Push Button, Automatic

More on the Macondo Block Oil Spill – Often it’s not how long until the operator shuts down, it’s whether they chose to shut down at all
More and more information is leaking out (pardon the pun) from the Macondo block oil spill in the Gulf of Mexico last year. One of the better summaries recently comes courtesy of the New York Times.
http://www.nytimes.com/2010/12/26/us/26spill.html?scp=1&sq=bp%20alarm&st=cse
Just like on Piper Alpha, the evacuation alarm wasn’t sounded.
It’s worth looking at the testimony from the operator in the control room at the time (you can read the full article at the link above).
From the New York Times:
Ms. Fleytas, 23, had graduated from maritime school in 2008 and had only been on the Horizon for 18 months. This was her first well-control emergency. But she had been trained, she said, to immediately sound the general master alarm if two or more sensors detected gas. She knew it had to be activated manually. She also knew how important it was to get crew members out of spaces filled with gas.
Yet with as many as 20 sensors glowing magenta on her console, Ms. Fleytas hesitated. She did not sound the general master alarm. Instead she began pressing buttons that told the system that the bridge crew was aware of the alarms.
“It was a lot to take in,” she testified. “There was a lot going on.”
Her boss, Yancy Keplinger, was also on the bridge. The alarms, in addition to flashing magenta, were making a warning sound. Mr. Keplinger said he kept trying to silence the alarms so he could think about what to do next. “I don’t think anybody was trained for the massive detectors that were going off that night,” he said.
Ms. Fleytas said it never occurred to her to use the emergency shutdown system. In any event, she explained, she had not been taught how to use it. “I don’t know of any procedures,” she said.
There are two interesting issues that I’d like to discuss in this entry. The first is the decision to disable the automated alarm and replace it with a manually initiated function. The second is the pressures on the person performing that manual action.
Fire and gas alarms are notorious for false alarms, particularly offshore. There is also a lack of real guidance as to ‘best practice’. Standards for safety systems or alarm handling often consider alarms in the ‘preventative’ layers of the safety ‘onion’, but seldom consider alarms in the ‘mitigation’ layer.
Transocean appears to have removed the automated alarm, replacing it with a human ‘component’ rather than addressing the root cause of the false alarms. What they presumably wanted from this change was a human ‘sticking plaster’ to cover an engineering and design problem; what they got was the potential for error and delay.
I fail to see what the design change to remove the automated element was attempting to achieve. If the automated alarm was ‘any two detectors’, then replacing it with a manual button, with an instruction to sound the alarm if any two detectors alarm, is functionally the same. Unless, of course, the implied instruction is that it is, in fact, a judgement call on the part of the operator. Despite the training, I suspect that the implication was to investigate the cause prior to sounding the alarm.
So what of the competence of the operator in charge? When they (presumably) risk-assessed this design change, do you think they considered that the human component in this safety-critical function might have less than 18 months’ experience?
Competence is more than just training or qualifications. Where the big decisions are concerned, experience, knowledge and authority are also key. How many times have we heard that the operator tried to maintain the process or production well past the point at which they were really ‘out of control’ because they failed to appreciate the nature of the problem or because of production (money) or other pressures?
On Piper Alpha, the adjacent platforms maintained production, feeding the fire, because they were reluctant to shut down and lose valuable production; on the flight deck of PLF-101, the Captain may have taken the decision to land under pressure from the Chief of the Air Force and the President of Poland, knowing they would be disciplined if he chose to divert; and on the Deepwater Horizon, the operator may have hesitated to sound the alarm to evacuate the platform due to the pressures on the individual.
All of these decisions were a product of the pressures and culture to which the operator was exposed over the weeks and months leading up to the incident, and all these factors are firmly in the control of the management of the respective organisation.
We need to send the right message to the operator that the decision to shut down safely will be supported and will be backed up. The way we investigate, learn from and publicise safe shutdowns will impact on the decision-making process for future crises. The operator who successfully maintains production by taking risks with production or safety is often lauded by his peers and his management. However, it’s the operator who takes the decision to shut down safely who’s the real hero.
Over to you, what do you think?