3. THE ORGANISATION (TOP LEVEL
MANAGEMENT) HAS MATERIAL
RESPONSIBILITIES FOR SAFETY
• Responsibilities first formally defined by HM
Railways Inspectorate (UK) in 1858
• Investigation of 1870 collision (Brockley Whins)
found management “wholly responsible”
4. Human error in the Boardroom
Management cock-ups in five flavours:
1. don’t understand hazard
2. production considerations dominate
3. don’t define/assign safety responsibility
4. ignore, or don’t learn from, experience
5. don’t maintain corporate memory
14. • duration of nuclear portion of accident:
2 ms
• total duration of accident:
2-4 s
• Period of interest:
August 1959-December 1960
(17 months or 90.6336 Ms)
15. SL-1 History
• August 1959: Significant design deficiencies
identified
• August 1960: Significant (hazardous) core
deterioration reported
• September 1960: SL-1 returned to service at higher
power level
• September-December 1960: severe deterioration
in CR performance
17. CR drive disassembly procedure
1. Secure special tool CRT No 1 on top of rack and raise
rod not more than 4 inches. Secure C-clamp to rack at
top of spring housing
2. Remove special tool CRT No 1 from rack and remove
slotted nut and washer
3. Secure special tool CRT No 1 to top of rack and
remove C-clamp, then lower control rod until the
gripper knob located at the upper end of element
makes contact with the core shroud
Assembly of the rod drive mechanism… are the reverse
of disassembly
20. Underlying failures
• safety responsibility undefined/unassigned
• hazard not clearly defined/understood
• no effective response to early indications of
design deficiency or core deterioration
• dominating production imperative
21. Dominating production imperative
It is clear, and many people have later said so, that the
reactor should have been shut down pending resolution
of the boron difficulties and the general deterioration of
control rod operation. In fact no one did so or even
brought the malfunctions to the attention of any
responsible safety group. In the climate that existed
before the accident, it is likely that if one man had
decided that the reactor should be shut down for safety
reasons he would have been ridiculed and would almost
certainly have had an unfriendly response since he
would have had to say some rather harsh things to
accomplish his purpose. [T J Thompson]
28. What happened?
• assistant bosun not at his station to close doors
• Officer of Watch did not remain at door station to supervise
• doors not visible from bridge (standing orders required Captain to
assume vessel in all respects ready for sea if no report to contrary)
• vessel trimmed by the head (~3 ft) for loading
• dynamic sinkage (at 18 kts) brought bow wave to ~ 6 ft above lower
edge of loading doors
• open vehicle deck flooded rapidly (initial 30° list to port in less than
1 min)
29. The environment
• Standing Orders inadequate, ambiguous and
unworkable (previously identified)
• strong management pressure for early departure
• sailing with open loading doors an identified
issue (five instances reported to management
since 1983)
• routine failure to comply with legal
requirements (identified in 1983)
• routine operation in unknown stability
conditions (identified in 1983)
• routine overloading
31. Excessive passengers carried
• two instances reported in 1982
• instances reported in 1983 and 1984
• five instances reported in 1986
more passengers carried than permitted
(loading limit)
more passengers carried than life-saving
appliances
32. • dominating production imperative
• misperception of hazard (wilful or
otherwise)
• refusal to respond to clear indication of
unsafe conditions
• no defined safety responsibility
42. • safety responsibility undefined/unassigned
• nature of hazard either not understood or
wilfully ignored
• no substantive response to O-ring erosion
• production imperative in overall
programme and in specific launch decision
47. • failure to respond to operating experience
and/or misperception of hazard
• dominating production imperative
48. Two more quick ones
• Pickering Unit 2 SLOCA (1994)
• Fuel string relocation reactivity issue (1962-
present)
49. Pickering SLOCA
• Pickering Unit 2 SLOCA of 1994 Root Cause
Investigation did not identify root cause
(some information actively concealed)
50. RCI recommendations
• training to broaden awareness of safety issues
• breakdowns and failures in the analysis process
should be communicated to all nuclear safety
staff so everyone has the opportunity to learn
from the mistakes of the past
REPORT NEVER FORMALLY ISSUED
51. Some other examples
• Brockley Whins collision (1870): “I find the
company's management wholly to blame for this
accident”
• Shipton derailment (1874) 34 dead
• Aberfan landslide (1966) 144 dead (116 children)
• Flixborough explosion (1974) 28 dead
• Hinton (Alta) rail collision February 1986: 23 dead
• Kings Cross fire November 1987: 31 dead
• Ocean Ranger oil rig sinking (1982) 84 dead
• Bhopal (1984) >3000 dead
52. • Piper Alpha oil rig fire July 1988: 167 dead
• Clapham Junction rail collision (1988) 35
dead
• Westray mine explosion May 1992: 26
dead
• Ladbroke Grove rail collision (1991) 31
dead
• Columbia STS breakup on re-entry (2003)
7 dead
53. • Crash of RAF Nimrod XV230,
Afghanistan, (14 dead) 2006
• Sayano-Shushenskaya (Khakassia) dam
turbine failure (75 dead), 2009