Case Studies
Summaries of some major industrial accidents
Deepwater Horizon/Macondo:-
- (A former employee of Cameron International – who designed and made the BOP – has described this as an ‘excellent article’.)
- Summary of the findings from the final BOEMRE report (September 2011).
- In addition there are the summary findings of the Dec 2011 US Academy of Engineering report on lessons for improving offshore safety. (Note: BOEMRE was renamed the Bureau of Safety and Environmental Enforcement, BSEE, in 2012.)
- This article from Offshore magazine (Dec 2016) summarises the new US offshore drilling regulations and their effects on the offshore O&G industry
- Despite the major differences between the 2005 BP Texas City accident and Deepwater Horizon, there was always a suspicion that there had to be some sort of corporate common cause between the two events. This has now been identified in the CSB’s report volume 3, published 2016. The relevant extract shows that the process safety lessons learned as a result of Texas City had not been applied to the Macondo/Deepwater Horizon project.
Fukushima:-
- 6MB conference presentation on Fukushima and its consequences (November 2011)
- Journal article Fukushima and its consequences (Nuclear Future, April 2012)
- Journal article Emergency Planning after Fukushima (Nuclear Future, April 2012)
- A one-page summary of key lessons from Fukushima
Ammonium Nitrate accidents:-
- An overview of three major accidents (Oppau 1921, Texas City 1947, Toulouse 2001) is available here.
- A list of ammonium nitrate accidents (as comprehensive as I can manage) is given here. The appalling Beirut explosion of 4 August 2020 is the latest example – probably hundreds dead from 2700 tonnes of ammonium nitrate.
The Kyshtym accident, Chelyabinsk:-
Some case studies of digital C&I systems failures
Some of these were tragic; the others were just expensive. Item 8 (Torness’s fuel route) consumed about 4 years of my life.
I have included several aviation accidents and incidents here; modern civil aircraft have completely digital control systems and HMIs, and the complexity of these systems and the number of aircraft in service mean that there is now a body of case studies to which other industries should pay attention.
A general lesson here is that Complexity in design is the enemy of safety.
- Pipe handling control system failure
- Paperless chart recorder failure
- Uljin 3 common-cause software error
- Kashiwazaki–Kariwa NPP IC failure due to electromigration
- Boeing 757 crash Feb 1996 (extract from IET journal)
- Airbus crash AF447 over mid-Atlantic June 2009
- Common-mode failure of high-integrity C&I systems
- Torness NPP fuel route protection systems (Journal paper)
- Boeing 737 crash Feb 2009: An example of a latent specification error, compounded by poor response to fault reporting and pilot error
- Airbus A330 incident 2008: A control system fault that led to a sudden pitch-down when at cruising height, injuring 119 passengers and crew. This accident was an interesting example of a latent, subtle, dangerous failure in a high-integrity software system that had been developed to high standards. The accident was caused by a Single Event Upset (SEU) fault in an Inertial Reference Unit, compounded by architectural weaknesses and a latent software specification error that allowed the single SEU fault to affect multiple channels.
- Boeing 767 crash May 1991: Control system fault leading to thrust reverser operation caused a fatal crash.
- Airbus A340 fuel starvation incident 2005: Hardware faults, specification issues and HMI issues led to a near-miss when two engines lost power.
- Cyber security incidents affecting nuclear power plants: Summary details of three incidents affecting nuclear plants (pre-Stuxnet)
- Automobile recalls for software faults: There have now been a number of very expensive recalls for safety-related software faults in automobiles. This presents summary details of three examples.
- An interesting list of major non-safety commercial and industrial software failures during 2011 was presented at www.businesscomputingworld.co.uk/top-10-software-failures-of-2011/
- A more recent list of major software failures for 2017 can be found at https://www.worksoft.com/top-software-failures-of-2017-so-far. Also see https://www.computerworlduk.com/galleries/infrastructure/top-software-failures-recent-history-3599618/
- After the Air France A330 crash in the mid-Atlantic in 2009 (see above), many (including me) thought it was such a strange accident that nothing like this would happen again. In December 2014, a similar accident happened to an AirAsia Airbus A320. The causes are similar: high altitude stall, while under ‘Alternate law’ control (i.e. with reduced in-built protection). As with the Air France accident five years previously, the aircrew had not received training in recovery from high altitude stalls. It appears there are still serious issues to be addressed regarding Airbus HMI design and aircrew training.
- The two Boeing 737 Max8 crashes in 2018/2019 were Lion Air 610 (189 dead, 29 October 2018) and Ethiopian 302 (157 dead, 10 March 2019). There were a number of common issues:
  1. The Max8 was a major redesign (new, relocated engines, new control systems) yet pilot training was inadequate.
  2. The Max8 was a response to the market challenge posed by the Airbus A320neo.
  3. The Max8 had a new control system (MCAS) which could automatically initiate nose-down trim changes.
  4. There was a single-component (Angle of Attack indicator) dangerous failure mode in the MCAS.
  5. The FAA had delegated its independent safety oversight role to designated Boeing employees.
  Boeing has very large costs arising from these accidents (Max8 potential cancellations, Max8 groundings, legal challenges) and airlines are struggling with the costs of grounded aircraft (on top of the lost revenue from the 2020 Covid pandemic). The September 2020 House Committee on Transportation and Infrastructure report “The Design Development and Certification of the Boeing 737 Max” is available at https://transportation.house.gov/committee-activity/boeing-737-max-investigation. Here is my 2021 presentation “The Boeing 737 Max accidents: Bad design, failed regulation and deceitfulness”.
- Although not safety-related, the UK Post Office/Fujitsu Horizon scandal is a clear example of the importance of retaining and maintaining knowledge within organisations about how their software-based management systems actually work. This may seem obvious, but I suspect there will be more events like this shameful scandal which has led to the wrongful conviction of hundreds of UK sub-postmasters from the period 2001 to 2015.
Personal near-misses
Each of the following relates to safety anomalies or near-misses that I have witnessed. None led to injuries or accidents. One or two are actually quite funny, I think, but some others were potentially serious.
For some, I have not named the exact place or people involved.
- Oil shore terminal deluge systems
- Nuclear power station – inspection of the storage tank in a pit
- Nuclear power station loss of electricity grid during severe storm
- Helicopter safety briefing, Indian Ocean
- Oil shore terminal permit to work arrangements
- Discussion with refinery senior management about hydrocarbon release response
- Fabrication of separator vessels, land-based oil field, Central Asia
Some good links
Many books and reports have reviewed and summarised the key points from major industrial accidents. One good source is https://www.fabig.com/industrial-accidents/ which gives concise summaries of many accidents including Flixborough, Seveso, Mexico City, Bhopal, Piper Alpha, Texas City, Buncefield, Deepwater Horizon, etc.
High-integrity C&I systems and new (or emerging) technologies are difficult bedfellows – to ensure high integrity, tried-and-tested technologies are preferable. This makes the adoption of new or emerging technologies a tricky area. One recent report that carries out an excellent review of the state of the art is http://www.nrc.gov/reading-rm/doc-collections/nuregs/contract/cr6992/ which is a report produced for the US Nuclear Regulatory Commission in 2009 by Oak Ridge National Laboratory.
An excellent low-priced beginners’ guide to Field Programmable Gate Arrays (FPGAs) is given in “FPGAs – Instant Access” by Clive Maxfield, which is available on Amazon at http://www.amazon.co.uk/FPGAs-Instant-Access-Newnes-Series/dp/0750689749/ref=sr_1_2?ie=UTF8&qid=1340610757&sr=8-2
A fascinating report called APT1, into Chinese cyber-attacks on Western companies, is available at https://www.fireeye.com/. FireEye (previously Mandiant) identified the Chinese organisation (dubbed APT1 – Advanced Persistent Threat 1) as responsible for many organised cyber-attacks which have systematically stolen data from major corporations. FireEye has subsequently identified at least 16 other such threats from China, North Korea, Iran and elsewhere.
The Oil & Gas UK website contains some excellent information. They have recently made a lot of reports available free to download as pdfs. Go to www.oilandgasuk.co.uk. The information available includes annual reports on the economic state of the industry, and its health and safety record.
The History of Technology and Safety
This section presents a series of essays about ‘how we have learned to control technology’.
I would greatly welcome any feedback from website visitors – please use the ‘contact’ page.
- Learning from Ignorance is an essay about the development of pressure vessel integrity since the 19th century. Basically, the design and construction of pressure vessels were a long way ahead of the underpinning scientific understanding of metal failure – and there were many serious accidents before the gap between science and engineering was closed.
- The Second Industrial Revolution presents a very brief history of computer development and discusses some of the safety issues raised by computers.
- The Chernobyl Accident – A Retrospective presents a personal view of the April 1986 accident, its causes and consequences, and the difficulties of managing safety in a totalitarian regime.
- Situation Awareness and the Human-Machine Interface discusses three commercial aircraft crashes where the crew lost situational awareness. In each case, misleading information from the aircraft’s digital systems confused the pilots in the few minutes they had to make key decisions.
- Human Behaviour in a Crisis – The Saudia 163 Accident, 1980 describes the horrific accident at Riyadh airport when 301 passengers and crew died on the runway after their Lockheed L-1011 Tristar airliner had completed an emergency landing due to an onboard fire. The official report, published by the Saudi government in 1982 with technical support from Lockheed, put almost all the blame on the captain while failing to give an adequate explanation of what went wrong. My report (published in 2013) summarised some of the questions surrounding the official Saudi government report. After publishing this I was approached by someone who had been close to a member of the accident investigation team, and who was able to supply technical information from the accident investigation. This new information explains many of the significant gaps in the official report. I have now (December 2020) revised and greatly enlarged my account “New insights into the Saudia 163 Accident”. This explains how the captain was unable to stop the aircraft quickly because of hydraulic problems, and how the flight engineer shut the fuselage ventilation valves on landing, which led to a build-up of toxic fumes and also kept the aircraft pressurised so passengers were unable to evacuate.
- The Piper Alpha accident in 1988 caused a complete re-baselining of safety management in the North Sea oil and gas industry. The report by Lord Cullen was a model of its kind. This note describes some of the human failings that caused the initial accident and the poor emergency response.
- Refineries and three accident case studies present a brief overview of refineries and their accident record, followed by three accident case studies: (i) A pipeline rupture and fire in Washington State, USA, on 10th June 1999, (ii) An accident at the coking plant of the Anacortes refinery, Puget Sound, Washington State, USA, on 10th June 1999, and (iii) The BP Texas City refinery fire and explosion on 23rd March 2005. A presentation about the Anacortes refinery coking plant accident, given at the REFCOMM 2020 virtual conference, can be read here.
- The Management of Ageing Combat Aircraft – the Nimrod Story presents a summary of the findings of the Haddon-Cave report into the Nimrod accident in Afghanistan in 2006 and some thoughts on the role of safety analysis.
- Nuclear research in Germany 1938-1945 is a journal paper published in 1985, about the inconsistency between Werner Heisenberg’s and David Irving’s accounts regarding what the German nuclear programme during the war was trying to achieve – a reactor or a bomb? Since I wrote this article, various other accounts have been written, e.g. Thomas Powers’ ‘Heisenberg’s War: The secret history of the German bomb’ (Penguin 1994) and David Cassidy’s ‘Uncertainty – The life and science of Werner Heisenberg’ (Freeman 1992), which have developed this story in much more detail. This topic is a fascinating footnote to the Second World War. In 2014, I was going to deliver a presentation on this topic to the Nuclear Institute but they decided the topic was too controversial, which was surprising – the only real controversy is about scientific ethics and honesty. I decided to finish the presentation anyway – here it is – it is much too big to have been a single lecture, but I hope this is an interesting summary of the work of various writers who have researched this fascinating topic. In 2020, I finally got round to writing my version of this piece of history for publication – German Wartime Nuclear Research and the ‘Heisenberg Myth’ – A Review.
- A great article on the dilemmas facing engineers when dealing with safety issues was presented in The New Yorker magazine, May 2015. It is a piece about auto recalls for safety defects, and how the debate about whether or not to recall can be overtaken by emotional arguments. In particular, it refers to the case of the Ford Pinto from the 1970s and 80s. A good read. www.newyorker.com/magazine/2015/05/04/the-engineers-lament
- Nuclear energy in spaceflight is (or will be) used in three ways – radiothermal generators (RTGs) using the heat of radioactive decay, nuclear reactors using nuclear fission, and nuclear rocket motors using high-temperature nuclear reactors to heat hydrogen propellant. This 2021 article “Nuclear power in space – past, present and future” reviews experience and looks at what is ahead.
- The US spent over $1 billion in the 1950s pursuing nuclear-powered jet engines, before the work was cancelled in the early 1960s. The USSR did some similar work at that time. The difficulties of nuclear powered jet engines were overwhelming – these included the weight of shielding required, atmospheric activation products, and accident risk. Nevertheless, in 2018 Russia announced it was developing Burevestnik, an unmanned nuclear-powered cruise missile. This article (published 2021 in Nuclear Future) reviews the history of this folly.
- In radiological protection and the design of nuclear power plants, ‘Linear No Threshold’ has been the basis since the 1940s. This means that even very small radiation doses are presumed to increase the risk of cancer, although this is impossible to confirm experimentally because of cancers caused by other causes (or indeed none), so there is a consequent low ‘signal-to-noise’ ratio in any attempts to measure the effects of low-level radiation. In particular, natural DNA repair mechanisms have been discovered which give a theoretical basis for introducing a threshold below which no harm from radiation occurs. The presentation ‘Linear No Threshold to be reconsidered’ summarises the argument. It is likely to be several years before any change to radiation limits will be formally proposed by the International Commission on Radiological Protection (ICRP) and then accepted by nuclear safety regulators.
- Pakistan has developed its own nuclear weapon arsenal beginning in the 1970s, and exported the technology to Iran and North Korea, and attempted to export technology to Libya and (probably) Iraq. This 2023 article, Pakistan, nuclear weapons, and proliferation, reviews a variety of published sources to provide a summary of how a country that is only the 140th richest country in the world (on a GDP per capita basis) was able to do this, despite international efforts at regulating access to such technology.
- Hanford in the 1940s was the world’s first plutonium separation plant, which provided the plutonium for the US nuclear arsenal, including the Hiroshima and Nagasaki weapons. The plant was built at astonishing speed, using chemical data that were measured from microscopic quantities. Conservative decision-making meant the ‘plutonium route’ for atomic weapons was achieved before the notionally easier ‘uranium route’ – the Trinity test explosion in July 1945 was a plutonium device. The Hanford plant at first produced significant radioactive discharges which were reduced as plant improvements were carried out.
Climate Change
I completed a Master’s degree in Earth Science in 2019 (The Open University). My motivation was that, having spent my career in energy industries, I was keen to understand thoroughly the science of the prediction of future climates, since fossil fuel combustion is causing long-term change. This involves an understanding of geology (where the evidence of past climate change comes from) as well as studying the Earth as an engineering system – its atmosphere, its oceans, tectonics, and changes to solar radiant energy.
My MSc thesis was a fascinating piece of work to emulate monsoon rainfall in India and SE Asia over the last 30 My. This was based on an idea from my amazing supervisor Phil Holden. My MSc thesis is here, and a paper published in Nature Communications in June 2021 is here, with supplementary information here. (For beginners, I would suggest starting with my MSc thesis. Papers for Nature can be very densely written! For an even more straightforward summary of the work, see this 20-page PowerPoint presentation.)
The UK seems likely to be affected less than some other parts of the planet, at least in the next century or so. We may get wetter, but not much warmer. A major impact of climate change in the UK and elsewhere will be the rising sea level. Again, not a lot will happen in the next century or so, but thereafter coastal cities and low-lying farmland will be badly affected. This presentation gives an overview of the uncertainties in the predictions of future global mean sea level (GMSL).
Another reason for my interest in climate change is that we own a small holiday house on the beautiful sea-loch (i.e. fjord) of Loch Goil in Argyll, Scotland; our house is only a short distance from the sea. Loch Goil has been carved from bedrock by the action of glaciers during the last glaciation. A short presentation, written for the local online newspaper, on the Ice Age landscape of Loch Goil is presented here.
Here is a 2019 article published by the Nuclear Institute, “Climate Change and Energy Supply”, which tries to highlight the gap between aspiration and reality for ‘net-zero’ carbon emissions by 2050 – and the consequences if we fail.
A further article “Keeping UK lights on during the transition to net zero” was published in 2022. This article explores the difficulties in getting renewable energy sources to produce adequate supplies reliably and to cope with increasing demand from an all-electric, carbon-free economy. It concludes that nuclear power is essential for a reliable grid supply.