Industrial Process Safety

Lessons from major accidents and their application in traditional workplace safety and health

Graham D. Creedy, P. Eng, FCIC, FEICFormerly Senior Manager, Responsible Care®

Canadian Chemical Producers’ Association (now Chemistry Industry Association of Canada)

gcreedy@canadianchemistry.ca

System Safety Society Spring EventMay 26, 2011

2

Overview

• How I got into this• The evolution of the philosophy of

industrial safety and prevention of major accidents

• Some key insights and concepts• How these apply to management of

workplace safety in various sectors and at different levels of the organization

3

Some history

• 1984 Bhopal accident is wake-up call to chemical industry

• Industry responsibility to understand and control hazards and risks

• Responsible Care launched in Canada– Principles, codes, commitment, tools, support,

progress tracking, verification• Major Industrial Accidents Council of

Canada 1987-1999

4

Source: US Bureau of Labor Statistics (www.bls.gov/iif)0.0 2.0 4.0 6.0 8.0 10.0 12.0

ServicesFinance, insurance & real estateWholesale & retail tradeTransportation & public utilitiesPetroleum and coal productsChemicals and allied productsPrinting & publishingPulp & paperTextiles & apparelFood & food productsTransportation equipmentElectronic and electrical equipmentIndustrial machinery & equipmentPrimary metal industriesConstructionMiningAgriculture, forestry & fishing

Safety Performance by Industry Sector Injuries & illnesses per 200,000 hours worked (2002)

5

Relative risks of fatal accidents in the work place of selected occupations

Fishers (as an occupation) 35.1 Timber cutters (as an occupation) 29.7Airplane pilots (as an occupation) 14.9Garbage collectors 12.9Roofers 8.4Taxi drivers 8.2Farm occupations 6.5Protective services (fire fighters, police guards, etc.) 2.7“Average job” 1.0Grocery store employees 0.91

Chemical and allied products 0.81Finance, insurance and real estate 0.23

Sanders, R.E, J. Hazardous Materials 115 (2004) p143, citing Toscano (1997)

6

CIAC websitewww.canadianchemistry.ca

Staff contact: Stephanie Butler613-237-6215 x 245

Chemistry Industry Association of Canada Member Performance

7

Serious/ Disabling/ Fatalities

Medical Aid Case

Property Loss/ 1st AidTreatment

Near Misses

Unsafe Behaviors/ Conditions

Incident Pyramid:1

30

10

600

10,000

A “proactive” approach focuses on these categories, but be careful – you may miss the really serious ones!

8

Terminology

• Process hazard– A physical situation with potential to cause

harm to people, property or the environment

• Risk (acute)– probability x consequences of an undesired

event occurring

9

They thought they were safe• “Good” companies can be

lulled into a false sense of security by their performance in personal safety and health

• They may not realise how vulnerable they are to a major accident until it happens

• Subsequent investigations typically show that there were multiple causes, and many of these were known long before the event

BP Deepwater Horizon

10

Why and how defences fail

• People often assume systems work as intended, despite warning signs

• Examples of good performance are cited as representing the whole, while poor ones are overlooked or soon forgotten

• Analysis of failure modes and effects should include human and organizational aspects as well as equipment, physical and IT systems

11Flixborough, Bhopal, Pasadena

Process safety management• Recognition of seriousness of consequences

and mechanisms of causation lead to focus on the process rather than the individual worker

• Many of the key decisions influencing safety may be beyond the control of the worker or even the site – they may be made by people at another site, country or organization

• Causes differ from those for personnel safety

• Need to look at the whole – materials, equipment and systems – and consider individuals and procedures as part of the system

• Management system approach for control

12

Scope (elements of process safety management)1. Accountability2. Process Knowledge and Documentation3. Capital Project Review and Design Procedures4. Process Risk Management5. Management of Change6. Process and Equipment Integrity7. Human Factors8. Training and Performance9. Incident Investigation10. Company Standards, Codes and Regulations11. Audits and Corrective Actions12. Enhancement of Process Safety Knowledge

CCPS: Guidelines for Technical Management of Chemical Process Safety

13

Functions of a management system

Planning Organizing

Leadership

Controlling Implementing

Measurem

ent

Results

Structure

Direction

CCPS: Guidelines for Technical Management of Chemical Process Safety

14

Features and characteristics of a management system for process safety

PlanningExplicit goals and objectives Well-defined scopeClear-cut desired outputsConsideration of alternative achievement mechanismsWell-defined inputs and resource requirementsIdentification of needed tools and training

OrganizingStrong sponsorshipClear lines of authority Explicit assignments of roles and responsibilitiesFormal proceduresInternal coordination and communication

ImplementingDetailed work plansSpecific milestones for accomplishmentsInitiating mechanisms

ControllingPerformance standards and measurement methodsChecks and balancesPerformance measurement and reportingInternal reviewsVariance proceduresAudit mechanismsCorrective action mechanismsProcedure renewal and reauthorization

CCPS: Guidelines for Technical Management of Chemical Process Safety

15

Examples of PSM management systems concerns at different organizational levels

CCPS: Guidelines for Technical Management of Chemical Process Safety

Planning

PlanningOrganizing

Planning

Organizing

Organizing

ImplementingImplementing

ControllingControllingControlling

Strategic Managerial Task

16

Self-assessment of Current Status Process Safety Management

Requirements to Achieve the ESSENTIAL Level

For each survey question, indicate the level of awareness and use at the site by marking the appropriate box, based on the following: A Widespread and comprehensive use wherever significant hazard potential exists. B Moderate use, but coverage is uneven from unit to unit or not comprehensive in view of potential

hazards. C Appropriate personnel are aware of this item and its application, but little or no actual use. D Little awareness or use of this item. Mark the box labeled "Help" if this is an item where you are in urgent need of guidance. We’ll have a team member contact you with advice on how and where to get the information or help.

Want Current Status Help A B C D 1. Accountability: Objectives and Goals

(a) Are responsibilities clearly defined and communicated, with those responsible held accountable?

(b) Is there a system for control of contractor operations? 2. Process Knowledge and Documentation (a) Are the safety, health and environmental hazards of materials on site

clearly defined?

(b) Is there current comprehensive documentation covering the process operating basis, including both normal and abnormal conditions?

3. Process Safety Review Procedures for Capital Projects (a) Are all project proposals for new or modified facilities subjected to

documented hazard reviews before approval to proceed?

(b) Are systems established to ensure that the facility is built as designed? (c) Is there an effective link between design modifications and operating

procedures?

4. Process Risk Management (a) Is there a system, conducted by competent personnel, to identify and

assess the process hazards from materials present at this site?

(b) Are corrective actions defined and implementation followed up? (c) Are the above items formally documented?

A page from the Site Self-Assessment Tool

17

020

4060

80100

120140

160

2002(137 sites)

2003(141 sites)

2004(134 sites)

2005(143 sites)

2006(139 sites)

2007(145 sites)

2008(129 sites)

Excellent

Enhanced

Essential

Almost at Essential

"In Progress"

Use of self-assessment tool for collective progress reporting and action

As of August 29, 2008 compared with past five years (some site changes)

Target for meeting Essential level: June 30, 2003

18

Process-Related Incident Measure (PRIM) 2007 Findings: All Elements

PRIM INCIDENT CAUSE ANALYSIS 1998/1999 TO 2007

05

10152025303540

PSM Element Possibly Involved

Inci

dent

s A

naly

zed

98/9920002001200220032004200520062007

19

Assessing an organization’s safety effectiveness

• What is the safety policy and culture (written, unwritten)?

• How are the following handled?– Establishing what has to be done

• Benchmarking• Communicating• Assigning accountabilities

– Ensuring that it gets done• Monitoring and corrective action• Evidence (documentation) and audit process• Resourcing – not only for ideal but for anticipated

conditions• Balancing with other priorities

• How are exceptions handled?

20

Consider targets in groups

• Those who:– Don’t care

– Don’t know (and perhaps don’t know that they don’t know)

– Did know, but may have forgotten or could have gaps in application (and perhaps don’t realize it)

21

Excellent guidance exists – but how is it being used?

22

The New Product Introduction Curve

• Can be applied to adoption of new ideas• Categories differ by ability and more importantly, motivation

Innovators

Early Adopters

Early Majority

Laggards

Late Majority

Per

cent

ad

optio

n

23

Accountability

• Management commitment at all levels

• Status of process safety compared to other organizational objectives such as output, quality and cost

• Objectives must be supported by appropriate resources

• Be accessible for guidance, communicate and lead

24

Management of Change

• Change of process technology• Change of facility• Organizational changes• Variance procedures• Permanent changes• Temporary changes

25

Process and Equipment Integrity

• Design to handle all anticipated conditions, not just ideal or typical ones

• Make sure what you get is what you designed (construction, installation)

• Test to make sure the design is indeed valid• Make sure it stays that way

– Preventative maintenance– Ongoing maintenance– Review

• Be especially careful of automatic safeguards

26

• Consider operator as fallible human performing tasks in background

• Design for error tolerance, not just prevention– detection– correction

Buncefield, UK

27

Realization of significance of sociocultural factors in human thought processes and hence in behaviours

28

Human behaviour aspects• People, and most organizations, don’t

intend to get hurt (have accidents)• To understand why they do leads us

eventually into understanding human behaviour, both at the individual and organizational level, and involves:– Physical interface

• Ergonomics– Psychological interface

• Perception, decision-making, control actions– Human thought processes

• Basis for reaching decisions• Ideal versus actual behaviour

– Social psychology• Relationships with others• Organizational behaviour

Familiarity to engineers

More

Less

29

Human behaviour modes• Instead of looking at the ways in which people can fail, look at how they

function normally:

• Skill-based– Rapid responses to internal states with only occasional attention to

external info to check that events are going according to plan– Often starts out as rule-based

• Rule-based– IF…, THEN…– Rules need not make sense – they only need to work, and one has

to know the conditions under which a particular rule applies• Knowledge-based

– Used when no rules apply but some appropriate action must be found

– Slowest, but most flexible

30

Reason’s “Cheese Model” James Reason, presentation to Eurocontrol 2004

31

Active and latent failures

• Active– Immediately adverse effect– Similar to “unsafe act”

• Latent– Effect may not be noticeable for some time, if at all– Similar to “resident pathogen”. Unforeseen trigger conditions

could activate the pathogens and defences could be undermined or unexpectedly outflanked

32

A Classic Example of a Latent Failure

• Hazard of material known, but lack of awareness of potential system failure mode leads to defective procedure design through management decision

Epichlorhydrin fire,Avonmouth, UK

33

Danvers, MA, Nov 2006 Solvent explosion at printing ink factory

US Chemical Safety Board

And another

• Hazards known, but defences compromised by apparently benign change

• Latent error in procedure design creates vulnerability to likely execution error

34

And another

• Hazard of material not obvious (despite history)

• Latent error allowed dust to accumulate, creating conditions for subsequent events

Scottsbluff, NE 1996

Port Wentworth, GA 2007

35

Lessons from other fields• Aerospace and nuclear show how significant

human and organizational aspects can be even where the obvious signs of failure are technical in nature

• Finance shows:– Relevance of such factors without technical

distractions– How fast a system can deteriorate once controls are

relaxed– How wrong risk assessments can influence bad policy

decisions

36

“The relevance of organizational factors has also been graphically and tragically revealed in the inquiry reports of recent UK transportation and offshore oil disasters.

Prior to ..., senior managers in all the organizations propounded the pre-eminence of safety. They believed in the efficacy of the regulatory system, in the adequacy of their existing programs, and in their confidence of the skills and motivation of their staff.

The inquiry reports reveal that their belief in safety was a mirage, their systems inadequate, and operator errors and violations commonplace.

The inquiry reports stated that ultimate responsibility lay with complacent directors and managers who had failed to ensure that their good intentions were translated into a practical and monitored reality. Moreover, the weaknesses so starkly revealed were not matters of substantial concern to the regulatory authorities before the accidents.” HSC, 1993

Relevance of organizational factors

37

Factors that can influence likelihood of failure

• Organizational culture– “the way we do things around here – when no-one is

looking”– increasingly being recognized as one of the most

important factors in major accidents – perceived balance between output, cost and safety is

heavily dependent on this culture, and influences whether personnel work in a certain way because they believe the company and their co-workers feel it is the right way to do things, or whether they are simply “going through the motions.”

38

Standard of Safety

Time

In general, safety gets better as society learns more

39

Standard of Safety

Time

But the rate of improvement is not steady

x 10

40

Standard of Safety

Time

In fact, the curve can be one of periodic rapid gains followed by gradual but increasing declines

x 100

Note how the rate of decay can be expected to increase due to normalization of deviance

41

People

Systems

Tribal

Chaotic

Operational Excellence

Bureaucratic

Strong

Weak Strong

Organizational Culture ModelJames W. Bayer, Senior VP Mfg, Lyondell Chemical Company

42

• Demographic effects– Less staff– Experienced cohort leaving or left– Skills transfer senior > (middle) > junior– Replacements understand the way something is done,

but not why it is done that way, the potential consequences of doing it differently and how to detect and recover from undesired actions

• “We are starting to see lowered standards of design and supervision that fifteen years ago would have been unthinkable in the chemical industry” (Challenger, 2004)

Preservation – or loss – of corporate memory

43

• What does an organization’s investigation of its failures reveal about its:– Culture– Management system?

44

• Knowledge– Never realized problem could occur (benchmarking error)

• was it treated as a unique deficiency?• was there a broader review of the benchmarking process to find if there are

other areas where knowledge could be deficient? • Policy

– Thought situation would be acceptable but didn’t realize full implications until it happened

• Does it appear to be acceptable now?• Was review of policy and accountability limited or broad in scope?

• System design– Even if everything had been done as intended, problem would still have

occurred• How comprehensive was analysis of system deficiencies and practicality of

solutions?• How effective is action plan and follow through? • Was review of system design limited or broad in scope?

• System execution (management system error)– Problem occurred because someone or something did not perform as

intended• Did analysis consider why execution not as intended?• Was corrective action appropriate and balanced?• Was review of system execution limited or broad in scope?

45

Dealing with a Safety (or Engineering) Problem• Finding out who you’re dealing with

– Where is the organization on the curve? (generally, and re the specific issue or problem)– Where are the people you’re dealing with on the curve? (generally, and re the issue or

problem)• Finding out what to do

– “Benchmark” – don’t try to reinvent the wheel unless you’re sure there isn’t one already (or you’ve time and it’s fun to do so)

– Find out what others are doing about it– Read the instructions– Identify/define the issue– If it’s likely to be regulated, check with government agencies, trade associations, web,

internet– If not regulated but likely good industry practice, check suppliers, other users of same

material or item, other users of similar items, other industry contacts – but test the info!!! (cross-check, ask if it makes sense)

– Check standard reference works, (Lees, CCPS, etc)• Doing it

– Try to think of all situations that are likely to occur (process, eqpt, people)– “KISS”, keep it user-friendly, show basis for decisions if practical to do so– Follow up afterwards to see how it’s working

46

Questions?