1. European Best Practice for industrial Disaster Risk Management (iDRM) Christian Jochum (chr.jochum@t-online.de) InWEnt Senior Advisor (www.inwent.org) Director of Centre, European Process Safety Centre (www.epsc.org) Chairman, German Commission on Process Safety (www.kas-bmu.de) India, September 2010

2. Professional Profile Christian Jochum –Born 1943 in Frankfurt a.M./Germany –PhD in Chemistry, certified Safety Engineer –Honorary Professor at Frankfurt University –28 years experience in large chemical/pharmaceutical company (Hoechst AG) 1969 – 1979 Pharmaceutical research and pilot plant operations 1979 – 1997 Safety department (Site and Corporate Safety Director and „Major Accident Officer“ since 1987) –EHS – and crisis management consulting for different types of businesses and administration since 1997 –Commission on Process Safety (formerly Major Hazard Commission) at the German Federal Minister for the Environment (Chairman since 1998) –European Process Safety Centre (Rugby/UK): Director of Centre since 2007 –InWEnt Senior Advisor since 2009 2

3. EPSC (European Process Safety Centre) Industry funded association of major chemical companies in Europe. Approx. 40 contributing enterprises Dedicated to sharing and improving best practice in Chemical Process Safety Study groups on –Safety Critical Systems (inc. IEC 61511) –Buncefield type facilities overfill protection –Layer of Protection Analysis (LOPA) –Auditing –Process Safety Incident and KPI reporting –ATEX –Senior Management Commitment Work in conjunction with European Commission on implementation and upgrading Seveso 2 Directive Partnerships with CEFIC (European Chemical Industry Council) and U.S. Center for Chemical Process Safety (CCPS) www.epsc.org 3

4. Mandated by the Federal Emission Control Act –Advises government as well as plant operators and state and local authorities on process safety –32 members with different professional and educational background representing different stakeholders (“Round Table”) –Any group needs “allies” to win votes –Consensus intended, but majority decisions possible About 55 guidelines issued on different topics, e.g. –Land Use Planning (Safety distances) –Risk evaluation and perception –Emergency Planning –Industrial parks –Provisions against terrorist attacks on chemical plants All publications of the Commission are available (partly in English) at www.kas-bmu.de Commission on Process Safety (Kommission fuer Anlagensicherheit [KAS]) 4

5. Outline 1 1 iDRM Approach in Europe Best Practice of Emergency Management 3 3 Risk Management Principles 2 2 Conclusions 4 4 5

6. The drivers for Process Safety and industrial Disaster Risk Management (iDRM) in Europe are Lessons learnt (Bhopal, Seveso, Toulouse, Texas City, Buncefield,...) Ethical dimension (Responsible Care (R)) Seveso 2, OSHA PSM National Standards Industry benchmarking (Major Hazard record of industry) Economics (Business Continuity) 6

7. iDRM basic principle Crisis management assessment should cover all parts of emergency- and crisis- management... identify hazards comprehensively... pursuing the goal to define and train as much as possible in advance avoid or control risks communicate remaining risks mitigate consequences remediate damages restore trust 7

8. Outline 1 1 iDRM Approach in Europe Best Practice of Emergency Management 3 3 Risk Management Principles 2 2 Conclusions 4 4 8

9. 9 Prevention This map is common, you will see it again Risk is a combination of HAZARD Severity and FREQUENCY or LIKELIHOOD Mitigation

10. Risk Review Requirements The risk review process has to be determined by all relevant stakeholders/departments of the organisation in writing (company guideline) shared with authorities etc. defining the risk review team (multi-disciplinary including operator level) defining milestones for and different levels of risk review (e.g. Design phase, pre-commissioning, pre- start up, changes, etc) 10

11. What the client ordered How the project mgr. understood it How it was planned by the engineer How it was implemented by the technicians How the consultant interpreted it How it was documented How it was eventually built What was charged To the client What the client really wanted What was subject of the service agreement Design, Build and Operate 11

12. Hazard Identification All hazards have to be identified comprehensively and systematically... eg. „classical“ EHS-hazards, loss of production,... Operation hazards Network hazards Environmental hazards eg. failure of utilities, supplies, transportation... eg. natural hazards, adjacent plants and traffic ways,... eg. densely populated areas/buildings, natural reserves,... Environmental vulnerability eg. plant vulnerability, neighbourhood/environment sensitivity, company image,... Terrorist threats... by e.g. “What if”, checklists, HAZOP, FMEA etc. 12

13. Risk Assessment Risk is a combination of hazard Severity and Likelihood or frequency, often expressed as R=f(S,L) Severity may be determined by Gas dispersion in combination with criteria for human effects such as: ERPGs (Emergency Response Planning Guidelines) AEGLs (Acute Exposure Guideline Levels) Explosion Overpressure and Fire radiation effects using tools such as: TNO methodology FLACS Likelihood may be estimated by expert opinion/experience databases for failure frequencies (semi-) quantitative assessments (risk graph, fault or event trees etc.) Assessment of safety barriers and mitigation (e.g. “bow tie” diagram, Layer of Protection Analysis = LOPA) 13

14. ‘Bow Tie’ Diagram 14

15. Plant Emergency Response Physical Protection e.g. Relief Devices Safety Instrumented System preventative action Critical Alarms and Operator intervention Basic Process Control System, Operating Discipline / Supervision Plant Design integrity Community Emergency Response The LOPA “Onion” 15

16. 16 Protection Layer Concept

17. LOPA criteria -1- Initiating events Control system failures Human error Piping and equipment failures Interruption of utilities (e.g. Cooling) Independent layers of protection Basic Process Control System (possibly) Alarm and operator response Relief systems Safety Instrumented Systems Other qualifying Safety Related Protection Systems Need to independent, effective, tested, audited

18. LOPA criteria -2- Conditional Modifiers Weather conditions Probability of ignition Probability of ignition leading to explosion Probability that person(s) will be exposed Probability that an exposed person will suffer a particular harm May be difficult to justify and evaluate Mitigation (right hand side of bow tie) Fire protection Emergency Response Water curtains Secondary and tertiary containment etc

19. ‘Tolerable’ frequencies for events What risk can we tolerate? –Frequency for an event of a given severity (injury, environmental insult etc.) Users need to specify but aim to meet or exceed (do better than) regulator requirements The chosen tolerability becomes the target for risk management sometimes called ‘Risk Governance’ for the company (usually Individual or Societal Risk) Data and guidance available for injury/fatality and environmental effects 19

20. Likelihood of ‘n’ fatalities from a tank explosion per tank per year Risk Tolerability 10 -4 /yr - 10 -5 /yr Tolerable if ALARP 10 -5 /yr - 10 -6 /yr Broadly acceptable Tolerable if ALARP 10 -6 /yr - 10 -7 /yr Broadly acceptable Tolerable if ALARP 10 -7 /yr - 10 - 8 /yr Broadly acceptable Fatalities (n)12-1011-50 Tolerability Data (Fatalities) (Buncefield LOPA Guidance Dec 2009, final report from U.K. HSE) ALARP = As Low as Reasonably Practicable 20

21. 1.E-12 1.E-11 1.E-10 1.E-09 1.E-08 1.E-07 1.E-06 1.E-05 1.E-04 1.E-03 1.E-02 1101001,00010,000 (N) Number of Potential Fatalities Frequency of N or more Serious Injuries Government or Corporate Evaluation Criteria Business Evaluation Criteria Example Risk Evaluation Criteria 21

22. Categories for Environmental Risk (U.K. Environment Agency) Categ.Definitions 6Catastrop hic Major airborne release with serious offsite effects Site shutdown Serious contamination of groundwater or watercourse with extensive loss of aquatic life 5Major Evacuation of local populace Temporary disabling and hospitalisation Serious toxic effect on beneficial or protected species Widespread but not persistent damage to land Significant fish kill over 5 mile range 4Severe Hospital treatment required Public warning and off-site emergency plan invoked Hazardous substance releases into water course with ½ mile effect 3Significan t Severe and sustained nuisance, e.g. strong offensive odours or noise disturbance Major breach of Permitted emissions limits with possibility of prosecution Numerous public complaints 2Noticeabl e Noticeable nuisance off-site e.g. discernible odours Minor breach of Permitted emission limits, but no environmental harm One or two complaints from the public 1Minor Nuisance on site only (no off-site effects) No outside complaint Heading and introduction from Section 3.7 in “IPPC H1: Integrated Pollution Prevention and Control (IPPC) and Environmental Assessment and Appraisal of BAT”, Version 6 July 20 22

23. Category Acceptable if frequency less than Acceptable if Reduced as Reasonably Practical and frequency between Unacceptable if frequency above 6 Catastroph ic 10 -6 per year10 -4 to 10 -6 per year10 -4 per year 5 Major 10 -6 per year10 -4 to 10 -6 per year10 -4 per year 4 Severe 10 -6 per year10 -2 to 10 -6 per year10 -2 per year 3 Significant 10 -4 per year10 -1 to 10 -4 per year10 -1 per year 2 Noticeable 10 -2 per year~ 10 +1 to 10 -2 per year~10 +1 per year 1 Minor All shown as acceptable -- Typical Environmental Tolerability Criteria 23

24. TOLERATED EVENT FREQUENCY (Target) PER YEARSINGLE FATALITY (e.g.) 10 -5 ( per year) INITIATING EVENT FREQUENCY PER YEARCONTROL SYSTEM LOOP FAILS 10 -1 PROBABILITY OF IGNITION (e.g.) PROBABILITYQuantity, M.I.E., site factors 10 -1 PROBABILITY OF EXPOSURE PROBABILITY100%10 -0 INDEPENDENT LAYER OF PROTECTION 1 PROBABILITY OF FAILURE ON DEMAND Basic Process Control System 10 -1 INDEPENDENT LAYER OF PROTECTION 2 PROBABILITY OF FAILURE ON DEMAND Safety Instrumented System  <10 -2 Example for Risk Calculation 24

25. Land Use Planning example from Netherlands - Individual Risk (fatality) 10 -6 1/a - In addition Societal Risk as criterion - Definition of thresholds for overpressure, heat radiation and toxicity http://www.sfk-taa.de/publikationen/andere/DNV_14102005.pdf 10 -3 10 -5 10 -7 10 -9 10 - 11 1 10 100 fatalities Freque ncy in 1/a Societal Risk not acceptable Societal Risk acceptable  25

26. Risk Assessment has to be adopted to the needs LEVEL 1: PROCESS HAZARDS ANALYSIS Should be done by plant based people They then have a better understanding of the risks and possibly how they may be reduced LEVEL 2: RISK REVIEW Specialist help from e.g. Process Engineering or Process safety function at site – should include Plant based people in the team LEVEL 4: QUANTITATIVE RISK ASSESSMENT Specialist help from external expertise. Owner needs to define scope and data and critique the outcome. Level 1: PROCESS HAZARD ANALYSIS Level 2: RISK REVIEW L4: QRA LEVEL 3: ENHANCED RISK REVIEW Specialist help from e.g. Process Engineering or Process Safety function within Corporate – should include Site and Plant based people in the team Level 3 ENHANCED RISK REVIEW 26

27. Measuring Process Safety Performance: Process Safety Indicators (PSI) reporting levels Large loss of primary containment (LOPC) event Small loss of primary containment event Challenges to the safety system Operating discipline & management system 27

28. Thresholds for Loss of Containment becoming a PSI Cefic (European Chemical Industry Council) suggestion based on GHS classification 28

29. Outline 1 1 iDRM Approach in Europe Best Practice of Emergency Management 3 3 Risk Management Principles 2 2 Conclusions 4 4 29

30. Important: ability to react fast! The bigger a corporation, the higher the expectations even for small sites Management of Remaining Risks Communicate remaining risks to staff (operating procedures, training, drills, …) to external stakeholders (customers, neighbours, authorities – but careful regarding security risks!) Mitigate consequences Internal emergency planning (above all organisation, equipment, drills) Cooperation with external services (neighbouring plants, public services) 30

31. Crisis Management Systems: can the unpredictable be planned? Define as much as possible in advance, because...... crisis always happen at the wrong time and place... your regular organisation is not sufficient to handle crisis... all resources of the whole company have to be available in due time... public, media and authorities expect professional handling of crisis, too 31

32. Emergency Response The basic principle: the faster and more effective the initial response, the smaller the consequences for men, environment and economy. Provide the infrastructure for fast response (fire brigade, emergency control room, availability of key personnel, etc.) Encourage immediate reporting of incidents (not to wait until own efforts failed...), do not blame for false alarms If the fire brigade is (partly) staffed by operators be aware of the risks of understaffed production Better start with a higher level of alarm (worst case assumption) and grade it down later than vice versa Notify and involve public fire brigades and authorities as soon as possible Analyse every incident and the response to improve the emergency organisation without blaming anyone 32

33. Mock Drills Major incidents hopefully become less frequent. This makes drills even more important...... to train seldom used procedures... to reduce mental stress during incidents... to optimise emergency- and crisis- management... to make sure that necessary resources are available 33

34. Emergency Response The basic principle: the faster and more effective the initial response, the smaller the consequences for men, environment and economy. Provide the infrastructure for fast response (fire brigade, emergency control room, availability of key personnel, etc.) Encourage immediate reporting of incidents (not to wait until own efforts failed...), do not blame for false alarms If the fire brigade is (partly) staffed by operators be aware of the risks of understaffed production Better start with a higher level of alarm (worst case assumption) and grade it down later than vice versa Notify and involve public fire brigades and authorities as soon as possible Analyse every incident and the response to improve the emergency organisation without blaming anyone 34

35. incident dispatch of task forces emergency call fire alarm system Emergency Response Workflow: Example Industrial Park Frankfurt-Hoechst (Sanofi-Aventis/Infraserv Höchst)

36. dark page Notification to local and state authorities warning procedures Emergency response management group Emergency Response Workflow: Example Industrial Park Frankfurt-Hoechst (this and following slides: courtesy of Infraserv Höchst and Sanofi-Aventis) Categorisation of the incident Emergency Manager automated telephone messages sirens radio announcements by police dep. safety regulations

37. Integrated Command Centre Hoechst Industrial park (Frankfurt/Germany) 37

38. Integrated Dispatch and Command Center 24 hours crewed by 5 Dispatchers

39. ELR Arbeitsplatz 39

40. Site Fire Brigade with 2 Fire Stations within the Industrial Park

41. Warning Procedures – Warning of Neighborhood Warning of affected areas by 17 external sirens in 4 groups Radio announcements Automated telephone messages to hospitals, day care centers or schools

42. Crisis management group Operational Structure Scene of Incident Emergency Manager Fire Brigade (site) Environmental control Site Security Plant Manager Occupational Physician Police Public Fire Brigade Emergency Response Committee Site Incident Manager Emergency Manager 2 Fire Brigade (site) Occupational Physician Environmental Protection Site Security Plant Safety Company Representative (company affected by incident) Communications Toxicology Public Fire Brigade Police Secretary Emergency Manager3-5 Additional Experts Documentation

43. The Role of Authorities The cooperation between authorities and companies at an incident depends on their cooperation before the incident. Open communication about risks and safety measures on a regular basis (e.g. in a local or regional committee) builds up trust which is urgently needed during emergency response Authorities need to know about the possible scenarios for major accidents to do their own preparations Authorities should have clear rules about their responsibilities in handling major incidents to avoid conflicts between the different agencies (e.g. labour safety, environment, civil protection, police etc.) Mitigation of consequences should come first, legal prosecution of individuals responsible for the incident later 43

44. Neighbours, Journalists and Environmentalists The basic issue: Neighbours and the general public share the risks of industrial sites, but not necessarily the benefits. Communication of relevant risks has to be done openly and in an adequate form (“not scientific”) prior to incidents (e.g. “neighbourhood councils”, brochures,...) –to build up trust in the competence of the company to handle risks –to enable the neighbours to react adequately during an incident The response of neighbours etc. to incidents is strongly influenced by the company´s response to requests and complaints prior to the incident Fast and open information after an incident is crucial Fears and worries of neighbours etc. have to be taken seriously even if they are based on emotions rather than science On the long term, conflicts with neighbours etc. endangers the “licence to operate” 44

45. Crisis Communication Sometimes crisis communication becomes a crisis of communication! 45

46. Outline 1 1 iDRM Approach in Europe Best Practice of Emergency Management 3 3 Risk Management Principles 2 2 Conclusions 4 4 46

47. Conclusions –Investing in safe and eco-efficient plants pays off at least on the long term –The (remaining) risks of industrial plants can be assessed and are the basis for scenarios for emergency planning –The knowledge and experience of the operators should be used by all means –Risks should be communicated as well as benefits to all stakeholders, esp. the neighbours –The resources for emergency response (manpower, equipment, communications, organisation etc) have to be planned in advance and readily available in case of an incident. People usually accept the risk of a chemical/pharmaceutical plant, but not incompetence in handling it –Authorities should involve themselves actively in emergency planning, balancing this out with their law enforcement duties –Combined efforts will definitely lead to safer and more accepted plants, as the figures from Germany may show 47

48. Development of Accidents in Germany since 1950 „Arbeitsunfälle“ = occupational accidents „Wegeunfälle“ = acc. on the way to work

49. Thank you for your attention!... and special thanks to Richard Gowland, EPSC Technical Director, who contributed a number of slides