risk Ranking Matrix

Bow-Tie Analysis is considered as the most comprehensive PERFORMANCE STANDARD FOR SCES
way for identification of SCEs associated with a given The Performance Standard shall include acceptance
hazard. criteria that the SCEs must be developed in detail to
THE BOW-TIE MODEL enable the practical verification that all barriers are
The Bow-Tie Analysis or method is simply a pictorial in place and effective. They are initiated during
representation of how the management of a hazard and the asset’s define phase and finalised with specific
its effects go towards minimising the consequence(s) performance requirements and assurance tasks
arising from a hazardous event. The Bow-Tie model (see during the execution phase as part of the detailed
Figure 4) was developed to meet the requirements for risk design.
assessment while integrating the understanding of how These are the SCE performance standards to be
accidents happen, based on the Swiss cheese model. used and maintained during the operation phase. The
Using the Bow-Tie methodology to identify barriers, performance standards should not be confused with either
essentially enables one to identify specific roles and the design specifications required to establish technical
functions of each barrier and to understand the possible integrity or the preventive maintenance strategy required
consequence of the failure of a barrier. for the maintenance of equipment, e.g. lubrication. They
specifically cover only the specific required to validate
LIMITATION OF BOW-TIES that SCEs perform the function necessary for the barrier
Bow-Ties are not the panacea for all risk management to be effective.
problems. If one wants to quantify the level of risk in absolute The development of Performance Standards is an
terms, then the Bow-Tie method will not help directly. To essential stage in the MAH and SCE Management
model complex inter-relationships between risk controls, Process. This is because it is necessary to gain confidence
there are better ways than using Bow-Ties. To identify that SCEs will fulfil their intended purpose when required.
individual safeguards for every line of every section of every This will be achieved by assessing SCEs against the
unit in a process facility, a HAZOP study is the solution. But relevant PS criteria, through assurance and verification
to remove the mystique of risk management and to obtain activities. All information related to a specific SCE (goal,
insights into risk controls that are easy to understand and functionality and specific acceptance criteria) are
communicate and, at the same time to realise some found in the PS and must be captured by the asset-
efficiency gains, there is no better method than the Bow-Tie. specific PMMS/SAP system.

28 THE INSTITUTION OF ENGINEERS, MALAYSIA NOVEMBER 2019

 FEATURE
Criticality is High
SCE
SCE (H) or 1*

RBI Criticality Class

Q2
Criticality is Medium Non-
Is the system or Yes
equipment identified
(M), Low (L), or 2 & 3 SCE
as safeguards/barriers
to manage Very High/
High Risk in HEMP/HER
PHA/HAZID studies? Has HSE impact SCE
(Major and
Yes Catastrophic)
ECA Criticality
Class 1/2
Q1
Is the system or No HSE impact Non-
equipment identified SCE
as MAH or MI Hardware No
group?
Yes

SIL >=1# SCE

No Q3 SIL Level
Has the system Non-
SIL > = a 1 or a 2, 0
or equipment SCE
Non- been subjected
SCE to a credible risk
assessment?

No Q4 SCE
in Petronas Risk
Yes
assessment Matrix
is the system or COF5 or 4 - as the case may be
equipment criticality # Non Production
at severity 5 or red
risk? (ie. risk is E3, E4, No
B4, A5, B5, C5, D5, E5)
Non-
SCE

Figure 3: Flowchart for Identifying SCEs

H-XX
The
Hazard

Threat
1
Barrier 1 Barrier 2

Consequence
Location/ 1
Unit of Recovery Recovery
Hazard: preparedness preparedness
Threat Top Measure Measure
Event
2
Barrier 1 Barrier 2

Escalation
Factor
Escalation 1
Control 1
Escalation
Factor 1
Escalation
Control 1

Figure 4: Bow-Tie Diagram

SUMMARY
It is important to note that the MAHs vary in severity and
Author's Biodata
probability throughout the life-cycle of the asset. This Syed Mohamed Nasir Alhabshi, who has over 20 years of experience
in the Oil & Gas industry, is the Technical Authority and Technical Safety
means that SCEs might change accordingly. To this end,
Lead for Package 6A and 11, PETRONAS RAPID Project.
the MAH and SCEs management processes require a full
periodic review.

30 THE INSTITUTION OF ENGINEERS, MALAYSIA NOVEMBER 2019