RISK CONCEPTS IN DANGEROUS GOODS TRANSPORTATION

TABLE OF CONTENTS

	Page
SUMMARY	v
INTRODUCTION	1
HISTORICAL DEVELOPMENT OF REGULATIONS	2
REVIEW OF REGULATORY DIFFICULTIES	4
a. Unclear Purpose	4
b. Levels of Risk	6
c. Methods of Evaluating Changes	10
d. Parties at Risk	11
e. Underlying Deficiency	12
DEVELOPMENT OFANANALYTICAL FRAMEWORK	16
a. Risk Identification: Phase I	21
b. Risk Evaluation: Phase II	27
c. Risk Reduction: Phase III	29
IMPLEMENTATION	31
CONCLUSIONS	32
RECOMMENDATIONS	34

NATIONAL TRANSPORTATION SAFETY BOARD

WASHINGTON, D. C. 20591

SPECIAL. STUDY

Adopted: January 27. 1971

RISK CONCEPTS IN DANGEROUS

GOODS TRANSPORTATION REGUIATIONS

SUMMARY

The movement of dangerous goods through transportation channels has been the object of concern by private industries and governmental representatives for almost a century. Their movement creates risks, over which private and public control efforts have been exercised in various ways. A major control effort has been the development of Federal regulations prescribing conditions under which these goods may be offered for transportation and moved by the carrier.

Serious difficulties exist under these regulations. The regulations lack clarity and uniformity of stated purpose. Their development was not supported by consistent analytical approaches for determining the safety value of changes. They permit the existence of unrecognized variations in the level of risk and resultant cost of precautionary measures among modes and commodities. Neither the hazards or risks nor the scope of the consequences to be countered by the regulations are clearly delineated. The adequacy of the weight given to risk reduction for each segment of the populations at risk, as these regulations were developed, is uncertain. Trade-offs between alternative regulatory changes addressed to specific problems can not be identified or assessed. These difficulties arise from the lack of a uniform framework for analyzing the problems created by the movement of dangerous goods in our transportation systems. The scheme of the regulations focuses on the inherent nature of the dangerous commodities and their containment, rather than the risks created by dangerous goods movements in the transportation system.

Following the creation of the Department of Transportation in 1967, the initiative for promulgating changes in most of these regulations has been shifting from the regulated to the regulators. If difficulties existing under present regulations are to be satisfactorily resolved, the approaches under which current regulations were developed require reexamination. This need has been given cognizance by the Department of Transportation, but the new approaches suggested to date do not appear to fully resolve the difficulties described.

This study examines the salient approaches underlying the development of the existing regulations, describes the difficulties created thereby, and discusses the needs which must be met by new approaches. The study

- v -

includes an example of a type of framework which might be employed for effectively guiding the risk identification, risk evaluation, and risk reduction processes addressed to dangerous goods transportation.

The National Transportation Safety Board concludes that adoption of a risk-based framework for future dangerous goods regulations is necessary, desirable and feasible, and should be developed and implemented without undue delay.

The recommendations of the Safety Board appear on page 34.

INTRODUCTION

. . . we have simply outgrown the old scheme of things."

With these remarks, the Director, Office of Hazardous Materials characterized the status of Department of Transportation Dangerous Articles Regulations in May f69_1/ The observation is still valid. There is a question whether existing dangerous goods controls are as effective as possible, and whether precautions may be excessive in some cases.

In 1970, 70 firemen were injured, the business district of Crescent City, Illinois was virtually destroyed, and the rail line was out of service for approximately 3 days, after a train accident involving more than 250,000 gallons of propane in tank cars. A tank truck transporting liquefied oxygen exploded adjacent to a hospital after a routine delivery, taking the life of the driver and a bystander, and injuring 30 persons. The crew of a cargo aircraft was incapacitated shortly after landing by fumes from a material, usually classified as flammable, which had escaped from its container. A pleasure boat, passing by a barge being loaded with a volatile fuel, was suddenly engulfed by flames, with the loss of three lives. An explosion and fire, following a 30-inch products pipeline leak, injured four repair workers.

Each incident occurred despite the private and regulatory dangerous goods safety controls currently in effect under "the old scheme of things." No reliable source of data is available to indicate the full extent of the losses occurring under the existing regulations, and losses will not be known until the recently announced Department of Transportation (DOT) reporting system is operational, but it is evident they are substantial.

Losses occurring in connection with transportation of dangerous goods and incidents such as these confront the regulators with a need to make a continuing series of decisions: Do existing regulations provide a known level of safety, or should they be changed? If they are changed, how will the level of safety be affected? The same questions occur each time the regulators, on their own initiative or at the request of a petitioner, consider any change to the present regulations.

The many difficulties associated with development of answers to these questions are examined in this study. To understand these difficulties fully, a review of the historical development of the existing regulations which led to these difficulties is helpful.

________________________
1/ A Study of Transportation of Hazardous Materials, National Academy of Sciences, National Research Council, May 1969, pp. 13-16.

- 1 -

- 2 -

HISTORICAL DEVELOPMENT OF REGULATIONS

Origins of the present scheme of the regulations can be traced to the late 1800’s. It was during this period that rail carriers initiated the first organized efforts to improve the safety of increasing movements of goods considered to represent a danger to their employees or equipment, or the cargo they were transporting. One of the pioneering steps in this effort was the creation of the Bureau for the Safe Transportation of Explosives and Other Dangerous Articles by the American Railway Association (ARA). Continuing problems in this area of rail transportation prompted Congressional passage in 1908 of the first practical Federal legislation providing for Federal jurisdiction over the regulation of the transportation of explosives and other dangerous articles in interstate commerce.

This Act adopted the then existing framework of classifications of dangerous articles (§834a) upon which subsequent regulations were structured. This commodity-oriented regulatory framework still prevails. The Act also designated shippers, carriers, and the Interstate Commerce Commission, as the parties vested with the responsibility for assuring transportation of these goods with "no appreciable danger to persons or property". This requirement was initially interpreted in the context of then existent "best known practicable means" for securing safety in transit, which in turn established the levels of safety attained by the first regulations adopted.

Significantly, this legislation also provided for the procedural handling of the safety matters by the Interstate Commerce Commission, which prior to that time had been charged principally with economic regulation. It was natural for the Commission to apply its traditional adversary procedural approach to its new responsibilities. Under these procedures, the initiative for changing or improving regulations lay largely with parties having an interest in a single product, or a single container or other package. The record contains relatively few instances of changes made upon the Commission’s own motion. Thus, the body of regulations as it exists today grew item by item utilizing the basic concepts and framework first given cognizance in the 1908 Act. As new products, containers and modes emerged, each was accommodated by the then existing scheme of the regulations. While the regulations were changed from time to time over the years, the underlying approaches and framework of the regulations remained intact.

An important aspect of past development of safety measures was the relatively low level of research activity required to sustain the unsophisticated level of the safety control activities -- both voluntary and regulatory --needed to satisfy the demands of the interested parties. Until 1968, essentially no research funds were budgeted by the regulators of this transportation. By considering matters at issue on an ad hoc basis for largely single mode use, there was little need for more than arriving at a consensus of expert judgments for the three parties with direct interest in the problem, namely the shippers, the carriers, and their suppliers.

________________________
* Funding to support expansion of staff capabilities and research in this safety program area was sought from time to time by the regulators, but these efforts met with little success over the years.

- 3 -

During World War II, two aspects of the approaches described above underwent a change in one of the modes. The regulatory jurisdiction over marine bulk flammable goods transportation was assigned to the Coast Guard, which then began to exercise the primary initiative for regulatory changes, and to institute meaningful enforcement efforts in this safety area. The nature of the regulations which resulted suggests the ad hoc approach and the consensus of experts continued to provide the basis for regulatory changes .

The creation of the Department of Transportation in 1967 resulted in significant changes in the administration of these regulations. Regulatory authorities for each mode began meeting together regularly to exchange views, and important new rulemaking procedures were developed. Regulatory staffs grew in numbers and expertise, and initiatives for regulatory changes began shifting from the shippers, carriers and suppliers to the regulators. Regulatory changes, once published at quarterly or less frequent intervals, have occurred with increasing frequency. A general effort to overhaul the old ICC regulations completely, was announced in August 1968. Pertinent research was initiated by different agencies within the Department. Increasing emphasis has been directed at the consequences of accidents, by considering not only the nature but the degree of hazard of the dangerous commodity being analyzed by the regulators. Changes based on a subjective hazard rating scheme were developed and initiated by one of the modes.

The rate at which recent changes have been occurring, in itself, suggests the existence of problems with the ICC-oriented regulations. Despite these changes, however, resolution of some of the fundamental difficulties appears not yet to have occurred. Wider understanding of these difficulties is required before their successful resolution can be expected to occur. To this end, a review of these difficulties follows.

- 4 -

REVIEW OF REGULATORY DIFFICULTIES

The legacy of the earlier regulatory approaches has contributed to current regulatory difficulties in several important areas. Analysis of the current regulations applicable to dangerous goods transportation reveals serious difficulties attributable to the original regulatory philosophies and approaches. The principal difficulties are:

the absence of a clear, uniform objective or purpose among the Department of Transportation’s modal regulations;

discrepancies in apparent levels of risk permitted by regulation among the modes and among commodities;

the inadequacy of methods or criteria for determining and comparing the merits of proposed changes in the regulations, both before and after they are promulgated; and

the approaches to the weighing of the needs and interests of all parties at risk; including bystanders who have no adversary representatives.

Unclear Purpose

An examination of the stated objectives of the regulations governing the surface transportation of dangerous goods illustrate the first problem. For rail and highway transportation, we find the stated purpose of these regulations to be:

§ 173.1 Purpose of the regulations in Parts 170 - 189. (a) To promote the uniform enforcement of law and to minimize the dangers to life and property incident to the transportation of explosives and other dangerous articles by common carriers engaged in interstate or foreign commerce, the regulations in Parts 170 - 189 are prescribed to define these articles for transportation purposes, to state the precautions that must be observed by the shipper in preparing them for shipment by rail freight, rail express, rail baggage, highway, or by carrier by water.

For marine transportation, the stated purposes of the regulations involving dangerous goods safety differ from section to section, though all involve dangerous goods considerations. For example, for tank vessel regulations, the purpose is stated to be:

§ 30.01 - 1 Purpose of regulations. (a) The rules and regulations in this subchapter are prescribed for all tank vessels in accordance with the intent of the various statutes administered by the Coast Guard and to provide for a correct and uniform administration of the vessel inspection requirements applicable to tank vessels.

- 5 -

For cargo and miscellaneous vessels, the Purpose reads:

§ 90.01 - 1 Purpose of regulations. (a) The purpose of the regulations in this subchapter is to set forth uniform minimum requirements for cargo and miscellaneous vessels, as listed in Column 5 of Table 90.05 - 1(a), in accordance with the intent of Title 52 of the Revised Statutes and acts amendatory thereof or supplemental thereto, as well as to implement various International Conventions for Safety of Life at Sea and other treaties which affect the merchant marine. The regulations are necessary to carry out the provisions of law affecting cargo and miscellaneous vessels and such regulations have the force of law.

For Marine transportation or storage of explosives and other dangerous articles or substances, and combustible liquids on board vessels, the purpose reads:

§ 146.01 - 1 Purpose of regulations. The purpose of the regulations in this subchapter is to promote safety in the handling, stowage, storage and transportation of explosives or other dangerous articles or substances, and combustible liquids, as defined herein, on board vessels on any navigable waters within the limits of the jurisdiction of the United States including its territories and possessions excepting only the Panama Canal Zone and to make more effective the provisions of the International Convention for the Safety of Life at Sea, 1960, relative to the carriage of dangerous goods.

The purpose of regulatory requirements for certain bulk dangerous cargoes is:

§ 151.01 - 1 Purpose of regulations. (a) The purpose of the regulations in this part is to set forth uniform minimum requirements for unmanned tank barges, whether being navigated or not, used for the transportation of those liquids or liquefied gases in bulk which have dangerous characteristics within the definitions listed in § 146.03 - 8 of this chapter, or which have flammability or combustibility characteristics within the scope of Title 46, United States Code, section 391(a), and within the definitions in §§ 30.10 - 15, 30.10 - 22, and 30.10 - 39 of this chapter.

(Note: This section also contains the classifications and other related sections containing definitions for these classifications.)

Neither liquid nor gas pipeline regulations contain a statement of purpose comparable to the preceding citations.

A lack of focus on consistent regulatory objectives or purposes among the modes can be expected to create barriers to equitable regulatory

- 6 -

treatment between the modes and dangerous commodities moving in these modes. These inequities exist, as illustrated below; discrepancies among the stated purposes cited, and the absence of a stated purpose for the newest set of regulations (pipelines), do contribute to the difficulties in arriving at relatively comparable levels of safety in dangerous goods transportation among the modes. Note, for example, the distinction between 49 CFR 173.1 ("minimize the dangers") and 46 CFR-146.01-1 ("promote safety") with regard to the level of safety being sought by the regulators of the respective modes. Comparison of these stated purposes with the statutes discloses additional differences. Title 18, Chapter 49, Section 832 of the U. S. Code suggests these goods should be transported with "no appreciable danger to persons or property."

The sources of the regulations were often, initially, voluntary industry standards. The adoption of the pre-existing scheme of voluntary control measures when regulations were first instituted, and the manner in which the regulations were amended prior to the creation of DOT, unquestionably veiled the need to reexamine critically the purpose of the regulations. As regulatory initiatives continue to shift toward the regulators, the need for clarity of purpose will increase in importance.

Levels of Risk

The transportation of dangerous goods creates risks. These risks are dependent upon the set of circumstances in which the goods are being moved. The aggregate of the individual risks for such movements constitutes the level of risk for these movements. The level of safety for such movements is related to the level of risk, rather than individual risks or hazards or losses.

When the ICC adopted its first dangerous goods regulations, the levels of risk then existing were implicitly accepted under the new regulations. There was no need to determine the absolute or relative levels of risk at that time. When major dangerous goods accidents occurred, the risks were implicitly presumed to be excessive and remedial regulatory changes initiated. The ICC’s case-by-case adversary approach did not require or mechanically produce a comparative risk level determination. Changes were of relatively limited scope, usually affecting only one matter at a time, and the manner in which the changes were screened by the Bureau of Explosives, minimized the need for evaluation by the regulator. So long as a consensus could be obtained by the Bureau, there was no need to measure risk level changes.

As trucking services expanded, an important new party of interest entered the regulatory picture. Acting directly with the ICC, the trucking industry stimulated a new body of truck-oriented regulatory changes, along with new philosophies about levels of risk posed by highway transportation of dangerous goods. This new competitive economic force acting upon all the modes (and commodities) created subtle new pressures toward higher risk as the growing

- 7 -

drive for increased unit payloads began spreading within the trucking industry and between the modes. It was such competition that led to innovations such as the jumbo tank cars, the lighter steels in MC 330 cargo tanks, jumbo tank ships, and increasingly larger pipelines.

As these developments were occurring, intense competitive pressures grew among modes and industries. Still dealing with the regulators on a case-by-case basis, shippers and carriers promoted new, larger containers which were incorporated into regulations by the ICC, largely on the basis of their technical feasibility as assessed by expert opinion. Again, there was no documented effort to determine the changes in risk levels, with the result that, though they occurred, they went unnoted. It was not until the accident experience began to accumulate, as in the accidents at Laurel, Mississippi, Crete, Nebraska, and Crescent City, Illinois, that these changes in the level of risks became evident.

An outstanding example of such an unsuspected increase in risk and enlargement of the scope of catastrophe allowed by the regulations is found in the accidents which followed the introduction of Specification 112A type jumbo tank cars for shipment of liquefied petroleum gas (LPG). Liquefied petroleum gas is normally a gas at ambient temperatures. This requires that it be liquefied to permit economical transportation. This "liquid" will boil inside the tank car tank as heat energy is added into the "liquid." The boiling will cause the pressure inside the tank to rise if the gas which is "boiled off" is confined within the tank. This heat energy can originate with the sun, or a nearby fire. Safety valves are used to relieve excessive pressures and to prevent explosive ruptures of these tanks. When sufficient heat is added to a load of liquefied petroleum gas in a tank, the tank can explode in the same manner as a steam boiler. Unlike the steam boiler condition, however, large fires can result from the explosive rupture of a tank car tank loaded with liquefied petroleum gas.

Tank car tanks used to transport liquefied petroleum gas were once of smaller capacity and insulated on the outside to retard the flow of heat to the lading in the tank. These cars were involved in accidents from time to time, and some of them burned, but explosive rupture was rare and the consequences of such ruptures were of limited magnitude.

Regulatory changes made in response to the desire for economies of scale then allowed the liquefied petroleum gas tank car size to be increased threefold, and permitted the external insulation to be eliminated. Allegedly, safety valve capacities were increased to compensate for removal of the insulation. No operational requirements were adopted to limit the bunching of the jumbo cars into large shipments.

Following the regulatory changes, jumbo cars were put into service in great numbers. These cars often moved in multiple-car shipments. The involvement of jumbo cars in accidents has produced accidents of much larger scope as fire, fed by the contents of one of the cars, rapidly heats the contents of the adjacent cars, resulting in pressure increases which the

- 8 -

safety valves cannot relieve, and subsequent explosive ruptures and fires of far larger proportions. Losses in such events have greatly increased compared to losses involving the smaller cars, reflecting the increase in risk levels these decisions unknowingly allowed.

Variations in the level of risk among the modes also developed. An analysis of selected data in the table below illustrates differences in "packaging requirements" for a major dangerous commodity (anhydrous ammonia) among the modes.

SELECTED MODAL "PACKAGING" DATA

ANHYDROUS AMMONIA

MODE	All (+ air)	Highway	Rail	Pipeline	Marine
	(cylinders)
	a/b/	c/	d/ u/	e/	f/
Working Pressure	300	265	225	No set	250
(lowest)				limits
	b/	c/	d/		g/
Max. allowable	54	56	57	Not	57
filling density,%.				applicable
	h/	i/	j/		1/
Safety device	Bureau of	CGAS-l.2	AAR	No line safety	Based on
capacity formula	Explosives		Append A	valves required	CGAS-l.2

Periodic retest	m/	k/	o/	p/
- Period, years	10	5	10	None	Discretionary

	m/	n/	o/	p/
- Pressure, psi	700	397.5	337.5	Required	Discretionary

				q/
- Test/working	2.33	1.50	1.50	1.14
pressure

Retirement	Fail	Fail	Fail	None	Fail
criteria	retest	retest	retest		retest

a/173.304 (DOT4)	g/151.50-30(e)	m/173.34(e)
b/178.48 - 2	h/173.34(d)	n/173.33(e)(2);see 177.824(f)
c/173.315 (MC330)	i/178.337 - 9(a)(2)	o/173.31(c) table 1
d/173.314 (105A300W)	j/179.200-18(a)(1)	p/151.04-5(c)(2)
e/See 195.106	k/173.33(e)(1)	q/195.406 Test pressure/by
f/151.05 (Tank barge)	l/54.15-25(c)	max.operating pressure +10%

The mode with the lowest safety value setting permits the highest filling density, while the smallest "package" with the highest minimum working pressure has the lowest filling density limit. Retest requirements for the smallest

- 9 -

"package" are the most stringent, while there are no retest requirements for the mode which carries massive continuous flows of the commodity. Retesting of the largest single "package" (tank barges) is not routinely required. The mode with continuous flows and the potential for the largest spills has the lowest test-to-working pressure ratio. The mode with the potential for the largest spills does not require excess pressure-relief valves in its lines. Criteria for determining when a container has reached the end of its useful life in service are set forth clearly only in the retest requirements; if corrosion or fatigue creates conditions conducive to failure between retests, how would these conditions be detected? Variations in retest periods suggest different risks among the modes as regulatory maintenance requirements differ. What level of risk should be selected for multimodal shipments? Are the modes being treated inequitably, as these differences in risk seem to indicate, or are the differences justified by differences in the hazards or loss potential in the transportation systems in each mode? If the risks and risk level are in fact different, what are the economic penalties for such differences? The amendments to the regulations which have introduced these differences did not document the changes in the risks or in the levels of risk, so there are no clear answers to these questions in the record of these proceedings.

Another example of a different type of difference in regulatory requirements occurs in the control of low temperature brittleness of vehicle tank materials. Jumbo anhydrous ammonia tank car tanks are not required to employ steels which remain tough at low temperatures. Cargo tanks for highway transportation of anhydrous ammonia must be made of steel which passes toughness tests at -30ö F. This difference affects risks. In an accident at Crete, Nebraska, in 1969, a jumbo tank car tank loaded with anhydrous ammonia was struck on the end by a portion of another car while the tank was at a temperature of about 40 F. The blow did not puncture the tank, but because the steel sustained a brittle fracture, one entire end of the tank was shattered into eight pieces. About 30,000 gallons of liquefied anhydrous ammonia was suddenly released, with the result that six townspeople died and 28 were injured from ammonia inhalation. The existence of this hazard in one mode and not in another suggests that the risks from transportation of anhydrous ammonia in the two modes are different, and that the overall level of risk may be different for the two as a result of this factor.

Another view of this problem can be illustrated by the following data:

There were 106 deaths in reported motor vehicle tanker accidents involving gasoline in the period 1965-67 2/,

There were no deaths in reported motor vehicle accidents involving radioactive commodities during this same period.

Cause of each of the 106 fatalities cannot be separated into collision, fire or other categories, but the overall differences in fatalities

________________________
2/ Krasner, L. M., Motor Vehicle Standards for Transportation of Hazardous Materials, Factory Mutual Research Corporation, January 1970, p. 18.

- 10 -

seem to suggest risks are higher for one commodity class than the other. Are differing exposure factors wholly responsible for the seeming differences, or are the levels of risk, in fact, different? How can the analyst determine the answer to this question?

With these as examples of the variations in risks and in levels of risk which seem to exist under present regulations, the difficulties which exist for the regulators and the regulated under competitive economic pressures are evident. This leads to the next difficulty of the present regulatory approach.

Methods for Evaluating Changes

Another facet of the difficulties posed by varying levels of risk in the present regulations is the absence of a uniform method to evaluate future changes. The regulatory agencies are constantly confronted by this problem.

For example, amendment to 49 CFR 178.358, issued July 17,. 1970, by the Federal Railroad Administration, permits shipment of certain Class B poisons in tank car lots. In the absence of a method for systematically identifying and evaluating the risks, the change (originally proposed by the producers to ICC) was authorized principally on the basis of (1) the "accident-free" experience of limited operations over a 4-5- year period under special permits;* (2) a nonobjective comparison of "hazards" from these materials with the "hazards" posed by even more dangerous materials already authorized; (3) the fact that very few punctures have been experienced with this type of car in rail service; and (4) the assumption that aggregating shipments into tank car lots will reduce the overall dangers from transportation of these materials in drums because of reduced frequency of exposure and reduction in accidents due to fewer containers.

Also considered, without doubt, were the real difficulties confronting the regulatory agency in justifying a decision to withdraw the special permits, if the agency suspected an increase in risk levels. In the absence of an accepted method for demonstrating such reservations, a decision to withdraw the permits would be vigorously contested in view of the successful experience to-date under the permits.

Significantly, there will be no predicted effects against which to measure whether the decision produced the anticipated level of risk if there were an accident. Thus, there is no basis for determining whether the regulation was a success. The need for methods to assist the regulators in their decision-making processes is a real and continuing one.

Some specific questions about regulatory change require a level-of-risk approach:

how can the level of risk for a new commodity be compared to existing commodities, to avoid over--or under--regulation?

________________________
* Special permits are individual waivers (or exemptions) of regulatory requirements granted to applicants for reasons deemed by the regulators to be adequate to justify the action. (49 CFR 170.13)

- 11 -

• how can the level of risk for a given commodity among the modes be determined to avoid inequities in regulatory treatment among the modes?

• how can the level of risk for a given commodity and shipment size within a single modal system be determined for different containers to assure a consistent level of safety?

These questions are of safety and economic importance to the regulators and regulated industries; without mutually acceptable methods for analyzing these issues, continued controversy can be anticipated.

The questions are of interest to the public, also. This leads to the next difficulty under the existing regulatory scheme.

Parties at Risk

Traditional adversary proceedings of the ICC encouraged the parties-of-interest in regulatory matters to come forward with their views in such controversies. The competing interests of these parties were relied upon to precipitate an informative exchange of views by these parties and regulatory decisions were made principally from this record. Views of the regulatory staffs were set forth during many proceedings, but there appears to have been little effect in these records in distinguishing between the parties-in-interest and parties-at-risk in these proceedings. Implicit awareness of the "public interest" or "parties-at-risk" undoubtedly entered into such decisions, but recognition accorded the needs of additional groups at risk has only recently been increasing under the new DOT procedures, and has yet to be documented for analysis and review.

The concept that regulations should be structured to accommodate dangers from dangerous goods during "conditions normally incident to transportation," which prevailed for many years, stands as silent testimony to this problem. In the absence of an effective spokesman, in the regulatory processes, how can and should the interests of all parties-at-risk-- including travelers occupying the same pathways and bystanders--be identified, weighed, and accommodated?

A study let by the Office of Hazardous Materials to investigate information needs of the involved parties will provide some of the answers needed, but a suitable method for evaluating these "parties-at-risk" and their interests is not included in that study.

Who is to represent these interests? Unquestionably, all parties to past and present proceedings to change the dangerous goods regulations consider the public interest, but upon whom does the burden for representing these interests fall? Under the present regulatory scheme, this responsibility must be borne by the regulators, because the other parties must, by their nature, give priority to representing their own interests. This situation underscores the urgency of the problem that methods for identifying, evaluating, and presenting the interests of the nonoperative parties at risk in future regulatory changes, as a part of a formal decision, do not yet exist.

- 12 -

Currently available statistical data do not identify the segment of the population at risk to which each of the casualties in dangerous goods accidents belongs. The involvement of bystanders, as suggested by the examples on page 1, and major incidents such as the Berlin, New York, Crete, Nebraska, and Texas City, Texas disasters, appears sufficiently large to warrant development of improved analytical methods for determining their needs during the evaluation of regulatory changes.

Underlying Deficiency

Existence of these difficulties with the existing regulatory scheme suggests the basis for the existing scheme itself may be deficient.

The scheme of the regulations is now structured on the evaluation of the inherent nature and degree of the hazards posed by these dangerous commodities.3/ By structuring the regulations on the dangerous properties of these individual commodities, and focusing largely on preventing the escape of the commodities from their containers, the interactions of other elements of the transportation system which affect the risk, such as changes in the probability of an incident, the severity of its consequences or the populations at risk, are not systematically evaluated. The development of regulatory measures designed to assure that transportation of these dangerous goods does not expose persons or property to an appreciable danger requires that such efforts focus on the transportation system in which these (and other) goods are moving, and all its constituent elements, not just two (dangerous cargo and its containers) elements of this system. This is the underlying deficiency; the difficulties cited previously are symptoms of this difficulty.

This approach:

• has not been conducive to development of a conceptual framework within which the efforts to develop safety measures could be organized .

• has not lent itself to development of decision rules for determining the safety value of new regulatory efforts.

• does not lend itself to effective identification or quantitative evaluation of relative risk created by the movement of these goods in different transportation systems, or in different ways in the same system.

• does not facilitate application of new analytical tools used in other fields, such as aerospace, biomedical, and computer fields. Especially, it does not facilitate transfer to other commodities of the advances in the field of atomic energy safety analyses, which contributed to the development of the regulations now applicable to radioactive materials.

________________________
3/ For a discussion of this hazard evaluation approach, see McConnaughey, W. E., Welsh, M. E., Lakey, R. J. and Goldman, R. M., Hazardous Materials Transportation, Proceedings of the Merchant Marine Council, May 1970.

- 13 -

The fact that the absence of an overall framework of risk analysis fragments decisions is shown by the problems faced in countering the recent large-scale LPG tank car accidents. The Laurel, Mississippi, accident, as reported by the Safety Board, involved hazards and recommendations over the whole spectrum of risks. The countermeasures available were clearly seen to be not limited to the prevention of the escape of the LPG; Possible countermeasures also included changes to limit the occurrence of derailment, changes to limit the dynamics of collision, changes to limit the scope of the explosion, and changes to reduce the risk of the whole event occurring in a populated area. After this accident, the railroad involved, for a time, reduced the speed of its trains moving this commodity to 15 miles per hour, to reduce the possibility of derailment.

The question of whether it was more effective to limit the number of large LPG tank cars which could be moved together in a train, or to consolidate trains under more stringent operating safeguards was widely discussed in the industry. These questions of trade-offs to reduce the overall risk could not be discussed in quantitative terms because the concept of overall risk determination was not present.

Various proposals for regulatory changes are now passing through the regulatory decisionmaking process. The technical feasibility of these changes and their cost will certainly be argued by those regulated. The manner in which the proposed changes will operate by reducing or eliminating hazards is known, but the degree by which the risk from certain hazards will be reduced cannot be under consideration. Also, the composite reduction in overall level of risk which will be experienced by those at risk cannot be estimated for the various countermeasures, because no method for preparing risk or risk level estimates is in use. This means that in making the regulatory decision, the cost and technical feasibility will be very evident, but the benefit in reduced risk will be visible only qualitatively, if at all.

This approach to developing regulatory countermeasures is an improvement over the manner in which regulatory changes authorizing the large uninsulated tank cars were first approved, because the technical changes include trade-offs, involving the entire system, rather than simply the containers and the commodity, as before. However, the basis for a good decision that compares the costs directly with the benefit in terms of reduced risk to the public, other properties, and other systems is still not present.

A conceptual basis conducive to rational, objective risk level determinations and decisionmaking is a clear requirement for effective control of risks created by transportation of dangerous goods--present and future. New conceptual approaches are required for the development of an appropriate analytical framework for risk level determinations to support future private and public policy, investment, and regulatory decisions in this safety problem area.

- 14 -

Recognition of regulatory problems by the Department of Transportation was publicized in 1968.4/ The commodity-by-commodity and package-by-package approach of the existing regulations was cited, and consequences of the resultant focus on commodities instead of hazards were discussed. However, the announcement, when analyzed, seems to indicate that the new focal point--hazards--would be commodity-oriented, and the performance standard approach suggested seems to indicate continuing reliance on the containment concept of the package-by-package approach. Furthermore, it indicated that regulatory changes would continue to be made within the existing framework of regulatory concepts of classification, labeling, etc. Subsequent proposals and amendments, such as the refined corrosive definitions, adoption of the U. N. labeling system, and packaging changes, have been refinements of existing concepts or, as with the recent reduction in safety valve settings for certain commodities, more restrictive technical changes intended to counter unacceptable accident experience. When the regulators raised substantive issues concerning the level of safety, as with HM-6-A concerning liquid pipeline safety measures,5/respondents’ replies followed the traditional pattern of relying primarily on the "good past accident record", and the existing standards which were alleged to have brought it about, rather than focusing on means for identifying and quantifying the possible changes in risk which might be occurring.

For example, one of the stated program objectives of the Office of Hazardous Materials is the development of a regulatory system which "is based upon more technically standardized criteria, and encompassing all transportation modes." Complete revision of the present regulations is involved "to convert them from the existing engineering approach to a performance standard system." A systems analysis plan for managing the transition to an all-mode performance system is to be developed, based on failure history, field inspections, and conversion of special permits to permanent regulations.

These desires for improving flexibility under the regulations through performance standards are commendable, but the performance standard approach does not resolve the causal factors underlying the difficulties with the present regulations described earlier. It provides the regulations with uniform form but not uniform substance, especially with regard to levels of risk. It continues to focus on the dangerous commodity and its containment in the system, rather than on the risk level created by the movement of the commodity in the systems. It does not provide an organized search for high-risk conditions in the systems. It may create an additional class of risk when translating system operational parameters to equipment testing requirements, in that tests may not appropriately reflect the dangers they are designed to identify. Thus, while the performance standard approach is a valuable improvement in the form of the regulations, it appears to leave unresolved the serious difficulties described in this study.

A conference convened by the National Academy of Sciences in 1969 focused on the development of performance standards for controlling the hazards from

________________________
4/ Hazardous Materials Regulations Board Docket HM-7, Notice 68-5, August 21,1968.
5/ Hazardous Materials Regulations Board Docket HM-6-A, Request for Public Advice; Advance Notice of Proposed Rulemaking, April 18, 1969.

- 15 -

transportation of these commodities. However, with this mission, no new unifying purpose or conceptual framework suitable for identifying and quantifying risks in such transportation emerged from the conference, although many problems and useful ideas were documented for the first time in the report of the conference.

Therefore, it appears that resolution of the problem of identifying, quantifying, and uniformly evaluating the risks in dangerous goods transportation, when changes in regulations are contemplated, continues to elude the regulators, and that the need for new concepts which will lead to their resolution is real and continuing.

- 16 -

DEVELOPMENT OF AN ANALYTICAL FRAMEWORK

The movement of a shipment of dangerous goods through a transportation system creates risks which would not otherwise exist in relation to that system. Risk is viewed here as the probability that hazards existing in the system will cause an event to occur which will result in some loss. A hazard is considered to be a real or potential condition, characteristic, or set of circumstances which can cause injury or death, or damage to or loss of property or equipment, or cause an event which will lead to these losses. Thus risks are dependent upon the existence of hazards, and the probability that the hazards will be activated to cause loss, and the magnitude of the loss.

Risks vary at successive points in a transportation system as different hazards are encountered. The composite of these individual risks constitutes the level of risk for that system. Both the individual risks and the level of risk for a specific transportation system change when a dangerous commodity, with its added hazards, is moving in the system. It is the identification of this incremental change in the system risks and risk levels which concerns all parties effected by such risks and risk levels. The regulators, who are responsible for the promulgation of regulatory changes, need to determine:

what effect the introduction of the dangerous commodity has on the risk level for that system,

how this risk level compares with the risk levels for other systems or other dangerous commodities, and

should the risk level be reduced by regulatory change.

The distinction between hazards, risks, and level of risk is pertinent to the resolution of the difficulties with the existing regulations. Hazards constitute only one facet of risk, the others being the probability of the hazard precipitating an event resulting in loss, and the size. of the loss. Risks, in turn, must be aggregated to identify the level of risk for a particular system. Thus, level of risk, which incorporates both the hazards present in a system, and the risks resulting from the presence of these hazards, provides the most comprehensive means for determining whether the system is acceptable as it exists, or whether action should be taken to reduce the level of risk to acceptable levels, and for assessing the effects of change in one component on the balance of the system. Consideration of only the hazards or risks provides only a portion of the information required for a rational risk acceptance decision.

- 17 -

This assumes that rational level acceptance decisionmaking is desirable, is feasible, and would in fact occur. Risk level acceptance can be voluntary, as with a carrier employee, or involuntary, as with a bystander. The likelihood that these risk level acceptance decisions would be rational is much greater for the voluntary risk takers than the involuntary risk takers in freight transportation. Voluntary risk taking is predominantly economically oriented while involuntary risk taking often involves unawareness of the risk and noninvolvement in the decision process. Involuntary risk takers do not make discrete, identifiable risk - taking decisions, but rather rely on their political institutions to act on their behalf in establishing risk levels. Voluntary risk level determinations are already an implicit decision factor in such transportation each time a package, a vehicle, a carrier, or a route selection is made by a participant in the movement of dangerous goods through the transportation system. For these reasons, adequate identification of the risk levels now being assumed could reasonably be expected to lead to the rational assumption of new or changing identifiable risk levels with relative ease by the voluntary risk takers. However, controversies occur when the risk acceptance decisions impacting involuntary risk takers are made unilaterally by the voluntary risk takers.* Such decisions may be the best decision in terms of the trade-off between economic and technical feasibility and levels of risk, but unless a method exists for demonstrating the basis for the decision and its protective value, it is subject to challenges and controversy.

Until satisfactory predictive analytical methods or accident data to support these decisions are developed, the present methods and data will continue to be controversial and contested matters. It is the development of acceptable analytical methods which constitutes the greatest compulsion of a change from the present regulatory approach to a risk - based framework.

Development of methods for quantifying the risk levels created by the movement of dangerous goods in transportation systems appears to be technically feasible. Within the Department of Transportation the Coast Guard has produced a noteworthy study of a model containing approaches to development of an analytical framework and methods which bear on this problem.6/

* An example of the magnitude such controversies can attain occurred in connection with the Department of Defense’s disposal plans for the rocket warheads containing lethal "nerve gases," which was carried to Congress.

________________________
6/ Unpublished study "Estimating the Damages Presented to Ports and Waterways from the Marine Transportation of Hazardous Cargoes: An Analytical Model." 12 December 1969.

- 18 -

Use of technologies and approaches developed in other safety problem

areas should be transferable to this problem area. For example, analytical concepts which have emerged from aerospace programs bear on this risk-based approach. One of these concepts emphasized a system design approach sometimes termed "hazard prevention". 7/ Another safety program area, dealing with chemical propellants, also emphasizes the "hazard prevention" concept. - These approaches differ from the traditional "accident prevention" approach to improved safety by analyzing the system to minimize hazardous conditions or designs which create the possibility of undesired system failures, rather than basing changes on analysis of the causes of accidents after failures occur.

Analysis of the risks created by introducing dangerous goods into a transportation system can utilize similar methods for identifying the hazards present, and predicting the likelihood of these hazards precipitating an undesired system failure event, with its undesired consequences. By preparing an analysis of the probability of and losses from consequences of such events on a uniform basis for all events in all modes and multimodal transportation system, comparable risk level identifications could be developed. After these risk levels have been identified on a comparable basis, regulatory decisions will be facilitated, and regulators could begin to resolve the difficulties with the present regulatory scheme cited previously.

Development of a framework for dangerous good analysis based on risk requires consideration of:

• undesired transportation system failure events which result in appreciable losses;

• comparative probabilities of such events occurring;

• comparative losses from such events;

• resultant risk level rankings; and

• risk reduction activities.

These considerations suggest development of a framework for analysis which might take the form shown on the following page.

________________________
7/ MIL-STD 882, Department of Defense Military Standard, System Safety, Program for Systems and Associated Subsystems and Equipment.

8/ DOD/NASA Chemical Propulsion Information Agency Publication No. 194, May 1970.

(Pages 19-20) Overview of large chart:

- 21 -

The system Definition and other steps suggested by the Risk

Framework described can be expected to result in the benefits customarily derived from a scientifically disciplined systematic approach to a problem area, such as (1) better conceptual grasp of the intrinsic problems; (2) delineation of methods and data gaps, with improved structuring of research activities; and (3) evolution of problem measurement techniques. Brief discussion of this example of a risk-based framework suggests approaches that might be taken to achieve these ends.

Risk Identification Phase I

The first requirement of the activities described is the identification of the risks involved. Means to develop manageable limitations on the variety of risks to be considered is first required to make any approach feasible. These means must limit the alternatives to be considered in an organized manner which will not overlook risk possibilities of significance, but will allow minor, insignificant risks to be dismissed if they fail to meet the criteria established to distinguish between the two categories. One approach is suggested in the framework described .

a. System Definition

Definition of the transportation system to be analyzed would take into consideration all the system factors, including:

- Human

- Equipment

- Cargo

- Pathway

- Environment 9/

Each of these factors in turn would consist of several elements, depending upon the system selected. For example, the pathway for waterborne traffic might be found to consist of a channel, subsurface hazards, navigation aids, warning signals, channel intrusions, etc. Pipeline corridors might consist of the right of way, unstable or reactive subsurface conditions, pipeline markers, corridor intrusions, etc. Railroad pathways might consist of the roadbed, right-of-way, subsurface hazards, track signals, rail crossing signals, grade

_____________________
9/ Environment is frequently considered to be a transport system factor. Its use here is uncertain; it does not become a factor until a spill dissipates to the atmosphere. Population surrounding a pathway might be considered a pathway element or an environmental element, with compelling justification for either choice. This becomes, then, a system definition decision.

- 22

crossings, etc. Viewed together in a systems context, the commonality of elements in different modal systems becomes evident and takes on analytical value for exploring comparative risk levels among the modes.

The system definition sets the limits on the scope of the problem to be analyzed with regard to dangerous goods transportation. One of the principal practical deficiencies of the current inherent hazard basis is the limitless number of possibilities confronting the analysts. By undertaking the analysis of the risks due to dangerous goods within a specific system, the analyst can limit the size of the problem he is examining to manageable proportions without neglecting any of the key elements in the system.

b. Delineation of Undesired Events

After the system has been defined in terms of its principal factors and elements, the next step will be the delineation of undesired system failure events, when the dangerous commodity is being transported in the system. Such events are not system failures like power outages, but rather events resulting in losses attributable to dangerous commodities, which might be described in terms of container punctures, cargo mixing, energy transfers, internal container reactions, etc. A group of such undesired events, or perhaps several classes of undesired events would be documented for that system and the cargo or classes of cargoes being transported in the system.

This step permits the analyst to achieve three objectives:

1) It defines and provides visibility for the classes of undesired events which the safety regulations will address .

2) It provides a practical screening process for identifying the more important events which should receive initial attention.

3) It generates an inventory of undesired events among the modes which should lead to identification of the commonality of modal problem areas and to clarification of intermodal problems .

Probably the most significant value of this step is the visibility it provides for those undesired events which should be analyzed and controlled. Analysis of this inventory of events and the resultant indications of the directions the regulators and the regulated should be moving would tend to unify the regulatory activities among the modes, even without further analysis.

- 23 -

The performance test criteria 10/ in regulations for the transportation of radioactive materials were formulated by considering a somewhat similar approach 11/, and utilizing experimental, analytical, and experience data. No other explicit application of this approach has been discerned for other dangerous goods in regulations of the modes .

Past accident experience can be useful in building this inventory of undesired events. For example, a perceptive analysis of the existing modal and international regulations could isolate many of the undesired events previously addressed in the regulations, which should be incorporated in such an inventory of undesired events. Such an analysis might also suggest inputs for a catalog of known component relationships and failures which could be utilized in the analysis of probable system failures, described later. This shortcut approach might be utilized during the initial development of possible system failures to be analyzed, although it must be recognized that this "working back from the answer" would not serve to expose unexpected but significant system failures or component failure relationships. It is the predictive needs - - the "safe first time" concept underlying this risk identification process - which requires analytical development of the list of undesired events for each system to assure consideration of unexpected events.

c. Risk Analysis

Each undesired event must then be analyzed in terms of:

1) the probability of its occurrence; and 2) the possible and probable resultant losses to provide a basis for the risk level determination of the occurrence for the movement of the commodity in the system. This constitutes another area of departure from existing approaches, in that it views danger not in terms of the nature of the hazard or the nature and degree of hazard, posed by the commodity, but rather as a risk which is a function of the probability of system failure (p_f) and the severity of the losses from the system failure involving dangerous goods (s_f). Mathematically, this relationship can be described as:

Risk = f(p_f, s_f)

The relationship between this expression and the risk-taking decision approach for businesses, suggested by game theory, is of interest. The principal difference is the substitution of a penalty concept (sf) in the event of a failure, versus the concept of net gain or reward in the event of success in business or a game.

________________________
10 / 49 CFR 173.398; lATA Restricted Articles Regulations, Annex 1-5.
11/ For a brief discussion of this approach, see Gibson, R. The Safe Transportation of Radioactive Materials, p.95, Pergamon Press, London, 1966.

- 24 -

Probability aspects might be remarkably similar for both. The purpose of introducing these relationships here is again to illustrate the benefits which might be derived by applying concepts from other risk problem areas to the problem of risk in dangerous goods transportation.

1. Probability of occurrence

Development of the probability of the occurrence of the undesired event is required to establish one aspect of the quantified level of risk determination for the transportation of the dangerous goods. If this undesired event is viewed in terms of a system failure, and the system failure analyzed, approaches to the development of the probability of the failure will be facilitated.

System failures are dependent upon the presence of hazards in the system, and upon activation of these hazards in a manner which will produce failure of the system. Thus, to determine the probability of the occurrence of a system failure event which will result in loss, both the hazards and likelihood of their activation must be identified. Hazard identification and probability of system failure can be approximated using existing methods such as Fault Tree Analysis used in other safety program areas.12/ These system safety tools have made such analyses possible in. the aerospace industry, with the resultant attainment of levels of system and component safety thought impossible 15 years ago. (These methods may, in time, emerge as one of the major technological benefits of the space programs.)

Application of these analytical tools to dangerous goods transportation problems should pose no conceptual difficulty, and will serve other valuable purposes. Definition of the functional relationships of system components during such analyses leads to identification of the combinations of system component failures ("critical path") necessary to precipitate the undesired system failure. This feature merits emphasis.

One of the consistent findings in the post-facto investigations of accidents by the Board is that there is no single cause of a transportation accident of any kind. Delineation of events before, during, and after the accident inevitably discloses that prior to the system breakdown, with its resultant losses, there occurred a chain of events in which a series or combination of system component failures or deficiencies led to an irreversible event and certain system failure and losses. These hazards, or component failures and deficiencies, or causal factors, can usually be discovered if sufficient facts about an accident are logically reassembled .

________________________
12/ The Boeing Company, Fault Tree for Safety, D6-53604, Nov., 1968 .

- 25 -

It is the discovery of causal factors before the irreversible event which constitutes the main thrust of the risk identification process under the risk-based concept.

The application of such methods could be expected to lead to the identification of gaps in existing knowledge or technology, before accidents rather than afterward. It could also be of value in identifying near-miss as well as accident data reporting requirements, by highlighting the sensitive system components whose malfunctions or failures should be monitored in service. It would thus give valuable direction to research programs, and could lead to more effective cross-modal applications of findings for accident, near-miss, and component failure reports.

Finally, application of these methods would provide feedback to the undesired events inventory. Systematic examination of system component failure relationships during the probability analysis should lead to the discovery of unanticipated, undesired events, which are not otherwise discernible before accidents occur.

2. Consequences of Occurrences

Concern for safety in dangerous goods transportation also increases in direct proportion to the severity of the losses resulting from an undesired event. Therefore, this factor must be accommodated in the risk identification and evaluation processes .

Consideration of the losses from an undesired event must include:

- populations at risk

- properties at risk

- systems at risk

These elements of risk involved in dangerous goods incidents have, unquestionably, always been considered implicitly, in varying degrees, during development of existing regulations. Documentation of these considerations is lacking, and therefore a reliable review of the quality of these past efforts is not possible. The content of the regulations, however, suggests that these efforts produced mixed results. The relatively equal regulatory treatment of almost all green label gases in cylinders, for example, suggests that considerations other then the severity of the potential losses were controlling considerations in the development of existing regulations. More recently, the responses by industry to proposals for regulatory changes, as in HMRB Docket HM - 6 - A for example, also support this indication.

Development of a framework for analyzing and methods for evaluating the potential losses from undesired events would contribute to appropriate consideration of this facet of risk.

- 26 -

Research into the risk elements and the classification of loss modes is needed to refine these concepts. For example, the populations-at-risk and the nature of their exposure must be clearly understood before the consequences of an undesired event can be adequately evaluated. Some populations-at-risk, such as bystanders or emergency personnel, face risks after an occurrence which are similar for several modes; these similarities need to be explored more systematically.

The parties-in-interest in the regulatory proceedings usually differ from the population-at-risk. Determination of the population-at - risk is required before the role and interests of each can be established for consideration and analysis. Until these needs are clarified, regulatory safety measures will lack focus and cannot consider the proper degree of protection required, by each segment of the population-at-risk.

The relatively narrow view of properties-at-risk and systems-at-risk, as evidenced by the scope of coverage for assignment of loss values to dangerous goods accident reports for example, also requires re-examination. Properties, such as structures over transportation pathways, are at risk, as are cargoes moving in the same transport equipment with dangerous goods. Yet consideration of losses is probably different for these two classes of property-at-risk. The consequences of system losses were illustrated at Crescent City when the water supply system was damaged, and the use of the rail line lost for almost 3 days.

Methods for considering all three elements at risk during the appraisal of the consequences need to be developed.

Appraisal of the consequences of the undesired events, or transportation system failures, is complex. Where past applications of systems safety to other programs dealt with relatively predictable consequences, because of the relatively stable operator, equipment, pathway or locational considerations, the ever-changing nature of these elements during the transport of dangerous goods raises complexities not yet encountered in other safety programs. The variety and range of consequences of an accident involving dangerous goods are dependent upon many variables, such as the nature of the dangerous cargo, the emergency responses to the accident, and the location of the accident, among others. However, by considering the system through which a dangerous goods shipment moves, and examining the nature and degree of the hazards posed by the commodity or commodities in the shipment, the most extreme credible potential losses from failure could be estimated for that system. By examining the accident history of shipments causing this type of loss or losses, a reasonable estimate can also be developed for the probable losses from failure of the system in terms of death, injury, or otherwise for alternative consequences from a specific failure or type of failure.

- 27 -

The inherent hazard classification concepts of the present regulations should not stifle the approach to the development of classes of losses to be used in this step of analysis. The Coast Guard’s hazard guide 13/ suggests one alternative set of classes for consideration of the consequences. The framework presented in this study suggests another set which might be desirable. A new classification theory might follow such efforts.

At this time, there appears to be no method for predicting the losses from individual undesired events with a high degree of confidence, without specifying rigid system constraints. Therefore, an approach to rating the severity of the losses will have to be developed. Several approaches might produce the desired results. For example, the use of an estimated "average probable losses" factor might be adequate for the intended purposes. Another might be based on cost of making all risk-takers whole again. Determination of losses would probably require an initial judgmental consensus on the values of life or disabling injury to be utilized for the rating process, but this should not be permitted to become a fatal defect in the approach.

The analysis of losses from each of the undesired events for the system selected would produce a "failure severity rating" for each event analyzed. Approximation of the relative severity rating of each undesired event is the purpose to which these technical development efforts should be addressed. This rating should consider the range of possible as well as probable losses for each class of consequence, in combination, for each event. Graphic or mathematical correlations of the ranges of effects for each class might be used to relate them to an overall failure severity rating for the event.

Determinations of the magnitude of the possible and probable losses for each class of losses must utilize uniform measurements, based on the losses attributable to the dangerous commodity, in the event, and not the entire event during which these losses occur. This is required to permit valid comparisons among different events and systems. Development of methods and measurements for these estimates, which will often involve incremental losses, will require research. Clearly, better yardsticks than fatalities per year or fatalities per ton-mile transported are required for this purpose.

Risk Evaluation: Phase II

The failure severity ratings, based on losses from undesired events, could be linked to the failure probability ratings based on the same events.

________________________
13/ Evaluation of the Hazard of Bulk Water Transportation of Industrial Chemicals. A Tentative Guide, Publication 1465, National Academy of Sciences, National Research Council, Washington, D.C. 1966.

- 28 -

If the methods developed are internally consistent in terms of units, bases of measurement and otherwise, for probability and loss ratings, the resultant ratings should permit development of direct comparisons among the systems considered and the events within these systems. However, these two factors must be combined to describe the overall level of risk created by the addition of dangerous goods movement to the transportation system.

a. Level of Risk

A method for combining these two ratings, which reflects their weighted individual impact on the level of risk for the events in different modes, or for all the events in a mode will have to be developed. Customary indicators of risk levels such as total fatalities, or fatalities per year or per total tonnage transported, while perhaps indicative of risk levels, appear to be unsuitable because they can not reflect the probability consideration involved. Therefore, new approaches are needed.

One feasible approach might be a scaled rating system, similar to the Richter scale for earthquakes, which are natural "undesired events." Others might be developed through appropriate research.

The number of undesired events and the effects of multiple probability combinations suggests extensive calculations to arrive at some of these composite ratings. In aerospace safety program areas, the use of the computer has enabled related and highly complex problems to be successfully examined. These techniques should be investigated to ascertain if they can be transferred in substantial degree to the dangerous goods risk level determination processes .

b. Risk Level Decisions

After identification of comparative transportation risk levels, one of two decisions is made for each specific system. Either the risk level is accepted, or it is not accepted and alternative corrective measures are considered. The decisionmaking criteria need to be better understood. Investigation of the criteria upon which such decisions should be made warrants attention, because of the apparent differences in the levels of risk accepted today for the transportation of dangerous goods in different quantities and in different transportation systems. For example, the level of risk involved in the transportation of radioactive materials would seem to be lower than that created by the transportation of fuels by several orders of magnitude, based solely on the number of fatalities involved in radioactive materials versus fuel transportation accidents. What criteria should apply to any future regulatory changes which affect this relationship?

- 29 -

Over the extended period of time regulations have been in effect, the regulated shipper and carrier industries have committed substantial resources to the standards and practices required by these regulations. Injustices which could result from abrupt changes in these regulations and established regulatory concepts underlie widespread fear of change. These real concerns require continuing attention.

Change must not be stifled if risk level reduction is commensurate with the effort, but neither should changes be made subjectively or solely on an intuitive basis. Any beneficial change creates new expenses or savings; the ability to consider comparative risk levels before and after the change in the regulations should be of value in establishing needed criteria for deciding whether or not the change is warranted.

Risk Reduction: Phase III

The Risk Reduction phase constitutes the action phase of the framework. During this process, the development, planning, organization, and control of the measures required to reduce the dangerous goods transportation risk levels to acceptable levels would be conceived, tested, and implemented. Detailed consideration of this phase is beyond the scope of this study, but general concepts relating to the risk concept merit comment.

The decision to reduce a known risk level may be implemented in several ways. The most direct action is to prohibit movement of dangerous goods through the system. For example, certain dangerous commodities are considered so dangerous now that they may not be moved in any common carrier transportation system (liquid nitroglycerine). Quantity limits are imposed for transportation in critical pathways such as the Hudson River Tunnels into Manhattan. New analytical methods might suggest other diversions from certain transportation systems for classes of commodities creating unacceptable risk levels.

The decision to reduce a known risk level may also be implemented by the development of:

- improved system components

- improved system controls

- improved emergency responses

Improvement of system components to reduce the predicted component failure rate can be facilitated within the analytical framework described. By isolating the key components which must be made more reliable, this effort can concentrate on the most productive effort to achieve improved system safety.

- 30 -

The development of system controls, both regulatory and voluntary, includes the development of rules, compliance checks, and enforcement actions. The system controls can focus on reduction of the probability of either component failure or system failure. System design, fabrication, testing, start up, maintenance, and other aspects of the system operation are some of the areas on which system controls development might focus. The system control efforts stress the prefailure and failure phases of the undesired events, and thus are similar to accident prevention measures in the traditional sense. Under the broader risk concepts, the system controls contemplated extend a step beyond the traditional accident prevention concepts, because they would feed back into the probability estimate of system failure and the resultant effects on the overall transportation risk level. This would permit reasonable preaccident evaluation of the validity of the system controls proposed, rather than require a test in the crucible /of accident experience involving the public for this evaluation.14/ Further, by identifying and monitoring key component malfunctions or failures which might have --but didn’t -- cause system breakdowns, hazards throughout the system could be addressed on a continuing basis before a catastrophe.

A third area of risk reduction, addressed to minimizing the severity of the losses from a system failure, centers on the development of improved emergency responses. The range of these responses is now imprecisely focused and quite broad. The development of these response mechanisms and techniques could be effectively focused by the results from the risk evaluation process. It should be possible to develop alternative emergency plans, depending upon the circumstances surrounding a particular incident, based on predicted loss modes and severity under these circumstances. The risk identification and evaluation phases could delineate the possible or probable problems to which emergency response development should be addressed. By thus organizing the emergency response development effort, problems caused by proliferating private and public response agencies, plans and systems would be substantially reduced. A central repository of the emergency response plans could be facilitated and more readily utilized in emergencies.

_______________________
14 / See page 11 of the Safety Board’s report on the Laurel, Mississippi, Railroad Accident.

- 31 -

IMPLEMENTATION

The implementation of the risk - based approach will quickly identify numerous areas where data, methods, and information will have to be developed to permit the broad, successful application of the approach to all dangerous goods transportation. The resources required to implement the suggested approaches successfully have not been determined: this would have to be developed as the methods research progresses. Because other programs have borne the burden of much of the technological development costs, results in this field should be much less costly. Neither the cost nor benefits can now be reliably ascertained; however, the difficulties with present regulations clearly justify the initial efforts.

Implementation of the approach through transfer of existing technologies appears to be most promising in the probability aspects of the analytical efforts. The initial inventory of undesired events could be started without delay by researching the existing regulations for all modes.

The development of the concepts relating to losses and the system failure severity ratings may be more difficult. Here, too, an inventory of recorded consequences of such undesired events is a possible starting point, with development of appropriate classifications of loss modes and severity rating techniques to be based initially on an analysis of these findings.

It is evident that the risk - based conceptual framework will have to be developed and implemented gradually. This suggests that bulk dangerous goods transportation systems, which prima facie pose highest transportation risk levels and involve fewer complexities than systems carrying multiple cargoes, are the logical first candidates for application of the new approach. Pipeline transportation, particularly, might lend itself well to the initial efforts. Leadership for this undertaking could be provided by the Department of Transportation through its Assistant Secretary for Safety and Consumer Affairs. Public support for the undertaking, in the form of special task groups established by interindustry groups, standards organizations, professional organizations and groups representing emergency personnel, for example, would contribute to success of the effort.

One further aspect of this implementation effort warrants comment. As the new analytical methods are implemented, their impact is likely to be felt in other areas of freight transportation safety, such as packaging of nonhazardous shipments, vehicular design, pathway limitations, operational controls, etc. Thus their implementation must not be considered solely in the light of improved dangerous goods transportation safety, but in the broader context of improved freight transportation safety .

- 32 -

CONCLUSIONS

Movement of dangerous goods in transportation systems creates certain risks. Approaches upon which present regulations are based have resulted in apparent inequities and serious difficulties under these regulations, as described herein. Performance standards, while helpful, will not resolve these difficulties. Therefore the Board concludes that a new basis is required for these regulations. This new basis must provide for the effective resolution of difficulties with the existing regulations and meet future needs for efficient equitable regulation of all transportation systems and all dangerous commodities .

The Board believes that risk - based concepts can provide a responsive logical framework for development of the objectives, approaches, and analytical methods required to overcome the difficulties with existing regulations, and to improve these dangerous goods transportation regulations and safety. A risk - based framework can provide a systematic, uniform basis for the identification and evaluation of risks posed by movement of dangerous goods through modal and intermodal transportation systems. It can accommodate consideration of both the probability and consequences of undesired system failure events. It can aid in identifying potentially catastrophic system failures. It can provide for identification of risk levels on a comparative basis for a commodity in different modal or intermodal systems, or for different commodities in the same system. It can provide a means for equitable comparison of risk levels among modes and among commodities useful for private and public policy decisions about acceptable risk levels, modal selection and investment criteria, system control requirements, emergency responses, and research and development efforts. Probable benefits from improved analyses are likely to occur in other freight transportation safety program areas as the development of the framework and application of analytical methods progress.

The costs of the effort to develop and implement the risk - based framework for evaluation and action are not determinable at this time; neither are the costs of inability to evaluate the probable results of regulation, with their resultant economic inefficiencies and dislocations, or waste under the present regulations, but it is believed that they are substantial. The need for a sound basis for determining the degree of waste might, in itself, justify the effort; the other difficulties with the regulations amplify the need. Much of the technology needed to implement the effort, once framed, has been developed in other safety or analytical program areas and should be transferable without serious conceptual difficulty to this safety program area. A number of practitioners are probably available at present from the aerospace industry. Therefore, implementation costs should be modest when compared either to total safety expenditures or to the potential

- 33 -

safety and economic benefits in both domestic and international

trade. The degree of these benefits is not determinable until the framework is established; however, it is clear that the avoidance of losses such as those of the examples could finance a substantial study effort.

For these reasons, the Board concludes that adoption of a risk-based framework for guiding future dangerous goods regulatory actions is necessary and desirable, and must replace the present only partially analytical methods which treat problems in isolation and prevent comparative judgments. Such a framework is feasible, and should be developed and implemented without undue delay.

- 34 -

RECOMMENDATIONS

The Safety Board recommends that:

1. The Secretary of the Department of Transportation initiate the development and adoption of a risk - based framework for evaluation and planning of dangerous goods transportation safety regulations or programs in the Department, by a project leading to development of the analytical methods for risk identification and evaluation required for its implementation through a designated organization within the Department.

2. The modal administrators in the Department of Transportation require application of such a framework as it develops and use of risk - based analytical methods in the formulation of the dangerous goods regulatory programs, including special permits, in each mode, for both intra- and intermodal shipments at the earliest possible date. It appears that risk-based methods should be used first on bulk shipments.

3. The Secretary consider the formation of an advisory group or groups bringing together, under the auspices of an organization such as the National Academy of Sciences, representatives of the point of view of all parties - at - risk, including the population along pathways of movement, to assist the Department of Transportation in the development of the risk identification and risk evaluation aspects of the risk-based framework and analytical methods. The use of existing advisory groups should be considered, where they include the point of view of all major segments of the population - at-risk.

4. Technical advisors representing the point of view of a party - at - risk, or other parties (including academic institutions and non - federal public agencies) having a clear and continuing interest in dangerous goods transportation safety, be required to have experience or capabilities in systems safety analysis techniques or be in training in such techniques in order to serve on such advisory groups.

5. Each private organization or agency whose activities require an interest in industry or code standards affecting the safe transportation of dangerous goods begin to develop and employ risk - based concepts and methods to the maximum extent feasible in its projects, to gain experience in the use of techniques, and to assist the Department of Transportation by providing points of experience able to deal with DOT use of risk - based evaluation concepts.

- 35 -

6. The Department of Transportation organization managing this project publish, at not over semiannual intervals, reports of the progress in the development of risk-based methods of evaluating regulations and programs, and their application to specific dangerous goods systems .

BY THE NATIONAL TRANSPORTATION SAFETY BOARD:

/s/

JOHN H. REED________________________

Chairman

/s/

OSCAR M. LAUREL_____________________

Member

/s/

FRANCIS H. McADAMS_________________

Member

/s/

LOUIS M. THAYER____________________

Member

/s/

ISABEL A. BURGESS___________________

Member

January 27, 1971

71992