RISKworld RISKworld RISKworld RISKworld RISKworld ... · [email protected] Note 1 Awarded by...

RISKworld RISKworld RISKworld RISKworld RISKworld RISKworld

Satisfaction (almost) guaranteed

It is over a year since Risktec joined theTÜV Rheinland Group (TRG) and inaddition to the Risktec core businesscontinuing to grow and develop, anumber of the benefits of being part ofTRG are being realised. New Risktecoffices in Abu Dhabi and the Houstonenergy corridor have recently opened,utilising shared office space with groupcompanies. Moreover, a steady flow ofwork has passed between groupcompanies, extending the range ofservices provided to our clients.

Risktec’s Managing Director, Alan Hoy,commented, “Our priority is to deliverour high standard of services to ourestablished clients, and it is very pleasingto see that our regular client surveys areconfirming that our standards are beingmaintained at a very high level. Wehave also worked closely withcolleagues across TRG to respond toenquiries and explore how Risktec cancontribute to the development of thegroup. These interactions have confirmedthe close alignment in business valuesand we are confident that the decisionto join TRG was the right one”.

We hope you find the articles in thislatest edition of RISKworld to beinteresting and thought provoking. Weare particularly pleased that Lee Allford,from the European Process Safety

Centre, has contributed an article basedon his MSc research project. Lee wasrecently awarded an MSc withDistinction in Risk and SafetyManagement1 and won the Risktec beststudent prize in 2012.

The wide range of topics in this editionillustrates the ever growing challengesof demonstrating and assuring safeoperation. To achieve this requiresexpertise across a wide spectrum, from adetailed understanding of highlycomplex technical systems through tothe critical importance of effectivesafety leadership. The increased focuson security brings new and evolvingchallenges and the possible conflict withsafety requirements. Rigorous, yetproportionate, assessment of risk isinvaluable to help operators ofpotentially hazardous facilities operatesafely and remain constantly vigilant tochanging circumstances.

A thorough understanding of risks,which are well managed by competentorganisations, will help ensure “it willnever happen here”.

Contact: Alan Hoy (Warrington)[email protected]

Note1 Awarded by Liverpool John Moores University in partnership with Risktec

RISKTEC SOLUTIONS Launch - Sept 2001 Projects - 3898 Clients - 965 Employees - 269 Offices - 16

RISKworldRISKworldissue 27 spring 2015 the newsletter of risktec solutions limited

In This IssueWelcome to Issue 27 of RISKworld.If you would like additional copiesplease contact us, and feel free topass on RISKworld to other peoplein your organisation. We would alsobe pleased to hear any feedback youmay have on this issue orsuggestions for future editions.

Contact: Steve Lewis (Warrington)[email protected]

ContentsIntroductionAlan Hoy brings us up to date withdevelopments at Risktec and introducesthe articles in this edition.

Integral safety leadersWhen is the whole greater thanthe sum of the parts? When youstart thinking like an integral safetyleader. Steve Lewis explains.

Process safety auditingAre process safety audits lulling us into afalse sense of security and have we setour expectations too high? Lee Allfordhas the answers.

Black and white safetyThe right mix of risk-based andprescriptive safety can be difficult toachieve. Steve Pearson asks whetherever-increasing black and white codesand standards are tipping the balance.

CybermenAnna Holloway and Nigel Stanleytake a look at the newest threat torail safety – hacking of controlsystems. Should we be worried andwhat can we do about it?

Functionally safeHow do you apply good practice toageing electronic systems withoutbreaking the bank? Katy Skipworthhas a cunning plan.

the techni c of96%

ical ate r lients

they 97%

of clients 6%

sultants other red to pa

us rom alue fvd ed vreceie vahy

e v clients belieof%

or g good personnel knowledge

c of96%

ood ery vas our e of

lients 99.6

cons comgood

y

s ’RisktecStatistics

early custo y twice er voage reva are

busine do us as view

omer satisfaction surears f yr last three

ss with easy to s

ey v surout 500 responses to from ab

wou

esponses to

us recommend ld


2

Put yourself in the mind of a line managerresponsible for the safety of personnel. Youhave been warned of many deficiencies in apart of the business, including a strongindication that a significant accident has aworryingly high potential. How do youbegin to think about this problem?

It is not easy, the problem is complex.There is a great deal to think about –technology, procedures, competency andcost, just to start. Einstein once said, “Youcannot solve a problem from the samethinking that created it.” But how can youlearn to see the world anew? Would an‘integral theory’ of safety leadership help?

Integral theoryKen Wilber, an American philosopher andwriter, published the Integral Theory in1997 (Ref. 1). He asserted that each of thedozen most influential schools ofconsciousness, such as cognitive science,neuropsychology and eastern traditions,has something irreplaceably important tooffer our understanding of consciousness.What he created was a general ‘whole’model sophisticated enough toincorporate the essentials of each of them.

Integral simply means comprehensive,balanced and inclusive. It helps make surethat nothing gets left out. A useful theorywill change perspectives, which will thenlead to the implementation of newstrategies, actions and behaviours. Integraltheory helps those who are ready to use it.It would be a mistake to force it on anyone.

An integral model for safetyAn integral model for safety, based onWilber’s integral theory, focuses on thefour perspectives of safety performance,or ‘quadrants’, as shown in Figure 1. Thefour quadrants – which are the four basicways of looking at anything – turn out tobe fairly simple: they are the inside and theoutside of the individual and the collective.

The right side is the objective, outside,external view. It is observable andmeasurable. It is how we act, our ‘doing’.Most organisations in the high hazardindustries are dominated by technicalpeople such as engineers, scientists andaccountants, and so it is not surprising thatthey understand this side of the model.However, they sometimes struggle to understand the left side because it is the

subjective, internal view – you cannotreliably observe or measure what is in theminds of people. It is how and what wethink, our ‘being’. Arguably the greatestopportunity for improvement in safetyperformance would appear to stem fromthis left side…but let’s take a closer look.

The upper right quadrant is the domain ofbehaviour. It is all the things that you seethe individual doing or working with.Improvements in this area come fromworking with individuals to modify theirbehaviour. Having a well developedbehavioural-based safety programme iscrucial to success in this domain.

The lower right quadrant is the domain ofsystems. It includes organisational structures,procedures, formal and informal processes,metrics and rewards. A robust and effectivesafety management system is critical here.Change in this domain is driven by goodmanagement.

The upper left quadrant is the domain ofintention, the view from the ‘interior’ ofthe individual, their consciousness, theirself. It is the language of “I” and includesthe values and commitment the individualbrings to all situations. Improvements in thisarea come from working with individuals,through leadership and coaching. Changein this area is typically perceived as difficultand requiring time. In reality a change inintention, such as commitment to safety,can happen in an instance – the “aha”light-bulb moment.

The lower left quadrant is the domain of shared values, the view from the interior ofthe group. It is the language of “we” andincludes the shared perceptions, norms andstandards of the group. It is here we find theethics, morale and sense of justice that iscommonly held by the group. Positivechange in this domain, such as creating a ‘just’safety culture, has its origin in leadership. Thisquadrant is itself often labelled as ‘culture’,but a broader interpretation is that cultureembodies all four quadrants – the whole.

The integral leaderOur overall safety performance will only be asgood as our least developed quadrant and howwell all four quadrants work together. Anysolution that does not genuinely succeedacross all four worlds will be inherentlylacking. When the line manager we introducedearlier starts to look through the integrallens, thinking about issues in each quadrant,everything has the potential to come intofocus. With focus comes clarity and withclarity comes better decisions. The intent is tobe as all-inclusive and caring as possible.

ConclusionBeing receptive and open minded to anintegral approach presents many possibilitiesfor improvement in safety performance and,ultimately, transformation – for you and yourorganisation. If you feel it has some potential,just try it and see.

Contact: Steve Lewis (Warrington)[email protected]

References1. An Integral Theory of Consciousness, Ken Wilber, February 1997.

The Integral Safety Leader: Thinking about the Whole

BEHAVIOURINTENTION

SHARED VALUES SYSTEMS

Actions Competencies Skill Training Decisions

Beliefs Values

Attitudes Commitment

Empowerment

Shared perceptions Norms

Justice & fairness Ethics

Morale

Organisation Resources Procedures Information Metrics

Individual

Collective

DOING How we act

BEING How and what we think

Inte

rnal

External

Figure 1 — An integral model for safety

d RISKworld RISKworld RISKworld RISKworld RISKworld RISKworld R

3

In the wake of recent major accidents,several investigation reports havepublically criticised the effectiveness ofinternal auditing of process safety. Recentresearch (Ref. 1) sheds light on whetherprocess safety practitioners and thoseindividuals at the front line of auditingshare the view that internal process safetyaudits provide a false sense of security.

The research was conducted in 2014 aspart of an MSc in Risk and SafetyManagement offered by Risktec, andcanvassed facts and opinion, unattributed,using online survey software. It targetedabout 70 process safety professionalsworking for operators of major hazardfacilities who are also company membersof the European Process Safety Centre(EPSC), which sponsored the research.

One of the later sections of the surveyinvited responses to statements related toprocess safety auditing which speak tocommonly voiced criticisms or are simplycontentious (see Figure 1).

HighlightsThe headline survey finding is thataround 86% of respondents believedinternal auditing to be effective. A lessemphatic but still sizeable majority ofrespondents believed that audits didoffer more than supported self-assessment, underpinned by the viewthat audits provide a level of probingwhich uncovers major hazard risks thatthe site has hitherto been unaware.

Greater polarisation was seen to thesuggestion that there was too high anexpectation of process safety auditing,that there were too few success storiesrelated to auditing (e.g. risk reductionactions as a result of auditing) and thatimmediate, tangible hazards crowded outlatent, multi-causal process safety risks.

The survey contained a couple ofquestions related to hypothetical scenariosfollowing an audit. The first was an auditfollowed by a major accident. About 30%of respondents agreed that this was anaudit failure. The flip side is that about70% of respondents disagreed that thisscenario amounted to audit failure. Anaudit by its nature is both a sample andsnapshot and offers no guarantee of

avoiding major accidents. However, anaudit programme should reduce thelikelihood of a major accident occurring.That this view is not necessarily shareduniversally outside the process safetycommunity is in part corroborated byabout 60% of respondents who believethat audit expectation is too often higherthan the audit can realistically deliver.

One question which looked to the futureproposed that virtual or remote auditingwould replace an on-site audit. In otherwords, the auditor would be distant to theplant under audit and modern technologywould present the plant and its peopleand processes to a remotely located auditteam. Almost 95% of respondentsdisagreed with this notion.

ConclusionsThe research highlighted auditorcompetence and senior managementcommitment to the audit process as areasfor improvement.

Practitioners believe internal auditing bycompetent auditors is effective andreduces the potential for a major accident,but also feel that too often theexpectation of what an audit can

realistically deliver is too high. Just becausean audit shows good process safety resultsyesterday, it is no guarantee that a majoraccident cannot happen tomorrow. Thisreinforces the need for managers not tobe complacent when receiving positiveaudit reports but to maintain a sense ofchronic unease and ask, “Is there anythingwe’re overlooking and what else do weneed to do?”

References1. Internal auditing of process safety – a false sense of security? MSc dissertation, Lee Allford, 2014

Contact: Lee Allford (Rugby, UK)[email protected]

Internal auditing of process safety – a false sense of security?

Figure 1 – Process safety internal auditing survey results

��

��

��

��

��

��

��

��

��

��

��

�

��

��

��

��

��

�

��

��

��

��

�

��

��

��

��

�

what extent do you agree with the statements?ety, to Thinking about internal auditing of process saf

0%Pe

rcen

tage

of R

espo

nden

ts

��

��$��

�!��$Im

med

iate

& ta

ngib

le h

azar

ds te

nd to

�� #��

��

��

��"��

��

��

��

��Th

ere

is a

sho

rtag

e of

inte

rnal

Disagree100%

Agree

75%

50%

25%

��

��#��

�#

��!��

#��

��

��!��

��

��

��

�#

��!��

#��

��

��!��

��

��#��

��

��!

��

��

� ��

��

$��

��$��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

�

��

��

��

��

��

�

��

��

��

��

�

��

��

��

��

�

��

��

��

��

��

��

��

��

��

��

��

�

��

��

��

��

��

�

��

��

��

��

�

��

��

��

��

�

LEGENDS OF RISKTEC

…we got Gold again, of course.t lesurt iThe aud

No. 2 OF RISKTEC

again, of course.e in…rts a

27


4

In NASA’s heyday, the safety of the spaceshuttle was assured by a strict adherenceto ‘Flight Rules’. These were black andwhite rules that identified precisely whataction should be taken under specificcircumstances. For example, ifinstrumentation suggested a fuel cell hadfailed, the launch was cancelled. Noargument, even if instrumentationmalfunction was suspected. Theirpurpose was “to protect against thetemptation to take risks” (Ref. 1).

Continuous improvement? Flight Rules were developed over thecourse of the shuttle programme, andtook into account lessons learned fromboth real and simulated failures. As such,they grew in number steadily, and whilstthey undoubtedly saved lives they werealso responsible for an increasing rate ofaborted missions. Although it seemschurlish to argue with such an approachin the context of the hazards of spaceflight, as evidenced by the Challengerand Columbia disasters, it illustratesnicely one of the potential pitfalls ofblack and white safety improvement.

Black and white safetyComing back to earth, the major hazardindustries face a somewhat parallelsituation as standards mature. Lessonslearnt are continuously reflected inupdated or new regulations, codes andstandards, both from recognisedprofessional institutions and operators,for everything from nuts and bolts, tocranes, to blowout preventers. Themajority, like Flight Rules, are black andwhite – there are no shades of grey forcircumstances where the consequences offailure are limited or infrequent (orboth). Inevitably, compliance ratchets thecosts throughout the life cycle and foreach new project.

In the nuclear industry, which is arguablythe most mature (and most expensive),this vicious circle is broken to some extentby classifying equipment according to itsimportance to safety and tailoringrequirements to avoid gold-plating.

Maritime classification societies and theIMO, on the other hand, have introducedrisk-based rules and goal-based standards

respectively in recent years, which inprinciple provide more flexibility andsteer away from blind compliance.

ALARP thinkingIn the UK, the principle of reducing risksALARP (As Low As ReasonablyPracticable) adds into the mix a legalimperative for continuous improvement.In a nutshell, for new equipment theALARP principle requires compliance withrelevant codes and standards andadoption of good practice elsewhere as aminimum, together with consideration ofoptions for improvement, which can onlybe discounted if the time, trouble andcost are grossly disproportionate to thebenefit. If these improvements aresubsequently enshrined in updatedstandards or deemed to be relevant goodpractice, this becomes the new baseline.

The problem is compounded when moreand more preferential requirements areadded into standards by well intentionedtechnical authorities – something that isquite common in large operators withtheir own engineering standards. Thestandards can become complex, difficultto comply with and may even lead todesign solutions where the associatedsafety risk is actually higher than asimpler, cheaper design based oninherent safety thinking. Moreover, it is

difficult to see how raising standards adinfinitum is sustainable, economicallyspeaking.

Quite clearly, the solution to thisconundrum is to think hard about thepotential applicability of standards andmake clear the distinction betweenessential and nice-to-have requirementsin varying circumstances. At a high levelthis could take the form of specifyingwhen certain standards as a whole apply(and when they don’t). At a moredetailed level, within standardsthemselves, there is plenty of scope forspelling out any relaxations or offeringalternative risk-based avenues ofcompliance.

ConclusionIn a world where spiralling costs in thename of safety are a recipe for projectcancellations, the clear message tooperators and professional bodies is tobuild risk-based flexibility into otherwiseblack and white standards.

References1. Chris Hadfield, An Astronaut’s Guide to Life on Earth.

Contact: Steve Pearson (Warrington)[email protected]

Prescriptive safety: Have we gone too far?


5

Cyber security issues have pervaded almostall aspects of life as daily data breachesand hacked websites testify. In the railsector, where previously isolated controlsystems have become connected to theinternet, we have seen a new challengeemerge for engineers tasked withensuring system reliability, availability,maintainability, safety and now security(RAMSS).

There are very good reasons forconnecting control systems to the internet.Operating costs can be kept lower andreliability and performance can be greatlyimproved by providing more timelyinformation and instruction formaintenance. There is also a safety benefitfrom a reduction in human error.

Unfortunately the commercial drive forinternet protocol (IP) enabled systems hasbrought in security risks, with systems nowbeing exposed to hackers across theinternet. Hacking control systems is thenew and growing pursuit of hobbyisthackers, those with malicious intent andnation states alike. As more and more IPenabled and connected, commoditisedhardware is used, cyber related risk needsto be considered; it is now a given that anycurrent or future rail system may useproducts vulnerable to cyber attack.

Box 1 - Managing Control SystemCyber Risk

• Accept that cyber risk is now a part of everyday rail engineering activity

• Become cyber aware and take an interest in cyber related security issues

• Get a thorough understanding of the control systems in your domain and ensure that they have been cyber security risk-assessed and incorporated in the safety case

• Ensure control system vendors are able to provide evidence of a detailed third-party cyber security evaluation of their products

The reality of cyber riskProbably the first time the public wasmade aware of control system hackingwas in 2010 when the Stuxnet computerworm was widely reported to have

infected nuclear facilities in Iran. Atechnician plugged a worm infected USBstick into a control system PC. This adverselyimpacted the site’s centrifuges and theirability to enrich uranium. Over the pastyear other control systems have beenhacked due to weak system passwords orsimply because control systemadministration interfaces had no firewallor authentication mechanism in place.

Cyber risk and rail systemsThose responsible for infrastructure aretaking cyber risk seriously: the UKGovernment’s 2010 National Security Strategyrated cyber attacks a ‘Tier One’ threatalongside terrorism, war and pandemicdisease. Rail engineers need to take anequally serious approach to cyber risk.

In the UK, with the move to unifiedcontrol systems and regional operationalcentres, the impact of a successful cyberattack can have national implications.How might cyber security affect othersystems such as power, passengerinformation, asset condition monitoring,train door control, ticketing barriers andescalators for example?

Managing system riskRAMSS rail engineers have a key part toplay in managing cyber security risk, seeBox 1. They need to ensure that theadvantages delivered by new technologyand networks are not outweighed bycyber risk. Engineers should know enough

about cyber security issues to ask pertinent questions of system suppliers andimplementers, and in turn seek expertadvice if they have any doubt over thesafety and reliability of a system.

As such, cyber security is becoming an everincreasing requirement for inclusion inengineering safety cases. A safetyjustification for a technical system shouldconsider the impact of cyber security riskand demonstrate that safeguards are inplace to control this to an acceptable level.Safety cases lacking in this area areincomplete.

ConclusionWith many rail networks across the worldundergoing a transformation byintroducing IP enabled systems, cyber riskhas become a reality. Control systemsacross these rail networks are potentiallyexposed to cyber attack. To counter this,RAMSS rail engineers need to ensure thatsuch systems are security risk-assessedand any weaknesses are mitigatedproportionately, alongside othertraditional risks. After all, who wants tobe headline news in the next hackingscandal?

Contact: Anna Holloway (London)

[email protected]

Nigel Stanley, OpenSky,

a TÜV Rheinland company

[email protected]

Cyber Risk for the Rail Engineer

d RISKworld RISKworld RISKworld RISKworld RISKworld RISKworld R

6

UK Principal Office Wilderspool Park Greenall’s Avenue Warrington WA4 6HL United Kingdom Tel +44 (0)1925 611200 Fax +44 (0)1925 611232

EuropeAberdeenAlderley EdgeAshfordBristolCrawleyDerbyEdinburghGlasgowLondonThe Hague

Middle EastAbu DhabiDubai Muscat

North AmericaCalgary Houston (South East)Houston (Energy Corridor)

For further information, including office contact details, visit: risktec.com or email:[email protected]

The requirement for identification,specification and maintenance of SafetyInstrumented Systems (SIS) is containedthroughout legislation, with the industry-wide good practice standard being IEC61508, Functional safety of electrical/electronic/ programmable electronic safetyrelated systems. SIS are specific electrical orelectronic systems that prevent or mitigatethe effect of a hazard.

Practical problemsFor sites with legacy SIS in place there is aburden of responsibility on the siteoperator to demonstrate these systems arebeing managed actively and are fit forpurpose. However, there are a number ofpractical difficulties:

1. Requirement for quantitative or semi- quantitative assessment – previous assessments may have been qualitative only, therefore the additional data requirements and techniques involved may be unfamiliar.

2. How to assess all the relevant faults for each system? The list of potential faults

leading to the hazardous event can be extensive.

3. Some requirements of IEC 61508 may be difficult and expensive to retrofit to existing systems or to demonstrate retrospectively.

A proportional approach These difficulties may be overcome byadopting the proportional approachdescribed in Box 1. Using this high level,order of magnitude methodology allows aresult to be obtained using a relativelysimple methodology. The first and secondstages are applied to screen out low riskhazards, leaving only the significant risks.These are assessed using Layers ofProtection Analysis (LOPA) to revealwhether the existing SIS is required toprovide a Safety Integrity Level (SIL) ratedsafety function. The assessment can belargely based upon existingdocumentation and can quickly identifyany weaknesses in protection.

The fifth step is a review of whether theoverall risk can be regarded As Low As

Reasonably Practicable (ALARP), or if thereare further, or alternative safeguards thatcould be put in place.

ConclusionA high level approach is often sufficient toidentify any weaknesses in legacy safetyinstrumented systems. Where weaknessesare identified through LOPA, applying anALARP review can often highlight simpleprocedural or non-electrical/electronicengineering controls, thus avoidingunnecessarily onerous SIL requirementsaltogether.

Contact: Katy Skipworth (Edinburgh)

[email protected]

Functional Safety: A Proportional Approach to Legacy Safety Systems

Box 1 – Case study: Assessment of legacy plant

The client company operates sites with multiple legacy Safety Instrumented Systems (SIS) that required assessment to demonstrate that they are fitfor purpose. Risktec developed a simple, high level order of magnitude assessment to determine whether these systems were required to provide aSIL rated safety function, and whether other simple, non-SIS safeguards would be more appropriate. The stages of the methodology are:

Stage 1 - Identify HazardsA hazard identification exercise was carried out, utilising existing documentation including HAZOPs, HAZIDs, safety reports, etc.Stage 2 – Screen HazardsA simple risk matrix was applied to the identified hazards to assign likelihood and consequence scores. Where possible, existing hazard assessmentdocuments were used to facilitate this stage. A screening exercise was then used to identify major accident hazards to be carried forward forfurther assessment. The majority of hazards were discounted at this stage.Stage 3 - Identify Safety ControlsFor each major accident hazard, all existing prevention and mitigation safety measures were identified, not just the legacy SIS. Key data werederived from existing information sources, operational procedures and site walkdowns. Stage 4 - Determine SIL RequirementThe LOPA desktop technique was used to identify any risk shortfalls and the associated SIL requirements to address those shortfalls. This alsoidentified the reliability and integrity requirements of the legacy SIS.Stage 5 – Review ALARPEach shortfall was reviewed using a ‘Hierarchy of Protection’ strategy to identify additional risk reduction measures to be implemented. Thisavoided the use of a complex SIL-rated system in favour of a more appropriate or simpler technology option.

Identify Hazards

Screen Hazards

Identify SafetyControls

Determine SIL

Review ALARP

RISKworld RISKworld RISKworld RISKworld RISKworld ... · [email protected] Note 1 Awarded by...

Documents

Transcript of RISKworld RISKworld RISKworld RISKworld RISKworld ... · [email protected] Note 1 Awarded by...