PPT – PowerPoint presentation | free to download

About This Presentation

Title:

Description:

CAUSES traditionally component failure and operator error frequently these turn out to be effects rather than causes better regarded as ... – PowerPoint PPT presentation

Number of Views:2

Avg rating:3.0/5.0

Slides: 83

Provided by: DavidM222

more less

Transcript and Presenter's Notes

Title:

1
CAUSES

traditionally component failure and operator
error
frequently these turn out to be effects rather
than causes
better regarded as initiating events
Three Mile Island a classic example

2
CAUSES

human action or inaction (management decisions)?
usually remote in location, time and corporate
hierarchy from the human-machine interface
may not be recognised or acknowledged as
safety-related

THE ORGANISATION (TOP LEVEL MANAGEMENT) HAS
MATERIAL RESPONSIBILITIES FOR SAFETY
Responsibilities first formally defined by HM
Railways Inspectorate (UK) in 1858
Investigation of 1870 collision (Brockley Whins)
found management wholly responsible

we spend enormous amounts of time and effort on
ensuring materials and components will perform
properly
we spend similar amounts writing procedures,
training operators and monitoring their
performance
we spend similar amounts on ensuring engineering
design is adequate
how much attention is paid to management
performance?

5
Human error in the Boardroom

Management cock-ups in five flavours
1. dont understand hazard
2. production considerations dominate
3. dont define/assign safety responsibility
4 ignore, or dont learn from, experience
5 dont maintain corporate memory

6
1 Misperception of hazard

specific vulnerabilities of technology not
appreciated or wilfully ignored
technical safety envelope not understood
Can occur anywhere in management chain, but most
frequently at senior levels

7
2 Dominant Production Imperative

production considerations override safety
potential economic loss of accidents discounted
or ignored
resources not applied to maintain or improve
safety

8
3 Safety responsibility undefined

responsibility/authority for safety inadequately
defined, assigned or discharged
safety responsibility/authority does not run in
unbroken chain to most senior level
senior management must be in control of all
safety design and operating decisions throughout
the life of the plant (Brown Meneley, 1983)?

9
4 Failure to learn from experience

failure to recognise, acknowledge or respond
effectively to an unsatisfactory or deteriorating
safety situation
failure to analyse, interpret or apply operating
experience
wilful disregard of operating experience

10
5 Corporate amnesia

failure to maintain required levels of
technical/intellectual resources
failure to formalise compilation, analysis and
recording of operating experience (discounting
historical experience)?
closely related to 4 most likely results from
1 and 2

SL-1 reactivity insertion accident (1961)?
Herald of Free Enterprise capsize (1987)?
Challenger explosion (1986)?
Pickering pressure tube failure (1983)?
Pickering SLOCA (1994)?
Fuel string relocation issue (1962-present)?

12
SL-1

National Reactor Testing Station, Idaho Falls

13
SL-1

stationary low-power reactor for remote military
installations (air transportable)?
3 MWth direct cycle BWR designed by Argonne
National Laboratory
started up August 1958 at National Reactor
Testing Station, Idaho Falls
concept demonstration and training, managed by
Combustion Engineering
operated by military personnel under training

14
SL-1
15
SL-1 design features

fuel 91 percent U-235 metal
core structural materials aluminium-nickel alloy
(first use in reactor)?
burnable poison strips tack welded to fuel
assemblies
withdrawal of central control rod sufficient to
bring reactor critical (rod provided with 19 in
follower to preclude its dropping out of core)?
only core access via CR nozzles, which required
dismantling of CR drives and removal of shield
plugs

16
(No Transcript)
17
(No Transcript)
18
(No Transcript)
19
(No Transcript)
20
(No Transcript)
21

duration of nuclear portion of accident
2 ms
total duration of accident
2-4 s
Period of interest
August 1959-December 1960
(17 months or 90.6336 Ms)?

22
SL-1 History

August 1959 Significant design deficiencies
identified
August 1960 Significant (hazardous) core
deterioration reported
September 1960 SL-1 returned to service at
higher power level
September-December 1960 severe deterioration in
CR performance

23
SL-1 August 1959

distortion of poison strips noted in August 1959
CE recommends
stainless steel should be used as core material
(including fuel cladding)?
reactor should have adequate shutdown margin with
any one control rod removed
control rod drive mechanisms should be redesigned
recommendations accepted by AEC-- new core to be
available by spring 1961
SL-1 operations continue

24
SL-1 August 1960

Severe core deterioration reported
pieces of boron strip missing
core inspection curtailed because of safety
concerns
14.3 in central CR withdrawal sufficient to
achieve criticality
inspection report concluded rate of loss of
boron has been constant shutdown margin will
continue to decrease, thus requiring remedial
action
inspection results reported in Nucleonics

25
SL-1 September-December 1960

cadmium strips added to increase shutdown margin
reactor returned to power at 4.7 MWth
significant deterioration in CR performance (33
cases of sticking rods in November-December)?
rod performance not reported-- not regarded as
malfunction
SL-1 shutdown 23 December
flux measuring wires installed 3 January 1961

26
3 January 1961

1600-midnight shift to re-assemble CR drives and
prepare reactor for start up
three operators on duty
re-assembly of CR drives included movement of CR

27
CR drives and core access

access to core via CR drive nozzles required
disconnection of rod drives
manual raising of control rod for disconnection
of stop washer, then lowering rod again
disassembly and removal of drive gear
removal of shield plug

28
(No Transcript)
29
CR drive disassembly procedure

secure special tool CRT No 1 on top of rack and
raise rod not more than 4 inches. Secure C-clamp
to rack at top of spring housing
Remove special tool CRT No 1 from rack and remove
slotted nut and washer
Secure special tool CRT No 1 to top of rack and
remove C-clamp, then lower control rod until the
gripper knob located at the upper end of element
makes contact with the core shroud
Assembly of the rod drive mechanism are the
reverse of disassembly

30
(No Transcript)
31
SL-1 sequence 2100

central CR raised to 20 in reactivity insertion
24 mk
power peak 20,000 MWth
2 ms nuclear energy release ends
34 ms water strikes vessel head loose shield
plugs ejected vessel begins to rise
160 ms operator impaled to ceiling
800 ms vessel hits ceiling
2000-4000 ms vessel back in place

32
Underlying failures

safety responsibility undefined/unassigned
hazard not clearly defined/understood
no effective response to early indications of
design deficiency or core deterioration
dominating production imperative

33
Safety responsibility/authority undefined

Multiplicity of responsible organisations
Argonne National Laboratories
Combustion Engineering
AEC Chicago Operations
AEC Idaho Operations
AEC Military Reactors Division
AEC Army Reactors Office (Washington)?
No single continuously assigned safety authority

34
Misperception of hazard

C/R drive maintenance procedures ignored
criticality implications of control rod movement
control rod sticking not considered a
malfunction and not reported

35
Failure to respond

core design/materials established (and
acknowledged) to be unsatisfactory but no
revision of operating regime
serious core deterioration (with criticality
implications) prompted no operational changes or
procedural revisions

36
Dominating production imperative

It is clear, and many people have later said so,
that the reactor should have been shut down
pending resolution of the boron difficulties and
the general deterioration of control rod
operation. In fact no one did so or even brought
the malfunctions to the attention of any
responsible safety group. In the climate that
existed before the accident, it is likely that if
one man had decided that the reactor should be
shut down for safety reasons he would have been
ridiculed and would almost certainly have had an
unfriendly response since he would have had to
say some rather harsh things to accomplish his
purpose. T J Thompson

Cross-channel ferry
Herald of Free Enterprise
Zeebrugge, 1987

38
Herald of Free Enterprise

Ro-Ro ferry capsized in about three minutes on 87
03 06 after leaving Zeebrugge with bow loading
doors open
188 deaths
greatest British peacetime maritime loss since
RMS Titanic

39
Standing Orders

required OOW to be on the bridge 15 min before
sailing time
required loading officer (who was also the OOW)
to supervise door closing
1982 memo from senior Captain identifying
inconsistency It is impractical for the O.O.W.
(either the Chief or Second Officer) to be on the
Bridge 15 minutes before sailing time. Both are
fully committed to loading the ship.
no action taken

40
Schedule pressure

Intense pressure on officers for early departure
every effort has to be made to sail the ship 15
minutes earlier... put pressure on the first
officer if you dont think he is moving fast
enough August 1986 memo from Operations Manager

41
Precursors

instances of vessels sailing with open doors
reported in 1983 and 1984
Captains suggest installation of indicator lights
suggestion rejected by Board of Directors

by the autumn of 1986 the shore staff of the
Company were well aware of the possibility that
one of their ships would sail with her stern or
bow doors open. They were also aware of a very
sensible and simple device in the form of
indicator lights which had been suggested by
responsible Masters

43
Legal requirements not met

excessive passenger numbers carried (masters not
informed of passenger complement and discouraged
from checking)?
masters not informed of load
draught marks could not be read-- fictitious
numbers recorded (requests for draught indicators
refused)?
vessels frequently sailed in unknown stability
conditions, significantly trimmed by the head

vessels are required to have on board sufficient
life-saving equipment for all passengers and crew
1971 Merchant Shipping Act requires that master
be aware of passenger complement and cargo load,
and that the draught marks (ship's trim) be
recorded in the log

45
Excessive passengers carried

two instances reported in 1982
instances reported in 1983 and 1984
five instances reported in 1986
more passengers carried than permitted (loading
limit)?
more passengers carried than life-saving
appliances

46
Excessive passengers carried

1982-86 repeated written complaints from seven
masters to shore management about excessive
passenger complement
passenger manifests falsified-- at first the
director's answers were very evasive but
eventually he agreed that the figure given in the
manifest was a false figure
no remedial action-- ... was unwilling to accept
the figures given to him by no less than seven
masters... the Court reluctantly concluded that
he made no proper or sincere effort to solve
the problem

dominating production imperative
misperception of hazard (wilful or otherwise)?
refusal to respond to clear indication os unsafe
conditions
no defined safety responsibility

48
Dominating production imperative

just about everywhere
indicator light proposal rejected (1985)?
high speed ballast pump proposal rejected
continual emphasis on fast turn-round put
pressure on the First Officer its fifteen
minutes early for us operations manager

49
Misperception of Hazard (1)?

no substantive response to loading door issue
routine overloading and excessive passenger
complement accepted/ignored/encouraged
trim issues ignored (stability very sensitive to
trim) an operational difficulty problem
grossly exaggerated
Marine Director appeared to think Herald was
designed to proceed at sea trimmed 1 m by the
head despite the fact he had no stability
information for the ship in that trim
routine violation of Merchant Shipping Act
accepted/ignored/encouraged

50
Misperception of Hazard (2)?

those charged with the management of the
Companys Ro-Ro fleet were not qualified to deal
with many nautical matters and were unwilling to
listen to their Masters, who were well-qualified
Wreck Commissioner

51
Failure to respond (1)

inconsistent Standing Orders (identified to
management in 1982)?
excessive passenger numbers carried (at least
seven examples formally reported 1982-1986)?
sailing with loading doors open
no investigation of draught gauges

52
Failure to respond (2)?

1982 Collision Investigation Report
ships draught not read before sailing
(policy)?
master not informed of passenger figures
(working practice)?
master not informed of tonnage of cargo (working
practice)?
full speed maintained in dense fog (policy)?

53
Undefined safety responsibility

no director responsible for safety
Board did not appreciate their responsibility
for the safe management of their ships
Court singularly unimpressed by Technical
Director and Operations Director-- thoroughly
unsatisfactory witnesses

Loss of Space Shuttle Challenger

55
STS Challenger

vehicle destroyed 86 01 28
combustion gas leak from aft field joint on
starboard SRB (678 ms after ignition)?
gas jet breached external tank at 66.46 s
shuttle destroyed at 76.3 s, altitude 46,000 ft,
speed M1.92

56
(No Transcript)
57
(No Transcript)
58
(No Transcript)
59
(No Transcript)
60
SRM joint design deficiency

identified in 1977 (hydrostatic testing)?
formally reported as unsatisfactory 1979
the clevis joint secondary O-ring seal has been
verified by tests to be unsatisfactory
redundancy of joint not verifiable, yet
classified 1R in 1980
reclassified 1 (ie non-redundant) in 1982

61
Flight history

second flight (Nov 1981) showed primary O-ring
erosion
12 of 15 shuttle flights (Feb 84-Jan 86) showed
blow-by/erosion
O-ring damage severity correlated with
temperature

safety responsibility undefined/unassigned
nature of hazard either not understood or
wilfully ignored
no substantive response to O-ring erosion
production imperative in overall programme and in
specific launch decision

63
Safety Responsibility Undefined

no single group with continuous direct safety
responsibility
upward reporting (Level III to Level II) of
flight safety issues stopped in 1983

64
Misperception of Hazard

little NASA experience with solid fuel rockets
confusion over redundancy of joint
O-ring erosion acceptable
remedial action none required Possibility
exists for some O-ring erosion on future flights
temperature sensitivity of O-ring ignored
reliability expectations 3 orders of magnitude
above reality (R P Feynman)?

65
Failure to respond

inadequacy of design clearly identified by 1979
O-ring distress/erosion occurred in majority of
flights (80 percent)?
O-ring erosion not recorded as flight anomaly and
not considered during flight readiness reviews

66
Dominating production imperative

selection of SRM design based on cost MTI was
least acceptable technically
ambitious flight schedule combined with staff
reductions
routine use of waivers to permit flight with
non-redundant field joint
concerns about low temperature launch over-ridden
(when do you want me to launch, Thiokol? In
July?)?
no SRQA representative involved in Challenger
launch decision

67
Pickering-2 PT failure

failure of Zircaloy PT G-16 on 1 August 1983--
leak rate 19 kg/s
unit shut down in controlled fashion
failure due to PT-CT contact occurring 2-5 years
after start up
early contact due to out of position spacer
unit 1 not shut down until 14 November
retubing programme for all 4 Pickering units

68
(No Transcript)
69

failure to respond to operating experience and/or
misperception of hazard
dominating production imperative

70
Failure to respond...

inspection programme 1979-82 suggested 30 percent
of P1 2 PT in contact with CT due to misplaced
garter springs
calculation of heat loss to moderator only
recorded response
OH Research strongly urged removal of Zr tube for
examination
focus on Zr-Nb?
early indications at WNRE in 1976?
PT sagging more or less as predicted? Bothwell

71
Production imperative

operators should have tripped reactor promptly
OH did not shut down Unit 1 for 3 ½ months

72
(No Transcript)
73
Two more quick ones

Pickering Unit 2 SLOCA (1994)?
Fuel string relocation reactivity issue
(1962-present)?

response to an accident (or event) can be very
revealing...
Pickering Unit 2 SLOC of 1994 Root Cause
Investigation did not identify root cause (some
information actively concealed)?
fuel string relocation issue consigned to
corporate memory hole

75
Pickering-2 SLOCA

10 December 1994
liquid relief valve fails open (diaphragm fails
due to thermal aging)?
bleed condenser relief valves open RV 5
chattered cracking inlet line 68 kg/s leak to
boiler room

76
RCI findings

diaphragm replacement frequency changed from 2
years to 10 years some time in the past
authority and bases for this change not recorded
lack of knowledge in the Canadian nuclear
industry about sensitivity of spring-loaded
relief valves (?!)?
two separate designers-- one specified valve
size, the other designed piping layout

77
Fuel string relocation

en masse fuel movement identified for one LOCA
scenario in March 1993
Bruce A and B derated to 60 percent
potential for fuel movement recognised since 1962
(NPD start up) yet reactivity effects never
defined as safety concern

78
RCI findings

lack of sufficient questioning attitude and
environment
insufficiently broad knowledge in individuals
ineffective communication of new information and
emerging issues
adequate scoping and review inhibited by time and
budget constraints

79
RCI recommends

training to broaden awareness of safety issues
breakdowns and failures in the analysis process
should be communicated to all nuclear safety
staff so everyone has the opportunity to learn
from the mistakes of the past
REPORT NEVER FORMALLY ISSUED

80
Some other examples

Brockley Whins collison (1870) I find the
company's management wholly to blame for this
accident
Shipton derailment (1874) 34 dead
Aberfan landslide (1966) 144 dead (116 children)?
Flixborough explosion (1974) 28 dead
Hinton (Alta) rail collision February 1986 23
dead
Kings Cross fire November 1987 31 dead
Ocean Ranger oil rig sinking (1982) 84 dead
Bhopal (1984) gt3000 dead