Safety Mismanagement and High Consequence Accidents
THE ORGANISATION (TOP LEVEL MANAGEMENT) HAS MATERIAL RESPONSIBILITIES FOR SAFETY
• Responsibilities first formally defined by HM Railways Inspectorate (UK) in 1858
• Investigation of 1870 collision (Brockley Whins) found management “wholly responsible”
Human error in the Boardroom
Management cock-ups in five flavours:
1. don’t understand hazard
2. production considerations dominate
3. don’t define/assign safety responsibility
4. ignore, or don’t learn from, experience
5. don’t maintain corporate memory
• SL-1 reactivity insertion accident (1961)
• Herald of Free Enterprise capsize (1987)
• Challenger explosion (1986)
• Pickering pressure tube failure (1983)
• Pickering SLOCA (1994)
• Fuel string relocation issue (1962-present)
SL-1
National Reactor Testing Station, Idaho Falls
SL-1
• duration of nuclear portion of accident: 2 ms
• total duration of accident: 2-4 s
• Period of interest: August 1959-December 1960 (17 months or 90.6336 Ms)
SL-1 History
• August 1959: Significant design deficiencies identified
• August 1960: Significant (hazardous) core deterioration reported
• September 1960: SL-1 returned to service at higher power level
• September-December 1960: severe deterioration in CR performance
CR drive disassembly procedure
1. Secure special tool CRT No 1 on top of rack and raise rod not more than 4 inches. Secure C-clamp to rack at top of spring housing
2. Remove special tool CRT No 1 from rack and remove slotted nut and washer
3. Secure special tool CRT No 1 to top of rack and remove C-clamp, then lower control rod until the gripper knob located at the upper end of element makes contact with the core shroud
Assembly of the rod drive mechanism… are the reverse of disassembly
Underlying failures
• safety responsibility undefined/unassigned
• hazard not clearly defined/understood
• no effective response to early indications of design deficiency or core deterioration
• dominating production imperative
Dominating production imperative
It is clear, and many people have later said so, that the reactor should have been shut down pending resolution of the boron difficulties and the general deterioration of control rod operation. In fact no one did so or even brought the malfunctions to the attention of any responsible safety group. In the climate that existed before the accident, it is likely that if one man had decided that the reactor should be shut down for safety reasons he would have been ridiculed and would almost certainly have had an unfriendly response since he would have had to say some rather harsh things to accomplish his purpose. [T J Thompson]
Cross-channel ferry Herald of Free Enterprise
Zeebrugge, 1987
What happened?
• assistant bosun not at his station to close doors
• Officer of Watch did not remain at door station to supervise
• doors not visible from bridge (standing orders required Captain to assume vessel in all respects ready for sea if no report to contrary)
• vessel trimmed by the head (~3 ft) for loading
• dynamic sinkage (at 18 kts) brought bow wave to ~6 ft above lower edge of loading doors
• open vehicle deck flooded rapidly (initial 30° list to port in less than 1 min)
The environment
• Standing Orders inadequate, ambiguous and unworkable (previously identified)
• strong management pressure for early departure
• sailing with open loading doors an identified issue (five instances reported to management since 1983)
• routine failure to comply with legal requirements (identified in 1983)
• routine operation in unknown stability conditions (identified in 1983)
• routine overloading
Excessive passengers carried
• two instances reported in 1982
• instances reported in 1983 and 1984
• five instances reported in 1986
more passengers carried than permitted (loading limit)
more passengers carried than life-saving appliances
• dominating production imperative
• misperception of hazard (wilful or otherwise)
• refusal to respond to clear indication of unsafe conditions
• no defined safety responsibility
Loss of Space Shuttle Challenger
• safety responsibility undefined/unassigned
• nature of hazard either not understood or wilfully ignored
• no substantive response to O-ring erosion
• production imperative in overall programme and in specific launch decision
Pickering Unit 2 pressure tube failure, August 1983
• failure to respond to operating experience and/or misperception of hazard
• dominating production imperative
Two more quick ones
• Pickering Unit 2 SLOCA (1994)
• Fuel string relocation reactivity issue (1962-present)
Pickering SLOCA
• Pickering Unit 2 SLOCA of 1994 Root Cause Investigation did not identify root cause (some information actively concealed)
RCI recommendations
• training to broaden awareness of safety issues
• breakdowns and failures in the analysis process should be communicated to all nuclear safety staff so everyone has the opportunity to learn from the mistakes of the past
REPORT NEVER FORMALLY ISSUED
Some other examples
• Brockley Whins collision (1870): “I find the company's management wholly to blame for this accident”
• Shipton derailment (1874) 34 dead
• Aberfan landslide (1966) 144 dead (116 children)
• Flixborough explosion (1974) 28 dead
• Hinton (Alta) rail collision February 1986: 23 dead
• Kings Cross fire November 1987: 31 dead
• Ocean Ranger oil rig sinking (1982) 84 dead
• Bhopal (1984) >3000 dead
• Piper Alpha oil rig fire July 1988: 167 dead
• Clapham Junction rail collision (1988) 35 dead
• Westray mine explosion May 1992: 26 dead
• Ladbroke Grove rail collision (1991) 31 dead
• Columbia STS breakup on re-entry (2003) 7 dead
• Crash of RAF Nimrod XV230, Afghanistan, (14 dead) 2006
• Sayano-Shushenskaya (Khakassia) dam turbine failure (75 dead), 2009