GCPS 2013 __________________________________________________________________________

Connecting the Dots Managing the Little Things That Lead to Big
Accidents



Dave Jones
Chevron Energy Technology Company
6001 Bollinger Canyon Road, San Ramon, CA 94583
dwjones@chevron.com


Anne ONeal
Chevron Oronite
6001 Bollinger Canyon Road, San Ramon, CA 94583
anneoneal@chevron.com




Prepared for Presentation at
American Institute of Chemical Engineers
2013 Spring Meeting
9th Global Congress on Process Safety
San Antonio, Texas
April 28 May 1, 2013


UNPUBLISHED


AIChE shall not be responsible for statements or opinions contained
in papers or printed in its publications
GCPS 2013 __________________________________________________________________________

Connecting the Dots Managing the Little Things That Lead to Big
Accidents



Dave Jones
Chevron Energy Technology Company
6001 Bollinger Canyon Road, San Ramon, CA 94583
dwjones@chevron.com


Anne ONeal
Chevron Oronite
6001 Bollinger Canyon Road, San Ramon, CA 94583
anneoneal@chevron.com

Keywords: Major accidents, details, dots, culture

Abstract

Major accidents often result from a failure to attend to seemingly little details. Examples might
include an improperly designed injection point; a procedure that is mostly, but not completely
followed; a small part with the wrong metallurgy; or other design, maintenance or operating
discrepancies. In many cases, system flaws can exist for extended periods of time, detected or
undetected, with little or no consequence. However, on occasion, and with the right initiating
event, they can combine with other system flaws, allowing an unforeseen chain of events to
propagate into a major accident.

This paper will review aggregated information from a range of process safety incidents,
including "subtle" accidents resulting from a series of "little" failures. It will highlight the
management system breakdowns that contributed to the incidents, and examine the complex
interactions among people, process safety systems, and equipment as orchestrated by the overall
organizational culture. The paper will reinforce the concept that an effective process safety
culture is key to "connecting the dots" that, if unchecked, can result in a major accident.

1. Introduction

Following the Piper Alpha tragedy in the North Sea, in which 167 men lost their lives, Dr. Tony
Barrell of the United Kingdom Health and Safety Executive said, I wouldn't put it above or
below other disasters. There is, actually, an awful sameness about these incidents.
1


The awful sameness to which Dr. Barrell refers may reflect an observation that, with rare
exception, all process safety accidents can be described within a common, recurring group of
management system failures. For example, a failure to manage change was a key contributor to
process safety events at Flixborough and Chernobyl, among others.
2
Similarly, the accidents at
GCPS 2013 __________________________________________________________________________
Longford and Grangemouth were attributed to inadequate hazard identification/risk assessment.
2

Permit-to-work systems/safe work practice failures were identified as contributing to the Piper
Alpha and Pasadena Texas (1989) fires and explosions.
2


Clearly, major accidents have multiple management system contributors. The Bhopal tragedy
involved, among other things, breakdowns in hazard identification/risk management,
management of change, asset integrity, incident investigation, process safety competency, and
emergency response.
2
Other events have different combinations of contributing factors.

However, when we evaluate a range of process safety incidents, we find that the management
system failures leading to these events begin to repeat themselves into well defined categories.
The CCPS Guidelines for Risk Based Process Safety
3
represent, in the authors view, the current
best compilation of these categories, often called elements (CCPS elements). The CCPS book
discusses 20 elements altogether, ranging from process safety culture to management review and
continuous improvement and including key areas such as risk analysis, asset integrity and
auditing. For a complete list and comprehensive treatment of these elements, see reference 3.

In this paper we will attempt to show that while the process safety management systems
themselves are relatively simple, their actual application requires attention to innumerable little
things, any one of which has the potential to initiate or propagate a major accident. Identifying
and managing these little things necessitates a combination of big picture thinking and
rigorous attention to detail across all elements of process safety management and all relevant
organizational functions.

2. Little Things That need to be Managed

In this section we will illustrate the dynamic nature and seemingly limitless numbers of details at
work within each of the process safety management systems and highlight some of the
complexities involved in managing them.

2.1 Accident Models

Many accident models have been developed. These include variations on the Swiss Cheese
model, first proposed by James Reason
4
and the Bow Tie model emerging out of European and
UK risk assessment applications. More recently, Nancy Leveson from the Massachusetts
Institute of Technology has proposed the System-Theoretic Accident Model and Process
(STAMP)
5
which attempts to include human error and culture into the accident equation. In the
authors view, all of these models have merit, yet none is perfect. For internal educational
purposes Chevron uses a hybrid model as shown in Figure 1.

It is worth noting that each of the above models characterizes large-scale accidents as a coming
together of multiple system failures. This theme is directly counter to the traditional concept of
double jeopardy which holds that the combined failure of two independent systems is so
unlikely as to not require special consideration. Industry accidents over the last 30 years have
clearly demonstrated the fallacy of a double jeopardy approach to process safety.

GCPS 2013 __________________________________________________________________________
2.2 Dynamic Nature of Process Safety

The Swiss cheese shown in Figure 1 represents basic prevention equipment, engineering
controls, software, human actions, etc. These include facility-specific procedures, training,
protective devices, inspection programs, and design integrity, among others and are the real-
world manifestations of process safety management systems. They are the mechanisms that
actually intercede to stop an accident from starting or propagating.




Driving the effectiveness of the Swiss cheese are the process safety management systems
themselves - the CCPS Elements. Ultimately, the organizational culture as applied to process
safety determines how well the management systems perform. In real time, each component of
this and any other accident model is in constant flux. For example:

The effectiveness of safeguards can change;
o Safety systems can degrade, go untested, be compromised, or improve in
functionality
o Corrosion mechanisms can increase or decrease, or be introduced to previously
unaffected areas
o Procedures and training can vary in effectiveness, depending upon facility
changes
Process safety management systems change;
o Critical controls such as management of change can get overwhelmed, allowing
higher risk changes to sneak through
o Personnel movements can lead to lost understanding of risks, or bring new,
beneficial approaches
o Process safety information can become quickly out of date
Overriding process safety culture can degrade or strengthen with retirements and
reassignments of key personnel, acquisitions or external pressures.
GCPS 2013 __________________________________________________________________________

Given the constant change experienced by each of the above components in the accident chain, it
is clear that process safety can never be viewed as a static condition. There is no milestone that
can be achieved and final victory declared over major accidents. Effective process safety
management approaches all aspects of the accident model with a sense of vulnerability, aware
that one or multiple components may be compromised at any given time. Ongoing diligent
monitoring and continuous improvement are the best defense.

2.3 Management Systems vs. Facility Complexity

The distillation of process safety into 20 key elements can mask the magnitude of the effort
required to prevent major accidents. Given facility complexities, large equipment counts,
variations in administrative controls, and human performance, the potential for flawed execution
within each element is seemingly endless.

As an example, a process safety management system for Asset Integrity and Reliability requires
that safety-critical shutdown systems be identified and tested at prescribed frequencies and
repaired as necessary. Some of the factors that could influence how well this fundamental
requirement is implemented for a specific shutdown system are suggested in Table 1.

Table 1 Factors Potentially Compromising A Specific Shutdown System Integrity
Failure to identify the system as safety critical
System identified but not included in testing program
System not designed to be testable on line
System designed to be mostly testable, except for final control element
System designed to be mostly testable, except for the process connection valves subject to
plugging
Testing poses a potential to shut down or damage the facility
Procedure for testing is complex
Modifications to system design not included in testing procedures
Personnel not trained in testing the system
Shutdown system bypassed during startup and not reactivated
Shutdown system bypassed because of threat of spurious trips
Importance of shutdown system not understood
Software modification altering shutdown system set point
Internal control system failure
Testing poorly documented
Identified non-conformance not acted upon
.ad infinitum


The list in Table 1, which is by no means exhaustive, helps illustrate the challenge in
implementing just one aspect of one process safety management system for one piece of
equipment. Nor does the above list include the human performance or cultural forces that can
affect the viability of the system tests, such as operating distractions or lack of management
emphasis and monitoring. More importantly, any one of the above shortcomings in execution
could become part of a sequence of events ultimately leading to an accident.
GCPS 2013 __________________________________________________________________________

If we began to construct similar facility-specific lists for all the CCPS Elements, applied to the
entire inventory of equipment and activities, a picture would start to emerge of the enormous
variety and complexity of the little things that can degrade process safety and ultimately
contribute to a major accident. We dont have to look too far to find verification that it is these
little things that present the challenge. In July 2000, the crash of the Air France Concorde jet
was attributed to a small strip of titanium that had fallen off another airplane minutes earlier.
6

In 1980 the floating dormitory for North Sea oil workers Alexander Keilland sank, killing 123
people, when a cracked strut failed. A shipyard painter had painted over the crack during
maintenance so it went undetected.
6
Similarly, one link in the accident chain that caused the
Ocean Ranger drill ship to go down in 1982 off the coast of Newfoundland, killing 54 people on
board, was the failure of small glass porthole window allowing seawater to enter the ballast
control room.
6


2.4 Picture the Dots

If we were to graph the relationships among the management systems and the little things
ultimately precipitating an accident, they might look like Figure 2.

PS
Mgmt
Sys X
PS
Mgmt
Sys Y
PS
Mgmt
Sys Z
PS
Mgmt
Sys N
E
q
u
i
p
m
e
n
t

a
n
d

A
c
t
i
v
i
t
y
-
S
p
e
c
i
f
i
c

S
a
f
e
g
u
a
r
d
s

L
i
t
t
l
e

T
h
i
n
g
s

Figure 2 Graphical Representation of Little Details


X
1

X
2

X
3

Y
1

Y
2

Y
3

Z
1

Z
2

Z
3

N
1

N
2

N
3

X
4

X
5

X
M

Y
4

Y
5

Y
M
Z
M
N
M

Z
4

Z
5

N
4

N
5

Accident
Sequence
Enabled
GCPS 2013 __________________________________________________________________________
3. Case Study
7


This case study helps to illustrate the complex nature of the little things associated with just a
couple of management systems Operating Procedures, Training and Performance Assurance,
and Asset Integrity and Reliability.
4
Caustic
Storage
Tank
Caustic
Pretreater
To Relief
LPG to
Process
Caustic
Caustic
Untreated
LPG from
Process
S
Sample
Point
Gauge
Glass Pump
Caustic Settler
Degasser
Figure 3 LPG Treater Flow Diagram
Represents Caustic
Represents LPG


Figure 3 shows the flow diagram for a fairly standard process for treating liquefied petroleum
gas (LPG) with caustic (sodium hydroxide) to remove certain impurities prior to further
processing. The green represent caustic inventories, while the remaining volumes in the Caustic
Pretreater are LPG. The Caustic Settler has an LPG inventory as well a vapor space. While
performing a routine duty to drain caustic from the Caustic Pretreater, the draining operation was
continued to the point where all the caustic material was removed and LPG was directed to the
atmospheric Caustic Storage Tank resulting in a loss of containment at the tank. There were no
injuries related to this incident.

3.1 Sequence of Events

The operators routine duties included periodically transferring caustic from both the Pretreater
and Settler to the Degasser and then to the Storage Tank. After sampling the Pretreater for
caustic, the operator opened the manual valve on the outlet of the Pretreater to start the caustic
transfer. The operator also started the Degasser pump to transfer caustic from the Degasser to
the Storage Tank. The gauge glass on the Pretreater was dirty and difficult to read, but it was
GCPS 2013 __________________________________________________________________________
assumed that the caustic level was above the gauge glass. The actual level was most likely below
the gauge glass but above the sample point.

The Pretreater level was then depleted by the operator, with LPG going to the Degasser and with
flaring through the relief system increasing. The valve from the Pretreater was then closed.
Caustic transfer was then started from the Settler, and the valve from the Pretreater was
reopened, sending pure LPG to the Degasser from the Pretreater. The operator saw increased
flaring as confirmation that procedures were being done properly, since two vessels were being
fed to the Degasser, with increased vapor release from the entrained LPG in caustic. Some of the
increased flaring was from the pure LPG being sent from the Pretreater.

With the Degasser pump continuing to run, the Degasser caustic level was depleted and LPG was
transferred to the Storage Tank. The low level alarm on the Degasser was not functioning. As
the level of caustic and LPG increased in the Storage Tank the operator stopped flow from the
Settler and Pretreater. Attempts were then made to bring the level of caustic back up in the
Degasser by opening the Pretreater valve, which sent more LPG to the Degasser since it
remained depleted of caustic. Shortly afterwards, the Storage Tank high level alarm sounded,
and material was released from the top of storage tank.

3.2 Analysis

The above incident description suggests that, as with many other accidents, there were a lot of
things going on increasing the potential for incomplete diagnosis and overlooking of details.
Focusing initially on just three of the management systems (CCPS Elements) involved we can
see firsthand some of the little things that need to be managed to prevent incidents of this type.

3.2.1 Operating Procedures

The procedure for transferring caustic from the Pretreater did not specify whether the Degasser
pump should be used simultaneously to the transfer. The purpose of such a restriction is to avoid
inadvertently sending LPG to the Storage Tank, and also to allow sufficient retention time in the
Degasser for disengagement of any entrained LPG from the caustic. Had either one of these
process-related details been included in the operating procedures and training, it would have
provided operating personnel with a broader view of the potential consequences related to this
transfer. It might have helped them connect the dots.

The investigation also concluded that the operator was monitoring too many items at once and
did not notice that the caustic level in the Degasser had been depleted. Since the Degasser level
alarm was dysfunctional, this would have meant that the operator would have to verify the level
manually. This would be another little thing that might have compensated for the level alarm
failure.

3.2.2 Training and Performance Assurance

The gauge glass on the Pretreater was difficult to read. Although included in field training the
technique for blowing down and clearing the gauge glass was not fully understood by the
GCPS 2013 __________________________________________________________________________
operator. Improved training learning objectives might have provided the operator with a better
understanding of the Pretreater level.

Risks and precautionary steps associated with LPG transfer during caustic transfer were not fully
understood after classroom and field training. Improved training and learning objectives might
have aided the operator in detecting potential LPG carryover to the Storage Tank.

3.2.3 Asset Integrity and Reliability

The Degasser low level alarm did not function correctly. It had been falsely indicating a low
level condition for several months prior to the incident. A previous alarm replacement did not
address the root cause of the malfunction.

3.3 Process Safety is all About Details

As the Swiss Cheese model suggests, had any one of the Swiss cheese layers been effective,
this incident might not have progressed. It is also worth noting that the actual incident
investigation went beyond the three process safety systems indicated above, in alignment with
other areas identified in Figure 1.

Even the above limited review illustrates the many little things that contribute to an incident,
and the many seemingly small opportunities for preventing it. Slightly modified operating
procedures, better training on level gauges, clearer understanding of risks in transferring LPG,
and others are all minor improvements on systems and activities already in place that might have
stopped the accident from progressing It is this little bit extra that often means a difference
between a non-event and an accident. For example, this can mean going one step further in
training, adding one additional precaution in an operating procedure and, of course, ensuring that
all alarms, even those perceived as less important, are functioning properly.

This incident also illustrates an important process safety opportunity. How do we know when
one little thing can interact with another, progressing the accident sequence? How do we
connect the dots? Put another way, how do we broaden our thinking so that when something
abnormal is occurring in one area of an operation we are aware that other areas can potentially be
impacted? For example, as the operator was having difficulty reading the Pretreater level gauge,
the additional knowledge that the Degasser level alarm was not functional and that LPG could be
sent to the Storage Tank might have driven different actions.

4. Connecting and Managing the Little Things

If we extend the lessons from the Case Study to a facility or even company-wide scale, several
key focus areas are suggested that might help to prevent similar incidents.

4.1 Understand that Details Drive Accidents

Major accidents almost always come down to little things done, not done, or performed
incompletely. This extends beyond the operating and maintenance roles into engineering and
GCPS 2013 __________________________________________________________________________
management. For example, a major fire occurred on an offshore platform because the
compressor seal oil pumps had no back-up power supply an engineering detail overlooked. On
the management side, the Space Shuttle Challenger represents a clear example of where
management ignored the recommendations of engineers and failed to fully appreciate the
catastrophic consequences that could result from an O-ring failure if a launch were to occur in
cold weather.
2


4.2 Get the Big Picture

Process safety elements are often viewed in silos, rather than as holistically interactive
management systems that depend upon each other to function properly. When one system has a
breakdown assumptions may be made that other prevention devices will be working properly.
Statements like, the shutdown system will handle it or it will be picked up on operator
rounds reflect this tendency to rely on other mechanisms to stop the event. These other
safeguards may or may not be working well enough to prevent the scenario from developing.

Before determining that a serious potential consequence is unlikely to occur after an initial
failure, management, engineering and operating personnel should look across the spectrum of
affected process safety systems, and verify that backup safeguards are functional and
sufficiently effective. In some cases, simple questions might help broaden the identification
process and identify seemingly small, but important breakdowns in the protection layers:

What else can be affected? (Texas City)
2

How cold can we go? (Challenger Space Shuttle, Longford Gas plant)
2

Where is the feed going? (Three Mile Island)
2

Was the job finished and ready to return to service? (Piper Alpha)
2

In what order do I open these valves? (Feyzin)
2

What happens if we turn this up? (Chernobyl)
2

What does my Technical Authority say about this? (Flixborough)
2


For the accidents indicated in the parentheses above, the answers to the preceding questions are
obvious in hindsight. The challenge is to ask the right questions ahead of time and encourage
personnel to explore consequences and safeguards beyond the obvious.

Understanding the big picture can be complicated by the natural segregation of functional
activities. Performing separate but interrelated tasks in silos can make it difficult to fully
comprehend how one effort might create dots that negatively combine with the dots of
another effort. A review of the sinking of the Herald of Free Enterprise at the Zeebrugge,
Belgium port might help demonstrate this point.

Reference 2 discusses the process safety system failures involved in the Zeebrugge accident. The
ferry departed port with the bow doors open, and capsized about a mile offshore. 193 lives were
lost. The little things contributing this tragedy included: (1) nobody checked to verify the
doors were closed; (2) there were no clear procedures on who exactly was responsible for
checking the doors; and (3) the Assistant Bosun, who had the task of closing the doors, was
GCPS 2013 __________________________________________________________________________
asleep in his cabin and did not hear the ship intercom call to attend to stations. Other contributing
factors included basic design flaws, incompatibility with berth designs and overloading.
2


Specific process safety management systems involved included hazard identification and risk
analysis, operating procedures and incident investigation (there were five previous incidents of
sailing with the doors open). In addition, the ferry designs were modeled after World War II
beach landing craft, which were intended for a radically different purpose. The application of
these designs to the safe transport of people should have been (but were not) subjected to a
rigorous management of change procedure.
2


Figure 4 The Complex Pattern of the Zeebrugge Accident Taken From Rasmussen
11





Figure 4 presents a causal tree for the Zeebrugge incident taken from Rasmussen.
11
He contends
that major accidents are not a coincidence of independent failures and human errors but rather
a coming together of different activities often working towards different objectives. The
interactions among them can enhance the potential for accident.
GCPS 2013 __________________________________________________________________________

As illustrated in Figure 4, each of the functions necessary for ferry operations (Vessel Design,
Harbor Design, Cargo Management, Passenger Management, Traffic Scheduling and Vessel
Operation) were conducted as relatively separate activities. Each also tried to optimize
performance within their scope of work. This resulted in negative impacts to other functional
areas. For example, optimizing cargo and passenger management meant adding additional
weight to the ferry, directly compromising vessel stability.

Similarly, since the ferry was not designed for the berth at Zeebrugge, docking procedures had to
be modified to allow passenger vehicle loading and unloading. These procedures negatively
impacted requirements for traffic scheduling and standing orders for vessel operation.

Within the processing industries, engineering, operations, maintenance and other departments
have the potential to operate in silos, each focused on achieving their own metrics. This brings
attention to the importance of applying process safety management systems across all relevant
parts of the organization to help identify and address interrelated impacts.

As a final example, a process plant upgrade included significant piping and equipment
modifications, and new additional equipment. Parts of the piping were subject to a well-known
corrosion mechanism. Piping and valves were specified appropriately to minimize corrosion.
After installation and commissioning, one of the valves failed within 48 hours, requiring a
widespread facility shutdown. The investigation revealed that while originally specified
correctly, the Purchasing Department had substituted a different valve material, helping to meet
their goal of lower cost and faster delivery. This valve did not undergo a positive material
identification upon receipt or prior to installation.

The above example helps illustrate the breadth of application required for process safety to be
effective across organizational boundaries. In this case, extending process safety to the
purchasing department and developing appropriate procedures that ensure alignment with
engineering specifications would have prevented the incident. It was also the little thing of not
verifying materials of construction upon receipt of this valve that finally initiated the accident.

4.3 Perform Thorough Hazard Identification and Risk Assessments

Hazard and operability studies (HAZOPs) and other qualitative risk assessments represent the
best formal opportunity for understanding the interactions among little things. Fully
connecting the dots requires the most experienced team members be made available. Also, the
HAZOP team leader must be highly qualified and able to encourage the team to look beyond
their normal, day-to-day experiences. Team qualification requirements can be difficult to
sustain, study after study. However, it is essential risk assessments be done with the right
personnel.

For a risk assessment to be effective, the team must be able to connect the dots in two distinct
ways. Firstly, the team must have the ability to imagine a wide range of scenarios, including the
unlikely. If the consequences are not fully developed and include low-frequency events, only a
GCPS 2013 __________________________________________________________________________
limited set of safeguards will be identified. These may not include the ones necessary to prevent
or mitigate the full scenario.

Secondly, safeguards must be verified. This means confirming that little things are in place and
working effectively: Do equipment or activity-specific procedures really exist and are they
included in training? Is the alarm or shutdown tested? Is it testable? How often is it tested?
What is done with the test results? Does the corrosion monitoring program include the piping
system of concern? What are the inspection results? Is the relief valve sized for this case?
When was the relief valve tested? Has the discharge piping been designed for the anticipated
Joule-Thompson cooling?

All of above are indicative of the kinds of questions a qualified leader would guide the HAZOP
team into exploring. Moreover, the team must have the expertise and documentation to be able
to answer the questions.

4.4 Apply Discipline in Performing Basic Process Safety

The hunt for little things does not preclude the need to continuously manage all process safety
systems. Alarms need to be tested, piping needs to be inspected, equipment needs to be
maintained, changes need to be controlled, and engineering designs need to be appropriately
executed consistent with relevant technical codes and standards, as examples. These overriding
management systems, if effective, set the framework for finding the little things and allowing
the interconnections among safeguards to be understood.

4.5 Stay Vigilant to Signals

Many major accidents were preceded by dry runs. For example, a control valve slammed shut
in a hot crude oil feed line, causing a pressure surge that damaged the feed pump seal. A year
later, the same valve abruptly closed with the subsequent pressure surge causing a flange to
open. Hot oil was released and a fire burned for several hours, requiring significant
reconstruction. By thoroughly investigating these kinds of earlier incidents and taking
corrective actions, the potential for later more serious events to recur is reduced. Reference 2
devotes an entire chapter to this subject, titled Not Learning from Near Misses.

Since major accidents or even major near misses are infrequent occurrences, relying on them as
indicators for corrective actions may be too late. When process safety management systems start
to degrade, there are usually many small indicators. For example, important aspects of process
safety information might be out of date, a few changes might be slipping through the system
without proper management of change analysis, or there may be a handful of overdue inspections
or corrective actions. Overall, the process safety systems appear to be functioning well, but with
some gaps. Gaps can become dots in the accident chain. These leading indicators of system
degradation represent the earliest opportunities to improve effectiveness. Special efforts should
be made, through self auditing, to identify them.

Appendix A of the CCPS publication, Recognizing Catastrophic Incident Warning Signs
(Reference 8) provides a useful checklist of warning signs as indicators that some degradation
GCPS 2013 __________________________________________________________________________
in process safety effectiveness is occurring. Of relevance, many of these checklist questions
address little details ranging from loose bolts to instruments bypassed.

Recently there has been renewed interest in the concept of High Reliability Organizations
(HROs) Much of the early work on this subject emerged from research efforts on aircraft carrier
and air traffic control operations.
9
Subsequent work attempted to identify key aspects of
excellence exhibited by HROs. These include a preoccupation with failure and reluctance to
simplify interpretations among others.
10
While a clear mapping between those organizations
giving birth the HRO concept (highly repetitive yet variable activities) and complex processing
facility operations has yet to be established, the reluctance to simplify interpretations is, in the
authors opinion, directly transferrable. By searching for a deeper meaning behind even the
smallest of failures, organizations will be connecting the dots and evaluating those other
components that, had circumstances been different, would have allowed that small failure to
progress.

4.6 The Role of Culture

A wealth of literature is available reinforcing the principle that the overall organizational culture
drives the effectiveness of the process safety management systems. Figure 1 conveys this
concept. Leadership, starting with top management, sets the culture.

In Chevron, process safety is deployed within the context of our overall Operational Excellence
(OE) efforts. As stated in Company literature:

Leadership is the single largest factor for success in OE. Leaders establish the vision
and set objectives that challenge the organization to achieve world-class results. .

Leaders visibly demonstrate their commitment through personal engagement with the
workforce and by showing concern for the health and safety of every individual. They
demonstrate the same commitment to protecting the environment and process safety
risk mitigation.

The second sentence holds the key to success in process safety and OE. In order to affect the
culture, leaders must do more than pronounce support. They must demonstrate it. Part of that
demonstration is reinforcing the need for attention to detail and to the little things that lead to
big accidents.

5. Conclusion

In this paper weve attempted to show that the devil is in the details. Major accidents are often
the result of small things that are easily overlooked or tolerated. Identifying the little details that
can enable an accident to develop requires a big picture approach to understand the full
breadth of the potential accident chain. It also requires a renewed rigor in such basics as
qualitative risk assessments and incident investigation in order to ferret out those little things.
There is neither a Holy Grail nor a quick solution to process safety. Accident prevention comes
GCPS 2013 __________________________________________________________________________
down to implementing the CCPS elements consistently, thoroughly, and across all affected
functions.



6 References

[1] Barrell, Tony, PhD, Former Head of UK HSE Offshore Safety Division (1998), as quoted
in the BBC Video Spiral to Disaster.
[2] CCPS, Incidents that Define Process Safety, BP; Center for Chemical Process Safety,
New York, NY. (2008)
[3] CCPS Guidelines for Risk Based Process Safety, Center for Chemical Process Safety,
New York, NY. (2007)
[4] Reason, James, "The Contribution of Latent Human Failures to the Breakdown of
Complex Systems," Philosophical Transactions of the Royal Society of London. (1990)
[5] Leveson, Nancy, Engineering a Safer World, Systems Thinking Applied to Safety,
Unpublished Draft. 2009)
[6] Chiles, James Inviting Disaster, Lessons from the Edge of Technology HarperCollins
Publishers. (2002)

[7] LPG Release from Caustic System, API AFPM Operating Practices Symposium, Los
Angeles, CA, Nov 13, 2012.

[8] CCPS, Recognizing Catastrophic Incident Warning Signs, Center for Chemical Process
Safety, New York, NY. (2012)
[9] Roberts, K. H., Some Characteristics of High-Reliability Organizations. Organization
Science, 1, 160-177. (1990)

[10] Weick, K. E., Sutcliffe, K. M., & Obstfeld, D., Organizing for High Reliability:
Processes of Collective Mindfulness. In B. M. Staw & L. L. Cummings (Eds.), Research
in Organizational Behavior (Vol. 21, pp. 81-123). Greenwich, CT: JAI Press, Inc. (1999).

[11] Rasmussen, J., Risk Management in a Dynamic Society: A Modeling Problem, Safety
Science, Vol 27 No. 2/3 Pp 187-213 Elsevier Science Limited. (1997)