I have written a couple of times about the “controls fail” scenario in safety management studies (here and here). It has sometimes not been well understood, so those posts prompted a bit of discussion, and it was also a topic of keen discussion at the SMS Facilitators Forum in May. Hence I was pleased to see that a similar concept receives brief but important consideration in Andrew Hopkins’ book Disastrous Decisions on the Deepwater Horizon well blowout.
(As an aside, I used to refer to the “all controls fail” case, until a few people pointed out that for a well-designed installation with multiple effective protection measures the worst plausible scenario might not be ALL controls failing. In fact that is a very desirable position if you have the luxury of being able to achieve it through design. Changing the design is not an option for existing pipelines, though, so they may really be vulnerable to ALL controls failing, including the final barrier of wall thickness.)
But back to Hopkins, who reports on initiatives from the US Nuclear Regulatory Commission after the Fukushima accident, in which the tsunami that damaged the plant was much greater than the one it was designed for. An NRC task force recommended that design and risk assessment should consider how the system would respond to beyond-design-basis events in which all the defences have failed. Clearly this is similar to an SMS “controls fail” case in that it encourages consideration of how the installation would cope with worst-case scenarios.
In a sense the Australian pipeline industry has been leading even the US nuclear industry in this aspect of risk management. It will be interesting to see whether the concept eventually spreads to the oil and gas and other hazardous industries as Hopkins recommends.