Cross-industry Learning from High Hazard Sectors

Risk & Safety
26th March 2020

Article by Gabor Posta

How we choose to learn can determine whether we will repeat similar situations, says Gabor Posta

IN 2008, a sharp increase in hydraulic fracturing (“fracking”) sent crude oil production in North America soaring. Production quickly outgrew existing pipeline capacity and saw record volumes of crude oil being hauled by rail. The 2013 high-profile crude oil train disaster at Lac-Mégantic, Canada – which killed 47 people and destroyed most of the town – was an unfortunate reminder of the dangers associated with this method of transportation. It led to a permanent change in public perception alongside a re-examination of the regulatory approach. At the same time, opposition to pipeline projects meant that there remained a heavy reliance on the transportation via rail, and there was significant resistance from rail operators towards retrofitting safety features and upgrading their rolling stock.

Seven years on from the crude oil train accident at Lac-Mégantic, have the right lessons been learned and applied? In this article, we discuss the challenges behind the transportation of crude oil by rail, but more importantly we also identify and examine some of the universal learning opportunities for both established and emerging high hazard sectors.

Canadian Press/Shutterstock

Lac-Mégantic: Seven years on, have we learnt the right lessons?

What went wrong?

In the early 2000s, advancements in drilling technology, combined with the use of hydraulic fracturing, resulted in a surge in oil production. This led to an oil boom with increased reliance on transportation via rail. Association of American Railroads data^1,2show that approximately 9,500 rail tank cars of crude oil were shipped in the US in 2008, increasing sharply to a peak of approximately 493,000 rail tank cars in 2014. With such a rise in hazardous material transportation, why wasn’t safety and the associated risk being closely and regularly reviewed?

Due to the wide range of factors contributing to the Lac-Mégantic accident, arguably the systems engineering and system safety way of thinking is the most suitable approach for reviewing the accident. A wide range of system safety analysis and visualisation techniques are available to modern-day safety practitioners. For this article, Rasmussen’s AcciMap approach was used (see Figure 1). It is a simple but powerful way of capturing a wide range of causal links for accidents that have already occurred. The following sections discuss some of the contributing factors to the accident.

Figure 1: AcciMap representation of Lac-Mégantic accident

Societal perception and pressures

Societal perception and pressures were the fundamental starting point to the unfortunate sequence of events that led to the Lac-Mégantic accident. Market pressures and changes meant that a fracking-led oil boom took place, resulting in the rapid production of oil from a range of new sources. The profit to be made by refining the crude oil extracted from the Bakken rock formation region meant that the oil was to be transported long distances to refineries located across North America. The combination of societal rejection of pipelines and the need for transportation along routes where pipelines were not always feasible transportation options meant that there became a very heavy reliance on transportation of crude oil via rail.

Government legislation

Legislation exacerbated the reliance on rail for crude oil transportation by bowing to public pressure on pipelines. One of the most high-profile cases was that of Keystone XL, a planned extension to the Keystone Pipeline System in Canada and the US. Fierce opposition on environmental, political and other grounds meant that the project was perpetually delayed. This increased strain on the rail industry for crude oil transportation was made worse by the overly-permissive rail legislation in place regarding the rolling stock (trains) and the rail infrastructure in place – both no longer suitable given the increased volumes and volatility of the oil being hauled.

Regulatory bodies and industry associations

Regulatory bodies and industry associations were continuously pushing and pulling to find an appropriate balance between the need for reducing risks whilst ensuring that associated costs were reasonable. A key example of this was the debate around the adoption of stricter rail tank car design standards. Upgrading rail tank cars to newer standards had the benefit of providing increased protection against some of the more common known tank car failure modes. However, a range of industry bodies initially pushed back on the implementation of some of these standards, arguing that the costs to retrofit the existing train fleet was disproportionate relative to the safety benefit gained.

Corporate culture

Corporate culture at the train company, MMA Railway, was a significant contributor to the accident as found in the official accident report³. The poor safety culture and lack of an appropriate safety management system meant that the known ongoing maintenance issues with the Lac-Mégantic train’s locomotive were not treated with sufficient caution and were a symptom of wider systemic issues within the company. The societal, legislative and regulatory pressures resulting in poorly-designed rail tank cars hauling large volumes of crude oil were not offset even partially by MMA Railway’s approach, setting in motion the final fatal chain of events. Although system safety thinking generally shies away from the use of the Swiss cheese accident causation model (branding it too simplistic), in many ways the MMA Railway corporate culture was the final slice of
unfortunately-aligned cheese in this accident.

Technical deficiencies

Technical deficiencies were all but inevitable given the corporate culture at MMA Railway, and these manifested themselves in a range of ways. Poor inspection and maintenance of its trains, faults not being taken sufficiently seriously, and pressures caused by other sociotechnical categories further up the AcciMap meant that the already unsafe rail tank cars were having their safety eroded even further by incorrect functioning of risk reduction measures. These include both administrative measures (eg failure to undertake required checks before leaving the parked train unattended overnight), and engineered measures (eg incorrect wiring between brakes and train electrical system).

Physical accident sequence

The physical accident sequence initiated is relatively linear when compared to some of the entries further up the AcciMap. The complex combination of all the sociotechnical issues described in earlier paragraphs contributed directly to each step in the accident sequence. The accident began with brake failure when parked on an incline, quickly turning into a runaway train and eventually derailing within the town of Lac-Mégantic, in part due to unsafe freight route planning. The loss of containment followed by fire and explosion resulted in 47 deaths, the destruction of the town centre, and significant environmental damage.

Striving for improvement

When investigating a major accident, there is an understandable focus on the details of the circumstances, reconstructing a detailed accident sequence such that specific causal links can be identified and rectified. The official Lac-Mégantic accident report³ thoroughly undertakes these tasks. However, it is important to consider whether there is commonality across many high hazard sectors in terms of both accident root causes and also high-level cross-industry lessons that can be distilled and learned.

It is important to consider whether there is commonality across many high hazard sectors in terms of both accident root causes and also high-level cross-industry lessons that can be distilled and learned

Emerging sectors such as connected and autonomous vehicles do not traditionally fall under the “high hazard” umbrella. Nevertheless, new accidental and malicious risks related to eg use of artificial intelligence⁴ may pose novel and unique low frequency, high consequence event types, whilst potentially also still showing some vulnerabilities which have parallels to older malicious attack vectors such as that used to infect Iranian nuclear centrifuges with the Stuxnet computer worm in 2010. Industry groups, researchers and intelligence organisations have become increasingly vocal regarding the security deficiencies of industrial control systems^5,6 connected to the internet with the advent of the Internet of Things, and it is important that continuous improvements are made in the interface between safety and security.

Learning opportunities

Safety professionals all have a part to play in actively disseminating lessons, whether with colleagues who work in other sectors or through professional engineering institutions. Disseminating inter-sector learning opportunities should be seen as an additional key indicator of a successful safety culture within an organisation. Five key high-level learning opportunities are identified in this article.

Significant rates of change

This should have triggered a review of safety arrangements. The rate of change of volume of crude oil transportation via rail was excessive. Increases of over an order of magnitude in any parameters within a relatively short timescale should automatically prompt review of whether a system has been correctly engineered and is being correctly managed at all levels, and whether any further changes should be made (either in parallel with the operations continuing or making the decision to halt the activity pending review) to ensure ongoing safety. Such a sudden surge in a process parameter (eg temperature) would not be acceptable in a process plant, and the same logic should be applied to “process parameters” on a systems level in a broader sense.

Characterisation of properties

From a hazard perspective, this must always be considered. The volatility of (and therefore the degree of explosion risk posed by) Bakken crude oil was severely underestimated through assuming that it would be similar to more conventional types of crude oils, meaning that the safety measures in place (such as those on older DOT-111 rail tank car designs) were inappropriate for the hazard posed. The handling of (tangible or intangible) “materials” with such significant unknown properties via processes with a different design basis should not be accepted without checks being undertaken to confirm suitability. A nuclear decommissioning plant would not feed legacy waste materials through without conducting a proper material assay, and machine learning applications should be wary of the quality of learning datasets (whether of insufficient quality by chance or actively fed bad data by malicious threats).

Self-regulation

Self regulation is a valuable mechanism when used responsibly, but regulatory bodies being increasingly stretched thin has resulted in a general trend over the past decades toward allowing increased self-regulation across numerous sectors. The Lac-Mégantic accident and the recent Boeing 737 MAX accidents have shown that, whilst conceptually useful, self-regulation should be used very sparingly, and only under the right conditions. This should take full cognisance of the human factors limitations (such as normalisation of deviance within an organisation) and the potential conflicts of interest that may arise.

Ethical lobbying and advocacy

Ethical lobbying and advocacy may have helped avoid the accident at Lac-Mégantic, had a much larger network of pipelines been constructed against public opinion. Some recent studies have indicated that blocking of pipeline projects does not decrease crude oil production, and instead shifts the burden of transportation onto rail⁷, increasing the overall risk. Public engagement and communications are now more important than ever to mitigate the hurdles posed by the general public towards sectors involving emotive subjects. This is exacerbated by the current ‘post-truth’ political climate worldwide. Companies and organisations across all sectors should allocate significant effort towards (ethical) lobbying and advocacy to achieve outcomes that are objectively beneficial for society.

ALARP demonstration at a holistic level

This should be a key consideration for all sectors. There is a tendency in “as low as reasonably practicable” (ALARP) demonstrations to focus on a single system being assessed, not adequately considering how system interfaces may affect the holistic risk profile. Risk reduction to an ALARP level should be demonstrated through consideration of eg all levels of an AcciMap diagram (especially focussing on societal, organisational and regulatory considerations) to provide evidence that residual risks have been balanced appropriately.

Sûreté du Québec/Wikipedia

Lac-Mégantic: Ethical lobbying and advocacy may have helped avoid the accident

Safety is a mindset

It is important that, in the process of striving for improving the safety performance of this sector, wider endeavours are undertaken to apply any learnings (whether specific or high-level) to other sectors, both established and emerging.

High hazard sectors can encompass not only existing established traditional sectors such as nuclear and oil and gas, but also emerging sectors and technologies such as connected and autonomous vehicles and hydrogen for domestic uses where the low frequency, high consequence type accidents can still result in significant numbers of injuries and fatalities, and where rapid development of the technologies and their implementation could lead to the repeating of past mistakes in unrelated sectors.

When looking to identify lessons, there is also a risk that overly specific lessons are identified, missing an opportunity to identify and disseminate the higher-level learning opportunities across sectors, and thus a concerted effort is needed from safety specialists across all sectors. Whilst adoption rates from lessons learned vary by several orders of magnitude across sectors, there are nevertheless significant success cases (eg the adoption of aviation-style checklists during surgical procedures) even in industries such as healthcare, where the adoption rate of new processes is traditionally extremely slow.

Traditional safety and risk analysis techniques are still largely relevant to the modern world. But the current fast pace of technological change can sometimes mean that there is a reduced ability to learn from past experience, and it is therefore more important than ever that all major learning opportunities are utilised to their full potential regardless of the originating sector.

If you are interested in finding out more, a full conference paper at http://bit.ly/32meHn3 expands on the subject.

References

1. https://bit.ly/2VMBbwd

2. https://bit.ly/2vzxwqK

3. https://bit.ly/2VGYXK0

4. Brundage, M, et al (2018), The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation.

5. Kaspersky Lab (2018), Threat Landscape for Industrial Automation Systems in H2 2017, ICS CERT.

6. National Cyber Security Centre, GCHQ (2018), Advisory: Hostile state actors compromising UK organisations with focus on engineering and industrial control companies.

7. Covert, T and Kellogg, R (2017), Crude by rail, option value, and pipeline investment, National Bureau of Economic Research (NBER) Working Paper Series – 23855.