Chemical & Processing
Oil & Gas
Pharma Biotech
Infrastructure & Design

Risk Management in Downstream
- Ram K Goyal, Bahrain Petroleum Company, Bahrain
- Vinod Menon, Bahrain Petroleum Company, Bahrain
The paper highlights the need for a major change in process safety and risk management practices in downstream industry, particularly in the wake of the continuing stream of incidents of fires, explosions and releases of toxic substances from refineries worldwide despite availability of a major pool of smart designers, operators, planners, inspectors and engineers, IIT-graduates and other highly qualified personnel at its command.

In the media-dominated modern times, news of the fires and explosions in our industry travels at lightning speed. Images of smoke-filled skies and fireballs get repeated exposure on television screens. Public’s tolerance of our process incidents is wearing thin. We need a paradigm shift in our approach to process safety and risk management to stay in business.

In the wake of the continuing stream of incidents of fires, explosions and releases of toxic substances from our facilities and operations, the media and the general public have begun to seriously ask us: Why are we failing to prevent these tragic incidents from occurring? We are supposed to be the smart designers, operators, planners, inspectors, and engineers; we have terabytes of computing power at our finger tips; we have access to all kinds of sophisticated materials of construction; we use space-age automation and control systems; we have IIT-graduates and other highly qualified personnel at our command… and yet these incidents occur!

The industry cannot ignore this diminishing tolerance for spills, fires and explosions. And the decisions related to penalties arising from such an event to be imposed on the offending company are no longer being limited to be taken by market forces and regulatory and judiciary agencies hitherto charged with this task.

In the US, the Executive branch of the government intervened directly in the oil spill incident in the Gulf of Mexico. The offending company’s CEO was called to the White House and had to immediately set up a USD 20 billion separate account to deal with the clean-up and compensations. The adverse impact in the marketplace is also extremely severe; see Figure 1 which shows a company losing almost 50 per cent of its market value as a result of just two highly-publicised process safety events: an explosion and fire in one of its refineries and a massive oil spill from one of its platforms in the Gulf of Mexico.

Compliance-based Approach has Largely Failed
It appears that mere compliance with the laws of the country you are operating in, and following what is sometimes referred to as RAGAGEP (Recognised and Generally Accepted Good Engineering Practices) are not sufficient to prevent the low-probability-high-consequence events that make headlines on news channels. The regulations as drafted are all excellent (see Table 1 for some examples) and go a long way in reducing the likelihood and consequences of process safety events; however they are not deemed sufficient in the light of our recent experiences. Just prior to the terrible Vizag fire of August 2013, the company had fully implemented a detailed PSM (process safety management) system. The Richmond Refinery (in California) was in full compliance of all federal, state, and municipal regulations prior to the fire of August 2012, the Texas City refinery had passed all audits prior to the tragic event of 2005… the evidence piles on.

We need a major shift in our approach to process safety: we must develop a better understanding of the FLEXA risks we face (FLEXA is an insurance term that means Fire, Lightning, Explosion, and Aircraft/Act of God), we have to stop confusing between personnel safety performance and process safety performance, we have to take all fire incidents very seriously, we have to infuse knowledge-based decisions in our process safety management rather than rely on mere sound-bites and cheerleading, and we have to return to basics of intrinsic safety. Only then we stand a chance.

Remodel the Consequence Scale of Your Risk Matrix
In qualitative risk management, most practitioners rely on a ‘Risk Matrix’ that defines the likelihood or probability of a loss event on the Y-axis and the consequential cost on the X-axis; the resulting risk space is then divided into various categories ranging from Very Low to Very High. In a traditional matrix, the consequence axis was dominated by potential ‘property damage’ and ‘business interruption’ losses associated with the event under consideration. In the modern context, we need to highlight the environmental impact and ‘reputation losses’ that can far outweigh any direct dollar losses. In the US, the refining business has led a stifled life over the past several decades, initially due to stringent environmental regulations and uncertain refining margins. The impact has been so severe that there have been no new refineries built in the US since the mid-70’s. In the current context, several new factors have added to the burden carried by the refining business in the US (see Figure 2). Their plants are getting old, their experienced workforce is retiring or leaving for the more lucrative upstream business, and the public’s expectation of performance increases day by day. The public simply wants to use the fossil fuels they produce; it doesn’t want to see them, hear from them or smell them. So a refinery is expected to operate very quietly, with zero flaring and zero discharges, and with no incidents.

Process Safety vs Personal Safety
In the 1920’s, W H Heinrich, who was an engineering superintendent in a travelers’ insurance company, presented accidents data in the form of a triangle with three sections, the top representing the highest severity. He concluded that for every one serious accident (fatality or major injury) there were 29 injury accidents and 300 accidents where no injury resulted. For decades to follow, the 1-29-300 ratio was known as the Heinrich Triangle of Accidents (also sometimes referred to as the Heinrich Pyramid of Accidents).

Further enhancements to the Triangle were provided by a safety professional in the USA, Frank Bird, who in the 1970’s analysed almost two million incident records. More refined ratios between the minor and major events were determined. Also, a further lower level was added to the triangle to represent ‘at risk’ behavior of workers contributing to all near misses and incidents. The idea developed from there was that if in a company you were able to reduce the number of at-risk behaviors of your workforce you will see a corresponding reduction in the number of loss events occurring in your company. It was postulated that the beneficial impact of reducing the bottom of the triangle will propagate proportionately all the way to the apex of the triangle. That is to say, reducing the number of at-risk acts of the workforce will reduce the number of high-consequence events in the industry. The concept is visually presented in Figure 3.

At the heart of the Heinrich Triangle (and all others that followed subsequently) was the assumption that personal safety and process safety are a complete homogeneous mix in that one cannot and should not be thought of as anything different from the other; these were not to be treated as two separate concepts. What was good for enhancing personal safety was surely good for enhancing process safety. And as a corollary, if a company had shown an excellent personal safety record then surely the company could be assumed to have an equally excellent record of process safety. This myth was busted once and for all with the BP Texas City event of 2005. We learnt the painful lesson that the linkage between personal safety and process safety was rather tenuous. Achieving an injury-free record did not mean that everything was rosy at the process safety front also; and vice versa.

In terms of the Heinrich Triangle, what it means is that there is a very particular and specific class of at-risk behaviors that contribute to process safety events. These are represented as various polygons floating in the overall pool of at-risk behaviors in Figure 3. If we simply reduce the overall pool of at-risk behaviors then there is no guarantee that process safety events will also reduce as a result. One could easily imagine a situation where you can reduce the base of the triangle without affecting the polygons at all. Hence if you intend to reduce the likelihood of process safety disasters in your company, you need to reduce the size of the polygons or eliminate the polygons altogether.

There is No Such Thing as a ‘Small Fire’
Traditionally, we have reported refinery fires by using severity scales calling some fires as minor or small while others major or significant. For example, fires with direct damage of less than USD 1000 were labeled as ‘Non-reportable fires’ and those above USD 1000 as ‘Reportable Fires’. Even the recently issued American Petroleum Institute’s recommended practice (API RP754) categorises fires in Tier 1 and Tier 2 Process Safety Events, depending upon damage cost. In the refining business, we need to get away from that mindset. We need to etch it onto our hearts and brains that there is no such thing as a small fire. The Chevron Richmond Refinery fire did not result in any significant injury to any plant personnel, yet the public outcry would have us believe otherwise. Every fire in a refinery, no matter how ‘small’ it is, must be properly investigated at the highest level, preferably personally by the CEO or the Managing Director or the Director of operations. The entire workforce, including all contractors, need to fully appreciate that in the context of refinery operations there is no such thing as a small fire.

Knowledge-based PSM (Process Safety Management)
It can be successfully argued that lack of technical knowledge on the part of personnel involved has been a root cause or a causal factor in almost all process safety events on record in our industry. As a result of a recent loss of containment incident in a US refinery, they identified 66 corrosion mechanisms that can occur in a typical refinery. Ask your people how many of these 66 they are intimately familiar with. The Board Rooms and the CEOs are demanding to know the answer to a simple question: Can it happen again to us, or can it happen to us in one of our other facilities? And they don’t want a wishy-washy answer full of ifs and buts. They are demanding a simple YES or NO. And if the answer is YES, they are asking what it would take to convert the answer to NO. Well, you need people who know what needs to be known to achieve a zero loss-of-containment record. What is the corrosion mechanism? Is the material above auto-ignition temperature? Can we quickly isolate the source if a leak is detected? In this context, to some extent, the traditional Hazops have also failed us. A company CEO, during his site visits, casually asked his middle managers: “What are the top five hazards or risks that you see in your facility?” Most could not answer and those who did were just shooting from the hip. None of the traditional PHA methods insist that the findings need to be disseminated to all personnel in such a manner that the team’s conclusions make sense to them and that they can all at least understand the major risks identified and assessed for their areas of operation.

Intrinsic Safety Principles – Back to Basics
We need to emphasise the basic principles of intrinsic safety to all our personnel.
  • Procure the right asset through life-cycle cost analysis (not the lowest cost at the time of purchasing, but one that gives the lowest overall cost of ownership from ‘cradle to grave’).
  • Install it correctly ensuring compliance with all construction and erection standards (use Process Safety Management principle of Pre-Start-up Safety Reviews – PSSR).
  • Operate it within safe operating parameters using basic principles of operational excellence.
  • Maintain the equipment with optimum mix of various types of maintenance (breakdown, preventive, and predictive) and track performance through plant condition monitoring instrumentation.
  • Inspect the equipment at specified intervals governed by principles of risk-based inspection, equipment inspection history, on-line gauging, and other techniques.
  • Carry out safe disposal of the asset at the end of its life to ensure that there are no environmental or third-party liability issues that could crop up at a later date.

Concluding Remarks
The basic recipe is simple: do not let the hydrocarbons and toxic materials come out of the pipes and vessels in which these are supposed to be contained in. The Boardrooms have to have the Vision that it is doable and are therefore willing to open the purse strings. The engineers and operators then have to turn this Vision into Reality.

Learning lessons from past incidents is extremely cost effective. Do not let past incidents go to waste. There is a wealth of information in many of the incident investigation reports. The Jaipur IOC incident investigation report is one of the best. It is freely available from the internet; study it thoroughly. This report should be made a compulsory reading for all chemical engineering students worldwide.