say the least.

Cost cutting measures

THE BHOPAL DISASTER were introduced at the cost of safety.

The value of human life in India was not
a priority

– learning from failures and 쐌 The lies – management at the plant

(none of whom died that night)
commented that the gas was similar

evaluating risk to tear gas and that the effects would

fade in three days…some twenty years
later the effects are still evident. Union
Carbide Corporation and the Indian
Government claimed, until 1994, that
the gas Methyl Isocyanate (MIC) had no
Abstract

The economic, technological and organizational errors attributable long term effects.
to the root causes of the Bhopal disaster of the 2nd and 3rd of 쐌 A vast history of events (since 1976)
leading up to the event had gone
December 1984 are identified. In particular, the technical causes unheeded by the Corporation, and
of the failure from a design and operational perspective are to this day they have not claimed full
responsibility for any wrongdoing; nor
highlighted. An investigation is then carried out to determine does anyone sit in jail for the ‘murder’ of
the major consequences of the failure. Fault Tree Analysis (FTA) so many.
쐌 Reports issued months prior to the
and Reliability Block Diagrams (RBDs) are then used to model incident by scientists within Union
the causes, and determine the probability of occurrence, of the Carbide Corp. warned of the possibility
of an accident almost identical to that
accident. The innovative aspect of this work is that whereas such which happened – reports which were
techniques are usually employed at an equipment level they are ignored and were never delivered to
senior staff.
used here to analyse a catastrophic event. Recommendations The aim of the study reported here was
regarding emergency and contingency planning are then provided. to produce an objective Fault Tree which
would help to identify what could be
It is concluded that, in future multi-national company (MNC)
learned from this terrible incident and
projects, designs of installations need to be peer reviewed and to show that it was indeed ‘an accident
waiting to happen’, by –
more stringent environmental, health and safety considerations
쐌 Discovering the technical causes of the
adopted, and that governments need to be aware of the failure from a design and operations
requirement for segregation of hazardous operations from facilities perspective.
and adjacent domestic populations. 쐌 Identifying the major consequences of
the failure – then and today.
쐌 Using a Fault Tree Analysis and
Keywords: Bhopal, Fault Tree Analysis, Reliability Block Diagrams Reliability Block Diagram analysis to
determine the probability of such an
occurrence happening.
Ashraf W. Ramesh 쐌 Recreating, using the Minimal Cut Set
Labib, Champaneri, School method, a ‘new’ Fault Tree Analysis.
Portsmouth of Engineering, 쐌 Setting recommendations regarding
Business Science and emergency and contingency planning.
School, Design, Glasgow
University of Caledonian
Portsmouth University BACKGROUND
In 1969, the multi-national corporation
(MNC) Union Carbide (UC) established a
INTRODUCTION This particular gas then enters the lungs, small Indian subsidiary – Union Carbide
where it reacts with bodily fluids, filling the India Ltd (UCIL) – to manufacture
In 1984 Bhopal city, located in the centre
lungs and drowning a person ‘from the pesticides at Bhopal in India. The Indian
of India with a population of approximately
inside’. This was a disaster the town might plant offered competitive advantages
1.4 million, became one of the best known
eventually (over a long period of time and because of its low labour costs, access
places in the world – but for all the wrong
with help) have come to terms with, were it to an established and rapidly growing
reasons. On December 3rd , when the
not for the following facts: market and lower operating costs. In
town’s people slept, the Union Carbide
addition UCIL was able to exploit India’s
Pesticide Plant , about five miles away, 쐌 The deaths did not stop at 3,000 – they lax environmental and safety regulations
unleashed ‘hell on earth’. Poisonous gases are reputed to total 20,000 to date (see as the country strived to attract large
were released into the atmosphere and earlier) – and to this day approximately MNCs for its developing industrialisation
killed some 3,000 people (up-to-date 120,000 people continue to suffer from
programme. Until 1979 UCIL imported
figures indicate 8,000 fatalities at the the resulting serious ill health problems.
Methyl Isocyanate (MIC), a key component
time and a further 12,000 since). These 쐌 ‘It was an accident waiting to happen’ in the production of pesticides, from its
gases included one used in early World – comparisons with the operation of
parent company, UC. The new Bhopal
Wars that attacks the ‘wet’ parts of the similar plants in US and India indicate
facility was advertised as being designed
body, such as the eyes, mouth and throat. that the Bhopal plant was neglected to
and built on the basis of twenty years of

maintenance & asset management vol 27 no 3 | ME | May/June 2012 | 41

experience with UC’s MIC facility in West management in the USA indicated that being allowed to continue.
Virginia, USA. there was – “a serious potential for sizeable 쐌 The blow-down valve of the MIC 610
releases of toxic materials in the MIC unit tank was known to be malfunctioning;
Installation either due to equipment failure, operating consequentially it was permanently
problems or maintenance problem, thus open. This valve should have been
As early as 1972 a UC internal report requiring various changes to reduce the repaired or the tank should have been
had recommended that if additional danger of the plant, There is no evidence removed from service until repaired.
MIC plants were to be built they should that the recommendations were ever 쐌 The danger alarm sirens used for
be constructed of materials as good as implemented” [1]. warning the adjacent residential
those used on the West Virginia plant. It communities were switched off after
became clearly evident that although UC five minutes in accordance with
engineers oversaw the design, build and Precursors leading to the revised company safety practices. This
operation until the end of 1982 along with disaster clearly highlights why the site required
technical support and safety reviews, the Prior to the disaster, both training, manning emergency procedures to be in place
Indian facility underwent cost-cutting levels and the educational standards of and continually reviewed.
programmes in design and construction the employees of the plant workforce 쐌 The plant superintendent did not notify
which were not mirrored in comparable were reduced. Between 1980 and 1984, external agencies of the accident
Western plants, viz. the plants workforce was reduced by half and initially denied the accident had
with no clear investment in technology to occurred. This was clear negligence on
쐌 Carbon steel piping, which is more behalf of the management but typified
corrosive, replaced stainless steel warrant this reduction
the poor health and safety culture within
piping. The basic operation of the plant was further the plant.
쐌 The number and quality of safety compromised by management decisions 쐌 The civic authorities did not know what
devices was reduced (a $3-6 million to operate the plant either outside its actions to take in light of there being
saving). designed operating parameters or to no emergency procedures in place and
쐌 Installed safety devices in western implement revised processes to ensure were un-informed of the hazardous
plants were automatically controlled continued production while essential materials stored within the plant. The
with back-up devices – at Bhopal they components of the system had known requirements for good communications
were manual. defects which had the potential to impact and established emergency procedures
쐌 At similar Western plants computerised on the safety integrity of the plant. with local agencies and emergency
early warning systems sensed services highlighted these shortfalls.
leaks, monitored their rates and 쐌 Gauges measuring temperature and
concentrations and were linked to a DIRECT CAUSES OF THE pressure in the various parts of the
telephone system to automatically ACCIDENT facility, including the crucial MIC
dial out alerts – In Bhopal there were The production of a deadly cloud of MIC storage tanks, were so notoriously
not even any emergency planning was produced as a consequence of a unreliable that workers ignored early
measures. cheap engineering solution to a known signs [1]. The company should have had
쐌 At Bhopal one vent gas scrubber maintenance problem. A “jumper line” a robust maintenance regime which
(VGS) was installed. resulting in no connected a relief valve header to a should have prevented this, coupled
redundancy. The equivalent plant in the pressure vent header enabling water from with a safety culture which should have
USA had four VGSs. questioned any unsafe conditions.
a routine washing operation to pass to MIC
쐌 At Bhopal only one flare tower was storage tank 610. The ingress of water to 쐌 The refrigeration unit for keeping MIC at
installed, i.e. no redundancy. The the MIC tank created an uncontrollable low temperatures, and therefore making
equivalent plant in the USA had two. runaway exothermic reaction. The reaction it less likely to undergo overheating
and expansion should contamination
쐌 In Bhopal, no unit storage tank between products passed through the process vent
enter the tank, had been shut off for
MIC manufacture and the main storage header to the jumper line, to the relief valve some time [1]. This issue could have
tank was installed to check for purity. vent header, onto the vent gas scrubber only been resolved by the management
This was designed in and installed on and finally to the atmosphere through the having a commitment to safety and
the US plant. atmospheric vent line. The toxic gases process guarding as opposed to profit
None of the six main safety features of were discharged for 2 hours 15 minutes. generation.
the plant were efficient due to design but
The release of toxic gases was assisted The failings below are attributable to
also on the night of the incident, none
by the following defects and lapses in design reductions and the fact that UCIL
were operational due to an under pressure
standard operating procedures which was able to dilute its safety protection
maintenance schedule (due to under
could have easily been averted in many devices in order to maximise profits, while
staffing).
instances: any local peer reviews of designs by local
At the local level, no emergency planning safety/engineers were non-existent:
쐌 MIC storage tank number 610 was
was undertaken prior to the commissioning filled beyond recommended capacity. – The gas scrubber, designed to neutralize
of the plant. In the US emergency planning Functional contents gauges should any escaping MIC, had been shut off for
had been essential and had involved all have provided warning of this and the maintenance. Even had it been operative,
of the emergency services and a public process halted until rectified. post disaster inquiries revealed that
broadcasting system. 쐌 A storage tank which was supposed the maximum pressure it could handle
to be held in reserve for excess MIC was only one quarter of that which was
Prior to the disaster, operating incidents
already contained MIC [2]. The reserve actually reached in the accident [1].
resulting in plant workers being killed or
injured, and minor amounts of toxic gases storage tank should have been empty – The flare tower, designed to burn
and any production should have been off MIC escaping from the scrubber,
being released, had caused UC to send, in
halted until this requirement had been was also turned off, waiting for the
May 1982, a team of US experts to inspect
established. This should have been a replacement of a corroded piece
the Bhopal plant as part of a safety audit, formal requirement ‘hold point’ in the of pipe. The tower, however, was
Their report, which was passed to UC’s control process prior to production inadequately designed for its task, as it

42 | May/June 2012 | ME | maintenance & asset management vol 27 no 3

 THE BHOPAL DISASTER
Designing food –product
learning from failures
safety and evaluating
y through risk
an effective
implementation of maintenance engineering

TE - Release of toxic gases to atmosphere

was capable of handling only a quarter
of the volume of the gas released [1].
– The water curtain, designed to
neutralise any remaining gas, was too
short to reach the top of the flare tower
where the MIC billowed out [1].
– There was a lack of effective warning A - Ineffective B - Failure of plant due to C - Management D - Poor maintenance of
systems; the alarm on the storage workforce diminished design specifications Decisions plant
tank failed to signal the increase in of plant
temperature on the night of the disaster
[2].
Go to Go to Go to
Fig. 2 Fig. 3 Fig. 4
THEORY AND CALCULATION
Fault Tree Analysis (FTA) and a Reliability
Block Diagram (RBD) have been used
to map the root causes of the disaster
E - Poor
or Health &
and calculate its overall probability of Safety awareness
1 - Quality of
occurrence, the RBD being derived employees
from the FTA. The parallel and series reduced i.e.
lower
connections in the RBD, which are derived educational
standards
from the AND and OR gates respectively
of the FTA, describe how the system
functions (or fails to function), but do not
necessarily indicate any actual physical 3- Poor Health
2 -Safety and Safety
connection nor any sequence of operation. training culture
In other words, the RBD does not model of staff
the flow of material nor any sequence reduced

of time events, but instead models the

inter-dependencies of the root causes that
led to the failure mode at the apex of the Figure 1 Overall Fault Tree Analysis of the disaster
Fault Tree.
provide protection against a disaster be a involved. Availability is calculated as a
There are many benefits derivable from an
low figure or a high one? function of both the frequency of a failure
analysis based on FTA and RBD modelling.
(i.e. the mean time between failures, a
Firstly, it helps to highlight vulnerable, To attempt to answer this last seemingly
measure of reliability) and its severity (i.e.
or weak, areas in the model that need simple question, one needs to go back to
the mean time to repair, a measure of
attention in the form of adding, for example, the fundamental definitions of the terms
built-in-testing, redundancy, or more
preventive maintenance. Secondly, it acts
B - Failure of plant due to Diminished
as a knowledge-base of how a system fails Design Specifications of plant
and hence can be used for diagnostics
or fault finding. Finally, given the value
of availability of each ‘box’ in the RBD
model it is possible to estimate the whole
system’s reliability – which is useful both
when aiming to improve system reliability
by preventing things from going wrong,
4 -Stainless 5 - No 6 - No 7-
and when aiming at system recovery by Steel piping Computeriz Unit Ineffective
restoring elements that have failed. replaced by ed Warning Storage water spray
Carbon steel Systems Tank system
Normally, we use FTA and RBD to model a
failure mode at an equipment or machine
level. Such a mode may, for example,
be ‘Motor A fails to start’. In this study, F - Safety Devices G - Ineffective Flare Tower
however, the same methods of analysis are capability Impaired

applied on a larger scale, where the failure

mode is the occurrence of a disastrous
situation such as that at Bhopal. Here,
there are two distinct features that need
to be considered. Firstly, the situation is
complex, influenced by a range of human,
social and environmental factors which are
difficult to evaluate. Secondly, the whole 8- 9- 10 - 11
Quality of Quantity of No Incapable of
meaning of ‘availability’, in the context of safety devices Safety devices redundancy dealing with
modelling a disastrous situation, can be reduced reduced quantity of gases
a matter of debate or even confusion, To released
pose a fundamental question: should we
expect that the total availability of a plant to
Figure 2 Fault Tree of failure due to diminished design specifications

maintenance & asset management vol 27 no 3 | ME | May/June 2012 | 43

 maintainability). Since a disaster is, by its not be the case when the existing design Figure 1 shows the overall Fault Tree
very nature, a severe and yet a rare event, and operation of the system is not fit for analysis.
one would normally expect high figures purpose, and hence it is a disaster waiting
Figures 2, 3 and 4 further extend the
for availability of protection against its to happen, and in this situation one would
analysis of Figure 1.
occurrence - due to its very low frequency expect that total system availability would
(a one-off event). However, this would be rather low. The reliability block diagrams for each tree
are then presented in Figure 5, and the
overall reliability block diagram related to
the disaster in Figure 6.
C – Incorrect
management decisions
Table 1 (see pages 46-47) presents our
estimated ‘probabilities of failures’ for the
various contributory events discussed
in the previous, ‘Direct Causes’, Section.
Estimates of Pf (probability of systems
failure) are used as a measure of
unreliability – where the sum of Pf and Ps
(probability of success) equals one as the
system is either in a fault or running state.
12 – 13 - Plant 14 -Reserve 15 - Plant
Refrig’ation MIC storage being operated
Again, ‘probability’ may here have different
manning
unit shut levels tank allowed outside design meanings, i.e. a measure of confidence
down reduced to be used parameters or a measure of availability. Either way, we
use it in this context to provide us with
an indication of the relative importance
(priority) of the various factors that led
H -Emergency response
deficiencies to the disaster. Note that the numbers
labelling the various FTA events and/
or RBD boxes in the figures refer to the
numbers used to list the various events/
factors listed in Table 1. It must be stressed
that this is very much a speculative
evaluation. It is suggested that using these
data and applying straightforward Boolean
analysis of the logic of the Fault Trees
16 - No 17 -Lack of 18- Alarm (which is beyond the scope of this paper)
emergency notification of siren turned off
planning incident by – Management could form the basis of an informative
procedures plant decision estimate of the relative significance of the
management factors that may have contributed to the
disaster.

DISCUSSION
Figure 3 Fault Tree of incorrect management decisions
UCIL had allowed safety standards and
maintenance at the plant to deteriorate
to cataclysmic levels even though the
D - Poor maintenance of
plant potential for such an incident had been
highlighted two years prior in a UC internal
report. Clearly UCIL had dropped the
operating and safety standards of the
Bhopal facility well below those maintained
in the near identical facility in West
Virginia. The fact that UCIL was able to
do this was due in part to lacking safety
J - Poor maintenance
and environmental laws and regulations
19 -Defective 20-Substitute procedures on plant 21 - which were not enforced by the Indian
blow down engineering Defective government. Immediately after the
valve in MIC solution used gauges not disaster in India, UC, while maintaining no
tank 610 “Jumper line” repaired knowledge of the cause of the accident
in India, shut down the MIC plant in West
Virginia to allow five million dollars worth
of changes to its safety devices to be
accomplished.

22 -Slip 23 - No CONCLUSION
blind checking
process of related The Indian government, although keen to
omitted lines attract foreign investment, needed to factor
in basic safety requirements for its citizens.
During future MNC projects, designs of
installations need to be peer reviewed and
Figure 4 Fault Tree of poor maintenance

44 | May/June 2012 | ME | maintenance & asset management vol 27 no 3

 THE BHOPAL DISASTER
Designing food –product
learning from failures
safety and evaluating
y through risk
an effective
implementation of maintenance engineering

are commended rather than chastised and

RBD: Ineffective workforce safety is the optimum driver rather than
profit motivation.
2 MNC need to re-instigate high levels of
1 safety training to improve employees’
awareness of hazards. In addition, the
3
quality of the employees and staff numbers
should not be reduced at the expense of
RBD: Failure of plant due to diminished design specifications safety to bolster company profits.
MNCs attracted to third world countries
4 5 6 7 8 9 10 11 by the prospect of cheap labour costs and
potentially less stringent environmental,
health and safety legislation need to
RBD: Management decisions consider the adverse impact on their
business brought about by focused media
coverage resulting from perceived neglect
12 13 14 15 16 17 18
to the health and safety of their workforce,
which ultimately impacts on their company
RBD: Poor maintenance reputation.
The main significance of this work is that
23
we demonstrate that learning can be
21 20 19
addressed in three perspectives which are:
22 ( i) feedback from the users (maintenance)
to design, (ii) the incorporation of advanced
tools in innovative applications, and (iii) the
Figure 5 Reliability Block Diagrams
fostering of interdisciplinary approaches
and generic lessons. Our basic findings are
2 therefore related to the feedback process
through advice to both future MNC
1
projects in terms of designs of installations,
3 as well as recommendations to
Governments in terms of health and safety
considerations. We have incorporated tools
4 5 6 7 8 9 10 11 such as fault tree analysis, reliability block
diagrams and cut set calculations, which
have helped us to develop an objective
model to discover what can be learned
TOP from this terrible incident. In doing so, we
have tried to develop a generic approach
12 13 14 15 16 17 18 that can be used to learn from any future
disasters.

ACKNOWLEDGEMENTS:
We are grateful to John Unwin, Paul
23
McGibney, and Mazen Al-Shanfari, who
4 2 2 1
helped to collect the data for the case
1 0 9
22 study. We are also grateful to Ms Rebecca
Harris for the proof reading and editing of
the manuscript.
Figure 6 Combined Reliability Diagram for the disaster

REFERENCES
more stringent environmental, health and adjacent domestic populations. In the [1] Weir D, The Bhopal Syndrome: Pesticides,
safety considerations adopted. case of Bhopal the local communities Environment and Health. San Francisco
and “squatter camps” should have been 1987
During any future plant builds, standards
relocated prior to any company being [2] Cassels J, The Uncertain Promise of Law:
of materials and equipment used should
given permission to start mass production Lessons from Bhopal. University of Toronto
reflect those used in Western countries.
of inherently dangerous substances. Press 1993
MNC need to be aware that reduction in
safety standards as a means of improving A means of guarding operating processes, [3] Chouhan T, The Unfolding of the Bhopal
profit margins is not an option in light of the along with habitual safety checking, needs Disaster, Journal of Loss Prevention in the
Process Industries, Vol.18, pp 205–208. 2005
disaster at Bhopal. to be implemented and established as a
corner stone of any safety culture within
Governments need to be aware of
hazardous plants like Bhopal. The safety
the requirement for segregation of
culture of any such plants needs to be
hazardous operations from facilities and
developed so that questioning attitudes Table 1 continued on page 52 

maintenance & asset management vol 27 no 3 | ME | May/June 2012 | 45

 Continued from page 51

Event No. Comments Pf = F / S + F Actual Pf Value

1 – Quality of employees Reduction of Operators with High school education over 5 years = (9 / 6 +15) / 43800 9.6 × 10ˉ 6
reduced =9
No. of Operators with High school education at time of disaster
=6
No. of Operators with High school education in 1979 = 15
No. of hours for 5 year period = 24 x365 x 5 = 43800

2 – Safety training of staff Original No. of training days = 18 months x 30 days = 540 = (523/540 + 17) / 43800 21.4 × 10ˉ 6
reduced
Reduction in training days during 5 year period = 523
No .of actual training days = 17
No. of hours for 5 year period = 24 x 365 x 5 = 43800

3 – Poor Health and Safety Assumption – health and safety culture dependent upon quality = 9.6 x 10ˉ 6 +21.4 x 10ˉ 6 31.1 × 10ˉ 6
Culture and training of staff
Pf value = event 1 + 2

4 – Stainless Steel piping Guess – No. of new repairs performed = 1000 = 1000/25000 + 1000 40 × 10ˉ 3
replaced by carbon steel
No. of repairs performed since opening of plant = 25 000

5 – No computerized warning Guess – No of failures detected by staff = 20000 = 2000/20000 + 2000 90.9 × 10ˉ 3
systems – human detection
No. of failures missed during inspections = 2000

6 – No unit storage tank Guess: No unit storage tank fitted to check purity therefore = 260/1825 142.4 × 10ˉ 3
assuming check performed once a week during 5 years 52 x 5
= 260
System would fail once ever week day over 5 year period =
365x5 = 1825

7 – Ineffective water spray Guess: System would fail to suppress gases due to design error = (1/ 5000) /1825 109.6 × 10ˉ 9
system associated with height in MIC area which represented area only
1/5000 of plant
System failed in MIC area on day over 5 year period of MIC
production = 365x5 = 1825

8 – Quality of safety devices Assumptions: reduced quality of safety devices resulted in 50% 16 × 10ˉ 3
reduced increase failure rate
Guess Previous Pf value = 8 x 10ˉ ³

9 – Quantity of safety devices Assumption: number of devices Reduced by 25% therefore Pf 10 × 10ˉ 3
reduced value increased by 25%
Guess: Previous Pf value = 8 x 10ˉ ³

10 – No redundancy (flare Two built in USA plant, 1 installed in India. Item under (1/2) / 43800 11.4 × 10ˉ 6
tower) maintenance for
Duration of use of single flare tower over 5 years = 24 x 365 x5 =
43800 hours

46 | May/June 2012 | ME | maintenance & asset management vol 27 no 3

 THE BHOPAL DISASTER – learning from failures and evaluating
y through risk
an effective
implementation of maintenance engineering

11 – Incapable of dealing with System not designed to deal with volume of gases. Therefore 2.5/43800 57.1 × 10ˉ 6
quantity of gasest the system failed to handle this volume of gas for 2.5 hours (time
of disaster)
Duration in hours system operating over 5 years = 24 x 365 x5 =
43800 hours

12 – Refrigeration unit shut Unit shut down for past year = 365 days 365/1825 + 365 166.3 × 10ˉ 3
down
MIC production over last 5 years = 365 x 5 = 1825

13 – Plant manning levels Overall 20% reduction of staff in 4 years (20/100)/ 1460 136.9 × 10ˉ 6
reduced
Duration = 365 x 4 = 1460 days

14 – Reserve MIC storage Assumption: MIC storage tank used for 50% of time (50/100) / 1825 273.9 × 10ˉ 6
tank allowed to be used
Duration of use = 5 years = 1825 days

15 – Plant being operated Assumption: 10% of plant being operated outside design (10/100)/1825 54.8 × 10ˉ 6
outside design parameters parameters for 5 years.

16 – No emergency planning No Emergency planning in place – operation failed on day 1/1825 0.55 × 10ˉ 3
procedures
5 years of MIC production at plant = 5 x 365 =1825
17 – Lack of notification No Emergency planning in place – operation failed on day 1/1825 0.55 × 10ˉ 3
of incident by plant
management
5 years of MIC production at plant = 5 x 365 =1825

18 – Alarm siren turned off – No. of hours siren turned off = 2

Management decision
No. of hours available for use = 24 x 365 x 5 = 43800 2/43800 45.7 × 10ˉ 6

19 – Defective blow down Total number of days Defective in past 5 years = 12 12/1825 6.6 × 10ˉ 3
valve in MIC tank
Total number of days in 5 years = 1825

20 – Substitute engineering No of times procedure used = 150 150/ 450 +150 250 × 10ˉ 3
solution used “Jumper line”
Number of flushing operation = 450

21 – Defective gauges not Guess: No. of gauges defective or still in use = 1320 1320/1320 + 6000 180.3 × 10ˉ 3
repaired
Total number of gauges on plant = 6000

22 – Slip blind process Guess: No of procedures requiring slip blinds but not used = 50 50/220 + 50 185.1 × 10ˉ 3
omitted
Total number of procedures requiring slip blinds = 220

23 – No checking of related Guess: No. of times procedure required during maintenance in 300/15000 + 300 19.6 × 10ˉ 3
lines 5 years = 300
Total number of maintenance procedures in 5 years = 15 000

Table 1 Estimated ‘Probabilities of Failure’ for contributory events’ (MIC production assumed to have commenced in 1979, i.e. five years before disaster)

maintenance & asset management vol 27 no 3 | ME | May/June 2012 | 47