recent_analysis_on_the_risk_management_and_safety.doc

Developments in Safety Science and TechnologyPASMAN Hans J.* Retired from TNO and Delft University of Technology in the Netherlands. Recently Research Professor at the Mary Kay OConnor Process Safety Center, Dept. Chemical Engineering, Texas A&M University, College Station TX, USA. ()Abstract: Ten years of ISSST symposia will be marked and some general trends noted. For improving safety one has to know where are the risks and how large are these in order to think of adequate risk reducing countermeasures and prioritize in realizing these. In the first part of the paper the present state of the art of risk assessment will be briefly reviewed and the weaknesses and shortcomings shown. It will be concluded that model improvements and better approaches to hazard identification can be made, however the experimental validation of consequence models shall need a massive, concentrated effort without which no major improvement seems possible. In the field of Safety Science and Technology beside the technical aspects human factor, organization and management developed strongly the last decennia. The latest developments are in improving safety culture. By recent accidents it is shown that to withstand the daily pressure of costs and time, management needs better performance indicators on safety and secondly the attitude shall become such that a high safety level is seen as profit making. The attitude to safety should be by conviction; otherwise safety measures may degrade to a paper exercise. The author refers in the paper also to his previous contributions to this symposium series which now is in existence for ten years.Keywords: risk analysis; consequence models; human factor; safety management; safety culture1 IntroductionTen years have passed since the first International Symposium on Safety Science and Technology took place. The awareness that safety has to start with the design of a machine, a building, a chemical plant, a transportation route, an off-shore platform, a dam for hydro-electric power, an airplane et cetera has risen during that time considerably. The choices a designer makes are determining for a great deal what the outcome will be in case during its life time the item will be struck by disaster. The built-in inherent safer technical solutions and the resilience a construction will have are appearing in the moments of large stresses, fires, explosions or exposure to toxic substances. A designer needs therefore information, much information as we shall see, from the side of safety science and can put that in safe technology as the name of this series of symposia suggests.However, usually not everything can be put in a design by the simple fact that the design team may not have a complete picture in mind what events can happen which will threaten its creation and its users during its lifetime of 20, perhaps even 50 years. Even more often competition puts pressure on cost, so one selects the cheapest solutions and does not regard safety unless regulation puts strict requirements. It means that the user of the equipment has to get safety in mind as well, in order to avoid unnecessary injuries and may be even death, and also all kinds of other damage to equipment, structure, environment etc. The largest and longest lasting damage can be the one to reputation and image which is imponderable, and which cannot like other damage been expressed in financial loss easily, but as history has shown, can mean a large blow to a company and even in due time to its disappearance.In those 10 years also awareness has risen that for an industrial operation or other large scale activity such as a station, a traffic choke point safety is to be given much attention during the stages of construction and commissioning resulting finally in operation. This is not only for the sake of the people somehow involved in the process itself, the workers in the first place, but also by-passers, nearby inhabitants or wider environment. In part operational safety boils down again in technical provisions as for alarming, fire fighting, communications, escape routes, but also many dos and donts for the workers, and other users. So safety has many technical aspects, but quite often even more important, is also building on organization, manifesting itself in a safety management system with many specific activities, such as auditing and as a whole based on by regulation and supported by procedures. Technical and organizational sides of safety act to a certain extent as communicating vessels. Once, one is aware of a safety aspect a provision can be made either technical or organizational or both depending on possibilities. A technical solution is often preferable since one invests one time in thinking and material although the item of course should be maintained, but this is not always possible or only in a limited way. An organizational solution has to be learned by newcomers all the time and is less easily becoming part of a system and can erode over time. We see this all in the street traffic in which we daily participate.In these symposia the contributions from the side of the present author (see Table 1; later in the text designated as HJP followed by the symposium year) were mostly inspired by the major risks adhering to the production, storage and transportation of hazardous materials. However the way process industry increased its safety level is representative for many sectors of industry. In Fig. 1 the evolution is shown. At first and still continuing there are the improvements of technical safety by improved design and introduction of best available technology but shortly after, human and safety management aspects start to play a major role. Right now focus comes on safety culture as we shall see later.As expressed in the 1998 paper (HJP 1998), safety is seen by many as additional cost to a project, not as a gain or as an investment which will yield interest. In fact the first paper provided the instruments to calculate the costs and gains. These are however still rarely used since many think, well, an accident is just bad luck. As we shall see in this lecture it is a matter of attitude and culture to change that view. If we all would invest in safety we shall benefit from it as a society and increase quality of life. There are already so many natural hazards to fight against as earthquake and flooding, that we shall do our utmost to avoid hazards by technical faults and wrong operation.The HJP 2000 lecture contained as the central theme that prevention is better than protection. We shall try to avoid add-on protection and instead rely on inherently safer concepts as set out above. However application of this concept did not become very common for a variety of reasons: lack of knowledge, overview and insight and psychological inertia being significant contributors.Table 1 Lecture titles of present author in ISSST events in the last ten years1998BeijingSafety will save costs, but how much is the question!2000BeijingHierarchy of concepts for risk reduction in chemical plant2002TaiAnAdvances in Process Safety Engineering2004ShanghaiSome Recent Developments in Process Safety Tools2006ChangshaDo we spend enough on safety?Fig. 1 Improvement of safety level in American and European process industry and the contributing factors1In HJP 2002 the theme was the same but the lecture provided some practical tools to perform a risk analysis and to determine the effect of risk reduction measures. The method is called the Layer of Protection Analysis (LOPA). Although this is generally applicable the example is for a chemical plant. The attractiveness is to analyze with a multidisciplinary team the risks in a semi-quantitative or quantitative way thereby focussing on a particular incident scenario and determining the adequacy of independent functioning defence layers coming in action one by one. The use of this tool and the fields of application are further growing.In HJP 2004 the application of the LOPA tool was demonstrated with an example from chemical industry, while it was shown too how small disturbances in a process or small defects can help much to identify accident precursors and their cause. We shall see now how an accident in the United States obliges chemical companies to introduce and maintain metrics to that end, so that one can monitor its safety level.The HJP 2006 lecture was dedicated to a large part to an improvement of risk analysis methodology with the aim of establishing a tool for cost-benefit analysis. As we shall see in this lecture we are not there yet at all. The EU ARAMIS project provided an improvement but will certainly not be the last word. It also made a start with measuring safety culture.The last two years have shed some new light on these problems, which will be presented below. In particular the part on safety culture can help to improve the safety level.2 Risk Analysis, Outcome Variability To know where and to what extent there is potential for disaster one has to determine risks. Risk assessment including risk reduction helps to improve safety, but also land use planning, licensing and emergency planning. Despite the use of risk analysis methodology by universities, industry and consultants for some 30 - 40 years and in nuclear industry even longer there are still severe shortcomings. For application in the process industry the European Union sponsored some projects starting in the late eighties. The first benchmark exercise performed an analysis on an ammonia plant in Greece, Amendola et al.2 in 1992 with 11 teams from various countries calculating the risk by dispersion of an ammonia cloud after an incidental release. The spread in outcomes appeared to become an Achilles heel of risk analysis. In Figs. 2a and b results are shown of the dispersion calculation given a certain scenario and of the individual risk as a function of distance to the risk source. The risk figures are in principle averaged over the affected surface area, but some models did not have the capability to calculate that value and only produced the centreline value. Variability in scenarios, failure rates, vulnerability models etc. has not been included in the results shown yet. Ten years later in 2002 in a next EU project ASSURANCE by Lauridsen et al.3 a similar exercise with 7 experienced teams has been performed on an ammonia storage plant with loading/unloading operations; this time the plant was located in Denmark. The teams were asked to do a complete risk analysis so that all variability factors were included. Although spread in results had decreased compared with the previous exercise, the root problems of spread had not been solved. Individual risk contours differed by at least a factor 3 in radius, which expressed in area is a very large spread; group risk (F-N curves) differed over 2 orders of magnitude. In Table 2 the relative importance of various contributing sources of uncertainty are summarised.Fig. 2 EU benchmark exercise 1992 to investigate uncertainty limits in risk assessment2Left: Application of various gas dispersion models on a liquid ammonia guillotine pipe fracture release scenario. Plotted is the calculated ammonia concentration as a function of distance 15 minutes after the release, weather class 1. Right: Calculated individual risk as a function of distance. At 1000 m distance a spread in outcomes was found over 5 orders of magnitude even with a common vulnerability model for people.Table 2 Qualitative assessment of the importance of various factors to the uncertainty in the calculated risk(the more stars the more important) in project ASSURANCE in 20023Factor Importance Differences in the qualitative analysis * Factors relating to frequency assessment: Frequency assessments of pipeline failures * Frequency assessments of loading arm failures * Frequency assessments of pressurised tank failures * Frequency assessments of cryogenic tank failures * Factors relating to consequence assessment: Definition of the scenario * Modelling of release rate from long pipeline * Modelling of release rate from short pipeline * Release time (i.e. operator or shut-down system reaction time) * Choice of light, neutral or heavy gas model for dispersion * Differences in dispersion calculation codes * Analyst conservatism or judgment * Table 3 Calculation results of loss of containment effects of hazardous substances with various models(Some example outcomes from Ditali et al., 2006 with results added of TNO EFFECTS 5.54)Release caseVariable calculatedEFFECTS 4PHASTGASPEFFECTS 5.5Toluene confined poolMax evap. Rate/ (kgs-1)10.21Toluene unconf. poolMax evap. Rate/(kgs-1)3.5Max. pool area/ m2200599510422000LNG on waterMax evap. Rate/ (kgs-1)166273-197147-32Avg 169.5Max. pool area/ m23871451-1520804-1256385STERADPHASTInt-HSEEFFECTS 5.52-Phase jet fireSurface Emissive Power/ (kWm-2)23015118481DISPGASPHASTEFFECTS 5.5Dispersion dense gas (10 wgt% H2S) Vertical max. dist. 100 ppm H2S/ m625275367 (1695)Hor. max. dist. 100 ppm H2S/ m150205372The largest contribution to uncertainty appeared to be the variety in the definition of the scenarios. Uncertainty in failure frequencies of pipes, tanks, valves etc. are a known problem from the beginning of risk analysis. The bulk of the data in data banks is proprietary. The Dutch Purple Book (in the series of Coloured Books5) offers a basic set. The influence of management effectiveness and safety culture does however not reflect in these figures. The figures assume best practice maintenance.A third category causing spread concerns consequence models (release rates, evaporation, dispersion and the probit damage models). Ditali et al.6 in 2006 have shown examples of how outcomes of pure physical models of release, vaporisation and dispersion can differ with at least a factor 2. In Table 3 because of reasons of space a small part of their results is reproduced as typical example while results of a next version of TNO EFFECTS 5.54 are added, not making the overall picture better. Damage probit parameters are also object of much discussion.Summarising: choices, complexity, available computing time, limited knowledge and experience will contribute all to unavoidable spread in risk analysis results. It will be clear that in case of land use planning or licensing the disagreement in model outcomes will cause much debate and friction amongst planners from both private and public parties. As to be expected there will be different interests hence providing fertile grounds for lawyers, while competent authorities under pressure become uncertain and will try to delay decision or eliminate the risk source and with that the activity. Therefore improvements shall be made.3 Risk analysis, treatment of uncertainty Physical models and system models used in risk analysis are embedded in computer software programs. For a reliable and reproducible answer programmes shall be transparent, verifiable and robust. Transparent means it shall be more than just a black-box. Insight in model assumptions and limitations, which inputs and equations are used where and other information shall be easily obtained. Verifiable means sources of input values (references) shall be traceable, as also the choices made and the reasons why. Robustness has to do with reproducibility. The outcome shall not be dependent on the team performing the calculation. Reliability of software forms a sector of science in itself. The requirements are simple, but not easily satisfied.Much has already been written about uncertainty in risk analysis. Pat-Cornell7 presented in 1996 an overview. Main division is in aleatory uncertainty by variability of a known quantity as a result of randomness, and epistemic uncertainty which stems from lack of knowledge on e.g. mechanisms. The first can be treated by objective, classical statistics, the second only by a Bayesian approach of probability as belief (subjectivity) and can include beside classical statistical information other evidence such as expert opinion. Aggregation of the latter in to a distribution is a challenge; there are many hooks and eyes. The classical treatment provides the use of confidence intervals (the selection of which is the only subjective element), but most analysts suffice to produce a mean and unfortunately do not bother about confidence intervals. Reliability engineering methods to determine failure rates from observed failure times and the corresponding confidence interval are standard (see Red Book, Colored Books5) and already described clearly by Buffham et al.8 in 1971, see Fig. 3. The use of the confidence interval is recently emphasized by Modarres9. Hopefully a new generation will arrive and do use the available techniques.Fig.3 Two-sided confidence limits for ratio of true to estimated mean life, for constant failure period as a function of number of failures nf in a time T terminated test with replacement and application of the 2 -distributionIn the graph m = T/ nf ; = estimated mean life; there are 2nf degrees of freedom; limits follow from where 1-a is the interval mid-area.Fig.4 Representation of societal risk not as the usual F-N curve of all possible scenarios a risk source can produce (Frequency of exceedance of N fatalities versus the number of fatalities, N), but as a location specific value in a 5050 m2 area indicated by colour (red = above the norm; orange a factor 10 below, yellow 100 below, light green periphery safe and green very safe)This value is integratedover all risk sources present in th