Safety Case Studies – Parallel Project Training Blog | APM Project Management Articles, Information and News from ParallelProjectTraining.com http://blog.parallelprojecttraining.com Tue, 14 Mar 2017 16:54:52 +0000 en-US hourly 1 https://wordpress.org/?v=4.7.3 Space Shuttle Challenger disaster 1986 http://blog.parallelprojecttraining.com/safety-case-studies/space-shuttle-challenger-disaster-1986/ http://blog.parallelprojecttraining.com/safety-case-studies/space-shuttle-challenger-disaster-1986/#respond Mon, 07 Feb 2011 14:17:45 +0000 http://blog.parallelprojecttraining.com/project-case-studies/space-shuttle-challenger-disaster-1986/   The Space Shuttle Challenger disaster occurred on January 28, 1986, when Space Shuttle Challenger broke apart 73 seconds into its flight, leading to the deaths of its seven crew members. The spacecraft disintegrated over the Atlantic Ocean, off the coast of central Florida, United States, at 11:39 a.m. Disintegration of the entire vehicle began…

The post Space Shuttle Challenger disaster 1986 appeared first on Parallel Project Training Blog | APM Project Management Articles, Information and News from ParallelProjectTraining.com.

]]>
 

The Space Shuttle Challenger disaster occurred on January 28, 1986, when Space Shuttle Challenger broke apart 73 seconds into its flight, leading to the deaths of its seven crew members. The spacecraft disintegrated over the Atlantic Ocean, off the coast of central Florida, United States, at 11:39 a.m.

Disintegration of the entire vehicle began after an O-ring seal in its right solid rocket booster (SRB) failed at liftoff. The O-ring failure caused a breach in the SRB joint it sealed, allowing pressurized hot gas from within the solid rocket motor to reach the outside and impinge upon the adjacent SRB attachment hardware and external fuel tank. This led to the separation of the right-hand SRB’s aft attachment and the structural failure of the external tank. Aerodynamic forces promptly broke up the orbiter.

The disaster resulted in a 32-month hiatus in the shuttle program and the formation of the Rogers Commission, a special commission appointed by United States President Ronald Reagan to investigate the accident. The Rogers Commission found that NASA’s organizational culture and decision-making processes had been a key contributing factor to the accident. NASA managers had known that contractor Morton Thiokol’s design of the SRBs contained a potentially catastrophic flaw in the O-rings since 1977, but they failed to address it properly. They also disregarded warnings from engineers about the dangers of launching posed by the low temperatures of that morning and had failed to adequately report these technical concerns to their superiors. The Rogers Commission offered NASA nine recommendations that were to be implemented before shuttle flights resumed.

Pre-launch conditions and delay

Challenger was originally set to launch from Kennedy Space Center in Florida at 2:42 p.m. Eastern Standard Time (EST) on January 22. However, delays suffered by the previous mission, STS-61-C, caused the launch date to be pushed back to January 23 and then to January 24. Launch was then rescheduled to January 25 due to bad weather at the Transoceanic Abort Landing (TAL) site in Dakar, Senegal. NASA decided to use Casablanca as the TAL site, but because it was not equipped for night landings, the launch had to be moved to the morning (Florida time). Predictions of unacceptable weather at Kennedy Space Centre caused the launch to be rescheduled for 9:37 a.m. EST on January 27.

The launch was delayed the next day by problems with the exterior access hatch. First, one of the micro switch indicators used to verify that the hatch was safely locked malfunctioned. Then, a stripped bolt prevented the closeout crew from removing a closing fixture from the orbiter’s hatch. When the fixture was finally sawn off, crosswinds at the Shuttle Landing Facility exceeded the limits for a Return to Launch Site (RTLS) abort. The crew waited for the winds to die down until the launch window finally ran out, forcing yet another scrub.

Forecasts for January 28 predicted an unusually cold morning, with temperatures close to 31 °F (−1 °C), the minimum temperature permitted for launch. The low temperature had prompted concern from engineers at Morton Thiokol, the contractor responsible for the construction and maintenance of the shuttle’s SRBs. At a teleconference on the evening of January 27, Thiokol engineers and managers discussed the weather conditions with NASA managers from Kennedy Space Center and Marshall Space Flight Center. Several engineers—most notably Roger Boisjoly, who had voiced similar concerns previously—expressed their concern about the effect of the temperature on the resilience of the rubber O-rings that sealed the joints of the SRBs. Each SRB was constructed of six sections joined in three factory joints and three “field joints”. The factory joints were welded, but the field joints—assembled in the Vehicle Assembly Building at Kennedy Space Center—each used two rubber O-rings, a primary and a secondary (backup), to seal them. The seals of all of the SRB joints were required to contain the hot high-pressure gases produced by the burning solid propellant inside, forcing it out the nozzle at the aft end of each rocket. Thiokol engineers argued that if the O-rings were colder than 53 °F (12 °C), they did not have enough data to determine whether the joint would seal properly. This was an important consideration, since the SRB O-rings had been designated as a “Criticality 1” component—meaning that there was no backup if both the primary and secondary O-rings failed, and their failure would destroy the Orbiter and its crew.

One argument of NASA personnel in contest to Thiokol’s concerns was that if the primary O-ring failed the secondary O-ring would still seal. This was unproven, and was in any case an illegitimate argument for a Criticality 1 component. (As astronaut Sally Ride cited in questioning NASA managers before the Rogers Commission, it is forbidden to rely on a backup for a Criticality 1 component. The backup is there to provide redundancy in case of unforeseen failure, not to replace the primary device, leaving no backup.) The engineers at Thiokol also argued that the low overnight temperatures (18 degrees F the evening prior to launch) would almost certainly result in SRB temperatures below their redline of 40 °F (4 °C). Ice had accumulated all over the launch pad, raising concerns that ice could damage the shuttle upon lift-off.

However, they were overruled by Morton Thiokol management, who recommended that the launch proceed as scheduled. Despite public perceptions that NASA always maintained a “fail-safe” approach, Thiokol management was influenced by demands from NASA managers that they show it was not safe to launch rather than prove conditions were safe. It later emerged in the aftermath of the accident that NASA managers frequently evaded safety regulations to maintain the launch manifest (schedule).

Due to the low temperature, a significant amount of ice built up on the fixed service structure that stood beside the shuttle. The Kennedy Ice Team inadvertently pointed an infrared camera at the aft field joint of the right SRB and found the temperature to be only 8 °F (−13 °C). This was believed to be the result of supercooled air blowing on the joint from the liquid oxygen tank vent. It was much lower than the air temperature and far below the design specifications for the O-rings. However, the 8 °F (−13 °C) reading was later determined to be erroneous, the error caused by not following the temperature probe manufacturer’s instructions. Tests and adjusted calculations later confirmed that the temperature of the joint was not substantially different than the ambient temperature.

Although the Ice Team had worked through the night removing ice, engineers at Rockwell International, the shuttle’s prime contractor, still expressed concern. Rockwell engineers watching the pad from their headquarters in Downey, California, were horrified when they saw the amount of ice. They feared that during launch, ice might be shaken loose and strike the shuttle’s thermal protection tiles, possibly due to the aspiration induced by the jet of exhaust gas from the SRBs. Rocco Petrone, the head of Rockwell’s space transportation division, and his colleagues viewed this situation as a launch constraint, and told Rockwell’s managers at the Cape that Rockwell could not support a launch. However, Rockwell’s managers at the Cape voiced their concerns in a manner that led Houston-based mission manager Arnold Aldrich to go ahead with the launch. Aldrich decided to postpone the shuttle launch by an hour to give the Ice Team time to perform another inspection. After that last inspection, during which the ice appeared to be melting, Challenger was finally cleared to launch at 11:38 a.m. EST.

The accident

Later review of launch film showed that at T+0.678, strong puffs of dark gray smoke were emitted from the right-hand SRB near the aft strut that attaches the booster to the ET. The last smoke puff occurred at about T+2.733. The last view of smoke around the strut was at T+3.375. It was later determined that these smoke puffs were caused by the opening and closing of the aft field joint of the right-hand SRB. The booster’s casing had ballooned under the stress of ignition. As a result of this ballooning, the metal parts of the casing bent away from each other, opening a gap through which hot gases—above 5,000 °F (2,800 °C)—leaked. This had occurred in previous launches, but each time the primary O-ring had shifted out of its groove and formed a seal. Although the SRB was not designed to function this way, it appeared to work well enough, and Morton-Thiokol changed the design specs to accommodate this process, known as extrusion.

Unfortunately, while extrusion was taking place, hot gases would leak past, a process called blow-by, damaging the O-rings until a seal was made. Investigations into the matter by Morton-Thiokol engineers determined that the amount of damage to the O-rings was directly related to the time it took for extrusion to occur, and that cold weather, by causing the O-rings to harden, lengthened the time of extrusion.

On the morning of the disaster, the primary O-ring had become so hard due to the cold that it couldn’t seal in time. The secondary O-ring was not in its seated position due to the metal bending. There was now no barrier to the gases, and both O-rings were vaporized across 70 degrees of arc. However, aluminum oxides from the burned solid propellant sealed the damaged joint, temporarily replacing the O-ring seal before actual flame rushed through the joint.

As the vehicle cleared the tower, the SSMEs were operating at 104% of their rated maximum thrust, and control switched from the Launch Control Center (LCC) at Kennedy to the Mission Control Center (MCC) at Johnson Space Center in Houston, Texas. To prevent aerodynamic forces from structurally overloading the orbiter, at T+28 the SSMEs began throttling down to limit the velocity of the shuttle in the dense lower atmosphere, as per normal operating procedure. At T+35.379, the SSMEs throttled back further to the planned 65%. Five seconds later, at about 5,800 metres (19,000 ft), Challenger passed through Mach 1. At T+51.860, the SSMEs began throttling back up to 104% as the vehicle passed beyond Max Q, the period of maximum aerodynamic pressure on the vehicle.

Beginning at about T+37, the shuttle experienced a series of wind shear events over the next 27 seconds that were the strongest recorded to date in the shuttle program. At T+58.788, a tracking film camera captured the beginnings of a plume near the aft attach strut on the right SRB. Unknown to those on Challenger or in Houston, hot gas had begun to leak through a growing hole in one of the right-hand SRB’s joints. The force of the wind shear shattered the temporary oxide seal that had taken the place of the damaged O-rings, removing the last barrier to flame rushing through the joint. Had it not been for the wind shear, the fortuitous oxide seal might have held through booster burnout.

Within a second, the plume became well defined and intense. Internal pressure in the right SRB began to drop because of the rapidly enlarging hole in the failed joint, and at T+60.238 there was visual evidence of flame coming through the joint and impinging on the external tank.

At T+64.660, the plume suddenly changed shape, indicating that a leak had begun in the liquid hydrogen tank, located in the aft portion of the external tank. The nozzles of the main engines pivoted under computer control to compensate for the unbalanced thrust produced by the booster burn-through. The pressure in the shuttle’s external liquid hydrogen tank began to drop at T+66.764, indicating the effect of the leak.

At this stage the situation still seemed normal both to the astronauts and to flight controllers. At T+68, the CAPCOM Richard Covey informed the crew that they were “go at throttle up”, and Commander Dick Scobee confirmed the call. His response, “Roger, go at throttle up,” was the last communication from Challenger on the air-to-ground loop.

Vehicle breakup

At T+72.284, the right SRB apparently pulled away from the aft strut attaching it to the external tank. Later analysis of telemetry data showed a sudden lateral acceleration to the right at T+72.525, which may have been felt by the crew. The last statement captured by the crew cabin recorder came just half a second after this acceleration, when Pilot Michael J. Smith said “Uh oh.” Smith may also have been responding to onboard indications of main engine performance, or to falling pressures in the external fuel tank.

At T+73.124, the aft dome of the liquid hydrogen tank failed, producing a propulsive force that pushed the hydrogen tank into the liquid oxygen tank in the forward part of the ET. At the same time, the right SRB rotated about the forward attach strut, and struck the intertank structure.

The breakup of the vehicle began at T+73.162 seconds and at an altitude of 48,000 feet (14.6 km). With the external tank disintegrating (and with the semi-detached right SRB contributing its thrust on an anomalous vector), Challenger veered from its correct attitude with respect to the local air flow and was immediately torn apart by abnormal aerodynamic forces, resulting in a load factor of up to 20 (or 20 g), well over its design limit of 5 g. The two SRBs, which can withstand greater aerodynamic loads, separated from the ET and continued in uncontrolled powered flight for another 37 seconds. The SRB casings were made of half-inch (12.7 mm) thick steel and were much stronger than the orbiter and ET; thus, both SRBs survived the breakup of the space shuttle stack, even though the right SRB was still suffering the effects of the joint burn-through that had set the destruction of Challenger in motion.

Investigation by Rogers Commission

The Presidential Commission on the Space Shuttle Challenger Accident, also known as the Rogers Commission (after its chairman), was formed to investigate the disaster. The commission members were Chairman William P. Rogers, Vice Chairman Neil Armstrong, David Acheson, Eugene Covert, Richard Feynman, Robert Hotz, Donald Kutyna, Sally Ride, Robert Rummel, Joseph Sutter, Arthur Walker, Albert Wheelon, and Chuck Yeager. The commission worked for several months and published a report of its findings. It found that the Challenger accident was caused by a failure in the O-rings sealing a joint on the right solid rocket booster, which allowed pressurized hot gases and eventually flame to “blow by” the O-ring and make contact with the adjacent external tank, causing structural failure. The failure of the O-rings was attributed to a faulty design, whose performance could be too easily compromised by factors including the low temperature on the day of launch.

More broadly, the report also considered the contributing causes of the accident. Most salient was the failure of both NASA and Morton Thiokol to respond adequately to the danger posed by the deficient joint design. However, rather than redesigning the joint, they came to define the problem as an acceptable flight risk. The report found that managers at Marshall had known about the flawed design since 1977, but never discussed the problem outside their reporting channels with Thiokol—a flagrant violation of NASA regulations. Even when it became more apparent how serious the flaw was, no one at Marshall considered grounding the shuttles until a fix could be implemented. On the contrary, Marshall managers went as far as to issue and waive six launch constraints related to the O-rings. The report also strongly criticized the decision making process that led to the launch of Challenger, saying that it was seriously flawed.

” …failures in communication… resulted in a decision to launch 51-L based on incomplete and sometimes misleading information, a conflict between engineering data and management judgments, and a NASA management structure that permitted internal flight safety problems to bypass key Shuttle managers.”

One of the commission’s most well-known members was theoretical physicist Richard Feynman. During a televised hearing, he famously demonstrated how the O-rings became less resilient and subject to seal failures at ice-cold temperatures by immersing a sample of the material in a glass of ice water. He was so critical of flaws in NASA’s “safety culture” that he threatened to remove his name from the report unless it included his personal observations on the reliability of the shuttle, which appeared as Appendix F. In the appendix, he argued that the estimates of reliability offered by NASA management were wildly unrealistic, differing as much as a thousand fold from the estimates of working engineers. “For a successful technology,” he concluded, “reality must take precedence over public relations, for nature cannot be fooled.”

The U.S. House Committee on Science and Technology also conducted hearings, and on October 29, 1986 released its own report on the Challenger accident. The committee reviewed the findings of the Rogers Commission as part of its investigation, and agreed with the Rogers Commission as to the technical causes of the accident. However, it differed from the committee in its assessment of the accident’s contributing causes.

” …the Committee feels that the underlying problem which led to the Challenger accident was not poor communication or underlying procedures as implied by the Rogers Commission conclusion. Rather, the fundamental problem was poor technical decision-making over a period of several years by top NASA and contractor personnel, who failed to act decisively to solve the increasingly serious anomalies in the Solid Rocket Booster joints.”

In response to the commission’s recommendation, NASA initiated a total redesign of the space shuttle’s solid rocket boosters, which was watched over by an independent oversight group as stipulated by the commission. NASA’s contract with Morton Thiokol, the contractor responsible for the solid rocket boosters, included a clause stating that in the event of a failure leading to “loss of life or mission,” Thiokol would forfeit $10 million of its incentive fee and formally accept legal liability for the failure. After the Challenger accident, Thiokol agreed to “voluntarily accept” the monetary penalty in exchange for not being forced to accept liability.

Although significant changes were made by NASA after the Challenger accident, many commentators have argued that the changes in its management structure and organizational culture were neither deep nor long-lasting. After the Space Shuttle Columbia disaster in 2003, attention once again focused on the attitude of NASA management towards safety issues. The Columbia Accident Investigation Board (CAIB) concluded that NASA had failed to learn many of the lessons of Challenger. In particular, the agency had not set up a truly independent office for safety oversight; the CAIB felt that in this area, “NASA’s response to the Rogers Commission did not meet the Commission’s intent”. The CAIB believed that “the causes of the institutional failure responsible for Challenger have not been fixed,” saying that the same “flawed decision making process” that had resulted in the Challenger accident was responsible for Columbia’s destruction seventeen years later.

Similar Posts:

The post Space Shuttle Challenger disaster 1986 appeared first on Parallel Project Training Blog | APM Project Management Articles, Information and News from ParallelProjectTraining.com.

]]>
http://blog.parallelprojecttraining.com/safety-case-studies/space-shuttle-challenger-disaster-1986/feed/ 0
Deepwater Horizon a Case in Risk Management http://blog.parallelprojecttraining.com/safety-case-studies/deepwater-horizon-a-case-in-risk-management/ http://blog.parallelprojecttraining.com/safety-case-studies/deepwater-horizon-a-case-in-risk-management/#respond Mon, 07 Feb 2011 14:15:39 +0000 http://blog.parallelprojecttraining.com/project-case-studies/deepwater-horizon-a-case-in-risk-management/   “The companies involved in the Gulf of Mexico oil spill made decisions to cut costs and save time that contributed to the disaster” National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling Introduction The Deepwater Horizon was a 9-year-old semi-submersible mobile offshore drilling unit, a massive floating, dynamically positioned drilling rig…

The post Deepwater Horizon a Case in Risk Management appeared first on Parallel Project Training Blog | APM Project Management Articles, Information and News from ParallelProjectTraining.com.

]]>
 

“The companies involved in the Gulf of Mexico oil spill made decisions to cut costs and save time that contributed to the disaster”

National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling

Introduction

The Deepwater Horizon was a 9-year-old semi-submersible mobile offshore drilling unit, a massive floating, dynamically positioned drilling rig that could operate in waters up to 8,000 feet (2,400 m) deep and drill down to 30,000 feet (9,100 m). The rig was built by South Korean company Hyundai Heavy Industries. It was owned by Transocean, operated under the Marshallese flag of convenience, and was under lease to BP from March 2008 to September 2013. At the time of the explosion, it was drilling an exploratory well at a water depth of approximately 5,000 feet (1,500 m) in the Macondo Prospect, located in the Mississippi Canyon Block 252 of the Gulf of Mexico in the United States exclusive economic zone about 41 miles (66 km) off the Louisiana coast.

The production casing was being installed and cemented by Halliburton Energy Services. Once the cementing was complete, the well would have been tested for integrity and a cement plug set, after which no further activities would take place until the well was later activated as a subsea producer. At this point, Halliburton modelling systems were used to design the cement slurry mix and ascertain what other supports were needed in the well bore. BP is the operator and principal developer of the Macondo Prospect with a 65% share, while 25% is owned by Anadarko Petroleum Corporation, and 10% by MOEX Offshore 2007, a unit of Mitsui.

The Accident

At approximately 9:45 p.m. CDT on April 20, 2010, methane gas from the well, under high pressure, shot all the way up and out of the drill column, expanded onto the platform, and then ignited and exploded. Fire then engulfed the platform. Most of the workers escaped the rig by lifeboat and were subsequently evacuated by boat or airlifted by helicopter for medical treatment; however, eleven workers were never found despite a three-day Coast Guard search operation, and are presumed to have died in the explosion. Efforts by multiple ships to douse the flames were unsuccessful. After burning for approximately 36 hours, the Deepwater Horizon sank on the morning of April 22, 2010.

Volume and extent of oil spill

An oil leak was discovered on the afternoon of April 22 when a large oil slick began to spread at the former rig site. According to the Flow Rate Technical Group the leak amounted to about 4.9 million barrels (205.8 million gallons) of oil exceeding the 1989 Exxon Valdez oil spill as the largest ever to originate in U.S.-controlled waters. In their permit to drill the well, BP estimated the worst case flow at 162,000 barrels per day.. Immediately after the explosion BP and the United States Coast Guard did not estimate any oil leaking from the sunken rig or from the well. On April 24, Coast Guard Rear Admiral Mary Landry announced that a damaged wellhead was indeed leaking. She stated that “the leak was a new discovery but could have begun when the offshore platform sank …” two days after the initial explosion. Initial estimates by Coast Guard and BP officials, based on remotely operated vehicles as well as the oil slick size, indicated the leak was as much as 1,000 barrels per day. Outside scientists quickly produced higher estimates, which presaged later increases in official numbers. Official estimates increased from 1,000 to 5,000 barrels per day on April 29, to 12,000 to 19,000 barrels per day on May to 25,000 to 30,000 barrels per day on June 10, and to between 35,000 and 60,000 barrels per day, on June 15. Internal BP documents, released by Congress, estimated the flow could be as much as 100,000 barrels per day, if the blowout preventer and wellhead were removed from the modelling.

Investigations into the Root Cause

In August 2010 BP reported on an internal investigation of the accident and identified eight key findings. The eight key findings related to the causes of the accident emerged. These findings are briefly described below. Refer to Figure 2 for details of the well.

  1. The annulus cement barrier did not isolate the hydrocarbons. The day before the accident, cement had been pumped down the production casing and up into the wellbore annulus to prevent hydrocarbons from entering the wellbore from the reservoir. The annulus cement that was placed across the main hydrocarbon zone was a light nitrified foam cement slurry. This annulus cement probably experienced nitrogen breakout and migration, allowing hydrocarbons to enter the wellbore annulus. The investigation team concluded that there were weaknesses in cement design and testing, quality assurance and risk assessment.
  2. The shoe track barriers did not isolate the hydrocarbons. Having entered the wellbore annulus, hydrocarbons passed down the wellbore and entered the 9 7/8 in. x 7 in. production casing through the shoe track, installed in the bottom of the casing. Flow entered into the casing rather than the casing annulus. For this to happen, both barriers in the shoe track must have failed to prevent hydrocarbon entry into the production casing. The first barrier was the cement in the shoe track, and the second was the float collar, a device at the top of the shoe track designed to prevent fluid ingress into the casing. The investigation team concluded that hydrocarbon ingress was through the shoe track, rather than through a failure in the production casing itself or up the wellbore annulus and through the casing hanger seal assembly. The investigation team has identified potential failure modes that could explain how the shoe track cement and the float collar allowed hydrocarbon ingress into the production casing.
  3. The negative-pressure test was accepted although well integrity had not been established. Prior to temporarily abandoning the well, a negative-pressure test was conducted to verify the integrity of the mechanical barriers (the shoe track, production casing and casing hanger seal assembly). The test involved replacing heavy drilling mud with lighter seawater to place the well in a controlled underbalanced condition. In retrospect, pressure readings and volume bled at the time of the negative-pressure test were indications of flow-path communication with the reservoir, signifying that the integrity of these barriers had not been achieved. The Transocean rig crew and BP well site leaders reached the incorrect view that the test was successful and that well integrity had been established.
  4. Influx was not recognized until hydrocarbons were in the riser. With the negative-pressure test having been accepted, the well was returned to an overbalanced condition, preventing further influx into the wellbore. Later, as part of normal operations to temporarily abandon the well, heavy drilling mud was again replaced with seawater, underbalancing the well. Over time, this allowed hydrocarbons to flow up through the production casing and passed the BOP. Indications of influx with an increase in drill pipe pressure are discernable in real-time data from approximately 40 minutes before the rig crew took action to control the well. The rig crew’s first apparent well control actions occurred after hydrocarbons were rapidly flowing to the surface. The rig crew did not recognize the influx and did not act to control the well until hydrocarbons had passed through the BOP and into the riser.
  5. Well control response actions failed to regain control of the well. The first well control actions were to close the BOP and diverter, routing the fluids exiting the riser to the Deepwater Horizon mud gas separator (MGS) system rather than to the overboard diverter line. If fluids had been diverted overboard, rather than to the MGS, there may have been more time to respond, and the consequences of the accident may have been reduced
  6. Diversion to the mud gas separator resulted in gas venting onto the rig. Once diverted to the MGS, hydrocarbons were vented directly onto the rig through the 12 in. goosenecked vent exiting the MGS, and other flow-lines also directed gas onto the rig. This increased the potential for the gas to reach an ignition source. The design of the MGS system allowed diversion of the riser contents to the MGS vessel although the well was in a high flow condition. This overwhelmed the MGS system.
  7. The fire and gas system did not prevent hydrocarbon ignition. Hydrocarbons migrated beyond areas on Deepwater Horizon that were electrically classified to areas where the potential for ignition was higher. The heating, ventilation and air conditioning system probably transferred a gas-rich mixture into the engine rooms, causing at least one engine to overspeed, creating a potential source of ignition.
  8. The BOP emergency mode did not seal the well. Three methods for operating the BOP in the emergency mode were unsuccessful in sealing the well. The explosions and fire very likely disabled the emergency disconnect sequence, the primary emergency method available to the rig personnel, which was designed to seal the wellbore and disconnect the marine riser from the well. The condition of critical components in the yellow and blue control pods on the BOP very likely prevented activation of another emergency method of well control, the automatic mode function (AMF), which was designed to seal the well without rig personnel intervention upon loss of hydraulic pressure, electric power and communications from the rig to the BOP control pods. An examination of the BOP control pods following the accident revealed that there was a fault in a critical solenoid valve in the yellow control pod and that the blue control pod AMF batteries had insufficient charge; these faults likely existed at the time of the accident.

The team did not identify any single action or inaction that caused this accident. Rather, a complex and interlinked series of mechanical failures, human judgments, engineering design, operational implementation and team interfaces came together to allow the initiation and escalation of the accident. Multiple companies, work teams and circumstances were involved over time.

Other perspectives on the Accident

 

On November 8, the inquiry by the Oil Spill Commission revealed its findings that BP had not sacrificed safety in attempts to make money, but that some decisions had increased risks on the rig. However, the panel said a day later that there had been “a rush to completion” on the well, criticizing poor management decisions. “There was not a culture of safety on that rig,” co-chair Bill Reilly said. One of the decisions met with tough questions was that BP refuted the findings of advanced modelling software that had ascertained over three times as many centralizers were needed on the rig. It also decided not to rerun the software when it stuck with only six centralizers, and ignored or misread warnings from other key tests, the panel revealed.[30]

On November 16, an independent 15-member committee released a report stating BP and others, including federal regulators, ignored “near misses”. University of Michigan engineering practice professor and committee chairman Donald Winter that sealing the well continued “despite several indications of potential hazard”. For example, tests showed the cement was not strong enough to prevent oil and gas from escaping. Also, BP lost drilling materials in the hole. According to Donald Winter, the panel of investigators could not pin the explosion aboard the rig on a single decision made by BP, or anyone else, they found that the companies’ focus on speed over safety, given that the well was behind schedule costing BP $1.5 million a day-helped lead to the accident. As Donald Winter told the New York Times, “A large number of decisions were made that were highly questionable and potentially contributed to the blowout of the Macondo well… Virtually all were made in favour of approaches which were shorter in time and lower in cost. That gives us concern that there was not proper consideration of the tradeoffs between cost and schedule and risk and safety.” A document obtained by Greenwire, shows BP PLC, Halliburton Co. and Transocean Ltd. made a series of 11 unnecessary decisions that may have increased the chances of disaster. The document outlines 11 specific decisions that BP and its contractors made ahead of the disaster that may have increased risk on the rig. At least nine of the decisions saved time, the document shows, and the majority of the decisions were made by BP personnel on shore. These decisions were most likely made to try to save money since the well was significantly underperforming.

On December 8th Joe Keith, a senior Halliburton manager, admitted to the U.S. Coast Guard-Interior Department panel in Houston that he left his post aboard Transocean’s rig to smoke a cigarette on the night of the April disaster in the Gulf. While he was away from his monitors, charts entered into evidence showed that pressure data indicated the well was filling up with explosive natural gas and crude

 

Questions

 

Was the accident on the Deep Horizon Rig just bad luck or poor management?

To what extent were the risks associated with the project identified and managed?

What if any systematic root causes exist for the accident?

Could this happen in your organisation?

Similar Posts:

The post Deepwater Horizon a Case in Risk Management appeared first on Parallel Project Training Blog | APM Project Management Articles, Information and News from ParallelProjectTraining.com.

]]>
http://blog.parallelprojecttraining.com/safety-case-studies/deepwater-horizon-a-case-in-risk-management/feed/ 0
Extract from Haddon Cave Report into the loss of RAF Nimrod XV230 http://blog.parallelprojecttraining.com/safety-case-studies/extract-from-haddon-cave-report-into-the-loss-of-raf-nimrod-xv230/ http://blog.parallelprojecttraining.com/safety-case-studies/extract-from-haddon-cave-report-into-the-loss-of-raf-nimrod-xv230/#respond Mon, 07 Feb 2011 14:12:09 +0000 http://blog.parallelprojecttraining.com/default/extract-from-haddon-cave-report-into-the-loss-of-raf-nimrod-xv230/ Executive Summary Introduction The extract below is taken from the Haddon Cave report into the accident leading to the loss of the Nimrod XV230 in Afghanistan. It is crown copy write and the full report is available from http://www.official-documents.gov.uk/document/hc0809/hc10/1025/1025.asp Loss of XV230 1. RAF Nimrod XV230 was lost on 2 September 2006 on a mission…

The post Extract from Haddon Cave Report into the loss of RAF Nimrod XV230 appeared first on Parallel Project Training Blog | APM Project Management Articles, Information and News from ParallelProjectTraining.com.

]]>
Executive Summary

Introduction

The extract below is taken from the Haddon Cave report into the accident leading to the loss of the Nimrod XV230 in Afghanistan. It is crown copy write and the full report is available from http://www.official-documents.gov.uk/document/hc0809/hc10/1025/1025.asp

Loss of XV230

1. RAF Nimrod XV230 was lost on 2 September 2006 on a mission over Afghanistan when she suffered a catastrophic mid-air fire, leading to the total loss of the aircraft and the death of all 14 service personnel on board. Investigation of the crash scene had to be curtailed because of enemy presence but, fortunately, photographs were taken and crucial recording equipment recovered. Subsequently,most of the aircraft wreckage disappeared.

History

2. The Nimrod, a derivative of the De Havilland Comet, has a long and distinguished record in maritime reconnaissance and other roles over 40 years, and continues to play an important role in Defence. XV230 was the first Nimrod to enter service with the RAF on 2 October 1969.

Board of Inquiry

3. The Board of Inquiry conducted a seven-month inquiry and, despite the absence of physical evidence, was able to determine that the most probable physical causes of the fire and explosion were: (1) Fuel source: The escape of fuel during Air-to-Air Refuelling, or a leak from a fuel coupling or pipe, led to an accumulation of fuel within the No. 7 Tank Dry Bay; alternatively, although of a lower probability, a hot air leak damaging fuel system seals. (2) Ignition source: Ignition of that fuel by the Cross Feed/SCP duct. The main conclusions of the Board of Inquiry have been confirmed by two leading agencies, the UK Air Accident Investigation Branch and the United States Air Force Safety Center. I am satisfied that the BOI’s findings are a sound basis upon which to found this

Physical Causes

Ignition source

4. There can be no doubt that the ignition source was the Cross-Feed/SCP duct in the starboard No. 7 Tank Dry Bay, and the most probable point of ignition was the SCP muff.

Probable fuel sources

5. I have concluded that the most likely source of fuel was an overflow during Air-to-Air Refuelling. New evidence has come to light which points to this being the most probable cause (Chapter 6).The second most likely source of fuel was a leak from either an FRS or an Avimo fuel coupling in the starboard No. 7 Tank Dry Bay (Chapter 5). The third, and only other viable,11 source of fuel could have been coupling damage caused by a Cross-Feed/SCP duct failure, but this mechanism is much less likely than the other two. (Chapter 7)

Responsibility for design flaws

6. Design flaws introduced at three stages played a crucial part in the loss of XV230. First, the original fitting of the Cross-Feed duct by Hawker Siddeley12 in about 1969 (Chapter 4). Second, the addition of the SCP by British Aerospace13 in about 1979 (Chapter 4). Third, the fitting of the permanent Airto- Air Refuelling modification by British Aerospace in about 1989. (Chapter 6)

Previous incidents

7. There were a number of previous incidents and warning signs potentially relevant to XV230; in particular, the rupture of the SCP duct in Nimrod XV227 in November 2004 should have been a“wake up call”. (Chapter 8)

Nimrod Safety Case

8. The drawing up of a ‘Safety Case’, to identify, assess, and mitigate potentially catastrophic hazards before they could cause an accident, was mandated for military aircraft and other military platforms by regulations introduced in September 2002. (Chapter 9)

Loss of XV230 avoidable

9. The Nimrod Safety Case was drawn up between 2001 and 2005 by BAE Systems (Phases 1 and 2) and the MOD Nimrod Integrated Project Team (Third Phase), with QinetiQ acting as independent advisor. The Nimrod Safety Case represented the best opportunity to capture the serious design flaws in the Nimrod which had lain dormant for years. If the Nimrod Safety Case had been drawn up with proper skill, care and attention, the catastrophic fire risks to the Nimrod MR2 fleet presented by the Cross-Feed/SCP duct and the Air-to-Air Refuelling modification would have been identified and dealt with, and the loss of XV230 in September 2006 would have been avoided.

Lamentable job

10. Unfortunately, the Nimrod Safety Case was a lamentable job from start to finish. It was riddled with errors. It missed the key dangers. Its production is a story of incompetence, complacency, and cynicism. The best opportunity to prevent the accident to XV230 was, tragically, lost. (Chapters 10A and 10B)

General malaise

11. The Nimrod Safety Case process was fatally undermined by a general malaise: a widespread assumption by those involved that the Nimrod was ‘safe anyway’ (because it had successfully flown for 30 years) and the task of drawing up the Safety Case became essentially a paperwork and ‘tickbox’ exercise. (Chapter 11)

Criticisms of BAE Systems

12. BAE Systems bears substantial responsibility for the failure of the Nimrod Safety Case. Phases 1 and 2 were poorly planned, poorly managed and poorly executed, work was rushed and corners were cut. The end product was seriously defective. There was a big hole in its analysis: BAE Systems had left 40% of the hazards “Open” and 30% “Unclassified”. The work was, in any event, riddled with errors of fact, analysis and risk categorisation. The critical catastrophic fire hazard relating to the Cross-Feed/SCP duct (Hazard H73) had not been properly assessed and, in fact, was one of those left “Open” and “Unclassified”. Further, at handover meetings in 2004, BAE Systems gave the misleading impression to the Nimrod IPT and QinetiQ that the task had been properly completed and could be signed off and deliberately did not disclose to its customer the scale of the hazards it had left “Open” and “Unclassified” (many with only vague recommendations that ‘further work’ was required). The Nimrod IPT and QinetiQ representatives were lulled into a false sense of security. These matters raised question marks about the prevailing ethical culture at BAE Systems. (Chapter 11)

Chapter 1 – Introduction and Summary

13. Three key BAE Systems management personnel involved in the Nimrod Safety Case bear primary responsibility for the above matters and are the subject of significant criticism: (1) the Chief Airworthiness Engineer; (2) the Task Leader; and (3) the Flight Systems and Avionics Manager. (Chapter 11)

Criticisms of Nimrod IPT

14. The Nimrod IPT bears substantial responsibility for the failure of the Nimrod Safety Case. The Nimrod IPT inappropriately delegated project management of the Nimrod Safety Case task to a relatively junior person without adequate oversight or supervision; failed to ensure adequate operator involvement in BAE Systems’ work on Phases 1 and 2; failed to project manage properly, or to act as an ‘intelligent customer’ at any stage; failed to read the BAE System Reports carefully or otherwise check BAE Systems’ work; failed to follow its own Safety Management Plan; failed properly to appoint an Independent Safety Advisor to audit the Nimrod Safety Case; and signed-off BAE Systems’ work in circumstances where it was manifestly inappropriate to do so. Subsequently, the Nimrod IPT sentenced the outstanding risks on a manifestly inadequate, flawed and unrealistic basis, and in doing so mis-categorised the catastrophic fire risk represented by the Cross-Feed/SCP duct (Hazard H73) as ‘Tolerable’ when it plainly was not. The Nimrod IPT was sloppy and complacent and outsourced its thinking. (Chapter 11)

15. Three key Nimrod IPT personnel involved in the Nimrod Safety Case bear primary responsibility for the above matters and are the subject of significant criticism: (1) the Nimrod IPT Leader, (2) the Head of Air Vehicle, and (3) the Safety Manager. (Chapter 11)

Criticisms of QinetiQ

16. QinetiQ also bears a share of responsibility for the failure of the Nimrod Safety Case. QinetiQ failed properly to carry out its role as ‘independent advisor’ and, in particular: failed to clarify its role at any stage; failed to check that BAE Systems sentenced risks in an appropriate manner and included risk mitigation evidence in its Reports; sent someone inadequately briefed to the critical handover meeting; failed to read the BAE Systems reports or otherwise check BAE Systems’ work properly; failed to advise its customer properly or ask any intelligent questions at the key handover meetings; and subsequently ‘signed-off’ BAE Systems’ work in circumstances where it was manifestly inappropriate to do so: in particular, without even having read any of the BAE Systems Reports and contrary to relevant regulations and standards.14 QinetiQ’s approach was fundamentally lax and compliant. (Chapter 11)

17. Two key QinetiQ personnel involved in the Nimrod Safety Case bear primary responsibility for the above matters and are the subject of significant criticism: (1) the Task Manager and (2) the Technical Assurance Manager. (Chapter 11)

Organisational Causes

18. Organisational causes played a major part in the loss of XV230. Organisational causes adversely affected the ability of the Nimrod IPT to do its job, the oversight to which it was subject, and the culture within which it operated, during the crucial years when the Nimrod Safety Case was being prepared, in particular 2001-2004.

History of MOD In-Service Support

19. Huge organisational changes took place in the MOD in-service support and airworthiness arrangements for Defence equipment and RAF aircraft in the years prior to the loss of XV230. There were three major themes at work: (a) a shift from organisation along purely ‘functional’ to projectoriented lines; (b) the ‘rolling up’ of organisations to create larger and larger ‘purple’ and ‘throughlife’management structures; and (c) ‘outsourcing’ to industry. (Chapter 12)

Warning in 1998

20. A Nimrod report in 1998 warned of “the conflict between ever-reducing resources and … increasing demands; whether they be operational, financial, legislative, or merely those symptomatic of keeping an old ac flying”, and called for Nimrod management that was “highly attentive” and “closely attuned to the incipient threat to safe standards”, in order to safeguard the airworthiness of the fleet in the future.15 These warnings were not sufficiently heeded in the following years. (Chapter 13)

Organisational trauma 1998-2006

21. The MOD suffered a sustained period of deep organisational trauma between 1998 and 2006, beginning with the 1998 Strategic Defence Review. Financial pressures and cuts drove a cascade of multifarious organisational changes, which led to a dilution of the airworthiness regime and culture within the MOD, and distraction from safety and airworthiness issues as the top priority. There was a shift in culture and priorities in the MOD towards ‘business’ and financial targets, at the expense of functional values such as safety and airworthiness. The Defence Logistics Organisation, in particular, came under huge pressure. Its primary focus became delivering ‘change’ and the ‘change programme’ and achieving the ‘Strategic Goal’ of a 20% reduction in output costs in five years and other financial savings. Airworthiness was a victim of the process started by the 1998 Strategic Defence Review. (Chapter 13)

22. Two senior personnel who presided over the Defence Logistics Organisation during the crucial period 2000-2004 bear particular responsibility for the episode of cuts, change, dilution and distraction and its consequences, and are the subject of significant criticism: (1) the first Chief of Defence Logistics (April 1999 to August 2002); and (2) the second Chief of Defence Logistics (September 2002 to December 2004). (Chapter 13)

Procurement

23. But for the delays in the Nimrod MRA4 replacement programme, XV230 would probably have no longer have been flying in September 2006, because it would have reached its Out-of-Service Date and already been scrapped or stripped for conversion. The history of Procurement generally in the MOD has been one of years of major delays and cost overruns. This has had a baleful effect on In- Service Support and safety and airworthiness generally. Poor Procurement practices have helped create ‘bow waves’ of deferred financial problems, the knock-on effects of which have been visited on In-Service Support, with concomitant change, confusion, dilution, and distraction as occurred in the post-Strategic Defence Review period 1998-2006. As the Rt Hon. John Hutton stated the day before his resignation as Secretary of State for Defence, “we have no choice but to act with urgency” on Procurement. (Chapter 14).

Aftermath

BOI Recommendations and post-XV230 events and measures

24. A large number of steps have been taken post-XV230 in relation to the Nimrod fleet to address the Board of Inquiry Recommendations and other maintenance and airworthiness issues which have since been revealed by subsequent incidents and investigations. I have been kept closely informed of all such developments. Pursuant to my Terms of Reference, I would have issued an immediate interim report if, at any stage, a matter of concern had come to my attention which I felt affected the immediate airworthiness of the Nimrod fleet or safety of its crews. I have not felt it necessary to issue an interim report at any stage. The continued successful deployment and operation of the Nimrod fleet post-XV230 is a tribute to the dedication of the Nimrod community and leadership at RAF Kinloss and RAF Waddington and their parent Headquarters. (Chapter 15)

Coroner’s Inquest

25. The Coroner’s Inquest produced little factual evidence of value to the Review. The Coroner’s finding as to the likely source of fuel did not accord with the realistic probabilities, or the evidence before him, and his Rule 43 recommendation (that the Nimrod fleet should be grounded pending certain repairs) was based on his misunderstanding of the meaning of As Low as Reasonably Practicable(ALARP). The Coroner’s widely-publicised remark that the MOD had a “cavalier approach to safety”was unjustified. The fundamental problems are ones of structure, culture, and procedure, not

indifference. (Chapter 16)

Lessons and Recommendations

26. The lessons to the learned from the loss of Nimrod XV230 are profound and wide-ranging. Many of the lessons to be learned are not new. The organisational causes of the loss of Nimrod XV230 echo other major accident cases, in particular the loss of the Space Shuttles Challenger and Columbia, and cases such as the Herald of Free Enterprise, the King’s Cross Fire, the Marchioness Disaster and BP Texas City. (Chapter 17)

27. Those involved in Military Aviation Airworthiness would benefit from an understanding of Accident Theory. (Chapter 18)

28. The shortcomings in the current airworthiness system in the MOD are manifold and include

(Chapter 19):

(1) a failure to adhere to basic Principles;

(2) a Military Airworthiness System that is not fit for purpose;

(3) a Safety Case regime which is ineffective and wasteful;

(4) an inadequate appreciation of the needs of Aged Aircraft;

(5) a series of weaknesses in the area of Personnel;

(6) an unsatisfactory relationship between the MOD and Industry;

(7) an unacceptable Procurement process leading to serial delays and cost-overruns; and (8) a Safety Culture that has allowed ‘business’ to eclipse Airworthiness.

29. I make Recommendations in the following eight key areas:

(1) A new set of Principles: I recommend adherence to four key principles (Chapter 20):

_ Leadership

_ Independence

_ People

_ Simplicity

(2) A new Military Airworthiness Regime: I make detailed and comprehensive recommendations under 10 headings comprising a blueprint to enable the MOD to build a New Military Airworthiness Regime (under the control of an independent Military Airworthiness Authority), which is effective, relevant and understood, which properly addresses Risk to Life, and which drives new attitudes, behaviours, and a new Safety Culture. (Chapter 21)

(3) A new approach to Safety Cases: I make recommendations for best practice for Safety Cases for the future, which are to be brought in-house, re-named ‘Risk Cases’, and made more focused, proportionate, and relevant. (Chapter 22)

A new attitude to Aged Aircraft: I recommend that generic problems associated with aged and ‘legacy’ aircraft are addressed. (Chapter 23)

(5) A new Personnel Strategy: I recommend that current weaknesses in the area of personnel are addressed. (Chapter 24)

(6) A new Industry Strategy: I recommend that flaws in the current bilateral and triangular relationships between the MOD, BAE Systems, and QinetiQ revealed by the Nimrod Safety Case are addressed. (Chapter 25)

(7) A new Procurement Strategy: I recommend that Bernard Gray’s Report on Procurement is published without delay16 and appropriate action taken as a matter of urgency. (Chapter 26)

(8) A new Safety Culture: I make recommendations for a new Safety Culture comprising a Reporting Culture, a Just Culture, a Flexible Culture, a Learning Culture, and a Questioning Culture.(Chapter 27)

30. I also make a number of further Recommendations. (Chapter 28)

31. The ultimate aim of this Report is to improve Safety and Airworthiness for the Future. The duty of those in authority reading this Report is to bring about, as quickly as possible, the much-needed and fundamental improvements for the Future which I have identified. This is not only for the safety of the men and women in the Services most immediately at risk, but also for the benefit of the effectiveness of Defence generally. A safe and airworthy fleet is also a more capable and effective fleet

.

32. I welcome the setting up by the MOD of the Haddon-Cave Review Implementation Team17 to implement the Recommendations in this Report as rapidly as possible.

Military Covenant

33. In my view, XV230 was lost because of a systemic breach of the Military Covenant brought about by significant failures on the part of all those involved. This must not be allowed to happen again. (Chapter 29)

Similar Posts:

The post Extract from Haddon Cave Report into the loss of RAF Nimrod XV230 appeared first on Parallel Project Training Blog | APM Project Management Articles, Information and News from ParallelProjectTraining.com.

]]>
http://blog.parallelprojecttraining.com/safety-case-studies/extract-from-haddon-cave-report-into-the-loss-of-raf-nimrod-xv230/feed/ 0