next generation risk management

Process Safety Progress (Vol. 16, No. 2) Summer, 1997


Next Generation Risk Management

Robert Schumacher, Robin Pitblado and Ståle Selmer-Olsen
Det Norske Veritas, N-1322 Høvik, Norway

The management of safety, quality and environmental issues covers a complex set of interrelated issues of concern to society and industry. Traditionally an engineering approach has been adopted for the management of risk; the development of technical standards, operations and requirements. Recently, industry leaders have begun to realize that real progress will be made only through effective risk management systems. This paper presents a few of the key requirements for improving risk management and risk analysis. By improving the way risk analysis is used for decision support, improving hazard identification exercise, while incorporating site specific properties of design, condition, operation and management into an analysis, it is possible to improve the value of current risk management techniques.

DECISION SUPPORT REQUIREMENTS

Quantitative Risk Analysis (QRA) is one of the tools that has been used successfully in the past by planning authorities and business managers [1, 2] to aid in the difficult decision making processes required for plant engineering and siting. There is, however, considerable room for improvement [3]. Existing process Risk Analysis techniques do not in full measure address each of the four primary areas of decision difficulty [4], namely:

• complexity
• knowledge and uncertainty
• multiple objectives and
• different perspectives.

In the case of siting a specific plant or designing a unit extension, decision-makers must consider many issues such as different design concepts, values held by different community groups, varying economic impacts, different courses of action, and so forth. QRA would benefit greatly by addressing the needs of decision makers to structure the complex information in a more understandable manner.

Most of the variables that go into a QRA are uncertain. Nonetheless, modeling the effects of uncertain variables on the decisions to be made is generally given only cursory attention. In addition, in the hazard identification phase of QRA, knowledge of the mechanisms for dealing with different potential hazards is limited by the resources available to gather such information. Changes in the QRA approach to identify important sources of uncertainty plus quantifying the effect would help decision makers allocate the appropriate resources for gathering knowledge and developing solutions.

A decision-maker may be interested in attaining multiple objectives. Notwithstanding, progress in one direction may hinder progress in others. Cost-Benefit Analysis (CBA) using results of QRA has had limited success in the process industry [5]. It suffers from considerable weakness especially with regard to siting evaluations. This is due to redistribution of wealth issues, the exigency for dollar assessment of human life, the overstatement of costs and the failure to highlight intangible benefits. The ability to supply different decision makers such as authorities, management, public, and employees with balanced perspectives on safety, environment, economy and society is a challenge for today’s risk manager.

Different perspectives may lead to different conclusions if more than one person is involved in the decision-making process. Difference of opinions as to the values and uncertainties used in an analysis can lead to disagreement in the results. Currently, QRA does not easily lend itself to resolve these differences. The involvement of persons with different backgrounds at different phases of an analysis by making the process more understandable can help avoid problems of acceptance.

HAZARD IDENTIFICATION COMPLETENESS AND RELEVANCE

DNV has completed a research project in the area of hazard identification. They came to the conclusion that further research into the use of advanced expert systems for hazard identification does not meet the general requirements of engineers and managers who are responsible for designing or operating a process plant. The knowledge required to create an expert system is either too specific to be applied to anything but the plant it is designed for or too general to be of relevant use to a specific plant. In addition, the direct results of using existing and planned expert systems in a hazard identification are difficult to communicate and are not decipherable by experts requiring information in order to make decisions.

Future efforts should focus on improving the quality and efficiency of team based multidiscipline hazard identification techniques and in organizing methods to achieve structured results. One technique “undervalued” by industry is the What-If technique. The What-If Checklist method is well known, but has been virtually displaced by HAZOP and, due to lack of development, has acquired a slightly tarnished image as a “cheap” alternative. Nonetheless, with some improvement it does provide significant means to improve the hazards management process through improved results structure, better auditability of process and depth of study, wider range of use, more efficient use of knowledge and improved cost effectiveness.

Improvements made in the What-If technique are relatively simple. The basis is the creation of a What-If question database. Questions in the database are arranged within modules. The modules can be set up by the user depending on his needs. A module can be a hazard type (work environment, fire, ignition, etc.), a hazard control measure (passive fire protection, alarms, work permits, etc.), a specific type of equipment item (pressure vessel, crane, flange, etc.), or a specific type of operation (unloading, jetting, replacement, etc.). In addition, each question in each module is cross-referenced to a knowledge source, to the type of plant it is applicable to, to the type of hazard it represents, and to the importance of the question. In this way, the scope of hazard identification study can be built up by choosing the modules used and the desired cross-references.

FIGURE 1 Example of influence diagram.

Once the first What-If team sessions are completed, the results of the study are easily incorporated into influence diagrams which are used by the team to check the extent of their discussion and to communicate the results to the management. An example of an influence diagram is shown in Figure 1.

An influence diagram is a graphical representation of the influence of one parameter on another. Figure 1 displays the dropped object hazards that were discussed in the hazard identification session plus the references to the recommendations made to control those hazards. It is easier to identify omitted hazards or show where control measures are lacking on a diagram such as Figure 1 as opposed to a list of HAZOP logsheets. This has been proven to substantially improve communication within the hazard identification team as well as to management responsible for making the decisions afterward.

MAKING RISK ANALYSIS MORE SITE SPECIFIC

Risk analysis for the process industry has been unbalanced in its execution almost since the earliest studies. The imbalance is related to the difference in site specificity in the treatment of consequences and frequencies. These are equivalent in their effect on the final risk result. Currently, risk based decisions are more likely to be biased by failure rate data than by inaccurate consequence modeling.

The treatment of consequences has always been event-case site specific. Releases of hazardous materials are modeled using consequence software. The analysis considers the fluid properties, hole size, inventory, and blowdown and isolation capabilities, ambient weather conditions, and factors affecting the transport mechanisms and ultimate impact.

In contrast to this highly site specific approach, the frequency analysis tends to be generic. The early basis for historical data is well set out in the Rijnmond Report [1]. Historic data has several features which commend it well. For instance:

• Historical data is found in real experience from actual process plant operations
• The rich variety of real complex failure modes, and human and organizational factors are included
• Over time, the available historical data set has increased in size, thus making it more robust

The negative factors of historical data are:

• Because it is historical it may no longer reflect the current situation
• Engineering design or operational management changes may make data inappropriate

In any loss of containment event there are factors which are inherently predictable and unpredictable. The basic generic data set has been compiled by analysis of company records and public accident records. These are a mixture of failure frequencies (e.g. for vessels, pipes, seals, etc.) and failures on demand for safeguards (e.g. excess flow valves, non-return valves, relief and blowdown systems).

While this is effective and does embody the advantages listed above, it does assign the same failure frequency for every similar sized item, regardless of fluid conditions, service environment, and quality of operation and process safety management system. At an operating level, this is clearly untrue.

Several techniques have been developed to modify failure frequencies, the most well known being fault trees. However, fault trees are expensive to produce. In order to save costs, several analysts have proposed using frequency multiplication modifiers [6].

Modifiers based on mechanisms have been developed in the nuclear industry as well [7]. Other systems have been developed to try to account for the quality of safety management systems in use on individual sites [8].

The future in QRA is to make the frequency domain as site specific as the consequences domain is today. Risk results will incorporate the specific failure mechanisms of most concern, model these explicitly, and demonstrate the effectiveness of safeguards, management systems, mechanical integrity programs, etc. By explicitly modeling the uncertainty associated with the estimation of these mechanisms, it will be possible to prioritize whether detailed modeling of the mechanisms is required or not. This will enhance risk-based decision making and link the risk analysis much more closely to the safety management approach employed in Europe (the Seveso Directive and amendments) and partially in the USA through OSHA 1910.
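The prioritization described above can be sketched as follows. This is an added example, not code from the paper or from DNV: it assumes each frequency multiplication modifier is lognormally distributed and described by a median and an error factor (95th percentile divided by median), and the generic frequency, modifier names and all numbers are constructed for illustration.

```python
import math
from dataclasses import dataclass

Z95 = 1.645  # standard normal quantile for the 95th percentile


@dataclass
class Modifier:
    name: str
    median: float        # multiplicative factor applied to the generic frequency
    error_factor: float  # assumed: ratio of 95th percentile to median (>= 1)

    @property
    def sigma(self) -> float:
        # Log-space standard deviation of a lognormal with this error factor
        return math.log(self.error_factor) / Z95


def site_frequency(generic_per_year, modifiers):
    """Median, mean and 95th percentile of generic * product(modifiers)."""
    median = generic_per_year * math.prod(m.median for m in modifiers)
    var = sum(m.sigma ** 2 for m in modifiers)  # log-variances add for a product
    return {
        "median": median,
        "mean": median * math.exp(var / 2),
        "p95": median * math.exp(Z95 * math.sqrt(var)),
    }


def variance_shares(modifiers):
    """Fraction of the log-frequency variance contributed by each modifier."""
    total = sum(m.sigma ** 2 for m in modifiers)
    return {m.name: (m.sigma ** 2 / total if total else 0.0) for m in modifiers}


def needs_detailed_model(modifiers, threshold=0.5):
    """Modifiers whose uncertainty dominates the result and so justify
    explicit modeling (for example a fault tree) instead of a multiplier."""
    shares = variance_shares(modifiers)
    flagged = [name for name, share in shares.items() if share >= threshold]
    return sorted(flagged, key=lambda name: -shares[name])


# Constructed sample: a generic frequency of 1e-4 per item-year, adjusted for
# three site specific properties of the kind the text lists.
GENERIC = 1.0e-4
SITE = [
    Modifier("service_environment", median=2.0, error_factor=10.0),
    Modifier("fluid_conditions", median=1.5, error_factor=2.0),
    Modifier("safety_management_quality", median=0.5, error_factor=3.0),
]

if __name__ == "__main__":
    print(site_frequency(GENERIC, SITE))
    print(variance_shares(SITE))
    print(needs_detailed_model(SITE))
```

With these constructed inputs the poorly known service-environment modifier carries about three quarters of the uncertainty, so it is the one flagged for explicit modeling, while the other two can stay as simple multipliers.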

CONCLUSIONS

A classical business management model is shown in Figure 2. Obviously the model is very general and can be related to any business parameter including: revenue, expense, catastrophic loss, employee injury, etc. The focus of business managers has generally been on revenue and expenses. Losses were relegated under an insurance umbrella or “happened by chance”. In recent years the traditional business model has been explicitly applied to the management of safety aspects by European industry [9] and others throughout the world. Safety is one of the important variables in the value adding equation.

FIGURE 2 Business management model. (Elements shown: Policy and Objectives; Organization, Responsibilities and Resources; Planning and Implementation.)

Today, personnel risks, environmental risks and property risks are being managed more efficiently by industry. An important key to managing these risks comes in the identification of the hazard. An unidentified risk cannot be managed or is in effect only managed by chance. Once identified, the risks can be assessed through qualitative or quantitative means. Measures to control the risk can then be differentiated. Where it is not possible or desirable to control the risks further, means of recovery can be defined.

Each phase of this process as it functions in practice today can be improved. It has been shown in this paper that risk management in the future can be improved by addressing the needs of decision-makers, improving hazard identification processes and incorporating site specific parameters in the assessments.

LITERATURE CITED

1. Rijnmond Public Authority, “A Risk Analysis of 6 Potentially Hazardous Industrial Objects in the Rijnmond Area,” Netherlands (1982).

2. Hong Kong Government, “Tsing Yi Island Risk Assessment,” Hong Kong (1989).

3. Ramsay, C., “Overview of QRA Strengths and Weaknesses,” presented at Risk 2000 Seminar, London (1993).

4. Clemen, R. T., Making Hard Decisions, PWS-KENT, California (1991).

5. Fleischman, A. B., et al., “The Use of Cost Benefit Analysis in Evaluating the Acceptability of Industrial Risks,” London (1989).

6. Kolluru, R., et al., Risk Assessment and Management Handbook, McGraw Hill, New York (1996).

7. Thomas, H. M., “Pipe and Vessel Failure Probability,” Reliability Engineering, 2:83-124 (1981).

8. Hurst, N. W., et al., J. Hazardous Materials, 26:159-186 (1991).

9. IChemE, “Safety Management Systems,” Rugby, UK (1994).

This paper (49F) was presented at the Fifth World Congress of Chemical Engineering, held in San Diego, California, on July 16, 1996.
