GUIDE FOR MAJOR HAZARD

FACILITIES: SAFETY CASE:

DEMONSTRATING THE ADEQUACY
OF SAFETY MANAGEMENT AND
CONTROL MEASURES

MARCH 2012

Safe Work Australia is an Australian Government statutory agency established in 2009. Safe Work
Australia consists of representatives of the Commonwealth, state and territory governments, the
Australian Council of Trade Unions, the Australian Chamber of Commerce and Industry and the
Australian Industry Group.
Safe Work Australia works with the Commonwealth, state and territory governments to improve
work health and safety and workers compensation arrangements. Safe Work Australia is a
national policy body, not a regulator of work health and safety. The Commonwealth, states and
territories have responsibility for regulating and enforcing work health and safety laws in their
jurisdiction.
ISBN 978-0-642-33388-9 [PDF]
ISBN 978-0-642-33389-6 [RTF]
Creative Commons

Except for the Safe Work Australia logo this copyright work is licensed under a Creative Commons
Attribution-Noncommercial 3.0 Australia licence. To view a copy of this licence, visit
http://creativecommons.org/licenses/by-nc/3.0/au/
In essence, you are free to copy, communicate and adapt the work for non commercial purposes,
as long as you attribute the work to Safe Work Australia and abide by the other licence terms.
Contact information
Safe Work Australia
Phone: +61 2 6121 5317
Email: [email protected]
Website: www.safeworkaustralia.gov.au

Page 2 of 31

MARCH 2012

Table of Contents

1.

INTRODUCTION ....................................................................................................... 4

2.

DEMONSTRATIONS OF ADEQUACY ..................................................................... 5

2.1
2.2

3.

Features of successful demonstrations.......................................................................... 5

Core concepts ............................................................................................................... 5

PLANNING AND PREPARATION ............................................................................ 7

3.1
3.2
3.3
3.4

4.

What demonstrations are required? ............................................................................... 7

Workforce requirements ................................................................................................ 7
Health and Safety Representatives ............................................................................... 8
Project and technical issues .......................................................................................... 8

THE DEMONSTRATION PROCESS ........................................................................ 9

5.

DEMONSTRATION OF CONTROL MEASURE ADEQUACY ................................ 10

5.1
5.2
5.3
5.4
5.5
5.6

6.

What is reasonably practicable? .................................................................................. 10

Do controls minimise risk so far as is reasonably practicable?..................................... 11
Could more or better controls be used? ....................................................................... 14
Use of examples in demonstration............................................................................... 14
Use of industry codes and standards ........................................................................... 15
Are control measures adequate? ................................................................................. 16

DEMONSTRATION OF COMPREHENSIVE AND INTEGRATED SMS ................. 17

6.1
6.2

Does the SMS support control measures?................................................................... 17

Demonstrating that the SMS supports control measures ............................................. 17

7.

OUTPUTS ............................................................................................................... 19

8.

REVIEW AND REVISION ....................................................................................... 20

APPENDIX A WHS REGULATIONS............................................................................ 21

APPENDIX B DEFINITIONS ........................................................................................ 24
APPENDIX C RISK CRITERIA .................................................................................... 26
APPENDIX D FURTHER INFORMATION.................................................................... 31

Page 3 of 31

MARCH 2012

1.

INTRODUCTION

To obtain a licence to operate a major hazard facility (MHF), operators are required to submit a
safety case which demonstrates how the facility will be operated safely.
The purpose of this guidance material is to assist operators of MHFs to demonstrate that the
content of their safety case will achieve the safe operation of the MHF through a satisfactory safety
management system and adequate control measures. Use of this guidance material will enable
MHF operators to submit a safety case to the regulator that satisfactorily demonstrates:
that the facilitys safety management system (SMS) will control risks arising from major
incidents and major incident hazards
the adequacy of the measures to be implemented by the operator to control risks
associated with the occurrence and potential occurrence of major incidents.
This Guide forms part of a set of guidance material for MHFs that includes information on:
Notification and Determination
Safety Assessment
Safety Management Systems
Developing a Safety Case Outline
Preparation of a Safety Case
Information, Training and Instruction for Workers and Others at the Facility
Providing Information to the Community
Emergency Plans.
What do the Regulations require?
The operator of a determined MHF must establish a safety management system for the operation
of the major hazard facility and provide the regulator with a completed safety case for the MHF
within two years after determination of the MHF. The safety case must include a summary of the
safety management system for the MHF.
Further details of the requirements under the WHS regulations are set out in Appendix A.
Relevant definitions are set out in Appendix B.

Page 4 of 31

MARCH 2012

2.

DEMONSTRATIONS OF ADEQUACY

Demonstrations in a safety case provide all stakeholders with assurance that the operator is
achieving safe operation of the facility by using adequate control measures and satisfactory
management systems. In particular, they provide regulators with some of the evidence necessary
to support the issuing of a licence to operate the MHF. The regulator will usually verify some of the
data provided in the safety case demonstrations to confirm the validity of the arguments made by
the operator. Periodically, and following major changes to the facility or its operations, the
demonstrations must be reviewed to ensure safe operation is being maintained. Such a review
may also be triggered by a new state of knowledge e.g. following incidents.
There are two sets of circumstances in which safety cases, and the demonstrations they contain,
need to be prepared. These are:
when the safety case is being prepared for a new MHF, for example:
o a green field facility that will be a MHF
o an existing facility that will become a MHF after modifications that will increase the
quantity of Schedule 15 materials on site to above threshold quantities
o a facility that has been determined to be a MHF by the regulator under regulation 541
when a safety case is reviewed and revised as part of an application for licence renewal.

2.1

Features of successful demonstrations

The following factors are critical for successful demonstrations in a safety case:
a clear understanding of the means and criteria the operator uses to decide when risk has
been reduced so far as is reasonably practicable, or alternatively, how the operator decides
that it is not practicable to carry out further risk reduction steps
access to information about, or people with knowledge of, hazards and effective control
measures that are available to deal with them
historical data and records that show how well specific control measures function
understanding of the specific safety management system (SMS) elements needed to
ensure ongoing effectiveness and reliability of each specific control measure
historical performance data and records that show how well the supporting SMS elements
function.

2.2

Core concepts

The safety case must include information sufficient for the purpose of demonstrating that
the control measures adopted at the facility are adequate, and that the SMS is
comprehensive and integrated for all aspects of the adopted control measures.
The information needs to be transparent and detailed for it to be understood by others, and
for the regulator to decide whether it is satisfied with the adequacy of the control measures
and the effectiveness of the SMS. A convincing case could include detailed examples, as
well as describe the approach taken and the overall results.
Adopted control measures must be shown to eliminate or reduce, so far as is reasonably
practicable, the risk to health and safety, and be effective and reliable across the range of
circumstances and conditions likely to be encountered at the facility. This will demonstrate
that the control measures are adequate.
To demonstrate that the SMS is comprehensive and integrated for all aspects of the control
measures, it needs to be shown to fully support and maintain the performance of the control
measures within an integrated management framework.

Page 5 of 31

MARCH 2012

The effort to make the demonstrations should be proportionate to the risk, with the majority
of the analysis and assessment on hazards that contribute most to the risks of a major
incident and the potential major incidents which have the highest consequences.
In deciding to issue a MHF licence, the regulator must be satisfied that:
o the application has been made in accordance with the Regulations
o the safety case for the facility has been prepared in accordance with Division 3 of Part
9.3 of the Regulations
o the operator is able to operate the major hazard facility safely and competently
o the operator is able to comply with any conditions that will apply to the licence.
The approach that each operator employs in making the required demonstrations should
reflect the nature of the facility, its culture and its risks. Depending on the circumstances, it
may include:
o comparison with standards, codes and industry practices (see Section 5.5 of this
guidance)
o analysis of the risks, benefits and costs of alternative control measures
o assessment of the adequacy of control measures and their performance indicators
o comparison with benchmarks for risk and for management performance
o comparison with best practice management system frameworks
o judgement by affected groups such as workers and stakeholders
o demonstration of past and planned improvements.
A combination of approaches to demonstration is likely to be necessary.

Page 6 of 31

MARCH 2012

3.

PLANNING AND PREPARATION

3.1

What demonstrations are required?

The safety case must demonstrate:

that the major hazard facilitys safety management system will, once implemented, control
risks arising from major incidents and major incident hazards
the adequacy of the measures to be implemented by the operator to control risks
associated with the occurrence and potential occurrence of major incidents.
These two demonstrations are separate. However, common to both demonstrations is the need to
make sure that all aspects are covered and that there are no gaps. For demonstrations to be
convincing they need to show that control measures and the SMS function well i.e. can be relied
on to consistently do the job they are meant to do.
Control measures are usually selected and adopted at the end of a hazard identification, safety
assessment and control measure selection process. This demonstration addresses two aspects of
control measures, which are:
showing that control measures in place at the site were selected correctly to address all the
hazards identified
showing that control measures can be relied upon to do the job for which they were
selected.
A facilitys SMS is usually developed in parallel with the hazard identification, safety assessment
and control measure selection process. The SMS is intended to manage the safety of all aspects of
operation at the facility, not just major incident prevention. However, the SMS demonstration is
limited to showing that all aspects that need to be managed to ensure ongoing effectiveness and
reliability of control measures are covered.
There is no prescribed form for these demonstrations. Operators should use a means that is
appropriate and meaningful to the facility and to the operator's safety culture. In addition, the
demonstrations need to be conveyed in a way that the regulator can understand from an external
perspective.

3.2

Workforce requirements

Key persons in the workplace must be consulted before this component of the safety case can be
written. This is to ensure that a clear picture of the actual performance of the SMS and control
measures elements is obtained. Operators may choose to gain this by conducting formal workshop
sessions.
Better results will be obtained from these workshops if persons with a broad range of functions and
skills (e.g. plant operators, maintenance, technical and safety specialists) are all involved and
participants understand the methodology and process to be followed before the workshops are
held.
The Regulations require the operator of a MHF to consult with workers in relation to the
preparation of the safety case outline, the establishment and implementation of the SMS, and the
preparation and review of the safety case. Health and safety representatives should also be
consulted as they are entitled to represent workers in matters relating to work health and safety.

Page 7 of 31

MARCH 2012

3.3

Health and Safety Representatives

Health and Safety Representatives (HSRs) do not need to be involved in writing the
demonstrations or participating in any workshops that contribute to them. They should, however,
be consulted about the process that is to be followed and who will be involved in any workshops
that are to be held.

3.4

Project and technical issues

Control measure selection and SMS review and/or revision need to be settled before the
demonstration can be completed. The methodology to be used for the two demonstrations should
be determined early in the process.
Newly determined MHFs (i.e. those preparing the first safety case for the facility) are required
under regulation 551 to prepare a safety case outline and submit it to the regulator for review within
three months of the facility being determined to be a MHF (refer to the Guide for Major Hazard
Facilities: Safety Case Outline). The general method used to demonstrate how the objectives
specified in regulation 561(4)(a) and (b) will be met is to be outlined in the safety case outline.
The project planning for safety case preparation at a new MHF should allow sufficient time for any
workshops and the subsequent review and write-up of the outcomes. Generally, the write-up will
often involve detailed and significant discussion of a number of representative examples and may
take more time than initially expected.
Facilities reviewing and revising their safety case for licence renewal purposes may choose to
submit a reviewed and revised outline to the regulator. Any change to the demonstration process
should be noted and appropriate time should be allowed for reviewing and strengthening the
demonstrations.

Page 8 of 31

MARCH 2012

4.

THE DEMONSTRATION PROCESS

Demonstrations are connected to control measures and the operator needs to show the following:
the control measures in place at the facility are capable of reducing the risk posed by each
hazard so far as is reasonably practicable
it is not reasonably practicable to use more or better control measures to reduce risk further
the control measures in place perform their intended function effectively and reliably
the operator has a SMS in place that works to ensure that all control measures will continue
to perform effectively whenever needed.
To address the first component, the operator needs to show that it is using a valid and appropriate
means of evaluating risk and whether risk reduction is achieved so far as is reasonably practicable.
The Guide for Major Hazard Facilities: Safety Assessment discusses a number of different
approaches operators can take for estimating risk and the extent of risk reduction achieved by
selected and possible alternative control measures.
The first demonstration in the safety case should show that the approach taken by the operator
(qualitative or quantitative) to assess risk is appropriate and robust. The demonstration should then
show that the risk, with controls in place, has been reduced so far as is reasonably practicable. An
approach often used for this is to compare the controlled risk with recognised risk criteria.
The demonstration also needs to show, by example at least, that it is not reasonably practicable to
use more or better alternative control measures. An approach used by some is to compare the
control measures in place with those required by industry codes or corporate standards. However,
this assumes that the decision as to reasonable practicability reflects control measures applying
when the code or standard was developed and does not take into consideration new or facilityspecific knowledge.
Once it has been demonstrated that the controls are capable of reducing risk so far as is
reasonably practicable, historical performance data is usually needed to show individual control
measures at a facility consistently do what they are supposed to do. This forms the basis of the
second demonstration, as consistent good performance of control measures does not happen by
accident.
A number of elements of the SMS need to be functioning effectively to maintain the controls
performance. For example, instrumented and mechanical control systems need to be regularly
inspected and tested, while training is needed to ensure procedural control measures are always
carried out correctly. The second demonstration needs to show that the necessary SMS
components are in place for every risk control measure and that these systems are also
consistently effective and reliable.

Page 9 of 31

MARCH 2012

5.

DEMONSTRATION OF CONTROL MEASURE ADEQUACY

5.1

What is reasonably practicable?

Regulation 556 specifies that the operator of a MHF must implement control measures to
eliminate, so far as is reasonably practicable, the risk of a major incident occurring or, if that is not
reasonably practicable, minimise that risk so far as is reasonably practicable. In determining what
is reasonably practicable the operator is expected to exercise judgement, taking into account the
five factors specified in Section 18 of the Work Health and Safety Act, namely:
the likelihood of the hazard or risk concerned occurring
the degree of harm that might result from the hazard or the risk e.g. fatality, multiple
injuries, medical or first aid treatment, long- or short-term health effects
what the person concerned knows, or ought reasonably to know, about the hazard or risk
and any ways of eliminating or minimising the risk
the availability and suitability of ways to eliminate or minimise the risk
the cost associated with available ways of eliminating or minimising the risk, including
whether the cost is grossly disproportionate to the risk (in other words, control measures
should be implemented unless the risk is insignificant compared with the cost of
implementing the measures).
Using an ammonia plant as an example, the identification and assessment steps may have
identified that the area with the highest probability (likelihood) of a loss of containment is the tanker
loading area. It is reasonable to expect that the operator of this facility would have thought about
the controls needed for this area and that the safety case should be able to explain this.
The operator and facility designers may also have concluded that the worst case scenario (i.e.
major incident with the highest consequence) is catastrophic failure of the large ammonia storage
tank. Therefore it is reasonable to expect that more effort is put into the design and controls for this
part of the facility because of the high consequence should this failure occur. The information in the
safety case should demonstrate that this worst case scenario has been addressed.
The massive explosion that occurred at the Buncefield Fuels Terminal in the UK in December 2005
significantly changed what that industry sector knows, or ought reasonably to know about the
hazards or risks at this type of facility. As a result, it is now reasonable to expect that control
measures to prevent similar tank overflows would be more robust than before, and it is notable that
many similar facilities, both overseas and in Australia, have responded accordingly.
The final considerationweighing up the cost of additional controls against the extent of risk
reduction that could actually be obtainedis similar to the process many operators go through
each year when deciding which improvement projects to add to next years investment plan and
which to defer. For many possible projects/improvements, qualitative comparisons are sufficient.
However, more detailed quantitative comparisons are often undertaken for more important or highcost projects. Safety cases submitted by operators may contain examples where operators have
made similar comparisons of alternative control measures before deciding on which to adopt for
specific risk scenarios.
The safety assessment should provide the information needed to make these judgements, and
therefore much of the reasoning behind the operators selection of control measures may already
be presented in the safety case i.e. in the summary of the safety assessment documentation
required under regulation 561(2)(b). The extra information required to make a convincing
demonstration will depend on the amount of detail included in the summary.

Page 10 of 31

MARCH 2012

5.2

Do controls minimise risk so far as is reasonably practicable?

The first component of a demonstration is to show that each hazard and potential major incident
has been addressed with specific control measures. The use of bow-tie diagrams is one clear
graphical means of doing this (see Figure 1 for an example). This shows that there are control
measures in place for each hazard that could lead to a major incident. It is also possible to show
this in tabular form (e.g. database printout or spreadsheet).
Table 1 is a mock-up derived from Figure 1 that shows specific control measures listed for specific
hazards. However, safety cases submitted with tables showing a list of hazards in one column and
a list of control measures in another column (such as the mock-up in Table 2) do not help
demonstrate that control measures reduce the risk of all identified hazards, as it is not clear which
controls act for which hazards and whether all hazards have an identified control.

Page 11 of 31

MARCH 2012

0605
Equipment
corrosion

0612

0610

NDT inspection
program

Equipment specification
and design to ABC
standards

Critical
Maintenance error (e.g.
fitting tightened too
hard, wrong component
- not fit for service)

0600
Trade qualified
personnel

Leak from
flange/seal gasket failure

Equipment specification
and design to ABC
standards

0610

Critical

Natural ventilation
of storage area

0613
Gas detection in
storage area
Unignited ammonia
release - inhalation
of ammonia fumes

0607
Valve and
flange fitting

Component
failure

Dropped object
(lifting over
storage tank)

Overfilling of
storage tank

External heat
source (e.g.
sun)

0617
Storage area is protected
(chained off / vehicle
barriers - restricted access

0616
Lifting gear inspection,
maintenance and
testing

0606
ABC Operating
procedures for
filling tank

Ammonia
release at
storage

0618
Speed limits on
site
0629
Relocate equipment
requiring lifting

PPE (Breathing
Apparatus)
available

0631
Medical assistance
available on-site

0622
Emergency
isolation valve

0632

0604

Storage tank
punctured

Gas Detection

Critical

0619
Pressure relief
valves
Critical

Inhalation of
ammonia fumes

0620
Emergency
Response Plan

Critical
Onsite vehicle
collides with
storage tank

0632

Overpressure

Ammonia mixing
with nearby store
of hypochlorite

PPE (Breathing
Apparatus)
available

0631

Generation of
chlorine

0631
Medical
assistance
available on-site

0635
Hot work

0621

Hot work permit

Ignition Control

0630
Tank designed for 50C
service (as per design
standards)

Furnace

0636
Separation
distance

Ammonia
release and
ignition

0633
Control

Hazard
Pathway

Escalation to
other vessels

0625
Separation
distance

Bow-Tie Key

Hazard

0624
Foam generation
capabilities

Major
Incident

Outcome

Figure 1: Example of bow-tie graphic showing an ammonia release at storage

Page 12 of 31

JANUARY 2012

Major incident: Ammonia release at storage (ABC Chemical Company)

Cause:

Component failure

Hazard

Control measure

Functionality

Equipment corrosion

NDT inspection program

High

Equipment specification and

design to ABC standards

Medium

Maintenance error (eg fitting

tightened too far, wrong
component - not fit for service)

Trade qualified personnel

Low

Valve and flange fitting training

Medium

Leak from flange/seal - gasket

failure

Equipment specification and

design to ABC standards

Medium
Medium

Valve and flange fitting training

Cause:

Storage tank puncture

Hazard

Control measure

Functionality

On-site vehicle collides with

storage tank

Storage area is protected

(chained off/vehicle barriers) restricted access

High
Low

Speed limits on site

Dropped object (lifting over
storage tank)

Lifting gear inspection,

maintenance and testing

Medium
High

Relocate equipment requiring

lifting

Table 1: Example of hazard/control measure register

Major incident: Ammonia release at storage (ABC Chemical Company)
Hazards

Control measures

Dropped object (lifting over storage tank)

ABC operating procedures for filling tank

Equipment corrosion

Equipment specification and design to ABC

standards

External heat source (eg sun)

Leak from flange/seal - gasket failure
Maintenance error (eg fitting tightened too far, wrong
component - not fit for service)

Lifting gear inspection, maintenance and testing

NDT inspection program
Pressure relief valves

On-site vehicle collides with storage tank

Relocate equipment requiring lifting

Overfilling of storage tank

Speed limits on site

Storage area is protected (chained off/vehicle
barriers) - restricted access
Tank designed for 50C service (as per design
specification)
Trade qualified personnel
Valve and flange fitting training

Table 2: Example of control measure register (does NOT help demonstration)

Page 13 of 31

JANUARY 2012

The second aspect is the level of risk that remains after the operator has decided that it is not
reasonably practicable to do any more. One means of gauging the validity of these decisions is by
comparing the final risk with a suitable published benchmark such as the Victorian interim off-site
risk criteria or NSW Department of Plannings risk criteria for land use safety planning (HIPAP 4).
HIPAP 4 addresses off-site risk. For on-site risks, the criterion for neighbouring industry in HIPAP 4
could be used as an initial target.
It is worth noting that community expectations have advanced since the Victorian criteria were
proposed in the 1980s and some European jurisdictions now apply tougher criteria. In addition,
numerical evaluation of risk is only as good as the data used in the evaluation of likelihood and
consequences, both of which are subject to much uncertainty.
Appendix C provides examples of risk criteria that can be used in relation to major incidents. These
are not exhaustive and operators may choose to use criteria different to these examples. Whatever
criteria are used, the operator will have to justify the criteria as suitable and appropriate to the
specific facility.

5.3

Could more or better controls be used?

An alternative way of demonstrating that the control measures in place at the facility will minimise
risk so far as is reasonably practicable is to show that additional or alternative control measures
are not justified.
One means of doing this is using Layers of Protection Analysis (LOPA). LOPA estimates the
likelihood of an initiating hazard leading to a major incident after allowing for the probability of
failure on demand (PFD) of the various control measures that are in place to prevent that specific
hazard occurring. If the consequence of the incident is known (e.g. potential number of fatalities),
the product of the consequence and the estimated likelihood (allowing for the control measures)
gives an estimate of the risk posed by the initiating hazard (in units such as fatalities per year).
Note that, for LOPA to work properly, the control measures need to be independent.
A related technique used for instrumented control measures (such as a low temperature trip
system) is a safety integrity level (SIL) review. There are two parts to a SIL review. First, a SIL
analysis (similar to a LOPA) determines how low the PFD of the instrumented control system
needs to be to reach a desired risk level. Then a SIL verification of the particular hardware
components that make up the instrumented control system is conducted to confirm that the
required PFD will be obtained. One factor that can strongly affect the PFD of instrument systems is
the frequency with which they are inspected, tested and re-calibrated.
Additional or alternative control measures can be included in these analyses and their effect on the
final risk estimated. There are also techniques for estimating the PFD of procedural control
measures, such as Human Reliability Analysis, and there is published data available for the PFD of
procedural tasks, depending on their complexity, frequency of use and environmental factors.1

5.4

Use of examples in demonstration

The MHF regulations do not specify any particular technique to evaluate the risk reduction
achieved by control measures. What is specified is that:
under regulation 555(2), the operator must conduct a detailed assessment of all aspects of
risks to health and safety associated with all potential major incidents, including the range
of control measures considered and the control measures the operator decides to
implement

See Layers of Protection Analysis, Simplified Process Risk Assessment, Center for Chemical Process
Safety, American Institute of Chemical Engineers, 2001.

Page 14 of 31

JANUARY 2012

under regulation 561(4)(b), the operator must demonstrate in the safety case the adequacy
of the measures to be implemented by the operator to control risks associated with the
occurrence and potential occurrence of major incidents.

This usually involves an explanation of the methodology used by the operator and an appropriate
number of explained examples to illustrate that the methodology led to reducing the risk so far as is
reasonably practicable. The examples should cover a range of operations throughout the facility,
including the highest likelihood and highest consequence events.
For a fuel terminal, the regulator may expect the demonstration to include the tanker loading facility
and the tank overflow scenario that occurred at Buncefield in 2005 (see Section 5.1), as well as
some other scenarios where incidents have been known to occur, such as transfer line failures. For
a more complex manufacturing facility, examples might be expected to include any reactor areas,
any separation process such as distillation, major storage areas (vessels or tanks) and any major
product or raw material handling areas. The key areas in a less complex utilities facility, such as a
water treatment plant, may be the main chlorine storage area, unloading of chlorine and dosing
equipment (injectors and/or evaporators).
The philosophy behind this approach is that:
if fully explained examples show that the operator has minimised the risk so far as is
reasonably practicable for those hazards, and
if the operator applied the same methodology systematically throughout the facility and its
full range of operations
then the operator, regulator and stakeholders can all be assured that the necessary risk reduction
has been achieved throughout the facility.

5.5

Use of industry codes and standards

Some operators have used their compliance with industry standards or codes of practice as the
prime means of demonstrating adequacy of control measures. These documents may be
Australian Standards, equivalents from overseas organisations, international industry practices
(such as those from the American Petroleum Institute) or company-specific standards. This
approach assumes that those who developed the code or standard did all the necessary thinking to
select the necessary control measures for the operators situation or, if a possible control measure
is not specified in the code or standard, it must not be practicable to put it into practice.
These assumptions need to be tested if standards and codes are being considered for justification.
The following are examples where additional control measures have been justified in excess of
those in codes or standards:
A Process Safety Leadership Group set up in the UK following the Buncefield incident in
December 2005 made a number of recommendations for design and operation of fuel
terminals that have not yet been incorporated in AS 1940: The storage and handling of
flammable and combustible liquids. Many multinationals in this industry sector are also
developing new corporate standards for their affiliates. Regulators may expect facilities in
this sector to consider these in addition to AS 1940 or equivalent standards.
A facility using liquid chlorine, situated on a hillside above a residential area, should
carefully consider the need for additional controls over and above the standard separation
distances, etc. in AS/NZS 2927: The storage and handling of liquefied chlorine gas.
Some large LPG storage sites have justified control measures that are additional to those
specified in AS/NZS 1596: The storage and handling of LP Gas, such as passive fire
protection and automatic isolation.
Nevertheless, codes and standards are a valuable source of information for hazards and control
measures. Many operators have conducted a gap analysis between their facility and relevant
Australian and international codes or standards as part of their hazard identification and control

Page 15 of 31

JANUARY 2012

measure selection processes. Any gap is taken as a warning that a hazard may have been missed
or its significance underestimated. However, the absence of any gaps does not automatically mean
that further risk reduction is not practicable (using the full range of practicability considerations in
Section 5.1).
Therefore, it is recommended that any operator relying on compliance with codes or standards for
the demonstration should:
show that a full gap analysis has been done
justify any gaps, if found
explain fully why it is not reasonably practicable to further reduce the risk of:
o the highest consequence scenario
o the most likely (or most frequent) initiating hazard
o any other scenarios where incidents have been known to occur, similar to the use of
fully explained examples in Section 5.2.
If this analysis shows that further risk reduction is not practicable in those cases, it would then be a
reasonable assumption that compliance with the code or standard would be equally satisfactory in
other cases at the facility, and the demonstration would be considered sound.

5.6

Are control measures adequate?

The final requirement of the demonstration to meet regulation 561(4)(b) is that the control
measures are adequate i.e. are meeting their performance targets.
If the operator is making this demonstration in a safety case to support an application for licence
renewal, the operator should have several years of actual performance monitoring data to draw on.
The number of control measures on the hazard register will depend on the size and complexity of
operations at the facility. For a simple facility it may be possible to include the performance data of
all control measures. This may be presented in tabular or chart form. The demonstration and the
case for licence renewal would be strengthened if the data were to show an improving trend over
time.
Some aggregation of the performance data may be necessary for facilities with larger numbers of
control measures (e.g. number of PSV releases or fail to danger test results as a percentage of
the total number of PSVs on-site or in an area). However, for a convincing demonstration, highlevel performance data should be backed up by detailed data of a sample of control measures. The
demonstration would be helped if the control measure sample corresponded with the fully
explained examples (discussed in Section 5.4).
If the safety case is for a new MHF, there may be little actual performance data available at the
time of preparing the safety case. In this case, the argument for adequacy of controls may have to
rely on publicly available data such as PFD data for similar hardware, or by analogy with affiliated
facilities within the operators organisation. The demonstration will be more convincing if the
information is linked to fully explained examples, with an explanation of why the operator expects
the control measures to perform adequately.

Page 16 of 31

JANUARY 2012

6.

DEMONSTRATION OF COMPREHENSIVE AND INTEGRATED SMS

6.1

Does the SMS support control measures?

The other demonstration required by regulation 561(4) is that the SMS manages all the things
needed for the control measures to control the risks arising from a major incident or a major
incident hazard. As noted in Section 4, consistent good performance of control measures does not
happen by accident. A number of SMS elements need to be functioning effectively to maintain the
controls performance.
A first step in demonstrating that all necessary aspects of control measure management are
covered would be to list all the SMS elements that need to function well to support each control
measure on the operators hazard register. While this may sound daunting, this task can be made
manageable. For example, all instrument control systems need to be regularly inspected and
tested, and therefore a common system (called various names such as Critical Function Testing)
would apply for all such instrument controls. Some other systems that would be important for
instrument controls are:
a management of change (MoC) system, for any changes to the controls such as alarm or
trip set point changes
a system such as a defeat of critical equipment system, for whenever an important
instrument control is temporarily taken off-line (and later returned to service).
The same or similar safety management systems may apply to other important equipment or
hardware such as pressure relief valves or fire protection equipment.
Procedural control measures (i.e. when safe operation requires that workers carry out specific
tasks in a specified manner and/or sequence) need a different set of support systems. The
procedures need to be documented in a formal operating procedures system (hard copy or
electronic). The personnel need to be trained in what they are expected to do and not permitted to
carry out the procedure(s) until certified as competent. Changes to the operating procedures, or
changes that might impact on them, need to be managed by a MoC system. Training will probably
be part of a wider personnel system that includes formal role descriptions, recruitment and training
plans.
There should also be some other common systems such as performance, monitoring and auditing
to provide ongoing assurance that the control measures and support systems are functioning well.
These are typical elements of any comprehensive and integrated management system that has
been established consistent with recognised systems such as AS 4804: Occupational health and
safety management systems General guidelines on principles, ISO 9000 Quality Management
Systems, systems and supporting techniques, or the system produced by the Center for Chemical
Process Safety.
Many SMS elements are needed to support the control measures at most MHFs. However,
because most of these apply in common to a lot of control measures, the total number of SMS
elements that would be the subject of regulation 561(4) is not excessive.

6.2

Demonstrating that the SMS supports control measures

To demonstrate the matters required by regulation 561(4), the safety case needs to show:
all the necessary aspects of control measures are being managed by SMS elements
the elements are part of a comprehensive system that works together well
the SMS elements are all functioning well i.e. working as they are supposed to and meeting
their performance standards.

Page 17 of 31

JANUARY 2012

As discussed above in Section 6.1, it should not be difficult to confirm and then show in the safety
case that all necessary aspects of control measure management are covered in the facilitys SMS.
For most operators, the second aspect (comprehensiveness and integration) would be covered in
the summary of the SMS in the safety case that is required under regulation 561(2)(d). Most
operators include a description of the overall system and how it was developed, to show an overall
systematic approach rather than an amorphous collection of randomly related procedures (refer to
the Guide for Major Hazard Facilities: Safety Management Systems).
The third aspect (functionality of the specific SMS elements) is dealt with by a summary of SMS
auditing results and other performance monitoring data, as discussed in Section 5.6. As for control
measures, the demonstration (and the case for licence renewal) would be strengthened if the data
were to show an improving trend over time.

Page 18 of 31

JANUARY 2012

7.

OUTPUTS

The format of demonstration information in the safety case can vary, depending on the approach
taken by the operator. For ease of future revision, safety cases may be written with the
methodology for various safety duties (such as hazard identification) and high-level results in the
body of the safety case with detailed results in appendices. It would therefore make sense for
operators to explain the methodology for determining adequacy of control measures in the body of
the safety case, probably as one aspect of the safety assessment methodology, and include
results of control measure assessment in an appendix. Operators may include detailed tables of
control measure assessment (rated under headings such as Effectiveness, Reliability, Survivability,
Maintainability, etc.) in their appendices.
Operators that use fully explained examples to strengthen their demonstration normally include the
examples as a stand-alone section of the safety case. This section could also contain other
information used to support the demonstration argument, such as an explanation of why the
operator believes compliance with a particular code or standard equates with reducing risk so far
as is reasonably practicable at their particular facility.
As mentioned previously, performance monitoring results can also have an important role in
demonstrating the effectiveness of control measures and SMS elements, especially for licence
renewal applications. Depending on the amount of performance monitoring data available, this
data can also be presented in the safety case. Alternatively, for a large quantity of data, a summary
of the monitoring and/or auditing process and a summary of results and conclusions could be
presented in the body of the safety case and detailed results in an appendix.

Page 19 of 31

JANUARY 2012

8.

REVIEW AND REVISION

There are no review and revision requirements for new operators relating to demonstration.
However, review and revision requirements relate to renewal of a MHF licence.
Any changes identified as necessary in the hazard register and lists of control measures and
supporting SMS elements will make it necessary to revise the demonstration information. Naturally
if incident investigations or performance monitoring results provide a new state of knowledge, then
the operator must reconsider the effectiveness of a control measure or some aspect of safety
management, and any adequacy assessment must be reviewed and revised.
The operators assessment of control measures, and reasons for considering them to be reliable,
are a valuable source of information to regulators when preparing for annual inspections at the site.
Operators could ask similar questions when conducting internal audits e.g. What sort of reliability
or PFD (or testing frequency to justify that PFD) was assumed in the control measure assessment?
Do incidents, inspection and maintenance records validate these assumptions? If not, the
demonstration should explain what action is being taken to remedy this situation.

Page 20 of 31

JANUARY 2012

APPENDIX A WHS REGULATIONS

Regulation
558

Requirement
Safety management system
(1) The operator of a determined major hazard facility must establish a safety
management system for the operation of the major hazard facility, in accordance
with this regulation.
(2) The operator of a determined major hazard facility must implement the safety
management system for the major hazard facility, so far as is reasonably
practicable.
(3) The safety management system must:
(a) provide a comprehensive and integrated system for the management of all
aspects of risk control in relation to the occurrence and potential occurrence
of major incidents at the major hazard facility; and
(b) be designed to be used by the operator as the primary means of ensuring the
safe operation of the major hazard facility.
(4) The safety management system must:
(a) be documented; and
(b) state the operator's safety policy, including the operator's broad aims in
relation to the safe operation of the major hazard facility; and
(c) state the operator's specific safety objectives and describe the systems and
procedures that will be used to achieve those objectives; and
(d) include the matters specified in Schedule 17; and
(e) be readily accessible to persons who use it.

560

Safety case must be provided

561

The operator of a determined MHF must provide the regulator with a completed
safety case for the MHF within 24 months after the facility was determined to be an
MHF.
Content (of safety case)
(1) The operator must prepare the safety case in accordance with the safety case
outline prepared or altered under this Division.
(2) A safety case must contain the following:
(a) a summary of the identification conducted under regulation 554, including a
list of all major incidents identified;
(b) a summary of the safety assessment conducted under regulation 555;
(c) a summary of the major hazard facility's emergency plan;
(d) a summary of the major hazard facility's safety management system;
(e) a description of any arrangements made in relation to the security of the
major hazard facility;
(f) a description of the consultation with workers that took place under regulation
575 in the preparation of the safety case;
(g) the additional matters specified in Schedule 18.

Page 21 of 31

JANUARY 2012

(3) The safety case must include any further information that is necessary to ensure
that all information contained in the safety case is accurate and up to date.
(4) A safety case must demonstrate:
(a) that the major hazard facility's safety management system will, once
implemented, control risks arising from major incidents and major incident
hazards; and
(b) the adequacy of the measures to be implemented by the operator to control
risks associated with the occurrence and potential occurrence of major
incidents.
(5) The operator must include in the safety case a signed statement that:
(a) the information provided under subregulations (1) and (2) is accurate and up
to date; and
(b) as a consequence of conducting the safety assessment, the operator has a
detailed understanding of all aspects of risk to health and safety associated
with major incidents that may occur; andThe operator must prepare the
safety case in accordance with the safety case outline prepared or altered
under the regulations.
(c) the control measures to be implemented by the operator:
(i) will eliminate the risk of a major incident occurring, so far as is reasonably
practicable; and
(ii) if it is not reasonably practicable to eliminate the risk of a major incident
occurringwill minimise the risk so far as is reasonably practicable; and
(iii) in the event of a major incident occurringwill minimise its magnitude
and the severity of its health and safety consequences so far as is
reasonably practicable; and
(d) all persons to be involved in the implementation of the safety management
system have the knowledge and skills necessary to enable them to carry out
their role safely and competently.

563

(6) If the operator is a body corporate, the safety case must be signed by the most
senior executive officer of the body corporate who resides in [this jurisdiction].
Review

570

The operator of a determined major hazard facility must review and as necessary
revise the major hazard facilitys safety case after any review is conducted under
regulation 559.
Safety case review

575

The operator of a licensed MHF must review and as necessary revise the safety
case after any review is conducted under regulation 569.
Operator of MHF must consult with workers
(1) For the purposes of section 49(f) of the Act, the operator of a determined major
hazard facility must consult with workers at the major hazard facility in relation to
the following:
(a) the preparation of the safety case outline for the major hazard facility;
(b) the preparation, testing and implementation of the major hazard facility's
emergency plan;

Page 22 of 31

JANUARY 2012

(c) the establishment and implementation of the major hazard facility's safety
management system;
(d) the conduct of a review under regulation 559;
(e) the implementation of the workers' safety role under regulation 574(1);
(f) the preparation and review of the major hazard facility's safety case.
(2) For the purposes of section 49(f) of the Act, the operator of a licensed major
hazard facility must consult with workers at the major hazard facility in relation to
the following:
(a) the testing and implementation of the major hazard facility's emergency plan;
(b) the implementation of the major hazard facility's safety management system;
(c) the conduct of a review under regulation 569;
(d) the implementation of the workers' safety role under regulation 574(2);
(e) a review of the major hazard facility's safety case. The operator of a
determined MHF or a licensed MHF must consult with workers at the MHF in
relation to matters concerning the safety case and the SMS.

Page 23 of 31

JANUARY 2012

APPENDIX B DEFINITIONS
Adequacy, for the purposes of Chapter 9 of the WHS Regulations, means suitable for achieving
the objective of eliminating or reducing the likelihood of a major incident occurring or the magnitude
and severity of consequences of a major incident if it did occur.
Control measure, in relation to a risk to health and safety, means a measure to eliminate or
minimise the risk.
Demonstration means a logical, coherent case or argument to show convincingly that the
requirements of regulation 561(4)(a) and (b) are being achieved at the MHF. This will usually
involve some text to state the case, backed up by some evidence to support the case such as
documentation from technical analyses, incident/data trends, observation of the performance of
equipment, management systems and control measures, records of tests and drills, real-time
information, electronic media and other data.
Facility means a workplace at which Schedule 15 chemicals are present or likely to be present.
Major hazard facility (MHF) means a facility:
at which Schedule 15 chemicals are present or likely to be present in a quantity that
exceeds their threshold quantity
that is determined by the regulator under Part 9.2 to be a major hazard facility.
Major incident at a major hazard facility is an occurrence that:
results from an uncontrolled event at the major hazard facility involving, or potentially
involving, Schedule 15 chemicals
exposes a person to a serious risk to health and safety emanating from an immediate or
imminent exposure to the occurrence.
An occurrence includes any of the following
o an escape, spillage or leakage
o an implosion, explosion or fire.
Major incident hazard means a hazard that could cause, or contribute to causing, a major
incident. (This may include any activity, procedure, plant, process, substance, situation or other
circumstance).
Operator
in relation to a facility, means the person conducting the business or undertaking of
operating the facility, who has:
o management or control of the facility
o the power to direct that the whole facility be shut down
in relation to a proposed facility, means:
o the operator of a proposed facility that is an existing workplace
o the person who is to be the operator of a proposed facility that is being designed or
constructed.
Safety assessment is the process by which the operator of a major hazard facility systematically
and comprehensively investigates and analyses all aspects of risks to health and safety associated
with all major incidents that could occur in the course of the operation of the major hazard facility.
Schedule 15 chemical means a hazardous chemical that:
is specified in Schedule 15, table 15.1 of the WHS Regulations
belongs to a class, type or category of hazardous chemicals specified in Schedule 15, table
15.2 of the Regulations.

Page 24 of 31

JANUARY 2012

Threshold quantity, in relation to a Schedule 15 chemical, means:

the threshold quantity of a specific hazardous chemical as determined under clause 3 of
Schedule 15
the aggregate threshold quantity of 2 or more hazardous chemicals as determined under
clause 4 of Schedule 15 (regulation 5).

Page 25 of 31

JANUARY 2012

APPENDIX C RISK CRITERIA

Risk criteria
Comparison of estimated risk levels against set criteria may be useful as part of an overall
demonstration of adequacy of control measures, although it is unlikely that adequacy can be
demonstrated solely by this means. This appendix provides a brief discussion of the types of risk
criteria that have been adopted nationally and internationally. These approaches may be useful for
application to individual MHFs, to specific aspects of major incident risk at MHFs (e.g. the off-site
risk), or to particular sections of individual MHFs (e.g. if a purely qualitative approach proves
insufficient in particular areas).
General basis
Risk criteria can provide a basis for judging the tolerability of risks that have been assessed, and
for deciding the urgency or priority with which any identified hazard or risk should be addressed.
However, all risk assessment is subject to uncertainty, and hence use of rigid risk criteria may be
inappropriate. A possible alternate approach is provided by the UK Health and Safety Executives
(HSE) framework for the tolerability of risk and its As low as reasonably practicable (ALARP)
concept. This is based on broad ranges of risk, rather than on specific criteria. The HSEs policy
document Reducing Risks, Protecting People HSEs decision-making process (2001) presents
the risk tolerability framework. This represents risk on an inverted triangle as increasing from a
broadly acceptable region, through a tolerable region, to an unacceptable region (see Figure 2).
This broad framework is used in HSEs permissioning guidance, Guidance on as low as
reasonably practicable (ALARP) decisions in control of major accident hazards (COMAH) and
provides for the following broad risk ranges:
an upper region where ALARP has not been demonstrated and risk is unacceptable
a middle region where risk is tolerable if ALARP is demonstrated through arguments based
on relevant good practice, additional risk reduction methods and grossly disproportionate
costs for further risk reduction
a lower region where risk is broadly acceptable and does not need further reduction
because relevant good practice is applied.
Although the broad risk ranges appear compatible with the Work Health and Safety Act
performance standard of so far as is reasonably practicable, the interpretation does not
incorporate the continuous improvement aspects contained within the Regulations. This means
that at the lowest risk band, some risks may remain not reduced, even where it may be reasonably
practicable to further reduce the risk.
An interpretation of the broad risk ranges, which manages or reduces all risks and includes
consideration of continuous improvement, is shown in Table 3 and described in more detail below.

Page 26 of 31

JANUARY 2012

Figure 2: The broad risk regions

Risk must be reduced regardless of cost

unless extraordinary circumstances apply

Unacceptable region

Risk tolerable only if reduction cost is

grossly disproportionate to gain achieved

Tolerable region
Risk tolerable if all reasonably practicable steps
to reduce it are undertaken

Broadly acceptable region

Upper region

Unacceptable risk

Middle region

Tolerable risk

Lower region

Broadly acceptable risk

Risk tolerable if reduction cost exceeds

improvement achieved

Must ensure that the risk is managed to

remain at this level, and/or reduced further
if reasonably practicable

Prompt action must be taken to reduce

risk regardless of cost, unless
extraordinary circumstances apply
Risk reduction measures must be
implemented so far as is reasonably
practicable, taking into account the
available measures, relevant good
practice, cost etc
Risks must be managed and, so far as
reasonably practicable, continuously
reduced

Table 3: An interpretation of the risk ranges (refer to Figure 2)Error! Reference source not
found.Error! Reference source not found.
The overall demonstrations the operator has to make through the safety case need to consider
hazards and risks in all regions, and may need to specifically show that:
there are no hazards or risks currently in the upper region, and any hazards or risks that
may arise in the upper region in the future will be immediately and effectively dealt with
all hazards and risks in the middle and lower regions have had all reasonably practicable
risk reduction measures applied

there are suitable and reliable processes for continuing to manage hazards and risks at all
levels and for achieving continual improvement.

Page 27 of 31

JANUARY 2012

Risk matrices
A risk matrix categorises the risk of individual major incidents, based upon the judgement of an
assessment team about the order of magnitude of the likelihood and consequence of the incident
occurring. Typical risk matrices for hazardous industrial facilities range in size from 3 x 3 to 5 x 5.
Typically, this has likelihood on the Y axis and consequence on the X axis of the matrix. It is
recommended that the frequency or likelihood scale should be one order of magnitude per row or
column.
Risk increases diagonally across the matrix and bands of broad risk levels can be established on
the matrix, perpendicular to the direction of risk increase. These bands can be seen to broadly
relate to the risk bands in Figure 2, and therefore can be used to show areas where risk is
intolerable/unacceptable and where risk is tolerable, subject to all practicable measures being
taken and subject to continuous improvement. The broad risk bands can also be related to the
urgency of action required.
In general, preventative control measures (left hand side of the bow-tie diagram in Figure 1) lead to
a decrease in the likelihood of an incident occurring, which usually means a decrease in the Y
coordinate on the matrix. Mitigative control measures (right hand side of the bow-tie diagram in
Figure 1) lead to a decrease in the consequence of an incident if it occurs, which usually means a
decrease in the X coordinate on the matrix.
However, operators should note that the risk matrix approachwhilst it may be useful in ranking
risks and to support a demonstration of adequacyis unlikely to be sufficient on its own for many
facilities. For example, separate and additional analysis of the effects of alternate control measures
is likely to be needed, as a risk matrix is often too coarse a tool to distinguish between options. It
may also be difficult to fully address the requirement for cumulative consideration of hazards using
risk matrices alone.
Operators who use risk matrices should give clear definitions for the matrix and any categorisation
used within it, and should show what action or significance is attributed to each position on the
matrix. Operators should check that their risk matrices, and any risk criteria implied through their
use, are consistent with commonly adopted risk criteria, such as the (quantitative) interim Victorian
risk criteria (see the next section).
QRA and quantitative criteria
Quantitative approaches to risk assessment have different strengths and weaknesses. They allow
a more precise and consistent approach to defining the likelihood, consequence and severity of a
major incident but the results can vary significantly depending on assumptions made for the
calculations. They can also be resource-intensive, may lack transparency, may be difficult for a
non-specialist to understand and may give a misleading sense of accuracy of risk estimates.
If an operator chooses to conduct a Quantitative Risk Assessment (QRA), then the results may be
used by comparison with pre-determined criteria or for comparing different options as part of the
overall demonstration of adequacy. There are two main types of quantitative risk measure that may
be used to define risk criteria:
Individual risk is the frequency at which an individual may be expected to sustain a given
level of harm from the realisation of specified hazards. The purpose of criteria based on this
risk measure is to ensure that no single person is overexposed to risk. Risk assessment
results using this measure are often based on risk contour plots.
Societal risk is the relationship between the frequency of occurrence of major incidents
and the number of people suffering from a specified level of harm in a given population
from those incidents. The purpose of criteria based on this risk measure is to control risk to
society as a whole. Risk assessment results using this measure are often based on
frequency-consequence (FN) graphs.

Page 28 of 31

JANUARY 2012

These criteria may in principle be applied to any exposed population, on-site or off-site, although
for a variety of reasons the actual levels of risk tolerability may vary between the different exposed
groups. Risk tolerability values for individuals exposed to major incident hazards should relate in a
sensible manner to levels of risk from other industrial and non-industrial activities.
In the case of off-site risk to the general population, a set of interim criteria has been used in a
number of cases in Victoria e.g. in relation to land use planning (Interim Victorian Risk Criteria
Risk Assessment Guidelines, prepared for the Altona Chemical Complex and the Victorian
Government, by DNV Technica, October 1988). The criteria do not have legal status but provide
guidance on values. These values are as follows:
Risk must not exceed 10 per million per year at the boundary of any new facility.
If risk exceeds 10 per million per year at the boundary of an existing facility, risk reduction
measures must be taken.
If risk off-site is between 0.1 and 10 per million per year, all practicable risk reduction
measures are to be taken and residential developments are to be restricted.
Risk levels below 0.1 per million per year are broadly tolerable.
A plot of cumulative number of fatalities, from all potential incidents, against frequency
remains in the low or medium region.

1.00E+00

1.00E-01

1.00E-02

1.00E-03
Frequency
Per Year

HIGH

1.00E-04
MEDIUM

1.00E-05
LOW

1.00E-06

1.00E-07
1

10

100

1000

Number of Fatalities
LOW: Risk acceptable and tolerable. Must be managed.
MEDIUM: Risk tolerable, not necessarily acceptable. Must be reduced SFAP.
HIGH: Risk unacceptable and intolerable. Must be reduced immediately.

Legend: Societal Risk FN (dashed line); Victorian Interim Risk Criteria (solid lines)

Figure 3: Example societal risk FN graph with Victorian Interim Risk Criteria

Page 29 of 31

JANUARY 2012

Comparison with a benchmark such as the Victorian risk criteria is a straightforward exercise when
an operator uses QRA in its formal safety assessment. However, QRA is not mandatory under the
Regulations and most operators use alternative qualitative assessment techniques such as risk
matrices. Since most matrices show a consequence band of one fatality on one axis, and some
form of numerical frequency (or likelihood) estimate on the other axis, it is usually possible to
determine what sort of fatality rate the operator considers to be High, Medium or Low on-site
risk. While there are no equivalent Victorian on-site risk criteria, in the past a fatality risk of 10-3 per
year has been considered as the limit of tolerability for the high hazard environment of a congested
off-shore oil platform. The risk for a less congested on-shore facility should be much lower than
this. It is likely that the regulator would challenge an operator if it appeared from the risk matrix that
a risk of 10-3 per year or higher was considered low risk, or in the lower end of medium risk.
These criteria are offered for reference purposes only, so it is not mandatory that they be met.
However, if operators choose to meet different criteria, it is important that whatever criteria are
adopted is justified as appropriate.
Potential loss of life and cost benefit of control measures
Societal risk can also be expressed as a Potential Loss of Life (PLL), which is the number of
fatalities that may be expected to occur each year, averaged over a long period. The number
should be small: if 100 people are each exposed to a risk level of 10 in a million per year, the PLL
is 0.001.
The PLL is a useful basis for cost-benefit analyses of risk reduction measures, via the Implied
Cost of Averting Fatality (ICAF):
ICAF = cost of measure/(initial PLL reduced PLL)
Such calculations are often controversial as they appear to require a value to be placed on life, but
these calculations are commonly used internationally and may aid decision making in regard to
adopting control measures for major hazards. For example, a low ICAF for a proposed risk
reduction measure implies that the measure is highly effective because the cost is low compared to
the risk reduction achieved. Conversely, a high ICAF implies a relatively ineffective risk reduction
measure, indicating that the money should be diverted to an alternative.
Other issues
Other issues to consider in relation to risk criteria include the following:
Quantitative criteria for risk to persons on-site have not been established for Victorian
industry and would need to be set and justified by any operator proposing to use QRA
methods.
Hazards (and therefore possibly risks) must be assessed both individually and
cumulatively, and hence the adopted criteria will need to be applicable to hazards both
individually and cumulatively. The risk matrix approach considers hazards and risks
individually, whilst the Victorian interim risk criteria apply to all hazards cumulatively.
Therefore, a combination of criteria may be needed.
Most established criteria relate specifically to fatality rates but the MHF regulations do not
require any specific form of criteria. It may be appropriate to consider measures of risk
related to lower levels of harm e.g. serious injury.

Page 30 of 31

JANUARY 2012

APPENDIX D FURTHER INFORMATION

References
Layers of Protection Analysis, Simplified Process Risk Assessment, Centre for Chemical Process
Safety, American Institute of Chemical Engineers, 2001.
Australian Standard, AS 1940:2004 The storage and handling of flammable and combustible
liquids.
Australian Standard/New Zealand Standard, AS/NZS 2927:2001 The storage and handling of
liquefied chlorine gas.
Australian Standard/New Zealand Standard, AS/NZS 1596:2008 The storage and handling of LP
Gas.
Australian Standard/New Zealand Standard, AS/NZS 4804:2001 Occupational health and safety
management systems General guidelines on principles, systems and supporting techniques.
Australian Standard/New Zealand Standard, AS/NZS ISO 9000:2006 Quality management
systems Fundamentals and vocabulary.
Australian Standard, AS IEC 61511.1 to 3:2004 Functional safety Safety instrumented systems
for the process industry sector.
Australian Standard, AS 4024.1:2006 Safety of machinery.
General
COMAH Safety Report Assessment Manual. UK HSE Hazardous Installations Directorate,
January 2003.
Reducing Risks, Protecting People HSEs decision-making process, UK HSE, HSE Books, 2001.
HIDs approach to As low as reasonably practicable (ALARP) decisions. UK HSE Hazardous
Installations Directorate, SPC/Permissioning/09.
Guidance on As low as reasonably practicable (ALARP) decisions in control of major accident
hazards (COMAH). UK HSE Hazardous Installations Directorate, SPC/Permissioning/12.
Specific topics
Risk criteria for land use planning in the vicinity of major industrial hazards, UK HSE, 1989.
Fire, Explosion and Risk Assessment Topic Guidance, UK HSE Hazardous Installations
Directorate Offshore Division, February 2003.
Good practice and pitfalls in risk assessment. UK HSE Health & Safety Laboratory, Research
Report 151, 2003.
Hazardous industry planning advisory paper No.4 Risk Criteria for Land Use Safety Planning
(HIPAP 4) (January 2011) Former NSW Department of Planning..
Environmental Risk Assessment: An Australian Perspective, Supervising Scientist Report 102, T
Beer & F Ziolkowski, Canberra, 1995.

Page 31 of 31

JANUARY 2012