Published in 2007, Nassim Nicholas Taleb's book The Black Swan achieved almost overnight fame (a circumstance that is, in itself, something of a black swan). He defined a black swan event as having the following attributes.
- It is unpredictable;
- It has a massive impact; and
- After the fact we develop explanations to make the event appear less random, and more predictable, than it was.
A black swan is not the same as bad luck. Therefore the fact that such an event can occur does not justify lack of effort in reducing risk nor does it justify fatalism; it merely states that, no matter how good our risk management programs may be, bad events will occur.
Taleb's book was written about financial markets, but its concepts can be applied to almost any type of system, including process facilities. For example, the three parameters listed above apply almost perfectly to the Deepwater Horizon/Macondo event:
- It was a surprise;
- Its impact on the offshore oil and gas industry was profound; and
- By now, pretty much everyone can explain what happened, thus removing the element of surprise from their thinking. We have all become experts, even Monday morning quarterbacks.
Taleb attributes our inability to anticipate black swans to our tendency to focus on those things that we know, and to pay relatively less attention to what we don't know. We cannot "think the unthinkable". We are also too prone to categorize - a failing of most incident investigations as discussed by Dean Gano in his book Apollo Root Cause Analysis.
At his web page Taleb notes that the Japanese Nuclear Commission had, in the year 2003, set the following goal:
The mean value of acute fatality risk by radiation exposure resultant from an accident of a nuclear installation to individuals of the public, who live in the vicinity of the site boundary of the nuclear installation, should not exceed the probability of about 1/10^6 per year (that is, at least 1 per million years).
The Fukushima-Daiichi nuclear power plant catastrophe occurred eight years later.
Taleb goes on to state,
I spent the last two decades explaining . . . why we should not talk about small probabilities in any domain. Science cannot deal with them. It is irresponsible to talk about small probabilities and make people rely on them, except for natural systems that have been standing for 3 billion years (not manmade ones for which the probabilities are derived theoretically, such as the nuclear field for which the effective track record is only 60 years).
He is equally scathing about estimates of consequence. He believes that the consequences of events such as Fukushima-Daiichi will usually be much more serious than estimated in the risk management models.
Basically, what he is saying is that, no matter how good our risk management systems may be, bad events are going to occur, and some of those events will be very bad. And some of those events will be unpredictable no matter how effective our hazard analysis programs may be.
Which takes us to the right hand side of the bow tie.
Bow Tie analysis has gained widespread recognition in recent years as a means of identifying and then controlling hazardous events. On the left side of the bow tie diagram are the events or threats that could create an unsafe condition. A series of barriers or control measures are provided so as to reduce the likelihood of the event occurring. On the right side of the diagram are the barriers that reduce the severity of the event's impact should the worst happen. (Basically, a bow tie diagram is a fault tree followed by an event tree.)
Most process safety work tends to take place on the left side of the diagram, i.e., identifying how a hazardous event could occur and then putting in place barriers to prevent that occurrence. Implicit in this focus is an assumption that we can realistically predict virtually all of the events that may occur and can thus prevent the incident from taking place. However, if it is accepted that a black swan may fly in, then more attention should be given to the right hand side of the diagram.
Another, more subtle, reason for increasing the effort devoted to the right side of the bow tie analysis is that many of the hazard identification methods are showing diminishing returns. For example, when the HAZOP technique was introduced 50 years ago it was instrumental in identifying many single-contingency, high consequence events that could be eliminated with modest expenditure. But we are now, to some extent, victims of our own success, and our analytical techniques are challenged in areas such as:
- Imprecision in defining terms;
- Multiple contingencies;
- Complexities and subtle interactions;
- Dynamic conditions;
- Common cause events;
- Knowledge of safe operating limits;
- Lack of quantification;
- Team quality;
- Personal experience;
- Confusion with design reviews;
- False confidence;
- Equipment orientation;
- Interfaces; and
- Human error.
Difficulties such as those listed above emphasize the need for paying attention to the right hand side of the bow tie.
No matter how effective our hazards analysis programs are, unexpected events will occur, and some of those events will be serious. Therefore, increased emphasis needs to be placed on managing those events when they occur, i.e., on the right hand side of the bow-tie diagram.