The Petrobras 36 platform was an offshore floating semi-submersible oil platform, and in 2001 was the largest in the world. The platform was constructed by the company Petrobras, a semi-publicly owned oil and gas company originating in Brazil. The platform was stationed 80 miles off the coast of Brazil in the Roncador Oil Fields. On March 15, 2001, the platform suffered catastrophic failures that resulted in two explosions, deaths of 11 people, and a complete loss of the platform.
== Mechanical Errors ==
=== Contributing Factors ===
The first major contributing factor that resulted in the loss of Petrobras Platform 36 is issues with the placement of the Emergency Drain Pipe (EDT). The EDT was not properly aligned, and was therefore led to the production header as opposed to the production cassion. This is what allowed for hydrocarbons to get into the starboard EDT.The Second Major Contributing factor is how long it took to activate the port EDT drainage. This caused a wait to release the hydrocarbons. With this came a failure in ventilation dampers, this allowed for more water to enter, flood the starboard column and the floatation devices used.
=== Poor Design Placement of Safety-Critical Paths ===
The first major mechanical failure of the platform came from the poor placement of the EDT. The placement of the EDT was placed close to a seawater pipe running up one of the main support columns. By having these two components close to one another there is a common failure point created, increasing the risk for more issues. Once the failure occurred in the EDT the problem was compounded by rupturing the seawater pipe. With the pipe being ruptured it was unable to help support the fire fighting effort. This design flaw considered major and led to a search for the hazard analysis report after the accident, when none was found there was concern that no report was ever generated.
=== Component Failure Without Backup ===
The second major mechanical flaw was the improper backups for key component failures. The intake valve connected to the starboard aft EDT, supposed to isolate it, had no redundancy for leaks. Since the drainage pump for this EDT was removed for repair, together they caused the over-pressurization of said EDT and led to the first explosion of this EDT. Later, the seawater pump short-circuited due to the flooding, contributing to the flooding of the starboard aft column and pontoon. Valves to the sea were also fail-set and locked in the open position.
=== Alarm System ===
The third major mechanical failure was the alarm system. The platform had 1,723 alarms that were triggered in a span of 17 minutes. The issue that arose from this is that the alarms had no priority system. This meant that without precise knowledge of alarms, and which should be examined first, there was no way of going to the biggest issue. This led to confusion and prevented an efficient method of correcting the issues.
== Latent Management Issues ==
=== Prioritizing Profit ===
Petrobras restructured to a new organizational model in the early 2000s, emphasizing business units and meeting targets. This caused many questionable decisions in the management that indirectly contributed to the incident.
The platform was not finished at the moment of the accident, and the assembling of equipment was carried out in parallel with production activity because of the shortened deadlines for the production targets. The company also cut corners in many security practices. They postponed many maintenance jobs, and cut costs in prescriptive engineering, inspections, and quality requirements. Managers on the rig reported several problems in the pipes days before the accident and recommended a temporary shutdown to change the equipment, but they were ignored by the head office. Profit-oriented plans also led them to use more poorly trained contractor workers, relying on safety mechanisms to fill knowledge gaps from lack of training, but the contractors would frequently misuse equipment. By design, the drains storage tank should only be used in emergency draining, but they are used frequently like in this incident for convenience. Draining water through the production header was also not recommended when they should discharge water directly into the sea, which is also one of the main causes of contaminated water flowing into the starboard aft tank. The manholes to the starboard aft column and the stability box were left open due to an inspection of crack repairs from a previous day. This led to the flooding of the column, and due to its large volume, decisively sunk the platform.
=== "Humans are the weak link" ===
In the early 1990s, as complex technical systems expanded, their reliability stagnated or even decreased. In normal times, the systems are managed automatically, but in cases of emergency, operators are called in despite they had lost their expertise and context information about such emergency because the system had been managed automatically. Companies taking this position viewed human factors as the "weak link" in a complex system, the primary source of unreliability, and aimed to replace all human intervention. It is evident that Petrobras took this position in designing their oil platforms, and the onboard operators are disconnected from the system by the automated computers.
After the first explosion, the operators had no information about the accident site. An operator from the platform reported that "it was difficult to determine what had happened", so they had to send in a brigade to investigate. Their command to send in the fire brigade was a risky one, and all 11 people killed during the second explosion are from the fire brigade. They had no sensors to back their operations in the starboard aft column, and the "communication was faulty" with the rig's command. The thousands of alarms contributed further to the confusion of operators. Under normal conditions, these could be dealt with by sequentially following appropriate procedures, even with little training. However, this lack of training left contractors uninformed as to which alarms should be prioritized and safety procedures that should be followed during a catastrophic failure of this scale.
== General Ethical Lessons ==
=== External Regulation vs. Self-Regulation ===
The balance of external regulation (via governmental agencies) versus self-regulation (within an industry or company) is a common conflict between industries and government. Increases in technological complexity and scope of industrial projects likewise raise the workload of regulatory agencies that review these projects. Industrial self-regulation (ISR) is often used to lower this workload, with the assumption that companies are more knowledgeable about their own products and can thus best judge whether they are safe. Supporters of ISR argue that corporations benefit from a reputation of quality and are thus already incentivized to strive for safety. With ISR, regulatory agencies allow industries to police themselves while they willingly act in the public’s self interest, with threat of regulation if they cause public harm. In practice, self-regulation can lead to cost-cutting in critical areas, providing increased profits to corporations while no serious accidents occur in spite of these violations. Without guidance and incentives from regulation, the results of accidents serve as the only negative incentives, leading to a safety and quality management system that is reactive rather than preventive. When accidents reveal deficiencies in ISR policies, agencies pass external regulation, introducing review procedures with guidelines for approval.Prior to this accident, Brazil’s petroleum industry was entirely self-regulated with regards to risk assessment and inspection, with no formal plan in place. Since then, Brazil’s National Petroleum Agency (ANP) performed a benchmarking study alongside agencies in other countries, leading to Resolution No. 43/2007. This law establishes an Operational Safety Management System (SGSO) with 17 Management Practices (MP) in categories of leadership, installation, and operational practices. Each practice is intended to prevent a repeat of factors present in a noteworthy accident. MP 15, regulating Operational Procedures, is the direct result of P-36’s sinking.
=== Automation and Expertise ===
Professionally responsible automation should augment human labor without replacing, overriding, or neglecting human expertise and the process of development thereof. If automation is relied upon too heavily, it can limit capabilities for developing expertise beyond the system’s constraints, thus creating dependency on the system. This allows cost-cutting businesses to hire technological system supervisors rather than experts. This can save money if all systems remain functional, but it risks creating a single point of failure in the automated system. Using automation to assist expertise can remove tedium to redirect expertise towards more important tasks. However, replacing expertise with automation shifts reliance from expertise at the site of work (an immediate, first-hand source of expertise) to the expertise of remote programmers who likely do not perform the work directly (a distant, second-hand source of expertise).With Platform 36, expertise of safety engineers was pushed aside in favor of automation of safety mechanisms. Rather than hiring more engineers, Petrobras hired contractors, and rather than thoroughly train them, Petrobras relied on safety mechanisms to fill knowledge gaps from lack of training. After the explosion, over 1000 alarms designed to notify workers of problems were triggered in close succession. Under normal conditions, these could be dealt with by sequentially following appropriate procedures, even with little training. However, this lack of training left contractors uninformed as to which alarms should be prioritized and safety procedures that should be followed during a catastrophic failure of this scale.
== Conclusion ==
Due to limited access to primary sources, and partly due to the role of operators replaced by digital systems, we couldn't provide more details on the mistakes from the company managers. If given access to further resources, future work could add more details on how those mistakes contributed to this incident. Another direction of expansion could focus on similar accidents where human operators fail to respond to emergencies due to machine intervention.
== References ==