Click for next page ( 40


The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 39
MAJOR CONSIDERATIONS IN FORMULATING AN INSPECTION PROGRAM REI^TIONSHIP OF INSPECTION TO SAFETY Offshore drilling and production rights are granted to presumably experienced and competent operators following approval of the operator by the MMS. The public has a right to expect that such facilities will be operated with due regard for the safety of life, property, and the environment. The MMS inspection program was established to further this end. Nevertheless, the primary responsibility for safety lies with the operator. This is both an explicit and implicit condition of his lease. Therefore, the thrust of the MMS inspection program should be oversight to ensure that the operator has established and is following practices that will result in safe operations. This is different from the MMS undertaking to inspect every piece of equipment for proper functioning and give it a Seal of approval." Accepting oversight as the thrust of the MMS inspection program, it is pertinent to explore the relationship of inspection to safety. This chapter of the report examines the issue to highlight different approaches to thinking about safety that the committee believes will be useful in evaluating alternative inspection programs. Compliance versus Performance A key question is, "What is the actual relationship between inspection and the safety of offshore platforms?" It is a truism that inspection contributes positively to safety, but it is widely accepted by safety professionals that too much inspection, the wrong kind of inspection, or the wrong attitude about inspection can detract from safety. A related point is the maxim, often cited in the manufacturing sector, that quality and reliability cannot be "inspected in." At best, inspection can only verify the quality and reliability that has been "built in." Thus, if designers and manufacturing engineers were to rely too much on inspection to catch built in defects, then the quality of the product inevitably declines, along with the spirit of the manufacturing organization. Similarly, the committee believes that inspections will not ensure the safety of an offshore platform if proper equipment, operational procedures, and training have not been built-in. Inspection can only provide confidence that the safety that has been built-in is being realized. Inspection can provide confidence that effective procedures are being followed to ensure the proper functioning of equipment (particularly safety devices) and that the operating practices and safety 39

OCR for page 39
40 attitudes, of the operator reinforce the designed safety measures. With too much reliance on inspection however, there is a danger that complacency can eventually set in, and that the goal of operators can subtly shift from "operating a safe facility to Passing the safety inspection." When this happens, the resulting outlook could be termed a "compliance mentality,n one that is preoccupied with satisfying regulatory requirements, as opposed to a "performance mentality," which focuses on safe and effective operation. The performance mentality regards compliance with regulations and passing inspections as an incidental and natural by-product of safe operations. The compliance mentality equates safety to satisfying the regulations, i.e., passing inspections. Evidence of the compliance mentality has been seen often in many industries. For example, it is seen when an automobile manufacturer defends an unsafe location of a gas tank by saying that this location satisfies all applicable government requirements. It is seen in the launch of an Atlas-Centaur rocket during an electrical storm, its destruction by lightning, and the subsequent explanation that the launch criterion (viz., that visible lightning strikes must be at least five miles away) had been met. The compliance mentality essentially is an abandonment of responsibility and judgment on the part of the operator and the passing of that responsibility to the regulating agency and its inspectors. In the case of OCS platforms a failure to recognize this responsibility can lead to an attitude on the part of the OCS operator that "This may not be the best equipment/procedure/ decision, but it does satisfy the inspection requirements; therefore, if something goes wrong I am blameless." In much the same way, an inspector may fail to look for blatant safety problems because he has come to believe that, "My job is only to verify that all items on the checklist are OK As long as I've done that job well, I can't be criticized if something goes wrong.n These attitudes have been stated in an extreme fashion, but they can arise at different times and to different degrees among operators and inspectors in any industry. The compliance mentality can corrupt both operators and the inspection organization. It can confuse the tool of the inspectionnamely, following the PINC listwith its objective, which is improved safety. It insinuates a notion that "compliance equals safety." But no checklist can be completely comprehensive, nor can any inspector be completely knowledgeable about a facility. Indeed, those who live and work aboard the facility generally have a better understanding of its history, quirks, and problems, and thus a more accurate sense of where the hazards lie, than a visiting inspector with a checklist. Clearly it is necessary to have regulations, inspections to enforce the regulations, and checklists to facilitate the inspections. The inspections and checklists must be updated regularly and modified to reflect emerging problems. But when they become the end rather than the means, the ability of operators and inspectors to make intelligent, responsible judgments is weakened, and safety is threatened. How Much Inspection? If more inspection does not necessarily equal greater safety, then how much inspection is the "right" amount-that is, how much will optimize the operator's safety performance? Figure 3-1 illustrates the question graphically. The illustration, while generic and simplistic, facilitates discussion. The committee defines a safety attitude as being "a state of mind, forced or otherwise, which is receptive to the generation of criteria or elements known to be associated with good safety performance." Elements commonly associated with a safe offshore working environment are written workplace procedures, regular inspections, safety meetings, training programs, protective clothing, environmental protection program, accident/incident investigation procedures, emergency response procedures, fire fighting capability, and training and life-saving equipment.

OCR for page 39
41 1t 1t a - cn 11 oh - Total Safety - / INSPECTION b Total Safety . - , ~ c , Maximum Safety Cost of Inspections INSPECTION - Maximum Net Valued . Cost of _ Inspections _: Optimal Amount of Inspection - - INSPECTION FIGURE 3-1 Relation of safety to inspection.

OCR for page 39
42 Figure 3-la plots the amount of inspection against the degree of safety attained. It suggests that, as inspection increases in both thoroughness and frequency, safety also increases and approaches a maximum value, which we might call Total safety," in which preventable accidents never occur. However, there is a saturation effect, or a "law of diminishing returns, at play between inspection and safeW performance so that additional increments of safety are increasingly difficult and expensive to obtain. This is the "first-order" part of the relationship. Figure 3-lb shows a second-order effect in the relationship. As the amount of inspection is increased further, the degree of safety performance obtained from the operator actually begins to decline. This illustrates the compliance mentality effect described earlier. The point of "maximum safety" is therefore reached at a certain level of inspection, which is less than an "all out" effort. Figure 3-lb also includes a line representing the cost of inspectionboth the direct cost to the government and the direct and indirect cost to the operator. In Figure 3-lc, units of "Value to Society" are substituted on the safety axis to reflect the total cost savings of accidents avoided, including the societal value of lives saved and productivity maintained. The difference between the value curve and the cost curve now represent the net societal benefit gained from inspection. The greatest difference between these curves then represents the maximum net benefit. The point where this maximum is reached represents the optimal amount of inspection, even if it does not provide Total safety," or even "maximum safety." Conceptually, therefore, there exists an optimal amount of inspection. Inspection activity is not a case of "more is better." To find that optimal point in practice, of course, is not a mathematical exercise. In practice the optimal amount of inspection must be established by trial and error, by experience and judgment, and by analysis of results over time. Inspecting for Operational Safety Accepting the premise that at some point more inspection does not necessarily yield greater safety, and that there is some optimal amount of inspection that provides society with the greatest return on its investment, there still remains the question of the optimal content of inspections. The PINC list is hardware-oriented, and current MMS inspection practice requires inspectors to concentrate on witnessing many tests of equipment. But, historically, as was described in the section on "Safety Performance Record," accident events have tended to be related to human error and to poor operating and maintenance practices, rather than to failures of specific devices. A more effective inspection program would therefore focus more intently on human factors in place of some of the hardware tests. In regard to the area of human factors; experience in various industries indicates that operational safety can be increased by improving the following: . Management attitudewhen the attitude of supervisors and operating management encourages safety consciousness, accidents decrease. This attitude is reflected in awareness programs and individual discussions of the safe way to perform an operation, shutting in production where necessary, and setting realistic time targets to accomplish objectives. Housekeepingmany accidents are traceable to poor housekeeping. Where oil spills are cleaned up, equipment is properly protected and lubricated, parts and tools are neatly stored, and trash is properly handled? accidents are less frequent. Trainingaccidents decrease when workers are formally trained in the safe manner to perform the operations required of them, and in the correct use of tools. Communicationin a safe operation, near misses as well as accidents are analyzed and discussed. Workers are encouraged to raise questions about potential hazards in safety meetings. Even brief observation of operations at a facility in any industry can give a clear impression of the degree to which attention is paid to these aspects of operational safety. The conscientiousness

OCR for page 39
43 and general competency of workers, cleanliness and orderliness of the facility, and communicativeness of operator personnel are all readily apparent to the alert observer. To a large extent the impressions will be subjective and describable only in a relative sense (e.g., excellent, good, average, below average, nonexistent), but through the eyes of a properly trained inspector they can provide important information. If MMS inspections are to enhance safety on the OCS they must encourage proper attitudes toward safety. The present MMS inspection program does not include a structured qualitative assessment of the four attributes listed above. Evaluations by several inspectors (especially during spot inspections) over a period of time could be used to establish a profile of all the operators on the OCS as well as for each individual facility. Given the specific hardware orientation of the PINCs and the lack of a structured human factors assessment system, MMS inspectors might find it difficult to issue an INC when a facility is deficient in one of the attributes listed above (although such deficiencies could be addressed under PINC G-400~. However, even a post-inspection discussion of deficiencies with the supervisor could be productive. Once a profile was established for a facility, the MMS could review the profile with the operator's manager responsible for auditing the operator's safety program and the performance of the supervisors. MMS should also mount programs to provide positive motivation for operators to "think safety" that are broader and more publicized than the SAFE recognition program currently in place. The question arises as to how to handle the operator or supervisor who does not correct such deficiencies. The imposition of fines and penalties based on subjective judgments would be extremely difficult. As was often stated to the committee, the MMS cannot "legislate that individuals change their attitude." However, the operator is responsible for safety, and his response to human factors safety deficiencies could be encouraged through direct action such as shut-in of equipment located in areas where poor housekeeping is chronically evident, or equipment that workers have not been adequately trained to operate. More wide-ranging and frequent invocation of PINC G-400 is also an option. ADVANCES IN SAFETY RISK ASSESSMENT AND MANAGEMENT Over the past two decades a set of methodologies and techniques has emerged designed to assist system designers, developers, and managers in assessing and managing the safety risks of any complex system. This new activity, generally known as "risk assessment and management," is employed explicitly within a number of private industries and public enterprises engaged in the development and operation of complex systems. The nuclear power, chemical processing, and commercial aerospace industries are examples in the private sector; the U.S. Air Force is a public-sector example. Risk assessment consists of identifying potential failure scenarios associated with the system, and assessing quantitatively the probability of occurrence of such scenarios. Risk assessment is an engineering function analogous to stress analysis. The results of risk assessment are inputs to the risk management function, whose objective is to make optimal design and operating tradeoffs between costly risks and benefits, and to institute a system of quality assurance or quality control to ensure that these are decisions implemented. In the industries noted above, risk assessment is a formal process carried out by safety engineers, systems engineers, operations analysts, and other specialists using a variety of mathematical, statistical, and analytical tools. (Some of the most widely used are probabilistic risk assessment, failure modes and effects analysis, hazard analysis, and trend analysis.) The safety specialists report to line managers who are attuned to the significance and value of the analytic results. What was once a very uncertain process of guesswork and supposition has become an accepted, precise science that increases the confidence with which complex, technology-intensive systems of many kinds are designed, built, and operated.

OCR for page 39
44 The committee believes that some elements of this discipline are applicable to oil and gas drilling and production operations on the OCS. At the simplest level, the tools do not require extensive professional training to use. They can be employedafter some familiarizationby nonspecialists to identify in an objective way the items of equipment, operational procedures, facilities, and operators that should be accorded inspection priority. They can also be used to verify regulatory and inspection requirements and to discover failure modes that have not previously been recognized. The value and utility of these tools is enhanced by the collection of suitable types and amounts of data regarding the safety and operating history of OCS facilities. (The current MMS Offshore Information System [OIS] data system collects only some of the requisite data.) The limited data base on the performance of OCS systems available to undertake risk analyses was noted in a Massachusetts Institute of Technology (MIT) review of risk analysis in offshore safety and environmental management, which covered U.S., British, and Norwegian government policy (MIT, 1986~. This report pointed out that most applications of risk analyses have focused on structural design, onboard oil processing, and fire safety concerns, but not on platform operations. Chapter 7 elaborates on how the activity of the existing MMS inspection force can be redirected to utilize some of these tools and techniques to improve the inspection program. CONFORMANCE WITH FEDERAL LAW Apart from the adequacy of an inspection program in promoting safety, and the availability of new approaches to risk assessment and management, another important consideration relates to how well the inspection program and the regulatory process that it serves conform to federal law. The broad mandate of the OCSLA implies that the MMS has the responsibility to protect against any events or conditions involving a serious threat to life, property, and the environment. In this context, compliance with the literal requirement of the OCSLA relating to a mandatory annual inspection and unannounced spot inspections can be regarded as, at best, setting a floor for the inspection process; but compliance is not necessarily fully responsive to the need to protect against major threats. The nation's willingness to accept hazards to the public and to the environment has declined sharply since the time when the OCSLA was last amended. Even the most rigorous compliance with its literal provisions is not likely to be considered good stewardship or management in the event of an accident, especially if it becomes evident that practical and reasonably available preventive measures were not required by regulators or taken by operators. In that light, the question of "how safe is safe enough" becomes important. Appendix F discusses modern safety goals and standards, and approaches used to meet those goals.