Comments about technological history, system fractures, and human resilience from James R. Chiles, the author of Inviting Disaster: Lessons from the Edge of Technology (HarperBusiness 2001; paperback 2002) and The God Machine: From Boomerangs to Black Hawks, the Story of the Helicopter (Random House, 2007, paperback 2008)

Sunday, December 19, 2010

San Bruno Pipeline Blast: Another NTSB update

On Tuesday the NTSB released a short update and a few more pictures of a 28-foot-long ruptured section of the pipe involved in the San Bruno gas explosion. 

News reports picked up on two new pieces of information about pipe construction:
  • While PG&E's specifications on file for the 1956 construction say that the pipe was of seamless manufacture, some of the length had welded seams; and
  • While some of those seams were welded inside and out, others were welded only on the outside.
Earlier photographs indicated that some of the pipes had welded seams, like this one:
What appears to be a weld bead is visible as a light gray line in the shadow on the lower left. This is in a long segment.

Despite the headlines and commentaries this week it's not yet clear from the NTSB's sparse technical information whether welding methods played a part in this failure. NTSB might have been pointing out that pipeline companies could do a better job of having their filed surveys match the as-builts.

Based on the photographs and two papers released so far, I'm guessing that the fracture started in one of the short segments (called pups), or a junction between them. Pups are short lengths of pipe, typically installed so that the pipeline can make a bend. This location is at the bottom of a hill so that could explain the pups. 

The pups mentioned in the report are a little more than three feet long. In this photo they are called Short Segments 1 to 4.

My inference from the photos is that the NTSB is taking a good deal of interest in two of the pups, labeled Short Segments 1 and 2. Take a look at this photo:

The investigator is cleaning fracture faces at the junction of two cracks. One crack runs along a failed girth weld that joined Pups 1 and 2; the second is a longitudinal fracture in Pup 2. This second fracture runs down Pup 2 toward the lower right, joins another girth crack, and trails off a few inches later. It's hard to tell from the photograph whether this second crack follows a seam weld.

All catastrophic fractures have to initiate somewhere and I'm guessing that the starting point is in the foreground of the photograph above, perhaps near the investigator's left hand.

I also feel pretty confident that the segment we see in the photographs is inverted, that is, that we are seeing it upside-down compared to its original position underground. 

Note that the NTSB in its update said there is no evidence of external corrosion on the outer surfaces; it didn't dismiss internal corrosion.

Those who want to take a closer look at the photographs and updates can find them on the NTSB's docket page.

Friday, December 17, 2010

Unstoppable and the Story of CSX 8888

The movie Unstoppable will add another heartwarming holiday movie tradition, the runaway train heading for a tank farm. The opening of the movie says it was inspired by true events. As in: loosely inspired by unmanned, runaway locomotive CSX 8888, dragging 47 cars through central Ohio on the afternoon of May 15, 2001. What railfans call the story of Crazy Eights was due to a combination of errors (most of them made in haste by the engineer) that exposed a loophole in the alerter, aka dead man switch.

This particular engine was an Electromotive SD-40-2. It followed all the basic principles of diesel-electric engines used on the high line:
  • They're powered by big diesel motors;
  • Those diesels turn generators;
  • The generators send power through heavy cables to traction motors in the sets of wheels below the main body of the locomotive;
  • When he wants to slow down, the engineer has a choice of three braking systems: he can (1) apply air-operated brakes on the locomotive itself (called the independent brake); (2) apply air brakes on all the trailing cars but only if the air lines are connected (called the automatic brake); or (3) reverse the operation of the traction motors so they act as generators, which makes each motor act like a brake (called the dynamic).
  • Since the reversed motors now act as generators, the energy has to go somewhere; while in theory it could be used to charge batteries hybrid-fashion, these would have to be very large so instead it's dumped to the air through giant resistance elements on the top of the locomotive. These are called braking grids. If you're standing on a bridge as a train passes under, you can see the big round openings that allow air through the grids. They look like window fans laid on their sides; the fans are to help pull the heat out.
  • Because steel wheels on steel rails have low friction, trains and individual railcars can start running away when unpowered, after mass and gravity have overcome brakes and other obstacles. Runaways under power are quite rare.
  • Guarding against this is the dead man switch or “alerter”, a fail-safe device to shut off engine power and apply brakes if the engineer fails to show any activity. On this model, that time span was 40 seconds … but only if it wasn't deactivated.
The movie had to jazz things up here, and simplify there. There wasn't a man lowered by helicopter; “Crazy Eights” didn't ram railcars or any other vehicles; the only injuries were minor, to the engineer; and it didn't almost fly off on a curve next to a tank farm. And the movie didn't explain the chain of events that set 8888 loose.

But there were many exciting aspects of the real incident that the movie drew upon: an attempt by police to use gunfire to hit the emergency shutoff (failed), an attempt to use a portable derailer (failed), and a chase from behind in which a locomotive latched on and used dynamic braking (which worked well enough, and better than shown in the movie). The train consist did include two cars with molten phenol.

While the chase was exciting, safety-lesson-wise the most interesting events all happened in Toledo's Stanley Yard, where the incident began.

Set aside the full track layout; concentrate only on three relevant tracks. Think of the capital letter “Y,” with a two-armed fork above and a stem below. The time is about 12:30 pm. As the story begins, the train is sitting in one fork of the Y, in the railyard. Because the train isn't complete as a “consist” yet, it needs to pull forward out of one arm of the fork into the stem, then come to a stop while the switch behind it is thrown; and then back up into the other arm of the fork to pick up some more cars. 

This is such a routine operation around railyards, where cars are always being shifted around, that the crews don't fasten the air hoses from the railcars to the locomotive, which would be necessary to operate the brakes on each car. (The movie shows this as an aberration, but it's a routine time-saver.) So the only way to brake this short-lived train will be to use the “independent” air brake on the locomotive. Once it's made up into a consist, the crew will make the train ready by hooking up the air hoses.

To move his train into the stem of the Y so it can be switched, the engineer throttles up. With just a few more cars necessary to clear the switch, a brakeman standing there calls the engineer on his radio and tells him to start slowing down, since the train has to stop and come back once the switch is thrown, to move into another track in the classification yard. No answer! In fact, the train gains speed to 11 mph.

The answer to this odd behavior can be found at the head of the train, a half mile away. The engineer had heard via radio that another switch in front of the engine, further along the stem of the Y, has been left in the improper position. He's moving too fast to stop short of it and he concludes that if the locomotive hits the switch as is, it's going to cause damage and delay. What to do? There's nobody up ahead he can radio to line the switch. 

The engineer decides in a flash that he will reset the controls to slow and then stop the train, but jump off before it stops, and dash ahead to reset the second switch himself. It's an odd decision for an experienced engineer, since engineers aren't permitted to jump off a moving train other than in cases of imminent collision.

His plan is to use all three braking methods to slow the train. He applies the independent brake on the locomotive. Normally the locomotive's brake shoes would be enough to stop the 3,000-ton train … but only if the engine was not producing force.

But he also tries to apply the train's automatic air-brake system and to engage the dynamic brake. These latter two actions are the immediate cause of the problem. I'll get to the reasons in a minute. Without time to check what he did, or tried to do, he jumps off the locomotive and sprints ahead, throwing the second switch with seconds to spare. He hears that the train is under power and sees that it is speeding up. So he tries to get back on board as the engine passes. But it's raining and he slips before getting aboard the engine. He is dragged a few dozen feet, then lets go. He puts out the alarm that a runaway train is heading south on the high line.

Controllers clear the path, police guard the crossings, and CSX tries to use a derailer on a siding to stop it. That fails. In the end, a chase locomotive catches up with it at Kenton, Ohio, and latches on. Using the dynamic brake, the crew slows it enough that an engineer can clamber aboard Engine 8888 and reset the controls.

The first error was that somebody left the second switch ahead of the train in the wrong position. That error forced the engineer into a hasty action that otherwise he wouldn't have taken.

The other errors were by the engineer. He inadvertently set the lever in “Run 8” position, which brought it to full power, instead of setting up the dynamic braking. It wasn't a good idea even to try to use the dynamic, since it's something to use on the high line at speed, rather than while crawling around a trainyard. Proper procedure would have been to bring down the throttle and apply the independent brake, accepting any damage to the switch as the lesser of two evils. It wasn't the engineer's problem to solve.

So why didn't the alerter, the deadman switch, automatically shut down the locomotive after just 40 seconds of inactivity by the engineer, before it even left Stanley Yard? Because the engineer had tried to apply the automatic air brakes along the length of the train. They weren't connected so they didn't work; worse, just the attempt to apply them raised the brake pipe pressure and disabled the alerter. The reason for this loophole is that engineers sometimes have to set the brakes and get off a locomotive after it stops, and they want to leave it running rather than have it shut off automatically.

With power in Run 8, the only force holding back the locomotive was the locomotive's independent brakes. Those brakes were of little effect against a full power setting, and even less effective after they burned off entirely.
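The alerter loophole described above behaves like a watchdog timer whose bypass trusts a single input. The following Python model is an added illustration, not the locomotive's actual control logic: the names, the one-second sampling, the constructed timelines and the cross-checked bypass rule are all assumptions made for the example.

```python
from dataclasses import dataclass

ALERTER_TIMEOUT_S = 40  # from the post: 40 seconds without engineer activity

@dataclass
class Cab:
    throttle_notch: int         # 0 = idle, 8 = "Run 8" (full power)
    automatic_brake_set: bool   # handle position only; says nothing about hoses
    speed_mph: float

def suppressed_as_described(cab: Cab) -> bool:
    # Loophole described in the post: an automatic-brake application alone
    # disables the alerter, whatever the throttle is doing.
    return cab.automatic_brake_set

def suppressed_cross_checked(cab: Cab) -> bool:
    # Hypothetical stricter rule (an assumption, not any railroad's design):
    # honour the bypass only when the locomotive is really parked.
    return cab.automatic_brake_set and cab.throttle_notch == 0 and cab.speed_mph == 0

def alerter_trip_time(timeline, suppressed):
    """Second at which the alerter cuts power, or None if it never trips."""
    idle = 0
    for t, cab, engineer_active in timeline:
        if engineer_active or suppressed(cab):
            idle = 0  # timer reset by activity, or held off by the bypass
            continue
        idle += 1
        if idle >= ALERTER_TIMEOUT_S:
            return t
    return None

def constructed_incident(duration_s=120):
    # Constructed sample: engineer works the controls for 5 s, then leaves the cab.
    timeline = []
    for t in range(duration_s):
        cab = Cab(throttle_notch=8, automatic_brake_set=True, speed_mph=8 + t * 0.05)
        timeline.append((t, cab, t < 5))
    return timeline

def parked_case(duration_s=120):
    # Legitimate use of the bypass: stopped, idle, brakes set, nobody in the cab.
    return [(t, Cab(0, True, 0.0), False) for t in range(duration_s)]

if __name__ == "__main__":
    for name, rule in [("as described", suppressed_as_described),
                       ("cross-checked", suppressed_cross_checked)]:
        print(name, alerter_trip_time(constructed_incident(), rule),
              alerter_trip_time(parked_case(), rule))
```

Under the rule as described, the alerter never trips on the constructed runaway timeline; with the cross-check it trips 40 seconds after the last activity while still leaving a parked, idling locomotive alone.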

Sunday, December 12, 2010

Snowplows and Snowhogs: Getting to know the Avalanche Effect

Digging through snowplow-created berms during this weekend's storm: I sent Son #3 to scale the ridge line with a shovel. He on the street, me on the driveway, we attacked it from both sides. First we made a hole and shook hands like sandhogs working on a tunnel from both ends, then went at it with a will until the hole was a valley and finally a gap big enough to drive a car through. Wished for a tunnel-boring machine.

Those living south of the snowplow line may be surprised to hear that snow gently falling on the ground is not the same as snow that has been pummeled by a snowplow blade or, even more, transformed by a slab avalanche.

This phenomenon is rarely depicted in action movies. I suppose it's because the screenwriters haven't been close to an avalanche, nor read much about them.

Slab avalanches leave anyone alive trapped in icy debris that is most impressively dense and hard. This set-up happens instantly, as the friction-heated snow refreezes. Here's an illustration: a hiker whose lower leg is covered by the fringe runout of a slab avalanche will not be able to get her foot loose without literally chopping the ice away. The consistency is something like cured, low-grade Plaster of Paris; not quite as tough as concrete, but not something she can gouge with her hands. Without a metal shovel or better yet an ice axe close to hand, she'll be lucky to get loose, boots or not. Here's an explanation from the Utah Avalanche Center, including a narrative of what it feels like to be inside one and survive.

Which leads me to a book I highly recommend for outdoorspeople: Ian Stark's Last Breath: The Limits of Adventure. It's grim but excellent reading, and goes far to strip away dangerous and foolish notions about the course of medical emergencies in the wilderness.

Each of the eleven chapters is a fictional narrative, with all events grounded in medical fact and relevant physics (as in, the physics of snow and debris in an avalanche). Some of the fictional characters survive; some don't, so there's an element of suspense in each tale. I thought I knew about dehydration until I read Stark's last chapter, "In a Land Beyond the Shade."

Rather than leave readers with bad feelings about snow, here's a picture from the storm: a pretty little cornice that formed under the eaves of our house, changing by the hour as a brisk wind carved here, and added there.