Total Loss Prevention Developing Identification and Assessment Methods for Business Risks

Total Loss Prevention Developing Identification and Assessment Methods for Business Risks
Authors: John Evans, Senior Consultant, and Geeta Thakorlal, FIChemE Head Consultant, Granherne Ltd, Leatherhead, UK KT22 7LH. Email john.evans4@granherne.com, Geeta.thakorlal@granherne.com. Aim Over the past 20 years the standards and methods for the safety assurance of major industrial sites have undergone major change. The understanding of hazards, and of the risks from such sites has grown enormously, and risk assessment has become a key tool in many industries. The paper explores whether the current industry guidance is complete at all levels in respect of financial loss. It also reviews how such techniques interrelate with other approaches to loss prevention, such as the straight-forward application of codes, value of the asset and insurance. The aim is to discover if and how formal guidelines should be developed specifically for loss prevention, including business, management and design issues. It highlights gaps in assessment methods that could be remedied to provide means of identifying and rapidly assessing business risk in major hazard sites, or indeed within industry generally. Introduction When engineers reviewed offshore designs following Piper Alpha, one of the lesson learnt was that fire pumps had little benefit in reducing the risk to staff for unmanned platforms, and so it became the practice to assess, but generally to refrain from such provision. It became the norm to describe such assets as having a burn down philosophy, and to avoid providing safety systems where the risk balance was negative, i.e. maintenance visits exposed operators to more risk than the benefit from the systems during the period when it was manned. The level of asset loss for unmanned platforms was highly variable, depending on whether they were single wellheads, part of a network feeding a central complex, or whether they were where flow lines were manifolded. Each would require roughly the same number of visits, and thus the safety ALARP arguments were identical. At what stage therefore, does the asset loss threat become important? How effective are the fire-fighting systems, what loss do we need them to protect against, and what methods are there to show that money is spent wisely? Much work on improving the techniques of safety assessment has occurred in the UK in the past two decades, primarily as a result of Flixborough, Piper Alpha and Kings Cross. It is fair to say that the thrust of all the standards written to date are mainly focussed on safety. In contrast one can show the impact of accidents with low human impact but high financial loss in the following list:-

Total Loss Prevention Developing Identification and Assessment Methods for Business Risks

1. 2. 3. 4.

5.

Longford, Sale, Victoria, Australia 25 September 1998. 2 dead. State of Victoria gas supplies interrupted for 2 weeks. A$ 1.3 billion class action brought by industrial and domestic users, largely unsuccessful (ref: www.corrs.com.au); Hatfield Rail Crash 17 October 2000. 4 dead. Entire UK rail network suffered delays for a year while checks to track were undertaken. North Sea - Cormorant Alpha 11 April 1989. No fatalities. A riser fire at the platform caused the downtime of 9 other platforms for 11 months. Total lost production over 30 million barrels. (ref. HSE Report OTH 94 458) Seveso, Italy 9th July 1976. No fatalities directly attributable. A release of 2 kg of ultra toxic tetrachlorodibenzo[b,e][1,4]dioxin (TCDD) caused the evacuation of a wide area north of Milan (and ultimately required its decontamination). A key incident that changed the regulation of major hazard facilities across Europe. NE USA and Canada, also Italy. August 2003. No direct fatalities. Power surges in the electrical grids led to the loss of power to more than 100 million people. Consequences are still being evaluated.

If one includes the power cuts in Auckland, New Zealand in early 1998 the statistics are that 5 times in the past 5 years entire countries have suffered major disruption from single incidents, involving relatively small, but critical, direct asset loss. It brings home the realisation that developed societies are highly dependent on engineered systems, and that these failures are far from rare. Particular impacts of these incidents include: Beyond boundary consequences of failures; Major disruption of communities, to national level; Revealed sensitivity of a major supporting infrastructure to a single type of failure; Product or type design fault, leading to remedial work on all other units of a similar type, with consequential loss of service in the interim; Changes to national, and international, legislation; Claims against the company, with long term negative impact until legal proceedings are resolved; Damages far exceeding the actual physical cost of the accident; and Contributory factor in the demise of a company owning the risk.

These impacts are of a different character to those of safety. Each would be significant to the company or the community involved. In addition safety and risk assessments do not highlight these risks because the safety impact is low or indirect. The classical approach to managing risks with a purely physical loss is insurance, and yet the above examples show that companies place at risk themselves, and on occasion their insurers. One would expect that governments and companies are very aware of societal impact, and working to avoid such effects, yet how are such efforts expressed in systematic guidance? Current frameworks on risk assessment provide a large part of a structure for systematically assessing loss, but specific advice on loss is needed. It is necessary too to bring into the

Total Loss Prevention Developing Identification and Assessment Methods for Business Risks

discussion the other parties besides the Loss Prevention Engineer who make loss prevention decisions. Before detailing methods, it is worth noting that there is a distinction between the ways organisations view safety and financial risk. Risky Behaviour? It is generally accepted that where something is unsafe, the hazard will be revealed and eliminated. Businesses do not always view financial risk in the same way. Risk is sometimes seen as an indicator of potential profit, for example, volatile shares may move higher in a positive direction as well as a negative. Risk can be factored into price. The insurance industry would not exist but for risk: acquiring business (= premiums, = risk) is as necessary as minimising exposure. In the design industry, risk ownership is an issue that affects the client-contractor relationship. Contractors are not paid to work outside their particular box, and so there may be a disincentive to raising commercial loss issues that they would have to solve at their own expense, but for which they may not be measured against, i.e the client does not look at these as a success metric.. Collaboration also occurs, when commerce appreciates where the common good is more important than individual interests. There are common standards and goals, including those on loss prevention. On the other hand, if a company feels that to collaborate would weaken its intellectual property, or there are issues of confidentiality, techniques or information may not be shared. All these matters affect how one should develop a standard for loss, and who would want to participate. Risk Assessment and Standards The history of engineering standard development is in many ways the history of accidents. Where standards are based on this type of experience, and are re-active, they are generally expressed as codes for particular engineered features. There has also been a growth in systems assessment - techniques to pro-actively avoid or reduce hazards. A history of engineered standards can be summarised as: Railways reactive (latterly pro-active); Boilers - reactive; Pressure vessels reactive ; Explosives - reactive; Onshore major hazards - reactive - proactive Nuclear and aerospace proactive - reactive; Offshore major hazards reactive proactive; Programmable electronic systems pro-active.

Total Loss Prevention Developing Identification and Assessment Methods for Business Risks

In the last decade and a half, not only have proactive standards grown in prominence, they are now working with prescriptive standards to provide greater understanding of the effects of hazards and mitigation. The new version of API 521 Guide to Relief and Depressuring Systems, includes awareness of vessel heat up issues found during experiments for risk assessment. The scope of safety standards has also expanded to include environment and business issues. Standards are works in progress, where knowledge goes through cycles of discussion, agreement and consultation. There are gaps, and better ideas in the offing. Towards a Standard on Loss Protection Many of the standards currently in existence have elements that could be re-used within Guidelines for Loss Protection. These include: ISO 9001, Quality Management System Requirements; BS 5760: Reliability of Systems, Equipment, Components and Parts; ISO 17776: Offshore Production Installations Guidelines on Tools and Techniques for Hazard Identification and Risk Assessment

At an even higher level, since pure financial loss is a core business issue, the aspect of corporate governance is relevant, and so the discussion commences with accountancy and audit concerns. Corporate Behaviour The Turnbull report relates risk management to corporate governance. This report, to the UK Institute of Chartered Accountants, specifies the need for Effective financial controls [that] ensure that the company is not unnecessarily exposed to avoidable financial risks. Later it goes into more detail and states the boards deliberations should include consideration of the following factors: The nature and extent of the risks facing the company; The extent and categories of risk that it regards as acceptable for the company to bear; The likelihood of the risks concerned materialising; The companys ability to reduce the incidence and impact on the business of the risks that do materialise; and The costs of operating particular controls relative to the benefit thereby obtained in managing the related risks.

These statements show a direct link between engineering concerns and the business as a whole. Policy The starting point for organisation-wide guidance on loss prevention is ISO 9001, Quality Management System Requirements. ISO 9001 requires policy to be set to state the companys position regarding loss, which should include all the types of loss that could be suffered. For

Total Loss Prevention Developing Identification and Assessment Methods for Business Risks

many companies considering direct costs will be nothing new, but when considering wider aspects for some it might be the first time that they appreciate how much their customers will miss them if they go! ISO 9001 then requires corporate criteria/ goals, and a management system. The criteria for loss protection are best based on those in ISO 17776 - Offshore Production Installations Guidelines on Tools and Techniques for Hazard Identification and Risk Assessment. Criteria ISO 17776 is a standard written for offshore oil and gas, but the concepts within risk criteria, HAZID, assessment and so on - are applicable to onshore, and to other major hazard industries. Most of the document is slanted towards safety issues, and to a lesser extent environmental, but Table A.1 states how criteria can be set for safety, environmental and asset loss. (This is the only place in which loss is discussed in detail in the document.) Most major oil and gas companies have principles for risk management. They also have risk acceptability criteria / matrices that cover safety, environment and loss, and that are allied to those contained within ISO 17776. They provide details about what constitutes a frequent accident, and the limits of each loss band. They are effective means of rapidly ranking and managing risks, however, there is, no advice as to the types of loss to be considered. Where risks breach criteria there should be a strategy for managing such potential losses. As with Longford, it may not be possible to avoid being in a position where there are potential extreme losses. It may also not be possible to reduce these to within criteria. Assurance for Individual Facilities Hazard avoidance in design selection is the most effective way to reduce risk. Thus the assurance process requires that there be a means of reviewing a facility or a design, picking out the main causes of loss and eliminating as many risks as possible. Of course, doing so for loss prevention would be allied to the HAZID process, but there needs to be subtle differences to ensure that the aspects relating to commercial impact are thoroughly revealed. These may include: Opco, partner, country and 3rd party issues; Insurance coverage; Customer requirements; Ability to design to reduce the business impact of loss, or domino interactions between the elements of facilities; Dependencies between system elements (e.g. power supplies); Dependence on other facilities; Means of mitigating loss; Criticality of the operation locally to the business unit in the area; Criticality of the operation to the regional commerce; Cost and Effects of business interruption on cash flow;
5

Total Loss Prevention Developing Identification and Assessment Methods for Business Risks

Direct impacts to ability of neighbours and upstream / downstream facilities to continue operations; Contractual liabilities; Clean up and reputation impact on accident; and Refit costs in a constrained construction environment.

(with acknowledgement to Shells FIREPRAN standard / Business Continuity Institute) A loss prevention identification session could identify the critical points where loss would impact the companys operations significantly. There may be a balance to be found. Cheaper, less reliable, plant may well be fit for purpose in non-critical applications. Once again, considering such issues is part of the fabric of company operations, but loss prevention management enables them to be considered in a balanced, integrated way, so that unrevealed risk can be noted, and the costs of over-engineering reduced. Where a supplier implements a loss prevention identification scheme, there will also be the need to address type risk, such as that incurred by car manufacturers, who are occasionally required to recall cars to improve certain design faults. In these cases revealed design faults in a single instance of a supplied item then obligates the company to notify and remedy the design fault in all other supplied instances of that item. Aircraft manufacturers and airlines are particularly vulnerable to this type of risk, because the impact can be expensive to fix and affect operations globally, and one can think of other areas, such as offshore wind farms, where maturing technologies bring a burden of development risk (see also. BS 5760). Risk Management Risk management will include those risks that the company wishes to manage directly, and those that it wishes to share with other organisations. The criteria for internalising or sharing risk will determine the guarantees that companies are prepared to give to their customers. Loss prevention risks may inspire corporate lawyers to corral the companys exposure to risk, develop requirements for contractors and qualify their commitments to customers. Interface management, which is a feature of ISO 9001, is therefore a critical element of loss prevention management, too. Designing to Prevent Loss During a design process, ISO 17776, adapted for loss prevention, will be directly applicable to reducing losses on a plant. In addition, since reliable plant does not fail, needs less intervention for maintenance, and has greater redundancy against upset, BS 5760 Reliability of Systems, Equipment and Components, provides many of the design selection processes that one would apply to loss prevention management.

Total Loss Prevention Developing Identification and Assessment Methods for Business Risks

Cost Benefit Assessment Where there are competing designs, each with its own reliability, turndown and potential loss profile it will be necessary to compare the CAPEX, OPEX and loss potential costs of each. Although this is widely practised in at least a semi-quantitative way, the classes of accident costs should be expanded. They may include: Loss of asset; Business interruption; Loss of market; Breach of regulation and fines; Effects to neighbours, reputation, share price; Clear up and clean up; Excess on insurance and increased premiums (or even reluctance to accept risk at all); Recall liabilities; Waste disposal; Restitution of facility, in a constrained construction area.

(Of the above, it is only the asset cost that usually is covered by insurance). The importance of the other costs can be appreciated in the following example. If the CAPEX of a plant is paid off over, say, 2 years and an accident causes 10% CAPEX loss, but interrupts production for 6 months, then the business interruption impact alone will be about 2.5 times greater than the CAPEX loss, which is equivalent to the cost of 2.4 months lost production. It is useful to compare these accident losses with those used in ALARP type arguments, as described in Reducing Risks Protecting People (the so-called R2P2 document) - the UK HSEs decision making process. If the above example is applied to a 200 MMSCFD plant, costing $200 Million, the accident, lets say in a process unit, might cause the death of up to 2 operators. (Usually the process units are sited far enough away from office buildings to avoid non-operator fatalities.) A safety ALARP argument might apply some value per life (1 million in R2P2), and so determine the human cost of the accident as 2 million ($3.5 million). The direct CAPEX and business interruption costs are 10% x 200 + 25% x 200 million respectively, or $70 million. If only asset loss is insured, then $50 million will be lost, even before claims come in. Thus asset / production loss ALARP arguments are far more powerful than the cost per life approach for typical hydrocarbon facilities. They are also less emotive. Direct losses are not the whole cost. The property damage loss from the Longford incident is given as $ 187 Million in Marsh Risk Consultings review of losses in the hydrocarbon industries, and although the class action claim was unsuccessful, this does not mean that the $1.3 billion damages sought by the downstream companies and domestic users were not actually incurred. One can estimate the effects of a number of accidents to build up a loss profile of an entire facility. The result would be similar to an F-N curve (in effect a Frequency Dollar curve). Such a curve has been generated for a sample offshore project, using information in the UK

Total Loss Prevention Developing Identification and Assessment Methods for Business Risks

HSEs UKCS Update to the Risk Overview (report 94 458). The disparity between human and asset losses can be seen to be extreme.
Figure 1 Comparison of Human Value per Life and Asset Loss
1.0E+00

1.0E-01

Likelihood over Project Life

1.0E-02

1.0E-03

1.0E-04

Asset Loss Human 'Cost'

1.0E-05

1.0E-06 0 50 100 Cost of Accident 150 200

Preliminary calculations from cost of accident assessment programs generate results close to those found from experience by insurance companies (and also those quoted in ref 5), so there is some credibility to such methods. The next step is then to evaluate the benefit from mitigating devices (or strategies) and so compare the actual improvement with the cost of implementation. Figure 2 Value of Spend to Mitigate Accidents - Sample
1.0E+00

0.1
1.0E-01

1 10

Accident Frequency / year

1.0E-02

1.0E-03

1.0E-04

It is worth spending up to 0.1 Million to avoid an accident with a frequency of 6.4 x 10-4/year that has a cost impact of 10 million.

1.0E-05

1.0E-06 0.01

0.1

10

100

1000

Accident Cost - Millions (any currency)

Total Loss Prevention Developing Identification and Assessment Methods for Business Risks

The chart above allows engineers to relate accident frequencies and costs, and the cost of mitigating systems, to provide justification where such systems have either been included or excluded. It should be noted that this does not necessarily mean more fire fighting. Spend must be shown to reduce risks. Audit and Review, Due Diligence and Acquisition Many of the comments so far have been directed at new facilities. The methods of assessment are equally applicable to existing plant and to circumstances where a company is considering acquiring an asset. Applying such a methodology to due diligence is an extremely effective way to avoid risks that are not otherwise obvious. Conclusions The conclusions that this paper draws from a review of available techniques is that: The means of assessing the loss to companies from their operations exist, or are readily adaptable from existing techniques; Although not discussed here the timescales required for such assessment have been found to fit within the project development lifecycle, so a picture of the loss profile can be provided quickly; Such profiles establish the need for loss prevention engineering, or otherwise, more robustly than ALARP arguments, engineering judgement, or the application of codes; The use of these techniques would enable standards such as ISO 17776 to be applied more effectively; Equally, improvements to standards to address the issue of loss prevention are needed; The consideration of Loss Prevention should be promoted to a corporate level concern that then cascades into systems, operations and design. The range of losses for each corporation should be identified; Relevant expertise within companies should be invited to collaborate, internally, to collate the techniques that work, and to spread best practice; Relevant expertise within companies should be invited to collaborate externally, to create a new standard on Loss Prevention, or to elaborate the consideration of Loss within existing standards, to augment risk based arguments; There should be specific guidance on:o Types of loss; o Risk management; o Cost benefit assessment; to ensure consistency and repeatability; A standard on Loss Prevention should include statements on interface management so that Invitations to Tender and specifications for contractors should include statements about the links between engineering and risk; and

Total Loss Prevention Developing Identification and Assessment Methods for Business Risks

Owners or insurance companies should produce more documents relating to the cost of accidents so that assessment information for future facilities is more accurate. This should include incurred losses that were not insured.

Application The costs of changing methods to include the concerns above, and of operating a formal system can be minimised, by: Having an ISO 9001 management system, on to which the above systems would readily attach; Facilitating meetings to discuss such issues formally.

The meetings would need to be supported with data and techniques, either internal or generic industry, for estimating failures and consequences, and for relating these to value of spend. Regulatory Issues So far the discussion above relates to companies, and suggests ways of integrating the ways individuals in an organisation can work in harmony. The accidents previously listed show that a companys actions can have a regional economic impact. Thus the observations are also applicable at a national planning level to ensure that developed societies are underpinned by robust industrial facilities and utilities. References 1. The Institute of Chartered Accountants Internal Control, Guidance for Directors on the Combined Code (The Turnbull Report) 2. ISO 9001:2000 Quality Management System Requirements 3. ISO 17776 - Petroleum And Natural Gas Industries Offshore Production Installations Guidelines On Tools And Techniques For Hazard Identification And Risk Assessment 4. ISO 13702 - Standard for Control and Mitigation of Fires and Explosions on Offshore Production Installations - Requirements and Guidelines. 5. F.P. Lees, Loss Prevention in the Process Industries, 2nd Edition, Butterworth Press 6. BS 5760: 1998 Reliability of Systems Equipment Components and Parts 7. FIREPRAN Manual Shell EP 95 0350. 8. Reducing Risks, Protecting People The UK HSEs Decision Making Process 9. HSE Report - OTH 94 458 Update of the UKCS Risk Overview 10. OIL Ltd 1997 Annual Report. 11. Large Property Damage Losses in the Hydrocarbon Chemical Industries a 30 Year Review, Marsh Risk Consulting. February 2001 (19th Edition). 12. www.corrs.com.au 13. Risk Model, Granherne internal software. 14. Business Continuity Institute.

10