Embed Size (px)
DESCRIPTION
safety
Citation preview
The challenge of accounting for ‘atypical’ scenarios
– the work of the EPSC ‘Scenarios Group’.
Richard Gowland – Technical Director EPSC.
Rare major accidents which change the
world of Process Safety
• Events which we did not predict
– The event itself
– The phenomenon or ultimate consequence which we ‘got wrong’
• Because:
– It never happened yet or before
– It happened before but we did not know
– It happened before and we decided that we were well protected
Atypical Scenarios and NATECH
Hazards
• Concept of ‘atypical scenarios’
– An event which cannot always be captured by
standard risk analysis processes and
common Hazard Identification (HAZID)
techniques.
• Includes Worst case Scenarios and
Scenarios initiated or affected by Natural
phenomena (NATECH events)
Stating the problem
• SRA report from N. Paltrinieri – “Conclusions: … the hazard factors which led to the
major accidents of Toulouse (2001) and Buncefield (2005) could have been identified by experts and inspectors if early warnings had been heard and considered in the HAZID process.”
• This is not just about typical incidents caused by process control or human error – there is no reason to forget Natural events as initiators.
• Concept of ‘atypical scenarios’ – An event which cannot always be captured by
standard risk analysis processes and common Hazard Identification (HAZID) techniques.
Atypical Scenarios • Events we did not imagine
• Events when we under-estimated consequence – Leading to using inadequate or to few independent
degrees of protection
• Events where we considered the initiators to be much lower in frequency than ‘real world’
• Events where the initiating event disabled all the protection – the common cause failure was the initiating event itself
• Events where all protection failed – Managing the protection
Maintaining a ‘sense of vulnerability’
‘Uncertainty’
Consequence Analysis/Credible
Scenarios
• Hazard and Risk Management can be
– Rule based
– Risk Based
– ….
– A mixture
We have different methods of
Identifying hazards – ‘HAZID’
• HAZOP
• What If?
• FMEA
• Check lists
– Pro active (what might go wrong?)
– Reactive (applying learning from incidents)
We choose one or more to help us to find hazards
Taking one of the favourites as an example –
HAZOP of a ‘node’…
• Starts with describing the parameters for normal operation (Flow, Temperature, Pressure, phase, level etc.)
• Lists possible deviations from normal parameters
• Lists possible causes
• Lists consequences
• Lists ‘safeguards’ ( may be prevention or mitigation)
• Requires decision – tolerate or make a change?
Questions:
Are the Hazards identified dominated by ‘credible’ events
Do multiple failures or NATECH issues get covered?
Consequences
• Major accident history seems to tell us that:
– we may be able to predict the ‘deviations’ but we
missed or underestimated the consequence.
– We missed some crucial initiators
– Or other ‘assumptions’ or ‘guarantees’ were not
correct
• Phenomena chosen was wrong? (Buncefield)
• Event not seen as credible? (Texas City)
• Protection systems not available (Buncefield, Bhopal)
• Protection systems not adequate for event (Fukushima)
Can we take advice?
• video
Known
Unknown
Unknown
Known
Known
Known
Unknown
Unknown
Known Unknown U
nknow
n
Know
n
Knowledge A
ware
ness
“Known/unknown” table from the statement of Donald Rumsfeld relating to the
absence of evidence linking the government of Iraq with the supply of weapons of mass
destruction to terrorist groups
Fitting our tools to this matrix
• Known – Known – Design standards, Checklists etc.
• Known – Unknown – HAZOP and other techniques
• Unknown – Known – Ensuring known events are not forgotten or
consigned to the box – they should have known better/it cannot happen here.
• Unknown – Unknown – What if?
– What else?
– If found - consigned to the ‘incredible/too difficult’ box
Known Knowns
• We know what can go wrong and we plan
to prevent it
• Relies on:
– ‘Corporate Memory’
– Company or industry standards
– deterministic legislation
Known Unknowns
• Something which our procedures tell us to
consider
• We attempt to use HAZOP or other
structured brainstorming techniques to
predict
Unknown Knowns
• Things which some of us know but not
everyone
• Things we have forgotten
• Failures in corporate memory
– e.g barriers which were placed in software,
but 10 years later a programmer did not
understand purpose and ‘cleaned up’ the
operating program – removing the protection.
‘Unknown Unknowns’
• The things we don’t know that we don’t know:
• Candidates to examine
• Buncefield
• Texas City
• Fukushima
• From the viewpoints: – The event phenomenon (Fire/explosion) which were
discounted
– The initiators we think cannot be predicted • Unusual weather
• Tsunami
• But – are they really ‘unknown unknowns’?
What can we do?
• Enforce the protection for ‘known knowns’
• Find a way to move ‘known unknowns’ (atypical scenarios) into the ‘known known’ field – At least we need to add ‘atypical’ scenarios to our risk
studies
• Deal with the ‘learnings’ and corporate memory to convert ‘unknown knowns’ into ‘known knowns’
• We are left with ‘unknown unknowns’ –where we may be vulnerable and perhaps ill equipped.
Unknown Unknowns?
• Is it too easy to say that an event really was an unknown unknown? – And as a result we can be excused for omitting it from our study
or failing to protect adequately?
– Take Buncefield: Large leaks of gasoline leading to a Vapour Cloud Explosion had occurred at least 7 times during the last 50 years:
• Houston Tx 1962
• Baytown Tx 1977
• Newark NJ 1983
• Napoli 1985 (It)
• St Herblain (Fr)
• Jacksonville (Fl) 1993
• Laem Chabang (Thai) 1999
• Conclusion: This was not an ‘unknown unknown’ –even if detonation had not occurred there would have been a deflagration – which is bad enough…. Note that EPA RMP REQUIRES that VCE is modelled for ALL Flammables
Unknown Unknowns?
• Is it too easy to say that an event really was an ‘unknown unknown’? – And as a result we can be excused for omitting it from
our study or failing to protect adequately?
– Take Texas City: • 80 significant hydrocarbons releases in 2 years
• AMOCO Safety regulations stated that ‘New Blow Down Stacks which vent hydrocarbons to the atmosphere are not permitted’
• Formally stated plans to replace atmospheric blow down stack had been in place 10 years but continually deferred
• Conclusion: This was not an ‘unknown unknown’
‘Unknown Unknowns’ ?
Fukushima – was it an ‘unknown unknown’?:
• The Indian Ocean Tsunami (12/2004) produced waves up to 15 M high
• There are early warning systems
• Japan’s methodology for assessing tsunami risks was behind international standards
• Studies in the early 2000s had indicated that the hazards of Tsunamis had been underestimated and recommendations were not followed up by TEPCO
• Fukushima protection was designed for a 1960s tsunami close to the Chilean coast (3.1 M). Later TEPCO increased the protection for an event of 5.7 M
• IAEA recommended Best Practice is to take account of and allow for the scale of a possible tsunami event occurring once in 10,000 years
• Historical documents indicated that since 1498 there have been 12 tsunamis with amplitude of more than 10 metres and 6 which were more than 20 metres – this means that there could have been 6 events in 500 years which would have overwhelmed all the control and protection systems at Fukushima
• A simplified cost/benefit analysis for reducing the frequency of catastrophe from 1 per 1000 years to 1 per 100,000 years would indicate that added protection would be very cost effective
• In the event of a deficiency, there is no enforced requirement to retrofit protection
•The Indian Ocean Tsunami (Dec 26 2004) produced
waves up to 15 Metres high
•There are early warning systems
Worst Cases
• Are we imaginative enough?
• Do our Hazard Identification tools cover everything we need? - what about worst cases?
• Are we sure that the WORST CASE has never happened? (Buncefield)
• Are we sure that the worst initiating event has never happened? (Fukushima)
• Is our thinking dominated by ‘predictable’ initiators?
• When we protect for ‘predictable’ or ‘credible’ scenarios – what is the added cost for protection against the Worst Cases?
A personal view: I express the possibility that if we go
through a HAZOP, its primary output is about credible
events since it really focuses on a process deviation, one
cause, safeguards and outcomes in each line of study.
• Concentrating on this approach might be limiting our imagination about the worst cases.
• Are worst case scenarios dominated by catastrophic failures of containment?
• If a worst case scenario is about catastrophic failures ….. Do I decide that I cannot do anything except minimise the frequency (e.g. by testing and inspecting) and add in mitigation.
• Do I routinely consider worst cases which can occur because of multiple failures of protection systems?
• If a worst case (or close to worst case) can be prevented by safeguards and protective layers do I actually study this properly?
• Is it possible to imagine the worst case and then work backwards to see what has to happen (alignment of the holes in the ‘Swiss cheese’)? REVERSE THE HAZOP – starting with Worst Case Consequences and working backwards to find what has to be true for the even to occur?
Conclusion • Can do better in predicting and managing atypical and
worst case scenarios:
• There are actually very few ‘unknown unknowns’ – Don’t rely too much on HAZOP
– Structure your PHA to list worst cases
• Worst Case should not be confined to the emergency plan – It can be imagined
– What can initiate it?
– What has to fail for it to happen and are there common causes – fast track to disaster?
– When we assess the safeguards: How rigorous is the evaluation of effectiveness (e.g. relief and containment systems, human factors)
• Do we address the conditions or events which would disable several safeguards simultaneously? (e.g. flood, power failure, management failure, multiple alarms leading to a halt in the process control system)
• Protecting against the worst case is not always ‘too difficult’ or too expensive
Thank you
