Archives of Personal Papers ex libris Ludwig Benner, Jr.
   - - - - - -Last updated on Saturday, August 8, 2009
[Personal Archives]   [ Investigation Research Roundtable ]   [ E-mail comments to Host ]

PROCEEDINGS OF

An Exploratory Forum on

RISK CONCEPTS
IN
DANGEROUS GOODS
TRANSPORTATION
REGULATIONS

Sponsored By


TRANSPORTATION ASSOCIATION
OF AMERICA

June 22, 1971
Hotel Sonesta

Washington, D. C.


(Substantive excerpts from the Proceedings)

Comments about this document www.iprr.org/lib/TAAcomments.html



HONORABLE JOHN H. REED

Chairman
National Transportation Safety Board

President Hammond, on behalf of the National Transportation Safety Board, I want to thank you for inviting us to participate in this Forum and explain the Board’s recent study on Risk Concepts in Dangerous Goods Transportation. I have always been impressed with the leadership which the Transportation Association of America has demonstrated within the private sector of transportation. I am particularly gratified when TAA acts to take the lead so directly in a matter which has been recommended by the Safety Board.

As we all know, the attention to hazardous materials regulation and the degree of scientific effort in such regulation is increasing sharply. The organization of hazardous materials effort was greatly improved by placing the functions of different administrations under the Department of Transportation in 1967. Very broad scale analyses, including the assistance of such groups as the National Academy of Science, are now underway. I believe that the representative attendance at this Forum today illustrates the broad interest which has been directed to this subject in recent years.

The role of the Safety Board in the investigation and cause determination of accidents—and in initiating actions to prevent accidents – is now well known in the transportation industry.

The special study on the concepts of risk is an example of another Board function; namely, the authority to conduct special studies in safety wherever they appear to be necessary.

The Board always seeks to assist those receiving our recommendations to understand what is being recommended. Whenever possible we are pleased to elaborate on recommendations, explore alternatives, or just provide more references if that is all that is needed. This is the fourth meeting held recently in the furtherance of Board recommendations. To give you an idea of our activities the other three meetings were concerned with compatibility of standards in highway transportation, design of locomotive cabs for crash survivability, and schoolbus safety.

Since its inception in 1967 the Safety Board has issued accident reports in 15 major accidents in surface transportation that involved hazardous materials. These included three highway accidents, four railroad accidents, six marine accidents, and two pipeline accidents. We currently have in process another six accident reports involving hazardous materials. In addition, we have originated three special studies on hazardous materials problems and have participated in the DOT Task Force, which reviewed the organization of hazardous materials efforts in 1970.

The drawing together of such experience to find problems with basic concepts is a normal approach at the Safety Board. We do not look merely at individual accidents and attempt to correct the problems which are evident. Rather, we try to find the larger significance of numbers of accidents over the entire field of regulation and voluntary action. What general principles may emerge from a number of accidents? Are there new ways of attacking old problems? Can regulations be developed which will not only prevent the next accident, but also prevent new and unknown types of accidents from occurring?

The major goal of safety effort is to prevent loss of life and property damage, before accidents occur, by adopting the most effective safety measures. Of course, the predominant approach in today’s safety regulation is derived from accident experience.

When an accident occurs it is proof that a hazard exists which might be countered by regulation. But the second approach—that of analyzing and preventing hazards—is gradually becoming better known. You will see the effects of that better approach in this study, which is to be explained.

You will also note in this study the Safety Board’s interest that those who regulate safety are aware of, and concerned with, the question of who will suffer when accidents do occur. In the transportation of hazardous materials it often happens that the risks of transportation are borne by bystanders who might not even be aware that a risk is present.

Another question of great significance is where to apply the resources available to obtain the best safety results. That is a problem—not only in hazardous materials regulation but in all phases of transportation safety.

The broad interest in this study, which has justified the assemblage of viewpoints under TAA sponsorship, is most encouraging. Here we are sitting down together in a constructive manner to consider a new approach. No one, to my knowledge, has attempted to sidestep the questions raised by this study. Rather, in this type of meeting, industry and government are seeking to reach a similar understanding of what is being proposed. There will be an opportunity for candid discussion this afternoon and I want you to know that the Safety Board is as interested in your point of view as we are in presenting our own.

We do not suggest that this study is a complete solution to the problem and are certainly prepared to entertain varying opinions.

I believe that the deliberations of both sides are certain to cast light on this question and lead eventually toward improved regulations. Whether or not these recommendations find support or inspire more questions, the TAA will have performed a most important service in assembling this group for discussion.

I now suggest that we proceed with the business at hand.





HENRY H. WAKELAND, Director

Bureau of Surface Transportation Safety
National Transportation Safety Board

Chairman Reed has pointed out the background of experience from which this study came and I’d like to go into that a little bit more soon, but first I’d like to say a bit about our procedure for developing studies of this nature.

As a result of discovering that there were some general conceptual problems in safety regulation, we created a staff of four intermodal specialists whose field is largely that of theory in technical safety methods and in safety management. These four specialists are housed in the Director’s Office in very close relationship. In fact, if they were any closer they would be in a closet I

The theory seems to be working. When they are able to talk with each other, go to lunch with each other very easily, face the problems that they are handed, they will come up with theories and approaches which are larger than the skills that they bring to the task individually. That has happened in this case. Two of our specialists are here, Mr. Ludwig Benner who is a hazardous materials expert with a strong bent toward systems engineering and Mr. Emerson Harris who is a systems safety specialist who came to us from NASA. These gentlemen originated many of the ideas in this study. It was really necessary at the Bureau level only to define the problem, to put in the words “risk concepts” and our excellent staff men have created this concept. It brings together many of the factors which are found in safety board studies in several fields over the last two or three years.

Now, if you have read very many studies of this kind, either those produced by private sources or by government, you are well aware of one strong bent that scholars have in such studies, that is this. It is quite easy in considering such a subject to decide very learnedly that because some advanced or esoteric technique exists, that it ought to be applied immediately and completely across the whole field. To be perfectly truthful , that is how we begin. We look at our stock of techniques. We look at the problem and then we try to determine whether it is worthwhile to apply these techniques or whether it is not. In this situation the seemingly esoteric is well justified by the problems which will be described. Some day, we think, this kind of systematic approach will become, not an esoteric looking chart in the back of a study, but the commonplace approach to the organization of this forum of safety control. And I think you will also may be able to appreciate at the end of our discussion this afternoon that this kind of an approach applies beyond hazardous materials. It may well be a general approach for many of the problems in the whole field of transportation safety.

I want to discuss the sequence in which we realized that this problem existed and what the dimensions of analysis were that were required to approach it. Then I would like to say a little bit about how the development of a practical approach to risk levels -- quantified, numerical, objective risk levels - how that could resolve some of your immediate practical problems.

The first practical problem I’m thinking of, of course, is the one that you have been discussing recently, the question of procedure in contacts between regulated industry and the regulating agency. Then a few comments about the importance of the flexibility which is provided for industry in general through a workable, objective risk level concept of regulation. There is an implication in this study, ladies and gentlemen, that risk levels, not detailed regulation of individual problems, might be the eventual basis of hazardous materials standardization, specification, regulation. We do not carry the study that far. I simply say this: that there is an implication of the possibility in the future.

Part of the significance of the absence of the framework of risk was realized by us first when we studied the question of the use of air space above and below highways. This we did in 1968 and we reported in a 1969 study. As you know, the Federal Highway Administration has recently received a great increase in applications for the use of this space from those who are interested in the economic benefits. FHWA is getting them now at the rate of — the last figure I heard was about 400 per year. In 1968, the hazards of this type of operation were fairly well controlled by FHWA rules as far as protection of the highway user was concerned. No one could drop flames on the vehicles; no one could place a powder plant above or below the highway, that sort of thing. But in 1969 we recommended a full scale study of the hazards and sources of potential catastrophe to those who were in the buildings arising from the highway.. The air space concept envisioned schools, playgrounds, auditoriums, public buildings, restaurants, above and below the highways.

While we were doing this study we realized that there was little, if any, basis for the quantification of the risks that might be incurred. We knew the risks were there. If you want a recent example, consider the truck explosion at Waco, Georgia which made a hole in the ground 20 feet deep, 100 feet in diameter and killed one person 200 yards from the scene of the explosion. Envision that, for example, occurring underneath one of the restaurants over the Illinois Turnpike near or west of Chicago.

But we could not quantify these risks. The proportion of the highways that were already incurring this risk was very small, at the time that we undertook this study. We suspected that there would be almost no accident losses to demonstrate to the public that a hazard existed until a great many more buildings of this nature had been built. By that time, by the time the losses became visible, the numbers of buildings constructed and whose economic characteristics were already established, would be quite large. So we would have a frozen situation that we couldn’t counter. The key to that situation was the ability to predict reliably, believably, the hazard and loss situation that would eventuate.

In this situation, it was quite impossible to employ the well known method of counting the accidents, proving that the change to reduce accidents would be justified, and then justifying the improvement later by showing that a reduction in the accidents had actually occurred. This is the method which is most used today, but not quite, that method amounts experimenting on the public. We want to be able to predict instead of waiting for accidents to demonstrate the hazard.

When we realize that the patterns of hazardous materials accidents tend to be unique, when we see that the accidents are both catastrophic and unusual, we can see that it is impractical to await the occurrence of accidents to demonstrate and justify safety changes. There are only a few loss situations in hazardous materials where there are enough accidents to show necessity. A few that come to mind immediately are poisoning in the home; accidents to tank trucks; the occurrence of accidents to fuel tanks in automobiles. Those are matters where there may be sufficient statistical background to develop the problem, but there are not very many such accidents. Mostly it appears that we have a few catastrophes, not enough to predict from past statistics. Therefore we must analyze in advance.

There are successful examples of this almost predictive approach. I want to take off into far space by pointing out that the Apollo Project is one such example. It would have been completely impossible to work out the safety factors in the Apollo Mission by a process of measuring the numbers of accidents and determining by cost benefit analysis which accidents were most economical to be prevented. Instead the Mission and the space craft design and the necessary operations by humans were carefully analyzed and decisions were made on the basis of analysis of possible modes of failure which could be countered by additional expense to prevent them. So, in essence, this “concepts of risks” study discusses that approach on a very much broader basis. Incidentally, it is actually somewhat more advanced, this approach, than that which was used in the Apollo Project.

The Safety Board’s next experience of significance for this problem came from the two railroad accidents which many of you know of, the LPG tank car accident at Laurel, Mississippi and the anhydrous ammonia tank car accident which occurred at Crete, Nebraska. These accidents occurred only about a month apart, early in 1969. They involved the same general type of tank car, the specification 112—A. The cause of the railroad crash was completely different in these two accidents. The mechanism of tank failure which produced the catastrophic results was also completely different in the two cases. In the Laurel case, a derailment following a broken wheel resulted in fire which burned fifteen 30,000 gallon tank cars of LPG. Under the influence of fire, the heating of one tank car from fire in the next car, several of the cars ruptured. There were both longitudinal and circumferential ruptures. Major parts of the tank were projected through the air at distances of as much as 1600 feet. It was a rocket propulsion type of action. The pieces which were returned to the scene from 1600 feet away weighed up to ten tons. Ten tons rocketed through the air for 1600 feet. In that accident 54 residents were substantially destroyed, there were two fatalities, 33 hospitalizations and property damage exceeded $3 million.

In the accident at Crete, Nebraska, a derailment initiated by track irregularities — you know how frequent track irregularities are — resulted in the end of one tank car being struck by the coupler of another. This occurred on a day when the temperature was four degrees Fahrenheit. The entire end of the tank car shattered in the brittle failure mode, and the shattering extended along the sides. It broke into eight pieces, resulting in almost complete release of the whole load of approximately 30,000 gallons of liquid ammonia. Six townspeople were killed, and 53 were injured as a result of exposure to the cloud of ammonia. Almost all the fatalities and injuries in these two accidents were suffered by bystanders — those innocent people who had little, if anything to gain from the transportation.

The Safety Board report interpreted both of these accidents in very broad terms. In the report of the Laurel accident, the Board pointed out that the property damage alone would have more than paid for the full-scale fire tests of the tanks which would have revealed the rocketing hazard. Such tests would have revealed also that large increase in LPG carried in one tank meant that a large increase has occurred in the risk to those along the right—of—way.

There have been at least four other incidents of this type of tank car rocketing with these specification 112—A tank cars, the latest one having been the spectacular accident at Crescent City, Illinois. The pictures of that accident show the ball of fire rising to the order of 300 to 400 feet above the scene. In that accident, of course, the persons who were injured were firemen. So this is a continuing problem.

The Safety Board, in the Laurel, Mississippi accident said this: “In effect, the tests were made at Laurel, Mississippi. This procedure, of course, involves far higher costs to the public, not only in dollars but in death, disability and suffering.” This was, if you will, testing on the public.

In its report of the accident at Crete, the Board said: “The accident at Crete was, in effect, a low temperature crash test which disclosed the need for control of low temperature brittleness of tank material. This test was also performed at very high human and economic costs)’

You see, this report of the Crete accident had recalled the previous 112—A accident at Laurel and compared it with the one at Crete. The tank cars were of similar design except that one was carrying anhydrous ammonia, the other was carrying LPG.

Continuing to quote, “Both these tests, Laurel and Crete,. were performed long after the tank cars had gone into service and after the pattern of rates and other economics of the use of these cars had been fixed. Under these circumstances, the correction of the existing cars may now be very costly to accomplish. There is also a danger that changes to cars, not yet built, which would have seemed reasonable before the economic pattern was established, may now be regarded as costly, and profit-reducing and therefore questionable improvements.”

Now, you all know that the words “profit-reducing”, ”costly” are part of your stock in trade. It is one of the things that concerns you most, when you are discussing whether regulations are needed.

In the Crete case the Board summarized the effects of testing of this one type of tank car. The Board pointed out that the testing by service use had now resulted in eleven fatalities, 152 injuries and approximately $5,300,000 in property damage.

Would anyone doubt that this sequence of accidents has actually been a very costly failure of the regulatory process? Almost certainly the tests which would have revealed these problems, the shortcomings, would have cost far less than $5,300,000. In fact, the present — 1972 —budget of FRA — seeks from Congress the sum of $500,000 for work on this type of tank car. And we are not yet at the end of this type of accident, since the cars still have the same characteristics, they are still carrying the same materials, and they are running in the same environment with almost the same unchanged patterns of movement and risks. There have been some changes adopted by FRA.

So again, the Safety Board’s experience produced illustrations of the short—comings of the general framework of analyzing risks. The thing that struck us most when we discussed the significance of these two accidents was that all of those persons who were discussing what ought to be done to save these tank cars for future use were talking only in terms of technical feasibility of the things that might be done. They were not talking in terms of the risk level.

None of these changes that have been proposed, though, for these tank cars are of a scope which would adversely affect the economics of the cars. It just seems impractical now, yet, at the same time, no one has argued that the older, completely insulated, and smaller cars were uneconomical. And no one, if they had known that these type of accidents would occur, no one would have argued that it was economically necessary to incur these added risks. A great deal of the reason for the change was ignorance.

In all the fields of movement of hazardous materials today there are economic pressures for increased concentration of large quantities of hazardous materials, higher speeds of movement, longer usage of equipment, more sophisticated and unusual movement techniques. The problem of analysis as the safety will continue to be a problem in prediction. The size of the accidents will continue to make it wasteful to use accident experience as the basis for proving what changes are necessary.

It is significant, too, that Congress and the public are now requiring far greater attention to safety in economic decisions than was formerly the case. The Natural Gas Pipeline Safety Act was passed by Congress to control a hazard in which not more than 30 fatalities per year being incurred. In Alaska, the building of the pipeline, through completely uninhabited territory has been delayed by considerations of the damage to the natural environment. You all remember the controversy that was created by plans to move nerve gas to the coast and to dispose of it by dumping it at sea.

No one was really able to analyze the risk levels in these matters, or the changes in risks that would be created by the different possible alternatives, so the arguments went right into the higher political levels. The movement was actually considered and really almost decided by Congress. But Congress didn’t know what the risk levels were, either. None of us knew, because we couldn’t analyze them. So another loss from the ignorance of risk levels is this — that the movement of hazardous materials may be inhibited by non—analytical decisions, owing to the fears that are developed, where we cannot say objectively what the risk level may be.

Now, our two speakers, Ludwig Benner and Emerson Harris will explain not only many of the other additional aspects of these problems, but also the creative development of this framework in which the degree of risk level can be determined. You all know that this is not a completely worked out method for practical application tomorrow or the day after tomorrow. It is a logical development of the problem, an arrangement of the problem in which there is a good possibility of developing risk level based judgment if certain localized problems of analysis can be handled. We’ll talk about those this afternoon.

The Safety Board’s general policy is not to point out in every detail how to do a thing, but instead to point out what needs to be done. So we are showing here one method by which the framework of this type of risk level decision making can be structured. It may be the only framework. At least the relationships (if you’re looking at the chart) the relationships that are found among elements in that chart are fairly well fixed. Logically they are related and they constitute one workable approach.

More than that, if we can work out a scheme of this nature, it is potentially an objective approach, in the sense that everyone who is working with that framework may come up with the same result, assuming that they are employing the same elements. Now, that is one of the points in the discussion of procedure for regulation which has concerned you recently. Although you are talking about “procedure” in contacts with the government, it is possible may be dealing with the question, really, of who knows how to make the judgments in this problem in the long run. If there were objective risk levels, understandable in the same way by both the regulators and the regulatee, if there were language for the statement of the individual elements that go to make up this risk level, I think the contacts between government and industry would be found to be substantially broader and more frequent than they are.

The study also points out that many of the existing regulations are based on detailed construction and design standards. There is no doubt that you have a practical problem in that the design standard method tends to place strictures on innovation. If the risk levels produced by any given type of construction could be analyzed, there is a theoretical possibility that the regulation itself could be based on the risk level. This would require a greater accuracy in the determination of risk level for the entire system than we now think is possible, but such regulation would not restrict changes. For reasons that will be discussed during the technical presentation, the changes in the risk level can be analyzed with much greater accuracy than can be the absolute value of the risk which is incurred. But if such regulation were to become possible, manufacturers could chose their own type of shipping containers, they could choose their routes of movement, the timing of movement, to attain a certain risk level. I don’t think that anyone would object to this type of flexibility provided that the levels of risk could be definitely established.

One other concern that may be present on the part of industry is this: that the greater analysis of these matters means, or will tend to mean, greater regulation. That is not necessarily the case at all. We know from our studies that at present the differences in losses, the differences in risks, for goods transportation among the different modes of transportation, vary by a range of more than 100 to one, almost a thousand to one. Now this implies that there actually do exist wide differences in the degree of risk. It implies that it may be economical for some agencies to increase their risk a little bit while others greatly reduce their risks.

I think, if you will read the report of the Atomic Energy Commission for 1970 you will find that the total number of fatalities arising from the full use of all the materials which are in their categories, including ordinary industrial accidents, amounted to a total of two fatalities. That is an exceedingly good record. It may be that there is a little overkill going on in the safety area in that field. We can never say that it is wrong to save lives, but, nevertheless, it is not implied that the determination of the risk level will always result in greater pressure to further reduce the risk.

So, much of the problem in hazardous materials regulation arises from the fact that we don’t know the risk level. It will not be easy to change. Yet at some stage in history we must begin to change, we must begin to make these determinations simply because it is wasteful both in lives and in money to continue in the present variegated, unorganized pattern. Perhaps now is the time to begin.


LUDWIG BENNER, JR.

Hazardous Materials Specialist
National Transportation Safety Board

I’m going to just briefly try to recapitulate the highlights of the study as it was published. I know it is pretty difficult reading and I suspect some of you nodded a few times before you got to the end of it, so I think it would be worthwhile to highlight some of the features of the study for you.

First of all, the study implicitly acknowledges that the movement of these goods is essential to our economy. I think it is very important to understand that this is one of the basic premises from which the study proceeds.

Second, the study implicitly recognizes that there is a very substantial investment in present regulations, and that changes to these regulations must be rational.

Third, the study also recognizes that changes of the nature and magnitude we are suggesting will take a considerable time to perfect.

And finally, the study implicitly recognizes that if we are going to make changes in our approaches they very clearly must be a bona fide improvement over the existing approaches.

With that in mind, I’d like to highlight some of the things that the study does NOT call for. First of all, I think it should be made clear that the study does not call for the junking of all present regulations and experience. There has been some concern communicated to me that the study implies old is bad, and that the new, therefore, must be good. I want to emphasize that the study in no way suggests that all the old regulations and experience that we have managed to accumulate over the years should be discarded.

Second, the study does not call for a full—blown, complete new scheme to be perfected before any changes in the approaches are reflected in regulatory changes. We can’t hope to achieve a perfection of the new scheme immediately. It is simply too broad, as I’m sure you’ll appreciate.

Third, the study does not call for the invention of a whole new kit of tools to be used in the analysis that would be required for these approaches. A great many of the needed tools are available and will be discussed. We are calling for the application of existing analytical tools rather than the creation of a whole new kit of tools.

Fourth, the study does not lay the burden of the development effort on a single party. Although the recommendations were addressed primarily to the Secretary of Transportation, the recommendations conceived that the Department of Transportation would provide a focal point and the leadership required for the effort. The development of the framework and methods recommended is not intended to be a one-man show.

Fifth, the study does not call for vast expenditures for massive programs to be launched and we’ll discuss that in greater detail as we proceed.

And finally, this study does not call for the adoption of the framework that was presented in the study. I call your attention to the title of that framework. It is an example of the type of framework that could be developed. With these thoughts in mind, then, let’s highlight some of the things the study DOES call for.

First of all, the study suggests a change from the case—by—case approach, which appears to have prevailed in the past, to a more comprehensive, comparative approach whereby we can make analytical comparisons of the risks that exist both among the modes and among different commodities.

The study calls for the application of the best available analytical tools and logic to these hazardous materials safety problems with which we are all confronted.

The study also calls for improved organization of the systematic search for interrelated hazards and risks when hazardous materials are moved in transportation systems.

The study also calls for the identification of specific safety goals toward which all of us can work, and against which the success of our efforts can be measured.

The study also calls for the visibility of these safety goals and also for visibility of the analytical efforts.

The study calls for a greater emphasis on the predictive approaches, rather than the prevailing “safer next time” approach.

The study calls for equitable regulatory treatment for each of the modes, and for all the commodities in terms of the risks associated with dangerous goods transportation. Those of you who are faced with competitive pressures will recognize the need for this equitability.

The study calls for a broader representation of parties at risk for the inputs that are fed into the regulatory decision-making process.

The study calls for an improved learning process. The last recommendation of the study, which calls upon the Department of Transportation to make semi-annual reports describing the progress of this effort, is directed toward that end.

And, finally, the study calls for change. Industry is faced with changes day-by-day as it tries to improve or maintain competitive position, as it tries to improve the level of safety at which it is operating, and as it tries to respond to the numerous pressures that fall upon all decision makers. Government, too, must respond to evolving conditions. Giving a clear purpose and direction to these changes, in the most effective and equitable manner at our disposal, really summarizes what the study calls for.

That, very briefly, is a summary of the principal points on which the study is focused.

I would also like to highlight one other facet of the study that, in my view, warrants your careful attention. This is in the understanding of what we mean by the terms “risk” and “hazard” which you will hear very frequently during the balance of the day. As stated in the study, we have used “risk” as the probability that hazards existing in the system will cause an event to occur which will result in some loss. I would highlight these four words for you: “probability”, “hazards”, “events”, and “losses”. The study describes “hazards” as used in the study, to be a condition or a set of circumstances, and I would distinguish that from an event.

And finally, this study does not call for the adoption of the framework that was presented in the study. I call your attention to the title of that framework. It is an example of the type of framework that could be developed. With these thoughts in mind, then, let’s highlight some of the things the study DOES call for.

First of all, the study suggests a change from the case—by—case approach, which appears to have prevailed in the past, to a more comprehensive, comparative approach whereby we can make analytical comparisons of the risks that exist both among the modes and among different commodities.

The study calls for the application of the best available analytical tools and logic to these hazardous materials safety problems with which we are all confronted.

The study also calls for improved organization of the systematic search for interrelated hazards and risks when hazardous materials are moved in transportation systems.

The study also calls for the identification of specific safety goals toward which all of us can work, and against which the success of our efforts can be measured.

The study also calls for the visibility of these safety goals and also for visibility of the analytical efforts.

The study calls for a greater emphasis on the predictive approaches, rather than the prevailing “safer next time” approach.

The study calls for equitable regulatory treatment for each of the modes, and for all the commodities in terms of the risks associated with dangerous goods transportation. Those of you who are faced with competitive pressures will recognize the need for this equitability.

The study calls for a broader representation of parties at risk for the inputs that are fed into the regulatory decision—making process.

The study calls for an improved learning process. The last recommendation of the study, which calls upon the Department of Transportation to make semi—annual reports describing the progress of this effort, is directed toward that end.

And, finally, the study calls for change. Industry is faced with changes day—by—day as it tries to improve or maintain competitive position, as it tries to improve the level of safety at which it is operating, and as it tries to respond to the numerous pressures that fall upon all decision makers. Government, too, must respond to evolving conditions. Giving a clear purpose and direction to these changes, in the most effective and equitable manner at our disposal, really summarizes what the study calls for.

That, very briefly, is a summary of the principal points on which the study is focused.

I would also like to highlight one other facet of the study that, in my view, warrants your careful attention. This is in the understanding of what we mean by the terms “risk” and “hazard” which you will hear very frequently during the balance of the day. As stated in the study, we have used “risk” as the probability that hazards existing in the system will cause an event to occur which will result in some loss. I would highlight these four words for you: “probability”, “hazards”, “events”, and “losses”. The study describes “hazards” as used in the study, to be a condition or a set of circumstances, and I would distinguish that from an event.



EMERSON R. HARRIS

System Safety Specialist
National Transportation Safety Board

The subject that I would like to discuss with you is Systems Analysis for the purpose of risk identification. Rather than keep you here all day, since systems analysis is a monumental subject, I have constrained my comments and information to the essential points of the bask techniques.

I should like to begin first by making a point, and secondly, by reinforcing a point that already has been made. The point that I wish to make is that a prerequisite for any systems analysis is an accurate system description. This assures that everyone is addressing the same system or is working to the same baseline. Further, a system description develops an understanding within the analytical activity of the interior and exterior system interfaces, the system elements, and the interaction between those elements.

The point that I would reinforce is that once the decision has been made to undertake a system analysis, some determination must be made as to what is to be achieved by the analysis or what is wanted to be learned about the system. In other words, analysis goals must be established to give the effort focus and direction.

A case in point could be the subject of today’s meeting. One analysis goal might be the identification and evaluation of system risks. This would be the risk from a system standpoint and not from an individual commodity standpoint. This goal in turn would be reinforced by a secondary goal which might be to establish the standards necessary to minimize those risks.

Having developed a system description and established the goals, the next problem is to select the methods or analytical tools that will be effective to use for the accomplishment of these goals.

I would like to describe three basic analysis methods for you. These techniques were originated in the 1962—1965 time period and since have undergone a considerable amount of refinement, expansion, contraction and modifications to solve unique problems. I will not go into all these variations but rather stay within the basic concept to describe the techniques.

These methods were selected originally for their ease of adaptability and flexibility. It is interesting to note that the first of these methods leads easily into the next as the system complexity increases. This means that the methods all overlap. This also means that the data developed to support the first analysis generally is useful for much of the second, and the data from the second supports the third. This is a distinct advantage.

The three techniques that I plan to discuss today are the hazard analysis which is used for the relatively simple system; the logic tree or commonly referred to as fault tree analysis which is applied to the complex system; and finally, system simulation which is the most sophisticated technique of all three. Once again, I emphasize the point that there are many variations, many adaptations of these three basic methods.

Beginning with the hazard analysis, this analysis starts with the identification of the energy sources in the system; for example, electrical, mechanical, pneumatic, hydraulic, and environmental which include the thermal, vibration and shock loads to which the commodities will be exposed during transportation. Next, the system features which have been incorporated to control these energy sources are identified, listed and assessed. These would be such items as shock attenuators, grounding devices, procedures or operating controls and in fact, the whole package.

Once this has been completed, it becomes possible to evaluate the sensitivity of the commodity to the residual energy sources to which the product will be exposed during shipment. From this, the exposure can be determined, together with the probability of an accident. Having determined the risk, it then is possible to translate this data into the public at risk, the commodities at risk, external facilities at risk, or the carrier system at risk. This enables the controls or standards to be identified that are needed to reduce the peak risks, such as a constraint on a transportation method. For example, there are some transportation systems that lust should not carry some commodities. A case in point, it would not be practicable to ship a quart of nitroglycerine on a Greyhound bus. This is of course a ridiculous proposition but it is the kind of general constraint I am describing.

Other constraints could be in the area of commodity loading, handling, or tiedown and include all the techniques with which you all are well familiar. Finally there is the individual commodity packaging including shock mounting, insulating or protective packaging and this whole technology of packaging engineering.

There are many applications of this technique that have been used successfully in the past and are currently in use. Most of my experience has been in the area of delicate space instruments and solid rocket motor shipments.

The next method is the logic tree, or the fault tree technique. The reference to a tree is because when completed, the analysis data is arrayed diagrammatically to form the general pattern of a tree.

The analysis begins with the selection of an undesired event which is the occurrence that is to be prevented. This undesired event may be viewed as a postulated accident which cannot be allowed to happen, and could well be one or more of the peak risks identified previously by the hazard analysis .

Once the undesired event has been selected, those events and conditions which could cause the top event to occur are determined and displayed below that top event in the sequential order of their occurrence. These events are then interconnected by the use of logic symbols to explain their relationship to each other event and to the top event.

Once this has been accomplished, the critical failure path is identified and attention is focused on the specific hazard.

You can see perhaps on this example of a tree that the critical path is marked in red. This analysis will be available to anyone interested in examining it.

Once the hazard is identified, those events and conditions which can activate the hazard and cause the postulated accident to occur are identified. These would include for example, a system failure, a human error, conditions external to the system or combinations of these.

From this data, it is possible to identify the controls necessary to reduce the likelihood or probability of the hazard activation.

For example, by changing the system in some fashion to add a safety device or interlock, changing the operation methods through procedural changes, the additional warning signs or placards, and so forth, these controls in turn can be developed into standards.

Some examples of successful use of these techniques are weapons systems, as I have just shown you. I have another fault tree of a NASA system which will be available to look at. This technique also was used on the 747 aircraft and you may be interested to know that it was restricted mostly to the application on the control systems rather than the whole airplane. Also, a special adaptation of this method was used by one contractor to develop a statistical analysis for evaluating the risks involved in shipping certain AEC hazardous materials.

We have one example that I am especially proud of wherein the technique was used to perform a diagnostic analysis within our own organization. This was the case of the Marjorie McAllister accident where a seagoing tug was lost at sea, with all hands. No wreckage was found. One of our systems oriented Naval background engineers, by using this technique was able to reproduce the accident mechanism. I have a copy of that analysis with me and you can see this follows the pattern of what must have occurred for that accident to have happened. This requires intimate systems knowledge of that particular vessel and requires little more than a general understanding of the technique. I think this analysis took him a day and a half to do, by the time he got through polishing it, maybe it took up to two days.

The third method or technique, the most sophisticated concept of the three, is system simulation. This involves the development of a computer model of the system. This program, in turn, is modified so that hazards and stresses are programmed into the model . The impact of these is measured on the total model and from these can be developed the hazards and the risks. This is not the method one would apply to a simple system, but rather to a complex system where all the interactions of the system elements are not understood. This method does have several advantages. Once the model is built, the computer run takes a very short time (minutes) to complete. It’s predictive in nature, flexible and can be expanded or contracted to accommodate any type of situation or any type of system. There also are some disadvantages. The method requires continuous updating of the model to reflect .the configuration changes in the system, because if you don’t keep it up—to-date, it’s like yesterday’s newspaper, it has little value. You are working a different system than is currently in operation out in the field. Finally, the model is expensive to create. There are many applications of this technique today in the area of risk forecasting.

Once standards have been developed, these three methods continue to be useful for standard validation. For example, to determine that the standard actually controls what needs to be controlled, that the standard is not too stringent and yet that the standard is sufficiently restrictive.

These, then are the methods that have been proven and are well established over a period of time.

Summarizing, I would like to reemphasize the three critical steps. One, there must be a system description; two, there must be a determination of what is to be achieved with the analysis; and three, there must be a selection of the proper analytical tools to be used in achieving the established goals. The hazard analysis may be sufficient and may do an adequate job in some cases, yet as a system becomes more complex, the logic tree or the fault tree possibly will be required. Third case, the system may ultimately in the future become so sophisticated that system simulation is required. The point I am suggesting is that once the first analysis is begun, as system complexity and sophistication increases, you are ready to advance on into the ensuing techniques to solve the more difficult problems of the future.



WILLIAM F. BLACK, Chief

Hazardous Materials Branch
Bureau of Railroad Safety
Federal Railroad Administration

Let me say at the outset that the comments that I am going to make are essentially my own; they do not necessarily represent the thinking of the Administrator, the Administration, DOT, or anyone else.

I think that a very good point has been made (I believe Mr. Benner made it) and that is that all of us have different concepts of risk. Let me give you some examples. Although we do it in dribs and drabs, we manage to kill approximately 56,000 people a year on the nation’s highways. But no single accident causes a great public uproar and in fact there has even been some question as to whether the National Safety Council accomplishes anything by predicting the number of people who will die on a given July 4th weekend. When a new aircraft is certified, such as the 747, you risk placing 350 people in an airplane which someday will make an unforeseen emergency landing, with disastrous results. This is one level of risk and every time we get on an airplane we understand that it may crash, but we accept that risk.

When it comes to the transportation of hazardous materials, at least over the past few years, we have a different emotional attitude. There are some who would say that we should have no risk, i.e., no death and no injury. In reality, this is impossible. Oh, it can be done in a limited way and I’ll give you a very quick example. We can guarantee tomorrow morning that henceforth and from now on there will be no one killed in the railroad transportation of chlorine. We will ban the commodity from rail transportation. It will not be transported, but what will be the effect? Chlorine is used as a useful commodity for water purification. Without this commodity we would have some real problems. The result would be that our safety regulation banning chlorine would be the worst overall public safety regulation we could issue.

Hazardous materials are needed in our economy. I do not think anyone is going to argue that they are needed in the quantities that are produced and transported. Utilizing anhydrous ammonia, we are able to increase our crop yields and feed our people who likewise are ever increasing in number. Without anhydrous ammonia we would have reduced crop yields and since the United States cannot buy what it needs in terms of food from external sources, we would have hunger. To feed our population, we need anhydrous ammonia.

So let’s talk about risk for a moment. Our number one problem is we don’t have a clearly defined risk for all hazardous commodities. Sometime ago several of the people in the Department participated in a little “ad hoc” study in that they rated the top 25 Hazardous Materials that they thought were the most hazardous. Ten people were surveyed, and they developed ten different lists. When we took a look at these lists we noted that people who had had particular adverse experiences with a given chemical, named that particular chemical as a high risk item. For example, ammonium nitrate was thought by several to be quite hazardous and I’m sure those people were thinking of Texas City. I am sure that if we talk to the average person who uses ammonium nitrate and suggested that it was quite hazardous, he would not agree with us.

Let us talk about risk management. There is some considerable risk management in our existing regulations. About 60 years ago, the railroad transportation of explosives was a very hazardous business. People were killed regularly and in a very short period of time some 147 people lost their lives due to the rail transportation of high explosives. On account of these accidents, the railroads banded together and set up an organization to come up with some concepts to answer the question: How are we going to handle explosives? I believe we are now somewhere in the neighborhood of the forty—fifth or fiftieth year in which there has been no person killed in the rail transportation of high explosives.

I submit to you that there must be something pretty good in those regulations to result in such an admirable record, and under no conditions can you ignore such experience.

Now we want to analyze the transportation of other hazardous commodities, and this is where I think there are some techniques in this risk study which we can use. We have a different attitude towards different chemicals. For example, let’s take gasoline. The average person who owns a lawn mower, an outboard motor boat, or other gasoline powered device has very little concept of how dangerous gasoline is. For this reason we have numerous fires resulting in personnel injuries and deaths around lawn mowers and pleasure boats. But probably no one would suggest that gasoline possesses the same hazard to the public as phosgene, yet I suggest to you that it may very well have even a higher hazard, at least in terms of adverse experience. Thus, the ability to perform an analytical approach so as to put some benchmarks on different types of hazards is needed, and I think that this risk study is certainly a good step in that direction.

There is another problem that we run into and that is the emotionalism that we have when certain commodities are to be transported, particularly those commodities which either have an unwanted side effect, such as having been used for military chemical warfare, or which have received adverse publicity in the user end. In such cases a certain amount of emotion clouds the regulatory effort. If risk analysis can eliminate such emotionalism, then we will be closer to better regulations.

One of the examples which the study brings out and which I think is certainly worth mentioning is the transportation of radioactive material. The Atomic Energy Commission was in an enviable position. Radioactive material being new and under complete AEC control, the Atomic Energy Commission could package and transport at a predetermined level of safety —— whatever level was desired. And although I have heard some criticism of the general packaging scheme of our Hazardous Materials Regulations, I suggest to you that the Atomic Energy Commission followed essentially the same scheme by deciding that if radioactive material was to be used in commerce and transported by common carrier, there was very little the AEC could do to control the problems of carriage. The AEC was not about to rebuild the railroads, and was not about to engage in a large private carrier trucking operation, so instead the AEC and the International Atomic Energy Agency developed packaging benchmarks. As to whether or not they are too high, too low, adequate or inadequate, that’s for you to decide. However, to my knowledge, no person has been killed in the transportation of radioactive material which has been under the control of the Atomic Energy Commission, or its licensees in the United States. This certainly indicates that the use of a packaging standard to assure safety in transportation can result in very high level of public safety.

Take a look at some of the other chemicals that we are transporting. When you think of the sheer volume of material that must move in the United States and the need for it to move economically, and safely, you must recognize a series of trade-oFfs. And let me suggest one additional problem. You realize that this material has to be transported on existing transportation networks, be they rail, the highway, inland marine, tanker, pipeline, or aircraft. Then you have to come up with some consideration for how the hazardous material can fit into the existing system. I was pleased to hear Mr. Benner indicate that we are not planning to unk all the existing systems, because in fact we couldn’t. If we want to move hazardous material, it’s going to have to be transported primarily over a common carrier network. Even when you use a private carrier motor vehicle, the operation is subject to the public action such as the motorist behind and the motorist ahead. I don’t think anyone would suggest that because we are handling hazardous material we are going to rebuild the nation’s highways or rebuild the nation’s railroads. These are not practical approaches.

So we have to deal with those things which we can control. Certainly we would like to transport hazardous materials through the area of least risk. This gets to be a very difficult problem area. Let me suggest one such problem. If you use railroad branch lines, which theoretically are through less densely populated areas, you will have achieved a certain minimizing of public risk. However, branch line railroad trackage is in lower state of maintenance repair than is main line trackage (in fact the best trackage in the United States is intercity trackage which is used by passenger trains). So that if you want to reduce the number of instances of hazardous materials accidents caused by track failure, it looks like intercity trackage may be the best bet. Thus, we have to balance out factors of population and track condition. The same thing is true of the highway system.

Permit me to suggest to you another example as to how we have to look at the total picture. One of the things the Department has just begun doing, and again our friends at the National Transportation Safety Board suggested this approach to us, is collecting Hazardous Materials accident information. A few years ago we knew very little about exactly what the accident picture was. All of us involved in the program had specific thoughts, but no one had facts. Starting the first of this year we have been collecting hard accident data. Hopefully when we can analyze enough of this data we will begin to see some trends suggesting meaningful corrective actions. This accident data collection is an important input into any risk analysis system. You first have to know what is happening, before you can take meaningful and valid corrective action!

One of the interesting things that I have noticed is in transportation by liquid pipelines. There are two basic reasons why liquid pipelines lose product. One is from corrosion, which results in a very small loss of product and usually causes only very minor property damage. The second reason is from external attack; attack by someone or something else, such as digging by road construction equipment, or puncture by another pipeline construction operation. Knowing this, you can think in terms of how do you go about the job of maintaining safety in liquid pipeline transportation. Do you require the pipeline to operate at lower pressure, or to have thicker pipe? Or perhaps do you decide that the existing pipe standard is adequate and head in a different regulatory direction. This new direction might be in attempting to get pipelines located in areas where people will be less likely to dig them up, such as a common utility corridor. Or perhaps your new safety standard would speak in terms of putting a barrier between the pipeline and the surface. That’s a possibility. Or you might develop standards framed in terms of pipeline rights-of—way to try to stop people from digging them up. Or you might require increased aerial patrol. In analyzing any Regulatory Program, you must be prepared to develop a concept of “trade—off”

In the transportation of hazardous materials, there are very few ingredients that any of us can control, except by general regulatory means. The railroads and trucking companies are private, capital corporations; the same is true of the airlines and the marine operators. Likewise the shippers and the packagers are private entities. The use of the chemicals themselves, essentially, is in the hands of the private consumer. So we have to try to come up with a regulatory method to control those things which we can handle. I feel that the use of risk analysis or systems approach can assist us in determining where we are going to have failures, even to isolate those failures over which we have little control, with the hope that we can find some method of controlling them in the future. But I do feel that before we take the existing body of regulations and condemn it, we do recognize some very important things concerning our current Hazardous Materials Regulatory Program.

Let us examine the average death rate by railroad, due to the transportation of hazardous material

Over the last thirty years there have been a little over one and a quarter persons killed per year. The worst year that we have ever had — and we had it twice, 1959 and 1969, we had ten people killed in the rail transportation of hazardous materials. I’m sorry I don’t have comparable highway figures because I am sure they would probably show the same trend and would be extremely low. While I do not want to minimize even a single death, or injury, I believe that this record is quite good and demonstrates low risk. Concerning liquid pipelines, and bear in mind that these pipelines handle hazardous materials at all times, the death rate averages in the neighborhood of about 12 to 15 people, annually. Usually the person who is killed is the person who has dug up the line. These deaths are regrettable and I don’t for a minute say this rate is acceptable, but I do suggest that we consider this rate before we scrap the Regulations that we have and go to something new.

I guess in essence what I am saying is that I share your enthusiasm for this risk study. I certainly hope that the Department of Transportation, the National Transportation Safety Board and the people here can utilize it, and can develop some of the tools which we are going to need in order to do the job. Until and unless we have these tools, I would like very clearly to emphasize experience. Yes, I recognize the potential of the catastrophic accident. For several years the International Atomic Energy Agency discussed this concept of maximum creditable accident. To an engineer, the term has almost no meaning because you cannot design against something which is unknown. A maximum creditable accident can be whatever you want it to be. It could be a 727 crashing into Shea Stadium about the sixth inning of a Mets double header. That’s a creditable accident that can occur. Instead, we have to talk in terms of real accident of hazardous material by all modes in the United States has been very good. There is no question it can be made better. It can be made more efficient and safer, and to do that we must come up with some benchmarks. One thing that I heard this morning and which interested me is the term —— reproducible benchmarks. By utilizing these, we can analyze our regulatory scheme so that we can reduce inequities and improve safety.

In conclusion, let me mention that one of the parts of the study which I enjoyed was all the different legal admonitions towards the safe transportation of dangerous goods in the United States. I’m sure that those different words, which are quoted in the report, have definite and distinct meaning for the lawyers. Just let me state that having worked with the Hazardous Materials Regulations Board, the Office of Hazardous Materials, and the staffs of the other three modes, I honestly believe that all of these people have a very clear and very definite concept of what they are doing. And it is not at cross purposes to one another. All deeply feel that they want to make the transportation of hazardous material as safe as is possible. But they do want to permit it to be transported. I sincerely hope that the NTSB risk study is going to develop some analytic tools that we can use. I certainly hope that it will take the emotionalism out of the regulatory scheme, and by that the use of these tools we’ll be able to come up with some real feeling for just how good, or how bad a job is being done to promote the safe transportation of hazardous materials



F. C. SAACKE

Industrial Relations
Air Reduction Company, Inc.

I have been asked to comment on the proposal by the National Transportation Safety Board in their Special Study NTSB—STS—71—1 titled “Risk Concepts In Dangerous Goods Transportation Regulations” wherein they conclude:

..... that adoption of a risk—based framework for future dangerous goods regulations is necessary, desirable and feasible, and should be developed and implemented without undue delay.”

My interest in this Special Study arises from the inference that the interests of the public, the “parties—at—risk”, are not being adequately considered by the regulated parties; as well as from the stated desire of the NTSB to see that levels of risk are estimated in numerical terms and that safety analyses are based on a framework for risk—based regulations such as the so—called Systems Analysis techniques.

Now I have not undergone formal training in Systems Safety Analysis techniques, but next month will complete my 40th year spent in the systematic analysis of the characteristics of my company’s industrial products and in the establishment and enforcement of suitable controls to prevent accidents involving these products.

To achieve these controls, we go through the following procedures:

  1. Examining the nature of our products.
  2. Determining the hazards involved; that is, the possibilities of accidents or the ways in which accidents can occur.
  3. Determining the risk, and if I may use definition used by Mr. Benner, first determining the probabilities of accidents; that is, the frequency with which the various modes of accidents can occur (including the checking of one’s estimates against accident records and reports).
  4. Determining the severity of the potentials for injury to all exposed people (both public and employees) as well as the potentials for damage to equipment and property.
  5. Developing instructions and regulations for the safe processing, handling, packaging, storing, transporting and using (as well as the misusing) of our products to reduce the risks involved and to prevent accidents.

Our company, of course, has not been alone among the “regulated” parties in searching out hazards and in establishing reliable means of reducing or avoiding risks.

In addition, the Compressed Gas Association has provided an excellent forum for the identification and systematic analyses of these hazards and risks.

Of course, I must admit that on occasions our crystal ball has fogged up a bit. But the oversights have been rare, were usually minor in nature, and when identified have led promptly to modifications of engineering designs and transportation or maintenance procedures.

Despite our objective being the avoidance of all accidents, I think it is overoptimistic to expect that accidents can always be avoided. We don’t have to have accidents! But we probably will never prevent individuals from making errors - any more than we can keep them from smoking — or drinking.

I feel we have every right to judge our industry’s safety performance as good, or even ex cellent, on the basis that we have anticipated hazards and reduced the risks appropriately wherever excessive risks were evident.

But in this SPECIAL STUDY, the NTSB seems to be no longer confident of the DOT’s ability to regulate the Transportation modes by the use of these past analytical techniques.

I can well understand the DOT’s feelings of awe in the face of the magnitude of their assigned responsibilities and the laudable desire to approach their problems with a fresh point of view. But everything new isn’t always desirable.

Over a period of years, the systematic approach to Safety Analysis has grown from the old “brain storming” sessions to what is now called SYSTEMS SAFETY ANALYSIS by educators who feel they have to put a handle, a title, on their analytical techniques.

Unfortunately, the system can become so complex that it can impair the user’s judgment.

Conclusions can lead to non—productive controls if in reaching the conclusions one establishes a critical path to failure that deviates slightly from a true path. And these deviations are easy to develop while preoccupied with the maze of detail inherent in the application of this Systems Analysis technique.

I have no criticism of Systems Safety Analysis as a technique. But I do feel that in the effort to sell a systematic approach to safety analysis, there has been an overemphasis on the system in the effort to infer Novelty and Improvement and a loss of judgment in the attempt to structure the analytical approach by an insistence on procedural details.

To criticize Systems Safety Analysis techniques is a little like criticizing love and motherhood; because this technique has been responsible for some outstanding accomplishments.

But these accomplishments have been largely in the field of repetitively produced commodities and in 100% reliability of function where characteristics like temperature, pressure, flow, weight, etc. are accurately measurable; that is, quantifiable.

When I first read this Study, my immediate reaction was “Let them struggle under the burden of their own complexity - and maybe — maybe they’ll have less time to issue new regulations .

But this is just wishful thinking. Truly, if the procedure is burdensome, as I think it can be the results can be, equally burdensome, which we, the “regulated”, are highly desirous of avoiding.

When the ICC was regulating the transportation of Hazardous Materials, the specifications emphasized engineering requirements rather than performance requirements. This practice was followed because it was felt that the originators of new materials or methods of transportation should help future shippers who, may possibly, have less analytical experience or engineering guidance, to avoid errors that could cause accidents or injuries.

However, when the DOT took over the responsibilities of the ICC in the field of Transportation of Hazardous Materials, it made a point of emphasizing their desire to reestablish the rules on a performance basis. And performance oriented rules would allow the originators of new shipping practices greater freedom of choice.

But while performance oriented rules leave the shipper with more flexibility, they also leave him with greater responsibilities and, actually with the possibility of an increase in the probability of accidents.

While the DOT and the NTSB do not seem to recognize this possibility, the Special Study does state “while the performance standard approach is a valuable improvement in the form of the regulations, it appears to leave unresolved the serious difficulties described in this Study.”

The Special Study has made the point that Parties—At—Risk are not recognized sufficiently in the hearings incident to regulatory discussions. Because the Parties—At—Risk if they took part in the proceedings would rely almost wholly upon the emotional desire to avoid any increase in risk to themselves and to their families, they would almost universally oppose any new transportation of dangerous commodities. Thus, whoever represents the interests of the Parties—At—Risk must do so in the name of progress but with a full awareness of the need to protect them in a practical manner.

The NTSB concludes that, because the “ regulated” . .give priority to representing their own interests”, the burden for representing these interests must be borne by the regulators. And yet our law courts have recognized that the protection of the public is a primary responsibility (or interest) of the regulated.

The risks to the public have always been of major concern to the regulated. If on occasion they fail to evaluate properly a level of risk, the failure can be corrected by appropriate industrial and regulatory action, the trade—off practice, rather than by condemnation of the present framework of regulatory controls.

I have already recorded my belief in the desirability of a systematic approach to Safety Analysis. But the judgment to avoid unnecessary and incorrect analyses is equally important if one’s limited time is to be spent effectively. And the value of experience and judgment, in my estimation, are more important than the value of formal training in Systems Safety Analysis techniques .

I cannot disagree with the desire of the NTSB to evaluate levels of risk. But the efforts expended in the past to evaluate individual risks seem to demonstrate that, while risks can be measured numerically if we make enough assumptions or gather enough statistical data and qualify individual risks properly, . . it is not possible mathematically to integrate or summarize these individual risks into a level of risk.

Certainly, it would be helpful if one were able to evaluate levels of risk.

I have long regretted our country’s lack of statistical data on accident frequency and hazard severity; that is, on the possibility and probability of transportation accidents, the types of accidents, and the extent of the risk involved.

But it seems there are enough problems already facing the DOT in their desire to evaluate risks without taking on the impossible task of summarizing these variable risks into a level of risk, and in quantitative terms.

Furthermore, I do not believe that we can combine such risks to develop a level of risk without making unjustifiable assumptions that will cost the regulated dearly in terms of unnecessary regulation, lost opportunities, and higher transportation costs.

Is the DOT ready to use Systems Safety Analysis techniques to establish transportation regulations where levels of risk may not be quantifiable?

Is the NTSB justified in making a recommendation to adopt such techniques without the DOT or the NTSB having first demonstrated its ability to establish an integrated level of risk in one such field.

By far the more questionable part of this proposal is the intent to quantify the level of risk by determining the aggregate of the individual risks.

Mathematically, it cannot be done except by the arbitrary assignment of numbers. And since one cannot reason with arbitrary assignments and because I think present methods of establishing regulations and adequate, it leaves this “regulated” party no recourse but to object to all of the proposed recommendations of the Special Study.

( End of Morning Session)


AFTERNOON SESSION


Mr. Wakeland :

During the lunch period Guy Cohen gave us a terrific rundown on the NASA methods including the use of failure mode and effect analysis, as opposed to the method that we described here which employs fault tree analysis. Now those two techniques are basically different, but Guy concluded that the use of risk quantification was not particularly valuable under the approach that NASA was using. A question and his answer to that question brought this point home again. Now I noticed that he said that the basic method that was used in the judgment area, was to seek to eliminate the hazard and to do it very early in the program so that there was no need to worry about the different probabiIities of the various types of failure which could be classified by a fault tree analysis and made analyzable. Now the thing that occurred to me was this, that the situation which he described, that of eliminating hazards very early in the program, is one which might have been useful in the railroad industry, for example, about 1840 but it is not particularly valuable right now. We discussed the question of whether fault tree analysis was valuable in determining the trade—offs among various methods of solving problems. I would just like to ask Guy to comment on his view of the relative value of failure mode and effects analysis and fault tree analysis for this type of situation.

Mr. Cohen : The question is quite a valid one and in trying to make the point I really neglected to talk about the value of numerics in one specific area and that is as Henry just indicated, in the area of design trade-offs. Here we are talking about, for example, the need to make an engineering design change. You are looking at two or three or four alternate paths that you can use, different types of approaches to make the necessary change. Now if you then want to use a numerical assessment either in the reliability sense or in a safety sense for each of those design paths, then this can be a valuable tool. But here you get away from the question of accuracy of absolute values and you are in the area of relative values of one design approach over another. In this particular area it can and is used as a very valuable tool. But we limit, generally, the use of numerics to such design trade—offs. Now the point that Henry is making in terms of the fact that in the railroad industry today they are essentially in the step by step change world, is certainly very valid and very true and therefore, the use of some sort of numerical assessment like this can be a valuable one. But again, the word of warning here is, use it as a relative assessment, not as an absolute assessment, and in this area it is, in fact, very appropriate.

Mr. Hoffman: Henry Wakeland indicated to me after this morning’s session that the Safety Board people would like to present in slightly more detail an explanation of the chart in the report itself and the two charts that have been distributed.

Mr. Wakeland : I want to direct your attention to Page 19 (Reproduced on the next page) of the report, which is the framework for analysis that Mr. Benner referred to in his part of the presentation. I just want to describe some of the more general things about this chart, which will illustrate what we are talking about. On the left side of the chart we have the section which says, “Define transportation system to be analyzed” and feeding into that block are the “system factors”, namely, “human”, “equipment”, “cargo, “pathway”, “environment”. This means simply that you must know how the transportation system is supposed to operate and how it is configured and what all of the technical relationships between these factors in that system are.

The next block to the right “Delineate undesired system failure events”. These are the very bad events which cause losses to people and property which must be stated for the purpose of being


- 31 —

( Page 32 contains a reduced version of the FRAMEWORK example.)

able to configure the system to guard against them. Now, notice that the selection of these undesired events is essentially different than the approach explained to you during lunch today in which the modes of failure were assumed to occur and then the results which flowed from those failures were analyzed. This proposed approach says, prevent certain matters from occurring.

Now a typical selection for this type of undesired event is shown in this fault tree diagram which is Exhibit A. This fault tree diagram does not happen to relate to hazardous materials but it shows the undesired event approach. This is a fault tree analysis of the sinking of the towing vessel Marjorie MacAllister. Up at the very top of this chart under the word “towing” is the word “loss of buoyancy, vessel sinks”. That is an analytical way to state the undesired event. First, you select that undesired event. This is the same kind of undesired event in the chart on page 19. From that point then we branch in the analysis. The upward branch, in line across the top of the chart, includes the whole section which is called “Probability of Occurrence”. The lower section of it is titled “Consequences of Occurrence”. The consequences, then, are analyzed in one portion and the probability of the occurrence are analyzed in the other branch. Then the two elements are brought together again in the block which says, “Determine System Risk Level Ranking”. At that point we determine what the system risk level is.

If you will look back to Page 23 at the bottom, we have the section on Risk Analysis which describes the statement of quantifiable level of risk with an equation. Risk = f (pf,sf) That means the risk is a function of the probability of failure and the severity of the failure. Numerically that results in a ratio which sounds exactly like an accident loss, as will be shown. First, the probability of failure is in terms of failures per degree of exposure, such as failures per hour of operation, failures per trip, failures per mile. Then, the severity is in terms of the bad events which occur, dollar losses, human fatality. So the ratio that results numerically, in terms of its dimensions, is the same as a loss rate. It would be, for example, fatalities per trip. So that number — fatalities per trip — is the point used for judgment. To determine the system risk level ranking, the analysis results in a number, fatalities per trip, then when you want to determine what change has been made by some proposed change that you want to analyze, you go through the analysis. In the upper half you work through the part which develops the probability of the occurrence, such as this fault tree analysis. Let me go back to that just a minute.

This fault tree diagram describes the configuration and the possible critical path for an undesired event of the towing vessel Marjorie MacAllister. This fault tree was created without considering what happened in the accident. This charting was done on an engineering basis by persons with engineering training who looked at the way the vessel was designed and the operating rules. Anyone with a minimum of training can do this type of fault tree analysis. It is being done in the aircraft field on all kinds of subsystems. As Emerson Harris indicated, this actual fault tree was charted by a Coast Guard Commander who is now assigned to the Board. He worked on it about two days. If he had been trained in advance he could probably have done it in half a day. Now the point about the fault tree diagram is this, that it can be subjected to probability analysis in each of the elements. Notice the heavy lines. On the left side some lines are heavy, some are light. The heavy lines show judgments of the most probable source of failures which occurred in the sinking of the Marjorie MacAllister. All these probabilities can be quantified or estimated on a quantifiable basis. So, when consequences of occurrence, probability of occurrence are quantified the risk level comes out in system level ranking.

As I indicated earlier, the absolute value of the probability of this risk is not particularly accurate with this system and that is why, as Guy Cohen indicated, the reliability and safety methods which sought to determine the reliability of the whole Mission were not employed by NASA. Nevertheless, when you are making a design change, for example, when you have a tank car that causes a catastrophic accident and you are trying to determine what change ought to be made that is most economical, you can determine how much effect on the risk the various


- 33 -

Alternative changes that can be made in each box will produce. Then, when you know what the different levels of risk from alternative combinations of change are, you can compare them with the amount of money that it would cost to change each one and you can make your decision. It still requires a value judgment, but it is done with the risk level alternatives in front of you.

I should mention one other thing. For the ordinary reader, the one who does not digest this whole fault tree thing, we have an Events and Causal Factors diagram, which is Attachment B. Now you’ll notice that Attachment B has roughly one third or one fourth as many blocks and elements in it as does Attachment A. The Events and Causal Factors diagram describes exactly what happened in the accident, except that it leaves out all of the possibilities of failure which were charted in the fault tree diagram, but determined to be very improbable and probably not contributing to this particular accident. So, you see, the accident is shown in simple form. There are still, roughly, fifteen causal factors involved in this sinking but it is far easier to understand their relationship. So either of these charts is relatively simple to construct with minimum training.

Mr. Hoffman: Now, I promised at this point that we would turn the program over to your questions, your comments or the written questions. In line with that, I’d like to first note that we are privileged to have with us today a representative of another government agency. We have heard a good deal today about the Atomic Energy Commission. We have heard a good deal about the no—accident history of transportation of nuclear materials. Since we are privileged to have with us a representative of that agency, I asked him if he would like to make a few statements and give us the benefit of his views with respect to what we have been talking about. I’d like, therefore, to introduce William A. Brobst who is Chief of Transportation, United States Atomic Energy Commission in Washington.

WILLIAM A. BROBST : Well, there have been a number of comments attributed to the Atomic Energy Commission systems analysis program for looking at hazards and I guess the first thing I want to say is what that program is not. It is not a systems analysis program. It is not even a complete system. We have looked at some of the fragments of the total hazard system in transporting radioactive materials, and we have used a very simple systems analysis approach in looking at these fragments. But we have not analyzed the total system. The comment was made that there is a high degree of conservativism in our approach, that we are really overkilling, that we have standards which greatly over compensate the actual hazards involved. When compared to the total danger from other hazardous materials, that comment is basically valid. Our standards are primarily based upon the potential effects and generally neglect any consideration of probability of those effects. However, the danger to the public must really be assessed in terms of the potential hazard if the material gets out, and the probability that that hazard will exist at all. The consequences of a 747 crashing into Kennedy Stadium during the World Series are phenomenally horrendous, but the probability is extremely low.

In looking at the inherent hazard of the material, we are talking about radioactive materials. Now everybody talks that radioactive materials and radiation death, and the blue glow, and all of this emotionalism. In many people’s minds radioactive materials are the worst of all possible hazards. We don’t really happen to think so, but we were forced to factor in one thing that hasn’t been discussed much here today, but must be. That one thing affects very adversely the public acceptance of the degree of quantification of the danger and that is human emotion. Human emotion says that gasoline is not very dangerous. Everybody has a can of it in his basement and you see trucks around all the time and none of them have killed you yet, so obviously it is not very hazardous. But gasoline in transportation kills 50 people each year! Radioactive materials are emotionally something quite different and, as a result, we have had to go far beyond the historic types of safety precautions for the degree of hazard purely because of the emotional reaction of people who


- 34 -

didn’t know. We looked back at the inherent hazard of radioactive materials and at the amount of this hazard. In other words, as Ludi Benner put it in the NTSB report, we looked at the seriousness of the release of the material. We recognized that there is absolutely nothing that the Atomic Energy Commission can do about the transportation environment. We feel it absolutely mandatory to have a viable nuclear industry and the only way to do this is to move this material in normal commerce. So we just accept whatever accident rates happen to occur.

We went then, from this, to try and categorize the degrees of hazards. The first category involved very, very low hazards — wristwatch dials some of the little trace amounts that if they got out it really wouldn’t matter. Amounts that wouldn’t kill anybody or injure anybody or result in any significant property loss at all. The next category, slightly higher in potential hazard, was material that, if it got out, certainly would be a nuisance; it would have to clean up. It might be on the order of hazard comparable to a drum of acid or a drum of pesticide leaking or spilled. It might, under some conceivable circumstances, injure somebody; e.g., cause some lost time injury. It certainly wouldn’t kill anybody and it certainly wouldn’t be a big accident. That was the second category, which we call Type A.

The third category involves a significant potential hazard. If this material got out it could conceivable kill somebody. It would probably cause some significant dollar losses; tens of thousands of dollars to clean it up, comparable to any other large transportation accident. We call that the Type B category. Then we had even bigger stuff, way over here. The maximus, credibilis, horribilus type of thing that people talk about where there is a tremendous inherent hazard and if the material gets out a lot of people could be seriously exposed. We set up packaging those categories as benchmarks, saying that each category would be handled differently in terms of packaging integrity. We have no control over the probability of accidents, but only the probability of release in an accident. We set the system up as an absolute system; taking the upper two categories and setting up our packaging standards so that under no circumstance in a serious transportation accident would anything ever get out.

Well, fine, then; you don’t even really have to worry about probabilities anymore. But this assumption is not totally valid. It is really not valid because that probability of release is really not zero. It is subject to packaging errors on the part of a manufacturer who might have a good quality assurance program. It is subject to errors in maintenance of reuseable packaging, and subject to errors in operations. “Gee, I was sure I put that gasket in, boss!” It was a beautiful package, the system was there, but it failed to operate as designed because of a human error. At the present time, our regulations do not really make much of a provision for this. We are looking at it in terms of failure mode analysis and, a result, we have already developed a number of our quality assurance requirements in both operations and manufacture of packages.

One big difference from what Mr. Cohen had described earlier is that we didn’t have the same cost restraints that many of you do. Because this was an exotic program, there was lots of money in the early days when the standards were set. The early thinking was that if a failure was possible, it must be prevented —— at any cost , because the public would just not accept one single radioactive atom getting out. The AEC is a very image—conscious agency, for obvious reasons. Nuclear energy itself is under a great deal of attack these days. When these standards were set, in the early days, when the AEC was paying the whole bill, overkill standards were not as great a financial problem as you all are facing with greater volumes of hazardous materials.

Not only has no one ever been killed in 25 years of transporting radioactive materials, as Mr. Black pointed out. Neither has anyone been injured, at leapt not by the radioactive nature. A couple of drums of thorium oxide fell on a guy up in Detroit and injured two of his toes, but that’s not really a radiation injury. No one has even been exposed to levels of radiation that are of a couple of orders of magnitude below the injury level. Nobody, in 25 years! Now you’ll


- 35 -

say, “Well, that sure is a beautiful safety record. What did it cost?” Well, it has cost a lot of money. We do have a very good safety program. We do have a very good accident record. That makes for lousy statistics, by the way and makes it a little difficult in trying to evaluate how packages would really fare in accidents. But we have some plans for some studies to try and get a better feel for the probability of release from packages if the accidents do occur. I don’t know how far we are going to be able to go toward quantifying these things and we are very interested in what you fellows come up with.

I think this type of approach, of starting over again, is what we all need, not just for radioactive materials but for other hazardous materials as well.

Mr. Hoffman : It is good to have been able to have the AEC represented. I should have also indicated that Bill has seen this from at least one other side of the fence that I’m aware of. I think many of you may know that he worked with and for the Office of Hazardous Materials in the very early days of DOT and I think spent a couple of years there before he went back to AEC where I think he had come from.

Now lest anybody feel slighted, I would like to give or offer the same opportunity to any other group, organization - governmental or private, or individual who might like to have an opportunity to just give us his general reactions or comments with respect to anything we have spoken about today.

I see Bob Lenhard indicating he would like to say a few words. It gives me a great deal of pleasure to introduce Robert E. Lenhard, Managing Director of Compressed Gas Association, Inc. in New York City.

ROBERT E. LENHARD

My comments aren’t going to be questions per se but I would just like to make a few observations based on all that has been presented today and what is also in the report. I think when we talk about regulations most of us tend to think about government regulations and really those regulations which various governmental agencies at the Federal or State level put out ore only a part of the package. The companies that are represented here today and also that represent industry totally, those that aren’t here, have many internal regulations which govern the transportation and handling the use of their products. These regulations, if you added them all up, I would hazard a guess, are far more extensive than all of the government regulations put together. The safety record that has been developed in this country is really as a result of the combination of those two, not just one or the other.

Now one conclusion : think you can draw from this is that the best way that we have collectively of getting good regulations is to get those regulations by the effective cooperation of both government and industry. That’s one of the very good points of a session of this kind, I think, because it indicates a desire to .achieve that cooperation.

Another point that I think is of interest —— and Bill Brobst of AEC mentioned his statistics were lousy —— I think we would have to say that the statistics on accidents for industry as a whole, either those that are in the hands of government or those that are in the hands of industry collectively, are probably equally lousy. I think the efforts that the DOT is making now to collect industry statistics is a very substantial step in the right direction and will ultimately give us the opportunity to analyze the accidents that we have had. But, unfortunately, we don’t have that tool right with us. One of the things that concerns me about the program that we have in this report is the suggestion that it be computerized. If you try to put into a computer program a lot of facts, many of which are not known, that is a lot of supposed facts, if you put in a lot of misconceptions,


- 36 -

you are going to get a lot of misconceptions back out of that program as well. And so I am very concerned at this stage of the game about doing that.

Another point that I think we should look at is that when we look at our past experience, and we look at the possibilities, we find out that we know a tremendous amount more today collectively than we did ten years ago or even five years ago. There seems to be a feeling that whenever we find a supposed cause of an accident, that we take steps to change the design of whatever the equipment was involved in the accident to prevent a repetition. But we sometimes lose consideration of the fact that there are many pieces of equipment in existence and it seems to be that we either have to change everything across—the-board or change nothing. I think we should give a lot more consideration, at any given point in time, to making a change applicable to equipment that is going to be constructed from the time on rather than always insisting that the change not only be made to new equipment but that everything else behind it be corrected. The economy, I think, just won t stand an across—the—board correction in every application we come to.

We also have the problem in investigating accidents, that because of the legalities involved, we have difficulty in getting a true assessment of the facts because sometimes points that come up in a true assessment of the facts will be used legally against the people who are involved in the accident. We have found in investigating accidents that unless you get there first, and that sometimes means within the first five or ten minutes, you have difficulty in learning all of the facts. So if we could do something about getting a truer technical assessment of what has happened I think it would be helpful too.

I sort of am concerned about the implication that industry only looks at its past history. I’ve been involved in safety work, not only with the CGA, but in industry for many years before I came with the CGA as well. And I’m sure that we might not have called it a system but we certainly have looked at all the potential hazards that we could recognize, not just the accidents that have physically occurred in the past.

The last comment I want to make is that we could have the best regulations in the world but if they are not enforced or implemented among the people whom they affect, they are not going to do any good. In the compressed gas industry, for example, we have requirements that certain types of cylinders be tested every five years. Now there is a proposal that cylinders that meet certain qualifications, with the commodities that are contained in them, be retested every ten years. Yet from what I have heard and observed, we have instances where cylinders are marked with a new test date and they are never subjected to the test. Well, a failure to follow a regulation of this kind brings about a potential series of accidents sometime ahead of us. It might be five years, ten years, who knows. The point I am making is that the regulation itself is no good unless it is followed.

Mr. Hoffman: Bob, you used the term “the effective cooperation of government and industry”. I want to take advantage of that to give a brief commercial about the TAA Ad Hoc Committee on Hazardous Materials because that’s exactly why that Committee was formed. Essentially, we felt that there was not an adequate level of effective cooperation between government and industry. Initially when we said industry, we meant a group of transportation users emanating from the User Panel of TAA. We then decided that it would be an Ad Hoc Committee because we wanted to make it clear that you do not have to a member of TAA or a member of any of its Panels or make any contribution to TAA in order to join or become active or interested in the work of its Ad Hoc Committee. As we moved along with that Committee we concluded that there were enough points of common interest with carriers of all modes so that we then invited the carriers, the carrier organizations, and ultimately we also invited the transportation equipment manufacturers, primarily the car companies, the companies that are manufacturing tank cars and other types of equipment used for the transportation of hazardous materials.


- 37 -

I think so far the reaction we have gotten has been an excellent one. I think we have recognized a number of common problems, essentially non—technical problems. I don’t think that the Ad Hoc Committee is either the right place or the right group for attempting to solve the technical problems. I don’t think, for example, that that Committee can determine whether the specifications for 3—A cylinders are adequate. I don’t think they are attempting to do that. I think their concern is with the type of thing that we are discussing today. Their concern is with the procedures used by the DOT. Their concern is with the response of industry. One of the things we have found is that the people of one organization, or one industry, were not talking effectively to the people of other industries and what we hope to do with this Ad Hoc Committee is to create some forum, some method whereby the members of one industry could talk to the members of another industry and know what we were thinking and what we were planning. Not really to present a common front to DOT, but at least to offer to DOT in one place, by pressing one button so to speak, the technical expertise that we felt they needed.

So, with that brief message I would hope that those of you who have not previously heard of the Ad Hoc Committee or those who have heard about it and have taken no action, would get in touch either with TAA or with me and we’ll be very happy to include you in our deliberations and to have the benefit of your counsel and your advice. But I think we have so far demonstrated that there is room for some sort of a committee or organization or forum of that type.

Now, as there is no one else seeking to be heard, we will proceed to the business of getting the members of the Panel to answer the questions which have been submitted. They have been asked to eliminate duplications.

Q. I have three questions that are essentially the same. Are we overreacting to two or thr ee bad situations? You have said there are really too few accidents to study. Isn’t this some indication that the present method is working rather well? If Mr. Black is correct there is nothing safer in our society than the transportation of dangerous goods. What then is the purpose of these suggestions? Are we not rather moving in the direction of absolute safety as attempted by NASA? If so, what value is there to relative value trade—offs? You have stated that when attempting to evaluate hazards there were not enough instances to draw up probabilities. In the written report catastrophic accidents such as Laurel, Crescent City, Crete used as examples, there are really few of these over the last ten years. Is this enough data on which to develop a statistical analytical system?

A (Mr. Wakeland) Those questions all have approximately the same answers. First, society’s need to control hazardous material does not depend only on the past record. As I pointed out, we are increasing the risks by reason of the concentration of goods, the concentration of the amounts of hazardous materials in almost all of the modes. We are dealing with new hazards all of the time. I hear that often repeated figure of certain numbers of thousands of new materials that are being placed on the market regularly, all of which are potentially hazardous.

It is true that there are too few accidents to study from the statistical point of view. That is the reason why we need the type of hazard analysis preceding the occurrence of the accident which is described in the chart that you have on Page 19.

Is the present method working rather well? Someone suggests that the implication here is that if the present method is working rather well, why do we need it? Congress says we need protection against new hazardous materials and I think that is Congress’ view of the feelings of the public which govern what government does and which are part of the way that the public reacts to these accidents. We are not moving in a direction of absolute safety as attributed to NASA.


- 38 -

NASA did not attempt absolute safety. If you will recall the method that was used by NASA, was not that of attempting to describe all the undesired events and then cancel them out, the method was to find the failures which could occur and when these were all catalogued they finally found some which could not be removed. And then they had a selection to make in the chart which Guy Cohen showed us, in which they would either retain that hazard or they would correct it. So many hazards are retained in the NASA system and in Apollo the use of high pressure oxygen, on that fateful occasion, was one of those which was retained.

One tremendous advantage of this system of recording the hazards and analyses is simply that the reasoning is documented. We do not know, in the case of these accident examples that we have given, namely the two major types of weakness in the regulation for the type 112-A tank cars, we do not know what reasoning was employed in selecting those regulations. We do not know why the much larger amounts of material was allowed to be assembled; we do not know why there was no effort to control low temperature brittleness.

When these things are documented people will have a different view of the types of decisions and judgments we make. There must be value trade—offs in correcting problems, such as those in this tank car situation, because there is only so much money available to be spent for these. So we must try to get at the most efficient and effective method.

In the method that we have here in the chart, on Page 19, the change in the total risk is determined for all the different methods of correcting or resolving a certain undesired event and then the one which is the least costly is selected and preferred. So you need value trade—offs because you haven’t got infinite money.

Q. Hank, let me ask one question with respect to your question, and at least see if I understand what you are saying, and hopefully clarify it for some people in the audience. My question is this, if you say is that all you really want to know is how did you arrive at the conclusion that the larger quantities of anhydrous ammonia were transported in the tank cars involved at Crete, all you really want to know is how did you allow at the conclusion to allow that. Suppose somebody could come along and say we didn’t document it, but we carefully considered the possibility of a brittle metal fracture at 8 degrees fahrenheit and we decided that it was very unlikely either that a high speed train would come along a curve at that particular point and with that particular temperature and would impact that particular car, or a car of that type, under those circumstances, and making a value judgment — although we didn’t document it — making a value judgment that we make on the basis of all of our experience and expertise, we decided not to have regulation that would prevent that type of accident. We decided to risk that type of accident. Would that be a satisfactory answer from your point of view?

A.

(Mr. Wakeland) There are essentially two processes by which a decision like that can be reached. One is by the so—called professional expert or star chamber type of approach inwhich the decision is supposedly made by the world’s collection of the best experts and we all are to believe in their decisions. The other process is the creation of the best possible analytical judgment, with allowable inspection of the process on the part of the rest of society. Now the first method is very often used today and the reason it is used is that the logic under which these matters can be described to others is not very clear. There is no risk value and I’ll explain the weak logic by discussing the point that you raise about the Crete case. You said that in the Crete case there is a very low probability that if we leave the low temperature brittleness in the car that a train will come around the corner, will go off the curve at that point at Crete and strike the end of the tank car directly and the tank car will break.


- 39 -

Now, in your example there are more sources of reductions in the probability of risk than actually occur in long term operations. What you are really concerned with is not one situation, but every condition in which the tank car might be struck on the end by any sort of object whatsoever in any environment when the temperature is below the critical temperature. So what we need to be able to document is, the conditions which we sought to correct against. When we have those conditions described we will be much better able to discuss them and justify them for the rest of society, and to answer the questions of Congressional Committees. Or questions of the local Congressman who wants to know why the people of his District had to die when the thing was regulated. You’ll be able to answer those questions by showing what was decided and you’ll be able to reach better decisions because you are forced by the process of writing down of this material, to be more logical.

If you are not to be logical, the alternative is to go into the star chamber kind of thing and that’s what produces these so-called procedural arguments. The argument is about how much can we talk with you on a given type of regulation. So if you have this objective method, even if it takes a lot of detail to do it, you are just ever so much better off in the long run.

Q What is NTSB’s goal in the long run in terms of risk level? If not, what is it?

A (Mr. Benner) Someone surely knows how to get at the heart of things here. You refer to goals called for by the study. I would suggest that the immediate goal of the study was to stimulate the development of a framework for analysis and analytical methods that would provide improved bases for arriving at regulatory decisions. I think more importantly, in the longer term, there is a fourfold objective of this study.

First of all, one of the reasons for trying to improve the analytical approaches is to try to assure that future regulatory changes do not permit an increase in the present levels of risk.

A second objective — and I think these are objectives that all of us should be striving for —a second objective is to first qualitatively and then quantitatively identify “peak” risk conditions, and try to ascertain how “peak” risk conditions existing in the present systems can successfully be reduced, or removed.

I think a third objective for all of us would be the gradual reduction in average risk levels over a period of time as we become more proficient and knowledgeable in this approach.

And finally, an objective that I personally feel is very significant is the discovery of the commonality of hazards that create unacceptable risk levels for goods we are moving today and those we are going to be moving tomorrow, so that we can more effectively adc4ress them on a cross—modal basis and have more equitable private and regulatory treatment of all risk levels in the future.

Q. Did the Failure Mode and Effects Analysis predict the fire that killed the three astronauts? If not, would this same problem trap industry in the modes of transportation?

A. (Mr. Harris) I would say no. The FMEA is postured on a single point of failure basis and goes into very little depth beyond that point. The Apollo 4 fire was not a result of a single point of failure. There were three or four failures, the fact that the system was leaking glycol; the fact that there was a bare lead; the fact that there was power on that lead, combined to cause the fire. The fact that there was pure oxygen in the capsule combined with the


- 40 -

other features to augment the seriousness of the fire. I would carry this further to say that the FMEA did not nor could it predict the Apollo 13 accident and I would consider that to be an accident because of the same type of reasoning.

Whether or not this could trap industry, I think if you were to seriously entertain entering into an FMEA type of analysis, you would find the types of data that you needed to perform the analysis would have to be practically generate from scratch. I would suggest that, by going the other way and identifying the peak risks and the systems problems, and scale these down to manageable proportions and then work it that way, you would avoid this data generation problem because you should have a tremendous amount of data available in your books and in your records. The best source of data is actual use history data and you have that. Much of the data that comes out of the space programs is postulated data, empirical data, test data and calculated numbers. These are the reasons that they have not experienced the success they might have had trying to quantify safety.

Q. How should risk be considered? What is the practical alternative of quantifying? What do you think DOT’s role is?

A (Mr. Saacke) I’m not going to try to advise what the DOT role should be. But I think I’d like to answer the intent of the other questions. Guy Cohen pointed out, and Luddy Benner detined risk as the determination of the probability of accidents and the potentials for injury and damage that could occur. Guy Cohen in his approach indicated that they listed all of the probabilities and the potentials and made a decision as to which ones they could eliminate and which ones they could live with. I think that in this case a need to evaluate risks is still with us. We are talking about evaluation but there seems to be a cross purpose here. Statements were made to the effect that levels of risk are needed because we have no experience in many future fields of endeavor, and that we don’t want to use the country as a guinea pig by waiting for accidents and using their accident rates to determine what we should do.

At the same time that these statements were made, formulas were produced which indicate that you can quantify the levels of risk in terms of a function constant by indicating the relations between the various risks and their probability and severity. And yet, such a function constant cannot be measured because sufficient accident data is admittedly not available. So I think we need to do a better job tabulating information on accidents and their probabilities and their potentials so that we can evaluate individual risks better. Then if it is still felt that an attempt should be made to quantify risks, I think it is something that could be done experimentally, to determine if it is practical. I have a personal feeling that it is not practical to quantify these levels. And some of the things other speakers have said have backed that up. I do think there might be areas where it could be helpful. But I think we should examine the possibilities first, rather than to state it is needed, it is feasible, and let’s do it as soon as we can.

As I say, I am not going to try to advise the DOT what their role is. I think they are doing very well as it is.

Q A year or so ago the Department of Transportation had a number of projects under way to systematize the evaluation of hazardous materials risks, including transportation environment, standards, and vehicle placarding information. Where is this program?

A ( Mr. Black) If! could just take about ten seconds to make one comment and then answer the questions. I think implicit in discussions today and at all other times is sort of an adversary role of industry versus DOT. I submit to you that the goals of the Department of Trans


- 41 -

portation and the goals of industry are essentially the same -- safety. So I would hope that we understand that we should not be adversaries. Sometimes the methodology may be a little bit different; but I know our goal is the same.

Actually, this is part of the overall program. Specific contracts have been let, and various concepts have been looked into, for example: vehicle placarding. We are much closer to a uniform, meaningful vehicle placarding system today than we were a year or two ago. However, the Department does not just wish to spring upon everyone a vehicle placarding system that may not be adequate and may have to be changed again. For this reason it takes some time, and there has been continuous consultation with members of the public, industry and everyone else on placards, on the transport environment, and on performance standards. So these are on-going programs.

As for performance standards, there will never be an end to the program on performance standards. There will always be an on—going program to get a little better performance standards, and to understand the transportation environment a little better. So I know this is part of a continuing DOT operation.

Both the Office of Hazardous Materials and the modes are receiving more funding in this area. As the NTSB report pointed out, up until recently there was very little funding for broad based studies of this nature. With the help of the National Transportation Safety Board, we have been able to make Congress aware of our needs for additional research effort and additional funding. So I think you are going to see some payoff in these programs.

Q Are there any or is the National Transportation Safety Board recognizing graduate study programs or projects going on in this area, specifically of risk concepts at any of the leading universities that have historically concerned themselves with transportation?

A (Mr. Wakeland) The answer is that this particular concept is of course, a detailed project that is not a subject for a whole course of study. But there are, I believe, five universities in the United States now where the techniques called System Safety are being taught by short or longer term courses. On of these is at George Washington University. There is a course given there starting about every two to three months. Guy Cohen is one of the instructors. At the University of Washington in Seattle; the University of Southern California; and the National Safety Council also teaches Systems Safety. There is one other school, Emerson, do you know it?

Mr. Harris : It started out at Texas A & M, but I don’t know how they are doing it now. The point is simply this —— the schools serve the community. When they put these courses in they are recognizing that there is a demand for this type of analysis among the transportation community and many other communities. The courses would not be given if they were not getting results.

Q Your proposal strongly depends on quantification of probabilities that today are handled on a judgmental basis. How do you expect such quantification to be achieved?

A (Mr. Benner) This is a “how to” question. I want to preface my comments by saying these are personal observations, because the Safety Board’s position is to point out problem areas and recommend approaches, rather than to specifically describe the steps to be taken to resolve them. Naturally we must have a good idea how to get the job done before we can suggest recommendations — and we do in this study — but the Board does not publish these “implementation instructions”. With that caveat, I’d like to try to answer the question.


- 42 -

My view is that quantifications will consist of a stepwise progression which will proceed along the following lines. First of all, these will be an expanded qualitative analysis of the conditions or hazards that must have existed in accidents, and these will be linked together through accident analyses of the type that the Safety Board is doing as in the Marjory McAllester report. These results can be linked with accident analyses along the same lines prepared by private individuals. This effort will then probably be extended to examining postulated accidents. I think in this manner the hazards that must exist in an accident would be identified qualitatively, and from this a qualitative display prepared which would be visible for examination and analysis by interested people in different disciplines. The next step, as I envision it would be judgmental rankings of these different hazards and resultant risks they create. This is where technical expertise and the benefits of past experience would be of great value. For example, I envision that this judgmental ranking would proceed about as follows: you compare two hazards and you say to yourself, “Is this one more likely to transition into an accident than that one?” and you rank them one or two. You would go through this process with each individual hazard and loss for the undesired event you are examining.

Pretty soon you find that there are some of these decisions that you can’t make with confidence, even in the light of your expert experience, and so you decide that maybe you had better do some testing or check failure records or something. This leads to the research required to bridge data gaps that would be identified in this visible analysis. I think as a result of the progressively more sophisticated and better focused research and testing efforts, the quantification of the probabilities that are involved in these matters would begin to take form. We are probably looking at a very substantial time frame before we reach the quantified stage of this progressive development.

Finally, someone mentioned computers earlier. I suspect that the data which would be generated would attain such proportions that it would become imperative to utilize computers for the analysis and application of the data. I would envision this to be quite some time into the future.

Q What did the McAllister analysis accomplish?

A (Mr. Harris) To me it accomplished a very basic purpose. The mission of the National Transportation Safety Board is to investigate accidents with the objective ultimately of preventing similar occurrances and similar accidents from happening in the future. This necessitates learning as much as we can about the accident itself.

Now while this analytical technique used here completely hypothesized the causes it has a certain amount of validity to it because the tug did sink. Now when you follow the discipline of the technique and lay out what had to occur for this to sink. You had to have the hull full of water, you had to have the ship capsize, and this opens up a lot of questions about the basic design of the ship, the amount of freeboard on the sides, the location and structure of the cabin, the arrangement of the cabin doors, some of the operating procedures and the whole thing. This bit of data and this line of thinking, together with other paralleling line of thinking can build a degree of evidence or a degree of concern, if you will, that ultimately will lead to design modifications and hopefully, prevent these things from happening in the future. I think it was a very valuable exercise.

- 43 -

Mr. Hoffman: I don’t know if the problem of disappearing or exploding supertankers has officially come to the attention of the Safety Board, but it sounds to me like if you could reconstruct the sinking of the Marjorie MacAllister you might be able to reconstruct the disappearance of some of these super tankers. Now I’m not inviting you to do so because I don’t represent that industry, but from a theoretical point of view, at least, perhaps you might want to comment on that.

Mr. Wakeland : Stanley, I’d like to add to that from the standpoint of what the Board did with these diagrams and its recommendations. This fault tree diagram, Attachment A, which Emerson was discussing, was used to analyze what happened in the accident. We then pointed that the existence of this fault tree diagram proved that since we used very little evidence to produce it, that this fault tree diagram could have been written by the designer of the vessel before the thing was ever built. If that had occurred he would have found that there was a critical path by which he could lose his vessel. And therefore what is the next stage? It is simply this: that fault tree analysis ought to be a standard method in the field of marine architecture. It is as simple as that. You can take one case, you don’t have to have a million cases to show that fault tree analysis or any other technique is worthwhile. You just have to show that in one case you can trace back and use logic and you could have prevented the thing from occurring. That is what the Board finally recommended to the Coast Guard and to the Marine architecture profession.

Mr. Hoffman : Bill, if I may, I’d like to ask you a question. You said something earlier to the effect that it would be good to use this system if that would take the emotion out of it. I think as a regulator you have some background with respect to emotion in making regulations, and sometimes the emotion finds itself up on the Hill. I think Hank alluded to the kind of response you sometimes have to deal with at the Congressional level. One thing that occurs to me is, that if in producing, or using this type of analysis, you end up more clearly than ever before articulating the reason why you decided to take a particular risk, and then it occurs and you get some irate Congressman who says come on down and tell us why you, as the regulator, did not do anything about this. And you say, “Well, we made an analysis and decided to take the risk.” Now you have articulated more clearly than ever before why you did not do a certain thing, or why you did not write a certain regulation. Now under which system do you think you might fare best?

A. (Mr. Black) You ask a person who is trained in science to answer a political question! Quite frankly, I do not care whether a scientific answer is satisfactory or not. Talking about utilizing the engineering approach, since you are desirous of knowing what you are doing, then even if it turns out that your answer isn’t what you would have liked to have gotten, I always feel you have benefited by having a scientific answer to a question. So, if you have a method by which you can categorize risk, analyze risk, determine probability, and decide that this risk will be taken care of, and this other risk will be assigned a low order of probability such that you will not bother with it further, and the second risk still occurs; I think you are benefited in that you at least performed the analysis.

Now as to whether your scientific answer is acceptable to someone else, that’s beyond my field.

Q. Is the procedure your company uses to identify product hazards and risks, including misuse, described in a single document that is available to interested parties?

A. (Mr. Saacke) The answer is yes. If you give me your card, I’ll be glad to send you a copy paper that I have given in one form or another on several occasions in discussing how to maintain product safety in aII of the departments of our company and how to prevent product liability


- 44 -

The paper is divided into sections so that the individuals in each department can restrict themselves to reading a page or two pertinent to their responsibilities. Now this is specifically product hazards and risks and is not necessarily transportation hazards.

Q. what further can as well be done and by whom relative to the tank cars you discussed? ~~ Does the FRA have authority to stop their use?

A Mr. Wakeland) This is one of the very practical questions that comes out of the new authority which FRA received under the Federal Railroad Safety Act of 1970. FRA could declare the existence of a hazard and, I forget the exact phraseology, but FRA can issue orders which will resolve hazards of a certain type. Of course, there are no examples of the use of this authority yet, to my knowledge. I may be wrong on that. But the question of exactly what it means, is something that would have to be resolved by legal decisions, challenges in the courts, interpretations by the Attorney General.

What further can be done relative to the tank cars? If you will refer back to Page 19 of the study again, you’ll see that in that chart the lower part of it deals with the consequences of the occurrence. This is the area where the chances are that most of the correction can be made on those tank cars. As far as I have been able to tell, most of the improvements that have been directed by FRA, however, have been in the area of reducing the probability of the occurrence. I do not recall in detail what changes have been proposed for the regulation by FRA. I think perhaps Bill Black could answer that question in this area better than I could.

A (Mr. Black) If you will examine Title III of the Railroad Safety Act, it references Public Ai. Law 86—710 which is the Hazardous Materials Act of 1961, and indicates that nothing in that law is set aside. So I must state that in the opinion of the Federal Railroad Administration any package, and a tank car is nothing but a very large package, which can be proven to be faulty, such as not being up to the level which we think it should be, can be ordered out of service. This would not be because it is railroad equipment, but rather because it is a faulty package. So the FRA can order out of service tank cars which are defective, and we have this right under Public Law 86—710.

The second part of the question asked: what have we done? We are not completely sure as to what should be done and what can be done. Industry is currently spending around $2 million on a research program and we have requested something in the neighborhood of about half a million dollars to determine what should be done and what can be done. The first thing we have to find out is the mode of failure. I don’t want to get technical and explain what it might be, but tank car accident behavior suggests that it is more than just a simple failure mode. If you trade off one failure mode for another, which would you rather have? For example, you might want your steel to give way easier, but to give way in such a manner that you don’t get “rocketing”. Or, on the other side, you might want the steel to hold together better, recognizing that you will have bigger and better “rockets” when it finally does fail. So we want to know a great deal in terms of physical sciences before we take action. We feel the answers are coming forward from the joint AAR—RPI studies and also the studies that we are conducting.

Mr. Wakeland : I’d just like to make one point about what Bill Black said with reference to the point of this study, which is that the economics of this tank car situation that Bill just explained are in terms of corrective measures on the existing 30,000 gallon tank cars, the design of which was erroneously allowed to develop an increased risk. Now catastrophies of this nature seldom occurred with the earlier, smaller, insulated tank cars. So the added risk was allowed and not detected. There is no way to trace the reasoning that was used for this regulation. If this method that we are describing here, with full documentation, is used, we think that hazards

-45 -

of this nature will be found before we are committed to the use of very large tank cars without the necessary hazards or very large tank vessels or large pipelines with thin walls. We think the added hazards will be able to be controlled before the error is manufactured in tens of thousands of pieces of equipment that can’t be changed later.

Q Mr. Black states that railroads, in the last 30 years, had 1 .28 fatalities per year involving hazardous materials. What is the risk concept goal and at what additional cost?

A (Mr. Wakeland) Risk concept control methods do not establish any particular goal. The ~ risk concept establishes numbers which can be judged to determine whether they are acceptable goals or not. The additional cost is determined by a completely separate analysis. Cost can then be weighed against the achievement of the level of risk by those who are making the decision, whether private industry or regulators. The thing to point out here is simply this, that if we have an objective, reproducible system of this nature, industry can itself analyze the risk level and present it as part of its proposal on a new type of system. Industry can make changes of their own and they can argue for their point of view on what the risk level ought to be. In other words, industry can take the initiative or the regulators can take the initiative. They will both have the facts.

Q Is there a project under study by FRA that might be a likely guinea pig for applying risk analysis to determine its pros and cons? If so, please describe the project briefly.

A. (Mr. Black) Well, I think there is an assumption that we have never applied such a tech— and I think that’s wrong. To my knowledge, I don’t think that we have ever schematically drawn out a risk chart, but many of the basic concepts have been used. One of the problems that we get into is that we have a system going, a very large system, worth many billions of dollars consisting of a nationwide railroad network and the equipment that moves on it. I’m not sure how much of this risk analysis concept can be used on an existing system.

We have literally hundreds of on—going projects in FRA dealing with aII of the components of the railroad system. AII of these projects have some sort of completion date, so that we can’t neglect most of them and work on only one or two, which is what this kind of in depth analysis might require. But I think there are several projects underway where we can apply, or attempt to apply, some of the principles of this risk analysis method. There is one principle that I think fits in here that we have always used. It may not be as scientific as many might like, but it is a concept that I think also fits in risk management. It is the concept of regulation by analogy. You’re not sure what you have in terms of hazard, but you are able to determine that the commodity is less hazardous than A, but presents more hazard to the public than item B. Thus you select a system utilizing concepts developed for items A and B. If you want to be very safe, you select the A system of transportation regulation for your product. Or, if you want to be a little bit more refined, you select just a little bit less than that level.

I think that you will find that a great number of the regulations promulgated by the Interstate Commerce utilized this method: While you were not exactly sure how a new commodity should be dealt with, but you determined that it had similar properties and similar hazards to another chemical that you felt was being shipped properly, you decided that in terms of public risk the two commodities are identical and therefore you determined that the new commodity could be packaged and transported in the same manner as the known product.


- 46 -

Mr. Hoffman: Bill, your analogy concept could be the basis for a whole new Forum. I am a little terrified by the hundreds of projects that reside at FRA, because FRA is only one of four operating administrations in addition to the Office of Hazardous Materials. Put them aII together and we have hundreds of projects raised to the fifth power, and it terrifies me.

Now, Governor Reed, who opened this Conference, has been kind enough to agree to give us some concluding remarks at the end of it. With that I’d like to call on Governor Reed.

(Governor Reed)

Thank you very much, Stan. Let me hasten to assure you that I’ll be extremely brief because I know some of you are getting ready to catch the five o’clock shuttle to New York and you will want to wind up his very productive day.

This morning I complimented Harold Hammond and his staff for an excellent job in preparing this Forum. I did neglect to mention, however, that the National Transportation Safety Board is delighted with the establishment of the TAA Ad Hoc Committee on Hazardous Materials and the able leadership that Stan Hoffman is giving this group. I know that this committee will do a great deal to forward the cause of safety in the transportation of these hazardous commodities. Certainly, this is important and it would indicate that the TAA is not going to be satisfied just with this Forum,but will press ahead for positive action.

I would like to comment on one question that came to the panel: What is the goal of the Safety Board in reference to the number of accidents and to the number of fatalities? Let me say that at the Board we feel our ultimate goal is zero accidents and zero fatalities. Now we are not naive enough to think that we are going to work ourselves out of business in a year or two. But we do believe it is important that our goal and the goal of the other agencies in DOT be the complete elimination of accidents. Once in awhile, in a particular mode, we will reach it as we did last year in regularly scheduled domestic air service where we experienced no fatalities. This was a tremendous record.

It lasted 18 months and then within a 24—hour period this great achievement was shattered with 50 deaths on the West Coast in a midair collision and 28 in New Haven, Connecticut, in the unfortunate Allegheny Airlines crash. So we can never relax. We must continue to work for improved safety. I know that every one of you engaged in the field recognizes the problems involved and I know, too, that you are going to put your shoulder to the wheel in the future as you have in the past.

I believe the scientific approach that has been developed by our NTSB staff will be something for you to build upon. We aII recognize the practicalities of the situation and know we are not going to accomplish everything in one fell swoop. We do have to set goals and develop procedures that will move us toward a higher level of safety. I am encouraged. In the years I have been working in this field I have seen definite progress. It is encouraging to see the kind of spirit and the dialog that has been developed here today.

I was pleased when Stan mentioned the importance of hard—hitting questions. Since these were nonattributable I thought someone might say the study was impractical. There was nothing along that vein. They were entirely constructive and we are delighted at the opportunity to share this session with you today and we’ll look forward to working with you in the future on any type of transportation safety problem.

It was a great pleasure to participate and we thank you very much for your fine cooperation.


- 47 -

Mr. Hoffman: Thank you very much, Governor. I would like to add my thanks to Harold Hammond, Willis Bixby and aII the members of the TAA staff who made this rather short—noticed conference a success. Also my thanks to the Panel members for their part in making this a profitable meeting.

I’d like also to thank aII of you for being here today and for sharing in this Forum. I’d like to see more of you at some of the future meetings of the Ad Hoc Committee, or at least hear from you and let us know that you are interested in what we are doing. Thank you very much.

On behalf of TAA, thank you again for participating in this fine meeting. The meeting is adjourned.

- 48 -

End