
EG 2401 Engineering Professionalism

Topic 7: Commitment to Safety
Topic 8: International Engineering Professionalism
Topic 9: Engineers and the Environment

K. G. Neoh
Dept. of Chemical & Biomolecular Eng

EG 2401 - K. G. Neoh

Topic 7: Commitment to Safety

1. Introduction
2. Safety and Risk
3. Difficulty in Estimating Risk
4. Defining Acceptable Risk
5. Liability for Risk
6. Designing for Safety
7. Causes of Technological Disasters
8. Case Study

Reference Reading: Fleddermann 3rd or 4th Ed Chp 5 & Harris 4th Ed Sections 5.7 to 5.10 + Chp 7

1. Introduction

"No duty of the engineer is more important than his/her duty to protect the safety and well-being of the public" - Fleddermann


Responsibility in Engineering

- Engineering is an important and learned profession
- Engineers' work has great impact on society & people's lives
- Impact is the result of engineers' expertise (or lack of)
- But engineering work involves risk (social experimentation)
- Expertise carries with it professional responsibility!

"With great power comes great responsibility"

Examples of Technological Disasters

- Aerospace: Challenger (86); TWA Flight 800 (96); Columbia (03)
- Chemical: Love Canal (78); Bhopal (84); Industrial Accidents in China (05/06)
- Civil: Mississippi River Bridge (07); Dam Failure in Spain (98); WTC Collapse (01)
- Electrical: US NE Blackout (65, 03); Three Mile Island (79)
- Mechanical: Ford Pinto (60s); Hyatt Regency Walkway Collapse (81)


2. Safety and Risk

Risk: possibility of suffering harm or loss
Safety: value judgment, related to risk
Safety and risk depend on many factors:
- voluntary vs involuntary risk
- short-term vs long-term consequences
- expected probability
- reversible effects
- threshold levels
- delayed vs immediate risk

Class Discussion: Perception of Risk

In 1992, roughly the same number of fatalities occurred in USA involving different forms of transportation:
- Airplanes: 775
- Trains: 755
- Bicycles: 722
Is the public perception of risk involved in each transportation mode the same? Why?

3. Difficulty in Estimating Risk

Risk assessment is the uncertain prediction of the probability of harm:
(i) Not possible to anticipate all of the technical problems which can result in a failure
(ii) Not possible to anticipate all human errors which can result in a failure
(iii) Probabilities assigned to failure modes are highly conjectural and cannot be corroborated by experimental testing
(iv) Cannot be sure of the sequence of the initiating events

4. Defining Acceptable Risk

In the face of uncertainties inherent in the prediction of risk, how do we define acceptable risk?
Balance between utilitarian and respect-for-persons (RP) considerations
Principle of acceptable risk: "People should be protected from the harmful effects of technology, especially when the harms are not consented to or when they are unjustly distributed, except that this protection must sometimes be balanced against (a) the need to preserve great and irreplaceable benefits and (b) the limitations on our ability to obtain informed consent" (Harris)
Approaches of laypeople vs experts

Laypeople's perception of risk often includes value judgment: a risk imposed involuntarily is more risky than one that is voluntarily assumed, eg exposure to toxic waste vs smoking
- voluntarily assumed risks are more acceptable than risks not voluntarily assumed
- willing to accept higher risk if compensated
To give free and informed consent to risks imposed by technology, a person must (i) not be coerced, (ii) have the relevant info, and (iii) be rational and competent enough to evaluate the info
Acceptable risk is one which is freely assumed by free and informed consent, or properly compensated, and which is justly distributed

Experts' definition: Risk = Probability x Magnitude of harm
Acceptable risk is defined in utilitarian terms (cost-benefit analysis)
Government regulators face a dilemma: (i) regulate only when there is a provable connection, or (ii) eliminate any possible risk?
- Option (i) may expose public to unacceptable risks since there are difficulties in establishing effects and limits
- Option (ii) would result in cost-ineffectiveness since large amounts of money would have to be spent to eliminate even minute risks
Acceptable risk is one in which protecting the public from harm has been weighted more heavily than benefiting the public

5. Liability for Risk

Risks impose liabilities on engineers, which often result in litigation
Litigation seeking redress from harm commonly appeals to Tort Law, which deals with injuries to one person caused by another, usually as a result of negligence of the injuring party
Standard of proof in tort law that a given substance caused a harm is usually less stringent compared to scientific studies as well as in criminal proceedings
Ethical question: should we be more concerned with protecting the rights of plaintiffs who may have been unjustly harmed, or with promoting economic efficiency and protecting defendants against unjust charges of harm?

Protecting engineers from liability: sometimes the threat of legal liability prevents engineers from assuming the responsibility to protect public safety
Example: use of trench boxes in excavating for foundations and pipelines, etc. People who work in deep trenches are subjected to considerable risk of death or injury from collapsing trench walls
Trench boxes greatly reduce the risks, but should engineers specify the use of trench boxes?
- If they do not, workers are subjected to high risks
- If they do, they may incur liability in case of accident

6. Designing for Safety

4 criteria needed to help ensure a safe design:
- design must comply with applicable laws
- design must meet the standard of acceptable practice
- potentially safer alternative designs must be explored
- engineer must attempt to foresee potential misuses of product and design to avoid these problems
Once a product is designed, both prototypes and finished devices must be rigorously tested with regards to specifications as well as safety

Class Discussion: De Havilland Comet 1

1st commercial jet airliner (1952: maiden flight from London to Johannesburg)
Disastrous History
- Mar 1953: Crash on takeoff: All dead
- May 1953: Crash on takeoff: All dead
- Jan 1954: Broke up in flight and crashed into the sea: All dead
Why???
Designers wanted square windows to differentiate from ships' portholes
Comet 4 - Redesigned and entered commercial service in 1958. But??

Class Discussion: Herald of Free Enterprise

Roll-on-Roll-off passenger and car ferry
Operated on route across English Channel
1987: Capsized within minutes after leaving harbor
Loss of 188 lives
Simulation: http://www.youtube.com/watch?v=jz2jpLO-bYw

Multistep procedure for effectively executing engineering designs:
(i) define the problem, ie needs, requirements, constraints
(ii) generate several alternative solutions
(iii) analyze pros and cons of each solution
(iv) test the solutions
(v) select the best solution
(vi) implement the best solution

Safe exits: it is impossible to build a product that will never fail. Hence in terms of sound engineering, assure that when a product fails,
- it will fail safely
- the product can be abandoned safely, or
- the user can safely escape the product

Example of lack of safe exits

Titanic: largest and most luxurious steamship of its time
Confidence in its "unsinkable" design was so high that owners and builders had rejected plans for 64 lifeboats.
The 20 lifeboats on the Titanic could only accommodate about half of the 2228 passengers.
> 1500 people perished when the Titanic sank after hitting an iceberg on its maiden voyage in 1912


Normalization of Deviance

Risk is increased when engineers accept anomalies and increase the boundaries of acceptable risk
Challenger accident in Jan 1986: the space shuttle exploded shortly after launch
Technical fault: failure of the O-rings in the SRB
Contributing factor: the decision to launch on a particularly cold day
- Lowest T the shuttle had previously encountered during launch was 53 F. Prior to launch in Jan 1986, T of seals was 29 F and some engineers expressed concern that the cold weather may affect the O-ring
- By deciding to launch, the boundary for acceptable risk was expanded by 24 F

7. Causes of Technological Disasters

Technical design factors
- Faulty design
- Defective equipment
- Defective materials
- Faulty testing procedures

Human factors
- Operator error / Ignorance
- Misinterpretation / Misjudgment
- Human-machine mismatch
- Unethical/willful acts

Socio-cultural factors
- Values placed on safety
- Attitudes towards risk
- Institutional (regulatory, educational) mechanisms

Organizational system factors
- Policy failures
- Cost pressures
- Communication failure
- Faulty group decision making


Class Discussion: Nuclear Plant Accidents

Where are serious accidents likely to occur?



1957 Sept: Mayak nuclear complex (USSR) - fault in cooling system led to explosion and release of ~70 to 80 tonnes of radioactive materials
1957 Oct: Windscale nuclear reactor (UK) - fire in graphite core, limited radioactivity release
1961 Jan: US Army SL-1 reactor (Idaho) - explosion killed 3 workers
1979 Mar: 3 Mile Island power plant (USA) - cooling malfunction, partial meltdown, limited radioactivity release
1986 Apr: Chernobyl (USSR) - fire and explosion, ~30 deaths soon after and thousands of extra cancer deaths, release of 100X more radiation than A-bombs dropped on Nagasaki and Hiroshima
1999 Sept: Tokaimura nuclear fuel processing facility (Japan) - workers break safety regulations by mixing dangerously large amounts of treated uranium, setting off a nuclear reaction, 2 deaths, workers exposed to high radiation
2004 Aug: Mihama (Japan) - steam pipe rupture, 5 killed, no radiation leak
2011 Mar: Fukushima (Japan) - fires after cooling systems failed due to damage from tsunami, large scale release of radioactive material

Class Discussion: Mihama 2004

Deadliest nuclear power plant accident in Japan before Fukushima
5 people killed, 6 injured when steam pipe in secondary coolant system ruptured. Luckily, no radiation leak.
Pipe had never been checked in 28 yrs of operation
- Steam at 140 C, 9.5 atm P
- Original wall thickness 10 mm, corroded to 1 mm
Available guidelines for checking coolant pipes, but implementation is voluntary
Poor plant management or slack regulatory body?
[Figure: ruptured pipe section; label "Flowmeter"]

Class Discussion: Fukushima 2011

Death toll from accident is low, but radioactivity released can lead to cancer deaths
Was the Fukushima disaster a man-made one?
Plant operator TEPCO after accident: size of tsunami was "beyond all expectations"
Japanese parliamentary panel 2012: root causes were "organizational and regulatory systems that supported faulty rationales for decisions and actions"

Plant's structure was not capable of withstanding the effects of the earthquake and the tsunami
TEPCO and the regulators were aware of the risk from such natural disasters, but neither had taken steps to put preventive measures in place:
- TEPCO had not upgraded the reactors' seismic defenses as required by Japan's Nuclear and Industrial Safety Agency; the agency failed to enforce the upgrade
"Its fundamental causes are to be found in the ingrained conventions of Japanese culture: our reflexive obedience; our reluctance to question authority; our devotion to sticking with the program; our groupism; and our insularity."

Video Screening 1
Title: Engineering Disasters 3 (TA495 Eng 2002)

Documentary with archival footage shows how easy it is for small errors to be transformed into failure or tragedy
- Idaho experimental nuclear reactor
- Space missions
What lessons can be learned from these accidents?

8. Case Study: The Bhopal Disaster

World's worst industrial disaster
On the night of Dec 2, 1984, >20 tons of toxic chemicals escaped from the Union Carbide plant
Approximately half of Bhopal's population (~1/2 million) was exposed to the toxic gas
Estimated 2000 to 8000 people died, and survivors continued to experience permanent disabilities and chronic ailments
Postings of Bhopal Disaster documentary are available on Web. Eg:
http://www.youtube.com/watch?v=AXEYGIIxONU
http://www.youtube.com/watch?v=rJg19W8x_Ls

Historical Development of Bhopal Plant

Bhopal plant opened in 1969 and was first limited to formulating pesticides (mixing stable compounds to get final product)
Plant was owned and operated by Union Carbide India, Limited (UCIL), and UC owned 50.9% of UCIL shares
In 1970s, the plant obtained license from the Indian Govt. to manufacture pesticides (rather than just formulating), which required the handling of dangerous chemicals

Union Carbide Corporation

Had a long and respected history in India since 1934
UC entered the pesticide industry in early 1960s as market was booming
As the pesticide market decreased and grew more competitive, UCIL hoped that by manufacturing raw materials and intermediates, it could increase sales and satisfy the Indian Govt.'s push for domestic manufacture

Background Info: UCIL Plant

Union Carbide plant at Bhopal manufactured pesticides using MIC (methyl isocyanate)
Many people lived in shanty towns built alongside the factory, and thousands more lived nearby in the old city

Methyl Isocyanate (CH3-N=C=O)

Used for the manufacture of pesticide
Highly toxic
- TLV value of MIC is 0.1 of mustard gas, a chemical weapon used in WW 1
Highly reactive
- Runaway reaction possible if mixed with water or metals


What Caused the Bhopal Disaster?

- Accidental mixing of water and MIC
- Inadequate training of personnel
- Poor maintenance of equipment
- Failure of safety systems
- Lack of contingency plans with regards to notification and evacuation of surrounding population in event of emergency

Accidental Mixing of Water and MIC

Water could have entered the MIC storage tank E610 during the washing of the vent lines because workers did not follow SOP
Water reacts vigorously with MIC resulting in heat release, causing the T of MIC to increase
High T caused the MIC to vaporize, leading to buildup of pressure in the tank
When the internal pressure of the tank became sufficiently high, the pressure relief valve opened, releasing the MIC vapor

Inadequate Training of Personnel

When plant was first opened, UCIL sent its workers to the Institute Plant in W. Virginia for training
Later, more experienced workers at the Bhopal plant were supposed to train the new employees
With high worker turnover, the quality of instruction progressively diminished
Training period also reduced to cut costs

Poor Maintenance of Equipment

Plant's recent worker cutback resulted in halving of maintenance crew
Patchwork maintenance jobs to cut costs as plant was losing money
Minor leaks routinely occurred in plant
6 accidents had occurred at the plant between 1981 and 1984; 3 involving MIC or phosgene (another toxic chemical), resulting in 1 fatality


Failure of Safety Systems

Plant was designed with safety systems to prevent or mitigate potential accidents:
- MIC storage tank had a refrigeration unit to keep T down to prevent vaporization
- scrubber system to neutralize toxic vapors with caustic soda
- flare system to burn vapors before entering atmosphere
None of the safety systems was functional on the night of the accident

Failure of Safety Systems

Disabled safety systems useless as increasing gas P blew open the valve
Contents from E610 could not be transferred to E619, which was the safety overflow, bec it also contained MIC
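The two "Failure of Safety Systems" slides describe a set of independent protection layers that were all out of service at once. The following is an added example (not from the lecture or from any Bhopal investigation) that models those layers in the layers-of-protection style and applies the slides' own Risk = Probability x Magnitude definition; barrier names follow the slides, while every probability and harm value is an assumed illustration.

```python
"""Layers-of-protection view of the MIC release chain on the two
"Failure of Safety Systems" slides. Added example, not part of the lecture;
barrier names follow the slides, all probabilities and harm values are ASSUMED."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Barrier:
    name: str
    pfd: float        # assumed probability of failure on demand when in service
    in_service: bool  # False = disabled/unusable, so the layer always fails

# Assumed PFDs, for illustration only; order follows the release chain.
DESIGNED = (
    Barrier("refrigeration keeps MIC cool, limiting vaporization", 0.10, True),
    Barrier("overflow transfer of tank contents to E619", 0.20, True),
    Barrier("scrubber neutralizes vapor with caustic soda", 0.05, True),
    Barrier("flare burns vapor before it reaches atmosphere", 0.10, True),
)

def night_of_accident(barriers):
    """State the slides describe: no layer functional (E619 already held MIC)."""
    return tuple(replace(b, in_service=False) for b in barriers)

def release_probability(p_initiating, barriers):
    """P(release) = P(water enters tank) x product of each layer's failure
    probability. A layer out of service contributes a failure probability of 1."""
    p = p_initiating
    for b in barriers:
        p *= b.pfd if b.in_service else 1.0
    return p

def risk(p_initiating, barriers, magnitude):
    """Experts' definition from the slides: Risk = Probability x Magnitude of harm."""
    return release_probability(p_initiating, barriers) * magnitude

def best_single_restoration(p_initiating, barriers, magnitude):
    """Among the disabled layers, which one, restored alone, cuts risk the most?
    Returns (barrier name, resulting risk), or None if no layer is disabled."""
    best = None
    for i, b in enumerate(barriers):
        if b.in_service:
            continue
        restored = barriers[:i] + (replace(b, in_service=True),) + barriers[i + 1:]
        r = risk(p_initiating, restored, magnitude)
        if best is None or r < best[1]:
            best = (b.name, r)
    return best

if __name__ == "__main__":
    p0, harm = 0.01, 1000.0  # assumed initiating probability and harm scale
    print("designed risk:", risk(p0, DESIGNED, harm))
    print("all layers down:", risk(p0, night_of_accident(DESIGNED), harm))
    print("restore one layer:", best_single_restoration(p0, night_of_accident(DESIGNED), harm))
```

With every layer disabled the release probability collapses to the initiating probability itself, which is the quantitative reading of "none of the safety systems was functional".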


Lack of Contingency Plan

Plant employees did not appreciate dangers of MIC due to their lack of knowledge of its effects
Little communication between plant and community regarding actions to be taken in case of a major accident
On night of accident:
- poor coordination between plant employees and officials: alarms & evacuation buses not well-utilized
- populace not advised on precautions which could have reduced fatalities

The Day After

Most of initial deaths occurred as a result of MIC's effects on the respiratory system


Aftermath of Bhopal Disaster

In 1989, UC paid US$470 million to the Government of India as compensation to victims
Activists continued to argue for higher compensation
Dow Chemical has purchased UC, and claimed no further responsibility for compensation
Thousands of people around Bhopal still remain at risk of poisoning
- tons of toxic waste remain on site
- groundwater has high levels of contaminants
- residents are plagued by medical and economical problems
Indian Govt. said it will clean up the site

Who is Responsible?

[1] Was such an accident foreseeable by UC?
- known problems with leaks in MIC system at Bhopal plant
- UC aware of potential of runaway reaction in W. Virginia plant
- UC safety audit team had highlighted deficiencies in safety measures at Bhopal plant, eg
  no automatic controls on MIC feeder tanks, unreliable gauges and valves
  insufficient training, lack of preventive maintenance
  high employee turnover

[2] Should the Indian Govt. share some of the blame?
- environmental and safety standards are less stringent than in US
- no policy or zoning forbidding people from living so close to a plant where hazardous chemicals were stored and used
- pressure to design a labor intensive plant (to improve employment) instead of more automated plant, and to use locally produced equipment when possible

[3] Was the plant management negligent?
- safety systems were not functional: even if disaster could not be averted, the effects could have been mitigated
- inadequate training, and maintenance and safety procedures: cost cutting measures compromised safety
- lack of communication with community: inadequate info provided on effects of MIC exposure and treatment


[4] Employee sabotage?
From UC's Report: proposed that an employee at the Bhopal plant deliberately introduced water into the MIC tank

End of Topic 7
