Three accidents in European dynamite production plants: An attempt to improve the external lessons learning


Journal of Loss Prevention in the Process Industries 44 (2016) 12–23

Journal homepage: www.elsevier.com/locate/jlp

Milos Ferjencik a,*, Nicolas Dechy b

a University of Pardubice, Faculty of Chemical Technology, Studentska 573, 53210 Pardubice, Czech Republic
b Club Heuristique pour l’Analyse Organisationnelle de la Sécurité, Mas Saint-Sauveur, Route de Toreilles, 66430 Bompas, France

Article info

Article history: Received 18 April 2016; received in revised form 10 August 2016; accepted 13 August 2016; available online 16 August 2016

Keywords: Underlying cause; Root cause analysis; Lessons learned; Accident prevention; Explosion; Dynamite

Abstract

Three serious accidents occurred in three dynamite manufacturing plants within three European countries during a relatively short time period, triggering the question of effective external learning. The article discusses the lessons for the prevention of accidents learned from retrospective comparative analysis. It advocates for a better process for learning lessons. It attempts to show how a two level approach to accident analysis may help to reveal a common deeper learning hidden under diverse routine lessons. © 2016 Elsevier Ltd. All rights reserved.

1. Introduction

Between 2003 and 2011, three serious accidents occurred in three European plants which produced industrial gelatinized (dynamite-like) explosives:

• On March 27, 2003, in Nitrochimie, Billy-Berclau, France: 4 fatalities.
• On March 11, 2008, in Austin Int., Sankt Lambrecht, Austria: 2 fatalities.
• On April 20, 2011, in Explosia, Pardubice, Czech Republic: 4 fatalities.

The article is built on a case study that focuses on the direct and root causes of three accidents. First of all, it attempts to look for some similarities and discrepancies among their causes. Second, the article addresses what has been learned and especially what else could have been learned in retrospect. Therefore it advocates for a two level approach to get deeper lessons from root and underlying causes of accidents. The empirical analysis helps answer

* Corresponding author. http://dx.doi.org/10.1016/j.jlp.2016.08.006 0950-4230/© 2016 Elsevier Ltd. All rights reserved.

the triggering question of the article: Could the lessons to be learned from the previous accidents have helped to prevent those that followed?

Barriers to learning and failures to do so are known to be numerous (Hopkins, 2008; Dechy et al., 2011, 2013; ESReDA, 2015). Several disasters and major accidents have shown failures to learn among their contributing causes: the Ladbroke Grove train collision near Paddington train station in the United Kingdom in 1999 (Cullen, 2000); the disintegration of the space shuttle Columbia in 2003 (CAIB, 2003); the refinery explosion and fire at Texas City in 2005 (CSB, 2007). In addition, several deficiencies in the learning process have been identified by several researchers, especially regarding the ability to analyse the underlying causes of events and the ability to learn from others (ESReDA, 2009, 2015; Dechy et al., 2012; Dien et al., 2012; Drupsteen et al., 2013).

To improve the external learning process, especially from events occurring abroad, a two level approach to accident analysis is implemented. It is composed of an enhanced root cause analysis (Ferjencik, 2014) and an organizational approach (Dien et al., 2004, 2012). The resulting text presents the comparative analysis of three accidents in high-risk industrial systems with the routine lessons and deeper lessons learned. This exercise leads to identifying some recurring patterns and a few organizational


lessons: the safety degradation due to the lost memory of designers, the missed opportunities for improvement, and the limited ability to learn.

The article is organized into seven sections. Sections 2 and 3 represent the basic case study. They present information about three accidents and the findings obtainable from a routine root cause analysis. Section 4 describes the proposed two-level approach to improve lessons learning. In Section 5 it is shown that, though the routine analysis does not find interesting similarities, the analysis that goes beyond the routine approach reveals a few common deficiencies in the organization of the safety management systems of individual plants. The substantial gap that exists between the lessons to be learned from the accidents and the routine learning that did occur is noted. Section 6 discusses the role of memory and proactivity towards the prevention of safety degradation. The identified findings are condensed into organizational lessons. Section 7, Conclusions, answers the question which triggered this case study. The text is based on our initial paper (Ferjencik and Dechy, 2013).

2. Three accidents in the dynamite industry of Europe

Fig. 2. Workshops No. 49 and 50 in Billy-Berclau according to Lecoze et al. (2005). The star denotes the point where detonation initiated; black points denote positions of victims.

2.1. Production process of dynamite-like explosives

A modern dynamite-like explosive is a mixture of a few substances. Liquid nitro esters – typically nitro glycero glycol (NGG) – with nitrocellulose (NC) create what is called the blasting gelatine, in which powdery additives are mixed such as ammonium nitrate (AN) and/or trinitrotoluene (TNT). The resulting viscous mixture (paste) is created in several phases inside a mixing bowl. The bowl is then emptied, and the mixture fills a plastic wrapping to create stick-like cartridges. Mixing bowls may be stationary or mobile. Typically, several bowls are used simultaneously, each of them in a different phase of the procedure. Fig. 1 divides the production of dynamite into nine phases.

NGG is explosive and highly sensitive to stimuli. Therefore, NGG is stored in the form of an aqueous emulsion, which is not explosive. For safety reasons, NGG is separated from water in a separator just before the start of batch mixing. The prepared mixture is much less sensitive than NGG. However, it can be initiated, e.g. during cartridging, if a foreign object gets into a screw conveyer that extrudes the mixture. The production of dynamite is a batch procedure and fits within the loosely coupled and low complexity categories (Perrow, 1984).

2.2. Billy-Berclau accident

The initial accidental explosion occurred during cartridging, i.e. during the last phase (9) of the production process. The cartridging machine stood in workshop No. 50 that was completely surrounded

by barricades (concrete walls and banks a few meters high). Fig. 2 indicates that the workshop represented a part of a large complex of mounded workshops, the closest of which was workshop No. 49.

The explosion occurred in workshop No. 50 at the start of a cartridging machine (Lecoze et al., 2005). The operator came to the machine at 6 a.m. to start the process. He faced problems with processing the paste through the die. A few minutes before the accident, the assistant joined him. A few seconds before it, the cleaner came into the workshop and took the pyrotechnic paper garbage. Also, the mechanical maintenance technician who had forgotten a tool was walking in front of the tunnel between workshop No. 49 and No. 50 when the explosion occurred at 06:16:34 a.m. In total about 580 kg of high explosives detonated, 150 kg of which was inside the machine. The remaining explosive materials were a few meters away and exploded sympathetically. The most probable initiating event was the penetration of a foreign object into the feeder.

One victim was the operator of the machine. The two additional victims in workshop No. 50 were the assistant to the operator and the cleaner. The fourth victim was a maintenance technician.

The cartridging machine has to be adjusted at the start. Then it works automatically. Adjusting is performed by an operator. An assistant is not necessary and should not be present during this action. Indeed, the start of a cartridging machine is considered to be a critical operation, implying that the accepted risk requires having

Fig. 1. Phases of production of dynamite.


only one worker exposed during this phase. Therefore, the presence of three additional persons in the vicinity of the cartridging machine during its start was an undesirable coincidence. The presence of additional persons was to be prevented with two barriers (circulation routes and rules for workers from workshop to workshop; compliance to the schedule to ensure coordination). However, prevention was not achieved.

2.3. Sankt Lambrecht accident

In St. Lambrecht, dynamite was produced in mobile mixing bowls (Held, 2012). Doses of NGG were delivered from building 111 (see Fig. 3) to the southeast annex of building 147 by the NGG emulsion transfer line. NGG and NC were mixed manually in bowls in this annex. Then the bowls were transported into the east annex of 147, where powdery additives were added. Phase (7) – stirring the mixture – was performed remotely inside the main underground compartment of building 147. Bowls with the prepared mixture were transported into underground building 148, where their content was tipped into trolleys. Loaded trolleys were waiting here for transport to the cartridging buildings.

The accident occurred during the afternoon shift at the time of maximum volume in the production, at approximately 2:40 pm. At this moment there was about 100 kg NGG in building 111 in phase (2) NGG dosing, 300 kg NGG in the southeast annex of 147 in phase (5) NC inclusion, 300 kg NGG plus powdery additives in the east annex of 147 in phase (6), 1400 kg of a mixture in the main compartment of 147 in phase (7), 700 kg of a prepared mixture in the handling area of building 147, and 1575 kg of a prepared mixture in building 148 in phase (8) tipping. Several trolleys from the dynamite tipping area were parked outside building 148 waiting to be transferred to the cartridging houses.

Two detonations occurred within an interval of several hundred milliseconds. The first detonation took place in buildings 111 and 147 (NGG dosing, NC inclusion, and additives mixing area). The following three occurrences were proposed to account for the initial explosion: 1) mechanical failure in the NC inclusion area, 2) operator error during the mixing of NGG with NC, 3) failure during (semi)automatic addition of powdery additives to the NGG/NC mixture. The initial detonation was then transmitted to building 148 (tipping area). Accelerated fast moving objects probably impacted the ready mixed dynamite in parked trolleys. The secondary detonation was much heavier than the first one. In total about 2300 kg of high explosives detonated. The explosions, however, did not destroy the main compartment and handling area in building 147, where around 2100 kg of the mixture remained intact.

One victim of the accident was the operator in building 147. The second victim was the operator in the tipping house (building 148).

Fig. 4. Production technology from Pardubice. Dashed lines denote the interlocking of valves under storage and dosing tanks, double lines represent a newly installed pipeline.

2.4. Pardubice accident

Fig. 4 shows two separated buildings surrounded by barricades where the accident occurred (Ferjencík, 2011). Phase (2) of the production process – NGG separation and dosing – was performed in the building A55/1. Phases (5) to (8) – NC inclusion to tipping the mixture – were performed in stationary mixing bowls in building A55.

The production cycle is started by opening the valve V1 under the storage tank. A non-explosive mixture of NGG and water begins to flow into the empty separator. NGG is separated and flows through the open valve V2 into the dosing tank. Valve V3 into the settling tank is closed. When the requested quantity of NGG is inside the dosing tank, then valves V2 and V1 are closed and valve V3 is opened. Excess NGG from the separator and the line is collected under water inside the settling tank. From time to time, settled NGG is pumped by injector from here back to the storage tank. Throughout NGG dosing, valve V4 below the dosing tank is

Fig. 3. The production unit from St. Lambrecht, adapted from Held (2012). Dashed lines denote underground buildings, solid lines denote aboveground buildings, and the two stars denote the point of the secondary explosion.


closed. It is interlocked with valve V1. The interlock makes simultaneous opening of both valves impossible. This is a safety measure for the situation in which initiation of detonation occurs in the separator: the interlock prevents the transfer of detonation to the mixing bowl.

After some 15 years of operation, and about 14 years before the accident, a new pipeline was installed. Its purpose was to allow for the pumping of NGG settled in the settling tank directly into the separator without delay in the storage tank. During the installation of the new line, valve V5 before the separator was not interlocked with valve V4 in the way the inlet valve from the emulsion storage tank was interlocked. The missing interlock on the valve within the new line made possible a simultaneous opening of both the inlet to the separator from the settling tank and the line to the mixing bowl.

The staff noticed that this simultaneous opening allowed a shortening of the production cycle. They started to pump NGG from the settling tank more frequently. Gradually the staff became accustomed to pumping the NGG directly from the settling tank to the separator regularly, roughly once per every second NGG dosing. To speed up the work, staff also became accustomed to opening the valve on the new line before closing valve V4. No written instructions prevented this evolution. The foremen surely were aware of gradual changes but did not recognize their consequences for safety.

The accident occurred at 6:43 a.m., i.e. 43 min after the start of the work shift. At this moment, there were less than 100 kg of NGG in building A55/1 and more than 800 kg of explosives in building A55. The production sequence in the buildings until the time of the accident corresponded to standard workday behaviour. All four workers were present at their corresponding positions in A55.

The initiation of detonation occurred in the separator. It is probable that a foreign object entered or was created inside the separator, causing the initiation. The initiation occurred shortly after the start of pumping of NGG through the new line from the settling tank to the separator. The dosing tank was not completely emptied, and the valve under it was not closed at the time of the initiation. The connecting pipe from the NGG dosing building was filled with NGG. The detonation inside building A55/1 therefore also caused a sympathetic detonation in building A55. In total about 900 kg of high explosives detonated. Four workers in A55 died.

3. Results of routine cause analysis

3.1. Probable causes of initiating events

The direct causes of initiating events were not established reliably and accurately for any one of the accidents. However, the most probable causes were established as shown in Table 1. Foreign objects and/or mechanical failures capable of initiating the explosive paste represent the common features of these initiating events. For all three accidents, there is a lack of reasonable


grounds to determine the underlying causes of initiating events.

3.2. Developments of accidents

It is valid in all three cases that the developments of accidents were not limited to the occurrence of the initiating event. Based on the information in (Lecoze et al., 2005; Held, 2012; Ferjencík, 2011), and according to (CCPS, 2003), brief causal charts describing the developments of accidents were created and are shown in Figs. 5–7. Causal factors, i.e. occurrences which shape the undesirable development of accidents, are identified in charts and denoted by the “CF” symbol.

3.3. Root causes of developing events

Satisfactory determination of direct and underlying causes of initiating events was not possible. However, it is possible to identify likely direct and underlying causes of developing events. Root cause analysis – method B (CCPS, 2003) was applied. The predefined causal tree from (Ferjencik, 2014) was used for this purpose. The structure of the causal tree copies the structure of the safety management system that is described in (CCPS, 2007). Root causes which result from the application of the predefined tree are summarised in Table 2.

The inconsistent implementation of safe work practices and deficient control over access and occupancy seem to correspond best with causal factors BB-4 to BB-6. The root cause of causal factor SL-5 is found in the lack of understanding that a trolley standing outside the tipping house represents a hazard. Failure of protection against inadvertent change and/or failure of focus of change authorizers on important issues caused the causal factor PA-2.

Upon initial review, the causal paths from direct to root causes in Table 2 are rather different for each accident. They reveal different individual deficiencies of local safety management systems. At the same time, they do not help to detect similarities of deeper safety management problems.

3.4. Routine lessons

The causes of the initial events could not be determined reliably and relied on assumptions. However, the occurrence of all three initiating events is not a surprise in a dynamite production plant. Those events belong to the known part of the risk and are not atypical in this sense (Paltrinieri et al., 2012). NGG separation and dosing, NC inclusion, and the cartridging of the mixture are critical operations, in which initiation cannot be excluded. In all three accident cases, barriers against initiation failed during critical operations. Although likely at some point, no signs of insufficient care about barriers against initiation were identified by investigators. Prevention of the intrusion of foreign objects or

Table 1
Initiating events and probable causes.

| Accident | Initiating event | Probable causes |
|---|---|---|
| Billy-Berclau | BB-1: An event in cartridging machine initiates detonation. | A foreign object entered the feeder of the cartridging machine. It was either introduced by the operator, or already present in the vessel with the prepared mixture. |
| St. Lambrecht | SL-1: An event in inclusion of nitrocellulose (NC) or in addition of powdery additives initiates detonation. | A mechanical failure in the NC inclusion area. Or an operator error during inclusion of NC (introduction of foreign object or mechanical impact). Or a failure during the addition of powdery additives. |
| Pardubice | PA-1: A foreign object is created probably inside the separator distributor. | A mechanical failure or material fatigue in equipment that creates crack, chip or protrusion inside separator distributor. |


Fig. 5. Event & causal factor chart for the accident in Billy-Berclau.

Fig. 6. Event & causal factor chart for the accident in St. Lambrecht.

Fig. 7. Event & causal factor chart for the accident in Pardubice.

effects of mechanical deficiencies is known to be difficult and to require long term vigilance. Among others, it depends on long term human, process and equipment reliability and maintenance.

While initiating events were predictable and do not show gross errors in safety measures, it is noteworthy that in all three cases the initiation event was followed by unexpected escalation as summarised in Table 3. These unexpected escalations show that operating companies relied too much, first, on initiation prevention in critical operations, and second, on passive protection measures (safe distance,


Table 2
Root causes of developing causal factors.

| Accident | Causal factor | Root cause |
|---|---|---|
| Billy-Berclau | BB-4: Detonation kills the assistant of operator of cartridging machine. BB-5: Detonation kills the cleaner of the pyrotechnic waste. BB-6: Detonation kills maintenance technician at tunnel to workshop No 49. | Manage risk > Safe work practices > Maintain a dependable practice > Ensure consistent implementation. Manage risk > Conduct of Operations > Control Operations Activities > Control access and occupancy. |
| St. Lambrecht | SL-5: Flying fragment transmits detonation to a trolley in front of tipping house. | Understand hazards and risk > Hazard identification and risk analysis (HIRA) > Identify hazards and evaluate risks > Gather and use appropriate data to identify hazards and evaluate risks. |
| Pardubice | PA-2: Feeding the separator starts before the connecting pipe is empty. | Understand hazards and risk > Process knowledge management > Protect and update process knowledge > Protect against inadvertent change. Manage risk > Management of change > Decide whether to allow the change > Ensure that change authorizers address important issues. |

Table 3
Unexpected escalations.

| Accident | Unexpected escalation |
|---|---|
| Billy-Berclau | The deaths of an operator assistant, cleaner and maintenance technician should never have occurred. Two barriers (circulation routes and rules for workers from workshop to workshop, compliance to the schedule to ensure coordination) were designed to prevent the random entrance or proximity to Workshop 50 during cartridging operations and start-up. However, prohibition was not achieved due to a lack of communication and coordination, and an inadequate compliance with rules. It looks as if the necessary barrier should have been implemented automatically, without any effort (e.g. closing the access to the area). |
| St. Lambrecht | Secondary (and bigger) detonation inside the tipping house and death of the second worker should never have occurred. Nobody in this plant supposed that a detonation transmission could occur over a longer distance than the recommended quantity-distance (Q-D). It was probably a lack of knowledge: Q-D rules do not warrant absolute impossibility of transmission. They warrant only that the transmission is excluded with high probability but do not estimate how high this probability is. |
| Pardubice | Secondary (and bigger) detonation inside the building A55 and death of four workers should never have occurred. Originally, the design of the plant made the feeding of the separator impossible when the connecting pipeline between buildings A55 and A55/1 was open. After some 15 years of operation and 14 years before the accident, a new pipeline was added into the NGG dosing building. The new line made possible the feeding of the separator with an open connecting line. The safety issue that was hidden in this solution was not revealed. The use of the new pipeline was not restricted. Moreover, operators learned to use the new line regularly, many times per shift. |
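The interlock gap described for Pardubice (Section 2.4 and the Pardubice entry of Table 3) can be written down as an invariant that a management-of-change review checks before a new line is approved. The Python model below is an added example, not part of the article or of any plant documentation; it assumes a simplified state model (a state is the set of open valves, an interlock is a pair that cannot be open together) and uses the hypothetical names `Design`, `permitted_hazards` and `review_change`, with valve labels V1 to V5 taken from the article.

```python
"""Management-of-change check for a valve interlock set (added example).

Valve names V1..V5 and their roles follow the article's description of Fig. 4.
The model is a simplifying assumption: a state is just the set of open valves,
and an interlock is a pair of valves that can never be open together.
"""
from dataclasses import dataclass
from itertools import combinations


def pair(a, b):
    """An unordered interlocked pair of valves."""
    return frozenset((a, b))


@dataclass(frozen=True)
class Design:
    valves: frozenset            # every valve in the dosing building
    separator_inlets: frozenset  # valves that feed the separator
    bowl_outlet: str             # valve on the line towards the mixing bowl
    interlocks: frozenset        # pairs the hardware prevents from opening together

    def permitted(self, open_valves):
        """True if no interlocked pair is fully contained in the open set."""
        return not any(p <= open_valves for p in self.interlocks)

    def hazardous(self, open_valves):
        """Design intent: never feed the separator while the bowl line is open."""
        return (self.bowl_outlet in open_valves
                and bool(self.separator_inlets & open_valves))


def permitted_hazards(design):
    """Every valve state the interlocks allow that violates the design intent."""
    names = sorted(design.valves)
    found = set()
    for size in range(len(names) + 1):
        for combo in combinations(names, size):
            state = frozenset(combo)
            if design.permitted(state) and design.hazardous(state):
                found.add(state)
    return found


def review_change(before, after):
    """Compare two designs and report hazards that only the new one permits."""
    new_hazards = permitted_hazards(after) - permitted_hazards(before)
    required = sorted(
        (inlet, after.bowl_outlet)
        for inlet in after.separator_inlets
        if pair(inlet, after.bowl_outlet) not in after.interlocks
    )
    return {
        "approve": not new_hazards,
        "new_hazard_states": sorted(sorted(s) for s in new_hazards),
        "required_interlocks": required,
    }


# Original design: V1 is the only separator inlet and is interlocked with V4.
ORIGINAL = Design(
    valves=frozenset({"V1", "V2", "V3", "V4"}),
    separator_inlets=frozenset({"V1"}),
    bowl_outlet="V4",
    interlocks=frozenset({pair("V1", "V4")}),
)

# As modified: the new line adds V5 as a second inlet, with no new interlock.
AS_MODIFIED = Design(
    valves=ORIGINAL.valves | {"V5"},
    separator_inlets=ORIGINAL.separator_inlets | {"V5"},
    bowl_outlet="V4",
    interlocks=ORIGINAL.interlocks,
)

# Hypothetical corrected change: V5 gets the same interlock with V4 that V1 has.
WITH_INTERLOCK = Design(
    valves=AS_MODIFIED.valves,
    separator_inlets=AS_MODIFIED.separator_inlets,
    bowl_outlet="V4",
    interlocks=ORIGINAL.interlocks | {pair("V5", "V4")},
)

if __name__ == "__main__":
    for label, design in (("as modified", AS_MODIFIED),
                          ("with interlock", WITH_INTERLOCK)):
        print(label, review_change(ORIGINAL, design))
```

The review rejects the modification as installed because it permits states that the original interlock set excluded, and it names the missing V5/V4 pair as the condition for approval.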

barricades, concrete walls …). Some of the passive barriers had a latent deficiency (Reason, 1990) such as the expected “safe” distance to avoid sympathetic detonation. Some active mitigation measures such as the prevention of exposure of workers and the closure of the connecting pipeline were not adequately implemented on the day of the accident or maintained over the years. The Swiss cheese holes were ready (Reason, 1990) for “an accident waiting to happen”.

Learning from the routine analysis of initiating and developing events may be condensed into two routine lessons:

• Prevent foreign objects and mechanical failures that can initiate an explosion.
• Also pay attention to the barriers that mitigate the possible escalation. Other layers of protection are required to comply with the defence-in-depth principle.

Eventually, similar causes were identified for all three accidents. But they are not new for the explosive industry and, regrettably, seem to be too general. Until more specific recommendations are provided, root causes from Table 2 have to be used. They, however, are not very similar, and do not address similar problems in safety management. So, at first sight, it is improbable that routine learning from the Billy-Berclau accident could have helped to prevent or mitigate the two following accidents, or that the learning from St. Lambrecht could have helped to prevent the Pardubice accident.

4. External learning

4.1. A limited ability to learn from others

The three accidents occurred in a rather small industrial sector

of the explosive industry. Within the sector, the exchange of explosives incident information is performed quite extensively through a voluntary association SAFEX Int. since 1954. SAFEX represents a platform that aims at maximizing the potential to prevent or mitigate similar accidents in the future. The webpage of SAFEX states: “this is essential to maximize the learning potential of the incident information we acquire”.

Although SAFEX creates appropriate opportunity for learning lessons from external accidents in the industrial sector, relevant findings suggest that only a small part of this opportunity was exploited. Especially the second accident attracted attention in the third company but this impulse did not lead to systematic lessons learned. Even the two above-mentioned routine lessons seem to be deeper than real lessons learned which focused on marginal features of the accident. Probably only a limited ability to learn existed.

What conditions have to be met in an organization that wants to maximize the learning potential of the information about external accidents? What preconditions have to be met to help managers, operators and safety analysts to overcome the organizational deficiencies they did not handle or ignored for decades and ensure that lessons learned from previous accidents actually help to mitigate the next accidents?

4.2. Preconditions for deeper external learning

1. Policy, readiness and resources. Organizations need enough will, competencies and time to close external feedback loops. Generally they need adequate resources to be invested into learning from external events. The willingness to invest resources reflects the receptiveness of an organization to impulses for improvement and a general learning policy in relation to accidents. A readiness program can be initiated (Kingston et al., 2007;


ESReDA, 2009; see Fig. 11).

2. Organizations should share a common goal. Despite economic competition between businesses there are common interests in exchanging incident information and safety lessons especially in high-risk industries. The sentence “… in the eyes of the public the industry is one” is well-known in this context. An accident somewhere could have regulatory consequences in other countries (e.g. within the EU).

3. Organizations should acknowledge a paradigm shift. Accidents are not the sole product of human and/or technical failures. Although these are the direct causes of events, the scientific literature (e.g. Rasmussen, 1997; Reason, 1997; Dien et al., 2004) and major accidents investigations have shown for more than a decade that root causes originate in organizational factors (e.g. Cullen, 2000; CSB, 2007; CAIB, 2003). It might sometimes be difficult for managers to accept this idea since it means admitting that some mistakes can be made at each level of responsibility and that they are induced by the organizational and work conditions they contribute to setting. Thus, deeper problems may exist in the organization of safety management and the efficiency of regulatory control. These issues should be addressed.

4. More efficient analysis methods. Root cause analyses have shown their limits (Ferjencik, 2011, 2014; Dien et al., 2012). More advanced approaches, which identify underlying causes beyond what are traditionally called “root causes”, involve enhanced root cause methods for engineers and organizational analyses taking into account human and organizational factors with adequate specialists.

5. More frequent application of advanced methods. Although they should be seriously increased, resources for learning will always be limited; hence all incidents cannot receive the maximum analytical investment. Thus an optimization question is raised on how to maximize the learning and safety benefits and balance them with the costs for learning. Therefore a two-level approach may seem appropriate: first, for rather frequent incidents, an enhanced root causes analysis could be launched more often. Plants' engineers and technicians can be trained in the principles of these methods and supported by experts in the methods (Frei et al., 2003; Sklet, 2004). Secondly, for less frequent and serious incidents with deeper learning potential, an organizational analysis should be launched with the support of dedicated analysts who are at least experts in human and organizational factors, and safety and risk management (Dien et al., 2004, 2012; ESReDA, 2009).

5. Results from beyond the routine analysis

5.1. Lessons learned from Billy-Berclau

Unexpected escalation that is described in the first line of Table 3 highlights the prevention and mitigation of consequences of initiating event BB-1 from Fig. 5. Every carefully performed risk analysis in Billy-Berclau would certainly identify an undesirable explosion during cartridging as a possible initiating event of an accident scenario that cannot be neglected. This result would be followed by the efforts to prevent the initiating event and mitigate the development of an accident.

The term risk analysis was not known and the abbreviation QRA did not exist when the plant in Billy-Berclau was being built. Nevertheless, there is no doubt that designers of workshop 50 were aware of the non-negligible possibility of a detonation during the cartridging phase and the possible escalation of consequences. If they had not been aware, they would not have placed the cartridging workplace into a mounded building, and they would not have introduced control over foreign objects. Nor would any knowledge have arisen about the inappropriateness of movement of persons, whose presence is not necessary, in the vicinity of the cartridging machine.

However, the designer's intention to eliminate the presence of all superfluous persons in the vicinity of the cartridging machine, although recognized as a necessary operational condition, was not sufficiently projected into relevant operational instructions, and active or passive barriers. The schedule was a means of global coordination that was vulnerable to short and local adaptations to daily disturbances, therefore finally eroding safety requirements. The original designer's intention was lost.

Many years after the plant in Billy-Berclau had started its production, legislation flowing from the Seveso II Directive started to be applied. According to this legislation, one duty of an operating company is to develop a safety case report which includes, among others, the results of risk analysis (it then provides the basis to articulate the safety management system). The process safety oriented approach and the formal orientation of the safety management system did not become opportunities that triggered the addressing of daily disturbances, the strengthening of safety measures or efficient compliance. One can deduce that the opportunity for improvement which had been created by the legislative impulse from the Seveso II Directive was missed.

4.3. Underlying causes beyond root causes: a two level approach 5.2. Lessons learned from St. Lambrecht For the first step in the two-level approach, an example of a structured and systematic method for questioning safety management issues that seems to be able to reach enhanced results, is called IPICA_Lite (Ferjencik, 2014). The method represents a simplified version of the enhanced root cause analysis procedure from (Ferjencik, 2011). The application of IPICA_Lite e.g. to causal factor PA-2 (feeding of the separator starts before the connecting pipe is empty) would gradually proceed through a hierarchy of processes, and identify organizational causes in each of them, finally showing a deficiency in the process of the “preparation of management-of-change rules” that is supported by insufficient information in the safety documentation. Similarly, the analysis would lead to the result that the loss of awareness (sense of vulnerability according to CCPS, 2007) among middle managers, supported by insufficient information in the safety documentation that would have warned them against escalation, contributed to the escalation of the accident. A similar deeper underlying cause contributed to all three analysed accidents.

The unexpected escalation that is described in the second line of Table 3 followed after the initiating event SL-1 from Fig. 6. A carefully performed risk analysis in St. Lambrecht would certainly identify an undesirable explosion during NC inclusion or the addition of powdery additives as a possible initiating event of the accident scenario that cannot be neglected. This result would be followed by the efforts to prevent the initiating event and mitigate the development of accident. Although the St. Lambrecht plant had been built long before QRA started to be applied, there is no doubt that designers of dynamite production facilities were aware of the non-negligible possibility of detonation during the NC inclusion phase and the possible escalation of consequences. If they were not aware, they would not have placed the addition of additives into light, aboveground buildings, while mixing and tipping into heavy, underground bunkers with exhaust walls. Apparently, they attempted to make it impossible for a detonation to transmit from smaller and more sensitive explosive volumes to higher and less sensitive volumes during critical operations.


However, the designer's intention to implement this principle, which means also that the filled trolleys have to be hidden underground, has never been declared as a necessary operational condition. Hence, it has never been projected into relevant operational instructions. Since such a limiting condition did not exist, it was not reminded in everyday operation and training, and the existence of its intention was eventually forgotten and replaced by an illusory understanding of Q-D rules. The original designer's intention was lost, too.

Similarly as in Billy-Berclau, many years after the plant in St. Lambrecht had started its production, the duty to develop a safety case report which includes the results of a risk analysis started to be applied. The occurrence of the accident confirms that the intention to make the transmission of a detonation during critical operations impossible from smaller and more sensitive explosive volumes to higher and less sensitive volumes was not declared and projected into the operational condition before the accident. The opportunity for improvement which had been created by the legislative impulse was missed, too.

5.3. Lessons learned from Pardubice

The unexpected escalation from the third line of Table 3 resulted from the initiating event PA-1 (see Fig. 7) during NGG dosing. Risk analysis in Pardubice would certainly identify an undesirable explosion during NGG dosing as a possible initiating event of the accident scenario that cannot be neglected. This result would be followed by the efforts to prevent the initiating event and mitigate the development of an accident. Although QRA did not exist in time of construction of the plant in Pardubice, also in this case there is no doubt that designers of building A55/1 were aware of the non-negligible possibility of a detonation during the NGG dosing phase and the possible escalation of consequences. If they were not aware, they would not have made it impossible to feed the separator when the connecting pipeline between buildings was open.

However, the designer's intention to eliminate the feeding of the separator with an open connecting pipeline between buildings has never been declared as a necessary operational condition. Hence, it has never been projected into relevant operational instructions. Since such a limiting condition did not exist, it was not reminded in everyday operation and training, and was eventually forgotten and violated. The original designer's intention was lost, too.

Similarly as in Billy-Berclau and St. Lambrecht, the new duty to develop a safety case report did not change anything nor did the safety management system. The occurrence of an accident confirms that the intention to eliminate the feeding of the separator with an open connecting pipeline was not declared and projected into the operational condition before the accident. The opportunity for improvement which had been created by the legislative impulse was missed.

5.4. The lost memory of designers' intentions

Principles suitable for the mitigation of accident escalations were considered in all three companies. The safety principles were projected into facility design and implementation, and framed the operating envelope. However, the principles were not sufficiently explicitly formulated in specifications and made neither firm operational rules nor regulations, nor efficient active or passive barriers. So in the end they were skewed or forgotten. For details see Table 4. It may be concluded that in all three cases if the original intentions of the designers were projected into corresponding operational safety limits then the escalations of initiating detonations would have been prevented, and undesirable consequences would have been decreased substantially.

5.5. The missed opportunities and impulses for improvement

The 1996 European Commission Seveso II Directive on the prevention of major accidents in process industries came into force in all European countries at the turn of the 20th and 21st centuries. According to the directive, enterprises (including the three above mentioned dynamite production plants) had to compile a risk analysis and project it into the safety management system and emergency preparedness measures. It overlapped explosives manufacturing and storing regulations which already existed. Thorough risk analysis should have been capable of revealing weaknesses of all three companies. But no such updates or changes happened.

It is not a big surprise when you introduce a new safety document into an established and a fairly well-worn safety management system. Without making the safety report a principal source of safety fundamentals for other local regulations (content of fundamentals may be similar to that shown in Wincek, 2011) the introduction of a safety case report was not able to bring a positive change. Apparently, companies strive to meet new legislative requirements without significantly interfering with the established field practices. But if they are not motivated for a more meaningful approach, staying at the level of paper compliance or “checking the box mentality” with documents staying on the shelves, or diverting from the field to write the safety case report (Lecoze et al., 2005) for formal (paper) inspections, then such a legislative impulse results only in a lost opportunity for improvement.

5.6. Beyond-routine lessons

Some identified problems are localized deeper than in the results of the organization of the local safety management system where they would have been revealed by the root cause analysis.
The analysis shows that some components of the safety management system were inadequately designed and/or operated. Deeper organizational causes contributed to the development of accidents. In all three cases, the initiating event was followed by a similar pattern, an escalation leading to unexpected severe effects. The analysis attempted to explain how such a recurring deficiency in defence-in-depth occurred. The main lessons which are arising from the analysis are that the safety management dynamic was degraded due to two main reasons:

- A loss of memory of safety specifications during the operations,
- Missed opportunities and a loss of impulse for safety improvements.

Thus, similar underlying causes of the three accidents are identified in retrospect. They should but cannot be learned by routine analysis. They are not as ordinary as routine lessons in Section 3.4 but again seem to be too general. More specific recommendations standing behind these lessons are necessary. Without them it is impossible to decide whether this learning could help prevent/mitigate future accidents.

Table 4 Lost memories of designers' intentions.

Billy-Berclau: It was assumed that the general rule of limiting the random presence of other operators during critical operations would be sufficient through the implementation of two barriers (circulation routes and rules for workers from workshop to workshop; compliance to the schedule to ensure coordination). However, these principles did not become a hard operational rule, a physical limiting condition of safe operation (e.g. closing the area access; interrupt operation and coordinate with others in case of schedule slide).

St. Lambrecht: The designers placed NGG dosing and addition of additives into light aboveground buildings, while mixing and tipping into heavy underground bunkers with exhaust walls. Apparently, they attempted to make it impossible for the transmission of detonation from smaller and more sensitive explosive volumes to higher and less sensitive volumes. However, they did not emphasize that consequent implementation of this principle implies that the filled trolleys also have to be hidden underground. They did not warn against illusory understanding of Q-D rules. Such a warning was not projected into an operational limit that would have prohibited standing filled trolleys outside building 148.

Pardubice: The original plant design made impossible the feeding of the separator when the connecting pipeline between buildings was open. This principle was not made an operational limit. Eventually it became unintelligible. 15 years later it was forgotten and violated.

6. Discussion of lessons learned

Every industrial system is coping with factors that impact safety, both positively and adversely. The life of an industrial system, from a safety standpoint, can be seen as continuous tension between resilient organizational factors (ROF) and pathogenic organizational factors (POF). An accident occurs when POFs overtake ROFs (Dien et al., 2012; ESReDA, 2009). The beyond routine analysis of the underlying causes of these three accidents showed a few paths to mitigate the risk of safety degradation.

6.1. Avoid unlearning, keep memory

As for people, basically, not everything is useful to remember, and the hierarchy of important memories to keep is changed from time to time. However, the context of high risk industries puts some requirements on this issue. Although due to the accident cases, our focus has been on the relationship with what design memory to keep; the operational memory has to be kept and updated too. The main risk was well defined by G. Santayana (1905): “Those who cannot remember the past are condemned to repeat it”. Both fit in the historical dimension of learning (Dechy et al., 2013) toward the future but using the past knowns and known unknowns as fundamental safety issues to follow.

In all three accidents, there were gaps in safety documents (representing a part of the organizational memory) and in the coordination of tasks in a loose coupled system. Original designers' intentions were not incorporated within safety documents and translated to suitable coordination rules; hence they were not kept alive during the operation of processes. Such a deficiency represents a relatively deep and underlying disturbance in the local safety system that can remain unnoticed for a long time and that is difficult to be found by routine feedback.

What could be the possible recommendations? First of all, it basically requires designers' specifications to be documented in the design books. Additional efforts of traceability should be performed and include: the trade-offs and decisions made, the parameters, the data and the models used. Secondly, the design is made to match the nominal assumptions and critical accident scenarios. The translation of critical scenarios into safety principles and boundaries are the base of the design and operation safety envelope.
Safety fundamentals consist of critical scenarios and safety principles. This information should be part of the operation documentation too, used for trainings, consulted for any modifications and updated after any change. Thirdly, the lessons from incidents translated into the design should be part of procedure warnings. These recommendations do not seem that new (ESReDA, 2009; Leveson, 2004). Safety fundamentals represent critical parts of the realization of the safety management system pillars Understand Hazards and Risk and Manage Risk (CCPS, 2007). More detailed explanation of safety fundamentals is given in (Ferjencik, 2014).

Table 5 summarizes the safety principles deduced from the lessons that should be kept in these organizations' living memory. Individual critical scenarios and safety principles may be too specific to be transferred from one organization to others. But the approach within which the identification of critical scenarios and safety principles is considered to be unavoidable has a generic character and should be adopted by other organizations willing to learn from others.

However, these solutions have inherent limits. Kletz (1993) already warned us that “organizations have no memory, only people have”. So some actions (information, training, sharing practices, and former incidents discussions) should be performed to keep those safety fundamentals alive. Llory (1996) suggests relying on “pillars of experience” who are experienced system actors who keep the memory of the process performance and the incidents throughout the years.

Table 5 Items from safety fundamentals.

Billy-Berclau
Critical scenario: Detonation during start-up of cartridging machine and its development.
Safety principle: Only the operator of the cartridging machine is allowed to be present in or near workshop No 50 during start-up of machine.

St. Lambrecht
Critical scenario: Detonation during NGG dosing or during NC inclusion and its development.
Safety principle: All explosives present in stirring and tipping operations have to be permanently kept in underground buildings.

Pardubice
Critical scenario: Detonation during NGG dosing and its development.
Safety principle: Connecting pipeline between buildings that transports NGG to stirring is not allowed to be open when the feeding of separator is open.

6.2. Take advantage of opportunities for improvement

Organizations should keep being receptive to the impulses for improvements coming from their societal environment. In all three cases the operating companies missed the improvement impulse coming from new regulation. It is understandable that sometimes it is difficult for the organization after many years of operation to accept new requirements for a regulation as a stimulating and useful impulse, and to invest sufficient sources into the response. At the same time, it is understandable that sources of impulses for improvement are not limited to new regulations. At least two other sources of opportunities for improvement of safety management system can be identified:

- internal experience, and
- external experience.

Except for Billy-Berclau (Lecoze et al., 2005), we lack details about how internal learning from undesirable events was organized in the three dynamite production plants. Unsystematic findings indicate that internal feedback should deal with larger amounts of minor incidents. Anyway, the occurrence of accidents testifies that undesirable events exposing the weaknesses in the mitigation of accident initiation consequently either did not occur or remained unnoticed. Adequate impulses from internal feedback apparently did not arise in the investigated production plants. Internal feedback did not provide an opportunity to improve the prevention of accidents caused either by mismanagement or by lack of strong signals available internally (e.g. Billy-Berclau).

The three accidents were sufficiently severe to be known abroad within the dynamite manufacturing industry. The Billy-Berclau accident represented an opportunity to improve process safety in St. Lambrecht and Pardubice. The St. Lambrecht accident was an opportunity for Pardubice management. It is known that the St. Lambrecht accident generated a lot of interest in the Pardubice plant. The attention was focused on the fact that a sympathetic detonation occurred. It cannot be expected however that a routine analysis of the event would have led to the mitigation of the Pardubice accident. The analysis would have probably focused on the possibility of an escalation beyond the Q-D rules, especially on the escalation caused by flying fragments under open sky. But the cause which was similar to the cause in Pardubice was lying deeper than the root cause analysis was able to capture. It is probable that using the results similar to Table 2 would be another lost opportunity to improve the prevention.

As shown above, besides the fact that the organizations have to be motivated enough to take advantage of opportunities for improvement, they also have to be sufficiently competent to exploit the possibilities offered by the opportunities. That is why improving the method for learning should be recommended, too.

6.3. Exploit the potential of external lessons learned

Presumably, if the previous beyond-routine lessons-to-be-learned had been deduced after the first accident, and if they had been learned (i.e. taken seriously enough), they would have substantially mitigated the consequences of both following accidents. This conclusion means that beyond-routine lessons have to be learned in order to bridge the existing gap between the routine learning and learning that is necessary to mitigate potential following accidents. Routine learning addresses deficiencies in the results of the organization of a safety management system. Beyond-routine lessons or lessons to be learned should address deficiencies in the organizational process itself which also includes daily safety management. They would go deeper in the daily real work circumstances, work practices and in the overall organizational network (hierarchical and vertical, horizontal and transversal, see Dien et al., 2012; Dechy et al., 2013), and in the history of decisions, to the level on which learning from past accidents has the potential to prevent or mitigate similar accidents in the future.

Although (more or less detailed) information about accidents had been sent to SAFEX, the achievable potential of this information platform seems to remain unexploited. The existence of three accidents from dynamite production plants with certain similarities may support the assumption that the learning potential was not maximised in the described case. SAFEX exchange platform provides the information, but it is the analysis of available information and the potential lessons to be learned that could maximize their learning potential. The example of these three accidents shows that external learning potential can remain invisible if the analysis progresses only to the routine learning. In this case detailed routine lessons did not seem to recur. Thus they distract attention into different directions and make the exploitation of the potential of a platform for information exchange harder. However, if the analysis progressed to the beyond-routine learning, some lessons would be recurring, and the learning potential would be more visible and exploitable. Therefore a more thorough approach of learning from external events is necessary for this purpose. SAFEX could promote it towards its stakeholders.

6.4. Organizational lessons

The resulting organizational lessons (see Table 6) could be more able to prevent destructive escalations since they do not stick to deficiencies in the shape and content of the safety management system, but tackle some deficiencies in the underlying organization of safety management and the history of decisions (e.g. in design). Some of them could be translated into safety management system activities, but the underlying rationale is that if the procedural and rule-based approaches fit well with the safety management system, the informal daily trade-offs are hardly addressed.

Table 6 Organizational lessons.

Keep the memory of designers' intentions:
- by transforming the intentions into the identification of critical scenarios and safety principles, and
- by consistently using them during the operation and management of change.

Take advantage of opportunities to improve:
- by taking regulatory changes as strong signals to upgrade,
- by learning from near-misses for existing plants, and
- by learning from external accidents.

Learn to realize deeper learning from near misses and external accidents:
- that goes deeper than routine root cause analysis, and
- that is able to identify organizational causes in design and operation of daily safety management.

7. Conclusions

7.1. Lessons learned from previous accidents could help

The lost memory of designers' intention in three accidents has shown how insidious (and hard to notice) safety degradations can be. Degraded organizational dynamics should ultimately question the issue of continuous improvement advocated by managers inspired by Quality Management principles which can become an illusion. Missed opportunities for improvement increased the gap between real safety and the safety level required to operate those processes. Theoretically, the path for reliability and safety improvements is permanently open during the operation period of a system. Along with their commitment to safety, the management and decision makers accept, from time to time, to make strong and costly improvements when a strong enough impulse is created. These impulses may come from legislation asking for deeper risk analysis but it was hardly the case for three analysed plants. Therefore, the remaining principal sources of strong impulses are undesirable events which expose safety management weaknesses.



Otherwise, an “incubation period” (Turner and Pidgeon, 1997) has likely started meaning that some signals of potential danger are not treated accordingly preparing the scene for “an accident waiting to happen”. A limited ability to learn is demonstrated by a gap between the routine lessons and the organizational lessons-to-be-learned. This questions the suitability of analysis methods; and calls for deeper approaches, which would be suitable to maximize the learning potential of accidents. It is concluded that the lessons learned from the first accident could have helped to prevent or mitigate those that followed. However, the achievement of sufficient ability to learn is impossible without a substantial improvement in the approach to learning.

7.2. Need for the improved lessons learning

The discussion in Section 4 identifies five preconditions, fulfilment of which seems to be necessary. If the organizations in the explosive industry do not want continuous improvement to be a mere illusion, they should learn to implement deeper learning especially from external events. It becomes obvious that SAFEX could strengthen its enabling role but it would also require operators to better use SAFEX and its network.

Several specialists (e.g. Kletz, 2001) have stated that in order to conduct analysis into the underlying causes one should not stop asking why; though analysts may apply “stop rules” (Rasmussen, 1988; Hopkins, 2003) and have difficulty addressing “taboo subjects” (Sagan, 1994), they also could face epistemological barriers (Dien et al., 2012). Indeed, when there are deeper deficiencies undermining the potential performance of the local safety management, root cause analysis will face limits with the identification of underlying causes since they should search deeper into the organization beyond the safety management system activities (e.g. Lecoze et al., 2005) with dedicated methods and analysts (Dien et al., 2012).

A two-level approach is recommended in Section 4 based on the understanding that events with higher learning potential need a more thorough analysis method. Usually the fact, whether the accident has lower or higher learning potential, comes out gradually during the analysis. Therefore, the most efficient “ideal” analysis method should be able to accommodate its analysis tools depending on the symptoms of higher learning potential. Indication that deficiencies in process managers' safety culture contributed to a causal factor may be an example of such a symptom.

Although a method such as IPICA_Lite may be very useful in the identification of underlying causes, it should not be considered almighty. Methods of investigation of causes of accidents and learning are based on some assumptions and underlying models of accidents and safety (e.g. ESReDA, 2009; Lundberg et al., 2009). The translation of these worldviews and expectations into a set of functions, items, relationships such as predefined causal trees (classical example is MORT, see NRI, 2009) has a prescriptive effect of what should be implemented to prevent accidents. This prescriptive effect is known and rather efficient by giving objectives to the required fixes. However, it focuses on the results of organizational processes rather than on the underlying causes (Dien et al., 2012). In order to be convinced by the added value of in-depth analysis, reading practical examples (Cullen, 2000; CSB, 2007; CAIB, 2003) seems to be the best solution.

7.3. Need for the managers' commitment

Three accidents in dynamite production plants occurred in Europe. The last conclusion from this bitter experience is identical to what was expressed by (Zhao et al., 2014) for the situation in China: Important progress in accidents risk reduction requires a commitment to learn from past accidents. Lesson learning does require a high self-learning capability.

References

Cullen, W.D., 2000. The Ladbroke Grove Rail Inquiry, Part 1 & Part 2 Reports. Norwich [Lord]. HSE Books, Her Majesty’s Stationery Office.

CAIB - Columbia Accident Investigation Board, 2003. Report Volume 1. National Aeronautics and Space Administration, Washington DC. Available from: http://caib.nasa.gov.

CCPS - Center for Chemical Process Safety, 2003. Guidelines for Investigating Chemical Process Incidents, second ed. American Institute of Chemical Engineers, New York.

CCPS - Center for Chemical Process Safety, 2007. Guidelines for Risk Based Process Safety. American Institute of Chemical Engineers, New York.

CSB - US Chemical Safety Board, 2007. Investigation Report, Refinery Explosion and Fire, BP - Texas City, Texas, March 23, 2005. Report No. 2005-04-I-TX. Available from: www.csb.gov.

Dechy, N., Rousseau, J.-M., Jeffroy, F., 2011. Learning lessons from accidents with a human and organisational factors perspective: deficiencies and failures of operating experience feedback systems. In: Proceedings of the EUROSAFE 2011 Conference, Paris. Available from: http://www.eurosafe-forum.org/.

Dechy, N., Dien, Y., Funnemark, E., Roed-Larsen, S., Stoop, J., Valvisto, T., Vetere Arellano, A.-L., 2012. Results and lessons learned from the ESReDA's accident investigation working group. Saf. Sci. 50, 1380-1391.

Dechy, N., Dien, Y., Llory, M., 2013. Towards a new knowledge and culture of accidents in order to avoid the recurrence of accidents. In: Proceedings of the 45th ESReDA Seminar, Porto, Portugal, October 23-24, 2013.

Dien, Y., Llory, M., Montmayeul, R., 2004. Organisational accidents investigation: methodology and lessons learned. J. Hazard. Mater. 111, 147-153.

Dien, Y., Dechy, N., Guillaume, E., 2012. Accident investigation: from searching direct causes to finding in-depth causes. Problem of Analysis or/and of Analyst? Saf. Sci. 50, 1398-1407.

Drupsteen, L., Groeneweg, J., Zwetsloot, G.I.J.M., 2013. Critical steps in learning from incidents: using learning potential in the process from reporting an incident to accident prevention. Int. J. Occup. Saf. Ergonomics 19, 63-77.

ESReDA, 2009. Guidelines for Safety Investigation of Accidents. Available from: www.esreda.org.

ESReDA, 2015. In: Marsden, E. (Ed.), Barriers to Learning from Incidents and Accidents. Available from: www.esreda.org.

Ferjenčík, M., 2011. Nejpravděpodobnější scénář a příčiny havárie z 20. 4. 2011 na základě zhodnocení informací zjištěných vyšetřovací komisí. Univerzita Pardubice, Fakulta chemicko-technologická, Ústav energetických materiálů.

Ferjencik, M., 2011. An integrated approach to the analysis of incident causes. Saf. Sci. 49, 886-905.

Ferjencik, M., 2014. IPICA_Lite - improvements to root cause analysis. Reliab. Eng. Syst. Saf. 131, 1-13.

Ferjencik, M., Dechy, N., 2013. Three accidents in European dynamite production plants: the lost memory of designers' intention and the lost opportunities for improvement. In: Proceedings of the 45th ESReDA Seminar, Porto, Portugal, October 23-24, 2013.

Frei, R., Kingston, J., Koornneef, F., Schallier, P., 2003. Investigation tools in context. In: Proceedings of the JRC/ESReDA Seminar on Safety Investigation of Accidents, Petten, The Netherlands, May 12-13, 2003. Revised version available from: www.nri.eu.com.

Held, M., 2012. Investigation Report No. IR 857. SAFEX International.

Hopkins, A., 2003. Lessons from Longford. The Esso Gas Plant Explosion, seventh ed. CCH Australia Limited.

Hopkins, A., 2008. Failure to Learn, the BP Texas City Refinery Disaster. CCH.

Kingston, J., Frei, R., Koornneef, F., Schallier, P., 2007. Defining Operational Readiness to Investigate - DORI White Paper - NRI/RoSPA. Available from: www.nri.eu.com.

Kletz, T., 1993. Lessons from Disaster: How Organizations Have No Memory and Accidents Recur. Gulf Publishing Company, Houston.

Kletz, T., 2001. Learning from Accidents, third ed. Butterworth-Heinemann, Oxford.

Lecoze, J.-C., Dechy, N., Lim, S., Leprette, E., Branka, R., 2005. The 27 March 2003 Billy-Berclau accident: a technical and organisational investigation. In: 2005 AIChE Spring National Meeting Conference Proceedings, pp. 4563-4591 and Proceedings of the Center for Chemical Process Safety, 39th Loss Prevention Symposium, 6d, pp. 457-485.

Leveson, N.G., 2004. A new accident model for engineering safety systems. Saf. Sci. 42 (4), 237-270.

Llory, M., 1996. Accidents industriels: le coût du silence, Opérateurs privés de parole et cadres introuvables. Editions L'Harmattan, Paris.

Lundberg, J., Rollenhagen, C., Hollnagel, E., 2009. What-You-Look-For-Is-What-You-Find - the consequences of underlying accident models in eight accident investigation manuals. Saf. Sci. 47, 1297-1311.

NRI - Noordwijk Risk Initiative Foundation, 2009. MORT, Management and Oversight Risk Tree. Available from: www.nri.eu.com.

Paltrinieri, N., Dechy, N., Salzano, E., Wardman, M., Cozzani, V., 2012. Lessons learned from Toulouse and Buncefield disasters: from risk analysis failures to the identification of atypical scenarios through a better knowledge management. Risk Anal. 32 (8), 1404-1419.

Perrow, C., 1984. Normal accidents - Living with High-risk Technologies. Princeton University Press, Princeton, New Jersey.

Rasmussen, J., 1997. Risk management in a dynamic society: a modeling problem. Saf. Sci. 27, 183-213.

Rasmussen, J., 1988. Human error mechanisms in complex work environments. Reliab. Eng. Syst. Saf. 22, 155-167.

Reason, J., 1990. Human Error. Cambridge University Press.

Reason, J., 1997. Managing the Risks of Organizational Accidents, Ashgate, Aldershot.

Sagan, S., 1994. Toward a political theory of organizational reliability. J. Contingencies Crisis Manag. 2 (4), 228-240.

Santayana, G., 1905. The Life of Reason: Reason in Common Sense. Scribner’s.

Sklet, S., 2004. Comparison of some selected methods for accident investigation. J. Hazard. Mater. 111, 29-37.

Turner, B., Pidgeon, N., 1997. Man-made Disasters, second ed. Butterworth Heinemann.

Wincek, J.C., 2011. Basis of safety: a concise communication method for critical process safety information. Process Saf. Prog. 30, 315-318.

Zhao, J., Suikkanen, J., Wood, M., 2014. Lessons learned for process safety management in China. J. Loss Prev. Process Industries 29, 170-176.