“No matter how bad things are, you can always make things worse.” — Randy Pausch
The term “worst case” lacks rigor. Let’s stop using it.
“Worst case” doesn’t really mean what we think it means and it confuses people. More often than not, the term is an obstacle to good analysis, not an aid.
What do we think “worst-case scenario” means?
A quick review turns up several definitions of “worst-case scenario”, all very similar: “the most unpleasant or serious thing that could happen in a situation”, “the worst possible future outcome”, and “any situation or conclusion which could not be any worse; the worst possible outcome”.
They have three things in common. First, they all speculate about outcomes that may happen in the future. Second, they all suggest that the analyst will recognize what all possible outcomes are and will know that nothing worse could happen. Third, they presume that, among all possible outcomes, there is agreement on which is the worst thing that could happen.
It is possible to look at a finite set of potential outcomes and rank them from best to worst. There is nothing about the term “worst-case scenario,” however, that suggests that analysts are being asked to rank a finite, predefined set of potential outcomes. Instead, a process hazard analysis (PHA) team is asked to speculate about what the worst case would be.
You needn’t have spent much time with a bunch of engineers to know that they have incredibly active imaginations. No matter how bad someone imagines the outcome to be, someone else can imagine something worse. At what point do we reach “the worst”?
Without trying very hard, one can turn any hazard into a fatal hazard with the potential for multiple fatalities.
Office supplies, for instance. Consider the scenario where someone goes to the office supply cabinet and gets a box of paper clips. On the way back to their cubicle, they drop the box of paper clips, which spills open, scattering one hundred #1 paper clips across the freshly polished linoleum floor. Before they get a chance to pick them up, someone else comes walking down the hallway, fails to see the spilled paper clips on the floor, slips and falls, hits the back of their head on the corner of a desk, and dies.
Clearly, paper clips are a fatal hazard.
“But that’s not credible!” some may argue. What’s not credible? That paper clips could be spilled on the floor? That someone could slip on paper clips spilled on the floor? That when someone slips, they could fall in such a way as to die? We have all witnessed spilled paper clips and we have all witnessed people falling. Every year, the Bureau of Labor Statistics reports fatalities, including fatalities from falls at the same level. In 2017, the last year for which the BLS has reported data, there were 174 fatalities from falling at the same level—more than 3% of all workplace fatalities. That is over 40% more than died from fires and explosions, combined. So, what exactly does “credible” mean?
For some, credible means “possible” or “not impossible.” By this definition, a scenario like “a swarm of zombies attacked the plant” is not credible. On the other hand, a facility being swarmed by insects is not impossible, hence credible by this definition.
For some, credible means something that has happened, as in “if it happened once, it could happen again.” I have worked with a plant that was once struck by an aircraft. As unlikely as that is to happen again, personnel at that plant consider any hazard review that does not consider being struck by an airplane as incomplete.
I have also worked with a plant where a shift leader once inadvertently opened the wrong drain valve, mistakenly sending flammable solvent into a storm water sewer. Meanwhile, an electrical crew was removing downed wires over a quarter mile away. The wires scraped across the edge of a sewer culvert, creating a spark that ignited the solvent floating on the storm water. A flame front accelerated down the sewer and blew a series of manhole covers into the air. One of those manhole covers happened to strike the lone operator in the area when it came down, seriously injuring him. Had anyone suggested this scenario during a PHA as worthy of serious consideration before it happened, they would have been laughed out of the room. Now that it has actually happened, by this definition, it is a credible scenario.
The EPA and Worst Case
When the EPA promulgated the Risk Management Planning (RMP) rule, in 40 CFR 68, it required that the owner or operator of a stationary source consider a “worst case release scenario.” To address questions about what exactly they meant by that, the EPA went to great pains to define the conditions of a worst case. Any reasonably imaginative person could look at the EPA worst case and imagine a release that would be even worse. At the same time, there is almost universal agreement that the EPA worst cases are not especially credible.
The RMP worst case scenarios are not intended to be credible. They are intended to assure that event consequences posed by different stationary sources are compared on an equal basis. They are intended to assure that hazards are not trivialized. There is a reason that the guidance for the RMP rule is called the “Guidance for Off-Site Consequence Analysis” and not the “Guidance for Off-Site Risk Analysis”.
Even the EPA tacitly acknowledges this by including a framework for developing alternate release scenarios, scenarios that are “more likely to occur than the worst-case release scenario.”
The effect is that stationary sources covered by the RMP rule develop the worst-case release scenarios required by the EPA. However, those scenarios are not used in any serious assessment of the hazards of a site, or in any evaluation of the risks of those hazards.
Catastrophic meteor strikes are not just possible; they’ve happened. As recently as 2013, the Chelyabinsk meteor that exploded over Russia had an airburst equivalent to about 500 kilotons, around 30 times greater than that of the Hiroshima bomb.
Most bolides (meteors, asteroids) that enter the earth’s sky explode in the upper atmosphere, where the solids are vaporized, posing no threat to human activity on the earth’s surface. However, bolides about the size of a barn can make it close enough that either the airburst or the crater would have an effect.
Why doesn’t every plant in the world have an anti-meteor task force? Bolides the size of a barn or bigger strike the earth about once every 40 years. Typically, a once-every-40-year event will get the attention of a HazOp team. However, the event usually will not affect the entire world—the affected area is more like 100 square miles. The surface of the earth is about 200 million square miles, meaning that the likelihood of an asteroid strike affecting a particular plant is 0.0000000125 per year. Not credible.
Doing Good Analysis
We really need to stop talking about “worst-case scenarios” when we do a process hazard analysis.
Modifying the term to “worst credible case” is no better. It simply shifts the lack of rigor from “worst” to “credible”. For it to mean anything, the term “credible” must be defined.
Neither “could happen” nor “has happened” adequately defines “credible.” They don’t take likelihood into account. A risk assessment, however, requires that we consider likelihood as well as consequence if the assessment is to be meaningful. Personally, I recommend considering the consequences that are most likely and their associated likelihoods before venturing further down the distribution tail. However, even when venturing further out along the distribution, it is important to adjust the estimates of likelihood accordingly.
Don’t let what is possible or what has happened overwhelm a discussion that should be about risk—consequences and likelihood. Feel free to ask, “Is that a paperclip? A meteor?” If it is, acknowledge that it’s possible, but then move on. There are credible hazards that need your attention.
This blog is based on an earlier version, “Meteors and Black Swans: Worst Case Scenarios”, posted on 10-Nov-2016 by Elsevier in Chemicals & Materials Now!