STPA: A New Technique for Hazard Analysis Traditional Accident Causation Model

STPA: A New Technique for Hazard Analysis
Nancy G. Leveson, MIT
© Copyright Nancy Leveson, Dec. 2008

It’s still hungry and I’ve been stuffing worms into it all day.

The Problem

The first step in solving any problem is to understand it. We often propose solutions to problems that we do not understand and then are surprised when the solutions fail to have the anticipated effect.

© Copyright Nancy Leveson, Aug. 2006

Some General Issues

Accident causes are often oversimplified:

The vessel Baltic Star, registered in Panama, ran aground at full speed on the shore of an island in the Stockholm waters on account of thick fog. One of the boilers had broken down, the steering system reacted only slowly, the compass was maladjusted, the captain had gone down into the ship to telephone, the lookout man on the bow took a coffee break, and the pilot had given an erroneous order in English to the sailor who was tending the rudder. The latter was hard of hearing and understood only Greek. (Le Monde)

Were there also larger organizational and economic factors?

General Issues (2)

Filtering and subjectivity in accident reports. “Root cause” seduction. Idea of a singular cause is satisfying to our desire for certainty and control. Leads to fixing symptoms. “Blame is the enemy of safety.” Oversimplification. Well-understood causes given more attention (component failure and operator error). Tend to look for linear cause-effect relationships and proximal events (rather than systemic factors).

Bhopal

Worst industrial accident in history. Conservative estimate of 2000-3000 killed, 10,000 permanent disabilities (including blindness), and 200,000 injured. Blamed by management on operator error. Union Carbide blamed on sabotage. MIC (methyl isocyanate) used in production of pesticides and polyurethanes (plastics, varnishes, and foams). Highly volatile, vapor heavier than air. A major hazard is contact with water, which results in large amounts of heat. Gas burns any moist part of body (throat, eyes, lungs).

Safety Features

UC specified requirements to reduce hazards. MIC was to be stored in underground tanks encased in concrete. Bhopal used three double-walled, stainless steel tanks, each with a capacity of 60 tons. Operating manual specified that tanks were never to contain more than half their maximum volume or a standby tank was to be available to which some of chemical could be transferred in case of trouble. Bhopal tanks were interconnected so that MIC in one tank could be bled into another tank. As specified in operating manual, tanks embedded in concrete.

Safety Features (cont.)

Several backup protection systems and lines of defense. Vent gas scrubber designed to neutralize any escaping gas with caustic soda. Scrubber was capable of neutralizing about 8 tons of MIC per hour at full capacity. Flare tower to burn off any escaping gas missed by scrubber; toxic gases would be burned high in the air, making them harmless. Small amounts of gas missed by scrubber and flare tower were to be knocked down by a water curtain that reached 40 to 50 feet above ground. Water jets could reach as high as 115 feet, but only if operated individually. In case of an uncontrolled leak, a siren was installed to warn workers and surrounding community.

Safety Features (cont.)

MIC was to be stored in an inert atmosphere of nitrogen gas at 2 to 10 psi over atmospheric pressure. Regularly scheduled inspection and cleaning of valves specified as imperative. Storage limited to 12 months maximum. If staff were doing sampling, testing, or maintenance at a time when there was a possibility of a leak or spill, operating manual specified they were to use protective rubber suits and air-breathing equipment. To limit its reactivity, MIC was to be maintained at a temperature near 0 C. Refrigeration unit provided for this purpose. High temperature alarm if MIC reached 11 C.

Hierarchical models

Events at Bhopal

Dec. 2, 1984, relatively new worker assigned to wash out some pipes and filters, which were clogged. Pipes being cleaned were connected to the MIC tanks by a relief valve vent header, normally closed. Worker closed valve to isolate tanks but nobody inserted required safety disk (slip blind) to back up valves in case they leaked. Maintenance sheet contained no instruction to insert disk. Worker assigned task did not check to see whether pipe properly isolated because said it was not his job to do so. He knew valves leaked, but safety disks were job of maintenance department.

Night shift came on duty at 11 pm. Pressure gauge indicated pressure was rising (10 psi instead of recommended 2 to 3 psi). But at upper end of normal range. Temperature in tank about 20 C. Both instruments were ignored because believed to be inaccurate. Operators told instead to use eye irritation as first sign of exposure.

11:30 pm: detected leak of liquid from an overhead line after some workers noticed slight eye irritation. Leaky valves were common and were not considered significant.

Workers looked for leak and saw a continuous drip on outside of MIC unit. Reported it to the MIC supervisor. Shift supervisor did not consider it urgent and postponed an investigation until after the tea break.

12:40 am on Dec. 3: Control room operator noticed tank 610 pressure gauge was approaching 40 psi and temperature was at top of scale (25 C).

12:45 am: Loud rumbling noises heard from tank. Concrete around tank cracked. Temperature in tank rose to 400 C, causing an increase in pressure that ruptured relief valve. Pressurized gas escaped in a fountain from top of vent stack and continued to escape until 2:30 am. MIC vented from stack 108 feet above ground. 50,000 pounds of MIC gas would escape.

Operator turned off water-washing line when first heard loud noises at 12:45 am and turned on vent scrubber system, but flow meter showed no circulation of caustic soda. He was unsure whether meter was working. To verify flow had started, he would have to check pump visually. He refused to do so unless accompanied by supervisor. Supervisor declined to go with him. Operator never opened valve connecting tank 610 to the spare tank 619 because level gauge showed it to be partially full.

Assistant plant manager called at home at 1 am and ordered vent flare turned on. He was told it was not operational (out of service for maintenance). A section of pipe connecting it to the tank was being repaired. Plant manager learned of leak at 1:45 am when called by the city magistrate.

When MIC leak was serious enough to cause physical discomfort to workers, they panicked and fled, ignoring four buses intended for evacuating employees and nearby residents. A system of walkie-talkies, kept for such emergencies, never used.

MIC supervisor could not find his oxygen mask and ran to boundary fence, where he broke his leg attempting to climb over it. Control room supervisor stayed in control room until the next afternoon, when he emerged unharmed.

Toxic gas warning siren not activated until 12:50 am when MIC seen escaping from vent stack. Turned off after only 5 minutes, which was Union Carbide policy. Remained off until turned on again at 2:30 am. Police were not notified and when they called between 1 and 2, were given no useful information.

No information given to public about protective measures in case of an emergency or other info on hazards. If had known to stay home, close their eyes, and breathe through a wet cloth, deaths could have been prevented. Army eventually came and tried to help by transporting people out of area and to medical facilities. This help was delayed because nobody at plant notified authorities about the release. Weather and wind contributed to consequences. Because happened in middle of night, most people asleep and it was difficult to see what was happening.

What were the causes of this accident given what you know so far? What additional questions were raised by what you have seen so far?

What about all the safety devices and procedures? How could the vent scrubber, flare tower, water spouts, refrigeration unit, alarms, and monitoring instruments all fail simultaneously?

Not uncommon for a company to turn off passive safety devices to save money; gauges are frequently out of service. At Bhopal, few alarms, interlocks, or automatic shutoff systems in critical locations that might have warned operators of abnormal conditions or stopped the gas leak before it spread. Thresholds established for production of MIC routinely exceeded, e.g., workers said it was common to leave MIC in the spare tank.

Operating manual said refrigeration unit must be operating whenever MIC was in the system. Chemical has to be maintained at a temp no higher than 5 C to avoid uncontrolled reactions. High temperature alarm to sound if MIC reached 11 C. Refrigeration unit turned off and MIC usually stored at nearly 20 C. Plant management adjusted threshold of alarm, accordingly, from 11 C to 20 C, thus eliminating possibility of an early warning of rising temperatures.

Flare tower was totally inadequate to deal with estimated 40 tons of MIC that escaped during accident. Could not be used anyway because pipe was corroded and had not been replaced.

Vent scrubber (had it worked) was designed to neutralize only small quantities of gas at fairly low pressures and temperatures. Pressure of escaping gas during accident exceeded scrubber’s design by nearly 2½ times. Temperature of escaping gas at least 80 degrees more than scrubber could handle. Shut down for maintenance.

Water curtain designed to reach height of 40 to 50 feet. MIC vapor vented over 100 feet above ground.

Practice alerts did not seem to be effective in preparing for an emergency (ran from contaminated areas and ignored buses sitting idle and ready to evacuate them).

Pipe-washing operation should have been supervised by second shift operator, but that position had been eliminated due to cost cutting.

Tank 610 contained 40 to 50 tons of MIC out of total capacity of 60 tons, which violated safety requirements. Tanks were not to be more than half filled. Spare tank was to be available to take excess. Adjacent tank thought to contain 15 tons according to shipping records, but contained nearer to 21 tons. Spare tank (619) contained less than 1 ton, but level gauge showed it was 20 percent full. Many of gauges not working properly or were improperly set.

Alarms sounded so many times a week (20 to 30) that no way to know what the siren signified. Emergency signal was identical to that used for other purposes, including practice drills. Not turned on until 2 hours after MIC leak started and then turned off after 5 minutes (company policy).

Plant workers had only bare minimum of emergency equipment, e.g., shortage of oxygen masks discovered after accident started. They had almost no knowledge or training about how to handle non-routine events.

Police were not notified when chemical release began. When called by police and reporters, plant spokesmen first denied accident and then claimed MIC was not dangerous. Surrounding community not warned or prepared.

Has your view of this accident changed with this additional information? What additional causal factors would you now include? What additional questions would you want answered?

Additional Information about Systemic Factors

Demand for MIC dropped sharply after 1981, leading to reductions in production and pressure on company to cut costs. Plant operated at less than half capacity when accident occurred. UC put pressure on Indian subsidiary to reduce losses, but gave no specific details about how this was to be done. In response, maintenance and operating personnel cut in half. Top management justified cuts as merely reducing avoidable and wasteful expenditures without affecting overall safety. As plant lost money, many of skilled workers left for more secure jobs. They either were not replaced or replaced by unskilled workers.

Maintenance procedures severely cut back and shift relieving system suspended (if no replacement showed up at end of shift, following shift went unmanned).

Indian government required plant to be operated completely by Indians. At first, UC flew plant personnel to West Virginia for intensive training and had teams of U.S. engineers make regular on-site safety inspections. By 1982, financial pressures led UC to give up direct supervision of safety at the plant, even though it retained general financial and technical control. No American advisors resident at Bhopal after 1982.

Minimal training of many of workers in how to handle non-routine emergencies. Several Indian staff who were trained in U.S. resigned and were replaced by less experienced technicians. When plant first built, operators and technicians had equivalent of two years of college education in chemistry or chemical engineering. In addition, UC provided them with 6 months training. When plant began to lose money, educational standards and staffing levels were reportedly reduced.

In 1983, chemical engineer managing MIC plant resigned because he disapproved of falling safety standards. He was replaced by an electrical engineer. Morale at the plant was low. Management and labor problems followed the financial losses. “There was widespread belief among employees that the management had taken drastic and imprudent measures to cut costs and that attention to the details that ensure safe operation were absent.”

Five months before accident, local UC India management decided to shut down refrigeration system. Most common reason given was cost cutting. Local management claimed unit was too small and never worked satisfactorily. Disagreement about whether UC in U.S. approved this measure. High temperature alert reset and logging of tank temperatures discontinued.

Hindsight Bias

Almost impossible to go back and understand how world looked to somebody not having knowledge of outcome. Oversimplify causality because start from outcome and reason backward. Overestimate likelihood of the outcome and people’s ability to foresee it because already know outcome. Overrate rule or procedure “violations”. Misjudge prominence or relevance of data presented to people at the time. Match outcomes with actions that went before it: if outcome bad, actions leading to it must have been bad too (missed opportunities, bad assessments, wrong decisions, and misperceptions).

Organizational and Social Factors

Play an important role in accidents. Hazard analysis and safety engineering that ignores them will not be very effective.
