mac lecture
TRANSCRIPT
![Page 1: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/1.jpg)
Safety Mismanagement
and
High Consequence
Accidents
![Page 2: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/2.jpg)
.
![Page 3: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/3.jpg)
THE ORGANISATION (TOP LEVEL
MANAGEMENT) HAS MATERIAL
RESPONSIBILITIES FOR SAFETY
• Responsibilities first formally defined by HM
Railways Inspectorate (UK) in 1858
• Investigation of 1870 collision (Brockley Whins)
found management “wholly responsible”
![Page 4: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/4.jpg)
Human error in the
BoardroomManagement cock-ups in five flavours:
1. don’t understand hazard
2. production considerations dominate
3. don’t define/assign safety responsibility
4 ignore, or don’t learn from, experience
5 don’t maintain corporate memory
![Page 5: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/5.jpg)
• SL-1 reactivity insertion accident
(1961)
• Herald of Free Enterprise capsize
(1987)
• Challenger explosion (1986)
• Pickering pressure tube failure (1983)
• Pickering SLOCA (1994)
• Fuel string relocation issue (1962-
present)
![Page 6: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/6.jpg)
SL-1
National Reactor Testing
Station, Idaho Falls
![Page 7: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/7.jpg)
SL-1
![Page 8: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/8.jpg)
![Page 9: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/9.jpg)
![Page 10: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/10.jpg)
![Page 11: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/11.jpg)
![Page 12: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/12.jpg)
![Page 13: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/13.jpg)
![Page 14: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/14.jpg)
• duration of nuclear portion of accident:
2 ms
• total duration of accident:
2-4 s
• Period of interest:
August 1959-December 1960
(17 months or 90.6336 Ms)
![Page 15: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/15.jpg)
SL-1 History
• August 1959: Significant design
deficiencies identified
• August 1960: Significant (hazardous) core
deterioration reported
• September 1960: SL-1 returned to service
at higher power level
• September-December 1960: severe
deterioration in CR performance
![Page 16: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/16.jpg)
![Page 17: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/17.jpg)
CR drive disassembly
procedure1 secure special tool CRT No 1 on top of rack and
raise rod not more than 4 inches. Secure C-clamp to rack at top of spring housing
2 Remove special tool CRT No 1 from rack and remove slotted nut and washer
3 Secure special tool CRT No 1 to top of rack and remove C-clamp, then lower control rod until the gripper knob located at the upper end of element makes contact with the core shroud
Assembly of the rod drive mechanism… are the reverse of disassembly
![Page 18: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/18.jpg)
![Page 19: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/19.jpg)
![Page 20: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/20.jpg)
Underlying failures
• safety responsibility
undefined/unassigned
• hazard not clearly defined/understood
• no effective response to early
indications of design deficiency or
core deterioration
• dominating production imperative
![Page 21: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/21.jpg)
Dominating production imperativeIt is clear, and many people have later said so, that the reactor should have been shut down pending resolution of the boron difficulties and the general deterioration of control rod operation. In fact no one did so or even brought the malfunctions to the attention of any responsible safety group. In the climate that existed before the accident, it is likely that if one man had decided that the reactor should be shut down for safety reasons he would have been ridiculed and would almost certainly have had an unfriendly response since he would have had to say some rather harsh things to accomplish his purpose. [T J Thompson]
![Page 22: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/22.jpg)
Cross-channel ferry
Herald of Free Enterprise
Zeebrugge, 1987
![Page 23: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/23.jpg)
![Page 24: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/24.jpg)
![Page 25: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/25.jpg)
![Page 26: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/26.jpg)
![Page 27: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/27.jpg)
![Page 28: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/28.jpg)
What happened?• assistant bosun not at his station to close doors
• Officer of Watch did not remain at door station to supervise
• doors not visible from bridge (standing orders required Captain to assume vessel in all respects ready for sea if no report to contrary)
• vessel trimmed by the head (~3 ft) for loading
• dynamic sinkage (at 18 kts) brought bow wave to ~ 6 ft above lower edge of loading doors
• open vehicle deck flooded rapidly (initial 30o list to port in less than 1 min)
![Page 29: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/29.jpg)
The environment
• Standing Orders inadequate, ambiguous and unworkable (previously identified)
• strong management pressure for early departure
• sailing with open loading doors an identified issue (five instances reported to management since 1983)
• routine failure to comply with legal requirements (identified in 1983)
• routine operation in unknown stability conditions (identified in 1983)
• routine overloading
![Page 30: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/30.jpg)
![Page 31: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/31.jpg)
Excessive passengers
carried• two instances reported in 1982
• instances reported in 1983 and 1984
• five instances reported in 1986
more passengers carried than permitted
(loading limit)
more passengers carried than life-saving
appliances
![Page 32: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/32.jpg)
• dominating production imperative
• misperception of hazard (wilful or
otherwise)
• refusal to respond to clear indication
os unsafe conditions
• no defined safety responsibility
![Page 33: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/33.jpg)
![Page 34: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/34.jpg)
Loss of Space Shuttle
Challenger
![Page 35: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/35.jpg)
![Page 36: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/36.jpg)
![Page 37: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/37.jpg)
![Page 38: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/38.jpg)
![Page 39: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/39.jpg)
![Page 40: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/40.jpg)
![Page 41: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/41.jpg)
![Page 42: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/42.jpg)
• safety responsibility undefined/unassigned
• nature of hazard either not understood or
wilfully ignored
• no substantive response to O-ring erosion
• production imperative in overall
programme and in specific launch decision
![Page 43: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/43.jpg)
![Page 44: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/44.jpg)
Pickering Unit 2 pressure tube
failure, August 1983
![Page 45: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/45.jpg)
![Page 46: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/46.jpg)
![Page 47: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/47.jpg)
• failure to respond to operating
experience and/or misperception of
hazard
• dominating production imperative
![Page 48: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/48.jpg)
Two more quick ones
• Pickering Unit 2 SLOCA (1994)
• Fuel string relocation reactivity issue
(1962-present)
![Page 49: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/49.jpg)
Pickering SLOCA
• Pickering Unit 2 SLOC of 1994 Root
Cause Investigation did not identify
root cause (some information actively
concealed)
![Page 50: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/50.jpg)
RCI recommendations
• training to broaden awareness of safety issues
• breakdowns and failures in the analysis process
should be communicated to all nuclear safety
staff so everyone has the opportunity to learn
from the mistakes of the past
REPORT NEVER FORMALLY ISSUED
![Page 51: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/51.jpg)
Some other examples
• Brockley Whins collison (1870): “I find the company's management wholly to blame for this accident”
• Shipton derailment (1874) 34 dead• Aberfan landslide (1966) 144 dead (116
children)• Flixborough explosion (1974) 28 dead• Hinton (Alta) rail collision February 1986: 23
dead• Kings Cross fire November 1987: 31 dead• Ocean Ranger oil rig sinking (1982) 84 dead• Bhopal (1984) >3000 dead
![Page 52: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/52.jpg)
• Piper Alpha oil rig fire July 1988: 167 dead
• Clapham Junction rail collision (1988) 35 dead
• Westray mine explosion May 1992: 26 dead
• Ladbroke Grove rail collision (1991) 31 dead
• Columbia STS breakup on re-entry (2003) 7 dead
![Page 53: Mac Lecture](https://reader036.vdocuments.site/reader036/viewer/2022062320/55b535c4bb61eb28258b4782/html5/thumbnails/53.jpg)
• Crash of RAF Nimrod XV230,
Afghanistan, (14 dead) 2006
• Sayano-Shushenskaya (Khakassia)
dam turbine failure (75 dead), 2009