Accident Investigations – more

The previous post received a comment from Adrian Amey which made me realise that I had not properly explained one of my key points.  So rather than just reply to the comment I thought I should write another post.

There is in fact some technical information around on both the Varanus Island and Belgian failures.  (I would like to make it available through this blog but I’m not sure if it’s in the public domain and don’t want the risk of being sued.)  I think Adrian and I have seen the same documents and we draw the same conclusions about the immediate causes of the failures.

But those documents show only the immediate technical cause. What I’m interested in, and what everybody in the industry and the public should be interested in, is the broader context of the human and organisational failures that led to the physical cause arising in the first place. The physical failures don’t occur spontaneously – they happen because people made mistakes of commission or omission, and they made those mistakes within organisations that have systems and cultures that affect the likelihood of human error or oversight.

To protect against failures we need to understand the organisational cultures that promote or prevent them. That’s what I want to see in accident investigations.

More specifically, the Varanus Is incident was a corrosion failure.  What the world should be told is how the corrosion was allowed to progress to the point where the pipeline failed.  What processes and cultures within Apache failed to find and fix it in time?  How did the regulatory systems fail in their oversight role?  Simple questions, but the answers can be very complex.

Similarly the Belgian incident was a mechanical damage failure, possibly compounded by what might have been an inappropriate response to an initial leak (the pipe did not rupture immediately the damage was done and a number of the fatalities were among the people investigating the leak).  But we have been told little or nothing about the systems that were in place to prevent unauthorised activity over the pipeline and to supervise activity that had been authorised.  How effective were those systems?  Why did they fail?  What could have been done better in response to the initial leak?  How appropriate was the emergency response?  Was the regulatory regime adequate?  Again, simple questions that are likely to have complex answers.

It is very fortunate that there are so few pipeline catastrophes.  But when they occur we should take every opportunity to learn as much as possible from them so that the rate of failures can be pushed ever closer to zero.

Just looking at the immediate physical causes will miss all the really important lessons that could be learned.

This entry was posted in Eng'g philosophy, Incidents.

3 Responses to Accident Investigations – more

  1. Anonymous says:

    Peter,

    The work over the pipeline was authorised – however it was undertaken without informing the operator and hence there was no inspector. To compound the problem the contractor decided that deeper road base stabilisation than authorised was required and made a decision without seeking approval. The final nail in the coffin was that the road base blending machine was large, and the operator probably had no knowledge that he had hit the pipe. Consequently when the leak occurred it took some time for the link to be made between an approval and the time delayed failure that occurred because the control room needed to increase the pressure.

    Australia has a few similar cases where there was authorisation to do work close to the pipeline, and the contractor started work without appreciating that the work was not permitted unless the inspection was in place.

    Many pipeline failures have relatively simple causes – the cause of the Varanus Island failure is relatively simple – while the organisation has some blame, the cause can be sheeted to the responsible person either not being competent, or not accepting the responsibility that is required of him being responsible. In the case of the Belgium incident the responsible person is the approver of the work and had he undertaken a much greater interest in the work approved (and had a basic mistrust of contractors) he would have hounded the contractor to ensure his people were on site at the time.

    While the organisational issues are important, if the organisation transfers responsibility to an individual, then the individual must accept the responsibility (and the organisation must ensure that the responsibility is recognised and implemented to the extent required).

    I’d like to see more consideration of individual responsibility – because no matter what the organisation does, the person charged with making the decision is usually the initial point of failure.

  2. petertuft says:

    Individual responsibility is part of it, but only part. If we rely on individuals to do the right thing all the time, with no further checks and balances, then incident rates will be higher than they need to be because no-one is perfect – in fact most of us are very imperfect. I also don’t think the courts would accept the individual responsibility argument and absolve the organisation.

    There is a well-known Swiss Cheese model of failure prevention, first presented by UK safety guru Jim Reason. To prevent disasters we need multiple layers of protection because no single protection is absolutely reliable. Reason likened the layers of protection to slices of Swiss cheese, which has large holes in it. If you have enough layers of cheese (or protection) the holes won’t line up and nothing will get through.

    Individual responsibility is one layer. Organisational structure (supervision etc) and the organisational culture (“the way we do things around here”) are more layers. All of these sit on top of the physical and procedural protections that AS 2885 mandates.

    There are always lessons to be learned. In Belgium, the fact that the work was authorised should have alerted the operator to a possible need to increase patrol frequency in that area to keep an eye on the contractor, since contractors regularly start work without waiting for the pipeline inspector. I believe that there was a delay of a few days between the mechanical damage and the rupture. If correct, then the pipeline operator failed to notice that unauthorised work had taken place over the line and hence was unable to check for possible pipe damage as a result. I would hope that in an equivalent “I” (Industrial) location class in Australia no operator would allow either of these oversights – I think you are saying the same thing.

  3. Pingback: Varanus Island report | Pipelines OZ
