icheme_tce_uncovering the unknown
7/28/2019 IChemE_TCE_Uncovering the Unknown
28 www.tcetoday.com march 2013
tce SAFETY
Uncovering the unknown
Planning for the unexpected is not easy, says Richard Gowland
about and can plan to prevent or control
'known unknowns': events which we can predict even if they have not occurred yet
'unknown knowns': events which have occurred but we have failed to remember and study (eg loss of corporate memory)
'unknown unknowns': events which we have so far failed to predict or which have been dismissed as unrealistic.
For example, PHA and HAZOP fit well into
the task of finding the 'known knowns' and 'known unknowns' as long as our thinking
is sufficiently open to considering worst
consequences.
The 'unknown knowns' and 'unknown
unknowns' seem to present problems which
may expose weaknesses. There is no excuse
for failures in corporate memory or failing to
apply learning experiences from well-known
events. If we really think a worst imaginable
event can be described as 'never happened
yet', can we be sure?
The fact that events or initiators similar
to the examples here had happened in the memorable or recorded past seems to have
been overlooked. They seem to fit neatly
into the 'unknown knowns' category. Have
we forgotten? Did we fail to research? Did
we discount as being 'not applicable' or
'not realistic'? In the last case, at least we
considered it and hopefully based decisions
on technical factors such as process,
protective barriers and mitigation.
We are left with 'unknown unknowns' which
might be the final resting place of the real
failures. It seems unreasonable to be criticised
for the occurrence of something we could not possibly have imagined. If it was really true
that we could not possibly have imagined it,
I might be sympathetic. I suspect that these
cases would be very rare.
them, eliminate where possible, and provide
sufficient control and protection for the risks
that remain. These processes serve us well
when the possible scenarios are identified,
although worst cases sometimes present
special challenges. The challenge remains
in identifying all possible scenarios. Major accident examples such as Texas City and
Buncefield show us that we either did not
identify and anticipate the events which
actually occurred or we assumed that they
were so unlikely as to be of an acceptable
likelihood or had never happened or even,
not worth comprehensive study. Were these
atypical scenarios?
The same pattern emerges from studies of
the Fukushima Nuclear Power plant tragedy
in Japan where large-amplitude tsunamis had
been experienced several times in the last
500 years, but advice from the International Atomic Energy Agency on protection against
these events seems to have been discounted
by industry and government [1].
finding and dealing with atypical scenarios
Hazard identification methods such as
process hazard analysis (PHA), hazard
and operability (HAZOP) and 'what if'
studies are quite effective when sufficient
creativity identifies what we can call atypical
scenarios. The other tools such as fault tree
analysis, layer of protection analysis, and quantitative risk assessment can then address
a complete set of scenarios to help manage
risk comprehensively. The studies carried out
with hazard identification and risk assessment
tools appear in some cases to come up short
where worst cases are concerned. Efforts
seem to be dominated by credible events.
EPSC has a working group which has
looked to find best practices which offer an
improvement in scenario development and
address these missing atypical scenarios.
The results of the work are encouraging and
offer a way ahead. It builds on strengthening
and enhancing the tools we already use by adding dimensions which appear to have
been missed in the past. EPSC's report [3]
describes practical steps which when properly
applied will close some of the gaps in process
risk management systems.
If we categorise events as follows [4], we
might see how hazard identification and
management processes can be used for each:
'known knowns': events which we know
Are events like the fire and explosions
at Texas City and Buncefield and
the inundation of the Fukushima
nuclear power plant so unusual that they
somehow escaped the risk management
process of the responsible operators?
Trying to make sense of these events leads me to ask some questions: Do we
have the right tools? Is our thinking and
risk management dominated by 'credible'
scenarios to the point where 'worst imaginable'
cases are consigned to the 'negligible
frequency' risk category? Do we spend
enough effort on exploring possible causes
of worst cases and managing them? Are we
complacent about our hazard identification
and management processes?
If these serious events had been viewed
as realistically possible, in each case, a fairly
simple examination of the possible causes and the degree of protection provided
would have revealed the gaps, which were
well documented by official and unofficial
reports after the event. In the cases of Texas
City and Fukushima, if we think of these as
warning signs, some of the signs, such as
near-misses, emerged prior to the event but
follow-up recommendations were not fully
implemented [1]. Also, there was plenty of
evidence that serious events in operations in
relevant industries or the natural environment
had occurred with significant frequency in the
fairly recent past. But somehow, the lessons
from these events had been overlooked,
forgotten or discounted.
In 2004, the European Process Safety Centre
(EPSC) raised the concern that although the
overall number of process safety incidents
was falling, those which did occur seemed
to be very severe. This resulted in a move
towards a more accurate means of recording
incidents, an added severity metric, and
managing the precursors more effectively.
As part of this move EPSC held a series of
face-to-face meetings with members, which
included process safety incident reporting
through support of the new American Petroleum Institute Incident Indicators
(API RP754) [2]; the CEFIC Responsible Care
process safety incident system; loss of primary
containment programmes; safety critical
systems; leading indicators; and ultimately
a group which researched the subject of
atypical scenarios.
Our risk management processes aim to
identify potential hazardous events, analyse
(Left): The sun tries to break through the thick
cloud and smoke as foam is sprayed on one
of the fuel storage tanks at the Buncefield oil
depot in Hemel Hempstead, UK, 2005;
(Above): A risk assessment might not have
predicted the scale of fire-water overflow
seen at Buncefield
(Above): The appearance of reactor buildings at Fukushima Daiichi nuclear power station
after the tsunami;
(Below): Destruction following the BP Texas
City explosion
where are we now?
Process hazard analysis is often driven by
a questionnaire which embodies much of
the learning experience of the company.
A more detailed formal examination of
worst cases within the analysis has been
shown to yield good results. This includes
a strict requirement to cover relevant
events from history from the industry and
predefined worst cases. As an example, the
US Environmental Protection Agency Risk
Management Plan (RMP) requires that vapour
cloud explosion is included in studies for any
flammable material [5]. This is a simple but vital requirement even if the physical properties,
conditions of use and environment make it
unlikely. It's recognised that the apparent
detonation which occurred at Buncefield may
not have been predictable. However, even
a deflagration model would have predicted
extensive damage on and off site. Was this
missed?
HAZOP studies are frequently carried
out in the steady state and reliance is often
dominated by 'credible' versus 'worst' cases.
Furthermore, worst cases may be consigned
to the mitigation offered by emergency plans.
These are missed opportunities which might
be helped by starting with the worst cases and
working backwards through a HAZOP process
to determine root causes and what has to be
true or fail for the worst case to occur.
Risk assessments such as LOPA and QRA
will not be fully effective if they are not
presented with the scenarios to study. There
is an opportunity to make a much more
strict inclusion of potential events from the
technology and history which might not be
known by today's generation of operations.
conclusions
We might conclude that we sometimes fail to
identify some significant scenarios through
limitations of our methods or we might be
unaware of events which have happened in the past and could apply to us.
So-called 'unknown unknowns' are in many
cases to be found in history or in a more
creative approach to worst-case scenarios and
their management.
Members of the EPSC scenarios group
all have a formal approach to hazard
identification in their project management,
normal operations, and management of
change.
The hazard identification method of choice
is usually built into the process hazard
analysis and HAZOP methodologies, although
member practices are not identical. Where HAZOP is concerned, all members carry out
studies in the steady state, but HAZOP is not
always conducted for startup and shutdown
phases. These critical phases are not always
overlooked but are covered by detailed
instructions which include potential hazards
and their consequences. The predominant
cases in these studies are credible and from
learning experiences and rely very much
on the discipline and creativity of a properly
constituted and competent team.
Whilst efforts to study worst cases may
occur in HAZOP, events seem to show that we
are not always successful. Indeed, even when
a worst-case scenario is considered, HAZOP
may not be the best method to study it. If this
is true, the bow tie has potential to become
the method of choice.
What comes out of this and a review of
company practices would be an approach
which says we need to gain consistency from
our hazard identification practices by:
addressing steady state comprehensively, eg HAZOP or failure mode and effects analysis (FMEA), or 'what if';
ensuring that complementary startup and shutdown studies are included in hazard identification (and study); and
including worst cases at an early stage.
There is also much to be gained from critical
task analysis and human error analysis in predicting atypical events and managing
them better. They should exploit the 'known
knowns', 'known unknowns', 'unknown
knowns' and use a creative approach to
imagine the 'unknown unknowns', which
can be studied with bow tie analysis and
perhaps, controversially, a 'reverse HAZOP'
approach where we start with the worst-case
consequence and work out what can initiate
or fail for the full impact to be realised.
There are very few 'unknown unknowns'.
Certainly, the three major events described
here are not 'unknown unknowns'.
Furthermore, we may imagine that the
likelihood of all the holes in the Swiss cheese
aligning is very unlikely or unimaginable for
these events, but can we be sure?
Richard Gowland is
technical director of EPSC
further reading
1. Studies on Fukushima, The Carnegie Endowment for International Peace.
2. API RP754: Process Safety Performance Indicators for the Refining and Petrochemical Industries.
3. EPSC Report 34, Atypical Scenarios (for EPSC members only).
4. Nicola Paltrinieri, N, Tugnoli, A, Bonvicini, S, Cozzani, V, Atypical Scenarios Identification by the DyPASI Procedure: (Application to LNG), Università di Bologna.
5. Kleindorfer, P, Belke, J, Elliott, M, Lee, K, Lowe, R, Feldman, H, Accident Epidemiology and the US Chemical Industry: Accident History and Worst Case Data from RPM-info, Risk Analysis, vol 23 no 5, 2003.