Beyond design basis

I have written a couple of times about the “controls fail” scenario in safety management studies (here and here).  It has sometimes not been well understood, so those posts prompted a bit of discussion, and it was also a topic of keen discussion at the SMS Facilitators Forum in May.  Hence I was pleased to see that a similar concept receives brief but important consideration in Andrew Hopkins’ book Disastrous Decisions on the Deepwater Horizon well blowout.

(As an aside, I used to refer to the “all controls fail” case, until a few people pointed out that for a well-designed installation with multiple effective protection measures the worst plausible scenario might not be ALL controls failing.  In fact that is a very desirable position if you have the luxury of being able to achieve it through design.  Changing the design is not an option for existing pipelines though, so they may really be vulnerable to ALL controls failing, including the final barrier of wall thickness.)

But back to Hopkins, who reports on initiatives from the US Nuclear Regulatory Commission after the Fukushima accident, in which the tsunami that damaged the plant was much greater than the one it was designed for.  An NRC task force recommended that design and risk assessment should consider how the system would respond to beyond-design-basis events in which all the defences have failed.  Clearly this is similar to an SMS “controls fail” case in that it encourages consideration of how the installation would cope with worst case scenarios.

In a sense the Australian pipeline industry has been leading even the US nuclear industry in this aspect of risk management.  It will be interesting to see whether the concept eventually spreads to the oil and gas and other hazardous industries as Hopkins recommends.

This entry was posted in Pipeline design, Risk assessment. Bookmark the permalink.

3 Responses to Beyond design basis

  1. Richard McDonough says:

    Pete,

    I think the concept of “beyond design basis” when thinking about “all controls fail”. There has always been a slight tension in my mind with the “all controls fail concept”, as the SMS process requires us to define threats with sufficient detail so that we can identify effective controls. If we have done this absolutely rigorously, then we should not need to carry out “all controls fail”. To me, the concept of “beyond design basis” or acknowledging that our threat definition may be imperfect or incomplete provides a more logical entry to the “all controls fail” analysis.

    Cheers

    Richard

    • Richard McDonough says:

      Pete,

      See correction update below.

      I think the concept of “beyond design basis” when thinking about “all controls fail” IS USEFUL. There has always been a slight tension in my mind with the “all controls fail concept”, as the SMS process requires us to define threats with sufficient detail so that we can identify effective controls. If we have done this absolutely rigorously, then we should not need to carry out “all controls fail”. To me, the concept of “beyond design basis” or acknowledging that our threat definition may be imperfect or incomplete provides a more logical entry to the “all controls fail” analysis.

      Cheers

      Richard

  2. petertuft says:

    I never had a problem with the original “controls fail” concept but I know others did so if an alternative interpretation helps make it more logical and understandable then that’s a good thing.
