European Best Practice for industrial Disaster Risk Management (iDRM)
Christian Jochum ([email protected])
InWEnt Senior Advisor (www.inwent.org)
Director of Centre, European Process Safety Centre (www.epsc.org)
Chairman, German Commission on Process Safety (www.kas-bmu.de)
India, September 2010
Professional Profile Christian Jochum
– Born 1943 in Frankfurt a.M./Germany
– PhD in Chemistry, certified Safety Engineer
– Honorary Professor at Frankfurt University
– 28 years experience in large chemical/pharmaceutical company (Hoechst AG)
• 1969 – 1979 Pharmaceutical research and pilot plant operations
• 1979 – 1997 Safety department (Site and Corporate Safety Director and „Major Accident Officer“ since 1987)
– EHS – and crisis management consulting for different types of businesses and administration since 1997
– Commission on Process Safety (formerly Major Hazard Commission) at the German Federal Minister for the Environment (Chairman since 1998)
– European Process Safety Centre (Rugby/UK): Director of Centre since 2007
– InWEnt Senior Advisor since 2009
EPSC (European Process Safety Centre)
• Industry funded association of major chemical companies in Europe.
• Approx. 40 contributing enterprises
• Dedicated to sharing and improving best practice in Chemical Process Safety
• Study groups on
– Safety Critical Systems (inc. IEC 61511)
– Buncefield type facilities overfill protection
– Layer of Protection Analysis (LOPA)
– Auditing
– Process Safety Incident and KPI reporting
– ATEX
– Senior Management Commitment
• Work in conjunction with European Commission on implementation and upgrading Seveso 2 Directive
• Partnerships with CEFIC (European Chemical Industry Council) and U.S. Center for Chemical Process Safety (CCPS)
www.epsc.org
Commission on Process Safety (Kommission fuer Anlagensicherheit [KAS])
• Mandated by the Federal Emission Control Act
– Advises government as well as plant operators and state and local authorities on process safety
– 32 members with different professional and educational background representing different stakeholders (“Round Table”)
– Any group needs “allies” to win votes
– Consensus intended, but majority decisions possible
• About 55 guidelines issued on different topics, e.g.
– Land Use Planning (Safety distances)
– Risk evaluation and perception
– Emergency Planning
– Industrial parks
– Provisions against terrorist attacks on chemical plants
• All publications of the Commission are available (partly in English) at www.kas-bmu.de
Outline
1 iDRM Approach in Europe
2 Risk Management Principles
3 Best Practice of Emergency Management
4 Conclusions
The drivers for Process Safety and industrial Disaster Risk Management (iDRM) in Europe are
• Lessons learnt (Bhopal, Seveso, Toulouse, Texas City, Buncefield, ...)
• Ethical dimension (Responsible Care (R))
• Seveso 2, OSHA PSM
• National Standards
• Industry benchmarking (Major Hazard record of industry)
• Economics (Business Continuity)
iDRM basic principle
Crisis management assessment should cover all parts of emergency- and crisis- management ...
• identify hazards comprehensively
• avoid or control risks
• communicate remaining risks
• mitigate consequences
• remediate damages
• restore trust
... pursuing the goal to define and train as much as possible in advance
SIMPLIFIED RISK MANAGEMENT PROCESS
[Flowchart. Boxes: IDENTIFY HAZARDS; ANALYZE/ASSESS RISK; IS RISK TOLERABLE? (YES/NO); CAN RISK BE REDUCED? (YES/NO); REDUCE RISK; DISCONTINUE ACTIVITY; MANAGE RESIDUAL RISK; DETERMINE RISK REVIEW REQUIREMENTS (WHAT & HOW, WHEN & WHO). Side labels: Prevention, Mitigation.]
This map is common, you will see it again
Risk is a combination of HAZARD Severity and FREQUENCY or LIKELIHOOD
Risk Review Requirements
The risk review process has to be determined
• by all relevant stakeholders/departments of the organisation
• in writing (company guideline)
• shared with authorities etc.
• defining the risk review team (multi-disciplinary including operator level)
• defining milestones for and different levels of risk review (e.g. Design phase, pre-commissioning, pre-start up, changes, etc)
Design, Build and Operate
[Cartoon panels, captions:]
What the client ordered
How the project mgr. understood it
How it was planned by the engineer
How it was implemented by the technicians
How the consultant interpreted it
How it was documented
How it was eventually built
What was charged to the client
What the client really wanted
What was subject of the service agreement
Hazard Identification
All hazards have to be identified comprehensively and systematically ...
• Operation hazards: e.g. „classical“ EHS-hazards, loss of production, ...
• Network hazards: e.g. failure of utilities, supplies, transportation ...
• Environmental hazards: e.g. natural hazards, adjacent plants and traffic ways, ...
• Environmental vulnerability: e.g. densely populated areas/buildings, natural reserves, ...
• Terrorist threats: e.g. plant vulnerability, neighbourhood/environment sensitivity, company image, ...
... by e.g. “What if”, checklists, HAZOP, FMEA etc.
Risk Assessment
Risk is a combination of hazard Severity and Likelihood or frequency, often expressed as R=f(S,L)
• Severity may be determined by
  • Gas dispersion in combination with criteria for human effects such as:
    • ERPGs (Emergency Response Planning Guidelines)
    • AEGLs (Acute Exposure Guideline Levels)
  • Explosion Overpressure and Fire radiation effects using tools such as:
    • TNO methodology
    • FLACS
• Likelihood may be estimated by
  • expert opinion/experience
  • databases for failure frequencies
  • (semi-) quantitative assessments (risk graph, fault or event trees etc.)
  • Assessment of safety barriers and mitigation (e.g. “bow tie” diagram, Layer of Protection Analysis = LOPA)
‘Bow Tie’ Diagram
[Diagram. Left side (Prevention): Initiating Events 1 to 4, each followed by its barriers (labelled 1a, 1b, 1c; 1a, 2a; 3a, 3b, 3c; 4a), leading to the central event "Release". Right side (Mitigation): barriers M1 and M2 leading to No consequence, Consequence A, Consequence B or Consequence C. The barriers are labelled LOPs / LODs.]

The LOPA “Onion”
[Diagram of concentric layers. Layers shown:]
• Plant Design integrity
• Basic Process Control System, Operating Discipline / Supervision
• Critical Alarms and Operator intervention
• Safety Instrumented System preventative action
• Physical Protection e.g. Relief Devices
• Plant Emergency Response
• Community Emergency Response
Protection Layer Concept
[Event tree diagram: the initiating event passes IPL 1, IPL 2 and IPL 3 in sequence. Each branch marked "success" ends in a Safe Outcome; the remaining branch ends in "Impact Event Occurs".]
Initiating Event, Estimated Frequency: fi = x
IPL 1: PFD1 = y1, giving f1 = x * y1
IPL 2: PFD2 = y2, giving f2 = x * y1 * y2
IPL 3: PFD3 = y3, giving Impact Event Frequency f3 = x * y1 * y2 * y3
Key:
IPL - Independent Protection Layer
PFD - Probability of Failure on Demand
f - frequency, /yr
Arrow represents severity and frequency of the Impact Event if later IPLs are not successful
LOPA criteria -1-
Initiating events
• Control system failures
• Human error
• Piping and equipment failures
• Interruption of utilities (e.g. Cooling)
Independent layers of protection
• Basic Process Control System (possibly)
• Alarm and operator response
• Relief systems
• Safety Instrumented Systems
• Other qualifying Safety Related Protection Systems
• Need to be independent, effective, tested, audited
LOPA criteria -2-
Conditional Modifiers
• Weather conditions
• Probability of ignition
• Probability of ignition leading to explosion
• Probability that person(s) will be exposed
• Probability that an exposed person will suffer a particular harm
• May be difficult to justify and evaluate
Mitigation (right hand side of bow tie)
• Fire protection
• Emergency Response
• Water curtains
• Secondary and tertiary containment
• etc
‘Tolerable’ frequencies for events
• What risk can we tolerate?
– Frequency for an event of a given severity (injury, environmental insult etc.)
• Users need to specify but aim to meet or exceed (do better than) regulator requirements
• The chosen tolerability becomes the target for risk management, sometimes called ‘Risk Governance’ for the company (usually Individual or Societal Risk)
• Data and guidance available for injury/fatality and environmental effects
Tolerability Data (Fatalities) (Buncefield LOPA Guidance Dec 2009, final report from U.K. HSE)
Risk Tolerability: likelihood of ‘n’ fatalities from a tank explosion, per tank per year

Likelihood            | Fatalities (n) = 1  | n = 2-10            | n = 11-50
10^-4/yr - 10^-5/yr   | Tolerable if ALARP  | Tolerable if ALARP  | Tolerable if ALARP
10^-5/yr - 10^-6/yr   | Broadly acceptable  | Tolerable if ALARP  | Tolerable if ALARP
10^-6/yr - 10^-7/yr   | Broadly acceptable  | Broadly acceptable  | Tolerable if ALARP
10^-7/yr - 10^-8/yr   | Broadly acceptable  | Broadly acceptable  | Broadly acceptable

ALARP = As Low as Reasonably Practicable
Example Risk Evaluation Criteria
[Chart: Frequency of N or more Serious Injuries (1.E-12 to 1.E-02) against (N) Number of Potential Fatalities (1 to 10,000), with two lines: Government or Corporate Evaluation Criteria and Business Evaluation Criteria.]
Categories for Environmental Risk (U.K. Environment Agency)
Category and definitions:
6 Catastrophic
• Major airborne release with serious offsite effects
• Site shutdown
• Serious contamination of groundwater or watercourse with extensive loss of aquatic life
5 Major
• Evacuation of local populace
• Temporary disabling and hospitalisation
• Serious toxic effect on beneficial or protected species
• Widespread but not persistent damage to land
• Significant fish kill over 5 mile range
4 Severe
• Hospital treatment required
• Public warning and off-site emergency plan invoked
• Hazardous substance releases into water course with ½ mile effect
3 Significant
• Severe and sustained nuisance, e.g. strong offensive odours or noise disturbance
• Major breach of Permitted emissions limits with possibility of prosecution
• Numerous public complaints
2 Noticeable
• Noticeable nuisance off-site e.g. discernible odours
• Minor breach of Permitted emission limits, but no environmental harm
• One or two complaints from the public
1 Minor
• Nuisance on site only (no off-site effects)
• No outside complaint
Heading and introduction from Section 3.7 in “IPPC H1: Integrated Pollution Prevention and Control (IPPC) and Environmental Assessment and Appraisal of BAT”, Version 6 July 20
Typical Environmental Tolerability Criteria

Category        | Acceptable if frequency less than | Acceptable if Reduced as Reasonably Practical and frequency between | Unacceptable if frequency above
6 Catastrophic  | 10^-6 per year                    | 10^-4 to 10^-6 per year                                             | 10^-4 per year
5 Major         | 10^-6 per year                    | 10^-4 to 10^-6 per year                                             | 10^-4 per year
4 Severe        | 10^-6 per year                    | 10^-2 to 10^-6 per year                                             | 10^-2 per year
3 Significant   | 10^-4 per year                    | 10^-1 to 10^-4 per year                                             | 10^-1 per year
2 Noticeable    | 10^-2 per year                    | ~10^+1 to 10^-2 per year                                            | ~10^+1 per year
1 Minor         | All shown as acceptable           | -                                                                   | -
Example for Risk Calculation
• TOLERATED EVENT FREQUENCY (Target), per year, single fatality (e.g.): 10^-5 (per year)
• INITIATING EVENT FREQUENCY, per year, control system loop fails: 10^-1
• PROBABILITY OF IGNITION (e.g.), probability (quantity, M.I.E., site factors): 10^-1
• PROBABILITY OF EXPOSURE, probability 100%: 10^0
• INDEPENDENT LAYER OF PROTECTION 1, probability of failure on demand, Basic Process Control System: 10^-1
• INDEPENDENT LAYER OF PROTECTION 2, probability of failure on demand, Safety Instrumented System: <10^-2
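The frequency chain of the Protection Layer Concept slide, applied to the figures of the risk calculation example above, as an added illustration that is not part of the original slides. The `Layer` class, the `lopa` function and the rule that a layer which is not independent receives no credit are assumptions of this sketch; the SIS value "<10^-2" is taken at its bound.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: Decimal               # probability of failure on demand
    independent: bool = True   # assumption: a layer that is not independent gets no credit


def lopa(initiating_freq, modifiers, layers, target):
    """Return (cascade, event_freq, required_extra_pfd).

    cascade lists the remaining frequency (per year) after each layer,
    i.e. f1, f2, ... of the event tree, here including conditional modifiers.
    required_extra_pfd is the PFD one more independent layer would need to
    reach the target, or None when the target is already met.
    """
    freq = initiating_freq
    for probability in modifiers.values():
        freq *= probability
    cascade = []
    for layer in layers:
        freq *= layer.pfd if layer.independent else Decimal(1)
        cascade.append((layer.name, freq))
    required = None if freq <= target else target / freq
    return cascade, freq, required


# Figures from the slide "Example for Risk Calculation"; Decimal keeps powers of ten exact.
TARGET = Decimal("1E-5")        # tolerated frequency, single fatality, per year
INITIATING = Decimal("1E-1")    # control system loop fails, per year
MODIFIERS = {"ignition": Decimal("1E-1"), "exposure": Decimal("1")}


def slide_example(sis_independent=True):
    layers = [
        Layer("Basic Process Control System", Decimal("1E-1")),
        # "<10^-2" on the slide is taken at its bound
        Layer("Safety Instrumented System", Decimal("1E-2"), sis_independent),
    ]
    return lopa(INITIATING, MODIFIERS, layers, TARGET)


if __name__ == "__main__":
    for independent in (True, False):
        cascade, freq, required = slide_example(independent)
        print(f"SIS credited: {independent}")
        for name, f in cascade:
            print(f"  after {name}: {f:.0E} /yr")
        verdict = ("meets target" if required is None
                   else f"needs an extra layer with PFD <= {required:.0E}")
        print(f"  event frequency {freq:.0E} /yr, target {TARGET:.0E} /yr: {verdict}")
```

With both layers credited the event frequency equals the 10^-5 per year target; if the SIS cannot be credited, the gap is a factor of 100.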
Land Use Planning example from Netherlands
- Individual Risk (fatality) 10^-6 1/a
- In addition Societal Risk as criterion
- Definition of thresholds for overpressure, heat radiation and toxicity
http://www.sfk-taa.de/publikationen/andere/DNV_14102005.pdf
[Chart: Frequency in 1/a (10^-3 to 10^-11) against number of fatalities (1, 10, 100), divided into the regions "Societal Risk not acceptable" and "Societal Risk acceptable".]
Risk Assessment has to be adapted to the needs
LEVEL 1: PROCESS HAZARDS ANALYSIS
Should be done by plant based people
They then have a better understanding of the risks and possibly how they may be reduced
LEVEL 2: RISK REVIEW
Specialist help from e.g. Process Engineering or Process safety function at site – should include Plant based people in the team
LEVEL 3: ENHANCED RISK REVIEW
Specialist help from e.g. Process Engineering or Process Safety function within Corporate – should include Site and Plant based people in the team
LEVEL 4: QUANTITATIVE RISK ASSESSMENT
Specialist help from external expertise. Owner needs to define scope and data and critique the outcome.
Measuring Process Safety Performance: Process Safety Indicators (PSI) reporting levels
[Pyramid diagram, labelled "Lagging Indicators" and "Leading Indicators":]
Tier 1: LOPC Events of Greater Consequence (large loss of primary containment (LOPC) event)
Tier 2: LOPC Events of Lesser Consequence (small loss of primary containment event)
Tier 3: Challenges to Safety Systems
Tier 4: Operating Discipline & Management System Performance Indicators
Thresholds for Loss of Containment becoming a PSI
Cefic (European Chemical Industry Council) suggestion based on GHS classification
[Table. Thresholds (8h rule applies): 5 kg, 100 kg, 2000 kg (recommended). Row and column labels: GHS classified; Health Hazards (1, 2); Physical Hazards; Environmental Hazards; All categories; Acute Toxic; Carcinogenic, Reproductive, Mutagenic; STOT single exposure; 1; all other categories; Not GHS classified substances.]
Management of Remaining Risks
Communicate remaining risks
• to staff (operating procedures, training, drills, …)
• to external stakeholders (customers, neighbours, authorities – but careful regarding security risks!)
Mitigate consequences
• Internal emergency planning (above all organisation, equipment, drills)
• Cooperation with external services (neighbouring plants, public services)
Important: ability to react fast!
The bigger a corporation, the higher the expectations even for small sites
Crisis Management Systems: can the unpredictable be planned?
Define as much as possible in advance, because ...
• ... crises always happen at the wrong time and place
• ... your regular organisation is not sufficient to handle a crisis
• ... all resources of the whole company have to be available in due time
• ... public, media and authorities expect professional handling of crises, too
Emergency Response
The basic principle: the faster and more effective the initial response, the smaller the consequences for men, environment and economy.
• Provide the infrastructure for fast response (fire brigade, emergency control room, availability of key personnel, etc.)
• Encourage immediate reporting of incidents (not to wait until own efforts failed ...), do not blame for false alarms
• If the fire brigade is (partly) staffed by operators be aware of the risks of understaffed production
• Better start with a higher level of alarm (worst case assumption) and grade it down later than vice versa
• Notify and involve public fire brigades and authorities as soon as possible
• Analyse every incident and the response to improve the emergency organisation without blaming anyone
Mock Drills
Major incidents hopefully become less frequent. This makes drills even more important ...
• ... to train seldom used procedures
• ... to reduce mental stress during incidents
• ... to optimise emergency- and crisis- management
• ... to make sure that necessary resources are available
Emergency Response Workflow: Example Industrial Park Frankfurt-Hoechst (Sanofi-Aventis/Infraserv Höchst) (this and following slides: courtesy of Infraserv Höchst and Sanofi-Aventis)
[Workflow diagram. Elements shown: incident; emergency call; fire alarm system; dispatch of task forces; Categorisation of the incident (Emergency Manager); Emergency response management group; Notification to local and state authorities; warning procedures (automated telephone messages, sirens, radio announcements by police dep.); safety regulations; dark page.]
Integrated Command Centre Hoechst Industrial park (Frankfurt/Germany)
Integrated Dispatch and Command Center
24 hours crewed by 5 Dispatchers
ELR workstation
Site Fire Brigade with 2 Fire Stations within the Industrial Park
Warning Procedures – Warning of Neighborhood
Warning of affected areas by
17 external sirens in 4 groups
Radio announcements
Automated telephone messages to hospitals, day care centers or schools
Crisis management group Operational Structure
Scene of Incident
Emergency Manager
Fire Brigade (site)
Environmental control
Site Security
Plant Manager
Occupational Physician
Police
Public Fire Brigade
Emergency Response Committee
Site Incident Manager
Emergency Manager 2
Fire Brigade (site)
Occupational Physician
Environmental Protection
Site Security
Plant Safety
Company Representative (company affected by incident)
Communications
Toxicology
Public Fire Brigade
Police
Secretary
Emergency Manager 3-5
Additional Experts
Documentation
The Role of Authorities
The cooperation between authorities and companies at an incident depends on their cooperation before the incident.
• Open communication about risks and safety measures on a regular basis (e.g. in a local or regional committee) builds up trust which is urgently needed during emergency response
• Authorities need to know about the possible scenarios for major accidents to do their own preparations
• Authorities should have clear rules about their responsibilities in handling major incidents to avoid conflicts between the different agencies (e.g. labour safety, environment, civil protection, police etc.)
• Mitigation of consequences should come first, legal prosecution of individuals responsible for the incident later
Neighbours, Journalists and Environmentalists
The basic issue: Neighbours and the general public share the risks of industrial sites, but not necessarily the benefits.
• Communication of relevant risks has to be done openly and in an adequate form (“not scientific”) prior to incidents (e.g. “neighbourhood councils”, brochures, ...)
– to build up trust in the competence of the company to handle risks
– to enable the neighbours to react adequately during an incident
• The response of neighbours etc. to incidents is strongly influenced by the company's response to requests and complaints prior to the incident
• Fast and open information after an incident is crucial
• Fears and worries of neighbours etc. have to be taken seriously even if they are based on emotions rather than science
• In the long term, conflicts with neighbours etc. endanger the “licence to operate”
Crisis Communication
Sometimes crisis communication becomes a crisis of communication!
Conclusions
– Investing in safe and eco-efficient plants pays off, at least in the long term
– The (remaining) risks of industrial plants can be assessed and are the basis for scenarios for emergency planning
– The knowledge and experience of the operators should be used by all means
– Risks should be communicated as well as benefits to all stakeholders, esp. the neighbours
– The resources for emergency response (manpower, equipment, communications, organisation etc) have to be planned in advance and readily available in case of an incident. People usually accept the risk of a chemical/pharmaceutical plant, but not incompetence in handling it
– Authorities should involve themselves actively in emergency planning, balancing this out with their law enforcement duties
– Combined efforts will definitely lead to safer and more accepted plants, as the figures from Germany may show
Development of Accidents in Germany since 1950
„Arbeitsunfälle“ = occupational accidents
„Wegeunfälle“ = acc. on the way to work

Year | Arbeitsunfälle | Wegeunfälle
1950 | 83.12          | 8.96
1960 | 109.18         | 18.08
1970 | 98.65          | 13.92
1980 | 54.51          | 8.16
1990 | 34.9           | 5.85
2000 | 21.13          | 5.42
2001 | 20.45          | 5.37
2003 | 16.79          | 5.31
2004 | 15.78          | 5.01
2005 | 14.93          | 4.96
Thank you for your attention!
... and special thanks to Richard Gowland, EPSC Technical Director, who contributed a number of slides