Health & Safety Management

December 23, 2020

Chapter 1; Introduction

The notion that accidents just happen has been discredited by a wealth of evidence and theories. The current prevailing view posits that accidents are caused, mainly as a result of the interplay between several elements and hierarchies inherent in sociological and technical systems, particularly so in contemporary society, which is characterised by increased inter-connectedness, reliability and complex automation (Song and Ying, 2011; Oakley, 2003). There are accordingly several accident causation models, theories and associated accident investigation models (Katsakiori et al., 2009). Some of the most common theories include: the Multiple Causation Theory; the Epidemiological Model; the Haddon Matrix Model; the Sequence of Events Theory (Oakley, 2003); Man-made Disasters; Normal Accident Theory; and High-Reliability Organisation Theory (Saleh et al., 2010).

The multiplicity of accident causation models and investigation techniques is indicative of two things: firstly, the criticality and centrality of safety to human systems and discourse (Song and Ying, 2011); secondly, the increasing appreciation of the utility of learning from disasters and accident events (Santos-Reyes and Beard, 2009) insofar as accident prevention and safety promotion are concerned (Saley and Pendley, 2012). Whilst the existence of multiple theoretical paradigms could be taken to suggest the prevalence of strong disagreements regarding the phenomenology of accidents and disasters, there are multiple points of convergence between the different theories insofar as what the initiating events of accidents are, the diversity of agency as well as groups and individuals who influence and/or contribute to accident causation and prevention, accident precursors and accident pathogens (Saley and Pendley, 2012). Moreover, there are context-specific differences (in regard to technology, organisation, systems and operational environment) in the nature/type and pattern of accident precursors, with some accidents mainly caused by failures, absence or inadequacies of human elements whilst others are caused by failures in technical and structural systems, among others (Antao and Soares, 2008).

According to Katsakiori et al. (2009), there has been a gradual evolution of accident causation theory, characterised by a movement of opinion and practice from the previously prevalent techniques and models focused on the sequence of events to the now emerging representation of accident causation in terms of whole-system events. This shift has correspondingly caused a movement in accident investigation techniques from investigation of a single immediate cause to a recognition of the influence of several causes. This study takes the latter format in the investigation of an explosion that occurred in the early hours of Sunday the 11th December 2005 at the oil storage and transfer depot in Buncefield, Hemel Hempstead (MIIB, 2008). The evaluation of the investigation approach and techniques employed subsequent to the major incident was effected through archival research of published reports and published literature, with the use of two specific accident investigation techniques: Barrier Analysis and Events and Causal Factors Analysis.

Overall and Specific Objectives of the Study

The overall objective of the investigation was three-pronged: 1) examination of what went wrong; 2) evaluation of informational deficiencies pertaining to the incident; 3) evaluation of the utility of systematic approaches to the investigation of accidents, especially in regard to their efficacy in helping organisations and individuals learn from disasters. In this respect, the following key parameters are considered:

  • What human, technical and organisational factors were precursors to the incident
  • Determine the effectiveness of the approach and techniques used to investigate the incident
  • Determine informational deficiencies linked to the incident
  • Evaluate the utility of systematic approaches of accident investigation insofar as their efficacy in helping organisations and individuals learn from disasters

To that end, the techniques that were used in the investigation belong to a wider group of investigation techniques that fall under the so-called Management Oversight and Risk Tree (MORT) technique, an investigation framework that is decidedly structured and is posited to have utility for the comprehensive assessment of organisational management failures and inadequacies that make up or influence accident precursors (Santos-Reyes et al., 2009). The two techniques that were chosen for evaluating the Buncefield incident were Barrier Analysis (BA) and the Events and Causal Factors Analysis technique (ECFA).

What follows is a conceptual look into MORT, BA and ECFA for the purpose of providing justification for the choice of the accident investigation techniques chosen and the findings subsequent to the use of the techniques in respect to the Buncefield incident.

Brief of the Accident

The Buncefield accident, a major petrochemical industry accident, occurred at the fifth largest oil storage and transportation site in the United Kingdom on the morning of 11th December 2005 (MIIB, 2008). The site of the incident, better described as a tank farm close to the M1 motorway in Hemel Hempstead, Hertfordshire, had three operating sites: one which was a joint venture between Total UK Ltd and Chevron Ltd, known as Hertfordshire Oil Storage Limited (HOSL); the second site was also a joint venture between BP Oil and Shell Oil, the British Pipeline Agency Ltd (BPA); and the third site was operated by BP Oil UK Ltd (HSE, 2014b).

According to the MIIB (2008), transportation of fuel to the site was effected through 3 different pipelines (Finaline; M/B pipeline; and T/K pipeline), all of which delivered fuel in batches to several storage tanks situated within a walled area, otherwise known as a bund. Just before 7 PM on Saturday the 10th December, a delivery of unleaded petrol into HOSL’s tank 912 located in bund A was started (HSE, 2014b). The delivery process continued through the night into the morning, and just before 6 AM the 6 million litre capacity of tank 912 had long been exceeded (HSE, 2014b). As a result of the malfunctioning of designed safety systems in the said tank, petrol started to flow out of the tank, with estimates holding that up to 300 tonnes of petrol escaped from the tank (MIIB, 2008). Because of the prevailing environmental conditions at the site at the time, it is thought 10 % of the escaped petrol turned into vapour, which on mixing with the cold air reached concentrations that were enough to make it flammable (HSE, 2014b; MIIB, 2008).

The petrol vapour cloud was of such proportions that it spread further than the boundaries of the tank farm to the nearby estate car park. Investigations by the HSE (2014b) assert an alarm was subsequently raised by members of the public off the site and by tanker drivers, following which the fire alarm button was activated and the firewater pump started. Investigations further posit the firewater pump provided the spark that ignited the vapour cloud, causing an explosion and a fire that spread to more than 20 oil storage tanks across the Buncefield tank farm (MIIB, 2008). The resulting inferno burned for 5 days and is reputed as having been the biggest peace-time fire incident in the United Kingdom. Although no fatalities were involved, more than 40 people were injured and considerable damage to property and surrounding businesses occurred (HSE, 2014b).

Chapter 2; Literature Review

Accident Investigation Techniques

According to Martin and Walters (2001), there are three reasons for conducting an investigation subsequent to an accident: the determination of direct and indirect precursors of the accident; establishment of ways for prevention of recurrence of similar accidents; and documentation of facts of the incident for legal and regulatory purposes. Indeed, it is well established that there are safety management concerns and issues attached to every incident and accident, which is the reason for investigation, especially so in the context of the petrochemical industry, where there are serious social issues linked to accidents and major incidents (Cheng et al., 2013).

The understanding of the precursors to an accident or incident (including so called ‘near-misses’) is critical to safety, be it in organisational or societal settings, to which end several different methods and techniques have been developed to help the achievement of better safety management across the board (Doytchev and Szwillus, 2009).

There are a number of accident investigation techniques that can be used for the investigation of root causes to accidents including (See Oakley, 2003):

  • The Management Oversight and Risk Tree (MORT) technique
  • Events and Causal Factors analysis (ECFA)
  • Barrier Analysis (BA)
  • Change Analysis (CA).
  • Specialised and computerised investigation techniques such as time loss analysis, human factors analysis, integrated accident event matrix, failure modes and effects analysis, and the design criteria analysis.

Lyons et al. (2004) identify up to 35 different accident investigation techniques, all of which are aimed at identifying errors and weaknesses inherent not only in work but also in the personnel who carry out work. They are all aimed at two things: improving reliability as well as safety across all industries, sectors and organisations.

Besides their utility insofar as helping organisations and individuals establish the anatomy of accidents and disasters as well as learn from such events, accident investigation techniques have grown in popularity and use in legal and regulatory management of disasters, including the area of litigation, where they are increasingly helping judicial officers and litigants not only reconstruct accidents but also predict the outlook of accident events (Vestrucci, 2013). This is particularly so in regard to the Fault Tree Analysis technique, where it is possible to predict the outlook of an accident’s undesirable event (also known as the Top Event) from analysis of external events, component failures and human errors (Vestrucci, 2013).

According to Kim and Yoon (2013), the multiple accident causation models that exist are founded on the notion that accidents have components. These components form what literature conceptualises as the anatomy of an accident (Vestrucci, 2013), which, whilst different from one accident or near-miss context to another, broadly conform to one cross-cutting characteristic in that they almost always include not only human failures but also technical failures and external intrusions (Kim and Yoon, 2013). Indeed, in virtually all accident and near-miss events human failures have some influence, which explains the growing recognition and popularity of the notion that there is no such thing as an “act of God”, because even in situations and circumstances like natural disasters there is a significant influence of anthropological factors and/or human failures, represented in the form of lack of cognition, oversight and mistakes, let alone the limitations in human capacity to comprehensively understand the workings of systems that comprise social settings (Borodcizc, 2005).

Evidence, albeit varying, shows that in respect to major accidents that occurred in the United States and the European Union, maintenance issues were linked to nearly half of all the major accidents in general, with lack of barrier maintenance accounting for 50 % of accidents, but also with significant influence of deficient design, organisation and resource management, as well as deficient planning, scheduling and fault diagnosis (Okoh and Haugen, 2014). Moreover, as argued by Kim and Yoon (2013), the components of systems, and the components of accidents for that matter, have interesting interactions, with the various modes of interaction having implications for safety and accident prevention or the mitigation of the number and frequency of accidents.

Accident investigation techniques, whilst numerous as highlighted by Vestrucci (2013), can be grouped into a number of broad categories based on the theoretical paradigms on which they are based. According to Kontogiannis (2012), most of the widely used accident investigation techniques take on a systems outlook where emphasis is given to the so-called organisational archetypes (organisational dynamics) that lead not only to the erosion of preventive barriers but also to a movement away from safe processes and safe margins. The viable system model that is built on systems theory, for instance, conceptualises organisational processes and human factors in accident causation and investigation (Kontogiannis, 2012).

Other investigation techniques are designed for specific identification of a particular set of accident components, as represented by human error identification techniques such as the human factors analysis and classification technique (Baysari, 2009). According to Lyons et al. (2004), categorisation of accident investigation techniques is based on the purpose for which they are designed and the principal outlook of accident analysis they conform to. Evidence suggests there are up to 5 broad categories, albeit with those techniques that are descriptive and data gathering in nature feeding into more sophisticated ones. The categories include: data collection techniques, whose main scope includes collection of information on tasks, goals, incidents and the like; task description techniques that use data collected by data collection techniques; techniques that are aimed at simulation of the accident or incident; human error identification and error analysis techniques; and human error quantification techniques (Lyons et al., 2004). The two techniques that will be used to evaluate the incident at Buncefield tank farm belong to the fourth category, the error identification and error analysis technique group of accident identification techniques. They are all based on the systems theory conceptualisation of accidents.

For the purpose of this study, and because of its utility for the investigation of accidents in contexts such as that at Buncefield tank farm, the MORT technique and two other closely linked techniques (BA and ECFA) were employed. The following section briefly explains what they are.

Management Oversight and Risk Tree (MORT) Technique

According to the NRI (2009), the MORT technique encompasses a number of structured, logical and systemic accident investigation techniques that include the Barrier Analysis technique (TRAC, 1995a) and the Events and Causal Factors Analysis technique (TRAC, 1995b). The MORT framework by design is aimed at ensuring there is no oversight insofar as the identification of causal factors (precursors) to accidents in organisations, and is represented in the form of a chart that enables the identification of specific factors linked to an accident as well as the identification of failures in management that allow accident precursors to not only emerge, but also incubate and exist within organisations (USDoE, 1992).

The MORT technique, according to Reyes-Santos et al. (2010), is essentially a structured checklist that is represented in the form of a so-called fault tree, whose purpose is the investigation of all aspects of organisational management for potential causes of an accident. The MORT technique has accordingly been conceptualised as a particularly effective approach for the identification of root causes of organisational accidents (Ferjencik and Kuracina, 2008). As argued by Oakley (2003), the technique is founded on a number of accident causation theories, all of which posit the influence of organisational processes, systems, activities and cultures in accident causation, either because of the ineffectiveness of these or the lack thereof. In addition, the complexity inherent not only in organisational structures but also in systems, processes and technology is such that organisations usually have some influence insofar as accident root causes are concerned, either because the context provides precursors or because it allows faults and problems to incubate and develop to the extent that a trigger event subsequently causes the collapse of the entire system or even organisation.

The purpose of MORT is three-fold: the identification of safety-related oversights, as well as errors and omissions that are precursors to an incident or accident occurring (Ericsson, 2005). The design and the operation of the technique make for a situation where most observers describe the technique as mainly reactionary but it also has proven utility as a proactive evaluation technique as well as a tool for the control of hazards mainly because of its functionality insofar as tracing and identification of all causal factors to an accident (Ericsson, 2005).

Barrier Analysis and Events and Causal Factors Analysis

As conceptualised by the NRI (2009), MORT is a stand-alone systematic technique, but it also includes accident investigation techniques that have subsequently been developed to investigate root causes in specific organisational processes and systems. Two of the main accident investigation techniques that are linked to MORT according to TRAC (1995a; 1995b) are Barrier Analysis and the Events and Causal Factors Analysis technique. The former investigates root causes inherent in the flow of energy between multiple phases and objects that are typical of an organisation, whilst the latter takes this process a little further by investigating the logical sequence of events and root causes through highlighting the relationship between events as well as the relationship between events and causal factors (TRAC, 1995b). The Barrier Analysis accident investigation technique is founded on the notion that there are a number of controls and devices for the protection of not only people but also equipment and the environment, and they mainly take three forms: physical barriers that would have to be breached before an accident occurs; managerial barriers that encompass the organisation of processes, supervision of tasks and in-built controls such as policies, procedures and methods of communication, among other things; and cognitive barriers that include customs and the like (IET, 2012).

The ECFA is at times conceptualised as a technique that charts the course for the movement of energy from one organisational object to another, a process that involves the breaching of barriers between the different components in an organisation (TRAC, 1995b). To this end, it is quite common for ECFA to be used in tandem with the barrier analysis technique, specifically for the analysis of energy precursors and the movement of unwanted energy that is linked to accident causation from one component to another (TRAC, 1995a). However, ECFA still does have utility as a stand-alone investigation technique in contexts where specific causal relationships need to be investigated and charted, especially in accidents that occur in highly complex organisations or in systems and processes that involve advanced automation and interconnectivity.

Chapter 3; Research Methodology

3.1 Research Paradigm

There are a number of reasons that inform research undertakings. Some studies are conceptualised for the purpose of improving social understanding of phenomena and issues and how they come about, as well as explaining why they are the way they are, whilst some studies are designed for the purpose of finding answers to specific questions. The former describes what is classified as pure research while the latter denotes what is classed as applied research. This study fits the mould of studies that belong to the applied research group of studies, mainly because it sought to find reasons as to why an explosion occurred at Buncefield tank farm.

According to Krauss (2005), most research is value-laden, which explains the importance of an investigator not only acknowledging their standpoints and biases but, more importantly, taking steps to ensure they are minimised so that the quality and validity of their study are not compromised. To that end, it is critical for the philosophical foundation/ontology (research paradigm) as well as the epistemological foundation and the methodology of a research study to be clearly defined and justified (Krauss, 2005). Ontology and epistemology are very closely linked.

Most if not all research is undertaken from either of two ontological/epistemological frameworks, the objectivist school of thought (also known as positivist research paradigm) and the subjectivist school of thought (also conceptualised as the constructivist paradigm) (Cousins, 2002). The former paradigm denotes inquiry that is designed in such a way that the study is independent of the researcher and knowledge created by direct observation and verification of phenomena whilst the latter paradigm approaches knowledge creation from a standpoint that holds that subjective meanings to social phenomena exist and there is close interaction between the researcher and the study object(s) albeit the level and nature of the interaction is managed in such a way that the researcher’s values, ethics and philosophies do not distort the reality being observed (Cousins, 2002).

This study was accordingly designed on the principles and philosophical standpoints that fall under the constructivist school of thought, as the researcher approached it from the perspective that whilst accidents and disasters are real, they are a construct of subjective meanings attached to various factors, and more so that the existence of multiple subjective standpoints does not only influence the understanding of the phenomenon of accidents but indeed plays a part in either providing precursors to it or triggering the event.

3.2 Research methodology

According to Krauss (2005), there are two main epistemological foundations to research, quantitative methodology and qualitative methodology with the distinction between the two paradigms mainly philosophical in scope rather than methodological. Literature posits a choice of either method (methodology) is moderated by the ontological assumptions taken by or held by a researcher mainly due to the influence of underlying belief system of a researcher (Dobson, 2002). Whilst there are some major differences between the quantitative and qualitative paradigms in research, not least as evidenced by the different assumptions held by either school of thought insofar as conceptualisation of reality and how knowledge is created, the two schools are not mutually exclusive (Krauss, 2005). Indeed a so called ‘third’ methodological paradigm dubbed ‘mixed methods’ research has emerged and is gaining utility especially in organisational research. Because of the ontological and epistemological standpoints taken by the research as well as its fit with the research objectives, this investigation was conducted based on the qualitative methodological standpoint.

Aside from its fit with the philosophical assumptions and research objectives, a number of advantages inherent in qualitative research, especially insofar as the conceptualisation of social-linked phenomena like organisational accidents, informed the choice of qualitative research methodology. They included: its permitting of the investigation of multiple realities to a phenomenon; utility in the description of complex phenomena such as accidents; permitting of detailed description of phenomena; as well as its effectiveness in studies where sequential patterns and change need to be documented and explored (South Alabama, 2014).

However, whilst the above advantages strengthen the quality of the research insofar as validity and reliability are concerned, acknowledgement is made of the existence of a number of inherent weaknesses in qualitative methodology that may limit the quality of this study. They include: the difficulties it poses to hypothesis testing; its hindering of prediction or forecasting of results; its being a time-consuming methodology, especially in regard to data analysis; and the potential of the personal biases and values of the researcher influencing the observation and understanding of the phenomenon under investigation (South Alabama, 2014). To counter the impact of methodological weaknesses on the result of the investigation, all potential limitations encountered during the study will be laid out with acknowledgement of the modes through which they could impact the results of this investigation.

3.3 Research method

There are multiple methods through which an inquiry can be executed in each of the two methodological paradigms. Some of the most popular methods in qualitative organisational research include interviews, self-administered questionnaires, focus group meetings and case studies, among others (De Massis and Kotlar, 2014). There is also growing use of archival analysis in qualitative research, especially because of its effectiveness insofar as the use of primary source materials as well as multiple databases and informational repositories, but also because such analyses are effective in grounding research in a particular historical context and allow a research project to explore new directions based on the findings discovered during the analysis of archives.

Given the objectives of this research study more so as pertains the investigation of an accident that occurred a couple of years ago but also in regard to the results of the first investigation providing a basis and direction for the next study, the archival research method was chosen as the technique for analysis of information. Indeed justification for the fit of the chosen technique to the study is further provided by the fact that archival analysis permits the use of several databases and informational sources as possible for the framing of a study.

In archival analysis research it is critical that sources of information are identified, especially in regard to the initial ones, because the availability of multiple sources of information can lead to a situation where the investigation is hampered not only by contrasting information contained in different informational sources but also by the sheer volume of information available, more so on phenomena like major accidents in contemporary society. Accordingly, the following sources were identified as the main information sources for analysis:

  • Associated company websites
  • The Health and Safety Executive website
  • Informational archive of the local borough council
  • Competent Authority of Control of Major Accident Hazards website
  • Major electronic journals

3.4 Limitations of the study

Even though the delineation of the epistemological and ontological assumptions taken by the researcher in the framing, planning and execution of the study goes some way in addressing some of the limitations to this study’s quality in regard to reliability and validity, there are still a number of limitations that may affect not only the results of this investigation but also the transferability of the findings to the next project and indeed other contexts. They include the following:

  • The technique used for collection of information and subsequently its analysis (archival analysis) is inherently subjective, not only because of the increased involvement of the researcher in the selection of informational sources but also because of their judgement of what information applies to the context of the phenomenon being investigated.
  • The scope of the informational sources selected has the potential to transfer errors and biases contained in past studies, as well as highly subjective perspectives of investigators and organisations, to this study.
  • Use of a time-limited qualitative methodology rather than a more rigorous quantitative research methodology.

Chapter 4: Findings of the Investigation

4.1 Using Barrier Analysis

Barrier analysis is used to recognise hazards/dangers associated with accidents and the ‘barriers’ that should have been in place to avert hazards from occurring. Booth (2011) defines barriers as a means used to control, prevent, or hinder the hazard from reaching the target. Therefore, the barrier analysis needs to examine:

  • Barriers that were in place and how they had performed
  • Barriers that were in place but were not used
  • Barriers that were not in place but their presence was required
  • Barriers that, if they had existed or been reinforced, would prevent similar accidents from occurring in the future

Barriers are broadly divided into two types: physical and management barriers. Physical barriers include anything ranging from warning devices, guard rails, and safety devices to equipment and engineering design. Management barriers, on the other hand, include hazard analysis, training/supervision, work planning/procedures, and line management oversight. Many safety professionals and accident investigators divide the types of barriers using an alternative method: ‘hard’ (engineered) barriers and ‘soft’ (administrative) barriers (Booth, 2011).

Basic steps of a barrier analysis include:

  1. Identifying the hazard and the target.
  2. Identifying each barrier.
  3. Identifying how the barrier performed.
  4. Identifying and considering the possible causes that may have led to barrier failure.
  5. Evaluating the consequences of the failure in regard to the accident.

Using the basic barrier analysis outlined above, the hazards present at the Buncefield oil storage depot are analysed to indicate the hazards, target, and barriers that were present. The barriers analysed are categorised in Table 1 below. However, any barrier that would have averted the accident from occurring needs to be incorporated into a barrier analysis.

 

Table 1- Barrier Categories (Booth, 2011)

| Barrier category | Definition |
|---|---|
| Barriers that failed | Booth (2011) defines these as barriers that were in place and operational at the time of the accident but failed to stop the accident from occurring. |
| Barriers that were not used | Krauss (2005) defines these as barriers that were available but that employees/staff/workers chose not to use. |
| Barriers that did not exist | Krauss (2005) defines these as barriers that were non-existent at the time the accident occurred. |

Table 2- Barriers Analysis for Buncefield Oil Storage Depot Incident

Barriers Analysed for Buncefield Oil Storage Depot Incident

Barriers that failed:

  1. Tank 912 was fitted with a new high-level switch designed, manufactured, and supplied by TAV Engineering Ltd, an independent company. Workers at the Buncefield facility did not fully comprehend the way the switch worked.
  2. Failure of the ATG system.
  3. The emergency shutdown button that is used to shut down all tank side valves was not working.

Barriers that were not used:

  1. Failure of supervisors to definitively fix the servo-gauge ‘sticking’ problem, relying only on the method of ‘stowing’, which is to raise the gauge to its highest position and then let it settle again.
  2. Tanks were not being emptied at the loading bays as there had been an increase in the throughput, or amount of petrol product incoming to the depot. There was a drastic increase in the number of tanker workers and contractors on the site of the depot, which was increasing the workload of the supervisors. As a result there was increased pressure on ullage space, with certain batches of product being diverted between the tanks on the site to keep them from filling to their maximum.
  3. There were defects with the shift handover process and coinciding screens on the ATG system, causing supervisors to become confused as to which pipeline was filling which tank.

Barriers that did not exist:

  1. The absence of an effective fault logging process and the lack of a maintenance regime, considered root managerial and organisational failures.
  2. There was no proactive facility on the Buncefield site to close down UKOP incoming pipelines, and the emergency shutdown button was not fitted into the system.
  3. Buncefield did not have a containment plan in place for secondary and tertiary containment. The containment systems of the site were restricted to the site’s drainage systems, which were designed to withstand heavy rainfall, minor spills, and loss of products but were not designed to withstand large-scale releases from bunds such as those that occurred.

Based on the research conducted by Shahrokhi and Bernard (2010), the barrier analysis technique can also be used to assess energy flows as the cause of an accident, with barriers known to exist as either energy barriers or target barriers. TRAC (1995a) has reiterated that accidents may occur when energy flows in quantities that exceed the built-in resistance of structures, or when the energy flow interferes with the normal exchange of energy between the components of a system.

To summarise, the Buncefield incident reveals that preconditions existed that allowed the accident to occur at the site. The site had particular types of energy known to cause injury and damage, in addition to multiple carriers of energy. Based on the analysis, the following factors are considered to be the underlying causes of energy flow accidents:

  1. Kinetic energy inherent in the moving petrol as well as various mechanical systems, equipment and human beings.
  2. Chemical energy in the form of petrol
  3. Electrical energy in firewater pump and other equipment, and electrical lines.

There was an unwanted flow of petrol from the storage tank to a number of environmental spheres, including the immediate area surrounding tank 912 and the atmosphere, in the form of a vapour cloud that spread across and beyond various barriers at the site to the parking lot of the business adjacent to the tank farms. Figure 1 below illustrates the flow of unwanted energy before the accident occurred.

             

Figure 1- Flow of unwanted energy before Buncefield Accident

As assessed in Table 2, several barriers were present within the Buncefield oil storage facility before, during and after the accident. The main barriers are:

  • Fuel Storage
  • Energy containment structure and equipment
  • Release rate
  • Space and time
  • Material barriers
  • Signals

Based on the investigation of barriers, an analysis worksheet is composed for each barrier identified as a root cause of the Buncefield incident, highlighting the hazard in association with its target.

Hazard: Automatic Tank Gauging (ATG) System

Target: Tank 912

| What were the barriers? | How did each barrier perform? | Why did the barrier fail? | How did the barrier affect the accident? |
|---|---|---|---|
| Technical fault in ATG | Sept. 11, 2005: the ATG, which measured the rising level of fuel and displayed this information, stopped registering the rising level of fuel in the tank. | The servo-gauge was stuck. | Tank 912 continued to fill even above its limit. |
| ATG alarms | Alarms were unable to go off as the tank reading was below each of the alarm levels. | ATG stopped registering the level of fuel in the tank; supervisors worked in accordance with alarms and so were not alert to the tank overflowing. | Level of petrol continuously rose unchecked. |

 

Hazard: Independent high-level switch (IHLS)

Target: Tank 912

| What were the barriers? | How did each barrier perform? | Why did the barrier fail? | How did the barrier affect the accident? |
|---|---|---|---|
| Independent company’s designs | IHLS failed to register increasing level of petrol | Design of switch was faulty (See Figure 3) | Final alarm did not sound, and automatic shutdown not activated so by 5:37 level of petrol in tank exceeded maximum capacity and petrol spilled out of vents in tank’s roof. |

 

Hazard: Incoming fuel

Target: Tank 912

| What were the barriers? | How did each barrier perform? | Why did the barrier fail? | How did the barrier affect the accident? |
|---|---|---|---|
| Methods of controlling receipt of fuel batches from pipelines | Supervisors inadequately planned and controlled the management of incoming fuel. | UKOP pipelines were given preference over Finaline for fear of the depot sustaining a financial penalty if UKOP lines were slowed from delivering product. | Increased flow rates incoming from the UKOP pipeline, with a flow rate of 900 m3/hr shortly before the explosion, changing from its previous rate of 500 m3/hr. |
| Increase in throughput | Terminal’s operations increased, quadrupling throughput of product. Increase in the number of tanker drivers and contractors on site, resulting in a negative impact on the workload of supervisors. | Increased pressure on ullage space, with batches of petrol being diverted between tanks, causing supervisors to be confused as to which pipeline was filling which tank. Hefty consignments of unleaded fuel were being received by both Finaline and UKOP South line. | Increased pressure on storage capacity for incoming fuel, giving way to a greater chance of tanks overflowing. |

 

Hazard: Bunding

Target: Buncefield Facility & Subsequent Explosion

| What were the barriers? | How did each barrier perform? | Why did the barrier fail? | How did the barrier affect the accident? |
|---|---|---|---|
| Bundings | During implosion of fire, the sealant and other joint materials became badly damaged allowing some joints to leak fuel, foam, and firewater onto the site’s roadways. | Three bunds did not contain water stops | Fire damage on to joints of bunds allowed fuel, foam, and firewater to leak making them compromised and unable to resist the impact of the fire. |
| Pipework penetration | Bunds had pipes penetrating through the walls and floors | Since pipes were going through the bunds, the bunds could not retain the liquids. | Catastrophic failure of walls at pipe penetration; product pipes leading to tanks ruptured and leaked causing escape of fuel to pipes that were in unbunded areas. There was also loss of seal between pipes and walls. |

 

The following illustrations represent the sequence of events that led to the HOSL explosions and fires, using the identified barriers that led to the accident occurring. Each event is broken down to highlight the barriers that influenced the event. Later in the study these barriers will be associated with the conditions that caused each event to take place, gradually leading up to the overall accident.

The following structure was used to identify the barrier sequence, as adapted from (SOURCE):

Occurrence: Name of Event

Barrier Analysis:

Figure 2- Barrier Analysis through sequence of events; Occurrence: Buncefield Incidence

4.2 Energy

According to Shahrokhi and Bernard (2010), the barrier analysis technique uses energy flow to investigate the causal factors of accidents, which are posited to exist in either of two parts: energy barriers and target barriers. An accident according to this technique is conceptualised as the impact of a hazard agent on a target, mainly due to a failure not only of controls but crucially of the protective barriers in a system or setting (Shahrokhi and Bernard, 2010). The technique, according to Oakley (2003), is founded on the Haddon Matrix theory, which posits the existence of three unique phases to an accident: the pre-injury phase, the injury phase and the post-injury phase. According to the Haddon Matrix theory, the interaction between different components of a system or organisation often involves energy flows across so-called barriers. Failures in either the energy barriers or the target barriers (Shahrokhi and Bernard, 2010) culminate in the flow of unwanted energy from one phase or component to the other, ultimately leading to an accident or incident (TRAC, 1995a). It is further argued that in each of the three phases, three factors influence the dynamics of the event once there has been a flow of unwanted energy from one to the other: equipment factors, human factors and environmental factors (Oakley, 2003).

According to TRAC (1995a), the energy flow dynamics involved in all societal processes and systems, especially in regard to pathways, amounts and rates, have the capacity to damage objects and systems, degrade processes and injure people. The barrier technique posits that there are different forms of energy with the potential to cause injury and damage to different entities, including kinetic, chemical, biological, thermal and electrical energy, as well as ionising and non-ionising radiation (TRAC, 1995a). In the view of the proponents of the energy flow school of thought of accident causation, accidents occur either when energy flows in quantities beyond the in-built resistance of the structures it invades or when there is interference in the so-called normal exchange of energy between the components of a system (TRAC, 1995a).

4.3 Potentially Harmful Energy Flow

The literature posits that the flow of unwanted energy prior to an accident can be either to non-functional parts (components and parts that lie outside of the system) or to functional parts of the system, a1 and a2 respectively (TRAC, 1995a). All evidence points to the flow of energy at the Buncefield site being to both functional and non-functional parts of the system: the former inherent in the flow of energy (in this case petrol) from the pipeline to the storage tank and from the tank to the ground and immediate vicinity of bund A at the site, and the latter inherent in the flow of the vapour cloud beyond the perimeter of bund A to the estate adjacent to the site. The figure below depicts the flow of unwanted energy to both the functional and non-functional parts of the system at Buncefield:

Figure 2b- flow of unwanted energy

A1 Flow of potentially unwanted energy to non-functional components of the system

B1, B2

As far as the flow of unwanted energy to the non-functional components of the site and its surroundings is concerned, all evidence points to the absence of adequate control of the unwanted energy flow. Granted, the control of environmental conditions prior to the accident was beyond the scope of the company running the site, as it could not do much about the cold air and its current of flow. Even so, there were a couple of failings in environmental barriers, as well as in other material barriers, that could have helped lessen the movement of the vapour cloud from the spill-over tank to other areas within and outside the tank farm. That is notwithstanding the lack of evidence regarding the dynamics of the movement of the vapour cloud, as has been identified by both the Major Incident Investigation Board and the Health and Safety Executive (See MIIB, 2008; HSE, 2014).

One of the major failings in environmental and material barriers at the site of the accident was the lack of enough trees around the perimeter of the tank farm. Trees are known to moderate the flow of air currents from one place to another. At the site of the accident there were only a few trees to the west of bund A, where the vapour originated, even fewer at the northern part of the site, and no physical barriers in the form of trees on the southern edge of the site. That being so, it is not abundantly clear what utility air-current breaks in the form of trees would have served in preventing the movement of the vapour cloud from the point of overflow. Moreover, there are still a number of informational gaps regarding the exact dynamics of the movement of the vapour cloud, as the characteristics it exhibited at the site are not typical of what current models posit they should be. To that end, the control of the flow of unwanted energy to and from the non-functional components of the site can be judged to have been impracticable, in which case the risk should have been identified, assessed and managed.

However, there is no evidence to show that the safety analysis had taken into consideration the likelihood of vapour cloud movement as occurred during the accident. Conversely, as pertains to the flow of unwanted energy to the non-functional components of the system at Buncefield, there is also a case to be made regarding the potential for control of the flow of energy, with evidence pointing to a number of areas where control would have been practicable. Clearly it was possible for the flow of energy to the ground to be controlled, either through the design of a more robust storage tank or through the maintenance of the gauging system and shut-off mechanism. Across all the areas where the control of unwanted energy flow was practicable, evidence shows that controls were far from adequate, with examples ranging from the failure of supervisory mechanisms to pick up mistakes, to faulty installation, to the absence of capacity for immediate shut-off of the flow of energy. There should have been a patrol by operational staff to the tank where pumping was taking place, especially after pumping had gone on for many hours.

A2 Flow of unwanted energy to functional components of the system

B3, B4 Administrative controls and processes for the diversion of energy

The evidence, however, supports the observation that the flow of unwanted energy to functional parts/components at the site was the precursor and root cause of the accident at Buncefield. The following were identified as some of the deficiencies and defects in administrative systems at HOSL in the time leading up to and during the accident:

  • Deficient management systems attached to tank filling operations with the result that the functioning of the system could not pick up the ‘flat-lining’ of the gauge meant to measure the level of petrol filling in the tank.
  • Failures to follow laid out administrative and management procedures, with the situation not shown to have improved even after systems had been independently audited for compliance and functionality.
  • Failure of the management systems to provide adequate information to staff running the pipelines, with the result that staff did not have enough capacity to adequately manage the storage of fuel received at the depot.
  • The site had grown in automation to the extent that staff manning the control room had very little influence on the flow rates of fuel into the depot as well as the timing of receipt of the oil products delivered to the site.
  • There was no input in terms of engineering support from the head office of HOSL, a position that meant the organisation as a whole could not pick up evidence of increasing pressure being exerted on employees in such things as throughput, among others.
  • Supervision and management of the site had created an environment that focused on keeping the processes in the site going rather than on process safety, with the result that no attention was given to safety issues, let alone their prioritisation or the allocation of sufficient resources to process safety management issues.
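
The gauge ‘flat-lining’ in the first bullet above, together with the level alarms that stayed silent because the reading never reached them, is the kind of fault a cross-check of reported level against metered inflow can catch. The following is an added example, not part of the original study or of any system at the site; the tank area, flow rate, alarm level and readings are all constructed values.

```python
"""Cross-check a tank gauge against metered inflow to catch a stuck gauge.

Added illustration only. Every number below is a constructed sample value,
not data from the Buncefield investigation.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

TANK_AREA_M2 = 500.0    # constructed tank cross-section
INFLOW_M3_H = 600.0     # constructed metered inflow
START_LEVEL_M = 10.0    # constructed level at start of transfer
HIGH_ALARM_M = 12.0     # constructed high-level alarm set point


@dataclass(frozen=True)
class Reading:
    minute: int         # minutes since the transfer started
    level_m: float      # level reported by the gauge (metres)
    inflow_m3_h: float  # metered flow into the tank (m3/hour)


def level_alarm(readings: Sequence[Reading], alarm_level_m: float) -> Optional[int]:
    """Conventional alarm: first minute the *reported* level reaches the set point."""
    for r in readings:
        if r.level_m >= alarm_level_m:
            return r.minute
    return None


def expected_rise_m(window: Sequence[Reading], tank_area_m2: float) -> float:
    """Level rise implied by the metered inflow over the window (trapezoid rule)."""
    volume_m3 = 0.0
    for prev, cur in zip(window, window[1:]):
        hours = (cur.minute - prev.minute) / 60.0
        volume_m3 += 0.5 * (prev.inflow_m3_h + cur.inflow_m3_h) * hours
    return volume_m3 / tank_area_m2


def flatline_alarm(readings: Sequence[Reading], tank_area_m2: float,
                   window_min: int = 30, min_ratio: float = 0.5) -> Optional[int]:
    """First minute at which the gauge is judged stuck, or None.

    The gauge is judged stuck when, over a window of at least window_min
    minutes, the reported rise is below min_ratio of the rise that the
    metered inflow implies. This check does not depend on the reported
    level ever reaching an alarm set point.
    """
    start = 0
    for end in range(len(readings)):
        # Shrink the window to the shortest span that still covers window_min.
        while (start + 1 <= end and
               readings[end].minute - readings[start + 1].minute >= window_min):
            start += 1
        if readings[end].minute - readings[start].minute < window_min:
            continue  # not enough history yet
        expected = expected_rise_m(readings[start:end + 1], tank_area_m2)
        if expected <= 0.0:
            continue  # nothing is being pumped in, so a flat level is normal
        observed = readings[end].level_m - readings[start].level_m
        if observed < min_ratio * expected:
            return readings[end].minute
    return None


def constructed_transfer(stuck_from_min: Optional[int] = None) -> List[Reading]:
    """Constructed two-hour transfer sampled every 10 minutes.

    If stuck_from_min is given, the gauge keeps reporting the level it had
    at that minute while the inflow continues.
    """
    readings = []
    for minute in range(0, 121, 10):
        seen = minute if stuck_from_min is None else min(minute, stuck_from_min)
        rise = INFLOW_M3_H * (seen / 60.0) / TANK_AREA_M2
        readings.append(Reading(minute, round(START_LEVEL_M + rise, 3), INFLOW_M3_H))
    return readings


if __name__ == "__main__":
    healthy = constructed_transfer()
    stuck = constructed_transfer(stuck_from_min=60)
    print("healthy gauge, level alarm at minute:", level_alarm(healthy, HIGH_ALARM_M))
    print("stuck gauge,   level alarm at minute:", level_alarm(stuck, HIGH_ALARM_M))
    print("stuck gauge,   flat-line alarm at minute:", flatline_alarm(stuck, TANK_AREA_M2))
```

The detection delay depends on `window_min` and `min_ratio`; both are tuning assumptions made for this example, not values from the investigation.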

C1 Diversion of harmful energy flows or environmental conditions

Whilst there were processes and equipment in place for the purpose of ensuring the diversion of potentially harmful energy flow in the event of failure in kinetic energy flow barrier in the form of a gauge for the monitoring of the filling operation and an independent high-level switch whose purpose was to automatically trigger the shut-down of operations in the event of overfilling, the following failures were observed to have played a key part in the accident:

  • Failure of operational and management systems on-site as well as in partner organisations, especially the system maintenance contractors, to flag up and effectively address the intermittent functioning and the unreliability of the filling gauge.
  • The fitting of the independent high-level switch had been flawed. Even so, the operational systems at the site had not picked up the fact that the switch had not been in operation since its installation due to the omission of a vital component of the system.
  • The information sharing frameworks between HOSL, the designer of the independent high-level switch and the contractor who fitted the device were inadequate if not lacking, as evidenced by the failure of any of them to identify and flag up to each other the most critical elements of the cut-off system operations during installation.
  • The fact that an estimated 250,000 litres of petrol had overflowed to the ground and not been picked up or identified is a damning indictment of the processes for the monitoring of overflow from the storage tank as well as the management of the site estate themselves.
  • There was no system to divert the overflowed oil to a more secure location, or indeed a mechanism for the absorption of large quantities of overflowed oil and its transfer to a different place either at or outside of the site.
  • System security was inadequate, not least given the fact that control room staff had the opportunity to, among other things, alter all operational parameters, including the settings of alarms.

All indications point to the diversion of the energy having been practicable, including the existence of a number of technologies tailored for the purpose. Indeed, one such technology had been installed at the site for the purpose of diverting overflow. However, the installed capacity of the diversion mechanism was woefully inadequate; in addition, there is no evidence of management having considered the potential for an overflow of the size and scope that happened subsequent to the breach of control mechanisms.

Environmental Conditions

Environmental conditions on-site and in surrounding areas in the time leading up to, during and after the accident either acted as influencing and exacerbating factors during the accident or did not help the control and containment of the energy flow at any one time. Both the MIIB (2008) and the Competent Authority for the Control of Major Accident Hazards assert that the cold temperature as well as the still air at the site played a part in the accident: the former by causing or enabling the formation of a vapour cloud that most likely included ice crystals, and the latter by hampering the rapid movement of the vapour cloud away from the site. Conversely, it could be argued that by not aiding the rapid movement of the vapour cloud away from the overflow site at greater speeds, the air currents played a part in lessening the eventual scope and size of the blaze, in that the vapour cloud did not spread to an area wider or longer than 360 metres from the point of overflow.

Barriers and Controls

According to TRAC (1995a), energy flow barriers in operating systems can be classified into either of two broad categories: control barriers and safety barriers. The following were some of the control barriers that were available at the site at the time of the accident, all of which were deficient, as evidenced by the failures to contain, flag up or control the dynamics involved in causing and exacerbating the explosion. In keeping with the known scope of energy flow barriers, they spanned both human factors and processes and technical factors and processes:

  • Energy containment structures in the form of oil storage tanks.
  • Energy flow containment equipment such as the filling gauge, the independent high-level switch and systems and processes for delivery of information to staff at the control room.
  • Equipment and technical knowledge for the control of energy release rate including various signals.
  • Material barriers at the site including the wall fence, bund system and other physical barriers such as trees.
  • Work procedures, methods and patterns of work, including the supervision and management of staff.

The scope of safety barriers against unwanted energy flow observed at the site shows some similarity with control barriers. Indeed, some of them were technical and physical whilst others were skill-based in outlook. As was the case with control barriers, there were a number of observed inadequacies and deficiencies in the safety control barriers, with the result that they failed to contain, control and minimise the hazards inherent in the accident. They included:

  • The zoning of the site into bunds
  • Knowledge and skills of employees
  • Organisational culture
  • Supervisory and management frameworks
  • Early warning devices
  • Firewater pump
  • Procedures and work processes
  • External auditing of process functions
  • Design and composition of fuel storage tanks
  • Fire control systems, mechanisms and processes
  • Risk management systems. In particular, the fault logging on-site was observed to be inadequate, not only as pertains to critical equipment but also to practices at HOSL.
  • Shift working pattern. This led to the development of a short-term rather than long-term focus during the management of problems and issues at site.
  • Engineering expertise.

4.4 Vulnerable People and Objects

The size of the site and its proximity to a number of developments meant that the scope and types of people and objects vulnerable to the accident were wide and varied. Some of the key categories of people, objects and properties that were vulnerable to the effects of the accident included the following:

Under the category of functional people and objects that were targets were the following:

  • Tank delivery drivers
  • Control room operators
  • Other employees of the site
  • Buildings at the site
  • Fuel storage tanks
  • Equipment and machinery at site including motor vehicles and other site management equipment

Under the category of non-functional targets of the accident were the following:

  • Commuters and vehicles on the M1 motorway
  • Property, equipment and cars at the Marylands Estate
  • Residential houses near the site and in surrounding areas
  • Fire fighters and police officers
  • Inhabitants of nearby community developments

4.5 Energy Precursors

Whereas any accident can be stripped back to a particular trigger event, there are usually several multi-faceted and highly complicated factors involved in an accident, which explains why many accident causation models assert the existence of a series of often interrelated factors otherwise called root causes, as well as other underlying factors and conditions that contribute to or influence the dynamics of the accident (See USDoE, 1992; HSE, 2001; NR1, 2008; Santos-Reyes and Beard, 2009; Gerbec, 2013; Mannering and Bhat, 2014).

According to TRAC (1995a), identification of the energy precursors and conditions of an accident needs to be done using another accident investigation technique, the Events and Causal Factors Analysis technique (See TRAC, 1995b). Accidents as conceptualised by TRAC (1995b) involve primary events, secondary events as well as contributing factors and systemic factors. The following sections outline the findings of the analysis of the accident at Buncefield using the Events and Causal Factors technique.

But first, the hazards and their associated barriers/defences/controls existent at the site at the time of the incident are summarised below:

Pumping and storage of oil at Buncefield Tank Farm

| Hazard(s) | Existing Barriers/Controls/Defences | Failsafe attributes | Suggestions for improvement | Additional Barriers needed? |
|---|---|---|---|---|
| Volatile/highly flammable petrol | Physical: storage tanks, pipeline, bund, control equipment. Administrative: procedures, processes, custom/norms, attitudes. Operational: shift work, supervision of delivery. Signals. Separation of components in space and time. Release rate. | Physical: Medium. Administrative: Weak. Operational: Weak. Signals: Weak. Separation of components in space and time: Weak. Release rate: Weak. | Strengthening of physical barriers; review and redesign of administrative, operational and organisational barriers; regular testing | Limit energy flow; reduce system design and operating pressure; use double walled tanks; deploy look outs during pumping; interlocks |
| Equipment and machinery on site | Safety related barriers including location, movement patterns, maintenance, systems and processes; control barriers including testing | Safety related barriers: Weak. Control barriers: Weak. | Review the spatial separation between movable equipment and machinery and the oil storage tanks | Develop and operate explosive quantity distance rules; house all electronic equipment |
| Firewater pump | Safety barriers: risk management system, early warning devices, external auditing of work processes. Control barriers: fire control mechanisms, systems and processes; shift working pattern. | Safety barriers: Weak. Control barriers: Weak. | Incorporate robust and responsive risk management framework; institute arrangements to review findings of external auditors | No |
| Severe weather | Safety barriers: risk management framework, working patterns, supervision and administrative arrangements | Weak | Improving forecasting and response to sudden change in environmental factors; strengthen all potential targets; modify the rate of release of energy | Investigate dynamics of vapour cloud formation and design appropriate safeguards where possible |
| Fire/explosion | Management decisions; organisational processes; physical equipment; bunds; design and layout of site; employee training; alarms | Poor management control; errors and violations of procedures and conditions; personal errors and violations; inadequate barriers | Incorporation of procedures to avoid and limit latent failure pathways of management control and individual errors | Whole system needs looking into |
| Workplace errors including inadequate processes and procedures, a poor safety culture, violations of protocol | Supervision systems; incident report systems; procedure for work; design and layout; shift scheduling; audit | Weak | Re-train staff; hire new managers; introduce penalties for failures; encourage blameless reporting | No |
| Personal and team inadequacies (skills, experience, expertise, risk culture/attitude) | Management systems; COMAH framework | Weak | Re-train staff; bring in new employees; strengthen reporting and communication framework | No |
| Weak internal and external audit and oversight | Legal, legislative and corporate governance frameworks | Medium | Need stringent application for COMAH sites | No |

4.6 MORT Analysis of Buncefield Oil Depot Accident

It is not possible in the limited scope of this thesis to provide a fully detailed and comprehensive analysis of the Buncefield accident using the MORT event tree. The actual event tree working model can be detailed on a single chart that may measure up to 30 in x 24 in, without any instructions attached to it. Reproducing an entire event tree would therefore require several pages, making it impractical in the current study (Benner, 1975). The MORT event tree analysis also requires special training to comprehend and execute, which is beyond the scope of the current study and the researcher. Therefore, given the complexity and overwhelming nature of the full MORT event tree, the current study uses a simplified version, comprising Mini-MORT and the top branches of the MORT analytical event tree, to define the risk factors and simplify the analysis. Figure (4) illustrates the top branches of the MORT analytical event tree.

During accident investigation, the MORT analysis is started right as the accident or incident begins. The MORT process then moves from what is known; which is the event of the accident to the unknown, primarily the casual factors. This process is completed through very complex, precise, and extremely duteous process of elimination. For the Buncefield incident which occurred on December 11, 2005 the events which occurred have been recorded, investigated and re-investigated. Through analysis of reports that have been extracted the top event was isolated and given the most priority. According to Figure (4) the top event which consists of injuries, damages, and performance losses is identified and assigned the suitable position in the rectangle at the top of the event tree.

Thus, Figure (4) reveals the top event being the Buncefield incident which injured 43 people, severely injured 2 people, caused damage to the site’s property and surrounding properties. The Buncefield incident can be linked to various oversight and omissions that were taken by the employees and supervisors on the site. According to the British Geological Survey (2005) the reason there was an explosion that took place at 6:01 UTC near tank 912 was caused from “fuel-air explosion” which was considered to be of unusual high strength. However, the underlying cause of the explosion and subsequent fire are seen to be inaccuracy of workers on the site. The immediate causal factor that contributed to the accident was the major failure of both the ATG and IHLS that operated the fuel level in Tank 912. There were many flaws in overall management of operation at the site which is considered as a ‘high-hazard’ site which led to the failures defined in Table 2.

At approximately 0600 hours on December 11, 2005, pipelines within the oil depot site were transporting the following petroleum products into HOSL (as cited in HSE, 2006):

  1. Finaline delivery of unleaded petrol at a flow rate of 220 m³/hour into Tank 915
  2. M/B North pipeline delivery of diesel oil at a flow rate of 400 m³/hour into Tank 908
  3. T/K South pipeline delivery of unleaded petrol at a flow rate of 890 m³/hour into Tank 912.

Based on the investigation conducted, it is evident that Tank 912 was being filled with unleaded petrol at a flow rate much higher than that of the other products, giving an indication that Tank 912 was overfilling with petrol. To understand how fuel escaped to form a vapour cloud, it is essential to understand the controls and instruments fitted to the tank and their functions.

The figure below illustrates the basic layout of Tank 912, which is considered the main perpetrator of the accident. The image shows that Tank 912 is a floating deck tank: it has a fixed roof and an internal deck that floats on the fuel, which decreases the emission of vapour from the fuel surface.

Figure 3- Layout of Tank 912 (Source; HSE 2006)

As discussed extensively in this study, Tank 912 was fitted with various instruments that measured and monitored the temperature and level of product in the tank. All instruments were connected to the automatic tank gauging (ATG) system, through which tank levels were displayed in the control room. It was the responsibility of the servo-gauge to measure the level of product. The tank was also fitted with an independent safety switch that gave the operator a visual and audible alarm in the control room if the tank’s product reached a specific maximum level considered to be an “ultimate high level”. The alarm also initiated a trip function that closed valves on specific incoming pipelines. The high-level safety switch on the tank was able to sense when the product reached the maximum level even if all other alarms in the system had failed. The main purpose of this instrument was to provide an alarm to operators in the control room and begin an automatic lockdown of delivery if the maximum level of product was reached. By design, the switch was supposed to alert the control room operator through a flashing lamp, which was available for each tank on the site, with an attached buzzer that provided sound. Furthermore, the maximum level safety alarm also signalled any overflowing in tanks within the HOSL site, with the information being sent to the computer controls and instruments related to the Finaline and UKOP pipelines.

Due to the failure in error logging and management issues within HOSL, it is evident that the controls had not been working properly. According to HSE (2006), records from the ATG system showed that Tank 912 was two-thirds full of petrol and remained this way until 0300 hours. At the time of the incident automatic shutdown had not taken place. HSE (2006) reports that, based on the valve positions in the ATG database, the inlet valve to Tank 912 was connected to UKOP petrol, leading to the conclusion that Tank 912 was still filling even after 0300 hours.

Firstly, the tank of interest and the root cause of the incident, Tank 912, was fitted on 1st July 2004 with a new independent high-level switch manufactured and supplied by TAV Engineers Ltd. TAV had designed the switch in such a way that its functionality could be tested routinely. The first oversight in terms of management system factors (M) (i.e. Figure (4)) was that the site employees who installed and operated the switch did not fully know or comprehend how the device worked. They also did not comprehend the imperative role that the padlock played in regard to the switch, which left it inoperable (see Figure (3b)). The faulty design could have been replaced if TAV had gone through a rigorous process of reviewing its designs. It is also clear that guidance was lacking: clear instructions on the safety importance of the padlock should have been disseminated to those who installed and used the device. This leading root cause triggered the subsequent events, leading to the overall conflagration and explosion at the Buncefield oil depot.

Figure 3b- Principles of Operating the IHLS (Source: HSE, 2011)

The switch worked when the alarm circuit was activated, which occurred when the floating internal deck (lid) made contact with and raised the internal suspended weight. This raises a magnet that activates the reed switch. The check lever allows the switch and the alarm circuit to be activated independently of the movement of the floating lid. Thus, the checking action accurately simulates what will occur if the floating lid arrives at a specific point. The lever has three specific positions. The horizontal position is the normal operating position, in which the switch operates as expected: if the floating lid lifts the weight, the reed switch changes state and initiates an emergency shutdown. Tank 912’s IHLS was installed with a design that included a padlock to secure the lever in the normal position.

The switch can also be installed to detect low levels of fuel in a tank, in which case it works in the opposite manner. If installed in that way, the test is carried out by lowering the check lever. However, lowering the check lever when the switch is installed to detect high level disables the switch. The padlock is used to make sure that in normal operation the check lever stays in the horizontal position; it is thus an imperative security measure. If the padlock was not replaced, it is plausible that the check lever would remain in its lower position or fall into it. In either case, the switch is considered to be disabled.

Tank 912’s IHLS retained the function for detecting low levels, which was not useful in this installation. The switch therefore featured a hazardous disabled position that put it at risk of being inoperable.

Figure 4- The Top Branches of the MORT Event Tree [adapted from Vincoli, 2006]

Based on the MORT analysis, several risks were assumed to have caused the Buncefield incident. The presence of these risk factors was evaluated using the question, “if the risk was not in place, would the accident have occurred?”. If the answer to this question was ‘yes’, then the risk was considered non-significant. However, if the answer was ‘no’, then the risk was taken into account as a supporting cause of the overall occurrence of the event.

The following risks were identified by the MORT analysis:

  • Risk 1- Inadequate management system in place; discussed further in the risk assessment system of Buncefield.
  • Risk 2- Structural drainage design flaws.
  • Risk 3- Inadequate fault logging in regard to key equipment and working practices.
  • Risk 4- Increased pressure of work placed on supervisors caused by increased throughput.
  • Risk 5- Overall tank filling system, ATG, and monitoring systems of tanks.

Identifying the major risks that were present before the accident occurred allows an analytical risk assessment to take place, particularly of the lack of risk assessment under the management system factors.

Before the accident occurred, management inadequately assessed the risks present in the existing systems. Firstly, structural design faults at Buncefield made tertiary containment of the incident impossible. There was no tertiary containment system in place at the site. As shown by analysis of the facility’s design, the containment that was in place consisted of the site’s drainage systems, which were specifically designed to deal with rainwater, minor spills and loss of product. Rainwater, minor spills and lost product on the site were to flow to interceptors and the site’s treatment plant. However, the drainage was not designed to manage large-scale releases from the bunds, which took place during the accident. The assessment found that no kerbing or boundary wall was constructed to ensure that liquids remained on site and were directed to the drainage systems. Thus, once the liquids were released they could flow in any direction, which is what occurred during the accident. Furthermore, the volume of the drains and lagoon was too small. Also, the liner of the firewater lagoon on site was vulnerable to damage from fire and debris from the explosion. It was also found that the site depended heavily on pumping liquids, making it susceptible to inadequate pumping volume, failure of pumps during a power outage, and inability to use pumps if flammable vapour was released onto the site.

Another risk considered to be a specific factor in causing the accident was inadequate fault logging. The facility had a faulty system for logging key equipment and working practices. Buncefield had a shift system which led to short-term, apparent fixing of issues without a proper overview of what was going wrong and why. There was a short overlap time between supervisors’ shifts. According to Benner (1975), this handover or overlap time is very important, as it is when outgoing supervisors are able to pass on vital information about events that occurred during their shifts to incoming supervisors.

At the time, Hertfordshire Oil Storage Terminal (HOSL) only allotted fifteen minutes for handover and also asserted that they were not being paid for this time. During these fifteen minutes, the handover documentation developed by shift supervisors only covered information on the Finaline pipeline, while information on the UKOP pipelines was passed on an ad-hoc basis. The documentation was flawed, as it only recorded occurrences at the end of the shift without capturing and recording incident information about the entire shift. HOSL’s operations coordinators had devised an electronic defect log, but the supervisors on the site were not capable of using the system appropriately. As mentioned before in the Barrier analysis, the ATG gauge on Tank 912 had stuck fourteen times in the three months before the accident took place.

However, these occurrences and errors were not recorded in the defect log, leaving the operations manager unaware of the regularity of the failure. Analysis of reports on the Buncefield incident has also found that the defect logging system was not used on a frequent basis, particularly when a defect was fixed quickly. The same irresponsibility is seen with the IHLS, as there were faulty practices and methods for dealing with failure of the switch. Based on accident reports, in the first week of April 2004 management became aware that the IHLS on Tank 912 was not working as it should, but management still allowed the tank to be used, with the new switch being fitted on July 1st, 2004. Furthermore, Tank 911 operated without an IHLS for nine months; this tank was known to be very busy in the filling and flow of unleaded petrol. It can be concluded from this analysis that had management scrutinised the logging system, the vulnerabilities present in the overall system would have been revealed in time, which may have aided in avoiding the accident.

There was also an increase in the pressure felt by supervisors on the HOSL site. As revealed by the barrier analysis in Table 2, supervisors were unable to predict the working parameters of the UKOP lines, resulting in unpredictable fuel deliveries through the pipelines. This risk further increased the pressure on fuel storage capacity, causing increased throughput at HOSL. These occurrences are linked to the increased pressure put on supervisors, which caused them to devise a system that relieved the pressure. Based on accident reports, supervisors began to use an alarm clock in the control room to track product interfaces on the Finaline line. The alarm clock was occasionally used to remind supervisors that tanks were becoming full or getting closer to their capacity with the Finaline product. This occurred because supervisors lacked confidence in the ATG system due to its unreliability. Additional pressure came from the working patterns of employees on the HOSL site. The supervisors were working 12-hour shifts while performing other duties in addition to monitoring the filling and emptying of tanks. At other times supervisors had to work five consecutive shifts with overtime, resulting in 84 hours of work in a seven-day period. According to the report published by HSE (2014a), there were no fixed breaks scheduled, so breaks were taken when operating conditions allowed.

Hence, supervisors worked a great many hours, including overtime, and resisted the hiring of more supervisors as it would lead to a loss of income. A stable working environment relieves pressure on employees, allowing them to be relaxed and work more effectively. Since this was not the case in this situation, increased pressure led to staff becoming disordered, causing them to overlook many risks that led to the explosions and fires on the site, arising from factors which could have been managed. It is management’s responsibility and duty to monitor the working pressures placed on staff and to take immediate action to maintain acceptable levels of workload.

Figure 5- Mini-MORT of Buncefield Oil Depot Incident

4.6 Events and Causal Factors at the Buncefield Oil Depot Accident

As argued by Song and Ying (2011), the interaction between the parts of a system, be they human or technological, is such that there are not only complex but also intricate transfers of energy, information and material from one phase of the accident to another, and even within the same phase of the accident. The Events and Causal Factors analytic technique enables both the identification of the direction of flow of the elements and factors in a hierarchical manner and the identification of the underlying factors behind the movement of accident elements and factors (TRAC, 1995b).

The ECFA technique takes a structured, systematic and logical outlook in examining the energy flow between components of a system, and involves charting the initial stage of the accident as well as the pre-accident and management phases of the accident (TRAC, 1995b; NRI, 2007; Saleh et al., 2010; Cheng et al., 2013).

The following Flow Chart-1 depicts the major events and causal factors (factors that the barrier analysis technique conceptualises as energy precursors) involved in the accident at the Buncefield oil storage depot.

(Flow Chart-1)

The following figures illustrate in more detail what the underlying causal factors for each of the major events during the incident were.

ECFA for the Loss of Primary Containment

Failure of the Independent High Level Switch

(Flow Chart-2)

The Automatic Tank Gauging System (ATG)

(Flow Chart-3)

Malfunctioning Monitoring Screen

(Flow Chart-4)

 

4.7 Other Underlying Factors and Events

  • The two feeder lines supplying fuel to the depot were operated by different sets of people: the Finaline was managed by supervisors at the site, whilst the UKOP line was controlled by an entity external to the site.
  • Information supplied to operators of the various lines was markedly different. The Finaline operators, for instance, did not have access to monitoring data and so could not know without using the ATG whether fuel was flowing or what the flow rate was.
  • Increase in throughput
  • Poor tank filling operations
  • Pressure of work
  • Loss of secondary containment
  • Tie bar operations inadequacies

Events in the ECFA charts above are depicted by rectangles whilst conditions are depicted by ovals. The above events and causal factors are by no means the only ones that were involved in or influenced the accident at the Buncefield depot; a host of other underlying systemic and organisational factors were involved, including:

  • Supervisory failures
  • Malfunctioning of alarm function in the ATG system
  • Increase in throughput of the product
  • Poor organisational safety culture
  • Failures in work procedures.

4.8 Events and Causal Factors Analysis of Buncefield Accident

As discussed at length, accidents are investigated to recognise the cause of their occurrence and to determine the actions or steps that need to be taken to prevent them from occurring again. Therefore, it is imperative that accident investigators probe in depth into the events and conditions that create accident situations, and take into consideration the managerial control systems that may have led to the development of the root causes of the accident (Benner, 1975). If these root causes are identified, a great deal of understanding develops of the interactions of events and causal factors through a sequenced chain of events and activities that begins with an “initiating” event and runs all the way to the final losses that may have been produced by the incident (Kuhlman 1977).

Factors that are considered very important in accident causation materialise as sequential or simultaneously occurring events that interact with existing conditions (Benner, 1975). It is these patterns of conditions and events that allow an image to be outlined which reconstructs the multiple factors that led to the unwarranted loss or other potential losses (Benner, 1975). Only by pedantically tracing unwanted energy transfers, and their connections to each other and to the individuals, procedures, infrastructure and controls, does one understand the implications which caused the accident to occur and delineate the sequence of events that led to the development of the accident (Benner, 1975).

An Events and Causal Factors (ECF) chart illustrates the essential and appropriate events and causal factors for accident occurrence in a rational sequence. It is often used not only to analyse the accident but also as an essential tool for evaluating the various pieces of evidence during the examination of the accident (Benner, 1975). This tool also aids in validating the accuracy of pre-accident systems. It is followed by Events and Causal Factors Analysis (ECFA), which is considered an intricate and imperative part of the MORT-based accident investigation method. ECFA is often used with other major MORT tools, such as those used in this particular study (MORT tree analysis, energy trace and barrier analysis), in order to achieve maximum results in the investigation of the Buncefield accident.

In order to determine the causal factors associated with the incident under study, it is necessary to conduct an analysis of the accident (Benner, 1975). This is considered an imperative process for concluding what the root causes of the accident were. For this reason, deductive reasoning is used to determine which events or conditions contributed to the accident. The significance of the events within the accident sequence will be evaluated using the question premise:

‘If this event had not occurred, would the accident have occurred?’

Based on this question, the causal factors were assessed and considered before being inserted into the chart. The chart below is the events and causal factors (ECF) chart that has been composed to outline the events that led to the subsequent explosion and fire at Buncefield. The chart only considers important events that overlapped with the MORT analysis and Barrier Analysis. These are considered important as they aid in the analysis of the root causes of the accident, ensuring that only important events and factors are considered when analysing the underlying causation of the event (Benner, 1975). The ECF chart follows the basic standards and rules for composition as outlined in the figure which shows a general example of ECF charts.

Chart 5: ECF of Buncefield Incident

General conventions were used in composing the ECF chart above. The general method was used to improve comparability and consistency in accident reporting and to aid in communicating the investigation findings. The figure below provides a brief insight into the general ECF format that was followed to assess the Buncefield incident.

Figure 6- General outline of ECF chart (Source: SCIENTECH, Inc., 1995)

This particular convention attempts to be as simple as possible while maintaining the effectiveness of the events and causal factors analysis. As outlined in the figure, square boxes indicate events; events lined up horizontally are considered primary events, while those in a vertical succession are considered secondary events. Oval shapes in the diagram indicate conditions, following the same vertical and horizontal rules applied to events. Events are connected by solid arrows, while conditions are connected to events and to each other by dashed lines.

Using the ECFA charting technique and subsequent analysis brings about two primary benefits:

  1. Meets the general purposes of accident investigation and conducting investigations
  2. Aids in ease of writing the investigation report

The primary purpose of accident investigation is to identify what happened and why it happened, to ensure that similar accidents do not occur again in the future. In major accidents there are underlying factors indicative of systematic defects, which have also been shown to reduce performance and production. This is evident in the Buncefield incident, based on the ECF chart that was composed. The underlying cause, considered a primary root cause of the failure of barriers and of the overall accident, is deficiencies within the management system. The deficiencies exposed by the ECF chart need to be reviewed, and benefits need to be derived from them that go beyond correcting the immediate causes of the accident.

Firstly, as seen in the barrier analysis and MORT analysis, there were a great many defects in the management system of HOSL. Management overworked their employees, leading to greater chances of underperformance and errors. Further, management showed serious shortcomings in logging errors, which is considered a root cause that led to the incident. Had management logged errors in the ATG and IHLS, these root technical problems would have been solved and the overall accident would have been avoided. However, there was poor management throughout the facility.

Based on the ECFA conducted, it is evident that there is a cause-oriented explanation of the accident. This can be explained clearly by using the conditions and events from the ECF chart to make a table that details the cause and effect relationships. These cause and effect relationships are outlined in the table below.

Table 3- Cause and Effect Analysis of Accident

| CAUSE | EFFECT |
|---|---|
| Management fault in error logging | Faulty ATG, faulty ATG alarm, faulty IHLS |
| Faulty ATG, faulty ATG alarm, faulty IHLS | Tank 912 filling beyond maximum capacity |
| Tank 912 filling beyond maximum capacity | Petroleum product overflows from vents |
| Petroleum product overflows from vents | Vapour cloud formation above Tank 912 |
| Vapour cloud formation above Tank 912, presence of weather conditions cause cloud to move | Vapour cloud spreads to 360 m spreading over Tank 12 |
| Vapour cloud over Tank 12 which contains aviation kerosene which is highly flammable | Fire alarm is pressed at indication of vapour cloud whose ignition is the alleged culprit causing explosion |
| Explosion occurs over tank | Fire ignites |
| Fire is not controlled or contained due to management not having set up secondary and tertiary containment; bunding infrastructure is faulty | Bunding material melts as it is not fire resistant |

OVERALL IMPACT: Fire is not contained, leading to 43 injuries, 2 individuals seriously injured, nearby residents and businesses shut down and put at risk, HOSL facility damage
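The counterfactual question used in this chapter ("if this event had not occurred, would the accident have occurred?") can be applied mechanically to the cause and effect chain of Table 3. The Python sketch below is an added example, not part of the original study; the node names and the AND structure of the rules are simplifying assumptions constructed from Table 3 and from the ATG/IHLS descriptions above.

```python
"""Counterfactual significance test over a simplified causal chain.

Constructed illustration: the nodes and rules are assumptions drawn from
Table 3 and the chapter text, not findings of any investigation report.
"""

# Root conditions an analyst can remove. True = present on the day.
BASELINE = {
    "fault_logging_neglected": True,  # gauge defects never reached the defect log
    "ihls_padlock_missing": True,     # check lever not secured in normal position
    "tank_912_filling": True,         # delivery of unleaded petrol into Tank 912
    "ignition_source": True,          # something ignites the vapour cloud
    "no_tertiary_containment": True,  # drainage sized for rain and minor spills
}

# Derived events in causal order; each rule reads only earlier nodes.
RULES = [
    ("atg_gauge_stuck", lambda s: s["fault_logging_neglected"]),
    ("atg_alarm_silent", lambda s: s["atg_gauge_stuck"]),
    ("ihls_disabled", lambda s: s["ihls_padlock_missing"]),
    # Overfill needs the delivery AND the failure of both level barriers.
    ("tank_912_overfilled", lambda s: s["tank_912_filling"]
        and s["atg_alarm_silent"] and s["ihls_disabled"]),
    ("overflow_from_vents", lambda s: s["tank_912_overfilled"]),
    ("vapour_cloud", lambda s: s["overflow_from_vents"]),
    ("explosion", lambda s: s["vapour_cloud"] and s["ignition_source"]),
    ("fire", lambda s: s["explosion"]),
    ("fire_uncontained", lambda s: s["fire"] and s["no_tertiary_containment"]),
]
DERIVED = [name for name, _ in RULES]


def evaluate(roots, removed=frozenset()):
    """Propagate the chain; any node named in `removed` is forced absent."""
    state = {k: bool(v) and k not in removed for k, v in roots.items()}
    for name, rule in RULES:
        state[name] = name not in removed and bool(rule(state))
    return state


def would_accident_still_occur(factor, top_event, roots=BASELINE):
    """Remove one factor (root or derived) and re-run the chain."""
    if factor not in roots and factor not in DERIVED:
        raise KeyError(f"unknown factor: {factor}")
    return evaluate(roots, removed={factor})[top_event]


def prevented_events(factor, roots=BASELINE):
    """Derived events that occur in the baseline but not without `factor`."""
    before, after = evaluate(roots), evaluate(roots, removed={factor})
    return [n for n in DERIVED if before[n] and not after[n] and n != factor]


def significance_table(top_event, roots=BASELINE):
    """Answer the question for every factor: 'yes' means non-significant."""
    if not evaluate(roots)[top_event]:
        raise ValueError("top event does not occur in the baseline scenario")
    table = {}
    for factor in list(roots) + DERIVED:
        if factor == top_event:
            continue
        still = would_accident_still_occur(factor, top_event, roots)
        table[factor] = "yes" if still else "no"
    return table


if __name__ == "__main__":
    for top in ("explosion", "fire_uncontained"):
        print(f"Top event: {top}")
        for factor, answer in significance_table(top).items():
            print(f"  without {factor:<26} accident still occurs? {answer}")
```

The answer depends on the chosen top event: in this model the missing tertiary containment is non-significant for the explosion but a contributing cause of the uncontained fire.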

4.9 Thematic Areas for Safety Professionals Highlighted by the Buncefield Accident

One of the central purposes inherent in the investigation of accidents in general, and more so of major accidents of the type that occurred at Buncefield, is the opportunity to highlight organisational learning points and to advance the field of safety management and professional awareness and knowledge of accidents, in order to avoid a repeat and to inform response and mitigation efforts (HSE, 2003).

According to the HSE (2014), whilst the incident at Buncefield does not flag up new areas insofar as major accident prevention is concerned, the accident still had utility in strengthening and reinforcing critical process management principles that organisations, and professionals linked to the safety management paradigm, have been aware of for some time. To that end, the following have been identified in the literature as some of the key thematic areas for safety professionals that the accident helped reinforce:

  • Time and safety resources are of vital importance in process safety planning and management. The need for resources for process safety is particularly pertinent given the conflict in resource allocation between business activities and safety management activities, with the latter often considered to be a resource-depleting rather than value-creating activity. However, as revealed by the incident, and more so by the effects suffered by the operators of the site as well as by non-functional targets of the accident site, the failure to provide sufficient resources and to allow sufficient time for staff to consider safety during process operations can have very severe financial and reputational impacts, let alone legal penalties and sanctions.
  • Culture and systems for the identification of failure in components critical for safety are vital to organisations. Whilst the design and automation of current process operations make for a setting where systems for identifying failure abound in organisations, the functioning of the system and the effectiveness of failure detection cannot be delinked from the safety culture within an organisation. Because of the poor safety culture in HOSL, faults in and inoperability of safety-critical components were not highlighted. Indeed, the literature shows that an organisational culture focused on continuity of operations at the expense of safety considerations runs the risk of experiencing a collapse of the oversight and management functions that are vital to the hazard identification and risk management frameworks.
  • Awareness of risks, hazards and risk management needs to cut across the organisation and involve every stratum and individual in it. Moreover, to ensure the effectiveness of safety management functions within the organisation, it is vital that top management not only considers but owns the safety management issues and concerns inherent in the processes, activities and operations of the organisation that they manage. Also, because of increasing interconnectedness and the nature of business and corporate management in general, organisations often link up or work in concert with other organisations that have different attitudes and cultures towards risk and that are engaged in different sectors. The failure of the information-sharing framework between the operator of the site at Buncefield and its partners, in the form of designers of safety equipment (the independent high-level switch) as well as contractors and external auditors, underscores the importance of an organisation that works with major hazards ensuring that all its partners not only have robust risk/hazard management frameworks in place but, equally importantly, have a focus and attitude similar to if not better than its own when it comes to safety management.
  • Organisations and professionals should not take it for granted that once safety management systems are in place they are effective in advancing safety management in the manner in which they have been designed. It is of vital importance that safety management systems and equipment are not only audited but that issues are addressed in a quick and effective manner. The criticality of testing the effectiveness or capacity of designed systems and processes to work in the manner in which they have been designed is highlighted by the failure of the independent high-level switch to shut off the petrol filling operations. A lot of movement has been witnessed in this area of safety management subsequent to the disaster, with the adoption of disaster exercises (also known as simulations or war-games). It is however important that an organisation does not become content with the effectiveness of accident war-gaming in highlighting issues and problems; rather, it should put procedures and processes in place to ensure that highlighted issues are addressed expeditiously and, more importantly, effectively as well.

4.10 Informational Gaps

There is a wealth of in-depth information in nearly all areas pertinent to the accident, except for the lack of understanding of the dynamics of the vapour cloud movement and the subsequent explosion dynamics, as detailed in the report of the Major Incident Investigation Bureau and other reports on the accident such as the Competent Authority’s COMAH report.

4.11 Effectiveness of Barrier Analysis and ECFA/MORT Techniques

Whereas Barrier Analysis and ECFA/MORT techniques have proven utility in the investigation of accidents and their precursors, there are a number of limitations attached to both categories of techniques that make it difficult to gauge their effectiveness in relation to accident investigation in general. This is not least because of the unique set of circumstances of every incident, but also because of the blindness of the techniques to a number of accident dynamics, including:

  • Identification of certain classes of hazards, more so in the case of Barrier Analysis where the emphasis is on the flow of unwanted and hazardous energy. The use of this technique on its own will mean those types of hazards that cannot be characterised in terms of energy flow are not investigated if it is the only technique that is used in the analysis.
  • It is difficult to determine whether energy can be reduced or even re-directed mainly because the design and build of systems and their components structures are such that it is not easily apparent that either of those control/safety features can be carried out.
  • Barrier Analysis does not permit the identification of all hazards irrespective of the robustness of the hazard identification process especially so in regard to hazards that are a combination of various factors and elements and hazards that arise due to co-existing system failure modes.
  • Barrier Analysis and ECFA/MORT are also heavily dependent on the knowledge an investigator has of the failed system as well as the level of experience they have in applying it. They are as such not techniques that are appropriate for investigation of incidents where the accident investigator does not have a certain level of detailed knowledge of a system.

That being so, Barrier Analysis as an accident investigation technique is particularly useful in circumstances where the investigation and identification of hazards that are linked to energy sources is pertinent as well as instances where the aim is to examine either retrospectively or proactively whether barriers/safety features offer adequate protection to vulnerable people and other targets. If the objective is the identification of critical events and not the entirety of hazards and precursor conditions and circumstances, then Barrier Analysis and ECFA and MORT techniques offer strong functionality for doing so. As posited by the HSE (2001), Barrier Analysis and other MORT linked techniques are made further attractive due to their inherent flexibility, a quality that means they can be applied to the investigation of all types of problems more so as a means to establishing a baseline/foundation for further investigation.

Chapter 5; Presentation of Results

Using the MORT tree map, Barrier Analysis, and events and causal factors analysis, there is substantial evidence to conclude that the underlying root causes of the explosion at the Buncefield oil storage depot were technical and arose from management error. To conclude, the root causes have been identified as follows from the accident investigation tools used:

  1. Failure of the independent high-level switch mainly found in the switch’s design
  2. Failure of the automatic gauging systems
  3. Failure in monitoring of tanks
  4. Failure in methods of controlling receivable fuel batches from pipelines
  5. Failure in pipework penetration and bunding infrastructure

All the root causes as highlighted above are directly or indirectly caused by defects found in the managerial oversight and leadership of the company HSOL. It is evident from the analysis that there are massive deficiencies with HSOL's management, including:

  1. Safety management system: no safety procedures were taught or implemented within HSOL.
  2. Management was unable to provide and implement an adequate error logging system and it did not train employees to have the full extent of knowledge of the system in place.
  3. There was increased pressure of work caused by increased throughput to the facility as all gas pipelines in the area were diverted to the Buncefield oil depot. Supervisors were not equipped to handle the increase in flow of product. Also, there was resistance to hiring more supervisors as it would lead to a pay decrease for employees already present.
  4. Supervisors had used inappropriate controlling and management methods to record and control the fuel that was incoming from pipelines.
  5. HSOL did not attempt a risk assessment to produce and implement risk management systems to avoid the issues on this list.
  6. There were no contingency plans, or secondary or tertiary containment, in the case of such an incident.
  7. Extremely poor communication between employees, especially between incoming and outgoing supervisors at shift changes.

The following sections of the study provide a detailed look into the root causes that are concluded to be the main events, factors, barriers, and conditions that led to the Buncefield incident. The sections touch upon problem areas in corporate governance and management of the accident site and look to analyse the main management failures that have been identified extensively using the MORT tree map, Barrier Analysis, and ECFA. Had these root causes been uncovered earlier and immediate action taken, it is highly likely that the Buncefield incident would not have occurred.

5.1. Human, Organisational and Technical Precursors at Buncefield

Main management failures discovered using the MORT model

Inadequacies in management functions at Buncefield spanned the three major areas that the literature posits are the main categories under which precursors of accidents, irrespective of size, tend to fall: human, technical and organisational. Table 4 below captures some of the major problems that were observed at Buncefield after analysis of the contextual factors using the MORT model. The author contends they are all linked to the noted problems with the leadership and management oversight at the site. For some of the issues raised, the link is more apparent, including inadequacies of the monitoring function within the site, as it reflects not only poor strategic direction but also the lack of appropriate supervision and management control.

For others, including failure of barriers (be they mitigation, control or preventive), the link to poor and/or insufficient management is not readily apparent, but when consideration is given to why, for instance, the wrong or inadequate physical barriers were installed, it can be established that it connects with either poor decision making in top management bodies, the lack of commitment and focus, or poor attitude and organisational culture.

Table 4; Main failures that were observed using the MORT technique

| Number | Description |
|---|---|
| 1 | Inadequate monitoring of operations |
| 2 | Inadequate external communication framework |
| 3 | Deficiencies in the informational systems |
| 4 | Lack of coordination |
| 5 | Failure of barriers |
| 6 | Lack of contingency plan for the vapour cloud explosion event |
| 7 | Deficiencies in the definition of responsibilities within the organisation |
| 8 | Deficient emergency response |
| 9 | Lack of support and guidance of top management |
| 10 | Key decision makers failure to act promptly |
| 11 | No evidence of risk assessment |
| 12 | Failure to learn from past safety failures and incidents |
| 13 | Lack of clarity in definition of responsibilities |
| 14 | Absent or insufficient hazard identification |
| 15 | Poor top management attitude |
| 16 | Poor training of staff/lack of training |

Main management failures observed using the Barrier Analysis model

Failures and inadequacies in management function at Buncefield spanned not only the so-called soft defences but actually extended to what the literature considers to be hard defences: alarms and physical barriers such as bunds and oil storage tanks.

Failures in management that fall under the soft defences include inadequacies in regulations, poor procedures and poor training. They link with accident prevention through their influence on processes, procedures and systems for risk and hazard identification, accident risk mitigation, the review and monitoring function, and the engendering and promotion of an appropriate organisational safety culture as well as individual attitudes to risk management in general.

Management failures such as poor top management attitude to safety, lack of training, poor supervision and lack of coordination served to erode accident prevention defences, as failures cut across successive layers that are known to be pertinent for effective accident prevention in organisations. Indeed even in instances where the management failings were limited to one layer of the organisation's barriers (as is the case for all the failings in human resource management), the erosion of that layer meant that the whole system was left vulnerable to collapse, not least because of the interconnectedness between the various types of barriers.

Table 5 below summarises some of the top management failures that were discovered on analysis of the pre-accident and post-accident context using the Barrier Analysis technique. Many of the management failures discovered using barrier analysis relate to the state or the absence of safety functions within the organisational structure as well as corporate management of the site.

Table 5; Main management failures at Buncefield discovered using the Barrier Analysis model

| Number | Description |
|---|---|
| 1 | Poor corporate safety management |
| 2 | Poor local planning |
| 3 | Inadequate planning of operations |
| 4 | Unclear responsibilities |
| 5 | Unsafe routines of work |
| 6 | Absence of appropriate informal practices |
| 7 | Poor scheduling of operator shifts |
| 8 | Inadequate/lack of audit and review function |
| 9 | Delay in execution of jobs leading to stress |

5.1.1 Organisational Precursors

The responsibility of Buncefield site managers, insofar as organisational factors that triggered the accident are concerned, spans factors that were connected with emergency preparedness and the emergency evaluation plan and response.

In a departure from established good practice for COMAH sites, management had never conducted any emergency drills or exercises. Indeed the setup of the organisation was such that there were no emergency preparedness drills or exercises embedded into the risk and emergency management frameworks. Further evidence suggests management was positioned to do the bare minimum to meet regulatory compliance; it didn't help that in some instances the compliance had all to do with having documents that stipulated procedures and processes but nothing was operational.

In addition the communication framework was so inadequate that not only were there problems in stakeholder engagement but also ineffectiveness in communication between the company and its contractors. The latter was especially responsible for failure to discover poor installations of equipment as well as the poor functioning of systems at the site. Table 6 below summarises organisational deficiencies and problems that played a part in incubating, causing and exacerbating the accident.

Table 6; Main organisational deficiencies and problems

| Number | Description |
|---|---|
| 1 | Poor and/or inappropriate safety management system |
| 2 | Inadequate or absent safety and operational procedures |
| 3 | Lack of an up to date and appropriate emergency management plan |
| 4 | Poor regulatory compliance |
| 5 | Lack of leadership |
| 6 | Unclear roles and responsibilities |
| 7 | Poor internal and external communication frameworks |
| 8 | Lack of enforcement of rules and regulations |
| 9 | Poor documentation |
| 10 | Absence of emergency drills and exercises |
| 11 | Weak strategic management |

5.1.1.1 Corporate culture and governance

The deficiencies and failures in human resource management and organisational leadership in regard to safety culture, practices and norms stretched beyond the top management level of the operators of the Buncefield depot.

Board level involvement was non-existent in regard to the stewardship and oversight of corporate safety in general. Analysis of the expertise and experience of the board members of the companies that were jointly running the site shows that they lacked competence in corporate risk management of a major hazards site such as Buncefield. Accordingly safety leadership problems and issues ran all the way up to the top corporate governance institutions. The inadequacy of board level stewardship did ultimately feed into the executive management approach to risk management, which in turn trickled down to operational employees.

Under such conditions corporate safety culture became lax, as reflected by the absence of procedures and established norms, the lack of processes, and a focus on doing things to meet minimum compliance requirements rather than genuine consideration and implementation of initiatives that lessened the risk of the site's activities impacting its stakeholders financially, socially and indeed environmentally.

5.1.1.2 Corporate supervision of the audit programme

A number of failings that directly led to the explosion had been picked up by external auditors. However the implementation of findings, as well as the follow-up and review of the highlighted deficiencies, was not sufficient. The internal audit process was so weak as to be non-functional because of a number of issues, the main one of which was the lack of leadership and ownership of the audit protocol and process. Failures in the audit programme that were observed at the site included the following:

  • Insufficient frequency of audits
  • No clarity on what audit protocols needed to be used for auditing of operations
  • The procedure for the reporting of audit findings was not clarified
  • The audit manual did not specify what procedures, activities and areas would be audited and the direction of the audit insofar as its focus on either health and safety or environmental protection and also fuel transfer and storage was missing.
  • As far as could be established, there was also no procedure for follow-up of procedures, and the audit function was silent regarding to whom roles and responsibilities for the same would fall. This left an environment where there was not only no identification with the audit procedure but crucially no ownership of the post-audit implementation phase.
  • Good practice in the field of organisational auditing requires that resources and personnel required for the audit are specified beforehand. No evidence was seen to prove that had been the case in Buncefield. It is accordingly most likely that the failure to clearly delineate what resources would be needed and what personnel would be involved in the audit meant that there were gaps in the conduct of the audit function, as was proven to be the case by the failure of management to implement recommendations of external auditors.

5.1.1.3 Safety management

  • In line with requirements mandated by the health and safety law for Control of Major Accident Hazards (COMAH) designated sites, there was evidence of embedded risk management systems and a framework that specified initiatives for the management of the major hazards attached to the operations of the site. However evidence reviewed showed that management was at best doing the bare minimum that was required of it to meet regulatory compliance.
  • Indeed evidence of the same is provided by the fact that there was a significant disconnect between what was specified in compliance documentation/risk management systems and what was actually happening at the site. A number of inadequacies were evident, including the absence of a procedure for management of change of critical parts, an ill-prepared and ill-considered critical parts list, and general failings in the safety management system such as the failure to log incidents, poor safety culture and poor attitude by top management as well as employees.
  • The extent of management failings at the site was further reflected by the failure of the established risk management framework to identify the possibility of several tanks catching fire, failures in ensuring good practice was followed in the design, build and commissioning of physical barriers such as bunds and a less than adequate inspection and maintenance regime. Moreover the lack of an appropriate inspection and maintenance regime was indicative of the lack of consideration of the health and safety implications in the running of the business with managers tending to focus on the financial aspects instead. 

5.1.2 Human Precursors

5.1.2.1 Personal experience, staff knowledge, attentiveness, motivation and personal attitude

A number of incidents prior to the accident, as well as during and after the explosion bring to the fore deficiencies regarding employees’ experience, both in the operational running of the site as well as the management of emergency situations.

Whilst the lack of fatalities at the site could be viewed as representative of employee effectiveness in handling emergency situations, there is insufficient evidence to support that position. Rather the absence of loss of human life was remarkable, not least because staff had not been trained in appropriate evacuation operations. Indeed because no simulations, drills or emergency exercises had been conducted, staff lacked experience insofar as the conduct of emergency evacuations was concerned.

The fact that overfilling of tank 912 went on for several hours before being noticed, never mind that the automatic gauging system had failed, further attests to the lack of situation awareness by the operational staff. Experienced staff would have had an idea of roughly how long the filling of a tank should take, and that should have triggered their investigation of the tank filling operations once they realised it had gone on for a long time. The reliance on technology and alarm systems that failed is also strong evidence pointing out the inadequacies in staff knowledge of operational systems as well as their attentiveness to conditions in their work environment. Lack of attentiveness to the contextual environment was also reflected in the failure to notice the overflow of the tank and the subsequent formation of a vapour cloud, especially so as members of the public in the surrounding community had observed an abnormality and had advised of the same.

Motivation of staff was also observed to be lacking, partly due to increased stress of work but also because of changes in shift patterns and scheduling of work. Indeed the increase in throughput would have been deciphered as a lack of management interest in their employees, who would in turn have responded by not being attentive and driven to ensure safety procedures and culture were adhered to.

Employee attitude to health and safety was also remarkably poor and in some cases the behaviour exhibited by staff increased and amplified risk and hazards rather than reduced them. Staff errors as well as failure to log incidents, disregard of rules and established procedures for performing specified operations, and distractions were indicative of a very poor attitude to health and safety in general and accident prevention at the site. The failure to log previous incidents as near-misses in a site as replete with major hazards as Buncefield was is also indicative not only of individual employee disregard of safety but, more importantly, of the failures in human resource management at the site.

5.1.3 Physical/technical Precursors

5.1.3.1 Workplace layout

The three different operational sites at Buncefield all complied with requirements to be rated as a so-called 'top tier' COMAH site. There was clear separation of storage tanks based on the kinds of fuel that were held in them, with different storage areas bunded and zoned.

The site was as such generally well laid out with clearly demarcated areas for different operations, including designated zones for moving equipment and machinery among other things. Adjacent to the storage tanks were a number of drains and soakaways. These however were not known to the employees at the site, a situation that is indicative of the lack of detailed site plans at the depot.

The layout of the site in relation to other settlements and installations was however problematic. There was a big industrial estate adjacent to the tank farm, and residential settlements were a couple of hundred feet away from the site. Further, the site was adjacent to a rather busy motorway (M1).

The development of an industrial site next to the depot, as well as residential dwellings in close proximity to a site of such high risk, is indicative of general failings in spatial planning and societal risk management on the part of regulatory authorities and public governance institutions, but it is also symptomatic of the lack of engagement of the top management at Buncefield with the development review process. There is no evidence to show they objected to the location of major facilities next to a site of such high risk.

5.1.3.2 Design of equipment

The design and nature of equipment at Buncefield was in keeping with leading practice in installations in oil storage depots and oil facilities in general. Indeed the observed failures in control and forewarning equipment such as the independent high level switch and the tank gauging system had nothing to do with the design, but rather with the failures in maintenance, inspection and repair as well as commissioning of storage and protective installations.

Moreover the overwhelming failures of the tanks once they had caught fire also had nothing to do with flaws or inadequacies in the design of the tanks; rather, the intensity of the resultant blaze was such that even the superior design and make-up of the storage tanks could not withstand the ferocity of the fire.

5.1.3.3 Physical environment

Aside from a small number of trees around the periphery of the depot there weren't any physical environmental features or landmarks that could be construed as having played a part in causing or exacerbating the accident. The general layout of the surrounding area is flat and undulating with sparse vegetation. Moreover the physical environmental aspects that played a central role in engendering the incident (ice and cold) were not unique to the site. There was as such not much that the organisation's management could have done except identify the likelihood as well as the potential impact of the physical environment on causing the appearance of a vapour cloud in the event of a leakage.

5.1.3.4 Safety management

In line with requirements mandated by the health and safety law for Control of Major Accident Hazards (COMAH) designated sites, there was evidence of embedded risk management systems and a framework that specified initiatives for the management of the major hazards attached to the operations of the site. However evidence reviewed showed that management was at best doing the bare minimum that was required of it to meet regulatory compliance.

Indeed evidence of the same is provided by the fact that there was a significant disconnect between what was specified in compliance documentation/risk management systems and what was actually happening at the site. A number of inadequacies were evident, including the absence of a procedure for management of change of critical parts, an ill-prepared and ill-considered critical parts list, and general failings in the safety management system such as the failure to log incidents, poor safety culture and poor attitude by top management as well as employees.

The extent of management failings at the site was further reflected by the failure of the established risk management framework to identify the possibility of several tanks catching fire, failures in ensuring good practice was followed in the design, build and commissioning of physical barriers such as bunds and a less than adequate inspection and maintenance regime. Moreover the lack of an appropriate inspection and maintenance regime was indicative of the lack of consideration of the health and safety implications in the running of the business with managers tending to focus on the financial aspects instead.

5.1.4 External Precursors

5.1.4.1 Political Influence

Attributing the influence of major political events and factors to the 2005 Buncefield disaster is by no means an easy task, not least because suggesting a causal link between external political events and the operational issues and factors that led to the occurrence of the accident is by no means straightforward, precisely because of the fuzziness in the dynamic between politics/political events and organisational performance.

The following three political events could have played a part in causing the accident, both directly and indirectly: in the case of the former through their influence on the price of oil, which rose sharply in the year 2005, and in the case of the latter through their influence on management indifference to safety concerns, as has anecdotally been shown to happen during election years as well as in years of major environmental disaster, as did happen in 2005.

Table 7: Major political events that could have played a part in causing and engendering Buncefield incident

| Political Event | Location | Potential Influence |
|---|---|---|
| Geo-political crisis in the Middle-East | Middle East | Sharp increase in the price of oil in 2005 which could then have led to the company increasing throughput so as to make as much profit as possible from high prices |
| UK general election | United Kingdom | Moderation of the workings of regulatory authorities as they take steps not to cause the emergence of news or information that could influence political outcome of the election |
| Election of Mahmoud Ahmadinejad to the presidency of Iran | Iran | Increased geo-political tensions which in turn led to market instability and high prices which then could have influenced the production capacity at the factory |

5.1.4.2 Regulatory influence

There is evidence to show that the Buncefield accident was both a result of systemic failures in the oil industry in general not least because of the poor handling of health and safety by corporate entities but also as a single event disaster of the low probability-high impact kind.

A number of missed opportunities, as well as failure to conduct certain oversight functions including the monitoring of the risk management framework, the auditing of processes and a general lack of compliance monitoring regarding such things as contingency plans, show that there were failures in the design and implementation of the risk management framework as well as major problems in the operational oversight function of the regulatory regime put in place to ensure companies are run in a manner that ensures their potential to damage the environment, property and human beings is minimised. Moreover the context of the dismantling of the tough corporate regulatory environment that had commenced under the government of at the time of the disaster may have led to laxity on the part of the Health and Safety Executive, the Environment Agency and other corporate governance regulatory bodies in conducting their duties. The weakening of the regulatory environment as a result of governmental policy could conversely be argued to mark the accident as a so-called policy disaster, not least because the unintended consequence of the government's poor intentional decision making in relaxing the regulatory environment for the purpose of cutting red tape turned out to be a bad decision, as it created an environment where corporate entities could get away with not putting in place effective controls and systems that may have prevented the accident from occurring.

The table below reflects some of the regulatory failures and inadequacies that played a part in causing the explosion at Buncefield oil depot.

Table 8: Regulatory influence

| Number | Description of Issue |
|---|---|
| 1 | Weakness, ambiguity and contradiction in regulatory strategies between the Environment Agency, the Health and Safety Executive, the Local Council and corporate governance bodies |
| 2 | Deficient communication frameworks between regulatory authorities and the operators of the site leading to failure to explicitly lay out what conduct was expected |
| 3 | Breakdown of trust and accountability between the operators and the lead health and safety regulatory agency, the Health and Safety Executive |

5.1.4.3 Societal influence

Social factors that may have influenced the explosion at Buncefield are a little bit difficult to delineate not least because unlike other factors that form part of the key drivers of safety culture and conduct in an organisation such as regulations and policies, audits, safety training and initiatives that are aimed at making employees develop and operate safety norms and behaviour.

Management culpability insofar as allowing societal factors to influence the accident at the depot relates to their failure to ensure networking relationships and social trust between their organisation and external stakeholders, which included governmental agencies but also their suppliers. The failures and inadequacies in external communication, trust, and openness led to a situation where the social safety climate was eroded, and ultimately led to the erosion of the safety climate within the organisation. This among others was evidenced by the fact that the installers of some of the safety equipment at the site failed to inform the company of the need to remove a component so that the gauging system would be activated and work properly. But that was by no means the only evidence of the erosion of social trust between the organisation and its stakeholders.

5.2 Effectiveness of MORT and Barrier Analysis as Accident Investigation Tools

The ability to learn from accident events is often lauded as one of the most critical principles in effective safety management, hence the presence of a number of post-accident investigation techniques, including those that are founded on collection of statistical information and those that are viewed as in-depth analytical methods that reveal not only patterns but also accident precursors and conditions that when managed well can prevent further events (Lundberg et al., 2010), albeit the notion of prevention of accidents is a hotly contested one.

Whilst the utility of systematic accident investigation insofar as accident prevention is concerned is well espoused, there is a wealth of evidence that suggests the presence of inherent biases in specific accident investigation techniques as well as widely spread sources of error in the field of accident investigation in general, all of which can impact investigation of an accident but more importantly the extent to which individuals and organisations can learn from accidents (Johnson, 2003; Lundberg et al., 2010). Indeed the effectiveness of an accident investigation technique is dependent not only on its fit with the context it is employed in; it has also been shown to be influenced by a number of individual-specific factors as well as the background from which an investigation is conducted. For instance, Svenson et al. (1999) posit that the professional background as well as the psychology of an investigator impact the analysis of accidents, never mind the choice of investigation tool or technique.

The situation is not helped by the absence of a holistic and comprehensive accident investigation technique that is applicable for the analysis of all accidents irrespective of the contextual factors and sectors or areas in which they occur. This section evaluates the effectiveness of two of the most commonly used systematic accident investigation techniques, MORT and Barrier Analysis.

5.2.1 Effectiveness of MORT

The MORT methodology for accident investigation is part of a group of models that are conceptualised as holistic partly because it highlights an accident’s causal factors but also because it delineates what the events leading up to the incident were (Attwood, 2006). By its incorporation and inclusion of extra safety measures elements in its analytical scope, MORT is largely a more comprehensive approach to the investigation of an accident. It is further strengthened by its investigation of the causal relationship between so called trigger factors and enabling events as well as the failure of preventive action including those that are centred in the areas of equipment protection, operator protection, operational staff recovery and mitigation measures.

Whilst its inclusion of a breadth of events, trigger factors and causal factors as well as safety barriers ensures that as wide a scope as possible is cast over the accident context, there is a danger that its extensive scope may lead to a superficial investigation of links and relationships between the said factors, not least due to the tendency for analytical work to be time barred. That said, MORT is a proficient methodology for instances where there is an urgent need for valid information that then feeds into the design of immediate action plans as it enables immediate from an accident event. The MORT technique, through its enabling of the recording of the so-called non-contributory events, is particularly useful as it enables implications regarding the causation of similar events that occur in different contexts to be drawn. So whilst the recording of non-contributory events and factors can be of no immediate use, the design of the MORT framework is such that the information becomes useful to other incidents. In so doing it advances individual as well as organisational learning from disasters.

The MORT model is, however, decidedly qualitative in nature. Granted, there are a lot of positives to qualitative analysis of accidents, including simplicity of application, enabling of detailed examination of an event and its enabling of a foundation for subsequent analytical work to be undertaken. But there are inherent weaknesses in qualitatively linked analytical models, not least because they are impacted by the subjective opinions, experiences and expertise of investigators but also because they do not permit modelling of the dynamics of events and factors. For instance, whereas the use of MORT enabled the identification of the vapour cloud as one of the key factors at play during the incident at Buncefield, except for that identification enabling subsequent quantitative modelling of the dynamics of the vapour cloud in the context of the prevailing conditions at the time of the accident, it was not possible to decipher how big the vapour cloud was and how fast it was moving once it had been formed.

Another deficiency of the MORT model is inherent in its identification of factors that are at times best characterised as proximate causal factors as so-called root cause factors. In so doing there is the potential of symptoms of an incident or accident being managed in a way that does not actually do much to reduce future accidents (Leveson, 2004). It is the reason why Hoveden et al. (2008) argue that MORT often does need supplementing with models that are more suited to engendering alternative thinking and consideration of accident dynamics and that also support imaginative thinking and creativity insofar as accident prevention is concerned, as well as with frameworks that incorporate system dynamics modelling, including techniques that enable data mining and the study of work processes.

5.2.2 Effectiveness of Barrier Analysis

The Barrier Analysis accident investigation technique is founded on Gibson's (1961) energy-barrier principle, which posited that accidents occur due to the loss of control of dangerous energy, hence the suggestions for the separation of energy from vulnerable targets. However, as argued by Reason (1997) in the so-called Swiss-Cheese model, every barrier has deficiencies (holes) that have the potential to line up and in so doing allow a hazard to penetrate a system. The Swiss-Cheese model in effect questions the effectiveness of Barrier Analysis insofar as accident investigation is concerned because, even though robust steps are taken to manage barriers in such a way that the inherent barriers in a system are maintained and improved through the lifespan of a system, considerable challenges exist, albeit there are conversely a number of benefits to be derived from the use of BA in accident investigation (Johansen and Rausand, 2015).

According to Hollnagel (2004) and Sklet (2005), one of the key benefits of using BA as an accident investigation technique is that it permits the classification of barriers in a number of approaches, including classification based on the role and function of the barrier in the accident sequence (preventive, mitigation or controlling barriers) and categorisation based on the nature of the barrier, hence the notion of technical, organisational and operational barriers as well as the distinction between physical, symbolic, functional and incorporeal ones. In the case of Buncefield the use of BA enabled the researcher to clearly distinguish barriers not only based on functionality but also based on the nature of the barrier itself.

Whilst the categorisation of barriers enables an accident investigator to drill down and look at functional as well as physical nature-specific factors of an accident, the overall effectiveness of the technique is limited by a number of deficiencies, not only in regard to philosophical foundations but also in regard to the framework's lack of clarity regarding what is and what is not a barrier in an accident environment. Because of the absence of barrier-linked performance requirements for the various functions, systems and elements of the Buncefield accident site, it was difficult to judge the difference in positions between the regulatory authority positions and those of the operators of the site. Further, it was not easy to distinguish between operational and organisational elements of the accident as the Barrier Analysis framework is ambiguous about the distinction between those two groups of elements, a situation not helped by the existence of published opinion that considers the two to be one and the same.

The Barrier Analysis framework also requires an investigator to know the performance of a barrier beforehand so that they can then make a judgement regarding whether a specific barrier was functioning well or impaired. It is accordingly not suitable for investigators who lack prior knowledge of the system that they are investigating, as well as those who are inexperienced in system audits and the requirements of a fully operational installation.

Chapter 6; Application of Findings

6.1 Utility of Systematic Accident Investigation Techniques in Learning from Disasters

The very notion of organisational or individual capacity to learn from an accident or near miss event is strongly contested by a number of authors, including Hopkins (2008), who posits that the continued reoccurrence of major accidents, and indeed the increase in the number of accidents in scope, size and severity, reflect the inability of organisations and individuals to learn from lessons inherent in past failures or accidents. This view however ignores strong evidence regarding the utility of accidents in that meanings are imputed to historical events, even if doing so depends among other things on the manner in which an event is portrayed as well as the manner in which the portrayal of an event is interpreted by society in general as well as by individuals (Marcuse, 2009).

Indeed there is wide consensus both in research and accident management on the notion that systematic accident investigations are critical in enabling organisations as well as individuals to derive benefit from an accident (Stoop and Roed-Larsen, 2009). But what tends to always happen, especially so in situations where independent boards are engaged to investigate accidents, is that the investigation serves as a baseline for the establishment of processes to deal with the accident, and as such it is open to question whether it is done in such a way that it does actually enable learning from disasters (Braut et al., 2014).

Moreover, similar incidents such as the Qingdao storm drain disaster, in which a crude oil vapour explosion killed 62 people and injured scores (Zhu et al., 2015), considerably dent the notion of humans and organisations being able to learn from disaster. Whilst the anatomy of the Buncefield explosion incident was considered to have engendered research into the dynamics of oil vapour clouds, more so in regard to increasing understanding of the explosion limits of vapour clouds and of the relationship between the upper explosive limit and the vapour pressure of oil vapour, the explosion in Qingdao, because of its being linked to a number of human, technical and social factors that had been observed in Buncefield, shows that little if anything has been learnt by organisations.

However, to take the continued occurrence of similar vapour cloud explosion accidents as evidence of the failure or indeed inability of individuals and organisations to learn from disasters and near miss events is not tenable, despite some authors such as Borodcizc (2005) asserting that empirical evidence suggests the ability to learn from accidents is negligible due to deficiencies in human cognition as well as the inability of humans to comprehend the dynamics of socio-technical systems interactions that, with increasing automation and complexity, are even more difficult to decipher, as evidenced by the BP Deepwater Horizon disaster explosion in the Gulf of Mexico. Doing so misses the point that subsequent independent bodies and regulator-led investigations not only came up with a number of explicit hazard identification and risk assessment recommendations for similar contextual environments but also suggested a number of approaches for improving health and safety management in oil installations. The subsequent strengthening of compliance with good practice guidance, as well as the development of robust systems for the investigation of near miss incidents by the Health and Safety Executive, can be taken as one of the most critical indicators that emerged subsequent to the accident in Buncefield.

The persistence of problems in general corporate hazard and risk management operations is reflected by the failures of regulatory authorities to tie up all the loopholes that allow companies that breached safety legislation to re-brand and re-emerge as different entities, as did happen with the re-branding of one of the key players at the Buncefield incident, Motherwell Control Systems, and its re-appearance for operations close to the accident area. This would ordinarily be taken to reflect serious deficiencies in the risk management framework as a whole, but the fact that the re-branded company was subsequently found out can conversely be construed as evidence of a new ability to learn on the part of civil society and other stakeholders that was developed after the incident in Buncefield. That is, the scale of the disaster, notwithstanding the absence of fatalities, redoubled the efforts of oversight organisations and private individuals insofar as being vigilant and looking for failures and system deficiencies that would otherwise lead to the occurrence of a similar if not bigger incident.

The utility of Buncefield, along with similar accidents in Qingdao (Zhu et al., 2015) and Jaipur (Sharma et al., 2013), in furthering learning from disasters has been the advancement of vapour cloud dynamics modelling. Whilst our understanding of the emergence, explosion limits, ignitability and movement of vapour clouds still has some way to go, advancements have been made in the estimation and modelling of the dispersion of vapour clouds in different environmental conditions, as has our capacity to reveal trends and relationships between different factors that influence the emergence of vapour clouds and their potential to explode (Sharma et al., 2013).

It is quite conceivable that had the Buncefield explosion been much smaller, in that had the plume not drifted as far and wide as mainland Europe and had the smoke from the resultant explosion not been big enough to see from space, then the examination of the dynamics of oil vapour clouds may not have happened, as other factors would have come to the fore as potential causes. To that end Buncefield has had utility in the design, implementation and review of risk management frameworks and has triggered an increased interest in vapour dynamic modelling and forecasting; hence it can be argued, despite other similar incidents, that it advanced oil installation hazard and risk identification and management processes.

Chapter 7; Discussions of Results

7.1 Safety leadership and management

Available evidence clearly shows that organisational/human factors as well as deficiencies and problems in technical systems and environmental conditions played a central role in the explosion at Buncefield tank farm. A detailed analysis of the contextual environment and a review of procedures, processes, activities and norms show that the management function of the operators of the site was either woefully deficient or indifferent to health and safety concerns.  Specifically there was lack of leadership as well as the absence of adequate board-level involvement in issues concerned with safety.

Indeed, whilst the failures in emergency planning witnessed at the executive management level of the site reflect the lack of competence in risk management at the top of corporate management at the site, a majority of the observed failings and absence of safe systems and procedures mainly relate to the lack of an enabling corporate culture and poor corporate governance. The failure to develop a comprehensive emergency plan is clearly due to the lack of strategic leadership by managers. This was particularly remarkable given that the organisation and its set-up ranked as a site of major hazards and accordingly was expected to adhere to more stringent arrangements given the risk inherent in its activities. However, the weakness in board-level governance, due in part to the board's lack of competence in risk management but also as a result of a potential focus on economic performance at the expense of safety, played a part in ensuring an environment developed where managers could at best get away with having a plan on paper of which nothing was implemented.

As such whilst the first obvious inadequacy insofar as the management function at the site was concerned had to do with the lack of planning or at best poor strategic planning, culpability for the same covers both executive managers as well as the board. Not least because corporate governance legislation and regulations in the United Kingdom mean that responsibility for guidance of management function in finance, operations and risk management is the remit of the board of an organisation as well as the top management, who then have a role in cascading the right culture, practices and norms across the entire organisation.

Closely linked with oversight and strategic direction is the failure to adequately supervise, both on the part of management and on the part of external regulators. Indeed, failures in the supervisory function internally and externally made for a situation where safety management had been deteriorating for a considerable time. The analysed evidence shows that previous faults weren’t logged, and indeed the absence of an appropriate framework for the recording and review of near misses enabled some issues that ultimately led to the failures in identification of risks and vulnerabilities to develop to the extent where the system could no longer bear any more. This could have been addressed had the external supervisory function been functioning robustly and effectively. But the break of trust and the erosion of the social protective layer, represented by an ineffectively functioning communication and networking framework between the organisation and its stakeholders, especially the regulatory ones, meant that issues that were flagged up were not followed up. The result was a steady and gradual deterioration of safety management at the site, with management emboldened to go as far as producing documents but not implementing commitments to compliance in some areas.

Effective emergency planning, and for that matter management, is not however possible if the risk and hazard identification process of a company’s risk management framework is not comprehensive and inclusive enough to identify all potential as well as imminent and likely hazards. Corporate functions for hazard and risk identification were inadequate and seriously lacking at Buncefield. For a hazard and risk identification process not to flag up the possibility of several oil storage tanks being on fire at any one time is damning, never mind them clearly containing highly flammable liquids. Similarly, the failure to pick up the possibility of a petrol vapour cloud forming is poor, especially so given that similar explosions had happened elsewhere before (Texas City). Accordingly the emergency plan was flawed from the outset as it left out two key hazards/risks that caused the explosion and influenced the size of the subsequent explosion. This could have been rectified had there been an effective arrangement for routine review of safety issues at the site. There was no system for the detection of failure of not only the hazard and risk identification process but indeed operational failure and unsafe culture at the depot. So while there were several signals and opportunities for weaknesses and failures to be picked up, because the organisational culture was poor and systems were absent, no one was able to connect the myriad of safety incidents to the potential of an explosion happening. Management was so focused on increasing throughput and increasing productivity at the site that even employee stress caused by those two happenings did not trigger any alarms.

In high reliability organisations it is critical that safety systems are maintained and checked regularly to ensure they are working properly, because the failure of one component of the system quickly expands across the entire organisation as a result of the interconnectedness between different systems and functions across the organisation. The failure of the independent high level switch meant that pumping could not be shut off once the limit of the tank had been reached. The fact that the said switch had not been functional for a considerable amount of time clearly shows that checks were irregular and the maintenance inadequate.

Results of the review further show that it is possible to have an audit protocol that does not accord an organisation the feedback it needs to improve its safety management and culture. At Buncefield a number of external audits had flagged up many issues that needed addressing, but due to the lack of an effective protocol within the organisation and the lack of an enabling communication framework, the utility of the audits insofar as ensuring identified failures were dealt with beforehand was lost. Effective auditing rests among others on the clear delineation of roles and responsibilities for the execution of the audit protocol as well as the implementation of findings, the allocation of appropriate resources and regularity of execution. Moreover, the importance of an effective audit cannot be overstated, not least because it helps identify and plug any holes in the risk management framework. This is particularly so given that, because of the nature of risks/hazards as well as their being multi-faceted and capable of emanating from different areas, and because of the evolution of hazards and risk, no risk management framework can be designed in such a way that it accounts for all potential outcomes. Accordingly, adaptability as well as robustness become critical elements in an effective risk management framework; these two qualities hinge on the effectiveness of the audit protocol.

7.2 Accident Investigation Tools

For investigating accidents there are numerous tools that have been developed and are considered as being sufficient for use in all kinds and contexts of accidents. However, the reality of the situation is that it is never sufficient to use a single investigation tool to determine the underlying causes of an accident. For specific accident investigations it is necessary to use multiple investigation techniques throughout the investigation.

This is evident in the current study of the Buncefield accident, in which multiple techniques were used to investigate the root causes of the accident. The techniques used for the current study included Barrier Analysis, the MORT model, and Events and Causal Factor Analysis (ECFA). Barrier Analysis and ECFA are tools that are interrelated with the MORT model as they stem from MORT. All the techniques used for the current investigation of the accident are considered robust, providing for high reliability of findings. The tools selected for the current study were suitable for the complexity found in the Buncefield case’s environment and organisation. There is a specific setback with using these particular tools, namely the forecasting of future scenarios. However, to overcome this setback, the tools that were used are extremely accurate in determining the root causes of the accident. This will enable organisations such as HOSL to make the necessary changes to prevent similar events from taking place in the future. This can be achieved through making risk assessments when uncovering risks within the organisation’s management infrastructure, physical environment, policies and procedures, and communication.

Chapter 8; Conclusions

Based on the literature assessed in the current study it is evident that accidents result from various factors and events such as human errors, commonly seen through failings of the management or the organisation at large, in addition to technical factors. The current study reviewed the incident that occurred at the Buncefield Oil Depot, which was a series of explosions that would be labelled as the largest fire Europe has witnessed since World War II. Reviewing the factors and events that led to the explosion and subsequent fires

A review of the incident at Buncefield revealed the influence of all the different categories of precursor events even though the bulk of them were in the category of human factors. The approach used in the investigation of the incident especially the involvement of several organisations and the methodological step by step review of all the events and the determination of the sequence of main events. Whilst the approach and its layout were comprehensive, there were still a number of significant informational gaps, not least the dynamics of the vapour cloud and its formation.

As posited by the Normal Accident Theory, the failures in management functions at Buncefield both at the executive level and at board level made for an environment where precursors of the explosion that happened in 2005 were unavoidable. Not only was there a lack of systems and procedures, but even in areas where there were established protocols and systems, the failures in operational management and oversight were such that they were not sufficient to pick up faults. Moreover, failures in physical components at the site were also due to failures in the management function, especially in the management of contractors and the installation of adequate protective and mitigation facilities.

Mistakes and failures in organisation management were exacerbated by inadequacies in external regulation, as unsafe behaviour was allowed to develop due to the erosion of trust and failures in the communication frameworks between stakeholders. This was quite evident in the organisation that was running operations at the Buncefield oil depot. Throughout the current study, various management errors arose that led to an increased risk of accidents occurring. Particularly, it was found from the research that management had placed a great deal of pressure on supervisors, which led to subsequent factors such as overload of work, overlapping of systems, faults in error logging, and technical mishaps going unnoticed.

It is recommended that organisations that are dealing in sensitive materials or those that are risky implement policies and procedures which adhere to safety protocol. It is essential for organisations to run routine risk assessments in all departments of the organisation, including operations, functions, and management. These risk assessments provide organisational leaders with insight into factors that may put the organisation at risk of accident occurrence. Safety protocols in place at the site will ensure that human capital, infrastructure capital and resources are kept safe in the face of danger. From the current study it is evident that management plays a very critical role in preventing accidents by frequently analysing factors that may put the organisation at risk of accident occurrence.

References

Borodcizc E. P., (2005). Risk, Crisis and Security Management. John Wiley and Sons, Chichester, England.

Braut G. S., Solberg O., and Nja O., (2014). Organisational effects of experience from accidents:  Learning in the aftermath of the Tretten and Astan train accidents. Transportation Research Part A: Policy and Practice Vol. 69 Iss pp354-366.

Hopkins A., (2008). Failure to Learn: The BP Texas City Refinery Disaster. CCH Australia, Sydney, NSW.

Marcuse H., (2009). Reception history: Definitions and quotations. www.history.ucsb.edu/faculty/marcuse/receptionhist.html. Accessed 2 March 2015.

Al-shanini A., Ahmad A., and Khan F., (2014). Accident analysis and modelling in process industries. Journal of Loss Prevention in the Process Industries Vol. 32 Iss pp 319-334.

Antao P., and Soares G., (2008). Causal factors in accidents of high-speed craft and conventional ocean going vessels. Reliability Engineering and System Safety Vol. 93 Iss 9 pp 1292-1304.

Baysari T., Caponneccha C., McIntosh A. S., and Wilson J. R., (2009). Classification of errors contributing to rail incidents and accidents: A comparison of two human error identification techniques. Safety Science Vol. 47 Iss 7 pp 948-957.

Borodcicz E. P., (2005). Risk, Crisis and Security Management. John Wiley and Sons, Chichester, England.

Benner Jr., I., (1975). Accident investigations: Multilinear events sequencing methods. Journal of Safety Research Vol. 7 Iss 2 pp 567-574.

Booth R., (2011). How hindsight bias distorts history. http://www.hastam.co.uk/wp/wp-content/uploads/2014/06/hindsight-bias-short-01-2012.pdf. Accessed 17 November 2015.

Cheng C-W., Yao H., and Wu T-C., (2013). Applying data mining techniques to analyse the causes of major occupational accidents in the petrochemical industry. Journal of Loss Prevention in the Process Industries. Vol. 26 Iss 6 pp 1269-1278.

Cousins C., (2002). Getting to the “truth”: Issues in contemporary qualitative research. Australian Journal of Adult Learning Vol. 42 pp 192-204.

De Massis A., and Kotlar J., (2014). The case study method in family businesses research: Guidelines for qualitative scholarship. Journal of Family Business Strategy Vol. 5 Iss 1 pp 15-29.

Dobson P. J., (2002). Critical realism and informational systems research: Why bother with philosophy? Information Research—An International Electronic Journal Vol. 7 Iss 2 Accessed 22 October 2014.

Erricsson C. A., (2005). Hazard Analysis Techniques for System Safety. John Wiley and Sons, Fredericksburg, Virginia.

Doytchev D. E., and Szwillus G., (2009). Combining task analysis and fault tree analysis for accident and incident analysis: A case study from Bulgaria. Accident Analysis and Prevention Vol. 41 Iss 6 pp 1172-1179.

Gerbec M., (2013). Supporting organisational learning by comparing activities and outcomes of the safety management system. Journal of Loss Prevention in the Process Industries.

Hams-Ringdahl L., (2009). Analysis of safety functions and barriers in accidents. Safety Science Vol. 47 Iss 3 pp 353-363.

HSE (2014a). Accident Investigations in Practice-Part 2. Health and Safety Executive. http://www.hse.gov.uk/chemicals/workshop/accident-investigation-10/accident-investigations2.pdf. Accessed 11th October 2014.

HSE (2014b). Buncefield: Why did it Happen? http://www.hse.gov.uk/comah/buncefield/buncefield-report.pdf. Accessed 20th October 2014.

HSE (2006). The Buncefield incident 11 December 2005- The final report of the major incident investigation board vol.2. http://www.hse.gov.uk/comah/buncefield/miib-final-volume2a.pdf. Accessed 12th November 2015.

HSE (2003). Learning from incidents involving E/E/PE systems: Part 1-Review of Methods and Industry Practice. Health and Safety Executive, Liverpool, England.

HSE (2001). Root causes analysis: Literature review. Research Report 325/2001 Health and Safety Executive, Liverpool, England.

IET (2012). Accident Investigation: Health and Safety Briefing No. 60. The Institution of Engineering and Technology.

Katsakiori P., Sakellaropoulos G., and Manatakis E., (2009). Towards an evaluation of accident investigation models in terms of their alignment with accident investigation causation models. Safety Science Vol. 47 Iss 7 pp 1007-1015.

Konstandinidou M., Nivolianitou Z., Kefalogianni E., and Caroni C., (2011). In-depth analysis of the causal factors of incidents reported in the Greek petrochemical industry. Reliability Engineering and System Safety Vol. 96 Iss 11 pp 1448-1455.

Kontogiannis T., (2012). Modelling patterns of breakdown (or archetypes) of human and organisational processes in accidents using systems dynamics. Safety Science Vol. 50 pp 931-944.

Kim D. S., and Yoon W. C., (2013). An accident causation model for the railway industry: Application of the model to 80 railway accident investigation reports from the UK. Safety Science Vol. 60 pp 57-68.

Krauss S. E., (2005). Research paradigms and meaning making: A primer. The Qualitative Report Vol. 10 pp 758-770.

Lyons M., Adams S., Woloshynowych M., and Vincent C., (2004). Human reliability analysis in healthcare: A review of techniques. International Journal of Risk and Safety in Medicine Vol. 16 pp 223-237.

Mannering F. L., and Bhat C. R., (2014). Analytic methods in accident research: Methodological frontier and future directions. Analytic Methods in Accident Research Vol. 1 pp 1-22.

Martin W. F., and Walters J. B., (2001). Accident investigation techniques. Safety and Health Essentials. pp 42-54.

MIIB (2008). The Buncefield Incident 11 December 2005: The Final Report of the Major Incident Investigation Board Vol. 1. http://www.buncefieldinvestigation.gov.uk/reports/volume1.pdf. Accessed 10th October 2014.

NRI (2009). NRI MORT User’s Manual: For use with the Management Oversight and Risk Tree Analytical Logic Diagram. The Noordwijk Risk Initiative Foundation, Delft, Netherlands.

NRI (2008). 3CA: Control, Change and Cause Analysis: Investigators Manual 2nd Ed. The Noordwijk Risk Initiative Foundation, Delft, Netherlands.

NRI (2007). ECFA+: Events and Conditional Factors Analysis Manual. The Noordwijk Risk Initiative Foundation, Delft, Netherlands.

Oakley J. S., (2003). Accident Investigation Techniques. American Society of Safety Engineer, Illinois, USA.

Okoh P., and Haugen S., (2014). A study of maintenance-related major accident cases in the 21st Century. Process Safety and Environmental Protection Vol. 92 Iss 4 pp 346-356.

Saleh J. H., Marias K. B., Bakolas E., and Cowlagi R. W., (2010). Highlights from literature on accident causation and system safety: Review of major ideas, current contributions and challenges. Reliability Engineering and System Safety Vol. 95 Iss 11 pp 1105-1116.

Santos-Reyes J., and Beard A. N., (2009). A systematic analysis of the Edge Hill railway accident. Accident Analysis and Prevention Vol. 41 Iss 6 pp 1133-1144.

Santos-Reyes J., Olmos-Pena S., Alvarado-Corona R., and Hernandez-Simon (2009). Applying MORT to the analysis of the Tlahuac incident. Reliability Engineering and System Safety Vol. 94 Iss 10 pp 1557-1556.

Shahrokhi M., and Bernard A., (2010). A development in energy flow/barrier analysis. Safety Science Vol. 48 Iss 5 pp 598-606.

Song W., and Ying W., (2011). Causation analysis of complex system safety accident based on brittle structure collapse theory. Procedia Engineering Vol. 15 Iss pp 365-369.

South Alabama (2014). Strengths and weaknesses of qualitative research. http://www.southalabama.edu/coe/bset/johnson/oh_master/Ch14/Tab14-02.pdf. Accessed 22 October 2014.

Thompson P., (2014). Learning from Disasters. School of the Built Environment, Heriot-Watt University.

TRAC (1995a). Barrier Analysis. The Technical Research and Analysis Centre. Idaho Falls, Idaho, USA.

TRAC (1995b). Events and Causal Factors Analysis. The Technical Research and Analysis Centre. Idaho Falls, USA.

Thwaites P., Smith S. Q., and Riccomagno E., (2010). Causal analysis with chain event graphs. Artificial Intelligence Vol. 174 Iss 12-13 pp 889-909.

Underwood P., and Waterson P., (2014). Systems thinking, the Swiss Cheese Model and accident analysis: A comparative systemic analysis of the Grayrigg train derailment using the ATSB, AcciMap and STAMP models. Accident Analysis and Prevention, Volume 68 pp 75-94.

Underwood P., and Waterson P., (2013). Systemic accident analysis: Examining the gap between research and practice. Accident Analysis and Prevention Vol. 55 pp 154-164. 

USDoE (1992). Root Cause Analysis Guidance Document. United States Department of Energy, Washington D.C, USA.

Vestrucci P., (2013). On the “post-dictive” use of the fault tree method for accident investigation in aid of judicial procedures. Safety Science Vol. 53 Iss pp 240-247.

Sharma R. K., Gurjar B. R., Wate S. R., Ghuge S. P., and Agrawal R., (2013). Assessment of accidental vapour cloud explosion: Lessons from Indian Oil Corporation Ltd accident at Jaipur, India. Journal of Loss Prevention in the Process Industries Vol. 26 Iss 1 pp 82-90.

Stoop J., and Roed-Larsen S., (2009). Public safety investigations-A new evolutionary step in safety enhancement? Reliability Engineering and System Safety Vol. 94 Iss 9 pp 1471-1479.

Zhu Y., Qian X., Liu Z., Huang P., and Yuan M., (2015). Analysis and assessment of Qingdao oil vapour explosion accident: Lessons learnt. Journal of Loss Prevention in the Process Industries Vol. 33 pp 289-303.

Attwood D., Khan F., and Veitch B., (2006). Occupational accident models-Where have we been and where are we going? Journal of Loss Prevention in the Process Industries Vol. 19 pp 664-682.

Hovden J., Albrechtsen E., and Herrera A., (2008). Is there a need for new theories, models and approaches to occupational accident prevention? Safety Science Vol. 48 Iss 8 pp 950-956.

Hollnagel E., (2004). Barriers and Accident Prevention. Ashgate, Aldershot, United Kingdom.

Johansen I. L., and Rausand M., (2015). Barrier management in the offshore oil and gas industry. Journal of Loss Prevention in the Process Industries Vol. 34 Iss pp 49-55.

Johnson C. W., (2003). Failure in Safety-critical Systems: A Handbook of Accident and Incident Reporting. University of Glasgow Press, Glasgow, Scotland.

Leveson S., (2004). A new accident model for engineering safer systems. Safety Science Vol. 42 Iss pp 237-270.

Lundberg J., Rollenhagen C., and Hollnagel E., (2010). What you find is not always what you fix-How aspects other than causes of accidents decide recommendations for remedial actions. Accident Analysis and Prevention Vol. 42 Iss pp 2132-2139.

Sklet S., (2005). Safety Barriers in Oil and Gas Platforms: Means to Prevent Hydrocarbons Releases. Norwegian University of Science and Technology, Trondheim, Norway.

Svenson O., Lekberg A., and Johansson A. E. L., (1999). On perspective, expertise and differences in accident analysis: Arguments for a multi-disciplinary integrated approach. Ergonomics Vol. 42 Iss 11 pp 1561-1571.

Appendix 1

| Colour code | MORT Reference Code | Keywords | Description of relevance to… |
|---|---|---|---|
| Red | | Where a problem is found | |
| Green | | Issue resolved satisfactorily | |
| Blue | | Relevant issue but with scarce information for proper assessment | |
| Red | SA1 | Accident | Explosion at Buncefield Tank Farm |
| Blue | SA1 SB1 | Potentially Harmful Energy Flow or Environmental Condition | Flow of petrol to tank 912 and overflow to the ground; flow of petrol vapour to the air |
| Blue | SA1 SB1 a1 | Non-functional Energy | Vaporised petrol to the air |
| Blue | SA1 SB1 a1 b1 | Control of Non-functional Energy | Not practicable |
| Red | SA1 SB1 a1 b2 | Control Impracticable | Due to unknown dynamics and scope of the flow of energy, control of vapour flow into the atmosphere was impracticable |
| Red | SA1 SB1 a2 | Functional Energy | Kinetic energy to storage tank 912 |
| Red | SA1 SB1 a2 b3 | Control of Use LTA | A number of controls in place both administrative and design linked but all proved defective on the day of the accident |
| Red | SA1 SB1 a2 b4 | Diversion LTA | Installed capacity for diversion but failures meant the functionality was not used. There was inattention by staff in that it took several hours for it to be realised that energy was flowing in the wrong direction. No one had the experience to connect the other signs that were happening to decipher problems that were happening. |
| Red | SA1 SB1 a2 b4 c1 | Control of Functional Energy LTA | All known controls not working. Tank filling gauging alarm was not working, overflow shut off, procedure for monitoring, the computer system and management function were either below the required standard or poorly installed |
| Red | SA1 SB1 a2 b4 c1 | Diversion of functional Energy LTA | Not done. It took several hours for operational staff to pick up the loss of control of functional energy and nothing was done till it was too late. When it was eventually attempted, the wrong valve was opened by the supervisor in the process exacerbating the issue with the wrong flow of functional energy |
| Green | SA1 SB2 | Vulnerable People or Objects | Tank delivery drivers; control room operators; equipment. Various groups and objects were all subject to different types of hazards from the site, some more significantly than others. Notable key hazards included fire, flying debris from the explosion, smoke, particulates, and polluted water. |
| Green | SA1 SB2 a1 | Non-functional People or Objects | Neighbouring business premises, equipment and cars; residents of neighbouring communities; commuters on the M1. Mainly from the fire and smoke as well as particulates, polluted water, chemical residue and other noxious gases from combustion of petrol and the products in burning buildings and other physical products. |
| Red | SA1 SB2 a1 b1 | Control LTA | Control defective. Physical barriers, work processes and systems as well as organisational culture and management were all defective. |
| Blue | SA1 SB2 a1 b2 | Control Impracticable | Some scope for physical control as well as the use of processes and systems might have helped though the exact extent to which or how effective they would have been needs investigation |
| Blue | SA1 SB2 a2 | Functional People or Objects | Control room operators; tank delivery drivers. There were oversights, omissions and loss of control on the part of the former (Control room operators) and oversights on the part of the tank delivery drivers |
| Red | SA1 SB2 a2 b3 | Control of Exposure LTA | A number of physical barriers, systems and processes in place albeit defective |
| Blue | SA1 SB2 a2 b4 | Evasive Action LTA | Not seen. By the time it was realised there was the wrong flow, it was too late for evasive action to be taken. Indeed tens of thousands of petrol had overflowed onto the ground and dispersed to the air. |
| Blue | SA1 SB2 a2 b4 c1 | Means of Evasion LTA | Shut off valve and system to divert inflow to another pipeline. Diversion to another pipeline was not attempted till much later. |
| Blue | SA1 SB2 a2 b4 c2 | Evasion Impracticable | Evasion was practicable |
| Red | SA1 SB3 | Barriers and Controls LTA | Physical, process and administrative: all however were either ineffective or defective |
| Red | SA1 SB3 SC1 | Control of work and process LTA | Some satisfactory others woefully inadequate. Logging of faults and near misses was inadequate |
| Red | SA1 SB3 SC1 SD1 | Technical Information Systems LTA | Failed, and not properly maintained or installed properly |
| Green | SA1 SB3 SC1 SD1 a1 | Technical Information LTA | Sufficient |
| Blue | SA1 SB3 SC1 SD1 a1 b1 | Knowledge LTA | Gaps in some key areas |
| Green | SA1 SB3 SC1 SD1 a1 b1 c1 | Based on Existing Knowledge | Yes |
| Red | SA1 SB3 SC1 SD1 a1 b1 c1 d1 | Application of Codes and Manuals, LTA | Not satisfactory |
| Blue | SA1 SB3 SC1 SD1 a1 b1 c1 d2 | List of Experts LTA | None seen in the evidence reviewed, presumption is there wasn’t one. |
| Blue | SA1 SB3 SC1 SD1 a1 b1 c1 d3 | Local Knowledge LTA | Possible case of oversight as no modelling had picked up the potential of local conditions contributing to the formation of a vapour cloud |
| | SA1 SB3 SC1 SD1 a1 b1 c1 d4 | Solution Research LTA | N/A |
| Green | SA1 SB3 SC1 SD1 a1 b1 c2 | If there was no known precedent | Yes |
| Blue | SA1 SB3 SC1 SD1 a1 b1 c2 d5 | Previous investigation and analysis LTA | Some had been undertaken in the form of audit. But no evidence seen of previous incidents and near misses being properly investigated and documented |
| | SA1 SB3 SC1 SD1 a1 b1 c2 d6 | Research LTA | Loss of control |
| | SA1 SB3 SC1 SD1 a1 b2 | Communication of Knowledge LTA | Broken internal and external communication frameworks especially for contractors, regulatory authorities and employees |
| Red | SA1 SB3 SC1 SD1 a1 b2 c3 | Internal Communication LTA | A number of deficiencies |
| Green | SA1 SB3 SC1 SD1 a1 b2 c3 d7 | Internal Network Structure LTA | Strong |
| Red | SA1 SB3 SC1 SD1 a1 b2 c3 d8 | Operation of Internal Network LTA | Poor |
| Red | SA1 SB3 SC1 SD1 a1 b2 c4 | Was the external communication LTA? | Not effective |
| Red | SA1 SB3 SC1 SD1 a1 b2 c4 d9 | External Network Definition LTA | Poor |
| Red | SA1 SB3 SC1 SD1 a1 b2 c4 d10 | External Network Operation LTA | Poor |
| Red | SA1 SB3 SC1 SD1 a2 | Data Collection LTA | Logging of previous faults and near misses not |
| Green | SA1 SB3 SC1 SD1 a2 b3 | Monitoring Plan LTA | Existent |
| Red | SA1 SB3 SC1 SD1 a2 b4 | Independent Review LTA | Done but recommendations not effected |
| Green | SA1 SB3 SC1 SD1 a2 b5 | Use of Previous Accident/Incident Information LTA | No previous comparable accidents |
| Blue | SA1 SB3 SC1 SD1 a2 b6 | Learning from employee/contractor's personnel experience LTA | Possible |
| Red | SA1 SB3 SC1 SD1 a2 b7 | Were routine inspections of the work/process LTA | Inspections existent but not routine |
| Red | SA1 SB3 SC1 SD1 a2 b8 | Upstream Audits LTA | Not done |
| Red | SA1 SB3 SC1 SD1 a2 b9 | Health Monitoring LTA | Not done |
| Red | SA1 SB3 SC1 SD1 a3 | Data Analysis LTA | Ineffective |
| Red | SA1 SB3 SC1 SD1 a3 b10 | Priority Problem List LTA | Non-existent, logging of problems was poor |
| Red | SA1 SB3 SC1 SD1 a3 b11 | Statistics and Risk projection LTA | Done for some but not the key catastrophic risks linked to the accident |
| Green | SA1 SB3 SC1 SD1 a3 b12 | Status Display LTA | Done |
| Blue | SA1 SB3 SC1 SD1 a4 | Triggers to Risk Analysis LTA | Not seen |
| Red | SA1 SB3 SC1 SD1 a4 b13 | Sensitivity LTA | Not done |
| | SA1 SB3 SC1 SD1 a4 b14 | Priority Problem Fixes LTA | - |
| Blue | SA1 SB3 SC1 SD1 a4 b15 | Planned Change Controls LTA | Not smoothly executed |
| Red | SA1 SB3 SC1 SD1 a4 b16 | Unplanned Change Controls LTA | Poor |
| Red | SA1 SB3 SC1 SD1 a4 b17 | New Information use LTA | Not good |
| Green | SA1 SB3 SC1 SD1 a5 | Independent Audit and Appraisal LTA | Done |
| Green | SA1 SB3 SC1 SD2 | Operational Readiness LTA | Done |
| Blue | SA1 SB3 SC1 SD2 a1 | Verification of Operational Readiness LTA | Not apparent |
| Blue | SA1 SB3 SC1 SD2 a1 b1 | Did not Specify Check | For some areas, yes |
| Red | SA1 SB3 SC1 SD2 a1 b2 | Readiness Criteria LTA | Not there |
| Blue | SA1 SB3 SC1 SD2 a1 b3 | Verification Procedure LTA | Not seen |
| Blue | SA1 SB3 SC1 SD2 a1 b4 | Competence LTA | Inadequacies in some areas |
| Red | SA1 SB3 SC1 SD2 a1 b5 | Follow-up LTA | Poor |
| Red | SA1 SB3 SC1 SD2 a2 | Technical Support LTA | Poor |
| Red | SA1 SB3 SC1 SD2 a3 | Interface between Operations and Maintenance or Testing Activities LTA | Poor |
| Green | SA1 SB3 SC1 SD2 a4 | Configuration LTA | Good |
| Red | SA1 SB3 SC1 SD3 | Inspection LTA | Poor. Not regular, not well documented, corrective action not followed up |
| Red | SA1 SB3 SC1 SD3 a1 | Planning Process LTA | Poor |
| Blue | SA1 SB3 SC1 SD3 a1 b1 | Specification of Plan LTA | Not good |
| Blue | SA1 SB3 SC1 SD3 a1 b1 c1 | Maintainability (Inspect-ability) LTA | Possible but not done |
| Red | SA1 SB3 SC1 SD3 a1 b1 c2 | Completeness of the Plan LTA | Poor |
| Red | SA1 SB3 SC1 SD3 a1 b1 c3 | Schedule LTA | Not thought through |
| Red | SA1 SB3 SC1 SD3 a1 b1 c4 | Coordination LTA | Poor |
| Red | SA1 SB3 SC1 SD3 a1 b1 c5 | Competence LTA | Poor |
| Red | SA1 SB3 SC1 SD3 a1 b2 | Analysis of Failures LTA | Oversights, inadequacies and poor planning and supervision |
| Red | SA1 SB3 SC1 SD3 a2 | Execution LTA | Poor |
| Blue | SA1 SB3 SC1 SD3 a2 b3 | "Point of Operation" Log LTA | Not seen |
| Blue | SA1 SB3 SC1 SD3 a2 b4 | Failure caused by maintenance (inspection) activity | Yes |
| Red | SA1 SB3 SC1 SD3 a2 b5 | Time LTA | Not appropriate |
| Red | SA1 SB3 SC1 SD3 a2 b6 | Task Performance Errors | Several |
| Green | SA1 SB3 SC1 SD4 | Maintenance LTA | Yes |
| Blue | SA1 SB3 SC1 SD4 a1 | Planning Process LTA | Poor |
| Blue | SA1 SB3 SC1 SD4 a1 b1 | Specification of Plan LTA | Inadequate |
| | SA1 SB3 SC1 SD4 a1 b1 c1 | Maintainability (Inspect-ability) LTA | - |
| | SA1 SB3 SC1 SD4 a1 b1 c2 | Completeness of the Plan LTA | N/A |
| Red | SA1 SB3 SC1 SD4 a1 b1 c3 | Schedule LTA | Not good |
| Blue | SA1 SB3 SC1 SD4 a1 b1 c4 | Coordination LTA | Some fairly good |
| Red | SA1 SB3 SC1 SD4 a1 b1 c5 | Competence LTA | Wholly lacking |
| | SA1 SB3 SC1 SD4 a1 b2 | Analysis of Failures LTA | - |
| | SA1 SB3 SC1 SD4 a2 | Execution LTA | - |
| | SA1 SB3 SC1 SD4 a2 b3 | "Point of Operation" Log LTA | - |
| Red | SA1 SB3 SC1 SD4 a2 b4 | Failure caused by maintenance (inspection) activity | Yes |
| Red | SA1 SB3 SC1 SD4 a2 b5 | Time LTA | Not good |
| Red | SA1 SB3 SC1 SD4 a2 b6 | Task Performance Errors | Several |
| Red | SA1 SB3 SC1 SD5 | Supervision & Staff Performance LTA | Very poor |
| Red | SA1 SB3 SC1 SD5 a1 | Time LTA | Ineffective |
| Red | SA1 SB3 SC1 SD5 a2 | Continuity of Supervision LTA | Poor |
| Red | SA1 SB3 SC1 SD5 a3 | Detection/Correction of Hazards LTA | Poor |
| Red | SA1 SB3 SC1 SD5 a3 b1 | Detection of Hazards LTA | Poor |
| Red | SA1 SB3 SC1 SD5 a3 b1 c1 | Checklists LTA | Not used |
| Blue | SA1 SB3 SC1 SD5 a3 b1 c2 | Detection Plan LTA | Not seen |
| Blue | SA1 SB3 SC1 SD5 a3 b1 c2 d1 | Logs and Diagrams LTA | Existent but not used |
| Red | SA1 SB3 SC1 SD5 a3 b1 c2 d2 | Supervisor's Monitor Plan LTA | Poor |
| Blue | SA1 SB3 SC1 SD5 a3 b1 c2 d3 | Review of Changes LTA | Not seen |
| Red | SA1 SB3 SC1 SD5 a3 b1 c2 d4 | Did not Relate to Prior Events | It did |
| | SA1 SB3 SC1 SD5 a3 b1 c3 | Time LTA | - |
| Blue | SA1 SB3 SC1 SD5 a3 b1 c4 | Workforce Input LTA | None |
| Blue | SA1 SB3 SC1 SD5 a3 b2 | Correction of Hazards LTA | None |
| Red | SA1 SB3 SC1 SD5 a3 b2 c5 | Inter-departmental Co-ordination LTA | Poor |
| Green | SA1 SB3 SC1 SD5 a3 b2 c6 | Postponed | Yes |
| Red | SA1 SB3 SC1 SD5 a3 b2 c7 | Did not Correct in Time | Yes |
| Red | SA1 SB3 SC1 SD5 a3 b2 c7 d5 | Authority LTA | Poor |
| Blue | SA1 SB3 SC1 SD5 a3 b2 c7 d6 | Budget LTA | Possible but difficult to decide |
| | SA1 SB3 SC1 SD5 a3 b2 c7 d7 | Time LTA | - |
| Red | SA1 SB3 SC1 SD5 a3 b2 c8 | Housekeeping LTA | Poor |
| Red | SA1 SB3 SC1 SD5 a3 b2 c9 | Supervisor Judgment LTA | Questionable |
| Red | SA1 SB3 SC1 SD5 a4 | Performance Errors | Several |
| Red | SA1 SB3 SC1 SD5 a4 b3 | Task Performance Errors | Several |
| | SA1 SB3 SC1 SD5 a4 b3 c10 | Task Assignment LTA | - |
| Red | SA1 SB3 SC1 SD5 a4 b3 c11 | Task-specific Risk Assessment not performed | Yes |
| Red | SA1 SB3 SC1 SD5 a4 b3 c11 d8 | High Potential not Identified | Yes |
| | SA1 SB3 SC1 SD5 a4 b3 c11 d8 e1 | Task Analysis not Required | - |
| Red | SA1 SB3 SC1 SD5 a4 b3 c11 d8 e2 | Task Analysis LTA | Poor |
| | SA1 SB3 SC1 SD5 a4 b3 c11 d8 e3 | Task Analysis not made | - |
| | SA1 SB3 SC1 SD5 a4 b3 c11 d8 e3 f1 | Authority LTA | - |
| | SA1 SB3 SC1 SD5 a4 b3 c11 d8 e3 f2 | Budget LTA | - |
| | SA1 SB3 SC1 SD5 a4 b3 c11 d8 e3 f3 | Time LTA | - |
| | SA1 SB3 SC1 SD5 a4 b3 c11 d8 e3 f4 | Supervisor Judgment LTA | - |
| | SA1 SB3 SC1 SD5 a4 b3 c11 d9 | Low Potential | - |
| | SA1 SB3 SC1 SD5 a4 b3 c12 | Task-specific Risk Assessment LTA | Done but risk framework not always followed |
| | SA1 SB3 SC1 SD5 a4 b3 c12 d10 | Task-specific Risk Analysis LTA | - |
| | SA1 SB3 SC1 SD5 a4 b3 c12 d10 e4 | Knowledge LTA | Seems to have been lacking |
| Blue | SA1 SB3 SC1 SD5 a4 b3 c12 d10 e4 f5 | Use of Workers' Suggestions and Inputs LTA | Not apparent |
| Red | SA1 SB3 SC1 SD5 a4 b3 c12 d10 e4 f6 | Technical Information Systems LTA | Poor |
| Red | SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 | Execution LTA | Poor |
| | SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 f7 | Time LTA | Not a significant factor |
| | SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 f8 | Budget LTA | Presumed to have been tight |
| | SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 f9 | Scope LTA | - |
| Blue | SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 f10 | Analytical Skill LTA | Insufficient |
| Red | SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 f11 | Hazard Selection LTA | Not done |
| Red | SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 f11 g1 | Hazard Identification LTA | Poor |
| Red | SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 f11 g2 | Hazard Prioritization LTA | Poor |
| Red | SA1 SB3 SC1 SD5 a4 b3 c12 d11 | Recommended Risk Controls LTA | Not effective |
| | SA1 SB3 SC1 SD5 a4 b3 c12 d11 e6 | Clarity LTA | Followed good practice |
| | SA1 SB3 SC1 SD5 a4 b3 c12 d11 e7 | Compatibility LTA | Close but significant departure from good practice |
| | SA1 SB3 SC1 SD5 a4 b3 c12 d11 e8 | Testing of control LTA | Infrequent |
| | SA1 SB3 SC1 SD5 a4 b3 c12 d11 e9 | Directive to Use LTA | Existent |
| | SA1 SB3 SC1 SD5 a4 b3 c12 d11 e10 | Availability LTA | Yes |
| | SA1 SB3 SC1 SD5 a4 b3 c12 d11 e11 | Adaptability LTA | No, designed for specific contents; could have been effective in use in others |
| | SA1 SB3 SC1 SD5 a4 b3 c12 d11 e12 | Use not Mandatory | It was |
| | SA1 SB3 SC1 SD5 a4 b3 c13 | Pre-task Briefing LTA | Yes |
| | SA1 SB3 SC1 SD5 a4 b3 c14 | Fit between Task Procedures and actual Situation LTA | - |
| | SA1 SB3 SC1 SD5 a4 b3 c15 | Personnel Performance Discrepancy | None |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d12 | Personnel Selection LTA | Showed significant problems |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d12 e13 | Criteria LTA | - |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d12 e14 | Testing LTA | Not done |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d13 | Training LTA | No records |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d13 e15 | No training | - |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d13 e16 | Criteria Training LTA | Not seen |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d13 e17 | Methods LTA | Unverifiable |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d13 e18 | Trainer Skills LTA | Not known |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d13 e19 | Verification LTA | - |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d14 | Consideration of Deviations LTA | Poor and weak systems and frameworks |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d14 e20 | Normal Variability | Very high |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d14 e21 | Changes | Few and far between |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d14 e22 | Supervisor Observation LTA | Ineffective |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d14 e23 | Supervisor Correction LTA | None |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d14 e23 f12 | Re-instruction LTA | - |
| Red | SA1 SB3 SC1 SD5 a4 b3 c15 d14 e23 f13 | Enforcement LTA | Poor |
| Red | SA1 SB3 SC1 SD5 a4 b3 c15 d15 | Employee Motivation LTA | Poor, loads of stress placed on employees |
| Red | SA1 SB3 SC1 SD5 a4 b3 c15 d15 e24 | Leadership & Examples LTA | Not effective |
| Red | SA1 SB3 SC1 SD5 a4 b3 c15 d15 e25 | Time Pressure | Yes |
| Blue | SA1 SB3 SC1 SD5 a4 b3 c15 d15 e26 | Correct Performance is Punished | Not apparent |
| Green | SA1 SB3 SC1 SD5 a4 b3 c15 d15 e27 | Incorrect Performance is Rewarded | No |
| Red | SA1 SB3 SC1 SD5 a4 b3 c15 d15 e28 | Job Interest Building LTA | None |
| Blue | SA1 SB3 SC1 SD5 a4 b3 c15 d15 e29 | Group Norms Conflict | Yes |
| Blue | SA1 SB3 SC1 SD5 a4 b3 c15 d15 e30 | Obstacles Prevent Performance | Yes |
| Blue | SA1 SB3 SC1 SD5 a4 b3 c15 d15 e31 | Personal Conflict | Yes |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d15 e31 f15 | [Conflict] with Supervisor | - |
| | SA1 SB3 SC1 SD5 a4 b3 c15 d15 e31 f16 | [Conflict] with Others | - |
| Blue | SA1 SB3 SC1 SD5 a4 b3 c15 d15 e31 f17 | Deviant Traits | Yes |
| Red | SA1 SB3 SC1 SD5 a4 b3 c15 d15 e32 | General Motivation Program LTA | Not there |
| Red | SA1 SB3 SC1 SD5 a4 b4 | Performance Errors in unrelated tasks | Yes |
| Green | SA1 SB3 SC1 SD5 a4 b4 c16 | Allowed Activities | Yes |
| | SA1 SB3 SC1 SD5 a4 b4 c17 | Prohibited Activities | - |
| Red | SA1 SB3 SC1 SD5 a4 b5 | Emergency Shut-off Performance Errors | Yes |
| Red | SA1 SB3 SC1 SD5 a4 b5 c18 | Task Performance Errors | Many |
| | SA1 SB3 SC1 SD5 a4 b5 c19 | Unrelated Task Errors | A couple |
| | SA1 SB3 SC1 SD6 | Support of Supervisors LTA | Not there |
| Red | SA1 SB3 SC1 SD6 a1 | Help and Training LTA | Insufficient |
| | SA1 SB3 SC1 SD6 a2 | Research and Fact-Finding LTA | - |
| | SA1 SB3 SC1 SD6 a3 | Information Exchange LTA | - |
| Blue | SA1 SB3 SC1 SD6 a4 | Standards and Directives LTA | There |
| | SA1 SB3 SC1 SD6 a5 | Resources LTA | Not sufficient |
| Red | SA1 SB3 SC1 SD6 a5 b1 | Training LTA | Poor |
| Red | SA1 SB3 SC1 SD6 a5 b2 | Access to Expertise LTA | Poor |
| Red | SA1 SB3 SC1 SD6 a5 b3 | Access to Equipment & Materials LTA | Poor |
| | SA1 SB3 SC1 SD6 a5 b4 | Coordination of Resources LTA | Fair |
| Red | SA1 SB3 SC1 SD6 a6 | Deployment of Resources LTA | Poor |
| Red | SA1 SB3 SC1 SD6 a7 | Referred Risk Response LTA | Poor |
| Green | SA1 SB3 SC2 | Barriers LTA | Physical and non-physical |
| | SA1 SB3 SC2 a1 | On the Energy Source | |
| | SA1 SB3 SC2 a1 b1 | Barriers None Possible | - |
| | SA1 SB3 SC2 a1 b2 | Barrier Failed | Yes |
| | SA1 SB3 SC2 a1 b3 | Did not Use | - |
| | SA1 SB3 SC2 a1 b3 c1 | Did not Provide | - |
| Red | SA1 SB3 SC2 a1 b3 c2 | Task Performance Error | Yes |
| Red | SA1 SB3 SC2 a2 | Between energy source and target | Yes |
| Red | SA1 SB3 SC2 a3 | On Persons or Objects | Yes |
| Red | SA1 SB3 SC2 a4 | Separate Time and distance | No |
| Red | SA1 SB4 | Events and Energy Flows Leading to Accident/Incident | Man |
| Blue | SA1 SB4 SC3 | Barriers and Controls LTA | Some good others bad |
| Blue | SA1 SB4 SC4 | Energy Transfers | To functional and non-functional areas |
| Red | SA2 | Stabilization & Restoration LTA | None |
| Red | SA2 a1 | Prevention of Follow-up Accidents | Not done |
| Red | SA2 a1 b1 | Plan LTA | Poor |
| | SA2 a1 b2 | Execution of Plan LTA | - |
| | SA2 a1 b2 c1 | Notification LTA (Trigger) | - |
| Red | SA2 a1 b2 c2 | Training and Experience LTA | Poor |
| Green | SA2 a1 b2 c3 | Personnel and/or Equipment Changes | None |
| | SA2 a1 b2 c4 | Logistics LTA | - |
| | SA2 a1 b2 c5 | Task Performance Errors | Yes |
| Green | SA2 a1 b2 c6 | Response Delay | No |
| Red | SA2 a2 | Emergency Action (Firefighters, etc.) LTA | Poor |
| Red | SA2 a3 | Rescue and Salvage LTA | Not possible |
| | SA2 a4 | Medical Services LTA | Yes |
| | SA2 a5 | Dissemination of Information LTA | Poor |
| | SA2 a6 | Restoration and Rehabilitation LTA | Not possible |
| Red | SA2 a6 b3 | Operational Continuity LTA | None |
| | SA2 a6 b4 | Rehabilitation LTA | - |
| | SA2 a6 b5 | Restoration LTA | - |
| | SA2 a6 b6 | Absorb Loss | - |
| | M | Management System Factors LTA | - |
| Red | MA1 | Policy LTA | Poor |
| | MA2 | Implementation of Policy LTA | Poor |
| | MA2 a1 | Planning Process LTA | Poor |
| | MA2 a1 b1 | Specification of Plan LTA | - |
| Red | MA2 a1 b1 c1 | Methods, Criteria, Analyses LTA | Insufficient |
| Red | MA2 a1 b1 c2 | Specification of Responsibilities LTA | Poor |
| Blue | MA2 a1 b1 c2 d1 | Definition of Line-responsibility LTA | Yes |
| Green | MA2 a1 b1 c2 d2 | Staff Responsibility LTA | Yes |
| | MA2 a1 b1 c2 d3 | Task Assignment LTA | - |
| | MA2 a1 b1 c3 | Schedule LTA | - |
| Blue | MA2 a1 b1 c4 | Budgets LTA | Insufficient |
| | MA2 a1 b1 c5 | Communication Plan LTA | Poor |
| Blue | MA2 a1 b1 c5 d4 | Information Flow LTA | Poor |
| Blue | MA2 a1 b1 c5 d5 | Guidance and Directives LTA | Yes |
| Blue | MA2 a1 b2 | Use of Feedback LTA | Yes |
| Red | MA2 a2 | Execution of Policy Implementation Plan LTA | None |
| Red | MA2 a2 b3 | Leadership LTA | Poor |
| Red | MA2 a2 b4 | Capability LTA | Poor |
| Blue | MA2 a2 b4 c6 | Authority LTA | Questionable |
| Red | MA2 a2 b4 c7 | Accountability LTA | Poor |
| Red | MA2 a2 b4 c8 | Task Performance Errors | Yes |
| Red | MA2 a2 b5 | Practical Support LTA | Poor |
| Red | MA2 a2 b6 | Time and Budget LTA | Not enough |
| Red | MA2 a2 b7 | Delays | Some |
| Red | MA2 a2 b8 | Caused Failure | Yes |
| Red | MA2 a3 | Monitoring LTA | Poor |
| Red | MA3 | Risk Management System LTA | Ineffective |
| Red | MA3 MB1 | Risk Management Policy LTA | Yes |
| Red | MA3 MB2 | Implementation of Risk Management Policy LTA | Poor |
| Red | MA3 MB3 | Risk Analysis Process LTA | Poor |
| Red | MA3 MB3 a1 | Concepts and Requirements LTA | Not good |
| Red | MA3 MB3 a1 b1 | Technical Information System LTA | Poor |
| Red | MA3 MB3 a1 b2 | Definition of Goals and tolerance Risks LTA | None |
| Red | MA3 MB3 a1 b2 c1 | ES&H Goals and Risks not defined | No |
| Blue | MA3 MB3 a1 b2 c2 | Performance Goals and Risks not defined | No |
| Green | MA3 MB3 a1 b3 | Risk Analysis Criteria LTA | Yes |
| | MA3 MB3 a1 b3 c3 | Plan LTA | - |
| | MA3 MB3 a1 b3 c4 | Change Analysis LTA | - |
| | MA3 MB3 a1 b3 c5 | Other Analytical Methods LTA | - |
| | MA3 MB3 a1 b3 c6 | Scaling Mechanism LTA | - |
| | MA3 MB3 a1 b3 c7 | Required Alternatives LTA | - |
| | MA3 MB3 a1 b3 c8 | Solution Precedence Sequence LTA | - |
| | MA3 MB3 a1 b4 | Criteria for Procedures LTA | - |
| | MA3 MB3 a1 b5 | Specification of Requirements LTA | - |
| | MA3 MB3 a1 b3 c9 | Stakeholder/customer requirements | - |
| | MA3 MB3 a1 b3 c10 | Statutory codes and regulations | - |
| | MA3 MB3 a1 b3 c11 | Requirements of other National and International codes and standards | - |
| | MA3 MB3 a1 b3 c12 | Local Codes and Bylaws | - |
| | MA3 MB3 a1 b3 c13 | Internal Standards | - |
| | MA3 MB3 a1 b6 | Information Search LTA | - |
| Red | MA3 MB3 a1 b7 | Life Cycle Analysis LTA | Yes |
| | MA3 MB3 a1 b7 c14 | Scope LTA | Not wide |
| Red | MA3 MB3 a1 b7 c15 | Analysis of Environmental Impact LTA | Not comprehensive |
| | MA3 MB3 a1 b7 c16 | Requirement for Life Cycle Analysis LTA | No |
| Red | MA3 MB3 a1 b7 c17 | Extended Use Analysis LTA | No |
| Red | MA3 MB3 a2 | Design and Development LTA | No |
| Red | MA3 MB3 a2 b8 | Energy Control LTA | No |
| Red | MA3 MB3 a2 b8 c18 | Safer Energy | No |
| Green | MA3 MB3 a2 b8 c19 | Limitation of Energy LTA | Yes |
| Green | MA3 MB3 a2 b8 c20 | Automatic Controls LTA | Yes |
| Red | MA3 MB3 a2 b8 c21 | Warnings LTA | Poor |
| Green | MA3 MB3 a2 b8 c22 | Manual Controls LTA | Yes |
| Red | MA3 MB3 a2 b8 c23 | Safe Energy Release LTA | No |
| Red | MA3 MB3 a2 b8 c24 | Controls and Barriers LTA | Poor |
| | MA3 MB3 a2 b9 | Human Factors (Ergonomics) Review LTA | - |
| Red | MA3 MB3 a2 b9 c25 | Professional HF Skills LTA | No |
| Red | MA3 MB3 a2 b9 c26 | Task Analysis LTA | Poor |
| Red | MA3 MB3 a2 b9 c27 | Allocation Human/Machine Tasks LTA | Insufficient |
| | MA3 MB3 a2 b9 c28 | Did not Establish Human Task Requirements | - |
| | MA3 MB3 a2 b9 c28 d1 | Did not Define Users | - |
| | MA3 MB3 a2 b9 c28 d2 | Design of Displays LTA | - |
| | MA3 MB3 a2 b9 c28 d3 | Interpretation LTA | - |
| | MA3 MB3 a2 b9 c28 d4 | Design of Controls LTA | - |
| | MA3 MB3 a2 b9 c29 | Did not Predict Errors | - |
| | MA3 MB3 a2 b10 | Inspection Plan LTA | - |
| | MA3 MB3 a2 b11 | Maintenance Plan LTA | - |
| | MA3 MB3 a2 b12 | Arrangement LTA | - |
| | MA3 MB3 a2 b13 | Environment LTA | - |
| | MA3 MB3 a2 b14 | Specification of Operational Readiness LTA | - |
| | MA3 MB3 a2 b14 c30 | Test and Qualification LTA | - |
| | MA3 MB3 a2 b14 c31 | [Specification of] Supervision LTA | - |
| | MA3 MB3 a2 b14 c32 | Task Procedures LTA | - |
| | MA3 MB3 a2 b14 c32 d5 | Match to Hardware Change LTA | - |
| | MA3 MB3 a2 b14 c32 d6 | Match to Users LTA | - |
| | MA3 MB3 a2 b14 c32 d7 | Match to Task and Equipment LTA | - |
| | MA3 MB3 a2 b14 c32 d8 | Emergency Provisions LTA | - |
| | MA3 MB3 a2 b14 c32 d9 | Cautions and Warnings LTA | - |
| | MA3 MB3 a2 b14 c32 d10 | Task Sequence LTA | - |
| | MA3 MB3 a2 b14 c32 d11 | Lockouts LTA | - |
| | MA3 MB3 a2 b14 c32 d12 | Communications Interfaces LTA | - |
| | MA3 MB3 a2 b14 c32 d13 | Specification of Work Conditioning LTA | - |
| | MA3 MB3 a2 b14 c33 | Personnel Selection LTA | - |
| | MA3 MB3 a2 b14 c34 | Personnel Training and Qualification LTA | - |
| | MA3 MB3 a2 b14 c35 | Personnel Motivation LTA | - |
| | MA3 MB3 a2 b14 c36 | Monitor Points LTA | - |
| | MA3 MB3 a2 b15 | Emergency Shutdown Provision LTA | - |
| | MA3 MB3 a2 b16 | Contingency Planning LTA | - |
| | MA3 MB3 a2 b17 | Disposal Planning LTA | - |
| | MA3 MB3 a2 b18 | Independent Review | - |
| | MA3 MB3 a2 b19 | Configuration Control LTA | - |
| | MA3 MB3 a2 b20 | Documentation Control LTA | - |
| | MA3 MB3 a2 b21 | Fast Action Cycle LTA | - |
| | MA3 MB3 a2 b22 | Design Acceptance and Change Control Processes LTA | - |
| | MA3 MB3 a2 b22 c37 | Code Compliance Verification LTA | - |
| | MA3 MB3 a2 b22 c38 | Engineering Studies LTA | - |
| | MA3 MB3 a2 b22 c39 | Standardization of Parts LTA | - |
| | MA3 MB3 a2 b22 c40 | Design Description LTA | - |
| | MA3 MB3 a2 b22 c41 | Acceptance Criteria LTA | - |
| | MA3 MB3 a2 b22 c42 | Development and Qualification Testing LTA | - |
| | MA3 MB3 a2 b22 c43 | Change Review Procedure LTA | - |
| | MA3 MB3 a2 b22 c44 | Reliability and Quality Assurance LTA | - |
| | MA3 MB4 | Risk Management Assurance Programme LTA | - |
| | MA3 MB4 a1 | Definition of Aims and Policy LTA | - |
| | MA3 MB4 a2 | Programme Scope LTA | - |
| | MA3 MB4 a3 | Documentation LTA | - |
| | MA3 MB4 a4 | Assurance Programme Organization LTA | - |
| | MA3 MB4 a4 b1 | Risk Management Assurance Staff Performance LTA | - |
| | MA3 MB4 a4 b2 | Management Committees LTA | - |
| | MA3 MB4 a4 b3 | Organisation for Improvement LTA | - |
| | MA3 MB4 a5 | Assurance Programme Services LTA | - |
| Red | MA3 MB4 a6 | Activities LTA | No |
| Red | MA3 MB5 | Review of Risk Management System LTA | No |
