European Best Practice for industrial Disaster Risk Management (iDRM) Christian Jochum...

European Best Practice for industrial Disaster Risk Management (iDRM)

Christian Jochum ([email protected])

InWEnt Senior Advisor (www.inwent.org)

Director of Centre, European Process Safety Centre (www.epsc.org)

Chairman, German Commission on Process Safety (www.kas-bmu.de)

India, September 2010

Professional Profile Christian Jochum

– Born 1943 in Frankfurt a.M./Germany

– PhD in Chemistry, certified Safety Engineer

– Honorary Professor at Frankfurt University

– 28 years experience in large chemical/pharmaceutical company (Hoechst AG)

• 1969 – 1979 Pharmaceutical research and pilot plant operations• 1979 – 1997 Safety department (Site and Corporate Safety Director and „Major

Accident Officer“ since 1987)

– EHS – and crisis management consulting for different types of businesses and administration since 1997

– Commission on Process Safety (formerly Major Hazard Commission) at the German Federal Minister for the Environment (Chairman since 1998)

– European Process Safety Centre (Rugby/UK): Director of Centre since 2007

– InWEnt Senior Advisor since 2009

2

EPSC (European Process Safety Centre)

• Industry funded association of major chemical companies in Europe.• Approx. 40 contributing enterprises• Dedicated to sharing and improving best practice in Chemical Process

Safety• Study groups on

– Safety Critical Systems (inc. IEC 61511)– Buncefield type facilities overfill protection– Layer of Protection Analysis (LOPA)– Auditing– Process Safety Incident and KPI reporting– ATEX– Senior Management Commitment

• Work in conjunction with European Commission on implementation and upgrading Seveso 2 Directive

• Partnerships with CEFIC (European Chemical Industry Council) and U.S. Center for Chemical Process Safety (CCPS)

www.epsc.org

3

• Mandated by the Federal Emission Control Act

– Advises government as well as plant operators and state and local authorities on process safety

– 32 members with different professional and educational background representing different stakeholders (“Round Table”)

– Any group needs “allies” to win votes

– Consensus intended, but majority decisions possible

• About 55 guidelines issued on different topics, e.g.

– Land Use Planning (Safety distances)

– Risk evaluation and perception

– Emergency Planning

– Industrial parks

– Provisions against terrorist attacks on chemical plants

• All publications of the Commission are available (partly in English) at

• www.kas-bmu.de

Commission on Process Safety (Kommission fuer Anlagensicherheit [KAS])

4

Outline

11 iDRM Approach in EuropeiDRM Approach in Europe

Best Practice of Emergency ManagementBest Practice of Emergency Management33

Risk Management PrinciplesRisk Management Principles22

ConclusionsConclusions44

5

The drivers for Process Safety and industrial Disaster Risk Management (iDRM) in Europe are

•Lessons learnt (Bhopal, Seveso, Toulouse, Texas City, Buncefield, ...)

•Ethical dimension (Responsible Care (R))

•Seveso 2, OSHA PSM

•National Standards•Industry benchmarking (Major Hazard record of industry)

•Economics (Business Continuity)

6

iDRM basic principle

Crisis management assessment should cover all parts of emergency- and crisis- management ...

• identify hazards comprehensively

... pursuing the goal to define and train as much as possible in advance

• avoid or control risks

• communicate remaining risks

• mitigate consequences

• remediate damages

• restore trust

7

Outline





8

9

HAZARDS

RISK REDUCE

RESIDUAL RISK MANAGE

RISK Analyze/Assess

DISCONTINUE ACTIVITY

RISK TOLERABLE

YES

NO

RISK REVIEW REQUIREMENTS

WHEN

& WHO

WHAT

& HOW

SIMPLIFIED RISK MANAGEMENT PROCESS

DETERMINE

IDENTIFY

IS

? RISK BE

REDUCED CAN

?

YES

NO

PreventionThis map is common, you will see it again

Risk is a combinationof HAZARD Severity and FREQUENCY or LIKELIHOOD

Mitigation

Risk Review Requirements

The risk review process has to be determined• by all relevant stakeholders/departments of the

organisation• in writing (company guideline)• shared with authorities etc.• defining the risk review team (multi-disciplinary

including operator level)• defining milestones for and different levels of risk

review (e.g. Design phase, pre-commissioning, pre-start up, changes, etc)

10

What the client ordered

How the project mgr. understood it

How it was planned by the engineer

How it was implemented by the technicians

How the consultant interpreted it

How it was documented

How it was eventually built

What was chargedTo the client

What the client really wanted

What was subject of the service agreement

Design, Build and Operate

11

Hazard Identification

All hazards have to be identified comprehensively and systematically ...

• eg. „classical“ EHS-hazards, loss of production, ... Operation hazards

Operation hazards

Network hazards

Network hazards

Environmental hazards

Environmental hazards

• eg. failure of utilities, supplies, transportation ...

• eg. natural hazards, adjacent plants and traffic ways, ...

• eg. densely populated areas/buildings, natural reserves, ...Environmental vulnerability

Environmental vulnerability

• eg. plant vulnerability, neighbourhood/environment sensitivity, company image, ...

Terrorist threats

Terrorist threats

... by e.g. “What if”, checklists, HAZOP, FMEA etc.

12

Risk Assessment

Risk is a combination of hazard Severity and Likelihood or frequency, often expressed as R=f(S,L)

• Severity may be determined by • Gas dispersion in combination with criteria for human effects such as:

• ERPGs (Emergency Response Planning Guidelines)• AEGLs (Acute Exposure Guideline Levels)

• Explosion Overpressure and Fire radiation effects using tools such as:• TNO methodology• FLACS

• Likelihood may be estimated by• expert opinion/experience• databases for failure frequencies• (semi-) quantitative assessments (risk graph, fault or event trees etc.)• Assessment of safety barriers and mitigation (e.g. “bow tie” diagram, Layer of

Protection Analysis = LOPA)

13

‘Bow Tie’ Diagram

14

Release

1a 1b 1c

1a 2a

3a 3b 3c

4a

Initiating Event 1

Initiating Event 2

Initiating Event 3

Initiating Event 4

Prevention Mitigation

No consequence

Consequence A

Consequence B

Consequence C

M1 M2LOPs / LODsLOPs / LODs

Plant Emergency Response

Physical Protection e.g. Relief Devices

Safety Instrumented System preventative action

Critical Alarms and Operator intervention

Basic Process Control System, Operating Discipline / Supervision

Plant Designintegrity

Community Emergency Response

The LOPA “Onion”

15

16

Initiating Event

EstimatedFrequency

f i = x

PFD 1 = y 1

success

Impact EventFrequency,f3 = x * y 1 * y 2 * y 3

Safe Outcome

Safe Outcome

Safe Outcome

success

success

PFD 2 = y 2

PFD 3 = y 3

IPL 1 IPL 2 IPL 3

f1= x * y 1

f2=x * y 1 * y 2

Impact EventOccurs

IPL - Independent Protection LayerPFD - Probability of Failure on Demandf - frequency, /yr

Key :Arrow representsseverity and frequency ofthe Impact Event if laterIPLs are not successful

ImpactEvent

Severity

Frequency

Protection Layer Concept

LOPA criteria -1-

Initiating events• Control system failures

• Human error

• Piping and equipment failures

• Interruption of utilities (e.g. Cooling)

Independent layers of protection• Basic Process Control System (possibly)

• Alarm and operator response

• Relief systems

• Safety Instrumented Systems

• Other qualifying Safety Related Protection Systems

• Need to independent, effective, tested, audited

LOPA criteria -2-

Conditional Modifiers• Weather conditions

• Probability of ignition

• Probability of ignition leading to explosion

• Probability that person(s) will be exposed

• Probability that an exposed person will suffer a particular harm

• May be difficult to justify and evaluate

Mitigation (right hand side of bow tie)• Fire protection

• Emergency Response

• Water curtains

• Secondary and tertiary containment

• etc

‘Tolerable’ frequencies for events

• What risk can we tolerate?– Frequency for an event of a given severity (injury, environmental insult

etc.)• Users need to specify but aim to meet or exceed (do better than) regulator

requirements • The chosen tolerability becomes the target for risk management

sometimes called ‘Risk Governance’ for the company (usually Individual or Societal Risk)

• Data and guidance available for injury/fatality and environmental effects

19

Likelihood of ‘n’ fatalities from a tank explosion

per tank per yearRisk Tolerability

10-4/yr - 10-5/yrTolerable if

ALARPTolerable if

ALARPTolerable if

ALARP

10-5/yr - 10-6/yrBroadly

acceptable Tolerable if

ALARPTolerable if

ALARP

10-6/yr - 10-7/yrBroadly

acceptableBroadly

acceptableTolerable if

ALARP

10-7/yr - 10-

8/yrBroadly

acceptableBroadly

acceptableBroadly

acceptable

Fatalities (n) 1 2-10 11-50

Tolerability Data (Fatalities) (Buncefield LOPA Guidance Dec 2009, final report from U.K. HSE)

ALARP = As Low as Reasonably Practicable

20

1.E-12

1.E-11

1.E-10

1.E-09

1.E-08

1.E-07

1.E-06

1.E-05

1.E-04

1.E-03

1.E-02

1 10 100 1,000 10,000

(N) Number of Potential Fatalities

Fre

qu

enc

y o

f N

or

mo

re S

erio

us

In

juri

es

Government or Corporate Evaluation Criteria

Business Evaluation Criteria

Example Risk Evaluation Criteria

21

Categories for Environmental Risk (U.K. Environment Agency)

Categ. Definitions

6 Catastrophic

• Major airborne release with serious offsite effects • Site shutdown • Serious contamination of groundwater or watercourse with extensive loss of aquatic life

5 Major • Evacuation of local populace • Temporary disabling and hospitalisation • Serious toxic effect on beneficial or protected species • Widespread but not persistent damage to land • Significant fish kill over 5 mile range

4 Severe • Hospital treatment required • Public warning and off-site emergency plan invoked • Hazardous substance releases into water course with ½ mile effect

3 Significant

• Severe and sustained nuisance, e.g. strong offensive odours or noise disturbance • Major breach of Permitted emissions limits with possibility of prosecution • Numerous public complaints

2 Noticeable

• Noticeable nuisance off-site e.g. discernible odours • Minor breach of Permitted emission limits, but no environmental harm • One or two complaints from the public

1 Minor • Nuisance on site only (no off-site effects) • No outside complaint

Heading and introduction from Section 3.7 in “IPPC H1: Integrated Pollution Prevention and Control (IPPC) and Environmental Assessment and Appraisal of BAT”, Version 6 July 20 22

CategoryAcceptable if

frequency less than

Acceptable if Reduced as Reasonably Practical and

frequency between

Unacceptable if frequency above

6

Catastrophic

10-6 per year 10-4 to 10-6 per year 10-4 per year

5 Major 10-6 per year 10-4 to 10-6 per year 10-4 per year

4 Severe 10-6 per year 10-2 to 10-6 per year 10-2 per year

3 Significant 10-4 per year 10-1 to 10-4 per year 10-1 per year

2 Noticeable 10-2 per year ~ 10+1 to 10-2 per year ~10+1 per year

1 Minor

All shown as acceptable

- -

Typical Environmental Tolerability Criteria

23

TOLERATED EVENT FREQUENCY(Target)

PER YEAR SINGLE FATALITY (e.g.)

10-5

(per year)

INITIATING EVENT FREQUENCY

PER YEAR CONTROL SYSTEM LOOP FAILS

10-1

PROBABILITY OF IGNITION (e.g.)

PROBABILITY Quantity, M.I.E., site factors

10-1

PROBABILITY OF EXPOSURE

PROBABILITY 100% 10-0

INDEPENDENT LAYER OF PROTECTION 1

PROBABILITY OF FAILURE ON DEMAND

Basic Process Control System

10-1

INDEPENDENT LAYER OF PROTECTION 2

PROBABILITY OF FAILURE ON DEMAND

Safety Instrumented System

<10-2

Example for Risk Calculation

24

Land Use Planning example from Netherlands

- Individual Risk (fatality) 10-6 1/a- In addition Societal Risk as criterion- Definition of thresholds for overpressure, heat radiation and toxicity

http://www.sfk-taa.de/publikationen/andere/DNV_14102005.pdf

10-3

10-5

10-7

10-9

10-11

1 10 100 fatalities

Frequency in 1/a

Societal Risk not acceptable

Societal Risk acceptable

25

Risk Assessment has to be adopted to the needs

LEVEL 1: PROCESS HAZARDS ANALYSIS

Should be done by plant based people

They then have a better understanding of the risks and possibly how they may be reduced

LEVEL 2: RISK REVIEW

Specialist help from e.g. Process Engineering or Process safety function at site – should include Plant based people in the team

LEVEL 4: QUANTITATIVE RISK ASSESSMENT

Specialist help from external expertise. Owner needs to define scope and data and critique the outcome.

Level 1: PROCESS HAZARD ANALYSIS

Level 2:RISK REVIEW

L4:QRA

LEVEL 3: ENHANCED RISK REVIEW

Specialist help from e.g. Process Engineering or Process Safety function within Corporate – should include Site and Plant based people in the team

Level 3ENHANCED RISK

REVIEW

26

Measuring Process Safety Performance: Process Safety Indicators (PSI) reporting levels

Tier 1

Tier 2

Tier 3

Tier 4Operating Discipline & Management System

Performance Indicators

Leading Indicators

Lagging IndicatorsLOPC Events of

Greater Consequence

LOPC Events of Lesser Consequence

Challenges to Safety Systems

Tier 1

Tier 2

Tier 3

Tier 4Operating Discipline & Management System

Performance Indicators

Leading Indicators

Lagging IndicatorsLOPC Events of

Greater Consequence

LOPC Events of Lesser Consequence

Challenges to Safety Systems

Large loss of primary containment (LOPC) event

Small loss of primary containment event

Challenges to thesafety system

Operating discipline & management system

27

Thresholds for Loss of Containment becoming a PSI

2000 kg (recommended)

Thresholds (8h rule applies)100 kg5 kg

Health Hazards1 2

Physical Hazards

Environmental Hazards

All categories

Acute Toxic

Carcinogenic, Reproductive, Mutagenic

STOT single exposure

All categories

1

all other categories

Not G

HS classified

substances

GHS classified

2000 kg (recommended)

Thresholds (8h rule applies)100 kg5 kg

Health Hazards1 2

Physical Hazards

Environmental Hazards

All categories

Acute Toxic

Carcinogenic, Reproductive, Mutagenic

STOT single exposure

All categories

1

all other categories

Not G

HS classified

substances

GHS classified

Cefic (European Chemical Industry Council) suggestion based on GHS classification

28

Outline





29

Important: ability to react fast!

The bigger a corporation, the higher the expectations even for small sites

Management of Remaining Risks

Communicate remaining risks• to staff (operating procedures, training, drills, …)• to external stakeholders (customers, neighbours, authorities – but careful

regarding security risks!)

Mitigate consequences• Internal emergency planning (above all organisation, equipment, drills) • Cooperation with external services (neighbouring plants, public services)

30

Crisis Management Systems: can the unpredictable be planned?

Define as much as possible in advance, because ... • ... crisis always happen at the wrong time and place • ... your regular organisation is not sufficient to handle crisis • ... all resources of the whole company have to be available in

due time • ... public, media and authorities expect professional handling

of crisis, too

31

Emergency Response

The basic principle: the faster and more effective the initial response, the smaller the consequences for men, environment and economy.

• Provide the infrastructure for fast response (fire brigade, emergency control room, availability of key personnel, etc.)

• Encourage immediate reporting of incidents (not to wait until own efforts failed ...), do not blame for false alarms

• If the fire brigade is (partly) staffed by operators be aware of the risks of understaffed production

• Better start with a higher level of alarm (worst case assumption) and grade it down later than vice versa

• Notify and involve public fire brigades and authorities as soon as possible

• Analyse every incident and the response to improve the emergency organisation without blaming anyone

32

Mock Drills

Major incidents hopefully become less frequent. This makes drills even more important ...

• ... to train seldom used procedures • ... to reduce mental stress during incidents• ... to optimise emergency- and crisis- management• ... to make sure that necessary resources are

available

33

Emergency Response

The basic principle: the faster and more effective the initial response, the smaller the consequences for men, environment and economy.

• Provide the infrastructure for fast response (fire brigade, emergency control room, availability of key personnel, etc.)

• Encourage immediate reporting of incidents (not to wait until own efforts failed ...), do not blame for false alarms

• If the fire brigade is (partly) staffed by operators be aware of the risks of understaffed production

• Better start with a higher level of alarm (worst case assumption) and grade it down later than vice versa

• Notify and involve public fire brigades and authorities as soon as possible

• Analyse every incident and the response to improve the emergency organisation without blaming anyone

34

incidentincidentdispatchof task forces

emergency call

fire alarm system

Emergency Response Workflow: Example Industrial Park Frankfurt-Hoechst (Sanofi-Aventis/Infraserv Höchst)

dark page

Notification to local and state authorities

warning procedures

Emergency response management group

Emergency Response Workflow: Example Industrial Park Frankfurt-Hoechst (this and following slides: courtesy of Infraserv Höchst and Sanofi-Aventis)

Categorisation of the incidentEmergency Manager

automatedtelephonemessages

sirensradio announcementsby police dep.

safety regulations

Integrated Command Centre Hoechst Industrial park (Frankfurt/Germany)

37

Integrated Dispatch and Command Center

24 hours crewed by 5 Dispatchers

ELR Arbeitsplatz39

Site Fire Brigade with 2 Fire Stations within the Industrial Park

Warning Procedures – Warning of Neighborhood

Warning of affected areas by

17 external sirens in 4 groups

Radio announcements

Automated telephone messages to hospitals, day care centers or schools

Crisis management group Operational Structure

Scene of Incident

Emergency Manager

Fire Brigade (site)

Environmental control

Site Security

Plant Manager

Occupational Physician

Police

Public Fire Brigade

Emergency Response Committee

Site Incident Manager

Emergency Manager 2

Fire Brigade (site)

Occupational Physician

Environmental Protection

Site Security

Plant Safety

Company Representative(company affected by incident)

Communications

Toxicology

Public Fire Brigade

Police

SecretaryEmergency Manager3-5

Additional Experts

Documentation

The Role of Authorities

The cooperation between authorities and companies at an incident depends on their cooperation before the incident.

• Open communication about risks and safety measures on a regular basis (e.g. in a local or regional committee) builds up trust which is urgently needed during emergency response

• Authorities need to know about the possible scenarios for major accidents to do their own preparations

• Authorities should have clear rules about their responsibilities in handling major incidents to avoid conflicts between the different agencies (e.g. labour safety, environment, civil protection, police etc.)

• Mitigation of consequences should come first, legal prosecution of individuals responsible for the incident later

43

Neighbours, Journalists and Environmentalists

The basic issue: Neighbours and the general public share the risks of industrial sites, but not necessarily the benefits.

• Communication of relevant risks has to be done openly and in an adequate form (“not scientific”) prior to incidents (e.g. “neighbourhood councils”, brochures, ...)

– to build up trust in the competence of the company to handle risks

– to enable the neighbours to react adequately during an incident

• The response of neighbours etc. to incidents is strongly influenced by the company´s response to requests and complaints prior to the incident

• Fast and open information after an incident is crucial

• Fears and worries of neighbours etc. have to be taken seriously even if they are based on emotions rather than science

• On the long term, conflicts with neighbours etc. endangers the “licence to operate”

44

Crisis Communication

Sometimes crisis communication becomes a crisis of communication!

45

Outline





46

Conclusions

– Investing in safe and eco-efficient plants pays off at least on the long term

– The (remaining) risks of industrial plants can be assessed and are the basis for scenarios for emergency planning

– The knowledge and experience of the operators should be used by all means

– Risks should be communicated as well as benefits to all stakeholders, esp. the neighbours

– The resources for emergency response (manpower, equipment, communications, organisation etc) have to be planned in advance and readily available in case of an incident. People usually accept the risk of a chemical/pharmaceutical plant, but not incompetence in handling it

– Authorities should involve themselves actively in emergency planning, balancing this out with their law enforcement duties

– Combined efforts will definitely lead to safer and more accepted plants, as the figures from Germany may show

47

Development of Accidents in Germany since 1950

„Arbeitsunfälle“ = occupational accidents

„Wegeunfälle“ = acc. on the way to work

83,12

109,18

98,65

54,51

34,9

21,13 20,4516,79 15,78 14,93

8,96

18,0813,92

8,165,85 5,42 5,37 5,31 5,01 4,96

0

20

40

60

80

100

120

1950 1960 1970 1980 1990 2000 2001 2003 2004 2005

Arbeitsunfälle

Wegeunfälle

Thank you for your attention!

... and special thanks to Richard Gowland, EPSC Technical Director, who contributed a number of slides

European Best Practice for industrial Disaster Risk Management (iDRM) Christian Jochum...

Documents

Transcript of European Best Practice for industrial Disaster Risk Management (iDRM) Christian Jochum...