Nightmare Pipeline Failures: Fantasy Planning, Black Swans and Integrity Management
The worst nightmares of the oil and gas pipeline industry are coming true in the United States. High-pressure natural gas pipelines run underground through many suburban areas as part of the network providing fuel to homes and businesses. This infrastructure poses an immense, but insufficiently recognized, threat to the general public. In 2010, one of these pipelines ruptured in San Bruno, a suburb of San Francisco adjacent to the international airport. The result was a massive explosion and fire in which eight people died, many were injured, and 38 homes were destroyed. This possibility haunts many cities around the world.
Coincidentally in the same year, another worst-case scenario came true, near Marshall, in the state of Michigan. A pipeline rupture released vast quantities of oily sludge into a local river system. The smell was so offensive that many nearby residents were forced to sell their homes and get out. The clean-up cost the pipeline owner more than a billion dollars, making it the most expensive oil spill on land in US history.
Nightmare Pipeline Failures examines the causes of these two events. It argues that, although they were profoundly surprising to the companies concerned, from a broader perspective they were no surprise at all, stemming as they did from well-known human, organizational and regulatory failures. In particular, we emphasize two contrasting but equally flawed approaches to prevention of rare but catastrophic events.
Companies often try to convince themselves, regulators and members of the public that they have the relevant hazards under control because they have elaborate plans to deal with them. When it comes to the point, these plans turn out to be wildly optimistic and full of unjustified assumptions and inaccurate data. Their function is symbolic rather than instrumental – that is, they serve as statements that the hazard is under control, rather than as real instruments of control. Fantasy planning was very evident in both accidents.
The second approach adopts the currently fashionable “black swan” metaphor. In Europe, historically, all swans are white, and Europeans could not conceive of a black swan – until they discovered Australia. In the 21st century, the concept of a black swan has taken on new meaning – a rare event with major impact, quite unpredictable at the time, although possibly explicable in hindsight. Nowadays, major industrial accidents, such as the blowout in the Gulf of Mexico in 2010, are sometimes referred to as black swans. But here the analogy breaks down. Black swans were unforeseeable to Europeans. Major accidents are not unforeseeable to risk analysts. In fact, it is their responsibility to foresee them and to put in place barriers against them. Accidents occur when those barriers fail. The metaphor is therefore wrong. In fact, it seems to be nothing more than a contemporary version of the idea that major accidents are inevitable – the ‘stuff happens’ view of risk management.
These two concepts shed new light on why integrity management is so difficult to get right and also how it can be improved. We hope that those in positions of responsibility in companies that have responsibility for hazardous facilities will feel the need to scrutinize their own integrity management systems with these absurdities in mind. The major failings we have identified provide valuable lessons for all organizations that use risk assessments to manage and prioritize routine activities.
|Product Line||Wolters Kluwer Legal & Regulatory U.S.|
- Chapter 1 - Introduction
- Chapter 2 - Lethal maintenance
- Chapter 3 - MAOP determination and grandfatherinG
- Chapter 4 - The Marshall and Gulf of Mexico oil spills
- Chapter 5 - Integrity management and risk assessment
- Chapter 6 - The meaning of safety
- Chapter 7 - Dealing with uncertainty
- Chapter 8 - Setting senior management priorities
- Chapter 9 - Effective safety regulation
- Chapter 10 - The compliance paradox
- Chapter 11 - Concluding remarks
- Appendix - Combining risk scores for individual threats