Post on 15-Nov-2018
Dam rupture accident model
Ildeberto Muniz de Almeida
Acknowledgements: AFT Mário Parreiras, AFT Ivone C Baumecker
Hierarchy of Safety Control Structures
[Figure: hierarchical control structure diagram. Recovered labels:]
• Levels: Government, policies & budget; Regulatory bodies, unions and associations; Local government, planning & budget; Company management and planning; Physical process and actor activities; Equipment & surroundings
• Government and regulatory actors: Ministry of Labour and Employment (MTE); MTE audit; Surveillance sector (MS - SUS); Ministry of Mines & Energy; Ministry of the Environment; CREA; employer and employee unions; Environment Unit (FEAM)
• Company actors: company policies and practices; company manager; approval and management of the dam project and of its raising; management of dam construction and raising; occupational health and safety (SST) management; dam operation management; mine production management; environment unit
• Physical process: truck drivers; operators of excavators and heavy machinery
Hierarchy of Safety Control Structures and constraints
[Figure: the hierarchical control structure diagram, with the same levels and actors as the first hierarchy diagram and the control constraints between them added. Recovered constraint labels:]
• National policy; environmental (M-A) legislation; occupational health and safety (SST) legislation
• Design of audit / surveillance policies and strategies; design of audit policies and strategies
• Approval of construction and raising projects (Yes / No)
• SST policy; external audits, inspections and accident analysis; local/regional environmental policy
• RIMA; ART; submit projects
• Good techniques; internal dec., supervision, audits, accident analysis and surveillance
• Control of Ql; supervision of percolation; supervision of tailings ("rejects") injection
• Dam conditions, supervision of implementation / raising plans
• Good-technique aspects: safety standards, geotechnical studies, structural calculations, percolation system, risk analysis, etc.
• Project
Determination of the inadequate control actions that failed to maintain the necessary safety constraint
Hierarchy of Safety Control Structures, constraints ("enforcements") and local adaptations
[Figure: the hierarchical control structure diagram, with the same levels, actors and constraints as the previous hierarchy diagrams; asterisks mark the local adaptations. Recovered labels for the adaptations:]
• Project not submitted
• Lack of adherence to good-technique aspects
• Failure in the layout of drain pipes; raising done on top of an area already raised
Adaptation: map of the accident analysis according to Rasmussen's suggestion.
[Figure: accident map. The arrows and the Yes/No branch taken at each decision node are not recoverable; the text labels are listed below.]
• Levels: Government, policy & budgeting; Regulatory bodies & associations; Local area government, planning & budgets; Company planning & management; Physical process and actor activities; Equipment & surroundings
• Policy and context boxes: National policy; General environment protection requirements; National Envir. Protection Policy; National work Health & Safety guidelines & policy; Design of HS audits policy / strategies; Design of E audits policy / strategies; Design of HS policy / strategies; Budgets; Regional and local policy (objectives, priorities, resources, etc.): audits, inspections and accident analysis; Local or regional environmental policy; Competence & education
• Decision nodes (Yes / No): Dam construction/raising project approval?; Dam raising safety plan effective?; Resources and staff effective; Int. Safety Env. plans and oversight effective?; Management, environmental and safety policy and practices effective?; Worker's plan effective?
• Conditions: Only architectural project had been elaborated; Project not submitted to Min; Previous FEAM inspections detect no problems in dam project or execution; No HS inspection during dam raising; No percolation project; No study about geotechnical stability; Dam's percolation isn't supervised; Failure in layout of drain tubes; Wall heightened 13 m over the planned; Delay in problems recognition; Dam instability; Reject is being pumped into trench 1; Trucks and "tracked excavator" are over dam's wall; Workers and equipment over the dam's wall
• Critical events: Dam raise is made over area already raised; Dam wall infiltration
• Outcome: Dam rupture. 3 trucks, 1 tracked excavator are destroyed; the river is affected; 1 Km area is covered by rejects; 5 workers died
Determine the various explanations for the
inadequate control based on the standard
components of a control loop
Control loops and failures in establishing and in "enforcing" prevention measures
1. Dam project control loop – company planning and management level:
  1. Failure in requesting projects (project manager)
  2. Failure in designating the person responsible for the project
    1. Recent graduate
  3. Failure in supervision/follow-up of the project (Environment Unit (UM-A); SST management (GSST); company management ...)
    1. Architectural project only
    2. Absence of: structural calculations; geotechnical study; percolation project; hazard and risk analysis
  4. Failure to define the variables to be monitored during project execution and dam operation:
    1. No control of percolation and infiltrations
...
Failures in control loops for enforcing prevention measures
• Government–Company loop:
– No one responsible for approving the dam project
• Regulator (CREA)–Company loop:
– Checks only the profession of the person responsible for the project.
Failures in control loops for enforcing prevention measures
• Company manager / production management:
– Failure to make the process model explicit (whom to designate and what to ask for regarding the dam to be built?) and;
– Models of system behaviour (Is the risk of rupture considered? How is it controlled?)
– Failure in defining process feedback.
• Project development and execution manager
– Failure to define the variables to be monitored during construction, raising and operation of the dam
Possible Partial Control Diagrams to Dam project (1, 2 and local adaptation)
[Figures: three control loop diagrams sharing one layout. Recovered labels:]
Labels common to the three diagrams:
• Company manager or dam operation management: models of process; models of the system behaviour
• Second box (differs per diagram, see below): model of process; model of interfaces: good techniques, health, safety and environmental compliance
• Demand of project
• Reports and formal communication
• Process inputs: press bottom
• Variables controlled: structural calculations, geotechnical analysis, plans for percolation and control of infiltrations, hazard analysis, evaluation of stability of dam wall, etc.
• Process: dam raising
• Hazards: dam rupture, material loss, environmental impact
• Constraint: percolation monitoring, raising inspections, etc.
• Actuators: no automatic devices
• Disturbances
Labels that differ:
• Diagram 1: Project development manager. Dam construction and raising projects. Feedback: reports about project development and final project. Process output: projects (partial or final).
• Diagram 2: External project development manager. Other labels as in diagram 1.
• Local adaptation: External engineer hired to sign dam / raising project. Dam construction and raising projects signed. Feedback: reports about final project. Process output: project signed by external engineer.
Possible Partial Control Diagram to Dam construction and oversight - 1, and its local adaptations
[Figures: two control loop diagrams sharing one layout. Recovered labels:]
Labels common to both diagrams:
• Environmental controllers: model of process: emphasis on environmental impact; model of interfaces: "in situ" (mainly oversight of environmental rules compliance). Secondary (?) aspects may involve percolation, infiltrations, documentation analysis, etc.
• Dam operation management: models of process; models of the system behaviour
• Are there environmental risks?
• Reports and formal communication
• Process inputs: press bottom
• Variables controlled: percolation conditions, infiltrations, hazard analysis, stability of dam wall, etc.
• Process: dam raising
• Hazards: dam rupture, material loss, environmental impact
• Constraint: percolation monitoring, raising inspections, etc.
• Actuators: no automatic devices
• Disturbances
Labels that differ:
• Diagram 1: Demand of control. Environmental rules compliance. Feedback: reports about compliance or no compliance, possible consequences. Process output: if yes, establish recommendations or procedures and present to dam operation management or other responsible.
• Local adaptations: No demand about control. Oversight of environmental rules compliance. Feedback: no reports about non-compliance with good techniques in dam raising process. Process output: oversight of environmental rules compliance not exploring technical aspects of dam raising process.
Possible Partial Control Diagram to Dam construction and oversight - 2 (two versions)
[Figures: two control loop diagrams sharing one layout. Recovered labels:]
Labels common to both diagrams:
• Safety manager controller: model of process: emphasis on Env. HS risks; model of interfaces: "in situ" (mainly oversight of health and safety compliance). Secondary aspects may involve percolation and infiltrations analysis.
• Dam operation management: models of process; models of the system behaviour
• Oversight Health-Safety compliance
• Are there health and safety risks?
• Reports and formal communication
• Process inputs: press bottom
• Variables controlled: percolation conditions, infiltrations, stability of dam wall, etc.
• Process: dam raising
• Hazards: dam rupture, material loss, environmental impact
• Constraint: percolation monitoring, raising inspections, etc.
• Actuators: no automatic devices
• Disturbances
Labels that differ:
• First version: Controls. Feedback: reports about compliance or no compliance, possible consequences. Process output: if yes, establish recommendations or procedures and present to dam operation management or other responsible.
• Second version: No demand about control. Feedback: no reports about non-compliance with good techniques in dam raising process. Process output: oversight of health and safety compliance not exploring technical aspects of dam raising process.
Possible Partial Control Diagram to Dam construction and oversight - 3 (two versions)
[Figures: two control loop diagrams sharing one layout. Recovered labels:]
Labels common to both diagrams:
• Dam operation controller: model of process; model of interfaces: "in situ" direct oversight of project, H, S & E rules compliance including good techniques application, percolation and infiltrations analysis, etc.
• Company manager: models of process; models of the system behaviour
• Reports and formal communication
• Process inputs: press bottom
• Variables controlled: percolation conditions, infiltrations, stability of dam wall, etc.
• Process: dam raising
• Hazards: dam rupture, material loss, environmental impact
• Constraint: percolation monitoring, raising inspections, etc.
• Actuators: no automatic devices
• Disturbances
Labels that differ:
• First version: Project compliance. Are there health and safety risks? Controls. Feedback: reports about compliance or no compliance, possible consequences. Process output: if yes, establish recommendations or procedures and present to dam operation management or other responsible.
• Second version: Oversight of project compliance. Are there flaws or risks? No demand about control. Feedback: no reports about non-compliance with good techniques in dam raising process. Process output: no oversight of good techniques compliance.
Possible Partial Control Diagram to Dam raising and oversight, and the accident situation
[Figures: two control loop diagrams sharing one layout. Recovered labels:]
Labels common to both diagrams:
• Workers controllers (truck drivers and others): model of process; model of interfaces (differs per diagram, see below)
• Dam operation manager ?: models of process; models of the system behaviour
• Demand: dam raising
• Reports and formal communication
• Process inputs: press bottom
• Process: dam raising
• Hazards: dam rupture, material loss, environmental impact
• Constraint: percolation monitoring, raising inspections, etc.
• Actuators: no automatic devices
• Disturbances
Labels that differ:
• Dam raising and oversight: Model of interfaces: bring raw materials using trucks, control of technical aspects and safety constraint, etc. Dam wall being raised. Variables controlled: trucks and excavators circulation, dam height, quantity of material used, etc. Feedback: reports about project development. Process output: dam reaches planned height.
• Accident situation: Model of interfaces: lax control of technical aspects and safety constraint, etc. Dam wall raised 13 m over the planned. Variables controlled: flaws in control of trucks circulation, dam height and stability, etc. Feedback: no reports about project development. Process output: dam rupture.
Contextual aspects: no control of dam percolation, no detection of dam wall infiltration, project has no structural calculations, etc. The external environmental protection agency audit detects no problem related to dam stability.
A system dynamics model for the dam raising.
[Figure: causal loop diagram. The links and their + / - polarities are not recoverable; the variables shown are:]
• Risk of dam rupture; Risk of being reached in case of dam rupture
• Dam raising project approval; RIMA approval; Elaboration of (only) architectural project
• Project compliance to safety standards; Project compliance to hazards analysis; Previous geotechnical studies; Project with previous structural calculations; Project with percolation system; Compliance to the project
• Percolation oversight; Percolation evaluation plan; Dam conditions and raising plans implementation oversight; Oversight dam conditions and dam raising plans; Oversight dam feed plans (rejects injection); Oversight rejects injection
• External inspections; Adequacy of inspections plan
A system dynamics model for the dam raising.
[Figure: causal loop diagram for the accident situation, annotated "Cascade (Falls) of positive influences going to the accident." The links and their + / - polarities are not recoverable; the variables shown are:]
• Dam raising project approval
• Raising dam without structural project; without compliance of safety standards; without hazards analysis; without geotechnical studies; without structural calculations; without project of percolation system; without RIMA
• No percolation oversight; No plan about percolation evaluation; No oversight of dam conditions and raising plans implementation; No plans about oversight dam conditions and dam raising; No plans about oversight dam feed (rejects injection); No oversight of rejects injection
• External inspections; Adequacy of inspections plan; Enterprise fear of punishment; Enterprise safety culture
• Dam raise is made over area already raised; Failure in layout of drain tubes; Dam wall infiltration; Delay on infiltration detection
Conclusions
Control flaws leading to Hazards: Dam rupture
• 1.2) Inappropriate, ineffective, or missing control actions for identified hazard
• 1.2.1) Design of control algorithm (process) doesn’t enforce constraint,
• Flaw(s) in creation process,
Min of Mines and energy
• Flaws in control of technical aspects of project: previous approval? Specific guidelines?
• Reason: Failure in model of process: Underestimation of risk of HE? Risk “normalization”? (Brazilian aspect) Production pressures?
Min of Environmental Protection
• Flaws in program to control risks/losses in Dam constructions
Min of Transport, Min of Health and Min of Labour:
• Flaws in program or plan to control safety in Dam constructions.
• Reasons: Failure in model process. Cultural aspect: technical requirements of the process aren’t considered as safety problems.
CREA (engineer’s council)
Control flaws leading to Hazards: Dam rupture
• 1.2.1 ) Design of control algorithm (process) doesn’t enforce constraint,
• Flaws in creation process
Company manager
• There’s no enforcement to establish safety constraints during the dam’s project elaboration and implementation. Neither constraints (technical, safety and environmental requirements, trainings, oversight …) nor responsibilities are clearly established. Construction and raising were developed only with an architectural project.
• Incorrect modification or adaptation:
Company manager (Dam operation, Safety and Environment mngmnt)
• Project establishes dam raising over area already raised.
• Reason: Failure in model of process
• 1.2) Inappropriate, ineffective or missing control actions for identified hazards (cont.):
• 1.2.2) Process models inconsistent, incomplete, or incorrect (lack of linkup)
– Flaws in creation process:
Min of Mines & Energy:
– Dam construction and operation weren’t monitored.
• Reasons: inadequate mental model about the process? Contextual factors such as lack of resources (budget reductions?) Conflicting policies? …
– Flaws in updating process (asynchronous evolution):
Company management:
– ..
Control flaws leading to Hazards: Dam rupture
• 1) Inadequate enforcement of constraint (control actions) (cont).
• 1.2.3) Inadequate coordination among controllers and decision makers:
Min of Labour, Min of Health and Min of Environmental Protection (federal, regional and local levels).
– Lack of constraint to establish oversight of the dam construction and raising. There’s overlap of attributions among national, regional and local HSE authorities without ways to coordinate the actions of these three areas. None of these institutions oversees technical aspects of dam construction or raising.
• Reasons: Contextual factors conflicting policies? Lack of resources? No enforcement to coordinate actions …
Company management (Company manager, …)
– There’s overlap of attributions related to technical and safety compliance among Dam operation, Safety and Environmental managements. None of them assumed the responsibilities, maybe thinking that they belong to the others.
• Reasons: Inadequate mental models about process (underestimation of risks?). Safety and environmental areas are not considered as interlocutors during project elaboration and implementation (Organizational/cultural aspect).
Control flaws leading to Hazards: Dam rupture
2) Inadequate execution of control action:
• 2.1) Communication flaw:
Company management (Company manager, Dam operation manager, safety and environment management …)
• No enforcement to establish communication process about the risk of dam rupture and ways of prevention
Min of Labour, Min of Health and Min of Environmental Protection (federal, regional and local levels)
• There’s no exchange of information among them in relation to dam construction/raising oversight.
• Reasons: inadequate mental models about process and about furnace operation? Safety culture problems?
Control flaws leading to Hazards: Dam rupture
• 2.2) Inadequate actuator (automatic and human?) operation
Min of Labour, Min of Health and Min of Environmental Protection (federal, regional and local levels)
– Audits from the environmental protection agency identified neither project problems nor implementation problems (no percolation evaluation, no infiltration oversight, raising being made over areas already raised, etc.) ??
– The Health and Safety area had no previous inspection of the dam area.
Company management (Company manager, dam operation, safety, environmental management)
– Lack of enforcement of technical and safety constraints: dam wall raised over area already raised; dam wall heightened 13 m over the planned; wall infiltration not detected, percolation not overseen …
• Reasons: Inadequate mental model about process. Safety culture problems?
Control flaws leading to Hazards: Dam rupture
• 3) Inadequate or missing feedback:
Company management, dam operation, safety and environmental management
– 3.1) Not provided in system design:
– Design of control system didn’t establish percolation and infiltration oversight as kinds of feedback managers and operators would receive.
• Reasons: Inadequate mental model about the system? Competence/training problems? Safety culture/organizational problems? Risk normalization (Brazilian aspect: normalization without risk analysis).
– 3.2) Communication flaw
– In the region there were previous dam ruptures. Why weren’t the lessons learned?
• Reasons: Safety culture problems? Failure in accident analysis practices? Cultural aspects: accidents tend to be explained as technical phenomena and, as a consequence, managerial and organizational aspects that are part of the accidents’ origins aren’t considered as causes.
– 3.4) Inadequate sensor operation (incorrect or no information provided)
– Warnings about flaws in dam percolation and dam infiltration couldn’t be detected. (discuss: 3.1 or 3.4???)
• Reasons:
Control flaws leading to Hazards: Dam rupture
Comments
• The most important causes seem related to the enterprise’s lack of enforcement to establish safety constraints from the beginning of the dam project elaboration.
• Continuous degradation of safety over a long period, without enforcement of safety constraints or of good techniques of dam construction, is at the origin of the accident.
• Lack of supervision (oversight) of the technical development of the project and lack of internal safety or environmental inspections and audits related to the risk of dam rupture helped prevent early detection of the problems. This problem is more important because there were previous dam ruptures in the same state (region).
• This can be pointed to as an aspect of the Brazilian heterogeneity of safety situations, maybe its worst face: the persistence of enterprises handling high-risk technologies without any compliance with good techniques and legal safety constraints. In this kind of enterprise, Health and Safety management seems to be a fragile (technical, organizational and political) structure to face this kind of challenge, mainly in situations where they live alongside these problems for long periods.
• Maybe flaws in the external environmental protection agency’s audits of the dam raising contributed to this process, because they didn’t find any problem related to dam wall stability.
• This aspect points to the existence of flaws in government actions. Maybe there are problems in competence / training programs and a need for better coordination among the different agencies involved in audits/inspections of systems that are handling high-risk technologies.