|
It’s much easier for the mishap investigator to specify what didn’t happen, because there are so many more “didn’t happens” than “did happens.” In fact,
there are ( -1) events or scenarios that didn’t happen, and only one that did.
System safety practitioners need to demand robust evaluation of their work to ensure it improves the system. It’s not comfortable to tell the boss that you don’t know why your predictive analysis did not forestall the undesired system
operation.
Let’s take a look at a specific government accident report in which the investigators’ “did nots” stifled the understanding needed to improve both
process efficiency and safety analyses.5 (“Did nots” are identified in italics.)
Chapter 4.4, “Process Hazard Analysis,” states:
“During design in 1990 and again in 1999, after several years of operating experience, Amoco conducted process hazard analyses6 of the Amodel process using hazard and operability (HAZOP) techniques.7
Both the polymer catch tank and the reactor knockout pot were considered during the analyses, but credible scenarios that could lead
to excess pressure or level were not identified.”
This vague “did not,” in the passive voice, asserts that anyone and everyone who performed the HAZOP analyses (more than one) did not identify any
scenarios that led to undiscovered pressures which might expel the contents of the process vessel. We don’t know why these scenarios weren’t identified; was
it faulty investigation methodology, or the way it was implemented?
|
