Pike River Mine Disaster: Systems-engineering and Organisational Contributions

The Pike River mine (PRM), an underground coal mine in New Zealand (NZ), exploded in 2010. This paper analyses the causes of the disaster, with a particular focus on the systems engineering and organisational contributions. Poor systems-engineering contributed via poorly designed ventilation, use of power-electronics underground, and placement of the main ventilation fan underground. Management rushed prematurely into production even though the technology development in the mine was incomplete. Investment in non-productive infrastructure was deprioritised resulting in inadequate ventilation, and the lack of a viable second emergency egress. The risk assessments were deficient, incomplete, or not actioned. Warnings and feedback from staff were ignored. Risk arises as a consequence of the complex interactions between the components of the sociotechnical system. Organisations will need to strengthen the integrity of their risk management processes at engineering, management, and board levels. The systems engineering perspective shows the interacting causality between the engineering challenges (ventilation, mining method, electrical power), project deliverables, management priorities, organisational culture, and workers' behaviour. Use of the barrier method provides a new way to examine the risk-management strategies of the mine. The breakdowns in organisational safety management systems are explicitly identified.


Introduction
The Pike River mine (PRM) was an underground coal mine in New Zealand (NZ), located on the South Island, in the Paparoa mountain range. It suffered an underground explosion on 19 November 2010 with two workers escaping, and 29 lives lost. Several subsequent explosions occurred in the following days, and made it unsafe to re-enter the mine.
'The Pike River underground coal mine lies high in the rugged Paparoa Range on the West Coast of the South Island. Access to the mine workings was through a single 2.3 km stone drift, or tunnel, which ran upwards through complex geological faulting to intersect the Brunner coal seam. On Friday 19 November 2010, at 3:45 p.m., the mine exploded. Twenty-nine men underground died immediately, or shortly afterwards, from the blast or from the toxic atmosphere. Two men in the stone drift, some distance from the mine workings, managed to escape. Over the next nine days the mine exploded three more times before it was sealed. There is currently no access to the mine.' [1].
The aftermath bankrupted the company and closed the mine. This was supposed to be a world class mine for low environmental impact, high safety, and modern machinery. So the question arises as to why the disaster occurred.
A governmental commission of enquiry was established [1], and uncovered serious safety deficiencies in the mine, primarily in the engineering implementation of the ventilation hardware (the ventilation system provides fresh air to the miners and also removes flammable methane gas from the mine), the work procedures, risk management practices, and the executive decision-making. There was national disquiet at these wide-ranging systematic failures, and the underpinning culture of organisational neglect. It did not prove possible to secure a conviction against any manager, executive, or directors, despite multiple organisational failings. This disaster precipitated a total reconsideration of the national health and safety (H&S) legislation, culminating in a new Act in 2015. This paper analyses the causes of the Pike River disaster, and the legislative consequences.

Background
A governmental Royal Commission of enquiry was established into the disaster [1], and uncovered serious safety deficiencies in the mine, primarily in the engineering implementation of the ventilation hardware (the ventilation system provides fresh air to the miners and also removes flammable methane gas from the mine), the work procedures, risk management practices, and the executive decision-making. There was national disquiet at these wide-ranging systematic failures, and the underpinning culture of organisational neglect. It did not prove possible to secure a conviction against any manager, executive, or directors, despite multiple organisational failings. This disaster precipitated a total reconsideration of the national health and safety (H&S) legislation, culminating in a new Act in 2015.
The approach of PRM to safety is best described as preventative risk management, implemented in an ad-hoc manner. They were aware of the safety hazards, of which methane explosion presented the greatest risk for catastrophe. They had several mechanisms in place for preventing explosion, but these, as will be shown, were implemented poorly and hence lacked robustness. For example, methane sensors were provided but were not always working, and those on vehicles were sometimes deliberately defeated. The organisational response to emerging hazards was deficient: they collected safety incident reports but did little or nothing with them; they partially developed a risk management plan but did not take it through to completion; the ventilation system lacked a systematic design.
The preventative perspective is also apparent in the reports produced by the Royal Commission. The focus was on explaining the cause and contributory factors for this specific accident. In such situations of national disaster there is a need for explanations of causation, i.e., to identify the factors that initiated the event in the first place. Also, safety regulators want to know how similar disasters can be prevented in future. Hence it is natural that investigations focus on what caused the initial physical accident and how to prevent it in the future.
The dominant methodology for hazard reduction is risk management, e.g., ISO 31000 [2], with its emphasis on prevention of risk by treatments applied before the risk eventuates. Although the risk management method does not preclude the provision of post-accident recovery mechanisms, these are often de-emphasised in practice. In the case of the Pike River disaster, the organisation was attempting to apply preventative risk management, though the execution was poor and undoubtedly contributed to the disaster occurring. However, as will be shown, the recovery perspective was practically non-existent. From the recovery perspective an accident unfolds over time, and there are opportunities to reduce its extent, providing that mechanisms have previously been put in place to do so. An accident does not immediately progress from initiation of the hazard to a full disaster: deliberate actions of intervention are generally possible. These recovery mechanisms will not necessarily prevent the hazard arising, but they can change the locus of the accident propagation sequence so that only a few deaths occur rather than many (disaster).
In general the sequence from initial hazard event, to accident, to serious harm, to a few deaths, to multiple deaths (disaster) is not temporally immediate. Even after the accident occurs it is often possible to take actions that reduce consequences, e.g., reduce the number of deaths. A deeper understanding of mechanics and trauma is required to appreciate where the possibilities may exist to recover some of the situation. Recovery means that the disaster is not as large as it might have been. In the case of the PRM disaster the initial explosion itself was potentially survivable, but the organisation had given insufficient thought to means of recovering the situation to prevent further loss of life.
It is well known that there is a need for systematic, holistic methods to reduce safety risk. The issue is not so much the lack of methods, rather it is poor execution at organisational level. There is a general recognition of the importance of organisational systems and the necessity for executives to show leadership in the development and resourcing of such systems. This is emphasised by several standards including those for quality (ISO 9001) [3], risk (ISO 31000) [2], environmental (ISO 14001) [4], and safety (ISO/DIS 45001 or BS 18001 or AS/NZS 4801) [5]. These standards are intended to be used in a complementary way, since the management activities are similar for them all. In the safety standard the organisational content includes a description of the type of management systems necessary to support health and safety, authority for agency, accountability of those with organisational roles, participation of staff, methods for determining hazards, documentation, and monitoring the efficacy of treatments, inter alia. This standard sets out good practice in the area of safety at the organisational level. However the implementation of these principles is difficult for many organisations. The operating conditions for organisations, and PRM would be a case in point, are dynamic especially when in the development stages. Consequently the safety systems as actually implemented can be ad hoc rather than planned, piecemeal rather than integrated, improvised rather than resourced, and of uncertain efficacy rather than monitored. All of these were issues at Pike River Mine.
Coming back to the balance between prevention and recovery, there is a tendency for the safety standard [5] to emphasise the preventative aspect: it is true that emergency preparedness is included, but only in the later versions and even then not as a major feature. In comparison the hierarchy of hazard control (with its focus on prevention via eliminate, minimise, control, protect) has greater prominence. Likewise although a NZ code of practice subsequently arose for mine explosion [6], this too emphasises the hierarchy of hazard control on the prevention side of the accident locus, and the emergency plan it encourages is mostly directed to fire-fighting rather than the more profound question of how to design the systems to maximise survivability. No hazard can be completely eliminated, either because the solution introduces new hazards or the procedural treatments are of imperfect reliability [7], and consequently it is necessary to prepare emergency responses for the real possibility of a serious accident occurring.
In summary, there are two main risks for the implementation of health and safety systems: (1) the practical difficulty of achieving sufficient integration and resourcing of health and safety at the organisational level; and (2) an inadequate construct of harm causality whereby the organisation focusses on prevention to the exclusion of recovery. These two risks compound each other: the organisation only plans for prevention, fails to achieve this due to poor organisational systems, which means that the residual risk is much greater than anticipated, and hence that accidents are more likely to occur and more likely to escalate to catastrophe.
The Pike River Mine disaster evidenced both failings, and this compounding effect. The organisational failings were clear in the findings of the Royal Commission, but the recovery perspective was merely tacit, and this was because the Royal Commission was focussed on the causes of the accident. The fact that the PRM disaster happened at all, despite the local mining industry representing itself as being self-regulating for safety, shows that it is not necessarily straightforward to implement a health and safety system whatever the standards say. Consequently it is important and valuable to analyse the organisational factors and recovery mechanisms in the PRM disaster, and seek insights from a holistic perspective that may help other industries reduce their own risk of disaster.

Purpose
The purpose of this paper is to analyse the Pike River disaster and extract implications for industrial safety generally. The specific areas under examination are the organisational factors and recovery mechanisms, i.e., how the disaster might have led to less severe outcomes. This is different to the approach taken by the commission of enquiry. A second purpose of this paper was to explain the regulatory aftermath of the PRM disaster, and how it led to a new national legislation for health and safety. While the principles adopted in the New Zealand legislation are not new (they are a derivative of the Australian legislation), the alignment between the PRM disaster and the legislation is of interest.

Approach
The approach was to retrospectively analyse the failure from a holistic perspective, using a systems engineering method. This is consistent with the whole-of-organisation method perspective of safety standards such as [5]. The approach comprises the following methodologies applied sequentially.
The first methodology applied is a systems engineering analysis. We started by identifying the overall causal sequence for the accident. The Royal Commission produced an extensive set of reports on the accident [1], which form the primary source documents for the present analysis.
The physical accident sequence is distilled from the source documents. Next we extracted the failings of a systems nature. These are identified as the power electronics, and the ventilation system. The next level of analysis extracted the organisational factors. A semi-qualitative research method is used here, whereby recurring themes are extracted from the accident report. This is achieved by inspection of the occurrence of similar words or concepts, or similar types of failures. We did not impose any specific categorisation on this, neither the human error causal factors of slips-lapses-mistakes-violations [7], nor any other. Instead we sought answers to the question: How did people working at the mine make sense of their own behaviours and those of others? We were interested in sense-making at worker, manager, engineer, and executive levels. Culture emerges as the key factor here, and is different for workers and managers. We show that the overall causal sequence for the accident is not a linear progression, but rather a complex interplay of the engineering challenges, project deliverables, management priorities, organisational culture, and worker behaviour.
The second methodology applied is bowtie analysis. This method excels at representing the processes that are in place to prevent risk and recover from disaster. Processes are an important part of any industrial system, and key to both quality and safety. The process perspective also complements the systems engineering perspective. The official enquiry took a qualitative approach to documenting its findings, and did not apply fault tree analysis (FTA), cause-consequence analysis, nor bowtie analysis. We re-analyse the accident using the bowtie method and the results suggest there were serious deficiencies in the mine's processes. More importantly, the absence of any real planning for recovery suggests that the mining organisation had a deficient construct of risk management. Therein are the implications for other organisations, specifically the need to go beyond mere preventative risk treatments, to explore the recovery mechanisms. This is particularly important for organisations that have a significant chance of experiencing a disaster (multiple deaths).
The third part of the work shows how the organisational failings are addressed in the new Act for New Zealand. In the past the way risk management has been applied in technological organisations is for technical staff to determine the hazards, treat them, and assess the outcomes. This process is well-defined in risk management standards [2]. However it became apparent in the case of the Pike River Mine organisation that this process was decoupled from executive decision-making. Consequently decisions made by executives and directors inadequately considered the safety risks. From the legislative perspective it was necessary to ensure that boards gave as much attention to safety as to their governance and financial duties. This was achieved in the legislation by creating new duties for executives and directors. These are briefly summarised. The overall implication is that organisations need to broaden their internal stakeholder discussions when applying risk management methods, as opposed to focussing on specialist technical discussion. Organisations need to develop more holistic constructs of safety that include all levels of decision-making.

Physical Accident Sequence
This first section of the results summarises the physical accident sequence, as this is important for understanding the interplay of the other causal factors. The explosion involved a deflagration (explosive burn) rather than a detonation. This was deduced from the long-duration pressure wave and relatively cool blast wave experienced by the two survivors [1].

Fuel Source
The most likely scenario, represented in Figure 1, was that a large volume of methane gas was produced from the mining activities, at location |1| on the figure. It was a gassy coal-mine, hence prone to liberating methane. Furthermore the hydro-mining (water jet cutting) method was known to cause goaf (roof) falls. These falls not only liberated methane, but also forcibly expulsed the gas into the roadways (passages), see |2|. Goaf falls are known to be a significant cause of methane hazard [8]. This was a wet mine, and therefore coal dust was not a major fuel. In other drier coal mines the usual practice is to remove excess coal dust, dust the surfaces with limestone [9], and provide bags of such stone dust [10] to reduce the opportunities for and size of any explosion [11]. Stone dusting was supposed to be applied at Pike, but implementation was poor, to the extent that it had been raised as an issue by the mines inspector. Interestingly in April of the same year (2010) 29 men had died in a methane explosion in the Upper Big Branch mine (USA). In that case the methane explosion also triggered a coal-dust explosion [12], which was not the case in the Pike case. However the Pike mine did suffer from delayed secondary explosions, most likely due to burning coal. Active barrier systems do exist for suppressing methane/coal dust deflagrations [13], but these were not installed at Pike.
Horizontal boreholes existed for draining methane, a method established some years ago [14]. This was essential because of the highly gassy nature of the coal at Pike, which in turn was a consequence of the faulted geology causing encapsulated compartments of coal. Ideally the boreholes would be orientated to pre-drain the methane ahead of mining. However this was not the case because the mine was simultaneously in an exploratory phase and a production phase. Consequently the exploratory boreholes tended to become intersected by subsequent cutting of roadways or of hydromining. This liberated additional methane above that of the mining itself. The methane drainage systems were generally inadequately implemented, and there were many cases where bores had been freely venting to roadways. This issue was known to the mine, since workers and various consultants had identified this as a deficiency. The gas drainage system was at capacity, and sometimes unable to cope. Important maintenance actions such as dewatering were not conducted reliably. In some locations in the mine a substantial volume of methane was freely vented by boreholes. On the day of the accident one of the most in-bye work-crews was cutting a roadway, and progress was delayed because the tunnel intersected a borehole.
The general consensus of the Commission was that the most likely source of methane for the explosion was an accumulation of the gas within the goaf at the production area, but the possibility of boreholes being the source could not be eliminated. The likely scenario was that methane accumulated in the goaf, which was not ventilated, and then a goaf fall displaced the methane into the roadways where it met an ignition source.

Ignition Source
For an explosion the methane needs to be in the combustible range, and there needs to be an ignition source. There were many possible ignition sources, including electrical hardware, frictional ignition, contraband (cell-phones, watches), and diesel engines. These types of sources have long been known [15] and mines actively manage them by controlling the hardware that is admitted to the mine and the safety procedures. In the case of Pike, the commission could not identify the source with precision. However it was noted that the explosion occurred seconds after electrical power was restored to the pumps, and this coincidence suggested an electrical origin. It is unlikely that the electrical system itself caused the methane to be liberated, as there was reason to believe that the pumps were still only in the start-up phase at the time. Rather, the inference is that the methane had previously been liberated, that a goaf fall moved it into the roadways, and that the gas encountered an electrical anomaly in the roadway. It is relevant to note that the mine took an unconventional approach to its electrical system design, described later. An origin of an electrical disturbance within region |3| of the figure is therefore plausible. However other origins are not excluded.
'The commission is satisfied that the immediate cause of the first explosion was the ignition of a substantial volume of methane gas. The commission's report identifies a number of possible explanations for the source of that accumulation of methane, and the circumstances in which it was ignited.' [1].
The location of ignition was identified as approximately in region |4| of the figure. This was based on the commission's modelling of the blast propagation using computational flow dynamics (CFD). Similar modelling methods have been applied to other mine explosions [16][17][18]. The volume of methane combusted was estimated at 1000-6000 m³ and was a burn rather than a detonation as already mentioned. This blast-wave propagated through the roadways and towards the two exits. The main exit path was the inclined drift (tunnel) into the mine, see |6|. This was 2300 m long, a considerable distance especially for emergency egress. The only two survivors were those in the drift, and they experienced a flash of light and an intense and prolonged blast of air that knocked them down. They did not experience serious burns. They quickly lost consciousness due to oxygen depletion, and regained consciousness about an hour later.
The other exit for the blast was a vertical ventilation shaft |7|. Although this was of lesser cross-sectional area, the blast certainly did find its way up this shaft, since it caused extensive damage to the hardware located at the surface. This hardware included the secondary ventilation fan, the loss of which had severe subsequent implications. Workers who may have survived (if any) could not realistically climb the vertical escape shaft (approximately 100 m vertical), especially not with the shaft functioning as a burning chimney. After the first explosion the lack of a viable emergency egress route proved to be a failing. It also meant that it was impossible to re-ventilate the mine quickly. Nor was it possible to enter the mine to attempt a rescue. Additional explosions and fires occurred, destroying any hope that the miners might have survived. At the time of writing the mine is sealed and the bodies remain inside.

Contribution from Deficient Engineering Systems
The engineering system design contributed to the accident. The main issues, as shown in Figure 2, were the location of power-electronics hardware, and the ventilation system.

Unconventional Power Electrical System
Mines generally make extensive use of electrical systems, which include power cables, switch boards, transformers, variable speed drives (VSD), and electrical motors. Any electrical device has the potential to cause ignition of flammable gas due to arcing or high temperature. Equipment can be designed to reduce the risk, e.g., by preventing gas ingress, reducing the energy of the arc, or preventing heat build-up. There are a number of international standards for electrical equipment manufacturers.
An obvious precaution is not to locate electrical equipment in areas where there is flammable gas. PRM had two locations for electrical plant, these being the two 'pit bottoms' shown in Figure 2. One was located in the stone to the north side of the main drift, and supplied power to much of the underground plant. This was supplied by two 11 kV lines through the drift.
A second location for electrical plant was deeper in the mine, in the coal seam itself, see 'pit bottom in coal', Figure 2. This powered the main ventilation fan and some pumps, including the hydromonitor pump (used for hydro mining) and was supplied by a third 11 kV line along the drift. Selecting this location was unconventional because of the fire and explosion hazard. This was also an imprudent decision given that much of the equipment located here was neither flameproof nor intrinsically safe, and this included the motor for the main ventilation fan. The underlying problem was that Pike defined for itself 'restricted' and 'non-restricted' zones, see Figure 2, based on engineering convenience rather than prudent consideration of the risk. In fact the Royal Commission found there was no risk assessment at all for locating these electrical services in the coal. The restricted zone was where methane was expected and operators were required to take precautions, whereas the non-restricted zone (which included the pit bottom in coal) required no special precautions.
The pit bottom in coal did have one protective feature, which was that it was protected by one or more methane sensors, which were intended to trip the circuits if gas concentrations were too high. However the more important issue was the proximity to gassy areas of the mine and the lack of flameproof equipment. Also, the electrical cables, including the three high voltage supply lines, were located and even wrapped around other services. In other places electrical equipment was located under water pipes.
At Pike there were twelve VSDs, ten in the pit bottom in stone and two in the pit bottom in coal. Although the use of these devices in mines is accepted, Pike was unconventional in the extent to which these were used to drive infrastructure, and where it located them. There had been multiple issues with VSDs at PRM in that several of them had failed in ways that could potentially generate an ignition, and issues were ongoing at the time of the accident. Furthermore the VSD supplying the main ventilation fan had overheating problems, the solution to which was to leave the enclosure open while waiting for an air-conditioner to arrive, but the explosion occurred first.
The commission found fault with Pike's assessment of its electrical risks. Overall the design and maintenance of the electrical systems was ad hoc. The risk of ignition was compounded by multiple concurrent deficiencies in choice of non-restricted zone, use of non-flameproof electrical plant, use of VSDs in an extensive plant setting, overheating/failure problems with VSDs, and layout of electrical cables and plant relative to other services. Also problematic was the long drift, and although this was not perceived as a risk at the time, it had the unfortunate consequence that the electrical infrastructure became inaccessible for all practical purposes after the accident. This seriously decreased the recovery options.

Unconventional Location of Main Ventilating Fan
Another unconventional and risky systems-engineering decision was placement of the main ventilating fan underground. The fact that it was not a flame-proof motor, and was placed inside the gassy coal, is astonishing from a risk-management perspective. The Mines Inspector had reservations about this, but the Pike management rebutted these by pointing out that it was not explicitly illegal. Management also expressed a wilful determination to persist with their system design in this regard. From a human error perspective this is an example of people persevering with a 'mistake' [7] by disregarding disconfirmatory information.
It is unwise to place the main ventilation fan inside a mine because doing so increases the risk that the ventilation system fails in the event of an accident inside the mine. It exposes the fan to many more root causes than experienced by a surface mounted fan. For example the fan itself could fail in which case it is more difficult to repair compared to a surface fan. Also, an underground fan has to be supplied by an electrical power cable (which ran up the main drift in the Pike mine), which is at risk of damage from rock-fall or machinery impact. In the case of Pike, once the disaster happened, there was no possibility to get inside the mine to repair/replace the main fan, so the methane built up and exploded several times with even more destructive blasts than the first. A surface fan would have been much easier to service. Consequently the placement of the main fan inside the mine jeopardised the ability of the firm to recover afterwards.

Ventilation System
The main fan, located in the mine, expelled stale and methane-rich air up the vertical ventilation shaft (111 m high). The system drew in fresh air through the drift (2300 m long). A mine ventilation system performs two main functions: one is to provide fresh air to the workers, and the other is to scavenge methane gas out of the mine. In the case of Pike, it was the second function that did not work properly. 'Methane gas, which is found naturally in coal, is explosive when it comprises 5% to 15% in volume of air. In that range it is easily ignited. Methane control is therefore a crucial requirement in all underground coal mines. Control is maintained by effective ventilation, draining methane from the coal seam before mining if necessary, and by constant monitoring of the mine's atmosphere.' [1].
Important parts of the ventilation system are the fan, the routing of air through the mine, and the ingress of fresh air. The fan needs to have sufficient capacity to get the airflow to all parts of the mine. Localised pockets of high-concentration methane may form around mining machines, and require ventilation to dilute the methane to safe concentrations [19]. Sometimes small auxiliary fans are used to blow air into dead-ends and other areas of low-flow. These were used at Pike. Figure 3 shows the air flow through the mine. Note the location of the main fan and the ventilation shaft in the coal, and how deep they are into the mine. Also note the electrical plant which was necessary to power the fans.
In some roadway junctions it is necessary for fresh and spent air streams to cross through the same place. These airflows are kept apart by stoppings to divert airflow, which may be as simple as wood and fabric constructions, or more substantial steel fabrications. In the case of the Pike mine, these stoppings were of variable and often inferior quality of construction and had failed in the past. The consequence of a failure of the stopping is that fresh air is diluted with stale air, and methane is not properly extracted. In summary, the ventilation plan for the mine was poorly designed and executed, and contributed to the disaster by not extracting the methane fast enough. 'Pike's ventilation and methane drainage systems could not cope with everything the company was trying to do: driving roadways through coal, drilling ahead into the coal seam and extracting coal by hydro mining, a method known to produce large quantities of methane.' [1].
The interdependency between ventilation and methane was known to Pike. However, perhaps they did not comprehend the full complexity, because they seemed to treat the inadequate ventilation system as a given, and methane as an independent variable to be managed as best it could. Methods exist for determining the effectiveness of methane control [20], but Pike appeared to take a more reactive approach to methane based on local measurements. The mine did not apply sufficient resources to get the ventilation system to the level where the methane risk was under control, nor did they consistently evacuate the mine when the ventilation system was not coping. Mine ventilation is expensive and is always a difficult economic decision [21]. Unfortunately Pike's decisions appeared to prioritise the economic considerations too greatly. Managers knew the methane was not in control (see the workers' reports), and had the intention to improve ventilation in the future, but actively incentivised increased mining production (hence also increased methane release). They were imprudent in considering the mine to be in the development phase, but nonetheless operating it at heightened production. The drive for production meant that many more people were working in the mine (hence more lives at stake) than if the mine had truly been in a development phase. So these management decisions increased the production of methane (hence the likelihood of explosion) and also increased the consequences of any explosion (more people in the mine).
There must also be a secondary fan as an emergency backup. In the case of Pike this was positioned outside the mine, on the top of the ventilation shaft, see Figure 4. This had a lesser airflow capacity than the main fan, and was probably incapable of adequately ventilating the mine except in an emergency. It was located on a hillside deep in the forest, and the only access was by helicopter. It was therefore powered by diesel emergency generators. Unfortunately the design doomed the secondary fan. The blast panels inadequately protected the fan from the over-pressure. These panels were supposed to vent the blast directly to atmosphere, thereby sparing the fan. In defence, the modelling of blasts is not straightforward [22]. Also problematic was that the secondary fan was placed too close to the blast axis of the vent. The first explosion therefore damaged the fan blades, fan housing, generators, and controls. (It is instructive to note that the control panel had been overturned by the blast and struck the emergency stop button of one of two generators). The secondary fan system was sufficiently damaged by the first explosion that it did not function. It could possibly have been repaired, but not immediately and at some safety risk: this was not attempted. The fan and supporting infrastructure was altogether destroyed in the second and subsequent explosions. Methane continually leaks out of the coal in these types of mines, whether or not mining activities occur. Once the secondary ventilation system was destroyed, this methane began to build up as there was no means of removing it from the mine.
The poor design of the ventilation system meant that it was rendered inoperable at the first blast, with no practical way of re-instating the capacity in a reasonable time. The system was brittle, and did not fail gracefully. Pike had no recovery mechanisms, no spare fan waiting, and no deeper recovery methods. This failure had three extremely serious consequences.

1. It made the atmosphere inside the mine inhospitable to life, since there was no fresh air circulating in the mine. Consequently any miners who may have survived the first blast had no real chance of walking out themselves, not with the distances involved. Miners did have rebreathing apparatus with them, but the survivors reported that they did not work and so discarded them. However those survivors were in the drift (entrance tunnel) so closer to fresh air.

2. It made it impossible to mount a rescue from outside, because the state of the mine was unknown. It is a basic principle that rescue teams should only be sent in once the methane levels are known to be safe. Pike had no way to reduce the methane levels. It also had no way of measuring the methane levels, because it had not installed the remote sampling instruments that would have made this possible. Such instruments have long been in existence [23].
'After the explosion a major search and rescue effort was launched. There was no predictable window of opportunity within which the Mines Rescue Service (MRS) could have safely entered the mine. Pike had no system for sampling the mine atmosphere after an explosion and without that information it was impossible to assess the risks of entry. The placement of the main fan underground and the damage caused to the back-up fan on the surface meant that the mine could not be reventilated quickly.' [1].

3. The ventilation failure caused repeated explosions, more violent than the first.
'For the first few days the families were given an over optimistic view of their men's chances of survival, but this was inadvertent. When the second explosion occurred five days later any remaining hope disappeared.' [1].

So the failure of the ventilation system created an irrespirable atmosphere such that there was no chance of saving miners who might have survived the initial deflagration. It was not even possible to recover the bodies.

Management and Organisational Failings
Most of all, the disaster was caused by management decisions. Their decisions increased the likelihood of explosion to the point of being inevitable.
'The drive for coal production before the mine was ready created the circumstances within which the tragedy occurred.' [1].

For the Best of Economic Reasons
Executives and directors rushed prematurely into production even though the technology development in the mine was incomplete. They did this for the best of economic reasons. If they had not, then the venture might have failed and the business closed, along with the livelihoods of all who worked there. As it was, the business was closed in the end, but not until many people had died. So they achieved the same outcome in the end, but with loss of life.
'A drive for production is a normal feature of coal mining but Pike was in a particularly difficult situation. It had only one mine, which was its sole source of revenue. The company was continuing to borrow to keep operations going.' [1].
The resulting financial pressures and cash-flow problems caused managers to seek a quick production solution. This meant increasing income and decreasing cost. Hence investment in non-productive infrastructure was reduced, with disastrous consequences for health and safety.
'Development of the mine had been difficult from the start and the company's original prediction that it would produce more than a million tonnes of coal a year by 2008 had proved illusory. The company had shipped only 42,000 tonnes of coal in total.' [1].
The expedient solution was to forge ahead with extracting coal, even though the cutting technology was still under development, and the infrastructure of the mine was incomplete. The critical infrastructural deficiencies were the inadequate ventilation of the mine, and the lack of a viable second emergency egress route. Financial pressure was the reason for not having these facilities. Production and economic considerations dominated over safety.
'The mine was new and the owner, Pike River Coal Ltd (Pike), had not completed the systems and infrastructure necessary to safely produce coal. Its health and safety systems were inadequate.' [1].

Deficient Risk Management
The preoccupation with coal production caused directors and executives to lose focus on safety. A competent risk management process would ensure that staff were assessing and treating hazards, and management were providing the necessary resources. However in this case the company risk assessments were variously deficient, incomplete, or not actioned. Warnings and feedback from staff were ignored: 'It is the commission's view that even though the company was operating in a known high-hazard industry, the board of directors did not ensure that health and safety was being properly managed and the executive managers did not properly assess the health and safety risks that the workers were facing. In the drive towards coal production the directors and executive managers paid insufficient attention to health and safety and exposed the company's workers to unacceptable risks.' [1].
There are many risks to consider in a mine: roof fall, rock outburst, flooding, electrocution, explosion, among others. This makes for a complex set of risks. Methods exist for assessing risk generally [2], and there are also specific adaptations for mines [24]. Regardless of the method used, it is important to fully identify the hazards, evaluate them against some decision criteria (usually internally set risk-tolerance), implement treatments, and then monitor the efficacy thereof. The deficiency with Pike was particularly acute in the lack of treatments and the paucity of monitoring.

Organisational Culture
Organisational culture refers to the norms of behaviour that become established as acceptable within the organisation. It is a shared understanding of how things are done in the place. It arises by vicarious learning: workers observe which of their behaviours are rewarded by managers, which are overlooked, and which are rejected. Consequently both managers and workers shape the organisational culture. Even the leadership style can have an effect [25].
So it was that an organisational culture emerged that encouraged conscientious workers to reduce any barriers to productivity, and allowed any non-conscientious workers to believe that violations of procedures were implicitly condoned. Organisational culture affects the behaviours that underpin some types of human error, especially the violations. Other types of human error include slips, lapses, and mistakes in the classical perspective, see also [26]. Increasing the number of rules and procedures is not necessarily an effective route to increased safety, because workers may perceive these as constraints contrary to their own efficacy, and hence desire to avoid them. For a mining investigation into this phenomenon see [27]. In the case of Pike, the enquiry did not find fault with the number of safety procedures, but rather with the frequency of the violations. The production incentive offered to miners would have changed their rationale for risk-taking, see [28].
There were methane detecting instruments in the mine. Managers knew the methane readings were high, but continued operating all the same. So did workers, who sometimes carried on working even when the machines were supposed to be stopped due to high methane levels. Miners would sometimes use plastic bags to bypass the methane sensors on their equipment.
There was a general sense that methane was just an operational issue to be managed, rather than a fundamental problem that needed urgent resourcing. They had got away with operating the mine with high levels of methane, without having explosions, and became complacent about the risk. They abused the reserve in the system. Some workers expressed concerns, but these did not result in action by management: 'There were numerous warnings of a potential catastrophe at Pike River. One source of these was the reports made by the underground deputies and workers. For months they had reported incidents of excess methane (and many other health and safety problems). In the last 48 days before the explosion there were 21 reports of methane levels reaching explosive volumes, and 27 reports of lesser, but potentially dangerous, volumes. The reports of excess methane continued up to the very morning of the tragedy. The warnings were not heeded.' [1].
Some systems provide two levels of warning: a first notification, and then a second warning when things get more critical. However mine explosions are less forgiving. They need fuel, oxygen, and ignition source to be in the same place. That explosions do not occur every time methane levels are high cannot be relied on to remain the case.
In addition there appeared to be a culture of neglect regarding monitoring the efficacy of treatments of hazards. The methane samples from the boreholes were seldom analysed, portable methane sensors were often out of service, maintenance on methane drainage lines was sporadic, safety inductions of workers were not rigorous, stoppings were often constructed of indifferent quality, the fresh air base was ineffective, risk assessments were not completed, key planning processes (e.g., for ventilation, electrical layout) were not taken to their logical conclusions, safety reports were not acted on, stone dusting was sub-standard, among others. The common theme is procedural failings at organisational level. Pike appears to have had a construct of risk-treatment that was focussed on the provision of technology hardware, but they appeared oblivious to the risks caused by procedures not being followed (violations). For example they were trying to improve the hardware of the ventilation system to reduce methane levels, but not putting in the maintenance effort to ensure that the existing methane drainage system was working at maximum effectiveness.

Marginal Finances
Fundamentally the company had insufficient funds to set up a venture of that complexity while still managing the risks. It is understandable that firms do not have perfect knowledge when they start a venture, but they also do need to have the courage to stop when new information becomes available that shows the risks to be greater than the benefits. In desperate financial situations organisations often do not objectively reconsider their strategies for the venture, do not perform risk assessment (Pike River mine was specifically criticised for this), and instead persist in trying to achieve the outcomes. This is the well-known sunk-cost bias. In the case of Pike River Mine it would have been better, when the high methane levels became apparent, to stop operations and take time out to re-examine the situational risks and the business case. Other experts could have been brought in, and a consensus forged as to how to proceed with the development, as opposed to executives making those decisions on mainly economic grounds. Fewer lives would have been lost if the mine had changed its focus away from production and back to development, and gone back to the drawing board: 'Mining should have stopped until the risks could be properly managed.' [1].

Lack of Recovery Mechanisms
One of the major organisational failings was the lack of mechanisms to help recover the situation. After the first explosion the lack of a viable emergency egress route proved to be a failing. Workers who may have survived could not realistically climb the vertical escape shaft, with the shaft functioning as a burning chimney.
Pike management were tardy in their response after the accident. They took a long time to recognise that there had been an explosion, even though the office was immediately aware of the loss of communication and power into the mine. They thought it was a routine issue. They did not declare an emergency, but simply sent an electrician to drive up to the mine (without a respirator) to check on the electrical system. That person alerted the office to the disaster, but only after considerable time had elapsed. Pike management had no further recovery plans in place, and could do nothing but rely on outside help.
'The New Zealand Police led the emergency response and made the major decisions in Wellington. There had been no combined testing of an emergency response of this nature involving Pike, mining specialists, the MRS, the police and emergency services.' [1].
The police did what they could, but they lacked contextual knowledge of handling a mine disaster. It was impossible to enter the mine to attempt a rescue. Additional explosions and fires occurred and destroyed any hope that the miners might have survived. Instead all that could be done was flood the mine with a CO2-rich atmosphere (from the exhaust of a gas turbine) and then plug the mine entrance portal to prevent oxygen ingress. This is the state of the mine at the time of writing.

Systems Engineering Model of the Interacting Causation
The following diagram shows the complex interplay of these factors: the engineering challenges, project deliverables, management priorities, organisational culture, and workers' behaviour, see Figure 5.

Bowtie Analysis
This next section applies bowtie analysis to the disaster. This is useful because it shows where the systems were weak. Many risk-assessment methods are focussed solely on prevention of accidents, and are relatively poor at disaster-recovery. This is where the bowtie method is especially effective.

Background to the Method
An accident does not simply occur, but rather has a preceding event that could perhaps have been prevented. In safety-critical situations, multiple layers of defence or barriers (see Swiss Cheese model [7]) are designed into the system to prevent an initial event progressing to an accident. These defences may include processes (e.g., regular inspections), technology hardware (e.g., provision of redundant systems), and functionality (e.g., fail-safe design), among others. Each of these has limitations or failings: it protects against some events, but not all. Also, these defences are of variable efficacy at any particular time, e.g., due to the variability of human attentiveness. The analysis of barrier and recovery mechanisms is a development of the barrier approach, and combines the preventative barriers that prevent the hazard from emerging, and the recovery mechanisms that prevent hazard from further progressing to a catastrophe. The dominant way of representing the results is using a Bowtie diagram. The methodology was developed in the oil and gas industry and thereafter was quickly adopted in the aviation industry, and spread to others where operating procedures are important.
The bowtie has two primary components: (1) the barriers that prevent a hazard becoming an accident ('top event'); and (2) the recovery mechanisms that limit the consequences afterwards. It can also include secondary components for managing and validating the efficacy of the barrier mechanisms, see Figure 6. The method combines some aspects of fault trees and event/consequence trees, but without the logical structures and quantitative probabilities. It is mainly a qualitative method that focusses on barriers and mechanisms rather than probabilities or risk per se (although those can be added). Individual barriers have different deficiencies and none on their own can totally prevent the accident from occurring.

Prevention Side
On the threat side of the bowtie are the preventative barriers. These barriers are typically identified as part of hazard analysis or risk management. These come in two main types:

1. Technology mechanisms, including:
   a. Good design practices that eliminate or minimise hazards in the hardware a-priori.
   b. Instrumentation to detect hazards and warn humans.
   c. Automatic control systems that suppress hazards.
   d. Personal protective equipment, which is the last line of defence.

2. Human behavioural actions. These are the things that people do, most commonly represented as procedures. It is important to have a system: to be specific about these procedures and to monitor their efficacy.

In the case of Pike it was reported: 'Its health and safety systems were inadequate.' [1].
Pike did not have a coherent risk management plan. It did not systematically identify the hazards, and was slow to implement treatments. Its monitoring of the efficacy of existing controls was also deficient, in that it failed to act on the incident reports and other signs that things were not well.
The bowtie for the preventative barriers for Pike is shown in Figure 7. An explosion in such a mine requires methane in flammable concentration, and an ignition source. These need to be co-located. The nature of the coal and the type of mining method ensured a plentiful supply of methane. Under no circumstances should the methane come into contact with ignition sources. Pike failed to adequately maintain this separation. They located the electrical systems too close to methane sources, and their ventilation system was inadequate to keep the methane sufficiently diluted and away from ignition sources. When the methane was not under control, or had travelled to locations of known ignition sources, it would have been appropriate to shut down the electrical systems and evacuate the mine. This would reduce the ignition sources, and avoid fatalities if an explosion did occur. In fact Pike did occasionally close the mine for high methane, but not consistently. They frequently operated the mine knowing that methane levels were high in places. The figure critiques the mine operations in these various areas.
No mine is risk-free. It is to be expected that large volumes of methane will be produced occasionally. The engineering problem at Pike was that they could not extract that methane quickly enough, so it flowed into other areas thereby expanding the chance of encountering an ignition source. Nor were they quick to evacuate the mine when methane was high. Pike managers knew about the high methane, but seemed inattentive to the risk of it migrating to more dangerous places. They attempted to manage the methane problem by hoping that the ventilation system would extract it. They knew that was not happening as well as it should, but they had no other strategy. They needed coal production to pay for further development of the mine, including a better ventilation system and a second egress. So they disregarded the methane readings, and pushed ahead with mining so that they could get the organisation into a better future state. The absence of small explosions was perhaps interpreted as confirmation that their course of action was not particularly hazardous. Managers did not deliberately put miners' health in danger or destroy the business: it is more likely that they did not realise how little safety margin was left in the system.
'It is the commission's view that even though the company was operating in a known high-hazard industry, the board of directors did not ensure that health and safety was being properly managed and the executive managers did not properly assess the health and safety risks that the workers were facing. In the drive towards coal production the directors and executive managers paid insufficient attention to health and safety and exposed the company's workers to unacceptable risks. Mining should have stopped until the risks could be properly managed.' [1].
The overall impression is that the Pike managers were trying to do the best they could in the situation, but were trying to solve the methane, ventilation, electrical, and production problems as independent issues. They did not seem to anticipate the risks that arose at the intersections, or appreciate the complexity in the situation.
Given the poor performance of the ventilation system, it would have been prudent to: (a) maximise what capacity the ventilation system did have, by attention to construction quality of stoppings; (b) avoid putting electrical systems in areas which could conceivably be reached by a methane burst; (c) increase vigilance regarding ignition sources; (d) minimise the number of people working in the mine when methane production could be expected to be high; (e) increase methane monitoring frequency and locations; (f) act on methane spikes by temporarily evacuating the mine. Pike did have a risk management process, but it was focussed on the prevention side, and even then was poor in its analysis, treatments, and monitoring.

Recovery Side
Once the hazard (undesired system state) has eventuated, then the recovery mechanisms prevent the undesired state from progressing to further catastrophe. These are REACTIVE barriers. They recover the situation, by reducing either the severity of the consequence, or its likelihood. Like all other barriers, they have inadequacies.
The first mechanism is for the human or control system to recognise that there is a problem, correctly diagnose it, and communicate the information as necessary. If this does not happen, then it severely limits the ability to apply corrective actions. Subsequent recovery actions include human intervention by operators, and automatic control systems. If these also fail, then the last resort is often the reserve that the designers have built into the system. This could be reserve capacity or safety margin. It could also be a system that is deliberately designed such that its performance degrades gracefully, as opposed to abruptly or totally. (Pike's ventilation system failed abruptly, and was impractical to re-instate in a timely manner.)
Pike did this poorly. Not only were they slow to realise that an accident had happened, but they were also slow to act on that information, and had no real recovery mechanisms in place beforehand, see Figure 8. It is known from the two survivors that the explosion was survivable in some parts of the mine. The issue was not so much barotrauma, but unconsciousness from lack of oxygen. It is possible that other miners could have survived the first deflagration in an unconscious state. It is one thing to have an explosion, but that does not necessarily mean that everyone in the mine will die. The recovery side of the bowtie, shown below, represents the activities that might have prevented an explosion from progressing to a disaster.
The first essential activity is to sustain the life of miners underground. Their immediate need is for breathable air. This may be achieved by providing respirators (which the survivors said did not work), and re-instating the air circulation. It is also necessary to provide a refuge, where bottled oxygen and other essentials are available. For those miners who are able to use it, an emergency exit is necessary. As the figure shows, these recovery mechanisms were lacking in Pike.
Miners may be injured or unconscious, and may need external assistance to escape, hence a rescue has to be considered. This is only safe if methane levels are below the flammable range [29,30]. In turn this requires a working ventilation system, or the means to immediately re-establish ventilation. This did not occur, due to the poor design and the difficulty of repair.
It is evident from the bowtie analysis that re-instatement of the ventilation system was on the critical recovery path. The other recovery activities all depended on it. Realistically, a serious explosion is likely to result in damage to ventilation systems. However the extent of the damage and the rapidity with which ventilation may be re-instated is a variable that is at least partly under the control of the mining company. The controls are affected by engineering design that provides for graceful degradation of technical function, provision of redundancies in key systems, and emergency response procedures that ensure human agency is directed to solving the key problems as quickly as possible. Agency is the ability to exert effort purposefully to achieve an outcome. Pike was poor on all these counts.
The design of the ventilation system was vulnerable to an explosion as a common mode failure: the one event overwhelmed both the primary and the secondary fan. They had indeed provided a secondary fan, but its blast doors were too small and the hardware was positioned too close to the blast axis. So the fan, its housing, and its controls, were all damaged. The secondary fan was also under-designed for airflow capacity and hence too small to function as a main ventilation fan. Had it instead been designed to the same capacity as the main fan, which is not an unreasonable expectation, it would have had larger flow apertures and been significantly more capable of venting the explosion with less damage. Given that the mine had decided to put the main fan underground, this created a critical dependency on the secondary fan. Given also that the secondary fan was located in an area without road access, was known to be under-specified for the task, and was also the emergency egress route from the mine, it really is extraordinary that the design of the secondary fan system was not more robust. This is consistent with Pike's inadequate risk assessment of its ventilation system. It appears the company had never really thought in an integrated way about how the various hazards intersected and compounded each other. As it was the secondary fan was deemed by some staff to be capable of being repaired after the first explosion. However the response from the emergency managers was slow, agency was not exerted in the direction of reinstating the ventilation, and the subsequent explosions destroyed the fan completely.
There was no evidence in the report [1] that Pike's risk management plans ever looked at recovery in the type of structured way provided by a bowtie analysis.
The bowtie method may be extended to create a safety management system, by doing the following:
• assess the reliability of each barrier and its limitations (size of the holes),
• identify secondary 'escalation' factors that cause a barrier to fail,
• implement deeper level barriers to prevent the 'escalation' factors from occurring, these are 'escalation factor barriers',
• identify what is required to maintain the barrier, and allocate responsibilities to people,
• test and evaluate the efficacy of the barriers.
None of those actions were evident in the case of Pike.
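The recovery-side reasoning above (redundant fans that one explosion defeats as a common mode failure, with the other recovery activities depending on ventilation) can be checked mechanically. The following Python example is added here for illustration and is not part of the paper or of the Commission's report; the barrier names, the dependency encoding and the damage sets are assumptions constructed from the text.

```python
"""Recovery side of a bowtie as a dependency model (added illustration).

Barrier names, dependencies and damage sets are assumptions read from the
paper's recovery-side discussion; they are not data from the Commission.
"""
from itertools import combinations

# barrier -> alternatives; every item inside one alternative must work.
# Any name that is not a key of this dict is a leaf component.
RECOVERY = {
    "ventilation":             [{"main_fan"}, {"secondary_fan"}],
    "breathable_air":          [{"respirators"}, {"ventilation"}],
    "methane_below_flammable": [{"ventilation"}],
    "rescue":                  [{"methane_below_flammable"}],
    "emergency_exit":          [{"vent_shaft_route"}],
}

# Constructed damage sets: what a single initiating event removes at once.
AS_BUILT_EXPLOSION = {"main_fan", "secondary_fan", "vent_shaft_route"}
# Hypothetical design: secondary fan sized and sited to survive the blast.
ROBUST_FAN_EXPLOSION = {"main_fan", "vent_shaft_route"}


def works(item, failed, model=RECOVERY):
    """True if a component or barrier still functions given failed leaves."""
    if item not in model:                       # leaf component
        return item not in failed
    return any(all(works(dep, failed, model) for dep in alt)
               for alt in model[item])


def components(model=RECOVERY):
    """Sorted leaf components referenced anywhere in the model."""
    return sorted({dep for alts in model.values() for alt in alts
                   for dep in alt if dep not in model})


def minimal_cut_sets(goal, model=RECOVERY):
    """Smallest sets of leaf failures that each disable `goal`."""
    found = []
    leaves = components(model)
    for size in range(1, len(leaves) + 1):
        for combo in combinations(leaves, size):
            candidate = set(combo)
            if any(cut <= candidate for cut in found):
                continue                        # superset of a known cut
            if not works(goal, candidate, model):
                found.append(candidate)
    return found


def lost_barriers(failed, model=RECOVERY):
    """Recovery barriers unavailable once the given leaves have failed."""
    return sorted(b for b in model if not works(b, failed, model))


def common_mode_defeats(goal, damage, model=RECOVERY):
    """Cut sets of `goal` that one event's damage set covers entirely."""
    return [cut for cut in minimal_cut_sets(goal, model) if cut <= damage]


if __name__ == "__main__":
    cuts = minimal_cut_sets("rescue")
    print("single points of failure for rescue:",
          [c for c in cuts if len(c) == 1])
    print("cut sets for rescue:", cuts)
    print("lost, as built:", lost_barriers(AS_BUILT_EXPLOSION))
    print("lost, robust secondary fan:", lost_barriers(ROBUST_FAN_EXPLOSION))
    print("common-mode defeat of rescue:",
          common_mode_defeats("rescue", AS_BUILT_EXPLOSION))
```

On paper the model has no single point of failure for rescue, yet the as-built damage set covers the only cut set, which is the common mode failure the text describes.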

Implications: Legislative Consequences
In the case of the Pike River Mine the physical accident involved an explosion of methane gas, which is naturally liberated from coal. There was no shortage of possible ignition sources, ranging from worker violations (cell phones, watches), diesel engines, electrical arcing, and power electronics. Some poor engineering decisions were made regarding electrical systems in particular. However a small methane explosion could have been survivable, but not the series of large explosions that actually occurred. Consequently part of the problem was excessive methane in the mine. In turn this was caused by the mismatch between the increased methane caused by accelerated coal extraction (made necessary by cash-flow problems), and insufficient withdrawal of methane by the fan ventilation system. The problems with the ventilation system included imprudent engineering system design (placement of fan inside the mine), insufficient ventilation capacity, and management prioritisation of production over solving ventilation problems.
This was supposed to be a self-regulated mining operation, since the industry had successfully represented to government that it had the maturity to deal competently with its own risks. Consequently regulatory oversight of the mine had been light. The mine broke this promise with its poor internal management of risk and safety.
'The Department [of Labour] assumed that Pike was complying with the law, even though there was ample evidence to the contrary. The department should have prohibited Pike from operating the mine until its health and safety systems were adequate.' [1].
The catastrophe was not merely a random accident, but the consequence of persistent failures of organisational systems at executive, management, and operator levels. It was not possible to secure a conviction against any board directors or executives of the mining company. Under the previous law it was an adequate defence to claim ignorance of the hazards. Thus the disaster became a breaking point for health and safety at the national level. It directly precipitated a major change in the health and safety legislation. This included radical redefinition of the duties, especially of executives and organisations. The Act was passed in 2015 [31].
Now an organisation has a Primary duty of care to take care, as far as is reasonably practicable, of any people it affects: its workers, all the workers of any subcontractors (workers of other organisations that do work on the site), trainees, visitors, and the public at large. This responsibility extends to providing a safe work environment, having safe equipment and facilities, having protocols, storing materials safely, training workers, and monitoring the health of workers. In particular, note that the duty extends to all workers, whoever employs them, including those of sub-contractors.
In the past the engineering and technical staff were primarily responsible for the locus of action for hazard management, see Figure 9. They were expected to apply the risk assessment methodology to identify hazards, rank them, and apply treatment. Those treatments were formulated in terms of a hierarchy of hazard control: eliminate, isolate, minimise. That work stream survives into the new Act, except that it only refers to elimination and minimisation (the difference is not significant).
However a major change occurred in the additional work stream required of all directors and executives ('officers'). The Duty of Due Diligence requires officers to make themselves informed of hazards and ensure that the organisation is dealing with them effectively, see Figure 10. Ignorance of the hazards faced by workers is no longer a defence, but is instead an offence in its own right. Nor can officers delegate the duty. Even though they can task others in the organisation to implement the health and safety treatments, the officers still retain responsibility for the outcomes. The Act effectively elevates health and safety considerations to the same level as the strategic and fiduciary duties that already apply to boards.
As a consequence prudent directors and executives of technology-based organisations will need to assess their current practices, and make changes to their systems to remedy deficiencies. They will need systems to collect evidence-based statistics on organisational performance: actual effectiveness of treatments, summaries of violations, trends in safety incidents. Officers will need to take note of these reports, and exert personal agency to fix the issues and change the organisational practices and culture where necessary.
Another important change is that the new Act does not preserve the category of 'serious harm'. Instead the new Act defines a 'notifiable incident' as merely the exposure to serious harm, whether or not serious harm actually occurs. As the term suggests, such near accidents must now be notified to the Regulator, and can result in penalties. In the old way of thinking a 'near-miss' did not have much consequence under law, and thus did not always encourage people to preventative agency. Now with the new law it would be prudent for organisations to learn to articulate these as 'near-accidents'. It may require a culture change to achieve this shift.
Were a similar accident to occur now, the directors and executives would be exposed to criminal charges for neglecting their duties in multiple areas. The diagram in Figure 11 illustrates some of the common weaknesses: incomplete hazard assessments, under-resourced treatment plans, processes that are overwhelmed by the number of incidents, neglect of introduced and residual risks, poor culture towards violations, ad-hoc or lack of reporting of safety statistics to the board. These are known barriers to effective risk management at the engineering level. Organisations absolutely are expected to be competent at these processes, since the risk assessment process is well-established.
The Act deliberately criminalises deficiencies in judgement at the board level. The diagram shows the types of deficiencies that could result in liability under the Act. This is a new concept and for some organisations will require a change in attitudes and priorities of directors and executives. Organisations will need to strengthen the integrity of their risk management processes at engineering and operational levels, and also at board level. There is more accountability on decision-makers, i.e., those with the resources to solve health and safety problems. They are required to keep themselves informed of health and safety issues in the organisation ('due diligence'), and failure to do so is an offence in itself. In contrast the previous act tended to encourage people to avoid liability by not being involved.
Subsequent to the explosion the NZ government also introduced a code of practice [6] that specifically described the minimum expectations for preventing mine fires and explosions. This is effectively a regulation in its degree of compulsion. It is also very specific in that it covers the practicalities of risk assessment for mine explosions, the contents of a risk management plan, collection of monitoring data (e.g., measurements required around hydro-mining machines), fire suppressant controls on apparatus, fire-fighting provisions, water deluge systems, stone dusting, explosion barriers, refuge chambers, emergency egress, record-keeping, and much more. This standard therefore addressed many of the issues raised by the Pike failure.
Taken together with the Act, this means that the self-regulating safety regime that the NZ mining industry was previously operating under, has been replaced in a relatively short period of time with a much more prescriptive regime. All of this came about primarily because one organisation, the Pike River Mining company, failed to do due diligence to its safety responsibilities. This destroyed the trust between the regulator and the industry, and radically reset the relationship between the NZ people and the mining industry. Therein lies another lesson: that the privilege of self-regulation regarding safety is part of a social contract between industry and society, and one that can be reshaped if the privilege is abused.

Conclusions
This paper has re-analysed the Pike River disaster. The overall finding is that Pike had a deficient construct of risk management. They had a simplistic understanding of risk, mainly of the preventative aspects, and even then poorly executed. They did not evidence comprehension of the way that risk arose as a consequence of the complex interactions between the components of the sociotechnical system.
There are a number of original contributions. The first is the application of a systems engineering perspective. This shows the interacting causality between the engineering challenges (ventilation, mining method, and electrical power), project deliverables, management priorities, organisational culture, and workers' behaviour. These interactions are only implicit in the official report of the accident. The second contribution is the application of the barrier method, using bowtie analysis, to the disaster. This provides a new way to examine the risk-management strategies of the mine, and the results suggest the mine was doing a poor job of preventative risk treatment, and had major deficiencies in its management of the recovery mechanisms. A third contribution is showing where the breakdowns occurred in Pike's safety management systems, and how these would be judged according to the new Act. These findings are broadly relevant to all organisations.

Figure 1. PIKE RIVER MINE: Layout of mine and possible mechanics of the deflagration. Image D Pons based on images and information in the report of the Royal Commission on the Pike River Coal Mine Tragedy (Te Komihana a te Karauna mo te Parekura Ana Waro o te Awa o Pike) [1].
They did not experience serious burns. They quickly lost consciousness due to oxygen depletion, and regained consciousness about an hour later.

Figure 2. UNCONVENTIONAL SYSTEM DESIGN: The location of electrical hardware was unconventional. Image D Pons based on images and information in the report of the Royal Commission on the Pike River Coal Mine Tragedy (Te Komihana a te Karauna mo te Parekura Ana Waro o te Awa o Pike) [1].

Figure 3. STRETCHED VENTILATION SYSTEM: The system for extracting methane from the mine did not always perform that function adequately. Image D Pons based on images and information in the report of the Royal Commission on the Pike River Coal Mine Tragedy (Te Komihana a te Karauna mo te Parekura Ana Waro o te Awa o Pike) [1].

Figure 4. BLAST CHIMNEY: The vertical shaft had three intended purposes: vent for the main fan, suction path for the secondary fan, and the only other emergency exit from the mine. Its actual behaviour was entirely different: it provided a blast path to destroy the main fan, it directed the blast at the secondary fan and so destroyed that too, and it functioned as a chimney of fire which made that route impassable for escape. Note that the rock-fall at the base of the shaft arose during construction, hence the bypass design. Image D Pons.

Figure 6. BOWTIE: Multiple THREATS or root causes exist and can, if unchecked, lead to an undesired system state (ACCIDENT), which in turn can progress to a CATASTROPHE. Proactive barriers are the preventative mechanisms which prevent the threat from progressing to a hazard. There is LOSS OF CONTROL when the threat overwhelms or evades the barriers, to cause the accident. Reactive barriers are the recovery mechanisms that prevent the undesired accident state from progressing to further catastrophe. They recover the situation, by reducing either the severity of the consequence, or its likelihood. Image D Pons.

Figure 7. PREVENTION SIDE: PROACTIVE Barriers and Preventative mechanisms for Pike River mine. These are measures which prevent the threat from progressing to an incident. Colours indicate the degree to which the barrier was successful, with red being least successful, and green being generally successful. Colours are assigned subjectively based on a reading of the Commission's report. Image D Pons.

Figure 8. CONSEQUENCE SIDE: Recovery mechanisms prevent the undesired state from progressing to further catastrophe. They recover the situation, by reducing either the severity of the consequence, or its likelihood. In Pike's case the recovery mechanisms were mostly absent or failed. Image D Pons.

Figure 9. TECHNICAL WORK STREAM: The typical organisational approach to hazards is based on technical staff determining the hazards, treating them, and assessing the outcomes. The process needs to be robust enough to detect when new hazards are introduced as part of treatment, and to assess the residual risk after treatment. Image D Pons.

Figure 10. OFFICERS' WORK STREAM: Directors and Executives are now required to keep themselves informed about hazards in their organisation, show ongoing commitment to reduction of harm, and apply diligence to verify the state of the organisation's processes. Image D Pons.

Figure 11. NEW EXPECTATIONS: If a similar accident were to occur now, the directors and executives ('Officers') would be guilty on multiple counts, for being negligent regarding their 'duty of due diligence' and for failing to ensure that the organisation met its 'primary duty of care'. Image D Pons.