The Weekly Reflektion Week 08/2021
The Swiss cheese model of accident causation was developed by Dante Orlandella and James Reason at the University of Manchester. The model describes a series of barriers that prevent hazards becoming Major Accidents. The barriers are likened to slices of swiss cheese since they have holes that can let the hazards through.
Do you understand the distinction between active failures and latent conditions and how these may lead to disaster?
The Swiss cheese model of accident causation is used in risk analysis and barrier management and describes a ‘defence in depth’ approach to prevent hazards leading to undesired events and in particular Major Accidents. The barriers are not 100 percent effective all the time and the holes in the barriers can be attributed to active failures and latent conditions. Active failures are the technical, operational and/or organisational actions or acts that are directly related to the incident. The latent conditions are the faults and failures that have lain dormant and are just waiting for the right conditions and circumstances to contribute to an accident. The fire and explosion of the Mumbai High North oil production platform on 27th July 2005 is a tragic example of active failures and latent conditions leading to a disaster.
The Mumbai High North platform was a processing facility supported on a steel jacket and part of a four-platform complex. Export oil and gas risers and gas-lift risers were installed on the platform. In July 2005, a multipurpose support vessel (MSV), the Samundra Suraksha, was completing a diving campaign when a crewmember was injured. The cook had cut off the tips of two fingers. The weather conditions were not suitable for a helicopter transfer due to the forecast of monsoon rains and high winds. The Mumbai High complex had medical facilities to treat the person, so preparations were made to transfer the cook to the platform by personal basket.
The crane on the leeward side of the platform was out of service (active failure 1) so the master of the MSV asked to approach on the windward side. This was not in accordance with procedures (active failure 2). The MSV was a class DP2 vessel and had three modes of operation, DP, manual and emergency. As the vessel approached the platform the master noticed that the starboard azimuth thruster was sluggish. The master decided to continue the approach and put the DP system into emergency mode (active failure 3). In emergency mode the thrusters are activated by push buttons. The cook was successfully transferred however as the MSV moved away from the platform a large heave caused the MSV to hit the platform. The helideck of the MSV ruptured one or more of the gas-lift risers (latent condition 1) and the gas ignited almost immediately. The resulting fire spread to adjacent risers that had no passive fire protection (latent condition 2). These also ruptured and the oil and gas contributed to the fire. Emergency valves in the some of the pipelines failed to isolate the hydrocarbons (active failure 4). The Mumbai High North Platform was destroyed, and 22 people died.
How do you prevent active failures that punch holes in your barriers? How do you find the latent conditions that are holes in your barriers? If you can’t answer these questions you may be on the way to disaster.
Thanks to Ole Martin Dahle for his input to this Reflektion. We are always interested in hearing about Major Accidents and of course how we can learn from them.