On the 12th February 2003, the Australian navy came within 20 seconds of losing HMAS Dechaineux, one of its new Collins Class submarines.
Collins Class submarines
The cause of the problem was a burst flexible pipe (hose) in the auxiliary seawater cooling system. The hose burst when the Dechaineux was close to its maximum operating depth flooding the engine space with some 12 tones of water in 7 or 8 seconds.
As with the automatic shutdown of the CERN Large Hadron Collider (LHC) discussed in ‘If it can go wrong……’ [view the post] trained people and automatic responses to the emergency saved the submarine: the external valves in the hull were closed, the submarine was brought to full speed and maximum rate of ascent and all ballast was ‘blown’. Most of the responses that saved the submarine were implemented in the first 15 seconds following the disaster.
What makes this a really interesting study is the cause of the hose failure has never been identified. The short term solution was to limit the submarines maximum operating depth; the long term solution was to re-engineer the connection to eliminate the flexible hoses.
The flexible hoses were always identified as a critical safety item. Of every batch of hoses delivered, 10% were tested to destruction – none failed at less that 4 times the maximum operating pressure and every hose fitted was tested to more than the maximum operating pressure. The broken hose has been microscopically examined and no flaws identified.
In exactly the same way, the LHC management cannot identify the cause of the substation tripping out (causing the LHC shutdown in November), the Navy does not know what caused the flexible hose on the Dechaineux to fail.
What both incidents clearly demonstrate is that it is impossible to predict every source of risk and/or potential catastrophic failure. Other approaches are needed.
- The first is to design good emergency procedures that can avert disasters even if the precise cause of the failure is unknown or unpredicted. This should be a major consideration in any technical design. Both failures were in a predictable ‘class’ – the LHC could predicts power outages, submarines will occasionally suffer major leaks or flooding.
- The second is regardless of the statistical data collected, past performance cannot guarantee future outcomes. Any statistical simulation, including Monte Carlo has a range error. The result may be 90%, 95% or even 99% reliable but there is still a possibility of a result falling outside of the predicted range. The key message from ‘The illusion of control: dancing with chance’ [view the post], is the need to accept that there are things that you simply can’t control, and one of those things is the future.
It is only through recognising and embracing uncertainty can systems be developed to deal with the risk you did not foresee.
For more on the Dechaineux incident see: http://www.newsawards.com.au/files/pdf/05/sir-keith-02_1.pdf?download=1&filename=sir-keith-02_1.pdf
Pat Weaver
Lynda Bourne
Aavssitedev's Blog
Pingback: The powerful illusion of control | Stakeholder
Pingback: The powerful illusion of control « Stakeholder Management's Blog
Another dimension to the illusion of control is that individuals who have power to think they have more personal control over outcomes than they, in fact, do. Power has been demonstrated to lead to perceived control over outcomes that were either uncontrollable or unrelated to the power. For more on this see: The powerful illusion of control at http://stakeholdermanagement.wordpress.com/2010/03/28/the-powerful-illusion-of-control/
Lynda,
Those who hold a “powerful illusion” of control likely exist, but it seems important for the conversation here to confirm LHC and Dechaineux are examples of this illusion before drawing broader conclusions
Are you saying from your experience, or documented experience of others, through interviewing and assessing the mental and behavioral state with those who design and operate machines like the submarine, LHC, petrochemical plants, or manned spaceflight craft, — they are operating under the illusion of control?
See if Chapter 8 of
http://www.nasa.gov/exploration/news/ESAS_report.html
informs the conversation about such things as essentially dangerous machines, the processes around them and the people who design and operate them. We work this program on the Crew Vehicle side everyday.
Fail to safety is a design criteria. In both examples you mention this was the result.
My view is the examples of both the LHC and Dechaineux are the antithesis of senior managers having the ‘powerful illusion of control’ – both systems had very effective procedures developed in anticipation of the possibility of a failure management could not control.
Pat, can you clarify your point above please. On one hand you agree that “it is impossible to predict every source of risk and/or potential catastrophic failure”. I interpret this to mean that in every endeavour there are unknown unknowns. On the other hand you suggest that “it is only through recognising and embracing uncertainty can systems be developed to deal with the risk you did not foresee.”
I’m not sure I understand your point. Your first suggested bullet point falls within the realm on known unknowns, in which case it will be dealt with as part of the prediction process. As to your second bullet point, that falls into the realm of unknown unknowns, in which case it wouldn’t have provided a viable mitigation strategy for the failed submarine.
Cheers, Shim.
The designers, fleet managers and crew of the Dechaineux had no idea a flexible hose in the lower engine room could fail and had taken extraordinary to ensure the hose was 100% failsafe.
When the hose failed (a real ‘black swan’) there were no processes to deal with the specific failure. However, there were systems and procedures in place to deal with emergencies that cut in within a few seconds and saved 55 lives. These procedures were developed in the expectation they would never be used.
But there are still events in any walk of life you simply cannot foresee, predict or prevent.