22.2 Case Study 2: Overview
Hydrazine is a rocket fuel that is used in the space shuttle and in today's modern fighter jets. It is a suspected human carcinogen, corrosive, highly toxic, sensitizer; liver, kidney, nervous system, blood, and lung toxin; skin and eye hazard; as well as an odorless, colorless combustible liquid. An amount as little as 1 oz may be considered a spill. When a spill occurs, an emergency response team is dispatched to stop and contain that spill. The emergency team consists of two elements: the base fire department and the hydrazine response team.
The following section presents an analysis of a hydrazine spill. Seven primary events were identified and an event tree was constructed. The event tree graphically represented the process flow. The event tree was analyzed and actions that may cause a failure of the process were identified. Next, a preliminary hazard analysis (PHA) was performed. An analysis of the PHA helped identify what actions may fail and the way in which these actions might fail. The PHA led to the development of the fault tree. The fault tree facilitates a systematic computer analysis of the actions involved and their effects. Where applicable, the failure of an action to achieve the desired results was analyzed. The mode in which the failure occurred, the effects of such a failure, and an attempt to determine just how critical to the safe stoppage, containment, and clean up of the spill that failure was will be analyzed. Safety of the personnel performing the work, safety of the airplane, and the safety of the surrounding personnel was considered.
Mitigations and interventions were discussed to determine ways to reduce the risks when performing these actions. These mitigations may include additional protective equipment, communications equipment, personnel training, and procedures where additional hardware equipment is needed for the stoppage, containment, and cleanup of the spill.
22.2.1 Introduction
Today's fighter plane requires a tremendous amount of thrust to propel it into action against the enemy. Figure 22.6 shows an F-16 creating vapor discs as it accelerates to supersonic speeds.
Figure 22.6 Moving fast.
Hydrazine is a rocket fuel. It is used in the space shuttle and in today's modern fighter jets. This fuel packs the energy required by military combat planes. This fuel drives thousands of pounds of fighter plane and armament at speeds well in excess of a 1000 mph. However, its use is not without risks. This risk assessment is being performed to determine some of the vulnerabilities associated with this power source. When a fighter pilot goes into harm's way, the threat is obvious. For the men and women who maintain these weapons of war, the threat is as real though not so obvious.
Hydrazine not only provides a vast amount of energy in a small volume, it is a suspected human carcinogen, corrosive, highly toxic, sensitizer; liver, kidney, nervous system, blood, and lung toxin; skin and eye hazard; as well as an odorless, colorless combustible liquid.
22.2.2 Approach
My team met and watched a video of a drill that accurately portrayed a simulation of a hydrazine leak from a Lockheed Martin F-16 fighter jet. We developed the flow diagram, made notes from the video, and pictured ourselves as participants in the drill. As participants of the drill, we watched the video and cleared up any questions the analysis team had.
A discussion of the basic events that occur during a spill is now appropriate. When a spill occurs, an emergency response team is dispatched to stop and contain the spill. The emergency team consisted of two elements: the base fire department and the hydrazine response team. This team decontaminates the tools used in the spill control and spill area and renders the spilled hydrazine harmless by neutralization. Figure 22.7 shows an F-16s up close.
Figure 22.7 F-16s up close.
The desired end result is the recovery of the F-16 with no contamination of personnel and no release of hydrazine to the environment. When a spill or a potential spill is reported, the pilot parks the jet with the exhaust port downwind (right wing). This allows the hydrazine response team to approach the airplane from up wind and extract the pilot when it is necessary.
The pilot remains inside on portable oxygen until the emergency response team confirms that there is a spill or there is no spill. If it is confirmed that there is no spill, then the pilot is extracted and removed from the area. If a spill is confirmed, the pilot remains inside the sealed cockpit on portable breathing air until it is safe for him/her to leave the aircraft.
The response team must perform such activities as don personal protective equipment (PPE) and enter the area. They must contain the leaking hydrazine with buckets and depressurize the emergency power unit fuel system (to stop hydrazine leaks or spray). After the spill is contained, the hydrazine response team extracts the pilot from the aircraft and out of the area (usually with a portable breathing apparatus). The pilot cannot remain on breathing air for the entire spill cleanup process because he does not have that much oxygen on board.
The risks do not stop there. After stopping the leak and containing further spread of the liquid, the hydrazine response team begins the process of cleaning up the spill. The liquid that is not caught in buckets is absorbed and placed in a container where it can be diluted and neutralized. The plane and the tools used must be decontaminated and verified as clean. The PPE that the hydrazine response team is wearing must be decontaminated and removed. Hydrazine contact is not the only risk faced by the team. The PPE worn by the team is heavy and hot. The team members run the risk of heat exhaustion and must be carefully monitored. Team members may be rotated in and out of the area as necessary for their protection.
The analysis team watched the video and broke the spill into the events depicted in the flow diagram. This flow diagram (Fig. 22.8) is unique in that it shows the basic events and the basic faults associated with each event.
Figure 22.8 Process flow for hydrazine leak.
To assist the analysis teams in determining what activities were most likely to fail and therefore pose the highest risk, a software program called Saphire available from the Idaho National Engineering and Environmental Laboratory (INEEL) was enlisted as the analysis tool used. An event tree was constructed in this software and a fault tree was extracted from this event tree. A sensitivity analysis was conducted. This confirmed the expected result. When all failures are the result of human error, there is no redundancy built into the system and all actions have an equal probability for failure. No one path is more sensitive than another. The cut sets verified this premise.
Next, using technique for human error prediction (THERP) tables, values were assigned to each event. Inadequate preparation of the response accounts for 47.3% of the failures and the probability of failure is 0.009 or 1 in 111.11 times the cart will not be prepared properly. Rinse water not being collected while decontaminating the air plane accounts for 36.8% of the failures and has a probability of occurring of 0.007 or it will occur once in every 142.86 times. The results of the cut sets generated are shown in Tables 22.1 and 22.2.
Table 22.1 Original Cut Sets
Table 22.2 Modified Cut Sets
As the analysis team reviewed the fault tree, various risk mitigations were suggested. The method of choice proved to be a checklist to help ensure all the actions required to stop and clean up the spill were taken.
Checklists were included for the following cut sets:
The implementation of these checklists causes a marked shift in the probabilities of occurrence. This was reflected in the rearrangement of some of the cut sets. Even with the checklist, the response cart preparation activity is still the most likely activity to fail. However, the probability of failure is 0.0045 or 1 in every 222 times. The simple act of using a checklist doubled the probability of success. Failure to adequately perform the decontamination of the plane was second and dropped to 0.000003 or 1 in 333,333.
22.2.3 Conclusions
This demonstrates large shifts in probabilities based on relatively low productivity and cost impact of introducing a checklist. When the most probable failure has been identified, the effect of that (used in determining the importance of the failure) method to reduce the probability or risk is more easily determined. Then placing them in the event and fault trees can test those methods of risk reduction. Cost-effective methods thus developed and tested can be implemented with some degree of certainty of success.
A word of caution must be introduced at this point. The event tree and fault trees must be developed and reviewed with guidance from people who are very familiar with the process or types of processes involved. These people can screen the trees not only for logic errors but also to ensure that the results make sense. The Saphire program is a useful tool but is not without its own set of faults. It is not an intuitive program. Training on how to enter the data and interpret the results is required. When the event tree was built and the fault and cut sets were extracted, the results were not always logical. The first time the program was run, it indicated that the second most likely fault was the airplane not being adequately decontaminated.
Saphire is designed to be downloaded from the Internet to any computer having sufficient capacity. However, this did not prove to be the case. Certain Internet browsers such as the one used by America Online (AOL) seem to be an obstacle to such downloads. It may take several attempts on various Internet service providers to find a compatible Internet browser. Saphire seems to work well with either Netscape or Internet Explorer.
The results were reviewed and because of the few steps and the simple procedures involved, it was determined that this was not logically the place of the most likely failure. The THERP tables contain correction factors that take into account the complexity of tasks. When the correction factor was correctly applied, the decontamination of the air plane event moved to number 11.