“Always lists to be made, as if writing items in neat vertical rows might stave off randomness and chaos.” — Dani Shapiro

People love lists. Top Ten Lists. Top Twelve Lists. Casey Kasem’s American Top Forty. And for those with short attention spans, Top Three Lists.

I recently received an email asking if I agreed that the top three reasons for chemical incidents were

  1. Human Error/Operator Error
  2. Equipment/Design Failure
  3. Safety/Management System Deficiencies

Even if we’ve never been asked this specific question, I suspect that it is lurking in the back of our minds.

Let me start by saying that I have some problems with this particular list.

Human Error/Operator Error

I think it is a mistake to blame operator error for chemical incidents. As Alexander Pope put it, “to err is human.” Since operators are human, to blame chemical incidents on human error makes no more sense than blaming confined space entry incidents on the need to breathe.

If the absence of error is necessary to avoid a chemical incident, then all we need to avoid chemical incidents is to require that our operators be perfect. But no one is perfect. So, if an error is part of the sequence that leads to a chemical incident, it is because the process has been designed so that it is vulnerable to the error.

Let’s imagine that there has been a chemical incident and we are conducting the incident investigation. Any good incident investigation report is going to include recommendations for reducing the likelihood that a similar incident will occur again. Do any of us believe that a recommendation of “do not have operator errors” is going to fly?

Early in my career, I participated in a PHA where we spent a lot of time discussing operator errors. Having grown weary of what felt like personal attacks, the lone operator in the PHA finally spoke up. “Why is it that when I make a mistake, you guys call it an ‘operator error’ but when you engineers make a mistake, you call it a ‘design error’?”

Which brings us to the second thing on the list.

Equipment/Design Failure

I believe that equipment failures are different from design errors. Everything fails. Because of entropy, equipment failures are as inevitable as operator errors. The more reliable a piece of equipment is, the less frequently it will fail. “Less frequent” is not, however, the same as “never.” When an equipment failure results in a chemical incident, it is because the design did not account for the inevitability of failure. Designs, like all human endeavors, are imperfect.

Let’s imagine that we are back on that incident investigation. Do any of us believe that a recommendation to “replace the broken part” should fly, especially if we are simply going to replace it with another part that can also break? This kind of recommendation often does fly, but should it?

It may be that the design actually accounted for the inevitability of failure, but the operation and maintenance of the process didn’t. Or couldn’t. All design choices are a deliberate trade-off between performance, reliability, and cost. With every choice, there is some potential for failure, especially if operating and maintenance demands push the design beyond its intent. The result can then be a chemical incident.

Safety/Management System Deficiencies

What leads us to push designers to the point that design errors result? What leads us to push designs beyond their intent, to the point of failure? What leads us to push people to the point where operator error becomes inevitable?

That brings us to safety and management systems and the choices they lead to. When a choice is unambiguously bad, i.e., unsafe, even the loosest, sloppiest, most careless management system will not make that choice. On the other hand, when a choice is unambiguously good, i.e., safe, even the most rigid, conservative, risk-averse management system will make that choice. It is in the grey area in between, when choices are neither unambiguously bad nor unambiguously good, that management systems and the managers that create, implement, and execute them distinguish themselves.

Choices

Management systems guide design choices, and design choices impact the vulnerability of a process to human error and equipment failure. Who makes these choices? Ultimately, isn’t it management? Which means that management and the management systems in which they function bear responsibility for all chemical incidents.

Bad Luck

We call the choices that management makes decisions. We tend to think of management decisions with good outcomes as good decisions and management decisions with bad outcomes as bad decisions. But it is entirely possible, with good luck, for a bad decision to result in a good outcome. With bad luck, a good decision can result in a bad outcome.

I don’t expect to see “bad luck” on any list of reasons for chemical incidents. Neither should anyone else. If we don’t acknowledge the impact of bad luck, however, we can expect to continue to see chemical incidents.

Good luck.

Author

  • Mike Schmidt

    With a career in the CPI that began in 1977 with Union Carbide, Mike was profoundly impacted by the 1984 tragedy in Bhopal and has been working on process safety ever since.
