500 likes | 667 Views
European Best Practice for industrial Disaster Risk Management (iDRM). Christian Jochum (chr.jochum@t-online.de) InWEnt Senior Advisor (www.inwent.org) Director of Centre, European Process Safety Centre (www.epsc.org) Chairman, German Commission on Process Safety (www.kas-bmu.de)
E N D
European Best Practice for industrial Disaster Risk Management (iDRM) Christian Jochum (chr.jochum@t-online.de) InWEnt Senior Advisor (www.inwent.org) Director of Centre, European Process Safety Centre (www.epsc.org) Chairman, German Commission on Process Safety (www.kas-bmu.de) India, September 2010
Professional Profile Christian Jochum • Born 1943 in Frankfurt a.M./Germany • PhD in Chemistry, certified Safety Engineer • Honorary Professor at Frankfurt University • 28 years experience in large chemical/pharmaceutical company (Hoechst AG) • 1969 – 1979 Pharmaceutical research and pilot plant operations • 1979 – 1997 Safety department (Site and Corporate Safety Director and „Major Accident Officer“ since 1987) • EHS – and crisis management consulting for different types of businesses and administration since 1997 • Commission on Process Safety (formerly Major Hazard Commission) at the German Federal Minister for the Environment (Chairman since 1998) • European Process Safety Centre (Rugby/UK): Director of Centre since 2007 • InWEnt Senior Advisor since 2009
EPSC (European Process Safety Centre) • Industry funded association of major chemical companies in Europe. • Approx. 40 contributing enterprises • Dedicated to sharing and improving best practice in Chemical Process Safety • Study groups on • Safety Critical Systems (inc. IEC 61511) • Buncefield type facilities overfill protection • Layer of Protection Analysis (LOPA) • Auditing • Process Safety Incident and KPI reporting • ATEX • Senior Management Commitment • Work in conjunction with European Commission on implementation and upgrading Seveso 2 Directive • Partnerships with CEFIC (European Chemical Industry Council) and U.S. Center for Chemical Process Safety (CCPS) www.epsc.org
Commission on Process Safety (Kommission fuer Anlagensicherheit [KAS]) • Mandated by the Federal Emission Control Act • Advises government as well as plant operators and state and local authorities on process safety • 32 members with different professional and educational background representing different stakeholders (“Round Table”) • Any group needs “allies” to win votes • Consensus intended, but majority decisions possible • About 55 guidelines issued on different topics, e.g. • Land Use Planning (Safety distances) • Risk evaluation and perception • Emergency Planning • Industrial parks • Provisions against terrorist attacks on chemical plants • All publications of the Commission are available (partly in English) at • www.kas-bmu.de
Outline iDRM Approach in Europe 1 2 Risk Management Principles 3 Best Practice of Emergency Management 4 Conclusions
The drivers for Process Safety and industrial Disaster Risk Management (iDRM) in Europe are Lessons learnt (Bhopal, Seveso, Toulouse, Texas City, Buncefield, ...) Ethical dimension (Responsible Care (R)) Seveso 2, OSHA PSM National Standards Industry benchmarking (Major Hazard record of industry) Economics (Business Continuity)
iDRM basic principle Crisis management assessment should cover all parts of emergency- and crisis- management ... • identify hazards comprehensively • avoid or control risks • communicate remaining risks • mitigate consequences • remediate damages • restore trust ... pursuing the goal to define and train as much as possible in advance
Outline iDRM Approach in Europe 1 2 Risk Management Principles 3 Best Practice of Emergency Management 4 Conclusions
Prevention This map is common, you will see it again Risk is a combination of HAZARD Severity and FREQUENCY or LIKELIHOOD Mitigation
Risk Review Requirements The risk review process has to be determined • by all relevant stakeholders/departments of the organisation • in writing (company guideline) • shared with authorities etc. • defining the risk review team (multi-disciplinary including operator level) • defining milestones for and different levels of risk review (e.g. Design phase, pre-commissioning, pre-start up, changes, etc)
Design, Build and Operate How the project mgr. understood it How it was planned by the engineer How it was implemented by the technicians How the consultant interpreted it What the client ordered What the client really wanted What was charged To the client What was subject of the service agreement How it was documented How it was eventually built
Hazard Identification Operation hazards • eg. „classical“ EHS-hazards, loss of production, ... All hazards have to be identified comprehensively and systematically ... Network hazards • eg. failure of utilities, supplies, transportation ... Environmental hazards • eg. natural hazards, adjacent plants and traffic ways, ... Environmental vulnerability • eg. densely populated areas/buildings, natural reserves, ... Terrorist threats • eg. plant vulnerability, neighbourhood/environment sensitivity, company image, ... ... by e.g. “What if”, checklists, HAZOP, FMEA etc.
Risk Assessment Risk is a combination of hazardSeverity and Likelihood or frequency, often expressed as R=f(S,L) • Severity may be determined by • Gas dispersion in combination with criteria for human effects such as: • ERPGs (Emergency Response Planning Guidelines) • AEGLs (Acute Exposure Guideline Levels) • Explosion Overpressure and Fire radiation effects using tools such as: • TNO methodology • FLACS • Likelihood may be estimated by • expert opinion/experience • databases for failure frequencies • (semi-) quantitative assessments (risk graph, fault or event trees etc.) • Assessment of safety barriers and mitigation (e.g. “bow tie” diagram, Layer of Protection Analysis = LOPA)
Community Emergency Response Plant Emergency Response Physical Protection e.g. Relief Devices Safety Instrumented System preventative action Critical Alarms and Operator intervention Basic Process Control System, Operating Discipline / Supervision Plant Design integrity The LOPA “Onion”
LOPA criteria -1- Initiating events • Control system failures • Human error • Piping and equipment failures • Interruption of utilities (e.g. Cooling) Independent layers of protection • Basic Process Control System (possibly) • Alarm and operator response • Relief systems • Safety Instrumented Systems • Other qualifying Safety Related Protection Systems • Need to independent, effective, tested, audited
LOPA criteria -2- Conditional Modifiers • Weather conditions • Probability of ignition • Probability of ignition leading to explosion • Probability that person(s) will be exposed • Probability that an exposed person will suffer a particular harm • May be difficult to justify and evaluate Mitigation (right hand side of bow tie) • Fire protection • Emergency Response • Water curtains • Secondary and tertiary containment • etc
‘Tolerable’ frequencies for events • What risk can we tolerate? • Frequency for an event of a given severity (injury, environmental insult etc.) • Users need to specify but aim to meet or exceed (do better than) regulator requirements • The chosen tolerability becomes the target for risk management sometimes called ‘Risk Governance’ for the company (usually Individual or Societal Risk) • Data and guidance available for injury/fatality and environmental effects
Tolerability Data (Fatalities) (Buncefield LOPA Guidance Dec 2009, final report from U.K. HSE) ALARP = As Low as Reasonably Practicable
Example Risk Evaluation Criteria 1.E-02 1.E-03 1.E-04 1.E-05 Government or Corporate Evaluation Criteria 1.E-06 1.E-07 Frequency of N or more Serious Injuries 1.E-08 1.E-09 Business Evaluation Criteria 1.E-10 1.E-11 1.E-12 1 10 100 1,000 10,000 (N) Number of Potential Fatalities
Categories for Environmental Risk (U.K. Environment Agency) Heading and introduction from Section 3.7 in “IPPC H1: Integrated Pollution Prevention and Control (IPPC) and Environmental Assessment and Appraisal of BAT”, Version 6 July 20
10-3 Frequency in 1/a Societal Risk not acceptable 10-5 10-7 Societal Risk acceptable 10-9 10-11 1 10 100 fatalities http://www.sfk-taa.de/publikationen/andere/DNV_14102005.pdf Land Use Planning example from Netherlands - Individual Risk (fatality) 10-6 1/a - In addition Societal Risk as criterion - Definition of thresholds for overpressure, heat radiation and toxicity
Risk Assessment has to be adopted to the needs LEVEL 1: PROCESS HAZARDS ANALYSIS Should be done by plant based people They then have a better understanding of the risks and possibly how they may be reduced LEVEL 2: RISK REVIEW Specialist help from e.g. Process Engineering or Process safety function at site – should include Plant based people in the team Level 1: PROCESS HAZARD ANALYSIS LEVEL 3: ENHANCED RISK REVIEW Specialist help from e.g. Process Engineering or Process Safety function within Corporate – should include Site and Plant based people in the team Level 2: RISK REVIEW Level 3 ENHANCED RISK REVIEW LEVEL 4: QUANTITATIVE RISK ASSESSMENT Specialist help from external expertise. Owner needs to define scope and data and critique the outcome. L4:QRA
Measuring Process Safety Performance: Process Safety Indicators (PSI) reporting levels Large loss of primary containment (LOPC) event Small loss of primary containment event Challenges to the safety system Operating discipline & management system
Thresholds for Loss of Containment becoming a PSI Cefic (European Chemical Industry Council) suggestion based on GHS classification
Outline iDRM Approach in Europe 1 2 Risk Management Principles 3 Best Practice of Emergency Management 4 Conclusions
Management of Remaining Risks Communicate remaining risks • to staff (operating procedures, training, drills, …) • to external stakeholders (customers, neighbours, authorities – but careful regarding security risks!) Mitigate consequences • Internal emergency planning (above all organisation, equipment, drills) • Cooperation with external services (neighbouring plants, public services) Important: ability to react fast! The bigger a corporation, the higher the expectations even for small sites
Crisis Management Systems: can the unpredictable be planned? Define as much as possible in advance, because ... • ... crisis always happen at the wrong time and place • ... your regular organisation is not sufficient to handle crisis • ... all resources of the whole company have to be available in due time • ... public, media and authorities expect professional handling of crisis, too
Emergency Response The basic principle: the faster and more effective the initial response, the smaller the consequences for men, environment and economy. • Provide the infrastructure for fast response (fire brigade, emergency control room, availability of key personnel, etc.) • Encourage immediate reporting of incidents (not to wait until own efforts failed ...), do not blame for false alarms • If the fire brigade is (partly) staffed by operators be aware of the risks of understaffed production • Better start with a higher level of alarm (worst case assumption) and grade it down later than vice versa • Notify and involve public fire brigades and authorities as soon as possible • Analyse every incident and the response to improve the emergency organisation without blaming anyone
Mock Drills Major incidents hopefully become less frequent. This makes drills even more important ... • ... to train seldom used procedures • ... to reduce mental stress during incidents • ... to optimise emergency- and crisis- management • ... to make sure that necessary resources are available
Emergency Response The basic principle: the faster and more effective the initial response, the smaller the consequences for men, environment and economy. • Provide the infrastructure for fast response (fire brigade, emergency control room, availability of key personnel, etc.) • Encourage immediate reporting of incidents (not to wait until own efforts failed ...), do not blame for false alarms • If the fire brigade is (partly) staffed by operators be aware of the risks of understaffed production • Better start with a higher level of alarm (worst case assumption) and grade it down later than vice versa • Notify and involve public fire brigades and authorities as soon as possible • Analyse every incident and the response to improve the emergency organisation without blaming anyone
emergency call fire alarm system Emergency Response Workflow: Example Industrial Park Frankfurt-Hoechst (Sanofi-Aventis/Infraserv Höchst) incident dispatchof task forces
Categorisation of the incident Emergency Manager warning procedures Notification to local and state authorities safety regulations sirens radio announcements by police dep. Emergency response management group automated telephone messages dark page Emergency Response Workflow: Example Industrial Park Frankfurt-Hoechst (this and following slides: courtesy of Infraserv Höchst and Sanofi-Aventis)
Integrated Command Centre Hoechst Industrial park (Frankfurt/Germany)
Integrated Dispatch and Command Center 24 hours crewed by 5 Dispatchers
Site Fire Brigade with 2 Fire Stations within the Industrial Park
Warning Procedures – Warning of Neighborhood • Warning of affected areas by • 17 external sirens in 4 groups • Radio announcements • Automated telephone messages to hospitals, day care centers or schools
Scene of Incident Emergency Response Committee Emergency Manager Site Incident Manager Documentation Fire Brigade (site) Emergency Manager3-5 Secretary Environmental control Emergency Manager 2 Company Representative (company affected by incident) Site Security Communications Fire Brigade (site) Plant Manager Toxicology Occupational Physician Occupational Physician Additional Experts Environmental Protection Public Fire Brigade Site Security Public Fire Brigade Police Plant Safety Police Crisis management group Operational Structure
The Role of Authorities The cooperation between authorities and companies at an incident depends on their cooperation before the incident. • Open communication about risks and safety measures on a regular basis (e.g. in a local or regional committee) builds up trust which is urgently needed during emergency response • Authorities need to know about the possible scenarios for major accidents to do their own preparations • Authorities should have clear rules about their responsibilities in handling major incidents to avoid conflicts between the different agencies (e.g. labour safety, environment, civil protection, police etc.) • Mitigation of consequences should come first, legal prosecution of individuals responsible for the incident later
Neighbours, Journalists and Environmentalists The basic issue: Neighbours and the general public share the risks of industrial sites, but not necessarily the benefits. • Communication of relevant risks has to be done openly and in an adequate form (“not scientific”) prior to incidents (e.g. “neighbourhood councils”, brochures, ...) • to build up trust in the competence of the company to handle risks • to enable the neighbours to react adequately during an incident • The response of neighbours etc. to incidents is strongly influenced by the company´s response to requests and complaints prior to the incident • Fast and open information after an incident is crucial • Fears and worries of neighbours etc. have to be taken seriously even if they are based on emotions rather than science • On the long term, conflicts with neighbours etc. endangers the “licence to operate”
Crisis Communication Sometimes crisis communication becomes a crisis of communication!
Outline iDRM Approach in Europe 1 2 Risk Management Principles 3 Best Practice of Emergency Management 4 Conclusions
Conclusions • Investing in safe and eco-efficient plants pays off at least on the long term • The (remaining) risks of industrial plants can be assessed and are the basis for scenarios for emergency planning • The knowledge and experience of the operators should be used by all means • Risks should be communicated as well as benefits to all stakeholders, esp. the neighbours • The resources for emergency response (manpower, equipment, communications, organisation etc) have to be planned in advance and readily available in case of an incident. People usually accept the risk of a chemical/pharmaceutical plant, but not incompetence in handling it • Authorities should involve themselves actively in emergency planning, balancing this out with their law enforcement duties • Combined efforts will definitely lead to safer and more accepted plants, as the figures from Germany may show
Development of Accidents in Germany since 1950 „Arbeitsunfälle“ = occupational accidents „Wegeunfälle“ = acc. on the way to work
Thank you for your attention!... and special thanks to Richard Gowland, EPSC Technical Director, who contributed a number of slides