Case Studies for Final ENGG 404

(M1.07) Sunrise Propane Explosion:

 Illegal truck to truck transfer resulting in loss incident. Standard Operating Procedures (SOP) not
followed. Compromised safety to speed up the process. Explosion of gas that leaked caused facility to
explode as well
 Truck to truck transfers were a frequent & routine operating practice at the facility

(M10.05) Piper Alpha Rig:

PEAP:

 Without sound leadership, the control of risks breaks down & unacceptable events occur

Immediate Causes:

• 2 condensate pumps – one shut down for maintenance and blanked off, not known to the night
crew.
• No work permits, or lockout permits were known of.
• Unknown reason for why second pump shutdown automatically
• Crew attempted to start first pump, condensate spewed out and vapour cloud exploded
• No fire water available
• Major failure in gas line

Basic Causes

• Heavy pressure on production

• No risk analysis
• Minimizing downtime of equipment in maintenance
• Poor inspection by authorities

(M10.03) Bhopal UCC Pesticide Plant:

PEAP:  People: 2500 immediate fatalities (25000+ total fatalities) & 100,000+ offsite injuries
 Environment: Vapour cloud of methyl isocyanate (MIC) released
 Assets: ***
 Production: ***

Safety features of plant

• Refrigeration system – not on

• Vent gas scrubber with caustic neutralizer – not on
• Water-spray popes that could be used to control some quantities of escaping gas – not on
 Case Studies for Final ENGG 404

• Flare tower for burning small amount of gas – not on

Parts under maintenance

• Flare system – repair pipe

• Refrigeration system – refrigerant drained
• Nitrogen pressure system on tanks developed faults
• Popes were flushed with water before repairs
• Leaking valves and “open” valves allowed water to flow into MIC tank (500 kg)

Water reacted with MIC in presence of metallic impurities. Rapid release of vapours through relief valve
system. Scrubber system was meant to deal with MIC gas alone, not mixed with liquid. It failed to
operate. Flare was down for maintenance and refrigeration was out of commission. Water sprinklers
didn’t provide enough water to neutralize the gases. The gas bypassed all the safety measures.

Immediate Cause

• Water being able to mix with MIC

Basic Causes

• Human factors: Plant losing money (running at 40% capacity), low morale, safety rules and
permits not being effectively enforced, best employees leaving, manning cut by half, no
maintenance supervisor on second and third shirt, not a computerized plant, and rumors of
sabotage upset brining systems under control.
• Organizational Factors: Bhopal was an unprofitable plant in an unimportant division of the
corporation, operating under 40% capacity, plant was up for sale, 8 plant managers in 15 years
(many from non-chemical industry backgrounds), 10 major areas of concern that were not
corrected (5 contributed to the incident), no contingency plans for dealing with major incidents
and management system was of a poor quality.
• Technological Factors: Large storage of MIC, non-computerized plant, tank was not under
positive nitrogen pressure for 2 months (allowed metallic impurities enter and act as a catalyst),
plant design and piping system allowed a pathway for wash water to back into tank during
flushing operation, scrubber system designed for vapour only and no radio communication
system for operating staff.
• Poor government in Bhopal: local government allowed for urban development near plant, lack
of community awareness and emergency preparedness.

Latent causes

• Lack of management and government attention

• Good Design not maintained by management, completed breakdown in risk management
system and program
 Case Studies for Final ENGG 404

***(M10.04) Exxon Valdez Crude oil Tanker:

 Lessons in Complacency and Leadership
 2 MOC occurred: Change of path in order to miss ice & change of ship captain

PEAP: People: No people injured however birds & otters died

Environment: 11 million gallons of oil spilled
Assets: Exxon paid fishing industry $75 million & clean up costs of $1.28 billion
Production: ***

(M10.09) Flixborough Nypro Works Explosion:

*** KEY Lessons from this case study:
1) Know your Limitations
2) Ask for Help
PEAP: People: 28 deaths, 100s injured (36 serious)
Environment: Damage to surrounding houses & shops (~2000 homes) fire burned for 10 days
Assets: Destruction of plant ($48 million in 1975) replacement value today ($3.6 billion)
Production: $120 million, Plant was never rebuilt (litigation costs +$60 million)
Situation:
• Reactor #5 had crack
• A replacement vessel or repairs on #5 would require long production outage
• It was decided to bypass it and continue
Concern
• Not a bad thing to bypass a reactor, it’s how it was done.
• Bypass Dog-leg piping (not a straight pipe), bellows (expansion joints) and support was installed
by unexperienced chemical engineer. He thought management expected him to be able to do
the job.
• No qualified mechanical engineer on site
• Considered routine plumbing
• Bellows not designed for thrust movement
• Design standards for bellows ignored
• Inadequate vertical and external support (scaffolding)
• Inadequate concern with failure cause of reactors
• Inadequate concern with incidents at other locations with similar technologies.

Basic causes
Engineering and design factors
• Available manufacturers literature on the bellows noted that only straight
connections were safe
Job factors
• No mechanical engineer of sufficient calibre on site when bypass was designed
• Senior management previously advertised for mechanical engineer – should have
had temporary solution
Personal Factors
• Chemical engineer was in charge
• Completed the temporary design for the bypass
• He thought he knew enough and was driven to satisfy his manager
 Case Studies for Final ENGG 404

Latent causes
• RME 2 (RAMR) – No one recognized the hazard of installing an inadequately designed popping
spool
• RME 4 (MOC) – There was no formal review process to examine, analyze, and assess the change
in the piping system before it was being implemented.

(M 10.10) STS-51L Challenger 1986-01-28 & STS-107 Columbia 2003-02-01:

STS-51L Challenger
 Significant tension between management & engineers about what the data was saying about risk of
launch
*** Key lessons from Challenger: (Main ones from prof)
1) Maintain Sense of Vulnerability
2) Combat Normalization of Deviance
 Combat Normalization of deviance with empowerment & accountability
 Combat Complacency with Vigilance
Other key lessons:

Challenger was delayed 6 times. Engineers at contractors who worked on O-rings told NASA officials that
launch spoke against launches under 54F. Night before contractors had a call with NASA and told them it
will be too cold and that they shouldn’t launch. Contractors engineers did not sign off on the launch.
Contractor management made the decision to sign off on the launch because of an attitude of asking
engineers to prove that the O-rings would fail, and it would be unsafe to launch. Engineers consulted
their data but could not prove 100% that their would-be failure. There were 9 cases of primary O-Ring
failing but not secondary O-ring. NASA management and contractor management saw that secondary O-
ring was enough. O-rings expand and seal the cylinders. When temperature is too low, and the O-rings
cannot expand and seal the cylinders.
Immediate Causes:

• O-rings fail to seal solid rocket booster hot gases at joint due to low temperatures
• Temperature was out of their normal launch range
• Pre-flight leak tests caused more damage by puncturing O-ring seal
• Rubber O-ring seal failed, burned away, and caused solid rocket combustion gases to escape and
impinge on the LOx and H2 rocket tanks
 Case Studies for Final ENGG 404

Latent Causes

• Recommendation by engineering firm to NASA were overridden

• NASA did not learn from previous O-rings failing (primary failed, secondary remained)
• Large pressure model on NASA to get job done fast
• Technical recommendations not heeded
• Inadequate quality control procedures for determining O-ring quality
• Workers fatigue due to overtime hours to get job done ASAP
• Lack of commination among employees
• Time over safety
• Pressure on cost and schedule

STS-107 Colombia

Immediate Causes
• Heat resistant tiles were damaged by insulation impact

Latent Causes:
• Decision to launch despite known hazard (outside temp range)
• Management pressure on cost and schedule
• Failure to investigate previous incidents (previous issues with primary O-ring failing)
• Failure to do risk assessment/abide by risk assessment
• Failure to check and correct gaps in the risk management program

Vigilance combats complacency

• Proactive planned inspections
• Address Sub standard conditions and practices
• Report safety information and performance data upwards and across the organization without
distortion
• Learn lessons from the investigation and analysis of incidents

Lessons Learned from Challenger: Fundamentals of Teamwork:

1) Training
2) Communication
3) Ownership of Responsibility/Accountability
4) Trust
5) Maintaining sense of Vulnerability
6) Courageous self-leadership & Supervisory leadership
 Case Studies for Final ENGG 404

(M 10.11) BP-Macondo Oil Field & Deepwater Horizon Rig (DWH):

 Management had a good record for OHS but not process safety. Made decisions based on
cost/schedule
PEAP: People: 11 deaths, 16 serious injuries
Environment: Large impact on marine environment & fisheries
Assets: Total loss of Rig ($350MM) & fines, clean-up costs & litigation in the 10s of billions $
Production: DWH was a drilling rig & not a production rig, did not secure the well for a
production rig to tap into the reservoir
Technical Causes
• Damaged annular on the blowout preventer (BOP) – chunks of rubber seal found in drilling mud
• Inoperative control pod on the BOP
• Damaged hydraulic line and weak battery on the BOP
• The BOP could not be activated
• Pressure test to determine mud and plug integrity was inaccurate
• Premature removal of mud before plugs were completed and set
Management of Change
• Differences of opinion on how to seal the well
o Transocean manager vs the BP manager
o BP manager suggested a faster solution
Through formal audits, driven by a robust PE&CI program, senior leadership would have discovered that
• Critical changes were being made without adequate and thorough reviews
• Process safety risks were not being managed to any great degree, certainly not as thorough as
the risks for occupational health and safety
The Latent Causes
 Process safety risks associated with drilling operations were not properly considered, evaluated, &
managed. Testimonies show that when deadline pressures were on, process safety was not considered

Four Key Lessons on Professionalism from the BP-DWH loss incident

1) We have good risk management programs. We mist commit ourselves by applying PDCA
(planned and tangible actions with meaningful engagement and meaningful outcomes) as
demonstrated through real activities (planned inspections, MBWA, and follow up) to make
safety real.
2) When we make safety a value and manage safety as a value, as opposed to managing it as a
shifting priority, we shape our organization into the desired safety culture
3) When we actively analyse for and manage hazards in the workplace, we reduce risk tolerance
4) Not only must we implement our risk management programs, we must improve our
management effectiveness and express that we cannot tolerate any short cutes on life saving
rules and triggers and critical procedures and work practices.
Westray (A watershed incident)
 Methane triggered a coal dust explosion in nova scotia 1992
 26 deaths
Immediate causes:
• Substandard work Practices:
o Poor housekeeping WRT build up of coal dust in mine
o Continuation of mining despite inoperable methane detection devices
o Storage of fuel & re-fueling of vehicles underground
o Inadequate follow up by NS government inspectors to address regulatory deficiencies
 Case Studies for Final ENGG 404

• Substandard Conditions:
o Inadequate ventilation system design & capability
o Thick layers of coal dust with unacceptably high levels of combustible matter
o Inadequate system to warn of high methane levels
Basic Causes:
Engineering & design Factors:
• Poor regulating control of maintaining air flow (inadequate technical design)
Job factors:
• Workers not engaged in day-to-day decision making, just follow orders (organizational
factor)
• Unqualified personnel & poor employee training (inadequate training)
• Poor compliance to best industry practices & legislated safety requirements (inadequate
job procedures)
Personal factors:
• Fear of retaliation from workers (perceived mental or psychological stress)
Latent Causes:
• Associated with weaknesses in MLCA, PE&CI, DC&S, O&P, EC&T

Elliot Lake Algo Mall roof Collapse:

 2012 roof collapse killed 2 people
 Engineer claimed building was structurally sound
 Inspecting engineer made changes to report after partner signed off on it
 Changes were made at the request of mall owner, so he wouldn’t have issues when he applied for
refinancing of the mall

The following Pressures from client cause engineer to make such decisions:
• Money (Reduce costs for client)
• Might lose client
• Might get fired

Immediate Causes:
• Substandard work practices:
o Engineer completed deficient inspections of the mall
o Engineer didn’t read past inspection reports by other engineers
o Engineer didn’t inspect ceiling beam welds
• Substandard Conditions:
o Water leaking through roof-top parking deck
o Welds in ceiling beams of mall were corroded
Basic Causes:
Engineering & design factors:
• Original mall design allowed for water to infiltrate through roof (inadequate technical
design)
Job Factors:
• Municipal officials chose not to enforce their own bylaws (organizational factors)
• Inadequate maintenance of rooftop parking deck
Personal Factors:
• Engineer was more concerned about pleasing the mall owner (improper motivation)
 Case Studies for Final ENGG 404

Latent Causes:
• Municipal officials & mall owner prioritized profit over safety (MLCA)