System Safety Case Study: The Loss of the USS Thresher V1.1
Matthew Squair
UNSW@Canberra
12 March 2015
1 Matthew Squair The Loss of the USS Thresher V1.1
Except for images whose sources are specifically identified, this copyright work is licensed under a Creative Commons Attribution-Noncommercial, No-derivatives 4.0 International licence.
To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/
Introduction
On the 10 Apr 1963 the USS Thresher was lost with all hands off the coast of Cape Cod during sea trials
129 ship and dockyard staff were lost
Various theories have been advanced, but unfortunately we don’t know with absolute certainty what happened (flooding? plane jam? open sea valve? reactor crew error?)
The following case study is based on what is considered to be the most likely accident scenarios
Nuclear submarine design and safety
Submarine safety goals
prevent uncontrolled flooding
recover from a loss of depth control hazard
...and Reactor safety goals
Ensure a reactor casualty does not occur
Ensure defence in depth to recover from such a casualty
Thresher was a new and complex build (bow sonar, stealth features) designed to meet two sets of standards
Designers focused on nuclear systems and their safety (Rickover effect)
Thresher design and construction
Launched ’60, commissioned ’61, still recovering from shock trials
Much more piping, more small bore (< 4”) requiring brazing
Two standards for silver brazing (if access tight use hand)
Traditional QC via hydro tests inadequate
USN specified ultrasonic tests of brazed joints (not enforced)
MBT reducing valves did not meet spec.
Strainer added upstream to protect red. valve by manufacturer
Design requirements for HP system not enforced
System design of MBT was ’flawed’ for emergency blow
Early reactors would SCRAM unexpectedly, difficult to start
Manual SCRAM introduces human error possibility
Emergency versus ballast blow
The accident and causes
Accident event sequence (most likely)
Most likely scenario
1 High pressure leak (or open sea valve) in engine room
2 Water short-circuits vital electrical equipment
3 Short circuit or human error causes a reactor SCRAM
4 Submarine loses primary propulsion
5 Emergency propulsion is insufficient to drive up
6 Moisture in ballast air causes icing in ballast line strainers
7 Loss of ballast blow
Possibility of an uncontrolled dive due to a reactor SCRAM event (this actually occurred to a US sub several years later)
Fault tree model of Thresher causal factors
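The fault tree itself is an image that did not survive extraction. As an added illustration, not part of Squair's slides, the following Python models the "most likely" event sequence above as a small fault tree and computes its minimal cut sets. The gate structure (the boat is lost when it can neither drive up nor blow ballast) and the basic-event names are my assumptions chosen to mirror the numbered steps on the slide.

```python
# Added example (not part of Squair's slides): a small fault-tree evaluator
# whose gate structure and basic-event names are my assumptions, built to
# mirror the slide's "most likely" event sequence.
from itertools import product

# Basic events (assumed names) mirroring the event sequence on the slide.
BASIC_EVENTS = [
    "hp_leak",                  # 1: high pressure leak / open sea valve in engine room
    "short_circuit",            # 2: water short-circuits vital electrical equipment
    "operator_error",           # 3: manual SCRAM by human error
    "emerg_prop_insufficient",  # 5: emergency propulsion cannot drive the boat up
    "moist_air",                # 6: moisture in the ballast air banks
    "strainer_fitted",          # 6: strainer upstream of the reducing valve (ices up)
]

# Gate nodes are (GATE, [children]); leaves are basic-event names.
# Assumed structure: the boat is lost when it can neither drive up
# (loss of propulsion) nor blow ballast (loss of emergency blow).
TREE = ("AND", [
    ("AND", [                                   # loss of depth control by propulsion
        ("OR", [                                # reactor SCRAM
            ("AND", ["hp_leak", "short_circuit"]),
            "operator_error",
        ]),
        "emerg_prop_insufficient",
    ]),
    ("AND", ["moist_air", "strainer_fitted"]),  # loss of ballast blow (icing)
])


def evaluate(node, state):
    """True if the event at `node` occurs for the given basic-event truth values."""
    if isinstance(node, str):
        return bool(state.get(node, False))
    gate, children = node
    results = [evaluate(child, state) for child in children]
    if gate == "AND":
        return all(results)
    if gate == "OR":
        return any(results)
    raise ValueError(f"unknown gate {gate!r}")


def cut_sets(node):
    """Every set of basic events sufficient for `node` (not yet minimised)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        return set().union(*child_sets)
    if gate == "AND":
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Keep only cut sets that contain no smaller cut set."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def single_point_failures(node):
    """Basic events that alone cause the top event (none, in this model)."""
    return {next(iter(s)) for s in minimal_cut_sets(node) if len(s) == 1}


def top_event_possible(node, eliminated):
    """Can the top event still occur once `eliminated` events are designed out?"""
    eliminated = set(eliminated)
    return any(not (s & eliminated) for s in minimal_cut_sets(node))


if __name__ == "__main__":
    for cut in sorted(minimal_cut_sets(TREE), key=sorted):
        print("minimal cut set:", sorted(cut))
    print("single point failures:", single_point_failures(TREE))
    print("possible after removing strainer:", top_event_possible(TREE, {"strainer_fitted"}))
```

Under these assumptions the model has two minimal cut sets, one through the flooding-induced short circuit and one through a manual SCRAM, both of which also need the ballast-blow branch. `top_event_possible` shows why the USN's responses on the blow side (dry air banks, no icing strainer) cut every path at once, whereas removing only the short-circuit event leaves the human-error path open.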
Root causes
1 Diffuse responsibility for decisions
2 Lack of safety staff independence & authority
3 Personnel turnover (CO, XO, Chief superintendent) in refit
4 Superficial QC, corrective action, compliance enforcement etc
5 Ineffective risk controls, strainer was a ’patch’ fix
6 Failure to eliminate basic design flaws (E/MBT piping)
7 Failure to evaluate changes (Reactor SCRAM, stealth, size)
8 Poor information recording, collecting & use
9 Poor test program, no type tests of MBT/EBT
USN response
A mix of specific and more strategic actions
Specific (tactical)
Eliminate brazing QC defects (today 60% u/s test rate)
Minimise emergency ballast failure rate
Eliminate moisture from air banks
Centrally controlled hull valve closure system
Centrally controlled emergency blow ’chicken switch’
Emergency rescue capability
Strategic - Establishes the SUBSAFE program
A step change in safety culture for the USN; since the Thresher the USN has not lost another submarine to flooding
USN SYSCOM organisation chart circa 2002
NAVSEA safety management responsibilities
Technical lessons
What the USN did not realise at the time was that there was a conflict between the safety objectives of the reactor and those of the submarine
Reactor - In an emergency SCRAM and black out
Boat - In a flooding emergency keep power on to drive up
That conflict in turn became one of the causal factors for the most likely mishap scenario
Harmonising safety objectives
One of the objectives of a system safety program is to ensure that competing safety objectives do not conflict and that one control does not negate another
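As an added worked example (not part of Squair's slides), the Python below encodes the reactor and boat objectives as required states of shared resources, triggered by hazards, and searches every combination of co-occurring hazards for contradictory demands. The objective wording, the resource names and the causal link "flooding causes an electrical fault" are my assumptions modelled on the event sequence earlier in the deck; the general check (closure of co-occurring hazards, then a per-resource consistency test) applies to any set of objectives written in this form.

```python
# Added example (not part of Squair's slides): a checker that looks for
# safety objectives whose required control actions contradict each other
# when their triggering hazards occur together. Objective names, resource
# names and the hazard link are my assumptions, modelled on the slide.
from itertools import combinations

# Constructed objectives: each is triggered by a set of hazards and demands
# particular states of shared resources while active.
OBJECTIVES = [
    {"name": "reactor: SCRAM and black out on electrical fault",
     "triggers": {"electrical_fault"},
     "requires": {"electrical_power": "off"}},
    {"name": "boat: keep power on and drive up when flooding",
     "triggers": {"flooding"},
     "requires": {"electrical_power": "on", "planes": "rise"}},
    {"name": "boat: emergency blow when flooding",
     "triggers": {"flooding"},
     "requires": {"ballast_air": "blow"}},
]

# Assumed causal link from the event sequence: flooding shorts electrical
# equipment, so one hazard brings the other with it.
HAZARD_IMPLIES = {"flooding": {"electrical_fault"}}


def close_scenario(hazards, implies):
    """Add every hazard that the given hazards are known to cause (transitively)."""
    closed = set(hazards)
    frontier = list(closed)
    while frontier:
        hazard = frontier.pop()
        for caused in implies.get(hazard, ()):
            if caused not in closed:
                closed.add(caused)
                frontier.append(caused)
    return frozenset(closed)


def find_conflicts(objectives, hazards, implies):
    """Return (initiating hazards, resource, {objective: demanded state}) for each
    scenario in which two active objectives demand different states of a resource."""
    conflicts = []
    seen = set()
    hazards = sorted(hazards)
    for size in range(1, len(hazards) + 1):
        for combo in combinations(hazards, size):
            scenario = close_scenario(combo, implies)
            if scenario in seen:          # same closed scenario already checked
                continue
            seen.add(scenario)
            demands = {}
            for obj in objectives:
                if obj["triggers"] <= scenario:
                    for resource, state in obj["requires"].items():
                        demands.setdefault(resource, {})[obj["name"]] = state
            for resource, by_objective in demands.items():
                if len(set(by_objective.values())) > 1:
                    conflicts.append((frozenset(combo), resource, by_objective))
    return conflicts


def all_hazards(objectives, implies):
    """Every hazard named by an objective trigger or by the causal links."""
    found = set()
    for obj in objectives:
        found |= obj["triggers"]
    for cause, effects in implies.items():
        found.add(cause)
        found |= effects
    return found


if __name__ == "__main__":
    hazards = all_hazards(OBJECTIVES, HAZARD_IMPLIES)
    for initiating, resource, demands in find_conflicts(OBJECTIVES, hazards, HAZARD_IMPLIES):
        print(f"conflict on {resource!r} when {sorted(initiating)} occurs:")
        for name, state in demands.items():
            print(f"  {name} -> {state}")
```

With the causal link in place the checker reports that a flooding event on its own puts the reactor objective (power off) and the boat objective (power on) in direct contradiction over electrical power, which is the conflict the slide describes. Run without the link, the same contradiction only surfaces when both hazards are assumed to occur independently, which is one reason a safety program needs the hazard-to-hazard causal relationships recorded, not just the objectives.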