
95WKS 4 Major Hazard Facilities Safety Assessment


GOOD PRACTICE GUIDELINES
MAJOR HAZARD FACILITIES:


Safety Assessment
July 2016
This guideline offers advice on how
to conduct a safety assessment that
meets the requirements of the Health
and Safety at Work (Major Hazard
Facilities) Regulations 2016.

ACKNOWLEDGEMENTS

In recognition of the valuable contribution made towards the development of this guideline, WorkSafe
New Zealand (WorkSafe) would like to thank the members of the guidance group and those who provided
input and feedback during reviews and consultation.

WorkSafe would also like to acknowledge the following organisations for providing information used
to develop this guideline:
>> Health and Safety Executive (UK)
>> National Offshore Petroleum Safety and Environmental Management Authority (Australia)
>> Safe Work Australia
>> WorkSafe Victoria (Australia).
SAFETY ASSESSMENT
KEY POINTS:

>> Operators of designated upper tier major hazard facilities must conduct a safety assessment.
>> Operators of designated lower tier major hazard facilities must conduct a safety assessment for the purposes of preparing and implementing the major accident prevention policy.
>> A safety assessment is a documented, comprehensive, and systematic investigation and analysis of all health and safety risks associated with major incident hazards.
>> Operators must engage with workers, and consult with the emergency services organisations and certain government agencies and consider their advice and recommendations.

TABLE OF CONTENTS

01 INTRODUCTION
1.1 Purpose and scope of this guideline
1.2 What is a safety assessment?
1.3 How you can use this guideline
1.4 How this guideline fits into the suite of guidelines
1.5 Worker engagement, participation and representation practices

02 SAFETY ASSESSMENT OVERVIEW
2.1 Expected outcomes
2.2 The safety assessment process
2.3 Engagement and consultation
2.4 Review of safety assessment

03 MAJOR INCIDENT AND MAJOR INCIDENT HAZARD IDENTIFICATION
3.1 Select the right technique
3.2 Major incident identification
3.3 Identify the major incident and major incident pathways
3.4 Identify all specified hazardous substances
3.5 Understand the hazardous substances properties and how they could cause harm
3.6 Identify major incident hazards over the facility life cycle

04 SAFETY ASSESSMENT
4.1 Likelihood analysis
4.2 Consequence estimation
4.3 Risk assessment
4.4 Risk evaluation

05 CONTROLS
5.1 Identify controls
5.2 Demonstration of adequacy
5.3 What is reasonably practicable?
5.4 Safety-critical elements
5.5 Develop performance standards for controls
5.6 Critical operating parameters

06 APPENDICES
6.1 Appendix A: Risk criteria
6.2 Appendix B: More information
6.3 Appendix C: Glossary

TABLES
1 Overview of duties under the MHF Regulations
2 Steps of the safety assessment process
3 Some considerations for identifying major incident hazards during the facility life cycle
4 Typical considerations during likelihood analysis
5 Typical considerations during consequence estimation
6 Hazard/control register
7 Hazard/control register that does NOT help demonstration
8 Performance standards for controls
9 An interpretation of the risk ranges (refer to Figure 7)

FIGURES
1 Overview of major hazard facilities guidelines
2 Worker engagement, participation and representation at a glance
3 Safety assessment process
4 Hierarchy of controls
5 Example bow-tie showing an ammonia release at storage
6 Safe operating window and critical operating parameters
7 The broad risk regions

GOOD PRACTICE GUIDELINES // MAJOR HAZARD FACILITIES: SAFETY ASSESSMENT

01/ INTRODUCTION

IN THIS SECTION:
1.1 Purpose and scope of this guideline
1.2 What is a safety assessment?
1.3 How you can use this guideline
1.4 How this guideline fits into the suite of guidelines
1.5 Worker engagement, participation and representation practices

SECTION 1.0 // INTRODUCTION

This guideline will help an operator conduct a safety assessment to understand all the risks to health and safety associated with potential major incidents and explain how those risks are reduced so far as is reasonably practicable.

1.1 PURPOSE AND SCOPE OF THIS GUIDELINE


The Health and Safety at Work (Major Hazard Facilities) Regulations 2016 (the MHF Regulations)
identify the facilities to which the MHF Regulations apply. The status of a facility depends on the
types and quantities of specified hazardous substances present or likely to be present, among
other factors.

Table 1 presents an overview of the different types of facility and the corresponding obligations
imposed by the MHF Regulations. The focus of this guideline is on the safety assessment.

Columns: DUTIES | EXISTING FACILITY | PROPOSED FACILITY | DESIGNATED LOWER TIER MAJOR HAZARD FACILITY | DESIGNATED UPPER TIER MAJOR HAZARD FACILITY

Rows (duties):
>> Notification
>> Design notice (For a proposed facility that may exceed the upper threshold only)
>> Major accident prevention policy (MAPP)
>> Safety management system (SMS)
>> Emergency plan
>> Safety assessment
>> Safety case

Table 1: Overview of duties under the MHF Regulations

1.2 WHAT IS A SAFETY ASSESSMENT?


A safety assessment is a comprehensive and systematic investigation and analysis of all health
and safety risks associated with major incident hazards and major incidents. It demonstrates
how those risks will be reduced so far as is reasonably practicable. Any deficiency in the safety
assessment process may make it difficult to demonstrate that controls are adequate and that
risk has been reduced so far as is reasonably practicable.

A safety assessment generally follows the hazard identification process although some duplication between the two processes may be necessary. Hazard identification determines the hazards and causes of major incidents and starts to identify the range of controls that provide protection against a major incident occurring. Knowledge of hazards and their consequences is necessary for the safety assessment but only worthwhile if it informs and improves decision making and seeks to reduce risk so far as is reasonably practicable.

A systematic safety assessment employs a logical, transparent and repeatable process. This enables you as the operator to compare the range of incidents and identify which are the key contributors to the overall risk profile of the MHF.

1.3 HOW YOU CAN USE THIS GUIDELINE

This guideline is for you as an MHF operator, process safety engineer, manager, and worker of MHFs. It is for all facilities designated as MHFs and is non-industry specific.

For operators of lower tier major hazard facilities (LTMHF) this guideline will help you carry out a safety assessment proportionate to your major incident hazards. This will inform the major accident prevention policy (MAPP) and safety management system (SMS). While you are not required to carry out a safety assessment to the standard of Regulation 38, use this guideline to help you complete a proportionate safety assessment.

For operators of upper tier major hazard facilities (UTMHF) this guideline will help you with conducting the safety assessment required by the MHF Regulations.

Some industries have guidelines that deal with specific problems faced in their working environments, such as the petroleum or electricity sectors. When carrying out a safety assessment or how to do a job safely, make sure you check any industry specific guidance.

Coloured boxes summarise sections of the MHF Regulations or the Health and Safety at Work Act 2015 (HSWA).

Grey boxes contain examples. These expand on the content of the section and help in providing further clarification.

1.4 HOW THIS GUIDELINE FITS INTO THE SUITE OF GUIDELINES

Figure 1 describes how the suite of major hazard facilities good practice guidelines (GPG) interacts. The expanded detail is a simplification of the content described in this guideline.

This guideline contains advice on:
>> what a safety assessment should cover
>> selecting the right technique
>> major incident and major incident hazard identification
>> risk assessment
>> identifying controls
>> performance standards.

This guideline forms part of a set of guidance that includes information on:
>> Emergency planning
>> Major accident prevention policies
>> Notifications and designation
>> Safety cases
>> Safety management systems.

HOW THE SAFETY ASSESSMENT LINKS TO THE SMS

The SMS is the system by which the MHF’s hazards and risks can be effectively managed. The safety assessment needs to be integrated into the SMS with review and improvement processes to enable you to understand the impact on the system and any changes to the safety of the facility.

Regulation 39 requires the SMS to manage all aspects of risk control in relation to major incidents at the facility.

[Flowchart: notification and design notice, then designation, then the duties of all designated MHFs (comply with general duties under the Health and Safety at Work Act 2015). LTMHF duties: prepare and implement a major accident prevention policy; establish and implement a safety management system; prepare an emergency plan. UTMHF duties: establish and implement a safety management system; prepare an emergency plan; conduct a safety assessment; prepare and submit safety cases. Each duty is linked to the corresponding MHF guideline. Key: Operator; WorkSafe; LTMHF Lower tier major hazard facility; UTMHF Upper tier major hazard facility.]

Figure 1: Overview of major hazard facilities guidelines


HOW THE SAFETY ASSESSMENT LINKS TO THE EMERGENCY PLAN

The MHF must have an emergency plan that effectively addresses all health and safety consequences of a major incident occurring. The plan must be specific to the facility’s major incident hazards identified in the safety assessment.

The safety assessment will feed directly into emergency planning. So it is vital to make sure the safety assessment covers all possible areas of impact, and all possible hazards, to make sure the emergency plan covers all identified major incidents.

Regulation 31 requires the emergency plan to be specific to the facility and the major incident hazards identified in the safety assessment.

HOW THE SAFETY ASSESSMENT LINKS TO THE SAFETY CASE

The safety assessment is a key part of any safety case. It is a comprehensive and systematic investigation and analysis of all health and safety risks associated with major incident hazards and major incidents. The safety assessment should identify:
>> the nature of each major incident and hazard
>> hazards and conditions that could lead to a major incident
>> the risk (likelihood and consequence) of each hazard causing a major incident
>> its potential magnitude, and the severity of health and safety consequences in the event of a major incident
>> the range of controls considered
>> the implemented controls
>> the rejected controls (and the reasons).

Schedule 7 requires the safety case to include a summary of the safety assessment.

1.5 WORKER ENGAGEMENT, PARTICIPATION AND REPRESENTATION PRACTICES

Both you, as the operator, and workers have general health and safety duties of care. Figure 2 shows your twin duties to engage with workers and to have effective worker participation practices.

For certain duties under the MHF Regulations you must engage with, and make sure there is participation of, workers and any worker representatives who are:
>> identifiable at the time
>> working, or likely to be working, at the MHF.

These are stronger requirements than the twin duties placed on a person conducting a business or undertaking (PCBU) under HSWA. The set of workers the duties apply to also differs. The twin duties under HSWA only apply to workers who carry out work for the business or undertaking. In comparison, the duties under the MHF Regulations apply to any identifiable worker ‘working, or likely to be working,’ at the MHF.

For more information, see WorkSafe’s GPG Major Hazard Facilities: Major Accident Prevention Policy and Safety Management Systems and WorkSafe’s GPG Worker Engagement, Participation and Representation, which:
>> describes a PCBU’s two duties:
–– to engage with workers
–– to have effective worker participation practices
>> provides practical advice on how to engage on health and safety matters
>> describes effective worker participation practices, including representation, with examples.

RELATED DUTIES OF A PERSON CONDUCTING A BUSINESS OR UNDERTAKING (PCBU)

>> Duty to engage: Engage with workers on health and safety matters that will – or are likely to – affect them.
>> Duty to have participation practices (can include worker representation): Provide reasonable opportunities for workers to participate effectively in improving health and safety on an ongoing basis.

[Diagram: worker engagement, participation and representation between PCBU and workers: ask questions, share information, identify risks, suggest ideas.]

…effective worker participation is vital to managing health and safety issues successfully in the workplace.[1]

The best results are achieved when a PCBU and its workers work together to manage risk, improve health and safety at work, and find solutions.

Figure 2: Worker engagement, participation and representation at a glance

[1] The Report of the Independent Taskforce on Workplace Health & Safety: He Korowai Whakaruruhau (2013) http://hstaskforce.govt.nz


02/ SAFETY ASSESSMENT OVERVIEW

IN THIS SECTION:
2.1 Expected outcomes
2.2 The safety assessment process
2.3 Engagement and consultation
2.4 Review of safety assessment

SECTION 2.0 // SAFETY ASSESSMENT OVERVIEW

Go through the safety assessment process in a systematic way to identify all major incident hazards and controls.

The safety assessment should cover:
>> the whole MHF and all activities on-site
>> routine or abnormal operations
>> any off-site hazard that could reasonably impact on the site, leading to a major incident.

2.1 EXPECTED OUTCOMES

The safety assessment should demonstrate you are reducing risks of major incidents so far as is reasonably practicable and there is ongoing review.

The outcomes of a robust safety assessment process should be:
>> a list of all identified major incidents/scenarios
>> the criteria and methods used to identify the major incident hazards and major incidents
>> an assessment of the cumulative effects of the major incidents:
–– incidents that could reasonably lead to initiating further incidents
–– multiple incidents from one common hazard
–– the exposure of one person or group of people to several hazards.
>> identification of consequences for each major incident without controls
>> analysis of risk (likelihood and consequence) for each major incident (with current controls and then with planned controls)
>> identification of the local community potentially affected by the consequences of any major incident
>> identification of maintenance and monitoring requirements
>> the critical operating parameters identified for the selected controls
>> the reasons for deciding which controls to implement with a documented justification of any potential control considered not to be reasonably practicable
>> a description of how the identified controls prevent or minimise the major incidents and major incident hazards
>> demonstration of the adequacy of controls for each major incident, so far as is reasonably practicable
>> an implementation plan for controls not yet in place
>> a description of how you will review and continually update the safety assessment
>> the path by which the major incident hazards could lead or have led to a major incident.

Use safety assessment tools and techniques appropriate to your facility. Make sure you can explain and justify your choice.

2.2 THE SAFETY ASSESSMENT PROCESS

Table 2 summarises the steps to take when conducting one type of safety assessment and describes some matters to consider when undertaking each step. Note that this list is an example of an approach. It is not exhaustive, and there may be other matters to consider at each step.


STEP: Prepare facility description to establish context
CONSIDER:
>> Establish scope: whole or part of facility, include routine and non-routine activities, on and off-site hazards.
>> Linkages between the facility description and hazard identification.

STEP: Gather input data/documentation
CONSIDER:
>> Facility design limits/standards.
>> Incident reports from facility or similar facilities.
>> Up-to-date facility drawings, plans and maps.
>> Existing studies (eg fire studies, hazard studies, mechanical integrity studies and consequence modelling).
>> Data on specified hazardous substances/hazardous substances, safety properties, quantities, locations, safety data sheets (SDS).
>> Current plant condition, maintenance history.

STEP: Select hazard identification technique
CONSIDER:
>> Appropriateness of hazard identification techniques (eg quantitative or qualitative).

STEP: Establish required hazard identification team and competency
CONSIDER:
>> Composition of the hazard identification team, worker engagement and participation.
>> Competence and expertise of the hazard identification team.
>> Competency and independence of the facilitator.

STEP: Determine hazard identification timing
CONSIDER:
>> Appropriateness of hazard identification timing.
>> Sufficient time allocation for hazard identification.
>> Availability of team members.

STEP: Conduct assessment (see Figure 3)
CONSIDER:
>> Presentation tools, format of meetings, worker involvement.
>> Method of documenting the safety assessment.

STEP: Documentation
CONSIDER:
>> Capturing all hazard identification actions.
>> Justification and documentation of discarded hazard identification scenarios.
>> Activities and decisions are traceable and reproducible.
>> Documentation and recording process of the sessions (for audit purposes).

STEP: Track remedial actions
CONSIDER:
>> Method for tracking and closure of remedial actions and committed further actions.

STEP: Update hazard register
CONSIDER:
>> Compiling findings into a register.

STEP: Monitor and review
CONSIDER:
>> Revise safety assessment as necessary, for example, if there are changes to the facility, process or new controls identified.

Table 2: Steps of the safety assessment process

[Flowchart. Boxes shown, in order:]
>> Hazard identification
>> Major incident hazards (add to site hazard register)
>> Consequence assessment and likelihood assessment
>> Evaluate risk
>> Identify existing controls
>> Are any controls safety-critical elements? (YES: identify as safety-critical element)
>> Identify any additional controls that could be implemented
>> Is implementing additional controls reasonably practicable? (YES: plan implementation that is specific, measurable, appropriate, realistic and timely)
>> Is risk reduced so far as is reasonably practicable and does risk meet any internal risk criteria? (NO: stop process or activity until further controls can be identified. YES: develop performance standards for controls and safety-critical elements)
>> Integrate performance standards into SMS
>> Make sure performance standards are met throughout the life of the MHF
>> Monitor performance and review where failures are identified

Figure 3: Safety assessment process


2.3 ENGAGEMENT AND CONSULTATION

As well as your general duties under HSWA, you have specific engagement duties under the MHF Regulations. You must engage with, and make sure there is participation of, workers and any worker representatives identifiable, and consider their advice and recommendations. You should involve workers working or likely to be working at the time, at all stages of the safety assessment process. There should be a team approach, accountability and roles assigned, and a clear plan established regarding who does what. An elected and trained health and safety representative (HSR) could be assigned to the project.

The assessment process will benefit if a cross-section of workers attends workshops, with sufficient resources allocated to them. Consider using workers who have insight into the risks, and could directly influence and advise on controls. You may choose to use workers to lead hazard identification workshops. Consider appointing external facilitators for the hazard identification and risk analysis processes.

CONSULT WITH EMERGENCY SERVICES, WORKSAFE, AND LOCAL AUTHORITIES

You must consult with the Police, Ambulance, and New Zealand Fire Service emergency services and WorkSafe. Use the information and recommendations they provide to inform the safety assessment process.

For more information on consulting with the emergency services see WorkSafe’s GPG Major Hazard Facilities: Emergency Planning.

Regulation 38 requires the operator to engage with, and have regard to any advice and recommendations given by workers, and consult with emergency services, WorkSafe, or any government department or agency with a regulatory role in relation to MHFs.

2.4 REVIEW OF SAFETY ASSESSMENT

You must review the safety assessment on an ongoing basis. Whether this review is continuous or periodic depends on your SMS. Continually review residual risks and determine if the risk should be re-evaluated.

Review and, as necessary, revise the safety assessment when:
>> ongoing review indicates a change or proposed change to the MHF could:
–– create a major incident hazard that had not been previously identified
–– increase the likelihood of a major incident
–– increase the magnitude or severity of the consequences from a major incident.
>> a control no longer minimises the risk so far as is reasonably practicable
>> a new major incident hazard, or risk associated with that hazard, is identified
>> the results of engagement with workers indicate that a review is necessary
>> a HSR requests a review because the HSR reasonably believes that grounds for review exist (which may affect the health and safety of workers) and you have not adequately conducted a review
>> there is a change of operator.

For UTMHFs, where reviews result in a significant change to the level of risk identified, you may also need to revise the safety case. For more information see WorkSafe’s GPG Major Hazard Facilities: Safety Cases.

Example 1: Monitoring and review

Company X reviews control performance results at a monthly safety meeting, which includes maintenance and operations workers, a HSR and the site manager. Control performance results are grouped for presentation. The SMS performance is also reported at this meeting. If issues are identified with a control’s performance, then the safety assessment is reviewed.

Company X has also established linkages in its systems that require review of the safety assessment if an incident occurs at the facility or one like it. Incident investigation triggers a review of the safety assessment, as does reporting a near miss event and activation of the emergency plan. Management of change (MoC) also triggers a review of the safety assessment.

Regulation 35 requires the operator to review and, as necessary, revise the safety assessment in particular circumstances.


03/ MAJOR INCIDENT AND MAJOR INCIDENT HAZARD IDENTIFICATION

IN THIS SECTION:
3.1 Select the right technique
3.2 Major incident identification
3.3 Identify the major incident and major incident pathways
3.4 Identify all specified hazardous substances
3.5 Understand the hazardous substances properties and how they could cause harm
3.6 Identify major incident hazards over the facility life cycle

SECTION 3.0 // MAJOR INCIDENT AND MAJOR INCIDENT HAZARD IDENTIFICATION

The safety assessment must identify all potential major incidents and the major incident hazards which can cause or contribute to them.

3.1 SELECT THE RIGHT TECHNIQUE

Apply hazard identification and safety assessment methodology suited to your operation and the major incident hazards considered. For a UTMHF, justify your reasons for technique selection in the safety case as well.

Hazards vary depending on the industry and operation. Hazards in complex chemical operations will be different from those for storage operations. Various hazard identification and assessment techniques exist that can be used successfully. Multiple techniques are usually required to adequately identify and assess all the major incident scenarios. Make sure techniques:
>> are fit for the complexity and scale of the MHF
>> are chosen with meaningful engagement and participation by appropriately skilled and knowledgeable workers
>> consider any external conditions or facility-specific attributes
>> clearly document the relationships between the major incidents, hazards, and controls
>> show the reason for the safety assessment, in particular your choice of controls
>> generate outputs you can use in further safety assessments and integrate in the SMS.

Identify hazards systematically using current information. Listed below are some of the commonly used techniques for hazard identification and risk assessment at different stages of an MHF’s life cycle. Expect to apply multiple methods – but only use those most relevant and best suited to the MHF:
>> Audit findings and pending issues
>> Bow ties
>> Chemical reactivity hazard matrix
>> Concept hazard analysis
>> Event tree analysis (ETA)
>> Failure modes and effects analysis (FMEA)
>> Failure modes, effects and criticality analysis (FMECA)
>> Fault tree analysis (FTA)
>> Fire and explosion study
>> Hazard and operability study (HAZOP)
>> Hazard Identification (HAZID)
>> Historic records of incidents both at the facility and within industry, including near misses
>> Human reliability analysis (HRA)
>> Job safety analysis (JSA)
>> Layers of protection analysis (LOPA)
>> Process hazard analysis
>> Repair history
>> Risk-based inspection (RBI) outputs
>> Scenario based hazard identification
>> Task analysis
>> ‘What if’ analysis

Be alert to common cause failures, possible knock-on scenarios and any external conditions which may affect the potential for a major incident to occur.

Regulation 38 requires the operator to document all aspects of the safety assessment.


Example 2: Chemical warehouse

An operator of a warehouse decided to map stock movement within the warehouse and analyse what could go wrong at each step. They checked the systemic hazards (eg power failure, lightning strike, major incident from another facility) and assessed the non-routine tasks.

The operator must ensure the task/condition interaction has been thoroughly explored when using this approach. For example, when opening in the morning, is there a risk that toxic vapours from a leak have accumulated overnight?

Example 3: With similar multiple facilities

An operator has several simple storage facilities (eg LPG or ammonia), with each facility built to similar standards and undertaking similar tasks. They choose to define a representative set of major hazards and potential major incidents. These will be validated by workshops at each site. This allows significant technical input in constructing the representative set. However, the operator must ensure the process incorporates site-specific features and external conditions, such as the presence of threats from outside the facility boundary.

There is also the assumption the tasks are performed the way envisaged by head office, which may not be the case. If the workshop attendees do not understand the assumptions behind the representative set, they may not detect how what they do on-site may cause or contribute to the major incident. The composition of the workshop team is an important success factor for this approach.

Example 4: Using multiple techniques

Processing facilities usually commission a number of hazard studies through the various phases of design, construction, commissioning and operation. Some of these assessments are:
>> task-based (eg lighting burners)
>> hazard-based (eg hazardous area assessments)
>> process-based (eg HAZOPs and safety integrity level (SIL) assessments)
>> based on an assessment of conditions and known failure mechanisms (eg as part of an RBI system).

The operator’s challenge is to include all of these studies in a detailed understanding of all aspects of risks to health and safety.

A common approach is to divide the process into natural operating units (or management units) and conduct a process hazard analysis, using the results of all the above mentioned studies. The operator needs some method of checking for consistency and for ensuring that areas ‘at the interface’ are covered. Areas of lesser apparent risk (eg dangerous goods management in the warehouse, or service systems) are also included, as they can often potentially involve specified hazardous substances and develop into major incidents.

3.2 MAJOR INCIDENT IDENTIFICATION

The intent of the safety assessment is to focus on the high-consequence, low-probability events. The hazard identification must identify all major incidents and all major incident hazards that could occur at the facility, including those relating to the security of the MHF.


Major incident is defined in Regulation 9, and has the following qualities:
>> they result from an uncontrolled event (ie unplanned or involving the failure of one or more controls)
>> they involve or potentially involve specified hazardous substances. This includes events initiated by other circumstances that may knock-on to specified hazardous substance storage or handling facilities
>> they expose multiple people to a serious risk to health and safety (at least two, and often more than two people, including those in the area surrounding the facility)
>> the risk emanates from an immediate or imminent exposure (which excludes long-term cumulative impacts such as some types of cancer) to:
–– one or more of those substances as a result of the event
–– the direct or indirect effects of the event.

Occurrences that may be classified as a major incident include:
>> escape, spillage or leakage of a substance (eg damage, overfill, decay)
>> implosion (eg vacuum from steam condensation)
>> explosion (eg boiling liquid expanding vapour explosion (BLEVE), vapour cloud explosion)
>> fire (eg loss of containment which could lead to fire, pool fire, jet fire, flash fires, fireball).

The uncontrolled event which may lead to a major incident has a spectrum of possible consequences. If any of the possible consequences of the event may lead to serious risk to health and safety of multiple people, then the event leading to the serious risk must be classed as a major incident. Serious risk includes risk leading to death.

The definition of major incident is not limited to uncontrolled events which only cause or have the potential to cause multiple fatalities. This is because the MHF Regulations cover substances with a variety of hazardous properties, some of which cannot cause fatalities.

There are incidents that do not involve or potentially involve specified hazardous substances, but that do potentially expose multiple people to a serious risk to their health or safety. These incidents do not have to be included in the safety assessment and safety case as they do not meet the definition of a major incident. However, you still have the primary duty of care to make sure workers and others are not at risk from work carried out at the facility. Adequately manage these risks via the SMS and emergency plans prepared for the facility.

Major incident hazards are defined as those hazards that could cause or contribute to causing a major incident or uncontrolled event. The intent is for the facility to fully understand and control the chain of events (major incident pathways) that may lead to a major incident.

Identifying the potential major incidents requires some creativity, technical expertise, and familiarity with the plant and equipment. Major incident hazard identification should be performed in teams. It is important teams:
>> understand what constitutes a major incident
>> are composed of an appropriate variety of people
>> are aware of the properties of the specified hazardous substances
>> are aware of how the hazardous substances are used
>> are familiar with the activities that occur within the processes, operation and maintenance of the facility
>> are aware of plant and industry incident history


>> challenge assumptions and existing norms of design and operation
>> think beyond the immediate experience of the facility
>> look only at potential and ignore any consideration of likelihood or existing controls at this stage.

3.3 IDENTIFY THE MAJOR INCIDENT AND MAJOR INCIDENT PATHWAYS

Include all identified major incident hazards with a credible pathway linking to a major incident. If the mechanism cannot be established, the incident can be safely removed from further consideration. Do not delete it entirely, as including it demonstrates a comprehensive inquiry. This is not the same as establishing a very low likelihood of the incident occurring.

Example 5: Appropriately rejected potential major incident scenarios
>> Hydrogen sulphide is present in a waste gas stream at a facility, and for environmental reasons the waste stream is sent to a thermal oxidiser. When conducting the safety assessment, the facility investigated whether a leak from a hole in the duct to the thermal oxidiser could lead to a major incident. The facility carefully considered the maximum possible concentration of hydrogen sulphide, pressure in the duct and toxic exposure criteria. They concluded people would not be put at serious risk unless they put their head in the hole in the duct (which was several metres above-ground level).
>> Release of a very small quantity of a toxic material may only cause irritation rather than hospitalisation or fatality (inventory/toxicity combination insufficient).
>> A tsunami impacting an above-ground tank located 100km inland on a hill (diminishingly small likelihood).
>> A BLEVE of an underground LPG tank (burying the tank, however, introduces other loss of containment mechanisms which must be proven to be under control).
>> A specified hazardous substance, known to decompose exothermically at temperatures over 200°C, is stored in full sunlight away from fire risk material. The team could not establish a mechanism where the specified hazardous substance would approach 200°C.
>> Opening a drain line on a vessel that could contain volatile components was considered a possible cause of low temperature and thus brittle fracture at one facility. However, flash calculations showed the temperature would not fall low enough, even with the most volatile composition and highest pressure conditions.

Example 6: Inappropriately rejected potential major incident scenarios
>> Catastrophic failure of a storage tank was rejected because the tank was designed to New Zealand Standards. It had pressure safety valves, pressure alarms and high-level alarms and shutdowns. However, the potential for a major incident still existed, so the hazard should not have been rejected.
>> Electrical failure, resulting in loss of control of reaction and potential runaway reaction, release and explosion, was rejected because of a back-up power supply. The major incident hazard still exists, even with that back-up.


>> The hazard of incompatible materials mixing in a storage warehouse was rejected because procedures state they must not be stored together. Procedural controls do not remove the potential major incident.

These potential major incidents have been inappropriately rejected based on the selected controls. These major incidents can still occur.

Regulation 38 requires the safety assessment identify hazards and conditions that could lead to a major incident.

VALIDATE THE MAJOR INCIDENT PATHWAYS

The objective is to gain a detailed understanding of what can go wrong. This helps you assess which controls are necessary, and what performance indicators and standards are required. Use work done at this stage later in the likelihood analysis and consequence estimation. It is reasonable to focus effort in understanding the major incidents of highest concern.

Example 7: Understanding corrosion as an initiator
A HAZOP team identified the potential for corrosion to cause a loss of containment. It is necessary to further understand this hazard as there are various approaches available to control it:
>> Regular pre-emptive maintenance to prevent corrosion.
>> Corrosion from erosion may be controlled by velocity.
>> Internal corrosion from acid attack may be controlled by regulation of pH and monitoring of coupons.
>> External ‘under insulation’ corrosion occurs more often in dead legs and cannot occur above certain temperatures.
>> Stress corrosion cracking prevention may require maintenance of water concentration within a certain range.

Example 8: Understanding how the equipment is designed to fail
Engineers may design equipment with the intent that it shall ‘leak before break’, giving the operators time to either isolate or remove the items before there is sufficient quantity to cause a major incident. The incident pathway is not eliminated, but the probability of major incident is reduced. Examples include:
>> LPG hoses are designed to leak before breaking. The hose can be safely taken out of service without a major incident even if it does leak.
>> LPG hoses tend to creep as they deteriorate. Spraying the hose connection with paint allows detection of this creep and removal before any leak takes place.

3.4 IDENTIFY ALL SPECIFIED HAZARDOUS SUBSTANCES

Consider all specified hazardous substances in the safety assessment, including:
>> products
>> by-products
>> intermediates
>> raw materials
>> waste.

It does not matter whether they are held in storage, in process, or being transferred or otherwise handled.

This includes small isolated quantities that may be excluded from the notification requirement. For more information, see WorkSafe’s GPG Major Hazard Facilities: Notifications and Designation.


Example 9: Inclusion of small quantities of specified hazardous substances
A small hydrogen cylinder serving an online process gas chromatograph is an example of a small quantity that would have no influence on the threshold calculations. However, because of its location inside the plant, it may need to be included in the safety assessment if it could initiate an incident that could in turn escalate to a major incident. Similar cylinders in an adequately ventilated laboratory area remote from the process areas of the facility may not need to be considered at all.

3.5 UNDERSTAND THE HAZARDOUS SUBSTANCES PROPERTIES AND HOW THEY COULD CAUSE HARM

Identify and understand the properties of the hazardous substances. These properties may include:
>> toxicity
>> flammability
>> explosivity
>> degradation behaviour
>> chemical reactivity and interactions
>> incompatibilities
>> physical state
>> concentrations
>> solubility
>> properties at temperatures and pressures that may occur at the facility.

The properties need to be understood at the conditions encountered in the facility during both normal and abnormal operations. These properties will have a significant impact on what, if and how a major incident will occur.

Example 10: Understanding the properties of specified hazardous substances
Workers at facilities should be aware of the properties of the hazardous substances and how those properties may lead to a major incident if not properly managed. Some of the consequences are not obvious. For example:
>> Sodium chlorate is stable as a solid and soluble in water. However, when mixed with other materials such as organics (eg pesticides and herbicides) or acids, there is a risk of fire and explosion.
>> Hydrogen peroxide is a strong oxidiser and can react violently with reducing agents. It also decomposes to oxygen and water naturally (or promoted by conditions), which can cause fire on contact with a flammable material.
>> Material left in storage for prolonged periods or as intermediate products may result in unwanted product formation. Depending on the product, this could cause instability, increased toxicity or increased internal pressure (ie the intermediate bulk containers (IBC) ‘bulges’ and potentially ruptures).
>> Ammonia is a toxic material and also soluble in water to form an alkaline solution. At high pressures and temperatures ammonia is capable of forming an explosive mixture with air.
>> If chlorpyrifos is heated above 90°C it decomposes. Above 130°C there is an exothermic decomposition (runaway reaction).


Example 11: Understanding toxicity exposure mechanisms – the Bhopal incident
In December 1984, toxic gas was released from a vent stack from Union Carbide’s facility in Madhya Pradesh, India. This happened after a runaway reaction likely occurred in a tank after methyl isocyanate (MIC) came into contact with water. MIC is a highly toxic irritant to mucous membranes.
>> MIC reacts readily with many substances, including water, and itself.
>> It has a low boiling point.
>> It has a high vapour pressure.

This combination of properties resulted in emergency venting of a huge amount of MIC, and the gas affected hundreds of thousands of people, as well as having lasting environmental damage.

Example 12: Understanding minimum amount likely to cause harm
For an ammonia release to expose a person to serious risk to their health and safety, the ammonia must be in a sufficient concentration to cause harm. Lesser amounts cause nuisance and irritation. While all releases are undesirable, it is necessary to focus efforts on preventing leaks/releases of sufficient size to cause a major incident.

Consequence modelling of small releases found that 50 kg was needed for the immediate danger to life and health threshold (IDLH) to be reached at distances over 2 metres.

3.6 IDENTIFY MAJOR INCIDENT HAZARDS OVER THE FACILITY LIFE CYCLE

The major incident hazards that must be identified by the safety assessment are those which involve specified hazardous substances. As such, they will only exist from some point during the commissioning of the plant onwards. However, major incident hazards need to be identified as early in the project life cycle as possible, as there is a greater ability to implement some controls early in the project.

Consider how the nature of the major incident hazards change during different stages of the operational life of the facility. Table 3 sets out some considerations when identifying major incident hazards.


ENGINEERING / DESIGN
>> Choice of process technology
>> Choice of equipment
>> Quality of materials
>> Infrastructure considerations (eg transport, communications, occupied buildings)
>> Construction standards
>> Compliance with legislation
>> Process hazards (eg temperature, pressure and flow changes)
>> Electrical (eg equipment, rating, static electricity, grounding, surges)
>> Firefighting equipment
>> Certifications
>> Factor of safety used in the design

COMMISSIONING
>> Start-up procedures
>> Plant change process
>> Loss of containment issues (because of pumping, equipment testing and other process start-up activities)
>> Emergency preparedness
>> Initial fill prior to start-up
>> Checking fail safes and monitoring
>> Hauling, mobilization & positioning of equipment and facilities
>> Pressure testing and maintenance coordination
>> Simultaneous operations involved in pre-commissioning

OPERATING
>> Chemical hazards (eg flammable, poisonous, corrosive)
>> Process hazards (eg temperature, pressure and flow changes)
>> Fire and explosion (eg heat radiation, overpressures, thermal flux)
>> Procedures related (eg normal operations, operating outside design envelopes)
>> Plant and process changes
>> Human factors
>> Required controls and their critical operating parameters

MAINTENANCE
>> Physical hazards (eg dropped objects, vehicle collisions)
>> Chemical hazards (eg welding, acid cleaning)
>> Site security
>> Electrical (eg equipment, rating, static electricity, grounding, surges)
>> Permit-to-work system (eg for high pressure lines, mechanical and electrical systems)
>> Coordination/notification with operations re maintenance activities
>> Depressurising and cooling of hydraulics, pneumatics, and thermal equipment before repair

DECOMMISSIONING
>> Draining and emptying of dangerous goods
>> Hazardous waste disposal
>> Disassembling of equipment
>> Transportation and disposal etc
>> Loss of expertise and plant knowledge if in receivership etc
>> Shut-down requirements
>> Hauling and demobilisation
>> Lock off of facilities

Table 3: Some considerations for identifying major incident hazards during the facility life cycle

Note: Some stages may overlap, with considerations starting in one and continuing into another, or being relevant through multiple stages.

04/ SAFETY ASSESSMENT

IN THIS SECTION:
4.1 Likelihood analysis
4.2 Consequence estimation
4.3 Risk assessment
4.4 Risk evaluation


A safety assessment must involve a comprehensive and systematic investigation and analysis of all risks to health and safety associated with all major incidents.

Likelihood analysis and consequence estimations are generally considered at the same time as the hazard identification for developing controls against the hazard leading to a major incident. After finding out likelihood and consequence, risk can be assessed.

Regulation 38 requires the safety assessment to involve a comprehensive and systematic investigation and analysis of all aspects of risks to health and safety associated with all major incidents that could occur in the course of the operation of the facility.

4.1 LIKELIHOOD ANALYSIS


To determine the likelihood of each potential major incident, assess:
>> the likelihood of the initiating event
>> how well the control performs, or is likely to perform (ie its effectiveness).

An assessment of effectiveness may include:


>> Functionality: The ability of the control to address a particular hazard.
>> Availability: Assessing the control for the proportion of time it is actually capable
of performing (operating time plus standby time).
>> Reliability: Whether the control will be functional when required.
>> Survivability: How likely the control is to continue to be effective, if required, after a major
incident has been initiated.
>> Independence: The control is not dependent on other controls functioning.
>> Maintenance: Whether the control’s functionality can be maintained (eg availability of parts, access, training and knowledge).
>> Monitoring: Whether it is possible to monitor whether the control is fully functional or impaired, and how this could be done.

Table 4 lists typical data sources and matters to consider while carrying out likelihood analysis.

LIKELIHOOD ANALYSIS – DATA SOURCES, AND WHAT TO CONSIDER FOR EACH

Historic incidents, incidents, near misses
>> Reliability and relevance of data
>> References for the data
>> Statistical significance based on population sample size

Manufacturer’s or technology provider’s database
>> Failure frequencies based on manufacturer or provider’s experience, adjusted for local environmental conditions

Fault tree, event tree, cause consequence diagrams
>> Estimation of failure frequencies


Standard databases and literature
>> Suitability of data for the given conditions
>> Referencing the source of data (eg generally used sources for obtaining information on standard failure frequency rates, Health and Safety Executive (HSE), DNV GL, OREDA, Chlorine Institute literature)
>> Statistical relevance of the data source in the literature

Safety alerts/bulletins
>> Alerts from WorkSafe and various regulatory agencies and institutes (eg HSE, Chemical Safety Board, Chlorine Institute, American Petroleum Institute, Centre for Chemical Process Safety)

Experiences and other sources
>> Based on the experience and expertise of the workers involved in the likelihood analysis process
>> Failure frequency database or incident database maintained by the industry

Table 4: Typical considerations during likelihood analysis

Standard tools and techniques for the analysis include fault trees, event trees, LOPA and bow-tie
analysis. These have all been used successfully. Common mistakes are to:
>> claim benefit from controls that are not truly independent
>> misapply the techniques
>> fail to:
–– involve workers to gain realistic views/assumptions of the situation
–– validate analysis with audit findings, previous incidents, repair history, modifications
and worker changes
–– define likelihood criteria clearly
–– consider performance under all operating conditions
–– validate the current performance of existing controls.

It is also important to consider the influence of human factors on likelihood and include them
in the safety assessment. This may be achieved by identifying the possible human factors at
play and managing those factors within the SMS. Quantitative human factor assessment tools
are available, for example human error assessment and reduction technique (HEART), and can
be incorporated into the analysis of identified incident scenarios if appropriate or required.

Example 13: Human factor analysis


ABC Chemical Company recognised the ability of the operators to respond to alarms was
potentially affected by factors such as fatigue and workload. They implemented the following
systems to promote performance:
>> fatigue management plan
>> drug and alcohol policy
>> leadership/supervision training for supervisors.

They also examined the workload during critical periods and introduced:
>> additional resources for planned start-ups and shutdowns
>> an alarm reduction system focused on removing alarm flooding.


Likelihood is either expressed qualitatively as a rating or given a numerical value as a frequency per annum. You must understand and document the basis of the assessment (the assumptions and event pathway).

4.2 CONSEQUENCE ESTIMATION


CONSEQUENCE MODELLING (NO CONTROLS)

Any major incident has a range of potential consequences. You must identify the worst credible
consequence of a major incident where no controls are in place. The basis of this calculation
(inventory, external conditions, etc) should be clearly documented and discussed.

The intent is to understand and be prepared for the worst major incident. Premature focus on the associated risk misses the opportunity to decide the consequence is not to be tolerated (as has been decided by many oil companies about locating temporary maintenance buildings near vents after the Texas City incident).

CONSEQUENCE ESTIMATION PROCESS, AND WHAT TO CONSIDER FOR EACH

Modelling software selection and validation
>> Industry recognised model
>> Appropriateness of modelling software
>> Limitations of modelling software
>> Validity of software
>> Independent validation of consequence modelling
>> Selection of appropriate ‘probit’ equations

Modelling assumptions and considerations
>> Isolatable sections – documentation of omissions or exclusion of parts (referenced to up-to-date piping and instrumentation diagrams)
>> Storage, pipelines and process inventory
>> Modelling scenarios
>> Weather data
>> Topography
>> Exposure times

Alternative assessment process
>> Use of appropriate qualitative or semi-quantitative measures relevant to situation

Table 5: Typical considerations during consequence estimation

Example 14: Consequence analysis of a warehouse fire


ABC Warehousing is a MHF storing pesticides, flammable liquids, a small amount of
flammable gases and general merchandise in separate stores. They concluded a fire at the
warehouse could:
>> generate a toxic plume, with possible rain-out of toxic material at the edges
>> generate significant heat, potentially affecting neighbours
>> generate projectiles and possibly fireballs
>> generate significant quantities of contaminated fire-water run-off that would need
to be contained.


They concluded nearby neighbours (up to 500 m) could be affected. The number of people affected would depend on the time of day. The nearest sensitive receptor was a residence 1 km away and unlikely to be affected by any event at the warehouse. A nearby office building, however, had significant amounts of glass facing the facility that could be particularly vulnerable to heat. The facility chose to commission modelling to establish the potential and recommend options to minimise potential impact in the event of a fire.

SENSITIVITY ANALYSIS

The actual consequence of an event will be the result of a number of factors and is unlikely to be the worst case. It is important to understand which factors are important and how the consequence severity varies with variation in those factors (a sensitivity analysis). This allows you to understand the performance requirements when planning for an emergency, and identifies additional risk minimisation methods.

For more information on emergency planning, see WorkSafe’s GPG Major Hazard Facilities: Emergency Planning.

Example 15: Warehouse fires
ABC Warehousing understood the ferocity of the fire depends upon:
>> the nature of the stored chemicals (eg flammable liquids ignite easily)
>> how the chemicals are stored (combustible materials add to fire load, high racking may inhibit sprinkler systems, and packages of flammable liquids may burst with heat, ignite and spread fire throughout the bund compound)
>> how long it takes to detect the fire (automatic versus manual detection)
>> if the fire is caught early enough (small fires are easily extinguished).

The nature of the (toxic) smoke plume depends on:
>> wind speed and direction
>> fire temperature (there are different stages of a fire, with different temperature profiles)
>> the nature of the burning chemicals.

The operator realised that weather conditions and inventory had the greatest impact on the consequence zone. The time of day also significantly influenced how many people were likely to be affected. As the operator cannot control the weather, it was decided to focus on preventing the incident, and ensuring fast communications and response if an incident did occur.

CONSEQUENCE MODELLING WITH CONTROLS

Assessing consequences with controls represents the most likely consequence. All facilities benefit from being aware of the most likely consequence when deciding priorities. You should control the most likely events and the worst events. They can be different major incidents.

USING THE CONSEQUENCE MODELLING

A common mistake is to commission consequence and risk modelling from a consultant, fail to validate the results and fail to use the information in emergency planning, in both locating equipment and offices and in identifying potential knock-on events. When commissioning modelling, consider if it would be worthwhile to complement fatality calculations with distances to injury or even distances to irritation/nuisance to understand fully the potential consequences. This may improve understanding of the potential consequences and aid implementing effective controls.

Assess the level of consequence arising from a major incident for all populations exposed to that incident (both near and far field populations). Make sure to assess and categorise the exposure as chronic or acute (rather than the potential effects).

Regulation 38 requires the safety assessment determine the risk associated with each hazard, including the likelihood and consequences of each major incident.

KNOCK-ON EVENTS

Make sure you have addressed any potential credible events that may act as a knock-on event. Assessing effect ranges allows you to find out if it is reasonably foreseeable for one major incident to escalate and cause another. Major incidents may also be triggered by significant process safety events associated with non-specified hazardous substances that knock-on or affect systems storing or handling specified hazardous substances.

Example 16: Knock-on events
>> A small fire in a drum decanting operation could spread to an adjacent large drum store by a common drain system.
>> A boiler ruptures when the drum level reduces below the fire line. Projectiles damage the adjacent control room, leading to a loss of control of a production unit processing specified hazardous substances.
>> A rupture of a large nitrogen storage vessel causes local evacuation and prevents operators from responding to a dangerous process excursion.

The escalation potential may warrant specific analysis and control of the initiating event, rather than using the generic initiator of ‘fire’, ‘loss of control system’ and ‘fails to intervene (error)’.

4.3 RISK ASSESSMENT

Depending on whether you choose qualitative, quantitative or both techniques, risk assessments may be expressed by a position on a risk matrix, a numerical value of individual risk per annum or similar. The risk assessment may be used to justify rankings and priorities for further work and the need for additional controls.

Types of risk assessments include:
>> quantitative risk assessments – all risks are quantified by using recognised data and are numerically expressed
>> semi-quantitative risk assessments – risks associated with a major incident are generally quantified by using industry specific or site data
>> qualitative risk assessments – assessment of risk from subjective, considered opinion based on operating experience.

There is no specified quantitative risk level that is acceptable, so do not interpret ranking as a requirement to conduct a quantitative risk assessment. Also, meeting any of the quantitative risk criteria does not necessarily prove that you have reduced risk so far as is reasonably practicable.

Risk matrices can be useful tools, but need to be simple, relevant, and used by skilled assessors. They should not be the only risk analysis technique employed. The best results are when a risk matrix is used where controls are in place, to test whether the remaining risk is acceptable. Appendix A: Risk criteria offers further detail on risk matrices.


Example 17: Quantitative risk assessment


ABC Company conducted a quantitative risk assessment, which considered an ammonia
release from one of three identical tanks at their premises as well as releases from transfer
pumps, piping and other items of equipment. The analysis used industry data on equipment
failure rates to calculate likelihood, and consequence modelling of expected releases to
determine the extent of the consequences. The results were combined on a site map to show
individual risk of fatality at specific points by a risk contour.

ABC Company used these results to satisfy land use planning requirements and internal
risk tolerability targets. It does not, of itself, establish the risk has been reduced so far as is
reasonably practicable.

Example 18: Qualitative risk assessment


ABC Company considered an ammonia release from one of three identical tanks at their
premises (Incident 1). Based on incidents at similar facilities, they decided the likelihood was
‘not likely to occur’, while the consequence was that a number of fatalities were possible.

Risk matrix (consequence columns against likelihood rows)

CONSEQUENCE
1 Insignificant: Near miss, First Aid Injury (FAI) or one or more Medical Treatment Injuries (MTI)
2 Minor: One or more Lost Time Injuries (LTIs)
3 Moderate: One or more significant LTIs
4 Major: One or more fatalities
5 Catastrophic: Significant number of fatalities

LIKELIHOOD
5 Possibility of repeated events (1 x 10^-1 per year)
4 Possibility of isolated incidents (1 x 10^-2 per year)
3 Possibility of occurring sometimes (1 x 10^-3 per year)
2 Not likely to occur (1 x 10^-4 per year) – Incident 1 is plotted in this row
1 Rare occurrence (1 x 10^-5 per year)

KEY: Low risk, Moderate risk, Significant risk, High risk

The company used the relative placement on the matrix to prioritise risk reduction projects.
Potential major incidents in the significant or high-risk category had to be documented and
their management explained to senior officers of the company.


The risk to individuals and workgroups from both individual and collective events (total risk) needs to be considered for all populations exposed to or affected by those events (near and far field).

You can use a risk matrix to represent the relative consequence and likelihood of an incident. Determine the level of risk acceptable to the organisation collaboratively, engaging with workers and consulting other key stakeholders.

Regulation 38 requires the safety assessment be conducted using assessment methods (including quantitative or qualitative, or both) that are suitable for the hazards and major incidents being considered.

RISK RANKING

The MHF Regulations do not require the risks to be ranked or otherwise placed into a category. It is, however, very common to do so. Ranking allows you to prioritise resources in a coherent and traceable way. Many organisations have also set up governance structures around what they determine to be acceptable or unacceptable, and specified required courses of action accordingly.

CONSIDER CUMULATIVE RISK

Consider all potential major incidents and hazards cumulatively, as well as individually, in the safety assessment. You can consider cumulative risk in a number of ways:
>> Consider risk in aggregate: If there are a large number of different hazards and potential major incidents at a facility, the total risk may be significant even if the risk arising from each individual hazard or major incident is low.
>> Consider risk in concert: the evaluation of the consequences of major incidents occurring in quick succession (eg an earthquake followed by tsunami).
>> Consider risk by location: It may be useful to consider whether the major incident risk is concentrated in specific locations or roles. In these cases, additional controls may be prudent to reduce the likelihood or consequence, and reduce risk.

Where the determination of cumulative risk from multiple scenarios is necessary, a quantitative risk assessment tool (eg Quantitative Risk Assessment) other than, or as well as a risk matrix, may be appropriate. The risk matrix method may underestimate the likelihood of an event by taking credit of a barrier that could be a causal factor for a failure event in another scenario.

4.5 RISK EVALUATION

Risk evaluation is the decision that the risks have been reduced so far as is reasonably practicable. Compare the level of risk found during the risk assessment with any chosen risk criteria for the facility or with the standards declared in the objective. This is often a good predictor of whether risk could practicably be reduced further (but does not prove the risk has been reduced so far as is reasonably practicable). The risk evaluation has three possible outcomes:
>> well below criteria: further risk reduction is probably impracticable, but still carry out an assessment to make sure risk is reduced so far as is reasonably practicable.
>> sufficiently close to or above criteria: seriously investigate further controls to reduce risk.
>> well above criteria: further controls need to be found or continued operation questioned.


Example 19: Analysis of cumulative risk


Hazard identification identified there were six possible mechanisms that could lead to a major
incident from a batch polymerisation reactor:
>> reactor overfill
>> high pressure
>> runaway reaction – excess reactant added
>> runaway reaction – excess catalyst
>> runaway reaction – agitator failure
>> agitator seal failure.

The safety assessment determined that each hazard individually was in the significant risk
zone on a risk matrix. However, the one operator responsible for this area is exposed to the risk
presented by all of them since he spends the shift close to the reactor. Therefore, cumulatively,
the likelihood of the operator being exposed to a major incident is sufficient to increase the risk
faced by that operator into the high-risk zone.

[Figure: risk matrix with CONSEQUENCE and LIKELIHOOD axes, marking “Individual risks” and
“Cumulative risk to operator”. Key: Moderate risk, Significant risk, High risk]

After reviewing this situation, the company decided to relocate the operator’s control console
to a central control room.
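
The aggregation behind Example 19, worked through as an added example (not part of the WorkSafe guideline). The annual frequencies, the second role and the decade-wide likelihood rows are constructed for illustration, and the calculation assumes the six mechanisms are independent, which does not hold where scenarios share a barrier.

```python
import math

# Constructed annual frequencies for the six mechanisms in Example 19.
# The guideline gives no numbers; these are illustrative only.
SCENARIOS = {
    "reactor overfill": 2.0e-4,
    "high pressure": 1.5e-4,
    "runaway reaction - excess reactant added": 3.0e-4,
    "runaway reaction - excess catalyst": 2.0e-4,
    "runaway reaction - agitator failure": 2.5e-4,
    "agitator seal failure": 1.5e-4,
}

# Which roles are within range of which scenarios (constructed).
EXPOSURE = {
    "reactor operator": list(SCENARIOS),  # beside the reactor for the whole shift
    "maintenance fitter": ["reactor overfill", "agitator seal failure"],
}


def likelihood_row(frequency):
    """Matrix row for a frequency, one order of magnitude per row.

    Returns the decade exponent: 2e-4 per year falls in row -4,
    which runs from 1e-4 up to but not including 1e-3.
    """
    if frequency <= 0:
        raise ValueError("frequency must be positive")
    return math.floor(math.log10(frequency))


def aggregate_frequency(frequencies):
    """Chance per year of at least one event, assuming independent events."""
    none_occur = 1.0
    for f in frequencies:
        if not 0 <= f <= 1:
            raise ValueError("annual probability must be between 0 and 1")
        none_occur *= 1.0 - f
    return 1.0 - none_occur


def cumulative_by_role(scenarios, exposure):
    """Per role: aggregate frequency, its row, and the worst single-scenario row."""
    result = {}
    for role, names in exposure.items():
        freqs = [scenarios[name] for name in names]
        total = aggregate_frequency(freqs)
        result[role] = {
            "aggregate": total,
            "aggregate_row": likelihood_row(total),
            "worst_individual_row": max(likelihood_row(f) for f in freqs),
        }
    return result


def roles_pushed_up(scenarios, exposure):
    """Roles whose cumulative exposure sits in a higher row than any one scenario."""
    summary = cumulative_by_role(scenarios, exposure)
    return sorted(role for role, s in summary.items()
                  if s["aggregate_row"] > s["worst_individual_row"])


if __name__ == "__main__":
    for role, s in cumulative_by_role(SCENARIOS, EXPOSURE).items():
        print(f"{role}: {s['aggregate']:.2e}/yr, row 1e{s['aggregate_row']} "
              f"(worst single scenario: row 1e{s['worst_individual_row']})")
    print("moved up a row:", roles_pushed_up(SCENARIOS, EXPOSURE))
```

With these figures every mechanism sits in the same likelihood row on its own, but the operator's combined exposure lands one row higher, while the fitter's does not.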

You will need to complete risk evaluation several times during the safety assessment process:
>> Before the controls are considered to determine the level of risk of the major incident hazard
without controls in place.
>> After the existing controls are considered to determine the current level of risk of the major
incident hazard and whether the risk is acceptable and has been reduced so far as is practicable.
>> After additional controls are identified to determine whether the additional controls reduce
the risk so far as is practicable.

It is very unusual for an operator to complete a safety assessment without a risk reduction plan
or list of items that are “on watch”. These could undergo changes in technology or other means
that may move risk reduction from impractical to reasonably practical.


Example 20: Qualitative risk evaluation


The ranking on the risk matrix determined
by ABC Company in Example 18 can be
compared with their internal risk criteria.
These state that any risk classified as a high
risk must be reviewed to ensure that all
potential controls have been identified
and implemented where practicable.
In addition, any high-risk items must
be approved by management for the
risk to remain without alteration.

Example 21: Risk evaluation: Implementation of additional controls

ABC Chemical Company identified during
the risk assessment that an additional
control (high-level trip) should be
considered to protect against overfilling
of the storage vessel. The risk of overfilling
was considered high during the assessment.
This additional control was selected on the
basis that:
>> it was considered essential to provide
protection given that manual control
is insufficient
>> the control was judged to have a
significant risk reduction potential
>> the proposed solution is known and
of reliable technology
>> it was higher on the hierarchy of controls
than alternative controls.

An alternative control was to use a smaller
tanker and have the supervisor check that
sufficient volume was available in the vessel
before unloading. This was rejected on the
basis that:
>> it was lower on the hierarchy of controls
than the high-level trip
>> it was likely to be ineffective and
possibly subject to human error
>> even though lower cost, the cost benefit
ratio was higher.

05/ CONTROLS

IN THIS SECTION:
5.1 Identify controls
5.2 Demonstration of adequacy
5.3 What is reasonably practicable?
5.4 Safety-critical elements
5.5 Develop performance standards for controls
5.6 Critical operating parameters


The safety assessment process must identify existing controls that prevent or limit the effects
of a major incident hazard. The safety assessment must also consider whether there are further
controls that could be implemented to reduce the risk so far as is reasonably practicable.

5.1 IDENTIFY CONTROLS

The safety assessment must include the range of controls you decide to implement.

The safety assessment should identify those controls that are absolutely necessary to avoid
a major incident. They should be reliable and fail-safe. Some will already be defined and
some will be identified in the course of the safety assessment.

A control, in relation to a risk to health and safety, means a measure to eliminate or minimise
the risk. Controls that eliminate or minimise the risk of a major incident occurring (ie impact
on either likelihood or consequence) are sometimes referred to as preventative controls. Those
which minimise the magnitude and severity of the consequences if a major incident occurs are
referred to as mitigative. Controls may also be described by other terms, such as:
>> active or passive
>> engineering
>> organisational
>> administrative or physical
>> hardware or software.

There are usually a range of controls available. In selecting controls, consider the hierarchy
of controls.

MOST EFFECTIVE
>> Elimination
>> Minimisation:
–– Substitution (wholly or partly)
–– Isolation/preventing contact or exposure to risk
–– Engineering controls (eg mechanical devices or processes)
–– Administrative controls (eg methods of work, processes or procedures designed to minimise risk)
–– Personal protective equipment (PPE)
LEAST EFFECTIVE

Figure 4: Hierarchy of controls

Base the selection of controls on what is reasonably practicable to reduce the risk. The safety
assessment must identify existing controls and potential controls. Consider recognised and
generally accepted good engineering practice, good practice, emerging technologies, published
codes of practice and industry standards, as well as what is currently present.


To identify controls, you need to understand what needs to happen for the control to be
effective, and manage that control in its entirety. For example, an alarm without an operator
to notice its activation and respond has no safety benefit. A procedure only has a safety
benefit if it is technically adequate and workers are competent in its use. Engineering
standards are only of benefit if they deal with the issue at hand and are applied.

5.2 DEMONSTRATION OF ADEQUACY

The MHF Regulations are an example of a proactive, performance-based regime, where a general
expectation for performance is set in HSWA but you select the best way to achieve it.

HSWA requires a performance standard of ‘so far as is reasonably practicable’. You must
demonstrate the identified controls eliminate or, if it is not reasonably practicable to
eliminate, minimise risks so far as is reasonably practicable.

Consider the following factors:
>> The assessment includes both controls that eliminate and minimise risks.
>> The full range of operating and start-up/shut-down conditions.
>> All identified hazards that could lead to a major incident should have at least one reliable
control which acts to limit or prevent their occurrence. Where necessary, multiple controls
are implemented.
>> The hierarchy of controls has been applied in understanding effectiveness (eg wearing PPE
and applying administrative controls are less effective than engineering solutions).
>> Control independence has been considered and correctly accounted for (particularly
important in quantitative assessments).
>> Critical operating parameters have been identified for safety-critical elements, compliance
with which is necessary to avoid a major incident.
>> Existing performance standards for adopted controls have been considered (or devised
if absent).
>> You can show the adopted controls are capable of maintaining operation within the
identified safe operating window.
>> Record identified controls rejected during the safety assessment, and the reason why they
were rejected (ie the justification of why they are not reasonably practicable).

The safety assessment will have identified what could and should be done to minimise and
control risks. The onus is now to adopt and implement those controls. The means of implementing
and maintaining the effectiveness of the adopted controls is via the SMS.

An assessment of whether doing something is reasonably practicable must be carried out in
accordance with Section 22 of HSWA. Regulation 30 requires that the controls, in the event of
a major incident occurring, minimise the magnitude and severity of its health and safety
consequences to people on-site and off-site, so far as is reasonably practicable.

5.3 WHAT IS REASONABLY PRACTICABLE?

In determining what is ‘reasonably practicable’ you are expected to exercise judgement,
considering the five factors specified in Section 22 of HSWA, namely:
>> the likelihood of the hazard or risk concerned occurring


>> the degree of harm that might result from the hazard or risk (eg fatality, multiple
injuries, medical or first aid treatment, long- or short-term health effects)
>> what the person concerned knows, or ought reasonably to know, about:
–– the hazard or risk
–– ways of eliminating or minimising the risk
>> the availability and suitability of ways to eliminate or minimise the risk
>> the cost associated with available ways of eliminating or minimising the risk. This
includes whether the cost is grossly disproportionate to the risk. In other words, controls
should be implemented unless the risk is insignificant compared with the cost of implementing
the controls.

Example 22: Identifying what is reasonably practicable and recording this information

Using an ammonia plant (UTMHF) as an example, the identification and assessment steps may
have identified the area with the highest likelihood of a loss of containment is the tanker
loading area. It is reasonable to expect the operator has thought about the controls needed
for this area. The safety case should be able to explain this.

The operator and MHF designers may also have concluded the worst case scenario (ie major
incident with the highest consequence) is catastrophic failure of the large ammonia storage
tank. Therefore it is reasonable to expect that more effort is put into the design and controls
for this part of the MHF because of the high consequence should this failure occur. The
information in the safety case should demonstrate that this worst case scenario has been
addressed.

The massive explosion that occurred at the Buncefield Fuels Terminal in the UK in 2005
significantly changed what that sector ‘knows, or ought reasonably to know’ about the hazards
or risks at this type of facility. As a result, it is now reasonable to expect that controls
to prevent similar tank overflows would be more robust than before.

The final consideration is to weigh up the cost of additional controls against the extent of
risk reduction that could actually be obtained. This is similar to the process many operators
go through each year when deciding which improvement projects to add to next year’s investment
plan and which to defer. For many possible projects/improvements, qualitative comparisons are
sufficient. However, more detailed quantitative comparisons are often undertaken for more
important or high-cost projects.

Although the cost of eliminating or minimising risk is relevant in determining what is
reasonably practicable, there is a clear presumption in favour of safety ahead of cost. Only
consider cost after identifying the extent of the risk and the available ways of eliminating
or minimising the risk.

The costs of implementing a particular control may include costs of purchase, installation,
maintenance, and operation of the control and any impact on productivity as a result of the
introduction of the control.

A calculation of the costs of implementing a control should consider any savings from fewer
incidents, injuries and illnesses, potentially improved productivity and reduced staff turnover.


Where the cost of implementing controls is grossly disproportionate to the risk, it may be
that implementing them is not reasonably practicable and therefore not required. This does
not excuse you from doing anything to minimise the risk so far as is reasonably practicable.
Instead use a less expensive way of minimising the likelihood or consequence.

Safety cases submitted by UTMHFs may contain examples where you’ve made similar comparisons
of alternative controls before deciding which to adopt for specific risk scenarios.

The safety assessment should provide the information needed to make these judgements.
Therefore much of the reasoning behind your selection of controls may already be presented
in the safety case (ie in the summary of the safety assessment). The extra information
required to make a convincing demonstration will depend on the amount of detail included
in the summary.

For more information on safety cases, including the safety assessment summary, see WorkSafe’s
GPG Major Hazard Facilities: Safety Cases.

DO CONTROLS MINIMISE RISK SO FAR AS IS REASONABLY PRACTICABLE?

The first component of a demonstration showing you’ve eliminated or minimised a risk so far
as is reasonably practicable is to show you’ve addressed each hazard and potential major
incident with specific controls. The use of bow-tie diagrams is one clear graphic means of
doing this (see Figure 5 for an example). This shows there are controls in place for each
hazard that could lead to a major incident. It is also possible to show this in tabular form
(eg database printout or spreadsheet).

Table 6 is a mock-up derived from Figure 5 that shows specific controls listed for specific
hazards. However, tables showing a list of hazards in one column and a list of controls in
another column (such as the mock-up in Table 7) do not help demonstrate that controls reduce
the risk of all identified hazards. They do not clearly show which controls act for which
hazards and whether all hazards have an identified control.

The second aspect is the level of risk that remains after you have decided it is not
reasonably practicable to do any more. One means of gauging the validity of these decisions
is by comparing the final risk with a suitable published benchmark.

Numerical evaluation of risk is only as good as the data you use in the evaluation of
likelihood and consequences, both of which are subject to much uncertainty.

Appendix A: Risk criteria provides examples of criteria that can be used in relation to major
incidents. These are not exhaustive and you may choose to use criteria different from these
examples. Whatever criteria are used, you will have to justify the criteria as suitable and
appropriate to the specific facility.

[Figure: bow-tie diagram. Key: Hazard, Hazard pathway, Major incident, Outcome]

Figure 5: Example bow-tie showing an ammonia release at storage (control colour as per the hierarchy of controls)

MAJOR INCIDENT: AMMONIA RELEASE AT STORAGE (ABC CHEMICAL COMPANY)

CAUSE: Component failure

| HAZARD | CONTROLS | EFFECTIVENESS |
|---|---|---|
| Equipment corrosion | Non-Destructive Testing (NDT) inspection program | High |
| | Equipment specification and design to ABC standards | Medium |
| Maintenance error (eg fitting tightened too far, wrong component – not fit for service) | Trade qualified workers | Low |
| | Valve and flange fitting training | Medium |
| Leak from flange/seal – gasket failure | Equipment specification and design to ABC standards | Medium |
| | Valve and flange fitting training | Medium |

CAUSE: Storage tank puncture

| HAZARD | CONTROLS | EFFECTIVENESS |
|---|---|---|
| On-site vehicle collides with storage tank | Storage area is protected (chained off/vehicle barriers) – restricted access | High |
| | Speed limits on-site | Low |
| Dropped object (lifting over storage tank) | Lifting gear inspection, maintenance and testing | Medium |
| | Relocate equipment requiring lifting | High |

Table 6: Hazard/control register

MAJOR INCIDENT: AMMONIA RELEASE AT STORAGE (ABC CHEMICAL COMPANY)

HAZARD
>> Dropped object (lifting over storage tank)
>> Equipment corrosion
>> External heat source (eg sun)
>> Leak from flange/seal – gasket failure
>> Maintenance error (eg fitting tightened too far, wrong component – not fit for service)
>> On-site vehicle collides with storage tank
>> Overfilling of storage tank

CONTROLS
>> ABC operating procedures for filling tank
>> Equipment specification and design to ABC standards
>> Lifting gear inspection, maintenance and testing
>> NDT inspection program
>> Pressure relief valves
>> Relocate equipment requiring lifting
>> Speed limits on-site
>> Storage area is protected (chained off/vehicle barriers) – restricted access
>> Tank designed for 50°C service (as per design specification)
>> Trade qualified workers
>> Valve and flange fitting training

Table 7: Hazard/control register that does NOT help demonstration
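
The difference between Table 6 and Table 7, as an added example (not WorkSafe's code): a register that links each control to a hazard can be checked mechanically, while two flat lists cannot. The rows are transcribed from Tables 6 and 7; treating a "High" rating as the reliable control the guideline asks for is an assumption made here, and Table 6 as printed covers only two causes, so hazards outside them show up as unlinked.

```python
# Hazard and control names are transcribed from Tables 6 and 7 (Table 7 wording).
MAINT_ERROR = ("Maintenance error (eg fitting tightened too far, "
               "wrong component - not fit for service)")
LEAK = "Leak from flange/seal - gasket failure"
VEHICLE = "On-site vehicle collides with storage tank"
DROPPED = "Dropped object (lifting over storage tank)"
SPEC = "Equipment specification and design to ABC standards"
FITTING = "Valve and flange fitting training"
BARRIERS = ("Storage area is protected (chained off/vehicle barriers) "
            "- restricted access")
LIFTING = "Lifting gear inspection, maintenance and testing"

# Table 6: each row links one control to one hazard and rates it.
REGISTER = [
    ("Component failure", "Equipment corrosion", "NDT inspection program", "High"),
    ("Component failure", "Equipment corrosion", SPEC, "Medium"),
    ("Component failure", MAINT_ERROR, "Trade qualified workers", "Low"),
    ("Component failure", MAINT_ERROR, FITTING, "Medium"),
    ("Component failure", LEAK, SPEC, "Medium"),
    ("Component failure", LEAK, FITTING, "Medium"),
    ("Storage tank puncture", VEHICLE, BARRIERS, "High"),
    ("Storage tank puncture", VEHICLE, "Speed limits on-site", "Low"),
    ("Storage tank puncture", DROPPED, LIFTING, "Medium"),
    ("Storage tank puncture", DROPPED, "Relocate equipment requiring lifting", "High"),
]

# Table 7: the same facility as two unlinked lists.
HAZARDS = [DROPPED, "Equipment corrosion", "External heat source (eg sun)", LEAK,
           MAINT_ERROR, VEHICLE, "Overfilling of storage tank"]
CONTROLS = [
    "ABC operating procedures for filling tank", SPEC, LIFTING,
    "NDT inspection program", "Pressure relief valves",
    "Relocate equipment requiring lifting", "Speed limits on-site", BARRIERS,
    "Tank designed for 50°C service (as per design specification)",
    "Trade qualified workers", FITTING,
]

RANK = {"Low": 1, "Medium": 2, "High": 3}


def controls_by_hazard(register):
    """Group register rows into hazard -> [(control, effectiveness), ...]."""
    linked = {}
    for _cause, hazard, control, effectiveness in register:
        if effectiveness not in RANK:
            raise ValueError(f"unknown effectiveness rating: {effectiveness!r}")
        linked.setdefault(hazard, []).append((control, effectiveness))
    return linked


def review_register(hazards, controls, register, minimum="High"):
    """Answer the questions a flat hazard list and control list cannot.

    minimum: lowest rating counted as a reliable control (assumption of this example).
    """
    linked = controls_by_hazard(register)
    used = {control for rows in linked.values() for control, _ in rows}
    return {
        # Identified hazards with no control linked to them at all.
        "no_control": [h for h in hazards if h not in linked],
        # Hazards whose best linked control is rated below the minimum.
        "no_reliable_control": [
            h for h in hazards
            if h in linked and max(RANK[e] for _, e in linked[h]) < RANK[minimum]
        ],
        # Controls claimed for the facility but not tied to any hazard.
        "unlinked_controls": [c for c in controls if c not in used],
        # Register rows naming a hazard missing from the hazard list.
        "unlisted_hazards": sorted(set(linked) - set(hazards)),
    }


if __name__ == "__main__":
    for finding, items in review_register(HAZARDS, CONTROLS, REGISTER).items():
        print(finding, "->", items)
```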


COULD MORE OR BETTER CONTROLS BE USED?

An alternative way to demonstrate the controls in place at the facility will minimise risk
so far as is reasonably practicable is to show that additional or alternative controls are
not justified.

You can use systems like LOPA or SIL reviews to determine acceptable risk levels and whether
they will be met. To ensure these types of systems remain useful, it’s important to include
a testing schedule into the system. Testing and recalibrating allows for continual improvement.

Additional or alternative controls can be included in these analyses and their effect on the
final risk estimated. There are also techniques for estimating the probability of failure on
demand (PFD) of procedural controls, such as HRA. There is published data available for the
PFD of procedural tasks, depending on their complexity, frequency of use and environmental
factors [2].

5.4 SAFETY-CRITICAL ELEMENTS

A safety-critical element is defined in the MHF Regulations as any part of a facility or its
plant (including a computer program) that:
>> has the purpose of preventing, or limiting the effect of, a major incident and
>> the failure of which could cause or contribute substantially to a major incident.

The ‘and’ that links the two parts of the definition means that something is a safety-critical
element on the basis of its ‘purpose’ and its contribution to causing a major incident.

Some safety-critical elements could be plant or systems that:
>> could cause a major incident if it failed, including:
–– particular safety features of primary containment, vessels, and pipe work
–– uninterruptable power supplies
–– a process logic controller or other electronic control system (where its malfunction
could contribute substantially to a major incident)
>> detect smoke, fire, accumulations of flammable (and other hazardous) gases, leakages of
flammable liquids, and other events that may require an emergency response
>> give warning of an emergency by audible and, where necessary, visual alarm systems. Alarms
which are for process control purposes and do not alert of an emergency may not necessarily
be safety-critical elements
>> limit the extent of an emergency, including:
–– measures to combat fire and explosions. For example:
›› inert-blanketing in tanks
›› integrity of equipment located in hazardous area zones
›› auto and manually operated deluge systems
›› foam-systems
›› fire-water supply and distribution systems
›› natural and forced ventilation systems
›› explosion hatches/doors
›› emergency shut-down systems
›› facilities to monitor and control the emergency and for organising evacuation
>> protect workers from explosion, fire, heat, smoke, hazardous gas, or fumes during any
period while they may need to remain at the facility during an emergency
>> ensure safe evacuation of all workers to a place of safety
>> provide safe means of escape in the event that arrangements for evacuation fail.

[2] See Layers of Protection Analysis, Simplified Process Risk Assessment, Center for Chemical
Process Safety, American Institute of Chemical Engineers, 2001.


Information on safety-critical elements can also be found in the GPG Major Hazard Facilities:
Safety Cases.

5.5 DEVELOP PERFORMANCE STANDARDS FOR CONTROLS


The MHF Regulations require that the SMS specifies the performance standards that apply. In
relation to a control, a performance standard is the acceptable level of response against a target,
or the required level of performance, for the control to be considered effective in managing the
risk. Performance standards may include both the current required level of performance and also
a target level to be achieved within a specified timeframe.

The performance standards are the parameters against which controls are assessed to make sure
they reduce risk so far as is reasonably practicable.

In developing these standards you should consider what level of performance is reasonable
to achieve from each control. It is important the parameters set in the performance standard
are specific (well defined and not open to wide interpretation), measurable, appropriate, realistic
and timely (SMART).

Performance standards are required for each control to make sure the effectiveness of that
control is tested and that a control failure is detected and remedied. The overall effectiveness
of the control can be judged by measuring its performance against the standard.

For more information on performance monitoring of controls and SMS elements see WorkSafe’s
GPG Major Hazard Facilities: Major Accident Prevention Policy and Safety Management Systems.

Example 23: Performance standards for controls


General standards to measure performance may be set up for completion of testing, calibration
or maintenance of controls within a fixed timeframe.

| CONTROL | PERFORMANCE STANDARD | EFFECTIVENESS MEASURE |
|---|---|---|
| PSV | Pop test pressure | Within + or - 2% of set pressure |
| | | 98% function at set pressure |
| Operating procedure | Compliance check | 0 major deviations |
| | | ≤1 minor deviation |

Table 8: Performance standards for controls

For the pressure safety valve in the table above, the corrective action in the event of failure
(ie not relieving at the set pressure) may be:
>> replacement
>> recalibration
>> reset.

This depends on the valve and service. The root cause of a trend of failures should also be
investigated. The second effectiveness measure may be reported to management, while the
first is used primarily as a guide for maintenance workers to determine what action to take in
response to failure.


5.6 CRITICAL OPERATING PARAMETERS

Critical operating parameters (COPs) are the upper or lower performance limits of any
equipment, process or procedure that, if not complied with, could result in a major incident.
COPs define the safe operating window, where any operation outside the safe operating window
could undermine the safe operation of the facility.

The purpose of identifying a COP is to make sure more robust monitoring of that parameter
occurs. Define COPs for those parameters where there is a high reliance on a worker to respond
to a process or manage an activity appropriately. Make sure that COP documentation is
continuously available to workers and that it provides clear guidance as to how people should
respond if a deviation occurs. In the event that a COP is exceeded, an investigation, including
risk assessment, should be conducted and the outcome documented.

Generally, the main difference between a COP and a performance standard is that COPs are
continuously monitored and managed, while performance against a performance standard is
generally periodically assessed (and included in the audit component of the SMS).

Monitor COPs to minimise any excursions outside the safe operating window.

[Figure labels: Known unsafe or uncertain zone; COP never exceed limit; Buffer zone; Known safe
operating window; COP range; Troubleshooting zone; Maximum normal operating limit; Normal
operating zone]

Figure 6: Safe operating window and critical operating parameters

Example 24: Critical operating parameters

Typical COPs might include:
>> maximum operating pressure of a pressure vessel
>> maximum and minimum operating temperature
>> minimum metal temperature (cold brittle fracture)
>> facility minimum manning level
>> voltage requirements
>> the number of fire pumps available
>> maximum reactant addition rate for a reactor
>> minimum cooling water flow rate for a reactor
>> maximum rpm of a high-speed turbine
>> maximum number of pallets to be stored in a specific area
>> maximum height or number of vertically stacked pallets in a storage area.

06/ APPENDICES

IN THIS SECTION:
6.1 Appendix A: Risk criteria
6.2 Appendix B: More information
6.3 Appendix C: Glossary


6.1 APPENDIX A: RISK CRITERIA

Comparison of estimated risk levels against set criteria may be useful as part of demonstrating
the overall adequacy of controls, although it is unlikely that adequacy can be demonstrated
solely by this means. This appendix provides a brief discussion of the types of risk criteria
that have been adopted internationally. These approaches may be useful for applying to
individual MHFs, to specific aspects of major incident risk at MHFs (eg the off-site risk),
or to particular sections of individual MHFs (eg if a purely qualitative approach proves
insufficient in particular areas).

GENERAL BASIS

Risk criteria can provide a basis for judging the tolerability of risks that have been
assessed, and for deciding the urgency or priority with which any identified hazard or risk
should be addressed.

However, all risk assessment is subject to uncertainty, and hence use of rigid risk criteria
may be inappropriate. A possible alternate approach is provided by the UK HSE framework for
the tolerability of risk and its ‘as low as reasonably practicable’ (ALARP) concept. This is
based on broad ranges of risk, rather than on specific criteria. The HSE’s policy document
Reducing Risks, Protecting People – HSE’s decision-making process (2001) presents the risk
tolerability framework. This represents risk on an inverted triangle as increasing from a
broadly acceptable region, through a tolerable region, to an unacceptable region (see Figure 7).
This broad framework is used in HSE’s permissioning guidance, Guidance on ‘as low as reasonably
practicable’ (ALARP) decisions in control of major accident hazards (COMAH) and provides for
the following broad risk ranges:
>> an upper region where ALARP has not been demonstrated and risk is unacceptable
>> a middle region where risk is tolerable if ALARP is demonstrated through arguments based
on relevant good practice, additional risk reduction methods and grossly disproportionate
costs for further risk reduction
>> a lower region where risk is broadly acceptable and does not need further reduction because
relevant good practice is applied.

Although the broad risk ranges appear compatible with HSWA’s performance standard of ‘so far
as is reasonably practicable’, the interpretation does not incorporate the continuous
improvement aspects contained within the MHF Regulations. This means that at the lowest risk
band, some risks may remain not reduced, even where it may be reasonably practicable to further
reduce the risk.

An interpretation of the broad risk ranges, which manages or reduces all risks and includes
consideration of continual improvement, is shown in Table 9 and described in more detail below.

The overall demonstrations you make need to consider hazards and risks in all regions, and may
need to specifically show that:
>> there are no hazards or risks currently in the upper region, and any hazards or risks that
may arise in the upper region in the future will be immediately and effectively dealt with
>> all hazards and risks in the middle and lower regions have had all reasonably practicable
risk reduction measures applied
>> there are suitable and reliable processes for continuing to manage hazards and risks at all
levels and for achieving continual improvement.


[Figure: inverted triangle showing three risk regions]
>> Unacceptable region: Risk must be reduced regardless of cost unless extraordinary
circumstances apply.
>> Tolerable if ALARP region: Risk tolerable if all reasonably practicable steps to reduce it
are taken. Risk tolerable only if reduction cost is grossly disproportionate to gain achieved.
Risk tolerable if reduction cost exceeds improvement achieved.
>> Broadly acceptable if ALARP region: Must make sure risk is managed to remain at this level,
and reduced further if reasonably practicable.

Figure 7: The broad risk regions

>> Upper region – Unacceptable risk: Take prompt action to reduce risk regardless of cost,
unless extraordinary circumstances apply.
>> Middle region – Tolerable risk: Implement controls so far as is reasonably practicable,
considering the available measures, relevant good practice, cost etc.
>> Lower region – Broadly acceptable risk: Manage risks at this level so far as is reasonably
practicable and continuously try and reduce risk further.

Table 9: An interpretation of the risk ranges (refer to Figure 7)

RISK MATRICES

A risk matrix categorises the risk of individual major incidents, based upon the judgement of
an assessment team about the order of magnitude of the likelihood and consequence of the
incident occurring. Typical risk matrices for hazardous industrial facilities range in size from 3 x 3
to 5 x 5. Typically, this has likelihood on the Y axis and consequence on the X axis of the matrix.
The frequency or likelihood scale should be one order of magnitude per row or column.

Risk increases diagonally across the matrix and bands of broad risk levels can be established
on the matrix, perpendicular to the direction of risk increase. These bands broadly relate to the
risk bands in Figure 7, and can be used to show areas where risk is intolerable/unacceptable and
where risk is tolerable, subject to all practicable measures being taken and subject to continuous
improvement. The broad risk bands can also be related to the urgency of action required.

In general, preventative controls (left hand side of a bow-tie diagram) lead to a decrease in
the likelihood of an incident occurring, which usually means a decrease in the Y coordinate on
the matrix. Mitigative controls (right hand side of a bow-tie diagram) lead to a decrease in the
consequence of an incident if it occurs, which usually means a decrease in the X coordinate on
the matrix.


However, note the risk matrix approach—while it may be useful in ranking risks and to support a demonstration of adequacy—is unlikely to be sufficient on its own for many facilities. For example, separate and additional analysis of the effects of alternate controls is likely to be needed, as a risk matrix is often too coarse a tool to distinguish between options. It may also be difficult to fully address cumulative risk using matrices alone.

If using risk matrices, give clear definitions for the matrix and any categorisation used within it, and show what action or significance is attributed to each position on the matrix, and whether the matrix is applicable to an incident, or to an individual scenario which leads to the incident. You should check the risk matrices, and any risk criteria implied through their use, are consistent with commonly adopted risk criteria, such as any quantitative risk criteria.

QUANTITATIVE RISK ASSESSMENT AND QUANTITATIVE CRITERIA

Quantitative approaches to risk assessment have different strengths and weaknesses. They allow a more precise and consistent approach to defining the likelihood, consequence and severity of a major incident but the results can vary significantly depending on assumptions made for the calculations. They can also be resource-intensive, may lack transparency, may be difficult for a non-specialist to understand and may give a misleading sense of accuracy of risk estimates.

If you choose to conduct a Quantitative Risk Assessment (QRA), then the results may be used by comparison with predetermined criteria or for comparing different options as part of the overall demonstration of adequacy. There are two main types of quantitative risk measure that may be used to define risk criteria:
>> Individual risk is the frequency at which an individual may be expected to sustain a given level of harm from the realisation of specified hazards. The purpose of criteria based on this risk measure is to ensure that no single person is overexposed to risk. Risk assessment results using this measure are often based on risk ‘contour’ plots.
>> Societal risk is the relationship between the frequency of occurrence of major incidents and the number of people suffering from a specified level of harm in a given population from those incidents. The purpose of criteria based on this risk measure is to control risk to society as a whole. Risk assessment results using this measure are often based on frequency-consequence graphs.

These criteria may in principle be applied to any exposed population, on-site or off-site, although for a variety of reasons the actual levels of risk tolerability may vary between the different exposed groups. Risk tolerability values for individuals exposed to major incident hazards should relate in a sensible manner to levels of risk from other industrial and non-industrial activities.

In the case of off-site risk to the general population, a set of ‘interim’ criteria have been used in a number of cases in Victoria, for example, in relation to land use planning (Interim Victorian Risk Criteria – Risk Assessment Guidelines, prepared for the Altona Chemical Complex and the Victorian Government, by DNV Technical, October 1988). The criteria do not have legal status but can provide guidance on values.

Comparison with a benchmark such as the Victorian risk criteria is a straightforward exercise if you use QRA in the formal safety assessment. QRA is not mandatory and you can use alternative qualitative assessment techniques such as risk matrices. Since most matrices show a consequence band of one fatality on one axis, and some form of numerical frequency (or likelihood) estimate on the other axis, it is usually possible to determine what sort of fatality rate you consider to be ‘High’, ‘Medium’ or ‘Low’ on-site risk.

POTENTIAL LOSS OF LIFE AND COST BENEFIT OF CONTROLS

Societal risk can also be expressed as a ‘Potential Loss of Life’ (PLL), which is the number of fatalities that may be expected to occur each year, averaged over a long period.

Such calculations are often controversial as they appear to require a value to be placed on life, but these calculations are commonly used internationally and may aid decision making in regard to adopting controls for major incident hazards.

OTHER ISSUES

Other issues to consider in relation to risk criteria include the following:
>> Quantitative criteria for risk to persons on-site have not been established and would need to be set and justified by any operator proposing to use QRA methods.
>> Hazards (and therefore possibly risks) must be assessed both individually and cumulatively, and hence the adopted criteria will need to be applicable to hazards both individually and cumulatively. The risk matrix approach considers hazards and risks individually, while the interim risk criteria apply to all hazards cumulatively. Therefore, a combination of criteria may be needed.
>> Most established criteria relate specifically to fatality rates but the MHF Regulations do not require any specific form of criteria. It may be appropriate to consider measures of risk related to lower levels of harm, for example, serious injury.
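The following Python sketch is an added example, not part of the WorkSafe guideline: it places three constructed scenarios on an assumed 5 x 5 matrix, then computes PLL and frequency-consequence (F-N) points over all of them, so the individual view of the matrix can be compared with the cumulative view. The scenario data, axis bounds and band cut-offs are assumptions chosen for illustration, not criteria from the MHF Regulations.

```python
from collections import namedtuple

# Constructed sample scenarios: frequency per year and fatalities if it occurs.
Scenario = namedtuple("Scenario", "name freq_per_year fatalities")
SCENARIOS = [
    Scenario("tank overfill, pool fire", 3e-3, 1),
    Scenario("pipe rupture, jet fire", 2e-4, 4),
    Scenario("vapour cloud explosion", 5e-6, 30),
]

# Assumed 5 x 5 matrix. Likelihood rows (Y axis) step by one order of
# magnitude; consequence columns (X axis) include a one-fatality band.
FREQ_BOUNDS = [1e-5, 1e-4, 1e-3, 1e-2]   # lower bounds of rows 1..4
FATALITY_BOUNDS = [1, 2, 11, 101]        # lower bounds of columns 1..4


def _index(value, bounds):
    """Number of lower bounds the value reaches, i.e. its row or column."""
    return sum(1 for b in bounds if value >= b)


def matrix_cell(s):
    """(row, column) of one scenario: likelihood on Y, consequence on X."""
    return (_index(s.freq_per_year, FREQ_BOUNDS),
            _index(s.fatalities, FATALITY_BOUNDS))


def band(s):
    """Broad risk band. Bands run perpendicular to the diagonal, so a band
    is a range of row + column. The cut-offs here are assumptions."""
    row, col = matrix_cell(s)
    if row + col >= 6:
        return "upper"
    if row + col >= 3:
        return "middle"
    return "lower"


def with_control(s, freq_factor=1.0, fatality_factor=1.0):
    """Preventative controls scale frequency; mitigative ones scale harm."""
    return s._replace(freq_per_year=s.freq_per_year * freq_factor,
                      fatalities=s.fatalities * fatality_factor)


def pll(scenarios):
    """Potential Loss of Life: expected fatalities per year, all scenarios."""
    return sum(s.freq_per_year * s.fatalities for s in scenarios)


def fn_curve(scenarios):
    """Societal risk as (N, F) points: F is the summed frequency per year of
    scenarios causing N or more fatalities."""
    points = []
    for n in sorted({s.fatalities for s in scenarios}):
        f = sum(s.freq_per_year for s in scenarios if s.fatalities >= n)
        points.append((n, f))
    return points


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:28s} cell={matrix_cell(s)} band={band(s)}")
    print("PLL per year:", pll(SCENARIOS))
    print("F-N points:", fn_curve(SCENARIOS))
    prevented = with_control(SCENARIOS[0], freq_factor=0.1)
    mitigated = with_control(SCENARIOS[2], fatality_factor=0.25)
    print("preventative:", matrix_cell(SCENARIOS[0]), "->", matrix_cell(prevented))
    print("mitigative:", matrix_cell(SCENARIOS[2]), "->", matrix_cell(mitigated))
```

All three scenarios land in the middle band when ranked one at a time, while PLL and the F-N points are sums over the whole set, which is why the matrix alone does not answer a cumulative criterion.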


6.2 APPENDIX B: MORE INFORMATION

NEW ZEALAND

ENVIRONMENTAL PROTECTION AUTHORITY
For information about how to manage hazardous substances visit the Environmental Protection Authority’s website www.epa.govt.nz or call 0800 376 234.

NEW ZEALAND LEGISLATION
To access all legislation including Acts and regulations visit the New Zealand Legislation website www.legislation.govt.nz

INTERNATIONAL

EUROPEAN COMMISSION (EUROPE)
For information and guidance about the European Seveso-Directives industrial accident policy visit the commission’s website www.ec.europa.eu/environment/seveso/

HEALTH AND SAFETY EXECUTIVE (UK)
For information and guidance about the UK’s Control of Major Accident Hazards (COMAH) Regulations and what HSE expect from ALARP demonstrations visit the HSE’s website www.hse.gov.uk/comah/ and www.hse.gov.uk/risk/expert

NATIONAL OFFSHORE PETROLEUM SAFETY AND ENVIRONMENTAL MANAGEMENT AUTHORITY (AUSTRALIA)
For guidance to assist with a risk assessment of major accidents visit the National Offshore Petroleum Safety and Environmental Management Authority’s (NOPSEMA) website www.nopsema.gov.au

SAFE WORK AUSTRALIA (AUSTRALIA)
For guidance to assist with preparing an effective safety case that meets Australia’s Work Health and Safety Regulations visit Safe Work Australia’s website www.safeworkaustralia.gov.au

WORKSAFE VICTORIA (AUSTRALIA)
For guidance to assist with a safety assessment of a MHF visit WorkSafe Victoria’s website www.worksafe.vic.gov.au

FURTHER READING

For information and guidance about health and safety or to contact the High Hazard Unit visit WorkSafe’s website www.worksafe.govt.nz or call 0800 030 040.

Related WorkSafe publications:
>> Hazardous Substances in Transit Depots
>> Introduction to the Health and Safety at Work Act 2015
>> Major Hazard Facilities: Emergency Planning
>> Major Hazard Facilities: Major Accident Prevention Policy and Safety Management Systems
>> Major Hazard Facilities: Notifications and Designation
>> Major Hazard Facilities: Safety Cases
>> Worker Engagement, Participation and Representation


A Guide to the Control of Major Incident Hazards Regulations 1999
Health and Safety Executive www.hse.gov.uk/comah/

Good Practice and Pitfalls in Risk Assessment
Health and Safety Executive – Health & Safety Laboratory

Guidelines for Integrated Risk Assessment and Management in Large Industrial Areas
International Atomic Energy Agency www.iaea.org/index.html

Guidelines for Quantitative Risk Assessment ‘Purple Book’ TNO
Committee for the prevention of disasters http://content.publicatiereeksgevaarlijkestoffen.nl/documents/PGS3/PGS3-1999-v0.1-quantitative-risk-assessment.pdf

Guidance Note: Control Measures for a Major Hazard Facility
WorkSafe Victoria www.worksafe.vic.gov.au

Guidance Note: Hazard Identification at a Major Hazard Facility
WorkSafe Victoria www.worksafe.vic.gov.au

Guidance Note: Risk Assessment
National Offshore Petroleum Safety and Environmental Management Authority (NOPSEMA) www.nopsema.gov.au

Guidance Note: Safety Assessment for a Major Hazard Facility
WorkSafe Victoria www.worksafe.vic.gov.au

Guide for Major Hazard Facilities – Safety Assessment
Safe Work Australia www.safeworkaustralia.gov.au

Guide for Major Hazard Facilities – Safety Case: Demonstrating the Adequacy of Safety Management and Control Measures
Safe Work Australia www.safeworkaustralia.gov.au

Hazardous Industry Planning Advisory Paper No.4 – Risk Criteria for Land Use Safety Planning (HIPAP 4)
Former NSW Department of Planning www.planning.nsw.gov.au

How to Determine What is Reasonably Practicable to Meet a Health and Safety Duty
Safe Work Australia www.safeworkaustralia.gov.au

HSE’s Land Use Planning Methodology
Health and Safety Executive www.hse.gov.uk

Layers of Protection Analysis, Simplified Process Risk Assessment
Centre for Chemical Process Safety, American Institute of Chemical Engineers

Beer, T. & Ziolkowski, F. (1995). Environmental Risk Assessment: An Australian Perspective, Supervising Scientist. (Report 102). Canberra, Australia.

Hutchison R.B., Perera J., Witt H.H. (1996) Preliminary Environmental Risk Ranking ANSTO Safety and Reliability. Risk Engineering Seminar Munro Centre for Civil and Environmental Engineering, University of NSW.

Suarez, A. & Kirchsteiger, C. A. (1998) Qualitative Model to Evaluate the Risk Potential of Major Hazardous Industrial Plants. EUR 18128 EN


6.3 APPENDIX C: GLOSSARY

TERM: BRIEF EXPLANATION

Accepted safety case: A safety case which WorkSafe has accepted under Regulation 48.

Amended safety case: If WorkSafe has initially rejected a safety case or revised safety case under Regulation 48, an operator may amend the safety case and resubmit it for acceptance. This is an amended safety case.

Change or proposed change at a MHF: Defined in the MHF Regulations. It means a change or proposed change of any kind, including:
>> a change to any plant, structure, process, hazardous substance or other substance used in a process, (including the introduction of new plant, new structure, new process or new hazardous substance)
>> a change to the quantity of specified hazardous substances that are present or likely to be present at the facility
>> a change to the operation, or the nature of the operation, of the facility
>> a change to the facility’s SMS
>> an organisational change at the facility (including a change in its senior management).

Control: A measure to eliminate or minimise, so far as is reasonably practicable, the risk of a major incident occurring; or to minimise so far as is reasonably practicable, the magnitude or severity of a major incident, as described in Regulation 30.

Critical operating parameters: The upper or lower performance limits of any equipment, process or procedure, compliance with which is necessary to avoid a major incident.

Designated transfer zones: Defined in Regulation 11 of the Hazardous Substances (Classes 1 to 5 Controls) Regulations 2001.

Designation: A formal decision made by WorkSafe that a facility is or will be either an LTMHF or an UTMHF for the purposes of the MHF Regulations.

Emergency: An incident at a MHF requiring activation of the emergency plan.

Environmental Protection Authority (EPA): A government agency responsible for certain regulatory functions concerning New Zealand’s environmental management.

Facility: Defined in the MHF Regulations, means the whole area under the control of the same person where specified hazardous substances are present in 1 or more places. Two or more areas under the control of the same person and separated only by a road, railway, inland waterway, pipeline, or other structure are treated as 1 whole area for the purposes of this definition.

Facility emergency control centre (FECC): An area where designated personnel co-ordinate information, develop strategies for addressing the media and government agencies, handle logistical support for the response team, and perform management functions. A centralised support facility allows emergency managers and staff to contend with incident issues more effectively.

Facility emergency controller (FEC): The person in charge of managing an emergency for the facility and has overall responsibility for all functions performed by facility personnel during an emergency.

Failure of a control: This means if the control:
>> is a positive action or event: the non-occurrence or the defective occurrence of that action or event
>> consists of a limitation on an operational activity, process or procedure: the breach of that limitation.


GHS: The Globally Harmonized System of Classification and Labelling of Chemicals, Fifth revised edition, published by the United Nations.

Greenfield: An area of land, or some other undeveloped site earmarked for commercial development.

Hazard: A situation or thing that could harm someone, and includes a person’s behaviour. For example, an unguarded machine, hazardous substances etc.

Hazard identification: The systematic and comprehensive process of identifying hazards.

Isolated quantity: Defined in the MHF Regulations, means a quantity of a hazardous substance where its location at the facility is such that it cannot on its own initiate a major incident elsewhere at the facility.

Knock-on effects: Secondary events (such as toxic releases) triggered by a primary event (such as an explosion), resulting in an increase in consequences or in the area of an impact zone over the initial event.

Local authority: A territorial authority within the meaning of section 5(1) of the Local Government Act 2002.

Local community: This is defined in the MHF Regulations as:
(a) meaning, at a minimum, all persons within a 1 km radius of any point on the perimeter of a MHF, and
(b) including all persons in an area which might be affected by a major incident occurring at a MHF.
The words ‘at a minimum’ mean the 1 km radius does not mark the extent of the definition. Paragraph (b) may extend the scope of the definition well beyond 1 km in some circumstances.

Lower threshold quantity: Defined in the MHF Regulations, the quantity specified in column 4 of table 1 or column 3 of table 2 of Schedule 2, and calculated in accordance with Part 3 of the MHF Regulations.

Lower tier major hazard facility (LTMHF): Defined in the MHF Regulations, a facility that WorkSafe has designated as an LTMHF.

Major hazard facility (MHF): Defined in the MHF Regulations, a facility that WorkSafe has designated as an LTMHF or a UTMHF.

Major incident: Defined in the MHF Regulations as an uncontrolled event at a MHF that involves, or potentially involves, specified hazardous substances, and exposes multiple persons to a serious risk to their health and safety (including a risk of death) arising from an immediate or imminent exposure to:
>> 1 or more of those substances as a result of the event
>> the direct or indirect effects of the event.

Major incident hazard: Defined in the MHF Regulations, a hazard that has the potential to cause a major incident.

Major incident pathway: The process or sequence by which the major incident hazard develops into a major incident. Depending on the incident process model adopted, this includes how the initiators, contributing factors, enabling conditions, system failures and mechanisms come together into the incident.


Near miss: A situation where a worker or any other person is exposed to a serious risk to their health and safety, even if no harm was incurred.

Notifiable event: This is defined in HSWA as:
>> the death of a person
>> a notifiable injury or illness
>> a notifiable incident.

Notifiable incident: Defined in HSWA, generally an incident that exposes workers or other people to a serious risk to health or safety. It must be reported to WorkSafe, or the relevant designated agency.

Notification: The notification to WorkSafe required by MHF Regulations 12, 13, and 17. Notification is required if specified hazardous substances are present or likely to be present at a facility in a quantity equal to or exceeding the lower threshold quantity or if there is a proposed new operator.

Off site: Defined in the MHF Regulations, this means not on site.

Officer: Defined in HSWA, in summary it means a person that exercises significant influence over the PCBU’s management. For example, the CEO, a director, or a partner in a partnership.

On site: Defined in the MHF Regulations, this means at or in a facility.

Operator: Defined in the MHF Regulations, the PCBU who manages or controls a facility or a proposed facility, and has the power to direct the whole facility be shut down.

Person conducting a business or undertaking (PCBU): Defined in HSWA, generally any legal person running a business or undertaking. For example, includes a limited liability company, partnership, trust, incorporated society, etc.

Pipeline: Defined in Regulation 2 of the Health and Safety in Employment (Pipelines) Regulations 1999.

Proposed facility: Defined in the MHF Regulations. It is an existing workplace that is to become a facility or a facility that is to be built in the future.

Qualitative risk assessment: A relative measure of risk based on ranking or separation into descriptive categories such as low, medium, high.

Quantitative risk assessment: The use of data to determine risk. Requires calculations of two components of risk; the consequence of the hazard, and the likelihood that the hazard will occur.

Risk: The likelihood of a specific level of harm occurring from a hazard.

Risk assessment: This involves considering what could happen if someone is exposed to a hazard and the likelihood of it happening.

Safety assessment: Defined in the MHF Regulations, the general process by which the operator of a MHF systematically and comprehensively investigates and analyses all aspects of risks (including decisions around which controls to implement) to health and safety associated with all major incidents that could occur in the course of the operation of the MHF.

Safety case: Defined in the MHF Regulations, generally a written presentation of the technical, management and operational information covering the hazards and risks that may lead to a major incident at a UTMHF, and their control. It provides justification for the measures taken to ensure the safe operation of the facility.


Safety management system (SMS): Defined in the MHF Regulations, generally a comprehensive integrated system for managing all aspects of risk control at a MHF and used by the operator as the primary means of ensuring safe operation of the MHF.

Safety-critical element: Defined in the MHF Regulations, means any part of a facility or its plant (including a computer program):
>> that has the purpose of preventing, or limiting the effect of, a major incident; and
>> the failure of which could cause or contribute substantially to a major incident.

Specified hazardous substances: Defined in the MHF Regulations, these are table 1 or 2 hazardous substances.

Structure: Defined in HSWA, means anything that is constructed, whether fixed, moveable, temporary, or permanent; including:
>> buildings, masts, towers, frameworks, pipelines, quarries, bridges, and underground works (including shafts or tunnels)
>> any component of a structure
>> part of a structure.

Table 1: The table of categories of hazardous substances in Schedule 2 of the MHF Regulations.

Table 1 or 2 hazardous substance: Defined in the MHF Regulations, this means:
>> hazardous substances specified in column 1 of table 2 of Schedule 2
>> categories of hazardous substances referred to in column 1 of table 1 of Schedule 2.

Table 2: The table of named hazardous substances in Schedule 2 of the MHF Regulations.

Threshold quantity: Defined in the MHF Regulations, means the lower threshold quantity or the upper threshold quantity.

Transit depot: Defined in Regulation 3 of the Hazardous Substances (Classes 1 to 5 Controls) Regulations 2001.

Union: Is an organisation that supports its membership by advocating on their behalf. The Employment Relations Act 2000 gives employees the freedom to join unions and bargain collectively without discrimination. Workers can choose whether or not to join a union.
A union is entitled to represent members’ employment interests, including health and safety matters.

Upper threshold quantity: Defined in the MHF Regulations, means the quantity specified in column 5 of table 1 or column 4 of table 2 of Schedule 2, and calculated in accordance with Part 3 of the MHF Regulations.

Upper tier major hazard facility (UTMHF): Defined in the MHF Regulations, means a facility that WorkSafe has designated as a UTMHF.

Worker: Defined in HSWA, generally a person who carries out work in any capacity for a PCBU. It covers almost all working relationships, including employees, contractors, sub-contractors, and volunteer workers.


Worker representative: In relation to a worker, means:
>> the health and safety representative for the worker
>> a union representing the worker
>> any other person the worker authorises to represent them (eg community or church leaders, lawyers, occupational physicians, nurses, respected members of ethnic communities).
Workers can ask a worker representative to raise health and safety issues with a PCBU on their behalf.

Workplace: Defined in HSWA, generally a place where work is carried out for a PCBU, including any place where a worker goes, or is likely to be, while at work.

DISCLAIMER

WorkSafe New Zealand has made every effort to ensure the information contained in this publication
is reliable, but makes no guarantee of its completeness. WorkSafe may change the contents of this
guideline at any time without notice.

This document is a guideline only. It should not be used as a substitute for legislation or legal advice.
WorkSafe is not responsible for the results of any action taken on the basis of information in this
document, or for any errors or omissions.

ISBN: 978-0-908336-36-4 (online)

Published: July 2016 Current until: 2018

PO Box 165, Wellington 6140, New Zealand

www.worksafe.govt.nz

Except for the logos of WorkSafe, this copyright work is licensed under a Creative Commons
Attribution-Non-commercial 3.0 NZ licence.

To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc/3.0/nz/

In essence, you are free to copy, communicate and adapt the work for non-commercial purposes,
as long as you attribute the work to WorkSafe and abide by the other licence terms.

WSNZ_2253_July 2016
WorkSafe New Zealand
Level 6
86 Customhouse Quay
PO Box 165
Wellington 6140

Phone: +64 4 897 7699
Fax: +64 4 415 4015
0800 030 040
www.worksafe.govt.nz
@WorkSafeNZ
