This website uses non-intrusive cookies to improve your user experience. You can visit our cookie privacy page for more information.

Judith Hackitt CBE, Chair HSE

Speech to Foster Wheeler

Process Safety: Past, Present and Future

Thursday, 21 October 2010

First of all, may I thank you and Janice Crawford in particular for the invitation to speak today. The title of my talk this afternoon: Past, Present and Future is about making connections between events of the past, the knowledge we have today about the changing shape of industry and the world economies and the challenges of the future which we have to face and address. My proposition to you is that if we can make some of those connections and recognise some of the weak links that exist today we can rise to the challenges and develop better, more sustainable solutions for the future than perhaps we have done in the past.

In part I am speaking to you today as Chair of HSE – and I will speak about some of the work we have been doing particularly in relation to the major hazard industries – on and offshore. Our strategy refers to this work as ‘preventing catastrophe’ – but it is very much about process safety in design, engineering and production. Applying process safety thinking during the conception and design phases is particularly relevant to emerging energy technologies including Carbon Capture and Storage which I will refer to again, later. But my interest in this subject goes beyond my role as Chair of HSE.

Like many of you here today, I am an engineer – a chemical engineer. I am on the Council of the Institution of Chemical Engineers and I chair the Institution’s International Safety Centre which is very much focussing on process safety. But I also belong to the generation of engineers whose attitudes to process safety was shaped by Flixborough.

For those of you from a different generation let me just remind you what happened at Flixborough. On a Saturday afternoon in June 1974 there was a large explosion at the Nypro site in the North East of England. 28 workers were killed in the explosion and a further 36 suffered injuries. The numbers of casualties would have been many more if this incident had occurred on a weekday rather than a Saturday. There were a further 53 reported injuries to members of the public in the neighbourhood and there was considerable damage to offsite property.

Three months before the explosion it had been discovered that there was a vertical crack in the fifth of a series of reactors in the process and the crack was leaking cyclohexane. After shutting down to investigate the problem the decision had been taken to remove the leaking reactor and to install a bypass connecting reactors 4 and 6.

On the afternoon of the 1st of June that bypass system ruptured resulting in a large leak of cyclohexane which formed a vapour cloud and exploded. All 18 people in the control room were killed when windows shattered and the roof collapsed. Fires burned onsite for over 10 days. Let's consider the causes:

So when I graduated from University in 1975 and joined my first employer - Exxon - I went through rigorous training in process safety management. I don't suppose for one minute that it was any different in Shell, BP, ICI, Dupont or many other large oil and chemical companies or indeed in major engineering organisations such as Foster Wheeler. Flixborough had been a huge wake-up call to industry and the lessons were being learned far and wide. Everyone was committed to the principle that: "it must never happen again".

The result was that process changes, plant modifications and new plant design came in for intense scrutiny with detailed reviews by multidisciplinary teams, full Hazop reviews and much more. The whole process encouraged us all to think about what was the worst case scenario and what could be done to prevent/mitigate it. There is no doubt that performance across the whole industry improved as a result.

However, as you sit here you might already be considering the things that went wrong at Flixborough and thinking: "But didn’t similar failures result in Texas City and Buncefield, even in the Gulf of Mexico?”.

But before I come onto that, I just want to say something about the worst industrial disaster which has ever occurred which was Piper Alpha, in July 1988. Not, in fact, the Transocean incident in the Gulf in April. Of the 226 people on the Piper Alpha platform at the time of the incident 165 died and also two rescue workers on a standby vessel.

Piper Alpha was a large fixed platform located - 190km North East of Aberdeen. It was originally installed for the production of crude oil and was later converted to gas production. Because the platform was originally designed for crude oil production the location of key operations and the siting of firewalls were built to a set of design criteria which were compromised when the platform converted to gas production. The Cullen inquiry into the disaster concluded that the initial cause of the explosion and fireball which engulfed Piper Alpha had been a condensate leak which was the result of maintenance work being carried out simultaneously on a pump and related safety valve. The maintenance and safety procedures were found be inadequate - as were the arrangements for refuge and evacuation of personnel and key aspects of the design of the facility were not fit for the purpose for which they were being used.

But one of the key factors about Piper Alpha which people tend to overlook is that the safety of the installation was compromised from the day it was put into a different service from that which it was designed for.

When I was at school, I was never a great fan of history lessons. That's probably one of the reasons why I became an engineer rather than a classicist, but I am now convinced that history needs to be a fundamental part of every engineer and manager's training. Because when we forget the lessons of the past, history has a horrible habit of repeating itself.

No one in Aberdeen and no engineer who was around at the time will ever forget the tragedy of Piper Alpha – but bad memories do fade.

For instance, how easy would it be – in the euphoria of seeing 33 miners rescued in Chile last week – to forget, or not even recognise in the first place, the fundamental problems that caused them to be buried underground for 69 days in the first place? The real achievement of the magnificent engineers who worked so hard to rescue these men will only be fully realised when all of the lessons to do with mining safety standards and working conditions have been learned and fully implemented across Chile and beyond.

Fortunately we do learn lessons from many incidents. But sometimes we can become complacent.

We reassure ourselves that lessons have been learned, that new control systems will prevent those sequences of events from happening again. Complacency starts to creep in to people's thinking. With the passage of time a number of other factors also have an effect:

So that’s the lessons we can learn from the past. The history is important but now let’s take a look at how that links to the nearer past and indeed the present.

In 2004, HSE became increasingly concerned about the general decline in the integrity of fabric, structures, plant and systems of assets in the North Sea offshore oil and gas sector. Our response was a programme of inspections, known as KP3, which ran between 2004 and 2007.
KP3 revealed concerns which fell into three basic categories:

In April 2008 HSE hosted a conference in London for all of the major hazards industries which we entitled “Leading from the Top”. We invited chief executives and senior managers from the nuclear industry, from onshore major hazards, offshore, the rail industry and power generation and we had over 200 attendees.

We talked about the need for leadership and about the importance of process safety management. Not only process safety management by the technical experts but a fully integrated process where those at the top understand what it means, pay the subject attention and ask the right questions so that they can be confident that it is being managed at all levels throughout the organisation.

It also made them consider how poorly informed decisions at boardroom level can have unforeseen, catastrophic consequences. The circumstances surrounding the Texas City disaster serving as a case in point.

There, the asset was treated as a classic profit centre with management driving hard towards the target of 10% on investment each year. They were very successful in this ambition with the facility ranking as BP’s best performing out of its 18 US plants and accordingly it received plaudits all round – so on the face of it everything was rosy. The problem was, however, that the capital investment needed to maintain the asset integrity of the refinery operating was also high. One of the routes to achieving 10% ROCE was cutting capital expenditure by deferring projects. This, as we now know, had a dramatic impact on the repair and maintenance programme at the site.

That conference also reinforced the need to share experiences. It is crucial that these stories, both of good and bad practice, are told thus ensuring that the lessons are learned more broadly.

Perhaps one of the areas which we have not yet opened up and thought about sufficiently is the role of those who design, engineer and build these facilities.

Organisations like yourselves operate throughout the world. You will be designing and installing petrochemical facilities, chemical plants, energy technologies and much more. I have absolutely no doubt that innovation is a key part of what you do. I am equally sure that you are diligent in ensuring that you design and build process plant to be operated safely – you design safety in.

But think about some of the things I’ve highlighted from the past:

It is also conceivable that today, some of your records for projects you have been involved in in the past are better than those of the current owner/operator. That’s not just conceivable but I would suggest quite possible if that process plant has changed ownership once, twice or even more.

Indeed, HSE itself has found that its records contain more design information for some sites than the dutyholders they regulate hold themselves.

With the mention of HSE, perhaps this is a useful staging point for me to say something about its role.

The Health and Safety Executive is Great Britain's regulator for workplace health and safety and its mission is to prevent death, injury and ill health to those at work and those affected by work activities.

We are an organisation of some 3,500 people and we regulate heath and safety in practically all workplaces throughout Great Britain. This includes:

To support these, we have our own group of specialist inspectors that represent the broadest range of engineering disciplines - such as Offshore Wells, mechanical, chemical and electrical engineers. As well as investigating the causes of incidents when things go wrong, our inspectors also spend a significant proportion of their time working with organisations through the provision of advice and guidance. The regulator and the innovators have different but closely related roles to play but the goal is the same: to enable the identification of potential risks to ensure safety in design and operation is present in all workplaces.
A current example of us doing this is the part we are playing in the introduction of emerging energy technologies, such as Carbon, Capture and Storage (CCS).

Let’s consider the challenges of CCS. CO2 has for many years found itself a variety of applications in industrial processes. But never before have these processes been brought together on this scale as a continual series of processes to capture it from fossil fuel burning power stations and then store it permanently under the sea.

The proposed method will produce several 'interfaces': capture, compression, transport, injection and intermediate storage all of which we need to develop our understanding of further. The existing regulatory framework we use – Health and Safety at Work Act - is sufficiently flexible to mean that it can cover the whole CCS process. But this still requires the risks to be identified and for the appropriate control and mitigatory measures to be implemented.

Although a major release of pure CO2 into the atmosphere is to be avoided at all costs because in high densities it can act as an asphyxiant. There are other factors that have to be considered as well. These include:

One simple but stark illustration of dealing with CO2 relates to escape routes for personnel on North Sea installations in the event of a CO2 release during the injection phase. Traditionally, for the oil and gas sector, down has been the right answer when dealing with the conventional threat of a loss of containment of oil and gas but what about CO2, which is heavier than air and will - on a calm day - accumulate on the sea's surface rendering a marine response impossible.

But these are not problems that will 'stop the show', solutions are available and can be implemented.

It is essential that engineers create inherently sustainable solutions, and to do that requires risk education to be integral to the training and development of every engineer. Engineers need to learn without endangering their own health and safety or that of others so that innovation and new technology delivers real sustainable benefits.

Even in today's fast moving world, much of the hardware solutions that engineers design will last for many years. So safety in design is not just about ensuring that your project will do the job it was designed for now or even for the next 10 years. Major engineering projects have to last for decades. But in a world where priorities are constantly changing it is also inevitable that at some point in the future another engineer will come along with a bright idea on how to modify and improve what you've done. And that, is a good thing - continued improvement and innovation - provided that your successor understands the design principles and limitations of your design and doesn't compromise them through the modification.

This is easier said than done in today's environment of changes in corporate ownership and outsourcing and contracting, but it is hugely important.

Following one major incident – the Hatfield Rail Disaster in 2000 (10th anniversary was last Sunday) – Lord Cullen the chair of the subsequent board of inquiry said: "Education of engineers should deliver professionals who understand their professional responsibilities for the safety of the public, including the need to act on safety critical defects, and who can apply the principles of risk management".

To this end HSE has itself been engaged in some important work looking at the integration of risk concepts into undergraduate engineering courses.

It may sound contradictory or incompatible to expect those charged with the task of finding and implementing solutions to expend time and effort exploring what can go wrong. But repeatedly, as I know and as we have already seen, accidents have shown that there has been a failure to: either understand how to manage risk, or to take the opportunity to do so. It is therefore essential that safety-critical professionals such as engineers are educated and encouraged to assess and manage risks and then get on with the creative solution.

Several universities already offer specialist courses. But it remains a concern for me that in all engineering disciplines – safety in every aspect of every part of an engineer’s role is not regarded as fundamental and integral.

Risk is part of everyday life and an essential responsibility of every practicing professional engineer, risk education needs to be integrated into students' study. More specifically, the management of risk should be viewed as a thread. Rather like the writing in a stick of rock that runs through everything a professional engineer designs and the judgments and decisions they make.

Understanding of risk, inherent safety in design and throughout the lifecycle of any process, machine or equipment has to be part of the DNA of every engineer. Bolting it on as an afterthought is not an option - neither is leaving it to someone else to think about.

Engineers in the 21st century have challenges to face and solutions to find to some of the most difficult issues our planet has ever faced. Arguably, there have never been more exciting or challenging times. Failure to tackle them is not an option. But failure of the solutions we engineer to tackle them is not an option either.

So that now leaves us facing the future:

There is no doubt that now is a good time to be an engineer. Our skills and our ingenuity are needed now, throughout the world, more than ever to tackle the challenges that lie ahead.

Perhaps the most important skill of all for the future will be to think in multiple dimensions - to find solutions which do not solve one problem only to create a problem or downside in another dimension.

Generating power that creates carbon dioxide emissions is clearly not a sustainable solution. Likewise, agricultural processes which increase food production and housing which provides shelter is not sustainable if the people who reap the 'benefits' are placed at risk from flooding or harm to health as a result.

But let me leave you with perhaps some personal challenges. Foster Wheeler prides itself on being the first contractor to establish a single health, safety, environment and quality management system that provides the controlling mechanisms necessary to assure a unified approach to management control.

Your organisation is publically committed to: ensuring health and safety takes a high priority in all its activities, complying with relevant regulations, standards and codes of practice.

I think that’s good – but could there be more?

What about:

You have the history, you have worldwide presence today and I am sure you aspire to provide some of those solutions for the future. You are part of a much bigger sustainable solution that goes way beyond your own organisation.

Thank you.

Words: 3,653 (Check against delivery)

Updated 2010-10-29