Lessons From Longford by Andrew Hopkins

Excerpts from Lessons from Longford
Excerpts from
LESSONS FROM LONGFORD By Andrew Hopkins
Prepared by Keith Spence
10 July, 2000
Page 1
gw_group/keith/word/safety/longford.doc
Chapter 1: Introduction
Things happened on that day that no one had seen at Longford before. A steel cylinder sprang a leak that let liquid hydrocarbon spill onto the ground. A dribble at first, but then, over the course of the morning it developed into a cascade ... Ice formed on pipework that normally was too hot to touch. Pumps, that never stopped, ceased flowing and refused to start. Storage tank liquid levels that were normally stable plummeted ... I was in Control Room One when the first explosion ripped apart a 14-tonne steel vessel, 25 metres from where I was standing. It sent shards of steel, dust, debris and liquid hydrocarbon into the atmosphere. These are the words of the operator whom Esso blamed for the accident at its gas plant at Longford, Victoria on 25 September 1998.
The themes of this book

A number of themes or issues are woven through this book and it is worth flagging them now so that they will be recognised when they appear. Practicable preventability - the Commission found the accident to have been practicably preventable. Are accidents in technologically complex environments ultimately inevitable or are they realistically preventable? Cause - accident analyses abound with references to causes and contributing factors. Sometimes there are indirect causes and contributing factors. We read of root causes, immediate causes, real causes, ultimate causes and main causes. What do all these mean? The book adopts a particular definition of cause and uses it as consistently as possible. Operator error - operator error is frequently the first explanation provided for an accident. But this is merely the starting point for analysis. As soon as we ask why the operator made the error in question we begin our journey back along the chains of causation. From a prevention point of view it is better to focus on factors further back along the causal chains which put operators in a position where it is possible for them to make critical errors. Market forces and government regulation - when we extend the causal network far enough, market forces and cost cutting pressures are almost invariably implicated. Many accident investigations stop short of these factors, or at least do not include them systematically in the analysis This book seeks to extend the causal analysis as widely as possible and stresses the role of government regulation in counteracting the tendency of market forces to push organisations towards accidents. Organizational analysis - the report of the Royal Commission focused overwhelmingly on the technical causes of the explosion. This book adopts the reverse approach. It devotes as little attention as possible to the technical causes, and focuses on organisational or management system causes, on the principle that if we can get the organisational factors right the technical causes of accidents will not come into play. A focus on organisational rather than technical causes offers the best opportunity for generalisation i.e. the best opportunity for learning that can be transferred from one enterprise or industry to another. High reliability organisations - social scientists have recently been studying organisations which function with high reliability. One of the central research findings is that high reliability organisations are characterised by collective mindfulness about the possibility of disaster. Many of Esso's failures will turn out to be failures of mindfulness.
10 July, 2000
Page 2
Chapter 2: Operator Error

Esso argued that control room operators and their supervisors on duty at the time made a number of crucial errors. But more than this, Esso claimed that the operators had been properly trained and there was therefore no excuse for their errors.
Problems with the theory of operator error

The theory of operator error is not just a device for protecting the interests of companies which suffer major accidents; it is a widely adopted style of explanation. Sophisticated accident analysts, however, consistently resist this style of explanation, for at least two reasons. First, it is often unjust, and second, it generates very few insights into how accidents may be prevented.
Active failures and latent conditions

Human beings inevitably make errors and errors by operators must be expected. Thus, rather than focusing on the operators who make the errors, modern accident analysis looks for the conditions which made the errors possible. From this perspective errors are seen as consequences rather than principal causes (Reason, 1997:10). Reason has developed this idea by distinguishing between active failures and latent conditions as follows: Active failures are the errors and violations committed at the sharp end' of the system by pilots, air traffic controllers, police officers, insurance brokers, financial traders, ships' crews, control room operators, maintenance personnel and the like. Such unsafe acts are likely to have a direct impact on the safety of the system. Latent conditions are to technological organisations what resident pathogens are to the human body. Like pathogens, latent conditions (such as poor design, gaps in supervision, undetected manufacturing defects or maintenance failures, unworkable procedures, clumsy automation, shortfalls in training, less than adequate tools and equipment) may be present for many years before they combine with local circumstances and activate failures to penetrate the system's many layers of defences. Reason also points out that not all major accidents are triggered by active failures. In some cases latent failures lead directly to disaster when certain local circumstances occur, without any error by front line operators.
The real" causes

The report of the Royal Commission made a distinction between immediate and real causes. Immediate causes referred to the sequence of technical events, starting with the process upset, which culminated in the rupture of the heat exchanger and the escape of inflammable gas. But the report identified the real causes as the inadequate knowledge and training of the operators, which prevented them from taking appropriate preventive action as the accident sequence developed.
Conclusion
The catastrophic failure of the heat exchanger was triggered by operator error. In fact several staff at Longford participated in the faulty decision to re-warm the metal heat exchanger which had become brittle with cold. But in no sense can these men be blamed for their decision since not even their senior managers understood the danger inherent in the situation. The fact is that none of the men concerned had been properly trained about the dangers of cold metal embrittlement and the company had not developed procedures to deal with this danger. Operator error has proved to be an unsatisfactory explanation here, just as it has in so many other major accident investigations. Nor is it sufficient to explain what happened in terms of
10 July, 2000
Page 3
Excerpts from Lessons from Longford inadequate training. There are more deep-seated reasons for this training failure. The root causes or latent conditions will be explored in later chapters, generating a number of important lessons which are relevant to high hazard industries in general.
10 July, 2000
Page 4
Chapter 3: The Failure to Identify Hazards

Managing safety in any enterprise, large or small, starts with hazard identification. Esso had introduced its workforce to the idea with its strategy of stepback five by five.
HAZOP
The standard hazard identification process in the petrochemical industry is the hazard and operability study or HAZOP. It involves systematically imagining everything that might go wrong in a processing plant and developing procedures or engineering solutions to avoid these potential problems. In the case of existing plant, retrospective HAZOPs were to be carried out as needed. Esso had carried out retrospective HAZOPs in 1994 and 1995 of all these facilities, except gas plant 1. One hint as to why Esso seemed so unconcerned about conducting the HAZOP on gas plant 1 was provided by one of its consultants. This man was asked whether an efficient and astute operator would want to review older plant from time to time to gauge the extent to which it departed from modern standards. His reply was that the general principle was - 'if it ain't broke, don't fix it. He noted that this had applied to gas plant 1 in that it had operated for nearly 30 years without a problem. This view is completely at odds with the philosophy of safety management in relation to rare but catastrophic events. The fact that a major accident has not happened in the past provides no guarantee for the future. But illogical though this witness's position may be it does provide some insight into the kind of thinking which may have Ied to the indefinite deferment of the HAZOP of gas plant 1. Did the lack of a HAZOP contribute to the accident? The Commission came to the view that the failure to conduct the HAZOP indeed contributed to the explosion.
An interactive, multiple failure

For reasons to be discussed in later chapters, operators ignored various alarms and failed to take effective action to control the upset. This complexity led one Esso witness to describe the sequence of events as an interactive, multiple failure scenario. He noted that HAZOP methodology has an inherent weakness that precludes the identification of interactive, multiple failure scenarios that weakness being that it can deal with only one thing at a time. The view is that a normal accident occurs when there are unanticipated multiple failures in the equipment, design, or operator actions. The normal accident cannot be prevented because it is not possible to create faultless systems. There is, however, a crucial logical flaw in this final step. It is not necessary to predict the entire accident sequence in order to be able to avoid it. The fact is that had any one of the errors or malfunctions in a system accident not occurred, the accident would not have occurred. This was the position taken by the Royal Commission.
The absence of procedures

As noted above the Commission's view was that a HAZOP would have identified the need for written procedures for dealing with the loss of warm oil flow, as well as procedures for plant shutdown and restart which occur infrequently and may present special dangers not faced during normal plant operation. The absence of start up and shutdown procedures was contrary to Exxon policy and Esso management could provide no explanation to the Commission for their failure to comply with the parent company requirements in this respect. The Commission concluded that the lack of proper operating procedures, therefore, contributed to the occurrence. This provides a context for the Commissions conclusion about inadequate training as a real cause. An immediate cause of the accident was the lack of
10 July, 2000 Page 5
Excerpts from Lessons from Longford operator training on how to handle the failure of warm oil flow. This in turn was a consequence of the lack of appropriate procedures in which operators might have been trained. The absence of procedures stemmed from the failure of the company to carry out the relevant HAZOP. And the failure to conduct the HAZOP was attributable to concern about resources. Where the emphasis is placed depends on one's purposes, but in the context of this chapter, it is the failure to conduct a HAZOP which constitutes the root cause.
The hazards of interconnectedness

One of the obvious lessons from Piper Alpha for Esso concerned the importance of being able to isolate plant quickly and effectively. But this was not a matter Esso attended to. The emergency shutdown procedure did not effectively isolate gas plant 1. Gas plants 2 and 3 were not damaged in the fire but before they could be restarted they had to be totally isolated from gas plant 1. There were numerous interconnecting pipes and, as the Commission observed, to identify all of the isolation points that would be required to effect a safe restartwas a complex task which involved an intimate knowledge of the plant. Gas plants 2 and 3 were built after gas plant 1. However, no study was done at the time they were built to identify the hazards, which might result from the interconnection of these plants and the ways in which this might threaten the supply of gas to Victoria.
The hazards of change

Processing plants evolve and grow over time. Such modifications inevitably introduce new hazards, and pessimists conclude that accidents are inevitable in such contexts. However, those who are committed to accident prevention draw a different conclusion, namely, that it is important that every time physical changes are made to plant these changes be subjected to a systematic hazard identification process. There were two other management of change failures which contributed to the accident which I mention here because they will be relevant in later chapters. Part of the mixture entering gas plant 1 was a light hydrocarbon condensate. This liquid must be separated and specially treated. In 1992 a pipeline was installed to transfer excess quantities of condensate from gas plant 1 to gas plant 2 and in subsequent years further modifications were made to this system to improve the efficiency of the production process. But the transfer of condensate required certain parts of gas plant 1 to be operated at lower than design temperature and this contributed to the process upset which initiated the accident sequence in ways which will be discussed in a later chapter. A second relevant change was the relocation to Melbourne in 1992 of all the engineering staff who had previously worked at Longford, leaving the Longford operators without the engineering backup to which they were accustomed. Esso did not systematically attempt to identify the hazards involved in relocating its on-site engineers.
Exxon's hands-off approach

Esso's numerous failures raise the question of the role of the parent company, Exxon, in ensuring that hazards are properly identified. Exxon promulgated a variety of guidelines and hazard identification procedures to Esso Australia and other affiliated companies and provided advice and information. But it did not exercise any detailed oversight of Esso's activities. Its approach was ultimately laissez-faire, leaving responsibility for safety in Esso's hands.
Conclusion
Managing major hazards requires that those hazards first be identified. They then require that specific managernent plans be developed for each such hazard. It must also be understood that any significant change has the potential to introduce new hazards and the management of change must therefore include hazard identification processes. Furthermore, it makes good sense for the head office of a company to take direct responsibility for the prevention of rare but catastrophic events.
10 July, 2000
Page 7
Chapter 4: Ignoring Alarms - Necessary Violations?

Meeting the gas order
For various reasons it was difficult for operators to maintain the process within the specified limits and the result was that there were frequent alarms. Ironically, it was easier at times to maintain the quality of the outgoing gas by allowing processing to occur outside the specified limits, that is, with some part of the system in alarm. Operators quickly cancelled the audible alarm but the visual alarm lights were less obtrusive and easier to live with. Here then are the beginnings of a more complete explanation: the operators' understanding was that operating in alarm mode was sometimes necessary to meet the gas order for the day. It is particularly important to note here that the condensate transfer system, which had been installed in gas plant 1 in 1992, required the system to operate outside its normal temperature limits when condensate transfer was occurring. One alarm, in particular, was frequently ignored,
Alarm overload
The alarm problem was compounded enormously by the sheer number of alarms which operators were expected to deal with - at least three or four hundred a day. Given a situation of such extraordinary overload it was inevitable that operators would become de-sensitised and that alarms would not be properly attended to. Given the extraordinary situation of alarm overload, operators clearly needed to be highly selective in the alarms they attended to. There was no written guidance available from the company. So how did they decide? Here is what one operator said on the subject We become used to those that are requiring action straight away rather than those that may not necessarily require immediate action. And how did they learn which is which? By observation of how other operators treated that alarm, you pick up the correct measures to be taken in certain instances. These are revealing statements. They suggest that operators have evolved amongst themselves a set of working rules to deal with the chaotic situation they faced. These rules enabled them to distinguish between alarms which needed attention and those which could be tolerated or ignored, and enabled them, moreover, to respond to important alarms in a way which would allow them to continue meeting production targets. There is no reason to think that these were the optimal rules. Indeed they proved in the end not to be, since failure of the operators to control the level of condensate allowed accident sequence to develop. But, until 25 September 1998, the rules had worked. This culture was a natural and necessary adaptation to the otherwise impossible alarm overload situation, which the operators faced.
The sociology of informal work practices

It is important to understand that Longford operators were not unusual in developing their own informal work procedures which differed from formal requirements. One situation in which informal rules evolve is when workers modify the system to achieve goals quite different from those originally intended by the system designers. A second circumstance in which the informal rules diverge from the formal is when abnormality has been normalised. Alarms are particularly susceptible to this process of normalisation. They are supposed to be warnings of abnormality, but if they occur in circumstances which are known to be normal, and hence tolerable, operators will quickly develop their own informal rules about how to deal with them, rules which diverge from what is formally expected. A related situation in which tacit rules emerge is where workers encounter events unforeseen by the designer of the formal rules, which require that the rules be adjusted in order to get the job done. Various writers have suggested that this divergence of informal procedures from
Excerpts from Lessons from Longford those formally laid down may well be inevitable. Reason speaks of 'necessary violations where non-compliance is essential in order to get the job done.
Formalising the informal

The inevitable tendency for the formal and informal to diverge was dealt with, not by trying to bring informal practices into line with formal requirements - an impossible task - but by modifying the formal practices, in a sense to bring them into line with the informal. Where the need for constant adjustments to operating procedures is acknowledged, organisations can prevent rule-violating procedures from developing - they can function as self-correcting organisations, as Bourrier (1998) calls them. However, it is obvious that this is only possible where organisations are willing to commit abundant resources. It is clear that high reliability depends on a degree of redundancy. High reliability organisations (HROs) function with more people, and particularly more people with technical expertise, than are necessary to get the job done in the normal course of events. But when the course of events is not quite normal, when difficulties arise, this additional expertise swings into action. This is one of the features of HROs which make them so reliable and safe.
The absence of engineering expertise at Longford

Esso was a company for which reliability was vital. The consequences of loss of production were potentially catastrophic, from a financial point of view. In order to achieve high reliability, abundant engineering resources were needed to monitor and modify procedures to ensure that operators were not forced to improvise in ways that might ultimately prove to be disastrous. It is clear that, had engineering staff been working with operators on a daily basis, the practice of operating the plant in alarm for long periods could not have developed in the way it did. Not only would engineers on site have inhibited the development of a culture tolerant of alarms, but, according to one expert witness at the inquiry, the presence of engineers with a detailed familiarity with the plant would have led to a different outcome on the day of the accident.
Surveillance from afar?

In transferring its engineers to Melbourne it was not Esso's intention to leave the Longford operators entirely to their own devices. Engineers were meant to carry out plant surveillance from a distance. In principle this would have been possible by examining the continuously recorded data on temperature, condensate levels and so on. However, much of the information was recorded on charts, which were not sent to Melbourne for analysis but simply thrown away. On the day of the accident, 30 per cent of these recording systems were not working, either because they contained no paper or because the recording pens had run out of ink. It is clear that this situation had been allowed to develop because engineers in Melbourne were not in fact monitoring the plant from afar.
10 July, 2000
Page 9
Chapter 5: Communication: Problems and Solutions

Routine reporting
A two-tier reporting system was in routine use at Longford. The bottom tier was constituted by the control room 109s, filled in by operators at the end of every shift. Management's failure to read operator logs might not have mattered if the warnings they contained had found their way into the second reporting tier - the shift supervisors' reports. But these were filled out without reference to the control room logs and did not contain references to safety-related matters. Supervisors' reports were maintained on computers and were widely available, but by this stage the warnings had already been filtered out and effectively lost.
Communication between shifts

It is widely recognised that safety and efficiency in round-the-clock operation depends on good communication between shifts. For this reason Esso required its operators and shift supervisors to have face-to-face contact at shift hand-over. The operators' logs were intended to facilitate communication between shifts about problems currently being experienced. Unfortunately, this communication was less than adequate.
Esso's incident-reporting system

In addition to its routine reporting system Esso maintained a reporting system for non-routine incidents. An incident was explained in Esso's Safety Management Manual as an unplanned event that caused or could have caused injury damage to personnel, property or the environment. Esso required all incidents, no matter how minor, to be reported to a supervisor and recorded on a hard copy incident form. An incident report was the key trigger for a thorough-going incident investigation. The definition of incident is wide enough to encompass serious process upsets such as leaks and unexpectedly cold temperatures. But such matters almost never found their way into the incident reporting system and therefore failed to trigger any incident investigation. Even process upsets serious enough to lead to temporary shutdown of the plant failed to enter the reporting system. Nor were any of the process upsets, which operators recorded in the control room logs, reported in this way. Management's view was that it was up to the operators to report matters if they thought they had an escalation potential'. But in practice, neither operators nor staff seemed to have considered the escalation potential of process upsets. If the incident reporting system was not used, on the whole, to report serious process upsets, what was it used for? Its primary use was to report incidents which caused, or had the potential to cause routine Iost-time injuries to individuals - 'slips trips and falls, as they were referred to at various points in the proceedings.
Designing a reporting system to avert disaster

Any company, which faces major hazards is likely to have an e-mail system or something similar which can greatly facilitate the flow of information up the hierarchy. The suggestions which follow depend largely on this kind of technology. Triggers - the starting point is an incident or near-miss reporting system. But if this is to have any chance of gathering relevant warning signs, management must put considerable thought into specifying what sorts of things should be reported: what are the warning signs at this workplace that something might be about to go disastrously wrong? Once identified, these signs must be treated as triggers to action, and management must specify what kind of action is required and who is responsible for taking the action. Here are some examples of the kinds of events which management might decide need to be treated as warning signs: certain kinds
10 July, 2000 Page 10
Excerpts from Lessons from Longford of leaks; certain kinds of alarms; particular temperature, pressure or other readings; certain maintenance problems; and machinery in a dangerous condition. Routine reports - management should also consider whether anyone on site is required to fill out an end-of-shift report. If so, might these reports contain warning information, which should be entered into the reporting system? Worker initiatives - workers on site should be encouraged to report not only matters which management has specified but also any other matters about which they are concerned. In some circumstances they will be reluctant to make reports for fear of reprisals. Management will need to find ways to overcome this fear. Management will need to carry out the suggested work, whether or not it seems necessary from an accident prevention point of view, so as to demonstrate good faith. Feedback - it is not enough that people make reports or pass information up the line. The outcome must be fed back in the form of a written response to the person who made the initial report. This will improve the morale of reporters and they will be motivated to take the reporting process more seriously Feedback is important, not only to ensure that reporters take the process seriously, but also to obligate those to whom they report to act on reports conscientiously. Feed forward - to be truly effective the process must not terminate at this point. The next step is to require the person who initially raised the matter to indicate whether the action taken is satisfactory in his or her view. Where the initiator is not satisfied the matter should cycle through the System again until such time as the initiator is satisfied, or alternatively, some senior manager of the company is prepared to over-ride the concerns of the initiator, in writing. Escalation - reporting systems must specify a time by which management must respond, and people making reports should be able to some extent to specify how urgent the matter is and therefore how quickly they require a response, e.g. within a day, within a week, within a month. The initial response may of course be to explain that more time is needed to deal with the matter. If the person to whom the report is made does not respond within the required time the system must escalate, that is, send the message further up the corporate hierarchy. CEO response - whether this whole system works depends, ultimately, on whether the person at the top of the information chain, the CEO, is committed to making it work Auditing - such systems must be carefully audited, that is, tested to see if they are capturing the intended information. One such test is to track some of the information flows which have occurred to see whether bad news, or at least news of problems, is being entered into the system and responded to.
Anonymity, confidentiality and immunity from discipline

A feature of the kinds of warning signs which I have described above is that they do not involve any obvious fault or mistake on the part of any one person and certainly not on the part of the reporter. They are impersonal indicators of danger. However, where incidents reflect badly on the reporter or on some other individual who might be in a position to retaliate against the reporter, there are obvious disincentives to reporting. If the system depends on this kind of information it must be designed to overcome these disincentives, In addition to mandatory systems, various countries, including Australia, operate a voluntary and confidential aviation incident lofting scheme, where people are encouraged to report not just specified incidents but anything of concern. The confidential nature of these voluntary schemes is seen as vital to their success in the aviation industry. In any industrial activity where processes are continuously monitored and recorded, the data can, in principle, be searched for instances of abnormality. When such instances are found, operators can be asked for more information about the circumstances. Such an approach would seem to be readily applicable to industries like gas processing.
10 July, 2000
Page 11
Chapter 6: Esso's Approach to Safety

Esso's safety record
Esso regarded itself as a safety conscious company. Following standard industry practice, it used lost-time injury frequency rate as its principal measure of safety performance, and in terms of this measure Esso's level of safety was enviable. The previous year, 1997, had passed without a single lost-time injury and Esso had won an industry award for this performance. It had completed thirteen million work hours without a lost-time injury to an Esso employee and assisted its contractor workforce to achieve more than 3 million work hours free of lost-time injury. Moreover, Esso's performance had been sustained; its LTI statistics for the whole period from 1990 to 1998 had been well ahead of the industry average. Reporting the number of hours worked without lost-time injury puts enormous pressure on workers not to spoil the tally by reporting an injury, and the greater the number of hours free of injury the greater the pressure not to report. Of course, there are good reasons to get injured workers back on the job as quickly as possible, and effective and legitimate claims/injury management may convert what are potentially lost-time injuries into injuries without lost-time. But it is clear that this injury/claims management process means that the recorded LTI rate is a thoroughly misleading indicator of the extent of injury. To overcome this problem Esso keeps data on total recordable injuries, defined as injuries which require medical treatment, or which prevent the injured person from performing any part of their normal duties. In May 1998 just four months before the Longford accident, the company had gone six months without a single recordable injury.
Measuring safety in hazardous industries

Quite apart from the issues of under-reporting discussed above, measuring safety in terms of lost-time injuries or total recordable injuries is inherently problematic in hazardous industries. To understand why, we need to make a distinction between on the one hand, high frequency/low severity events such as slips, trips and falls, which result in injury to single individuals and, on the other hand, low frequency/high severity incidents such as explosions and major fires, which may result in multiple fatalities. LTI data are largely a measure of the number of routine industrial injuries. Explosions and major fires, precisely because they are rare, do not contribute to the LTI figures in the normal course of events. LTI data are thus, at best, a measure of how well a company is managing minor hazards. They tell us nothing about how well major hazards are being managed. Moreover, firms normally attend to what is being measured, at the expense of what is not. Thus a focus on LTIs can lead companies to become complacent about their management of major hazards. This is exactly what seems to have happened at Esso. Clearly, the lost-time iniurv rate is the wrong measure of safety in any industry which faces major hazards. An airline would not make the mistake of measuring air safety by looking at the number of routine injuries occurring to its staff. Baggage handling is a major source of injury for airline staff, but the number of injuries experienced by baggage handlers tells us nothing about flight safety. The challenge then is to devise new ways of measuring safety in industries, which face major hazards - ways which are quite independent of lost-time injuries. Positive performance indicators (PPIs) are sometimes advocated as a solution to this problem. Examples of PPIs include the number of audits completed on schedule, the number of safety meetings held, the number of safety addresses given by senior staff and so on. The main problem with such indicators is that they are extremely crude measures and are unlikely to give any real indication of how well major hazards are being managed. Perhaps because the prevention of major accidents is so absolutely critical for nuclear power
10 July, 2000
Page 12
Excerpts from Lessons from Longford stations, it is this industry, at least in the United States, which has taken the lead in developing indicators of plant safety which have nothing to do with injury or fatality rates. The indicators include: number of unplanned reactor shutdowns (automatic, precautionary emergency shutdowns), number of times certain other safety system's have been automatically activated, number of significant events (carefully defined) and number of forced outages. There is wide agreement in the industry that these are valid indicators, in the sense that they really do measure how well safety is being managed. Certain features of these indicators are worthy of comment. First, they are negative indicators, in the sense that the fewer, the better. The point is that measures of failure are fine as long as the frequency of failures is sufficient to enable us to talk of rates. Second, these indicators are 'hard, in the sense that it is relatively clear what is being counted. A shutdown is a shutdown. This is not true of positive indictors such as number of audits. Audits are of varying quality, from external, high-powered investigations to the internal, tick-a-box exercises. Third, the indicators described above are industry-specific. Whereas LTI rates have the advantage that they can be used to compare safety in different industries, indicators such as the number of reactor shutdowns cannot be used in this way. But being industry-specific means that they are common to all nuclear power stations and can therefore be used to make comparisons between power stations. This is their particular strength. The model works in the nuclear industry because the industry body is powerful enough to mandate the collection of relevant data and to prevent under-reporting. Whether it can work in other hazardous industries probably depends on the strength of their industry associations and the depth of concern in the industry to avoid disaster.
The culture of safety

Let us return to Esso's case to consider in more detail how its approach to safety was distorted by its focus on LTIs. The key to its approach was the creation of a safety culture. Prior to the accident, the Company's safety adviser argued that safety performance has been achieved through an unwavering commitment and dedication from all levels in the organisation to create a safety culture which is genuinely accepted by employees and contractors as one of their primary core personal values. The aim is to create a mindset that no level of injury (not even first aid) is acceptable. Esso's safety theme, Let's get real ... all injuries are preventable, was explicitly aimed at achieving this mindset. Esso draws an interesting implication from this. Since safety is about a mindset, it is something which the individual must cultivate 24 hours a day. A number of features of this conception of safety culture deserve comment. First, it sees a culture as a matter of individual attitudes - attitudes which can be cultivated at work, but which in the final analysis are characteristics of individuals, not the organisations to which they belong. Second, in Esso's view culture is about attitudes and values. An alternative conception is that culture is about practices. Note that practices are characteristics of groups or organisations. They are essentially collective practices. Reason argues, quoting an organisational anthropologist, that this is a more useful concept when thinking about safety culture. Changing collective values of adult people in an intended direction is extremely difficult, if not impossible. Values do change, but not according to someone's master plan. Collective practices, however depend on organisational characteristics like structures and systems and can be influenced in more or less predictable ways by changing these. Reason suggests that the practices which make up a safety culture include such things as effective reporting systems, flexible patterns of authority and strategies for organisational learning. These are clearly organisational, not individual, characteristics. Third, in Esso's conception of a safety culture, the role of management is to encourage the right mindset among the workers. It is the attitudes of workers which
Page 13
10 July, 2000
Excerpts from Lessons from Longford are to be changed, not the attitudes of senior management. Fourth, a presumption which underlies Esso's approach is that accidents are within the power of workers to prevent and that all that is required is that they develop the right mindset and exercise more care in the way they do their work.
It is clear therefore that Esso's safety culture approach, in principle, ignores the latent conditions which underlie every workplace accident and focuses instead on the workers' attitudes as the cause of the accident. But creating the right mindset is not a strategy which can be effective in dealing with hazards about which workers have no knowledge and which can only be identified and controlled by management. Many major hazards fall into this category. There is an interesting implication here. If culture, understood as mindset, is to be the key to preventing major accidents, it is management culture rather the culture of the workforce in general which is most relevant. What is required is a management mindset that every major hazard will be identified and controlled and a management commitment to make available whatever resources are necessary to ensure that the workplace is safe. In short, if culture is the key to safety, then the root cause of the Longford accident was a deficiency in the safety culture of management.
An example of LTI distortion: maintenance

The issue of maintenance provides an important illustration of the subtle way in which Esso's focus on LTIs distracted attention from the risk of major accident. Maintenance staff had been progressively reduced at Longford, over the period from 1992 to 1998, as a cost-cutting measure. Operators were told that maintenance cuts would continue 'until they hurt. This meant that routinely there was a backlog of work orders - items which had been reported and were waiting to be repaired. To deal with this Esso had introduced a system for deciding an order of priority. Workers resented this system. They resented, in particular, the fact that items which they regarded as a high priority to fix might not be so regarded by the management committee. To summarise, Esso's maintenance cutbacks had generated a maintenance backlog problem which made it necessary to introduce a prioritisation process. This involved a risk assessment to establish how urgent the matter was. The way safety was understood at Esso necessarily influenced the maintenance risk assessment process, with the result that maintenance which might have been necessary from a plant safety point of view ended up with a low priority, thus endangering the plant. This is exactly what happened in the case of TRC3B, the automatically operated valve which controlled the level of condensate.
10 July, 2000
Page 14
Chapter 7: Auditing
In the widely available video of a lecture on the Piper Alpha disaster Appleton makes the following comment - when we asked senior management why they didn't know about the many failings uncovered by the inquiry, one of them said I knew everything was all right because I never got any reports of things being wrong". In my experience [Appleton said], ... there is always news on safety and some of it will be bad news. Continuous good news - you worry.
Esso auditing
Evidence was given at the Royal Commission that Esso's auditing process was defective In the very same way that auditing at Piper Alpha was. Just six months prior to the explosion, Esso's health and safety management system (called OIMS - Operational Integrity Management System) was audited by a team from Esso's corporate owner, Exxon. The auditing team was presumed to have an arm's length relationship with Esso and therefore to be in a position to provide an accurate evaluation of the system. Longford was one of about 11 sites in Victoria visited by the auditing team. Esso's managing director reported to the inquiry that the audit had shown that most of the eleven elements of the safety management system were functioning at level three or better/which meant that: the system is functioning; procedures for key tasks are documented; adjustments to system process steps have been made to ensure completeness and to ensure the system is functioning as intended; ongoing verification measures indicate that the system is working as intended; results and outputs are being measured; and priority system objectives are satisfied.
The managing director went on to tell the inquiry that since the assessment was conducted by personnel external to Esso, he felt confident that these results represented an independent and unbiased assessment of the state of Esso's OIMS systems. He also noted that an internal review in May 1998, four months before the explosion, highlighted a number of positive results, among them, six months without any recordable injuries ... high levels of near-miss reporting ... and major risk reduction projects. Taken at face value these statements indicate that the reports being received at the most senior level of the corporation contained consistently goods news. This is precisely the situation which led Appleton to say continuous good news - you worry. Esso's executive committee, including its directors, met periodically as a corporate health, safety and environment committee. The results of the external audit had been presented to this committee two months prior to the explosion. The meeting was expected to take two hours and the agenda shows that just thirty minutes were allocated for a presentation to this committee about the external audit. The presentation consisted of a slide show and commentary. It included an overview of positive findings followed by a list of remaining challenges. The minutes of this meeting record that the audit concluded that OIMS was extensively utilised and well understood within Esso and identified a number of Exxon best practices within Esso. Improvement opportunities focussed on enhancing system documentation and formalising systems for elements 1 and 7. Notice that the 'challenges mentioned by the presenter have become improvement opportunities' in the minutes. Note also that the meeting minutes describe this half-hour period as a presentation of findings to the executive committee. There is no indication that executive committee members probed these findings
10 July, 2000 Page 15
Excerpts from Lessons from Longford in any detail, nor made any decisions or issued any directions as a result of what they were told. The committee is portrayed in the minutes as a fairly passive recipient of a summary report, not as a group of directors and managers actively controlling safety in their company. Earlier chapters have already described some of the bad news which a good audit might have been expected to pick up. First, although accident investigators quickly highlighted the fact that a HAZOP had not been carried out on gas plant 1, the external audit failed to notice this. Second, it was no secret that operators had grown accustomed to managing the plant for long periods without responding to alarms triggered by abnormal circumstances. A thorough-going audit should have detected this. Third, a thorough audit should have picked up the fact that the near miss reporting system was not being used to report significant gas processing problems. The Exxon audit did not pick this up.
It was not just that the audit missed things it should have picked up; its principal conclusion was wrong. Remember that the central finding of the audit, as summed up in the executive committee minutes was that OIMS was extensively utilised and well understood within Esso. The Commission found otherwise: OIMS, together with all the supporting manuals, comprised a complex management system. It was repetitive, circular and contained unnecessary crossreferencing. Much of its language was impenetrable. These characteristics made the system difficult to comprehend by management and by operations personnel. The Commission gained the distinct impression that there was a tendency for the administration of OIMS to take on a life of its own, divorced from operations in the field. Indeed it seemed that in some respects, concentration upon the development and maintenance of the system diverted attention from what was actually happening in the practical functioning of the plants at Longford.
Auditing at BHP Coal

It is worth contrasting the Esso audit with an audit done by BHP Coal in Queensland in 1996, in the aftermath of the 1994 Moura explosion. The Iesson which BHP learnt from this was the need for high-powered auditing by very senior people, organisationally remote from the site being audited. The team presented the audit findings in detail in a half-day briefing to the chief executive officer of BHP, the parent company of BHP Coal. The remarkable thing about this audit, then, was that it succeeded in conveying bad news to the very top of the corporate hierarchy. The summary message was not simply that all is well, but rather that things are not good enough.
The purposes of auditing

This comparison provokes some reflections on the purpose of safety auditing. It is notable that whatever else auditors say they are doing, they are almost invariably on the lookout for hazards. The theory of safety auditing is, however, quite different. Theoretically, the aim of safety auditing is not to identify uncontrolled or inadequately controlled hazards - it is to identify strengths and weaknesses in safety management systems. This approach Iends itself to providing summary evaluations of how well safety is being managed. This was the real purpose of the Exxon audit. This kind of evaluation serves various purposes. It enables firms to identify elements in their management systems which need attention, thus facilitating improvement. It also enables comparisons to be made. It is worth pointing out that an audit whose purpose is to identify hazards which have been missed does not lend itself to this score card approach. BHP's audit did not rate each site, nor did it seek to compare them. It was focused on specific catastrophic risks and probed in some detail to find out how well these risks were being managed. It asked: what kinds of things
10 July, 2000 Page 16
Excerpts from Lessons from Longford might go wrong here and what have you done to control these risks? A rigorous audit needs to examine the hazard identification strategy and make some effort to seek out hazards which may have been missed, so as to be able to make a judgment about how effectively hazard identification and control is being carried out. Identifying unrecognised hazards is clearly a dramatic way of demonstrating deficiencies in management's hazard identification system.
10 July, 2000
Page 17
Chapter 8: The Regulatory Environment

The move to self-regulation of occupational health and safety has generated considerable concern in some quarters. This chapter addresses these issues and considers in some detail the new safety case approach recommended by the Commission.
Self-regulation
In principle, self-regulation is quite distinct from deregulation. The latter involves retreat by government and an abandonment of the field to the market. Self-regulation differs from this in two fundamental respects. First, although it is up to the enterprise to work out how to achieve a safe workplace, governments provide a legislative framework to achieve this outcome and remain willing to take enforcement action as necessary. For this reason, some authors prefer to describe the process as co-regulation, involving both government and enterprise. Second, employees are an integral part of any enterprise and self-regulation therefore requires active employee participation. While self-regulation and deregulation are quite distinct in principle, it is clear that without active employee involvement and without a commitment by the State to ensuring safe outcomes, self-regulation runs the risk of degenerating into deregulation. Selfregulation is often assumed to be the optimal regulatory style for large employers who have their own health and safety expertise. Interestingly, the findings of the Royal Commission call into question whether the regime of self-regulation which has developed in Australia
What is a safety case?

The essence of the new approach is that the operator of a major hazard installation is required to make a case or demonstrate to the relevant authority that safety is being or will be effectively managed at the installation. Under the safety case approach it must lay out its procedures for examination by the regulatory authority. This is a major departure from previous practice. But one core element in all cases is the requirement that facility operators systematically identify all major incidents that could occur, assess their possible consequences and likelihood and demonstrate that they have put in place appropriate control measures as well as appropriate emergency procedures. But the difference is that operators are required to demonstrate to the regulator the processes they have gone through to identify the hazards, the methodology they have used to assess the risks and the reasons why they have chosen one control measure rather than another. If this reasoning involves a cost-benefit analysis, the basis of this analysis must be laid out for scrutiny.
Lessons from offshore

A safety case regime has been in operation for offshore petroleum production since the mid1990s. It is instructive to examine the experience in Bass Strait for insights relevant to the new onshore regime. Employee involvement - the first lesson is the importance of employee participation. Conflict of interest - a second issue which the offshore regime raises is the possibility that a regulatory authority might be caught in a conflict of interest. The DNRE is responsible for encouraging the development of the State's natural resources. At the same time it is responsible for ensuring offshore safety, which may involve imposing considerable costs on facility operators and occasionally interrupting production.
Conclusion
The regime in question had evolved in recent years in a self-regulatory direction and it allowed Esso to operate the Longford facility in a manner which fell short of industry best practice. The Commission recommended that the existing regime be replaced with a safety case approach which would prescribe in detail how safety was to be managed at major hazard facilities. The central feature of the approach is that facility operators are required to demonstrate to the authorities that they are managing safety effectively.
10 July, 2000
Page 18
Chapter 9: An Absence of Mindfulness

The causal analysis in this book has been carried out at several levels. Nevertheless, most of the contributing factors identified were organisational failures, for which Esso's management is ultimately responsible.
The mindfulness of high reliability organisations (HRO)

Typical HROs - modern nuclear power plants, naval aircraft carriers, air traffic control systems - operate in an environment where it is not possible to adopt the strategy of learning from mistakes. Since disasters are rare in any one organisation the opportunities for making improvements based on one's own experience are too limited to be made use of in this way. Moreover, even one disaster is one too many. Management must find ways of avoiding disaster altogether. The strategy which HROs adopt is collective mindfulness. The essence this idea is that no system can guarantee safety once and for all. Rather, it is necessary for the organisation to cultivate a state of continuous mindfulness of the possibility of disaster. Worries about failure are what give HROs much of their distinctive quality. HROs exhibit prideful wariness and a suspicion of quiet periods. HROs seek out localised small-scale failures and generalise from them. One consequence of this approach is that maintenance departments in HROs become central locations for organisational learning. The preoccupation of HROs with failure means that they are willing to countenance redundancy - the deployment of more people than is necessary in the normal course of events so that there are enough people on hand to deal with abnormal situations when they arise. If HROs are pre-occupied with failure, more conventlonaI organisations focus on their success. They interpret the absence of disaster as evidence of their competence and of the skillfulness of their managers. The focus on success breeds confidence that all is well.
Esso's lack of mindfulness

It must already be apparent from this discussion that Esso did not exhibit the characteristics of a mindful organisation. The withdrawal of engineers from the Longford site in 1992 was very clearly a retreat from mindfulness. Communication failure between shifts is another aspect of Esso's lack of mindfulness. A further matter noted above was the critical nature of maintenance activity an opportunity for organisational learning. This was not how maintenance was viewed at Esso. Maintenance staff were cut till it hurt and the result was a maintenance backlog. Maintenance was then prioritised in a way which did not pay attention to the possibility that breakdowns might have causal chains or perhaps chains of consequence that are long and wind deep inside the system. An active and effective incident reporting system is the hallmark of a mindful organisation. Esso's reporting system was quite inadequate in this respect. Organisations mindful of the possibility of failure would take every opportunity to identify hazards. Esso's failure to carry out the HAZOP of GP1 was thus a failure of mindfulness. So, too, were the company's various failures to conduct the risk assessments of change which its own guidelines required it to do and the failure to carefully assess the hazards of interconnectedness. On top of all of this, safety auditing, an ideal opportunity to focus on the possibility of failure, was turned into an opportunity to celebrate success.
10 July, 2000
Page 19
Learning the lessons from elsewhere

Mindfulness about the possibility of failure extends to learning Lessons from elsewhere. Lessons from Exxon - there were, for instance, lessons from the parent company, Exxon, which Esso failed to learn. Instances of brittle fracture had occurred in other Exxon plants and had led Exxon to express particular concern about this problem. Lessons from Piper Alpha - the Piper Alpha fire also offered lessons which Esso failed to learn. 0ne such lesson was the need to be able to isolate plant or production units so that a fire at one could not be fed by oil or gas from another. Another lesson from Piper Alpha was that high quality auditing should be conveying at least some bad news to the top of the organisation. Lessons from Moura - finally, there were the lessons from the Moura mine disaster, directly applicable to Longford, about communication failure, incident reporting, the need to focus on catastrophic risks and yet again, the failure of auditing. It seems, however, that although BHP and Esso/Exxon had interests in both industries, this did not facilitate the transfer of learning from one industry to the other.
Explaining the absence of mindfulness

Why are some organisations mindful and others not? To answer this question, consider for a moment the kinds of organisations which have been identified as high reliability organisations. Nuclear aircraft Earners and air traffic control authorities are not profit-making operations. The point is that there are particular conditions which facilitate high reliability functioning. These do not apply for most commercial organisations, and in their absence, the drive to enhance economic efficiency becomes the enemy of mindfulness. The evidence is that this is the explanation for Esso's failure to be mindful. cost-cutting pressures led Esso to remove its engineering staff from Longford, cost-cutting pressures led it to postpone indefinitely the crucial HAZOP of gas plant 1 and cost-cutting pressures led to the maintenance cutbacks which contributed to the accident. Moreover, this concern about costs had been effectively communicated to the workforce to the extent that an operator was able to tell the inquiry: I would go so far as to say I faced a dilemma on the day, standing 20 metres from the explosion and the fire, as to whether or not I should activate ESD 1 (Emergency Shutdown 1), because I was, for some strange reason, worried about the possible impact on production.
The lessons of Longford

For companies seeking to be mindful, the lessons which emerge from this analysis are as follows: Operator error is not an adequate explanation for major accidents. Systematic hazard identification is vital for accident prevention. Corporate headquarters should maintain safety departments which can exercise effective control over the management of major hazards. AlI major changes, both organisational and technical, must be subject to careful risk assessment. Alarm systems must be carefully designed so that warnings of trouble do not get dismissed as normal (normalised). Front-line operators must be provided with appropriate supervision and backup from technical experts. Routine reporting systems must highlight safety-critical information. Communication between shifts must highlight safety-critical information. Incident-reporting systems must specify relevant warning signs. They should provide feedback to reporters and opportunity for reporters to comment on feedback. Reliance on lost-time injury data in major hazard industries itself a major hazard. A focus on safety culture can distract attention from the management of major hazards.
Page 20
10 July, 2000
Excerpts from Lessons from Longford Maintenance cutbacks foreshadow trouble. Auditing to be good enough to identify the bad news and to ensure that it gets to the top. Companies should apply the lessons of other disasters.
For governments seeking to encourage mindfulness: A safety case regime should apply to all major hazard facilities.
A corrective conclusion
To bring back the human dimension, I close with the thoughts of the operator whose words began this book. I am thankful that I escaped the fate of several others, thrown through the air like rag dolls. I'm glad ... because my bones weren't shattered, my skin scalded by freezing cold liquid and then flames so hot they cooked flesh to the bone ... Yeah, I'm lucky. Very, very Lucky. My wife and children didn't have to endure the torture of eulogies, of burials, of unsaid goodbyes. I'm lucky because they didn't have to wonder if I was going to live through the night. They didn't have to see me comatose, only awake to a new world of pain and scarring, both physical and mental ... While I'm not facing a lifetime of corrective surgery to mitigate disfigurement, I can't work in a place where I once thought I would spend the next 27 years of my life. I cannot doff my hardhat to a company that blamed me for the deaths of two of my workmates, the burning of five others, the destruction of half a billion dollars of gas plant, and wish them well. I cannot respect a company that would gladly have me face the tearful, bewildered stare of a workmate's bereaved family, while the directors of that company seek refuge in the judicial cocoon of their legal advice.
10 July, 2000
Page 21

Lessons From Longford by Andrew Hopkins

Uploaded by

Copyright:

Available Formats

Lessons From Longford by Andrew Hopkins

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lessons From Longford by Andrew Hopkins

Uploaded by

Copyright:

Available Formats

Excerpts from Lessons from Longford