Samarcos mine woes: operational risk and level of responsibility


The tailings dam failure at an iron ore mine operated by Samarco (jointly owned by BHP Billiton and Vale) in the Bento Rodrigues district of Brazil on 5th November 2015 has been much in the news.  One view is that the water from the dam does not contain any toxic materials, the other view is that it does.  Whatever the truth of that, at least 13 lives were lost and the large volume of water and silt escaped from the dam (BBC news 20/12/2015).

According to reports, the Government of Brazil has been very vocal in its condemnation of the company and has been quick to take legal action.  As at 20th December 2015, it is reported (ibid.):

  • 28th November 2015- a law suit was filed by the Government
  • 17th December 2015 – a federal judge has blocked the assets of the company because they do not have enough resources to cover the potential damages, estimated at $5.2 billion.
  • Also required is that the company “immediately implement damage-mitigating environmental measures” or face a fine of $38M per day.  It is thought that about 500km of the Rio Doce will have to be dredged and other remedial works undertaken.
  • The company had earlier agreed to immediately pay $260M compensation to victims.

The Sydney Morning Herald of 18th November 2015 repeated comments made by Klebba Terra, director of operations at the mine, in the O Estado de S.Paulo newspaper: “We are very sympathetic and distraught about what happened. We work with the best dam monitoring technicians but we cannot say that this tragedy could have been avoided.”

By any standards, this is clearly what is defined in Chapter 5 (Table 5.4, page 75) as an Operational Risk:  Energy (or Threat) exists in significant and unusual quantities and in circumstances closely associated with the function of the organisation, so there is a potential for a highly significant adverse effect on the organisation, possibly even threatening its existence. 

On 30/8/2016 the BBC (, viewed 18 October 2016) reported that a technical analysis of the failure (commissioned by the plant owners BHP Billiton and Vale through law firm Cleary Gottlieb Steen & Hamilton) had concluded that the failure was due to design flaws apparently arising from a change to the design that occurred between 2011 and 2012 that led to “less efficient water drainage” – I suspect this may actually mean an increase in the depth of material allowed in the dam.  This led to increased saturation of the earth wall of the dam and the eventual liquefaction of the particles making up part at least of the dam wall and to its failure at that point.


The rapidity with which the assumption is made by the Government that this is the fault of the company is noteworthy and interesting in the context of Chapters 1 and 2.  It seems this conclusion must surely have been drawn by them without the benefit of knowing what the Mechanism is?  I have seen other cases where Governments act rapidly to prosecute those most closely involved, without waiting for the conclusions of a technical investigation.  In the background, in both the cases known to me, the relevant Government department went quietly about making the design changes that it had failed to make before disaster struck.  In one case, the expert evidence made it clear the party being prosecuted was not at fault.

Given the assertive moves made by the Government (above), it is one of the most evident cases in recent times of the potential for operational risks to threaten the existence of the company.  Another very public case in recent times (2010) is BP’s Gulf of New Mexico Deep Water Horizon oil spill.

It is also in the Risk Type I category defined in Chapter 8 (Table 8.1, page 122): Moral and ethical obligations exist, expressed legally as a duty of care. Evaluation involves understanding the required standard of care in the situation. 

I expect that prior to the failure of the dam this would be known:

  1. If the dam water is toxic, then there is a chemical energy threat.  It is not uncommon for such water to contain various chemicals arising from the production process that make it something other than pure rain water
  2. The volume of water in the dam was sufficiently large to swamp nearby and downstream settlements
  3. The flow path of water from a breach of the dam predictably includes natural water courses eventually finding its way to the sea via the Rio Doce.
  4. The silt in the water could potentially adversely affect the ecology of natural water courses.

It is very unlikely that a breach in the dam is necessary to make any of the above evident.  I expect that at the time of planning the mine the location of the dam and an understanding of downstream flow paths from dam overflow (for example following heavy rain fall) would have been taken in to account.  One might also expect that the mine received planning approval from the relevant Government department.

As Klebba Terra made clear, significant dams are managed by dedicated geo-technical engineering specialists.  Such dams are also designed by these specialists.  It is entirely appropriate for operational risks to be under the immediate control of technical specialists.  I think it is also true that the real world is not like a laboratory and at times provides surprises.


Using the Time Sequence Model (TSM)

Mechanism  is what resulted in the dam failing.  General options (Table 3.5, page 41) include:

  • Purposeful (that is, intending to damage as in sabotage)
  • Incidental (not applicable)
  • Unintentional (physical failure of energy containment properties or devices)

The last of these appears relevant.  Structural failure is for ‘primary, secondary or command’ reasons.  This means, respectively:

  • Failure under normal loading (structural deterioration leads to weakening of the structure; this could be due to natural actions like erosion of the wall foundation or the unexpected effect of human action such as drilling to check the foundation)
  • Failure under abnormal loading (a healthy structure is loaded beyond its design capability, as when a dam’s level rises perhaps due to heavy rainfall, inertia loads are imposed by an earthquake or excessive strain results from ground movement) or
  • Failure when commanded to do so (possible command failure options are not evident to me in this case).

Event is the point in time when the structural failure began, perhaps a breach of the dam for one of the reasons above allowed flow to seep through a specific route.

Outcome possibly the Event resulted in a widening of the the breach, allowing a greater flow which escalated until a major section of dam wall failed under the pressure of water.  The torrent escapes the dam and flows down natural watercourses depositing large volumes of mud, submerging and pushing out of the way houses etc.

Assets include people, livestock, houses, rural and industrial livelihoods, infrastructure, watercourse ecosystems, freshwater springs etc., production, revenue, cash resources, share price, operating licence, reputation and so on.

Consequence Types include injury, environmental damage, business loss, financial loss.


Using the Risk Model

With Type I Risks, the most significant aspect of Risk that is of immediate concern is the Likely Worst Consequence (LWC) (Fig 4.1, page 61). This awful case is an excellent example of just that.  Does it really matter what the Frequency estimates are?  Probably not, at least for immediate needs.


Responsibility and Authority

The discussion on page 193 (Chapter 11) on the elements of a Risk Management System repeats the emphasis on the LWC in the context of the adequacy of control measures.    As I wrote (Page 197) “The first task of a risk management system is to pay attention to the technology surrounding high Consequence risks and to attend to the quality of its design and operation.”

In this case, the LWC is of such a significance that once it happens it immediately gets the attention of the international boards of the parent companies. However, the details of the technical management of the dams is in the hands of the ‘technicians’ mentioned by the Operations Manager.  One wonders about the communication pathways between these the technicians and the board, people at such very different levels in the organisation and wonders about the level of explicit awareness of this risk and its methods of management there was at the level of the board.  One wonders also about the common cultural/organisation barriers to such communication that may exist; the possible communication barriers between departments and the influence of expenditure cutbacks with the current downturn in the price of iron ore, for example.

It is common for these minutiae to find their way into court rooms.  Many a manager has commented on the minute technical detail seen to be at the start of a disaster and asked how they could be expected to know about it?

The main conclusion that can be drawn from this is that control measures need to be consciously understood and approved by the level of manager who will be held responsible if (actually when) they fail.  This is determined by the LWC.  In this case, it is hard to see this as being other than the board.

I had a good example of this at a large integrated steel plant in Asia – see the example in point 7 on page 201.  That manager knew he would be held responsible so he became involved personally in the small detail necessary for control over the risk.

The organisational detail can be understood by considering the various ways in which Time Zone 1 of the TSM (Chapter 3) can be described and explained and connecting these ideas with those of Chapter 11.


To be kept in mind

I trust it is obvious to readers that the information available to me and on which I have based this comes from the press sources cited.  No doubt much will come out and be reported on in the years to come following investigations and court cases.  I have not written anything here intending to predict any conclusions that may be drawn in the future nor have I intended to draw attention to any particular aspects of the behaviour of the companies faced with this disaster or the people who work for them or the Government of Brazil.  I have no knowledge of the risk management practices of those companies.  My intention is solely to use what is known from the cited sources to illustrate relevance and potential relevance to various parts of the text for the benefit of readers.



BBC Viewed 20/12/2015

SMH   Viewed 20/12/2015

Leave a Comment