SAFETY

Uncovering the unknown

Planning for the unexpected is not easy, says Richard Gowland

www.tcetoday.com march 2013

Are events like the fire and explosions at Texas City and Buncefield and the inundation of the Fukushima nuclear power plant so unusual that they somehow escaped the risk management process of the responsible operators? Trying to make sense of these events leads me to ask some questions: Do we have the right tools? Is our thinking and risk management dominated by credible scenarios to the point where worst imaginable cases are consigned to the negligible-frequency risk category? Do we spend enough effort on exploring possible causes of worst cases and managing them? Are we complacent about our hazard identification and management processes?

If these serious events had been viewed as realistically possible, in each case a fairly simple examination of the possible causes and the degree of protection provided would have revealed the gaps, which were well documented by official and unofficial reports after the event. In the cases of Texas City and Fukushima, if we think of these as warning signs, some of the signs, such as near-misses, emerged prior to the event, but follow-up recommendations were not fully implemented [1]. Also, there was plenty of evidence that serious events in operations in relevant industries or the natural environment had occurred with significant frequency in the fairly recent past. But somehow, the lessons from these events had been overlooked, forgotten or discounted.

In 2004, the European Process Safety Centre (EPSC) raised the concern that although the overall number of process safety incidents was falling, those which did occur seemed to be very severe. This resulted in a move towards a more accurate means of recording incidents, an added severity metric, and managing the precursors more effectively. As part of this move EPSC held a series of face-to-face meetings with members, which included process safety incident reporting through support of the new American Petroleum Institute incident indicators (API RP754) [2]; the CEFIC Responsible Care process safety incident system; loss of primary containment programmes; safety critical systems; leading indicators; and ultimately a group which researched the subject of atypical scenarios.

Our risk management processes aim to identify potential hazardous events, analyse them, eliminate them where possible, and provide sufficient control and protection for the risks that remain. These processes serve us well when the possible scenarios are identified, although worst cases sometimes present special challenges. The challenge remains in identifying all possible scenarios. Major accident examples such as Texas City and Buncefield show us that we either did not identify and anticipate the events which actually occurred, or we assumed that they were so unlikely as to be of an acceptable likelihood, had never happened, or were not even worth comprehensive study. Were these atypical scenarios? The same pattern emerges from studies of the Fukushima nuclear power plant tragedy in Japan, where large-amplitude tsunamis had been experienced several times in the last 500 years, but advice from the International Atomic Energy Agency on protection against these events seems to have been discounted by industry and government [1].

(Left): The sun tries to break through the thick cloud and smoke as foam is sprayed on one of the fuel storage tanks at the Buncefield oil depot in Hemel Hempstead, UK, 2005; (Above): A risk assessment might not have predicted the scale of fire-water overflow seen at Buncefield

finding and dealing with atypical scenarios


Hazard identification methods such as process hazard analysis (PHA), hazard and operability (HAZOP) and what-if studies are quite effective when sufficient creativity identifies what we can call atypical scenarios. The other tools, such as fault tree analysis, layer of protection analysis (LOPA) and quantitative risk assessment (QRA), can then address a complete set of scenarios to help manage risk comprehensively. The studies carried out with hazard identification and risk assessment tools appear in some cases to come up short where worst cases are concerned. Efforts seem to be dominated by credible events. EPSC has a working group which has looked to find best practices which offer an improvement in scenario development and address these missing atypical scenarios. The results of the work are encouraging and offer a way ahead. It builds on strengthening and enhancing the tools we already use by adding dimensions which appear to have been missed in the past. EPSC's report [3] describes practical steps which, when properly applied, will close some of the gaps in process risk management systems.

If we categorise events as follows [4], we might see how hazard identification and management processes can be used for each:

- known knowns: events which we know about and can plan to prevent or control
- known unknowns: events which we can predict even if they have not occurred yet
- unknown knowns: events which have occurred but we have failed to remember and study (eg loss of corporate memory)
- unknown unknowns: events which we have so far failed to predict or which have been dismissed as unrealistic.

For example, PHA and HAZOP fit well into the task of finding the known knowns and known unknowns as long as our thinking is sufficiently open to considering worst consequences. The unknown knowns and unknown unknowns seem to present problems which may expose weaknesses. There is no excuse for failures in corporate memory or failing to apply learning experiences from well-known events. If we really think a worst imaginable event can be described as 'never happened yet', can we be sure? The fact that events or initiators similar to the examples here had happened in the memorable or recorded past seems to have been overlooked. They seem to fit neatly into the unknown knowns category. Have we forgotten? Did we fail to research? Did we discount them as not applicable or not realistic? In the last case, at least we considered it and hopefully based decisions on technical factors such as process, protective barriers and mitigation. We are left with unknown unknowns, which might be the final resting place of the real failures. It seems unreasonable to be criticised for the occurrence of something we could not possibly have imagined. If it were really true that we could not possibly have imagined it, I might be sympathetic. I suspect that these cases would be very rare.
Furthermore, worst cases may be consigned to the mitigation offered by emergency plans. These are missed opportunities which might be helped by starting with the worst cases and working backwards through a HAZOP process to determine root causes and what has to be true or fail for the worst case to occur. Risk assessments such as LOPA and QRA will not be fully effective if they are not presented with the scenarios to study. There is an opportunity to make a much more strict inclusion of potential events from the technology and history which might not be known by today's generation of operations.

conclusions
We might conclude that we sometimes fail to identify some significant scenarios through limitations of our methods or we might be unaware of events which have happened in the past and could apply to us. So-called unknown unknowns are in many cases to be found in history or in a more creative approach to worst-case scenarios and their management. Members of the EPSC scenarios group all have a formal approach to hazard identification in their project management, normal operations, and management of change. The hazard identification method of choice is usually built into the process hazard analysis and HAZOP methodologies, although member practices are not identical. Where HAZOP is concerned, all members carry out studies in the steady state, but HAZOP is not always conducted for startup and shutdown phases. These critical phases are not always overlooked but are covered by detailed instructions which include potential hazards and their consequences. The predominant cases in these studies are credible and from learning experiences and rely very much on the discipline and creativity of a properly constituted and competent team.

(Above): The appearance of reactor buildings at Fukushima Daiichi nuclear power station after the tsunami; (Below): Destruction following the BP Texas City explosion

where are we now?


Process hazard analysis is often driven by a questionnaire which embodies much of the learning experience of the company. A more detailed formal examination of worst cases within the analysis has been shown to yield good results. This includes a strict requirement to cover relevant events from the industry's history and predefined worst cases. As an example, the US Environmental Protection Agency Risk Management Plan (RMP) requires that vapour cloud explosion is included in studies for any flammable material [5]. This is a simple but vital requirement even if the physical properties, conditions of use and environment make it unlikely. It's recognised that the apparent detonation which occurred at Buncefield may not have been predictable. However, even a deflagration model would have predicted extensive damage on and off site. Was this missed? HAZOP studies are frequently carried out in the steady state and reliance is often dominated by credible versus worst cases.

Whilst efforts to study worst cases may occur in HAZOP, events seem to show that we are not always successful. Indeed, even when a worst-case scenario is considered, HAZOP may not be the best method to study it. If this is true, the bow tie has potential to become the method of choice. What comes out of this and a review of company practices would be an approach which says we need to gain consistency from our hazard identification practices by: addressing the steady state comprehensively, eg with HAZOP, failure mode and effects analysis (FMEA) or what-if studies; ensuring that complementary startup and shutdown studies are included in hazard identification (and study); and including worst cases at an early stage. There is also much to be gained from critical task analysis and human error analysis in predicting atypical events and managing them better. These should exploit the 'known knowns', 'known unknowns' and 'unknown knowns', and use a creative approach to imagine the 'unknown unknowns', which can be studied with bow tie analysis and perhaps, controversially, a reverse HAZOP approach where we start with the worst-case consequence and work out what can initiate or fail for the full impact to be realised. There are very few 'unknown unknowns'. Certainly, the three major events described here are not 'unknown unknowns'. Furthermore, we may imagine that the likelihood of all the holes in the Swiss cheese aligning is very unlikely or unimaginable for these events, but can we be sure?
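As an added illustration (not part of the article or of EPSC's report), the "start from the worst case and work out what must fail" idea above is what a fault-tree cut-set analysis does mechanically: given a top event and the AND/OR gates beneath it, it enumerates every combination of basic failures sufficient to realise it, and the rare-event sum over those sets is the Swiss-cheese "all holes aligned" likelihood. The tree, event names and probabilities below are constructed for illustration and are not taken from any incident report.

```python
from itertools import product
from math import prod

# Constructed fault tree for one worst-case top event (hypothetical; not the
# causal chain of any real incident). A gate is ("AND" | "OR", [children]);
# any name that is not a key is a basic event.
TREE = {
    "vapour_cloud_explosion": ("AND", ["flammable_cloud", "ignition"]),
    "flammable_cloud": ("OR", ["tank_overfill", "transfer_line_rupture"]),
    "tank_overfill": ("AND", ["level_gauge_stuck", "high_level_trip_fails",
                              "operator_misses_alarm"]),
    "ignition": ("OR", ["vehicle_in_bund", "pump_house_electrics"]),
}

# Constructed per-demand probabilities for the basic events (illustrative).
PROB = {
    "level_gauge_stuck": 1e-2, "high_level_trip_fails": 1e-2,
    "operator_misses_alarm": 1e-1, "transfer_line_rupture": 1e-4,
    "vehicle_in_bund": 5e-2, "pump_house_electrics": 1e-2,
}

def cut_sets(tree, node):
    """Every set of basic events sufficient to cause `node` (recursive expansion)."""
    if node not in tree:
        return [frozenset([node])]
    gate, children = tree[node]
    child_sets = [cut_sets(tree, child) for child in children]
    if gate == "OR":
        return [cs for sets in child_sets for cs in sets]
    # AND: one cut set from each child must hold at the same time.
    return [frozenset().union(*combo) for combo in product(*child_sets)]

def minimal_cut_sets(tree, top):
    """Drop cut sets that contain another cut set; sort smallest first."""
    sets = set(cut_sets(tree, top))
    return sorted((s for s in sets if not any(o < s for o in sets)),
                  key=lambda s: (len(s), sorted(s)))

def weakest_paths(mcs):
    """Cut sets needing the fewest coincident failures: the fewest holes
    in the Swiss cheese that have to line up for the worst case."""
    fewest = min(len(s) for s in mcs)
    return [s for s in mcs if len(s) == fewest]

def top_event_probability(mcs, prob):
    """Rare-event approximation: sum over minimal cut sets of the product of
    basic-event probabilities, assuming every basic event is independent."""
    return sum(prod(prob[event] for event in s) for s in mcs)
```

The independence assumed in top_event_probability is exactly what the closing question challenges: a common-cause failure that takes out two barriers at once shortens the weakest path without appearing anywhere in this arithmetic.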


Richard Gowland (rtgowland@aol.com) is technical director of EPSC


further reading

1. Studies on Fukushima, The Carnegie Endowment for International Peace.
2. API RP754: Process Safety Performance Indicators for the Refining and Petrochemical Industries.
3. EPSC Report 34, Atypical Scenarios (for EPSC members only).
4. Paltrinieri, N, Tugnoli, A, Bonvicini, S, Cozzani, V, Atypical Scenarios Identification by the DyPASI Procedure: Application to LNG, Università di Bologna.
5. Kleindorfer, P, Belke, J, Elliott, M, Lee, K, Lowe, R, Feldman, H, Accident Epidemiology and the US Chemical Industry: Accident History and Worst Case Data from RMP*Info, Risk Analysis, vol 23 no 5, 2003.
