
Peter Waite

Technical Report

14 July 2011

Thirty Years of Risk Assessment


By Eur Ing P J Waite MA MSc C Eng C Math MIGEM FIMA CDipAF

Development of Methods to Control Major Accidents in the Process Industries 1981 to 2011

INTRODUCTION
This report is based upon a recent paper presented at the meeting to celebrate the thirtieth anniversary of the Safety & Reliability Society [i]. References to my previously published papers are given in end notes; other references are given as footnotes.

I commenced my career in Chemical Engineering and Process Safety by studying the potential hazards from accidental releases of dangerous materials, principally liquefied natural gas (LNG), but the methods were applicable to all volatile hazardous fluids. I helped to develop mathematical models of liquid spill, spread and vaporisation [ii], then dispersion [iii]. I then became involved in the whole quantitative risk analysis process and managed many studies on refineries and plants producing and handling LNG, LPG, other liquid hydrocarbons, petrochemicals, chlorine, ammonia, sodium cyanide, titanium dioxide, aluminium tetrafluoride and others. I also carried out environmental risk assessments on mining projects.

As I became more involved with the investigation of accidents I became aware of the key role played by human factors and safety management in the accident sequence and the underlying causes. This led to projects studying safety management, leadership and the role of human factors both in preserving plant integrity and in the causation of accidents. I led several research projects for the HSE examining how to ensure safety management was maintained or improved during business re-organisation in the nineties, and how to assess the impact of changes to operating arrangements on the safety of plant in a systematic way.

STATUS OF PROCESS SAFETY METHODS IN 1980


Prior to my involvement in Process Safety many techniques had been developed. Amongst them the most comprehensive approach was defined in the ICI six stages of Hazard Studies (see for example Reference [1]), which encompassed hazard identification, frequency assessment, consequence analysis and risk assessment and the management of process safety during projects. I used many of the principles of the ICI approach when I assisted with the production of the IChemE guide [iv]. Specific techniques for the process industries had been developed and guidance was available, such as the HAZOP guide [2]. Other techniques were adopted from elsewhere, such as Fault and Event Tree Analysis [3]. Trevor Kletz was also writing on Human Factors but describing it in terms of the lessons to be learned from accidents and the need to simplify plants (e.g. C&I paper [4]).

The first edition of Frank Lees' encyclopaedic work [5] was available as a reference to many of the techniques then available, together with some example data on failure frequencies. Together with the Yellow Book [6] it provided sufficient information to perform some straightforward risk assessments, but it was preferable to use more realistic accident consequence models such as Cox & Carpenter [7]. Former colleagues at Cremer & Warner, AEA SRD, Shell Research, TNO and universities in the USA developed consequence models for vapour cloud dispersion, fires and explosions. These were in use for hazard analysis studies for the purposes of siting new process plant, plant layout studies and emergency planning, but not yet for advising on control of development near existing plants.

Software to help perform Quantitative Risk Analysis was being developed and had been used to assess the safety impacts of LNG import terminals in the USA [8], Belgium [9], Netherlands [10] and Germany [11], as well as Canvey in the UK [12] and an LNG export facility in Western Australia [13]. Fault tree and event tree analysis had been developed for use in other industries and was being applied, although published data on component failure rates was sparse; some companies had compiled internal data books and others borrowed relevant data from the nuclear industry (e.g. WASH 1400 [14]). There were also some proprietary databases that could be accessed for a fee, such as the SRD Databank, but much of the data for this was also collected from the nuclear industry.

There were some attempts at abstracting failure rates from historical records, notably pressure vessel failure rates [15], but systematically collected data for process safety was not available until the late 1980s, and offshore oil and gas remains the best served area for application specific data. Two major risk assessment projects had been carried out in the late 1970s which established the approach used for Quantitative Risk Assessments in the 1980s and 1990s: the Canvey Reports [16] and the Rijnmond (COVO) Report [17].

[1] R D Turney, Identification and Control of Accident Sources on Chemical Plant, World Conference on Chemical Accidents, Rome 1987 (earlier internal ICI and other publications)
[2] CISHEC/8906/1000, CIA, Guide to Hazard and Operability Studies, 1977 (first paper on HAZOP: H.G. Lawley's 1974 paper presented at AIChE Prevention Symposium)

[3] T. Kletz (1983) HAZOP & HAZAN - Notes on the Identification and Assessment of Hazards, Institution of Chemical Engineers
[4] T. Kletz (1978) Chemistry & Industry, 6 May 1978, page 278, "What you don't have, can't leak"
[5] Lees, Loss Prevention in the Process Industries, First Edition, 1980
[6] TNO (Yellow Book) "Methods for calculation of physical effects", published by CPR 14E [Commission for the Prevention of Disasters caused by Hazardous Materials]
[7] Further Development of a Dense Vapour Cloud Dispersion Model, R A Cox & R J Carpenter, 1979, Battelle Institut Symposium Schwere Gase, Frankfurt
[8] Cove Point LNG Terminal Risk Assessment, SAI (1977)
[9] Zeebrugge, Cremer & Warner Report for Clients
[10] Emshaven, Cremer & Warner Report for Clients
[11] Wilhelmshaven, Cremer & Warner Report for Clients
[12] HSE, Canvey - An Investigation of Potential Hazards from Operations in the Canvey Island/Thurrock Area, and Canvey (2nd Report) - A Review of Potential Hazards from Operations in the Canvey Island/Thurrock Area Three Years After Publication of the Canvey Report (1981), HSE Books
[13] Withnell Bay, Western Australia, Cremer & Warner Report for Clients
[14] WASH 1400 Reactor Safety Study, An Assessment of Accidental Risks in US Commercial Nuclear Power Plants (1975), N Rasmussen, Report for US Nuclear Regulatory Commission
[15] Smith, T.A. and Warwick, R.G. (1981), A survey of defects in pressure vessels in the UK for the period 1962-1978 and its relevance to nuclear primary circuits. SRD report R203.

ACMH reports [18] (commissioned following the Flixborough disaster in 1974 and the subsequent inquiry [19]) mapped the way forward for regulation of process safety for the UK in terms of Notification of Hazardous Installations, Demonstration of Safety (Safety Case or Report) and Planning Controls through Land Use Planning, a system that remains in place today and has been adopted by the European Union (Seveso Directives [20]). Although I was not involved in the original developments in the 1960s and 1970s, I have been involved in the developments in Quantified Risk Assessment and Process Safety generally since 1981.

CONSEQUENCE ANALYSIS
In the 1970s there had been development of both simple Consequence Analysis models and more complex two and three dimensional finite difference solutions to the Navier-Stokes and conservation equations. One of my first tasks was to carry out comparisons of some of the available models of each type with field scale dispersion trials [21]. Some of this work was published by the client [22]. My analysis at this time was focussed on trying to assess the impacts of the Worst Case Credible scenarios, or Real Foreseeable Events as they were sometimes called. Nowadays they might be referred to as Design Base Accidents or the basis for survivability criteria, and use a consequence not exceeded at a specified frequency derived from a risk analysis.

During the course of this work there were some refinements to the simple modelling methods which led to published papers on Spill Spread and Vaporisation [v] and Dispersion Modelling. I also managed the work of specialist subcontractors performing 3D CFD modelling and developed enhancements of simple box models [vi]. Much of this work was for the second Canvey Inquiry on behalf of British Gas Corporation. At this time (the early 1980s) I was responsible for the conversion of consequence model programs to run on the early Apple microcomputers, which involved coding specialist mathematical subroutines for numerical methods that had been in library folders on the mainframes (e.g. the NAG library) but were not available on microcomputers.

QUANTITATIVE RISK ANALYSIS


Early QRA Experience

In 1981 it was unusual to perform full Quantitative Risk Analysis (QRA), even on new projects, but Cremer and Warner had produced QRA studies for LNG facilities and some other facilities as referenced above. Only a few regulators around the world (mainly in north-west Europe) even considered QRA. Most relied at best on consequence based separation distances (based on a representative worst case) but more frequently on standard industry code separation distances, which were often designed to protect plant rather than people and did not consider major accidents.

[16] Canvey Report, see [12]
[17] Study of Six Potentially Hazardous Industrial Objects in the Rijnmond Area (COVO Report), 1982, published by D Reidel
[18] Advisory Committee on Major Hazards, HSC: First Report 1976, Second Report 1979, Third Report 1984
[19] Health and Safety Executive, The Flixborough Disaster: Report of the Court of Inquiry, 1975
[20] EU Directives 82/501/EEC (Seveso 1) and 96/82/EC (Seveso 2)
[21] Maplin, Frenchman Flats and Thorney Island (Journal of Hazardous Materials, 16 (1987))
[22] The simulation of dense vapour cloud dispersion using wind tunnels and water flumes, C I Bradley and R J Carpenter, in IChemE Symposium Series no. 80, International Symposium on Loss Prevention and Safety Promotion in the Process Industries, 1983

One of my early projects was a comparison of simple QRA methods with the defined scenario consequences approach [vii] in the form of the US Federal Standard (49 CFR Part 193 of 1980). This used the consequences of a ten minute release from the largest pipe on site to determine the safe separation distance to residential and other areas. For the relatively simple gas-liquids separation, storage and export facility it was relatively simple to carry out consequence modelling for a range of scenarios with off-site effects and calculate the risk to people from each, enabling individual risk and societal risk to be calculated manually. (This work was done before spreadsheets were available to make this easier.) Using published criteria for thermal radiation (from the US Standard) and risk (from the Netherlands and UK) it was shown that, given a good choice of representative worst case event and use of consistent consequence models, the code and risk based approaches might agree. This was then used to settle a dispute between the State Government and the Operator over the required separation distances.

Risk Criteria

Inevitably this leads to a discussion of risk criteria for both individual and societal risk, on which I published a paper [viii] with David Hagon. There were two Royal Society discussions [23] and early versions of the HSE Discussion Document on Tolerability of Risk [24] derived from the ACMH reports referred to above, which set the basis for risk criteria in the UK and the development of the ALARP (As Low as Reasonably Practicable) approach. The UK experience with major accident related regulation and risk criteria was described in a paper [ix] that I co-authored with Professor Beveridge, which was presented as a keynote paper at an Irish IChemE meeting and which may have influenced the Irish approach to the Seveso Directives. In another paper [x] we discussed the various international criteria relating to risk.
[23] Risk Assessment, Report of a Royal Society Study Group, The Royal Society, London, 1983; Risk: Analysis, Perception and Management, The Royal Society, London, 1992
[24] Tolerability of Risk, HSE Discussion Paper, now superseded by Reducing Risk Protecting People, HSE

Plant Layout and Siting

A practical approach to plant layout and siting was developed by myself and colleagues at Cremer and Warner in the mid-eighties. The concept was to define Real Foreseeable Accidents, i.e. those that might have a significant chance of happening within the lifetime of a small number of plants and which should therefore be designed not to cause fatalities or a high chance of escalation. This was in essence similar to the 10^-4 per year criterion specified first for Norwegian Offshore installations (survivability of safety critical functions) in the late eighties (NPD Regulations) and later applied onshore to protect escape routes and give a criterion for the design loads that tanks, vessels, pipework and their supports should be able to withstand to avoid escalation.

I used these ideas together with QRA to develop Guidance on the layout of gas plants for Total Oil in the late eighties, initially for development of the St Fergus Plant but later generalised for worldwide use. This gave specific advice on spacing between process trains, storage, control room, administrative buildings and adjacent plants (from the viewpoint of risk of domino between plants containing dangerous materials and protection of both workforces). Although this client work was never published in the open literature by Cremer & Warner, it was used to establish the Total company standards.

In the early 1990s I secured a major QRA study for Cremer & Warner involving the hazard identification, risk assessment and emergency planning advice for the Petrobras Refinery at Cubatao (RPBC). This work was required as a condition of IMF funding for improvements and new units at the refinery, to ensure that the refinery did not impose unnecessarily high risk on neighbouring populations and that the layout took account of major accidents that could affect the workforce. The results were presented at a joint IChemE / Royal Society of Chemistry Safety Professionals Meeting [xi]. I was Project Director, involved in much of the delivery, and main technical reviewer for this study, which involved several months of HAZOP, qualitative risk assessments with the refinery staff, detailed QRA and interpretation for layout and emergency response planning.

In the late 1980s and 1990s it was normal to present a full QRA study in support of a planning application for a new process plant or an extension to an existing site, mainly to demonstrate to the Local Planning Authority that the risks to neighbours were being managed and were not intolerable. The QRA would also assist the HSE in that it would define the presence of major hazards and present data that they could use in their own assessments. The QRA reports we prepared also contained initial information on safety management systems and emergency response issues. These were prepared in advance of the Safety Case under Seveso 1 [25] and anticipated the requirement for a pre-construction Safety Report under Seveso 2 [26]. I wrote several papers with colleagues on the role of QRA in the submission of planning (permitting) applications for facilities with major accident potential [xii]. Since 1999 it is a formal requirement throughout the EU to give information on the potential major accidents and show that all measures necessary have been taken to prevent them and mitigate the consequences of those that may still occur. In order to do this some form of risk assessment is normally required.

Recent Developments

There are now several different approaches to the assessment of process safety or technical risk.
As well as QRA we have access to formal methods for Levels of Protection Analysis (LoPA), Safety Integrity Level (SIL) Assessment and various Qualitative or semi-Quantitative Risk Assessment Methods. At Entec my team developed a structured approach to assessments in advance of the pre-Construction Safety Report (during Detailed Design), with the ability to provide information to inform the permitting, licensing or planning application stage at the end of Front End Engineering Design (FEED) as well as influencing the design itself prior to sign off of the FEED project design:

- HAZOP with opportunity for Risk Ranking and identifying scenarios with high risk;
- LoPA (Levels of Protection Analysis) identifying whether protection measures are adequate (are there sufficient independent measures to reduce risk and, where these are instrument control loops, what reliability is required). This may involve a semi-quantitative risk assessment, using a risk assessment matrix to define the residual risk levels from scenarios leading to major accident hazards and to identify the risks which require reduction;
- SIL (Safety Integrity Level) Assessment [27] to verify that the design proposed meets the required reliability for the safety critical instrument control loops;
- Quantification of residual risks arising from scenarios ranked as high, taking care to ensure that these are the risks from all potential incidents leading to the defined scenario (i.e. leaks from all the equipment in a particular section, not just a single point of failure), including, where necessary, summing the risks from all scenarios that may affect a particular receptor.
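The LoPA, SIL and residual risk quantification steps listed above can be worked through numerically. The following Python sketch is an added example, not taken from the report or from the Entec method: the scenarios, frequencies, PFDs, per-scenario target and fatality probabilities are all constructed, and the SIL bands are the IEC 61508 low demand mode ranges.

```python
"""Added illustration (not the report's code): LoPA gap, SIL band, receptor risk.
Every frequency, PFD, target and fatality probability below is constructed."""
from dataclasses import dataclass
from math import prod

# IEC 61508 low-demand bands: SIL n covers 10^-(n+1) <= PFDavg < 10^-n
SIL_BANDS = ((1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4))
TARGET_PER_YEAR = 1e-5  # constructed tolerable frequency per scenario


@dataclass
class Scenario:
    name: str
    initiators: dict   # per-year frequency of EVERY source in the plant section
    ipl_pfds: dict     # PFD of each existing independent protection layer
    p_fatality: dict   # P(fatality | event) at each receptor

    def unmitigated_frequency(self):
        # Sum all sources in the section, not a single point of failure.
        return sum(self.initiators.values())

    def frequency(self, sif_pfd=1.0):
        # Event frequency after existing layers and an optional instrumented loop.
        return self.unmitigated_frequency() * prod(self.ipl_pfds.values()) * sif_pfd


def required_sif_pfd(scenario, target_per_year):
    """Largest PFD an added instrumented loop may have and still meet the target."""
    return target_per_year / scenario.frequency()


def sil_for(required_pfd):
    """None: existing layers suffice. 0: a loop below SIL 1 is enough."""
    if required_pfd >= 1.0:
        return None
    if required_pfd >= 1e-1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= required_pfd < high:
            return sil
    raise ValueError("more than SIL 4 needed: change the design instead")


def assess(scenarios, target_per_year):
    """LoPA result per scenario: (required loop PFD, SIL band or None)."""
    out = {}
    for s in scenarios:
        req = required_sif_pfd(s, target_per_year)
        out[s.name] = (req, sil_for(req))
    return out


def loops_at_target(scenarios, target_per_year):
    """Loop PFDs that only just close each LoPA gap."""
    results = assess(scenarios, target_per_year)
    return {n: req for n, (req, sil) in results.items() if sil is not None}


def contributions(scenarios, receptor, sif_pfds):
    """Residual individual risk per scenario at one receptor, largest first."""
    rows = [(s.name, s.frequency(sif_pfds.get(s.name, 1.0))
             * s.p_fatality.get(receptor, 0.0)) for s in scenarios]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def receptor_risk(scenarios, receptor, sif_pfds):
    """Sum over ALL scenarios that can affect the receptor."""
    return sum(risk for _, risk in contributions(scenarios, receptor, sif_pfds))


SCENARIOS = [  # constructed sample plant section
    Scenario("separator overfill",
             {"level valve fails": 0.1, "outlet blocked": 0.05, "line-up error": 0.05},
             {"high-level alarm and operator": 0.1, "relief to flare": 0.01},
             {"control room": 0.1, "site boundary": 0.01}),
    Scenario("LPG pump seal jet fire",
             {"pump A seal": 0.02, "pump B seal": 0.02, "flanges": 0.01},
             {"gas detection and isolation": 0.1},
             {"control room": 0.5}),
    Scenario("tank overpressure",
             {"blocked vent": 0.001},
             {"relief valve": 0.01, "pressure alarm and operator": 0.1},
             {"control room": 0.2, "site boundary": 0.05}),
]

if __name__ == "__main__":
    for name, (req, sil) in assess(SCENARIOS, TARGET_PER_YEAR).items():
        print(f"{name}: required loop PFD {req:.3g}, SIL {sil}")
    loops = loops_at_target(SCENARIOS, TARGET_PER_YEAR)
    for receptor in ("control room", "site boundary"):
        print(receptor, f"{receptor_risk(SCENARIOS, receptor, loops):.2e} per year")
        print("  ranked contributors:", contributions(SCENARIOS, receptor, loops))
```

With these constructed figures every scenario meets its own target once the loops are fitted, yet the summed risk at the control room is larger than any single contribution, which is the reason for summing over all sources and scenarios.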

[25] Control of Industrial Major Accident Hazards Regulations (CIMAH) 1984 in the UK implemented Seveso 1.
[26] Control of Major Accident Hazards Regulations (COMAH) 1999 in the UK implemented Seveso 2.
[27] See IEC 61508 and IEC 61511

Where necessary, discussing measures to reduce the risks further to satisfy the requirement to reduce risks to as low as reasonably practicable (ALARP). Analysis of scenarios contributing significantly to residual risks and discussion of prevention and mitigation measures feeds directly into the Safety Report (Case).

Developments in the Vicinity of Major Accident Hazards

I have been involved in advising on planning developments in the vicinity of Major Accident Hazards (now COMAH Installations in the UK) and Major Accident Pipelines since 1982, when the first DoE Planning Circular was issued on this issue, subsequently updated with DoE Circulars 11/92 and 04/00 on the introduction of Planning Controls under amendments to Seveso 1 and then the introduction of Seveso 2. The HSE advise the Local Planning Authorities in the UK on this through a system known as PADHI [28]. This is based on earlier work by the HSE on the use of QRA in Land Use Planning [29].

The PADHI system uses the maximum inventories of the most dangerous materials that could be on a site under the terms of its Hazardous Substance Consent to determine Land Use Planning Zones around the site, with various categories of development being advised against in each zone. Restrictions become less severe with increasing distance from the site. The zones are generally calculated on a precautionary basis although, in some cases, they have been developed using a cautious best estimate of quantified risk. In many cases these zones are larger than necessary because the operator does not process or store hazardous substances in the quantities allowed by the consent, or does not use the most dangerous substances within the generic categories of substance.
I have advised developers on how to approach operators with proposals for amendments to the Hazardous Substance Consent that will reduce the size of the Consultation Zones and therefore allow development to proceed by changing the HSE advice. In some cases it has been possible to get operators to accept conditions for certain fixed safety measures (such as improved bunding) to reduce the PADHI Zones. In some cases the HSE will continue to advise against but, if the Local Authority understands the level of risk, it is balanced by other benefits and the risk is not intolerable, then HSE do not follow up their advice with a request for an Appeal. I have been involved in redesigning development so that societal as well as individual risk is limited and within limits of tolerability.

Recent work (2009-2011) has involved advising London Thames Gateway Development Corporation, London Development Agency and others on the policy for developments near gas holders and gas pipelines in congested areas such as East London, where there is a shortage of land for housing and other development and a need for regeneration to be balanced against the residual risks posed by major hazards. The work has included demonstration of the risk reductions that can be achieved by improving the integrity of installations, for example by relaying pipelines in thick wall pipe, as described in codes such as IGE/TD1 [30]. (I had a small role in updating the previous edition.) It is also possible to advise on protective measures for the developments to reduce the risks to their occupants, but clearly the most effective protection is obtained by separation and layout to facilitate safe evacuation rather than the provision of strengthened shelter, which may not protect against all events.

[28] Planning Advice for Development near Hazardous Installations, HSE, September 2009
[29] Risk Criteria for Land Use Planning in the vicinity of Major Hazards, Health & Safety Executive, HMSO 1989; Quantified Risk Assessment: Its input to Decision Making, Health & Safety Executive, HMSO 1989 (now PADHI)
[30] Steel Pipelines and Associated Installations for High Pressure Gas Transmission, IGEM/TD/1 Edition 5, 2008


SAFETY CASES
At Cremer & Warner I was very concerned that the Safety Case should be a useful tool for management and not just a regulatory checklist to satisfy. In that regard I was proposing a document that demonstrated not only that there was a design and management system to ensure safety but that they were both properly maintained and kept up to date [xiii]. Papers on the use of Safety Cases [xiv] repeated the theme that Safety Cases or Reports should not just be submitted to regulatory authorities but should also be useful to management and as a training source, emphasising what was necessary to maintain the asset(s) in a safe condition. My papers also emphasised how Safety Cases at different stages would have different uses and how the discipline of preparing a safety case, or justification, early could reduce overall costs as well as risks [xv]. The Concept Safety Evaluation approach for offshore projects was developed in the early 1990s and formed the justification for selection of designs such as the Scott Field Development (Amerada Hess), for which I performed early comparative risk assessments at the Concept Stage.

Other industries have also adopted the Safety Case approach. In 2000 I was asked to lead an Entec team providing Expert Reports to the Ladbroke Grove Rail Inquiry [31] and I also gave Oral Evidence on behalf of the Inquiry based on the experiences of the Process Industries with Safety Cases and Accident Investigation. The main thrust of the evidence [xvi] was that both the preparation of Safety Cases and the Investigation of Accidents should be learning processes which lead to improvements in safety. The evidence on Safety Cases explored the philosophy that the Safety Case should provide the arguments that demonstrated the operation was safe, supported by evidence (policies, management systems, processes, audits, reviews and analysis), discussion of challenges to the argument or evidence, and the rebuttal of those challenges. This approach to a case or argument is based on the ideas of Toulmin [32].

INTEGRITY MANAGEMENT
Large companies, particularly oil and gas majors and multinational chemical companies, have combined Health, Safety and Environment management systems (HS&E), some of which also include Security (HSSE). These incorporate Process Safety, Loss Prevention (Asset and Production) and Environmental Risk Management, covering People, Process and Plant issues in a comprehensive manner. The underlying theme is to prevent the process fluids being released to the environment or the environment entering (contaminating) the process. Thus the fundamental requirement is to maintain the integrity of containment and control over the processes. Corporate and regulators' requirements may overlap and it is important to ensure that both are covered while minimising the duplication of effort.

The assurance of integrity in this comprehensive sense involves not only the preparation and review of a safety case and environmental statement but also assurance that security and all occupational health & safety requirements are met, plus ensuring that there are no technical problems associated with delivery of the project or maintenance of an existing asset. I was involved for three years (2005-2008) with the overall assurance of safety, environmental and technical issues on the BP DF1 Project (Decarbonised Fuel or Pre-Combustion Carbon (Dioxide) Capture and Storage) involving production of hydrogen and carbon dioxide from natural gas, separation, hydrogen fuelled combined cycle gas turbine electricity generation and export of carbon dioxide for compression and use for enhanced oil recovery offshore.

In order to manage the Assurance Process I developed the Claims Argument Evidence approach, using commercial software to show how the technical studies supported the project's claims on Safety, Environmental and Technical Issues. I used this to support the BP internal (but independent of the project) peer review for Project Sanction. I also participated in the Peer Review of the Ichthys Project for Amec in 2010, one of the largest offshore floating production and processing facilities.

[31] The Ladbroke Grove Rail Inquiry: Part 2 Report, The Rt Hon Lord Cullen, 2001
[32] Toulmin S, Rieke R and Janik A (1979) An Introduction to Reasoning, New York: Collier Macmillan

HUMAN FACTORS
General

I became interested and involved with the subject that is now known as Human Factors through investigation and study of past major accidents. Part of my initial training at Cremer & Warner was to research previous accidents and their underlying causes. I came to understand that the causes of accidents are generally individual responses shaped by management and culture. The responses can be at any stage of a project and by all types of staff involved.

Major Accident Investigation

I entered the Process Safety profession too late to be directly involved with either Flixborough or Seveso, but there was a wealth of information available on both within both the library of Cremer & Warner and the personal recollections of staff. Together with the understanding of the implications of the Advisory Committee on Major Hazards Reports, this enabled us to respond to major accidents in the 1980s and 1990s. I was involved in a minor support role to the Cremer & Warner teams for the King's Cross (1987) [33] and Piper Alpha (1988) [34] major accident inquiries. I was then the lead independent investigator (on behalf of Texaco) of the 1994 Pembroke Cracker Explosion and Fire [35], then assisted in the preparation of their mitigation statement in response to the HSE prosecution and the presentation made to a meeting of the Institution of Petroleum Refinery Managers and the HSE on the underlying causes and lessons learned.

At the Ladbroke Grove Inquiry I led the team preparing evidence on behalf of the Inquiry concerning the Railway Industry's use of Safety Cases, their Safety Management Systems, Accident Investigation performance and the use of Group Standards. I presented the Oral evidence on Safety Cases and Accident Investigation, as well as participating in a group workshop on QRA.
I have also been commissioned to examine other accidents such as BHP Blast Furnaces (2), Pembroke Refinery Hydrogen Leak and fire 2003, ICL Plastics (Stockline) LPG Explosion, Glasgow 2004 [36] and a gas distribution network pipe failure and explosion in Edinburgh (2005). There are a variety of common themes running through accidents, such as complacency, operators fitting the facts to their own model of what should be happening (misleading instrument readings), well intentioned deviations from procedures, and informal modification of plant or process, which are all closely related to human factors.
[33] Investigation into the King's Cross Underground Fire, Desmond Fennell OBE QC, published by HMSO, 1988
[34] The Public Inquiry into the Piper Alpha Disaster, Cullen, The Honourable Lord, HM Stationery Office, 1990
[35] The Explosion and Fires at the Texaco Refinery, Milford Haven, 24 July 1994 (Incident Report), HSE 1997
[36] The ICL Inquiry Report: Explosion at Grovepark Mills, Maryhill, Glasgow, 11 May 2004, by Brian Gill, 2009

I have recently presented a paper [xvii] on one type of accident cause, misunderstanding of instruments or lack of information, which has led to several major accidents, including Three Mile Island, Pembroke Cracker, Texas City, Buncefield and many more.

Human Factors Techniques

There have been many approaches to assessing the impact of Human Factors on Major Accident Risks. The original edition of Lees [5] gave the chances of operators choosing an incorrect action or failing to notice a warning according to whether they were undertaking a routine operation or working under stress in an emergency, for example. One of the earlier methods of predicting human error rates, THERP [37], was developed in the nuclear industry. There are now more sophisticated methods of human error rate prediction such as SHERPA [38], HEART and JHEDI [39]. These are used in fault tree analysis and similar methods to establish the likelihood of incidents (top events) and the main contributors to them. This enables the most important areas (those contributing most to risk) to be targeted for risk reduction. However, this has been seen as a mechanistic or numerical approach to what is a softer set of problems involving leadership, organisation and culture. Therefore a number of qualitative approaches have been developed and are now advocated by the HSE [40] and Energy Institute [41] to ensure that the human factor contribution to the risk of major accidents can be reduced.

Although I was aware of the contribution of human factors to major accidents through study and minor involvement in accident investigation in the eighties and early nineties, it was not until my deep involvement with the 1994 Pembroke Cracker Incident that I was able to contribute to the development of techniques to assess and improve the contribution of human factors to safety. One of the key steps is ensuring that safety critical equipment and processes (or tasks) are identified and addressed correctly.
This means that the design should take account of the operators' likely actions and information needs, not only in the physical layout but also in the provision of adequate information to understand what is happening during upset conditions, as discussed in Waite (2010) [xvii]. Designers should ensure that provisions are made for information on process flows and liquid levels in vessels, particularly when the latter are outside normal operating limits but within what the operators expect to be the capacity of a vessel. The lack of this information has led to a misinterpretation of the physical situation and major accidents including Three Mile Island, Pembroke, Texas City and others. This is a proper topic for consideration by a HAZOP team as well as human factors specialists during assessment of safety critical tasks and maintenance or test frequencies for safety critical equipment.

[37] Swain, A.D. & Guttmann, H.E., Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications. 1983, NUREG/CR-1278, USNRC.
[38] Embrey, D. E. (1986) SHERPA: A systematic human error reduction and prediction approach. Paper presented at the International Meeting on Advances in Nuclear Power Systems, Knoxville, Tennessee.
[39] Kirwan, B. (1996) The validation of three human reliability quantification techniques - THERP, HEART, JHEDI: Part I - technique descriptions and validation issues. Applied Ergonomics. 27(6) 359-373; and Kirwan, B. (1997) The validation of three human reliability quantification techniques - THERP, HEART, JHEDI: Part II - Results of validation exercise. Applied Ergonomics. 28(1) 17-25.
[40] HSE Onshore Human Factors: http://www.hse.gov.uk/humanfactors/index.htm and Offshore: http://www.hse.gov.uk/offshore/humanfactors.htm
[41] Energy Institute HF Tools: http://www.energyinst.org/technical/human-and-organisational-factors/humanfactors-top-ten

I have also been the Project Director for various research and development projects, sponsored by the HSE, with the aim of developing systematic methods to examine the human aspects of preventing major accidents. The principal output of this work was a systematic method for the assessment of HF issues in the control of abnormal situations and pre-cursors to major accidents. This was published as an HSE Contract Research Report, Staffing Assessment[42], along with a further research report on a method for assessing the Standard of Supervision[43] of shift teams managing major hazard processes. Although this does not provide direct input to QRA, it enables an assessment to be made of the potential impact of human factors issues on the ability of an organisation to manage the risk from major hazard processes.

I consider that assessment of human factors is absolutely necessary in process safety assessments, but it is not amenable to treatment in quantified risk assessment. Assessment of the likelihood of failure of technical systems by QRA is complemented by qualitative assessment of the standards of Managing human failures, Staffing Levels, Management of Fatigue and shift work, Safety critical communications, Human factors adopted in design, Procedures, Competence, Management of Organisational change, Organisational culture, and Maintenance, inspection and testing in order to ensure that major accident risks are reduced ALARP.

RISK MANAGEMENT
Corporate Governance and ethical behaviours

Comprehensive consideration of risks for projects and enterprises is becoming more common. I started considering business risks alongside safety risks in the 1990s when Corporate Governance became an issue with the Cadbury[44] and Turnbull[45] reports. I published a paper[xviii] with my then manager on a systematic method for assessing all types of risk. Shell International developed a risk assessment matrix as a basis for risk management across several areas including safety, environment, technical and financial issues. This allows prioritisation of control and mitigation against events which impact on different aspects in a consistent and holistic approach. A similar approach to risk management was developed in Australia and New Zealand[46] and by IRM and others[47], and the latest development is a set of international standards issued by BSI[48].

Recent work has included development of risk assessment models for organisations involved in multiple projects, where risks common to a number of projects could present a more significant risk to the organisation as a whole than is apparent from the risk assessment for individual projects. Current work is addressing the management of the whole range of risks faced by a North Sea Operator with projects for new developments, tie-backs to existing platforms and renovation of assets whilst operating multiple platforms.

[42] Assessing the safety of staffing arrangements for process operations in the chemical and allied industries. Prepared by Entec UK Ltd for the Health and Safety Executive. CONTRACT RESEARCH REPORT 348/2001
[43] Different types of supervision and the impact on safety in the chemical and allied industries: Assessment Methodology and User Guide. Prepared by Entec UK Ltd. for the Health and Safety Executive. RR292
[44] Financial Aspects of Corporate Governance Committee, Sir Adrian Cadbury, December 1992
[45] Financial Reporting Council, Internal Control: Revised Guidance For Directors On The Combined Code, October 2005 [Internal Control: Guidance for Directors on the Combined Code (The Turnbull guidance) was first issued in 1999]
[46] Risk Management Standard AS/NZS 4360:2004
[47] A Risk Management Standard, Institute of Risk Management 2002
[48] ISO 31000 Risk Management Principles

ADVICE TO REGULATORS
Techniques for assessing process safety have largely been generated by industry, consultants or academia; however, the public expects that the process industry will be controlled by competent regulators working to enforce regulations that are suitable and sufficient to ensure the safety of the public. In many situations the public expect no threat to their personal safety from industrial activities, although it is widely recognised that this goal cannot be achieved. Nevertheless the public should be able to expect that they are protected against all foreseeable events and that they will be offered some level of protection in extreme events.

World Bank

Following the Bhopal tragedy in 1984 there was increased global awareness of the potential for catastrophic accidents from process plant. The EU and the UK in particular had been preparing regulations on the identification (notification) and regulatory control of plant with major accident hazard potential. The World Bank immediately recognised that in its role as funding agency for industrial development it may have a role in promoting developments exporting risk to developing countries where local regulation might not be sufficient to ensure the risk was controlled to tolerable levels. Therefore the officers responsible sought advice from Cremer & Warner on the development of Guidelines for Developments with Major Accident Potential. A colleague and I developed the text of guidance along with an officer of the bank[49], which was based on the UK CIMAH Regulations[50] implementing the original EC Seveso Directive[51]. This work was followed by presentations to the World Bank and USA Regulators in Washington[xix].

Major Accident Investigation

Entec was appointed to assist Lord Cullen's Inquiry into the Ladbroke Grove Rail Accident, which occurred in 1999. I led the production of reports[xvi] and evidence on Safety Management Systems, The Use of Safety Cases, Accident Investigation and the Role of Group Standards in a Safety Regime.
I also participated in a workshop on the use of QRA in the Rail Industry. This work was inspired by the opinion of the instructing lawyers that the Rail Industry could learn from the Process Industry's experience and the fact that Railtrack had called in DuPont to advise on safety following the accident. I gave the oral evidence on Safety Cases and Accident Investigation over about one and a half days. This contributed significantly to Lord Cullen's recommendations on the future of Rail Safety in the UK.

Response to Consultation

The HSE circulate requests for comments on proposed regulations and options within them prior to final submission to Parliament for approval. Following the Buncefield explosion and fire in 2005 the HSE proposed revisions to their approach to Land Use Planning advice for developments in the vicinity of COMAH establishments (PADHI)[52]. The HSE had not taken account of explosion risks in their land use planning advice around highly flammable bulk liquids storage prior to Buncefield. Following the accident it was considered prudent to include consideration of overpressure from vapour cloud explosions as well as thermal radiation from pool fires. However there remained uncertainty about the mechanism for generating the high overpressure. Even when further research identified a potential mechanism there was no easily available method for making generic predictions for such events. Therefore a precautionary approach was proposed, based on Buncefield as a credible worst case event, which would generally advise excluding any occupied buildings within the area that had been subjected to heavy building damage at Buncefield. I responded in both a personal capacity and on behalf of clients with an argument in favour of this new inner protection distance and some extension of the existing inner, middle and outer zones but no change to generic advice within these zones.

[49] World Bank 1985 Guidelines for the Assessment of Major Accident Hazards
[50] Control of Industrial Major Accident Hazards (CIMAH) Regulations 1984 HSE
[51] EC Directive 81/ / Control of Industrial Major Accident Hazards
[52] HSE CD211 Proposals for revised policies for HSE advice on development control around large-scale petrol storage sites. 2007

At the same time HSE was also consulting on the use of societal risk criteria[53], particularly where some populated areas were subject to risk from several COMAH sites and increasing development around some sites, even following the individual risk based LUP advice. My response discussed the anomaly at present in the UK approach whereby a consequence based Consultation Zone and levels of advice is used for flammable liquids storage and gas storage but all other COMAH establishments have risk based advice. This anomaly will cause some problems if there is a move to introduce more societal risk based criteria into the regime.

Ireland

Ireland has generally followed the UK approach on the regulation of major accident hazards but has not given such detailed guidance and advice on how to satisfy the requirements of the Seveso 2 Directive (COMAHDS Regulations[54] in Ireland). There is an Irish equivalent to PADHI[28] which is based on risk of fatality and slightly different frequencies but the philosophy is similar. However the Irish Version[55] allows more use of QRA, in particular for flammable and highly flammable liquids.
Unlike in the UK, the major hazards regulation regime and advice for land use planning has not been extended to major hazard pipelines (PSR[56] 1996) and upstream oil and gas facilities (as covered in the UK by specific regulations: OSC[57], PFEER[58], MAR[59]). This left a gap in regulatory oversight of the Corrib Project. At the first Oral Hearing (Planning Inquiry) the Inspector was led to adopt both: a precautionary approach (separation between housing and the pipeline should be large enough to protect residents against fatal injury even in the event of a full bore rupture at design pressure, notwithstanding that the design of the pipeline incorporated thick walled pipe for which there is no record of full bore rupture); and the UK HSE risk based approach for major hazard pipelines, rather than the risk criteria adopted by HSA for COMAH establishments in Ireland.

I was commissioned by Department of Communications, Energy and Natural Resources (currently the Economic, Environmental and Safety Regulator for upstream oil & gas in Ireland) to review the Shell Plan of Development and Environmental Assessment as part of their approvals process for the project. I was also called upon to give written and oral evidence to the reconvened oral hearing in 2010. My report[xx] to the Department was used to grant consent to construct the development (and the pipeline in particular) and the conditions that were set as part of the consent. I have recently been notified that I am the preferred independent safety reviewer, on behalf of the Department, for the construction phase of the Corrib development as part of a team of environmental and other specialists advising the Department on the conformance with the Plan of Development, Environmental Statement and conditions attached to the approval.

[53] HSE CD 212 Proposals for revised policies to address societal risk around onshore non-nuclear major hazard installations 2007
[54] HSA Control of Major Accident Hazards involving Dangerous Substances Regulations 1999 amended 2006
[55] HSA Policy & Approach of the Health & Safety Authority to COMAH Risk-based Land-use Planning 2010
[56] HSE Pipelines Safety Regulations 1996
[57] HSE Offshore Installations (Safety Case) Regulations 2005
[58] HSE The offshore installations (prevention of fire and explosion, emergency response) regulations 1995
[59] HSE The offshore installations and pipeline works (management and administration) regulations 1995

Following this assignment I directed the Entec commission to assist the Commission for Energy Regulation (CER) with the preparation of information to support the introduction of a new Petroleum Safety Framework for upstream activities, resulting in the publication of the Phase A Review of Existing Safety Regulation of the Upstream Oil & Gas Industry in Ireland[60]. The next stage of development of the Petroleum Safety Framework is now underway and I have been commissioned to assist the Consultancy advising the CER on the high level design of the framework. Particular areas that I have examined are: the application and interpretation of ALARP (As Low As Reasonably Practicable); risk metrics and criteria; continuous improvement in safety and regulation of safety; and, information to the public without inhibiting dialogue between regulator and regulated.

CONCLUSION
Risk analysis has developed over the last three decades from being a calculation of the impact of a given design of plant to an integral part of process design. The early risk analysis gave the risk footprint, which could be used to identify and improve the parts of a plant contributing most to risk or to identify whether the plant would impose an intolerable risk on the surrounding area. The design could be modified and the analysis repeated to determine whether risk criteria could then be met. However the analysis usually relied upon generic failure rates of pipelines and vessels or other equipment. It is now possible to define in advance the reliability requirements of protective systems, using techniques such as LoPA and SIL assessment, so that, provided the equipment is designed and selected correctly, risk criteria will be met. However the actual level of residual risk is still reliant on the base assumptions made in a QRA or SIL verification on continuing inspection, maintenance and testing to ensure that reliability of control and ultimately containment is maintained. This brings in the requirement for another skill set to ensure that management and operators perform the functions expected. Although many of these factors have been known since the investigation into the Flixborough Disaster, it is only in the last twelve years that formal systems and regulators' attention have been brought to bear on these human factor aspects. The development of comprehensive risk management systems allows safety, environmental and technical risk to be considered alongside other business risks. However, the recent events in the Mexican Gulf and Japan have shown that loss of integrity can have such a large impact that it outweighs any business risk.

[60] http://www.cer.ie/en/petroleum-safety-reports-and-publications.aspx?article=bb6f9bb2-c072-4743-a4a57ebb93fce053

Future Developments?

Process Safety following Texas City and Macondo is seen as one of the most important topics for the oil, gas and chemical industries to address. However it is recognised that organisations must address and manage a range of risks, and commercial operations have to remain solvent to invest in safety. Nevertheless these events show how important process safety is to the survival of even the largest companies. These and other threats to an organisation's survival need to be identified and managed. The challenge for Process Safety Professionals will be to persuade the senior managers and investors within the process industries of the critical importance of reducing major accident risks, and to advise on how to do this cost effectively, whilst demonstrating to the public and regulators that all measures necessary have been taken to prevent accidents but recognising that risk cannot be eliminated entirely. The Process Safety specialist will also need to be fully aware that not all scenarios giving challenges to the integrity of plant can be predicted, even in a statistical manner. The evidence from the recent impact of the Japanese tsunami on nuclear power plant shows that the emphasis on inherent safety needs to be maintained in case even the passive defences are overcome.

REFERENCES (Authored or co-Authored)


[i] Thirty Years of QRA, P J Waite presented at Thirty Years of Risk Assessment Are we there yet?, Safety & Reliability Society, London, October 2010.
[ii] The Spread and Vaporisation of Cryogenic Liquids on Water, P J Waite, W A Wakeham, R J Whitehouse and E B Winn, Journal of Hazardous Materials, 8 (1983).
[iii] Further Development of a Dense Vapour Cloud Dispersion Model, Carpenter English Waite
[iv] D Scott & F Crawley Process Plant Design and Operation (Guidance for Safe Practice). I.Chem.E 1992 Techniques for Loss Prevention (Chapter 6) by P J Waite
[v] See (ii) above
[vi] The calibration of a simple model for dense gas dispersion using the Thorney Island Phase 1 trials data, R J Carpenter, R P Cleaver, P J Waite and M A English in Journal of Hazardous Materials, 16 (1987).
[vii] Risk Assessment for an LPG Storage and Export Terminal R M Pitblado & P J Waite in Symposium on siting, engineering and management of Hazardous Industries, Melbourne Australia, April 1983
[viii] Testing the Reasonableness of Risk Criteria. D.O. Hagon, P.J. Waite and R. Sylvester-Evans. Reliability '85 (July 1985).
[ix] Recent UK Experience on Safety Legislation. G.S.G. Beveridge and P.J. Waite. One-day Seminar, Safety and Loss Prevention in the Process Industries. I.Chem.E. (Irish Branch, Southern Centre), and Institute of Engineers, Ireland, 1st November 1984, Cork.
[x] Safety and Loss Prevention - International Comparisons. G.S.G. Beveridge and P.J. Waite. Multi-stream '85, I.Chem.E. Symposium, Series No. 94, April 1985.
[xi] QRA of a South American Refinery at Management of Risk & Risk Acceptability Joint Royal Society of Chemistry & IChemE Meeting: Register of Health & Safety Specialists. Register of Eco-Audit Specialists and Safety & Environment Registers, Annual Meeting 7 November 1996 at Royal Society of Chemistry. P J Waite
[xii] Environmental Safety Assessments of Major Hazards. D.E. Shillito and P.J. Waite. The Fifth International Environmental and Safety Conference, September 1985. The Uses of Hazard and Risk Analysis in the Chemical Industry. P.J. Waite and R. Sylvester-Evans. World Conference on Chemical Accidents, Rome, July 1987. Process Safety and Risk Assessment in Public Decision Making. P.J. Waite and D.E Shillito. In CHEMECA 88. Institution of Engineers Australia, Conference in Sydney, August 1988. Technical Assessment of Industrial Planning Applications. M.S. Pratt and P.J. Waite. Environmental Aspects of Obtaining Industrial Planning Permission Seminar, London, 14th December 1988.
[xiii] Safety Cases: Objectives, Use and Content. Peter Waite. Chemistry and Industry, 2nd February 1987.
[xiv] The Uses of Hazard and Risk Analysis in the Chemical Industry. P.J. Waite and R. Sylvester-Evans. World Conference on Chemical Accidents, Rome, July 1987. Safety Cases for UK Offshore Installations. Offshore Mechanics and Arctic Engineering Conference. Calgary, Canada, July 1992. P J Waite.
[xv] Life Cycle QRA. Presented at 8th Annual European Summer School on Major Hazards, 13th-17th September 1993, Christ's College, Cambridge. IBC Technical Services, P J Waite. Determining the Extent to which Incorporating Risk Assessment into the Concept Evaluation Stage Can Help Minimise Risks and Costs, IIR Conference, London, 18th-19th September 1995. P J Waite.
[xvi] Ladbroke Grove Rail Inquiry Expert Advice for Part 2 October 2000, A: Railway Safety Case Regime, Peter Waite & Philip Brabazon, and D - Accident Causes and Responses, Peter Waite
[xvii] Repeated Accident Causes - Can We Learn? Peter Waite, Process Safety and Environmental Protection NW Branch IChemE Hazards XXI, Manchester 2010
[xviii] Corporate Governance and Business Risk by P J Waite and G Llewellyn. Info RM (Journal of the Institute of Risk Management) September/October 2000.
[xix] Presentation to the World Bank and others on Major Accident Hazards P Waite and R Sylvester-Evans, 1985
[xx] Statutory Assessment of Pipeline Design re: Application for Consent to Construct a Pipeline (Section 40 of the Gas Act, 1976, as amended): Corrib Pipeline. Report for Department of Communications, Energy and Natural Resources. P J Waite Entec Report January 2011. See http://www.dcenr.gov.ie/NR/rdonlyres/FE59FCF9-C2A14DB6-B7E1-A7238EBDC86E/0/EntecReport.pdf
