In this edition of ‘Andy’s Almanac,’ Andy Bartlett, Sphera’s solution consultant for Operational Risk Management, discusses the so-called ‘Swiss cheese’ model and how it could apply to helping companies plan for natural disasters.
The following transcript was edited for style, length and clarity.
James Tehrani:
Welcome to the SpheraNOW podcast, a program focused on safety, sustainability, and productivity issues. I’m James Tehrani, Spark’s editor-in-chief. Today is part five of Andy’s Almanac on accidents. Andy Bartlett, Sphera’s solution consultant for operational risk management, returns to the program, and we’ll be discussing the Swiss Cheese Model and process safety barriers, and how process safety measures could potentially help companies deal with natural disasters. Thank you so much for joining me today, Andy, how’re you doing?
Andy Bartlett:
I’m doing fine. Thanks for the intro, James. Looking forward to another chat.
James Tehrani:
Perfect. Well, let’s get into it. I know we’ve touched on the Swiss Cheese Model before, but do you want to fill our listeners in on what that means exactly for process safety and why it’s so important?
Andy Bartlett:
Well, it’s a way of illustrating, a picture’s worth a thousand words, on what hazards are being realized in the company. So if you know what your process safety status is, then you can address those items that are making your process safety less than you would like to have. So being able to address the risks and resolve major accident hazards before they create the possibility of a disaster, or damage the assets, the environment, this way illustrates it. And having technology that takes the concept of the Swiss cheese into a program that is visible to all in the facility, helps everybody look at risk in the same way and know what each other is talking about.
James Tehrani:
Sure. And it’s interesting, I can’t remember who I was talking to about this, but we were talking about how masks kind of are sort of a barrier for COVID-19. In the year of COVID-19, obviously, you wear a mask and it’s sort of a barrier to help protect you. And then if you wear a second mask, it’s almost like a second barrier and it sort of acts like the Swiss Cheese Model where there’s one protection and then a second protection. Is that right? Do I have the analogy correct?
Andy Bartlett:
If you want to compare the Swiss Cheese Model to preventing the spread of COVID, you have to recognize that no single intervention will stop the spread of COVID. Physical distancing is one barrier. Masks would be a second barrier, hand hygiene, and not coughing on people, avoid touching your face. And if it’s crowded, don’t go into those places that are crowded. Wait for the crowds to come down. Those are personal responsibilities that could help you not catch COVID.
Andy Bartlett:
And then there’s the testing, which is another barrier. The tracking of testing, of people who’ve been tested. Meeting outdoors, ventilation, and of course special air filtration if you have to work inside just like you have for other office protection. Financial support for the people who need to put these measures in place, the money’s not always there and the government has to step in sometimes. And then if somebody does catch COVID, there’s the quarantine and isolation barrier. And then the last barrier of all which we see, especially here in the UK, being very effective is the vaccine.
James Tehrani:
Of course.
Andy Bartlett:
So that’s what a Swiss cheese would look like. And of course, if the hazard, which is COVID-19, does not reach you the patient or possible patient, then you’ve been successful with those barriers in place. If you have caught COVID, then obviously some of those barriers have been less than adequate.
James Tehrani:
Definitely. And I don’t want to go down a rabbit hole with this, but you taught me something when you sent me a link, I don’t know, a month or so ago when you explained that it should be called the Emmental cheese model because there’s different types of Swiss cheese. I had no idea.
Andy Bartlett:
Yeah. There’s two Swiss cheeses that have holes in them. I forget the name of the other one. The cheeses that don’t have holes in them in Switzerland, are called ‘blind’ cheeses. So that was something I looked up. And I guess that the Swiss cheese that we all see, Emmental, in the shops, is in the UK, and of course that Professor Reason would be familiar with when he came up with this metaphor. So it’s been around since… I forget the date of the book now. But when I was studying for my degree, I saw the very basic model. My question was, what do the slices represent? As I got further into my degree, of course, I became aware of what barriers were.
Andy Bartlett:
And then, later on, the question today, what do the holes represent? And as we’ve gone through the COVID one… But in process safety, the holes or the failures, depending on the industry… In the oil and gas industry, you’d have one set of safety-critical elements, which are the real name for the holes. And the pharma industry would have another set. The mining industry would have another set. But they will all use the basic model, which is a barrier to prevent an incident occurring or an incident becoming worse, or the response to an incident to make the handling of the incident better. So that’s where it is.
James Tehrani:
Very interesting stuff. And I know this is kind of a difficult transition because we’ve been having a light conversation so far, but we do want to kind of explore incidents. And one area that we don’t talk enough about that I think is important is when climate change and sustainability-related issues can actually lead to safety hazards and perhaps incidents. And I know we were discussing before the program started that there was an incident in the Gulf Coast that you thought kind of fit the bill for that. Do you want to explain that situation?
Andy Bartlett:
Yeah, let’s start with when refineries or chemical plants, or facilities that have major accident hazards were built. Some of them were designed over 50 years ago where climate change wasn’t a consideration. And maybe in that particular area, the hundred-year flood had not appeared. However, today we have incidents happening where floods have damaged a facility, such as a refinery. The one that we’re going to use as an illustration here where flood water came in, structural damage to foundations, vessels starting to collapse. Control rooms being overcome with water, so the place where the humans were going to be controlling it was no longer viable. Pressure vessels leaking due to the vessel becoming misaligned with its pipework due to the foundation collapse, so that would be under process containment barrier. The structural integrity barrier we talked about first, the failure of the structure. And then ignition control during these storms if you’ve got vapor in the air from this misalignment in the process containment. Thunderstorms, lightning strikes come into play here-
James Tehrani:
So that could lead to a fire, right?
Andy Bartlett:
Yeah. That could lead to a fire. The gas detection systems, the power supply to them could have been damaged, the wiring, and therefore not being able to detect what’s happening. And then your protection system, the damaged firewater ring main, that could collapse the piping that brings the firewater. And of course, you might think, “Oh, I’ve got a fire going, I’ve got lots of water,” but floating oil on fire on top of water is one of the biggest hazards in this type of event. And as we saw at Buncefield in the UK, where there was a lot of damage there, the firewater spread the hydrocarbons way beyond the facility.
Andy Bartlett:
Then the emergency shut down system, you press the button to shut down a flow of oil or hydrocarbon or a chemical, whatever, but the valves might no longer be in the right place for handling the emergency. Your emergency power system. As the substations get flooded, the generators that the emergency power system is based on could become flooded. And of course, then at the end on the lifesaving equipment, rescue facilities, well, were they designed to handle this type of flood?
Andy Bartlett:
So when you map all this to a barrier model, Swiss cheese barrier model, you start to see, well, these are places in my facility that I maybe need to take a look at. And this would be after the fact. But when you start to say, “Right, I’m going to spend my money rebuilding my system, I would need to be looking at what barriers I need to maintain. Where I need to spend my money first?” And of course, putting in place flood walls or drainage channels around the facility to take the water somewhere else. And lightning shunts, which divert lightning strikes away from equipment and down into the ground.
James Tehrani:
It seems like what you’re mentioning here is a perfect example of how a risk pathway develops. So you’ve gone from one major storm and then you’ve had about six or seven different potential incidents that came from that one storm. It’s really fascinating when you think about how this all originates and how it can spread into more potential damage to the organization and safety-related issues for the people.
Andy Bartlett:
Yeah. And then you look at the environment, you’ve got the fire and explosion. You’ve got to get in there and fight that, within flood conditions very difficult. You’re going to have atmospheric emissions, which downwind of the facility, people are going to have to be moved. And if they’re suffering from a hurricane or tropical storm at the same time, they’ll all be buttoned down inside their storm shelters. And then the worst thing of all, of course, is the liquid spill. What do you do with this floating hydrocarbon? Where do you divert it to? How do you get rid of it? It all requires plans to be in place.
Andy Bartlett:
And part of the whole process safety model is you define your major accident hazard list and you say, “How am I going to deal with them? How can I mitigate them?” So if you look at the typical list of major accident hazards, it always has fire and explosion at the top. And then you got earthquakes, natural disaster, flooding. That’s another one where I’ve been in a place where the refinery suffered from a small earthquake. Luckily it didn’t do too much damage because it was built to withstand that earthquake because that was recognized in the design.
James Tehrani:
So are there a lot of plants that were built long ago that didn’t take in consideration earthquakes and things like that?
Andy Bartlett:
Well, I don’t know of any that didn’t take into consideration earthquakes, but I do know plants that didn’t really take into effect the effects of flooding and as the location… And you’ll find this in several places in the world where housing and office buildings have encroached on what was an island of a refinery or chemical plant. And now, when natural disasters happen, the effect on that facility will be passed on to the surrounding houses and office buildings. And it’s only by luck that we don’t get these bigger disasters, but you only have to look at Bhopal, Seveso in Italy, where the people who lived next to a facility suffered from the effect of the facility not having a good process safety program.
James Tehrani:
Sure. And is it reasonable to say that as climate change becomes a bigger and bigger problem for the world, that we could potentially see more of these extreme weather events that could lead to more potential risk for the oil and gas industry and other industries, for that matter?
Andy Bartlett:
I was reading an article about a safety case, which in the UK is required to be handed into the HSE, the equivalent of OSHA here. And now they’re saying, “Go back and revisit your safety case and take into effect the environmental part of it.” And what we used to call safety-critical elements, they’re now calling SECE, which is Safety and Environment Critical Elements. So for each barrier, you need to look at what are the environmental parts of the safety case that would affect the major accident hazards.
Andy Bartlett:
And again, what pathways would build when you start to look at the environmental… As we’ve just described on this one, the effect of releasing hydrocarbons in a liquid form, even if they’re not on fire, chemicals if they’re not on fire, can affect the surrounding people. And if it gets into the groundwater, can affect the drinking water. If it gets into the sea, can affect the wildlife there, if it gets into rivers. So all of these need to be examined now that we know climate change is making changes. We need to say, “Ok, let’s go back and look at our major accident hazards and see what environmental items we need to add, what we need to re-examine?” And redo our safety case to try and prevent these from realizing.
James Tehrani:
That’s fascinating. So that’s a recent development where they added the environmental part of it for the critical elements?
Andy Bartlett:
Yeah. I found an article from 2015 where it talks about this happening, but I’m not quite sure having not been in this country if that was the exact date they brought it in. But I do know there were changes made in 2015 to the advice given by the UK HSC.
James Tehrani:
So when you were starting your career, how much were you taking into consideration the… I know you mentioned that the rain wasn’t really thought of very highly, but other environmental aspects, how much of that were you thinking about when you were doing your evaluations and investigations back then? And is it something that you would consider looking more into nowadays than you would back then?
Andy Bartlett:
Well, I would say in the industrialized West flaring from facilities, especially in Europe and the UK, was always frowned upon. You have to try not to flare because that was going to create fall out-
James Tehrani:
And flaring is when you light the gas, right?
Andy Bartlett:
Yes. Yes. In any hydrocarbon facility, you have to have a release point and the flare systems have improved over the years to where they can recover most of the waste gasses, but I’ve worked in facilities where the flares were gigantic. But over time, people have recognized that is not the way we want it to be. And they’re also in the power plants in the UK, the fumes from the systems are being cleaned before they’re released in the atmosphere. They’re being cooled so they don’t have an effect on the area around them. But I think that today it is unacceptable to build a facility without taking into account what is the effect on the environment because as we’ve just talked about, you also need to look at what would the environment effect, if it wasn’t as expected, be on the facility itself? So there’s two points. You’ve got the environment on the facility and you’ve got the environment of the outside of the facility. What’s the effect from the facility?
Andy Bartlett:
So all of this needs to be looked at when you do your safety case. And of course, when you’re going to design a plant, you’ve got to go to the local authorities and say, “Ok, I want to build this plant.” And of course, now there’s a big environmental consideration. And I know in the States they have the environment control people who will say, ‘Right, you can do this, you can’t do that.’ So everybody’s aware of it, but what I’m looking at is to say, ‘Ok, so for incidents that occurred in previous facilities, let’s put them into a barrier model and see what actually happened, which barriers failed, and what have they done since then to keep these barriers intact, to have mitigation measures in place?’
James Tehrani:
Sure. And do you want to take us through… I know corrosion could potentially be a big problem. And if there’s an extreme weather event, I could see corrosion in a plant leading to potential incidents. So can you take us through a few examples of how barriers could help with dealing with corrosion issues?
Andy Bartlett:
Yeah. So I did a paper on this some time ago where if you want to look at corrosion, the structural integrity barrier, the support legs, can be attacked by corrosion. And of course, one of the routines is to have the inspection department, the asset integrity people, go round and check these on a regular basis. Piping and vessel corrosion, there’s lots of incidents out there where piping has corroded and your release vessels have corroded and failed. Electrical junction boxes on your ignition control and conduit systems where corrosion’s got out of control. And of course, after you’ve had one of these flood events, you need to go back and dry everything out before you put it back in service. Otherwise, you’re going to get corrosion.
Andy Bartlett:
Detection systems, the sensor heads can corrode. Sprinkler systems can be blocked with rust and should be checked and tested regularly. And valve shafts, emergency shut down valves, that they tend to be open. And the tests… The problem with testing emergency shut down valves is you normally have a pump test that just moves the shaft a little bit to say, “OK, that circuit’s working OK,” but they need to be protected to make sure they don’t corrode. Emergency response, when you’re going down escape ladders on an offshore platform, those ladders get washed by the sea, they corrode. You’ve got to, again, inspect and maintain. And lifesaving equipment, corrosion could happen to that as well.
Andy Bartlett:
So the model for all barriers is that there is a barrier, so process containment. You have a safety-critical element, which is your piping system. What’s your critical equipment is pipe integrity. Then you have risk control systems, which is inspect, test, maintain. And that’s for everything in a facility. And then your integrity performance standard. So the performance standard will be written to say, “All right, we expect this to do this during its normal life. During an emergency, we expect it to have to hold up.” So that’s the model. And if your performance standard is not performed correctly, one of the risk control systems fails, you can get a deviation to your barrier, which will feed into your major accident hazard. One thing could cause a major accident hazard. You don’t have to have a pathway. So pathways tell you what’s happening overall, but if you have a big failure, then you could have an incident without the pathway at all, building just on one incident. So if it’s a-
James Tehrani:
Do you have a guesstimate of what percentage of incidents are major accident hazards, I should say, that are based on one incident versus a pathway? Is that less typical or more typical?
Andy Bartlett:
No, I don’t have any data on that, but it’s a good question. I’ll have to go and have a look at that in some of the databases I’ve got. But if you look at the IOGP Report 544, it’s got a good outline of what barriers, what safety-critical elements, would be expected to see in a facility. But the regulators, their job is to make sure that the facilities have gone through the safety case, or are in the States something similar, and come up with a plan to prevent major accident hazards being realized.
James Tehrani:
So how much does management of change play into this? It seems that, I mean when you have an extreme weather event per se… I mean, it’s obviously a sudden change in how you deal with that. So is that a big factor in all this, is being able to deal with that management of change with barriers?
Andy Bartlett:
Oh, I would call management of change a management system that is in place to prevent major accident hazards being realized. So if you’ve had a weather event that wasn’t in your plan, it wasn’t considered, then anything you do to make changes to prevent the next one would have to go through a rigid management of change process.
James Tehrani:
I see. And are there any important issues involving barriers that we haven’t discussed today that you think are important for our listeners to know about?
Andy Bartlett:
Well, I like to put it this way, when the manager comes into work on a morning and he sits at his desk and he gets a cup of coffee and he starts to look at the screen and say, “OK, what barriers are in play today?” He wants to see an all-green screen. He doesn’t want to see any red areas in his facility or orange areas. So when those barriers do come into play, he would want to know what are you doing to mitigate them? So I don’t know if that answers your question, but-
James Tehrani:
It’s interesting, I was actually wondering about that. When you do see these screens, how often do you see all green versus amber or other colors on there?
Andy Bartlett:
Well, during a working day, you will be doing work. And the minute you issue a hot work permit, then you are opening up your ignition barrier. Your ignition control barrier, sorry. The ignition control barrier is to recognize when you have the potential for ignition. So if you’re doing hot work, then you have opened up that ignition control barrier. What you don’t want is a detection system barrier saying, “Oh, I’ve got a gas release in that area.” And of course, then the decision has to be made, I got to stop the hot work until I find out what’s causing the gas release. The process containment has opened up. So that’s why a barrier is there, to let us know that our process safety is in place and it’s being managed correctly.
Andy Bartlett:
And of course, this has all been seen by management and the people out there issuing permits. If they’ve got an electronic system, they’d be able to see what the barriers are. So the question I would ask, “Oh, do I really want to issue a permit in this area that’s orange and make it go to red?” And if you’re the person out there actually doing the work, you’re the guy on the tools, you want to hope that somebody is looking at this so they’re not putting you in danger right at the front line.
James Tehrani:
Of course. Well, it’s always fascinating stuff coming from you, Andy. I really appreciate your time. It was a really interesting conversation today.
Andy Bartlett:
Thanks, James. I enjoyed talking about it. It interests me a lot and of course in my job, it interests me because I’m helping clients getting involved with this and seeing what can be done to make it better.
James Tehrani:
Great stuff. Thank you. Thank you so much, Andy. I really appreciate your time.
Andy Bartlett:
OK James, talk to you again. Bye.