The Precautionary Principle – care required!

In a number of spheres, from environmental issues to public health, there is a growing tendency for the precautionary principle to be adopted in decision making. At one level, this is understandable. When faced with a clearly life-threatening situation it is better to be safe than sorry by choosing not to do something. If a grizzly bear is known to be in the vicinity then it may be wise to stay indoors until the threat has passed (or someone else has dealt with it).

However, I would argue that the use of the precautionary principle when it comes to complex risk decisions is a cop-out by decision-makers. The principle is too often employed with an over-riding focus on a single issue, e.g. climate change or an epidemic, and thereby over-simplifies the problem. What is neglected (intentionally or unintentionally) is the fact that every decision has consequences. The benefits of any particular course of action always incur a cost. When it comes to risk, any decision always entails a trade-off between a cost and a benefit. The benefit has to outweigh the cost, and not just marginally: there has to be a sense of proportion. In other words, the price we’re prepared to pay must be worthwhile – we don’t pay any price for a marginal increase in benefit.

The precautionary principle inherently neglects these inevitable trade-offs and the principle of gross disproportion. It also tends to be employed when there is a high degree of uncertainty over the outcome. It’s attractive in this regard because all sorts of exaggerated claims can be made about the consequences of carrying on as normal without the ability to prove or disprove them. Fear is a powerful ally.

Engineers need to do better than revert to the precautionary principle when faced with difficult and complex problems.

Fukushima

Some notable and sobering quotes from “The Official Report of The Fukushima Nuclear Accident Independent Investigation Commission”, published by the National Diet of Japan and chaired by Kiyoshi Kurokawa (2012).

  1. It was a profoundly man-made disaster – that could and should have been foreseen and prevented.
  2. What must be admitted – very painfully – is that this was a disaster “Made in Japan.” Its fundamental causes are to be found in the ingrained conventions of Japanese culture: our reflexive obedience; our reluctance to question authority; our devotion to ‘sticking with the program’; our groupism; and our insularity.
  3. The regulators should have taken a strong position on behalf of the public, but failed to do so. As they had firmly committed themselves to the idea that nuclear power plants were safe, they were reluctant to actively create new regulations.
  4. We have concluded that—given the deficiencies in training and preparation—once the total station blackout occurred, including the loss of a direct power source, it was impossible to change the course of events.
  5. In spite of the fact that TEPCO and the regulators were aware of the risk from such natural disasters, neither had taken steps to put preventive measures in place. It was this lack of preparation that led to the severity of this accident.
  6. The Japanese nuclear industry has fallen behind the global standard of earthquake and tsunami preparedness, and failed to reduce the risk of severe accidents by adhering to the five layers of the defense-in-depth strategy.
  7. The power supply system was especially poor from a defensive perspective, and suffered from a lack of redundancy, diversity and independence.
  8. A third issue was the arbitrary interpretation and selection of a probability theory. TEPCO tried to justify the belief that there was a low probability of tsunami, and used the results of a biased calculation process as grounds to ignore the need for countermeasures.

Some flawed thinking

I recently came across a Safety Integrity Level (SIL) review of a high level trip on a production separator.  Neither the relief valve nor the pressure control valve to flare off the top of the separator are sized for multiphase relief in the event that the liquid outlet should become blocked and the vessel overfill.  These protective devices will therefore not stop the vessel overpressuring, especially as the upstream pressure from the wells is several times the design pressure of the separator.  So you would think that the high level trip is quite important and intuitively should have a high SIL requirement.

The trip was assessed by Layer of Protection Analysis (LOPA).  And this is where the flawed thinking arises.  In the assessment, the worst case consequence was assumed to be an overpressure less than the corrected hydrotest pressure of the vessel on the basis that the relief valve and the pressure control valve would open allowing partial pressure relief.  So credit is implicitly being taken of protective layers acting to limit the consequence.  That’s bad enough logic, but then it is further compounded by claiming a probability of failure on demand (PFD) of 1 in 100 for the relief valve as an independent protective layer (IPL), in effect taking double credit for the relief valve.  The end result is a low SIL requirement.

A correct assessment of the situation needs to start with the unmitigated consequence in the absence of any layers of protection – what’s the worst case pressure the vessel can experience and will it rupture? How often is this event likely to happen based on failure of the liquid level control? Then move on to consider what IPLs actually exist which fully mitigate the consequences. Clearly, if the relief valve and the pressure control valve are undersized for a blocked liquid outlet, no credit can be taken for them. Even though they may act to limit the extent of the overpressure, their failure to act (which is what LOPA assesses) results in the worst case consequence, and this needs to be considered in setting the SIL requirement for the high level trip.

LOPA is a simplified technique which can’t handle IPLs providing partial protection.  There are other tools to evaluate this such as fault trees.
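To make the difference between the two assessments concrete, here is a small Python LOPA calculation added as an illustration (it is not from the original post). The initiating event frequency and the tolerable event frequencies are assumed values; the SIL bands are the IEC 61508 low-demand PFD ranges, and an IPL earns credit only if it is flagged as fully mitigating the scenario.

```python
"""Added LOPA example: flawed vs correct credit for the separator high level trip.
All frequencies below are assumed for illustration, not taken from the post."""
from fractions import Fraction  # exact arithmetic keeps SIL band boundaries unambiguous

# IEC 61508 low-demand bands: SIL -> (lower PFD bound inclusive, upper bound exclusive)
SIL_BANDS = {1: (Fraction(1, 100), Fraction(1, 10)),
             2: (Fraction(1, 1000), Fraction(1, 100)),
             3: (Fraction(1, 10000), Fraction(1, 1000)),
             4: (Fraction(1, 100000), Fraction(1, 10000))}

def sil_for_pfd(required_pfd):
    """SIL band containing required_pfd; 0 means no SIL-rated trip is needed (PFD >= 0.1)."""
    if required_pfd >= Fraction(1, 10):
        return 0
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= required_pfd < hi:
            return sil
    raise ValueError("beyond SIL 4: a single trip cannot deliver this, add layers or redesign")

def required_trip_pfd(initiating_freq, ipls, target_freq):
    """PFD the trip must achieve so that target_freq is met.
    ipls: (name, pfd, fully_mitigates) tuples; only layers that fully mitigate earn credit."""
    mitigated = initiating_freq
    for _name, pfd, fully_mitigates in ipls:
        if fully_mitigates:
            mitigated *= pfd
    return target_freq / mitigated

LEVEL_CONTROL_FAILURE = Fraction(1, 10)  # initiating event, per year (assumed)
# Relief valve is undersized for multiphase relief, so it cannot prevent rupture on its own.
RELIEF_VALVE = ("relief valve", Fraction(1, 100), False)

def flawed_assessment():
    """The reviewed logic: consequence downgraded to 'below hydrotest' and relief valve credited."""
    target_below_hydrotest = Fraction(1, 20000)  # assumed tolerable frequency, milder consequence
    relief_double_credited = (RELIEF_VALVE[0], RELIEF_VALVE[1], True)
    pfd = required_trip_pfd(LEVEL_CONTROL_FAILURE, [relief_double_credited], target_below_hydrotest)
    return pfd, sil_for_pfd(pfd)

def correct_assessment():
    """Start from the unmitigated consequence (vessel rupture) and credit no partial layer."""
    target_rupture = Fraction(1, 50000)  # assumed tolerable frequency for vessel rupture
    pfd = required_trip_pfd(LEVEL_CONTROL_FAILURE, [RELIEF_VALVE], target_rupture)
    return pfd, sil_for_pfd(pfd)

if __name__ == "__main__":
    for label, (pfd, sil) in (("flawed", flawed_assessment()), ("correct", correct_assessment())):
        print(f"{label:7s}: required trip PFD = {float(pfd):.3g} -> SIL {sil}")
```

With these assumed numbers the flawed route lands on SIL 1 for the trip while the correct route, taking no credit for the undersized relief valve, requires SIL 3.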

Always guard against the tendency to “bend” the rules of a particular technique beyond the bounds of its validity and end up with flawed thinking about an issue. It might be more painful to use a more sophisticated technique but the answer will be robust.

The need to get uncomfortable with the current reality

I’ve been chairing some Safety Integrity Level (SIL) assessments recently for an offshore asset in the North Sea of late 1980s vintage.  There have been multiple changes over the years with several subsea tiebacks added.  Nothing out of the ordinary in that per se. However, what I’ve found intriguing is the preservation of past design standards alongside current standards on the one platform.  For example, the high pressure/low pressure (HP/LP) interfaces on the original production separators are only protected by the downstream relief valve on the low pressure separator, and there is only a control valve at the interface – no independent shutdown valve to isolate the segments and no low level trip on the upstream vessel to prevent gas blowby.  It’s 2019, with no apparent attempt to incorporate lessons learned from the Grangemouth Hydrocracker explosion in 1987: http://www.hse.gov.uk/comah/sragtech/casebpgrang87b.htm

Alongside this design, there are several high integrity pressure protection systems (HIPPS) protecting the HP/LP interface between the subsea systems and topsides reception facilities.  These use a mixture of reactive and permissive type voted pressure trips acting on multiple shutdown valves to protect against failures which could result in the downstream relief valves being overwhelmed.  Each subsequent subsea tieback seems to incorporate increasingly complex shutdown logic to accomplish the same protection.  It took me the best part of a day to get to grips with the logic protecting one HP/LP interface – this may suggest it’s too complicated, which can be counter-productive in the long run.

This illustrates one of the challenges with managing change on old assets – simultaneously justifying the acceptance of outdated and vulnerable safety systems alongside the adoption of overly complex ones, and thinking risk has been satisfactorily reduced as low as reasonably practicable.

Sometimes it’s worth taking time out to step back from the details of one specific system and to experience some discomfort about the reality of the situation to think more clearly about the overall design – is the protection in the right place, to the correct standard, and of appropriate complexity?