Section 2 - Hazard Identification and Risk Assessment



- Introduction
- Step A - Preliminary Hazard Analysis
- Step B - Identification of hazard sources and evaluation of consequences of major accidents
- Consequence assessment
- Step C - Prevention, Control and Mitigation measures
- Documentation
- Presentation of hazard analysis and risk assessment

Introduction


1

The safety report should demonstrate that the operator has identified the major accident hazards and assessed the risks associated with the installations and other activities in the establishment. The safety report should present the results of the hazard analysis and risk assessment performed by the operator, the extent of which should be commensurate with the risk. In general the hazard analysis should document the identification of hazard sources, the relative likelihood of major accidents and their consequences.


2

There exist several approaches to hazard analysis and risk assessment (either qualitative or quantitative), each of which can give sound insights into the safety situation if used consistently. It is beyond the scope of the present guidance to attempt to describe or evaluate these methodologies, examples of which can be found in various references listed in the annexes of this document.


3

The choice of the specific technique may be site-specific or risk-specific. In any case the effort implied should be proportional to the extent of possible damage. Quantified arguments might be a convenient way of limiting the scope of the safety report by demonstrating either that an adverse event has a very remote probability of occurring or that a particular consequence is relatively minor. Quantified arguments in the context of risk assessment do not necessarily mean quantification of risk in terms of chance of death; social or environmental harm could also be considered. Quantification of consequence and/or event frequency could in several cases be a sufficient basis for judgment.


4

Whatever the approach adopted, the hazard analysis should achieve four objectives:

  1. identification of the safety relevant sections (installations or parts of an installation);
  2. identification of the hazard sources;
  3. assessment of the consequences of potential major accidents; and
  4. assignment and assessment of the adequacy of the prevention, control and mitigation measures.

5

Usually the hazard analysis involves an iterative process to ensure that the safety objectives are fully met. A possible outline of the procedure is presented here:

Step A focuses on the identification and analysis of the sections that have a major accident potential, without, however, excluding the remaining sections from receiving appropriate safety attention. The sections posing a significant major accident potential because of the substances handled or processed are thus identified as safety relevant sections.

Step B aims at identifying those hazard sources which may cause a major accident in the safety relevant sections. In addition, the conditions under which a major accident could occur and the consequences of those accidents should be determined.

Step C aims at assessing the prevention, control and mitigation measures assigned.

A Risk Assessment can be used to determine the likelihood of the major accidents and demonstrate that adequate measures have been taken to protect man, property and the environment. Available techniques for risk assessment based on qualitative methods, semi-quantitative criteria or fully quantitative methods are referred to in Annexes D.2, D.3, D.4 and D.5.

Step A - Preliminary Hazard Analysis


6

A Preliminary Hazard Analysis (PHA) should identify the safety relevant sections of the establishment. These sections are characterized by the quantity and the intrinsic properties of dangerous substances and/or the processes involved, and hence constitute the parts of the establishment requiring more detailed hazard analysis. The PHA can be accomplished using a variety of hazard screening methods; examples are listed in Annex D.2.


7

Lessons from past incidents and operating experience can make a significant contribution to the selected hazard screening method and to its results. A relevant list of accidents in similar storage or process facilities is considered useful.


8

Section identification can be by the use of Hazard Index methods, the identification of threshold criteria such as a fraction of the qualifying quantity of the dangerous substance in Annex I of the Directive, or other suitable methods. The criteria should take into account the physical and chemical properties of the substance and the accident consequence potential of the process conditions. Threshold criteria may therefore result in values well below the limits in the Directive. This procedure should consider all parts of the establishment capable of generating conditions for a major accident.
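As an added illustration of the threshold-criteria approach described in this paragraph (this script is not part of the guidance), the Python code below screens the sections of an establishment against a fraction of the qualifying quantity. The substances, their qualifying quantities, the hazard-category grouping and the 10 % fraction are all constructed placeholders rather than the values of Annex I of the Directive; the summation across substances of one category mirrors the additive rule of Annex I, and the way it is applied here is an assumption.

```python
"""Step A screening of establishment sections against threshold criteria.

Added illustration, not part of the guidance: the qualifying quantities,
the hazard-category grouping and the screening fraction are constructed
placeholders, not the values of Annex I of Directive 96/82/EC.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Substance:
    name: str
    category: str            # assumed hazard grouping used for the additive check
    qualifying_qty_t: float  # placeholder qualifying quantity, tonnes


@dataclass
class ScreeningResult:
    section: str
    relevant: bool
    reasons: list = field(default_factory=list)


# Constructed substance register (placeholder quantities).
SUBSTANCES = {
    "chlorine": Substance("chlorine", "toxic", 10.0),
    "ammonia": Substance("ammonia", "toxic", 50.0),
    "propane": Substance("propane", "flammable", 50.0),
    "methanol": Substance("methanol", "flammable", 500.0),
}

# Constructed sections: maximum inventory present, tonnes.
SECTIONS = {
    "Chlorine store": {"chlorine": 2.5},
    "Tank farm": {"propane": 3.0, "methanol": 30.0},
    "Laboratory": {"ammonia": 0.5, "methanol": 1.0},
}

# Assumed screening threshold: 10 % of the qualifying quantity.
SCREENING_FRACTION = 0.10


def screen_section(name, inventory_t, substances, fraction):
    """Flag a section as safety relevant if any substance reaches the fraction
    on its own, or if the summed fractions of one hazard category reach it
    (mirrors the additive rule of Annex I; category grouping is assumed)."""
    reasons = []
    category_total = {}
    flagged_categories = set()
    for substance_name, qty in inventory_t.items():
        substance = substances[substance_name]
        ratio = qty / substance.qualifying_qty_t
        category_total[substance.category] = (
            category_total.get(substance.category, 0.0) + ratio)
        if ratio >= fraction:
            reasons.append(
                f"{substance_name}: {qty} t is {ratio:.0%} of its qualifying quantity")
            flagged_categories.add(substance.category)
    for category, total in sorted(category_total.items()):
        # Only report the additive rule when no single substance already
        # explains the flag for this category.
        if total >= fraction and category not in flagged_categories:
            reasons.append(f"additive rule ({category}): summed fraction {total:.0%}")
    return ScreeningResult(name, bool(reasons), reasons)


def screen_establishment(sections=SECTIONS, substances=SUBSTANCES,
                         fraction=SCREENING_FRACTION):
    """Screen every section; returns {section name: ScreeningResult}."""
    return {name: screen_section(name, inv, substances, fraction)
            for name, inv in sections.items()}


if __name__ == "__main__":
    for result in screen_establishment().values():
        status = "SAFETY RELEVANT" if result.relevant else "not flagged"
        print(f"{result.section}: {status}")
        for reason in result.reasons:
            print(f"  - {reason}")
```

A section is flagged either because one substance alone reaches the fraction or because several sub-threshold inventories of the same category add up to it; the reasons list records which, so that the report can explain the screening decision and the criteria behind it.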


9

The choice of the PHA methodology should be explained in the safety report and the criteria used for the decision clearly discussed.

Step B - Identification of hazard sources and evaluation of consequences of major accidents

Identification of hazard sources


10

Hazard sources may be defined as conditions or events which threaten the safe operation of the establishment, installation or plant. Such sources should be identified in all phases of operation (start-up, normal operation, shut-down, loading/unloading etc.).


11

Hazard sources may be linked with:

  • operation, e.g. human errors during operations, testing and maintenance, malfunctions and technical failures of equipment, failures of containment, physical or chemical process parameters beyond prescribed limits, faults in utility supplies, etc.;
  • external events, e.g. impact of neighbouring activities, transport, natural hazards, etc.;
  • security, e.g. unauthorized interventions;
  • other causes related to design, construction and safety management, e.g. design inadequacy, design errors, inadequacy of operational procedures, equipment or process modifications, inadequate work permit system, inadequate maintenance, etc.

12

Hazard source identification is a crucial step in the analysis. The safety report should outline the principles and procedures followed to determine the hazard sources. Whatever system is adopted for hazard identification, accident databases should be consulted and lessons learnt from past incidents incorporated. Hazard sources which have already resulted in an accident should be considered credible where the processes and conditions are analogous.


13

Identification of hazard sources is best carried out by a team whose members have a range of skills: technical/professional knowledge gained from safety inspections and from the operation of establishments/installations of this or comparable types, and insights gained from modelling techniques (see also Annex B).

Operational Hazard Sources


14

Depending on the extent of the consequences of the potential major hazards, the sources of hazard may be determined by simple means such as checklists, or by more complex methods such as HAZOP, FMEA, etc. Reference to different methods can be found in Annex D.3.


15

Where checklists are used they should not be regarded as exhaustive. As a minimum, checklists should consider the following aspects:

  1. physical and chemical process parameter limits;
  2. hazards during specific operation modes (e.g. start-up / shut-down);
  3. failure of containment;
  4. malfunctions and technical failures of equipment and systems;
  5. knock-on effects from other equipment;
  6. faults of utilities supply;
  7. human factors involving operation, testing and maintenance;
  8. chemical compatibility and contamination;
  9. the build-up of electrostatic charge and other ignition sources.

16

The above factors should be investigated with respect to the part they could play in possible accidents, e.g. toxic gas releases, explosions, releases of flammable substances with or without ignition, major fires, runaway reactions and hazardous releases to the environment. The relevant contents of the Safety Report and references to the most commonly used hazard identification methods for exothermic or runaway reactions can be found in Annex B, whereas references to techniques for evaluating accident developments (e.g. cause-consequence diagrams, event tree and fault tree techniques, etc.) can be found in Annex D.5.


17

The choice of the hazard identification techniques used should be explained in the safety report and the assumptions clearly discussed.

External Hazard Sources


18

External activities or events are an important source of hazard. The safety report should identify those sources relevant to the site and discuss their possible impact. Again, historical data will provide a useful indication of the likelihood and impact of such events. Where required by the competent authority, accidents arising from "domino" effects should be considered in the report. A list of possible external hazard sources, relevant studies and analysis methods can be found in Annex C.

Plant security


19

The consequences arising from unauthorized actions at the site should be considered.

Other sources related to design, construction and safety management


20

Other hazard sources are related to the management of the whole life cycle of the establishment and its plants (e.g. design, construction, installation, commissioning, decommissioning, equipment or process modifications, work permit system, maintenance, etc.). The safety report should discuss the measures taken to control such hazards (see also Section 3). Alternatively the safety report should refer to other documents describing the Major Accident Prevention Policy and the Safety Management System.

Consequence assessment


21

Assessment of accident consequences to people and the environment is essential in several steps of the analysis, and the safety report should summarize and document the conclusions of such analysis:

  1. Consequence assessment constitutes an indispensable part of the systematic hazard analysis, helping to establish technical/organizational safeguards to prevent major accident hazards and to mitigate the consequences of accidents. Such assessment can be based on judgment, qualitative or simplified models, unless accurate quantification is required;
  2. Consequence assessment describes the outcomes of selected accident scenarios to provide information for general major accident hazard control, emergency planning (internal and external) and land use planning around establishments. Such assessment should then be based on appropriate quantitative models.

There exist a number of different means to accomplish such a task consistently. Relevant information on these matters can be found in the literature (Annex D.5), with insights also into environmental parameters (fauna, flora, air, soil, surface and ground water) and available impact analysis methods (Annex D.6).


22

All the assumptions made and references to computer codes and experimental results used for the assessment should be adequately explained and documented in the safety report.

Step C - Prevention, Control and Mitigation measures


23

Hazards should, where possible, be avoided or reduced at source through the application of inherently safe practices. Where risks remain, principles such as ALARA (As Low As Reasonably Achievable) can be used in determining the level of measures required. The measures should:

  1. prevent a malfunction from arising in the establishment;
  2. prevent the occurrence of abnormal operation which could lead to a major accident;
  3. mitigate the effects of major accidents on persons or the environment.

24

Prevention, control and mitigation measures may include:

  • process control systems including back-ups;
  • fire and explosion protection systems;
  • devices for limiting the size of accidental releases, e.g. scrubbing systems, water sprays;
  • vapour screens, emergency catchpots or collection vessels, emergency shut-off valves;
  • alarm systems including gas detection;
  • automatic shut-down systems;
  • inerting systems;
  • fail-safe instrumentation;
  • emergency venting including explosion panels;
  • fast shut-down and other emergency procedures;
  • special precautions against unauthorized actions related to plant security (addressed in confidential reports available to the competent authority on request).

Assessment of prevention, control and mitigation measures


25

The assessment of the prevention, control and mitigation measures should be made in conjunction with the overall risk assessment of the establishment. The safety report should discuss the general criteria assumed (e.g. best available technology, good engineering practice, quantitative risk criteria), should give the reason why a method of presentation has been selected over other possible options, and in particular should describe:

  1. the criteria used to decide the degree of redundancy, diversity and separation required for the prevention, control and mitigation measures;
  2. the reliability of components and systems and the efficiency of organizational measures;
  3. the functional calculations needed to confirm the capability of the measures to cope with the design-basis accidents (design criteria and load assumptions according to the relevant good engineering practice; time and order in which the measures become effective in relation to the process/accident evolution and the man-machine interface, etc.);
  4. feedback from measures to the system as a whole;
  5. compliance with relevant national regulations and relevant codes of practice.

26

Such assessment might be made by adopting either qualitative or probabilistic reliability analysis techniques and criteria. Reference to relevant reliability and availability techniques can be found in Annex D.4.
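To make the probabilistic side of this assessment concrete, and to illustrate the fault tree and event tree techniques referred to under Step B, here is an added Python example that is not from the guidance or from any real installation. It evaluates a small fault tree for a design-basis overpressure event, compares the top-event probability with and without redundant pressure sensors, and feeds the result into an event tree of accident outcomes. The tree structure, every failure probability and the initiator frequency are constructed for illustration.

```python
"""Fault tree and event tree sketch for a design-basis accident
(overpressure after loss of cooling).

Added example: the structure and all failure probabilities below are
constructed for illustration and are not data from the guidance or from
any real installation.
"""
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass(frozen=True)
class Basic:
    name: str
    p: float          # probability that this basic event occurs (constructed)


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str         # "AND" (all inputs must occur) or "OR" (any input suffices)
    inputs: Tuple["Node", ...]


Node = Union[Basic, Gate]


def probability(node: Node) -> float:
    """Bottom-up evaluation assuming independent basic events.

    AND gate: product of the input probabilities.
    OR gate: 1 - product of (1 - p); the exact form is used rather than
    the rare-event sum so the result stays valid for larger probabilities.
    """
    if isinstance(node, Basic):
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def build_top_event(redundant_sensors: bool) -> Gate:
    """Top event: the pressure rise is not relieved. It needs the automatic
    trip to fail AND the relief valve to fail. Redundancy is modelled as two
    sensors that must both fail (1-out-of-2 voting) before the trip misses."""
    sensor_a = Basic("pressure sensor A fails", 0.05)
    sensor_b = Basic("pressure sensor B fails", 0.05)
    sensing = (Gate("both sensors fail", "AND", (sensor_a, sensor_b))
               if redundant_sensors else sensor_a)
    trip_fails = Gate("automatic trip fails", "OR", (
        sensing,
        Basic("trip logic fails", 0.01),
        Basic("shutdown valve fails to close", 0.02),
    ))
    return Gate("overpressure not relieved", "AND", (
        trip_fails,
        Basic("relief valve fails to open", 0.01),
    ))


def event_tree(initiator_per_year: float, p_trip_fails: float,
               p_relief_fails: float) -> dict:
    """Event tree from a loss-of-cooling initiator: branch on the trip, then
    on the relief valve. Returns outcome frequencies per year; the three
    outcomes together account for the whole initiator frequency."""
    return {
        "safe shutdown": initiator_per_year * (1 - p_trip_fails),
        "controlled release via relief": initiator_per_year * p_trip_fails * (1 - p_relief_fails),
        "vessel rupture": initiator_per_year * p_trip_fails * p_relief_fails,
    }


if __name__ == "__main__":
    for redundant in (False, True):
        top = build_top_event(redundant)
        p_trip = probability(top.inputs[0])
        print(f"redundant sensors={redundant}: P(trip fails)={p_trip:.5f}, "
              f"P(top event)={probability(top):.3e}")
        for outcome, freq in event_tree(0.5, p_trip, 0.01).items():   # 0.5/yr constructed
            print(f"  {outcome}: {freq:.2e} per year")
```

Doubling the sensor lowers the top-event probability here only because the two sensors are assumed independent; identical sensors share common-cause failures that the simple product ignores, which is why the criteria above ask for diversity and separation as well as redundancy.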

Documentation


27

The safety report should contain a detailed description of the safety relevant sections and of the systems and components which are important for safety. The description need not duplicate requirements under Section 1 and can be included in an annex to the safety report. The description should allow easy identification of:

  1. those parts of the process or installation containing dangerous substances and their location;
  2. those parts of the establishment involving hazardous processes;
  3. elements serving safety relevant functions, i.e. prevention, control and mitigation measures; and
  4. elements capable of initiating a major accident.

Such description should allow a better understanding of the hazard analysis, clearly describing the relationship between the hazard sources and their prevention, control and mitigating measures, including test, maintenance and inspection systems and relevant documentation.


28

The description should make clear reference to other parts of the establishment to allow identification of interactions. Where necessary, reference should be made to other documents available to the competent authorities on request (e.g. P&I diagrams). Components, processes and control parameters important for safety can be listed in a separate annex to the safety report.

Presentation of hazard analysis and risk assessment


29

The safety report should present the main results and arguments of the hazard analysis and risk assessment. The original assessments should be accessible to the competent authority on request. The safety report should refer to documents available on the hazards analysis and risk assessment performed. In particular, documents which contain information on the assumptions made, and the judgment criteria adopted should be clearly referenced.


30

The accident scenarios identified in the hazard analysis, their consequences and likelihood should be clearly documented so they might be used for preparing the basis for further decisional processes (e.g. external emergency planning and land use planning).


Section 3 - Information concerning the Major Accident Prevention Policy and Emergency Planning

- Major Accident Prevention Policy and Safety Management Systems
- Measures of protection and intervention to limit the consequences of an accident
- Organization of alert and intervention

Major Accident Prevention Policy and Safety Management Systems


1

It has become increasingly clear that the root causes of industrial accidents may lie deep in management aspects. Therefore the management of safety to man and the environment should receive due attention in the safety report.


2

Safety management may be defined as the aspect of the overall management function that determines and implements the safety policy. This will involve a whole range of activities, initiatives, programs, etc., focused on technical, human and organisational aspects and referring to all the individual activities within the organisation, which tend to be formalised as Safety Management Systems (SMS).


3

The safety report should either include or refer to a written statement describing the Major Accident Prevention Policy (MAPP) and related Safety Management Systems (SMS) of the operator to cope with the major accident hazards of the specific establishment. The SMS should cover that part of the overall management system which includes the structure of the organisation, responsibilities, practices, procedures, processes and resources for determining and implementing the MAPP (Annex A).


4

Details on the elements of SMS can be found in a separate guidance note developed by the European Commission in conjunction with a Technical Working Group.

Measures of protection and intervention to limit the consequences of an accident


5

The analysis of major accident hazards in the previous sections included consideration of various prevention, control and mitigation measures as part of the overall risk assessment of the establishment. The Safety Report should also clearly include information which identifies any key mitigation measures, resulting from the analysis, which are necessary to limit the consequences of major accidents, as referred to in Annex II, part V of the Directive (see Annex A), namely:

  • description of the equipment installed in the plant to limit the consequences of major accidents;
  • organization of alert and intervention;
  • description of mobilizable resources, internal or external;
  • summary of elements described above necessary for drawing up the internal emergency plan.

Description of equipment


6

A description of equipment installed in the plant to limit the consequences of major accidents shall be provided. This should include an adequate description of the circumstances under which the equipment is intended for use.

Organization of alert and intervention


7

The organisation for alert and intervention should be adequately described. This should include:

  1. organisation, responsibilities, and procedures for emergency response;
  2. training and information for personnel and emergency response crews;
  3. activation of warnings and alarms for site personnel, external authorities, neighbouring installations, and where necessary for the public;
  4. identification of installations which need protection or rescue interventions;
  5. identification of rescue routes, escape routes, emergency refuges, sheltered buildings, muster points and control centres;
  6. provision for shut-off of processes, utilities and plants with the potential to aggravate the consequences.

Description of mobilizable resources


8

The report should contain an adequate description of all relevant resources which will need to be mobilized in the event of a major accident. This shall include:

  1. activation of external emergency response and co-ordination with internal response;
  2. mutual aid agreements with neighbouring operators and mobilisation of external resources;
  3. resources available on-site or by agreement (e.g. technical, organizational, informational, first aid, specialized medical services, etc.).

Summary of elements for the internal emergency plan


9

The report should include a summary of the elements described above which are necessary for the preparation of the internal emergency plan to deal with major accidents or with foreseeable conditions or events which could be significant in bringing about a major accident. It may be useful to include or refer to the internal emergency plan which has been drawn up to comply with Article 11 of the Directive. A list of relevant references can be found in Annex D.7.


  Annex A - Article 9 and Annexes II & III of the Directive 96/82/EC


Article 9 and Annexes II & III of Council Directive 96/82/EC on the control of major-accident hazards involving dangerous substances


- Article 9 - Safety report
- Annex II of the Directive
- Annex III of the Directive


  Annex B - Hazardous Reactions and References



- Description of the chemical process
- Past runaway events and accident causation factors
- Identification of the hazard and risk assessment
- References

When hazardous reactions¹ are involved within the processes of an installation, the safety report should contain sufficient information to demonstrate that the operator has identified the major accident hazards and assessed the risks associated with the process. This should include:

  • Description of the chemical process;
  • Consideration of relevant past events;
  • Hazard identification and risk assessment, including consequence evaluation of major accidents and the assessment of the preventive, controlling and mitigation measures.

____________
¹ There are two main types of hazardous reactions: planned reactions that during their operation become unstable and go out of control, and unwanted (often decomposition) reactions. In addition to their relevance in processes, the latter may be relevant to the storage and transport of substances, where the need for control and preventive measures may not otherwise be foreseen.

Description of the chemical process

The following issues should be addressed if relevant, and referenced data should be available related to:

  1. the chemistry involved:
    • type of reactions, for example complex, autocatalytic, secondary, etc.;
    • stoichiometry of reaction and heat generation rates at relevant (e.g. runaway) conditions;
    • properties of reagents including thermal instability, decomposition, impurities, etc.
  2. the reactors and processes involved:
    • design parameters (e.g. pressure and temperature) of the reactors and associated equipment, and where available reliability data;
    • flow charts or P&IDs involving the processes;
    • normal/safe, abnormal and emergency operations, conditions and procedures, including parametric sensitivity for exothermic reactions;
    • control of reactant quality and impurities;
    • control and safety back-up systems;
    • maintenance programs and procedures;
    • procedures for safety critical modifications and reviews of the processes;
    • training programs and safety instructions.

Past runaway events and accident causation factors

It is not unusual for accidents initiated by runaway reactions to be accompanied by severe and irreversible consequences, e.g. fatalities, or damage requiring plant demolition and abandonment. In addition, industrial experience has shown that runaways are as likely to occur in medium/small sized 'non-major hazard' sites as in major hazard sites. Hence the selection of a suitable methodology for identifying the relevant hazards can be assisted by the inputs provided by the analysis of past events.

Among the most frequent immediate and underlying causes identified in past accidents specific to runaway reactions are:

  • insufficient knowledge of the process chemistry;
  • insufficient evaluations and reviews;
  • incorrect operational procedures, e.g. mischarging of reactants;
  • lack of mixing;
  • low quality of reactants;
  • safety critical modifications that are unauthorized, insufficiently hazard studied or not documented;
  • inadequate reactor maintenance;
  • insufficient reactor operating instructions, procedures and training.

Identification of the hazard and risk assessment

The safety report should outline the principles and procedures followed to identify the hazards involved in runaway reactions. Hazard identification and risk assessment are particularly important and are best carried out by a team of qualified people such as chemical engineers and chemists, using various methods. Screening methods should address:

  1. classification of the reacting system;
  2. hazard testing;
  3. risk assessment accompanied by preventive and mitigation measures.

A. Classification of reacting system

The reacting system classification can contribute to the recognition of hazards already identified in similar systems. Several criteria may be used, e.g. Arrhenius and non-Arrhenius reactions, homogeneous and heterogeneous runaways, combinations of initiating events including reactant accumulation, loss of cooling, external heating, solvent evaporation, etc.

B. Hazard testing

Hazard testing is important and should be performed using various screening methods for the evaluation of the characteristic parameters of runaway. Hazard identification methods may require data on:

  • chemical formulas;
  • hazardous mixtures of substances;
  • lists of dangerous reactions;
  • calculation of the oxygen balance;
  • several established indices, e.g. CHETAH indices;
  • accident analysis of relevant past events;
  • thermochemical parameters.

An indicative list of possible thermochemical parameters to be evaluated and the methods to be used for this is given below:

Parameters:

  • onset temperature and heat of reaction for the exotherm and for secondary exotherms;
  • decomposition of reagents, i.e. the decomposition temperatures for the production of gases and the loss of weight during thermal decomposition (thermogravimetry);
  • adiabatic² heat generation rates under relevant (e.g. runaway) conditions;
  • gas generation rates under relevant (e.g. runaway) conditions;
  • pressure effect;
  • range of standard operating conditions, e.g. safety temperature;
  • impurities of reactants.

Hazard Identification Methods:

  • thermal analytical methods, e.g. DSC / DTA;
  • isothermal, isoperibolic, dynamic, adiabatic and pseudo-adiabatic calorimetric methods;
  • runaway reaction simulation using computer models;
  • established indices, e.g. Dow index.

Operators should make the best use of available hazard data and, if these are not sufficient, laboratory and desk-top tests should be performed to estimate the extent of the hazard. In scaling up from laboratory to real size, the uncertainties and necessary extrapolations involved in the reaction parameters should also be considered.

____________
² Tests must be adiabatic with respect to the reactor contents; heat loss from the contents to the wall can be very important.

C. Risk assessment - preventive and mitigation measures

Risk assessment is essential to evaluate the likelihood of runaway and the severity of its potential consequences. The extent of the risk analysis and the intensity of the preventive and mitigation measures should be commensurate with the risk involved. Simple models of hazard identification may not always be sufficient. A list of typical failure modes may be helpful.

There exist several approaches to performing risk assessment. The choice of a particular technique may be process-specific. Although detailed assessment using, for example, CHETAH indices is advisable in several cases, it cannot be considered always necessary unless supported by a cost-effectiveness analysis. Simple screening techniques, on the other hand, can be sufficient only when considered together with the scale and frequency of the usual batch operations; on that basis they could provide adequate criteria for deciding whether further assessment is needed.

Inherently safer design includes substitutions, intensification and attenuation. A viable process would require the implementation of prevention and control measures such as sensors, trips, alarms, control systems, and protective and mitigation measures such as reactor emergency reliefs, crash cooling, reaction inhibition, secondary containment, etc.

Regulations on the design of reactor relief that apply in all circumstances are not common. Not venting may be acceptable when the risk has been reduced to an acceptable level. The necessity of some measures, e.g. explosion vents, may sometimes need to be balanced against cost or environmental and technical constraints.

Emergency plans should consider, among other things, injury to key emergency personnel. Re-examination of the measures taken in established processes may be needed when hazards have not been adequately identified. Audits can contribute to this by providing considerable input, and are expected to be triggered by the legal requirement to update the Safety Report of installations involving hazardous reactions.