Major hazard incidents

DET NORSKE VERITAS
Major Hazard Incidents
Arctic Offshore Drilling Review
National Energy Board
Report No.: NEB 2010-04/DNV Reg. No.: ANECA 851
February 2011

DET NORSKE VERITAS
Report for National Energy Board
Major Hazard Incidents - Arctic Review
MANAGING RISK
Date : February 2011 Page i
Executive Summary
On 11 May 2010 the National Energy Board (Board) announced that it would conduct a review
of Arctic safety and environmental offshore drilling requirements (the Arctic Review). The
Arctic Review will examine the best available information concerning the hazards, risks and
mitigation measures associated with offshore drilling activities in the Canadian Arctic and
measures to both prevent and respond to accidents and malfunctions.
Investigations conducted into previous major accidents reveal that systemic or organizational
deficiencies lead or contributed to those accidents. Understanding whether there are any trends,
such as specific management system failures which put an organization at greater risk for a
catastrophic event, would be of interest in the context of the Arctic Review.
In November 2010 the Board contracted Det Norske Veritas (DNV) to conduct a comparative
analysis of major accidents in order to identify trends related to root cause(s) and contributing
factors.
The major accidents selected for the assessment includes: Ocean Ranger 1982, Chernobyl 1986,
Piper Alpha 1988, Westray 1992, Longford 1998, Columbia 2003 and Texas City 2005.
The assessment of each accident includes a context and synopsis of the event, key findings and
an analysis. The key findings are summarized from the information obtained from the official
investigation or inquiry reports which were supplied to DNV by the NEB. The list of reports
provided is included in the Reference section at the end of this report.
In order to be able to identify trends and conduct a direct comparison of the findings from the
various accidents, the key findings were categorized on the basis of the NEB Management and
Protection Program Evaluation and Audit Protocol. The protocol is used by the NEB to assess
the adequacy and effectiveness of companies’ management and protection programs.
The assessment of these accidents indicated that, although formal safety programs or
management systems had been developed, they were not effectively implemented or reviewed on
a regular basis to monitor their adequacy and effectiveness. Also, for most of the incidents an
adequate hazard identification and risk assessment process had not been followed. The relevance
of these issues become important because the basic responsibility for the safe operation of any
activity lies with management of the organization which must ensure all the applicable programs
and systems are implemented, reviewed and updated on a regular basis to reflect any required
improvements.
In addition, in most cases the applicable regulatory oversight was not comprehensive or focused
enough to ensure gaps were identified and the required corrective and preventive actions were
developed and implemented.

DET NORSKE VERITAS
MANAGING RISK
Date : February 2011 Page ii
Table of Contents
EXECUTIVE SUMMARY .......................................................................................................i
OCEAN RANGER 1982...........................................................................................................1
Context .................................................................................................................................1
Synopsis Of The Event.........................................................................................................2
Key Findings ........................................................................................................................3
Analysis................................................................................................................................7
CHERNOBYL 1986................................................................................................................10
Context ...............................................................................................................................10
Synopsis Of The Event.......................................................................................................11
Key Findings Of The Insag-7 Report.................................................................................12
Analysis..............................................................................................................................14
PIPER ALPHA 1988...............................................................................................................17
Context ...............................................................................................................................17
Key Findings ......................................................................................................................19
Analysis..............................................................................................................................22
WESTRAY 1992 .....................................................................................................................25
Context ...............................................................................................................................25
Key Findings ......................................................................................................................26
Analysis..............................................................................................................................28
LONGFORD 1998 ..................................................................................................................31
Context ...............................................................................................................................31
Key Findings ......................................................................................................................33

DET NORSKE VERITAS
MANAGING RISK
Date : February 2011 Page iii
Analysis..............................................................................................................................35
COLUMBIA 2003...................................................................................................................38
Context ...............................................................................................................................38
Synopsis of the event..........................................................................................................38
Key Findings ......................................................................................................................39
Analysis..............................................................................................................................41
TEXAS CITY 2005 .................................................................................................................44
Context ...............................................................................................................................44
Synopsis of the event..........................................................................................................45
Key Findings ......................................................................................................................46
Analysis..............................................................................................................................49
REFERENCES........................................................................................................................51
Appendices
Appendix A - Management and Regulatory Comparison Tables
Appendix B - NEB Management and Protection Program Evaluation and Audit Protocol

DET NORSKE VERITAS
MANAGING RISK
Date : February 2011 Page iv
List of Figures
Figure 1 Structural components and working areas of the Ocean Ranger..................................2
Figure 2 - RBMK Reactor, Source: OECD NEA .....................................................................11
Figure 3 Pipeline Connections of the Piper Field.....................................................................17
Figure 4 Piper Alpha platform: simplified east elevation........................................................18
Figure 5 Southwest 2 Section of the mine, showing the location of the equipment at the
time of the explosion.................................................................................................................26
Figure 6 Gas Pipelines ..............................................................................................................31
Figure 7 Lean oil / Rich oil circulation.....................................................................................32
Figure 8 Tower overfill and blowdown drum hydrocarbons release........................................44
Figure 9 Heating of feed in the splitter tower...........................................................................45

DET NORSKE VERITAS
MANAGING RISK
Date : February 2011 Page 1
OCEAN RANGER 1982
Context
The Ocean Ranger was the largest self-propelled semi-submersible offshore drilling unit owned
by Ocean Drilling and Exploration Co (ODECO) when launched in 1976. In 1980 its registry
was transferred to the United States which made it subject to regulations of the International
Maritime Organization. When the Ocean Ranger began to drill off the east coast of Canada in
November 1980, for Mobil Oil Canada Ltd. (Mobil), the drilling operation was governed by the
conditions of the permits issued to Mobil by the Government of Canada and the Government of
Newfoundland & Labrador. However, Canada Oil and Gas Lands Administration (COGLA) and
the Newfoundland and Labrador Petroleum Directorate (the Petroleum Directorate) relied on the
certificate issued by the American Bureau of Shipping and the U.S. Coast Guard to attest to the
safety of the marine operations of the rig.
The drilling operations and in fact all operations on the rig and even the rig itself were under the
control of the toolpusher, the senior ODECO person on the rig. All the crew, except Mobil
personnel and Mobil-contracted personnel, reported directly or indirectly to the toolpusher.
Mobil always had a drilling foreman on the rig whose responsibility was to represent Mobil’s
interests by monitoring the operation to ensure that drilling was completed as expeditiously and
economically as possible.
On February 15th
, 1982, the Ocean Ranger with 84 crew members on board capsized and sank in
a fierce storm in the area of the Hibernia oil field on the Grand Banks of Newfoundland. There
were no survivors. It was determined that the rig sank after seawater entered its ballast control
room through a broken porthole and caused an electrical malfunction in the ballast panel
controlling the rig's stability. Two other rigs in the area, the Sedco 706 and the Zapata Ugland,
survived the storm.
The Ocean Ranger accident together with similar tragedies such as the Alexander Kielland in
1980 and the Glomar Java Sea in 1983, focussed concern on and raised questions about the
reliability of the technology involved in offshore drilling operations under adverse environmental
conditions and the adequacy of the regulatory agencies whose function is, at least in part, to
ensure these operations are carried out safely.

DET NORSKE VERITAS
MANAGING RISK
Figure 1 Structural components and working areas of the Ocean Ranger
Synopsis of the event
On February 1982, Mobil was operating the Ocean Ranger and two other semi-submersible
drilling units. On Saturday February 13, a series of weather forecasts were received. They
identified a developing storm with high speed winds, heavy seas, flurries and freezing spray
anticipated by Sunday night.
On Sunday, drilling operations continued until 4:30 p.m. at which time the crew started to
disconnect from the wellhead and hang-off due to the fast approaching storm. There was little
communication between the Ocean Ranger and Mobil personnel onshore; however an internal
radio communication describing the breaking of a portlight (window) and water in the ballast
control room was overheard by the Sedco 706 and a stand-by vessel, both of which were in the
area.
The radio conversation continued stating the control panel was wet and discharging shocks, the
valves were opening and closing on their own which required the assistance of an electrical
technician. By 10:00 pm, platform staff contacted personnel located onshore to provide a status
update on the incident. They reported that the ballast control system had no problem and all
equipment was functioning normally. There was no report from the Ocean Ranger that the rig
was experiencing difficulties other than the weather conditions.
At 1:00 a.m. on February 15th, the senior drill foremen on the Ranger notified onshore Mobil
personnel of a listing of the rig to the port side and requested that the Coast Guard be alerted.

DET NORSKE VERITAS
MANAGING RISK
Attempts to isolate the problem and to implement countermeasure to address the list were
ineffective. A mayday call was sent out from the Ocean Ranger requesting immediate assistance.
A request for assistance was sent to helicopters under contract with Mobil, stand-by vessels for
the Ocean Ranger and two near-by drilling units. The last communication at 1:30 a.m. indicated
that the crew was going to lifeboat stations. At 3:28 a.m., it was reported from the nearby rig
Sedco 706 that the Ocean Ranger had disappeared from the radar.
The Royal Commission on the Ocean Ranger Marine Disaster stated in its Report:
“The failure of the crew to adopt and follow a proper and prudent operational practice – closing
deadlights in storm conditions – allowed the first link in the chain of events to be forged. In
attempting to remedy the problem caused by the ingress of water into the ballast control room,
the crew, because the lack of understanding of the ballast system as a whole, reactivated the
panel as part of the maintenance process and unintentionally allowed water to enter the port
pontoon. Then, in attempting to remedy the port forward list of the rig by pumping out forward
tanks, they failed to realize the possibility that one or more valves to ballast tanks were open,
and actually increased the forward list by unintentionally pumping out of the tanks. The crew did
not understand the proper function of the manual control rods and inserted them in a mistaken
attempt to close the valves. This resulted in the opening of up to 15 ballast tank valves, which
allowed ballast water to gravitate forward and accelerated the rate of forward trim.” 1
The crew tried to evacuate using the lifeboats, however only one launched but was damaged
under the storm conditions. The stand-by vessel took approximately one hour to get to the scene
and did not have the appropriate equipment to rescue the men. All 84 crew members of the
Ocean Ranger lost their lives in the accident.
Key Findings
The capsizing of what was then the largest self-propelled semi-submersible started with the
breakage of a small porthole that escalated through a series of events which eventually resulted
in the accident. The Royal Commission Report identified the following deficiencies:
1. Exposed Location of Ballast Control Room
 The location of the ballast control room was within the wave-splashing range of the
ocean.
2. Weakness caused by Portlights in the column
 Portlights with inadequate glass strength were located in the columns of the drill rig.
1
From The Royal Commission on the Ocean Ranger Marine Disaster Report

DET NORSKE VERITAS
MANAGING RISK
 An operator was required to observe draft marks on outer legs by opening the deadlight
which led to the habit of leaving the deadlight open at all times.
3. Lack of protection from flooding in Ballast Control Room
 There was a lack of watertight protection on the control panel as the ballast control room
was considered a dry zone.
4. Lack of an adequate manual system for the ballast valves
 the rig had a mechanical backup system to manually control the ballast valves from the
ballast control room and bypass the panel in case of electrical failure. There was no
diagram or instructions to operate the system. The operator was not formally trained on
either system.
5. Vulnerability of the chain lockers to flooding
 The locker rooms located at the top of the four outer legs were used to store wire rope
and anchor chains. These were vulnerable to flooding due to large open entry holes
without weather-tight covers and no permanently installed means of pumping out water.
6. Lack of evacuation procedures during emergencies in the Marine Operating Manual
 Mobil’s contingency plan and emergency procedures specified procedures in case of oil
spills, iceberg encroachment, severe weather, loss of a supply vessel or crash of a
helicopter, but did not provide contingency procedures for the evacuation of the rig. In
addition, there was no copy of the plan available on board the Ocean Ranger and ODECO
personnel were not familiar with it. Also, ODECO’s Emergency Procedures Manual was
different from Mobil’s with variances in procedures, criteria for cessation of drilling, and
site responsibilities.
7. Lack of manuals and technical information regarding the ballast control room
 The location of the tank level sensors at the end of the tank instead of the center may
have led to misinterpretations of the ballast tank levels. Conversion tables provided in the
Booklet of Operating Conditions were used for the rig’s stability. The tables were
accurate only under level conditions and did not contain corrections which would apply
to sloping tanks. The water pumping system could not pump from the forward tanks as
the forward list created a vertical distance that exceeded the suction available.
8. Lack of adequate marine training for the key personnel.
 Ballast operators were not formally trained nor did they have to pass tests to determine
whether they understood the systems and their operation. After their regular 12-hour
work shift was completed, personnel interested in becoming ballast control operators
were permitted to spend time in the ballast control room and complement this experience
with private studies.

DET NORSKE VERITAS
MANAGING RISK
 The formal training policy of ODECO followed the general drilling industry approach
where inexperienced employees could learn “from the bottom up”. This required a
minimum of 80 weeks of experience on the rig before a crew member could be recruited
to train as a ballast operator. The actual practice was to identify candidates to train for the
position and promote them without the minimum requirements identified above. With the
basic understanding on how to operate the control panel and complete daily calculations
and stability logs, a candidate could be appointed as full-time operator. In addition, no
specific training for abnormal conditions was provided.
 The organizational structure and roles and responsibilities on the rig were organized
similarly to those on land-based rigs. The marine operations that involved stability and
safety of the rig were considered support operations instead of primary core operations as
it would be on a ship. While the rig was lifting its anchor and moving, it was the master
who was in command, but when the rig was moored on location, it was the toolpusher
who was in command even though he had no marine certification or knowledge of the
principles of stability.
 The master also had specific roles and responsibilities, but did not have proper training to
operate the ballast control systems. In addition, he had no crew under his direct and
exclusive control. The master’s presence was mainly to ensure compliance with the
requirements of the Certificate of Inspection.
 The scope of emergency training was not specified by regulations which stipulated only
the test frequency for emergency response systems. The emergency drills conducted were
not sufficiently thorough to ensure that the systems were effective. The supervisors in
charge and the crew typically had no marine training, and lifeboats were rarely lowered
to the sea during exercises making real-life evacuations that much more difficult.
9. Lack of knowledge of the operation of the ballast control system led directly to the disaster
 The control panel operated electric solenoids which, using compressed air, controlled
valves in the pontoons. These valves, located along the pontoons, controlled the trim of
the rig with the use of water. If the supply of electricity or compressed air was lost, all
remotely operated valves closed automatically. This fail-safe mechanism was to ensure a
valve would never be left open unintentionally if a power failure should occur. If power
was lost the ballast valves and pumps could be operated manually from the pump rooms.
The valves could also be controlled with the insertion or removal of brass rods into the
solenoid valves. The rig operator on duty at the time of the incident appeared to believe
that inserting brass rods in the solenoids would close the valves, not open them.
10. Inadequate interpretation of weather forecasting and weather reporting procedures

DET NORSKE VERITAS
MANAGING RISK
 Misunderstandings existed between NORDCO (Newfoundland Oceans Research and
Development Corp.), Mobil and ODECO regarding terminology used in weather
forecasts. However, operational decisions were based on weather conditions as they
occurred not on weather forecasts.
11. Inadequate lifesaving equipment
 The primary lifesaving equipment for the rig included 4 fibreglass lifeboats, 10 life rafts,
127 life preservers, 25 buoyant work vests, 15 life rings with lines and a helipad. The
evidence indicated that only the lifeboats and life preservers were actually used.
 Not all of the four lifeboats were available to the crew. At the time of the loss, although
one of the new Watercraft lifeboats was installed, it is not known whether it was
provisioned and fully operable and the other was stored on deck awaiting installation.
Also, it is not known whether the crew received instructions in the operation of the
Watercraft lifeboats since the release mechanism on the Watercraft lifeboats differed
from that on the Harding lifeboats. A Harding lifeboat located on the stern was launched
during evacuation with 30 or more crew members on board, but it was badly damaged
which led to its capsize. The Watercraft lifeboat located on the stern was not recovered.
The Harding lifeboat located on the bow and the uninstalled Watercraft lifeboat were
recovered, but neither showed any signs of having been occupied.
 In 1979, the U.S. Coast Guard had directed ODECO to replace the existing lifeboats with
davit-launched life rafts or an acceptable substitute. ODECO had not replaced or changed
the existing lifeboats, and opted to install two additional lifeboats rather than davit-
launched life rafts. The deployment method for the 20-person life rafts required them to
be thrown overboard and entered from the water, an impractical mode of escape during
severe storm conditions.
 There were no full-immersion survival suits designed to resist cold water and
hypothermia on board. These suits were not a regulatory requirement at the time, but in
June of 1981 COGLA had recommended that survival suits be installed on all MODUs
and support craft operating on the East Coast of Canada and in the Arctic. The industry
and COGLA did not move quickly in implementing this recommendation.
12. Inadequate Standby Vessel capability
 The stand-by vessels and helicopters which were called for assistance provided regular
supply and support to the rig. They were not equipped with gear for rescue attempts.
Only one lifeboat was encountered with a number of occupants in it. All occupants
perished, some from exposure, and some while trying to climb onto the supply boat
during a rescue attempt using improvised life ring lines.

DET NORSKE VERITAS
MANAGING RISK
13. Communications issues
 A combined public address and intercom system was used for communicating onboard
and for sounding the fire and rig abandonment alarm. In the event of a loss of power,
these systems were inoperative. A telephone system was the backup to the public address
system however no units were installed in the ballast control room or pump rooms. The
manual ballasting operations, which could be performed in the pump rooms, would have
had to be coordinated from the ballast control room where the ballast control gauges were
located, but the failure of the public address system and the lack of a telephone system
between these locations would have made this activity difficult.
14. Regulatory issues
 At the time of the accident, both Federal and Provincial governments had policies that
applied to the offshore industry in regards to the local labour content. The efficiency and
safety of the drilling contractor’s operation depended on the skills of its crew. The
requirement to replace the regular crew with local residents could increase inefficiencies
and risk to the operation. The Ocean Ranger Inquiry Panel suggested that the rate of
phase in of local residents ought to be controlled to ensure acceptable standards of safety
are not compromised. The Panel also indicated that there was no evidence that the
insistence by the Provincial Government of the hiring of local residents caused or
contributed in any way to the loss of the rig and its crew.
 COGLA and the Newfoundland Petroleum Directorate had made the incorrect
assumption that ODECO would comply with the 1979 Certificate of Inspection issued by
the U.S. Coast Guard. However, the U.S. Coast Guard never monitored or followed-up
on the conditions attached to the certificate. Canadian authorities did not conduct
regulatory oversight of the foreign registered unit even though it could have done so
under the drilling permit issued to the operator.
Analysis
Policy and Commitment - ODECO’s career management policy focused on growth through
experience without formal training. Employees could acquire various qualifications through
exposure to various job activities. This industry approach was not supported by sufficient
training measures which showed a lack of commitment to formally improve employees and
overall company performance in the area of safety.
Planning - The chain of events which resulted in the loss of the Ocean Ranger resulted from a
coincidence of severe storm conditions, design inadequacies and a lack of knowledgeable human
intervention. Human error, lack of knowledge of the vulnerability of the rig and its ballast

DET NORSKE VERITAS
MANAGING RISK
control system and a mistaken reaction to the malfunction of the equipment compounded the
design shortcomings and led directly to the disaster.
Implementation - The organizational command on board changed depending on the activities
being carried out by the rig. When the rig was moored on location, it was the toolpusher who was
in command even though he had no marine certification or knowledge of the principles of
stability. The master, who was in command while the rig was lifting its anchor and moving, was
responsible for the ballast system during drilling operations but did not have proper training to
operate the ballast control systems and had no crew under his direct and exclusive control. In
effect, the offshore drilling semi-submersible was regarded as an industrial operation in a marine
setting with no marine training for its crew.
The Mobil representative onboard had little influence as he had no decision powers with respect
to the rig activities.
The company failed to provide the required specific training for key positions. The emphasis of
on-the-job training was not complemented with formal training. Emergency training was not
mandatory and did not ensure evacuation procedures were well understood by the crew. Poor
knowledge of the systems and wrong assumptions made by the workers during the emergency
were contributing factors to the disaster.
Overall guiding documentation was not reviewed or revised on a regular basis. The crew relied
on experience in order to perform its duties. There was a lack of manuals, technical information,
adjusted calculation charts for the ballast control room, and proper emergency procedures.
Evacuation procedures were not posted nor enforced by managers.
Under normal operation the ballast control panel had a level of uncertainty where operators were
not fully aware of the effects of actions taken. Inaccurate measurements required for stability
could compromise the safety of operations. Measures taken during abnormal situations were not
understood due to lack of training and knowledge of the system. The lack of a secondary
communication system between the ballast control room and the pump room prevented
coordination of manual operations in case of complete electrical failure.
The lack of applicable evacuation exercises did not allow awareness of the operation and practice
of the evacuation plan and safety equipment.
Checking and Corrective Actions - Non compliances and corrective actions identified by
regulatory authorities were not immediately addressed. The addition of appropriate “on-load”2
release life rafts and survival suits could have saved lives.
2
Mechanism that allows boarding on the ship and release at any time

DET NORSKE VERITAS
MANAGING RISK
The draft marks, which were attached to the four corner columns and were up to 200 ft. away
from the ballast control room, were monitored visually through the portlights located in the
ballast control room. This was a difficult task during normal operations and impossible during
bad weather or heavy seas. No action was taken to improve the monitoring methods although
remote reading gauges were commercially available and were being used on other similar
drilling rigs.
Management Review – The Ocean ranger had been operating off the East Coast of Canada for
more than one year before the tragedy. No established process was in place to conduct a
management review of the operations to ensure the applicable programs and systems had been
developed, implemented and improved when required. A management system with regular
monitoring could have identified shortcomings and prevented the development of undocumented
practices.

DET NORSKE VERITAS
MANAGING RISK
CHERNOBYL 1986
Context
The Chernobyl Nuclear Power Plant was located in Pripyat, Ukraine which was part of the Union
of Soviet Socialist Republics (USSR) at the time of the incident. The explosion of one of the
RBMK3
reactors resulted in the emission of a plume of radioactive graphite and debris over an
extensive area, including Pripyat. The plume eventually drifted over large parts of the western
Soviet Union, Belarus, the Ukraine and also much of Europe.
On April 26th
, 1986, the Chernobyl Unit 4 suffered a nuclear accident during experiments to see
if after steam was shut off from the turbine, the still rotating generator would create enough
power before auxiliary motors could be brought online in the event of loss of external power
sources. The disaster and its consequences are considered the worst nuclear plant accident in
history.
The first report on the incident from the International Nuclear Safety Advisory Group (INSAG)
suggested that the accident occurred due to a low probability coincidence of a number of
violations of rules and procedures by the operating staff and those responsible for authorizing the
test (INSAG-1). After the INSAG-1 report was published in September 1986, considerable
analysis by various international experts led to new insights into the physical characteristics of
the RBMK reactor and also into some details of the progression of the accident. Those insights
led to a need to revise some of the details of the scenario presented in INSAG-1 and to alter
some important conclusions. The results of these additional investigations were released in the
INSAG-7 report which was published in 1992.
3
Soviet light water cooled graphite moderated reactor

DET NORSKE VERITAS
MANAGING RISK
Figure 2 - RBMK Reactor, Source: OECD NEA
On April 25th
, 1986, an experiment was scheduled at the Chernobyl Nuclear Power Plant to test
whether, in the event of a loss of external power, the reactor core could be cooled down using the
rotational momentum of the steam turbine to generate electricity to run the main cooling water
pumps until the back-up diesel generators could take over. The experiment was to take place
following a normal shutdown procedure, and was not anticipated to compromise the safety of the
reactor.
At 01:06 a.m. on that day, operators started the reduction of the reactor power output from 3200
MW using 31 manual control rods4
. When the reactor reached half of the output, a series of
control measurements were performed. This was followed by the disconnection of the
emergency core cooling system (ECCS) as part of the procedure to avoid interference with the
test. At that point, a request was received from the Kiev electrical grid controller to postpone
further reduction of Chernobyl's power output to meet demand. The test was postponed until
23:10, close to the shift change.
On April 26th
at 00:05 a.m., the power level was lowered to 720 MW, which was within the safe
region for the test. However, the power continued to decrease and resulted in a precipitous drop
in power output to 30 MW, well below the minimum safe level established for the test. Measures
4
Graphite rods inserted into the reactor core to flatten the power distribution

DET NORSKE VERITAS
MANAGING RISK
to increase the power and avoid a reactor shutdown were taken and as a result, thermal power
started increasing and stabilized at 200 MW, and preparations for the test continued.
Subsequently, two additional water circulation pumps were activated which led to overcooling
and a reduction in steam generation. A variation in the flow rate of feed water and removal of
control rod were used to stabilize the core temperature and steam generation, and maintain power
to start the test. At this point, the reactor was in an extremely unstable configuration and clearly
outside its safe operating envelope.
The test was initiated though the closure of the turbine emergency stop valves and the shut-down
of water circulating pumps powered from the turbine generator which was being run down. The
expected reduction in steam quantity did not occur and instead, steam began to increase. The
emergency button was pressed and the emergency and manual control rods started to move down
into the core; however, their insertion from the top of the core concentrated reactivity at the
bottom.
A sharp increase of pressure in the reactor and a failure of the automatic power controller and
measuring system and subsequent rupture of a fuel channel resulted in explosions from steam
and fuel vapours.
One specific thermal-hydraulic feature of the test was the increased initial coolant flow rate
through the reactor over the rated level. During the test, the steam quality was at the minimum
level and the coolant temperature at the core inlet was below boiling point. These combined
effects had a direct impact on the failure of the test.
Key Findings of the INSAG-7 Report
The first investigation report’s conclusion (INSAG-1) focused on operator errors. A subsequent
revision, based on new information relevant to the accident (INSAG-7), helped clarify
deficiencies in design features, operator’s actions and the overall safety framework at the plant.
1. The plant fell well short of the safety standards in effect when it was designed and even
incorporated unsafe features.
 Control rod position led to conflict with the simultaneous requirement to maintain
shutdown capability and appropriate value of the power coefficient5
. These design
features made the plant vulnerable to human errors.
 The control room did not have necessary instrumentation to monitor the Operating
Reactivity Margin (ORM)6
parameter.
5
The Power coefficient of reactivity is the ratio between the total reactivity change produce and the change in power causing it.
Under normal operation, the power coefficient remained negative.

DET NORSKE VERITAS
MANAGING RISK
 The configuration of control rods controlled the minimum ORM required for safe
operation and it was not incorporated into the reactor’s protection system.
 The layout made it difficult to detect unsafe reactor conditions.
2. Insufficient attention to independent safety review and analysis
 INSAG indicated that the design and operation of Chernobyl Unit 4 as well as other
RBMK reactors should have received a great deal more attention through an independent
technical review and safety analysis. It was felt that the improved understanding derived
from the review, coupled with a regime requiring independent and formal approval for
changes to safety related aspects of design and operating procedures, would have gone a
long way towards averting the accident altogether.
3. Inadequate and ineffective exchange of important safety information both between operators
and between operators and designers
 There was a widespread view that the operating conditions that triggered the positive
scram effect7
could never occur.
 Insertion of safety rods worsened the conditions because of the positive power
coefficient. It was known to designers that there were potential issues operating the
reactor with low power and a positive coefficient but the operating restrictions were not
communicated to the operators.
 Two previous reactor incidents8
identified the existence of design problems and potential
for accidents; however, no thorough analysis was performed to understand their
significance and they were ignored.
4. Inadequate understanding by operators of the safety aspects of their plant
 The developer of the testing programs had a poor understanding of the characteristic and
potential behaviour of the reactor under the planned operating conditions.
 Operators were not aware of the potential consequences of operating under the test
conditions.
5. Insufficient respect on the part of the operators for the formal requirements of operational
and test procedures
 There was no formal prohibition to operating or testing the reactor at power levels below
700 MW.
 The prescribed test procedure required a minimum of 700 MW of power; however, the
test was initiated at 200 MW due to inability to restore the power. The procedure was not
6
ORM is expressed in terms of the number of equivalent control rods of nominal worth remaining within the core. Its importance
was in the number of control elements in the core adequate for manoeuvring to keep the power distribution balanced
throughout.
7
Insertion of positive reactivity by the manual and emergency control rods
8
Leningrad nuclear power plant in 1975 and Ignalina plant in 1983

DET NORSKE VERITAS
MANAGING RISK
strictly followed and instead, the test conditions were modified to adjust to the prevailing
conditions without any evaluation of the contemplated changes.
 Poor quality of operating procedures and instructions and their conflicting character
resulted in additional load to operation personnel and managers.
6. An insufficient regulatory regime that was unable to counter pressures for production
 At the time of the accident, USSR did not have a dedicated operating organization and a
strong regulatory regime with all the necessary enforcement powers. Areas like design,
operation safety analysis, training requirements, safety culture and regulatory
enforcement were ineffective.
 Regulations did not require the plant manager to obtain approvals for the test from the
general designer and regulatory body.
 The basic design of the RBMK reactors was approved despite the lack of conformity to
many requirements for nuclear power plants.
7. A general lack of safety culture in nuclear matters, at the national level as well as locally
 The unnecessary disabling of three components of the reactor protection for an extended
period during the test, are indicative of an absence of safety culture.
 INSAG-7 confirmed the view that safety culture had not been instilled in nuclear power
plants in the USSR prior to the Chernobyl accident. Many of the requirements seem to
have existed in regulations, but these were not enforced. Many other necessary features
of safety culture did not exist at all.
Analysis
Policy and Commitment – INSAG-7 did not indicate that there were any policy statements in
place for the Chernobyl plant, but the report does indicate there was a general lack of safety
culture at both the operating and regulatory regime.
Planning - Poor attention was given to identification of risk and the vulnerability of the design of
the reactor led to the incorrect analysis of the operational safety. The existence of the positive
scram effect had been understood prior to the accident but design and procedural changes were
not implemented. There was a widespread view that the conditions under which the positive
scram effect would be important would never occur. However they did appear in almost every
detail in the course of the actions leading to the accident.
The regulatory regime in the USSR at the time of the incident was ineffective in many important
areas, such as analyzing the safety of the design and operation of plants, in requirements for
training and in the enforcement of regulations. The basic design of the RBMK reactors was
approved despite the lack of conformity to many of the USSR’s design requirements for nuclear
plants.

DET NORSKE VERITAS
MANAGING RISK
Lack of planning was evident with respect to the test as it was supposed to be completed by the
day shift, but was eventually performed by night shift who had minimal time to prepare for and
conduct the test. During the delay (approximately 11 hours) and during the test, three
components of the reactor protection system had been purposely disabled.
Implementation – The organizational structure, roles and responsibilities was not discussed in
INSAG-7. It was pointed out that when the reactor power could not be restored to the intended
level of 700 MW, the operating staff modified the test procedure on an ad hoc basis and initiated
the test at the 200 MW level. This was done without any formal approvals or evaluation of the
consequences of not following the original test procedures.
Designers were aware of the positive scram effect on the reactor and did not change the design to
correct the problem. Also, the related procedural measures which were recommended by the
Chief design engineer for RBMK were not included in plant operating instructions.
In general operating procedures and instructions were of poor quality and conflicting character
which included a deficient system for emergency shutdown, which laid the basis for the positive
scram effect and increased reactivity.
The data acquisition system was designed to provide guidance to operators on steady state
control of power density distribution; however it was incapable of recording data under unstable
conditions, and did not provide important data for investigation and learning opportunities.
Inadequate operational controls were implemented by the operating staff who mistakenly
believed that as long as the lower limit on ORM was satisfied, no matter what the rod
configuration was, the demands of safety were met. There was no effective facility in the control
room for informing the operators that there was a requirement to maintain a certain control rod
configuration in order to maintain the minimum ORM. No procedure for proper rod positioning
was applied during the test which led to the destruction of the reactor.
Checking and Corrective Actions – Previous incidents at the Leningrad and Ignalina plants were
not adequately reviewed and the significance of the events was not fully understood by
designers, operators or regulators and the information was essentially ignored.
No independent technical review or safety analysis was conducted for the Chernobyl Unit 4 or
any other of the RBMK reactors. A competent safety analysis would have helped create an
environment of attention to safety as a primary objective and would underlie the importance of
the effective transfer of the knowledge gained through safety analysis to operators.

DET NORSKE VERITAS
MANAGING RISK
Management Review – Management failed to implement an effective system to assess the initial
or continuing suitability of plant design or operating procedures and to make sure the procedures
in place were not violated. Also, it failed to assess the effectiveness of the protection systems and
the possibility of conflicting design objectives to maintain shutdown capability and appropriate
values of the power coefficient which made the plant unduly reliant on sound operator action and
increased exposure to the possibility of operator error.

DET NORSKE VERITAS
MANAGING RISK
PIPER ALPHA 1988
Context
The Piper Alpha was an oil platform operated by Occidental Petroleum Ltd, located in a North
Sea oil field, 177 km north-east of Aberdeen. The platform started production late 1976. Piper
Alpha gathered gas and transported oil to shore by pipeline to the oil terminal at Flotta. In 1978,
to comply with the gas conservation policy, it started pumping surplus gas to a Manifold
Compression Platform, a platform named MCP-01.
Piper was linked by 3 gas pipelines to the other platforms and by an oil pipeline to the terminal at
Flotta. Claymore started production after Piper in 1977, 22 miles west from Piper and it was also
operated by Occidental. Tartan was located 12 miles south-west from Piper and 18 miles from
Claymore and was operated by Texaco North Sea UK Ltd. MCP-01 was located 34 miles to the
north-west from Piper and was operated by Total Oil Marine. Flotta oil terminal received the oil
from Piper, Claymore and Tartan.
Figure 3 Pipeline Connections of the Piper Field
On July 6, 1988, a catastrophic fire engulfed the Piper platform killing 165 out of 226 on board,
and 2 located on a rescue vessel. The fire was initiated by a condensate gas leak in the

DET NORSKE VERITAS
MANAGING RISK
compression module, which exploded. The damage soon escalated and the fire enveloped the
platform, resulting in its structural failure and collapse.
The Cullen Inquiry concluded the permit-to-work system and shift turnover communication
protocol were not properly followed which led to the incident. In addition, the incident
highlighted the deficiencies of design guidelines and practices, the failure to adjust to new
conditions and changes, issues with risk management, maintenance and inspection.
On the morning of July 6, 1988, injection condensate pump A’s pressure safety valve (PSV 504)
was removed to be recertified. The valve was not located close to the pump; it was 15 ft above
the floor, and was not visible from the pump. The condensate line was sealed with a blind flange,
but the flange was not fully tightened. An open work permit was created but there was a failure
in the permit hand-over system between shifts. As a result, the night shift lead production
operator was not aware that the PSV had been removed.
When the second condensate pump B tripped and could not be restarted, the night shift lead
production operator and maintenance lead hand assumed it would be safe to restart pump A and
the pump was switched on. Pressurized gas condensate flowed into the system and a leak
initiated at the less than leak-tight blind flange location. Since the flange was located in the
module above the pump, it was not visible to the workers. A high pressure gas leak noise was
heard in several areas and was followed by high level gas alarms before the gas cloud found an
ignition point and the first explosion occurred.
Figure 4 Piper Alpha platform: simplified east elevation

DET NORSKE VERITAS
MANAGING RISK
The explosion blew through the firewall panels C&D, which were not designed to withstand
blasts, and destroyed the control room located close to module B. The platform emergency
shutdown was pressed but not the other 3 buttons for the gas pipelines connected to the other
platforms. A projectile from the blast ruptured a condensate line creating a fire.
With the control room destroyed, no communication or order to evacuate was issued. The fire
prevented access to the single lifeboat location. The automatic fire-fighting system, driven by
both diesel and electric pumps was under manual control due to Piper Alpha procedures when
divers were in the water. The majority of personnel who were not on the night shift gathered in
the D deck galley of the fireproof accommodation block and waited for further instructions.
The intensification of the fire impaired the strength of some pipes; the Tartan platform gas riser
burst and a second major explosion engulfed the platform. Claymore platform stopped pumping
after the second explosion while Tartan continued pumping because managers either had no
authority or had not received communication from the Occidental control room to shut in
production.
The Tharos fire-fighting vessel began to pull back from the platform due to the intensity of the
fire that started to affect its structure when the Claymore gas riser ruptured. This rupture
contributed to the accelerating deterioration of both the platform and the Module (D) where the
fireproofed accommodation block was located. The entire platform, including the Module (D),
slipped into the sea.
Key Findings
The platform was originally designed to send oil to shore. In order to accommodate new
production and regulatory requirements, modifications were made without a comprehensive
assessment of new operating conditions. The platform design, including the absence of blast
walls, unplanned platform network growth and non observance of procedures all contributed to
the disaster.
1. Poor design and layout
 The design of the platform was an integral part of the event’s sequence. Flaws included
the layout of the units, the location of the control room close to the production modules,
the location of the radio room, the pipe distribution, running cables through modules,
fireproofing, control mechanisms, spark arrestors, the deluge system and the lack of
redundancy for loss of electrical power, equipment, and emergency and communication
systems.
 The layout of the Piper Alpha platform was faulty and generally, did not take into
account safety in the design philosophy.

DET NORSKE VERITAS
MANAGING RISK
 Firewalls were designed to resist fire and not blast pressure and as a result, there was
insufficient protection of critical equipment against blast projectiles and poor fire
insulation.
2. Failures to comply with Occidental's Permit to Work (PTW) procedures
 There was a failure to follow the permit to work system which led to unsafe practices
such as the re-commissioning of equipment still under maintenance. The pressure safety
valve was not put back in place when the work could not be completed at the end of the
shift.
 The crew did not follow procedures when they completed the fitting of the blind flange.
The flange was not properly adjusted and the lead operator in charge did not ensure the
inspections were completed as required in the procedures.
 In addition, the work situation and the status of the job was poorly communicated at the
shift handover.
3. Inadequate training and competence
 The decision to promote personnel to Offshore Installation Manager (OIM) positions
without sufficient experience and knowledge of the platform was evident during the
emergency when the OIM was incapable of providing the proper orders.
 Poor training in emergency situations and poor assessment of the risk associated with
major hazards contributed to a number of deaths.
 The contractor supervisor had not received any formal training in the PTW system.
4. Inadequate monitoring
 Safety was mainly managed through the implementation of the permit-to-work system
and the absence of feedback was taken as an indication that all was going well. There was
no systematic monitoring or verification of the PTW system.
 The records of operator’s logs were used to monitor the platform activities however
maintenance work was not registered in logs.
 Management failed to adequately review and monitor safety procedures.
5. Inadequate written procedures
 The Piper Alpha procedures required that the firefighting system be left in manual mode
while divers were in the water despite an earlier audit recommendation that the procedure

DET NORSKE VERITAS
MANAGING RISK
be changed. The procedure for other platforms indicated that the system be put in manual
mode only when the divers were in proximity to the platform suction piping.
 The PTW procedures did not address lock-out or tagging of equipment for maintenance
work.
6. Inadequate accident investigation
 Management failed to investigate all equipment failures.
 Superficial responses were adopted when safety issues arose.
 Management failed to apply the lessons learned from the investigations into previous
accidents.
7. Lack of emergency preparedness
 The design of the platform network (Piper Alpha, Claymore, Tartan, and MCP-01)
eventually created a physically interdependent system which was conceived without the
development of integrated emergency preparedness and response procedures necessary in
case of an emergency.
 The platform personnel and management were not prepared for a major emergency even
though the safety policies and procedures were in place. Issues included failure to provide
the proper training, lack of emergency exercises and no proper planning of alternative
evacuation routes.
 During the event, about 100 men moved to the fireproofed accommodation block to await
further instructions that were never received.
8. Lack of formal hazard analysis
 Management ignored previous audits that warned that the platform could not survive
prolonged exposure to high-intensity fires with grave consequences for the platform and
its personnel. Management assumed, base on qualitative opinions rather than a formal
analysis, that the probability of occurrence of such an event was low.
9. Lack of management of change
 Over time, new platforms were introduced to accommodate new needs. The physical
interdependency between the four platforms had grown without preplanning and
emergency shutdown systems were not adapted to match the new design.
 The decision to continue production in Phase 1 mode with high-pressure levels during
maintenance work likely led to equipment strain. Also, personnel did not have sufficient
work experience in this operation mode.

DET NORSKE VERITAS
MANAGING RISK
 Management did not examine the safety implications of changes made to equipment and
activities.
10. Prioritization of production over safety
 Economic pressures and the prioritization of production over safety were evident in
decisions that directly affected the course of the disaster. Examples include:
o the use of a pump which was scheduled for overhaul to avoid stopping
production, and
o delays in closing the valve from connecting platforms due to the high cost of a
shut down. It would have taken several days to restart production after a stop.
 At the time of the accident there was confusion as to which agencies had overall
responsibility for monitoring and enforcing safety regulations.
 The focus on compliance with regulatory requirements was an ineffective way to assess,
monitor and manage safety performance as the emphasis was not in the actual level of
safety but on satisfying regulations.
Analysis
Policy and Commitment. - Occidental’s general policies stated health and safety as a priority and
there was a structure and a comprehensive system of audits. However, the safety system were not
implemented and managed effectively.
Planning. - Several studies looked into hazards associated with prolonged high pressure fires and
the potential impact on the platform and its personnel. The studies included scenarios that could
lead to the weakening of the structural steel supports and various means of fire-fighting were
looked at. A number of safety measures were implemented which included installation of
isolation valves, blowdown and flare systems, deluges and new means of fire-fighting.
However, poor attention was paid to the risk associated with prolonged exposure to high pressure
gas fires. Also, fireproofing of the gas riser was not considered and overall deluge protection was
limited. Management considered the probability of this type of accident very low and felt it was
not a major concern to be addressed.
New production requirements lead to design changes which were made over time without the
proper analysis of hazards associated with these changes. The platform system growth was
initiated without proper planning and there was a failure to adapt the design of the overall system
which proved to be catastrophic.

DET NORSKE VERITAS
MANAGING RISK
Implementation. - Occidental counted on its individual organizational structures to implement
safety management and protection programs. However, roles and responsibilities were not
clearly understood due to poor communication, deficiencies in training, and inexperience due to
temporary promotions.
Even though training was provided, personnel did not have a clear understanding on how to react
in case of emergency. Emergency evacuation drills were not enforced by platform management
and onshore safety staff did not provide effective monitoring of the emergency training.
The downsizing of trained personnel resulted in a significant loss of technical expertise and
experience. Plant operators must have current knowledge and understanding of the design and
operating parameters of individual pieces of equipment, and they need to understand the
consequences of operating such equipment outside these parameters. Particular aspects of
equipment operation require constant operator knowledge reinforcement, which was not
embedded in procedures for verifying the completeness and quality of an operator’s knowledge.
The communication problem appeared to be generalized. The methods of communication were
not clearly identified and activities were performed without a clear understanding of the
interdependencies among components. This situation was evident during shift handovers and
between operation and maintenance work.
A relevant part of the accident was the failure of the Permit-to-Work system. The system
contained procedures that were subject to personal interpretation and were not generally
followed. Previous accidents pointed to deficiencies in the documentation controls associated
with the Permit-to-Work system, but problems were not corrected.
The platform was operating under abnormal conditions which lead to increased risks that could
have been mitigated through the use of experienced operation control personnel. Some of the
deficiencies included: personnel not fully aware of the complexity of the system, poorly trained
and inexperienced personnel allowed in the operation, insufficient number of people operating
the system, inadequate supervision of production and maintenance crews, poor emergency
training and poor evacuation planning.
Checking and Corrective Actions. - A culture that focused on production over safety led to
compromises to the integrity of the platform. Maintenance and inspections of safety features
appeared to be a low priority. In addition, the failure of the Permit-to-Work system and the lack
of adequate monitoring did not ensure written procedures were followed.
Shortcomings in the implementation of safety policies affected the circumstance of the events.
Corrective and preventive actions should have provided the appropriate level of safety required.
Failure to learn from previous accidents, to provide proper training in case of a major

DET NORSKE VERITAS
MANAGING RISK
emergency, to retrofit design and address fireproofing deficiencies and to revise procedures and
communications protocols were an integral part of the system breakdown.
Occidental operated a comprehensive system of audits; however the system was not adequately
implemented to ensure the safety and emergency procedures were followed in an effective
manner.
Management Review. - Evidence suggests that flaws in the quality of the management system
impacted the adequacy and effectiveness of its implementation. Management reviews were
superficial and did not take into account recommendations from assessment reports and previous
accidents. The decisions and actions taken by management directly compromised the safety of
the platform and its crew.

DET NORSKE VERITAS
MANAGING RISK
WESTRAY 1992
Context
Westray was an underground coal mine located at Plymouth, Pictou County, Nova Scotia owned
by Curragh Resources Inc. The coal seams in the Pictou County coalfield included the Foord
seam that Westray attempted to mine. The coal field had a history of being gassy and permeable,
relative to Western Canadian coals.
Any drilling activity that disturbs the Foord seam leads to releases of methane. Depending on the
concentration of methane in the air mixture, the ignition reaction can propagate spontaneously
throughout the mixture in an extremely dangerous manner. Even though previous studies
indicated that there were high concentration levels, the feasibility study for the mine stated that
“methane will not be a limiting factor in the mine ventilation requirements”. The official opening
of the mine was on 11 September 1991.
On May 9th
1992, an explosion occurred in the depths of the Westray coal mine, killing 26
miners. An excessive accumulation of methane in the southwest section of the mine found an
ignition source that rapidly propagated and caused a coal-dust explosion and devastation in
seconds. The mine ceased operations at the moment of the explosion and never re-opened.
The result of inadequate ventilation permitted the accumulation of undetected methane gas as a
fuel source for the explosion on May 9th
. The most probable source of ignition was the cutting
mechanism or picks of the continuous miner that caused sparks of sufficient intensity to light the
gas.
The ignition triggered a rolling flame which propagated into the southwest sections consuming
all of the oxygen and leaving behind high quantities of carbon monoxide. The main flame did not
initially develop into a methane explosion, although it increased in intensity.
The flame continued to propagate until a combination of running equipment, location of an
auxiliary fan and a change in direction of the tunnels created the right conditions which triggered
a methane explosion. The shock wave resulted in an increase in pressure and turbulence, which
caused dust particles to become airborne9
and eventually generated a full-blown coal-dust
explosion.
9
Airborne dust is particle or Particulate Matter (PM), made up of tiny solid particles or liquid that floats in the air. Additionally,
if enough coal dust particles are dispersed within the air in a given area, under certain circumstances it can cause an explosion
hazard.

DET NORSKE VERITAS
MANAGING RISK
The explosion spread through the entire mine causing devastation and the death of 26 miners.
Figure 5 Southwest 2 Section of the mine, showing the location of the equipment at the time
of the explosion
Key Findings
1. Organization and management
 The senior staff management ran the mine at their discretion and disregarded
contributions and suggestions by others. Also, the managers’ qualifications were in
serious question.
 The foremen and overmen10
had little or no opportunity to perform their day-to-day
duties as set out in the Coal Mine Regulation Act. Instead, they just followed the orders
of the mine general manager.
2. Training
 Training proposals seemed to have been formulated to satisfy the inspectorate and the
board of examiners. However, insufficiently trained personnel were working at the mine
and there was poor monitoring of the training requirements.
10
“overman” means an employee who holds a third class certificate as a mine
official and who is appointed as an overman;

DET NORSKE VERITAS
MANAGING RISK
 Training in safe underground practices was inadequate. Insufficient safety orientation
was given to the miners. They generally accepted to perform unsafe tasks or to take
shortcuts in their work without a proper understanding of the danger involved.
3. Hazardous operating conditions
 Coal-dust accumulations were at hazardous levels. Still, no enforcement or systematic
underground stone dusting was performed.
 Methane conditions were unacceptable, excessive underground gas levels were routine
and recurring. Under those conditions, every worker should have been withdrawn from
the mine to comply with relevant regulations. Management chose to ignore the hazardous
conditions and the potential impact on workers.
 The safety approach was focused on reduction of safety issues that had a direct impact on
production. Also the incentive bonus scheme was based on production and it was not
conducive to safety in the workplace.
 The length of the shifts (12 hours) increased the risk of injury and accident to the workers
due to mental and physical fatigue and was in violation of the Coal Mine Regulation Act.
 Illegal and unsafe practices were condoned by management. Practices like storing and
refuelling vehicles underground, use of torches, altering of safety equipment, the lack of
lockout systems, the presence of non-flameproof equipment underground, and of the
permanency of temporary repairs were all dangerous practices.
 The regulating, control and the monitoring of the main airflow were inadequate and
poorly planned. Factors that made it impossible to remove high levels of methane from
the working area of the mine included:
o The lack of monitoring of the barometric pressure.
o The lack of a water gauge to monitor conditions of the mine from the surface.
o Improper sizing of ducting and poor airflow.
o The shut-down of ventilation fans due to maintenance without any provision for
the safety of the workers.
o The relocation of machine-mounted methanometer monitor heads away from their
correct location and interference with the equipment set points.
 The environment monitoring system was ineffective. Deficiencies in the installation and
maintenance of the equipment combined with the lack of sufficient and accurate

DET NORSKE VERITAS
MANAGING RISK
monitoring stations, inexperience of personnel responsible for the operation of the system
and the lack of independence from production personnel rendered the system ineffective.
 Communication of safety issues was discouraged; management had an aggressive and
authoritarian attitude toward employees. The open-door policy was in contradiction with
their behaviour.
 Management’s attention was diverted away from main safety concerns which should
have included mining conditions, ground control requirements, and the adverse roof and
rib conditions which made the mine difficult to operate.
 The company lacked a effective disaster plan, including an emergency procedure manual
and call-out list.
o The Westray mine rescue teams were well trained and proficient in rescue duties;
however, the company was not prepared for a disaster of any proportion due to a
lack of safety equipment, tools and testing devices required for safety rescue
operations.
o Rescue operation roles were not clearly defined.
4. The Department of Natural Resources failed to carry-out its statutory duties and
responsibilities. This failure was shared with the Department of Labour with regard to the
coordination of several aspects of the mine regulations. Examples included:
 Little or no communication between departments.
 Poor enforcement of regulatory provisions including the lack of a final mine plan that
addressed issues of safe and efficient mining.
 Issuance of a mining lease and approvals without confirmation that issues had been
addressed.
 Inspectors had inadequate training and the mine’s plan was not routinely reviewed
therefore, inspection did not revealed safety problems that might have encouraged the
company to make changes.
Analysis
Policy and Commitment- Company policies were established to enforce safe practices and to
provide stewardship but were not implemented by management.

DET NORSKE VERITAS
MANAGING RISK
Planning- The inherent hazards associated with the mine were poorly mitigated at the planning
stage. Feasibility studies were disregarded, designed control measures were inadequate and the
mine plan for safe and efficient mining was incomplete at the time the explosion occurred.
Implementation- The organizational structure had more than a physical separation between
executives in Toronto and managers at the mine. The management hierarchy was not effectively
followed as programs were implemented without the required approvals.
The employee handbook outlined the roles and responsibilities of every position. However,
employees were not made aware of their responsibilities. Also, there were conflicts between
statutory responsibilities and assignments as production was the main concern.
Due to the lack of proper planning, changes to operations were made based on how the situations
developed. Changes were not properly communicated and did not follow a management of
change process to analyze effects and implications on safety.
The challenging work environment and new set of specific conditions required a rigorous
training program to keep pace with technologies in mining operations. Only a small portion of
the required training took place despite miners’ complaints. Miners were insufficiently trained
with no proper certification of competence to work under Westray conditions and there was poor
monitoring from regulatory bodies. Education, training and supervision are essential to a
comprehensive and ongoing training program to maintain safe operations of any mines.
The existence of adequate communications at all levels was not part of day-to-day operations.
Employees were hampered by insufficient experience, training, technical and management
support.
All procedures set out in detail in the Operation and Maintenance Employee Handbook became
pointless when management ignored them.
Procedures were often not followed, illegal practices were promoted, the environmental
monitoring system was ineffective and poor management-worker relations were part of a system
driven by production targets and little attention to safety.
Checking and Corrective Actions- The absence of safety ethics was obvious at every step of the
operation. For example, surveillance and monitoring programs for: mine conditions, standard
practices, the environmental system, and, safety and occupational health were not properly
executed or were disregarded.
Managers at the mine were aware of the hazardous conditions and the history of fire-related
accidents; however, no incident investigations to identify causes and non-compliance issues or to

DET NORSKE VERITAS
MANAGING RISK
develop corrective and preventive actions were implemented. Instead, a multitude of illegal
practices were used to cope with adverse conditions.
Data that was being collected was not the correct data and no records were maintained of the
data collected and no assessment or tend analysis was completed using any data collected.
Management Review- The policies and procedures were never promoted and enforced. During
the short life of the mine, the mine was not subject to routine reviews to verify the suitability of
the mine plan. The plan was incomplete and changes required to adjust to the conditions faced
during the development phase were not properly addressed.

DET NORSKE VERITAS
MANAGING RISK
LONGFORD 1998
Context
At Longford, Esso Australia Resources Ltd. (Subsidiary of Exxon) operates three gas processing
plants and one crude oil stabilisation plant to process gas and oil from wells in the Bass Strait.
The plants were the main provider of natural gas to domestic and industrial users in the state of
Victoria.
Figure 6 Gas Pipelines
On September 25, 1998, an explosion occurred at Longford Gas Plant, killing 2 workers and
injuring 8. The explosion was a result of the ignition of gas and volatile liquid released from a
heat exchanger that suffered a brittle fracture due to a sudden change in temperature.
It took 3 days to completely stop the fire, and the supply of gas to Victoria was halted for several
days. After the accident, it was found that procedures were not effective, practices were
developed informally, communication was poor at the management level and personnel lacked
training. Also, through the years the plants had undergone modifications with no hazard
assessment performed on the oldest Gas Plant 1 (GP1).

DET NORSKE VERITAS
MANAGING RISK
The morning of the accident on Friday September 25, 1998, an increase in flow from the Marlin
Gas Field triggered an automatic shutdown of the pumps known as GP1201, which in turn
caused an overflow of condensate in the absorber and stopped the circulation of the lean oils.
The pumps stayed off for four hours. Notwithstanding the loss of lean oil flow, cold rich oil and
cold condensate continued to flow causing the heat exchanger GP905 to drop in temperature and
become extremely cold (-48o
C).
When the pumps restarted operations there was a flow of warm oil into the cold GP905. The
higher temperature of lean oil flowing into the cold reboiler caused stress in the vessel resulting
in the initiation of a brittle fracture at one end. A large volume of gas and volatile liquid was
released, the vapour subsequently ignited, and a series of explosions and a fire followed. Two
employees were killed and eight were injured.
Figure 7 Lean oil / Rich oil circulation
As a result of the fire and plant interconnections, all three gas plants were shut in and the supply
of gas to industrial, commercial and domestic customers in the State of Victoria was interrupted
and was only restored 19 days after the accident.

DET NORSKE VERITAS
MANAGING RISK
Key Findings
1. Lack of procedures for abnormal operations
 No procedures to contend with increased flow from the wells were developed. The
increase in flow from the Marlin Gas Field led to high levels of condensate in the
Absorber B which allowed condensate to enter the rich oil stream. As a consequence, the
level in the Oil Saturated Tank rose and the level controller closed a level control valve to
restrict the flow from the GP1201 pumps. The low flow cause the automatic shutdown of
the lean oil pumps.
2. Use of defective equipment
 In the process, a non-return valve on the discharge of the GP1201A pump remained stuck
partially open, allowing cold vapour to flow back through the pumps into the lean oil
circuit.
3. Lack of knowledge and training
 Vapour in the circuit made the effort to restart the pumps unsuccessful; giving indications
that cold temperature would ensue downstream from the absorbers. This was not
suspected or detected by operating personnel.
 The plant personnel did not realize the danger associated with operating vessels not
designed for cold temperatures and actions to prevent the flow of rich oil and condensate
from the absorber were not taken.
4. Inadequate isolation
 Escalation of the fire was due to design limitations of the emergency shutdown in Gas
Plant 1. There were no proper isolation and depressurisation systems capable of isolating
the plant completely. This weakness was recognized in previous risk assessments
conducted on gas plants 2 and 3 but no action was taken to correct the situation.
5. Failure to learn the lessons of past accidents/incidents
 A cold temperature incident occurred a month earlier, with similar characteristics, as a
result of a repair in the GP1201A pump. The valves did not shut off tightly which
allowed a drop in temperature as gas expanded. This accident did not lead to a disaster
because the shut down of the lean oil system was done in a controlled manner.
 The incident reporting system was not being used as defined. Process upsets were rarely
reported as an incident unless they were accompanied by personal injuries or damage to
property. The consequence of this practice and the failure to report to the appropriate
parties made it difficult to learn from process upsets.

DET NORSKE VERITAS
MANAGING RISK
6. Inadequate management systems and procedures
 The Operation Integrity Management System (OIMS) and supporting manuals was a
complex management system which was difficult to comprehend by managers and
operation personnel. As a result, the knowledge of OIMS requirements by personnel was
deficient.
 Operating procedures were also deficient and either failed to conform to system manuals
or were absent. Deficiencies were found in training systems, documentation, data and
communication systems.
7. Poor management of change
 Esso’s focus on costs savings led to issues such as the management of change philosophy
not being properly addressed when reducing personnel and changing roles for operators
and supervisors. Knowledge and expertise from employees was lost and no assessment to
evaluate the new conditions was done.
 The relocation of plant engineers to Melbourne deprived operation personnel of
engineering expertise gained through interaction, and prevented engineers from gaining
field activity knowledge.
8. Inadequate assessment of needs and risk
 The failure to identify hazards and conduct a HAZOP study of the Gas Plant 1
contributed to the disaster.
 No HAZOP studies were undertaken to evaluate the impact of modifications on the
plants. Some of the modifications did not work as planned and informal practices evolved
to cope with the difficulties. These issues eventually led to the by-passing of the
automatic process controls.
 The safety efforts were more focused on minimizing the number of minor injuries and not
on controlling major hazards.
9. Alarm overload
 Operators were often working in “Operation in alarm mode”. Over time this led to a
tolerance to the alarm conditions and the protective purpose of the system was lost.
10. Poor monitoring
 There was no evidence that any system existed for regular monitoring of operating
conditions or operator practices.

DET NORSKE VERITAS
MANAGING RISK
 Operators did not keep up to date control room logs. Log book entries were not subject to
examination either by plant management or by management in Melbourne.
 The engineering group did not undertake off-site monitoring or surveillance of ongoing
process conditions, although they were available for assistance. At the time of the
accident there was no experienced engineer on site.
11. Inadequate communication Protocols
 There was poor communication in the exchange of information at shift handovers.
 The self-regulatory regime covering Esso’s operation at Longford fell short of industry
best practices. This regime was less stringent than for its facilities upstream and
downstream of Longford.
 Audits by the company and regulator failed to identify problems at the plant.
Analysis
Policy and Commitment- Even though the company had established policies and an Operation
Integrity Management System, these documents were complex and difficult to comprehend. The
deficiencies in improving the performance of the plant translated into a lack of leadership and
commitment demonstrated by a lack of procedures. For a system to work, the appropriate
corporate culture is essential.
Planning- At the time of the accident, no hazards identification and comprehensive HAZOP
study had been done. It is clear that even if a plant has been subjected to a comprehensive
HAZOP study, some hazards could have likely remained undetected. However its
implementation protects against major hazards and helps prepare appropriate strategies for the
management of unanticipated hazards.
The safety controls resulted in risk management being aimed at reducing high-frequency, low
consequence personal injuries and poor attention to reducing low-frequency, high-consequence
catastrophes. A balance is required to control either end of the risk spectrum.
Implementation- Structural Reorganizations and reduction of personnel had resulted in a
significant loss of engineering and operational capability.
The changes made to roles and responsibilities, and the promotions granted to operators and
supervisors without appropriate competence were done to the detriment of safety, and increased
overall risk and vulnerability to a major incident.

DET NORSKE VERITAS
MANAGING RISK
Esso’s Management of Change Philosophy stated that all changes and modifications required a
risk assessment; in practice, this requirement was not followed and not clearly defined in OIMS.
Management of change assessment should have been followed for upgrades and implementations
to the plant, relocation of the engineering department outside of the plant, reduction of personnel,
and changes in roles and responsibilities. The purpose of the assessment is to determine the
impact of the proposed change on the safe operation of the facility.
The downsizing of personnel resulted in a significant loss of technical expertise and experience.
Plant operators must have current knowledge and understanding of the design and operating
parameters of individual pieces of equipment, and they need to understand the consequences of
operating such equipment outside these parameters. Particular aspects of equipment operation
require constant operator knowledge reinforcement, which was not embedded in procedures for
verifying the completeness and quality of an operator’s knowledge.
Communication breakdown occurred at all levels. A well defined communication system must
ensure communication between management and staff, between engineering and operations, and
between shifts.
Entry information on control room logs was not examined by either operators or the engineering
department. Time logs were not properly kept; information was not registered unless injuries or
damage to property were involved. Proper documentation controls provide opportunities to learn
from past experiences and reinforce knowledge of areas that require attention.
Overall, conditions under normal operations did not provide for a safe operation environment.
Procedures were not updated which lead to the development of informal practices to
accommodate new conditions. Operators worked in a continuous alarm mode environment,
thereby minimizing the purpose and effectiveness of the control systems. Also, procedures for
upsets or abnormal operations were not developed and little or no training was in place to ensure
that analysis of upset information could be completed in a timely manner.
Checking and Corrective Actions- 70% of the process data was recorded on paper charts and the
remaining 30% was stored in an electronic database. This information assisted operators to
understand plant conditions, however, it was not used to evaluate plant performance or perform
trend analysis. The monitoring of processes was undertaken almost exclusively by operators and
plant supervisors as a result of the relocation of plant engineers. Ongoing analysis and evaluation
of trends by qualified engineers is recommended as it helps to detect and prepare appropriate
responsive actions to diminish the likelihood of upsets.
Process data was rarely reviewed. There was no system in place for stamping, storing and
preserving records. Once used, records were discarded by operators who focused on immediate

DET NORSKE VERITAS
MANAGING RISK
production requirements. A record management system assists in keeping historical information
for process review or for accident investigation and analysis.
Results from internal audits were inconsistent with the findings from the inquiry. The audit
process failed to identify deficiencies in the implementation of Esso’s own systems in regards to
management, training, operating procedures, documentation, data and communication.
Management Review- Evidence suggests that some of the management system failings were part
of informal practices becoming standard operating practices without being subject to,
supervision, review and correction. Structured supervision of operations by management could
have stopped the development of these practices. Monthly visits by senior management failed to
identify shortcomings in the management systems.

DET NORSKE VERITAS
MANAGING RISK
COLUMBIA 2003
Context
Columbia was the first space-rated Orbiter of its kind and slightly differed from Orbiters
Challenger, Discovery, Atlantis and Endeavour. It generally flew science missions and serviced
the Hubble Space Telescope. Mission STS-107 was an intense science mission that required a
seven-member crew and was launched from Complex 39-A on January 16th
, 2003 at 10:39 a.m.
Eastern Standard Time.
At 81.7 second after launch, a large piece of insulating foam came off from the external tank and
struck the leading edge of Columbia’s left wing. The foam strike had no impact on the 16-day
mission. During re-entry which started on February 1st
, the pre-existing damage allowed
superheated air to penetrate and destroy the wing, causing the Orbiter to fall out of control and
disintegrate.
An examination of NASA’s11
organizational, historical and cultural factors underwent scrutiny to
analyze their contributions to the accident. The investigation Board found parallel similarities to
the Challenger12
disaster which occurred 17 years earlier.
The STS-107 launch countdown was scheduled to be 24 hours longer than normal due to loads
and inspections requirements. Once those were finalized, the mission started with the ignition of
the Solid Rocket Boosters. With deviations within design margins the ascent went as planned
and the shuttle positioned in orbit.
Post-launch photographic analysis showed that pieces of insulating foam separated from the
external tank 81.7 seconds after launch and a large piece struck the left wing. Concerns
surrounding the amount of damage, led the Intercenter Photo Working Group Chair to request
high-resolution images of the Orbiter in-orbit to be obtained by the Department of Defence.
A Debris Assessment Team was formed to conduct a formal review and a request for imaging of
the wing was made to the Space Shuttle Program manager for further analysis, however the
request was declined. The team used a mathematical modelling tool instead and concluded that
localize heating damage would likely occur during re-entry. After a presentation to the Mission
Management Team the issue was declared irrelevant and the request of imagery was not pursued.
11
National Aeronautics and Space Administration
12
January 28th
, 1986, the shuttle Challenger explodes 73 seconds into its launch, killing all seven crew members.

DET NORSKE VERITAS
MANAGING RISK
The de-orbit preparation and re-entry procedures started on February 1st
. As Columbia descended
into the atmosphere, heating reached its peak level and signs of debris being shed were sighted.
Minutes later Columbia was disintegrating.
The crew of seven astronauts was killed and debris of the $4 billion spacecraft were widely
scattered over Texas.
As a result, NASA grounded the shuttle fleet for two and a half years.
Key Findings
Conflicts between cost, efficiency and safety had an impact on the failures of NASA’s
organizational system along with NASA’s capacity to react to technical issues. Management
practices overseeing the space shuttle program were the cause of the accident.
1. Engineering decisions had a large impact on the incident. With the existence of
normalization13
, flying with flaws became acceptable and routine.
 Evidence that the design was not performing as expected was reinterpreted as acceptable,
which diminished perception of risk throughout the agency.
 Technical deviations were accepted rather than eliminated.
 Engineering analysis was incomplete and inadequate.
 The thermal protection system was normalized even before the shuttle launch began.
 Incidents were analyzed independently and not as part of a structural problem with mixed
signs not regarded as warnings of danger.
 Launch of a previous mission (STS-112) also had damage from foam. It was categorized
as an event with low probability and no serious consequences. Even with this precedent,
NASA did not perform a test of the type “What would happen if”.
 No steps to improve imagery analysis were taken.
 Fixes for the foam issue were under development but there was no rush to implement
them.
13
Re-interpretation and acceptance of technical deviation

DET NORSKE VERITAS
MANAGING RISK
 With little investigation, management was convinced that a foam strike was not a major
concern.
2. In response to political mandates, NASA leaders took actions that created systemic
organizational flaws.
 Political, schedule and budgetary limitations affected the shuttle program’s organization,
its structure and structure of its system,
Culture - allowing flying with flaws was defined as routine
Structure - blocking information flow up the hierarchy
Safety system - weakened, unable to critically analyze and intervene as the last
line of defence.
 Over a decade of downsizing shuttle workforce, outsourcing including safety oversight
and delay of upgrading to make the shuttle safer and extend its life.
 Extended work hours to meet deadlines on International Space Station Node 2 was in
conflict with other programs.
 Safety units with unclear roles and responsibilities and built-in conflict of interest.
 Official classifications of risk were downgraded over time.
 Overconfidence, with “can do” approach and treating an experimental vehicle as if it
were operational. A false sense of confidence was gained based on the success of
previous launches.
3. Post-launch foam strike critical decision making sequence dealt with the assumption that,
even if the foam strike had been discovered, nothing could have been done.
 Engineers jumped into the assessment of the problem with no direction from their
management,
 Decision-making at management levels was decentralized, loosely organized and with
little form, while this helped to develop ideas, the lack of structure had a negative impact
in this case.
 Worries of engineers did not change risk assessments and they did not have enough data
to prove their concerns. Engineers’ concerns were not listened to and request for imagery
was declined and they were put in a situation that instead of having to prove it was safe to
fly, they were asked to prove that it was unsafe to fly.

DET NORSKE VERITAS
MANAGING RISK
 The organizational structure and hierarchy blocked effective communication of technical
problems. As a result many signals of danger were missed.
 An informal chain of command and decision making process was allowed to develop and
operated outside of the organization’s rules.
 Changes in roles and responsibilities were transferred to contractors, which increased the
dependence on the private sector for safety functions and risk assessment while
simultaneously reducing the in-house capability to identify safety issues.
 Safety representatives were present in various teams. However, rather than actively
participate in the analysis, they listened and concurred.
 Management was not able to recognize that under unprecedented conditions, when lives
are on the line, flexibility and democratic processes should take priority over
bureaucracy.
Analysis
Policy and Commitment – NASA’s policy dictates that safety programs should be placed high
enough in the organization and be vested with enough authority and seniority to maintain
independence. However, over time it became reactive, complaisant and dominated by unjustified
optimism.
Planning – Hazard analysis processes were applied inconsistently across systems, sub-systems
and components. The analysis was based on components and elements instead of considering the
shuttle as a whole. NASA was lacking a consistent, structured approach for identifying hazards
and assessing risks.
The assessments contained subjective and qualitative judgements that identified large hazards as
acceptable risks to take. Ineffective controls to reduce an increasing list of waived concerns and
issues with critical components increased the risk.
Implementation – NASA’s philosophy called for a centralized policy and oversight at
headquarters and decentralized execution of safety program at the enterprise, program and
project level. The shuttle program was unable to simultaneously manage both the centralized and
decentralized systems.

Major hazard incidents

Recommended

Recommended

More Related Content

Similar to Major hazard incidents

Similar to Major hazard incidents (20)

Recently uploaded

Recently uploaded (20)

Major hazard incidents