IChemE_TCE_Uncovering the Unknown


    28 www.tcetoday.com march 2013

    tce SAFETY

    Uncovering the unknown

    Planning for the unexpected is not easy, says Richard Gowland


    Are events like the fire and explosions at Texas City and Buncefield and the inundation of the Fukushima nuclear power plant so unusual that they somehow escaped the risk management process of the responsible operators?

    Trying to make sense of these events leads me to ask some questions: Do we have the right tools? Is our thinking and risk management dominated by credible scenarios to the point where worst imaginable cases are consigned to the negligible frequency risk category? Do we spend enough effort on exploring possible causes of worst cases and managing them? Are we complacent about our hazard identification and management processes?

    If these serious events had been viewed as realistically possible, in each case, a fairly simple examination of the possible causes and the degree of protection provided would have revealed the gaps, which were well documented by official and unofficial reports after the event. In the cases of Texas City and Fukushima, if we think of these as warning signs, some of the signs, such as near-misses, emerged prior to the event but follow-up recommendations were not fully implemented [1]. Also, there was plenty of evidence that serious events in operations in relevant industries or the natural environment had occurred with significant frequency in the fairly recent past. But somehow, the lessons from these events had been overlooked, forgotten or discounted.

    In 2004, the European Process Safety Centre (EPSC) raised the concern that although the overall number of process safety incidents was falling, those which did occur seemed to be very severe. This resulted in a move towards a more accurate means of recording incidents, an added severity metric, and managing the precursors more effectively. As part of this move EPSC held a series of face-to-face meetings with members, which included process safety incident reporting through support of the new American Petroleum Institute Incident Indicators (API RP754) [2]; the CEFIC Responsible Care process safety incident system; loss of primary containment programmes; safety critical systems; leading indicators; and ultimately a group which researched the subject of atypical scenarios.

    Our risk management processes aim to identify potential hazardous events, analyse them, eliminate where possible, and provide sufficient control and protection for the risks that remain. These processes serve us well when the possible scenarios are identified, although worst cases sometimes present special challenges. The challenge remains in identifying all possible scenarios. Major accident examples such as Texas City and Buncefield show us that we either did not identify and anticipate the events which actually occurred or we assumed that they were so unlikely as to be of an acceptable likelihood or had never happened or even, not worth comprehensive study. Were these atypical scenarios?

    The same pattern emerges from studies of the Fukushima Nuclear Power plant tragedy in Japan where large-amplitude tsunamis had been experienced several times in the last 500 years, but advice from the International Atomic Energy Agency on protection against these events seems to have been discounted by industry and government [1].

    finding and dealing with atypical scenarios

    Hazard identification methods such as process hazard analysis (PHA), hazard and operability (HAZOP) and 'what if' studies are quite effective when sufficient creativity identifies what we can call atypical scenarios. The other tools such as fault tree analysis, layer of protection analysis, and quantitative risk assessment can then address a complete set of scenarios to help manage risk comprehensively. The studies carried out with hazard identification and risk assessment tools appear in some cases to come up short where worst cases are concerned. Efforts seem to be dominated by credible events.

    EPSC has a working group which has looked to find best practices which offer an improvement in scenario development and address these missing atypical scenarios. The results of the work are encouraging and offer a way ahead. It builds on strengthening and enhancing the tools we already use by adding dimensions which appear to have been missed in the past. EPSC's report [3] describes practical steps which when properly applied will close some of the gaps in process risk management systems.

    If we categorise events as follows [4], we might see how hazard identification and management processes can be used for each:

    • known knowns: events which we know about and can plan to prevent or control

    • known unknowns: events which we can predict even if they have not occurred yet

    • unknown knowns: events which have occurred but we have failed to remember and study (eg loss of corporate memory)

    • unknown unknowns: events which we have so far failed to predict or which have been dismissed as unrealistic.

    For example, PHA and HAZOP fit well into the task of finding the known knowns and known unknowns as long as our thinking is sufficiently open to considering worst consequences.

    The unknown knowns and unknown unknowns seem to present problems which may expose weaknesses. There is no excuse for failures in corporate memory or failing to apply learning experiences from well-known events. If we really think a worst imaginable event can be described as 'never happened yet', can we be sure?

    The fact that events or initiators similar to the examples here had happened in the memorable or recorded past seems to have been overlooked. They seem to fit neatly into the unknown knowns category. Have we forgotten? Did we fail to research? Did we discount as being 'not applicable' or 'not realistic'? In the last case, at least we considered it and hopefully based decisions on technical factors such as process, protective barriers and mitigation.

    We are left with unknown unknowns which might be the final resting place of the real failures. It seems unreasonable to be criticised for the occurrence of something we could not possibly have imagined. If it was really true that we could not possibly have imagined it, I might be sympathetic. I suspect that these cases would be very rare.

    (Left): The sun tries to break through the thick cloud and smoke as foam is sprayed on one of the fuel storage tanks at the Buncefield oil depot in Hemel Hempstead, UK, 2005; (Above): A risk assessment might not have predicted the scale of fire-water overflow seen at Buncefield


    (Above): The appearance of reactor buildings at Fukushima Daiichi nuclear power station after the tsunami; (Below): Destruction following the BP Texas City explosion

    where are we now?

    Process hazard analysis is often driven by a questionnaire which embodies much of the learning experience of the company. A more detailed formal examination of worst cases within the analysis has been shown to yield good results. This includes a strict requirement to cover relevant events from history from the industry and predefined worst cases. As an example, the US Environmental Protection Agency Risk Management Plan (RMP) requires that vapour cloud explosion is included in studies for any flammable material [5]. This is a simple but vital requirement even if the physical properties, conditions of use and environment make it unlikely. It's recognised that the apparent detonation which occurred at Buncefield may not have been predictable. However, even a deflagration model would have predicted extensive damage on and off site. Was this missed?

    HAZOP studies are frequently carried out in the steady state and reliance is often dominated by credible versus worst cases. Furthermore, worst cases may be consigned to the mitigation offered by emergency plans. These are missed opportunities which might be helped by starting with the worst cases and working backwards through a HAZOP process to determine root causes and what has to be true or fail for the worst case to occur.

    Risk assessments such as LOPA and QRA will not be fully effective if they are not presented with the scenarios to study. There is an opportunity to make a much more strict inclusion of potential events from the technology and history which might not be known by today's generation of operations.

    conclusions

    We might conclude that we sometimes fail to identify some significant scenarios through limitations of our methods or we might be unaware of events which have happened in the past and could apply to us.

    So-called unknown unknowns are in many cases to be found in history or in a more creative approach to worst-case scenarios and their management.

    Members of the EPSC scenarios group all have a formal approach to hazard identification in their project management, normal operations, and management of change.

    The hazard identification method of choice is usually built into the process hazard analysis and HAZOP methodologies, although member practices are not identical. Where HAZOP is concerned, all members carry out studies in the steady state, but HAZOP is not always conducted for startup and shutdown phases. These critical phases are not always overlooked but are covered by detailed instructions which include potential hazards and their consequences. The predominant cases in these studies are credible and from learning experiences and rely very much on the discipline and creativity of a properly constituted and competent team.


    Whilst efforts to study worst cases may occur in HAZOP, events seem to show that we are not always successful. Indeed, even when a worst-case scenario is considered, HAZOP may not be the best method to study it. If this is true, the bow tie has potential to become the method of choice.

    What comes out of this and a review of company practices would be an approach which says we need to gain consistency from our hazard identification practices by:

    • addressing steady state comprehensively, eg HAZOP or failure mode and effects analysis (FMEA), or 'what if';

    • ensuring that complementary startup and shutdown studies are included in hazard identification (and study); and

    • including worst cases at an early stage.

    There is also much to be gained from critical task analysis and human error analysis in predicting atypical events and managing them better. They should exploit the known knowns, known unknowns, unknown knowns and use a creative approach to imagine the unknown unknowns, which can be studied with bow tie analysis and perhaps, controversially, a reverse HAZOP approach where we start with the worst-case consequence and work out what can initiate or fail for the full impact to be realised.

    There are very few unknown unknowns. Certainly, the three major events described here are not unknown unknowns. Furthermore, we may imagine that the likelihood of all the holes in the Swiss cheese aligning is very unlikely or unimaginable for these events, but can we be sure?

    Richard Gowland is technical director of EPSC

    further reading

    1. Studies on Fukushima, The Carnegie Endowment for International Peace.

    2. API RP754: Process Safety Performance Indicators for the Refining and Petrochemical Industries.

    3. EPSC Report 34, Atypical Scenarios (for EPSC members only).

    4. Paltrinieri, N, Tugnoli, A, Bonvicini, S, Cozzani, V, Atypical Scenarios Identification by the DyPASI Procedure: (Application to LNG), Università di Bologna.

    5. Kleindorfer, P, Belke, J, Elliott, M, Lee, K, Lowe, R, Feldman, H, Accident Epidemiology and the US Chemical Industry: Accident History and Worst Case Data from RPM-info, Risk Analysis, vol 23 no 5, 2003.
