
Calculating Catastrophic Risk

December 11, 2010

Posted by Jason in Uncategorized.

In honor of my risk-averse streak, I’m going to repost an entire article from Joel Katz’s blog.

Deepwater Horizon

Folks who know me know that I love to read reports of accident investigations. I tend to find aviation accident reports the most interesting, but I also read reports of pipeline accidents, industrial accidents, and the like.

Generally, accidents fall into one of several categories. There are the sudden catastrophic failure accidents such as TWA flight 800 or American 587, the one really stupid thing accidents such as the Chalk’s air crash or the crash that killed Aaliyah, and the long chain of small things accidents such as the Piper Alpha disaster or the gas pipeline explosion in Rancho Cordova in 2008.

However, the Deepwater Horizon disaster seems to be in a category all by itself. Just from what we know already, and we may have a very incomplete picture, the number of ‘very stupid things’ hovers at around seven. And these are some mind-bogglingly stupid things.

Let’s start with the blowout preventer. This is a critical piece of safety equipment. It’s so critical, and its failure can be so catastrophic, that key portions of it are redundant. For example, it has two control modules. Well, one of those modules had a bad battery. But that wasn’t considered particularly important to fix. Why? Because it was redundant — there was another battery in the other control module.

This is so mind-bogglingly stupid it’s hard to know how to point out how stupid it is without just blubbering in shock. What if there was an undetected problem in the second control module? That’s the reason they’re redundant in the first place.

But it gets worse. The other control module had a problem with a mechanically-operated valve. That was considered non-critical because there was a similar valve in the other control module … the one with the bad battery. It’s hard to point out how stupid this is without cursing.

Then there was the negative pressure test. This is a key test to assess the integrity of the well prior to removing the mud that prevents the well from blowing out. Well, the well failed the test. Managers decided that even though the test had failed, it was still possible that the well’s integrity was uncompromised — there are ways the test can report a problem when there is none. So they considered the test to have been passed even though it was failed.

Again, it’s hard to explain how mind-bogglingly dumb this is because it’s so obvious. In case you don’t see it, imagine someone goes to take a driving test to get their license. They do terribly, they run over cones, they show no lane control, and so on. But then you find out their baby sister was yelling all night the previous night, they didn’t get much sleep, and their nerves are shot. That can explain a failed driving test — the bad test doesn’t prove they’re not a good driver under normal conditions. So, you give them their license. Of course, the problem is, you have no reason to believe they are a competent driver, which is what the test was supposed to assure.

And this really is just the tip of the iceberg. Once the mud was removed, there were indications of a serious problem 40 minutes before the crew made any attempts to even assess the condition of the well, much less try to regain control of it.

This is the worst of what we know so far. Let’s hope this remains the only disaster in this new category — long chain of astonishingly stupid actions that miraculously didn’t cause a disaster until now because of dumb luck.

Things this article makes me worry about:

1. E.T. The list of things that had to go wrong for the oil spill to happen seems to be as long as the list of things that need to go right in the Drake Equation to give us an intelligent neighbor.

2. Nuclear war. A lot of things stop a lot of other things from going wrong, but you never know which redundant system will develop a bad battery. Here are some examples of Cold War mishaps that could have led to nuclear war:

1956, Nov. 5: Suez Crisis coincidence.

British and French forces were attacking Egypt at the Suez Canal. The Soviet Government had suggested to the U.S. that they combine forces to stop this by a joint military action, and had warned the British and French governments that (non-nuclear) rocket attacks on London and Paris were being considered. That night the U.S. military HQ in Europe received messages that:
(i) unidentified aircraft were flying over Turkey and the Turkish air force was on alert
(ii) 100 Soviet MIG-15s were flying over Syria
(iii) a British Canberra bomber had been shot down over Syria
(iv) the Russian fleet was moving through the Dardanelles.

It is reported that in the U.S.A. General Goodpaster himself was concerned that these events might trigger the NATO operations plan for nuclear strikes against the U.S.S.R.

The 4 reports were all shown afterwards to have innocent explanations. They were due, respectively, to:
(i) a flight of swans
(ii) a routine air force escort (much smaller than the number reported) for the president of Syria, who was returning from a visit to Moscow
(iii) the Canberra bomber was forced down by mechanical problems
(iv) the Russian fleet was engaged in scheduled routine exercises.


1962, Oct. 25: Duluth intruder.

At around midnight on 25 October, a guard at Duluth Sector Direction Center saw a figure climbing the security fence. He shot at it, and activated the “sabotage alarm”. This automatically set off sabotage alarms at all bases in the area. At Volk Field, Wisconsin, the alarm was wrongly wired, and the Klaxon sounded which ordered nuclear-armed F-106A interceptors to take off. The pilots knew there would be no practice alert drills while DEFCON 3 was in force, and they believed World War III had started.

Immediate communication with Duluth showed there was an error. By this time aircraft were starting down the runway. A car raced from the command center and successfully signalled the aircraft to stop.

The original intruder was a bear.


1968, Jan. 21: B-52 crash near Thule.

Communication between NORAD HQ and the BMEWS station at Thule had 3 elements:
1. Direct radio communication.
2. A “bomb alarm” as described above.
3. Radio communication relayed by a B-52 bomber on airborne alert.

On 21 January, 1968, fire broke out in the B-52 bomber on airborne alert near Thule. The pilot prepared for an emergency landing at the base. However the situation deteriorated rapidly, and the crew had to bale out. There had been no time to communicate with SAC HQ, and the pilotless plane flew over the Thule base before crashing on the ice 7 miles offshore. Its fuel and the high explosive component of its nuclear weapons exploded, but there was no nuclear detonation.

At that time, the “one point safe” condition of the nuclear weapons could not be guaranteed, and it is believed that a nuclear explosion could have resulted from accidental detonation of the high explosive trigger. Had there been a nuclear detonation even at 7 miles distant, and certainly if much nearer the base, all three communication methods would have given an indication consistent with a successful nuclear attack on both the base and the B-52 bomber. The bomb alarm would have shown red, and the two other communication paths would have gone dead. It would hardly have been anticipated that the combination could have been caused by accident, particularly as the map of the routes for B-52 airborne alert flights approved by the president showed no flight near to Thule. The route had apparently been changed without informing the White House.


Credit: Julia
