“Panic is a natural response to danger, but it’s one that severely compounds the risk.” — David Ignatius
At 2:30 am, on Saturday, October 2, 2021, a split in the San Pedro Bay Pipeline began discharging oil into the Pacific Ocean off the coast of California. Low pressure alarms in the control room indicated that there was a breach. It took Amplify Energy Corporation until 6:01 am to shut the pipeline down and until 9:07 am to report the release.
A Delay in Responding
Initial reports estimated that over 3,100 barrels of oil was released. This from a rig that was producing about 3,600 barrels per day. Weeks later, the estimate was revised down to 600 barrels, consistent with about four hours of production.
This suggests that if operators had shut down on low pressure, at 2:31 am, the release would have been a few barrels, not a few hundred barrels. But they didn’t. Despite a stated policy in Amplify’s response plan that “In General – For Spill Response – Do Not Delay. Plan Ahead. Over-respond and stand down if necessary. Do not get behind on the curve,” operators in the control didn’t feel like they had the authority to shut down the pipeline.
Instead, at 2:30 am on a Saturday morning, they called higher ups to get permission to shut down. It didn’t come for over three hours as managers who were not on the scene dithered. Then, after shutting the pipeline down, they took another three hours before reporting the spill.
It is not unusual for companies to dither about shutting down—about pushing the emergency stop button—when there is uncertainty about whether there is really an emergency. After all, there are real costs associated with an unscheduled shutdown, and real hazards with starting back up.
Worse, some alarms are false alarms. If the incident investigation later determines that the shutdown was the result of a false alarm, it’s not unusual for the e-stop to be referred to as the “panic button” and to chastise whoever pushed it for panicking.
One of the most disturbing aspects of the Deepwater Horizon disaster in the Gulf of Mexico that began with a blowout and explosions on April 20, 2010, is the response, or lack of it, by managers on the rig. The rig was on fire, bigger than they could put out, so there was no uncertainty about the peril they were in. Despite their awareness of “the big picture”, or perhaps because of it, they hadn’t called for help.
It was Andrea Fleytas, a 23-year-old third mate recently graduated from the California Maritime Academy who noticed that no one had issued a distress call and got on the radio to call “Mayday.” Was she congratulated for her presence of mind? No. The captain of the rig reprimanded her, demanding “Did I give you authority to do that?”
Regardless of policies that state that employees are empowered to stop work if they believe that conditions are unsafe, the message that many employees get is that they do not have that authority, and that they will be punished if they attempt to use it.
The “Get-Fired” Button
During a conversation with a group of chemical plant operators, I heard something really disturbing. I was curious about emergency response, and whether they had been trained on what pushing the emergency stop button would trigger. “The e-stop button? Oh, you mean the ‘get-fired’ button.” They went on to tell the story of an operator who had concluded that conditions were unsafe and pushed the e-stop button. The plant shut down. The subsequent investigation determined that conditions hadn’t really warranted a shutdown, and the operator was let go. Not for pushing the e-stop button, but for something that the other operators all considered a pretext.
One operator commented. “We have seconds to make a decision that might affect our lives and the lives of the people we work with. Then they take weeks to do an investigation and determine that we made the wrong decision. Hell no, I’m never pushing that damn ‘get fired’ button.”
Some e-stop buttons are required by code or regulation. The NFPA boiler codes require manual e-stops. Many facilities install them, even when not required by code. How much do they reduce risk? They don’t. Automatic responses can reduce risk, but e-stop buttons, even if they work perfectly, will do nothing if no one is willing to push them. Time and again, incident investigations show that people really do not feel empowered to shut the plant down, to push the e-stop button. No one want to be the person who panicked.
Don’t Take Credit for E-Stops
Is there any harm in installing an e-stop button? No, not when it is well-maintained and personnel are trained on its use and its function. If it is not well-maintained, so there is no assurance it will work as designed when pushed or if personnel have incorrect expectations about what it will do when pressed, however, an e-stop is not helpful and may increase the risk of the facility. Regardless, no one should count on an e-stop button being pushed in an emergency, especially if the unspoken message in the organization is that pushing the button will have repercussions—if personnel think of the e-stop button as a “get fired” button.
During the risk assessment portion of a process hazard analysis or a layer of protection analysis, it is perfectly reasonable to acknowledge that an e-stop exists. Just don’t take any credit for it.