The notion that accidents just happen has been discredited by a wealth of evidence and theory. The current prevailing view is that accidents are caused, mainly as a result of the interplay between several elements and hierarchies inherent in sociological and technical systems, particularly in contemporary society, which is characterised by increased inter-connectedness, reliability and complex automation (Song and Ying, 2011; Oakley, 2003). There are accordingly several accident causation models, theories and associated accident investigation models (Katsakiori et al., 2009). Some of the most common theories include: the Multiple Causation Theory; the Epidemiological Model; the Haddon Matrix Model; Sequence of Events Theory (Oakley, 2003); Man-made Disasters; Normal Accident Theory; and High-Reliability Organisation Theory (Saleh et al., 2010).
The multiplicity of accident causation models and investigation techniques is indicative of two things: firstly, the criticality and centrality of safety to human systems and discourse (Song and Ying, 2011); secondly, the increasing appreciation of the utility of learning from disasters and accident events (Santos-Reyes and Beard, 2009) insofar as accident prevention and safety promotion are concerned (Saley and Pendley, 2012). Whilst the existence of multiple theoretical paradigms could be taken to suggest the prevalence of strong disagreements regarding the phenomenology of accidents and disasters, there are multiple points of convergence between the different theories regarding the initiating events of accidents, the diversity of agency, the groups and individuals who influence and/or contribute to accident causation and prevention, accident precursors and accident pathogens (Saley and Pendley, 2012). Moreover, there are context-specific differences (in regard to technology, organisation, systems and operational environment) in the nature, type and pattern of accident precursors, with some accidents mainly caused by failures, absence or inadequacies of human elements whilst others are caused by failures in technical and structural systems, among others (Antao and Soares, 2008).
According to Katsakiori et al. (2009), there has been a gradual evolution of accident causation theory, characterised by a movement of opinion and practice from the previously prevalent techniques and models focused on sequences of events to the now emerging representation of accident causation in terms of whole-system events. This shift has correspondingly moved accident investigation techniques from the investigation of a single immediate cause to a recognition of the influence of several causes. This study takes the latter format in the investigation of an explosion that occurred in the early hours of Sunday the 11th December 2005 at the oil storage and transfer depot in Buncefield, Hemel Hempstead (MIIB, 2008). The evaluation of the investigation approach and techniques employed subsequent to the major incident was effected through archival research of published reports and published literature, with the use of two specific accident investigation techniques: Barrier Analysis and Events and Causal Factors Analysis.
The overall objective of the investigation was three-pronged: 1) examination of what went wrong; 2) evaluation of informational deficiencies pertaining to the incident; 3) evaluation of the utility of systematic approaches to the investigation of accidents, especially in regard to their efficacy in helping organisations and individuals learn from disasters. In this respect, the following key parameters are considered:
What follows is a conceptual look into MORT, BA and ECFA for the purpose of providing justification for the choice of the accident investigation techniques chosen and the findings subsequent to the use of the techniques in respect to the Buncefield incident.
The Buncefield accident, a major petrochemical industry accident, occurred at the fifth largest oil storage and transportation site in the United Kingdom on the morning of 11th December 2005 (MIIB, 2008). The site of the incident, better described as a tank farm close to the M1 motorway in Hemel Hempstead, Hertfordshire, had three operating sites: one which was a joint venture between Total UK Ltd and Chevron Ltd, known as Hertfordshire Oil Storage Limited (HOSL); the second, also a joint venture, between BP Oil and Shell Oil, the British Pipeline Agency Ltd (BPA); and the third operated by BP Oil UK Ltd (HSE, 2014b).
According to the MIIB (2008), transportation of fuel to the site was effected through 3 different pipelines (Finaline; M/B pipeline; and T/K pipeline), all of which delivered fuel in batches to several storage tanks situated within a walled area, otherwise known as a bund. Just before 7 PM on Saturday the 10th December, a delivery of unleaded petrol into HOSL’s tank 912, located in bund A, was started (HSE, 2014b). The delivery process continued through the night into the morning, and just before 6 AM the 6 million litre capacity of tank 912 had long been exceeded (HSE, 2014b). As a result of the malfunctioning of designed safety systems in the said tank, petrol started to flow out of it, with estimates holding that up to 300 tonnes of petrol escaped from the tank (MIIB, 2008). Because of the prevailing environmental conditions at the site at the time, it is thought that 10 % of the escaped petrol turned into vapour, which on mixing with the cold air reached concentrations that were enough to make it flammable (HSE, 2014b; MIIB, 2008).
The petrol vapour cloud was of such proportions that it spread further than the boundaries of the tank farm to the nearby estate car park. Investigations by the HSE (2014b) assert that an alarm was subsequently raised by members of the public off the site and by tanker drivers, following which the fire alarm button was activated and the firewater pump started. Investigations further posit that the firewater pump provided the spark that ignited the vapour cloud, causing an explosion and a fire that spread to more than 20 oil storage tanks across the Buncefield tank farm (MIIB, 2008). The resulting inferno burned for 5 days and is reputed to have been the biggest peace-time fire incident in the United Kingdom. Although no fatalities were involved, more than 40 people were injured and considerable damage to property and surrounding businesses occurred (HSE, 2014b).
According to Martin and Walters (2001), there are three reasons for conducting an investigation subsequent to an accident: the determination of direct and indirect precursors of the accident; establishment of ways for prevention of recurrence of similar accidents; and documentation of facts of the incident for legal and regulatory purposes. Indeed, it is well established that there are safety management concerns and issues attached to every incident and accident, which is why investigation matters, especially in the context of the petrochemical industry, where there are serious social issues linked to accidents and major incidents (Cheng et al., 2013).
The understanding of the precursors to an accident or incident (including so called ‘near-misses’) is critical to safety, be it in organisational or societal settings, to which end several different methods and techniques have been developed to help the achievement of better safety management across the board (Doytchev and Szwillus, 2009).
There are a number of accident investigation techniques that can be used for the investigation of root causes to accidents including (See Oakley, 2003):
Lyons et al. (2004) identify up to 35 different accident investigation techniques, all of which are aimed at identifying errors and weaknesses inherent not only in work but also in the personnel who carry out the work. They are all aimed at two things: improving reliability and improving safety across all industries, sectors and organisations.
Besides their utility in helping organisations and individuals establish the anatomy of accidents and disasters and learn from such events, accident investigation techniques have grown in popularity and use in the legal and regulatory management of disasters, including the area of litigation, where they are increasingly helping judicial officers and litigants not only reconstruct accidents but also predict the outlook of an accident event (Vestrucci, 2013). This is particularly so in regard to the Fault Tree Analysis technique, where it is possible to predict the outlook of an accident’s undesirable event (also known as the Top Event) from analysis of external events, component failures and human errors (Vestrucci, 2013).
According to Kim and Yoon (2013), the multiple accident causation models that exist are founded on the notion that accidents have components. These components form what the literature conceptualises as the anatomy of an accident (Vestrucci, 2013), which, whilst different from one accident or near-miss context to another, broadly conforms to one cross-cutting characteristic: it almost always includes not only human failures but also technical failures and external intrusions (Kim and Yoon, 2013). Indeed, in virtually all accident and near-miss events human failures have some influence, which explains the growing recognition and popularity of the notion that there is no such thing as an “act of God”, because even in situations and circumstances like natural disasters there is a significant influence of anthropological factors and/or human failures, represented in the form of lack of cognition, oversight and mistakes, let alone the limitations in human capacity to comprehensively understand the workings of the systems that comprise social settings (Borodcizc, 2005).
Evidence, albeit varying, shows that in respect to major accidents that occurred in the United States and the European Union, maintenance issues were linked to nearly half of all the major accidents in general, with lack of barrier maintenance accounting for 50 % of accidents, but also with significant influence of deficient design, organisation and resource management, as well as deficient planning, scheduling and fault diagnosis (Okoh and Haugen, 2014). Moreover, as argued by Kim and Yoon (2013), the components of systems, and the components of accidents for that matter, have interesting interactions, with the various modes of interaction having implications for safety and accident prevention or the mitigation of the number and frequency of accidents.
Accident investigation techniques, whilst numerous as highlighted by Vestrucci (2013), can be grouped into a number of broad categories based on the theoretical paradigms on which they are based. According to Kontogiannis (2012), most of the widely used accident investigation techniques take a systems outlook, where emphasis is given to the so-called organisational archetypes (organisational dynamics) that lead not only to the erosion of preventive barriers but also to a movement away from safe processes and safe margins. The viable system model that is built on systems theory, for instance, conceptualises organisational processes and human factors in accident causation and investigation (Kontogiannis, 2012).
Other investigation techniques are designed for specific identification of a particular set of accident components, as represented by human error identification techniques such as the human factors analysis and classification technique (Baysari, 2009). According to Lyons et al. (2004), categorisation of accident investigation techniques is based on the purpose for which they are designed and the principal outlook of accident analysis they conform to. Evidence suggests there are up to 5 broad categories, with those techniques that are descriptive and data gathering in nature feeding into more sophisticated ones. The categories include: data collection techniques, whose main scope includes collection of information on tasks, goals, incidents and the like; task description techniques that use data collected by data collection techniques; techniques that are aimed at simulation of the accident or incident; human error identification and error analysis techniques; and human error quantification techniques (Lyons et al., 2004). The two techniques that will be used to evaluate the incident at Buncefield tank farm belong to the fourth category, the error identification and error analysis group of accident investigation techniques. They are all based on a systems theory conceptualisation of accidents.
For the purpose of this study, and because of its utility for the investigation of accidents in contexts such as that at Buncefield tank farm, the MORT technique and two other closely linked techniques (BA and ECFA) were employed. The following section briefly explains what they are.
According to the NRI (2009), the MORT technique encompasses a number of structured, logical and systemic accident investigation techniques that include the Barrier Analysis technique (TRAC, 1995a) and the Events and Causal Factors Analysis technique (TRAC, 1995b). The MORT framework is by design aimed at ensuring there is no oversight in the identification of causal factors (precursors) to accidents in organisations, and is represented in the form of a chart that enables the identification of specific factors linked to an accident as well as the identification of failures in management that allow accident precursors not only to emerge, but also to incubate and exist within organisations (USDoE, 1992).
According to Reyes-Santos et al. (2010), the MORT technique is essentially a structured checklist represented in the form of a so-called fault tree, whose purpose is the investigation of all aspects of organisational management for potential causes of an accident. The MORT technique has accordingly been conceptualised as a particularly effective approach for the identification of root causes of organisational accidents (Ferjencik and Kuracina, 2008). As argued by Oakley (2003), the technique is founded on a number of accident causation theories, all of which posit the influence of organisational processes, systems, activities and cultures in accident causation, either because of the ineffectiveness of these or the lack thereof. The complexity inherent in organisational structures, systems, processes and technology is also such that organisations usually have some influence on accident root causes, either because the context provides precursors or because it allows faults and problems to incubate and develop to the extent that a trigger event subsequently causes the collapse of the entire system or even the organisation.
The purpose of MORT is three-fold: the identification of safety-related oversights, errors and omissions that are precursors to an incident or accident occurring (Ericsson, 2005). The design and operation of the technique lead most observers to describe it as mainly reactive, but it also has proven utility as a proactive evaluation technique and as a tool for the control of hazards, mainly because of its functionality in tracing and identifying all causal factors to an accident (Ericsson, 2005).
Barrier Analysis and Events and Causal Factors Analysis
As conceptualised by the NRI (2009), MORT is a stand-alone systematic technique, but it also includes accident investigation techniques that have subsequently been developed to investigate root causes in specific organisational processes and systems. Two of the main accident investigation techniques that are linked to MORT, according to TRAC (1995a; 1995b), are barrier analysis and the Events and Causal Factors Analysis technique. The former investigates root causes inherent in the flow of energy between multiple phases and objects that are typical of an organisation, whilst the latter takes this process a little further by investigating the logical sequence of events and root causes through highlighting the relationship between events as well as the relationship between events and causal factors (TRAC, 1995b). The Barrier Analysis accident investigation technique is founded on the notion that there are a number of controls and devices for the protection of not only people but also equipment and the environment, and that they mainly take three forms: physical barriers that would have to be breached before an accident occurs; managerial barriers that encompass the organisation of processes, the supervision of tasks and in-built controls such as policies, procedures and methods of communication, among other things; and cognitive barriers that include customs and the like (IET, 2012).
The ECFA is at times conceptualised as a technique that charts the course of the movement of energy from one organisational object to another, a process that involves the breaching of barriers between the different components in an organisation (TRAC, 1995b). It is therefore quite common for ECFA to be used in tandem with the barrier analysis technique, specifically for the analysis of energy precursors and the movement of unwanted energy that is linked to accident causation from one component to another (TRAC, 1995a). However, ECFA still has utility as a stand-alone investigation technique in contexts where specific causal relationships need to be investigated and charted, especially in accidents that occur in highly complex organisations or in systems and processes that involve advanced automation and interconnectivity.
There are a number of reasons that inform research undertakings: some studies are conceptualised for the purpose of improving social understanding of phenomena and issues, how they come about and why they are the way they are, whilst other studies are designed for the purpose of finding answers to specific questions. The former describes what is classified as pure research, while the latter denotes what is classed as applied research. This study belongs to the applied research group of studies, mainly because it sought to find reasons as to why an explosion occurred at Buncefield tank farm.
According to Krauss (2005), most research is value-laden, which explains the importance of an investigator not only acknowledging their standpoints and biases but, more importantly, taking steps to ensure they are minimised so that the quality and validity of their study are not compromised. To that end, it is critical for the philosophical foundation/ontology (research paradigm) as well as the epistemological foundation and the methodology of a research study to be clearly defined and justified (Krauss, 2005). Ontology and epistemology are very closely linked.
Most if not all research is undertaken from either of two ontological/epistemological frameworks, the objectivist school of thought (also known as positivist research paradigm) and the subjectivist school of thought (also conceptualised as the constructivist paradigm) (Cousins, 2002). The former paradigm denotes inquiry that is designed in such a way that the study is independent of the researcher and knowledge created by direct observation and verification of phenomena whilst the latter paradigm approaches knowledge creation from a standpoint that holds that subjective meanings to social phenomena exist and there is close interaction between the researcher and the study object(s) albeit the level and nature of the interaction is managed in such a way that the researcher’s values, ethics and philosophies do not distort the reality being observed (Cousins, 2002).
This study was accordingly designed on the principles and philosophical standpoints that fall under the constructivist school of thought, as the researcher approached it from the perspective that, whilst accidents and disasters are real, they are a construct of subjective meanings attached to various factors. Moreover, the existence of multiple subjective standpoints not only influences the understanding of the phenomenon of accidents but indeed plays a part in either providing precursors to it or triggering the event.
According to Krauss (2005), there are two main epistemological foundations to research, quantitative methodology and qualitative methodology with the distinction between the two paradigms mainly philosophical in scope rather than methodological. Literature posits a choice of either method (methodology) is moderated by the ontological assumptions taken by or held by a researcher mainly due to the influence of underlying belief system of a researcher (Dobson, 2002). Whilst there are some major differences between the quantitative and qualitative paradigms in research, not least as evidenced by the different assumptions held by either school of thought insofar as conceptualisation of reality and how knowledge is created, the two schools are not mutually exclusive (Krauss, 2005). Indeed a so called ‘third’ methodological paradigm dubbed ‘mixed methods’ research has emerged and is gaining utility especially in organisational research. Because of the ontological and epistemological standpoints taken by the research as well as its fit with the research objectives, this investigation was conducted based on the qualitative methodological standpoint.
Aside from its fit with the philosophical assumptions and research objectives, a number of advantages inherent in qualitative research, especially in the conceptualisation of socially linked phenomena like organisational accidents, informed the choice of qualitative research methodology. They included: its permitting of the investigation of multiple realities to a phenomenon; its utility in the description of complex phenomena such as accidents; its permitting of detailed description of phenomena; and its effectiveness in studies where sequential patterns and change need to be documented and explored (South Alabama, 2014).
However, whilst the above advantages strengthen the quality of the research insofar as validity and reliability are concerned, acknowledgement is made of the existence of a number of inherent weaknesses in qualitative methodology that may limit the quality of this study. They include: the difficulties it poses to hypothesis testing; its hindering of prediction or forecasting of results; its being a time-consuming methodology, especially in regard to data analysis; and the potential for the personal biases and values of the researcher to influence the observation and understanding of the phenomenon under investigation (South Alabama, 2014). To counter the impact of methodological weaknesses on the result of the investigation, all potential limitations encountered during the study will be laid out, with acknowledgement of the modes through which they could impact the results of this investigation.
There are multiple methods through which an inquiry can be executed in each of the two methodological paradigms. Some of the most popular methods in qualitative organisational research include interviews, self-administered questionnaires, focus group meetings and case studies, among others (De Massis and Kotlar, 2014). There is also growing use of archival analysis in qualitative research, especially because of its effectiveness in the use of primary source materials as well as multiple databases and informational repositories, but also because it is effective in grounding research in a particular historical context and allows a research project to explore new directions based on the findings discovered during the analysis of archives.
Given the objectives of this research study, more so as pertains to the investigation of an accident that occurred a couple of years ago but also in regard to the results of the first investigation providing a basis and direction for the next study, the archival research method was chosen as the technique for analysis of information. Indeed, justification for the fit of the chosen technique to the study is further provided by the fact that archival analysis permits the use of as many databases and informational sources as possible for the framing of a study.
In archival analysis research it is critical that sources of information are identified, especially the initial ones, because the availability of multiple sources of information can lead to a situation where the investigation is hampered not only by contrasting information contained in different informational sources but also by the sheer volume of information available, more so on phenomena like major accidents in contemporary society. Accordingly, the following sources were identified as the main information sources for analysis:
Even though the delineation of the epistemological and ontological assumptions taken by the researcher in the framing, planning and execution of the study goes some way in addressing some of the limitations to this study’s quality in regard to reliability and validity, there are still a number of limitations that may affect not only the results of this investigation but also the transferability of the findings to the next project and indeed other contexts. They include the following:
Barrier analysis is used to recognise hazards/dangers associated with accidents and the ‘barriers’ that must have been in place to avert hazards from occurring. Booth (2011) defines barriers as a means used to control, prevent, or hinder the hazard from reaching the target. Therefore, the barrier analysis needs to examine;
Broadly categorised, barriers are divided into two types: physical and management barriers. Physical barriers include anything ranging from warning devices, guard rails, and safety devices to equipment and engineering design. Management barriers, on the other hand, include hazard analysis, training/supervision, work planning/procedures, and line management oversight. Many safety professionals and accident investigators divide the types of barriers using an alternative method: ‘hard’ (engineered) barriers and ‘soft’ (administrative) barriers (Booth, 2011).
Basic steps of a barrier analysis include;
Using the basic barrier analysis as outlined above, the hazards present at the Buncefield oil storage depot are analysed to indicate the hazards, target, and barriers that were present. The barriers analysed are categorised in Table 1 below. However, any barrier that would have averted the accident from occurring needs to be incorporated into a barrier analysis.
Table 1- Barrier Categories (Booth, 2011)
Barriers that failed
Booth (2011) defines these as barriers that were in place and operational at the time of the accident but failed to stop the accident from occurring.
Barriers that were not used
Krauss (2005) defines this as the barrier being available, but employees/staff/workers chose not to use it.
Barriers that did not exist
Krauss (2005) defines these as barriers that were non-existent at the time the accident occurred.
Table 2- Barriers Analysis for Buncefield Oil Storage Depot Incident
Barriers Analysed for Buncefield Oil Storage Depot Incident
Barriers that failed:
1. Tank 912 was fitted with a new high-level switch designed, manufactured, and supplied by TAV Engineering Ltd, an independent company. Workers at the Buncefield facility did not fully comprehend the way the switch worked.
2. Failure of ATG system
3. Emergency shutdown button that is used to shut down all tank side valves was not working.
Barriers that were not used:
1. Failure of supervisors to definitively fix the servo-gauge ‘sticking’ problem, relying instead only on the method of ‘stowing’, which is to raise the gauge to its highest position and then let it settle again.
2. Tanks were not being emptied at the loading bays, as there had been an increase in the throughput or amount of petrol product incoming to the depot. There was a drastic increase in the number of tanker workers and contractors on the site of the depot, which was increasing the workload of the supervisors. As a result there was increased pressure on ullage space, with certain batches of product being diverted between the tanks on the site to keep them from filling to their maximum.
3. There were defects with the shift handover process and coinciding screens on the ATG system, causing supervisors to become confused as to which pipeline was filling which tank.
Barriers that did not exist:
1. Failure to have an effective fault logging process and lack of a maintenance regime, considered root managerial and organisational failures.
2. No proactive facility on the Buncefield site to close down UKOP incoming pipelines and the emergency shutdown button was not fitted into the system.
3. Buncefield did not have a containment plan in place for secondary and tertiary containment. The containment systems of the site were limited to the site’s drainage systems, which were designed for withstanding heavy rainfall, minor spills, and loss of products but were not designed to withstand large-scale releases from bunds, which is what occurred.
Based on the research conducted by Shahrikhi and Bernard (2010), the barrier analysis technique can also be used for the assessment of energy flows as the cause of an accident, with barriers existing as either energy barriers or target barriers. TRAC (1995a) has reiterated that accidents may occur when energy begins to flow in quantities that exceed the built-in resistance limits of structures, or when the energy flow interferes with the normal exchange of energy between the components of a system.
To summarise, the Buncefield incident reveals that preconditions existed that allowed the accident to occur within the specific site. The site had particular types of energy that were known to cause injury and damage, in addition to multiple carriers of energy. Based on the analysis, the following factors are considered to be the underlying causes of energy flow accidents;
There was an unwanted flow of petrol from the storage tank to a number of environmental spheres, including the immediate area surrounding tank 912 and the atmosphere, in the form of a vapour cloud that spread across and beyond various barriers at the site to the parking lot of the business adjacent to the tank farm. Figure 1 below illustrates the flow of unwanted energy before the accident occurred.
Figure 1- Flow of unwanted energy before Buncefield Accident
As assessed in Table 2 there were several barriers that were present within the Buncefield oil storage facility prior to the occurrence of the accident, during and after the incident. The main barriers are;
Based on the investigations concerning barriers, an analysis worksheet is composed to highlight the hazards in association with their targets for each of the barriers identified as a root cause of the Buncefield incident.
Hazard: Automatic Tank Gauging (ATG) System
Target: Tank 912
What were the barriers? Technical fault in ATG
How did each barrier perform? Sept. 11, 2005: the ATG, which measured the rising level of fuel and displayed this information, stopped registering the rising level of fuel in the tank.
Why did the barrier fail? The servo-gauge was stuck.
How did the barrier affect the accident? Tank 912 continued to fill even above its limit.
Alarms were unable to go off as tank reading was below each of the alarm levels.
ATG stopped registering the level of fuel in the tank; supervisors worked in accordance with alarms and so were not alert to the tank overflowing.
Level of petrol continuously rose unchecked.
Hazard: Independent high-level switch (IHLS)
Target: Tank 912
What were the barriers? Independent company’s designs
How did each barrier perform? IHLS failed to register the increasing level of petrol.
Why did the barrier fail? Design of the switch was faulty (see Figure 3).
How did the barrier affect the accident? Final alarm did not sound and automatic shutdown was not activated, so by 5:37 the level of petrol in the tank exceeded maximum capacity and petrol spilled out of vents in the tank’s roof.
Hazard: Incoming fuel
Target: Tank 912

| What were the barriers? | How did each barrier perform? | Why did the barrier fail? | How did the barrier affect the accident? |
| --- | --- | --- | --- |
| Methods of controlling receipt of fuel batches from pipelines | Supervisors inadequately planned and controlled the management of incoming fuel | UKOP pipelines were given more preference over Finaline for fear of the depot sustaining a financial penalty if UKOP lines were slowed from delivering product. | Increased flow rates incoming from UKOP pipeline, with a flow rate of 900 m³/hr shortly before explosion, changing from its previous rate of 500 m³/hr. |
| Increase in throughput | Terminal’s operations increased, quadrupling throughput of product. Increase in number of tanker drivers and contractors on site, resulting in negative impact on workload of supervisors. | Increased pressure on ullage space, with batches of petrol being averted between tanks, causing supervisors to be confused as to which pipeline was filling which tank. Hefty consignments of unleaded fuel were being received by both Finaline and UKOP South line. | Increased pressure on storage capacity of incoming fuel, giving way to greater chance of tanks overflowing. |
Target: Buncefield Facility & Subsequent Explosion
What were the barriers?
How did each barrier perform?
Why did the barrier fail?
How did the barrier affect the accident?
During implosion of fire, the sealant and other joint materials became badly damaged allowing some joints to leak fuel, foam, and firewater onto the site’s roadways.
Three bunds did not contain water stops
Fire damage on to joints of bunds allowed fuel, foam, and firewater to leak making them compromised and unable to resist the impact of the fire.
Bunds had pipes penetrating through the walls and floors
Since pipes were going through the bunds, the bunds could not retain the liquids.
Catastrophic failure of walls at pipe penetration; product pipes leading to tanks ruptured and leaked causing escape of fuel to pipes that were in unbunded areas. There was also loss of seal between pipes and walls.
The following illustrations represent the sequence of events that led to the HOSL explosions and fires, using the identified barriers that led to the accident occurring. Each event is broken down to highlight the barriers that influenced the event. Later in the study these barriers will be associated with the conditions that caused the events to take place, gradually leading up to the overall accident.
The following structure was used to identify the barrier sequence, as adapted from (SOURCE):
Occurrence: Name of Event
Figure 2- Barrier Analysis through sequence of events; Occurrence: Buncefield Incidence
According to Shahrokhi and Bernard (2010), the barrier analysis technique uses energy flow to investigate the causal factors of accidents, which are posited to exist in either of two parts: energy barriers and target barriers. An accident, according to this technique, is conceptualised as the impact of a hazard agent on a target, mainly due to a failure not only of controls but, crucially, of the protective barriers in a system or setting (Shahrokhi and Bernard, 2010). The technique, according to Oakley (2003), is founded on the Haddon Matrix theory, which posits the existence of three unique phases to an accident: the pre-injury phase, the injury phase and the post-injury phase. According to the Haddon Matrix theory, the interaction between different components of a system or organisation often involves energy flows across so-called barriers. Failures of either the energy barriers or the target barriers (Shahrokhi and Bernard, 2010) culminate in the flow of unwanted energy from one phase or component to the other, ultimately leading to an accident or incident (TRAC, 1995a). It is further argued that in each of the three phases, three factors influence the dynamics of the event once there has been a flow of unwanted energy from one to the other: equipment factors, human factors and environmental factors (Oakley, 2003).
According to TRAC (1995a), the energy flow dynamics involved in all societal processes and systems, especially in regard to pathways, amounts and rates, have the capacity to damage objects and systems, degrade processes and injure people. The barrier technique posits that there are different forms of energy with the potential to cause injury and damage to different entities, including kinetic, chemical, biological, thermal and electrical energy, as well as ionising and non-ionising radiation (TRAC, 1995a). In the view of the proponents of the energy flow school of thought of accident causation, accidents occur either when energy flows in quantities beyond the in-built resistance of the structures it invades or when there is interference in the so-called normal exchange of energy between the components of a system (TRAC, 1995a).
Literature posits the flow of unwanted energy prior to an accident can either be: to non-functional (components and parts that lie outside of the system) or to functional parts of the system, a1 and a2 respectively (TRAC, 1995a). All evidence points to the flow of energy at the Buncefield site being to both functional and non-functional parts of the system. The former inherent in the flow of energy (in this case petrol) from the pipeline to the storage tank and from the tank to the ground and immediate vicinity of bund A at the site, and the latter inherent in the flow of the vapour cloud beyond the perimeter of bund A to the estate adjacent to the site. The figure below depicts the flow of unwanted energy to both the functional and non-functional parts of the system at Buncefield:
Figure 2b- flow of unwanted energy
A1 Flow of potentially unwanted energy to non-functional components of the system B1, B2
As far as the flow of unwanted energy to the non-functional components of the site and its surroundings is concerned, all evidence points to the absence of adequate control of the unwanted energy flow. Granted, control of the environmental conditions prior to the accident was beyond the scope of the company running the site, as it could not do much about the cold air and its current of flow. There were nonetheless a couple of failings in environmental barriers, as well as in other material barriers, that could have helped lessen the movement of the vapour cloud from the spill-over tank to other areas within and outside the tank farm. That is notwithstanding the lack of evidence regarding the dynamics of the movement of the vapour cloud, as has been identified by both the Major Incident Investigation Board and the Health and Safety Executive (see MIIB, 2008; HSE, 2014).
One of the major failings in environmental and material barriers at the site of the accident was the lack of enough trees around the perimeter of the tank farm. Trees are known to moderate the flow of air currents from one place to another. At the site of the accident there were only a few trees to the west of bund A, where the vapour originated, even fewer at the northern part of the site, and no physical barriers in the form of trees on the southern edge of the site. That being so, it is not abundantly clear what utility air-current breaks in the form of trees would have served in preventing the movement of the vapour cloud from the point of overflow. Moreover, there are still a number of informational gaps regarding the exact dynamics of the movement of the vapour cloud, as the characteristics it exhibited at the site are not typical of what current models posit they should be. To that end, the control of the flow of unwanted energy to and from the non-functional components of the site can be judged to have been impracticable, in which case the risk should have been identified, assessed and managed.
However, there is no evidence to show that the safety analysis had taken into consideration the likelihood of vapour cloud movement as occurred during the accident. Conversely, as far as the flow of unwanted energy to the non-functional components of the system at Buncefield is concerned, there is also a case to be made regarding the potential for control of that flow, with evidence pointing to a number of areas where control would have been practicable. Clearly, it was possible for the flow of energy to the ground to be controlled, either through the design of a more robust storage tank or through the maintenance of the gauging system and shut-off mechanism. Across all the areas where the control of unwanted energy flow was practicable, evidence shows that the controls were far from adequate, with examples ranging from the failure of supervisory mechanisms to pick up mistakes, to faulty installation, to the absence of capacity for immediate shut-off of the flow of energy. There should have been a patrol by operational staff to the tank where pumping was taking place, especially after pumping had gone on for many hours.
A2 Flow of unwanted energy to functional components of the system
B3, B4 Administrative controls and processes for the diversion of energy
The evidence, however, supports the observation that the flow of unwanted energy to functional parts/components at the site was the precursor and root cause of the accident at Buncefield. The following were identified as some of the deficiencies and defects in administrative systems at HOSL in the time leading up to and during the accident:
C1 Diversion of harmful energy flows or environmental conditions
Whilst there were processes and equipment in place for the purpose of ensuring the diversion of potentially harmful energy flow in the event of failure in kinetic energy flow barrier in the form of a gauge for the monitoring of the filling operation and an independent high-level switch whose purpose was to automatically trigger the shut-down of operations in the event of overfilling, the following failures were observed to have played a key part in the accident:
All indications point to the diversion of the energy having been practicable, including the existence of a number of technologies tailored for the purpose. Indeed, one such technology had been installed at the site for the purpose of diverting overflow. However, the installed capacity of the diversion mechanism was woefully inadequate; in addition, there is no evidence of management having considered the potential for an overflow of the size and scope that happened subsequent to the breach of control mechanisms.
Environmental conditions on site and in surrounding areas in the time leading up to, during and after the accident either acted as influencing and exacerbating factors or did not help the control and containment of the energy flow. Both the MIIB (2008) and the Competent Authority for the Control of Major Accident Hazards assert that the cold temperature as well as the still air at the site played a part in the accident: the former by causing or enabling the formation of a vapour cloud that most likely included ice crystals, and the latter by hampering the rapid movement of the vapour cloud away from the site. Conversely, it could be argued that, by not carrying the vapour cloud rapidly away from the overflow site, the air currents played a part in lessening the eventual scope and size of the blaze, in that the vapour cloud did not spread to an area wider or longer than 360 metres from the point of overflow.
Barriers and Controls
According to TRAC (1995a), energy flow barriers in operating systems can be classified into two broad categories: control barriers and safety barriers. The following were some of the control barriers that were available at the site at the time of the accident, all of which were deficient, as evidenced by the failures to contain, flag up or control the dynamics involved in causing and exacerbating the explosion. In keeping with the known scope of energy flow barriers, they spanned both human factors and processes and technical factors and processes:
The scope of safety barriers against unwanted energy flow observed at the site shows some similarity with the control barriers: some were technical and physical, whilst others were skill-based in outlook. Much as with the control barriers, there were a number of observed inadequacies and deficiencies in the safety control barriers, with the result that they failed to contain, control and minimise the hazards inherent in the accident. They included:
The size and proximity of the site to a number of developments meant the scope and types of people and objects that were vulnerable to the accident was wide and varied. Some of the key categories of people, objects and properties that were vulnerable to the effects of the accident included the following:
Under the category of functional people and objects that were targets were the following:
Under the category of non-functional targets of the accident were the following:
Whereas any accident can be stripped back to a particular trigger event, there are usually several multi-faceted and highly complicated factors involved in an accident, which explains why many accident causation models assert the existence of a series of often interrelated factors otherwise called root causes, as well as other underlying factors and conditions that contribute to or influence the dynamics of the accident (See USDoE, 1992; HSE, 2001; NR1, 2008; Santos-Reyes and Beard, 2009; Gerbec, 2013; Mannering and Bhat, 2014).
According to TRAC (1995a), identification of the energy precursors and conditions to an accident needs to be done using another accident investigation technique, the Events and Causal Factors Analysis technique (see TRAC, 1995b). Accidents as conceptualised by TRAC (1995b) involve primary events, secondary events, contributing factors and systemic factors. The following sections outline the findings of the analysis of the accident at Buncefield using the Events and Causal Factors technique.
But first, the hazards and their associated barriers, defences and controls existing at the site at the time of the incident are summarised below:
Pumping and storage of oil at Buncefield Tank Farm
Suggestions for improvement
Additional Barriers needed?
Volatile/highly flammable petrol
Supervision of delivery
-Separation of components in space and time
Strengthening of physical barriers
Review and redesign of administrative, operational and organisational barriers
-Limit energy flow
-Reduce system design and operating pressure
-Use double walled tanks
-Deploy look outs during pumping
Equipment and machinery on site
-Safety related barriers including location, movement patterns, maintenance, systems and processes
-Control barriers including testing
Review the spatial separation between movable equipment and machinery and the oil storage tanks
-Develop and operate explosive quantity distance rules
-House all electronic equipment
Risk management system
Early warning devices
External auditing of work processes
Fire control mechanisms, systems and processes
Shift working pattern
Incorporate robust and responsive risk management framework
Institute arrangements to review findings of external auditors
Risk management framework
Supervision and administrative arrangements
Improving forecasting and response to sudden change in environmental factors
Strengthen all potential targets
Modify the rate of release of energy
Investigate dynamics of vapour cloud formation and design appropriate safeguards where possible
Design and layout of site
Poor management control
Errors and violations of procedures and conditions
Personal errors and violations
Incorporation of procedures to avoid and limit latent failure pathways of management control and individual errors
Whole system needs looking into
Workplace errors including inadequate processes and procedures, a poor safety culture, violations of protocol
Incident report systems
Procedure for work
Design and layout
Hire new managers
Introduce penalties for failures
Encourage blameless reporting
Personal and team inadequacies (skills, experience, expertise, risk culture/attitude)
Bring in new employees
Strengthen reporting and communication framework
Weak internal and external audit and oversight
Legal, legislative and corporate governance frameworks
Need stringent application for COMAH sites
It is not possible in the limited scope of this thesis to provide a fully detailed and comprehensive analysis of the Buncefield accident using the MORT event tree. The actual event tree working model can be detailed on a single chart that may measure up to 30 in x 24 in, without any instructions attached to it. Reproducing an entire event tree would therefore require several pages, making it impractical in the current study (Benner, 1975). MORT event tree analysis also requires special training to comprehend and execute, which is likewise beyond the scope of the current study and the researcher. Given the complexity and overwhelming nature of the full MORT event tree, the current study therefore uses a simplified version, comprising Mini-MORT and the top branches of the MORT analytical event tree, to define the risk factors and simplify the analysis. Figure (4) illustrates the top branches of the MORT analytical event tree.
During accident investigation, the MORT analysis is started right as the accident or incident begins. The MORT process then moves from what is known, which is the event of the accident, to the unknown, primarily the causal factors. This is done through a very complex, precise and extremely diligent process of elimination. For the Buncefield incident, which occurred on December 11, 2005, the events have been recorded, investigated and re-investigated. Through analysis of the reports, the top event was isolated and given the highest priority. According to Figure (4), the top event, which consists of injuries, damages and performance losses, is identified and assigned its position in the rectangle at the top of the event tree.
Thus, Figure (4) reveals the top event to be the Buncefield incident, which injured 43 people, severely injured 2 people, and caused damage to the site’s property and surrounding properties. The Buncefield incident can be linked to various oversights and omissions by the employees and supervisors on the site. According to the British Geological Survey (2005), the explosion that took place at 6:01 UTC near Tank 912 was caused by a “fuel-air explosion” of unusually high strength. However, the underlying cause of the explosion and subsequent fire is seen to be inaccuracy of workers on the site. The immediate causal factor that contributed to the accident was the major failure of both the ATG and the IHLS, which monitored the fuel level in Tank 912. There were many flaws in the overall management of operations at the site, which is considered a ‘high-hazard’ site, and these led to the failures defined in Table 2.
At approximately 0600 hours on December 11, 2005, pipelines within the oil depot site were transporting the following petroleum products into HOSL (as cited in HSE, 2006):
Based on the investigation conducted, it is evident that Tank 912 was being filled with unleaded petrol at a flow rate much higher than that of the other products, indicating that Tank 912 was overfilling with the petrol product. To understand how fuel escaped to form a vapour cloud, it is essential to understand the controls and instruments fitted to the tank and their functions.
The figure below illustrates the basic layout of Tank 912, which is considered the main origin of the accident. Based on the image, it is evident that Tank 912 is a floating deck tank with a fixed roof and an internal deck that floats on the fuel, reducing the emission of vapour from the fuel surface.
Figure 3- Layout of Tank 912 (Source; HSE 2006)
As discussed extensively in this study, Tank 912 was fitted with various instruments that measured and monitored the temperature and level of product in the tank. All instruments were connected to the automatic tank gauging system, through which tank levels were displayed in the control room. It was the responsibility of the servo-gauge to measure the level of product. The tank was also fitted with an independent safety switch that gave the operator a visual and audible alarm in the control room if the tank’s product reached a specific maximum level, considered to be an “ultimate high level”. The alarm also initiated a trip function that closed the valves on specific incoming pipelines. The high-level safety switch on the tank was intended to sense when the product reached the maximum level even if all other alarms in the system had failed. The main purpose of this instrument was to provide an alarm to operators in the control room and begin an automatic lockdown of delivery if the maximum level of the product was reached. By design, the switch was supposed to alert the control room operator through a flashing lamp, one of which was provided for each tank on the site, together with a buzzer that provided sound. Furthermore, the maximum level safety alarm also signalled any overflowing of tanks within the HOSL site to the computer controls and instruments related to the Finaline and UKOP pipelines.
Due to error-logging failures and management issues within HOSL, it is evident that the controls had not been working properly. According to HSE (2006), records from the ATG system showed that Tank 912 was two-thirds full and remained this way until 0300 hours. At the time of the incident, automatic shutdown had not taken place. HSE (2006) reports that, based on the valve position in the ATG database, the inlet valve to Tank 912 was connected to UKOP petrol, leading to the conclusion that Tank 912 was still filling even after 0300 hours.
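The condition described above, a gauged level that stays flat while the inlet valve is logged as open to a pipeline, can be checked independently of the level alarm thresholds. The Python below is an added example, not code from HOSL, the ATG supplier or the HSE reports; the tank cross-section, alarm setpoint, window sizes and sample log are constructed, and only the 500 and 900 m³/hr flow rates come from this page.

```python
"""Added illustration: flat-gauge plausibility check for a tank being filled."""
from dataclasses import dataclass
from typing import List, Optional

AREA_M2 = 500.0      # constructed tank cross-section, not a figure from the page
HIGH_LEVEL_M = 12.0  # constructed high-level alarm setpoint


@dataclass(frozen=True)
class Sample:
    minute: int            # minutes since monitoring started
    level_m: float         # level reported by the gauge
    inlet_open: bool       # logged inlet valve position
    flow_m3_per_hr: float  # average inflow since the previous sample


@dataclass(frozen=True)
class Finding:
    minute: int            # sample at which the check fired
    window_start: int      # start of the window, used as the last trusted reading
    expected_rise_m: float
    observed_rise_m: float


def expected_rise_m(window: List[Sample], area_m2: float) -> float:
    """Level rise implied by the logged inflow across the window."""
    volume = sum(cur.flow_m3_per_hr * (cur.minute - prev.minute) / 60.0
                 for prev, cur in zip(window, window[1:]))
    return volume / area_m2


def first_threshold_alarm(samples: List[Sample], high_level_m: float) -> Optional[int]:
    """Minute at which a plain level-threshold alarm fires, or None if it never does."""
    return next((s.minute for s in samples if s.level_m >= high_level_m), None)


def detect_stuck_gauge(samples: List[Sample], area_m2: float, window_min: int = 15,
                       min_expected_m: float = 0.05,
                       min_fraction: float = 0.25) -> List[Finding]:
    """Flag samples where inflow implies a level rise that the gauge did not show."""
    findings = []
    for i, cur in enumerate(samples):
        j = i
        while j > 0 and cur.minute - samples[j].minute < window_min:
            j -= 1
        if cur.minute - samples[j].minute < window_min:
            continue  # not enough history yet
        window = samples[j:i + 1]
        if not all(s.inlet_open for s in window[1:]):
            continue  # a flat level is normal while the tank is isolated
        expected = expected_rise_m(window, area_m2)
        observed = cur.level_m - samples[j].level_m
        # min_expected_m keeps trickle flows below gauge resolution from alarming
        if expected >= min_expected_m and observed < min_fraction * expected:
            findings.append(Finding(cur.minute, samples[j].minute, expected, observed))
    return findings


def projected_high_level_minute(samples: List[Sample], finding: Finding,
                                area_m2: float, high_level_m: float) -> Optional[int]:
    """Dead-reckon from the last trusted reading using logged inflow only."""
    start = next(i for i, s in enumerate(samples) if s.minute == finding.window_start)
    level = samples[start].level_m
    for prev, cur in zip(samples[start:], samples[start + 1:]):
        level += cur.flow_m3_per_hr * (cur.minute - prev.minute) / 60.0 / area_m2
        if level >= high_level_m:
            return cur.minute
    return None


def constructed_samples(stick_at: Optional[int] = 30) -> List[Sample]:
    """Constructed 5-minute log: 500 m3/hr inflow, rising to 900 m3/hr after minute 90.

    The gauge tracks the true level until `stick_at`, then repeats its last value.
    """
    samples, true_level, reported = [], 10.0, 10.0
    for minute in range(0, 125, 5):
        flow = 500.0 if minute <= 90 else 900.0
        if minute > 0:
            true_level += flow * (5 / 60.0) / AREA_M2
        if stick_at is None or minute <= stick_at:
            reported = true_level
        samples.append(Sample(minute, reported, True, flow))
    return samples


if __name__ == "__main__":
    log = constructed_samples()
    print("threshold alarm fired at:", first_threshold_alarm(log, HIGH_LEVEL_M))
    first = detect_stuck_gauge(log, AREA_M2)[0]
    print("stuck-gauge check fired at minute", first.minute)
    print("estimated minute of reaching setpoint:",
          projected_high_level_minute(log, first, AREA_M2, HIGH_LEVEL_M))
```

On the constructed log the threshold alarm never fires because the reported level never moves, while the rate check fires one window after the gauge sticks and the dead-reckoned estimate gives the time remaining before the setpoint is reached.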
Firstly, Tank 912, the tank of interest and the root cause of the incident, was fitted on 1st July 2004 with a new independent high-level switch manufactured and supplied by TAV Engineers Ltd. TAV had designed the switch in such a way that its functionality could be tested routinely. The first oversight in terms of management system factors (M) (i.e. Figure (4)) was that the employees of the site who installed and operated the switch did not fully understand how the device worked. They also did not understand the critical role that the padlock played in the switch, which left it inoperable (see Figure (3b)). The faulty design could have been replaced if TAV had gone through a rigorous process of reviewing its designs. It is also clear that guidance, in the form of clear instructions on the safety-critical role of the padlock, should have been appropriately disseminated to those who installed and used the device. This leading root cause triggered the subsequent events, leading to the overall conflagration and explosion at the Buncefield oil depot.
Figure 3b- Principles of Operating the IHLS (Source: HSE, 2011)
The switch operated when the alarm circuit was activated, which occurred when the floating internal deck (lid) made contact with and raised the internal suspended weight. This raises a magnet that activates the reed switch. The check lever allows the switch and the alarm circuit to be activated independently of the movement of the floating lid. Thus, the checking action accurately simulates what will occur if the floating lid arrives at a specific point. The lever has three specific positions. The horizontal position is the normal operating position, in which the switch operates as expected: if the floating lid lifts the weight, the reed switch changes state and initiates an emergency shutdown. Tank 912’s IHLS was installed with a design that included a padlock to secure the lever in the normal position.
The switch can also be installed to detect low levels of fuel in a tank, allowing it to work in the opposite manner. If installed in that way, the test is carried out by lowering the check lever. But when the switch’s purpose is to check for high level, lowering the check lever disables it. The padlock is used to make sure that in normal operation the check lever stays in the horizontal position; it is thus an imperative security measure. If the padlock was not replaced, it is plausible that the check lever would remain in its lower position or, as expected, fall. Either way, the switch is considered to be disabled.
Tank 912’s IHLS had the function of checking for low levels, which is not considered to be useful. The switch thus featured a hazardous disabled position, putting it at risk of being inoperable.
Figure 4- The Top Branches of the MORT Event Tree [adapted from Source: Vincoli, 2006 ]
Based on the MORT analysis, several risks were assumed to have caused the Buncefield incident. The presence of each risk factor was evaluated using the question, “If the risk had not been in place, would the accident have occurred?” If the answer was ‘yes’, the risk was considered non-significant. However, if the answer was ‘no’, the risk was taken into account as a supporting cause of the overall event.
Following are the risks as identified by the MORT analysis;
Identification of the major risks that were present before the accident occurred for an analytical risk assessment to take place particularly the lack of risk assessment that was present under the management system factors.
Before the accident occurred, management inadequately assessed the risks present in the existing systems. Firstly, there were structural design faults at Buncefield that made tertiary containment of the incident impossible. There was no tertiary containment system in place at the site. As the facility’s designs show, the containment systems in place were the site’s drainage systems, which were specifically designed to deal with rainwater, minor spills and loss of product. Rainwater, minor spills and lost product were to flow to interceptors and the site’s treatment plant. However, the drainage was not designed to manage large-scale releases from the bunds, such as took place during the accident. The assessment found that no kerbing or boundary wall had been constructed to ensure that liquids remained on site and were directed to the drainage systems. Thus, once the liquids were released they could flow in any direction, which is what occurred during the accident. Furthermore, the volume of the drains and lagoon was too small. The liner of the firewater lagoon on site was also vulnerable to damage from fire and debris from the explosion. It was also found that pumping of liquids was heavily depended upon, leaving the site susceptible to inadequate pumping volume, failure of pumps in a power outage, and inability to use pumps if flammable vapour was released onto the site.
Another risk that is considered to be a specific control in causing the accident was inadequate fault logging. The facility’s system for logging key equipment and working practices was faulty. Buncefield had a shift system which had led to short-term apparent fixing of issues without a proper overview of what was going wrong and why. There was a short overlap time between shifts of supervisors. According to Benner (1975), this handover or overlap time is a very important period in which outgoing supervisors are able to pass on vital information about events that occurred during their shifts to incoming supervisors.
At the time, Hertfordshire Oil Storage Terminal (HOSL) only allotted fifteen minutes for handover and also asserted that they were not being paid for this time. During these fifteen minutes, the handover documentation developed by shift supervisors covered only information regarding the Finaline pipeline, while information on the UKOP pipelines was on an ad-hoc basis. The documentation was flawed in that it recorded only occurrences at the end of the shift, without capturing incident information for the entire shift. HOSL’s operations coordinators had devised an electronic defect log, but the supervisors on the site were not capable of using the system appropriately. As mentioned in the barrier analysis, the ATG gauge on Tank 912 had stuck fourteen times over the last three months before the accident took place.
However, these occurrences and errors were not recorded in the defect log, leaving the operations manager unaware of the regularity of the failure. Analysis of reports on the Buncefield incident has also found that the defect logging system was not used on a frequent basis, particularly when a defect was fixed quickly. The same irresponsibility is seen with the IHLS, where the practices and methods for dealing with failure of the switch were faulty. Based on accident reports, in the first week of April 2004 management became aware that the IHLS on Tank 912 was not working as it should, but still allowed the tank to be used, with the new switch being fitted on July 1st, 2004. Furthermore, Tank 911 operated without an IHLS for nine months; this tank was known to be very busy in filling and flow of unleaded petrol. It can be concluded from this analysis that, had management scrutinised the logging system, the vulnerabilities present in the overall system would have been revealed in time, which may have helped avoid the accident.
There was also an increase in the pressure felt by supervisors on the HOSL site. As revealed by the barrier analysis in Table 2, supervisors were unable to predict the working parameters of the UKOP lines, resulting in unpredictable fuel deliveries through the pipelines. This risk further led to an increase in pressure on the storage capacity of fuel, causing increased throughput at HOSL. These incidences are linked to the increased pressure put on supervisors, which caused them to devise a system to relieve it. Based on accident reports, supervisors began to use an alarm clock in the control room to track product interfaced on the Finaline line. The alarm clock was occasionally used to remind supervisors that tanks were becoming full or getting closer to their capacity with the Finaline product. This occurred because supervisors lacked confidence in the ATG system due to its unreliability. Additional pressure came from the working patterns of employees on the HOSL site. The supervisors were working 12-hour shifts while performing other duties in addition to monitoring the filling and emptying of tanks. At other times supervisors had to work five consecutive shifts with overtime, resulting in 84 hours of work in a seven-day period. According to the report published by HSE (2014a), there were no fixed breaks scheduled, so breaks were taken when operating conditions allowed.
Hence, supervisors worked a great many hours, including overtime, and resisted the hiring of more supervisors as it would lead to a loss of income. A stable working environment relieves pressure on employees, allowing them to be relaxed and work more effectively. Since this was not the case here, increased pressure led to staff becoming disordered, causing them to overlook many risks, arising from factors that could have been managed, that led to the explosions and fires on the site. It is management’s responsibility and duty to monitor the working pressures placed on staff and to take immediate action to maintain acceptable levels of workload.
Figure 5- Mini- MORT of Buncefield Oil Depot Incidence
As argued by Song and Ying, (2011) the interaction between the parts of a system be they human or technological is such that there are not only complex but also intricate transfers of energy as well as information and material from one phase of the accident to another and even within the same phase of the accident. The Events and Causal Factors analytic techniques enables both the identification of the direction of the flow of the elements and factors in a hierarchical manner as well as the identification of the underlying factors for the movement of accident elements and factors (TRAC, 1995b).
The ECFA technique assumes a structured, systematic and logical outlook in the examination of the energy flow between components of a system and involves the charting of the initial stage of the accident as well as the pre-accident and management phases of the accident (TRAC, 1995b; NRI, 2007; Saleh et al., 2010; Cheng et al., 2013).
Flow Chart 1 below depicts the major events and causal factors involved (factors the barrier analysis technique conceptualises as energy precursors) in the accident at the Buncefield oil storage depot.
The following figures illustrate in more detail what the underlying causal factors for each of the major events during the incident were.
ECFA for the Loss of Primary Containment
Failure of the Independent High Level Switch Flow chart
The Automatic Tank Gauging System (ATG)
Malfunctioning Monitoring Screen
Events in the ECFA charts above are depicted by rectangles whilst conditions are depicted by ovals. The above events and causal factors are by no means the only ones that were involved in or influenced the accident at the Buncefield depot; indeed, a host of other underlying systemic and organisational factors were involved, including:
As discussed at length, accidents are investigated to recognise the cause of their occurrence and to determine the actions or steps that need to be taken in order to prevent them from occurring again. Therefore, it is imperative that accident investigators probe in depth into the events and conditions that create accident situations, and take into consideration the managerial control systems that may have led to the development of the root causes of the accident (Benner, 1975). If these root causes are identified, a great deal of comprehension develops of the interactions of events and causal factors through a sequenced chain of events and activities that begins with an “initiating” event and runs all the way to the final losses that may have been produced by the incident (Kuhlman, 1977).
Factors that are considered to be very important in accident causation materialise as sequential or simultaneously occurring events that interact with existing conditions (Benner, 1975). It is these patterns of conditions and events that allow an image to be outlined reconstructing the multiple factors that led to the unwarranted loss or other potential losses (Benner, 1975). Only by pedantically tracing unwanted energy transfers and their connection to each other and to the individuals, procedures, infrastructure and controls does one understand the implications which caused the accident to occur and delineate the sequence of events that led to accident development (Benner, 1975).
An Events and Causal Factors (ECF) chart illustrates the essential and appropriate events and causal factors for accident occurrence in a rational sequence. It is often used not only to analyse the accident but also as an essential tool for evaluating the various pieces of evidence during the examination of the accident (Benner, 1975). This tool also aids in validating the accuracy of pre-accident systems. This is followed by the use of Events and Causal Factors Analysis (ECFA), which is considered to be an intricate and imperative part of the MORT-based accident investigation method. ECFA is often used with other major MORT tools such as those used in this particular study (MORT tree analysis, energy trace and barrier analysis) in order to achieve maximum results in the investigation of the Buncefield accident.
In order to determine the causal factors associated with the incident under study, it is necessary to conduct an analysis of the causal factors of the accident (Benner, 1975). This is considered an imperative process in order to conclude what the root causes of the accident were. For this reason, deductive reasoning is used to determine which events or conditions contributed to the accident. The significance of the events within the accident sequence will be evaluated using the question premise:
‘If this event had not occurred, would the accident have occurred?’
Based on this question the causal factors were assessed and then considered before inserting them within the chart. The chart below is the events and causal factors (ECF) chart that has been composed to outline the events that led to the subsequent explosion and fire in Buncefield. The chart has only considered important events that overlapped with the MORT analysis and Barrier Analysis. These are considered to be important as they aid in the analysis of the root causes of the accident, ensuring that only important events and factors are considered when analysing the underlying causation of the event (Benner, 1975). The ECF chart follows the basic standards and rules for composition as outlined in the figure which shows a general example of ECF charts.
Chart 5; ECF of Buncefield Incident
General conventions were used in composing the ECF chart above. The general method was used to improve comparability and consistency in accident reporting and to aid in communicating the investigation findings. The figure below provides a brief insight into the general format of ECF charts that was followed to assess the Buncefield incident.
Figure 6- General outline of ECF chart (Source: SCIENTECH, Inc., 1995)
This particular convention attempts to be as simple as possible while at the same time maintaining the effectiveness of the events and causal factors analysis. As outlined in the figure, the square boxes indicate events; when these events are aligned horizontally they are considered primary events, while those in a vertical succession are considered secondary events. Oval shapes in the diagram indicate conditions, following the same vertical and horizontal rules applied to events. Events are connected by solid arrows, while conditions are connected to events and to each other with dashed lines.
Using the ECFA charting technique and subsequent analysis brings about two primary benefits:
The primary purpose of accident investigation is to identify what happened and why it happened, to ensure that similar accidents do not occur again in the future. In major accidents there are underlying factors indicative of systematic defects, which have also been shown to reduce performance and production. This is evident in the Buncefield incident, based on the ECF chart that was composed. The underlying cause, which is considered a primary root cause of the failure of barriers and of the overall accident, is deficiencies within the management system. The deficiencies that have been exposed by the ECF chart need to be reviewed, and benefits need to be derived from them that go beyond correcting the immediate causes of the accident.
Firstly, as seen in the barrier analysis and MORT analysis, there are a great many defects in the management system of HOSL. Management overworks its employees, leading to greater chances of underperformance and errors. Further, management has shown a great many issues in logging errors, which is considered a root cause that led to the incident taking place. Had management logged errors in the ATG and IHLS, these root technical problems would have been solved and the overall accident would have been avoided. However, there was poor management throughout the facility.
Based on the ECFA conducted, it is evident that there is a cause-oriented explanation of the accident. This can be explained clearly by using the conditions and events from the ECF chart to make a table that details the cause and effect relationships. These cause and effect relationships are outlined in the table below.
Table 3- Cause and Effect Analysis of Accident
| Cause | Effect |
| --- | --- |
| Management fault in error logging | Faulty ATG, faulty ATG alarm, faulty IHLS |
| Faulty ATG, faulty ATG alarm, faulty IHLS | Tank 912 filling beyond maximum capacity |
| Tank 912 filling beyond maximum capacity | Petroleum product overflows from vents |
| Petroleum product overflows from vents | Vapour cloud formation above Tank 912 |
| Vapour cloud formation above Tank 912, presence of weather conditions cause cloud to move | Vapour cloud spreads to 360 m spreading over Tank 12 |
| Vapour cloud over Tank 12 which contains aviation kerosene which is highly flammable | Fire alarm is pressed at indication of vapour cloud whose ignition is the alleged culprit causing explosion |
| Explosion occurs over tank | Fire is not controlled or contained due to management not having set up secondary and tertiary containment; bunding infrastructure is faulty |
| Bunding material melts as it is not fire resistant | OVERALL IMPACT: Fire is not contained leading to 43 injuries, 2 individuals seriously injured, nearby residents and businesses shut down and put at risk, HOSL facility damage |
One of the central purposes inherent in the investigation of accidents in general, and more so of major accidents of the type that occurred at Buncefield, is the opportunity to highlight not only organisational learning points but also to advance the field of safety management and professional awareness and knowledge of accidents, in order to avoid repeats but also to inform response and mitigation efforts (HSE, 2003).
According to the HSE (2014), whilst the incident at Buncefield does not flag up new areas insofar as major accident prevention is concerned, the accident still had utility in strengthening and reinforcing critical process management principles that organisations as well as professionals linked to the safety management paradigm have been aware of for some time. To that end, the following have been identified in literature as some of the key thematic areas for safety professionals that the accident helped reinforce:
There is a wealth of in-depth information in nearly all areas pertinent to the accident, except for the lack of understanding of the dynamics of the vapour cloud movement and the subsequent explosion dynamics, as detailed in the report of the Major Incident Investigation Bureau and other reports on the accident such as the COMAH Competent Authority’s report.
Whereas Barrier Analysis and ECFA/MORT techniques have proven utility in the investigation of accidents and their precursors, there are a number of limitations attached to both categories of techniques that make it difficult to gauge their effectiveness in relation to accident investigation in general, not least because of the existence of a unique set of circumstances for every incident but also because of the blindness of the techniques to a number of accident dynamics including:
That being so, Barrier Analysis as an accident investigation technique is particularly useful in circumstances where the investigation and identification of hazards that are linked to energy sources is pertinent as well as instances where the aim is to examine either retrospectively or proactively whether barriers/safety features offer adequate protection to vulnerable people and other targets. If the objective is the identification of critical events and not the entirety of hazards and precursor conditions and circumstances, then Barrier Analysis and ECFA and MORT techniques offer strong functionality for doing so. As posited by the HSE (2001), Barrier Analysis and other MORT linked techniques are made further attractive due to their inherent flexibility, a quality that means they can be applied to the investigation of all types of problems more so as a means to establishing a baseline/foundation for further investigation.
Using the MORT tree map, barrier analysis, and events and causal factors analysis, there is substantial evidence to conclude that the underlying root causes of the explosion at the Buncefield oil storage depot were technical and arose from management error. To conclude, the root causes have been identified as follows from the accident investigation tools used:
All the root causes highlighted above are directly or indirectly caused by defects found in the managerial oversight and leadership of the company HOSL. It is evident from the analysis that there are massive deficiencies in HOSL’s management including
The following sections of the study provide a detailed look into the root causes that are concluded to be the main events, factors, barriers and conditions that led to the Buncefield incident. The sections touch upon problem areas in corporate governance and management of the accident site and analyse the main management failures that have been identified extensively using the MORT tree map, barrier analysis and ECFA. Had these root causes been uncovered earlier and immediate action taken, it is highly likely that the Buncefield incident would not have occurred.
Main management failures discovered using MORT Model
Inadequacies in management functions at Buncefield spanned the three major areas that literature posits are the main categories under which precursors of accidents, irrespective of size, tend to fall: human, technical and organisational. Table 4 below captures some of the major problems that were observed at Buncefield after analysis of the contextual factors using the MORT model. The author contends they are all linked to the noted problems with the leadership and management oversight at the site. For some of the issues raised the link is more apparent, including inadequacies of the monitoring function within the site, as it reflects not only poor strategic direction but also the lack of appropriate supervision and management control.
For others, including failure of barriers (be they mitigation, control or preventive), the link to poor and/or insufficient management is not readily apparent, but when consideration is given to why, for instance, the wrong or inadequate physical barriers were installed, it can be established that it connects with poor decision making in top management bodies, a lack of commitment and focus, or poor attitude and organisational culture.
Table 4; Main failures that were observed using the MORT technique
Inadequate monitoring of operations
Inadequate external communication framework
Deficiencies in the informational systems
Lack of coordination
Failure of barriers
Lack of contingency plan for the vapour cloud explosion event
Deficiencies in the definition of responsibilities within the organisation
Deficient emergency response
Lack of support and guidance of top management
Key decision makers failure to act promptly
No evidence of risk assessment
Failure to learn from past safety failures and incidents
Lack of clarity in definition of responsibilities
Absent or insufficient hazard identification
Poor top management attitude.
Poor training of staff/lack of training
Main management failures observed using the Barrier Analysis model
Failures and inadequacies in the management function at Buncefield spanned not only the so-called soft defences but also extended to what the literature considers to be hard defences: alarms and physical barriers such as bunds and oil storage tanks.
Failures in management that fall under the soft defences include inadequacies in regulations, poor procedures and poor training. They link with accident prevention through their influence on processes, procedures and systems for risk and hazard identification, accident risk mitigation, the review and monitoring function and engendering and promotion of an appropriate organisational safety culture as well as individual attitudes to risk management in general.
Management failures such as poor top management attitude to safety, lack of training, poor supervision and lack of coordination served to erode accident prevention defences, as failures cut across successive layers that are known to be pertinent for effective accident prevention in organisations. Indeed, even in instances where the management failings were limited to one layer of the organisation’s barriers (as is the case for all the failings in human resource management), the erosion of that layer meant that the whole system was left vulnerable to collapse, not least because of the interconnectedness between the various types of barriers.
Table 5 below summarises some of the top management failures that were discovered on analysis of the pre-accident and post-accident context using the Barrier Analysis technique. Many of the management failures discovered using barrier analysis relate to the state or the absence of safety functions within the organisational structure as well as corporate management of the site.
Table 5; Main management failures at Buncefield discovered using the Barrier Analysis model
Poor corporate safety management
Poor local planning
Inadequate planning of operations
Unsafe routines of work
Absence of appropriate informal practices
Poor scheduling of operator shifts
Inadequate/lack of audit and review function
Delay in execution of jobs leading to stress
The responsibility of Buncefield site managers, insofar as organisational factors that triggered the accident are concerned, spans factors connected with emergency preparedness and the emergency evaluation plan and response.
In a departure from established good practice for COMAH sites, management had never conducted any emergency drills or exercises. Indeed, the setup of the organisation was such that there were no emergency preparedness drills or exercises embedded into the risk and emergency management frameworks. Further evidence suggests management was positioned to do the bare minimum to meet regulatory compliance; it didn’t help that in some instances the compliance had all to do with having documents that stipulated procedures and processes, but nothing was operational.
In addition, the communication framework was so inadequate that not only were there problems in stakeholder engagement but also ineffectiveness in communication between the company and its contractors. The latter was especially responsible for the failure to discover poor installations of equipment as well as the poor functioning of systems at the site. Table 6 below summarises organisational deficiencies and problems that played a part in incubating, causing and exacerbating the accident.
Table 6; Main organisational deficiencies and problems
Poor and/or inappropriate safety management system
Inadequate or absent safety and operational procedures
Lack of an up to date and appropriate emergency management plan
Poor regulatory compliance
Lack of leadership
Unclear roles and responsibilities
Poor internal and external communication frameworks
Lack of enforcement of rules and regulations
Absence of emergency drills and exercises
Weak strategic management
The deficiencies and failures in human resource management and organisational leadership in regard to safety culture, practices and norms stretched beyond the top management level of the operators of the Buncefield depot.
Board level involvement was non-existent in regard to the stewardship and oversight of corporate safety in general. Analysis of the expertise and experience of the board members of the companies that were jointly running the site shows that they lacked competence in corporate risk management of a major hazards site such as Buncefield. Accordingly, safety leadership problems and issues ran all the way up to the top corporate governance institutions. The inadequacy of board level stewardship ultimately fed into the executive management approach to risk management, which in turn trickled down to operational employees.
Under such conditions corporate safety culture became lax, as reflected by the absence of procedures and established norms, the lack of processes, and a focus on doing things to meet minimum compliance requirements rather than genuine consideration and implementation of initiatives that lessened the risk of the site’s activities impacting its stakeholders financially, socially and indeed environmentally.
A number of failings that directly led to the explosion had been picked up by external auditors. However, the implementation of findings as well as the follow-up and review of the highlighted deficiencies was not sufficient. The internal audit process was so weak as to be non-functional because of a number of issues, the main one of which was the lack of leadership and ownership of the audit protocol and process. Failures in the audit programme that were observed at the site included the following:
Personal experience, staff knowledge, attentiveness, motivation and personal attitude
A number of incidents prior to the accident, as well as during and after the explosion bring to the fore deficiencies regarding employees’ experience, both in the operational running of the site as well as the management of emergency situations.
Whilst the lack of fatalities at the site could be viewed as representative of employee effectiveness in handling emergency situations, there is insufficient evidence to support that position. Rather, the absence of loss of human life was remarkable, not least because staff had not been trained in appropriate evacuation operations. Indeed, because no simulations, drills or emergency exercises had been conducted, staff lacked experience insofar as the conduct of emergency evacuations was concerned.
The fact that overfilling of tank 912 went on for several hours before being noticed, never mind that the automatic gauging system had failed, further attests to the lack of situation awareness by the operational staff. Experienced staff would have had an idea of roughly how long the filling of a tank should take, and that should have triggered their investigation of the tank filling operations once they realised it had gone on for a long time. The reliance on technology and alarm systems that failed is also strong evidence pointing out the inadequacies in staff knowledge of operational systems as well as their attentiveness to conditions in their work environment. Lack of attentiveness to the contextual environment was also reflected in the failure to notice the overflow of the tank and the subsequent formation of a vapour cloud, especially so as members of the public in the surrounding community had observed an abnormality and had wrong advising of the same.
Motivation of staff was also observed to be lacking, partly due to increased stress of work but also because of changes in shift patterns and scheduling of work. Indeed, the increase in throughput would have been deciphered as a lack of management interest in their employees, who would in turn have responded by not being attentive and driven to ensure safety procedures and culture were adhered to.
Employee attitude to health and safety was also remarkably poor, and in some cases the behaviour exhibited by staff increased and amplified risks and hazards rather than reducing them. Staff errors, as well as failure to log incidents, disregard of rules and established procedures for performing specified operations, and distractions were indicative of a very poor attitude to health and safety in general and to accident prevention at the site. The failure to log previous incidents as near-misses in a site as replete with major hazards as Buncefield was is also indicative not only of individual employee disregard of safety but, more importantly, of the failures in human resource management at the site.
The three different operational sites at Buncefield all complied with requirements to be rated as so-called ‘top tier’ COMAH sites. There was clear separation of storage tanks based on the kinds of fuel that were held in them, with different storage areas bundled and zoned.
The site was as such generally well laid out, with clearly demarcated areas for different operations including designated zones for moving equipment and machinery, among other things. Adjacent to the storage tanks were a number of drains and soakaways. These, however, were not known to the employees at the site, a situation that is indicative of the lack of detailed site plans at the depot.
The layout of the site in relation to other settlements and installations was, however, problematic. There was a big industrial estate adjacent to the tank farm, and residential settlements were a couple of hundred feet away from the site. Further, the site was adjacent to a rather busy motorway (M1).
The development of an industrial site next to the depot, as well as residential dwellings in close proximity to a site of such high risk, is indicative of general failings in spatial planning and societal risk management on the part of regulatory authorities and public governance institutions, but it is also symptomatic of the lack of engagement of the top management at Buncefield with the development review process. There is no evidence to show they objected to the location of major facilities next to a site of such high risk.
The design and nature of equipment at Buncefield was in keeping with leading practice for installations in oil storage depots and oil facilities in general. Indeed, the observed failures in control and forewarning equipment such as the independent high level switch and the tank gauging system had nothing to do with the design, but rather with failures in maintenance, inspection and repair as well as in the commissioning of storage and protective installations.
Moreover, the overwhelming failures of the tanks once they had caught fire also had nothing to do with flaws or inadequacies in the design of the tanks; rather, the intensity of the resultant blaze was such that even the superior design and make-up of the storage tanks could not withstand the ferocity of the fire.
Aside from a small number of trees around the periphery of the depot, there weren’t any physical environmental features or landmarks that could be construed as having played a part in causing or exacerbating the accident. The general layout of the surrounding area is flat and undulating with sparse vegetation. Moreover, the physical environmental aspects that played a central role in engendering the incident (ice and cold) were not unique to the site. There was as such not much that the organisation’s management could have done except identify the likelihood and potential impact of the physical environment on the appearance of a vapour cloud in the event of a leakage.
In line with requirements mandated by the health and safety law for Control of Major Accident Hazards (COMAH) designated sites, there was evidence of embedded risk management systems and a framework that specified initiatives for the management of the major hazards attached to the operations of the site. However evidence reviewed showed that management was at best doing the bare minimum that was required of it to meet regulatory compliance.
Indeed, evidence of the same is provided by the fact that there was a significant disconnect between what was specified in compliance documentation/risk management systems and what was actually happening at the site. A number of inadequacies were present, including the absence of a procedure for management of change of critical parts, an ill-prepared and ill-considered critical parts list, and general failings in the safety management system such as the failure to log incidents, poor safety culture and poor attitude by top management as well as employees.
The extent of management failings at the site was further reflected by the failure of the established risk management framework to identify the possibility of several tanks catching fire, failures in ensuring good practice was followed in the design, build and commissioning of physical barriers such as bunds and a less than adequate inspection and maintenance regime. Moreover the lack of an appropriate inspection and maintenance regime was indicative of the lack of consideration of the health and safety implications in the running of the business with managers tending to focus on the financial aspects instead.
Attributing the influence of major political events and factors to the 2005 Buncefield disaster is by no means an easy task, not least because suggesting a causal link between external political events and the operational issues and factors that led to the accident is not straightforward, precisely because of the fuzziness in the dynamic between politics/political events and organisational performance.
The following three political events could have played a part in causing the accident, both directly and indirectly: in the case of the former, through their influence on the price of oil, which rose sharply in 2005, and in the case of the latter, through their influence on management indifference to safety concerns, as has anecdotally been shown to happen during election years as well as years of major environmental disaster, as did happen in 2005.
Table 7: Major political events that could have played a part in causing and engendering Buncefield incident
| Political event | Possible influence on the accident |
| --- | --- |
| Geo-political crisis in the Middle-East | Sharp increase in the price of oil in 2005 which could then have led to the company increasing throughput so as to make as much profit as possible from high prices |
| UK general election | Moderation of the workings of regulatory authorities as they take steps not to cause the emergence of news or information that could influence political outcome of the election |
| Election of Mahmoud Ahmadinejad to the presidency of Iran | Increased geo-political tensions which in turn led to market instability and high prices which then could have influenced the production capacity at the factor. |
There is evidence to show that the Buncefield accident was both a result of systemic failures in the oil industry in general, not least because of the poor handling of health and safety by corporate entities, and a single-event disaster of the low probability-high impact kind.
A number of missed opportunities, as well as failure to conduct certain oversight functions including the monitoring of the risk management framework, the auditing of processes, and a general lack of compliance monitoring regarding such things as contingency plans, show that there were failures in the design and implementation of the risk management framework as well as major problems in the operational oversight function of the regulatory regime put in place to ensure companies are run in a manner that minimises their potential to damage the environment, property and human beings. Moreover, the context of the dismantling of the tough corporate regulatory environment that had commenced under the government at the time of the disaster may have led to laxity on the part of the Health and Safety Executive, the Environment Agency and other corporate governance regulatory bodies in conducting their duties. The weakening of the regulatory environment as a result of governmental policy could conversely be argued to mark the accident as a so-called policy disaster, not least because the unintended consequence of the government’s poor intentional decision making in relaxing the regulatory environment for the purpose of cutting red tape turned out to be a bad decision, as it created an environment where corporate entities could get away with not putting in place effective controls and systems that may have prevented the accident from occurring.
The table below reflects some of the regulatory failures and inadequacies that played a part in causing the explosion at Buncefield oil depot.
Table 8: Regulatory influence
Description of Issue
Weakness, ambiguity and contradiction in regulatory strategies between the Environmental Agency, the Health and Safety Executive, the Local Council and corporate governance bodies
Deficient communication frameworks between regulatory authorities and the operators of the site leading to failure to explicitly lay out what conduct was expected.
Breakdown of trust and accountability between the operators and the lead health and safety regulatory agency, the Health and Safety Executive
Social factors that may have influenced the explosion at Buncefield are a little bit difficult to delineate not least because unlike other factors that form part of the key drivers of safety culture and conduct in an organisation such as regulations and policies, audits, safety training and initiatives that are aimed at making employees develop and operate safety norms and behaviour.
Management culpability in the area insofar as allowing societal factors to influence the accident at the depot relates to their failure to ensure networking relationships and social trust between their organisation and external stakeholders that included governmental agencies but also their suppliers. The failures and inadequacies in external communication, trust, and openness led to a situation where the social safety climate was eroded and ultimately led to the erosion of the safety climate within the organisation. This among others was evidenced by the fact that the installers of some of the safety equipment at the site failed to inform the company of the need for a component that needed removing so the gauging system would be activated and work properly. But that was by no means the only evidence of the erosion of social trust between the organisation and its stakeholders.
The ability to learn from accident events is often lauded as one of the most critical principles in effective safety management, hence the presence of a number of post-accident investigation techniques including those that are founded on collection of statistical information and those that are viewed as in-depth analytical methods that reveal not only patterns but also accident precursors and conditions that when managed well can prevent further events (Lundberg et al., 2010), albeit the notion of prevention of accidents is a hotly contested one.
Whilst the utility of systematic accident investigation insofar as accident prevention is well espoused, there is a wealth of evidence that suggests the presence of inherent biases in specific accident investigation techniques as well as widely spread sources of error in the field of accident investigation in general, all of which can impact investigation of an accident but more importantly the extent to which individuals and organisations can learn from accidents (Johnson, 2003; Lundberg et al., 2010). Indeed the effectiveness of an accident investigation technique is dependent not only on its fit with the context it is employed in; it has also been shown to be influenced by a number of individual-specific factors as well as the background from which an investigation is conducted. For instance Svenson et al. (1999) posit that the professional background as well as the psychology of an investigator impact the analysis of accidents, never mind the choice of investigation tool or technique.
The situation is not helped by the absence of a holistic and comprehensive accident investigation technique that is applicable for the analysis of all accidents irrespective of the contextual factors and sectors or areas in which they occur. This section evaluates the effectiveness of two of the most commonly used systematic accident investigation techniques, MORT and Barrier Analysis.
The MORT methodology for accident investigation is part of a group of models that are conceptualised as holistic partly because it highlights an accident’s causal factors but also because it delineates what the events leading up to the incident were (Attwood, 2006). By its incorporation and inclusion of extra safety measures elements in its analytical scope, MORT is largely a more comprehensive approach to the investigation of an accident. It is further strengthened by its investigation of the causal relationship between so called trigger factors and enabling events as well as the failure of preventive action including those that are centred in the areas of equipment protection, operator protection, operational staff recovery and mitigation measures.
Whilst its inclusion of a breadth of events, trigger factors and causal factors as well as safety barriers ensures as wide a scope as possible is cast over the accident context, there is a danger its extensive scope may lead to a superficial investigation of links and relationships between the said factors not least due to the tendency for analytical work to be time barred. That said, MORT is a proficient methodology for instances where there is an urgent need for valid information that then feeds into the design of immediate action plans as it enables immediate from an accident event. The MORT technique, through its enabling of the recording of the so-called non-contributory events, is particularly useful as it enables implications regarding the causation of similar events that occur in different contexts to be drawn. So whilst the recording of non-contributory events and factors can be of no immediate use, the design of the MORT framework is such that that information becomes useful to other incidents. In so doing it advances individual as well as organisational learning from disasters.
The MORT model is however decidedly qualitative in nature. Granted there are a lot of positives to qualitative analysis of accidents including simplicity of application, enabling of detailed examination of an event and its enabling of a foundation for subsequent analytical work to be undertaken. But there are inherent weaknesses in qualitative linked analytical models not least because they are impacted by subjective opinions, experiences and expertise of investigators but also because they do not permit modelling of the dynamics of events and factors. For instance whereas the use of MORT enabled the identification of the vapour cloud as one of the key factors at play during the incident at Buncefield, except for that identification enabling subsequent quantitative modelling of the dynamics of the vapour cloud in the context of the prevailing conditions at the time of the accident, it was not possible to decipher how big the vapour cloud was and how fast it was moving once it had been formed.
Another deficiency of the MORT model is inherent in its identification of factors that are at times best characterised as proximate causal factors as so-called root cause factors. In so doing there is the potential of symptoms of an incident or accident being managed in a way that does not actually do much to reduce future accidents (Leveson, 2004). It is the reason why Hoveden et al. (2008) argue that MORT often does need supplementing with models that are not only more suited to engendering alternative thinking and consideration of accident dynamics but also support imaginative thinking and creativity insofar as accident prevention is concerned, as well as frameworks that incorporate system dynamics modelling including techniques that enable data mining and the study of work processes.
The Barrier Analysis accident investigation technique is founded on Gibson’s (1961) energy-barrier principle, which posited that accidents occur due to the loss of control of dangerous energy, hence the suggestions for the separation of energy from vulnerable targets. However as argued by Reason (1997) in the so-called Swiss-Cheese model, every barrier has deficiencies (holes) that have the potential to line up and in so doing allow a hazard to penetrate a system. The Swiss-Cheese model in effect questions the effectiveness of Barrier Analysis insofar as accident investigation is concerned because even though robust steps are taken to manage barriers in such a way that the inherent barriers in a system are maintained and improved through the lifespan of a system, considerable challenges exist, albeit there are conversely a number of benefits to be derived in the use of BA in accident investigation (Johansen and Rausand, 2015).
According to Hollnagel (2004) and Sklet (2005) one of the key benefits of using BA as an accident investigation technique is its permitting the classification of barriers in a number of approaches including: classification based on the role and function of the barrier in the accident sequence (preventive, mitigation or controlling barriers) and categorisation based on the nature of the barrier, hence the notion of technical, organisational, operational as well as distinction as physical, symbolic, functional and incorporeal. In the case of Buncefield the use of BA enabled the researcher to clearly distinguish barriers not only based on functionality but also based on the nature of the barrier itself.
Whilst the categorisation of barriers enables an accident investigator to drill down and look at functional as well as physical nature-specific factors of an accident, the overall effectiveness of the technique is limited by a number of deficiencies not only in regard to philosophical foundations but also in regard to the framework’s lack of clarity regarding what is and what is not a barrier in an accident environment. Because of the absence of barrier-linked performance requirements for the various functions, systems and elements of the Buncefield accident site, it was difficult to judge the difference in positions between the regulatory authority positions and those of the operators of the site. Further, it was not easy to distinguish between operational and organisational elements of the accident as the Barrier Analysis framework is ambiguous about the distinction between those two groups of elements, a situation not helped by the existence of published opinion that considers the two to be one and the same.
The Barrier Analysis framework also does require an investigator to know the performance of a barrier beforehand so that they can then make a judgement regarding whether a specific barrier was functioning well or impaired. It is accordingly not suitable for investigators who lack prior knowledge of the system that they are investigating as well as those who are inexperienced in system audits and the requirements of a fully operational installation.
The very notion of organisational or individual capacity to learn from an accident or near miss event is strongly contested by a number of authors including Hopkins (2008) who posit that the continued reoccurrence of major accidents and indeed the increase in the number of accidents both in scope, size and severity reflect the inability of organisations and individuals to learn from lessons inherent in past failures or accidents. This view however ignores strong evidence not only regarding the utility of accidents in that meanings are imputed to historical events even if doing so depends among other things on the manner in which an event is portrayed as well as the manner in which the portrayal of an event is interpreted by the society in general as well as individuals (Marcuse, 2009).
Indeed there is wide consensus both in research and accident management on the notion that systematic accident investigations are critical in enabling organisations as well as individuals to derive benefit from an accident (Stoop and Roed-Larsen, 2009). But what tends to always happen, especially so in situations where independent boards are engaged to investigate accidents, is that the investigation serves as a baseline for the establishment of processes to deal with the accident and as such it is open to question whether it is done in such a way that it does actually enable learning from disasters (Braut et al., 2014).
Moreover similar incidents such as the Qingdao storm drain disaster, in which a crude oil vapour explosion killed 62 people and injured scores (Zhu et al., 2015), considerably dent the notion of humans and organisations being able to learn from disaster, not least because whilst the anatomy of the Buncefield explosion incident was considered to have engendered research into the dynamics of oil vapour clouds, more so in regard to increasing understanding of the explosion limits of vapour clouds and the understanding of the relationship between the upper explosive limit and vapour pressure of oil vapour, the explosion in Qingdao, because of its being linked to a number of human, technical and social factors that had been observed in Buncefield, shows that little if anything has been learnt by organisations.
To however take the evidence of the continued occurrence of similar vapour cloud explosion accidents as evidence of the failure or indeed inability of individual and organisation capability to learn from disasters and near miss events is not tenable, despite some authors such as Borodcizc (2005) asserting that empirical evidence suggests ability to learn from accidents is negligible due to deficiencies in human cognition as well as their inability to comprehend the dynamics of socio-technical systems interactions that with increasing automation and complexity are even more difficult to decipher, as evidenced by the BP Deepwater Horizon disaster explosion in the Gulf of Mexico. Doing so misses the point that recommendations of subsequent independent bodies and regulator-led investigations came up with a number of not only explicit hazard identification and risk assessment of similar contextual environments but also suggested a number of approaches for improving the health and safety management in oil installations. The subsequent strengthening of compliance with good practice guidance as well as development of robust systems for investigation of near miss incidents developed by the Health and Safety Executive can be taken as one of the most critical indicators that emerged subsequent to the accident in Buncefield.
The persistence of problems in general corporate hazard and risk management operations that are reflected by the failures of regulatory authorities to tie all the loopholes that allow companies that breached safety legislation to re-brand and re-emerge as different entities, as did happen with the re-branding of one of the key players at the Buncefield incident, Motherwell Control Systems, and its re-appearance for operations close to the accident area, would ordinarily be taken to reflect serious deficiencies in the risk management framework as a whole, but the fact that the re-branded company was subsequently found out can conversely be construed as evidence of civil society and other stakeholders’ new ability to learn that was developed after the incident in Buncefield. In that the scale of the disasters notwithstanding the absence of fatalities, re-doubled oversight organisations and private individual efforts insofar as being vigilant and looking for failures and system deficiencies that would otherwise lead to the occurrence of a similar if not bigger incident.
The utility of Buncefield, along with similar accidents in Qingdao (Zhu et al., 2015) and Jaipur (Sharma et al., 2013), in furthering learning from disasters has been the advancement of vapour cloud dynamics modelling. Whilst our understanding of the emergence, explosion limits, ignitability and movement of vapour clouds still has some way to go, advancements have been made in the estimation and modelling of the dispersion of vapour clouds in different environmental conditions, as has been our capacity to reveal trends and relationships between different factors that influence the emergence of vapour clouds and their potential to explode (Sharma et al., 2013).
It is quite conceivable that had the Buncefield explosion been much smaller, in that had the plume not drifted as far and wide as mainland Europe and the smoke from the resultant explosion not been big enough to see from space, then the examination of the dynamics of oil vapour clouds may not have happened as other factors would have come to the fore as potential causes. To that end Buncefield has had utility in risk management frameworks design, implementation and review as well as triggered an increased interest in vapour dynamic modelling and forecasting, hence it can be argued despite other similar incidents that it advanced oil installation hazard and risk identification and management processes.
Available evidence clearly shows that organisational/human factors as well as deficiencies and problems in technical systems and environmental conditions played a central role in the explosion at Buncefield tank farm. A detailed analysis of the contextual environment and a review of procedures, processes, activities and norms show that the management function of the operators of the site was either woefully deficient or indifferent to health and safety concerns. Specifically there was lack of leadership as well as the absence of adequate board-level involvement in issues concerned with safety.
Indeed whilst the failures in emergency planning witnessed in executive management level of the site reflect not only the lack of competence in risk management at the top of corporate management at the site, a majority of the observed failings and absence of safe systems and procedures mainly relate to the lack of enabling corporate culture and poor corporate governance. The failure to develop a comprehensive emergency plan is clearly due to the lack of strategic leadership by managers. This was particularly remarkable given that the organisation and its set up ranked as a site of major hazards and accordingly was expected to adhere to more stringent arrangements given the risk inherent in its activities. However the weakness in board-level governance, due in part to their lack of competence in risk management but also as a result of potential focus on economic performance at the expense of safety, played a part in ensuring an environment developed where managers could at best get away with having a plan on paper of which nothing was implemented.
As such whilst the first obvious inadequacy insofar as the management function at the site was concerned had to do with the lack of planning or at best poor strategic planning, culpability for the same covers both executive managers as well as the board. Not least because corporate governance legislation and regulations in the United Kingdom mean that responsibility for guidance of management function in finance, operations and risk management is the remit of the board of an organisation as well as the top management, who then have a role in cascading the right culture, practices and norms across the entire organisation.
Closely linked with oversight and strategic direction is failure to adequately supervise both on the part of management as well as external regulators. Indeed failures in the supervisory function internally and externally made for a situation where safety management had been deteriorating for a considerable time. Analysed evidence shows that previous faults weren’t logged, and indeed the absence of an appropriate framework for the recording and review of near misses enabled some issues that ultimately led to the failures in identification of risks and vulnerabilities to develop up to the extent where the system could no longer bear any more. This could have been addressed had the external supervisory function been functioning robustly and effectively. But the break of trust and the erosion of the social protective layer represented by an ineffectively functioning communication and networking framework between the organisation and its stakeholders, especially so for regulatory ones, meant that issues that were flagged up were not followed up. The result of which was a steady and gradual deterioration of safety management at the site with the result that management was emboldened to go as far as producing documents but not implementing commitments to compliance in some areas.
Effective emergency planning and for that matter management is not however possible if the risk and hazard identification process of a company’s risk management framework is not comprehensive and inclusive enough to identify all potential as well as imminent and likely hazards. Corporate functions for hazard and risk identification were inadequate and seriously lacking at Buncefield. For a hazard and risk identification process not to flag up the possibility of several oil storage tanks being on fire at any one time is damning, never mind them clearly containing highly flammable liquids. Similarly the failure to pick up the possibility of a petrol vapour cloud forming is poor, especially so given that similar explosions had happened elsewhere before (Texas City). Accordingly the emergency plan was flawed from the outset as it left out two key hazards/risks that caused the explosion and influenced the size of the subsequent explosion. This could have been rectified had there been an effective arrangement for routine review of safety issues at the site. There was no system for the detection of failure of not only the hazard and risk identification process but indeed operational failure and unsafe culture at the depot. So while there were several signals and opportunities for weaknesses and failures to be picked up, because the organisational culture was poor, added to the absence of systems, no one was able to connect the myriad of safety incidents to the potential of an explosion happening. Management was so focused on increasing throughput and increasing productivity at the site that even employee stress caused by those two happenings did not trigger any alarms.
In high reliability organisations it is critical that safety systems are maintained and checked regularly to ensure they are working properly, because the failure of one component of the system quickly expands across the entire organisation as a result of the interconnectedness between different systems and functions across the organisation. The failure of the independent high level switch meant that pumping could not be shut off once the limit of the tank had been reached. The fact that the said switch had not been functional for a considerable amount of time clearly shows checks were irregular and the maintenance inadequate.
Results of the review further show that it is possible to have an audit protocol that does not accord an organisation the feedback it needs to improve its safety management and culture. At Buncefield a number of external audits had flagged up many issues that needed addressing but due to the lack of an effective protocol within the organisation and lack of an enabling communication framework, the utility of the audits insofar as ensuring identified failures were dealt with beforehand was lost. Effective auditing rests among others on the clear delineation of roles and responsibilities for the execution of the audit protocol as well as implementation of findings, allocation of appropriate resources and regularity of execution. Moreover the importance of an effective audit cannot be overstated, not least because it helps identify and plug any holes in the risk management framework. Particularly so given that, because of the nature of risks/hazards as well as their being multi-faceted and capable of emanating from different areas as well as the evolution of hazards and risk, no risk management framework can be designed in such a way that it accounts for all potential outcomes. Accordingly adaptability as well as robustness become critical elements in an effective risk management framework; these two qualities hinge on the effectiveness of the audit protocol.
For investigating accidents there are numerous tools that have been developed and are considered as being sufficient to be used in all kinds and contexts of accidents. However, the reality of the situation is that it is never sufficient to use a single investigation tool to determine the underlying causes of an accident. For specific accident investigations it is necessary to use multiple investigation techniques throughout the investigation.
This is evident for the current study of the Buncefield accident in which multiple techniques were used to investigate the root causes of the accident. The techniques used for the current study included: Barrier Analysis, MORT model, and Events and Causal Factor Analysis (ECFA). The barrier analysis and ECFA are tools that are interrelated to the MORT model as they stem from MORT. All the techniques used for the current investigation of the accident are considered as a robust utility providing for high reliability of findings. The tools selected for the current study were suitable for the complexity found in the Buncefield case’s environment and organisation. There is a specific setback with using the particular tools; that is the forecasting of future scenarios. However, to overcome this setback, the tools that were used are extremely accurate in determining the root causes of the accident. This will enable organisations such as HOSL to make necessary changes to avert similar events taking place in the future. This can be achieved through making risk assessments when uncovering risks within the organisation’s management infrastructure, physical environment, policies and procedures, and communication.
Based on the literature assessed in the current study it is evident that accidents result from various factors and events such as human errors, commonly seen through failings from the management or the organisation at large, in addition to technical factors. The current study reviewed the incident that occurred at the Buncefield Oil Depot which was a series of explosions that would be labelled as the largest fire Europe has witnessed since World War II. Reviewing the factors and events that led to the explosion and subsequent fires
A review of the incident at Buncefield revealed the influence of all the different categories of precursor events even though the bulk of them were in the category of human factors. The approach used in the investigation of the incident especially the involvement of several organisations and the methodological step by step review of all the events and the determination of the sequence of main events. Whilst the approach and the layout of the approach was comprehensive, there were still a number of significant informational gaps not least the dynamics of the vapour cloud and its formation.
As posited by the Normal Accident Theory, the failures in management functions at Buncefield both at the executive level as well as board level made for an environment where precursors of the explosion that happened in 2005 were unavoidable. Not only was there a lack of systems and procedures but even in areas where there were established protocols and systems, the failures in operational management and oversight were such that they were not sufficient to pick up faults. Moreover failures in physical components at the site were also due to failures in management function especially in the management of contractors and the installation of adequate protective and mitigation facilities.
Mistakes and failures in organisation management were exacerbated by inadequacies in external regulations as unsafe behaviour was allowed to develop due to the erosion of trust and failures in the communication frameworks between stakeholders. This was quite evident in the organisation that was running operations at the Buncefield oil depot. Throughout the current study, various management errors had arisen that led to an increased risk for accidents to occur. Particularly, it was found from the research that management had placed a great deal of pressure on supervisors which led to subsequent factors such as overload of work, overlapping of systems, fault in error logging, and technical mishaps to go unnoticed.
It is recommended that organisations that are dealing in sensitive materials or those that are risky implement policies and procedures which adhere to safety protocol. It is essential for organisations to run routine risk assessments in all departments of the organisation, including operations, functions, and management. These risk assessments provide organisational leaders insight into factors that may put the organisation at risk of accident occurrence. Safety protocols in place at the site will ensure that human capital, infrastructure capital and resources are kept safe in the face of danger. From the current study it is evident that management plays a very critical role in preventing accidents by frequently analysing factors that may put the organisation at risk of accident occurrence.
Borodcizc E. P., (2005). Risk, Crisis and Security Management. John Wiley and Sons, Chichester, England.
Braut G. S., Solberg O., and Nja O., (2014). Organisational effects of experience from accidents: Learning in the aftermath of the Tretten and Astan train accidents. Transportation Research Part A: Policy and Practice Vol. 69 Iss pp354-366.
Hopkins A., (2008). Failure to Learn: The BP Texas City Refinery Disaster. CCH Australia, Sydney, NSW.
Marcuse H., (2009). Reception history: Definitions and quotations. www.history.ucsb.edu/faculty/marcuse/receptionhist.html. Accessed 2 March 2015.
Al-shanini A., Ahmad A., and Khan F., (2014). Accident analysis and modelling in process industries. Journal of Loss Prevention in the Process Industries Vol. 32 Iss pp 319-334.
Antao P., and Soares G., (2008). Causal factors in accidents of high-speed craft and conventional ocean going vessels. Reliability Engineering and System Safety Vol. 93 Iss 9 pp 1292-1304.
Baysari T., Caponneccha C., McIntosh A. S., and Wilson J. R., (2009). Classification of errors contributing to rail incidents and accidents: A comparison of two human error identification techniques. Safety Science Vol. 47 Iss 7 pp 948-957.
Borodcicz E. P., (2005). Risk, Crisis and Security Management. John Wiley and Sons, Chichester, England.
Benner Jr., I., (1975). Accident investigations: Multilinear events sequencing methods. Journal of Safety Research Vol. 7 Iss 2 pp 567-574.
Booth R., (2011). How hindsight bias distorts history. http://www.hastam.co.uk/wp/wp-content/uploads/2014/06/hindsight-bias-short-01-2012.pdf. Accessed 17 November 2015.
Cheng C-W., Yao H., and Wu T-C., (2013). Applying data mining techniques to analyse the causes of major occupational accidents in the petrochemical industry. Journal of Loss Prevention in the Process Industries. Vol. 26 Iss 6 pp 1269-1278.
Cousins C., (2002). Getting to the “truth”: Issues in contemporary qualitative research. Australian Journal of Adult Learning Vol. 42 pp 192-204.
De Massis A., and Kotlar J., (2014). The case study method in family businesses research: Guidelines for qualitative scholarship. Journal of Family Business Strategy Vol. 5 Iss 1 pp 15-29.
Dobson P. J., (2002). Critical realism and informational systems research: Why bother with philosophy? Information Research—An International Electronic Journal Vol. 7 Iss 2 Accessed 22 October 2014.
Erricsson C. A., (2005). Hazard Analysis Techniques for System Safety. John Wiley and Sons, Fredericksburg, Virginia.
Doytchev D. E., and Szwillus G., (2009). Combining task analysis and fault tree analysis for accident and incident analysis: A case study from Bulgaria. Accident Analysis and Prevention Vol. 41 Iss 6 pp 1172-1179.
Gerbec M., (2013). Supporting organisational learning by comparing activities and outcomes of the safety management system. Journal of Loss Prevention in the Process Industries.
Hams-Ringdahl L., (2009). Analysis of safety functions and barriers in accidents. Safety Science Vol. 47 Iss 3 pp 353-363.
HSE (2014a). Accident Investigations in Practice-Part 2. Health and Safety Executive. http://www.hse.gov.uk/chemicals/workshop/accident-investigation-10/accident-investigations2.pdf. Accessed 11th October 2014.
HSE (2014b). Buncefield: Why did it Happen? http://www.hse.gov.uk/comah/buncefield/buncefield-report.pdf. Accessed 20th October 2014.
HSE (2006). The Buncefield incident 11 December 2005- The final report of the major incident investigation board vol.2. http://www.hse.gov.uk/comah/buncefield/miib-final-volume2a.pdf. Accessed 12th November 2015.
HSE (2003). Learning from incidents involving E/E/PE systems: Part 1-Review of Methods and Industry Practice. Health and Safety Executive, Liverpool, England.
HSE (2001). Root causes analysis: Literature review. Research Report 325/2001 Health and Safety Executive, Liverpool, England.
IET (2012). Accident Investigation: Health and Safety Briefing No. 60. The Institution of Engineering and Technology.
Katsakiori P., Sakellaropoulos G., and Manatakis E., (2009). Towards an evaluation of accident investigation models in terms of their alignment with accident investigation causation models. Safety Science Vol. 47 Iss 7 pp 1007-1015.
Konstandinidou M., Nivolianitou Z., Kefalogianni E., and Caroni C., (2011). In-depth analysis of the causal factors of incidents reported in the Greek petrochemical industry. Reliability Engineering and System Safety Vol. 96 Iss 11 pp 1448-1455.
Kontogiannis T., (2012). Modelling patterns of breakdown (or archetypes) of human and organisational processes in accidents using systems dynamics. Safety Science Vol. 50 pp 931-944.
Kim D. S., and Yoon W. C., (2013). An accident causation model for the railway industry: Application of the model to 80 railway accident investigation reports from the UK. Safety Science Vol. 60 pp 57-68.
Krauss S. E., (2005). Research paradigms and meaning making: A primer. The Qualitative Report Vol. 10 pp 758-770.
Lyons M., Adams S., Woloshynowych M., and Vincent C., (2004). Human reliability analysis in healthcare: A review of techniques. International Journal of Risk and Safety in Medicine Vol. 16 pp 223-237.
Mannering F. L., and Bhat C. R., (2014). Analytic methods in accident research: Methodological frontier and future directions. Analytic Methods in Accident Research Vol. 1 pp 1—22.
Martin W. F., and Walters J. B., (2001). Accident investigation techniques. Safety and Health Essentials. Pp 42-54.
MIIB (2008). The Buncefield Incident 11 December 2005: The Final Report of the Major Incident Investigation Board Vol. 1. http://www.buncefieldinvestigation.gov.uk/reports/volume1.pdf. Accessed 10th October 2014.
NRI (2009). NRI MORT User’s Manual: For use with the Management Oversight and Risk Tree Analytical Logic Diagram. The Noordwijk Risk Initiative Foundation, Delft, Netherlands.
NRI (2008). 3CA: Control, Change and Cause Analysis: Investigators Manual 2nd Ed. The Noordwijk Risk Initiative Foundation, Delft, Netherlands.
NRI (2007). ECFA+: Events and Conditional Factors Analysis Manual. The Noordwijk Risk Initiative Foundation, Delft, Netherlands.
Oakley J. S., (2003). Accident Investigation Techniques. American Society of Safety Engineer, Illinois, USA.
Okoh P., and Haugen S., (2014). A study of maintenance-related major accident cases in the 21st Century. Process Safety and Environmental Protection Vol. 92 Iss 4 pp 346-356.
Saleh J. H., Marias K. B., Bakolas E., and Cowlagi R. W., (2010). Highlights from literature on accident causation and system safety: Review of major ideas, current contributions and challenges. Reliability Engineering and System Safety Vol. 95 Iss 11 pp 1105-1116.
Santos-Reyes J., and Beard A. N., (2009). A systematic analysis of the Edge Hill railway accident. Accident Analysis and Prevention Vol. 41 Iss 6 pp 1133-1144.
Santos-Reyes J., Olmos-Pena S., Alvarado-Corona R., and Hernandez-Simon (2009). Applying MORT to the analysis of the Tlahuac incident. Reliability Engineering and System Safety Vol. 94 Iss 10 pp 1557-1556.
Shahrokhi M., and Bernard A., (2010). A development in energy flow/barrier analysis. Safety Science Vol. 48 Iss 5 pp 598-606.
Song W., and Ying W., (2011). Causation analysis of complex system safety accident based on brittle structure collapse theory. Procedia Engineering Vol. 15 Iss pp 365-369.
South Alabama (2014). Strengths and weaknesses of qualitative research. http://www.southalabama.edu/coe/bset/johnson/oh_master/Ch14/Tab14-02.pdf. Accessed 22 October 2014.
Thompson P., (2014). Learning from Disasters. School of the Built Environment, Heriot-Watt University.
TRAC (1995a). Barrier Analysis. The Technical Research and Analysis Centre. Idaho Falls, Idaho, USA.
TRAC (1995b). Events and Causal Factors Analysis. The Technical Research and Analysis Centre. Idaho Falls, USA.
Thwaites P., Smith S. Q.., and Riccomagno E., (2010). Causal analysis with chain event graphs. Artificial Intelligence Vol. 174 Iss 12-13 pp 889-909.
Underwood P., and Waterson P., (2014). Systems thinking, the Swiss Cheese Model and accident analysis: A comparative systemic analysis of the Grayrigg train derailment using the ATSB, AcciMap and STAMP models. Accident Analysis and Prevention, Volume 68 pp 75-94.
Underwood P., and Waterson P., (2013). Systemic accident analysis: Examining the gap between research and practice. Accident Analysis and Prevention Vol. 55 pp 154-164.
USDoE (1992). Root Cause Analysis Guidance Document. United States Department of Energy, Washington D.C, USA.
Vestrucci P., (2013). On the “post-dictive” use of the fault tree method for accident investigation in aid of judicial procedures. Safety Science Vol. 53 Iss pp 240-247.
Sharma R. K., Gurjar B. R., Wate S. R., Ghuge S. P., and Agrawal R., (2013). Assessment of accidental vapour cloud explosion: Lessons from Indian Oil Corporation Ltd accident at Jaipur, India. Journal of Loss prevention in the Process Industries Vol. 26 Iss 1 pp 82-90.
Stoop J., and Roed-Larsen S., (2009). Public safety investigations-A new evolutionary step in safety enhancement? Reliability Engineering and System Safety Vol. 94 Iss 9 pp 1471-1479.
Zhu Y., Qian X., Liu Z., Huang P., and Yuan M., (2015). Analysis and assessment of Qingdao oil vapour explosion accident: Lessons learnt. Journal of Loss Prevention in the Process Industries Vol. 33 pp 289-303.
Attwood D., Khan F., and Veitch B., (2006). Occupational accident models-Where have we been and where are we going? Journal of Loss Prevention in the Process Industries Vol. 19 pp 664-682.
Hovden J., Albrechtsen E., and Herrera A., (2008). Is there a need for new theories, models and approaches to occupational accident prevention? Safety Science Vol. 48 Iss 8 pp 950-956.
Hollnagel E., (2004). Barriers and Accident Prevention. Ashgate, Aldershot, United Kingdom.
Johansen I. L., and Rausand M., (2015). Barrier management in the offshore oil and gas industry. Journal of Loss Prevention in the Process Industries Vol. 34 Iss pp 49-55.
Johnson C. W., (2003). Failure in Safety-critical Systems: A Handbook of Accident and Incident Reporting. University of Glasgow Press, Glasgow, Scotland.
Leveson S., (2004). A new accident model for engineering safer systems. Safety Science Vol. 42 Iss pp 237-270.
Lundberg J., Rollenhagen C., and Hollnagel E., (2010). What you find is not always what you fix-How aspects other than causes of accidents decide recommendations for remedial actions. Accident Analysis and Prevention Vol. 42 Iss pp 2132-2139.
Sklet S., (2005). Safety Barriers in Oil and Gas Platforms: Means to Prevent Hydrocarbons Releases. Norwegian University of Science and Technology, Trondheim, Norway.
Svenson O., Lekberg A., and Johansson A. E. L., (1999). On perspective, expertise and differences in accident analysis: Arguments for a multi-disciplinary integrated approach. Ergonomics Vol. 42 Iss 11 pp 1561-1571.
MORT Reference Code
Where a problem is found
Issue resolved satisfactorily
Relevant issue but with scarce information for proper assessment
- Explosion at Buncefield Tank Farm
Potentially Harmful Energy Flow or Environmental Condition
-Flow of petrol to tank 912 and overflow to the ground
-Flow of petrol vapour to the air
SA1 SB1 a1
-Vaporised petrol to the air
SA1 SB1 a1 b1
Control of Non-functional Energy
SA1 SB1 a1 b2
-Due to unknown dynamics and scope of the flow of energy, control of vapour flow into the atmosphere was impracticable
SA1 SB1 a2
-Kinetic energy to storage tank 912
SA1 SB1 a2 b3
Control of Use LTA
-A number of controls in place both administrative and design linked but all proved defective on the day of the accident
SA1 SB1 a2 b4
-Installed capacity for diversion but failures meant the functionality was not used. There was inattention by staff in that it took several hours for it to be realised that energy was flowing in the wrong direction. No one had the experience to connect the other signs that were happening to decipher problems that were happening.
SA1 SB1 a2 b4 c1
Control of Functional Energy LTA
-All known controls not working. Tank filling gauging alarm was not working, overflow shut off, procedure for monitoring, the computer system and management function were either below the required standard or poorly installed
SA1 SB1 a2 b4 c1
Diversion of functional Energy LTA
It took several hours for operational staff to pick up the loss of control of functional energy, and nothing was done until it was too late. When diversion was eventually attempted, the supervisor opened the wrong valve, in the process exacerbating the issue with the wrong flow of functional energy.
Vulnerable People or Objects
-Tank delivery drivers
-Control room operators
- Various groups and objects were all subject to different types of hazards from the site, some more significantly than others. Notable key hazards included fire, flying debris from the explosion, smoke, particulates, and polluted water.
SA1 SB2 a1
Non-functional People or Objects
-Neighbouring business premises, equipment and cars
-Residents of neighbouring communities
-Commuters on the M1
Mainly from the fire and smoke as well as particulates, polluted water, chemical residue and other noxious gases from combustion of petrol and the products in burning buildings and other physical products.
SA1 SB2 a1 b1
Physical barriers, work processes and systems as well as organisational culture and management were all defective.
SA1 SB2 a1 b2
-Some scope for physical control as well as the use of processes and systems might have helped though the exact extent to which or how effective they would have been needs investigation
SA1 SB2 a2
Functional People or Objects
-Control room operators
-Tank delivery drivers
There were oversights, omissions and loss of control on the part of the former (Control room operators) and oversights on the part of the tank delivery drivers
SA1 SB2 a2 b3
Control of Exposure LTA
-A number of physical barriers, systems and processes in place albeit defective
SA1 SB2 a2 b4
Evasive Action LTA
By the time it was realised there was the wrong flow, it was too late for evasive action to be taken. Indeed tens of thousands of petrol had overflowed onto the ground and dispersed to the air.
SA1 SB2 a2 b4 c1
Means of Evasion LTA
-Shut-off valve and system to divert inflow to another pipeline. Diversion to another pipeline was not attempted till much later.
SA1 SB2 a2 b4 c2
-Evasion was practicable
Barriers and Controls LTA
-Physical, process and administrative: all however were either ineffective or defective
SA1 SB3 SC1
Control of work and process LTA
-Some satisfactory others woefully inadequate. Logging of faults and near misses was inadequate
SA1 SB3 SC1 SD1
Technical Information Systems LTA
-Failed, and not properly maintained or installed properly
SA1 SB3 SC1 SD1 a1
Technical Information LTA
SA1 SB3 SC1 SD1 a1 b1
-Gaps in some key areas
SA1 SB3 SC1 SD1 a1 b1 c1
Based on Existing Knowledge
SA1 SB3 SC1 SD1 a1 b1 c1 d1
Application of Codes and Manuals, LTA
SA1 SB3 SC1 SD1 a1 b1 c1 d2
List of Experts LTA
-None seen in the evidence reviewed, presumption is there wasn’t one.
SA1 SB3 SC1 SD1 a1 b1 c1 d3
Local Knowledge LTA
Possible case of oversight as no modelling had picked up the potential of local conditions contributing to the formation of a vapour cloud
SA1 SB3 SC1 SD1 a1 b1 c1 d4
Solution Research LTA
SA1 SB3 SC1 SD1 a1 b1 c2
If there was no known precedent
SA1 SB3 SC1 SD1 a1 b1 c2 d5
Previous investigation and analysis LTA
-Some had been undertaken in the form of audit. But no evidence seen of previous incidents and near misses being properly investigated and documented
SA1 SB3 SC1 SD1 a1 b1 c2 d6
-Loss of control
SA1 SB3 SC1 SD1 a1 b2
Communication of Knowledge LTA
-Broken internal and external communication frameworks especially for contractors, regulatory authorities and employees
SA1 SB3 SC1 SD1 a1 b2 c3
Internal Communication LTA
-A number of deficiencies
SA1 SB3 SC1 SD1 a1 b2 c3 d7
Internal Network Structure LTA
SA1 SB3 SC1 SD1 a1 b2 c3 d8
Operation of Internal Network LTA
SA1 SB3 SC1 SD1 a1 b2 c4
Was the external communication LTA?
SA1 SB3 SC1 SD1 a1 b2 c4 d9
External Network Definition LTA
SA1 SB3 SC1 SD1 a1 b2 c4 d10
External Network Operation LTA
SA1 SB3 SC1 SD1 a2
Data Collection LTA
-Logging of previous faults and near misses not
SA1 SB3 SC1 SD1 a2 b3
Monitoring Plan LTA
SA1 SB3 SC1 SD1 a2 b4
Independent Review LTA
-Done but recommendations not effected
SA1 SB3 SC1 SD1 a2 b5
Use of Previous Accident/Incident Information LTA
-No previous comparable accidents
SA1 SB3 SC1 SD1 a2 b6
Learning from employee/contractor's personnel experience LTA
SA1 SB3 SC1 SD1 a2 b7
Were routine inspections of the work/process LTA
-Inspections existent but not routine
SA1 SB3 SC1 SD1 a2 b8
Upstream Audits LTA
SA1 SB3 SC1 SD1 a2 b9
Health Monitoring LTA
SA1 SB3 SC1 SD1 a3
Data Analysis LTA
SA1 SB3 SC1 SD1 a3 b10
Priority Problem List LTA
-Non-existent, logging of problems was poor
SA1 SB3 SC1 SD1 a3 b11
Statistics and Risk projection LTA
-Done for some but not the key catastrophic risks linked to the accident
SA1 SB3 SC1 SD1 a3 b12
Status Display LTA
SA1 SB3 SC1 SD1 a4
Triggers to Risk Analysis LTA
SA1 SB3 SC1 SD1 a4 b13
SA1 SB3 SC1 SD1 a4 b14
Priority Problem Fixes LTA
SA1 SB3 SC1 SD1 a4 b15
Planned Change Controls LTA
-Not smoothly executed
SA1 SB3 SC1 SD1 a4 b16
Unplanned Change Controls LTA
SA1 SB3 SC1 SD1 a4 b17
New Information use LTA
SA1 SB3 SC1 SD1 a5
Independent Audit and Appraisal LTA
SA1 SB3 SC1 SD2
Operational Readiness LTA
SA1 SB3 SC1 SD2 a1
Verification of Operational Readiness LTA
SA1 SB3 SC1 SD2 a1 b1
Did not Specify Check
-For some areas, yes
SA1 SB3 SC1 SD2 a1 b2
Readiness Criteria LTA
SA1 SB3 SC1 SD2 a1 b3
Verification Procedure LTA
SA1 SB3 SC1 SD2 a1 b4
-Inadequacies in some areas
SA1 SB3 SC1 SD2 a1 b5
SA1 SB3 SC1 SD2 a2
Technical Support LTA
SA1 SB3 SC1 SD2 a3
Interface between Operations and Maintenance or Testing Activities LTA
SA1 SB3 SC1 SD2 a4
SA1 SB3 SC1 SD3
Not regular, not well documented, corrective action not followed up
SA1 SB3 SC1 SD3 a1
Planning Process LTA
SA1 SB3 SC1 SD3 a1 b1
Specification of Plan LTA
SA1 SB3 SC1 SD3 a1 b1 c1
Maintainability (Inspect-ability) LTA
-Possible but not done
SA1 SB3 SC1 SD3 a1 b1 c2
Completeness of the Plan LTA
SA1 SB3 SC1 SD3 a1 b1 c3
-Not thought through
SA1 SB3 SC1 SD3 a1 b1 c4
SA1 SB3 SC1 SD3 a1 b1 c5
SA1 SB3 SC1 SD3 a1 b2
Analysis of Failures LTA
-Oversights, inadequacies and poor planning and supervision
SA1 SB3 SC1 SD3 a2
SA1 SB3 SC1 SD3 a2 b3
"Point of Operation" Log LTA
SA1 SB3 SC1 SD3 a2 b4
Failure caused by maintenance (inspection) activity
SA1 SB3 SC1 SD3 a2 b5
SA1 SB3 SC1 SD3 a2 b6
Task Performance Errors
SA1 SB3 SC1 SD4
SA1 SB3 SC1 SD4 a1
Planning Process LTA
SA1 SB3 SC1 SD4 a1 b1
Specification of Plan LTA
SA1 SB3 SC1 SD4 a1 b1 c1
Maintainability (Inspect-ability) LTA
SA1 SB3 SC1 SD4 a1 b1 c2
Completeness of the Plan LTA
SA1 SB3 SC1 SD4 a1 b1 c3
SA1 SB3 SC1 SD4 a1 b1 c4
-Some fairly good
SA1 SB3 SC1 SD4 a1 b1 c5
SA1 SB3 SC1 SD4 a1 b2
Analysis of Failures LTA
SA1 SB3 SC1 SD4 a2
SA1 SB3 SC1 SD4 a2 b3
"Point of Operation" Log LTA
SA1 SB3 SC1 SD4 a2 b4
Failure caused by maintenance (inspection) activity
SA1 SB3 SC1 SD4 a2 b5
SA1 SB3 SC1 SD4 a2 b6
Task Performance Errors
SA1 SB3 SC1 SD5
Supervision & Staff Performance LTA
SA1 SB3 SC1 SD5 a1
SA1 SB3 SC1 SD5 a2
Continuity of Supervision LTA
SA1 SB3 SC1 SD5 a3
Detection/Correction of Hazards LTA
SA1 SB3 SC1 SD5 a3 b1
Detection of Hazards LTA
SA1 SB3 SC1 SD5 a3 b1 c1
SA1 SB3 SC1 SD5 a3 b1 c2
Detection Plan LTA
SA1 SB3 SC1 SD5 a3 b1 c2 d1
Logs and Diagrams LTA
-Existent but not used
SA1 SB3 SC1 SD5 a3 b1 c2 d2
Supervisor's Monitor Plan LTA
SA1 SB3 SC1 SD5 a3 b1 c2 d3
Review of Changes LTA
- Not seen
SA1 SB3 SC1 SD5 a3 b1 c2 d4
Did not Relate to Prior Events
SA1 SB3 SC1 SD5 a3 b1 c3
SA1 SB3 SC1 SD5 a3 b1 c4
Workforce Input LTA
SA1 SB3 SC1 SD5 a3 b2
Correction of Hazards LTA
SA1 SB3 SC1 SD5 a3 b2 c5
Inter-departmental Co-ordination LTA
SA1 SB3 SC1 SD5 a3 b2 c6
SA1 SB3 SC1 SD5 a3 b2 c7
Did not Correct in Time
SA1 SB3 SC1 SD5 a3 b2 c7 d5
SA1 SB3 SC1 SD5 a3 b2 c7 d6
-possible but difficult to decide
SA1 SB3 SC1 SD5 a3 b2 c7 d7
SA1 SB3 SC1 SD5 a3 b2 c8
SA1 SB3 SC1 SD5 a3 b2 c9
Supervisor Judgment LTA
SA1 SB3 SC1 SD5 a4
SA1 SB3 SC1 SD5 a4 b3
Task Performance Errors
SA1 SB3 SC1 SD5 a4 b3 c10
Task Assignment LTA
SA1 SB3 SC1 SD5 a4 b3 c11
Task-specific Risk Assessment not performed
SA1 SB3 SC1 SD5 a4 b3 c11 d8
High Potential not Identified
SA1 SB3 SC1 SD5 a4 b3 c11 d8 e1
Task Analysis not Required
SA1 SB3 SC1 SD5 a4 b3 c11 d8 e2
Task Analysis LTA
SA1 SB3 SC1 SD5 a4 b3 c11 d8 e3
Task Analysis not made
SA1 SB3 SC1 SD5 a4 b3 c11 d8 e3 f1
SA1 SB3 SC1 SD5 a4 b3 c11 d8 e3 f2
SA1 SB3 SC1 SD5 a4 b3 c11 d8 e3 f3
SA1 SB3 SC1 SD5 a4 b3 c11 d8 e3 f4
Supervisor Judgment LTA
SA1 SB3 SC1 SD5 a4 b3 c11 d9
SA1 SB3 SC1 SD5 a4 b3 c12
Task-specific Risk Assessment LTA
-Done but risk framework not always followed
SA1 SB3 SC1 SD5 a4 b3 c12 d10
Task-specific Risk Analysis LTA
SA1 SB3 SC1 SD5 a4 b3 c12 d10 e4
-Seems to have been lacking
SA1 SB3 SC1 SD5 a4 b3 c12 d10 e4 f5
Use of Workers' Suggestions and Inputs LTA
SA1 SB3 SC1 SD5 a4 b3 c12 d10 e4 f6
Technical Information Systems LTA
SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5
SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 f7
-Not a significant factor
SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 f8
-Presumed to have been tight
SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 f9
SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 f10
Analytical Skill LTA
SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 f11
Hazard Selection LTA
SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 f11 g1
Hazard Identification LTA
SA1 SB3 SC1 SD5 a4 b3 c12 d10 e5 f11 g2
Hazard Prioritization LTA
SA1 SB3 SC1 SD5 a4 b3 c12 d11
Recommended Risk Controls LTA
SA1 SB3 SC1 SD5 a4 b3 c12 d11 e6
-Followed good practice
SA1 SB3 SC1 SD5 a4 b3 c12 d11 e7
-Close but significant departure from good practice
SA1 SB3 SC1 SD5 a4 b3 c12 d11 e8
Testing of control LTA
SA1 SB3 SC1 SD5 a4 b3 c12 d11 e9
Directive to Use LTA
SA1 SB3 SC1 SD5 a4 b3 c12 d11 e10
SA1 SB3 SC1 SD5 a4 b3 c12 d11 e11
-No, designed for specific contents; could have been effective in use in others
SA1 SB3 SC1 SD5 a4 b3 c12 d11 e12
Use not Mandatory
SA1 SB3 SC1 SD5 a4 b3 c13
Pre-task Briefing LTA
SA1 SB3 SC1 SD5 a4 b3 c14
Fit between Task Procedures and actual Situation LTA
SA1 SB3 SC1 SD5 a4 b3 c15
Personnel Performance Discrepancy
SA1 SB3 SC1 SD5 a4 b3 c15 d12
Personnel Selection LTA
-Showed significant problems
SA1 SB3 SC1 SD5 a4 b3 c15 d12 e13
SA1 SB3 SC1 SD5 a4 b3 c15 d12 e14
SA1 SB3 SC1 SD5 a4 b3 c15 d13
SA1 SB3 SC1 SD5 a4 b3 c15 d13 e15
SA1 SB3 SC1 SD5 a4 b3 c15 d13 e16
Criteria Training LTA
SA1 SB3 SC1 SD5 a4 b3 c15 d13 e17
SA1 SB3 SC1 SD5 a4 b3 c15 d13 e18
Trainer Skills LTA
SA1 SB3 SC1 SD5 a4 b3 c15 d13 e19
SA1 SB3 SC1 SD5 a4 b3 c15 d14
Consideration of Deviations LTA
-Poor and weak systems and frameworks
SA1 SB3 SC1 SD5 a4 b3 c15 d14 e20
SA1 SB3 SC1 SD5 a4 b3 c15 d14 e21
-Few and far between
SA1 SB3 SC1 SD5 a4 b3 c15 d14 e22
Supervisor Observation LTA
SA1 SB3 SC1 SD5 a4 b3 c15 d14 e23
Supervisor Correction LTA
SA1 SB3 SC1 SD5 a4 b3 c15 d14 e23 f12
SA1 SB3 SC1 SD5 a4 b3 c15 d14 e23 f13
SA1 SB3 SC1 SD5 a4 b3 c15 d15
Employee Motivation LTA
-Poor, loads of stress placed on employees
SA1 SB3 SC1 SD5 a4 b3 c15 d15 e24
Leadership & Examples LTA
SA1 SB3 SC1 SD5 a4 b3 c15 d15 e25
SA1 SB3 SC1 SD5 a4 b3 c15 d15 e26
Correct Performance is Punished
SA1 SB3 SC1 SD5 a4 b3 c15 d15 e27
Incorrect Performance is Rewarded
SA1 SB3 SC1 SD5 a4 b3 c15 d15 e28
Job Interest Building LTA
SA1 SB3 SC1 SD5 a4 b3 c15 d15 e29
Group Norms Conflict
SA1 SB3 SC1 SD5 a4 b3 c15 d15 e30
Obstacles Prevent Performance
SA1 SB3 SC1 SD5 a4 b3 c15 d15 e31
SA1 SB3 SC1 SD5 a4 b3 c15 d15 e31 f15
[Conflict] with Supervisor
SA1 SB3 SC1 SD5 a4 b3 c15 d15 e31 f16
[Conflict] with Others
SA1 SB3 SC1 SD5 a4 b3 c15 d15 e31 f17
SA1 SB3 SC1 SD5 a4 b3 c15 d15 e32
General Motivation Program LTA
SA1 SB3 SC1 SD5 a4 b4
Performance Errors in unrelated tasks
SA1 SB3 SC1 SD5 a4 b4 c16
SA1 SB3 SC1 SD5 a4 b4 c17
SA1 SB3 SC1 SD5 a4 b5
Emergency Shut-off Performance Errors
SA1 SB3 SC1 SD5 a4 b5 c18
Task Performance Errors
SA1 SB3 SC1 SD5 a4 b5 c19
Unrelated Task Errors
SA1 SB3 SC1 SD6
Support of Supervisors LTA
SA1 SB3 SC1 SD6 a1
Help and Training LTA
SA1 SB3 SC1 SD6 a2
Research and Fact-Finding LTA
SA1 SB3 SC1 SD6 a3
Information Exchange LTA
SA1 SB3 SC1 SD6 a4
Standards and Directives LTA
SA1 SB3 SC1 SD6 a5
SA1 SB3 SC1 SD6 a5 b1
SA1 SB3 SC1 SD6 a5 b2
Access to Expertise LTA
SA1 SB3 SC1 SD6 a5 b3
Access to Equipment & Materials LTA
SA1 SB3 SC1 SD6 a5 b4
Coordination of Resources LTA
SA1 SB3 SC1 SD6 a6
Deployment of Resources LTA
SA1 SB3 SC1 SD6 a7
Referred Risk Response LTA
SA1 SB3 SC2
-Physical and non-physical
SA1 SB3 SC2 a1
On the Energy Source
SA1 SB3 SC2 a1 b1
Barriers None Possible
SA1 SB3 SC2 a1 b2
SA1 SB3 SC2 a1 b3
Did not Use
SA1 SB3 SC2 a1 b3 c1
Did not Provide
SA1 SB3 SC2 a1 b3 c2
Task Performance Error
SA1 SB3 SC2 a2
Between energy source and target
SA1 SB3 SC2 a3
On Persons or Objects
SA1 SB3 SC2 a4
Separate Time and distance
Events and Energy Flows Leading to Accident/Incident
SA1 SB4 SC3
Barriers and Controls LTA
-Some good others bad
SA1 SB4 SC4
-To functional and non-functional areas
Stabilization & Restoration LTA
Prevention of Follow-up Accidents
SA2 a1 b1
SA2 a1 b2
Execution of Plan LTA
SA2 a1 b2 c1
Notification LTA (Trigger)
SA2 a1 b2 c2
Training and Experience LTA
SA2 a1 b2 c3
Personnel and/or Equipment Changes
SA2 a1 b2 c4
SA2 a1 b2 c5
Task Performance Errors
SA2 a1 b2 c6
Emergency Action (Firefighters, etc.) LTA
Rescue and Salvage LTA
Medical Services LTA
Dissemination of Information LTA
Restoration and Rehabilitation LTA
SA2 a6 b3
Operational Continuity LTA
SA2 a6 b4
SA2 a6 b5
SA2 a6 b6
Management System Factors LTA
Implementation of Policy LTA
Planning Process LTA
MA2 a1 b1
Specification of Plan LTA
MA2 a1 b1 c1
Methods, Criteria, Analyses LTA
MA2 a1 b1 c2
Specification of Responsibilities LTA
MA2 a1 b1 c2 d1
Definition of Line-responsibility LTA
MA2 a1 b1 c2 d2
Staff Responsibility LTA
MA2 a1 b1 c2 d3
Task Assignment LTA
MA2 a1 b1 c3
MA2 a1 b1 c4
MA2 a1 b1 c5
Communication Plan LTA
MA2 a1 b1 c5 d4
Information Flow LTA
MA2 a1 b1 c5 d5
Guidance and Directives LTA
MA2 a1 b2
Use of Feedback LTA
Execution of Policy Implementation Plan LTA
MA2 a2 b3
MA2 a2 b4
MA2 a2 b4 c6
MA2 a2 b4 c7
MA2 a2 b4 c8
Task Performance Errors
MA2 a2 b5
Practical Support LTA
MA2 a2 b6
Time and Budget LTA
MA2 a2 b7
MA2 a2 b8
Risk Management System LTA
Risk Management Policy LTA
Implementation of Risk Management Policy LTA
Risk Analysis Process LTA
MA3 MB3 a1
Concepts and Requirements LTA
MA3 MB3 a1 b1
Technical Information System LTA
MA3 MB3 a1 b2
Definition of Goals and tolerance Risks LTA
MA3 MB3 a1 b2 c1
ES&H Goals and Risks not defined
MA3 MB3 a1 b2 c2
Performance Goals and Risks not defined
MA3 MB3 a1 b3
Risk Analysis Criteria LTA
MA3 MB3 a1 b3 c3
MA3 MB3 a1 b3 c4
Change Analysis LTA
MA3 MB3 a1 b3 c5
Other Analytical Methods LTA
MA3 MB3 a1 b3 c6
Scaling Mechanism LTA
MA3 MB3 a1 b3 c7
Required Alternatives LTA
MA3 MB3 a1 b3 c8
Solution Precedence Sequence LTA
MA3 MB3 a1 b4
Criteria for Procedures LTA
MA3 MB3 a1 b5
Specification of Requirements LTA
MA3 MB3 a1 b3 c9
MA3 MB3 a1 b3 c10
Statutory codes and regulations
MA3 MB3 a1 b3 c11
Requirements of other National and International codes and standards
MA3 MB3 a1 b3 c12
Local Codes and Bylaws
MA3 MB3 a1 b3 c13
MA3 MB3 a1 b6
Information Search LTA
MA3 MB3 a1 b7
Life Cycle Analysis LTA
MA3 MB3 a1 b7 c14
MA3 MB3 a1 b7 c15
Analysis of Environmental Impact LTA
MA3 MB3 a1 b7 c16
Requirement for Life Cycle Analysis LTA
MA3 MB3 a1 b7 c17
Extended Use Analysis LTA
MA3 MB3 a2
Design and Development LTA
MA3 MB3 a2 b8
Energy Control LTA
MA3 MB3 a2 b8 c18
MA3 MB3 a2 b8 c19
Limitation of Energy LTA
MA3 MB3 a2 b8 c20
Automatic Controls LTA
MA3 MB3 a2 b8 c21
MA3 MB3 a2 b8 c22
Manual Controls LTA
MA3 MB3 a2 b8 c23
Safe Energy Release LTA
MA3 MB3 a2 b8 c24
Controls and Barriers LTA
MA3 MB3 a2 b9
Human Factors (Ergonomics) Review LTA
MA3 MB3 a2 b9 c25
Professional HF Skills LTA
MA3 MB3 a2 b9 c26
Task Analysis LTA
MA3 MB3 a2 b9 c27
Allocation Human/Machine Tasks LTA
MA3 MB3 a2 b9 c28
Did not Establish Human Task Requirements
MA3 MB3 a2 b9 c28 d1
Did not Define Users
MA3 MB3 a2 b9 c28 d2
Design of Displays LTA
MA3 MB3 a2 b9 c28 d3
MA3 MB3 a2 b9 c28 d4
Design of Controls LTA
MA3 MB3 a2 b9 c29
Did not Predict Errors
MA3 MB3 a2 b10
Inspection Plan LTA
MA3 MB3 a2 b11
Maintenance Plan LTA
MA3 MB3 a2 b12
MA3 MB3 a2 b13
MA3 MB3 a2 b14
Specification of Operational Readiness LTA
MA3 MB3 a2 b14 c30
Test and Qualification LTA
MA3 MB3 a2 b14 c31
[Specification of] Supervision LTA
MA3 MB3 a2 b14 c32
Task Procedures LTA
MA3 MB3 a2 b14 c32 d5
Match to Hardware Change LTA
MA3 MB3 a2 b14 c32 d6
Match to Users LTA
MA3 MB3 a2 b14 c32 d7
Match to Task and Equipment LTA
MA3 MB3 a2 b14 c32 d8
Emergency Provisions LTA
MA3 MB3 a2 b14 c32 d9
Cautions and Warnings LTA
MA3 MB3 a2 b14 c32 d10
Task Sequence LTA
MA3 MB3 a2 b14 c32 d11
MA3 MB3 a2 b14 c32 d12
Communications Interfaces LTA
MA3 MB3 a2 b14 c32 d13
Specification of Work Conditioning LTA
MA3 MB3 a2 b14 c33
Personnel Selection LTA
MA3 MB3 a2 b14 c34
Personnel Training and Qualification LTA
MA3 MB3 a2 b14 c35
Personnel Motivation LTA
MA3 MB3 a2 b14 c36
Monitor Points LTA
MA3 MB3 a2 b15
Emergency Shutdown Provision LTA
MA3 MB3 a2 b16
Contingency Planning LTA
MA3 MB3 a2 b17
Disposal Planning LTA
MA3 MB3 a2 b18
MA3 MB3 a2 b19
Configuration Control LTA
MA3 MB3 a2 b20
Documentation Control LTA
MA3 MB3 a2 b21
Fast Action Cycle LTA
MA3 MB3 a2 b22
Design Acceptance and Change Control Processes LTA
MA3 MB3 a2 b22 c37
Code Compliance Verification LTA
MA3 MB3 a2 b22 c38
Engineering Studies LTA
MA3 MB3 a2 b22 c39
Standardization of Parts LTA
MA3 MB3 a2 b22 c40
Design Description LTA
MA3 MB3 a2 b22 c41
Acceptance Criteria LTA
MA3 MB3 a2 b22 c42
Development and Qualification Testing LTA
MA3 MB3 a2 b22 c43
Change Review Procedure LTA
MA3 MB3 a2 b22 c44
Reliability and Quality Assurance LTA
Risk Management Assurance Programme LTA
MA3 MB4 a1
Definition of Aims and Policy LTA
MA3 MB4 a2
Programme Scope LTA
MA3 MB4 a3
MA3 MB4 a4
Assurance Programme Organization LTA
MA3 MB4 a4 b1
Risk Management Assurance Staff Performance LTA
MA3 MB4 a4 b2
Management Committees LTA
MA3 MB4 a4 b3
Organisation for Improvement LTA
MA3 MB4 a5
Assurance Programme Services LTA
MA3 MB4 a6
Review of Risk Management System LTA