This is the first in a series of essays by FLOW board member Rick Kane on the vital issues of risk management and the responsibilities of public officials under the public trust doctrine. The issue has special meaning in light of the risks posed by the twin Enbridge pipelines that convey 23 million gallons of petroleum products through the Straits of Mackinac daily. Rick is the former Director of Security, Environment, Transportation Safety and Emergency Services for Rhodia, North America. He is certified in environmental, hazardous materials, and security management, and is a graduate of the University of Michigan and University of Dallas.
Managing Risk and the Public Trust
Every day, we manage risk in our personal lives and for our families. I wonder what the weather will be like today; what should I wear, or do I need to prepare differently for my trip? There are consequences for not preparing, like getting wet, but the weather forecaster helps by providing the probability for rain and threat of severe weather. We listen, assess the risks, consider alternatives, and make a decision.
Envisioning scenarios, forecasting, and assessing risk are management activities performed in a variety of organizations. If the risks are too high, we take action to reduce them or, better yet, implement an alternative that eliminates the risk entirely. Alternatives analysis is a known but underutilized approach. Too often, organizations reduce risk by making incremental changes and not by using an alternative that could eliminate it. “It is not acceptable to harm people when there are reasonable alternatives - - - - It is not acceptable to harm the environment when there are reasonable alternatives.” In her book, Making Better Environmental Decisions, An Alternative to Risk Assessment, scientist and risk expert Mary O'Brien promotes alternatives - not just accepting risk assessments and incremental risk reduction strategies, i.e. identify and implement risk elimination alternatives.
For the big risks, we depend on elected officials and government regulators to take action in the best interest of public safety, environmental protection and economic interests. The Public Trust Doctrine is an important legal principle that they are required to apply to protect the waters of the Great Lakes. Risk and alternatives assessments are vital inputs needed to reach appropriate decisions under public trust law.
The Public Trust Doctrine holds that government has a solemn obligation to protect the waters of the Great Lakes in perpetuity for public use and enjoyment. The state serves as a trustee and is accountable for managing the waters for the benefit of current and future generations. Any private, public, or commercial existing or proposed use, diversion, or discharge cannot cause harm by materially reducing the flow, changing the levels, or polluting the waters. Those who seek to use, continue to divert, or alter the waters have the burden of proof to show they will not impair, pollute, or cause harm, or the proposed action is not permitted. Under the public trust, the waters can never be controlled by or transferred to private interests for private purposes or gain. Public rights cannot be alienated or subordinated by our governments to special private interests. This means that all reasonable private use and public uses may be accommodated so long as the public trust waters and ecosystem are not harmed and paramount public right to public uses are not subordinated or impaired.
For government officials, it is a duty to comply with the Public Trust Doctrine and ensure that the principles are followed. Citizens should understand public trust and hold their elected officials accountable for protecting the waters of the Great Lakes on their behalf and for future generations.
It Takes All Kinds
Growing up in the chemical industry, working in the private, government and non-government sectors taught me that a balance between the sectors is required to obtain feasible and acceptable outcomes. Private companies cannot be relied upon to self-regulate as not all of them have everyone’s best interest in mind. But private sector technical experts are positioned to identify feasible, safer technologies and alternatives. They may also need to be pushed to implement them by shareholders and regulators. Elected officials and government regulators can ensure that the competitive field is level for industry players and that companies are following the rules.
But there are cases where rules go too far, resulting in unintended consequences. Professional societies and standard-setting organizations provide direction to scientists, engineers, and member professionals on ethics and best practices that they should be applying on the job; strong, ethical professionals make strong organizations. And non-government organizations (NGOs) promote public, social, and long-range goals, but there must also be a balance and analysis for unintended consequences.
Taking a systems or macro/micro view is also very important in assessing risk and alternatives. Limiting the boundaries of study or scope prematurely can result in flawed and fatal conclusions. Here is an example that affected a large part of the world.
When Things Go Wrong, and Hindsight Is 20/20
Risk management involves the use of simple to very complex methodologies. However, they all depend on a proper definition of the scope of study, the system, relevant facts, key assumptions, and taking action to fill in important information gaps. Flawed assessments result when the scope of studies are too limited, methodologies are inappropriately modified or faulty, biased assumptions are used. O'Brien’s book provides an excellent overview on where risk assessments can go wrong.
The Daiichi Nuclear Power Plant Disaster was the second worst in history, just behind the April 1986 Chernobyl disaster. We use the Fukushima incident in teaching risk and process safety management. The Daiichi nuclear reactors were located on the Japanese coast and designed to withstand an earthquake and tsunami. The actual earthquake was larger than the safety design basis and the tsunami higher. The earthquake/tsunami triggered a number of failures that all had the same origin, in risk analysis terminology, “a common cause failure” – the earthquake/tsunami.
For safety, the reactors had a “layered or defense-in-depth” design to enable a safe shutdown in emergencies. But:
- 1st line - electrical supply from off-site to power the cooling water pumps, this supply was lost in the initial earthquake.
- 2nd line - emergency generators installed with the electrical switchgear in the basement, which flooded along with the generator fuel tanks when the tsunami hit.
- 3rd line – the battery back-up system did not have enough capacity to enable completion of the shutdown.
- And the emergency response was delayed because the company and country thought they could handle the incident on their own and did not want to admit how bad things really were.
In hindsight, the consequences of a nuclear meltdown were known, but could a better assessment have been done for the threat of locating the facility near the coast in an earthquake, tsunami prone area? What about the vulnerability analysis on the emergency shutdown systems and consideration of common cause failures? Was the “worst-case scenario” analysis faulty or biased for some reason? Today, parts of the area are still uninhabitable, although some residents have recently begun to return even when warned that radiation levels are still above safe levels. What next as this disaster continues?
Acceptable risk levels are based on the stakeholder’s tolerance for the risk. For example, for some citizens, an acceptable flood risk might be once every 500 years, while the acceptable risk of a human fatality from an industrial accident might be less than the probability from natural causes, say one in one million.
Risk assessments may be required to comply with federal, state, and/or local laws, insurance company policies, or company procedures. There are ethical principles: you cannot impose risk on someone else, and elected officials and government regulators have a duty to protect constituents and the environment. If you cannot live with a risk because the consequences are too high, then you must identify and implement an acceptable alternative. A Michigan high-risk and controversial example is the Enbridge pipeline.
Here are key terms in risk management:
- Risk is a measure of human injury, environmental damage, or economic loss in terms of the likelihood that an incident will occur (probability) and the magnitude of the injury or loss (consequence).
Risk = Probability x Consequence
- Probability can be further defined as a function of the threat, an event with the potential to cause loss or damage and the vulnerability, which is any weakness in the system or asset, that can be affected or exploited by accidental, natural, or man-made causes resulting in the harm. Thus, risk can then also be defined as:
Risk = Threat x Vulnerability x Consequence
- Toxicological Risk Assessments for human health and living organisms define threat and vulnerability in terms of exposure and dose-response assessments to a harmful substance.
- An Exposure assessment covers the most significant sources of environmental exposures, population potentially exposed, and concerns about cumulative or multiple exposures.
- For a dose-response assessment, a dose-response curve for the route and level of exposure observed is developed and compared to the expected human or living organism exposure in the environment.
- Risk assessments follow a stepwise process and can be a qualitative, judgement-based analysis, or a complex quantitative mathematical analysis.
- Scope, System Boundaries, Macro/Micro, and Dynamics- When conducting a risk assessment, the definition of the scope (subject of study), system boundaries, and dynamics are extremely important. Events occurring outside of the boundaries and transitions affect risk. Major risks can be transient and occur during take-off and landing, start-up and shutdown, transition from one physical state to another, movement from one place to another, under certain weather conditions, and so on. AIChE, Center for Chemical Process Safety
- The risk assessment process is known as Hazard Identification & Risk Assessment (HIRA, shown below). If the level of risk after one pass is not acceptable, risk reduction measures are added, and the process is repeated until an acceptable level of risk level is achieved; if not, a better alternative is pursued, and the current approach abandoned.
The Enbridge Pipeline - Line 5 Across the State of Michigan
Enbridge’s Line 5 is a 66-year-old pipeline that transports crude oil and natural gas liquids (NGLs) across the State of Michigan from Superior, Wisconsin to Sarnia, Ontario. From Superior to St. Ignace, Michigan, Line 5 is a 30-inch pipeline but divides into two 20-inch pipelines which then pass along the bottom of the Straits of Mackinac and merge back into a 30-inch pipeline west of Mackinaw City to Sarnia. Many studies have been conducted on the 20-inch pipelines at the Straits covering environmental and economic risks, pipeline mechanical integrity, structural modifications, failure modes, and numerous legal issues. And recently, the State of Michigan signed a new agreement for a study on replacing the twin pipelines with a new pipeline and tunnel under the Straits. Information can be found at on the FLOW and Michigan Pipeline Safety Advisory Board websites.
The Streetlight Effect
The streetlight effect, or the drunkard's search principle, is a type of observational bias that occurs when people only search for something where it is easiest to look. Both names refer to a well-known joke:
A policeman sees a drunk man searching for something under a streetlight and asks what the drunk has lost. He says he lost his keys, and they both look under the streetlight together. After a few minutes, the policeman asks if he is sure he lost them here, and the drunk replies no, and that he lost them in the park. The police officer asks why he is searching here, and the drunk replies, "this is where the light is."
The risk analyses have primarily focused on the twin 20-inch pipelines and consequences of a crude oil release. However, the system risk must include the entire pipeline and products transported. The design, fabrication and protection technologies of 30-inch pipelines above and below the Straits are at lower standards than the 20-inch pipelines. There have been at least 29 leaks in Line 5 and a history of ongoing repairs and patching. The replacement of the 30-inch pipeline would be a huge expense and most likely be implemented after a tunnel project is started. The risks and lack of discussion (unknowns to the public outside of the Straits) were previously noted by FLOW. Living Along Enbridge Line 5 in Michigan. In only looking at the problem as being under the Straits, consider the allegory "The Street Light Effect."
A Confined Scope– assessments with scopes that are too narrowly defined restrict the consideration of alternatives and opportunities to eliminate risk. There are continuing strong arguments that feasible alternatives to Line 5 exist and that the pipeline can be decommissioned on a priority basis. This analysis is beyond the scope of this article, but details can be found at: FLOW Alternatives Report 2015
Poor System Definition - system boundaries for Line 5 risk assessments have been limited to the 20-inch pipelines, as this is where the State of Michigan has authority and control over the Mackinac Straits bottomlands, i.e. the system study boundary is being set where there is legal control, not where the full existence of risk occurs. This in turn establishes a crude oil release as the primary threat because the consequences of a natural gas liquids (NGLs), (a mixture of largely propane with some ethane and butane), release would be small in comparison. Thus, this is a legally defined system and not one based on Line 5 system risk to human safety, the ecosystem, and economy. An NGL release poses a major risk to human safety and infrastructure along the entire Line 5 route. The risk is not transparent to the citizens of Michigan (only looking under the streetlight); they are not provided information on known unknowns and a consideration of possible unknown unknowns.
In terms of the risk equation- Risk = Threat x Vulnerability x Consequence
What are the consequences, threats, and vulnerabilities outside of the Straits? For example, the impact of an NGLs leak.
Consequences - Line 5 travels near several populated areas: Ironwood, Manistique, Engadine, Naubinway, St. Ignace, Mackinaw City, Indian River, West Branch, Linwood, Bay City, Vassar, and Marysville, Michigan, and it transports NGLs about 20-30% of the time. NGLs are a liquid under Line 5 operating conditions but would flash into a vapor cloud if a leak occurred. According to the Dynamic Risk Assessment Systems, Inc. study contracted by the Michigan Pipeline Safety Advisory Board (MPSAB), a large underwater release under the Straits could create a flame envelope of just under one mile. But what if you are living or traveling near Line 5 upstream or downstream of the Straits? A ground level release and fireball could be much larger as the pipeline pressure is higher and distance between emergency shutoff valves greater.
For a crude oil release, Line 5 crosses nearly 400 streams and wetlands and runs near many other sensitive public and environmental areas. Studies conducted for the state designate 74 water-crossing locations as “prioritized,” indicating sensitive areas vulnerable to a spill and including endangered species habitats and sites near drinking-water intake pipes. Some of the waterways include the renowned AuSable, Sturgeon, Manistique, and Rapid rivers, and the Upper Peninsula’s Lake Gogebic.
Defining the system in terms of legally controlled boundaries results in the risk to areas outside of the Straits being overlooked. In addition, the December 2018 Enbridge-State agreement enables threat to continue until at least 2024 as tunnel studies are conducted, and beyond if a tunnel project is launched. Meanwhile, the threats outside of the Straits continue.
Vulnerability to failures outside of the Straits have many known unknowns and possible unknown unknowns due to different operating conditions, design and maintenance and inspection programs, and environmental exposure conditions. For the public, there should be many questions, but unfortunately, with the focus on only the Straits, under the street light, citizens do not know that they should be asking safety questions.
Here Are Some Starting Questions
What are the risks for a release upstream or downstream of the Straits, especially for NGLs? What is the safety risk to populated areas from a fireball and the lakes and rivers to a crude oil spill? What are the plans to mitigate the risks now, with and without a tunnel project?
Based on the agreement signed by the State, current operations at the Straits can continue to 2024 and beyond with minimal additional monitoring and on-site emergency response. Why are “extraordinary” emergency response measures not required to counter the extreme consequences that would occur at the Straits? This is a normal requirement in other high consequence, non-mitigated risk situations.
What are the plans for the entire pipeline system, especially outside of the Straits where the design and mechanical integrity is known to be less than at the Straits? Should citizens expect a segment by segment replacement as was done on Line 6B/78 in southern Michigan?